Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: pen testing & obfuscated shell code
From: Karsten Johansson <ksaj () penetrationtest com>
Date: 12 Feb 2004 18:08:06 -0000

In-Reply-To: <200402101324.i1ADOEFc005524 () webmail2 magma ca>

Greetings,

There is no shortage of 
1 byte functions for use, problem is to make it still works after. 

I made a paper about a similar topic in 1993 which is available here: 
http://www.penetrationtest.com/computer_viruses/Byte%20Substitutions%20for%20Intel%20Opcodes.pdf

The story behind this (which may be useful to those looking for new ways to make nop sleds) is that there are at least 
2 ways of producing the same opcodes on Intel systems.

As an example (and the document is a huge list of examples) is:

  ADD AX,BX can be either 03h C3h or 01h D8h.

All of the examples that I put in the paper are 2-byte opcodes, but if you follow the method I did for finding these 
opcode equivelants, a nice list of single-digit opcodes can probably be found. I didn't feel like making a thorough 
list of every possible intel opcode, although I may do this one day.

Incidentally, I did this experiment when I was playing with virus encryption engines, and then later for watermarking 
binary executable files, and then later again as a form of stego using binary executable files.  Nice to see there may 
be yet another use for this idea.

It is simple to just 
use an ascii character as well, 

Not true.  All ASCII characters result in opcodes.  If you were to do this, the system will probably crash.  Besides, 
if this worked, the concept of a nop sled wouldn't be necessary in the first place.

Laters,
    Karsten Johansson
    www.PENETRATIONTEST.com

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]