2015/5/19 18:08:45
In the previous section we introduced basic shellcode built from three system calls, exit(), setreuid() and execve(). In practice you pick whichever system calls the task needs; their numbers come from the syscall table, and the arguments are set up the same way as in those examples, so writing the assembly is not difficult.
In this section we look at shellcode encoding. Why encode shellcode at all? There are several reasons:
- to avoid bad characters, such as \x00, \xa9 and so on, i.e. bytes the target program would truncate or mangle;
- to evade IDS signatures and other network detectors;
- to get through string filters.
Next, let's briefly describe one way of encoding shellcode.
1. A simple XOR encoding
XOR compares corresponding bits: if the two bits differ the result is 1 (true); if they are the same it is 0 (false). In other words, XOR tests whether corresponding bits are different.
XOR has a convenient computational property: XORing a value with the same number twice gives the original value back:
0 xor 0 = 0
0 xor 1 = 1
1 xor 1 = 0
1 xor 0 = 1
101 xor 100 = 001
001 xor 100 = 101
We use this property to encode the shellcode, which also gives it a basic form of encryption; the key (binary 100 in the example above) is naturally hard-coded into the shellcode itself, inside the decoder. Two caveats: the key must be chosen so that neither the key byte nor any encoded byte is itself a bad character, otherwise the encoding defeats its own purpose; and a single-byte XOR key is trivially recovered by anyone who has the bytes, so this is obfuscation against filters and simple signatures, not real encryption.
2. Jmp/call XOR decoder
Since the shellcode is encoded, something has to decode it. The layout looks roughly like this:
[decoder][encoded shellcode]
In general the decoder needs to know its own address, so that it can compute where the encoded shellcode starts and begin decoding there. Finding the decoder's position is usually called getpc, and there are many methods; today we introduce one of them: jmp/call.
The jmp/call technique works like this:
- a jmp at the start jumps forward to the call instruction;
- the call pushes its return address, the address of the instruction that follows it, onto the stack; because the encoded shellcode is placed immediately after the call, that return address is exactly the starting address of the encoded shellcode;
- a pop takes that address off the stack into a register;
- the decoder loops over the shellcode through that register, then jumps to the decoded shellcode.
This looks complicated, so let's look at the assembly code below. The numbers in the comments give the order in which the statements execute, which should help you follow the whole process:
; NASM, 32-bit Linux. The loop writes to [esi], so the shellcode must sit in
; writable memory: in an exploit that is the stack or heap; when testing this
; as a standalone ELF, link with a writable text section (ld -m elf_i386 -N).
section .text
global _start
_start:
    jmp short call_point        ; 1. jump forward to the call
begin:
    pop esi                     ; 3. the return address pushed by call is the start of the encoded shellcode; keep it in ESI for decoding
    xor ecx, ecx                ; 4. clear ECX
    mov cl, 0x0                 ; 5. loop counter: replace 0x0 with the shellcode length in bytes (1..255; a length of 0 makes loop run 256 times)
short_xor:
    xor byte [esi], 0x0         ; 6. replace 0x0 with the XOR key (the placeholder 0x0 is itself a bad character and would leave the bytes unchanged)
    inc esi                     ; 7. advance to the next shellcode byte
    loop short_xor              ; 8. repeat until every byte is decoded
    jmp short shellcodes        ; 9. skip over the call and run the decoded shellcode
call_point:
    call begin                  ; 2. pushes the address of the next instruction (shellcodes, i.e. the encoded shellcode) and jumps back to begin; jumping backward gives a negative rel32 with no NUL byte
shellcodes:
    ; 10. place the encoded shellcode here; it is decoded in place by the loop above and then executed
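The two halves of the technique, the XOR encoding from section 1 and the jmp/call decoder from section 2, put together as an added example; this is not code from the original post. It encodes a constructed sample payload (Linux x86 exit(0), written with NUL bytes on purpose), picks a key that keeps both the key byte and every encoded byte out of a bad-character set, prepends the decoder stub above hand-assembled to 20 bytes with LEN and KEY patched in, scans the whole blob for bad characters, and then simulates the decoder loop in C to confirm the round trip. Nothing is executed as machine code; the stub bytes, offsets and function names are this example's own.

```c
/* Added example (not from the original post): XOR-encode a payload with a
 * key chosen to avoid bad characters, prepend the jmp/call decoder stub
 * from the text (hand-assembled, 32-bit Linux x86), check the whole blob
 * for bad characters and simulate the decoder loop in C. Nothing here is
 * executed as machine code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN     20   /* size of the decoder stub below */
#define STUB_LEN_OFF  6   /* offset of the imm8 in "mov cl, LEN" */
#define STUB_KEY_OFF  9   /* offset of the imm8 in "xor byte [esi], KEY" */

/* Constructed sample payload: Linux x86 exit(0), written deliberately with
 * NUL bytes so that there is something for the encoder to hide. */
static const uint8_t sample_sc[] = {
    0xB8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1   (SYS_exit) */
    0x31, 0xDB,                     /* xor ebx, ebx (status 0) */
    0xCD, 0x80                      /* int 0x80 */
};

/* The decoder from the text, assembled by hand. Displacements are relative
 * to the next instruction; the backward call gives a negative rel32 with no
 * NUL byte, a forward call would not. LEN and KEY are patched in later. */
static const uint8_t stub_template[STUB_LEN] = {
    0xEB, 0x0D,                   /*            jmp short call_point  (+13) */
    0x5E,                         /* begin:     pop esi                     */
    0x31, 0xC9,                   /*            xor ecx, ecx                */
    0xB1, 0x00,                   /*            mov cl, LEN                 */
    0x80, 0x36, 0x00,             /* short_xor: xor byte [esi], KEY         */
    0x46,                         /*            inc esi                     */
    0xE2, 0xFA,                   /*            loop short_xor        (-6)  */
    0xEB, 0x05,                   /*            jmp short shellcodes  (+5)  */
    0xE8, 0xEE, 0xFF, 0xFF, 0xFF  /* call_point: call begin           (-18) */
};                                /* shellcodes: encoded bytes follow       */

static int is_bad(uint8_t b, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < nbad; i++)
        if (bad[i] == b) return 1;
    return 0;
}

/* Index of the first bad byte in blob, or -1 if there is none. */
int find_bad(const uint8_t *blob, size_t n, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < n; i++)
        if (is_bad(blob[i], bad, nbad)) return (int)i;
    return -1;
}

/* Smallest single-byte key such that neither the key (it sits in the stub)
 * nor any encoded byte is a bad character; -1 if no key works. */
int pick_key(const uint8_t *sc, size_t n, const uint8_t *bad, size_t nbad) {
    for (int key = 1; key < 256; key++) {
        if (is_bad((uint8_t)key, bad, nbad)) continue;
        size_t i = 0;
        while (i < n && !is_bad(sc[i] ^ (uint8_t)key, bad, nbad)) i++;
        if (i == n) return key;
    }
    return -1;
}

/* Write stub + encoded payload into out; returns the total length, or -1
 * if the payload does not fit or its length is not 1..255 ("mov cl" is
 * 8-bit, and LEN = 0 would make "loop" run 256 times). */
int build_payload(const uint8_t *sc, size_t n, uint8_t key,
                  uint8_t *out, size_t cap) {
    if (n == 0 || n > 255 || cap < STUB_LEN + n) return -1;
    memcpy(out, stub_template, STUB_LEN);
    out[STUB_LEN_OFF] = (uint8_t)n;
    out[STUB_KEY_OFF] = key;
    for (size_t i = 0; i < n; i++) out[STUB_LEN + i] = sc[i] ^ key;
    return (int)(STUB_LEN + n);
}

/* Straight C rendering of the decoder loop: LEN and KEY are read from the
 * stub, ESI starts at the address "call begin" pushed (the first encoded
 * byte) and "loop" runs until CL wraps to zero. */
void simulate_decoder(uint8_t *blob) {
    uint8_t cl  = blob[STUB_LEN_OFF];
    uint8_t key = blob[STUB_KEY_OFF];
    uint8_t *esi = blob + STUB_LEN;
    do { *esi++ ^= key; } while (--cl != 0);
}

int main(void) {
    const uint8_t bad[] = { 0x00 };          /* the classic bad character */
    uint8_t blob[STUB_LEN + 255];
    int key = pick_key(sample_sc, sizeof sample_sc, bad, sizeof bad);
    if (key < 0) { puts("no usable key"); return 1; }
    int len = build_payload(sample_sc, sizeof sample_sc, (uint8_t)key,
                            blob, sizeof blob);
    if (len < 0) { puts("payload does not fit"); return 1; }
    printf("key 0x%02x, %d bytes:", key, len);
    for (int i = 0; i < len; i++) printf(" %02x", blob[i]);
    printf("\nfirst bad byte at: %d\n",
           find_bad(blob, (size_t)len, bad, sizeof bad));
    simulate_decoder(blob);
    printf("round trip: %s\n",
           memcmp(blob + STUB_LEN, sample_sc, sizeof sample_sc) == 0
               ? "ok" : "MISMATCH");
    return 0;
}
```

The check worth keeping is find_bad over the whole blob, not just the encoded part: the decoder stub has to pass the same filter as the payload. With \x0d added to the bad set, for instance, the scan stops at offset 1, the stub's own jmp displacement (0x0D), and the fix is to change the stub's layout, not the key. Build with a plain cc invocation; the program prints the encoded blob and the round-trip result.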
Reference: Gray Hat Hacking: The Ethical Hacker's Handbook, Third Edition
This article is from the "Run Yang Hang" blog; please keep this source when reproducing it: http://windhawkfly.blog.51cto.com/10171660/1652912
"Safe Hiking" (5): Shellcode encoding