{{ SECURITY Network packet Forensic }} 


Chapter 13-1 : Shell code packet analysis


In the following example, the captured data contains something suspicious that runs [calc.exe].


After converting it to hex, there are many 0x90 bytes in front of the data. This could be a NOP (No Operation) sled used in a buffer overflow attack. To know what those bytes mean, they should be disassembled into assembly code. The last 4 bytes are the CRLF (carriage return / line feed) sequence that HTTP uses to end a line. Let us assume it is shellcode.


Wireshark offers a convenient way to copy the data as a C array, as shown below.


After copying the content to a text file, convert it to a binary file and check whether it is really executable code.
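The workflow above (C array export, raw bytes, then a look for the leading 0x90 run and the trailing CRLF CRLF), as an added Python example that is not part of the original post. The C array text is constructed in the shape of Wireshark's "Copy as C Array" output; the bytes after the 0x90 run are placeholder filler, not shellcode.

```python
import re

# Constructed sample in the shape of Wireshark's "Copy as C Array" output.
# The run of 0x90 plays the NOP sled from the post; the bytes after it are
# placeholder filler (not shellcode) and the tail is HTTP's CRLF CRLF.
SAMPLE_C_ARRAY = """char peer0_0[] = { /* Packet 4 */
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x41, 0x42, 0x43, 0x44,
0x45, 0x46, 0x0d, 0x0a, 0x0d, 0x0a };
"""

HEX_BYTE = re.compile(r"0x([0-9a-fA-F]{2})")
NOP = 0x90                     # x86 single-byte NOP
HTTP_TERMINATOR = b"\r\n\r\n"  # CRLF CRLF that ends HTTP headers

def c_array_to_bytes(text: str) -> bytes:
    """Turn a C array dump into raw bytes (the hex2bin step of the post)."""
    body = text[text.index("{") + 1:text.rindex("}")]
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)  # strip /* Packet n */
    return bytes(int(h, 16) for h in HEX_BYTE.findall(body))

def leading_nop_count(data: bytes) -> int:
    """Length of the run of 0x90 at the start of the data."""
    n = 0
    while n < len(data) and data[n] == NOP:
        n += 1
    return n

def split_payload(data: bytes):
    """Return (sled_length, bytes_after_sled, ends_with_crlf_crlf)."""
    ends = data.endswith(HTTP_TERMINATOR)
    trimmed = data[:-len(HTTP_TERMINATOR)] if ends else data
    sled = leading_nop_count(trimmed)
    return sled, trimmed[sled:], ends

def analyse(text: str, min_sled: int = 8) -> dict:
    """Flag a payload whose leading NOP run is at least min_sled bytes."""
    data = c_array_to_bytes(text)
    sled, rest, ends = split_payload(data)
    return {"total_bytes": len(data), "nop_sled": sled,
            "suspicious": sled >= min_sled, "http_terminated": ends,
            "body_hex": rest.hex()}

if __name__ == "__main__":
    print(analyse(SAMPLE_C_ARRAY))
```

Writing the result of `c_array_to_bytes()` to a file opened with `"wb"` gives the binary that the post feeds to a disassembler.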


References :

http://codinguy.net/2013/06/03/insertion-encoderdecoder-shellcode/

http://gnuwin32.sourceforge.net/packages/hex2bin.htm
