hll shellcode

Author: David Zimmer
Date: 06.24.11 - 7:56am

I have been seeing more and more shellcode written in high level languages lately. This last week alone i think I have seen about 5 distinct samples.

The only public hll shellcode templates i have found for Windows are one by didier stevens, and one called WishMaster.

What i am seeing falls into the following catagories:
  • Shellcodized C used in process injection payloads. ThreadStart argument is a prebuilt api table for the payload to use. To analyze these, I had to update the patchgen.exe so that you could also control the initial register state.

  • Shellcode stub that links to a C obj file. In these payloads the asm author has just decided to use certain hll functions such as an encryption library or whatever. Initilization and setup of function pointers and strings seems to still be preferred to be done in the asm stub.

  • single hll function extracts which use advanced or bulky WinApi. Function pointers usually passed in from asm.

  • I have also seen a couple which use variations on didiers template technique.
Shellcode sophistication is also on the rise, having the shellcode do more and more actions on its own. Both of these trends are only going to grow.

Multistage shellcode is also still alive and well, but everything i have seen is file format based. Extracting level 2 shellcode from the parent file and/or extracting exe payloads from the host exploit file.

Comments: (1)

On 07.04.11 - 8:20am Dave wrote:
thanks to Han for submitting another example of a hll shellcode. This one was fully written in C except for the initial decoder. It is based off of the didier template, passing a pointer to the api table into each function and using his or, shl hasher to find LoadLibrary and GetProcAddress. Strings in this sample were embedded differently though using inline asm to call overstring, pop [var_x].

This was a complex sample which mounted a sophisticated attack against AhnLab AV. It made numerous calls to the service control manager to disable services, did registry key checks, and even loads one of their dlls to call exports related to product uninstallation.

Also these attackers look like they are uploading their (encoded) malicious exes as files with image extensions to places like messagesboards or image hosting places so they can get free malware hosting. Thats pretty smart actually...

Thanks again for the interesting submission.

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 30 + 64 = ? followed by the letter: R 

About Me
More Blogs
Main Site
Posts: (year)
2024 (1)
     vbdec backstory
2023 (4)
     Yara Workbench Automation
     VS linker versions
     IDA decompiler comments
2022 (5)
     VB6 Implements
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (2)
     VB6 Gosub
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     vb6 API and call backs
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (5)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation