You normally see plenty of articles on the internet teaching how to write shellcode,
but most of them are about shellcode for Linux.
Articles teaching how to write shellcode on Windows are very rare (even though Windows is so much easier to attack - -a)
This one is in English.


[hide=30]
Knowing how to write shellcode for Windows is important for every IT security professional. As with buffer overflow papers, there are plenty of Linux shellcode guides but not many for Windows. The following simple Windows shellcode article explains the basics of shellcoding. Hands-on shellcoding experience helps you understand buffer overflow attacks better and shows you what your IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) actually have to catch.

In my article about the buffer overflow attack I showed how attackers exploit buffer overflow bugs and how easy it is to redirect the code flow and run code that was never meant to be executed. The tricky part comes after the redirect. Attackers usually want administrator privileges and a way to run commands on the operating system, and the easiest way to get that is to launch the command interpreter, cmd.exe. If the vulnerable application already contains a function that calls cmd.exe, the attacker does not need to write any shellcode and can simply redirect the code flow to that function. Most applications have no such function, so attackers usually bring their own code: shellcode.

Why is it called shellcode? The name comes from Unix systems (FreeBSD, Linux), where it meant code that launches a shell. On Windows you could just as well call it cmdcode. Today, shellcode means any code that an attacker or a security professional injects to exploit a software vulnerability. Smaller is generally better: a small shellcode fits into more buffers and gives IDS/IPS signatures less to match on, and it is always worth testing your IDS/IPS against several different shellcodes. There is no rule, however, that the smallest shellcode is the most effective one. Attackers also encode the shellcode (often loosely called encrypting it) so that its bytes are not recognised by IDS/IPS signatures. The simplest method is a single-byte XOR: the payload is XORed with a key before it is sent, and a short decoder stub in front of it XORs the bytes back in memory before jumping to them. Because an IDS/IPS cannot analyse all traffic in depth, well-encoded shellcode usually passes through undetected.
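The XOR encoding described above, as an added example that is not part of the original article. The bytes in SAMPLE are constructed for the demonstration (the opening opcodes of a jmp/call/pop stub padded with NOPs, not a working payload). The key is chosen so that the encoded bytes contain no 00h, which would otherwise end the string copy that carries the shellcode into the vulnerable buffer, and the first four raw bytes stand in for a signature an IDS would match on.

```c
/* xor_encoder.c -- added example, not code from the original article.
 * Encode a constructed "shellcode" with a single-byte XOR key chosen so
 * that (1) no encoded byte is 0x00 and (2) the raw byte signature an IDS
 * might look for no longer appears on the wire. Decoding is the same XOR. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: start of a jmp/call/pop stub like the article's
 * (EB xx = jmp short, E8 rel32 = call, 5B = pop ebx), padded with NOPs
 * and an int3. It is NOT a working payload, only bytes to encode. */
static const uint8_t SAMPLE[] = {
    0xEB, 0x10, 0xE8, 0xEB, 0xFF, 0xFF, 0xFF, 0x5B,
    0x90, 0x90, 0x90, 0xCC
};
#define SAMPLE_LEN (sizeof SAMPLE)

/* 1 if buf contains a 0x00 byte (fatal for strcpy-style overflows), else 0. */
int has_null(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0x00) return 1;
    return 0;
}

/* Naive substring search: 1 if the m-byte signature occurs anywhere in buf. */
int contains_sig(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return 1;
    return 0;
}

/* Smallest key in 1..255 such that no payload byte equals the key, i.e.
 * no byte XOR key becomes 0x00. Returns -1 if every key collides. */
int find_key(const uint8_t *buf, size_t n) {
    for (int key = 1; key < 256; key++) {
        int ok = 1;
        for (size_t i = 0; i < n; i++)
            if (buf[i] == (uint8_t)key) { ok = 0; break; }
        if (ok) return key;
    }
    return -1;
}

/* XOR in place; applying it twice with the same key restores the input.
 * This loop is exactly what the decoder stub does at run time. */
void xor_buf(uint8_t *buf, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}

/* Full round trip on a copy of SAMPLE. Returns 1 when the encoded copy is
 * null-free, no longer contains the first 4 raw bytes as a signature, and
 * decodes back to the original exactly; 0 otherwise. */
int roundtrip_ok(void) {
    uint8_t enc[SAMPLE_LEN];
    int key = find_key(SAMPLE, SAMPLE_LEN);
    if (key < 0) return 0;
    memcpy(enc, SAMPLE, SAMPLE_LEN);
    xor_buf(enc, SAMPLE_LEN, (uint8_t)key);          /* encode */
    if (has_null(enc, SAMPLE_LEN)) return 0;
    if (contains_sig(enc, SAMPLE_LEN, SAMPLE, 4)) return 0;
    xor_buf(enc, SAMPLE_LEN, (uint8_t)key);          /* decode */
    return memcmp(enc, SAMPLE, SAMPLE_LEN) == 0;
}

int main(void) {
    int key = find_key(SAMPLE, SAMPLE_LEN);
    printf("key=0x%02x roundtrip_ok=%d\n", key, roundtrip_ok());
    return 0;
}
```

A single-byte key is trivially brute-forced by an IDS that tries all 255 keys on a suspicious buffer, so this only defeats plain byte-pattern matching; the point of the example is the null-byte constraint, which any real encoder has to honour for both the encoded payload and the decoder stub itself.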

How to write dynamic shellcode?

Now I will show you how to create a MessageBox shellcode that works even in a process that does not have the User32.dll library loaded. MessageBox lives in User32.dll, so the DLL has to be in the process before the function can be called. A short explanation of how DLLs work: when you launch an EXE, the loader reads its import table to see which APIs it uses and then maps every DLL that exports those APIs into the process. If the application you are exploiting imports nothing from User32.dll, the library is simply not there, and an exploit that calls MessageBox will fail. The way around this is to have the shellcode load User32.dll itself, dynamically, before it calls MessageBox.

The first thing the shellcode has to do is load User32.dll with LoadLibrary() and then get the address of MessageBox with GetProcAddress(). Take a look at the code below. Three strings are defined at the end of the code: USER32.DLL, MessageBoxA and Hacked!. Each string ends with the decimal value 11 (0Bh) instead of a zero byte, because a 00h byte inside the shellcode would end the string copy that carries it into the vulnerable buffer. Now back to the start of the code. There are three unconditional jumps (JMP). Each jump lands on a label placed directly in front of one of the strings, where a CALL immediately calls back to the label right behind the jump. CALL pushes its return address, and that return address is the address of the string that follows the CALL, so after POP EBX the register holds the string address. We then zero the last byte (the 11) so that the string is terminated by a single zero byte as the API expects, and call the function. This is repeated three times, once for every string. One caveat: the comment in the code refers to the address of LoadLibrary inside Kernel32.dll; if that address is hardcoded, the shellcode is tied to one Windows version and service pack, because Kernel32.dll's export addresses differ between builds (and, on systems with ASLR, between boots), so portable shellcode has to locate kernel32 through the PEB and walk its export table at run time instead.
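The string trick described above, modelled in portable C as an added example that is not code from the original article. The PAYLOAD bytes are constructed to match the article's layout: the three strings back to back, each terminated by 0Bh. fixup_string() does what the shellcode does after POP EBX (overwrite the terminator with 00h in place), and the resulting pointers are what the shellcode would hand to LoadLibrary, GetProcAddress and MessageBox; the Windows calls themselves are left out so the example runs anywhere.

```c
/* string_fixup.c -- added example, not code from the original article.
 * Strings are stored in the payload terminated by 0x0B instead of 0x00 so
 * the raw payload contains no null byte; the shellcode zeroes each
 * terminator at run time (the article's "mov byte ptr [ebx+N], 0") right
 * before passing the string to a Win32 API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TERM 0x0B   /* the article's terminator byte, decimal 11 */

/* Constructed payload tail: the three strings exactly as the article lays
 * them out, each ending in 0x0B rather than 0x00. */
static uint8_t PAYLOAD[] = {
    'U','S','E','R','3','2','.','D','L','L', TERM,
    'M','e','s','s','a','g','e','B','o','x','A', TERM,
    'H','a','c','k','e','d','!', TERM
};
#define PAYLOAD_LEN (sizeof PAYLOAD)

/* 1 if the buffer contains 0x00 (would truncate a strcpy-style overflow). */
int has_null(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0x00) return 1;
    return 0;
}

/* Length of the 0x0B-terminated string at p (terminator excluded), i.e.
 * the N in "mov byte ptr [ebx+N], 0". Returns -1 if no terminator. */
int term_strlen(const uint8_t *p, size_t avail) {
    for (size_t i = 0; i < avail; i++)
        if (p[i] == TERM) return (int)i;
    return -1;
}

/* What the shellcode does after POP EBX: overwrite the 0x0B with 0x00 so
 * the API sees an ordinary NUL-terminated string. Returns the string, or
 * NULL if the buffer ends before a terminator is found. */
char *fixup_string(uint8_t *p, size_t avail) {
    int len = term_strlen(p, avail);
    if (len < 0) return NULL;
    p[len] = 0x00;                 /* mov byte ptr [ebx+len], 0 */
    return (char *)p;
}

/* Fix up every string in order. out[] receives the C string pointers, the
 * equivalent of the successive EBX values. Returns the number recovered. */
int fixup_all(uint8_t *buf, size_t n, char **out, int max) {
    size_t off = 0;
    int count = 0;
    while (off < n && count < max) {
        char *s = fixup_string(buf + off, n - off);
        if (s == NULL) break;
        out[count++] = s;
        off += strlen(s) + 1;      /* skip string and its (now zero) terminator */
    }
    return count;
}

/* Runs the whole sequence on a copy of PAYLOAD. Returns the number of
 * strings recovered (3) if the raw payload was null-free and the fixed-up
 * strings read USER32.DLL, MessageBoxA and Hacked!, otherwise 0. */
int demo(void) {
    uint8_t buf[PAYLOAD_LEN];
    char *s[3];
    memcpy(buf, PAYLOAD, PAYLOAD_LEN);
    if (has_null(buf, PAYLOAD_LEN)) return 0;    /* raw payload must be null-free */
    int n = fixup_all(buf, PAYLOAD_LEN, s, 3);
    if (n != 3) return 0;
    if (strcmp(s[0], "USER32.DLL") != 0 ||
        strcmp(s[1], "MessageBoxA") != 0 ||
        strcmp(s[2], "Hacked!") != 0) return 0;
    return n;
}

int main(void) {
    printf("raw payload null-free: %d\n", !has_null(PAYLOAD, PAYLOAD_LEN));
    printf("strings recovered: %d\n", demo());
    return 0;
}
```

The offsets term_strlen() returns (10, 11 and 7) are the constants the shellcode needs for its three `mov byte ptr [ebx+N], 0` instructions; if you change a string, those immediates change with it, which is the usual source of silent breakage when this pattern is edited by hand.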


[code]
; dynamic_shellcode.asm
.386
.model flat,stdcall
include c:\masm32\include\kernel32.inc
includelib c:\masm32\lib\kernel32.lib
.code
our_code:
    jmp User32Library       ; land on the CALL placed just before the "USER32.DLL" string
getBack_1:                  ; CALL returns here with the string address on the stack
; LoadLibrary address in Kernel32.dll 0