An obfuscation technique that hides a payload inside a resource file, in two possible formats:
- ICO: conversion of a binary file into an .ico file (without the ICO header), which is then loaded with the NtMapViewOfSection technique.
- BITMAP: creation of a bitmap file, injection of the payload binary into that file, and loading of the result with the NtMapViewOfSection technique.
[Diagram: "Binary shellcode..." converted into the resource file]
- Use `Inconvert.exe` with the shellcode .bin file as argument and an output file name with the .ico extension.
- Load this output file in `Ico.cpp` as a resource in Visual Studio, like this:
This looks like the ICO method, but in this case we create a bitmap file or reuse an existing one.
- Use `CreateBitmap.exe`; this executable creates a bitmap file.
- Use `BitmapInsert.exe` with the .bmp file and the binary file as arguments. This injects the encoded shellcode into the bitmap file.
- Load this output file in `BMP.cpp` as a resource.
Note
The bitmap method is more OPSEC-friendly because it does not alter the bitmap to the point of making it unreadable: the image can still be viewed, since the shellcode is simply appended at the end of the file between delimiters. I have left it that way on purpose so you can decide how to integrate the payload yourself; you could split it into several pieces or embed it in the middle of the file.
For both methods I also added a service variant of the ICO and bitmap techniques. This lets you run the payload as a service, so you can start it, stop it, and so on:
```
sc create serviceBmpICO binPath= C:\THIS\IS\THE\PATH\OF.exe start= demand
sc start serviceBmpICO
```
(use `start= demand` or `start= auto` as needed)
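From the defender's side, the two formats above leave simple structural traces: an .ico produced "without the header" lacks the ICONDIR that every real icon starts with, and a bitmap with a payload appended after its pixel data is longer than its own header declares. The following is an added example, not code from this project, that checks both; the sample files it inspects are constructed inline.

```python
"""Added example: structural checks for the resource tricks described above."""
import struct


def bmp_trailing_bytes(data: bytes) -> int:
    """Bytes present after the end of the declared pixel data (0 for a clean file).

    Only uncompressed BITMAPINFOHEADER (BI_RGB) bitmaps are handled. The size is
    derived from the image geometry; bfSize is deliberately not trusted because
    an attacker can set it to cover appended data."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", data, 10)[0]
    bi_size, width, height = struct.unpack_from("<Iii", data, 14)
    bit_count, compression = struct.unpack_from("<HI", data, 28)
    if bi_size < 40 or compression != 0:  # 0 == BI_RGB
        raise ValueError("unsupported DIB header or compressed image")
    stride = ((width * bit_count + 31) // 32) * 4  # rows are 4-byte aligned
    expected_end = off_bits + stride * abs(height)  # height < 0 means top-down
    return max(0, len(data) - expected_end)


def ico_header_ok(data: bytes) -> bool:
    """True if data starts with a plausible ICONDIR (reserved=0, type=1, count>=1)."""
    if len(data) < 6:
        return False
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    return reserved == 0 and img_type == 1 and count >= 1


def make_bmp(width: int, height: int, extra: bytes = b"") -> bytes:
    """Build a minimal 24-bit BI_RGB bitmap (constructed test input), optionally
    with bytes appended after the pixel data, as the bitmap method does."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = bytes(stride * height)
    off_bits = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", off_bits + len(pixels), 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + extra


CLEAN_BMP = make_bmp(3, 2)
# Constructed stand-in for an image with data appended between delimiters.
TAMPERED_BMP = make_bmp(3, 2, b"<<START>>" + bytes(range(32)) + b"<<END>>")
# A real icon header versus the header-less ".ico" the ICO method produces.
REAL_ICO = b"\x00\x00\x01\x00\x01\x00" + bytes(16)
HEADERLESS_ICO = bytes(range(6)) + bytes(16)
```

Run the checks over the resource files of a suspect binary; a .ico that fails `ico_header_ok` or a .bmp with a non-zero trailing count is worth pulling for inspection.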
Note
Based on RedefiningReality's repo: https://github.com/RedefiningReality/Cobalt-Strike
Respect to him.