My first shell code--Hello World

Tried for a long time, and finally successfully output the Hello World

Experimental environment

$uname -a                     4.2.  5-1-arch #1: x86_64 gnu/ Linux

$GCC--version
GCC (GCC) 5.2.0
Copyright (C) Free Software Foundation, Inc.
This was free software; See the source for copying conditions. There is NO
Warranty Not even to merchantability or FITNESS for A particular PURPOSE.

Core code

Hello.s

1 Section . Text2 Global _start3 4 _start:5 6 jmp msg7 8 Code:9 xor Rax, Rax; clean up the registersTen xor RBX, RBX One xor RDX, RDX A xor RCX, RCX -  -mov al,4; syscallWrite themov bl,1; stdout is1 -Pop RCX; savestringAddress -MOV dl, A; Length of thestring -   int 0x80 +  - xor Rax, Rax +mov al,1; exit the Shellcode A XOR RBX,RBX at   int 0x80 - msg: - Call Code -Db'Hello World',Ten

Here are a few notable points to note:

1. Because the string in C is terminated with '/', the shell code we generate cannot contain 00 bytes, so you can never use an Al ax or eax or rax,bl,dl the same way.

2. Notice that there is a strange pop rcx in the code? Is there a strange organization that found the code? Why first jmp to MSG in call code? In fact, this is also to remove 00 bytes.

The call command pushes the returned address (this is the 26th line) to the stack and then pops to RCX.

$nasm-F elf64 hello.s-o                                              hello.o$ld -S-o hello hello.o $. /Hellohello World                                                 $objdump-D Hello

Hello:file format elf64-x86-64

Disassembly of section. Text:

0000000000400080 <.text>:
400080:eb 1f JMP 0x4000a1
400082:48 C0 XOR%rax,%rax
400085:48 DB XOR%rbx,%rbx
400088:48 D2 xor%RDX,%RDX
40008b:48 C9 XOR%RCX,%RCX
40008E:B0 mov $0x4,%al
400090:B3 mov $0x1,%bl
400092:59 Pop%RCX
400093:B2 0c mov $0xc,%dl
400095:CD int $0x80
400097:48 C0 XOR%rax,%rax
40009A:B0 mov $0x1,%al
40009C:48 DB XOR%rbx,%rbx
40009F:CD int $0x80
4000A1:E8 DC FF FF FF CALLQ 0x400082
4000a6:68 6c 6c 6f Pushq $0x6f6c6c65
4000ab:20 6f and%dh,0x6f (%rdi)
4000AE:72 6c JB 0x40011c
4000B0:64 FS
4000b1:0a. Byte 0xa

can see no 00 bytes

Can write a small program from the output of objdump to get Shellcode

1#include <stdio.h>2 CharCode[] ="\xeb\x1f\x48\x31\xc0\x48\x31\xdb\x48\x31\xd2\x48\x31\xc9\xb0\x04\xb3"3 "\x01\x59\xb2\x0b\xcd\x80\x48\x31\xc0\xb0\x01\x48\x31\xdb\xcd\x80\xe8"4 "\xdc\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64";5 6 7 intMain ()8 {9void (*Hello) ();TenHello = (void (*) ()) code; One(*Hello) (); AReturn0;}

Compilation options are important, and modern compilers seem to have protection

$gcc -z execstack hello.c $. /A.outhello World

Done.

My first shell code--Hello World