Category Archives: shellcode

Shellcode: Data Compression

Introduction This post examines data compression algorithms suitable for position-independent code and assumes you’re already familiar with the concept and purpose of data compression. For those of you curious to know more about the science, or information theory, read Data …

Posted in assembly, compression, linux, malware, programming, security, shellcode, windows | 1 Comment

Windows Process Injection: Asynchronous Procedure Call (APC)

Introduction An early example of APC injection can be found in a 2005 paper by the late Barnaby Jack called Remote Windows Kernel Exploitation – Step into the Ring 0. Until now, these posts have focused on relatively new, lesser-known …

Posted in assembly, injection, malware, process injection, programming, shellcode, windows

Windows Process Injection: Winsock Helper Functions (WSHX)

Introduction The MSDN documentation states that Winsock Helper Functions (WSHX) are “obsolete for Windows Server 2003, Windows Vista, and later…”. However, Helper DLLs continue to be used by the latest build of Windows 10 to implement sockets for TCP, Infrared, …

Posted in malware, process injection, programming, shellcode, windows

Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL

Introduction UPDATE: After being available for twenty years, Dr. Dobb’s removed access to two articles linked from here. I’ve no idea why. A DynaCall() Function for Win32 was published in the August 1998 edition of Dr. Dobb’s Journal. The author, Ton Plooy, …

Posted in assembly, programming, security, shellcode, windows

Shellcode: In-Memory Execution of DLL

Introduction In March 2002, the infamous group 29A published their sixth e-zine. One of the articles titled In-Memory PE EXE Execution by Z0MBiE demonstrated how to manually load and run a Portable Executable entirely from memory. The InMem client provided …

Posted in assembly, injection, programming, security, shellcode, windows | 2 Comments

Windows Process Injection: CLIPBRDWNDCLASS

Introduction The Object Linking & Embedding (OLE) library (ole32.dll) uses a private clipboard. It registers CLIPBRDWNDCLASS as a window class, creates a window derived from that class, and assigns a number of window properties to store the address of interfaces …

Posted in malware, programming, security, shellcode, windows

Shellcode: Using the Exception Directory to find GetProcAddress

Introduction Let’s say you want the location of the GetProcAddress API in memory, but you can’t use the Import Address Table (IAT) or the Export Address Table (EAT). What other ways can you do it? Perhaps there are many ways, …

Posted in assembly, programming, security, shellcode, windows | 3 Comments