Www.edup.tudelft.nl/~bjwever/documentation alpha2.html.php

From Skypher

Warning
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.

ALPHA2: Zero tolerance, Unicode-proof uppercase alphanumeric shellcode encoding.


Functionality

ALPHA 2: Zero-tolerance encodes IA-32 (x86) shellcode so that it contains only alphanumeric characters (0-9 and A-Z, plus a-z for mixed-case output). The result is a fully working version of the original shellcode, consisting of a decoder followed by the encoded original shellcode. ALPHA 2 can produce plain ASCII shellcode and Unicode-proof shellcode, in either mixed-case or uppercase-only characters.

The decoder changes its own code to escape the limitations of alphanumeric code. It creates a decoder loop that decodes the original shellcode from the encoded data, overwrites the encoded data with the decoded shellcode and transfers execution to it when done. To do this it needs read, write and execute permission on the memory it is running in (on a system that enforces non-executable or read-only memory, such as NX/DEP, it will fault on that write or on the final jump), and it needs to know its own location in memory (its baseaddress). You must provide a source for the baseaddress, which can be any of the following, depending on the other encoding options:

Registers: eax, ebx, ecx, edx, esi, edi, esp and ebp.
Stack locations: [esp-n], [esp], [esp+n].
Win32 SEH GetPC code (NT/2K/XP only): seh.

The "nops" baseaddress option is there for your own baseaddress calculations. The code that normally moves the baseaddress into the correct register(s) is replaced with nops, so you can overwrite it with your own code.

Header compression reduces the size of the decoder. The first few bytes are mostly there to fill up space and the number required can be reduced with specific instructions. You'll normally want this option on unless you need to overwrite this space with your own code (eg. in combination with "nops" to perform baseaddress calculation).

Win32 SEH GetPC creates an SEH handler on the stack and hooks it into the SEH chain. It then causes an exception, passing execution to this new handler. The handler can determine the location where the exception took place and calculate the baseaddress from it. It then transfers execution back to the code after the instruction that caused the exception. This trick requires an executable stack. The mixed-case version should work 100% of the time, whereas the uppercase version might not work if the program uses a lot of stack or if one of the other exception handlers in the chain handles the write exceptions first.

Compile

ALPHA 2 was created to compile with gcc under Linux, even though the encoded shellcodes can be used on any operating system.

gcc alpha2.c -o alpha2

Usage

./alpha2 [OPTION] [BASEADDRESS] <shellcode_file
or:
shellcode_generator | ./alpha2 [OPTION] [BASEADDRESS]

OPTIONS

-n

Do not output a trailing newline after the shellcode.

--nocompress

The baseaddress code uses "dec" instructions to reduce the padding length required. As a result, the Unicode-proof code will overwrite some bytes in front of the shellcode. Use this option if you do not want the "dec" instructions.

--unicode

Make the shellcode Unicode-proof. Such shellcode only works when it is converted to Unicode (a zero byte, 0x00, inserted after each byte, as an ASCII-to-UTF-16LE conversion does) before it is executed.

--uppercase

Make the shellcode 100% uppercase characters; this uses a few more bytes than mixed-case shellcode.

--sources

Output a list of BASEADDRESS options for the given combination of --uppercase and --unicode.

--help

Display this help and exit.

--version

Output version information and exit.
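The two properties the --unicode and --uppercase options promise (only 0-9 and A-Z, or additionally a-z for mixed-case output; and a payload that is meant to be widened by a zero byte after every character) are easy to verify before an encoded blob goes into an exploit. The following C program is an added example and is not code from alpha2.c or from this page: first_bad_byte() reports the first byte outside the permitted set for the chosen mode, and widen_to_utf16le() shows what a --unicode payload looks like in memory after the target's byte-wise ANSI-to-Unicode conversion. The sample buffers in main() are constructed for the example and are not real ALPHA2 output.

```c
/* Added example, not part of ALPHA2: checks on encoder output.
 * first_bad_byte() verifies the character set for the chosen mode;
 * widen_to_utf16le() reproduces the byte-to-UTF-16LE widening that a
 * --unicode payload is built to survive. Samples are constructed. */
#include <stdio.h>
#include <string.h>

/* Returns the index of the first byte outside the permitted set, or -1 if
 * every byte is acceptable. uppercase=1 applies the --uppercase set
 * (0-9, A-Z only); uppercase=0 applies the mixed-case set (a-z allowed). */
long first_bad_byte(const unsigned char *buf, size_t n, int uppercase)
{
    size_t i;
    for (i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (c >= '0' && c <= '9') continue;
        if (c >= 'A' && c <= 'Z') continue;
        if (!uppercase && c >= 'a' && c <= 'z') continue;
        return (long)i;
    }
    return -1;
}

/* Widens n bytes the way a byte-wise ANSI-to-Unicode conversion treats
 * plain ASCII: each input byte is followed by 0x00. Writes 2*n bytes to
 * out and returns that length, or 0 if out_cap is too small. Every byte
 * first_bad_byte() accepts is below 0x80, so for such input this simple
 * widening is exactly what the target will produce. */
size_t widen_to_utf16le(const unsigned char *in, size_t n,
                        unsigned char *out, size_t out_cap)
{
    size_t i;
    if (out_cap < 2 * n) return 0;
    for (i = 0; i < n; i++) {
        out[2 * i] = in[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

static void hexdump(const unsigned char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        printf("%02x%s", p[i], ((i + 1) % 16 == 0 || i + 1 == n) ? "\n" : " ");
}

int main(void)
{
    /* Constructed samples for this example, not encoder output. */
    static const unsigned char good[] = "PY0123ABCDxyz";
    static const unsigned char bad[]  = "PY01\x90" "ABCD";   /* raw 0x90 at offset 4 */
    unsigned char wide[2 * sizeof good];
    size_t wlen;

    printf("mixed-case check: first bad byte at %ld\n",
           first_bad_byte(good, sizeof good - 1, 0));          /* -1: all accepted */
    printf("uppercase check:  first bad byte at %ld\n",
           first_bad_byte(good, sizeof good - 1, 1));          /* 10: the 'x' */
    printf("raw 0x90 present: first bad byte at %ld\n",
           first_bad_byte(bad, sizeof bad - 1, 0));            /* 4 */

    wlen = widen_to_utf16le(good, sizeof good - 1, wide, sizeof wide);
    printf("widened to %zu bytes:\n", wlen);
    hexdump(wide, wlen);
    return 0;
}
```

Compile it with the same gcc invocation the page uses for alpha2 itself; to check real encoder output, read the blob from a file or from stdin into the buffer passed to first_bad_byte() instead of the constructed samples.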

BASEADDRESS

The decoder routine needs to have its baseaddress in specific register(s). The baseaddress code copies the baseaddress from the given register or stack location into the appropriate registers.

eax, ebx, ecx, edx, esp, ebp, esi, edi

Take the baseaddress from the given register. (The Unicode baseaddress code for esp overwrites the byte of memory pointed to by ebp!)

[esp], [esp-X], [esp+X]

Take the baseaddress from the stack.

seh

The Windows "Structured Exception Handler" (SEH) can be used to calculate the baseaddress automatically on Win32 systems. This option is not available for Unicode-proof shellcodes, and the uppercase version is not 100% reliable.

nops

No baseaddress code, just padding. If you need to get the baseaddress from a source not on the list, use this option (combined with --nocompress) and replace the nops with your own code. The ASCII decoder needs the baseaddress in registers ecx and edx; the Unicode-proof decoder needs it only in ecx.
