Shellcode injection has been around for a long time and usually utilizes four standard windows API calls:

1. VirtualAlloc() is used to allocation a RWX memory page to hold the shellcode
2. RtlMoveMemory() (or some other low-level copy function) is used to copy the shellcode bytes into the region reserved by VirtualAlloc()
3. CreateThread() is used to create a thread within the virtual address space of the calling process
4. WaitForSingleObject() is used to wait until the thread exits

Since the Metasploit .dll is built to be reflectively injectable using Stephen Fewer’s awesome work, we can use the same process to inject the .dll into memory. If we make a few more tweaks, we can build a pure Metasploit stager without resorting to shellcode. Egypt did a great job describing how the Metasploit stager works :

1. establish a socket connection to the Metasploit handler
2. read a 4-byte length
3. allocate a (length-byte + 5) buffer, mark it as writable and executable
4. at buffer[0], write some assembly that stores the current socket ID of the connection in the EDI register
5. at buffer[1:4] store the int value of the current socket ID
6. read length bytes from the connection from the pipe into buffer[5…] (this is the meterpreter .dll)
7. invoke call the shellcode blob with the VirtualAlloc() pattern or void pointer casting
8. the meterpreter .dll now uses the already-established socket for communication, avoiding an additional connect back

Raphael Mudge did a great post a bit ago talking about building these types of loaders, and we stumbled upon his stager code a while back and adapted the code for Veil-evasion. For today’s V-Day, we’re releasing a traditional and psexec-able service versions of this c-stager in Veil-evasion v.2.2.0 under c/meter_rev_tcp and c/meter_rev_tcp_service. We’ve implemented some basic randomization and method obfuscation to decrease detection.

Have fun :)