Talk:Shellcode

Major overhaul
I've rewritten the page and added more information about alphanumeric/printable/unicode shellcode. I'd like to see more information on:
 * Shellcode writing for different processors/operating systems/service packs. (I can add a lot about win32 shellcode, but my *nix shellcode is a bit rusty and I've never done anything other than IA32.)
 * Platform spanning shellcode (runs on multiple OSes/processor types).
 * Egghunt shellcode (shellcode consists of small code that scans the process' memory (hunt) for a larger shellcode (egg) that does the actual work. When found, the egg is executed. This is often used when a larger shellcode can be injected but is hard to execute immediately, and a smaller shellcode would be easier to inject and execute as well.)
 * Omelet shellcode (shellcode consists of small code that scans the process' memory for more small pieces of shellcode (eggs) that are combined to form the original shellcode (omelette), which is executed. This can be used when a large shellcode cannot be injected as a whole, but can be injected in multiple smaller parts.)
 * Multi-stage shellcode (shellcode downloads and executes a larger second-stage shellcode; used when the second-stage shellcode itself is too large to be injected immediately.)

- SkyLined (talk) 17:04, 29 February 2008 (UTC)
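A user-space simulation of the egg hunt and omelette techniques listed above, added here as an example (it is not from the article or from any of the posters). "Process memory" is a constructed byte buffer; a real hunter walks the whole address space page by page and has to probe each page for readability (typically with a cheap syscall) before touching it, which is omitted. The tag "w00t", the egg header layout and the "STAGE" strings are assumptions made for this example.

```c
/* Added example: egg hunt and omelette reassembly simulated in plain C.
 * Process memory is a constructed buffer; page-validity probing is omitted.
 * The tag, the header layout and the payload strings are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG      "w00t"              /* assumed 4-byte tag; doubled, it marks an egg */
#define TAG_LEN  4
#define HDR_LEN  (2 * TAG_LEN + 3)   /* tag, tag, index, total, payload length */
#define MEM_LEN  4096

/* Egg header as laid out in memory (layout constructed for this example):
 *   bytes 0..7 : TAG TAG   (doubled so a lone copy of the tag, such as the
 *                           immediate inside the hunter itself, is not a hit)
 *   byte  8    : index of this piece
 *   byte  9    : total number of pieces (1 for a plain egg hunt)
 *   byte  10   : payload length
 *   bytes 11.. : payload */

static uint8_t g_mem[MEM_LEN];       /* the simulated process memory */
static uint8_t g_out[256];           /* where the reassembled shellcode lands */

/* Write one egg at offset off; returns the number of bytes written. */
static size_t put_egg(uint8_t *mem, size_t off, uint8_t idx, uint8_t total,
                      const char *payload, uint8_t len)
{
    memcpy(mem + off, TAG TAG, 2 * TAG_LEN);
    mem[off + 8]  = idx;
    mem[off + 9]  = total;
    mem[off + 10] = len;
    memcpy(mem + off + HDR_LEN, payload, len);
    return HDR_LEN + len;
}

/* Egg hunter: scan mem[start..len) for the doubled tag and return the offset
 * of the first egg header, or (size_t)-1 if there is none.  A plain egg hunt
 * would jump to mem + offset + HDR_LEN at this point. */
size_t find_egg(const uint8_t *mem, size_t len, size_t start)
{
    for (size_t i = start; i + HDR_LEN <= len; i++)
        if (memcmp(mem + i, TAG TAG, 2 * TAG_LEN) == 0)
            return i;
    return (size_t)-1;
}

/* Omelette: find every egg, check that all pieces of one shellcode are there,
 * and copy them in index order into out.  Returns the reassembled length, or 0
 * if a piece is missing, duplicated, or the pieces disagree on the total. */
size_t omelette(const uint8_t *mem, size_t len, uint8_t *out, size_t out_cap)
{
    size_t piece_off[256];
    int    seen[256] = {0};
    int    total = -1;

    for (size_t pos = find_egg(mem, len, 0); pos != (size_t)-1;
         pos = find_egg(mem, len, pos + HDR_LEN + mem[pos + 10])) {
        uint8_t idx = mem[pos + 8], tot = mem[pos + 9];
        if (total == -1)
            total = tot;
        if (tot != total || idx >= tot || seen[idx])
            return 0;                          /* inconsistent set of eggs */
        seen[idx] = 1;
        piece_off[idx] = pos;
    }
    if (total <= 0)
        return 0;

    size_t n = 0;
    for (int i = 0; i < total; i++) {
        if (!seen[i])
            return 0;                          /* this piece never got injected */
        size_t plen = mem[piece_off[i] + 10];
        if (piece_off[i] + HDR_LEN + plen > len || n + plen > out_cap)
            return 0;                          /* egg claims more than is there */
        memcpy(out + n, mem + piece_off[i] + HDR_LEN, plen);
        n += plen;
    }
    return n;
}

/* Constructed "process memory": uppercase filler (which can never contain the
 * tag), three pieces of one shellcode scattered out of order, and one lone
 * copy of the tag as a decoy.  Returns the length reassembled by omelette(). */
size_t demo(void)
{
    memset(g_mem, 'A', MEM_LEN);
    memcpy(g_mem + 100, TAG, TAG_LEN);         /* single tag: must not be a hit */
    put_egg(g_mem,  700, 2, 3, "STAGE2",  6);
    put_egg(g_mem, 1900, 0, 3, "STAGE0:", 7);
    put_egg(g_mem, 3100, 1, 3, "STAGE1:", 7);
    return omelette(g_mem, MEM_LEN, g_out, sizeof g_out);
}

int main(void)
{
    size_t n = demo();
    printf("first egg at offset %zu, reassembled %zu bytes: %.*s\n",
           find_egg(g_mem, MEM_LEN, 0), n, (int)n, (const char *)g_out);
    return n == 0;
}
```

The decoy at offset 100 is why real hunters double the tag: the hunter's own code necessarily contains one copy of it as an immediate, and a single-tag search would find itself first. The omelette variant only needs the extra index/total bytes per egg and a second pass to copy the pieces in order.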

Review
An assessment was requested over at WikiProject Computing/Assessment. I've given this article a B rating. Comprehensible, interesting, reasonably complete (adding more detail would risk WP:HOWTO infraction) and reasonably well-referenced treatment. Further improvements would include more work on references and reworking some of the prose to eliminate a few unnecessary headings. I'd also like to see discussion of Data Execution Prevention and other modern countermeasures. Congratulations! --Kvng (talk) 15:51, 30 September 2010 (UTC)

This article triggers Antivirus itself!
I noticed that loading the Shellcode page caused my antivirus program (ESET NOD antivirus) to trigger (JS/exploit.Shellcode.A.gen trojan), probably because of a detection mechanism that can't differentiate between displayed and running code. It intercepts the page loading, so I can't see what it reacts to. Perhaps the page can be rewritten so it doesn't contain literal examples of shellcode? Mumiemonstret (talk) 21:12, 11 October 2010 (UTC)
 * ESET NOD is apparently (over-) reacting to the presence of the character "邐" ( also known as unicode character 9090 as listed on http://en.wikibooks.org/wiki/Unicode/Character_reference/9000-9FFF ), URL-encoded, or encoded as a javascript escape sequence or a html character entity. That's a pretty far cry from a shellcode. It's only relevant to shellcodes in that the character's UTF-16 representation happens to match a 2-byte sequence frequently used as part of a NOP slide, which many shellcodes rely on. It's clearly a false positive, and the article shouldn't need to dance around ESET NOD to avoid its flagging. Also note that ESET NOD is the only AV on VirusTotal to flag this page. 209.131.62.115 (talk) 10:37, 1 November 2010 (UTC)

End game
According to a recent PPT presentation given by T. H., a virus-analyst working at F-Secure of Finland: Windows 7 is immune to shellcode exploitation, which would have stopped the famous EMC-RSA hack attack, had that company migrated its vulnerable WinXP and Vista desktops to Win7 before the spring of 2011. 82.131.210.163 (talk) 12:15, 7 February 2012 (UTC)
 * Not sure what you mean by "shellcode exploitation", but works just fine on Windows 7.     — SkyLined (talk) 16:49, 7 February 2012 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 8 external links on Shellcode. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20100123014637/http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/ to http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/
 * Added archive https://web.archive.org/web/20090323030636/http://skypher.com/wiki/index.php?title=Shellcode%2Fw32_SEH_omelet_shellcode to http://skypher.com/wiki/index.php?title=Shellcode%2Fw32_SEH_omelet_shellcode
 * Added archive https://web.archive.org/web/20120109070051/http://goodfellas.shellcode.com.ar/docz/bof/Writing_shellcode.html to http://goodfellas.shellcode.com.ar/docz/bof/Writing_shellcode.html
 * Added archive https://web.archive.org/web/20080302111910/http://www.metasploit.com/shellcode/ to http://www.metasploit.com/shellcode/
 * Added archive https://web.archive.org/web/20060619025456/http://www.linux-secure.com/endymion/shellcodes/ to http://www.linux-secure.com/endymion/shellcodes/
 * Added archive https://web.archive.org/web/20061112203748/http://www.milw0rm.com/papers/11 to http://www.milw0rm.com/papers/11
 * Added archive https://web.archive.org/web/20061115040739/http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf to http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf
 * Added archive https://archive.is/20130219020328/http://libemu.carnivore.it/ to http://libemu.carnivore.it/

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.— InternetArchiveBot  (Report bug) 16:30, 9 December 2017 (UTC)

Socket re-using shellcode is more elaborate…
It depends on the specific piece of software to which the shellcode is to be applied. Many “classical” network services (such as the ones running from inetd.conf) serve one client session per process and already have STDIN/STDOUT facing the client’s side. No special manipulation of file descriptors is necessary. Incnis Mrsi (talk) 14:14, 4 August 2019 (UTC)
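The file-descriptor wiring the comment above says is unnecessary under inetd, shown as an added example in C (mine, not the poster's or the article's): a socketpair stands in for the network connection, the "victim" child redirects fds 0/1/2 onto its end of it before exec'ing /bin/sh, and the "attacker" side sends a command and reads the shell's output back over the same socket. /bin/sh is assumed to exist. Under an inetd-style service the shell's stdin/stdout already are the client socket, so the dup2 loop in wire_stdio_to_socket() is exactly the part a shellcode can skip.

```c
/* Added example: dup2 wiring done by a connect-back / socket-reusing
 * shellcode before exec'ing a shell, demonstrated with a socketpair standing
 * in for the network connection.  /bin/sh is assumed to be present. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static char g_reply[256];            /* what the "attacker" end receives */

/* Point stdin, stdout and stderr at sock (the dup2 loop of a shellcode that
 * has a socket in hand), then drop the now-redundant original descriptor. */
int wire_stdio_to_socket(int sock)
{
    for (int fd = 0; fd <= 2; fd++)
        if (dup2(sock, fd) == -1)
            return -1;
    if (sock > 2)
        close(sock);
    return 0;
}

/* Demonstration: fork a "victim" whose stdio is wired to one end of a socket
 * pair and which then execs a shell that knows nothing about sockets; the
 * other end sends a command and reads the shell's output back over the socket.
 * Returns the number of bytes received (0 on immediate EOF), or -1 on error. */
ssize_t demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1)
        return -1;

    if (pid == 0) {                                  /* victim side */
        close(sv[0]);
        if (wire_stdio_to_socket(sv[1]) == -1)
            _exit(1);
        execl("/bin/sh", "sh", (char *)NULL);        /* reads commands from fd 0 */
        _exit(127);
    }

    close(sv[1]);                                    /* attacker side */
    const char *cmd = "echo hello\n";
    if (write(sv[0], cmd, strlen(cmd)) != (ssize_t)strlen(cmd)) {
        close(sv[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    shutdown(sv[0], SHUT_WR);                        /* EOF on the shell's stdin */

    size_t n = 0;
    for (;;) {
        ssize_t r = read(sv[0], g_reply + n, sizeof g_reply - 1 - n);
        if (r <= 0)
            break;
        n += (size_t)r;
        if (n == sizeof g_reply - 1)
            break;
    }
    g_reply[n] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)n;
}

int main(void)
{
    ssize_t n = demo();
    printf("received %zd bytes: %s", n, g_reply);
    return n <= 0;
}
```

Because stderr is redirected too, anything the shell writes to fd 2 (error messages included) also travels back to the attacker end; shellcode that omits the third dup2 leaves those on the service's original stderr instead.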

Grammatical countability
It can be either "shellcode" (uncountable noun) or "a shellcode" (countable) — unlike, say, "software", where native English speakers do not use the countable "softwares". The article doesn't really make this clear. See Wiktionary. Equinox ◑ 13:31, 17 December 2023 (UTC)
 * Do you want anything done about this? It looks like you're making a remark and not suggesting a change or asking a question, which is what normally happens on the talk page. — SkyLined (talk) 14:33, 17 December 2023 (UTC)


 * Well, we could start the article with "In hacking, shellcode or a shellcode is..." (to show both forms) but I don't know how long that change would last. Compare what is done with variant spellings in some articles though. Equinox ◑ 18:52, 18 December 2023 (UTC)
 * I don't immediately see much use in that; I think this is something a dictionary should explain, but I see no need to explain it on Wikipedia. For example, I wouldn't start the page about beer with "beer or a beer is..." But then I have been working on shellcode for decades myself, so maybe this is tribal knowledge that I assume is obvious but that warrants explaining for most. Maybe others can provide their opinion? — SkyLined (talk) 23:00, 18 December 2023 (UTC)