Running Shellcode Directly in C

Here’s a cool thing I figured out in position-independent code. I would rephrase the title as running position-independent code instead of shellcode. Check my previous article Executing Shellcode Directly where I used a minimal PE and pointed the AddressofEntryPoint to the beginning of the PIC.

So the goal is to run shellcode in C without any function pointers or any functions at all, not even a main function 🙂 For example, this is all the code. I declare the variable name as “main”. I am using the Microsoft’s Visual C compiler with no parameters.

After compiling it won’t of course run. Why? Well, the initialized data will end up in the “.data” section.


(more…)

Shellcode to Dump the Lsass Process

Here’s the shellcode I wrote for curiosity and ended up working nicely 🙂

This shellcode is for Windows 10 and Server 2019 x86_64.

(more…)

Making your Shellcode Undetectable using .NET

In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.

VirtualProtect

This is how MSDN explains this:

Changes the protection on a region of committed pages in the virtual address space of the calling process.

BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx

Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.

Here’s an example using C which I have implemented.
(more…)

Running Shellcode in your Raspberry Pi

I was interested in learning ARM assembly language for developing small applications for microcontrollers. I wrote this small piece of shellcode which will write “127.0.0.1 google.lk” inside the /etc/hosts file in a Linux system. I used my Raspberry Pi model B+ for this 🙂
Image result for raspberry pi b+
We will be needing the following syscalls.

#define __NR_exit                       (__NR_SYSCALL_BASE+  1)
#define __NR_write                      (__NR_SYSCALL_BASE+  4)
#define __NR_open                       (__NR_SYSCALL_BASE+  5)
#define __NR_close                      (__NR_SYSCALL_BASE+  6)

(more…)

x86 Linux Egg hunter

This is a small post regarding egg hunting on x86 Linux systems. I’d highly recommend you to read skape’s paper “Safely Searching Process Virtual Address Space” . He has described his techniques for Linux and Windows systems. I will be using one of his implementations.  I will use the access system call which is 33 for IA-32.

#define __NR_access              33

The access system call can be used the check whether the calling process can access the file.

#include <unistd.h>
int access(const char *pathname, int mode);

This is the x86 assembly implementation of the hunger code. It will search the virtual address space for our tag “AAAA” and begin execution of our shellcode. I am not going to explain this implementation. You can refer to skape’s document in higher detail.

(more…)

Chmod 0777 Polymorphic Shellcode

This is my first hand written shellcode for linux which I wrote it for fun and exploration. I am a bit new to shellcoding in *nix environments. This shellcode changes the permission of the shadow file in linux/x86 system to 0777. According to the Linux programmer’s manual of chmod it takes two arguments.

#include <sys/stat.h>

int chmod(const char *path, mode_t mode);

(more…)