Start It Up! PELoader Running AES Encrypted Shellcode

Imagine it’s Sunday but you still need to deliver that Payload. You don’t want to waste a lot of time fighting EDR, and at the same time you’re way too lazy to write your own agent.

PELoading - Create Shellcode

We start by converting our Payload into Shellcode using fine tools. We don’t need to know what Shellcode actually is. We also encrypt the Payload with AES - at least the packaging of the tool says it’s AES. And advertisements never lie.

It works, so we don’t care. Just follow the instructions. Easy, huh?

```cmd
> .\pe2shc.exe sl_test.exe
> set hagrid=enc sl_test.shc.exe
> .\PELoader.exe
argument: enc sl_test.shc.exe
Encrypting File
```

Delivery

Next we turn on Defender and copy the encrypted Shellcode, together with PELoader.exe, to the target.

Creating Encrypted Shellcode

ShellzZZZ

We run PELoader.exe (which we renamed, because stealtz!), receive the Session and can get back to sleep. ssshhhhh!

Running the encrypted Sliver Agent

What Works

and what doesn’t.

PELoading has some limitations and works best on simple PE apps that don’t need arguments. We got Mimikatz working, with small errors here and there. LaZagne threw an error and couldn’t be loaded, regardless of the loading technique.

PELoader provides:

  • Module Stomping (LoadLibrary)
  • Module Stomping (NtMapViewOfSection)
  • Transacted Hollowing
  • Ghostly Hollowing
  • NtMapViewOfSection (RWX-RW-RX)
  • NtAllocateVirtualMemory (RW-RX)

and doesn’t need administrative privileges to run.

The work of hasherezade is simply outstanding and will give us material to read and play with for months.

Running Mimikatz with PELoader.exe

https://github.com/hasherezade/pe_to_shellcode
https://github.com/Hagrid29/PELoader