Converting Shellcode to Portable Executable (32- and 64-bit)

December 10, 2015 in Malware Analysis, Software Releases

Analyzing shellcode is tricky, so to simplify the process it is really handy to convert it into an executable that can then be analyzed with a debugger or IDA. Since shellcode is position-independent code, all we have to do is build a simple executable that embeds the shellcode blob, and ensure the entry point of the executable points to the beginning of the embedded code.

Many people use different tricks to do it: some write C code, others use Python.

Below, I present probably the simplest and shortest method – using assembly 😉

The following is a short tutorial on how to do it with 2 freely available tools – YASM and GoLink:

  • Save the following three lines as shellcode.asm (incbin pulls the raw blob from shellcode.bin into the image, and the exported Start label marks its first byte; note that the default .text section is execute/read only, so shellcode that decodes or patches itself in place needs a writable section, which the batch file below declares with SECTION 'foo' write, execute,read):

Global Start
Start:
incbin "shellcode.bin"

  • From a command line run the following command to assemble the code:
    • for 32-bit shellcode
      • yasm.exe -f win32 -o shellcode.obj shellcode.asm
    • for 64-bit shellcode
      • yasm.exe -f win64 -o shellcode.obj shellcode.asm
  • Now run the linker, telling it to use the Start label as the entry point:
    • golink /ni /entry Start shellcode.obj
  • The resulting file shellcode.exe can be debugged or analyzed with IDA

If it still sounds like a lot of steps, you can create a batch file that does all the work for you. Save it as shell2exe.bat and from now on all you have to do is run the following command:

shell2exe.bat 64 <shellcode file>

or

shell2exe.bat 32 <shellcode file>

depending on the shellcode architecture.

Here’s the shell2exe.bat file:

------------ shell2exe.bat ------------ 
@echo off
rem Usage: shell2exe.bat <32|64> <shellcode file>
rem Both arguments are required: without them yasm would get an empty output format
rem or incbin an empty file name. (After @echo off no per-line @ prefixes are needed,
rem and a label line has to begin with ':' so that goto can find it.)
if "%~1"=="" goto help
if "%~2"=="" goto help

rem Generate the wrapper: one write/execute/read section whose first byte is the Start label.
rem %~2 strips surrounding quotes from the file name so a quoted path still works inside incbin "".
echo Global Start > shellcode.asm
echo SECTION 'foo' write, execute,read >> shellcode.asm
echo Start:       >> shellcode.asm
echo incbin "%~2"  >> shellcode.asm
rem Assemble for the chosen architecture (win32 or win64) and link with Start as the entry point
yasm.exe -f win%~1 -o shellcode.obj shellcode.asm
golink /ni /entry Start shellcode.obj
del shellcode.asm
del shellcode.obj
dir shellcode.exe

goto exit

:help
echo Converts a shellcode blob to an executable
echo Required Arguments:
echo - architecture: 32 or 64 (depending on the shellcode)
echo - shellcode blob file name

:exit
echo.
------------ shell2exe.bat ------------

And since we really, really want to keep it super simple, here is the whole package for your convenience. It contains shell2exe.bat + GoLink.exe + 32-bit yasm.exe (for portability).
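To show what the YASM + GoLink wrapper actually produces, here is an added example (my own code, not the post's and not part of YASM or GoLink) that builds the same kind of image directly in Python: a minimal PE with one write/execute/read section holding the blob and the entry point at its first byte, for either 32- or 64-bit. The script name shell2pe.py, the header values (image base, alignments, subsystem version) and the demo blob are my choices, not taken from the post.

```python
import struct
import sys

# Constructed sample input (not from the post): nop; nop; ret - harmless, the loader
# reaches the entry point and the thread simply returns.
DEMO_SHELLCODE = b"\x90\x90\xc3"


def build_pe(shellcode: bytes, bits: int = 32) -> bytes:
    """Wrap a raw blob in a minimal PE: one RWX section, AddressOfEntryPoint = its first byte."""
    # No imports and no relocations: the image must load at image_base (values are this example's choices).
    pe32plus = bits == 64
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x200
    image_base = 0x140000000 if pe32plus else 0x400000
    code_rva = 0x1000                                   # RVA of the only section; also the entry point
    opt_size = (112 if pe32plus else 96) + 16 * 8       # optional header + 16 data directories
    raw_size = -(-max(len(shellcode), 1) // file_align) * file_align
    virt_size = -(-max(len(shellcode), 1) // sect_align) * sect_align

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE header at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size,
                       0x22 if pe32plus else 0x102)     # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE / 32BIT_MACHINE
    opt = struct.pack("<HBBIIIII", 0x20B if pe32plus else 0x10B, 0, 0,
                      raw_size, 0, 0, code_rva, code_rva)   # SizeOfCode, ..., AddressOfEntryPoint, BaseOfCode
    if not pe32plus:
        opt += struct.pack("<I", code_rva)              # BaseOfData exists in PE32 only
    opt += struct.pack("<Q" if pe32plus else "<I", image_base)
    opt += struct.pack("<IIHHHHHHIIIIHH", sect_align, file_align, 6, 0, 0, 0, 6, 0, 0,
                       code_rva + virt_size, hdr_size, 0, 3, 0)  # SizeOfImage, SizeOfHeaders, CUI subsystem
    opt += struct.pack("<QQQQ" if pe32plus else "<IIII", 0x100000, 0x1000, 0x100000, 0x1000)  # stack/heap
    opt += struct.pack("<II", 0, 16) + b"\0" * 128      # LoaderFlags, NumberOfRvaAndSizes, empty directories
    # Section flags CODE|EXECUTE|READ|WRITE: the same idea as the batch file's write,execute,read section
    sect = struct.pack("<8sIIIIIIHHI", b".text", virt_size, code_rva, raw_size, hdr_size,
                       0, 0, 0, 0, 0xE0000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    assert len(headers) <= hdr_size
    return headers.ljust(hdr_size, b"\0") + shellcode.ljust(raw_size, b"\0")


if __name__ == "__main__":
    # usage: shell2pe.py <32|64> <shellcode file> <output exe>; with no arguments, wraps DEMO_SHELLCODE
    if len(sys.argv) == 4:
        with open(sys.argv[2], "rb") as f:
            blob, bits, out = f.read(), int(sys.argv[1]), sys.argv[3]
    else:
        blob, bits, out = DEMO_SHELLCODE, 64, "demo64.exe"
    with open(out, "wb") as f:
        f.write(build_pe(blob, bits))
```

The output can be opened in a debugger or IDA exactly like shellcode.exe from the batch file; since the image carries no relocations, it is loaded at the fixed image base.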
