Writing OS Independent Shellcode
Vipin Kumar and Nitin Kumar, authors of the system security section, covered shellcoding step by step and in great detail.
Today they are sharing a shellcode that is OS independent and works on any Windows version in the NT family.
The techniques used are explained within the course.
When you see a shellcode online, most of the time it is written for a specific OS version: it hardcodes function addresses that change between Windows versions and Service Pack levels. Our goal is a shellcode that is not tied to a particular version of the operating system.
This translates into the following requirements:
- an OS-independent method of finding a DLL's base address at run time
- an OS-independent method of locating the exported function inside that DLL, so it can be invoked as easily as possible
As an example, we will consider the WinExec shellcode, which calls WinExec to run calc.exe as the payload; more complex payloads can be written in the same way.
Now consider the function Execute_External_Function_Call.
It consists of a PEB parser, used to find the DLL's base address, followed by an export table parser, used to find the function's address and call it.
So, the algorithm is:
- parse the PEB's loader data and walk the list of DLLs loaded into the process
- read each DLL's name, convert it to upper case (the case of the name in the loader list differs between Windows versions, so the hash must not depend on it) and calculate its hash
- check whether the calculated hash matches the hash supplied by the user, which is embedded in the shellcode instead of the DLL name itself
- if it matches, take the DLL's base address and jump to the export table parser code, which hashes export names the same way to find the function
Actual code is
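The following is an added example written for this page, not the authors' listing: the PEB walk and export table lookup described above, modelled in C so that it compiles and runs on any OS. The loader list and the kernel32 image are constructed in memory (labelled as such in the code); the hash is assumed to be ROR-13 over the bytes of the name, since the page does not name the hash used, and a little-endian host with ASCII module names is assumed. Real shellcode reads the PEB from fs:[0x30] on x86 or gs:[0x60] on x64 and walks InMemoryOrderModuleList through the Flink pointers instead of an array.

```c
/* Added example (not the authors' listing): the PEB-walk + export-table
 * lookup above, modelled in C with the loader list and the DLL image
 * constructed in memory so it runs on any OS. Assumed: ROR-13 hashing (the
 * page does not name the hash), little-endian host, ASCII module names.
 * Real shellcode reads the PEB from fs:[0x30] (x86) / gs:[0x60] (x64). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t ror13_add(uint32_t h, uint8_t c) { return ((h >> 13) | (h << 19)) + c; }

/* Step 2: hash BaseDllName (UTF-16LE) after upper-casing it, because the
 * case of the name differs between Windows versions. */
static uint32_t hash_module_name(const uint16_t *w) {
    uint32_t h = 0;
    for (; *w; w++) {
        uint8_t c = (uint8_t)*w;                     /* low byte of the UTF-16 unit */
        h = ror13_add(h, (c >= 'a' && c <= 'z') ? c - 0x20 : c);
    }
    return h;
}

/* Export names are case-sensitive ANSI strings: hash them as-is. */
static uint32_t hash_export_name(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) h = ror13_add(h, (uint8_t)*s);
    return h;
}

static void     put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void     put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Constructed minimal PE32 image standing in for a mapped kernel32.dll. */
static const uint8_t *fake_kernel32(void) {
    static uint8_t img[0x240];
    if (img[0] == 'M') return img;                   /* already built */
    memcpy(img, "MZ", 2);
    put32(img + 0x3c, 0x40);                         /* e_lfanew -> "PE\0\0" at 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);                 /* FileHeader 0x44, OptionalHeader 0x58 */
    put16(img + 0x58, 0x10b);                        /* OptionalHeader.Magic = PE32 */
    put32(img + 0x58 + 0x60, 0x100);                 /* DataDirectory[EXPORT].VirtualAddress */
    put32(img + 0x58 + 0x64, 40);                    /* DataDirectory[EXPORT].Size */
    put32(img + 0x100 + 12, 0x170); put32(img + 0x100 + 16, 1);   /* .Name, .Base */
    put32(img + 0x100 + 20, 3);  put32(img + 0x100 + 24, 3);      /* NumberOfFunctions/Names */
    put32(img + 0x100 + 28, 0x140);                  /* .AddressOfFunctions */
    put32(img + 0x100 + 32, 0x150);                  /* .AddressOfNames */
    put32(img + 0x100 + 36, 0x160);                  /* .AddressOfNameOrdinals */
    put32(img + 0x140, 0x200); put32(img + 0x144, 0x210); put32(img + 0x148, 0x220);
    /* The name table is sorted, so the ordinal table maps name index to
     * function index: ExitProcess->0, Sleep->2, WinExec->1. */
    put32(img + 0x150, 0x180); put32(img + 0x154, 0x190); put32(img + 0x158, 0x1a0);
    put16(img + 0x160, 0); put16(img + 0x162, 2); put16(img + 0x164, 1);
    strcpy((char *)img + 0x170, "fake.dll");
    strcpy((char *)img + 0x180, "ExitProcess");
    strcpy((char *)img + 0x190, "Sleep");
    strcpy((char *)img + 0x1a0, "WinExec");
    memset(img + 0x200, 0xc3, 0x40);                 /* stand-in function bodies (ret) */
    return img;
}

/* Constructed stand-in for the PEB's InMemoryOrderModuleList entries. */
static const uint16_t ntdll_w[]    = {'n','t','d','l','l','.','d','l','l',0};
static const uint16_t kernel32_w[] = {'k','e','r','n','e','l','3','2','.','d','l','l',0};
static const uint16_t user32_w[]   = {'U','S','E','R','3','2','.','d','l','l',0};

/* Steps 1-4: walk the list, hash each BaseDllName, return DllBase on match. */
static const void *find_module_base(uint32_t wanted) {
    static const uint8_t stub[0x40];                 /* bases that are never parsed */
    const struct { const uint16_t *name; const void *base; } list[] = {
        { ntdll_w, stub }, { kernel32_w, fake_kernel32() }, { user32_w, stub },
    };
    for (size_t i = 0; i < sizeof list / sizeof list[0]; i++)
        if (hash_module_name(list[i].name) == wanted) return list[i].base;
    return NULL;
}

/* Export table parser: return the address of the export whose name hashes to wanted. */
static const void *find_export(const void *base, uint32_t wanted) {
    const uint8_t *b = base;
    if (!b || b[0] != 'M' || b[1] != 'Z') return NULL;
    const uint8_t *opt = b + rd32(b + 0x3c) + 4 + 20;   /* skip "PE\0\0" and FileHeader */
    uint32_t exp_rva = rd32(opt + (rd16(opt) == 0x20b ? 0x70 : 0x60)); /* PE32+ : PE32 */
    if (!exp_rva) return NULL;
    const uint8_t *exp = b + exp_rva;
    const uint8_t *funcs = b + rd32(exp + 28), *names = b + rd32(exp + 32), *ords = b + rd32(exp + 36);
    for (uint32_t i = 0, n = rd32(exp + 24); i < n; i++)
        if (hash_export_name((const char *)(b + rd32(names + 4 * i))) == wanted)
            return b + rd32(funcs + 4 * rd16(ords + 2 * i));   /* ordinal -> EAT slot */
    return NULL;
}

/* What Execute_External_Function_Call has to do before it can call WinExec. */
static const void *resolve(uint32_t module_hash, uint32_t export_hash) {
    const void *base = find_module_base(module_hash);
    return base ? find_export(base, export_hash) : NULL;
}
```

In a real payload both hashes are precomputed constants, so neither "kernel32.dll" nor "WinExec" appears as a string in the shellcode; resolve(hash_module_name(kernel32_w), hash_export_name("WinExec")) returns the address to call. Two things this model leaves out that a practitioner should keep in mind: the resolved RVA may point inside the export directory itself, which means a forwarded export (a "DLL.Function" string rather than code), and the module name hashes must be computed over the upper-cased name because BaseDllName is "KERNEL32.DLL" on some Windows versions and "kernel32.dll" on others.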
This kind of shellcode saves a lot of time during a penetration test when the environment to test is heterogeneous. Not having to keep a separate shellcode for each version of Windows and for each Service Pack level is a big time saver.
If you really want to get into the details of advanced shellcoding, consider enrolling in our penetration testing training course here.