assemblyx86-64shellcode

How to use a syscall in a shellcode without use `syscall` or `sysenter` for Linux x86-64, avoiding 0x0F bytes?


I need to build a shellcode without the 0x0f byte, the problem is that syscall and sysenter instructions have 0x0f in their code machine. Are there any instruction that I can use to call execve?


Solution

  • After some work here, I find one solution. The idea behind was to construct a shellcode that has the capability to change himself, modify some bytes of machine code before they execute.

    So what I did was to load rip into a register and put some bytes after. Then I change those bytes to \x0f\x05 and in this way, I finally executed my shellcode. I could have use a RIP-relative store instead of a RIP-relative LEA, after getting the desired bytes into a register (with mov + xor or shift, or various other ways.)