What is going on when running "msfvenom"?

Hello everyone!!

I always generate payload with “msfvenom”.
But I don’t know what happens while running “msfvenom”
I read payload modules (e.g. shell_reverse_tcp.rb) and generated payload files decompiled with ghidra, but I have no idea what is going on because I’m beginner in programming.
So please tell me what functions and information are attached while generating payload or nice website explained how to make payload file if you know.

(Maybe you are difficult to read my sentence because I’m not native English speaker. Thank you)

I’m not sure what you’re asking for here but I’ll give you two replies based off what I think it might be, lol.

1.) You can see what some of the payloads are doing by keeping them raw and not piping or directing to a file. Or just read the file lol.

2.) Almost every flag has a list function. This can help break down all the options for each one. Anything between that just do a search. Offsec probably has a solid resource on their website covering it.

For instance -l payloads will list all the payload options. Just tinker around with it most of it is self explained but a few things are not I suppose.

bad chars for instance are used when doing shell code or Buffer Overflows.

Do either of these cover your request?

Though I couldn’t convey my question well,thank you two for answering my question.

I don’t wanna use any tools without understaing what happens inside programs.
That’s why I asked the question.

Anyway,I’d like to study how to write shell code by reading raw payload and shell code on the web.
I appreciate your help. I can see a silver lining to understand “msfvenom”.

On a very high level, msfvenom has a bunch of templates that get filled with the according parameter values (LHOST, LPORT, etc.). Those templates include shellcode, serialized Java/Ruby/Python/whatever, ans several different scripts (php, python, etc.)

There are 2 types of shellcode templates: staged and stageless.
Stageless payloads are self-contained. This means that everything it needs to e.g. create a meterpreter shell, is included. Those payloads are rather large, since they have to include all required code.
Staged payloads contain only a minimal stub. This stub is establishing a connecting to the attacker (in case of a reverse shell, for bind shells it provides a stub that waits for connection). Once the connection is established, the stub downloads the actual payload code (e.g. a meterpreter shell) and then executes it.

In addition to “plain shellcodes”, there are several encoders which allow bypassing bad characters, and (sometimes) evade anti-virus detection.

The actual generation of shellcode (and other payloads) can be found by checking the metasploit core library metasploit-framework/lib/msf/core/payload at 76954957c740525cff2db5a60bcf936b4ee06c42 · rapid7/me