Didier Stevens

Saturday 25 July 2020

ndisasm 2.15 stdin Bug Fix

Filed under: Shellcode — Didier Stevens @ 0:00

I like to pipe commands together, especially when doing malware analysis.

ndisasm is the disassembler of NASM. I like to use it, because it’s a single executable (for major operating systems) and accepts input from stdin.

But there was an issue with Windows versions: stdin was opened in text mode, and not in binary mode. This can result in disassembly errors, like in the following example. I send 7 bytes to ndisasm via stdin, and the 4th byte is 0x1A (CTRL-Z): this is the end-of-file marker for Windows text files:

As can be seen, only the first 3 bytes are disassembled, and all bytes from 0x1A on are ignored.

I filled a bug fix with code the fix the issue, and this was integrated in version 2.15:

 

 

 

 

 

Friday 18 November 2016

Update: shellcode2vba.py Version 0.5

Filed under: My Software,Shellcode,Update — Didier Stevens @ 0:00

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:

Option –suffix allows you to instruct the program to add a suffix to the VBA function names.

shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A

Saturday 2 January 2016

Update: shellcode2vba.py Version 0.4

Filed under: My Software,Shellcode,Update — Didier Stevens @ 13:33

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 3 new options:

Option –nocreatethread allows you to instruct the program not to add the VBA code to create a new thread.

Option –writememory: from now on, the VBA code uses RtlMoveMemory in stead of WriteProcessMemory. To use WriteProcessMemory, use option –writememory process

Option –start allows you to specify the name of the start function (ExecuteShellCode by default).

shellcode2vba_v0_4.zip (https)
MD5: DA1580DEF5B5CFF08ACF5FA921AF0822
SHA256: BDC0A5EC3E918B3DA27C392E1B2F909B7BDAD319C43A4250689DD38C81FF876F

Monday 24 June 2013

shellcode2vba

Filed under: Hacking,My Software,Shellcode — Didier Stevens @ 4:00

This update adds x64 shellcode support to my shellcode2vbs.py script.

shellcode2vba_v0_3.zip (https)
MD5: 44AF2685975346F9DE09E48E7FB855CE
SHA256: 04C42FA26717CCC7BC17A7BEDA02C746CA1A8BC8C6CE184670CD686796B5FF10

Tuesday 9 October 2012

Hack.lu 2012

Filed under: Announcement,Shellcode — Didier Stevens @ 12:57

I’m doing my White Hat Shellcode workshop at Hack.lu 2012.

Friday 27 July 2012

My BlueHat Prize Entry: CounterHeapSpray

Filed under: My Software,Shellcode — Didier Stevens @ 10:24

Congratulations to the winners of the BlueHat Prize contest.

My entry was CounterHeapSpray:

CounterHeapSpray monitors the private memory usage of an application to guard against heap  sprays. When the private memory usage of the application exceeds a predefined threshold,  CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages  and populate these pages with its own shellcode. When the heap spray terminates and the exploit  executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will  suspend all threads and display a warning message for the user. When the user clicks OK,  CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode,  CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.

CounterHeapSpray.zip (https)
MD5: 1947380F935AE0B1A8828DE79621F82F
SHA256: CA0BF635655EE05ABED117C858BC86ECDF3EBB4C39544D7D0C396D7C457F1BBC

Monday 14 May 2012

ExitProcess Shellcode

Filed under: My Software,Shellcode — Didier Stevens @ 0:19

I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet.

Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library.

Remark that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return.

You can find this shellcode on my shellcode page.

Tuesday 1 May 2012

Update: TaskManager.xls V0.1.3 Killer Shellcode

Filed under: My Software,Shellcode,Update — Didier Stevens @ 10:49

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64”: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

Friday 17 February 2012

Article: White Hat Shellcode

Filed under: Announcement,Shellcode — Didier Stevens @ 17:57

The latest (IN)SECURE Magazine issue includes my article on White Hat Shellcode.

Thursday 2 February 2012

x64 Windows Shellcode

Filed under: My Software,Shellcode — Didier Stevens @ 20:00

Last year I found great x64 shellcode for Windows on McDermott’s site. Not only is it dynamic (lookup API addresses), but it even handles forwarded functions.

But it’s written for MASM, and I prefer to use NASM. Hence I translated it, but also normalized it to adhere to the x64 calling convention and fixed a bug in the error handling.

And I modularized it so you can use it like my 32-bit shellcode.

Here’s the classic MessageBox example:

; x64 shellcode to display a "Hello from injected shell code!" MessageBox, then return to caller
; Written for NASM assembler (http://www.nasm.us) by Didier Stevens
; Source code put in public domain by Didier Stevens, no Copyright
; https://DidierStevens.com
; Use at your own risk
;
; History:
;   2011/12/27: Refactored functions to include file sc-x64-api-functions.asm

%include "sc-x64-macros.asm"

INDEX_KERNEL32_LOADLIBRARYA        equ 0 * POINTERSIZE + STACKSPACE
INDEX_MESSAGEBOXA                            equ 1 * POINTERSIZE + STACKSPACE
APIFUNCTIONCOUNT                            equ 2

segment .text

; Setup environment
sub rsp, STACKSPACE + ROUND_EVEN(APIFUNCTIONCOUNT) * POINTERSIZE        ;reserve stack space for called functions and for API addresses

LOOKUP_API KERNEL32DLL, KERNEL32_LOADLIBRARYA, INDEX_KERNEL32_LOADLIBRARYA

lea rcx, [rel USER32DLL]
call [rsp + INDEX_KERNEL32_LOADLIBRARYA]

LOOKUP_API USER32DLL, USER32_MESSAGEBOXA, INDEX_MESSAGEBOXA, INDEX_KERNEL32_LOADLIBRARYA

; Display MessageBox
xor r9, r9
lea r8, [rel TITLE]
lea rdx, [rel HELLO]
xor rcx, rcx
call [rsp + INDEX_MESSAGEBOXA]

add rsp, STACKSPACE + ROUND_EVEN(APIFUNCTIONCOUNT) * POINTERSIZE
ret

%include "sc-x64-api-functions.asm"

KERNEL32DLL                            db    "KERNEL32.DLL", 0
KERNEL32_LOADLIBRARYA        db    "LoadLibraryA", 0

USER32DLL                                db    "USER32.DLL", 0
USER32_MESSAGEBOXA            db    "MessageBoxA", 0

HELLO                                        db    "Hello from injected shell code!", 0
TITLE                                        db    "Message", 0

Here’s what I changed exactly from the original MASM code:
1) non-volatile registers are preserved (by storing them on the stack)
2) building the DLL name for forwarded functions is done with a variable on the stack frame of lookup_api, and not of the caller
3) the address of LoadLibraryA is passed via r9, and no longer r15
4) lookup_api not only returns the function address in rax, but also stores it in memory at an address provided in r8
5) fixed the error handling bug (stack restoration)
6) added some EQUs to make it easier to use this code as a “library” (include)

You can get the code from my shellcode page. Look for filenames starting with sc-x64 in the zip file.

Next Page »

Blog at WordPress.com.