
Security analysts might encounter shellcode when examining exploits that they detect on the network, observe inside malicious document files, or find on compromised systems. This note recommends two tools for converting shellcode into x86 assembly instructions that the analyst can read to understand the exploit and its payload: ConvertShellcode.exe and shellcode2exe.py.
The ConvertShellcode.exe tool for Windows parses the supplied shellcode string and immediately disassembles it, converting the string into corresponding x86 assembly instructions. This tool was written by Alain Rioux.
Usage:
ConvertShellcode.exe shellcode
The "shellcode" string can follow any of the following formats:
You can download ConvertShellcode.exe as a zip archive.
The shellcode2exe.py script accepts shellcode encoded as a string or as raw binary data, and produces an executable that can run that shellcode. You load the resulting executable file into a debugger to examine it. This approach is useful for analyzing shellcode that's difficult to understand without stepping through it with a debugger. This script was written by Mario Vilas, and was later tweaked by Anand Sastry to accept not only shellcode in binary form, but also shellcode encoded as a '\x' ASCII string.
Usage:
shellcode2exe.py payload.bin [payload.exe]
[--arch=i386|powerpc|sparc|arm]
[--os=windows|linux|freebsd|openbsd|solaris]
[-c Allow for ascii shellcode as a cmd line parameter]
[-s Allows for ascii shellcode in file]
Options:
-h, --help show this help message and exit
-a ARCH, --arch=ARCH target architecture [default: i386]
-o OS, --os=OS target operating system [default: windows]
-c, --asciicmd enable ascii entry in input file
-s, --asciifile enable ascii entry in command line
When supplying shellcode encoded as an ASCII string, on the command-line or in a file, it should be formatted like this: "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC".
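To make the two steps above concrete, here is an added example (not code from either tool, nor from the author of this note) that turns the '\x'-escaped ASCII form into the raw bytes shellcode2exe.py expects, and then decodes the page's own sample string with a deliberately tiny x86 decoder that knows only a handful of opcodes, emitting every unrecognised byte as 'db' so nothing is silently skipped. The sample bytes are the format example from this note; the decoder's opcode coverage is an assumption chosen to fit that sample.

```python
import re

# Constructed sample: the format example given on this page.
SAMPLE = r"\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC"

ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def ascii_to_bytes(text: str) -> bytes:
    """Convert the "\\xEB\\x08..." ASCII form into raw bytes (the binary form)."""
    tokens = ESCAPE.findall(text)
    # Anything left after stripping the escapes (other than quotes/whitespace)
    # means the string is garbled or truncated; refuse rather than guess.
    if ESCAPE.sub("", text).strip(" \"'\r\n\t") != "":
        raise ValueError("input contains characters other than \\xNN escapes")
    return bytes(int(t, 16) for t in tokens)


def disassemble(code: bytes):
    """Tiny x86-32 decoder for a few opcodes common in shellcode stubs.
    Returns a list of (offset, hex bytes, mnemonic)."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0xEB and i + 1 < len(code):          # jmp short rel8
            rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            out.append((i, code[i:i + 2].hex(), f"jmp short 0x{i + 2 + rel:x}")); i += 2
        elif 0xB8 <= op <= 0xBF and i + 4 < len(code):  # mov r32, imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            out.append((i, code[i:i + 5].hex(), f"mov {REG32[op - 0xB8]}, 0x{imm:x}")); i += 5
        elif op == 0xFF and i + 1 < len(code) and code[i + 1] & 0xF8 == 0xD0:  # call r32
            out.append((i, code[i:i + 2].hex(), f"call {REG32[code[i + 1] & 7]}")); i += 2
        elif op == 0xCC:                               # int3 (debugger breakpoint)
            out.append((i, "cc", "int3")); i += 1
        elif op == 0x90:                               # nop
            out.append((i, "90", "nop")); i += 1
        else:                                          # unknown: show raw byte
            out.append((i, f"{op:02x}", f"db 0x{op:02x}")); i += 1
    return out


if __name__ == "__main__":
    raw = ascii_to_bytes(SAMPLE)
    for off, hx, text in disassemble(raw):
        print(f"{off:04x}  {hx:<10} {text}")
```

The jmp target is computed relative to the end of the instruction, and the mov immediate is read little-endian, which is what makes the raw bytes 4D 11 86 7C read back as 0x7c86114d.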
You can download the updated shellcode2exe.py script as a text file. To run it on Windows, you'll need to install Python.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved.
The information on this site does not necessarily represent positions or opinions of my employer.