Re: [Dailydave] Stealth.
From: Andrew R. Reiter (arr watson.org)
Date: Mon Sep 19 2005 - 20:17:12 CDT
On Mon, 19 Sep 2005, Dave Aitel wrote:
:
:Here's another shellcode paper for people who like that sort of thing:
:http://www.ngssoftware.com/papers/WritingSmallShellcode.pdf
:
:It's good, although it will fail on certain 2k/XP configurations with a . in
:the pathname. To correct it, might need some more bytes to do a getsystemdir
:and strcpy, etc. I have some really non-optimized code in Shellcoder's that
:does that. I would also have added a 7. Consider using a special purpose
:assembler that brute forces the smallest way to assemble it.
:
:If everyone knows what you look like, your only option for stealth is to try to
:make everyone look like you.
:
:-dave
This is a good one, especially since schemes like this have been seen in
the wild (MS05-038 com obj overflows).
I think the commonly seen code utilizing that scheme has been doing this
(post decode):
- Load urlmon.dll
- Locate URLDownloadToFileA
- ... download ...
- WinExec()
But who knows :) So many things to do :)
-------------------------------------------------------------
"Natural bridges on a clean west swell,
Break over the reef like a bat out of hell." -- Sublime.
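
The post-decode sequence listed in the message above, turned into a detection check as an added example (not part of the original post or thread): it flags a process that loads urlmon.dll, calls URLDownloadToFileA and then passes the downloaded path to WinExec. The trace record layout, field names and sample events are constructed assumptions, not a real sensor format.

```python
from collections import defaultdict

# Constructed, time-ordered API-call trace (hypothetical record layout).
SAMPLE_TRACE = [
    {"pid": 1000, "api": "LoadLibraryA", "args": {"name": "urlmon.dll"}},
    {"pid": 1000, "api": "URLDownloadToFileA",
     "args": {"url": "http://example.test/file.exe", "file": r"C:\Temp\a.exe"}},
    {"pid": 1000, "api": "WinExec", "args": {"cmdline": r"C:\Temp\a.exe"}},
    # Downloads a file but launches something unrelated: no alert.
    {"pid": 2000, "api": "LoadLibraryA", "args": {"name": r"C:\WINDOWS\system32\urlmon"}},
    {"pid": 2000, "api": "URLDownloadToFileA",
     "args": {"url": "http://example.test/doc.txt", "file": r"C:\Temp\doc.txt"}},
    {"pid": 2000, "api": "WinExec", "args": {"cmdline": "notepad.exe"}},
    # WinExec alone, no download seen in this process: no alert.
    {"pid": 3000, "api": "WinExec", "args": {"cmdline": r"C:\Temp\a.exe"}},
]

def detect_download_exec(events):
    """Flag processes that load urlmon, download a file, then WinExec that file."""
    state = defaultdict(lambda: {"urlmon": False, "files": {}})
    alerts = []
    for ev in events:
        st, api, args = state[ev["pid"]], ev["api"].lower(), ev["args"]
        if api in ("loadlibrarya", "loadlibraryw"):
            # Accept "urlmon", "urlmon.dll" and full paths, any case.
            base = args["name"].lower().replace("/", "\\").rsplit("\\", 1)[-1]
            if base in ("urlmon", "urlmon.dll"):
                st["urlmon"] = True
        elif api in ("urldownloadtofilea", "urldownloadtofilew"):
            # Only track downloads that follow the explicit urlmon load,
            # matching the sequence described in the message.
            if st["urlmon"]:
                st["files"][args["file"].lower()] = args["url"]
        elif api == "winexec":
            cmd = args["cmdline"].lower()
            for path, url in st["files"].items():
                if path in cmd:  # downloaded file appears in the command line
                    alerts.append({"pid": ev["pid"], "url": url, "file": path})
    return alerts

if __name__ == "__main__":
    for alert in detect_download_exec(SAMPLE_TRACE):
        print(alert)
```

State is kept per process ID, so interleaved events from different processes do not combine into a false match.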