Abhineet

Reputation: 5399

Shellcode searching for Bytes String: 0C330408Bh

I am learning how malware (Blackhole Exploit) works. I extracted the shellcode from a malicious code. I figured out everything except a search for the Byte String. Can anyone help me with this? Why does this shellcode (most of the malicious shellcodes) search for this particular string? The searching code goes like this:

        mov     eax, 0C330408Bh         ; the byte string being searched for
search_loop:
        inc     esi
        cmp     dword ptr [esi], eax
        jne     search_loop             ; back to top

Upvotes: 0

Views: 502

Answers (2)

Vadim K.

Reputation: 91

As an addition to Igor's answer, I recommend that you read this article: http://skypher.com/index.php/2010/11/17/bypassing-eaf/. The code looks for the specific instructions within system DLLs to use them for reading or writing data from/to arbitrary locations in memory. So to use this code, just put (address-0x30) into eax and call the sequence above.

Upvotes: 3

Igor Skochinsky

Reputation: 25298

If you take the magic bytes, convert them to little-endian format and disassemble, you get the following:

8B 40 30    mov     eax, [eax+30h]
C3          retn

So, the shellcode is searching for this sequence of instructions. I'm not 100% sure, but I think it's used to find the kernel32 image in memory (since this sequence usually occurs there).

Upvotes: 3
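The two points the answers make, that the constant only makes sense once it is written out in little-endian byte order, and that the loop is a plain byte-by-byte signature scan, can be checked in a few lines. The following Python script is an added example and is not code from the question or either answer: it converts 0C330408Bh to the bytes it matches in memory, replays the question's search loop over a constructed buffer (the sample bytes are made up for the example and are not taken from any real DLL), and shows how an analyst can flag a shellcode sample by the instruction that loads this constant rather than by the four gadget bytes alone, since those four bytes also occur in legitimate code. The function and constant names are this example's own.

```python
import struct

# The DWORD immediate the shellcode in the question loads into EAX.
MAGIC = 0xC330408B

# Little-endian encoding of that constant: the byte order that
# `cmp dword ptr [esi], eax` actually compares against memory.
# struct.pack("<I", 0xC330408B) == b"\x8b\x40\x30\xc3", which disassembles
# to `mov eax, [eax+30h]` / `retn` as shown in Igor's answer.
MAGIC_BYTES = struct.pack("<I", MAGIC)

# Opcode for `mov eax, imm32`; the immediate follows in little-endian order.
MOV_EAX_IMM32 = b"\xb8"


def signature_bytes(dword):
    """Return the little-endian byte sequence a 32-bit constant matches in memory."""
    return struct.pack("<I", dword)


def find_signature(buf, sig, start=0):
    """Replicate the question's loop: step one byte at a time (inc esi) and
    compare len(sig) bytes at each position. Returns the first match offset or -1."""
    for i in range(start, len(buf) - len(sig) + 1):
        if buf[i:i + len(sig)] == sig:
            return i
    return -1


def find_all(buf, sig):
    """Every offset at which sig occurs in buf (overlapping matches included)."""
    hits = []
    i = find_signature(buf, sig)
    while i != -1:
        hits.append(i)
        i = find_signature(buf, sig, i + 1)
    return hits


def find_gadget_loader(blob):
    """Detection helper: offset of `mov eax, 0C330408Bh` (B8 8B 40 30 C3) in a
    shellcode sample, or -1. Keying on the B8 opcode plus the constant avoids
    matching the bare gadget bytes, which also occur inside legitimate code."""
    return find_signature(blob, MOV_EAX_IMM32 + MAGIC_BYTES)


# Constructed stand-in for a code region of a system DLL (not real DLL bytes):
# a small function body, two NOPs, then the searched-for sequence at offset 10.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec\x8b\x45\x08\x5d\xc3"   # push ebp / mov ebp,esp / mov eax,[ebp+8] / pop ebp / retn
    + b"\x90\x90"                        # nop / nop
    + b"\x8b\x40\x30\xc3"                # mov eax,[eax+30h] / retn  <- the magic bytes
    + b"\xcc" * 4                        # int3 padding
)

# Constructed shellcode fragment encoding the loop from the question:
# nop / nop / mov eax,0C330408Bh / inc esi / cmp [esi],eax / jne back to inc esi.
SAMPLE_SHELLCODE = (
    b"\x90\x90"
    + b"\xb8\x8b\x40\x30\xc3"            # mov eax, 0C330408Bh
    + b"\x46"                            # inc esi
    + b"\x39\x06"                        # cmp dword ptr [esi], eax
    + b"\x75\xfb"                        # jne -5 (back to inc esi)
)


if __name__ == "__main__":
    print("search bytes:", MAGIC_BYTES.hex())                                           # 8b4030c3
    print("gadget offset in sample image:", find_signature(SAMPLE_IMAGE, MAGIC_BYTES))  # 10
    print("loader offset in sample shellcode:", find_gadget_loader(SAMPLE_SHELLCODE))   # 2
    # The raw gadget bytes also appear inside the shellcode itself, as the
    # immediate of the mov, so a scanner matching only those four bytes would
    # hit the searcher as well as the thing it searches for.
    print("raw gadget bytes in shellcode at:", find_all(SAMPLE_SHELLCODE, MAGIC_BYTES))  # [3]
```

The `find_all` result on the shellcode sample is the practical takeaway for writing a signature: the four bytes 8B 40 30 C3 are a valid instruction pair that exists in plenty of benign binaries, whereas `B8 8B 40 30 C3` (the constant being loaded into EAX for comparison) is characteristic of a searcher and is a better anchor for a YARA-style rule.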
