1 xor ebx, ebx
2 mov ebx, fs:[0x30]
3 mov ebx, [ebx + 0x0c]
4 mov ebx, [ebx + 0x1c]
5 mov ebx, [ebx]
6 mov ebx, [ebx + 0x08]
Instruction 1: xor ebx, ebx
clear ebx
Instruction 2: mov ebx, fs:[0x30]
get a pointer to the PEB
Instruction 3: mov ebx, [ebx + 0x0c]
Move the value stored at offset 0x0c of the PEB into the register ebx. Let's see what is there:
0:000> dt nt!_PEB @$peb
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x8 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsLegacyProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 SpareBits : 0y000
+0x004 Mutant : 0xffffffff Void
+0x008 ImageBaseAddress : 0x00680000 Void
+0x00c Ldr : 0x77657880 _PEB_LDR_DATA
Offset 0x0c is the Ldr field, a pointer to the _PEB_LDR_DATA structure. So ebx now holds the address 0x77657880.
Instruction 4: mov ebx, [ebx + 0x1c]
This loads the value stored at offset 0x1c of _PEB_LDR_DATA into ebx. Let's see what is stored there:
0:000> dt nt!_PEB_LDR_DATA 0x77657880
ntdll!_PEB_LDR_DATA
+0x000 Length : 0x30
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x221b38 - 0x224728 ]
+0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x221b40 - 0x224730 ]
+0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x221bd8 - 0x224738 ]
+0x024 EntryInProgress : (null)
+0x028 ShutdownInProgress : 0 ''
+0x02c ShutdownThreadId : (null)
- InLoadOrderModuleList: Based on the order in which they were loaded
- InMemoryOrderModuleList: Based on the order in which they appear in memory
- InInitializationOrderModuleList: Based on the order in which they were initialized
All three list heads are of type _LIST_ENTRY. Let's see the definition:
0:000> dt nt!_LIST_ENTRY
ntdll!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
0:000> dt nt!_PEB_LDR_DATA 0x77657880 InInitializationOrderModuleList.Flink /r1
ntdll!_PEB_LDR_DATA
+0x01c InInitializationOrderModuleList : [ 0x221bd8 - 0x224738 ]
+0x000 Flink : 0x00221bd8 _LIST_ENTRY [ 0x222018 - 0x7765789c ]
Expanding the list head shows its Flink, 0x00221bd8, which is the first node of the initialization-order list. This address is what instruction 4 moves into ebx.
Instruction 5: mov ebx, [ebx]
Now the first dword stored at that address, the node's own Flink, is loaded into ebx. Let's dump the node with the dd command:
0:000> dd 0x00221bd8
00221bd8 00222018 7765789c 77580000 00000000
00221be8 0013c000 003c003a 00221a98 00140012
Instruction 6: mov ebx, [ebx + 0x08]
After instruction 5, ebx holds 0x00222018, the Flink of the first node, i.e. the second node of the initialization-order list. Now the value stored at offset 0x08 from 00222018 is moved into ebx. Let's dump the contents:
0:000> dd 00222018
00222018 00221f00 00221bd8 756a0000 756a7e10
00222028 0004b000 00460044 00221fa8 001e001c
So the value 0x756a0000 is moved into ebx, and since the second module in this list is KERNELBASE on the Windows build used here, this should be the base address of kernelbase. Let's confirm this using the lm command:
0:000> lm
start end module name
00680000 006b0000 notepad (pdb symbols)
743e0000 74431000 WINSPOOL (pdb symbols)
74a20000 74bbe000 COMCTL32 (pdb symbols)
74bf0000 74bf9000 VERSION (pdb symbols)
756a0000 756eb000 KERNELBASE (pdb symbols)
758f0000 75a4c000 ole32 (private pdb symbols)
75a50000 75aed000 USP10 (pdb symbols)
75c10000 75c5e000 GDI32 (pdb symbols)
75c60000 768aa000 SHELL32 (pdb symbols)
76d00000 76d0a000 LPK (pdb symbols)
76d10000 76de4000 kernel32 (pdb symbols)
76df0000 76e92000 RPCRT4 (pdb symbols)
76fd0000 7705f000 OLEAUT32 (pdb symbols)
==========================================================
In the above method, we dumped the contents of memory addresses (Flinks) and used the raw offsets to see what is there. To understand why those offsets work, we need to look deeper into the doubly linked list.
The Flinks of the lists stored in _PEB_LDR_DATA do not point at the start of a structure; they point at a _LIST_ENTRY embedded inside a data structure, _LDR_DATA_TABLE_ENTRY. Let's view the structure:
0:000> dt nt!_LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void
+0x01c EntryPoint : Ptr32 Void
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING
+0x02c BaseDllName : _UNICODE_STRING
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT
+0x04c PatchInformation : Ptr32 Void
+0x050 ForwarderLinks : _LIST_ENTRY
+0x058 ServiceTagLinks : _LIST_ENTRY
+0x060 StaticLinks : _LIST_ENTRY
+0x068 ContextInformation : Ptr32 Void
+0x06c OriginalBase : Uint4B
+0x070 LoadTime : _LARGE_INTEGER
0:001> dt nt!_PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
+0x00c InLoadOrderModuleList : _LIST_ENTRY
+0x014 InMemoryOrderModuleList : _LIST_ENTRY
+0x01c InInitializationOrderModuleList : _LIST_ENTRY
0:001> dt nt!_LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
There is a one-to-one correspondence between the _LIST_ENTRY fields of the two structures. For instance, InLoadOrderModuleList.Flink points to the InLoadOrderLinks field of a _LDR_DATA_TABLE_ENTRY, which sits at offset 0, so for that list the Flink equals the start of the entry. For the other two lists the Flink lands 0x08 or 0x10 bytes inside the entry, and the entry itself is recovered by subtracting the field's offset (the CONTAINING_RECORD idiom). In WinDbg, the offset of a field within a structure is given by the expression operator:
#FIELD_OFFSET(Structure Name, Field Name)
Now, let's again take the above example shellcode and look into it:
Instruction 4:
The Flink of InInitializationOrderModuleList points to 0x00221bd8, which is stored in ebx.
Instruction 5:
We follow that node's Flink to the next node of InInitializationOrderModuleList, 00222018, and move it into ebx. That address is the InInitializationOrderLinks field (offset 0x10) of some _LDR_DATA_TABLE_ENTRY, so subtracting the field offset gives the entry it belongs to. Note also that DllBase sits at offset 0x18, exactly 0x08 bytes past InInitializationOrderLinks, which is why instruction 6 reads [ebx + 0x08]. Let's use the above structures to see which list element it points to:
0:000> dt nt!_LDR_DATA_TABLE_ENTRY (00222018 -@@(#FIELD_OFFSET(_LDR_DATA_TABLE_ENTRY,InInitializationOrderLinks)))
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x222870 - 0x221ef0 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x222878 - 0x221ef8 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x221f00 - 0x221bd8 ]
+0x018 DllBase : 0x756a0000 Void
+0x01c EntryPoint : 0x756a7e10 Void
+0x020 SizeOfImage : 0x4b000
+0x024 FullDllName : _UNICODE_STRING "C:\Windows\system32\KERNELBASE.dll"
+0x02c BaseDllName : _UNICODE_STRING "KERNELBASE.dll"
+0x034 Flags : 0x84004
+0x038 LoadCount : 0xffff
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x7765a690 - 0x7765a690 ]
+0x03c SectionPointer : 0x7765a690 Void
+0x040 CheckSum : 0x7765a690
+0x044 TimeDateStamp : 0x531599f6
+0x044 LoadedImports : 0x531599f6 Void
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x222058 - 0x222058 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x222060 - 0x222060 ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x222098 - 0x222098 ]
+0x068 ContextInformation : 0x775f0594 Void
+0x06c OriginalBase : 0xdce0000
+0x070 LoadTime : _LARGE_INTEGER 0x1cfee26`a96973b3
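The following is an added example, not code from the original post: a host-independent C model of the three loader lists and of the CONTAINING_RECORD arithmetic discussed above. The structures keep the field order of the Windows 7 x86 dt output, but they use native pointers, so the byte offsets only equal the page's 0x0c/0x1c/0x10/0x18 values when compiled as 32-bit code; BaseDllName is a plain C string rather than a UNICODE_STRING. The sample module table is constructed from the lm output above; the ntdll base 0x77580000 is an assumption read from the third dword of the dd 0x00221bd8 dump, and the initialization order (ntdll, KERNELBASE, kernel32, with the executable absent) is the Windows 7 order the walk-through relies on. Besides replaying instructions 4 to 6, the block adds a name-matching walk of the load-order list, because a position-based walk is version dependent: on Windows XP the second initialization-order entry is kernel32, on Windows 7 it is KERNELBASE.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Fields of ntdll!_LDR_DATA_TABLE_ENTRY the walk touches, in the page's order (x86 offsets
 * in comments); BaseDllName is a C string here instead of a UNICODE_STRING. */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;           /* +0x000 */
    LIST_ENTRY  InMemoryOrderLinks;         /* +0x008 */
    LIST_ENTRY  InInitializationOrderLinks; /* +0x010 */
    void       *DllBase;                    /* +0x018 */
    const char *BaseDllName;
} LDR_DATA_TABLE_ENTRY;

typedef struct _PEB_LDR_DATA {
    uint32_t    Length;
    uint8_t     Initialized;
    void       *SsHandle;
    LIST_ENTRY  InLoadOrderModuleList;           /* +0x00c */
    LIST_ENTRY  InMemoryOrderModuleList;         /* +0x014 */
    LIST_ENTRY  InInitializationOrderModuleList; /* +0x01c */
} PEB_LDR_DATA;

/* What WinDbg's "(addr - #FIELD_OFFSET(type, field))" expression does by hand. */
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

/* Constructed sample process. Bases come from the lm output above; the ntdll base
 * 0x77580000 is assumed from the third dword of the "dd 0x00221bd8" dump. */
static LDR_DATA_TABLE_ENTRY g_mods[4]; static PEB_LDR_DATA g_ldr;

static PEB_LDR_DATA *build_sample_ldr(void)
{
    static const struct { const char *name; uint32_t base; } mods[4] = { /* table = load order */
        { "notepad.exe",  0x00680000u }, { "ntdll.dll",      0x77580000u },
        { "kernel32.dll", 0x76d10000u }, { "KERNELBASE.dll", 0x756a0000u },
    };
    static const int init_order[3] = { 1, 3, 2 }; /* ntdll, KERNELBASE, kernel32; the exe is absent */

    memset(&g_ldr, 0, sizeof g_ldr);
    list_init(&g_ldr.InLoadOrderModuleList);
    list_init(&g_ldr.InInitializationOrderModuleList);
    for (int i = 0; i < 4; i++) {
        memset(&g_mods[i], 0, sizeof g_mods[i]);
        g_mods[i].DllBase = (void *)(uintptr_t)mods[i].base;
        g_mods[i].BaseDllName = mods[i].name;
        list_append(&g_ldr.InLoadOrderModuleList, &g_mods[i].InLoadOrderLinks);
    }
    for (int i = 0; i < 3; i++) /* same entries, threaded through a second list in another order */
        list_append(&g_ldr.InInitializationOrderModuleList, &g_mods[init_order[i]].InInitializationOrderLinks);
    return &g_ldr;
}

/* Instructions 4 to 6 of the post's shellcode, one statement each. */
static void *shellcode_second_init_module(const PEB_LDR_DATA *ldr)
{
    LIST_ENTRY *node = ldr->InInitializationOrderModuleList.Flink; /* 4: first node (ntdll) */
    node = node->Flink;                                            /* 5: second node */
    /* 6: [ebx + 0x08]. ebx points at InInitializationOrderLinks (+0x10), so +0x08 is DllBase
     * (+0x18); CONTAINING_RECORD performs that subtraction without hard-coding the width. */
    return CONTAINING_RECORD(node, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks)->DllBase;
}

static int name_eq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Position-independent variant: walk the load-order list and match the module name
 * case-insensitively, so a different module order cannot hand back the wrong base. */
static void *find_module_base(const PEB_LDR_DATA *ldr, const char *name)
{
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    for (LIST_ENTRY *n = head->Flink; n != head; n = n->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(n, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (name_eq_ci(e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}

int main(void)
{
    PEB_LDR_DATA *ldr = build_sample_ldr();
    printf("shellcode walk   -> %p\n", shellcode_second_init_module(ldr));
    printf("kernel32 by name -> %p\n", find_module_base(ldr, "kernel32.dll"));
    return 0;
}
```

The hard-coded 0x08 of instruction 6 is simply offsetof(DllBase) minus offsetof(InInitializationOrderLinks), i.e. one LIST_ENTRY; the name-matching walk needs no such constant beyond the field offsets, which is why real-world shellcode usually matches the module name (or a hash of it) rather than counting nodes.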