Shellcode Research

Shellcode Research

Assembly, basically

Hello, world!

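global _start

; hello.asm — write "Hello, world!\n" to stdout and exit(0).
; Syntax: NASM (Intel).  Target: Linux x86-64, raw syscalls, no libc.
; Entry:  _start (declared global so ld can use it as the entry point; the
;         original listing declared it but never defined the label).
; Regs:   rax = syscall number / return value, rdi/rsi/rdx = syscall args.
;         syscall clobbers rcx and r11; nothing here relies on them.

SYS_WRITE       equ 1
SYS_EXIT        equ 60
STDOUT_FILENO   equ 1
EXIT_SUCCESS    equ 0

section .text

_start:
    mov     eax, SYS_WRITE          ; write(
    mov     edi, STDOUT_FILENO      ;   STDOUT_FILENO,
    lea     rsi, [rel msg]          ;   "Hello, world!\n",   RIP-relative: no absolute
                                    ;                        address, so it links as PIE too
    mov     edx, msglen             ;   sizeof("Hello, world!\n")
    syscall                         ; );  rax = bytes written or -errno (not checked here)

    mov     eax, SYS_EXIT           ; exit(
    mov     edi, EXIT_SUCCESS       ;   EXIT_SUCCESS
    syscall                         ; );  does not return

section .rodata
msg:    db  "Hello, world!", 10     ; trailing 10 = '\n'; no NUL needed, length is explicit
msglen: equ $ - msg                 ; assembler-computed length, stays correct if msg changes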
$ nasm -f elf64 -o hello.o hello.asm
$ ld -o hello hello.o
$ ./hello
Hello, world!


Hello, root!

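global _start

; hello_root.asm — print "Hello, root!" if running as uid 0, else "Hello, user!".
; Syntax: NASM (Intel).  Target: Linux x86-64, raw syscalls, no libc.
; Entry:  _start.  The original listing declared it global but never defined
;         the label, jumped to `.root`/`.end` labels that did not exist, and
;         branched on `jne .root` — i.e. it took the root path for every
;         NON-zero uid.  All three are fixed below.
; Regs:   rax = syscall number / return value, rdi/rsi/rdx = syscall args.
;         syscall clobbers rcx and r11; nothing here relies on them.

SYS_WRITE       equ 1
SYS_EXIT        equ 60
SYS_GETUID      equ 102
STDOUT_FILENO   equ 1
EXIT_SUCCESS    equ 0

section .text

_start:
    mov     eax, SYS_GETUID         ; getuid()
    syscall                         ; rax = REAL uid of the caller.  Under a setuid
                                    ; binary real and effective uid differ; a privilege
                                    ; check should use geteuid (107) instead.
    test    rax, rax                ; uid 0 is root
    jz      .root                   ; zero -> root path, otherwise fall through

.user:
    mov     eax, SYS_WRITE          ; write(
    mov     edi, STDOUT_FILENO      ;   STDOUT_FILENO,
    lea     rsi, [rel msguser]      ;   "Hello, user!\n",
    mov     edx, msguserlen         ;   sizeof("Hello, user!\n")
    syscall                         ; );  return value not checked
    jmp     .exit

.root:
    mov     eax, SYS_WRITE          ; write(
    mov     edi, STDOUT_FILENO      ;   STDOUT_FILENO,
    lea     rsi, [rel msgroot]      ;   "Hello, root!\n",
    mov     edx, msgrootlen         ;   sizeof("Hello, root!\n")
    syscall                         ; );  return value not checked

.exit:
    mov     eax, SYS_EXIT           ; exit(
    mov     edi, EXIT_SUCCESS       ;   EXIT_SUCCESS
    syscall                         ; );  does not return

section .rodata
msguser:    db  "Hello, user!", 10  ; trailing 10 = '\n'
msguserlen: equ $ - msguser
msgroot:    db  "Hello, root!", 10
msgrootlen: equ $ - msgroot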

arch switch

Saw this fly by on Discord; I am not 100% sure about it.

Not sure if this is useful to anyone here, but I used this technique for some shellcode that had to switch between 32-bit and 64-bit on the fly:
    xor ecx, ecx        ; ecx = 0 in both modes (in long mode the 32-bit write also zeroes the upper half of rcx)
    db 0x41             ; 32-bit mode: this byte is the opcode "inc ecx"  -> ecx = 1
                        ; 64-bit mode: 0x41 is a REX prefix; it attaches to the following loop and changes nothing
    loop x64_code       ; loop decrements (e/r)cx and jumps only if the result is nonzero:
                        ;   32-bit: 1 -> 0, no jump, execution falls through to the 32-bit path below
                        ;   64-bit: 0 -> -1, jump to x64_code (label is not part of this fragment)
    ; use fs to locate system DLLs   (presumably the 32-bit path, reached by fall-through)
    ; use gs to locate system DLLs   (presumably the 64-bit path, at x64_code)