Penetration Testing mailing list archives
Re: pen testing & obfuscated shell code
From: "Don Parker" <dparker () rigelksecurity com>
Date: Fri, 13 Feb 2004 08:38:53 -0500 (EST)
Hello Karsten, I see upon re-reading my comments below that they are a little confusing. What I meant is that you can substitute the 0x90 for say 0x41 (which equates to "A") Yes you are also quite correct, as well you can also use 2 byte opcodes. Cheers! Don ------------------------------------------- Don Parker, GCIA Intrusion Detection Specialist Rigel Kent Security & Advisory Services Inc www.rigelksecurity.com ph :613.249.8340 fax:613.249.8319 -------------------------------------------- On Feb 12, Karsten Johansson <ksaj () penetrationtest com> wrote: In-Reply-To: <200402101324.i1ADOEFc005524 () webmail2 magma ca> Greetings,
There is no shortage of 1 byte functions for use, problem is to make it still works after.
I made a paper about a similar topic in 1993 which is available here: <a href='http:// www.penetrationtest.com/computer_viruses/Byte%20Substitutions%20for%20Intel% 20Opcodes.pdf'>http://www.penetrationtest.com/computer_viruses/Byte%20Substitutions% 20for%20Intel%20Opcodes.pdf</a> The story behind this (which may be useful to those looking for new ways to make nop sleds) is that there are at least 2 ways of producing the same opcodes on Intel systems. As an example (and the document is a huge list of examples) is: ADD AX,BX can be either 03h C3h or 01h D8h. All of the examples that I put in the paper are 2-byte opcodes, but if you follow the method I did for finding these opcode equivelants, a nice list of single-digit opcodes can probably be found. I didn't feel like making a thorough list of every possible intel opcode, although I may do this one day. Incidentally, I did this experiment when I was playing with virus encryption engines, and then later for watermarking binary executable files, and then later again as a form of stego using binary executable files. Nice to see there may be yet another use for this idea.
It is simple to just use an ascii character as well,
Not true. All ASCII characters result in opcodes. If you were to do this, the system will probably crash. Besides, if this worked, the concept of a nop sled wouldn't be necessary in the first place. Laters, Karsten Johansson www.PENETRATIONTEST.com --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: <a href='http://www.astaro.com/php/contact/securityfocus.php'>http://www.astaro.com/php/ contact/securityfocus.php</a> ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php ----------------------------------------------------------------------------
Current thread:
- Re: pen testing & obfuscated shell code Don Parker (Feb 11)
- Re: pen testing & obfuscated shell code Dragos Ruiu (Feb 13)
- <Possible follow-ups>
- Re: pen testing & obfuscated shell code Marius Huse Jacobsen (Feb 11)
- Re: pen testing & obfuscated shell code Karsten Johansson (Feb 12)
- Re: pen testing & obfuscated shell code Don Parker (Feb 16)