Inspect and display files in different formats
Description
The output module converts binary data, such as shellcode, into human-readable output.
You can use different styles:
Command
shencode core output [-h] [-i INPUT] [-s {c,casm,cs,ps1,py,hex,inspect}] [-b INT] [-d] [-l] [-n] [-o OUTPUT]
options:
-h, --help show this help message and exit
-i, --input Input file for formatted output
-s, --syntax formatting the shellcode in C, Casm, C#, Powershell, python or hex
additional:
-b, --bytes-per-row Define how many bytes per row will be displayed
-d, --decimal Output decimal offsets instead of hex
-l, --lines adds a line numbering after each 8 bytes
-n, --no-line-break no line break during output
-o, --output save output to file
Inspect
If you want to analyze a shellcode, use the --syntax inspect option. This displays 16 bytes per line with additional offsets. You can adjust the output with --bytes-per-row and --decimal, which are described further down.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000: 55 48 e2 80 b0 c3 a5 48 c6 92 c3 ac 40 48 31 c3
00000010: 80 48 e2 80 b0 45 c3 b8 48 e2 80 b0 45 c3 b0 48
00000020: e2 80 b0 45 c3 a8 48 e2 80 b0 45 c3 a0 48 e2 80
00000030: b0 45 c3 98 48 e2 80 b0 45 c3 90 48 e2 80 b0 45
Language outputs
C / C++
The well-known C / C++ output.
--syntax c
"\x55\x48\x89\xe5\x48\x83\xec\x40\x48\x31\xc0\x48\x89\x45\xf8\x48"
"\x89\x45\xf0\x48\x89\x45\xe8\x48";
C-ASM
If you want to inject code with inline assembly in C, you need this special output.
--syntax casm
".byte 0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40,0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48\n\t"
".byte 0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48"
C#
This is the C# output format.
--syntax cs
0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40,0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48
0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48
PowerShell
This generates a PowerShell byte array.
--syntax ps1
0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40,0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48
0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48
Python
If you want to work with a Python byte array, here you are!
--syntax py
buf += b'\x55\x48\x89\xe5\x48\x83\xec\x40\x48\x31\xc0\x48'
Hex
Text-based outputs in hex.
--syntax hex
554889e54883ec404831c0488945f8488945f0488945e848
Additional outputs
Bytes per row
--bytes-per-row defines how many bytes per row will be displayed. The default value is 16.
Decimal
In combination with -l or -s inspect, you can define decimal offset values:
// Instead of this
00000000:0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40
00000008:0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48
00000010:0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48
// you will get that
00000000:0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40
00000008:0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48
00000016:0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48
Lines
You can add file offsets to your output for better readability and analysis with --lines --syntax c:
[*] processing shellcode format...
0x00000000: "\x55\x48\x89\xe5\x48\x83\xec\x40\x48\x31\xc0\x48\x89\x45\xf8\x48"
0x00000010: "\x89\x45\xf0\x48\x89\x45\xe8\x48";
[+] DONE!
No line break
Disable line breaks with the --no-line-break argument.
Output
Save the output to a file with --output filename.txt
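When the same blob turns up in different styles (a C string in one sample, a PowerShell array in another), it helps to reverse the formats above back to raw bytes and compare hashes. The following is an added example, not part of ShenCode: to_bytes, fingerprint and SAMPLES are names chosen here, and the sample strings are copied from the sections on this page.

```python
import hashlib
import re

# Added example: to_bytes/fingerprint are names chosen here, not ShenCode functions.
# Offset prefixes added by --lines / --decimal, e.g. "0x00000010: " or "00000016:"
OFFSET = re.compile(r"^\s*(?:0x)?[0-9A-Fa-f]{8}:\s*", re.M)
# One byte written as \x55 (c, py) or 0x55 (casm, cs, ps1)
TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})|0x([0-9A-Fa-f]{2})")


def to_bytes(text: str) -> bytes:
    """Recover the raw bytes from any text style shown on this page."""
    body = OFFSET.sub("", text)
    tokens = TOKEN.findall(body)
    if tokens:
        return bytes(int(a or b, 16) for a, b in tokens)
    compact = "".join(body.split())  # plain hex: drop whitespace and line breaks
    if len(compact) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", compact):
        return bytes.fromhex(compact)
    raise ValueError("no recognised byte encoding in input")


def fingerprint(text: str) -> str:
    """SHA-256 of the decoded bytes: identical for one blob in every style."""
    return hashlib.sha256(to_bytes(text)).hexdigest()


# Sample strings copied from the sections above (the same 24 bytes each time).
SAMPLES = {
    "c": r'''"\x55\x48\x89\xe5\x48\x83\xec\x40\x48\x31\xc0\x48\x89\x45\xf8\x48"
"\x89\x45\xf0\x48\x89\x45\xe8\x48";''',
    "casm": r'''".byte 0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40,0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48\n\t"
".byte 0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48"''',
    "hex": "554889e54883ec404831c0488945f8488945f0488945e848",
    "lines": r'''[*] processing shellcode format...
0x00000000: "\x55\x48\x89\xe5\x48\x83\xec\x40\x48\x31\xc0\x48\x89\x45\xf8\x48"
0x00000010: "\x89\x45\xf0\x48\x89\x45\xe8\x48";
[+] DONE!''',
    "decimal": """00000000:0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x40
00000008:0x48,0x31,0xc0,0x48,0x89,0x45,0xf8,0x48
00000016:0x89,0x45,0xf0,0x48,0x89,0x45,0xe8,0x48""",
}

if __name__ == "__main__":
    for style, text in SAMPLES.items():
        print(f"{style:8}{len(to_bytes(text)):3} bytes  sha256={fingerprint(text)[:16]}")
```

Offset prefixes are stripped before tokenising, because otherwise the leading 0x00 of an offset such as 0x00000010: would be read as a data byte.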