January 12

Webinar takeaway – Shellcode Execution with Python


teaser for this Webcast, which made me attend

Imagine you are pen testing a company and gain access to a Windows application server. You discover the server has application allow listing deployed, and strong EDR/XDR defensive solutions. To your excitement, you find there is a Python interpreter installed. It would be really great if you could use that Python interpreter to execute your favorite C2 framework shellcode and use all of your normal hacking toolsets to continue your work. With a little bit of coding work, you can! In this Black Hills Information Security (BHIS) webcast, you will learn exactly how to achieve your goal of shellcode execution with Python.

My key takeaways

  • Having a python interpreter installed on a Windows Application Server is an additional security risk, as it allows the attacker to create a C2 channel without using any exe (which might be detected by EDR)
    • disable Microsoft Store to avoid LOTL
    • file
  • ctypes buildin Python3 lib provides C compatible data types and allows DLL function calling
  • the NTDLL.dll, which is not really documented, might help overcome the barrier between usermode and kernel mode
  • Its easy to crash the interpreter when calling C functions in a DLL if passed incompatible Python-types as arguments
    • using wintypes might help to avoid
  • Remote process injection is often detected by EDR/XDR. Creating a thread within the Python process itself is preferred.
    • Basic steps to follow:
      • Allocate some memory
      • Copy the shellcode to the allocated memory
      • Create the thread with the starting address of the allocated memory
      • Wait on the thread
  • You can reduce the to getting busted by adding english words or NULLs to your script
  • Memory scanners looking for virtual mem not backed by disk image.
    • Use heap in same process
    • Make new thread base address “look” legit.
  • Evaluate if Python3 process is 64 bit or 32 bit: echo(sys.maxsize == 2 ** 63 - 1) or plattform.architecture() (mod import required)


additional links

User comments


Shellcode Execution with Python | Joff Thyer | 1-Hour


C2, python, shellcode

You may also like

Webinar takeaway – The Ins and Outs of RITA

Webinar takeaway – The Ins and Outs of RITA

Webinar takeaway – Malware of the Day

Webinar takeaway – Malware of the Day
Leave a Reply

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit markiert.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}