Topic: turning C code into a shellcode-like bytestring

Hi
I am asking myself if there is an easy way to turn a compiled C program into a shellcode-like byte string, which can be injected into another executable.

To explain my question a bit more, here is an example:
For example, if I wrote a "hello world!" program, the "hello world" string would be in the data segment and the code would be in the text segment. But I want to have the whole code+data in one text segment.
I thought there must be some kind of gcc option to achieve that, but I could not find it.
So if there is no compiler option like that: is there an easy way to turn a "normally" compiled program into this shellcode-like bytestring? What would I have to care about if I wanted to write a program which does that?

greetings


2 (edited by __squanchy 2016-10-19 19:14:58)

Re: turning C code into a shellcode-like bytestring

non wrote:

But I want to have the whole code+data in one text segment.
I thought there must be some kind of gcc option to achieve that, but I could not find it.
greetings

The fast way would be using gcc's section attribute.
Another possibility is writing an ld linker script. Doing so, you choose the layout where everything will be placed in virtual memory.

non wrote:

So if there is no compiler option like that: is there an easy way to turn a "normally" compiled program into this shellcode-like bytestring? What would I have to care about if I wanted to write a program which does that?

What you are looking for is called position-independent code; a lot has already been written about how to do that. I think herm1t wrote an article about it several years ago. I don't know if there is a gcc option for that (-fPIC and -fpic do not do that), but you can do it by writing the code in a special way:

  • In x86, basically you have to avoid writing string literals and global variables, because the compiler usually fixes their memory addresses.

  • In x86_64 you can write pretty much everything you want and the code will still be position-independent, because memory references will probably be RIP-relative.

Also you have to be careful about importing stuff, because it will probably break the shellcode's position independence.

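An added example for the second half of the question, pulling the bytestring out of the file once the layout is under control (illustration code written for this page, not code from the thread): a C program that reads an ELF file, copies one section out by name as raw bytes, and, as a sanity check, compares the extracted .text of the running process (read back through /proc/self/exe) with the bytes actually mapped in memory. The names extract_section, section_matches_memory and own_load_bias are my own; it assumes Linux, the native ELF class and a dynamically linked binary.

```c
/* Added example, not code from the thread: pull a named section out of an
 * ELF file as a raw byte string and check it against the live process image.
 * Assumes Linux (/proc/self/exe), the native ELF class, and a dynamically
 * linked binary (so the linker-defined _DYNAMIC symbol exists). */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if UINTPTR_MAX > 0xffffffffu
typedef Elf64_Ehdr Ehdr; typedef Elf64_Shdr Shdr; typedef Elf64_Phdr Phdr; typedef Elf64_Dyn Dyn;
#else
typedef Elf32_Ehdr Ehdr; typedef Elf32_Shdr Shdr; typedef Elf32_Phdr Phdr; typedef Elf32_Dyn Dyn;
#endif

/* This process's own .dynamic; weak so a static build still compiles (NULL). */
extern Dyn _DYNAMIC[] __attribute__((weak, visibility("hidden")));

static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL;
    long sz = -1;
    if (f && fseek(f, 0, SEEK_END) == 0) sz = ftell(f);
    if (sz > 0 && (buf = malloc((size_t)sz)) != NULL) {
        rewind(f);
        if (fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); buf = NULL; }
    }
    if (f) fclose(f);
    *len = buf ? (size_t)sz : 0;
    return buf;
}

/* malloc'd copy of section `name` (e.g. ".text") plus its size and link-time
 * vaddr; NULL if not ELF, stripped of section headers, or not found. */
unsigned char *extract_section(const char *path, const char *name,
                               size_t *out_len, uintptr_t *out_vaddr)
{
    size_t len = 0;
    unsigned char *img = read_file(path, &len), *out = NULL;
    if (!img || len < sizeof(Ehdr) || memcmp(img, ELFMAG, SELFMAG) != 0) goto done;
    const Ehdr *eh = (const Ehdr *)img;
    if (eh->e_shoff == 0 || eh->e_shstrndx >= eh->e_shnum ||
        eh->e_shoff + (size_t)eh->e_shnum * sizeof(Shdr) > len) goto done;
    const Shdr *sh = (const Shdr *)(img + eh->e_shoff);
    const Shdr *strs = &sh[eh->e_shstrndx];              /* section name table */
    if (strs->sh_offset + strs->sh_size > len) goto done;
    for (int i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_name >= strs->sh_size) continue;
        if (strcmp((const char *)img + strs->sh_offset + sh[i].sh_name, name)) continue;
        if (sh[i].sh_type == SHT_NOBITS || sh[i].sh_offset + sh[i].sh_size > len)
            break;                                        /* .bss has no file bytes */
        if ((out = malloc(sh[i].sh_size + 1)) != NULL) {
            memcpy(out, img + sh[i].sh_offset, sh[i].sh_size);
            *out_len = sh[i].sh_size;
            *out_vaddr = (uintptr_t)sh[i].sh_addr;
        }
        break;
    }
done:
    free(img);
    return out;
}

/* Load bias of this process: runtime &_DYNAMIC minus PT_DYNAMIC's p_vaddr. */
static int own_load_bias(uintptr_t *bias)
{
    size_t len = 0;
    unsigned char *img = _DYNAMIC ? read_file("/proc/self/exe", &len) : NULL;
    int rc = -1;
    if (img && len >= sizeof(Ehdr)) {
        const Ehdr *eh = (const Ehdr *)img;
        const Phdr *ph = (const Phdr *)(img + eh->e_phoff);
        for (int i = 0; i < eh->e_phnum && eh->e_phoff + (i + 1) * sizeof(Phdr) <= len; i++)
            if (ph[i].p_type == PT_DYNAMIC) {
                *bias = (uintptr_t)_DYNAMIC - (uintptr_t)ph[i].p_vaddr; rc = 0; break;
            }
    }
    free(img);
    return rc;
}

/* 1 if the file bytes of `name` equal the bytes mapped in this process. True
 * for .text (nothing patches it at load time); .data can differ once
 * relocations and writes have hit it. */
int section_matches_memory(const char *name)
{
    size_t n = 0; uintptr_t vaddr = 0, bias = 0;
    unsigned char *sec = extract_section("/proc/self/exe", name, &n, &vaddr);
    int same = sec && own_load_bias(&bias) == 0 &&
               memcmp(sec, (const unsigned char *)(bias + vaddr), n) == 0;
    free(sec);
    return same;
}
```

Call extract_section("/proc/self/exe", ".text", &n, &vaddr) and dump the buffer as \x.. escapes to get the byte string the question asks for. The cross-check is the practical caveat: .text of a normally compiled program matches the file byte for byte, but the blob still contains RIP-relative displacements into .rodata and .data, so on its own it is not yet usable as shellcode; that is exactly what the section attribute or a linker script is for. A file without section headers (e_shoff == 0) returns NULL, in which case the program headers are the only thing left to work from.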

Re: turning C code into a shellcode-like bytestring

Does that mean it is not possible to use a library in such a bytestring? (I mean by linking it in some static way.)


Re: turning C code into a shellcode-like bytestring

I don't understand for what purpose you need that. I don't think gcc can do that. The huge task is how you fit the other sections of the exe into the text section. For example, if there is some data in the .data section you have to change it and find some way to hardcode it into the text section. See this example, in which there is no data section while writing shellcode:

"http://hackoftheday.securitytube.net/20 … stack.html"

learn because u can.....


5 (edited by herm1t 2017-02-27 17:15:07)

Re: turning C code into a shellcode-like bytestring

gcc does this by default, but there are a few limitations:

  • one cannot use external symbols
  • one cannot use strings or constant arrays
  • one should avoid jump tables (generated by switch statements) and callbacks

that's all.

To achieve that:

  • you can use macros or preprocessing to encode strings
  • you can find external symbols at run time
  • you can write fully self-relocatable code

(you can find examples of all these methods on my page, Linux 32 bits, but they could be easily ported to 64)
