
Shell code packet analysis - 1

GilbertPark 2016. 3. 7. 22:20

{{ SECURITY Network packet Forensic }} 


Chapter 13-1 : Shell code packet analysis


In the following example there is some suspicious data that launches [calc.exe].


After converting it to hex format, there are many 0x90 bytes in front of the data. This is most likely a NOP (No Operation) sled used in a buffer overflow attack: the overwritten return address only has to land somewhere inside the run of 0x90 bytes for execution to slide into the code that follows. To know what those bytes mean, they have to be disassembled. The last four bytes, 0x0d 0x0a 0x0d 0x0a, are two CRLF (Carriage Return, Line Feed) sequences, the blank line that ends the HTTP header block rather than part of the payload. Let us work on the assumption that the rest is shellcode.


Wireshark can display the selected bytes in C array format (for example via the "C Arrays" view in the Follow TCP Stream dialog), as shown below.


After copying the content to a text file, convert it to a binary file (the hex2bin tool in the references does this). Then check whether it really is executable code by disassembling it: a file whose disassembly reads as coherent instructions rather than random bytes supports the shellcode assumption.
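The whole procedure above, from the C-array dump to a carved binary, as an added Python example that is not part of the original post: it parses the text Wireshark emits when bytes are shown as C arrays (replacing the hex2bin step), locates the 0x90 sled, strips the CRLF CRLF HTTP terminator and writes the remaining bytes to a file for a disassembler. The sample array, the variable name `peer0_0`, the 8-byte minimum sled length and the placeholder instruction bytes are all constructed assumptions, not data from the post's capture.

```python
"""Carve a suspected shellcode payload out of a Wireshark "C Arrays" export."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple

NOP = 0x90
HTTP_HEADER_END = b"\r\n\r\n"

# Constructed sample in the layout Wireshark's Follow TCP Stream dialog shows when
# "C Arrays" is selected (assumed layout, not a capture from the original post):
# a short HTTP request line, a 16-byte NOP sled, a few placeholder x86 instructions
# (valid opcodes, not a working payload) and the CRLF CRLF that ends the headers.
SAMPLE_C_ARRAY = """\
char peer0_0[] = { /* Packet 4 */
0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54,
0x54, 0x50, 0x2f, 0x31, 0x2e, 0x30, 0x0d, 0x0a,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
0x54, 0xeb, 0x01, 0xcc, 0x0d, 0x0a, 0x0d, 0x0a };
"""

_HEX_BYTE = re.compile(r"\b0x([0-9a-fA-F]{2})\b")


def parse_c_array(text: str) -> bytes:
    """Turn the C-array text back into raw bytes; this replaces the hex2bin step."""
    return bytes(int(h, 16) for h in _HEX_BYTE.findall(text))


def find_nop_sled(data: bytes, min_len: int = 8) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the longest run of 0x90 bytes if it is at least min_len long."""
    best = None
    i = 0
    while i < len(data):
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == NOP:
            j += 1
        if best is None or j - i > best[1]:
            best = (i, j - i)
        i = j
    if best is None or best[1] < min_len:
        return None
    return best


@dataclass
class Carved:
    sled_offset: int
    sled_len: int
    code: bytes        # bytes between the end of the sled and the HTTP terminator
    terminated: bool   # True when the data ended with CRLF CRLF


def carve_shellcode(data: bytes, min_sled: int = 8) -> Optional[Carved]:
    """Cut out the candidate shellcode: everything after the sled, minus the CRLF CRLF tail."""
    sled = find_nop_sled(data, min_sled)
    if sled is None:
        return None
    start = sled[0] + sled[1]
    terminated = data.endswith(HTTP_HEADER_END)
    end = len(data) - len(HTTP_HEADER_END) if terminated else len(data)
    return Carved(sled[0], sled[1], data[start:end], terminated)


def has_null_bytes(code: bytes) -> bool:
    """Shellcode pushed through a string-copy overflow usually cannot contain 0x00."""
    return 0 in code


def write_binary(code: bytes, path: Path) -> int:
    """Write the carved bytes so a disassembler can be pointed at them; returns the byte count."""
    path.write_bytes(code)
    return len(code)


if __name__ == "__main__":
    raw = parse_c_array(SAMPLE_C_ARRAY)
    carved = carve_shellcode(raw)
    if carved is None:
        print("no NOP sled found")
    else:
        print(f"sled at offset {carved.sled_offset}, {carved.sled_len} bytes; "
              f"HTTP terminator present: {carved.terminated}")
        print("candidate code:", carved.code.hex(" "))
        print("contains null bytes:", has_null_bytes(carved.code))
        print("wrote", write_binary(carved.code, Path("carved.bin")), "bytes to carved.bin")
```

Point a real disassembler at the output, for example `objdump -D -b binary -m i386 -M intel carved.bin`: if the listing reads as coherent instructions (register setup, pushes, a call or a small decoder loop) the shellcode assumption holds. A null byte inside the carved region is a hint that either the carve boundaries are off or the payload was not delivered through a string-copy overflow, since such shellcode usually has to avoid 0x00.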


References :

http://codinguy.net/2013/06/03/insertion-encoderdecoder-shellcode/

http://gnuwin32.sourceforge.net/packages/hex2bin.htm
