Introduction : What is a shell code ?

Kimchi

Hello everyone,

I often see the question "What is shellcode? How do I make one?" and a lot of script kiddies or average safe people use this term indiscriminately without really knowing what is behind this term.
"Shellcode" can be defined as follows: "shellcode" is a piece of code in binary form that can be executed (basically without malicious intent). On the hacking side, the definition is a little more advanced: "shellcode" is a piece of malicious binary code executed on the fly in memory (stack or heap regardless).

Now that the definition is set, how do you execute it, and how do you produce it? Or rather, extract it 😉 Before starting, one condition must be set: I am assuming a Windows system (and not Linux). It is important to understand that a "shellcode" is not necessarily (and even rarely) cross-platform.
I will start with the execution, which is the least complicated part to achieve.

Several solutions are available as to the chosen method but the methodology is always the same:
1. Write the "shellcode" somewhere in memory
2. Apply an executable attribute to the memory region where it was written
3. Run this memory region

There are 2 methods to do this:
Method 1.
Step 1. Generate an executable file that includes the shellcode. Something like this (C):
#include <stdio.h>
char shellcode[] ="\xfc\xe8\x82";//"raw" shellcode

int main(int argc, char **argv)
{
   ((void(*)())shellcode)(); //"shellcode" execution
}

With this method, the "shellcode" will automatically end up in the so-called ".text" section (which will be executed in memory). And so it will not be necessary to allocate a memory region.

Method 2.
Step 1. Allocate a memory region with write, read and execute access
Step 2. Write the shellcode in this region
Step 3. Execute the code in this memory region.

I will not detail this second method which requires more advanced knowledge and which I will detail in other tutorials.

«Well, that's all very nice, now I know how to execute it, but "HOW DO I GET MY SHELLCODE?"»
Well, it's all in the definition: it's a piece of executable code!
So a compiler can do it for us!

Without going into the details, which will be covered in another tutorial: this is the ".text" or so-called "code" section (the section that is mapped in memory with the executable attribute) of a file in "PE" (Portable Executable) format. There are 2 other important points that should not be overlooked if you wish to extract this section from a file in "PE" format: does your code contain symbol dependencies linked to external code libraries (such as kernel32, user32...)? Does this section contain any blocks that need to be relocated (ASLR)? If the answer to both of these questions is "yes", I strongly advise against mapping this ".text" section independently of your base executable file; if you do, you risk crashing your "loader" (the program serving as an intermediary to decrypt/de-obfuscate said shellcode).

With everything I have just explained to you in this tutorial, you normally have enough to start looking for and manipulating this on your own😉

This tutorial is from « 0xHexedCode »
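
The post's three steps need memory that is both written and executed, and its last paragraph relies on the executable attribute recorded in the PE section table. As an added example (not part of the original post), this C function reads that table and counts sections marked both writable and executable, a common static triage signal for analysts. The `make_sample` helper, the `.stub` name and the header-only buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SCN_MEM_EXECUTE 0x20000000u /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE   0x80000000u /* IMAGE_SCN_MEM_WRITE */

/* Little-endian readers, so the parser does not depend on host layout. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Count sections flagged both writable and executable; -1 if not a well-formed PE. */
int count_wx_sections(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = rd32(img + 0x3C);               /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    size_t nsec = rd16(img + pe + 6);           /* NumberOfSections */
    size_t tbl = pe + 24 + rd16(img + pe + 20); /* skip SizeOfOptionalHeader bytes */
    if (tbl > len || (len - tbl) / 40 < nsec) return -1;
    int wx = 0;
    for (size_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + tbl + 40 * i;  /* 40-byte section header */
        uint32_t ch = rd32(s + 36);             /* Characteristics */
        int w = (ch & SCN_MEM_WRITE) != 0, x = (ch & SCN_MEM_EXECUTE) != 0;
        printf("%-8.8s %c%c\n", (const char *)s, w ? 'W' : '-', x ? 'X' : '-');
        wx += w && x;
    }
    return wx;
}

/* Constructed sample: header-only image, ".text" (R+X) plus one more section. */
size_t make_sample(uint8_t buf[256], uint32_t second_flags)
{
    uint32_t flags[2] = { 0x60000020u, second_flags };
    memset(buf, 0, 256);
    memcpy(buf, "MZ", 2); buf[0x3C] = 0x40;     /* e_lfanew -> 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x46] = 2;                              /* NumberOfSections */
    memcpy(buf + 0x58, ".text", 5); memcpy(buf + 0x80, ".stub", 5);
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 4; b++)
            buf[0x58 + 40 * i + 36 + b] = (uint8_t)(flags[i] >> (8 * b));
    return 0x58 + 2 * 40;
}

int main(void)
{
    uint8_t img[256];
    printf("W+X sections: %d\n", count_wx_sections(img, make_sample(img, 0xE0000020u)));
}
```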
 