Dailydave mailing list archives
Re: Shellcode
From: Isaac Dawson <isaac.dawson () gmail com>
Date: Wed, 30 Nov 2005 10:44:30 +0800
Hi Pedro,

You may be better off creating a hash table of function names and inserting hashing code into your shellcode. That is of course if you are looking up a lot of strings/function addresses etc. Although it may not be the best solution, I find it really easy to read and look at to create a string/hash section in your shellcode (I put mine at the bottom of the code). So we have something like:

    startup:
        call fwd
        inc ebx
        inc ebx                     ; now we have the exact address to the __emit junk.
        mov [ebp+someoffset], ebx   ; store our address on the stack so we can work with it easier
    fwd:
        call get_data_offset
    get_data_offset:
        pop ebx                     ; this gives our current location due to popping the last return address from the stack
        ret
        __emit(your stuff)
        __emit(some more of your stuff)

Look around the net for hashing algorithms; there are plenty out there. (Some better than others!) Or just create your own, it's not too hard and you can get it really small, 2 bytes is better than 4 :).

Hope this helps,
-Isaac

On 11/30/05, Alexander Sotirov <asotirov () determina com> wrote:
> Pedro E wrote:
> > LibraryReturn:
> >     pop ecx                 ; get the library string
> >     mov [ecx + 10], dl      ; MY PROBLEM is this line. I don't have the right permissions to modify the NULL value and finish the string
> >     mov ebx, 0x79470221     ; LoadLibraryA(libraryname);
> >     push ecx                ; beginning of user32.dll
> >     call ebx                ; eax will hold the module handle
> >     jmp short FunctionName
> >     xxx
> >     ..
> >     ..
> > GetLibrary:
> >     call LibraryReturn
> >     db 'user32.dllN'
>
> Just put the string on the stack:
>
>     push 0x5f5f6c6c         ; 'll__'
>     push 0x642e3233         ; '32.d'
>     push 0x72657375         ; 'user'
>     call LibraryReturn
> LibraryReturn:
>     lea ecx, [esp+4]        ; esp+4 points to the string "user32.dllXX"
>     mov [ecx + 10], dl      ; the string is on the stack, so you can write the null terminator
>
> or even better:
>
>     xor eax, eax
>     mov ax, 0x6c6c
>     push eax                ; 'll\0\0'
>     push 0x642e3233         ; '32.d'
>     push 0x72657375         ; 'user'
>     call LibraryReturn
>
> Alex
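The stack-string trick Alex describes is easy to get backwards (push order and little-endian byte order both reverse), so here is a small decoder, added as an example and not code from the thread, that lays out the pushed immediates from his two snippets the way they sit in memory and checks where LoadLibraryA would stop reading; the dword lists are copied from his post and the helper names are my own.

```python
import struct

# Immediates taken from Alex's snippets, listed in program (push) order.
PUSHES_PATCHED = [0x5f5f6c6c, 0x642e3233, 0x72657375]   # 'll__', '32.d', 'user'
PUSHES_ZEROED = [0x00006c6c, 0x642e3233, 0x72657375]    # 'll\0\0', '32.d', 'user'


def stack_string(pushes):
    """Return the bytes as they sit in memory after the pushes.

    Each push lowers esp by 4, so the dword pushed last ends up at the lowest
    address, and within a dword x86 stores the bytes little-endian.  Reversing
    the push order and packing each value '<I' therefore reproduces what
    [esp] points at when the last push is done.
    """
    return b"".join(struct.pack("<I", v) for v in reversed(pushes))


def terminate_at(buf, index, value=0):
    """Model `mov [ecx + index], dl` on the stack copy (dl assumed to hold value)."""
    out = bytearray(buf)
    out[index] = value
    return bytes(out)


def c_string(buf):
    """Read the buffer the way a C API such as LoadLibraryA does: up to the first NUL."""
    end = buf.find(b"\0")
    return buf if end < 0 else buf[:end]


if __name__ == "__main__":
    first = stack_string(PUSHES_PATCHED)
    print(first, "->", c_string(terminate_at(first, 10)))   # no NUL until byte 10 is patched
    second = stack_string(PUSHES_ZEROED)
    print(second, "->", c_string(second))                    # already terminated
```

The first layout only becomes a valid C string after the byte at offset 10 is written, which is exactly why Pedro's `db` in a read-only code page failed and the stack copy does not.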
Current thread:
- Shellcode Pedro E (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
- Re: Shellcode Alexander Sotirov (Nov 29)
- Re: Shellcode Isaac Dawson (Nov 29)
- Re: Shellcode Dave Aitel (Nov 29)
- Re: Shellcode H D Moore (Nov 29)
- Re: Shellcode halvar (Nov 30)
- RE: Shellcode Dafydd Stuttard (Nov 30)
- Re: Shellcode halvar (Nov 30)
- Re: HOLY GOD WE ARE SO OLD Matt Hargett (Nov 30)
- Re: Shellcode Isaac Dawson (Nov 29)
- Re: Shellcode halvar (Nov 30)
- Re: Shellcode Dustin D. Trammell (Nov 30)
- RE: Shellcode Dave Korn (Nov 30)
- RE: Shellcode Dave Korn (Nov 29)
- <Possible follow-ups>
- Fwd: RE: Shellcode H D Moore (Nov 30)