Shellcode is most commonly discussed in the context of software exploitation, but it’s also extremely useful for malware. Normal applications are typically compiled into executables, which contain multiple discrete ‘segments’ or ‘sections’. The executable expects each section to be loaded into memory at a specific address, or at a specific distance from the previous section. As such, trying to move any code within the executable will usually result in the entire process crashing.
On the other hand, shellcode is designed to be self-contained and work regardless of whatever memory address it’s loaded at. This means shellcode can easily be moved around in memory, and even copied into the memory of other processes (known as code injection).
Shellcode can also be encrypted when not in use, preventing anti-malware products from scanning it for known malicious signatures. When the code is needed it can be decrypted, copied into executable memory, then run.
These challenges serve as an introduction to working with malware which utilizes shellcode to conceal functionality. While you may not need to fully reverse all the shellcode to extract the flag, it’s always good to be able to explain what the shellcode does and why.
Inside the example malware you’ll find the code responsible for running and executing the malicious shellcode, as well as the shellcode itself. Your job is to perform static analysis to figure out how the shellcode loader works, then extract and analyze the shellcode.
Once you’ve figured out what the shellcode does, you should be able to manually extract the flag, or write a script to do it for you.
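As an added illustration of the "write a script to do it for you" approach (this is example code, not part of the original post or the challenge binaries): it assumes the loader protects its shellcode with a repeating-key XOR, recovers the key from a known plaintext prefix, decrypts a constructed sample blob and pulls out a flag{...} string. The prologue bytes, key and flag are all constructed for the example.

```python
import re

# Constructed sample standing in for the decrypted shellcode buffer. The first
# bytes mimic a prologue seen in some Windows x64 shellcode (cld; and rsp,-16;
# call ...); the flag string after it is what the challenge asks you to recover.
PLAINTEXT = (bytes.fromhex("fc4883e4f0e8c0000000")
             + b"\x90" * 8
             + b"flag{constructed_example_flag}\x00"
             + b"\xcc" * 8)
KEY = b"\x4b\x3d\xa7\x11"  # constructed 4-byte repeating key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED = xor_bytes(PLAINTEXT, KEY)  # what you would carve out of the binary


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for a repeating-key XOR: if the first key_len
    bytes of the shellcode can be predicted (e.g. a common prologue), XORing
    them with the ciphertext yields the key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def extract_flags(data: bytes) -> list[str]:
    """Pull flag{...} strings out of a decrypted buffer."""
    return [m.decode() for m in re.findall(rb"flag\{[^}\x00]+\}", data)]


def solve(blob: bytes, known_prefix: bytes, key_len: int) -> list[str]:
    """Recover the key, decrypt the blob, sanity-check it, then extract flags."""
    key = recover_key(blob, known_prefix, key_len)
    decoded = xor_bytes(blob, key)
    # Any known-plaintext bytes beyond key_len act as a consistency check on
    # the recovered key; if they do not match, the guess was wrong.
    if not decoded.startswith(known_prefix):
        return []
    return extract_flags(decoded)


if __name__ == "__main__":
    print(solve(ENCRYPTED, bytes.fromhex("fc4883e4f0"), 4))
```

In a real sample the blob and the known prefix come from your static analysis of the loader; the key length is usually visible in the decryption loop.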
Recommended Environment
Host Machine: Anything with an x86_64 CPU (32-bit CPUs won’t work and ARM CPUs will require an emulator).
Virtual Machine: VMware or VirtualBox
Operating System: Windows 10 64-bit
Disassembler: Binary Ninja or Ghidra
Note: for Windows Labs the walkthrough videos will be done using Binary Ninja, with a 64-bit Windows 10 Virtual Machine running on VMware Workstation Pro. You are free to choose your own software & hardware, but be aware that there will only be official support for the recommendations listed above; any custom setups are your own responsibility.