Assignment Goals (SLAE-1530)
1) Study about the Egg Hunter shellcode.
2) Create a working demo of the Egghunter.
3) Should be configurable for different payloads.
What is an Egg Hunter Shellcode?
An egg hunter is a very small piece of shellcode designed to find another (usually much bigger) shellcode in memory. To do so, it scans the whole process memory in search of a special pattern. This pattern is called an egg and is placed immediately in front of the second, bigger shellcode. When the egg is found in memory, the egg hunter shellcode redirects execution flow to the second shellcode.
An egg is composed of 4 bytes (the size of a memory address on x86-32 processors), for example 0x44434241 (ABCD in little endian). We generally repeat the egg once to avoid "collisions". Imagine we choose ABCD as our egg: ABCD is a common string and we could find this pattern at multiple memory locations, but ABCDABCD is far less likely. ABCD is not a good choice anyway since it is too common, even if we repeat it. It is important to choose something you don't often see in programs and memory, for example egg! or 3gg!.
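A Python model of the hunter's search, added here as an example (it is not part of the SLAE assignment or of this post): it lays the egg out in little-endian order, doubles it, counts how often the single and the doubled egg turn up in a constructed address space, and returns where the payload starts. The page size, the dict-of-pages layout and the sample page contents are assumptions made for illustration.

```python
import struct

PAGE_SIZE = 0x1000  # 4 KiB pages, the granularity a hunter walks memory in


def egg_bytes(tag: int) -> bytes:
    """Lay the 32-bit egg out as it sits in memory (little endian) and
    repeat it once, which is what makes the marker unlikely to collide."""
    return struct.pack("<I", tag) * 2


def tag_from_str(s: str) -> int:
    """Read a 4-character marker such as 'egg!' back as the dword value
    the hunter compares against."""
    return struct.unpack("<I", s.encode())[0]


def count_hits(memory: dict, pattern: bytes) -> int:
    """Count how often a pattern occurs in the mapped pages (per page, so a
    match straddling a page boundary is not counted); used to show collisions."""
    return sum(data.count(pattern) for data in memory.values())


def hunt(memory: dict, tag: int):
    """Model of the hunter's scan: walk mapped pages in address order, look for
    the doubled egg (also across the boundary into the next mapped page) and
    return the address of the first byte after it, where the payload starts.
    Unmapped pages are simply absent from the dict (assumption of this model)."""
    egg = egg_bytes(tag)
    for base in sorted(memory):
        data = memory[base]
        tail = memory.get(base + PAGE_SIZE, b"")[: len(egg) - 1]
        idx = (data + tail).find(egg)
        if idx != -1:
            return base + idx + len(egg)
    return None


TAG = 0x44434241  # "ABCD" in little endian, the egg used as example above

# Constructed sample address space (page base -> start of page contents), not a
# real process: two pages contain the single egg by accident, one holds the marker.
MEMORY = {
    0x08048000: b"\x90" * 16 + b"ABCDEFGH" + b"\x90" * 8,
    0x08049000: b"hello ABCD world".ljust(32, b"\x00"),
    0xBFFFE000: b"\x00" * 20 + egg_bytes(TAG) + b"\xCC" * 8,
}

if __name__ == "__main__":
    print("single egg hits :", count_hits(MEMORY, struct.pack("<I", TAG)))  # 4
    print("doubled egg hits:", count_hits(MEMORY, egg_bytes(TAG)))          # 1
    print("payload address : 0x%08X" % hunt(MEMORY, TAG))                   # 0xBFFFE01C
    print("'egg!' as dword : 0x%08X" % tag_from_str("egg!"))                # 0x21676765
```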