Didier Stevens

Friday 23 September 2011


Filed under: My Software — Didier Stevens @ 9:04

To help the attendees of my Brucon White Hat Shellcode workshop, I wrote a new program to generate simple shellcode. I’m releasing it now.

People regularly ask me for malware so they can test their security setup. First, that’s a bad idea, and second, you can do without.

Why is using malware a bad idea? It’s dangerous and not reliable. Say you use a trojan to test your sandbox. You notice that your machine is not compromised. But is it because your sandbox contained the trojan, or because the trojan failed to execute properly? It might surprise you, but there’s a lot of unreliable malware out in the wild.

So how can you reliably test your sandbox without risking infection, or even worse, have malware escape into your corporate network? Just use simple shellcode that creates a file in a location your sandbox should prevent, like system32.

To generate this shellcode with simple-shellcode-generator.py, create a text file (call it createfile.def) with these 2 lines:

kernel32.dll CreateFileA str 0x0 0x0 0x0 0x2 0x80 0x0
kernel32.dll CloseHandle eax

Each line in this definition file instructs the generator to generate assembler code to lookup the address of the WIN32 API function, and to call it with the arguments you provide. The first column defines the dll that contains the function to call, the second column is the actual API function, and the rest are arguments to this function. The arguments you provide are copied literally into the generated assembler code, except for 3 keywords.
Keyword int is used to represent any DWORD, it will result in the generation of a push 0x0.
Keyword str is used to reserve space for a string, and the address of the string is used as argument.
Keyword pint is user to reserve space for a DWORD, and the address of the DWORD is used as argument.

To generate our shellcode, issue this command:

simple-shellcode-generator.py -o createfile.asm createfile.def

This generates the following assembler code:

; Shellcode generated by simple-shellcode-generator.py
; Generated for NASM assembler (http://www.nasm.us)
; https://DidierStevens.com
; Use at your own risk
; History:
;   2011/09/23: generated


KERNEL32_HASH equ 0x000D4E88

segment .text
	call geteip
	pop ebx

	; Setup environment for kernel32.dll
	lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx]
	push esi
	lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx]
	push esi
	call LookupFunctions

	; call to CreateFileA
	push 0x0
	push 0x80
	push 0x2
	push 0x0
	push 0x0
	push 0x0
	lea eax, [STRING1-geteip+ebx]
	push eax
	call [KERNEL32_CREATEFILEA-geteip+ebx]

	; call to CloseHandle
	push eax
	call [KERNEL32_CLOSEHANDLE-geteip+ebx]


%include "sc-api-functions.asm"


KERNEL32_CREATEFILEA dd 0x00000000
KERNEL32_CLOSEHANDLE dd 0x00000000

STRING1: db "String 1", 0

You can replace “String 1” on line 57 with the file you want to create: “C:\Windows\System32\testfile.txt”.

This shellcode uses the library sc-api-functions.asm you can find in my shellcode repository.


simple-shellcode-generator_V0_0_1.zip (https)
MD5: 3A6D00C6EBC1F20589C952817174653E
SHA256: FEFD4059810DA7855CC3CBC6A198FD75607C4F7B7B2F71817689E1520B454C58

1 Comment »

  1. […] that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a […]

    Pingback by ExitProcess Shellcode « Didier Stevens — Monday 14 May 2012 @ 0:19

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.