Dailydave mailing list archives

Re: Shellcode


From: Isaac Dawson <isaac.dawson () gmail com>
Date: Wed, 30 Nov 2005 10:44:30 +0800

Hi Pedro,
You may be better off creating a hash table of function names and inserting
hashing code into your shellcode. That is of course if you are looking up a
lot of strings/function addresses etc. Although it may not be the best
solution, I find it really easy to read and look at to create a string/hash
section in your shellcode (I put mine at the bottom of the code). So we have
something like:
startup:
  call fwd
  inc ebx
  inc ebx ; now we have the exact address to the __emit junk.
  mov [ebp+someoffset], ebx ; store our address on the stack so we can work with it easier

fwd:
  call get_data_offset

get_data_offset:
  pop ebx ; this gives our current location due to popping the last return address from the stack
  ret
  __emit(your stuff)
  __emit(some more of your stuff)


Look around the net for hashing algorithms; there are plenty out there. (Some
better than others!)
Or just create your own, it's not too hard and you can get it really small, 2
bytes is better than 4 :).
Hope this helps,
-Isaac

On 11/30/05, Alexander Sotirov <asotirov () determina com> wrote:

Pedro E wrote:

LibraryReturn:
      pop ecx                         ;get the library string
      mov [ecx + 10], dl              ;MY PROBLEM is this line, I don't have the right permissions to modify the NULL value and finish the string
      mov ebx, 0x79470221             ;LoadLibraryA(libraryname);
      push ecx                        ;beginning of user32.dll
      call ebx                        ;eax will hold the module handle
      jmp short FunctionName
xxx
..
..
GetLibrary:
      call LibraryReturn
      db 'user32.dllN'

Just put the string on the stack:

push 0x5f5f6c6c             ; 'll__'
push 0x642e3233             ; '32.d'
push 0x72657375             ; 'user'
call LibraryReturn

LibraryReturn:
    lea ecx, [esp+4]        ; esp+4 points to the string "user32.dllXX"
    mov [ecx + 10], dl      ; the string is on the stack, so you can write the null terminator


or even better:

xor eax, eax
mov ax, 0x6c6c              ; ax = 'll', upper half of eax stays zero
push eax                    ; 'll\0\0'
push 0x642e3233             ; '32.d'
push 0x72657375             ; 'user'
call LibraryReturn



Alex
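
As an added example for the stack-string trick in Alex's reply (this is not code from the thread or from either author): a small Python scanner that recovers text which x86 code builds with consecutive `push imm32` instructions, the kind of thing an analyst runs over a captured payload to spot library and function names. The sample bytes are hand-assembled here, and the `call` displacement is a zero placeholder.

```python
PUSH_IMM32 = 0x68  # x86 opcode byte for `push imm32`


def decode_pushed_strings(code: bytes, min_len: int = 4):
    """Return (offset, string) for every run of `push imm32` that stacks text.

    Pushes grow the stack downward, so the dword pushed LAST ends up at the
    lowest address and is read first: the run is reversed before joining.
    Each imm32 is little-endian, so its bytes are already in memory order.
    A trailing dword loaded through a register (the `mov ax, ...; push eax`
    variant) is not a push imm32 and is deliberately left out of the run.
    """
    found = []
    i = 0
    while i < len(code):
        run = []
        while i + 5 <= len(code) and code[i] == PUSH_IMM32:
            run.append(code[i + 1:i + 5])  # raw little-endian immediate
            i += 5
        if not run:
            i += 1
            continue
        text = b"".join(reversed(run)).split(b"\x00", 1)[0]  # stop at NUL
        if len(text) >= min_len and all(0x20 <= c < 0x7F for c in text):
            found.append((i - 5 * len(run), text.decode("ascii")))
    return found


# Constructed sample (hand-assembled, not taken from the thread): the three
# pushes of the first variant in Alex's reply, followed by the call and the
# `lea ecx, [esp+4]`; the call's rel32 is a zero placeholder.
SAMPLE = bytes([
    0x68, 0x6C, 0x6C, 0x5F, 0x5F,  # push 0x5f5f6c6c ; 'll__'
    0x68, 0x33, 0x32, 0x2E, 0x64,  # push 0x642e3233 ; '32.d'
    0x68, 0x75, 0x73, 0x65, 0x72,  # push 0x72657375 ; 'user'
    0xE8, 0x00, 0x00, 0x00, 0x00,  # call LibraryReturn (placeholder rel32)
    0x8D, 0x4C, 0x24, 0x04,        # lea ecx, [esp+4]
])

if __name__ == "__main__":
    for offset, s in decode_pushed_strings(SAMPLE):
        print(f"{offset:#06x}: {s!r}")  # 0x0000: 'user32.dll__'
```

Note that the `mov ax, 0x6c6c; push eax` variant only yields "user32.d" to this scanner, since the final dword never appears as an immediate; the printable-run check still flags it.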

