
Anatomy of a shell code

by
Abhineet Ayan
abhineet.ayan.verma@gmail.com
ANATOMY OF A SHELLCODE
1. Initialization:
When the shellcode is loaded in memory, the first step towards its execution is to know its own address. This is accomplished using the technique called "Get Program Counter", aka "GetPC". Fig 1 shows the code involved in this:
Step 1: The CALL instruction pushes the offset from EIP and jumps to the specified line.
Step 2: The POP instruction pops the offset that was pushed and stores it in EAX.
So now the address is known and saved in EAX.
2. Decryption:
a) The LOOP:
Now, after learning its own address, the shellcode decrypts the whole code in order to carry out the execution. The code before decryption is just garbage and will not accomplish anything. Let's have a look at Fig 2:
Step 1: Set ECX to execute the loop for decrypting the code. Below you can see the value of ECX.
Step 2: XOR each byte with 28h to yield the actual data and keep incrementing EAX till ECX reaches 0 to exit the loop successfully.
The decryption loop keeps XORing each byte at the specified address with 28H to decrypt it. The loop is executed a number of times equal to the value held in the ECX register.
b) Fig 3 and Fig 4 show the encrypted and decrypted line respectively.
Fig 3a: Encrypted Code
Fig 3b: Corresponding value at the encrypted byte.
Fig 4a: Decrypted Code.
Fig 4b: Corresponding value at the decrypted byte:
c) Full overview of the encrypted and decrypted code with their memory.
Fig 5: Encrypted Code and its Memory:
Fig 6: Decrypted Code and its Memory:
If you look at the memory keenly, you can find the difference and see that the new memory actually makes sense.
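The decoder loop above, emulated in Python as an added example (this is not code from the write-up): the loop walks the buffer with a pointer (EAX), XORs each byte with the 28h immediate and stops when the counter (ECX) hits 0. The sample payload, its length and the "payload.dll" name are constructed; the known-plaintext check shows how an analyst confirms a single-byte key when the immediate cannot be read from the loop.

```python
XOR_KEY = 0x28  # the immediate the decoder loop on the page XORs with

def xor_decode(encoded, key, count):
    """Emulate the decoder: walk the buffer from its start (EAX), XOR each byte
    with KEY and stop when the counter (ECX) reaches 0. Bytes past `count` are
    left untouched, exactly as bytes beyond the loop's range would be."""
    out = bytearray(encoded)
    for i in range(min(count, len(out))):
        out[i] ^= key
    return bytes(out)

def recover_key(encoded, known_prefix):
    """Known-plaintext check: a single-byte XOR key must satisfy
    enc[i] ^ key == plain[i] for every known byte. Returns the key, or None
    when no single byte explains the whole prefix (i.e. the guess is wrong
    or the encoding is not single-byte XOR)."""
    if not known_prefix or len(encoded) < len(known_prefix):
        return None
    key = encoded[0] ^ known_prefix[0]
    for e, p in zip(encoded, known_prefix):
        if e ^ key != p:
            return None
    return key

# Constructed sample (not the page's shellcode): a buffer that starts with the
# "regsvr32 -s" string this shellcode later writes, encoded with the same key.
SAMPLE_PLAIN = b"regsvr32 -s payload.dll\0"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, XOR_KEY, len(SAMPLE_PLAIN))  # XOR is its own inverse

if __name__ == "__main__":
    print(SAMPLE_ENCODED)                                            # garbage before decoding
    print(xor_decode(SAMPLE_ENCODED, XOR_KEY, len(SAMPLE_ENCODED)))  # readable after
    print(hex(recover_key(SAMPLE_ENCODED, b"regsvr32")))             # 0x28
```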
3. Loading Library Functions:
a) PEB->Ldr:
For shellcode, a common method to resolve the addresses of the library functions it needs is to get the base address of the kernel32.dll image in memory and retrieve the addresses of GetProcAddress and LoadLibraryA by parsing the kernel32 image's Export Address Table (EAT). These two functions can then be used to resolve the remaining functions needed by the shellcode. To retrieve the kernel32.dll base address, most shellcodes use the Process Environment Block (PEB) structure to retrieve a list of the modules currently loaded in the process's address space. The InInitializationOrder module list pointed to by the PEB's Ldr structure holds a linked list of modules.
The code used to retrieve the kernel32 base address with this method is shown below in Fig 7:
Step 1: Get a pointer to the PEB.
Step 2: Get PEB->Ldr.
Step 3: Get PEB->Ldr.InInitializationOrderModuleList.Flink (1st Entry). The memory shown below is after fetching the first entry of PEB->Ldr.InInitializationOrderModuleList.Flink, and then NTDLL.DLL (1st Entry).
b) PE-Header of NTDLL:
Fig 8 shows the code and memory of how the shellcode made its way to NTDLL's PE-Header:
The rounded code shows the extraction of the address of NTDLL's PE-Header, and the memory shows the PE-Header. The first two bytes of the PE-Header are called the "e_magic" value.
c) Offset of PE-Header:
Fig 9 above shows the marked code that moves the file offset of the PE-Header to BX. This offset is also popularly known as the "e_lfanew" value.
d) Bytes Search:
The code block shown below in Fig 10 searches for a string of bytes saved in register EAX by incrementing the value of ESI till it reaches a particular address where the same string of bytes represents an instruction.
The rounded code of the block above:
The first instruction stores the string of bytes in EAX. ESI is then incremented and the comparison is repeated for each incremented ESI.
After a successful search, the address of the instruction represented by that string of bytes is swapped with the address stored at ESP.
In the memory window above, the string of bytes is matched at the address shown. Now the address is swapped with ESP. The next figure shows the new value at ESP after swapping.
e) Get PEB->Ldr.InInitializationOrderModuleList.Flink (2nd Entry):
After exchanging the value with ESP, ESI contains the address of the first entry.
Fig 10: The marked code holds the address of the next link in the .Flink field, i.e. the link to Kernel32.dll. The marked part of memory shows the address from which we can extract the DLL's name.
The marked part is the 7th field. Below, Fig 11 shows the name of the current DLL:
f) Checking for Kernel32.dll:
Fig 12 shows the code that checks for the "Kernel32.dll" name.
Step 1: Move the address holding the current DLL's name to EBP.
Step 2: Check whether the 12th byte is equal to the digit 3. If it is equal, execution continues to load libraries.
g) Loading the Kernel32.dll PE-Header:
After confirming the address of Kernel32.dll, Fig 13:
Step 1: Move the "Base Address" of Kernel32.dll to EBP. The memory shows the PE-Header of Kernel32.dll.
h) Loading the Address of e_lfanew of the Kernel32 PE-Header:
The pointed code in Fig 14 shows the loading of the "e_lfanew" value into ESI. The memory shows the "e_lfanew" value. "e_lfanew" contains the offset to the start of the "PE-Header".
i) Loading the Address of "IMAGE_DATA_DIRECTORY0" from the PE-Header of Kernel32.dll:
Fig 15 below shows the code to obtain the address of "IMAGE_DATA_DIRECTORY0", which is the first entry following "NumberOfRvaAndSizes". "NumberOfRvaAndSizes" is the 30th member of the _IMAGE_OPTIONAL_HEADER structure.
Step 1: The offset of "IMAGE_DATA_DIRECTORY0" is loaded into ESI.
Step 2: The actual address is loaded into ESI. (EBP is storing the starting address of the PE-Header.)
The memory here shows the address of "IMAGE_DATA_DIRECTORY0".
*The offset in "IMAGE_DATA_DIRECTORY0" is the RVA of the "Export Directory".
j) Loading AddressOfNames from the Export Table:
Fig 16:
Step 1: The corresponding code loads the address of the 10th member of the "Export Table", i.e. "AddressOfNames". The value is the RVA of the "Export Name Table (ENT)".
Step 2: The actual address is obtained.
k) Loading the Names of the Functions of Kernel32.dll:
Fig 17: The rounded code refers to the actual address of the member "AddressOfNames". The memory window shows the loaded names from Kernel32.dll.
l) The Hashing Loop to search for the desired Function Names:
The Hashing Loop:
Each byte is stored in EDX and then added to EBX. The value in EBX is then rotated right by 0DH. This process is repeated till EAX encounters the NULL, i.e. till the code has generated the hash for the full function name. After creating the hash, this hash value is compared for equality with the value stored at EDI. If the name hash matches, the loop exits; otherwise the whole process is repeated for the next function name.
Fig 18 is a loop that traverses the function names and searches for the desired function.
Step 1: Move one byte from the pointer, i.e. the byte for the first letter of the function name, to EDX. The memory shows the byte pointed to by EAX.
Step 2: Comparing DL and DH checks whether the byte pointer has encountered a NULL.
Step 3: If not, continue through Steps 4-7 to fetch the next byte and build the hash of the function name to compare later.
Step 4: The hashing (the rotate) is carried out at this step.
Step 5: EDX is added to EBX.
Step 6: EAX is incremented to point to the next byte.
Step 7: Repeat Steps 1-6 till EAX encounters the NULL.
Step 8: Compare the hash of the function name with the hash stored at EDI.
Step 9: If not equal, fetch the next function hash. If equal, continue with the following code. The created hash is checked against the value stored at EDI. The marked value shows the hash stored for comparison at EDI.
The memory above shows the desired function name searched for: LoadLibraryA. The created hash matches the value at EDI.
m) Loading "AddressOfNameOrdinals":
Fig:
The rounded code loads the 11th member of the "Export Table", i.e. "AddressOfNameOrdinals". The value contains the RVA of the "Export Ordinal Table (EOT)".
n) Getting to the EAT:
After getting "AddressOfNameOrdinals", the code block given below shows how the RVA of the "Export Address Table (EAT)" is obtained.
The pointed code above loads the effective address of [ESI-14h] into EAX.
Now recall the byte-string search we did before, where we stored the address of the instruction represented by that byte string at ESP.
The pointed code above calls that instruction. The memory here shows the instruction's address.
The highlighted instruction is called by referencing the address stored at ESP. The marked string of bytes is the byte string the code searched for earlier.
Combining both pieces of code shown in the above and previous snapshots yields a final instruction that references the address at "ESI+1CH".
The figure given below shows where it is actually pointing.
The rounded code block accesses the address at [ESI+1CH], i.e. the 9th member of the "Export Table".
The 9th member of this table is "AddressOfFunctions", containing the "RVA of the EAT". Adding this offset to the base address of the PE-Header, held in EBP, gives the address of the EAT.
As you can see, EAX is currently in VProc_ImageExportDirectory.
o) Storing the Starting Addresses of the Desired Functions:
The figure shown above obtains the starting address of the function, which is stored to EDI. The figure below shows the current position of EAX after the execution of this block.
Storing the starting address of the function to EDI.
The two figures below show the whole code responsible for everything from searching for the desired function name to storing its starting address at EDI.

The figure below shows the memory written at EDI after the whole code loop shown above finally returns.
(Figure panels: 1st Entry, 2nd Entry, 3rd Entry, 4th Entry, 5th Entry, 6th Entry, All Entries)
The function names are: LoadLibraryA, WinExec, TerminateThread, GetTempPathA, VirtualProtect and UrlDownloadToFileA respectively.
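As an added example that is not part of the original write-up: a Python emulation of the hashing loop of section l) and of the export-table walk of sections j) to o), run over a constructed flat image (RVA equals offset). It assumes the export directory's position has already been found via e_lfanew and IMAGE_DATA_DIRECTORY0 as described above, so no DOS/NT headers are built; the function names are the page's, while the table layout and the function RVAs are made up. An analyst can run ror13_hash over an export name list to turn the hash constants found in a sample back into API names.

```python
import struct

# Constructed export name list (a tiny stand-in for kernel32's ENT, not real data).
EXPORT_NAMES = [b"GetProcAddress", b"GetTempPathA", b"LoadLibraryA", b"TerminateThread",
                b"UrlDownloadToFileA", b"VirtualProtect", b"WinExec"]

def ror13_hash(name):
    """The loop of section l): per byte, rotate the 32-bit accumulator right by 0Dh
    (Step 4) and add the byte (Step 5); stop at the terminating NULL."""
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ror ebx, 0Dh
        h = (h + b) & 0xFFFFFFFF                   # add ebx, edx
    return h

def build_image(names):
    """Lay out IMAGE_EXPORT_DIRECTORY at 0x100, AddressOfFunctions at 0x200,
    AddressOfNames at 0x300, AddressOfNameOrdinals at 0x400, name strings from 0x500.
    Function RVAs (0x1000 + 0x10*i) are constructed placeholders."""
    img = bytearray(0x800)
    off = 0x500
    for i, n in enumerate(names):
        img[off:off + len(n) + 1] = n + b"\0"
        struct.pack_into("<I", img, 0x300 + 4 * i, off)                 # ENT entry -> name RVA
        struct.pack_into("<H", img, 0x400 + 2 * i, i)                   # EOT entry -> ordinal
        struct.pack_into("<I", img, 0x200 + 4 * i, 0x1000 + 0x10 * i)   # EAT entry -> function RVA
        off += len(n) + 1
    # Characteristics, TimeDateStamp, Major, Minor, Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, 0x100, 0, 0, 0, 0, 0, 1,
                     len(names), len(names), 0x200, 0x300, 0x400)
    return img

def resolve_by_hash(img, export_dir_rva, wanted_hash):
    """Walk AddressOfNames (10th member), hash each name, and on a match use
    AddressOfNameOrdinals (11th) to index AddressOfFunctions (9th).
    Returns (name, function RVA) or None when no export hashes to wanted_hash."""
    fields = struct.unpack_from("<IIHHIIIIIII", img, export_dir_rva)
    n_names, addr_funcs, addr_names, addr_ords = fields[7], fields[8], fields[9], fields[10]
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, addr_names + 4 * i)[0]
        name = bytes(img[name_rva:img.index(b"\0", name_rva)])
        if ror13_hash(name) == wanted_hash:
            ordinal = struct.unpack_from("<H", img, addr_ords + 2 * i)[0]
            return name, struct.unpack_from("<I", img, addr_funcs + 4 * ordinal)[0]
    return None

IMAGE = build_image(EXPORT_NAMES)
```

Running resolve_by_hash(IMAGE, 0x100, 0xEC0E4E8E) returns LoadLibraryA, the hash value the page's loop matches at EDI.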
4. Self-Registering DLL
a) Regsvr32:
The code block shown below writes "regsvr32 -s" to memory. The Regsvr32 tool (Regsvr32.exe) is a command-line tool that registers .dll files as command components in the registry. The "-s" option specifies that regsvr32 runs silently and does not display any message boxes.
First Instruction:
Second Instruction:
Third Instruction:
b) Calling "GetTempPathA":
[ESI+0CH] holds the starting address of the function "GetTempPathA".
c) Writing the DLL:
The figure given below shows the memory written with the DLL name that is to be executed as the parameter to regsvr32.exe.
The DLL name is then renamed. The figure below shows the renamed DLL with its path:
d) Calling "UrlDownloadToFileA":
The marked code calls the address stored at [ESI+14H], i.e. the 6th function name entry, "UrlDownloadToFileA".
e) Calling "TerminateThread":
The pointed code calls the address stored at [ESI+8], i.e. the 3rd function name entry, "TerminateThread". This function exits the native code.
