Talk:Shellcode

This article is rated B-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing High‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles High This article has been rated as High-importance on the project's importance scale. This article is supported by WikiProject Computing (assessed as Mid-importance). Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

I've rewritten the page and adding more information about alphanumer/printable/unicode shellcode. I'd like to see more information on:

• Shellcode writting for different processors/operating systems/service packs.

(I can add a lot about win32 shellcode, but my *nix shellcode is a bit rusty and I've never done anything other than IA32)

• Platform spanning shellcode

(Runs on multiple OSes/processor types).

• Egghunt shellcode

(Shellcode exists of small code that scans the process' memory (hunt) for a larger shellcode (egg) that does the actual work. When found, the egg is executed. This is often used when a larger shellcode can be injected, but is hard to execute immediately and a smaller shellcode would be easier to inject and execute as well.)

• Omelete shellcode

(Shellcode exists of small code that scans the process' memory for more small pieces of shellcode (eggs) that are combined to form the original shellcode (omelette), which is executed. This can be used when a large shellcode cannot be injected as a whole, but can be injected in multiple smaller parts.)

• Multi-stage shellcode

(Shellcode downloads and executes a larger second stage shellcode - used when second stage shellcode itself is too large to be injected immediately.)

- SkyLined (talk) 17:04, 29 February 2008 (UTC)[reply]

An assessment was requested over at Wikipedia:WikiProject Computing/Assessment. I've given this article a B rating. Comprehensible, interesting, reasonably complete (adding more detail would risk WP:HOWTO infraction) and reasonably well-referenced treatment. Further improvements would include more work on references and reworking some of the prose to eliminate a few unnecessary headings. I'd also like to see discussion of Data Execution Prevention and other modern countermeasures. Congratulations! --Kvng (talk) 15:51, 30 September 2010 (UTC)[reply]

I noticed that loading the Shellcode page caused my antivirus program (ESET NOD antivirus) to trigger (JS/exploit.Shellcode.A.gen trojan), probably because of a detection mechanism that can't differentiate between displayed and running code. It intercepts the page loading, so I can't see what it reacts to. Perhaps the page can be rewritten so it doesn't contain literal examples of shellcode? Mumiemonstret (talk) 21:12, 11 October 2010 (UTC)[reply]

ESET NOD is apparently (over-) reacting to the presence of the character "邐" ( also known as unicode character 9090 as listed on http://en.wikibooks.org/wiki/Unicode/Character_reference/9000-9FFF ), URL-encoded, or encoded as a javascript escape sequence or a html character entity. That's a pretty far cry from a shellcode. It's only relevant to shellcodes in that the character's UTF-16 representation happens to match a 2 bytes sequence frequently used as part of a NOP slide, which many shellcodes rely on. It's clearly a false positive, and the article shouldn't need to dance around ESET NOD to avoid its flagging. Also note that ESET NOD is the only AV on VirusTotal to flag this page. 209.131.62.115 (talk) 10:37, 1 November 2010 (UTC)[reply]

According to a recent PPT presentation given by T. H., a virus-analyst working at F-Secure of Finland: Windows 7 is immune to shellcode exploitation, which would have stopped the famous EMC-RSA hack attack, had that company migrated its vulnerable WinXP and Vista desktops to Win7 before the spring of 2011. 82.131.210.163 (talk) 12:15, 7 February 2012 (UTC)[reply]

Not sure what you mean by "shellcode exploitation", but [1] works just fine on Windows 7.     — SkyLined (talk) 16:49, 7 February 2012 (UTC)[reply]

Hello fellow Wikipedians,

I have just modified 8 external links on Shellcode. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20100123014637/http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/ to http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/
• Added archive https://web.archive.org/web/20090323030636/http://skypher.com/wiki/index.php?title=Shellcode%2Fw32_SEH_omelet_shellcode to http://skypher.com/wiki/index.php?title=Shellcode%2Fw32_SEH_omelet_shellcode
• Added archive https://web.archive.org/web/20120109070051/http://goodfellas.shellcode.com.ar/docz/bof/Writing_shellcode.html to http://goodfellas.shellcode.com.ar/docz/bof/Writing_shellcode.html
• Added archive https://web.archive.org/web/20080302111910/http://www.metasploit.com/shellcode/ to http://www.metasploit.com/shellcode/
• Added archive https://web.archive.org/web/20060619025456/http://www.linux-secure.com/endymion/shellcodes/ to http://www.linux-secure.com/endymion/shellcodes/
• Added archive https://web.archive.org/web/20061112203748/http://www.milw0rm.com/papers/11 to http://www.milw0rm.com/papers/11
• Added archive https://web.archive.org/web/20061115040739/http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf to http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf
• Added archive https://archive.is/20130219020328/http://libemu.carnivore.it/ to http://libemu.carnivore.it/

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 16:30, 9 December 2017 (UTC)[reply]

Depends on specific piece of software where shellcode is to be applied. Many “classical” network services (such as ones running from inetd.conf) serve one client session per process and already have STDIN/STDOUT facing the client’s side. No special manipulation with file descriptors is necessary. Incnis Mrsi (talk) 14:14, 4 August 2019 (UTC)[reply]

It can be either "shellcode" (uncountable noun) or "a shellcode" (countable) — unlike, say, "software", where native English speakers do not use the countable "softwares". The article doesn't really make this clear. See Wiktionary [2]. Equinox ◑ 13:31, 17 December 2023 (UTC)[reply]

Do you want anything done about this? It looks like you're making a remark and not suggesting a chance or asking a question, which is what normally happens on the talk page. — SkyLined (talk) 14:33, 17 December 2023 (UTC)[reply]

@SkyLined: Well, we could start the article with "In hacking, shellcode or a shellcode is..." (to show both forms) but I don't know how long that change would last. Compare what is done with variant spellings in some articles though. Equinox ◑ 18:52, 18 December 2023 (UTC)[reply]

I don't immediately see much use on that; I think this is something a dictionary should explain but i see no need to explain this on Wikipedia. For example, I wouldn't start the page about beer with "beer or a beer is..." But then I have been working on shellcode for decades myself, so maybe this is tribal knowledge that I assume it's obvious but that warrants explaining for most. Maybe others can provide their opinion? — SkyLined(talk) 23:00, 18 December 2023 (UTC)[reply]