asm shellcode techniques (especially relevant for win32)

From: Franklin DeMatto (franklin.listsat_private)
Date: Tue Sep 04 2001 - 17:47:34 PDT


    I am working on an x86/win32 shellcode, using Intel mnemonics and NASM, and 
    have some basic questions:
    
    
    1) If I want to do a far call, I normally call a pointer to the func.
    	example:
    	call FUNC
    	FUNC: dd 0x74348712
    
    However, I think it can be done directly using a far call to an immediate 
    offset, something like 9a ?? ?? 12 87 34 74
    I think the ?? ?? has to do with something called AR byte.
    
    But I can't find, or figure out, exactly how to do this.  NASM keeps on 
    telling me something like "far calls aren't relocatable" and refuses to 
    assemble it.  Is there a way to get NASM to do it anyway?  If not, I can 
    enter the opcodes by hand - what should they be?
    
    2) If I have a string, and I need to append a null afterwards, what is the 
    best way?
    eg:
    	ebx is 0
    	ebp points to beginning of string
    	string is 26h bytes long
    	I would normally do:
    		mov     [ebp+27h], ebx
    	this yields opcode:
    		89 9D 27 00 00 00, which is obviously not good
    	I could do:
    		add ebp, 0xffffffd8
    		mov [ebp], ebx
    		sub ebp, 0xffffffd8
    	but this is kind of long
    is there a shorter way to do it, especially since I only need to move one 
    byte?  ( I don't even need to move it, just make a 0,
    so I could use not or xor or something...)
    
    3) many times, I need to add or subtract by less than 0x7f.  I would 
    normally just use add/sub byte xx, but this won't carry, right?
    in other words, if eax == 0xffffff01, and I try sub byte 3, I'll get 
    eax==0xfffffffe, which is not what I want
    so I am forced to use sub/add dword, which is much longer.
    likewise, sometimes I want to mov location, byte.  But since location is 
    specified by dword, I need to do mov location, dword,
    even if I only need a byte.
    my question is: is there a shorter way to do all this, or am I forced to 
    use dwords, even though I'm only using bytes??
    
    also, since I push parameters to the win32 calls, I normally sub from esp so 
    as to not overwrite the code itself.  However, if I understood correctly, 
    the excellent lsd-pl paper said that this is not necessary.  Is that 
    correct?  How is this?  Any elaboration would be appreciated.
    
    Thanks,
    Franklin
    
    
    Franklin DeMatto
    Senior Security Analyst, qDefense Penetration Testing
    http://qDefense.com
    qDefense: Making Security Accessible
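The three encodings the questions above quote (a ModR/M operand with disp32 versus disp8, a group-1 add/sub with a sign-extended imm8, and the 0x9A direct far call with its selector word) can be read back with a small decoder; the one below is an added example for analysing such byte sequences, not code from the post, and it handles only those opcodes. The sample bytes are constructed from the values quoted in the post; the selector 0x001b is a made-up placeholder.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Group-1 opcode extensions selected by the ModR/M reg field of 0x81 / 0x83.
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]


def modrm(code, i):
    """Decode the ModR/M byte at code[i]; return (reg field, operand text, next index)."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    i += 1
    if mod == 3:                                   # register direct
        return reg, REGS[rm], i
    if rm == 4:
        raise NotImplementedError("SIB addressing is not handled by this toy decoder")
    if mod == 0 and rm == 5:                       # [disp32] with no base register
        disp = struct.unpack_from("<i", code, i)[0]
        return reg, "[0x%x]" % (disp & 0xffffffff), i + 4
    base = REGS[rm]
    if mod == 0:
        return reg, "[%s]" % base, i
    if mod == 1:                                   # 1-byte displacement, sign-extended
        disp = struct.unpack_from("<b", code, i)[0]; i += 1
    else:                                          # 4-byte displacement
        disp = struct.unpack_from("<i", code, i)[0]; i += 4
    return reg, "[%s%s0x%x]" % (base, "+" if disp >= 0 else "-", abs(disp)), i


def decode(code):
    """Decode one instruction; return (assembly text, encoded length in bytes)."""
    op = code[0]
    if op == 0x89:                                 # mov r/m32, r32
        reg, rm, i = modrm(code, 1)
        return "mov %s, %s" % (rm, REGS[reg]), i
    if op in (0x81, 0x83):                         # group 1: imm32 (0x81) or sign-extended imm8 (0x83)
        reg, rm, i = modrm(code, 1)
        fmt, size = ("<i", 4) if op == 0x81 else ("<b", 1)
        imm = struct.unpack_from(fmt, code, i)[0]
        return "%s %s, 0x%x" % (GROUP1[reg], rm, imm & 0xffffffff), i + size
    if op == 0x9A:                                 # call ptr16:32: 4-byte offset then 2-byte selector
        off, sel = struct.unpack_from("<IH", code, 1)
        return "call far 0x%04x:0x%08x" % (sel, off), 7
    raise NotImplementedError("opcode 0x%02x not handled" % op)


# Constructed samples: the post's 6-byte disp32 store, its 3-byte disp8 equivalent,
# a sign-extended imm8 sub, and a direct far call to the post's 0x74348712 offset.
SAMPLES = [bytes.fromhex(h) for h in ("899d27000000", "895d27", "83e803", "9a128734741b00")]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.hex(), "->", decode(s))
```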
    


