Analysing shellcode

Very often I need to analyse malware samples or 0-day exploits for which I don't have any prior info, so I generally put breakpoints on the following APIs for dynamic analysis:






Most of the time the shellcode does one of the following:

1. Creates a file

2. Allocates memory using VirtualAlloc and marks it executable using VirtualAlloc/VirtualProtect

3. Creates a new thread

4. Creates a new process


Having a breakpoint on such common APIs helps to quickly locate the shellcode. Another tool I use is Procmon, which gives more details on the activities being performed, and from its output you can select which APIs to put breakpoints on.
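To make the Procmon step concrete, here is a small triage script (an added example, not the author's tooling) that reads a Procmon CSV export, keeps only the events that match the behaviours listed above for the process under analysis, and turns them into the list of APIs worth a breakpoint. The column headers and the operation names "CreateFile", "Thread Create" and "Process Create" are assumed to match what Procmon writes; the log rows, process names, paths and PIDs are constructed for the example. One caveat the script handles: Procmon's CreateFile event also fires for plain opens, so only a disposition other than Open is counted as a file being created.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Process Monitor CSV export
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# Every row is made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","AcroRd32.exe","1234","ReadFile","C:\\samples\\doc.pdf","SUCCESS","Offset: 0, Length: 4,096"
"10:00:02.0000000","AcroRd32.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert"
"10:00:02.5000000","AcroRd32.exe","1234","Thread Create","","SUCCESS","Thread ID: 4321"
"10:00:03.0000000","AcroRd32.exe","1234","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\svc.exe","SUCCESS","PID: 5678, Command line: svc.exe"
"10:00:03.1000000","explorer.exe","800","CreateFile","C:\\Windows\\explorer.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point"
"""

# Procmon operation names (assumed) for the behaviours listed above.
# Memory allocation (VirtualAlloc/VirtualProtect) is not something Procmon
# records, so that one stays a debugger-only breakpoint.
WATCHED = {
    "CreateFile": "file created",
    "Thread Create": "new thread",
    "Process Create": "new process",
}

DISPOSITION = re.compile(r"Disposition: (\w+)")


def is_new_file(detail):
    """CreateFile fires for plain opens too; only a disposition other than
    Open (Create, OpenIf, OverwriteIf, ...) can create a file."""
    m = DISPOSITION.search(detail)
    return m is not None and m.group(1) != "Open"


def triage(csv_text, target_process):
    """Return the watched events for one process, in log order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != target_process.lower():
            continue
        op = row["Operation"]
        if op not in WATCHED:
            continue
        if op == "CreateFile" and not is_new_file(row["Detail"]):
            continue
        hits.append({
            "time": row["Time of Day"],
            "behaviour": WATCHED[op],
            "path": row["Path"],
            "detail": row["Detail"],
        })
    return hits


def breakpoint_plan(hits):
    """Map each observed behaviour to the API to break on in the debugger."""
    api_for = {
        "file created": "CreateFileW / CreateFileA",
        "new thread": "CreateThread / CreateRemoteThread",
        "new process": "CreateProcessW / CreateProcessA / WinExec",
    }
    plan = []
    for h in hits:
        api = api_for[h["behaviour"]]
        if api not in plan:
            plan.append(api)
    return plan


if __name__ == "__main__":
    hits = triage(SAMPLE_CSV, "AcroRd32.exe")
    for h in hits:
        print(f'{h["time"]}  {h["behaviour"]:<13} {h["path"]}')
    print("break on:", ", ".join(breakpoint_plan(hits)))
```

The order of the hits is the order in which the exploit did things, so the first one is usually the best place for the initial breakpoint; everything before it in the log (ReadFile on the document itself, for instance) is the host application doing its normal job.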

Once a breakpoint is hit, you need to trace back and locate the actual vulnerable function that calls the shellcode; after some stepping in and out you will land at the shellcode's starting point.


I also sometimes use static analysis techniques when I am able to extract the shellcode from the file. Once I have extracted it, I just need to run it under a debugger/disassembler to see what it is doing.
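Before loading an extracted blob into the disassembler, a quick static pass tells you where to start reading. The script below is an added example (not the author's tooling): it reports size, null-byte count, entropy and printable strings, and marks the offsets of a few well-known 32-bit x86 prologue patterns (a GetPC `call $+5`, the `fnstenv` GetPC trick, and `mov r32, fs:[0x30]` reads of the PEB used to locate loaded modules). The byte encodings are standard x86; the descriptions are mine, and the sample blob is constructed to exercise the checks and is not a working payload.

```python
import math
import re

# Well-known 32-bit x86 byte sequences that tend to appear at the start of
# Windows shellcode. Encodings are standard x86; the labels are mine.
SIGNATURES = {
    b"\xe8\x00\x00\x00\x00": "call $+5 (GetPC: the following pop recovers the current address)",
    b"\xd9\x74\x24\xf4": "fnstenv [esp-0xc] (GetPC via the saved FPU instruction pointer)",
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[0x30] (reads the PEB to walk loaded modules)",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, fs:[0x30] (reads the PEB to walk loaded modules)",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, fs:[0x30] (reads the PEB to walk loaded modules)",
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def entropy(data):
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_signatures(data):
    """Every offset at which a known marker appears, sorted by offset."""
    found = []
    for pattern, desc in SIGNATURES.items():
        pos = data.find(pattern)
        while pos != -1:
            found.append((pos, desc))
            pos = data.find(pattern, pos + 1)
    return sorted(found)


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes (DLL names, commands, URLs)."""
    return [m.group().decode("ascii")
            for m in PRINTABLE.finditer(data) if len(m.group()) >= min_len]


def triage(data):
    """Summarise a blob so you know where to point the disassembler."""
    report = {
        "size": len(data),
        "null_bytes": data.count(0),
        "entropy": round(entropy(data), 3),
        "signatures": find_signatures(data),
        "strings": printable_strings(data),
        "notes": [],
    }
    if report["signatures"]:
        report["notes"].append("position-independent code markers present; disassemble from the first one")
    if report["entropy"] > 7.0 and not report["strings"]:
        report["notes"].append("high entropy and no strings: probably encoded, expect a decoder loop before the payload")
    if report["null_bytes"] == 0:
        report["notes"].append("no null bytes: consistent with delivery through a C-string copy")
    return report


# Constructed sample: a hand-assembled prologue followed by two strings.
# Not a working payload; the bytes only exist to exercise the checks above.
SAMPLE = (
    b"\xe8\x00\x00\x00\x00"         # call $+5
    + b"\x5b"                       # pop ebx            -> ebx = current address
    + b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[0x30] -> PEB
    + b"\x8b\x40\x0c"               # mov eax, [eax+0xc] -> PEB.Ldr
    + b"\x90" * 4                   # nop padding
    + b"kernel32.dll\x00"
    + b"calc.exe\x00"
)


if __name__ == "__main__":
    rep = triage(SAMPLE)
    for key in ("size", "null_bytes", "entropy", "strings"):
        print(f"{key:<11}{rep[key]}")
    for off, desc in rep["signatures"]:
        print(f"0x{off:04x}  {desc}")
    for note in rep["notes"]:
        print("note:", note)
```

A high-entropy blob with no strings and a signature only at the very start usually means an encoder: step through the decoder loop in the debugger and dump the buffer again once it finishes, then rerun the triage on the decoded bytes.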

There are many techniques by which you can analyse the shellcode in an exploit. I generally use the following URL to convert shellcode into an executable so that I can run it in OllyDbg/IDA and then step into it with ease:

Hope this helps.

