Shellcode in Literature
ADVANCED DIGITAL FORENSICS
Part A. Shellcode in Literature
1. Development bottom line for an exploit - “The Shellcode Generation”
There are three basic components can be used for exploiting the bottom lines of the systems are listed below.
Adding user accounts
It is one of the easiest way of exploitation where the user can use the command of adding a line to the password file and accesses all of the information about the system.
Changing systems configuration
This method is one of the publicly available processes where the user can be able to exploit the payload while alerting the vulnerable system configuration. The payload will be distracted from one OS to the other simple variable one.
Network aware shellcode
Shellcode is most vulnerable towards attackers as the attacker already has some of the interactive access with the system. Software flaws advantage will be taken to run the existing programs of the systems where the communication between the remote systems as well with the span shell will be destroyed.
2. Intrusion detection system - “Evasion Techniques”
Most of the Intrusion detection systems are basically work on the basis of signatures detection. The attacker can be able to create a custom packet payload that does not match with any kind of signature in the integrated development systems predefined database (ieeexplore.ieee.org, 2018). In this way the attacker can be able to pass to the IDS without creating any kind of noisy alerts and enters from the remote system. Following many different kind of techniques a piece of shellcode can be able to pass to the intrusion detection systems are listed below.
Insertion Attack: using the shellcode the attackers will confuse the system through invalid packets. Malformed packets will end the system for any other kind of interpretations.
Denial of Service: IDS system generally uses the one of its centralized logging server in order to log the alerts and events. Using the shell code method the intruder can be able to attack the known Internet protocol addresses and launch the denial of service attack. This in turn will not allow any other servers to log in any more events.
Session fragmentation and splicing: This process includes the splitting of packets, breaking and slicing into some of the multiple pieces and none of the single packet can cause any kind of triggers to make any alerts. IDS systems generally ignore this packet reconstruction and also fail to match against the databases signature.
3. Program counter concept and its importance - “English Shellcode”
Program counter is a kind of special purpose machine register that helps in identifying the available next instruction that scheduled for execution (ieeexplore.ieee.org, 2018). The first objective of the intruder and attacker is to gain control over the program counter of the machines. While gaining control over program controller the attacker can be able to redirect to the programs and also disrupts it for execution. Program counter in the shell code is generally adjusted to point out the machines. Once the machines gets fetched out by the program counter than the tasks gets executed and performs. It can also be stated that there is a difference between the different exploits to use different techniques of exploits like code injection attacks, buffer overflow and format string attacks. Incase if using code injection technique of exploits the intruder can exploits the grants and takes control over the program counter. The attacker will execute the whole code designed by the programmers in the system and execute the code that is delivered by them. In case of buffer overflow also the intruder takes control over the program counter. Using the program counter the machine instruction will be classified into two types namely jump instruction and do not method.
In case of shell code the program counter has more prominent role where the default exception handling in Operating system will be done through using this program counter. Program counter in OS will be modified to execute detection program. Program counter helps for detecting the programs and controlling over this program controller the hacker can be able to control over the whole programs that has been designed using Shellcode.
4. Advantages of alphanumeric encoding engines - “English Shellcode”
An alphanumeric encoding engine converts the arbitrary payloads to the set of composed numerical digits and letters in the machine. There are two basic reasons behind the usage of alphanumeric encoding engines to the machines are of
- Alphanumeric encoding engines can be stored in a shellcode are of unsuspected contexts like syntactically valid directory names, files, user passwords and many more.
- Compared to UTF 8 encoding and in Unicode the alphanumeric encoding engines character sets are significantly smaller in nature.
Advantage of using the alphanumeric encoding engines is that it copes with all kind of possible restrictions and also practices self-modification phenomenon automatically. It has restricted instruction set and for the intruder it creates challenge to encode the system. Arbitrary payloads can be encoded using the phenomenon of decoder and encoding schemes. An alphanumeric encoding engine in shell code encodes the bytes without making any allowed by the vulnerable applications from the intruder or third parties. An alphanumeric shellcode encoder also helps in evading the shell code detection by the Intrusion detection system. Alphanumeric shellcode encoder makes the routine detection more difficulty by the decoder and this in turn helps the system from unwanted threats and also enhances the vulnerability. This machine also helps in detecting the attacks while searching the shellcode patterns that have been already known (dl.acm.org, 2018). The integrated development system in a machine will be updated with all kind of shellcode patterns and signatures and this in turn helps to bring critical situation for the intruder. The attacker need to have greater skills and the process is damn time consuming to predict the pattern. In this case the attacker will implement and try his own patterns and also gets caught by the unknown attacks with new signature. In this way the alphanumeric shellcode encoder has greater advantage while generating shellcode patterns.