
We can store our payload in different PE sections.

Here we show how to store it in the .text, .data, and .rsrc sections.

Data Section

To store the payload in .data section we need to store the payload in a global variable.

#include <windows.h>
#include <stdio.h>

/* Twelve placeholder bytes (0x41 is ASCII 'A'). An initialized, writable
   global like this one is what the accompanying text shows ending up in the
   .data section of the image. */
char payload[] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

int main() {
    /* Address of the global buffer as it sits in the loaded image. */
    void *where = payload;

    printf("payload -> 0x%p\n", where);

    /* Block on stdin before exiting; presumably so the running process can be
       inspected while the address is still valid. */
    getchar();
    return 0;
}

As a result of the execution, the pointer of the payload is printed.

c:\Tools\rtnotes>.\rtnotes.exe
payload -> 0x000000014000D000

Here we can see that the memory address 0x000000014000D000 is assigned to the .data section of the rtnotes.exe PE file.

Text Section

This is the most common way to store a payload in a PE file.

To store the payload in the .text section we just need to store the payload in a local variable.

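Example that reads the payload from a file. Note that in this listing the buffer is allocated with malloc, so the address it prints is a heap address rather than an address inside the .text section.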

#include <windows.h>
#include <stdio.h>

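/*
 * Read calc64.bin into a heap buffer and print the buffer's address.
 *
 * Returns 0 on success and 1 when the file cannot be opened, sized, or read,
 * or when the allocation fails. The buffer and the file handle are released
 * on every path after the file has been opened.
 */
int main() {
    char *payload = NULL;
    FILE *fptr = NULL;
    long file_size = 0;
    size_t payload_len = 0;
    int rc = 1;

    fptr = fopen("calc64.bin", "rb");
    if (fptr == NULL) {
        printf("[-] Unable to open the calc64.bin\n");
        return rc;
    }

    /* Both calls can fail; ftell reports failure as -1, which must not be
       allowed to turn into a huge unsigned length. */
    if (fseek(fptr, 0, SEEK_END) != 0 || (file_size = ftell(fptr)) < 0) {
        printf("[-] Unable to determine the size of calc64.bin\n");
        goto cleanup;
    }
    rewind(fptr);
    payload_len = (size_t)file_size;

    /* The 8 bytes of slack are kept from the original listing; their purpose
       is not shown on the page. The cast is kept so the listing also
       compiles as C++. */
    payload = (char *)malloc(payload_len + 8);
    if (payload == NULL) {
        printf("[-] Unable to allocate %lu bytes\n", (unsigned long)payload_len + 8);
        goto cleanup;
    }

    /* Read byte-wise so a short read is detectable and an empty file is not
       reported as an error. */
    if (fread(payload, 1, payload_len, fptr) != payload_len) {
        printf("[-] Unable to read calc64.bin\n");
        goto cleanup;
    }

    /* The buffer came from malloc, so this prints a heap address. */
    printf("payload -> 0x%p\n", (void *)payload);
    getchar();
    rc = 0;

cleanup:
    free(payload);
    fclose(fptr);
    return rc;
}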

Resource section

To store the payload in the .rsrc section we can store our payload in the favicon.ico file.

#include <stdio.h>
#include <windows.h>
#include "resources.h"

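/*
 * Locate the RCDATA resource registered under FAVICON_ICO in the running
 * executable and print the address of its data.
 *
 * Returns 0 on success and 1 when the resource cannot be found, loaded,
 * locked, or has a reported size of zero.
 */
int main(void)
{
	HRSRC res;
	HGLOBAL resHandle;
	char *payload;
	DWORD payload_len;

	// Look the resource up in the current module (NULL module handle)
	res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
	if (res == NULL) {
		printf("[-] FindResource failed (error %lu)\n", GetLastError());
		return 1;
	}

	resHandle = LoadResource(NULL, res);
	if (resHandle == NULL) {
		printf("[-] LoadResource failed (error %lu)\n", GetLastError());
		return 1;
	}

	// LockResource returns a pointer to the resource bytes, or NULL on failure
	payload = (char *) LockResource(resHandle);
	if (payload == NULL) {
		printf("[-] LockResource failed\n");
		return 1;
	}

	// SizeofResource reports 0 on failure; the size is a DWORD, not an int
	payload_len = SizeofResource(NULL, res);
	if (payload_len == 0) {
		printf("[-] SizeofResource failed (error %lu)\n", GetLastError());
		return 1;
	}

	printf("payload -> 0x%p", (void *)payload);
	getchar();
	return 0;
}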

We also need to create two additional files, resources.h and resources.rc:

/* Numeric resource identifier; included by both the C source and the
   resource script so the two agree on the same ID. */
#define FAVICON_ICO 100

#include "resources.h"

// Embed the contents of favicon.ico as a raw-data (RCDATA) resource under the ID FAVICON_ICO.
FAVICON_ICO RCDATA favicon.ico

A few steps are needed to compile the resource:

REM Compile the resource script into resources.res.
rc resources.rc
REM Convert the compiled resources into an x64 object file the linker can consume.
cvtres /MACHINE:x64 /OUT:resources.obj resources.res
REM Compile every .cpp file as C++ (/Tp) and link resources.obj into rtnotes.exe.
REM NOTE(review): /W0 silences all compiler warnings and /GS- turns off the stack buffer security check, so mistakes in the C code go unreported and unmitigated.
cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tp *.cpp /link /OUT:rtnotes.exe resources.obj

As a result of the execution, the pointer of the payload is printed.

c:\Tools\rtnotes>.\rtnotes.exe
payload -> 0x0000000140013060

Here we can see that the memory address 0x0000000140013060 is assigned to the .rsrc section of the rtnotes.exe PE file.