Description: We've started a new Hack of the Day series; to follow all of the episodes, please use this link: http://securitytube.net/tags/hod
In previous videos, we've talked about understanding and modifying shellcode. In this one, we will look at how to write a shellcode encoder from scratch in Python and then the decoder in assembly language. There are tons of encoders out there - XOR ... Shikata ga Nai etc. but what does it take to write your own?
Truth be told - writing your own encoder is EASY! However, creating an encoder which is not easily fingerprintable is DIFFICULT. In this video, I will take you through a new encoder - a very simple one but not done before (to the best of my limited googling skills). I've christened it the Poor Man's Encoder :)
The Poor Man's Encoder takes a piece of shellcode and reverses it (literally), so the last byte becomes the first and so on. I've written this in Python as it's really easy to reverse bytearrays and manipulate strings and data in this language.
The decoder, however, is a different beast. We have 2 options: (1) the one you've probably guessed, swapping the bytes back into the original order and JMP'ing to our shellcode, and (2) a slightly unconventional approach: the stack grows from high memory to low memory, so if I push my reversed shellcode onto the stack, then at the end ESP points to the shellcode in its original order :) So all we have to do now is a JMP ESP :)
Of course, there are other interesting hurdles such as getting the address of our shellcode - which we solve using the familiar JMP-CALL-POP technique. The PUSH operation on the stack happens with a simple LOOP using the ECX register.
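From the detection side, a plain byte reversal is undone by also matching each content signature in reversed order. The scanner below is an added example, not code from the video; the signature name, pattern and buffers are constructed placeholders.

```python
"""Signature scan that also matches byte-reversed content (added example)."""
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    name: str
    offset: int        # offset of the match inside the scanned buffer
    orientation: str   # "forward" or "reversed"


def _find_all(buf: bytes, needle: bytes) -> List[int]:
    """Return every offset (overlapping matches included) of needle in buf."""
    offsets, start = [], buf.find(needle)
    while start != -1:
        offsets.append(start)
        start = buf.find(needle, start + 1)
    return offsets


def scan(buf: bytes, signatures: Dict[str, bytes]) -> List[Hit]:
    """Match each signature as written and with its bytes reversed."""
    hits: List[Hit] = []
    for name, sig in signatures.items():
        if not sig:
            continue  # an empty pattern would match at every offset
        hits += [Hit(name, o, "forward") for o in _find_all(buf, sig)]
        rev = sig[::-1]
        if rev != sig:  # palindromic patterns are already covered above
            hits += [Hit(name, o, "reversed") for o in _find_all(buf, rev)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed placeholder pattern and buffers; not bytes from any real payload.
SIGNATURES = {"demo-marker": bytes.fromhex("deadbeef01020304")}
PLAIN = b"\x90" * 4 + SIGNATURES["demo-marker"] + b"\xcc" * 3
REVERSED = PLAIN[::-1]  # the whole-buffer reversal the description explains

if __name__ == "__main__":
    for label, data in (("plain", PLAIN), ("reversed", REVERSED)):
        print(label, scan(data, SIGNATURES))
```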
Enjoy the video and please leave behind your comments! :)
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source: http://www.youtube.com/watch?v=FvLLPuaCZic