Re: pen testing & obfuscated shell code

From: Karsten Johansson (ksaj@penetrationtest.com)
Date: Thu Feb 12 2004 - 13:08:06 EST

Next message: Don Parker: "RE: OPST vs CEH"
Previous message: Don Parker: "RE: OPST vs CEH"
Maybe in reply to: Don Parker: "pen testing & obfuscated shell code"
Next in thread: Don Parker: "Re: pen testing & obfuscated shell code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

('binary' encoding is not supported, stored as-is) In-Reply-To: <200402101324.i1ADOEFc005524@webmail2.magma.ca>

Greetings,

>There is no shortage of
>1 byte functions for use, problem is to make it still works after.

I made a paper about a similar topic in 1993 which is available here: http://www.penetrationtest.com/computer_viruses/Byte%20Substitutions%20for%20Intel%20Opcodes.pdf

The story behind this (which may be useful to those looking for new ways to make nop sleds) is that there are at least 2 ways of producing the same opcodes on Intel systems.

As an example (and the document is a huge list of examples) is:

  ADD AX,BX can be either 03h C3h or 01h D8h.

All of the examples that I put in the paper are 2-byte opcodes, but if you follow the method I did for finding these opcode equivelants, a nice list of single-digit opcodes can probably be found. I didn't feel like making a thorough list of every possible intel opcode, although I may do this one day.

Incidentally, I did this experiment when I was playing with virus encryption engines, and then later for watermarking binary executable files, and then later again as a form of stego using binary executable files. Nice to see there may be yet another use for this idea.

>It is simple to just
>use an ascii character as well,

Not true. All ASCII characters result in opcodes. If you were to do this, the system will probably crash. Besides, if this worked, the concept of a nop sled wouldn't be necessary in the first place.

Laters,
    Karsten Johansson
    www.PENETRATIONTEST.com

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------

Next message: Don Parker: "RE: OPST vs CEH"
Previous message: Don Parker: "RE: OPST vs CEH"
Maybe in reply to: Don Parker: "pen testing & obfuscated shell code"
Next in thread: Don Parker: "Re: pen testing & obfuscated shell code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:48 EDT