{"id":3411,"date":"2015-12-10T16:21:33","date_gmt":"2015-12-10T16:21:33","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3411"},"modified":"2023-12-22T22:58:11","modified_gmt":"2023-12-22T22:58:11","slug":"converting-shellcode-to-portable-executable-32-and-64-bit","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/12\/10\/converting-shellcode-to-portable-executable-32-and-64-bit\/","title":{"rendered":"Converting Shellcode to Portable Executable (32- and 64- bit)"},"content":{"rendered":"<p><strong>Update 2023-12-22<\/strong><\/p>\n<p><a href=\"https:\/\/twitter.com\/mgreen27\">Matthew<\/a> pinged me about the Yasm links no longer working, so I have updated them to point to the Yasm GitHub repo, as he suggested. Thanks Matthew!<\/p>\n<p><strong>Old Post<\/strong><\/p>\n<p>Analyzing shellcode is tricky, so to simplify the process it&#8217;s really handy to convert it into an executable that can then be analyzed with a debugger or IDA. Since shellcode is position-independent code, all we have to do is build a simple executable that embeds the shellcode blob, and ensure the entry point of the executable points to the beginning of the embedded code.<\/p>\n<p>Many people use different tricks to do it: some write <a href=\"https:\/\/security.stackexchange.com\/questions\/18958\/are-there-any-tools-that-focus-on-shellcode-analysis\">C code<\/a>, others use <a href=\"https:\/\/github.com\/MarioVilas\/shellcode_tools\/blob\/master\/shellcode2exe.py\">Python<\/a>.<\/p>\n<p>Below, I present probably the simplest and shortest method &#8211; using assembly \ud83d\ude09<\/p>\n<p>The following is a short tutorial on how to do it with two freely available tools &#8211; YASM and GoLink:<\/p>\n<ul>\n<li>Download Yasm\n<ul>\n<li><a href=\"https:\/\/github.com\/yasm\/yasm\/releases\/\">https:\/\/github.com\/yasm\/yasm\/releases\/<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Extract <strong>yasm-1.3.0-win64.exe<\/strong> or <strong>yasm-1.3.0-win32.exe<\/strong> 
and rename it to <strong>yasm.exe<\/strong><\/li>\n<li>Download Jeremy Gordon&#8217;s GoLink linker\n<ul>\n<li><a href=\"http:\/\/www.godevtool.com\/Golink.zip\">http:\/\/www.godevtool.com\/Golink.zip<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Extract <strong>golink.exe<\/strong><\/li>\n<li>Name the file storing the extracted shellcode as <strong>shellcode.bin<\/strong><\/li>\n<li>Create a <strong>shellcode.asm<\/strong> file with the following instructions<\/li>\n<\/ul>\n<pre style=\"padding-left: 60px;\">Global Start<\/pre>\n<pre style=\"padding-left: 60px;\">Start:<\/pre>\n<pre style=\"padding-left: 60px;\">incbin \"shellcode.bin\"<\/pre>\n<ul>\n<li>From a command line run the following command to assemble the code:\n<ul>\n<li>for 32-bit shellcode\n<ul>\n<li>yasm.exe -f win<strong>32<\/strong> -o shellcode.obj shellcode.asm<\/li>\n<\/ul>\n<\/li>\n<li>for 64-bit shellcode\n<ul>\n<li>yasm.exe -f win<strong>64<\/strong> -o shellcode.obj shellcode.asm<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Now run the linker\n<ul>\n<li>golink \/ni \/entry Start shellcode.obj<\/li>\n<\/ul>\n<\/li>\n<li>The resulting file <strong>shellcode.exe<\/strong> can be debugged or analyzed with IDA<\/li>\n<\/ul>\n<p>If it still sounds like a lot of steps, you can create a batch file to do all the work for you. 
Save it as shell2exe.bat and from now on, all you have to do is run the following command:<\/p>\n<pre style=\"padding-left: 30px;\">shell2exe.bat 64 &lt;shellcode file&gt;<\/pre>\n<p>or<\/p>\n<pre style=\"padding-left: 30px;\">shell2exe.bat 32 &lt;shellcode file&gt;<\/pre>\n<p>depending on the shellcode architecture.<\/p>\n<p>Here&#8217;s the shell2exe.bat file:<\/p>\n<pre>------------ shell2exe.bat ------------ \n@echo off\n@if \"%1\"==\"\" goto help\n@if \"%2\"==\"\" goto help\n\n@echo Global Start &gt; shellcode.asm\n@echo SECTION 'foo' write, execute,read &gt;&gt; shellcode.asm\n@echo Start:       &gt;&gt; shellcode.asm\n@echo incbin \"%2\"  &gt;&gt; shellcode.asm\n@yasm.exe -f win%1 -o shellcode.obj shellcode.asm\n@golink \/ni \/entry Start shellcode.obj\n@del shellcode.asm\n@del shellcode.obj\n@dir shellcode.exe\n\n@goto exit\n\n@:help\n@echo Converts a shellcode blob to an executable\n@echo Required Arguments:\n@echo - architecture: 32 or 64 (depending on the shellcode)\n@echo - shellcode blob file name\n\n@:exit\necho.\n------------ shell2exe.bat ------------\n<\/pre>\n<p>And since we really, really want to keep it super simple, here is the <a href=\"https:\/\/www.hexacorn.com\/d\/shell2exe.zip\">whole package<\/a> for your convenience. It contains shell2exe.bat + GoLink.exe + 32-bit yasm.exe \/for portability\/.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2023-12-22 Matthew pinged me about the Yasm links no longer working, so I have updated them to point to Yasm github repo, as he suggested. Thanks Matthew! 
Old Post Analyzing shellcodes is tricky so to simplify this process it&#8217;s &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/12\/10\/converting-shellcode-to-portable-executable-32-and-64-bit\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3411"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3411"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3411\/revisions"}],"predecessor-version":[{"id":8972,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3411\/revisions\/8972"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}