"Safe Hiking" (5): Shellcode encoding

Source: Internet
Author: User
Tags bitwise

2015/5/19 18:08:45

In the previous section we introduced the basic shellcode, using the exit (), Setreuid () and Execve () three system calls, in fact, according to their own needs to choose the appropriate system calls, system calls need to see the SYS call Table, the parameter indentation is also a similar way to handle the stack, writing assembly code is not very difficult.

In this section we are going to introduce the code for the next shellcode, so why encode shellcode? There are several reasons for this:

    • Avoid bad characters, such as \x00, \xa9, etc.;

    • Avoid detection of IDs or other network detectors;

    • Follow the string filter;

Next, let's briefly describe a way to shellcode encoding.

a simple XOR code

operation is to determine if the corresponding bits is the same, if different--and-->true; if the same--and-->false. Therefore can say xor operation is to determine the corresponding bits different operations .

xor operation has a good computational feature, that is, a number and a number XOR two times will get itself:

0 xor 0 = 0 
0 xor 1 = 1
1 xor 1 = 0
1 XOR 0 = 1
101 XOR = 001
001 XOR = 101

We use this feature to construct Shellcode encoding and basic encryption, and of course, the key (0x100 in the above example) is naturally hardcoded into shellcode.

Second, Jmp/call XOR decoder

Since the Shellcode code, then it means to decode. Our model probably looks like this:

[decoder][encoded Shellcodes] 

Generally, if the decoder needs to know its location, This allows you to calculate the location of the encoded shellcode to begin decoding. Determine the decoder position is often referred to as getpc , there are many methods, today we will introduce one of them: jmp/call .

jmp/call is:

    1. jmp command jumps to the call command;

    2. call command creates a new stack, So the current EIP pointer is pressed against the stack (that is, the starting address of the encoded shellcode);

    3. call calls will save the address of the stack to the register;

    4. jmp to Shellcode;

look complicated, let's see the assembly code below, and notice the order of execution after each assembly statement, can help you understand the whole process:

global _start 

_start:
jmp Short Call_point    ;1. JMP to call

Begin:
pop esi                 3. Save the Shellcode address in the stack to the register ESI For subsequent decoding
XOR ecx, ecx            ;4. empty ECX
MOV cl, 0x0         &NBSP ;   5.shellcode length set to 0

Short_xor:
xor Byte[esi], 0x0      ;6.0x0 is the Code Key
Inc ESI                 7.ESI pointer increment, traverse all shellcode bytes
Loop short_xor          ;8. Looping until Shellcode decoded

jmp short shellcodes    ;9. Skip call Direct to Shellcode segment

Call_point:
Call begin              ;2.call begin process while pressing the starting address of the current EIP, Shellcode, into the stack

Shellcodes:             10. Perform the decoded shellcode

here to place the decoded shellcode

Refer: Gray Hat hacking:the Ethical Hacker ' s handbook, third Edition


This article is from the "Run Yang Hang" blog, make sure to keep this source http://windhawkfly.blog.51cto.com/10171660/1652912

"Safe Hiking" (5): Shellcode encoding

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.