Analyzing Windows shellcode – triage, disassemble, debug


Simply put, shellcode is a small piece of position-independent machine code that the CPU can execute directly; the hex you see in a dump or a payload string is just a convenient way of writing those raw bytes. Each machine-code instruction starts with an opcode (operation code) that selects the operation, optionally followed by bytes that encode the operands. Here are two instructions you will come across constantly in 32-bit Windows code (one per line):

    55
    8B EC

Handed to the CPU, these bytes perform two specific tasks:

    55      push ebp
    8B EC   mov ebp, esp

The text on the right of the opcodes is the corresponding assembly instruction. Assembly language is the human-readable representation of machine code; an assembler is the tool that turns it back into opcode bytes, and a disassembler does the reverse. These two instructions set up a new stack frame (the classic function prologue), which you can equate to entering a new function in a high-level language such as C/C++. Keep in mind that this is the 32-bit form, and that compilers which omit the frame pointer will not emit it at all, so its absence does not mean there is no function boundary.
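To make the opcode-to-assembly step concrete, here is a small, added example (not code from the original article) that decodes a handful of common 32-bit x86 opcodes by hand, including the ModRM byte that carries the register operands for mov. The opcode table it covers is deliberately tiny; the input bytes are a constructed prologue/epilogue sequence, and the function and constant names are my own.

```python
"""
Minimal decoder for a few common 32-bit x86 instructions.

Constructed teaching example, not a general disassembler: it only
handles register-direct (ModRM mod == 3) forms and emits "db 0xNN"
for anything it does not understand, much like a real disassembler
does when it runs into data or an unsupported encoding.
"""

# Register index (the 3-bit reg/rm field of ModRM, or the low 3 bits
# of the push/pop opcode) in Intel's canonical order.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Opcode 0x83 is "group 1" with an 8-bit immediate: the ModRM reg
# field selects the arithmetic operation instead of a register.
GROUP1 = {0: "add", 1: "or", 2: "adc", 3: "sbb",
          4: "and", 5: "sub", 6: "xor", 7: "cmp"}

# Two-byte "reg, r/m" and "r/m, reg" forms; True means reg is the destination.
MODRM_OPS = {0x8B: ("mov", True), 0x89: ("mov", False),
             0x33: ("xor", True), 0x31: ("xor", False)}


def split_modrm(byte):
    """Split a ModRM byte into (mod, reg, rm): 2 bits, 3 bits, 3 bits."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def decode_one(code, pos):
    """Decode the instruction at code[pos]; return (length, asm_text)."""
    op = code[pos]
    if 0x50 <= op <= 0x57:                      # push r32 is 0x50 + reg
        return 1, "push " + REGS32[op - 0x50]
    if 0x58 <= op <= 0x5F:                      # pop r32 is 0x58 + reg
        return 1, "pop " + REGS32[op - 0x58]
    if op == 0xC3:
        return 1, "ret"
    if op == 0xC9:
        return 1, "leave"
    if op in MODRM_OPS and pos + 1 < len(code):
        mnemonic, reg_is_dest = MODRM_OPS[op]
        mod, reg, rm = split_modrm(code[pos + 1])
        if mod == 3:                            # register-direct form only
            dst, src = (reg, rm) if reg_is_dest else (rm, reg)
            return 2, f"{mnemonic} {REGS32[dst]}, {REGS32[src]}"
    if op == 0x83 and pos + 2 < len(code):
        mod, reg, rm = split_modrm(code[pos + 1])
        if mod == 3:
            return 3, f"{GROUP1[reg]} {REGS32[rm]}, 0x{code[pos + 2]:x}"
    return 1, f"db 0x{op:02x}"                  # unknown: emit a raw byte


def disassemble(code):
    """Return a list of (offset, hex_bytes, asm_text) for the whole buffer."""
    listing, pos = [], 0
    while pos < len(code):
        length, text = decode_one(code, pos)
        hex_bytes = " ".join(f"{b:02x}" for b in code[pos:pos + length])
        listing.append((pos, hex_bytes, text))
        pos += length
    return listing


if __name__ == "__main__":
    # Constructed sample: prologue, reserve 16 bytes of locals, epilogue.
    SAMPLE = bytes.fromhex("55 8B EC 83 EC 10 8B E5 5D C3")
    for offset, hex_bytes, text in disassemble(SAMPLE):
        print(f"{offset:04x}  {hex_bytes:<10} {text}")
```

Running it prints the prologue the article describes (`push ebp` / `mov ebp, esp`) and shows why the second byte of `8B EC` matters: 0xEC is binary 11 101 100, so mod = 3 (register-direct), reg = 5 (ebp) and rm = 4 (esp). The same instruction can also be encoded as `89 E5`, which is worth knowing when you grep a dump for a prologue pattern.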
