4

Shellcode presents certain challenges for disassembly. It often self-modifies, jumps to the stack (where the shellcode will likely be placed), and relies on certain unusual tricks that standard disassembly tools don't focus on.

With this in mind, what tools are available for disassembling and analysing shellcode?

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • @Gilles I'm looking for tools that allow the assembly and disassembly of shellcode specifically. Most assemblers / disassemblers work on complete executable files, with headers and such, which shellcode doesn't have. Anything that allows you to input a set of assembly instructions and output a raw assembled version, or input a raw blob of shellcode and get out a disassembled result. – Polynomial Aug 21 '12 at 07:47
  • @Gilles Shellcode has its own challenges that don't fit in with normal disassembly. For example, you need to be able to specify the address of the shellcode for disassembly to be meaningful. Most assembly / disassembly tools assume an IAT to provide obvious access to APIs, whereas shellcode won't have that. They have to recognise techniques such as ROP, which won't be obvious in a normal disassembly scenario. – Polynomial Aug 21 '12 at 09:50
  • Thanks for the edit, it addresses all my concerns. Just for reference, I'll mention [this](http://stackoverflow.com/questions/1737095/how-do-i-disassemble-raw-x86-code) as an example of basic tools to disassemble arbitrary code blobs that aren't in a PE/ELF/… executable, but nothing that covers the modified question. – Gilles 'SO- stop being evil' Aug 21 '12 at 11:49
  • @Polynomial this is still a "list of" shopping list question, basically asking for a recommendation for tools. Better to phrase it as asking how to disassemble/analyze it. – AviD Aug 22 '12 at 08:24
  • 1
    @AviD There are so few tools available that I don't think it's even worth a list. At the risk of presenting an "appeal to authority" argument, see [here](http://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application?rq=1) for a similar situation. – Polynomial Aug 22 '12 at 08:31

3 Answers3

3

Since shellcode is just a raw block of instructions, these tools aren't really suited.

Wat? Executables are just raw blocks of instructions too! No really. Ok, maybe there's bits of data in there for PE/ELF headers or the like, or just plain program data, but the data is the same binary as instructions. To the point sections of executables are labelled (text, data) so the OS knows what to treat as what.

For a demo, take any set of assembler and type:

nasm -f bin <asmfile.asm>

That'll do absolutely no additional work bar translating the assembler instructions to opcodes and writing it down in a binary file. This is how you'd go about writing a bootloader or the like.

Now, if you wanted to analyse some shellcode, there's a multitude of ways you could do it. For starters, you could just use a harness:

#include <stdio.h>

char shellcode[] = { ... };

int main()
{
    int (*function)() = shellcode;
    function();
}

and voila you're off - simply get gdb or the like to single step through it. Of course, if you wanted to analyse that particularl piece of shell code statically, well, there's a way for that too:

#include <stdio.h>

char shellcode[] = { ... };

int main()
{
    FILE* f = fopen('test.bin', 'wb');
    fwrite(shellcode, sizeof(shellcode), f);
    fclose(f);
}

and now you have a binary blob to work with. Actually, chances are you had to do the inverse of this to load the code into the test harness (i.e. escape it) anyway.

If you're looking for tools, I suggest the x86 wikibook. Basically, it comes down to picking one or more you can afford and having a play.

Unless the shellcode contains anti-debugging measures (remember, it's space-constrained) chances are a runtime debugger with the test harness will work just fine.

  • I think you misunderstood. I'm looking for tools that make it easy to reverse engineer or edit a blob of shellcode, without all the PE garbage and function prologs/epilogs. You'd be surprised how much garbage is linked into your average executable - for a 30 byte shellcode you might be looking at 10kB+ of crud, e.g. stdlib, COFF headers, PE headers, IAT, etc. I'm looking for a way to disassemble and edit raw blobs of instructions. For example, you can't open `shellcode.bin` in OllyDbg, since it's not a valid PE file. I don't think IDA will open it either. – Polynomial Aug 21 '12 at 07:48
  • 2
    @Polynomial you can disassemble raw blobs using objdump: objdump -mi386 -D -b binary shellcode.bin – Zzz Aug 21 '12 at 18:48
2

libemu. Is free. For Linux but is able to analyze win32 shellcode.
miasm. Implemented in Python, looks very interesting.

dgarcia
  • 476
  • 3
  • 6
2

you can use scdbg with the raw binary shellcode file to get a runtime log of all of the api it uses. Execution is done in the libemu emulation envirnoment. The -d option will create a dump of the memory once finished if it detects any memory modifications (self decoding). The tool also supports locating shellcode start offsets (in case of ROP prefix), and an integrated (basic) debug shell. There is a youtube video to see it in action.

http://sandsprite.com/blogs/index.php?uid=7&pid=152

http://www.youtube.com/watch?v=jFkegwFasIw

You can open the dumped memory into IDA disassembler which can intrepret it as raw 32 bit code. You can also set the base address (usually not necessary), and modify the code if you have to using built in scripting capabilities.

John
  • 21
  • 1