Hey guys, I am struggling a bit, but I think I am getting closer to doing this. The goal is to create a persistence mechanism as a service via a .dll, which svchost.exe will run. I stumbled across this amazing post from the Red Team Notes (here is the URL: https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain#references). You can see the code example in the post. There is a section called "Persistent code here"; what I did was to have shellcode in a char array and later, in place of "Persistent code here," call the function that is assigned to the shellcode array.
Example:
void (*runShellcode)() = (void (*)())shellcode; runShellcode();
Apparently, everything else that was described in the post is working fine except the service start part. Below is an example of the last step (starting the service and it being stopped):
Overall, my guess is that to execute the shellcode, I need to allocate memory, and only then can I run the shellcode, but the question is if the svchost.exe is running it, it will be abnormal to allocate memory space in that process, not taking into account that svchost.exe is meant to run the DLLs. And can this be why svchost can't properly start the service because the shellcode is executed incorrectly?
If so, please suggest what can be done to get the result I described above.
Thanks in advance
[EDIT] The picture is not uploading; the idea is that when the service is being started the service status is PENDING, and after doing the query the status is changed to STOPPED.
from hacking: security in practice https://ift.tt/teSc9dX