Vulnerability Development mailing list archives
asm shellcode techniques (especially relevant for win32)
From: Franklin DeMatto <franklin.lists () qDefense com>
Date: Tue, 04 Sep 2001 20:47:34 -0400
I am working on an x86/win32 shellcode, using Intel mnemonics and NASM, and have some basic questions:
1) If I want to do a far call, I normally call a pointer to the func. Example:

    call FUNC
    FUNC: dd 0x74348712

However, I think it can be done directly using a far call to an immediate offset, something like 9a ?? ?? 12 87 34 74. I think the ?? ?? has to do with something called the AR byte. But I can't find, or figure out, exactly how to do this. NASM keeps on telling me something like "far calls aren't relocatable" and refuses to assemble it. Is there a way to get NASM to do it anyway? If not, I can enter the opcodes by hand - what should they be?
2) If I have a string, and I need to append a null afterwards, what is the best way?

e.g.: ebx is 0, ebp points to the beginning of the string, the string is 26h bytes long. I would normally do:

    mov [ebp+27h], ebx

This yields opcode 89 9D 27 00 00 00, which is obviously not good. I could do:

    add ebp, 0xffffffd8
    mov [ebp], ebx
    sub ebp, 0xffffffd8

but this is kind of long. Is there a shorter way to do it, especially since I only need to move one byte? (I don't even need to move it, just make a 0, so I could use not or xor or something...)

3) Many times, I need to add or subtract by less than 0x7f. I would normally just use add/sub byte xx, but this won't carry, right? In other words, if eax == 0xffffff01, and I try sub byte 3, I'll get eax == 0xfffffffe, which is not what I want, so I am forced to use sub/add dword, which is much longer.

Likewise, sometimes I want to mov location, byte. But since location is specified by dword, I need to do mov location, dword, even if I only need a byte. My question is: is there a shorter way to do all this, or am I forced to use dwords, even though I'm only using bytes?
Also, since I push parameters to the win32 calls, I normally sub from esp so as to not overwrite the code itself. However, if I understood correctly, the excellent lsd-pl paper said that this is not necessary. Is that correct? How is this? Any elaboration would be appreciated.
Thanks,
Franklin

Franklin DeMatto
Senior Security Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible
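An added illustration of the point behind question 3 (this is not code from the thread or from any of its posters): the 8-bit immediate forms of ADD/SUB are sign-extended to 32 bits by the CPU before the operation, so the whole register is updated and the borrow propagates exactly as with a 32-bit immediate. The opcode bytes are the documented `83 /0 ib`, `83 /5 ib`, `05 id` and `2D id` forms for EAX; the helper names and the sample values are my own.

```python
# Model of 32-bit x86 ADD/SUB with an 8-bit versus a 32-bit immediate.
# Added example; helper names and sample values are constructed here.
MASK32 = 0xFFFFFFFF


def sign_extend8(imm8: int) -> int:
    """Sign-extend an 8-bit immediate to 32 bits, as the CPU does for 83 /r ib."""
    imm8 &= 0xFF
    return (imm8 - 0x100) & MASK32 if imm8 & 0x80 else imm8


def sub_imm8(reg: int, imm8: int) -> int:
    """SUB r/m32, imm8: operates on the full 32-bit register, so the borrow carries."""
    return (reg - sign_extend8(imm8)) & MASK32


def sub_imm32(reg: int, imm32: int) -> int:
    """SUB r/m32, imm32: the longer form, same arithmetic result for small values."""
    return (reg - (imm32 & MASK32)) & MASK32


def add_imm8(reg: int, imm8: int) -> int:
    """ADD r/m32, imm8: the carry likewise propagates through all 32 bits."""
    return (reg + sign_extend8(imm8)) & MASK32


def encode_sub_eax(imm: int) -> bytes:
    """Encode SUB EAX, imm the way an assembler would size it:
    3 bytes '83 E8 ib' (ModRM 11 101 000) when imm fits a signed byte,
    otherwise 5 bytes '2D id' with a little-endian 32-bit immediate."""
    if -128 <= imm <= 127:
        return bytes([0x83, 0xE8, imm & 0xFF])
    return bytes([0x2D]) + (imm & MASK32).to_bytes(4, "little")


def encode_add_eax(imm: int) -> bytes:
    """Encode ADD EAX, imm: 3 bytes '83 C0 ib' (ModRM 11 000 000) or 5 bytes '05 id'."""
    if -128 <= imm <= 127:
        return bytes([0x83, 0xC0, imm & 0xFF])
    return bytes([0x05]) + (imm & MASK32).to_bytes(4, "little")


if __name__ == "__main__":
    # The case from the question: eax = 0xffffff01, sub byte 3.
    print(hex(sub_imm8(0xFFFFFF01, 3)), hex(sub_imm32(0xFFFFFF01, 3)))
    print(encode_sub_eax(3).hex(), encode_sub_eax(0x100).hex())
```

Both forms give 0xfffffefe for the question's example; the low byte does not wrap on its own, because the operand size is the full register in either encoding.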
Current thread:
- asm shellcode techniques (especially relevant for win32) Franklin DeMatto (Sep 04)
- Re: asm shellcode techniques (especially relevant for win32) Enrique A. Compañ Gzz. (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) RaiSe (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) Ryan Permeh (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) RaiSe (Sep 05)
- Re: asm shellcode techniques (especially relevant for win32) Enrique A. Compañ Gzz. (Sep 05)