These notes continue from Exploit Development Notes Vol.2.

Section 22: Malware Injection with JMP instruction

Learning Objectives:

  1. Shellcode with JMP and Malware Injected
  2. Injecting Shellcode and Creating Exploit

Shellcode with JMP and Malware Injected

Program Breakdown

global _start         ; Entry point for the program

section .text         ; Start of code section

_start:
		jmp string        ; Jump to 'string' label

code:
		pop rsi           ; Pop the return address (pointing to "hacked_str") into RSI
		mov al,   1       ; Set AL to 1, which specifies the 'write' syscall
		xor rdi,  rdi     ; Clear RDI, setting it to 0
		add rdi,  1       ; Set RDI to 1 (file descriptor for stdout)
		xor rdx,  rdx     ; Clear RDX
		add rdx,  rdx     ; Double RDX (0 * 2 = 0)
		add rdx,  17      ; Set RDX to 17 (number of bytes to write)
		syscall           ; Invoke syscall (write to stdout)

		xor rax,  rax     ; Clear RAX (set it to 0)
		add rax,  60      ; Set RAX to 60 (syscall number for 'exit')
		xor rdi,  rdi     ; Clear RDI (exit code 0)
		syscall           ; Invoke syscall (exit program)

string:
		call code         ; Call 'code' label, pushing address of 'hacked_str' onto stack
		hacked_str: db 'Malware Injected', 0xa ; Define string with newline 

Explanation

  1. Jump to string: The program begins with jmp string, skipping forward over the code block to the string label, where a call instruction sits immediately in front of the string bytes.

  2. String Handling:

    The instruction pop rsi is used to retrieve the return address from the stack and store it in the RSI register. In this context, call code pushed the address of the instruction that follows it, which is hacked_str, so after the pop RSI holds the address of "Malware Injected" without the program needing to know where in memory it was loaded.

    This technique is commonly used in shellcode and exploit development to efficiently locate and utilize data within the code itself.

  3. Syscall Write (mov al, 1 and syscall): RAX is set to 1 (write), RDI to 1 (stdout), RSI to the string address from step 2 and RDX to 17 (the 16 characters plus the newline); syscall then prints the string. Note that mov al, 1 only sets the low byte of RAX and relies on the upper bytes already being zero, which holds at process entry of a standalone Linux binary but is not guaranteed in general.

  4. Syscall Exit (xor rax, rax / add rax, 60 and syscall): RAX is set to 60 (exit) and RDI to 0 (exit status 0); syscall terminates the process.

Summary

This code is a self-contained Assembly program that prints "Malware Injected" followed by a newline and then exits. It uses a jump and call mechanism to handle string printing in a compact way, demonstrating control over registers and syscall usage.
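The same jmp/call/pop layout that makes the string easy to find for the shellcode also makes it easy to spot in a byte buffer. As an added example (not part of these notes), the Python below scans raw bytes for a short forward JMP whose target is a CALL rel32 back to a POP r64 sitting right after the JMP, and reports where the embedded data begins. The sample bytes are a hand assembly of the listing above, constructed for this example and assumed to match what nasm would emit.

```python
import struct

# Constructed sample: hand-assembled x86-64 encoding of the section's listing.
SAMPLE = bytes.fromhex(
    "eb22"                          # jmp short +0x22 -> 'string' at offset 36
    "5e"                            # pop rsi
    "b001"                          # mov al, 1
    "4831ff" "4883c701"             # xor rdi, rdi ; add rdi, 1
    "4831d2" "4801d2" "4883c211"    # xor rdx, rdx ; add rdx, rdx ; add rdx, 17
    "0f05"                          # syscall (write)
    "4831c0" "4883c03c"             # xor rax, rax ; add rax, 60
    "4831ff" "0f05"                 # xor rdi, rdi ; syscall (exit)
    "e8d9ffffff"                    # call code (rel32 = -39 -> offset 2)
) + b"Malware Injected\n"           # hacked_str, 17 bytes

# One-byte POP r64 opcodes (0x58 + register number, no REX prefix).
POP_R64 = {0x58 + n: f"pop {r}" for n, r in enumerate(
    ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"])}


def find_jmp_call_pop(buf: bytes):
    """Return every JMP -> CALL -> POP triple found in buf (heuristic)."""
    hits = []
    for i in range(len(buf) - 1):
        if buf[i] != 0xEB:                      # jmp rel8
            continue
        rel8 = struct.unpack_from("<b", buf, i + 1)[0]
        call_off = i + 2 + rel8
        # Only a forward short jump that lands on a CALL rel32 qualifies.
        if rel8 <= 0 or call_off + 5 > len(buf) or buf[call_off] != 0xE8:
            continue
        rel32 = struct.unpack_from("<i", buf, call_off + 1)[0]
        call_target = call_off + 5 + rel32
        # The CALL must return control to a POP placed right after the JMP.
        if call_target != i + 2 or buf[call_target] not in POP_R64:
            continue
        data = call_off + 5                     # bytes the POP will point at
        hits.append({"jmp": i, "call": call_off, "pop": POP_R64[buf[call_target]],
                     "data": data, "preview": buf[data:data + 32]})
    return hits


if __name__ == "__main__":
    for h in find_jmp_call_pop(SAMPLE):
        print(f"jmp@{h['jmp']} call@{h['call']} {h['pop']} data@{h['data']}: {h['preview']!r}")
```

The check is a pattern heuristic, so treat a hit as a reason to look closer rather than as proof of shellcode.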