What is a Shellcode Loader?

A Shellcode Loader is a small program that takes raw shellcode (read from a file or, as in the example below, embedded in the binary itself), places it in the memory (RAM) of a running process and executes it from there.

Loader’s responsibilities

  1. Allocating memory: reserve a region of process memory large enough for the shellcode
  2. Copying shellcode: write the shellcode bytes into that region
  3. Executing shellcode: transfer control to the start of the region

Shellcode Loader example (written in C using the Windows API):

[image: annotated C source of the loader; yellow box = shellcode array, red box = allocate/copy/execute code]

Yellow box: the shellcode, stored as a byte array that ends up in the .data section of the compiled binary. In this example it is msfvenom output that launches the Windows Calculator.

Red box: first we need to know how large a region to allocate, which is simply the size of the shellcode array. Then the region is allocated with the VirtualAlloc Windows API (a user-mode function that wraps the NtAllocateVirtualMemory system call, not a system call itself):

[image: VirtualAlloc prototype and parameters]


In this VirtualAlloc call the first argument (the preferred base address) is NULL, so the system chooses where the region goes; the second is the size, bufsize. MEM_COMMIT | MEM_RESERVE reserves the address range and commits backing storage in a single step, so the pages are usable immediately. The last argument, PAGE_EXECUTE_READWRITE, gives the region read, write and execute permission at the same time: write permission is needed to copy the shellcode in, execute permission to run it from there.

<aside> ⚠️

This is an IOC: a private memory region that is writable and executable at the same time (RWX) is an anomaly, since legitimate code almost never needs it, so EDR products and memory scanners flag such allocations. The common mitigation is to allocate the region as read/write, copy the shellcode, then switch it to read/execute with VirtualProtect (W^X); the RW-to-RX transition can itself be monitored, but it removes the permanently RWX page.

</aside>

Then the shellcode is copied into the allocated region with memcpy and the original buf is zeroed, so that only one copy of the shellcode remains in process memory (the copy in the binary's .data section on disk is unaffected). Note that a plain memset on a buffer that is never read again can be removed by the optimizer; use SecureZeroMemory or a volatile write if the wipe matters.

Finally the shellcode is executed by starting a new thread whose start address is the allocated region, using the CreateThread Windows API. The main thread should then wait on the thread handle with WaitForSingleObject, otherwise the process may exit before the shellcode has finished running.