Shulou(Shulou.com)06/01 Report--

2015-5-19 18:08:45

In the last section, we introduced the compilation of basic shellcode, using three system calls: exit (), setreuid () and execve (). In practice, of course, we choose the appropriate system call according to our own needs, the system call number needs to check syscalltable, and the parameter pressing is also taken in a similar way, so it is not very difficult to deal with the stack and compile the assembly code.

In this section we are going to introduce the coding of shellcode, so why encode shellcode? The general reasons are as follows:

Avoid Bad characters, such as\ X00,\ xa9, etc.

Avoid detection by IDS or other network detectors

Follow string filter

Next, let's briefly introduce a way of shellcode coding.

1. Simple XOR coding

A common bit operation in computers is the XOR operation, that is, "XOR by bit". It took me some time to remember this operation before it was separated from the "bitwise and / or" operation. The essence of XOR operation is to determine whether the corresponding binary bits are the same, if different-- > different-- > True; if the same-- > same-- > False. Therefore, it can be said that the XOR operation is an operation to judge the corresponding binary bits.

XOR operation has a very good operation characteristic, that is, a number and a number XOR twice will get itself:

0 XOR 0 = 0

0 XOR 1 = 1

1 XOR 1 = 0

1 XOR 0 = 1

101 XOR 100 = 001

001 XOR 100 = 101

We can use this feature to construct shellcode encoding and basic encryption, and of course, the key (0x100 in the example above) is naturally hard-coded into shellcode.

2. JMP/CALL XOR × ×

Since shellcode is encoded, it also means decoding. Our model looks something like this:

[decoder] [encoded shellcodes]

Generally speaking, if you need to know your location, you can calculate the position of the encoded shellcode and start decoding. Determining the location of xxx is often called GETPC, and there are many ways to determine it. Today we will introduce one of them: JMP/CALL.

JMP/CALL 's idea is:

JMP instruction jumps to CALL instruction

The CALL instruction precedes the encoded shellcode

The CALL instruction creates a new stack, so the current EIP pointer is stacked (that is, the starting address of the encoding shellcode)

The procedure called by CALL pops up and saves the address of the stack to the register

Shellcode decoding using saved registers

JMP to shellcode to execute

It looks complicated. Let's take a look at the following assembly code. Pay attention to the order of execution after each assembly statement, which can help you understand the whole process:

Global _ start

_ start:

Jmp short call_point; 1. JMP to CALL

Begin:

Pop esi; 3. Pop up the shellcode address in the stack and save it to register esi for subsequent decoding

Xor ecx, ecx; 4. Clear ecx

Mov cl, 0x0; 5.shellcode length is set to 0

Short_xor:

Xor byte [esi], 0x0; 6.0x0 is the coded key here.

Inc esi; 7.ESI pointer increments, traversing all shellcode bytes

Loop short_xor; 8. Loop until the shellcode is decoded

Jmp short shellcodes; 9. Skip CALL and go directly to shellcode segment

Call_point:

Call begin; 2.CALL begin process, while pressing the current EIP, that is, the starting address of shellcode, into the stack

Shellcodes:; 10. Execute the decoded shellcode

The decoded shellcode is placed here

The overall process is like this, as long as you pay close attention to the logical order and the stack of shellcode addresses, JMP/CALL is not difficult to understand.

Refer: Gray Hat Hacking: The Ethical Hacker's Handbook, Third Edition

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.