Vulnerability Development mailing list archives

asm shellcode techniques (especially relevant for win32)


From: Franklin DeMatto <franklin.lists () qDefense com>
Date: Tue, 04 Sep 2001 20:47:34 -0400

I am working on an x86/win32 shellcode, using Intel mnemonics and NASM, and have some basic questions:


1) If I want to do a far call, I normally call a pointer to the func.
        example:
        call FUNC
        FUNC: dd 0x74348712

However, I think it can be done directly using a far call to an immediate offset, something like 9a ?? ?? 12 87 34 74
I think the ?? ?? has to do with something called AR byte.

But I can't find, or figure out, exactly how to do this. NASM keeps on telling me something like "far calls aren't relocatable" and refuses to assemble it. Is there a way to get NASM to do it anyway? If not, I can enter the opcodes by hand - what should they be?

2) If I have a string, and I need to append a null afterwards, what is the best way?
eg:
        ebx is 0
        ebp points to beginning of string
        string is 26h bytes long
        I would normally do:
                mov     [ebp+27h], ebx
        this yields opcode:
                89 9D 27 00 00 00, which is obviously not good
        I could do:
                add ebp, 0xffffffd8
                mov [ebp], ebx
                sub ebp, 0xffffffd8
        but this is kind of long
Is there a shorter way to do it, especially since I only need to move one byte? (I don't even need to move it, just make it a 0, so I could use not or xor or something...)

3) Many times, I need to add or subtract by less than 0x7f. I would normally just use add/sub byte xx, but this won't carry, right? In other words, if eax == 0xffffff01 and I try sub byte 3, I'll get eax == 0xfffffffe, which is not what I want,
so I am forced to use sub/add dword, which is much longer.
Likewise, sometimes I want to mov location, byte. But since location is specified by dword, I need to do mov location, dword,
even if I only need a byte.
My question is: is there a shorter way to do all this, or am I forced to use dwords, even though I'm only using bytes?

Also, since I push parameters to the win32 calls, I normally sub from esp so as to not overwrite the code itself. However, if I understood correctly, the excellent lsd-pl paper said that this is not necessary. Is that correct? How is this? Any elaboration would be appreciated.

Thanks,
Franklin


Franklin DeMatto
Senior Security Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
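Added example, not part of the original post or its author's code: a small hand-assembler in C for the two instruction shapes questions 2 and 3 above turn on ("mov [base+disp], reg" and "add/sub r32, imm"), together with the null-byte scan one runs over a payload before it goes into a string. It assumes flat 32-bit mode, no prefixes, and plain [base+disp] addressing (no SIB byte, so no ESP base); the register enum, the function names and the listed instructions are the example's own choices. It shows which encodings NASM-style displacement and immediate selection yields and where the 0x00 bytes come from: a bare [ebp] needs a disp8 of 0x00 because mod=00/rm=101 means "no base", a displacement above 0x7f forces a disp32, and the 0x83 add/sub form takes a sign-extended imm8 that borrows through the whole register.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Register numbers as they appear in the ModRM reg/rm fields (32-bit mode). */
enum { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* Offset of the first 0x00 byte in code[0..n), or -1 if the bytes are
 * null-free. Run this over any payload that travels as a C string. */
int first_null(const uint8_t *code, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (code[i] == 0x00)
            return (int)i;
    return -1;
}

/* Hand-assemble "mov [base+disp], reg": opcode 0x89 for a 32-bit source,
 * 0x88 for an 8-bit source (BL instead of EBX). disp8 is used when the
 * displacement fits a signed byte, as NASM would choose. Two ModRM quirks:
 *   - rm=100 (ESP) needs a SIB byte; not handled here, returns 0.
 *   - mod=00 with rm=101 (EBP) means "disp32, no base", so a bare [ebp]
 *     must be encoded as [ebp+disp8] with disp8 = 0x00.
 * Returns the byte count written (out needs room for 6). */
size_t encode_store(uint8_t *out, int byte_op, int reg, int base, int32_t disp)
{
    if (base == ESP)
        return 0;
    size_t n = 0;
    out[n++] = byte_op ? 0x88 : 0x89;
    if (disp == 0 && base != EBP) {
        out[n++] = (uint8_t)((0 << 6) | (reg << 3) | base);
    } else if (disp >= -128 && disp <= 127) {
        out[n++] = (uint8_t)((1 << 6) | (reg << 3) | base);
        out[n++] = (uint8_t)disp;
    } else {
        out[n++] = (uint8_t)((2 << 6) | (reg << 3) | base);
        for (int i = 0; i < 4; i++)
            out[n++] = (uint8_t)((uint32_t)disp >> (8 * i));
    }
    return n;
}

/* Hand-assemble "add r32, imm" (is_sub = 0) or "sub r32, imm" (is_sub = 1).
 * Opcode 0x83 carries a sign-extended imm8 (3 bytes), 0x81 a full imm32
 * (6 bytes). ModRM.reg holds the /digit: 0 for ADD, 5 for SUB. */
size_t encode_arith(uint8_t *out, int is_sub, int reg, int32_t imm)
{
    size_t n = 0;
    uint8_t modrm = (uint8_t)((3 << 6) | ((is_sub ? 5 : 0) << 3) | reg);
    if (imm >= -128 && imm <= 127) {
        out[n++] = 0x83;
        out[n++] = modrm;
        out[n++] = (uint8_t)imm;
    } else {
        out[n++] = 0x81;
        out[n++] = modrm;
        for (int i = 0; i < 4; i++)
            out[n++] = (uint8_t)((uint32_t)imm >> (8 * i));
    }
    return n;
}

/* Semantics of the 0x83 form: the imm8 is sign-extended to 32 bits before
 * the subtraction, so the borrow runs through the whole register. */
uint32_t sub_imm8(uint32_t eax, int8_t imm)
{
    return eax - (uint32_t)(int32_t)imm;
}

static void show(const char *asm_text, const uint8_t *code, size_t n)
{
    printf("%-24s", asm_text);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", code[i]);
    printf("%s\n", first_null(code, n) < 0 ? "   (null-free)" : "   (NULL byte)");
}

int main(void)
{
    uint8_t b[8];
    size_t n;
    n = encode_store(b, 0, EBX, EBP, 0x27); show("mov [ebp+0x27], ebx", b, n);
    n = encode_store(b, 1, EBX, EBP, 0x27); show("mov [ebp+0x27], bl", b, n);
    n = encode_store(b, 0, EBX, EBP, 0x80); show("mov [ebp+0x80], ebx", b, n);
    n = encode_store(b, 0, EBX, EBP, 0);    show("mov [ebp], ebx", b, n);
    n = encode_arith(b, 1, EAX, 3);         show("sub eax, 3", b, n);
    n = encode_arith(b, 0, EBP, -0x28);     show("add ebp, 0xffffffd8", b, n);
    n = encode_arith(b, 1, EAX, 0x100);     show("sub eax, 0x100", b, n);
    printf("0xffffff01 - 3 via imm8 form = 0x%08x\n", sub_imm8(0xffffff01u, 3));
    return 0;
}
```

Build with any C99 compiler (e.g. `cc -std=c99 -Wall encode.c`). The encoder is deliberately limited to the addressing forms discussed in the post; extending it to SIB-based operands or to the short EAX-only opcodes (0x05/0x2D) is straightforward but not needed to see where the null bytes come from.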

