magic_mz_x86 and magic_mz_x64
Last updated 3 years ago

Background

Well, this is going to be a very short blog post. magic_mz_x86 and magic_mz_x64 are two Malleable C2 profile values that can be set since Cobalt Strike 2.4.3. I haven't seen anyone talk about them or about what the possible values are. I have searched the internet for anyone using a different set of values, and no one has ever published this. So here I'll publish some details about it.

Why Change these values?

The magic_mz_x86 and magic_mz_x64 options live in the "stage" block of a Cobalt Strike Malleable C2 profile. They change the MZ bytes of the PE header in the shellcode you generate from Cobalt Strike (staged or stageless). The Cobalt Strike blog post gives basic information on how to change these values: you provide a set of 2 (for x64) or 4 (for x86) assembly instructions, with the condition that the instructions combined must amount to a no-operation. For example:

inc eax
dec eax

The two instructions above, combined, result in a no-operation.

How to change values?

The default values, as given in the Cobalt Strike blog post, are as follows:

Here is a generic approach to changing these values.

For x86 - magic_mz_x86

For x86 we have to write 4 instructions (which together result in a NOP) to fill the 4-byte space taken by MZRE. You can use any four x86 instructions that encode to 4 bytes in total and net to a no-operation. This is how MZRE is created:

bits 32
section .text
global _start
_start:
 dec ebp   ; 0x4D 'M'
 pop edx   ; 0x5A 'Z'
 push edx  ; 0x52 'R'
 inc ebp   ; 0x45 'E'

If you assemble the above and hexdump the output, you will see MZRE.

To modify it, change these 4 instructions to any instructions with a total length of 4 bytes. For example:

bits 32
section .text
global _start
_start:
 dec eax   ; 0x48 'H'
 inc eax   ; 0x40 '@'
 dec ebx   ; 0x4B 'K'
 inc ebx   ; 0x43 'C'

As mentioned above, you can now set magic_mz_x86 to "H@KC".

For x64 - magic_mz_x64

Similarly, for x64 you need two instructions to fill the 4-byte space. You can use something like:

bits 64
section .text
global _start
_start:
 pop r9    ; 0x41 0x59 'AY'
 push r9   ; 0x41 0x51 'AQ'

Assembling this gives the following:

Now AYAQ can be used as the value of magic_mz_x64.

What is the actual difference now

The difference is actually visible when you dump the stageless raw shellcode: you can see the MZ header change, which helps evade EDR.

With the default profile as below:

The following is the dump of the stageless payload:

Now, if we change the profile values to custom values, you can see the difference:
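As an added example (not code from the post), the following Python decodes a candidate magic_mz value using the same single-byte inc/dec/push/pop alphabet the post relies on, checks symbolically that the sequence nets to a no-op (stack unchanged, every inc matched by a dec) while reporting any register the pop/push pair still reloads, and, from the defender's side, flags a DOS header that no longer starts with MZ while its e_lfanew still points at a PE signature. The register naming, the constructed entry stack and the detection heuristic are assumptions of this example, not Cobalt Strike's own code.

```python
import struct
# Added example, not from the post. Byte alphabet: 0x40-0x4F inc/dec r32, 0x50-0x5F
# push/pop r32; in 64-bit mode 0x40-0x4F is instead a REX prefix before push/pop.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["r" + n[1:] for n in REGS32] + ["r%d" % k for k in range(8, 16)]

def decode_magic(magic, x64):
    """Decode a magic_mz byte string into [(mnemonic, register)], or None."""
    ops, i = [], 0
    while i < len(magic):
        b, rex_b = magic[i], 0
        if x64 and 0x40 <= b <= 0x4F:          # REX prefix; REX.B selects r8-r15
            i, rex_b = i + 1, (b & 1) * 8
            if i >= len(magic) or not 0x50 <= magic[i] <= 0x5F:
                return None
            b = magic[i]
        if 0x40 <= b <= 0x4F:                  # only reachable in 32-bit mode
            ops.append(("inc" if b < 0x48 else "dec", REGS32[b & 7]))
        elif 0x50 <= b <= 0x5F:
            reg = REGS64[(b & 7) + rex_b] if x64 else REGS32[b & 7]
            ops.append(("push" if b < 0x58 else "pop", reg))
        else:
            return None                        # outside the simple no-op alphabet
        i += 1
    return ops

def check_noop(ops):
    """Symbolic run -> (usable, clobbered): stack unchanged and inc/dec balanced; regs reloaded anyway."""
    regs, stack = {}, [("s%d" % k, 0) for k in range(8)]   # constructed entry stack
    orig = list(stack)
    for op, r in ops:
        base, delta = regs.get(r, (r, 0))
        if op == "inc":    regs[r] = (base, delta + 1)
        elif op == "dec":  regs[r] = (base, delta - 1)
        elif op == "push": stack.append((base, delta))
        elif stack:        regs[r] = stack.pop()
        else:              return False, set()
    balanced = all(d == 0 for _, d in regs.values())
    return stack == orig and balanced, {r for r, v in regs.items() if v != (r, 0)}

def magic_is_usable(magic, x64):  # the post's condition: 4 bytes that net to a no-op
    ops = decode_magic(magic, x64) if len(magic) == 4 else None
    return ops is not None and check_noop(ops)[0]

def pe_with_custom_magic(blob):
    """Detection angle: no MZ at offset 0, yet e_lfanew (0x3C) still points at 'PE\\0\\0'."""
    if len(blob) < 0x44 or blob[:2] == b"MZ": return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0": return False
    return magic_is_usable(blob[:4], False) or magic_is_usable(blob[:4], True)
```

Running check_noop on the default MZRE shows it is stack-neutral but reloads edx from the stack, which is why the looser "no-operation" wording in the post is enough for a shellcode entry point.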

Thanks

Thanks to @vysecurity for guidance and motivation.

References

https://www.cobaltstrike.com/help-malleable-postex

Figures on the original page (images not preserved in this copy):
  • Profile with default magic_mz values
  • Exporting raw shellcode of the unmodified profile
  • Hexdump of default stageless x86 shellcode
  • Hexdump of default stageless x64 shellcode
  • Changing default values of magic_mz
  • Exporting raw shellcode after modifying the profile
  • Hexdump of modified stageless x64 shellcode
  • Hexdump of modified stageless x86 shellcode