Programming Languages

True hackers use only one or two programming languages: C and Assembly. That being so, the latter is rapidly falling out of use in application programming, giving way to Basic, Delphi, and other languages in which it is fundamentally impossible to develop elegant shellcode.

What about C? From an aesthetic point of view, C is the worst possible choice, and old-school hackers won't forgive you for choosing it. On the other hand, because C is a low-level, system-oriented language, it is well suited to the development of various malware, although this doesn't mean that a hacker need not study Assembly language.

The code generated by the compiler must satisfy the following requirements. First, it must be fully portable, that is, independent of the base load address; second, it must not modify any memory cells except stack memory; and third, it must not use the standard mechanisms for importing functions. Instead, it must either link all required libraries on its own or use the native Application Programming Interface (API). Most compilers can satisfy these requirements; however, the programmer must also observe some rules.

First, never declare the main function of the program as main, because when the linker encounters such a function it will insert the start-up code into the file, which shellcode doesn't require. Do not use global or static variables, because the compiler will forcibly place them in the data segment, and shellcode mustn't have any data segments. Even if the shellcode tries to use the data segment of the vulnerable program, it will first have to determine the address of the segment's "tail" on its own, and then stretch the segment to the required length. All of this is easy in Assembly language, but the same task is too complicated for the compiler. Thus, to write efficient shellcode, store all data only in local variables and specify string constants in numeric form. For example, if you write something like char x[] = "hello, world", the cunning compiler will place the "hello, world" string in the data segment and then copy it dynamically into the local stack variable x. Instead, proceed as follows: x[0] = 'h'; x[1] = 'e'; x[2] = 'l'; and so on. Alternatively, you could convert char to int and carry out the assignment in double words. When doing so, do not forget that the least significant byte must be located at the smaller address, which makes the string appear in inverse order.
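As an added illustration of the byte order this paragraph describes (my own code, not the book's): the little-endian double-word form of a string, plus a round trip through a local stack buffer confirming that the first character must sit in the least significant byte. The function and buffer names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pack 4 bytes of s starting at offset i into one little-endian double
   word: the first character lands in the least significant byte, so the
   constant written in hex reads as the string reversed. Bytes past the
   end of the string are zero, which also supplies the terminating NUL. */
uint32_t pack_dword_le(const char *s, size_t len, size_t i)
{
    uint32_t w = 0;
    for (int k = 3; k >= 0; k--) {
        w <<= 8;
        if (i + (size_t)k < len)
            w |= (uint8_t)s[i + (size_t)k];
    }
    return w;
}

/* Convert a whole string (plus NUL) into double words. Returns the number
   of words written, or 0 if out[] holds fewer than needed. */
size_t pack_string_le(const char *s, uint32_t *out, size_t max_words)
{
    size_t len = strlen(s);
    size_t n = (len + 1 + 3) / 4;   /* round up, NUL included */
    if (n > max_words)
        return 0;
    for (size_t j = 0; j < n; j++)
        out[j] = pack_dword_le(s, len, 4 * j);
    return n;
}

/* Round trip: store the words least significant byte first into a local
   (stack) buffer and check that the original string reappears. */
int roundtrip_ok(const char *s)
{
    uint32_t words[8];
    char buf[sizeof words];
    size_t n = pack_string_le(s, words, 8);
    if (n == 0)
        return 0;
    for (size_t j = 0; j < n; j++)
        for (int k = 0; k < 4; k++)
            buf[4 * j + k] = (char)((words[j] >> (8 * k)) & 0xff);
    return strcmp(buf, s) == 0;
}
```

Whether the compiler really emits such words as immediates, rather than copying them from a read-only data section, is something to verify in the disassembly of the resulting object module.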

Do not use any library functions unless you are sure that they fully satisfy the preceding requirements. As a rule, system functions are called through the native API, also known as syscalls. In Linux and similar systems, this is done using the int 80h interrupt. Other systems, as a rule, use a far call through selector 7, offset zero. Therefore, system calls vary from system to system, which limits shellcode portability. If desired, the shellcode might instead rely on insertion into the import table.

Having compiled the resulting file, you'll get an object module, along with the compiler's error message complaining about the missing main function. It only remains to link it into a 32- or 64-bit binary file. The hacker will have to insert it manually, because the system loader will refuse to process such a file.

Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164