Shellcode

In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.

When creating shellcode, it is generally desirable to make it both small and executable, which allows it to be used in as wide a variety of situations as possible.

If executed successfully, the shellcode gives the attacker access to the machine with the same, often elevated, privileges as the targeted process.

Remote shellcodes normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine.

In staged shellcode, this small first-stage code then downloads a larger piece of shellcode (stage 2) into the process's memory and executes it.

In egg-hunt shellcode, this small searcher code then searches the process's address space for the larger shellcode (the egg) and executes it.

Most shellcodes are written without the use of null bytes because they are intended to be injected into a target process through null-terminated strings.

This type of encoding, alphanumeric or printable shellcode, was created by hackers to hide working machine code inside what appears to be text.

In certain circumstances, a target process will filter any byte from the injected shellcode that is not a printable or alphanumeric character.

Most shellcode is written in machine code because the vulnerability being exploited gives the attacker access to the process at a very low level.

Shellcode is therefore often created to target one specific combination of processor, operating system and service pack, called a platform.

However, it is not impossible for one shellcode to work for multiple exploits, service packs, operating systems and even processors.

One common analysis technique is to write a small C program that holds the shellcode as a byte buffer and then uses a function pointer or inline assembler to transfer execution to it.
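Two of the points above, the null-byte constraint and the byte-buffer-plus-function-pointer analysis harness, worked through in an added example that is not code from the original article. It assumes a POSIX system with mmap/mprotect on x86-64 or AArch64; the byte sequences are constructed, harmless functions that simply return 42, one encoded with null bytes and one without.

```c
/* Added example (not from the article): holds code bytes in a buffer, maps
 * them executable and enters them through a function pointer, and checks for
 * null bytes. POSIX, x86-64 or AArch64; the constructed bytes just return 42. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__)
/* mov eax, 42 ; ret -- the 32-bit immediate contains three null bytes */
static const uint8_t naive_code[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};
/* xor eax, eax ; mov al, 42 ; ret -- same result, no null bytes */
static const uint8_t nullfree_code[] = {0x31, 0xC0, 0xB0, 0x2A, 0xC3};
#elif defined(__aarch64__)
/* movz w0, #0 ; add w0, w0, #42 ; ret -- zero operands produce null bytes */
static const uint8_t naive_code[] = {0x00, 0x00, 0x80, 0x52, 0x00, 0xA8, 0x00,
                                     0x11, 0xC0, 0x03, 0x5F, 0xD6};
/* movz w0, #42 ; ret -- no null bytes */
static const uint8_t nullfree_code[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6};
#else
#error "sample bytes are provided for x86-64 and AArch64 only"
#endif

/* 1 if the buffer would be truncated by a null-terminated string copy. */
int has_null_byte(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0) return 1;
    return 0;
}

/* Run the bytes as an int-returning function; -1 if no executable mapping. */
int run_code(const uint8_t *code, size_t len)
{
    int (*fn)(void), result;
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, len);                    /* write first ... */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) { munmap(mem, len); return -1; }
    __builtin___clear_cache((char *)mem, (char *)mem + len); /* ... then execute (ARM needs the flush) */
    memcpy(&fn, &mem, sizeof fn);              /* avoids an object-to-function pointer cast */
    result = fn();
    munmap(mem, len);
    return result;
}
```

Linked into any driver, has_null_byte reports why the naive encoding could not be injected through a C string while run_code confirms both variants return 42.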

Another technique is to use an online tool, such as shellcode_2_exe, to embed the shellcode into a pre-made executable husk which can then be analyzed in a standard debugger.

Specialized shellcode analysis tools also exist, such as the iDefense sclog project which was originally released in 2005 as part of the Malcode Analyst Pack.

Sclog is designed to load external shellcode files and execute them within an API logging framework.

Emulation-based shellcode analysis tools also exist such as the sctest application which is part of the cross-platform libemu package.

Another emulation-based shellcode analysis tool, built around the libemu library, is scdbg which includes a basic debug shell and integrated reporting features.
