"Safe Hiking" (5): Shellcode encoding

2015/5/19 18:08:45

In the previous section we introduced the basic shellcode, using the exit (), Setreuid () and Execve () three system calls, in fact, according to their own needs to choose the appropriate system calls, system calls need to see the SYS call Table, the parameter indentation is also a similar way to handle the stack, writing assembly code is not very difficult.

In this section we are going to introduce the code for the next shellcode, so why encode shellcode? There are several reasons for this:

• Avoid bad characters, such as \x00, \xa9, etc.;

• Avoid detection of IDs or other network detectors;

• Follow the string filter;

Next, let's briefly describe a way to shellcode encoding.

a simple XOR code

operation is to determine if the corresponding bits is the same, if different--and-->true; if the same--and-->false. Therefore can say xor operation is to determine the corresponding bits different operations .

xor operation has a good computational feature, that is, a number and a number XOR two times will get itself:

0 xor 0 = 0 
 0 xor 1 = 1 
 1 xor 1 = 0 
 1 XOR 0 = 1 
 101 XOR = 001 
 001 XOR = 101 
  

We use this feature to construct Shellcode encoding and basic encryption, and of course, the key (0x100 in the above example) is naturally hardcoded into shellcode.

Second, Jmp/call XOR decoder

Since the Shellcode code, then it means to decode. Our model probably looks like this:

[decoder][encoded Shellcodes] 
  

Generally, if the decoder needs to know its location, This allows you to calculate the location of the encoded shellcode to begin decoding. Determine the decoder position is often referred to as getpc , there are many methods, today we will introduce one of them: jmp/call .

jmp/call is:

1. jmp command jumps to the call command;

3. call command creates a new stack, So the current EIP pointer is pressed against the stack (that is, the starting address of the encoded shellcode);

4. call calls will save the address of the stack to the register;

5. jmp to Shellcode;

look complicated, let's see the assembly code below, and notice the order of execution after each assembly statement, can help you understand the whole process:

global _start 
 
 _start: 
 jmp Short Call_point    ;1. JMP to call 
 
 Begin: 
 pop esi                 3. Save the Shellcode address in the stack to the register ESI For subsequent decoding 
 XOR ecx, ecx            ;4. empty ECX 
 MOV cl, 0x0         &NBSP ;   5.shellcode length set to 0 
 
 Short_xor: 
 xor Byte[esi], 0x0      ;6.0x0 is the Code Key 
 Inc ESI                  7.ESI pointer increment, traverse all shellcode bytes 
 Loop short_xor          ;8. Looping until Shellcode decoded 
 
 jmp short shellcodes    ;9. Skip call Direct to Shellcode segment 
 
 Call_point: 
 Call begin              ;2.call begin process while pressing the starting address of the current EIP, Shellcode, into the stack 
 
 Shellcodes:             10. Perform the decoded shellcode 
 
 here to place the decoded shellcode 
 

Refer: Gray Hat hacking:the Ethical Hacker ' s handbook, third Edition

This article is from the "Run Yang Hang" blog, make sure to keep this source http://windhawkfly.blog.51cto.com/10171660/1652912

"Safe Hiking" (5): Shellcode encoding