Would it make sense to have a "Shellcode" micro-objective added to Micro-behaviors?
There are a number of different patterns in shellcode that represent specific behaviors that are fairly unique to shellcode. But they may be used in other contexts as well. One good example of this is a relative call with 0x0 as the operand e800000000. This opcode "pushes" the address of the next instruction onto the stack and in one flavor of this pattern, the value is then popped into a register. That address is then used as a reference address in subsequent instructions which refer to other locations inside the shellcode. One use of this is to make a "shellcode base address" which all other position-independent data variables, functions, etc. are referenced by. This pattern can be detected by YARA.
Here is one example, so you can see it in a disassembler:
The value thus calculated in eax is the "shellcode base address" which, when you add 0x4f8 to it, the resulting value points to the address of the Sleep function in a hash table elsewhere in the shellcode.
A Yara detection string for this one would be:
$op = { e800000000 58 83e8 }
This can be adapted to detect a variety of registers used to hold the shellcode base address, not just eax as seen in my example.
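The generalized form of the pattern described in the post (call $+5, pop into any 32-bit register, then subtract an immediate from that same register) can be scanned for directly in Python as well as with a YARA hex string. The scanner below is an added example and is not code from the post or from the project; the sample byte sequence, the offsets and the trailing `mov`/`call` instructions are constructed for illustration. It reports the register used, the immediate subtracted, and the buffer offset the resulting "shellcode base address" would point at, and it discards matches where the `pop` and `sub` target different registers, since those are not instances of the pattern.

```python
import re

# x86 32-bit register order shared by the one-byte POP r32 opcodes (0x58 + reg)
# and by the ModR/M byte of SUB r/m32, imm (83 /5 or 81 /5 with mod=11 -> 0xE8 + reg).
REGISTERS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Byte-level pattern:
#   e8 00 00 00 00   call $+5   (pushes the address of the next instruction)
#   58+r             pop r32
#   83 e8+r ib       sub r32, imm8      -or-
#   81 e8+r id       sub r32, imm32
PATTERN = re.compile(
    rb"\xe8\x00\x00\x00\x00"
    rb"(?P<pop>[\x58-\x5f])"
    rb"(?:\x83(?P<sub8>[\xe8-\xef])(?P<imm8>.)"
    rb"|\x81(?P<sub32>[\xe8-\xef])(?P<imm32>.{4}))",
    re.DOTALL,
)


def find_getpc_patterns(buf: bytes) -> list[dict]:
    """Return every call/pop/sub 'shellcode base address' sequence found in buf."""
    hits = []
    for m in PATTERN.finditer(buf):
        pop_reg = m.group("pop")[0] - 0x58
        if m.group("sub8") is not None:
            sub_reg = m.group("sub8")[0] - 0xE8
            imm = int.from_bytes(m.group("imm8"), "little", signed=True)
        else:
            sub_reg = m.group("sub32")[0] - 0xE8
            imm = int.from_bytes(m.group("imm32"), "little", signed=True)
        # Only a real instance of the pattern if pop and sub use the same register.
        if pop_reg != sub_reg:
            continue
        pushed = m.start() + 5          # address pushed by call $+5, as a buffer offset
        hits.append({
            "offset": m.start(),
            "register": REGISTERS[pop_reg],
            "adjust": imm,
            "base": pushed - imm,       # the "shellcode base address" as a buffer offset
        })
    return hits


# Constructed sample buffer (not real malware): three candidate sequences,
# the middle one a deliberate mismatch (pop eax / sub ecx) that must be ignored.
SAMPLE = bytes.fromhex(
    "90 90"                 # nop padding
    "e8 00 00 00 00"        # call $+5
    "58"                    # pop eax
    "83 e8 05"              # sub eax, 5   -> eax = address of the call itself
    "8b 80 f8 04 00 00"     # mov eax, [eax+0x4f8]  (constructed, mirroring the post's offset)
    "ff d0"                 # call eax
    "e8 00 00 00 00"        # call $+5
    "58"                    # pop eax
    "83 e9 05"              # sub ecx, 5   -> register mismatch, not the pattern
    "e8 00 00 00 00"        # call $+5
    "5b"                    # pop ebx
    "81 eb 0a 00 00 00"     # sub ebx, 10  (imm32 form)
)

if __name__ == "__main__":
    for hit in find_getpc_patterns(SAMPLE):
        print(hit)
```

Run as a script it prints one record per genuine match (the eax sequence at offset 2 and the ebx sequence near the end); the mismatched middle sequence is skipped. The same alternation over `58..5f` and `e8..ef` is what a register-agnostic YARA hex string would express.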