I need to build a shellcode without the 0x0f
byte, the problem is that syscall
and sysenter
instructions have 0x0f
in their code machine. Are there any instruction that I can use to call execve
?
After some work here, I find one solution. The idea behind was to construct a shellcode that has the capability to change himself, modify some bytes of machine code before they execute.
So what I did was to load rip
into a register and put some bytes after. Then I change those bytes to \x0f\x05
and in this way, I finally executed my shellcode. I could have use a RIP-relative store instead of a RIP-relative LEA, after getting the desired bytes into a register (with mov + xor or shift, or various other ways.)