About Shell code

Discussion in 'Ethical hacking Tips' started by XXxxImmortalxxXX, Jul 4, 2008.

  1. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Jun 27, 2007
    Likes Received:
    Trophy Points:

    About ShellCode

    In this tutorial you'll learn all about shellcode, of course if you'll be reading this article.

    Let's begin.

    How could we obtain a ShellCode?

    What is ShellCodeing? First of all, when we think about ShellCodeing, we think about a Code that will return a remote shell when it's executed. The meaning of ShellCode evolved, now we understand it this way: any byte code which is introduced in an exploit, how'll take an action. CAUTION! A ShellCode cannot contain Null Bytes, and it's even more beautiful if the byte size is small. Another think, important, of course, in this tutorial i'll present only Windows ShellCodeing!Thank's Slick for your help!

    The tool's you'll need :
    1. NASM (The compiling of ASM will make it with NASM)
    Download :
    2. ALINK (*.exe will make it with this tool)
    Download :
    3. ARWIN [With this program C, which will be compiled, we can find the API function address in the dll)
    Download :
    4. W32DASM [· Disassembles Both 16 and 32 Bit Windows Programs
    · Displays for Exports, Imports, Menu, Dialog, and Text References
    · Integrated Debugger for 32 Bit Programs (16 Bit Debug Not Available)
    · Includes Text Search and Navigation Functions.
    I recommend v.8.93]
    5. WDHEX [A useful tool which copyed the ShellCode from a list to anther .afl saved with W32DASMU].
    Download :
    Now that we have this tool's and a little decent knowledge about ASM, let's see how will extract the ShellCode and ,further more, to optimize the ASM code for ShellCode, because we want to have the size as small as possible; without Null Bytes (\x00).

    Let's consider a little ASM code, which dosen't do much, only a BEEP! CAUTION! A detailed thing . . . i 'll not reach in this tutorial (maybe, the next tutorial) : any kind of application come's loaded with kernel32.dll, so useing other API function's from other dll's (user32.dll, etc.) will need to load the library ( 2 API function's <<very important>> : LoadLibraryA and GetProcAddress).Another thing, when will extract the ShellCode, will extract him only from the zone .. start of the programe made in ASM; declareing the variable's is DENIED!, and importing API function's above this section is the same: incorrect. Let's see an incorrect code:
    %include "win32n.inc"
    extern SetCursorPos
    import SetCursorPos user32.dll
    title db "hello",0
    message db "hello world",0
    So, you get the idea? i'll present now a little code, a CORRECT one, after this will leave this idea and move on to dezvolting the base's of ShellCodeing.
    segment .code USE32
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx
    jmp short function   ; jump to the label @function
    pop eax   ;remove's the stack from the last value and put's it in eax
    mov byte [eax+10], dl  ;we write 10 character's: user32.dll, ignore N
    mov ebx, 0x77e7d961 ;function address LoadLibraryA
    push eax  ;same thing with push user32.dll
    call ebx  ;calling LoadLibraryA
    mov ecx, eax
    xor eax, eax
    jmp short function3
    pop eax
    mov byte [eax+12], dl
    mov ebx, 0x77e7b332 ;function address GetProcAddress
    push eax
    push ecx
    call ebx
    the rest:
    push byte 1
    push byte 1
    call eax ;SetCursorPos
    mov ebx, 0x77e798fd ;function address ExitProcess
    push byte 1
    call ebx
    call function2
    db 'user32.dllN'
    jmp short function2 ; jump (back to labe @function2)
    call function4
    db 'SetCursorPosN'
    The code in FASM is much mode simple, because we could use direct the variable's, and in NASM we can't write like : push something Call(APIfunction), only if something is a number. Before we execute the lable of a API function we jumped to another label which calles the initial label which contain's a very important element: db 'SetCursorPosN', where SetCursorPos is the name of the "variable" needed to be used of course; N come's from Null Byte. I'll carry on now, hopeing you understand something from the above code, i'll move on to simple thing's. Let's consider again our little code, which make's the BEEP.
    segment .code USE32
        xor eax, eax
        xor ebx, ebx
        xor ecx, ecx
        mov ebx, 0x77eac910  ;Beep function address from kernel32.dll
        mov ax, 750  ;the sound frequency in Hertz
        mov cx, 3000  ;time of the Beep
        push eax
        push ecx
        call ebx  ;Calling function Beep
        mov ebx, 0x77e798fd  ;ExitProcess Function address in kernel32.dll
        mov ax, 1
        push eax
        call ebx
    If you want to learn more about the API function Beep :
    In Windows, a NASM code begin's with segment .code USE32..start:, and Linux : [SECTION .text] global _start_start:
    CAUTION! The API function addresses in dll's can differ from a windows user to another, because the Windows version's, Service Pack version's and the different update's which are made daily. That's why will use ARWIN to find out the function addresses in dll's from our Windows.
    Will enter the folder were we saved the arwin.exe useing CMD!! After we made it, type the following command: arwin.exe TheDllName FunctionName. For example, we can put: arwin.exe kernel32.dll Beep. Maybe the following image will be helpful:


    After your done with the API code above, the fun can start! Copy the code (with your modification) in Notepad and then save it with .ASM extension (File -> Save As -> Filename: beep.asm). So our file will be named like : beep, got it? Ok. It would be better to save all the file's above ( the compiled one's 2 - if it's necessary ) in a folder. Now open CMD to compile the ASM code and to make it .exe ! Enter in CMD in the folder ( were you saved the shit ), then type the following command :
    nasmw.exe -fobj beep.asm
    This way were checking for error's, now we can go further. Type in cmd CMD :
    alink -c -oPE -subsys gui beep
    If the operation worked you can type beep in CMD to run.
    Maybe this image will help :


    Now we created the exe, let's extract the ShellCode. For this, open .exe with W32DASM.


    n the above image, you can see : addresses, shellcode and the ASM code ( left -> right ).We can extract this shellcode manual, for example from 31C031DB we obtain :
    “\x31\xC0\x31\xDBâ€, or useing wdhex (automatic extractor for the code). For this thing, we need to save all we have seen in W32DASM. How? Easy: File -> Save Disassembly Text File and Create Project File -> FileName: beep.ALF -> Ok.
    Note: the extension need to be : .ALF, NOT .ELF ( some of you guy's know, i mean, it's for Linux ).
    Now go to : CMD -> your folder,were you saved the beep.alf -> type : wdhex beep.alf , the app will show the shellcode extracted .



    Our Shellcode is :
    char shellcode[]=
    How can we verify if the ShellCode work's? Very simple!!! let's consider this C application :
    char code[] = "bytecode will go here!";
    int main(int argc, char **argv)
       int (*func)();
       func = (int (*)()) code;
    Feelas you'll need to modify : "bytecode will go here!" with your shellcode, then compile the app, and make it .exe and see if it work's.

    here our some good links


    Hope you all like my tutorial if you need help dont hesitate to ask me
    Last edited by a moderator: Jan 21, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice