Dailydave mailing list archives
Re: Shellcode
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Tue, 29 Nov 2005 22:56:09 -0600
A couple years ago, optyx and I did a collision test of all Win32 function names in common DLLs - there wasn't a single 16-bit algorithm we could generate that wouldn't collide in the full function set. If you narrow it down to a specific DLL or set of functions, it is doable, but only if the function order in the DLL stays the same (otherwise you still get collisions because you have to include every function in the DLL you search).

If you are resolving symbols only in the Win32 base DLLs (k32, u32, s32, etc), it's not much of a problem, because the order stays the same across versions. Be careful of small hash values when using non-system DLLs, since there are a few vendors that change ordinals between versions.

It is definitely possible to write a hash routine optimized for a specific set of function names, but the order problem can keep it from being a general purpose solution (plus, some combinations of names could result in your hash byte being a restricted character).

-HD

PS. To the original poster - you don't need to include the ".dll" extension in your call to LoadLibrary.

On Tuesday 29 November 2005 20:55, Dave Aitel wrote:
> If you choose your hashing algorithm correctly, I bet you can use ONE byte hashes too. Given N sets of function names S[0] to S[N] is there a hash function H that for all sets in S can differentiate between them into an 8 bit space and can also differentiate between module names M[0]-M[N]? What about 4 bits? :>
>
> Then you get to minimize the size of the hash that can do that. . . Surely there's a Phrack article here somewhere. :>
>
> -dave
>
> Isaac Dawson wrote:
> > Hi Pedro,
> >
> > You may be better off creating a hash table of function names and inserting hashing code into your shellcode. That is of course if you are looking up a lot of strings/function addresses etc. Although it may not be the best solution I find it really easy to read and look at to create string/hash section in your shellcode (I put mine at the bottom of the code). So we have something like:
Current thread:
- Shellcode Pedro E (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
- Re: Shellcode Alexander Sotirov (Nov 29)
- Re: Shellcode Isaac Dawson (Nov 29)
- Re: Shellcode Dave Aitel (Nov 29)
- Re: Shellcode H D Moore (Nov 29)
- Re: Shellcode halvar (Nov 30)
- RE: Shellcode Dafydd Stuttard (Nov 30)
- Re: Shellcode halvar (Nov 30)
- Re: HOLY GOD WE ARE SO OLD Matt Hargett (Nov 30)
- Re: Shellcode Isaac Dawson (Nov 29)
- Re: Shellcode halvar (Nov 30)
- Re: Shellcode Dustin D. Trammell (Nov 30)
- RE: Shellcode Dave Korn (Nov 30)
- RE: Shellcode Dave Korn (Nov 29)
- <Possible follow-ups>
- Fwd: RE: Shellcode H D Moore (Nov 30)