Earthnuker Posted October 22, 2011

Yeah, the title pretty much says it: is it possible to convert an exe file to shellcode that can be run in memory / inserted into a Metasploit executable template?

Here's the Python code I use to load and run the shellcode. WARNING! IT CAN CRASH YOUR SYSTEM (64-bit). ONLY WORKS ON 32-bit:

    from ctypes import *                          # load the ctypes module
    import sys, binascii                          # binascii decodes the hex-encoded shellcode
    o = open(sys.argv[1], "r")                    # open the file holding the hex-encoded shellcode
    shellcode = binascii.unhexlify(o.read())      # decode it into a byte string
    cast(create_string_buffer(shellcode, len(shellcode)), CFUNCTYPE(c_void_p))()  # copy it into a buffer, cast the buffer to a function pointer and call it

Now I want to use an exe file as the payload and run it from RAM. Here's the code of the encoder:

    import sys, binascii
    i = open(sys.argv[1], "rb")                   # read the exe as raw bytes
    o = open(sys.argv[1] + ".hex", "w")           # write its hex encoding next to it
    o.write(binascii.hexlify(i.read()))

The problem is that when I feed it an encoded exe file it won't work:

    C:\Dokumente und Einstellungen\User\Desktop>test.py out.txt
    Traceback (most recent call last):
      File "C:\Dokumente und Einstellungen\User\Desktop\test.py", line 5, in <module>
        cast(create_string_buffer(shellcode, len(shellcode)), CFUNCTYPE(c_void_p))()
    WindowsError: exception: access violation writing 0x00001101

I also checked whether it was possible to use Metasploit to convert an exe to shellcode, but I didn't find anything :( So I'd like to convert the exe to "real" shellcode that can be run from RAM. Any ideas?
digip Posted October 23, 2011 (edited)

I'm not really good with Metasploit, but Meterpreter already allows you to start executables in memory from what I recall. The whole point of Meterpreter is the ability to be stealthy and run payloads or start processes in memory. There isn't any way I know of to take an existing executable and make it purely shellcode. They are two different things: shellcode is something that calls info at a lower level of the system and is not a compiled program in itself (although you could make an executable that exploits a system and contains shellcode); most shellcode consists of scripts to push things onto the buffer and take control of it. If you are looking to avoid anti-virus and such, though, look into using SET as well. Dave has some tools in there that make the payloads and executables run all from memory and avoid all AV programs out there (or so he says).

Edited October 23, 2011 by digip
int0x80 Posted October 24, 2011

Executables are more complex than just the byte code instructions. When you load and execute a binary, it is already running in memory. So why would you need to "convert it to shellcode" to run it in memory?
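int0x80's point above, as an added example that is not from this thread: a small Python 3 reader for the PE header fields a Windows loader consumes, run over a bare 32-bit PE header constructed inline (no real code, not a real program). It shows why the raw file bytes are not shellcode: offset 0 holds the MZ header rather than instructions, the entry point is an RVA that the section table maps to a file offset elsewhere, and the import and relocation directories must be processed by a loader before that code can run. The function names build_sample_pe and parse_pe are my own.

```python
import struct

# Constructed sample: a bare PE32 header plus one section header, no code bytes at all.
def build_sample_pe():
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew: PE header at offset 64
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                  # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x28)   # import directory (non-empty)
    struct.pack_into("<II", opt, 96 + 8 * 5, 0x3000, 0x0C)   # base relocation directory
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + bytes(opt) + sect

def parse_pe(data):
    """Read the fields a loader needs; raise ValueError if this is not a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # optional header follows COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32")
    entry_rva, image_base, ndirs = (struct.unpack_from("<I", data, opt + off)[0]
                                    for off in (16, 28, 92))
    def dir_present(idx):                                    # data directory has a non-zero size
        return idx < ndirs and struct.unpack_from("<I", data, opt + 96 + 8 * idx + 4)[0] != 0
    entry_offset = None                                      # map entry RVA through the section table
    for i in range(nsect):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
        if va <= entry_rva < va + raw_size:
            entry_offset = raw_ptr + (entry_rva - va)
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "entry_file_offset": entry_offset, "needs_imports": dir_present(1),
            "needs_relocs": dir_present(5), "first_bytes": bytes(data[:2])}

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    # first_bytes is 'MZ', the entry point lives at entry_file_offset, and both
    # needs_imports and needs_relocs are True: none of this is handled by jumping to offset 0.
    for k, v in info.items():
        print(k, hex(v) if isinstance(v, int) else v)
```

The same reader works on a real .exe read in "rb" mode; on a 64-bit (PE32+) image it stops at the magic check, since the optional-header layout differs.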
cashcashjonny Posted April 18, 2012 · Hidden by cashcashjonny, April 19, 2012 - Security - oops

Hello, I'm thinking my response is going to be a bit late & you have probably found a solution already. I haven't really got a total solution for you either ... just a method really ... but if it helps anyone, here goes ...

Download a free hex/disc editor like this one: Free Hex Editor. Open your .exe with the hex editor. The centre section will have your .exe in hex (eg. 4D 00 A3 5C 08 ....). You can copy and paste this hex to a text document. Now comes the part you probably won't like ... write a simple programme in your favorite language ... maybe C or C++ ... to add whatever stuff you need to get the hex into the desired format (eg. \0x4D\0x00\0xA3\0x5C or &4D, &00, &A3 ...) ... get the general idea? B)