Channel: ThreatFire Research Blog » Shellcode

Tool for shellcode analysis

Here’s some favorite C code that I use to reverse engineer the shellcode I collect from malicious files, malicious web sites and attacking network traffic:

#include <stdio.h>

/* Paste the collected bytes here as a C-style string, e.g. "\x90\x90..." */
unsigned char shellcode[] = "";

int main(void) {
    void (*c)();                 /* pointer to a function taking no arguments */
    printf("Shellcode it is!\n");
    c = (void (*)())shellcode;   /* point it at the first byte of the buffer */
    c();                         /* transfer control, as an exploit would */
    return 0;
}

Basically, the code creates a buffer that holds your collected shellcode, declares a pointer to a function that takes no arguments and returns nothing, points that function pointer at the start of the buffer and transfers control to it, just as an attacker’s exploit would. Drop the hex into the array as a C-style string, compile it, and toss it into Olly for stepping and analysis! One catch on current toolchains: the array lives in a data section that is not executable when DEP/NX is on, so the call will fault unless the bytes are first copied into memory marked executable.
We’ll look at a current example from a site in the wild in an upcoming post.
