Dailydave mailing list archives
RE: Shellcode
From: "Dafydd Stuttard" <daf () ngssoftware com>
Date: Wed, 30 Nov 2005 09:57:41 -0000
I recently wrote a short paper called "Writing Small Shellcode", which includes a short hashing algorithm which produces one-byte non-colliding hashes for the eight functions (in kernel32.dll & ws2_32.dll) required to implement a bindshell: http://www.ngssoftware.com/papers/WritingSmallShellcode.pdf Although the example is specific to those functions, it is easy to find suitable algorithms programmatically, by dynamically building candidate algorithms using a list of suitable x86 instructions (xor, add, rol, etc), and testing each algorithm to identify collisions. Notice that if you iterate through a library's exported functions in a defined sequence then you can tolerate collisions provided that the correct function is the first match in each case. I also considered 4-bit hashes, but I'd be surprised if these are efficient: the overhead required to unpack the hash block into usable form would presumably outweigh the reduction in its size. Cheers Daf
-----Original Message----- From: Dave Aitel [mailto:dave () immunitysec com] Sent: 30 November 2005 02:55 To: Isaac Dawson Cc: dailydave () lists immunitysec com Subject: Re: [Dailydave] Shellcode If you choose your hashing algorithm correctly, I bet you can use ONE byte hashes too. Given N sets of function names S[0] to S[N] is there a hash function H that for all sets in S can differentiate between them into an 8 bit space and can also differentiate between module names M[0]-M[N]? What about 4 bits? :> Then you get to minimize the size of the hash that can do that. . . Surely there's a Phrack article here somewhere. :> -dave Isaac Dawson wrote:Hi Pedro, You may be better off creating a hash table of function names and inserting hashing code into your shellcode. That is of course if you are looking up a lot of strings/function addresses etc. Although it may not be the best solution I find it really easy to read and look at to create string/hash section in your shellcode (I put mine at the bottom of the code). So we have something like: startup: call fwd inc ebx inc ebx ; now we have the exact address to the __emit junk. mov [ebp+someoffset], ebx ; store our address on the stack so we can work with it easier fwd: call get_data_offset get_data_offset: pop ebx ; this gives our current location due to popping the last return address from the stack ret __emit(your stuff) __emit(some more of your stuff) Look around the net for hashing algorithms there are plenty out there. (Some better than others!). Or just create your own its not too hard and you can get it really small, 2 bytes is better than 4 :). Hope this helps, -Isaac On 11/30/05, *Alexander Sotirov* <asotirov () determina com <mailto:asotirov () determina com>> wrote: Pedro E wrote: > LibraryReturn: > pop ecx ;get the library string > mov [ecx + 10], dl ;MY PROBLEM is this line I don't > have the right permissions to modify the NULL value and finish the string > mov ebx, 0x79470221 ;LoadLibraryA(libraryname); > push ecx ;beginning of user32.dll > call ebx ;eax will hold the module handle > jmp short FunctionName > xxx > .. > .. > GetLibrary: > call LibraryReturn > db 'user32.dllN' Just put the string on the stack: push 0x5f5f6c6c ; 'll__' push 0x642e3233 ; '32.d' push 0x72657375 ; 'user' call LibraryReturn LibraryReturn: lea ecx, [esp+4] ; esp+4 points to the string "user32.dllXX" mov [ecx + 10], dl ; the string is on the stack, so youcanwrite the null terminator or even better: xor eax, eax mov ax, 6c6c push eax ; 'll\0\0' push 0x642e3233 ; '32.d' push 0x72657375 ; 'user' call LibraryReturn Alex
Current thread:
- Shellcode Pedro E (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
- Re: Shellcode Alexander Sotirov (Nov 29)
- Re: Shellcode Isaac Dawson (Nov 29)
- Re: Shellcode Dave Aitel (Nov 29)
- Re: Shellcode H D Moore (Nov 29)
- Re: Shellcode halvar (Nov 30)
- RE: Shellcode Dafydd Stuttard (Nov 30)
- Re: Shellcode halvar (Nov 30)
- Re: HOLY GOD WE ARE SO OLD Matt Hargett (Nov 30)
- Re: Shellcode Isaac Dawson (Nov 29)
- Re: Shellcode halvar (Nov 30)
- Re: Shellcode Dustin D. Trammell (Nov 30)
- RE: Shellcode Dave Korn (Nov 30)
- RE: Shellcode Dave Korn (Nov 29)
- <Possible follow-ups>
- Fwd: RE: Shellcode H D Moore (Nov 30)