About Shell code
In this tutorial you'll learn about shellcode: what it is, how to write it for Windows, and how to extract it from a compiled program. Let's begin.

What is shellcoding? Originally the term meant code that returns a remote shell when it is executed. The meaning has since widened: today a shellcode is any byte string which an exploit injects into a process in order to take some action.

CAUTION! A shellcode should contain no NUL bytes: most injection paths copy the payload with C string functions, which stop at the first 0x00 byte and truncate the shellcode. It is also better if the byte count is small, because the space in the vulnerable buffer is usually limited. Another important thing: this tutorial covers Windows shellcoding only.

Thanks to Slick for his help!

The tools you'll need:

1. NASM (the ASM source is assembled with NASM). Download:
http://nasm.sourceforge.net/
2. ALINK (the linker that turns the NASM object file into an .exe). Download:
http://alink.sourceforge.net/download.html
3. arwin (a small program that prints the address of a function inside a DLL). Download:
http://www.vividmachines.com/shellcode/arwin.c
4. W32DASM (a disassembler: displays exports, imports, menu, dialog and text references; integrated debugger for 32-bit programs (16-bit debugging not available); includes text search and navigation functions. I recommend v8.93.)
5. WDHEX (a useful tool which copies the shellcode out of an .ALF listing saved with W32DASM). Download:
http://rapidshare.com/files/46936025/wdhex.exe.html

Let's consider a little ASM program which doesn't do much, only a Beep.

CAUTION! One detail I will not cover in this tutorial (maybe in the next one): every application is loaded with kernel32.dll already mapped, so functions exported by kernel32.dll can be called directly, but API functions from other DLLs (user32.dll, etc.) require loading that library first. Two API functions are very important for this: LoadLibraryA and GetProcAddress.

Another thing: when we extract the shellcode, we extract only the bytes starting at the program's entry point (..start). Declaring variables is not allowed, and importing API functions above this section is just as incorrect, because the extracted bytes carry no data section and no import table and must work on their own. Let's see an incorrect code:
Code:
%include "win32n.inc"
segment .code USE32
;beep.asm
Beep is documented here:
http://msdn2.microsoft.com/en-us/library/ms679277.aspx

CAUTION! The addresses of API functions inside the DLLs differ from one Windows installation to another, because of the Windows version, the service pack and the updates which are released all the time, so a shellcode with a hard-coded address only works on a machine with the same DLL build. (On Windows Vista and later, ASLR additionally gives kernel32.dll a different base address on every boot, so a hard-coded address will not even survive a reboot there.) That's why we use arwin to find the function addresses in our own Windows. Open CMD in the folder where you saved arwin.exe and type the following command:

arwin.exe TheDllName FunctionName

For example: arwin.exe kernel32.dll Beep

Maybe this image will be helpful: http://www.go4expert.com/images/arti.../arwin2qz4.jpg

After you have put the address arwin printed into the code above, the fun can start:

1. Copy the code (with your modification) into Notepad and save it with the .ASM extension (File -> Save As -> Filename: beep.asm). So our file is named beep, got it? It is best to keep all the files from this tutorial (and the compiled ones too) in one folder.
2. Open CMD in that folder and assemble the source:
nasmw.exe -fobj beep.asm
This also checks the code for errors; if NASM reports none, we can go further.
3. Link the object file into an .exe:
alink -c -oPE -subsys gui beep
If the operation worked you can type beep in CMD to run it. Maybe this image will help: http://www.go4expert.com/images/arti...e/alinkzw8.jpg
4. Now that we have the .exe, let's extract the shellcode. Open beep.exe with W32DASM:
http://www.go4expert.com/images/arti...ode/assfq5.jpg
In the image you can see, from left to right: the addresses, the opcode bytes (this is the shellcode) and the ASM code. We can extract the shellcode by hand, for example from 31C031DB (xor eax,eax / xor ebx,ebx) we obtain "\x31\xC0\x31\xDB", or automatically with wdhex. For wdhex we first need to save everything W32DASM shows. How? Easy: File -> Save Disassembly Text File and Create Project File -> FileName: beep.ALF -> Ok.
Note: the extension has to be .ALF, NOT .ELF (as some of you know, ELF is the Linux executable format).
5. In CMD, go to the folder where you saved beep.alf and type:
wdhex beep.alf
The tool prints the extracted shellcode: http://www.go4expert.com/images/arti...e/wdhexgo3.jpg

Conclusion: our shellcode is:
Code:
char shellcode[]=
Code:
/*shellcodetest.c*/
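As an added example (it is not part of the original post, nor the code of wdhex or arwin), here is a small C program that does by hand what the extraction steps above do: it takes the opcode column of a W32DASM listing, turns it into the "\x31\xC0..." form wdhex prints, checks the result for NUL bytes, and on Windows resolves an export the same way arwin does (LoadLibraryA + GetProcAddress) and runs the bytes the way a shellcodetest.c harness does. The listing lines are constructed for the example: the two xor instructions quoted in the post plus a ret so that the sample can be called and return cleanly. Beep's address is looked up at run time rather than hard-coded.

```c
/* shellcodetest.c (added example, not the original post's file):
 * converts a W32DASM opcode column into a C string, checks it for NUL
 * bytes, and on Windows resolves an export like arwin does and runs
 * the bytes like a classic shellcode test harness. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Constructed sample: the opcode column for xor eax,eax / xor ebx,ebx
 * (the 31C0 31DB quoted in the post) followed by ret (C3), so that the
 * bytes can actually be called and return without crashing. */
static const char *const sample_listing[] = { "31C0", "31DB", "C3", NULL };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse a NULL-terminated array of hex strings (one listing line each)
 * into bytes. Returns the byte count, or -1 on an odd-length line, a
 * non-hex character, or overflow of the output buffer. */
int parse_opcodes(const char *const *lines, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (; *lines; lines++) {
        const char *p = *lines;
        size_t len = strlen(p);
        if (len % 2 != 0) return -1;
        for (size_t i = 0; i < len; i += 2) {
            int hi = hexval(p[i]), lo = hexval(p[i + 1]);
            if (hi < 0 || lo < 0 || n >= cap) return -1;
            out[n++] = (unsigned char)((hi << 4) | lo);
        }
    }
    return (int)n;
}

/* Render bytes as "\x31\xC0..." (the form wdhex prints). Returns the
 * length of the string written, or 0 if buf is too small. */
size_t to_c_string(const unsigned char *bytes, size_t n, char *buf, size_t cap)
{
    if (cap < n * 4 + 1) return 0;
    for (size_t i = 0; i < n; i++)
        sprintf(buf + i * 4, "\\x%02X", bytes[i]);
    buf[n * 4] = '\0';
    return n * 4;
}

/* Offset of the first 0x00 byte, or -1 if the shellcode is NUL-free.
 * A NUL ends the copy whenever the payload travels as a C string. */
int first_null(const unsigned char *bytes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (bytes[i] == 0) return (int)i;
    return -1;
}

#ifdef _WIN32
/* The same lookup arwin does; the result is valid for this DLL build only. */
static void *resolve(const char *dll, const char *func)
{
    HMODULE h = LoadLibraryA(dll);
    return h ? (void *)GetProcAddress(h, func) : NULL;
}

/* Classic harness: copy the bytes into executable memory and call them. */
static void run_shellcode(const unsigned char *bytes, size_t n)
{
    void *mem = VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!mem) return;
    memcpy(mem, bytes, n);
    ((void (*)(void))mem)();
    VirtualFree(mem, 0, MEM_RELEASE);
}
#endif

int main(void)
{
    unsigned char code[256];
    char text[1024];
    int n = parse_opcodes(sample_listing, code, sizeof code);
    if (n < 0) { fprintf(stderr, "malformed listing\n"); return 1; }
    to_c_string(code, (size_t)n, text, sizeof text);
    printf("char shellcode[] = \"%s\"; /* %d bytes */\n", text, n);
    int z = first_null(code, (size_t)n);
    if (z >= 0) printf("warning: NUL byte at offset %d\n", z);
#ifdef _WIN32
    printf("Beep lives at %p in this machine's kernel32.dll\n", resolve("kernel32.dll", "Beep"));
    if (z < 0) run_shellcode(code, (size_t)n);
#endif
    return 0;
}
```

To test the real payload, replace sample_listing with the opcode column of beep.exe from W32DASM (or the bytes wdhex printed). The NUL check is worth running every time: an instruction as innocent as push dword 1000 assembles to 68 E8 03 00 00, and those two zero bytes would cut the payload short as soon as it is copied with strcpy.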
Here are some good links:
http://www.vividmachines.com/shellcode/shellcode.html
http://www.bradleybeast.com/content/view/84/

Hope you all like my tutorial. If you need help, don't hesitate to ask me.