Nytro

Understanding Windows Shellcode

skape

mmiller a hick.org

Last modified: 12/06/2003

Contents

1 Foreword
2 Introduction
3 Shellcode Basics
  3.1 System Calls
  3.2 Finding kernel32.dll
    3.2.1 PEB
    3.2.2 SEH
    3.2.3 TOPSTACK
  3.3 Resolving Symbol Addresses
    3.3.1 Export Directory Table
    3.3.2 Import Address Table (IAT)
4 Common Shellcode
  4.1 Connectback
  4.2 Portbind
5 Advanced Shellcode
  5.1 Download/Execute
6 Staged Loading Shellcode
  6.1 Dynamic File Descriptor Re-use
  6.2 Static File Descriptor Re-use
  6.3 Egghunt
  6.4 Egghunt (syscall)
  6.5 Connectback IAT
7 Conclusion
8 Detailed Shellcode Analysis
  8.1 Finding kernel32.dll
    8.1.1 PEB
    8.1.2 SEH
    8.1.3 TOPSTACK
  8.2 Resolving Symbol Addresses
    8.2.1 Export Table Enumeration
  8.3 Common Shellcode
    8.3.1 Connectback
    8.3.2 Portbind
  8.4 Advanced Shellcode
    8.4.1 Download/Execute
  8.5 Staged Loading Shellcode
    8.5.1 Dynamic File Descriptor Re-use
    8.5.2 Egghunt
    8.5.3 Egghunt (syscall)

Download:

http://www.hick.org/code/skape/papers/win32-shellcode.pdf
http://projectshellcode.com/downloads/http___www.hick.org_code_skape_papers_win32-shellcode.pdf