Running Shellcode Directly in C

Here’s a cool thing I figured out in position-independent code. I would rephrase the title as running position-independent code instead of shellcode. Check my previous article Executing Shellcode Directly where I used a minimal PE and pointed the AddressofEntryPoint to the beginning of the PIC.

So the goal is to run shellcode in C without any function pointers or any functions at all, not even a main function ๐Ÿ™‚ For example, this is all the code. I declare the variable name as “main”. I am using the Microsoft’s Visual C compiler with no parameters.

After compiling it won’t of course run. Why? Well, the initialized data will end up in the “.data” section.



This section has no execute permissions. So let’s add execute permissions and see.

That’s it! the position independent code executes nicely ๐Ÿ™‚

Well, this seems a bit of a hassle to change flags each time you want to run shellcode. Let’s tell the linker to give Execute and Write permission to the “.data” section while linking.

Another tricky way would be to place the shellcode in the “.rdata” section and merge it with the “.text” section. And of course, you can give Execute permission to the “.rdata” section like we did before and execute as well.

Now if you see our code is merged in the ‘.text’ section and it will execute nicely.

You can place the shellcode directly in the ‘.text’ without modifying the PE structure like this. Thanks to @yair_omer for mentioning this.

You can also write shellcode in any number base. For example in decimals:

This is in octal.

Under GCC you don’t need to change section permissions, it will automatically place in the ‘.text’ section. Make sure your code is position indepdent or else it won’t work on other Windows systems due to dynamic addressing of DLLs. In this way, you can execute your shellcode without any function pointers. You can check out some of my public shellcodes from here.

Advertisements

3 thoughts on “Running Shellcode Directly in C

Leave a Reply