Summary
Writing shellcode by hand is too costly for complex attack action. Modern attackers prefer to develop their malware in C/C++ and convert the EXE files to shellcode for use. There are two main reasons for this: one is that handwritten shellcode is costly and time-consuming and it is difficult to develop complex backdoor designs, elevated privileges, or lateral movement features; the second is that shellcode is often used as code to hijack the execution in only a first-stage exploit.
In practice, due to both buffer overflow and heap exploits, there is often not enough space under the attacker’s control to store the whole shellcode, so it is usually split into two pieces of shellcode: the small shellcode (called the stub) is responsible for the first stage of the exploit; when successful, the larger shellcode is loaded into memory for execution, whether by network connection, file reading, or egg-hunting techniques.
In this chapter, we introduced the principle and...
