Malware developers have options as to where they place the payload for their malware within a PE file. The .data and .rdata sections are easy and straightforward choices.
.data
The .data section of a PE file contains initialized global and static variables. .data is readable and writable, which makes decryption and decoding of payloads at runtime easier.
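#include <stdio.h>
#include <Windows.h>
// Initialized, non-const global: the compiler places it in .data
unsigned char shellcode[] = { ... };
int main() {
    // %p expects a void pointer, so cast the array explicitly
    printf("shellcode is at 0x%p\n", (void *)shellcode);
    return 0;
}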
.rdata
Variables defined with the const qualifier are stored in the .rdata section, which is read-only, as the “r” in .rdata indicates.
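#include <stdio.h>
#include <Windows.h>
// const global: the compiler places it in read-only .rdata
const unsigned char shellcode[] = { ... };
int main() {
    // %p expects a void pointer, so cast the array explicitly
    printf("shellcode is at 0x%p\n", (const void *)shellcode);
    return 0;
}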
To view the raw contents of .rdata, you may use dumpbin.exe:
dumpbin.exe /ALL whatever.exe
.text
Payloads can also be stored in the .text section.
#include <stdio.h>
#include <Windows.h>
// Declare the section name, then ask the compiler to allocate the array in it
#pragma section(".text")
__declspec(allocate(".text")) const unsigned char shellcode[] = {...};
int main() {
    // %p expects a void pointer, so cast the array explicitly
    printf("shellcode is at 0x%p\n", (const void *)shellcode);
    return 0;
}
The .text section is executable, which is convenient because memory region permissions do not need to be modified. This is very useful for small payloads.
.rsrc
Larger payloads can be stored as a resource in the .rsrc section of a PE file. Large payloads stored in .data or .rdata may run into size limits and cause errors during compilation.
To add a resource in Visual Studio:
1. Right-click on “Resource Files”, then click “Add” -> “New Item”.
2. Select “Resource File”.
3. In the new sidebar, “Resource View”, right-click on the newly created .rc file and choose “Add Resource”.
4. Click “Import”.
5. Select your payload. Renaming the payload as .ico or .bmp or something similar may help it blend in and not raise suspicion.
6. Enter “RCDATA” as the resource type.
7. Click “OK”.
Resources cannot be directly accessed and must be moved into a buffer. Resources can be accessed with the following WinAPI functions:
- FindResourceW
- LoadResource
- LockResource
- SizeofResource
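From the analysis side, an encrypted or encoded blob stored in any of the sections above tends to raise that section's byte entropy. The following is an added triage example, not code from the original page: it parses the PE section table and reports per-section entropy; the 7.0 cutoff and the two-section sample image are constructed assumptions.

```python
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed triage cutoff in bits per byte, tune per environment

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def section_report(pe: bytes):
    """Return (name, raw_size, entropy, flagged) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                          # first section header
    rows = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]              # slice tolerates truncated files
        h = entropy(raw)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), len(raw), round(h, 2), h >= ENTROPY_THRESHOLD))
    return rows

def build_sample() -> bytes:
    """Constructed two-section image: .text is filler, .data is uniform bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)
    bodies = [(b".text", b"\x90" * 512), (b".data", bytes(range(256)) * 2)]
    offset = 64 + 4 + 20 + 40 * len(bodies)
    headers = b""
    for name, body in bodies:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), 0, len(body), offset, 0, 0, 0, 0, 0)
        offset += len(body)
    return dos + b"PE\0\0" + coff + headers + b"".join(b for _, b in bodies)

if __name__ == "__main__":
    for row in section_report(build_sample()):
        print(row)
```

High entropy is only a heuristic: compressed images and other legitimate resources in .rsrc also score high, so a flagged section is a reason to look closer rather than a verdict.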