Dailydave mailing list archives

Re: Stealth.


From: "Andrew R. Reiter" <arr () watson org>
Date: Mon, 19 Sep 2005 21:17:12 -0400 (EDT)

On Mon, 19 Sep 2005, Dave Aitel wrote:

:
:Here's another shellcode paper for people who like that sort of thing:
:http://www.ngssoftware.com/papers/WritingSmallShellcode.pdf
:
:It's good, although it will fail on certain 2k/XP configurations with a . in
:the pathname. To correct it, might need some more bytes to do a getsystemdir
:and strcpy, etc. I have some really non-optimized code in Shellcoder's that
:does that. I would also have added a 7. Consider using a special purpose
:assembler that brute forces the smallest way to assemble it.
:
:If everyone knows what you look like, your only option for stealth is to try to
:make everyone look like you.
:
:-dave

This is a good one, especially since schemes like this have been seen in 
the wild (MS05-038 COM object overflows). 

I think the commonly seen code utilizing that scheme has been doing this 
(post decode):
        - Load urlmon.dll
        - Locate URLDownloadToFileA
        - ... download ...
        - WinExec()

But who knows :) So many things to do :)


-------------------------------------------------------------
  "Natural bridges on a clean west swell,
     Break over the reef like a bat out of hell." -- Sublime.
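The staging chain Andrew lists (load urlmon.dll, resolve URLDownloadToFileA, fetch a file, hand it to WinExec) leaves recognizable strings in a payload once it has been decoded. The following is an added example, not code from the thread or from either poster: a small static heuristic that checks a decoded buffer for all three markers and pulls out the download URL as an indicator. The marker patterns, function names and the sample payload bytes are my own constructions; the URL in the sample is a placeholder. It only applies post-decode, and it will miss payloads that resolve imports by hash rather than by name.

```python
import re

# Markers for the download-and-execute staging chain described in the post.
# Matched over raw bytes, case-insensitively, because casing varies between
# samples. These patterns are an assumption for this example, not a signature
# taken from the thread.
STAGE_MARKERS = {
    "load_urlmon": re.compile(rb"urlmon(?:\.dll)?", re.IGNORECASE),
    "download": re.compile(rb"URLDownloadToFile[AW]?", re.IGNORECASE),
    "execute": re.compile(rb"WinExec", re.IGNORECASE),
}

# A URL runs until the first NUL, space or other non-printable byte.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_stages(buf: bytes) -> dict:
    """Return {marker_name: byte offset} for every marker present in buf."""
    found = {}
    for name, pattern in STAGE_MARKERS.items():
        match = pattern.search(buf)
        if match:
            found[name] = match.start()
    return found


def is_download_exec_stager(buf: bytes) -> bool:
    """True only when the whole chain (loader, download API, exec API) is present."""
    return len(find_stages(buf)) == len(STAGE_MARKERS)


def extract_urls(buf: bytes) -> list:
    """Pull candidate download URLs out of the buffer as indicators for IR."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(buf)]


# Constructed sample: a decoded buffer laid out like the chain in the post.
# Offsets: urlmon.dll at 8, URLDownloadToFileA at 19, URL at 38, WinExec at 72.
SAMPLE_STAGER = (
    b"\x90" * 8
    + b"urlmon.dll\x00"
    + b"URLDownloadToFileA\x00"
    + b"http://example.invalid/stage2.exe\x00"  # placeholder URL
    + b"WinExec\x00"
    + b"\xcc" * 4
)

# Constructed benign-looking buffer: common imports, but no download/exec chain.
SAMPLE_BENIGN = b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"


if __name__ == "__main__":
    for label, buf in (("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN)):
        print(label, is_download_exec_stager(buf), find_stages(buf), extract_urls(buf))
```

Requiring all three markers keeps the false-positive rate down on ordinary binaries that happen to import urlmon.dll; a single marker is a weak signal on its own. The offsets are reported rather than enforced in a fixed order, since string placement in a payload need not follow execution order.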

