This program allows you to build raw binary shellcode for Linux from C.
$ make  # build shellcode runners (scrun-*)
$ vim hello.c
void main() {
    // write shellcode with C
    sys_write(1, "hello\n", 6);
    sys__exit(0);
}
$ cshc -o /tmp/hello_x86 hello.c
$ scrun-x86 /tmp/hello_x86
hello
$ cshc -a x86_64 -o /tmp/hello_x86_64 hello.c
$ scrun-x86_64 /tmp/hello_x86_64
hello
$ cshc -a armel -o /tmp/hello_armel hello.c
$ scrun-armel /tmp/hello_armel  # needs QEMU
hello
$ cshc -a aarch64 -o /tmp/hello_aarch64 hello.c
$ scrun-aarch64 /tmp/hello_aarch64  # needs QEMU
hello
>>> import cshc
>>> cshc.VERSION
'0.1.0'
>>> cshc.archlist()
['aarch64', 'x86_64', 'armel', 'x86']
# Compile string
>>> cshc.arch("x86").compile('int main() { const char *a[] = {"/bin/sh", 0}; sys_execve(*a, a, 0); }')
'VS\xe89\x00\x00\x00\x81 ...' #shellcode
# Compile file
>>> cshc.arch("x86").compile_file("examples/shellcode.c")
- cshc does not link the standard libraries into your shellcode, so you cannot call libc functions from the code. You can still use macros defined in libc headers.
- cshc includes linux-syscall-support implicitly, so system calls are made through its sys_* wrappers (sys_write, sys_execve, ...).
- An errno generated by linux-syscall-support is stored in the _errno variable.
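As an added example (not part of cshc or its examples), a shellcode source that copies a file to stdout through the sys_* wrappers only and reports failures via _errno; it assumes cshc makes linux-syscall-support's SYS_LINUX_SYSCALL_SUPPORT_H guard visible and declares _errno as an int, and provides libc-backed stand-ins so the same file also builds with a plain C compiler for testing:

```c
/* Build as shellcode: cshc -a x86_64 -o /tmp/cat_x86_64 cat.c && scrun-x86_64 /tmp/cat_x86_64
 * Under cshc, linux-syscall-support is included implicitly, so sys_* are the raw
 * syscall wrappers and _errno is the error variable described above.
 * Assumption: LSS's header guard SYS_LINUX_SYSCALL_SUPPORT_H is defined in that
 * build, so the stand-ins below are only compiled for a plain gcc/cc build. */
#include <fcntl.h>                       /* O_RDONLY: libc header macros are allowed */
#ifdef SYS_LINUX_SYSCALL_SUPPORT_H
extern int _errno;                       /* assumed declaration of cshc's _errno */
#else
#include <errno.h>
#include <unistd.h>
int _errno;                              /* stand-in for cshc's _errno */
static int  sys_open(const char *p, int f, int m) { int r = open(p, f, m); if (r < 0) _errno = errno; return r; }
static long sys_read(int fd, void *b, unsigned long n) { long r = read(fd, b, n); if (r < 0) _errno = errno; return r; }
static long sys_write(int fd, const void *b, unsigned long n) { long r = write(fd, b, n); if (r < 0) _errno = errno; return r; }
static int  sys_close(int fd) { return close(fd); }
static void sys__exit(int s) { _exit(s); }
#endif

/* Copy the contents of `path` to stdout using system calls only (no libc).
 * Returns the number of bytes copied, or -1 with the reason left in _errno. */
long cat_file(const char *path) {
    char buf[256];                       /* stack buffer: no malloc in shellcode */
    long total = 0, n;
    int fd = sys_open(path, O_RDONLY, 0);
    if (fd < 0)
        return -1;                       /* _errno already holds e.g. ENOENT */
    while ((n = sys_read(fd, buf, sizeof buf)) > 0) {
        long off = 0;
        while (off < n) {                /* short writes are legal: loop until done */
            long w = sys_write(1, buf + off, (unsigned long)(n - off));
            if (w < 0) { sys_close(fd); return -1; }
            off += w;
        }
        total += n;
    }
    sys_close(fd);
    return n < 0 ? -1 : total;
}

int main(void) {
    long n = cat_file("/etc/hostname");  /* constructed sample input path */
    sys__exit(n < 0 ? 1 : 0);            /* exit status carries the failure */
    return 0;
}
```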
- (armel/aarch64) invalidate instruction cache after relocation
- libc
- ARM floating point support
- 32-bit PowerPC support
- MIPS o32 ABI support
- MIPS n32 ABI support
- MIPS n64 ABI support
- expose symbols of injectee to shellcode
- optimize output code
- shared object loading
- ARM OABI support
- 64-bit PowerPC support
- Windows support