# Shellcode

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Shellcode
> Markdown URL: https://mediated.wiki/source/Shellcode.md
> Source: https://en.wikipedia.org/wiki/Shellcode
> Source revision: 1355880201
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Code intended as a payload to exploit a software vulnerability

This article includes a list of references, related reading, or external links, but its sources remain unclear because it lacks inline citations. Please help improve this article by introducing more precise citations. (July 2025) (Learn how and when to remove this message)

"Shell code" redirects here. For code written in a shell's command language, see [Shell script](/source/Shell_script).

"Alphanumeric executable" redirects here. For executable code presented in hexadecimal format, see [Hex file (disambiguation)](/source/Hex_file_(disambiguation)).

**Shellcode** is [executable code](/source/Executable_code) intended to be used as a [payload](/source/Payload_(computing)) for [exploiting](/source/Exploit_(computer_security)) a [software](/source/Software) [vulnerability](/source/Vulnerability_(computing)). The term includes *shell* because the attack originally described an attack that opens a [command shell](/source/Shell_(computing)) that the attacker can use to control the target machine, but any code that is injected to gain access that is otherwise not allowed can be called shellcode. For this reason, some consider the name *shellcode* to be inaccurate.[1]

An attack commonly injects [data](/source/Data) that consists of executable code into a [process](/source/Process_(computing)) before or as it exploits a vulnerability to gain control. The [program counter](/source/Program_counter) is set to the shellcode [entry point](/source/Entry_point) so that the shellcode runs. Deploying shellcode is often accomplished by including the code in a file that a vulnerable process downloads and then loads into its memory.

Common wisdom dictates that to maximize effectiveness, a shellcode payload should be small.[2] [Machine code](/source/Machine_code) provides the flexibility needed to accomplish the goal. Shellcode [authors](/source/Hacker) leverage small opcodes to create compact shellcode.[3][4]

## Types

**Local**

A local shellcode attack allows an attacker to gain elevated access privilege on their computer. In some cases, exploiting a vulnerability can be achieved by causing an error such as [buffer overflow](/source/Buffer_overflow). If successful, the shellcode enables access to the machine via the elevated privileges granted to the targeted process.

**Remote**

A remote shellcode attack targets a process running on a remote machine – on the same [local area network](/source/Local_area_network), [intranet](/source/Intranet), or on the [internet](/source/Internet). If successful, the shellcode provides access to the target machine across the network. The shellcode normally opens a [TCP/IP](/source/Internet_protocol_suite) [socket](/source/Stream_socket) connection to allow access to a shell on the target machine.

A remote shellcode attack can be categorized by its behavior. If the shellcode establishes the connection it is called a *reverse shell*, or a *connect-back* shellcode. On the other hand, if the attacker establishes the connection, the shellcode is called a *bindshell* because the shellcode *binds* to a certain port on the victim's machine. A *bindshell random port* skips the binding part and listens on a random port.[a] A *socket-reuse* shellcode is an exploit that establishes a connection to the vulnerable process that is not closed before the shellcode runs so that the shellcode can re-use the connection to allow remote access. Socket re-using shellcode is more elaborate, since the shellcode needs to find out which connection to re-use and the machine may have many open connections.[5]

A [firewall](/source/Firewall_(computer)) can detect outgoing connections made by connect-back shellcode as well as incoming connections made by bindshells, and therefore, offers some protection against an attack. Even if the system is vulnerable, a firewall can prevent the attacker from connecting to the shell created by the shellcode. One reason why socket re-using shellcode is used is that it does not create new connections and, therefore, is harder to detect and block.

**Download and execute**

A download and execute shellcode attack [downloads](/source/Downloads) and [executes](/source/Execution_(computers)) [malware](/source/Malware) on the target system. This type of shellcode does not spawn a shell, but rather instructs the machine to download a certain executable file from the network and execute it. Nowadays, it is commonly used in [drive-by download](/source/Drive-by_download) attacks, where a victim visits a malicious webpage that in turn attempts to run such a download and execute shellcode in order to install software on the victim's machine.

A variation of this attack downloads and [loads](/source/Dynamic_loading) a [library](/source/Library_(computing)).[6][7] Advantages of this technique are that the code can be smaller, that it does not require the shellcode to spawn a new process on the target system, and that the shellcode does not need code to clean up the targeted process as this can be done by the library loaded into the process.

**Staged**

When the amount of data that an attacker can inject into the target process is too limited to achieve the desired effect, it may be possible to deploy shellcode in stages that progressively provide more access. The first stage might do nothing more than download the second stage than then provides the desired access.

**Egg-hunt**

An egg-hunt shellcode attack is a staged attack in which the attacker can inject shellcode into a process but does not know where in the process it is. A second-stage shellcode, generally smaller than the first, is injected into the process to search the process's address space for the first shellcode (the *egg*) and executes it.[8]

**Omelet**

An omelet shellcode attack, similar to egg-hunt, looks for multiple small blocks of data (*eggs*) and combines them into a larger block (*omelet*) that is then executed. This is used when an attacker is limited on the size of injected code but can inject multiple.[9]

## Encoding

Shellcode is often written in order to work around the restrictions on the data that a process will allow. General techniques include:

**Optimize for size**

Optimize the code to decrease its size.

**Self-modifying code**

[Modify its own code](/source/Self-modifying_code) before executing it to use byte values that are otherwise restricted.

**Encryption**

To avoid [intrusion detection](/source/Intrusion_detection), encode as self-decrypting or [polymorphic](/source/Polymorphic_code).

**Character encoding**

An attack that targets a browser might obfuscate shellcode in a [JavaScript](/source/JavaScript) string using an expanded character encoding.[10] For example, on the [IA-32](/source/IA-32) architecture, here's two unencoded no-operation instructions (used in a [NOP slide](/source/NOP_slide)):

90             NOP
90             NOP

As encoded:

- [Percent encoded](/source/Percent-encoding): unescape("%u9090")

- [Unicode](/source/Unicode) literal: \u9090

- [HTML/XML character reference](/source/Character_encodings_in_HTML) : &#x9090; or &#37008;

**Null-free**

Shellcode must be written without zero-value bytes when it is intended to be injected into a [null-terminated string](/source/Null-terminated_string) that is copied in the target process via the usual algorithm (i.e. [strcpy](/source/Strcpy)) of ending the copy at the first zero byte – called the [null character](/source/Null_character) in common [character sets](/source/Character_set). If the shellcode contained a null, the copy would be truncated and not function properly. To produce null-free code from code that contains nulls, one can replace machine instructions that contain zeroes with instructions that don't. For example, on the [IA-32](/source/IA-32) architecture the instruction to set register EAX to 1 contains zeroes as part of the literal (1 expands to 0x00000001).

B8 01000000    [MOV](/source/MOV_(x86_instruction)) EAX,1

The following instructions accomplish the same goal (EAX containing 1) without embedded zero bytes by first setting EAX to 0, then incrementing EAX to 1:

33C0           [XOR](https://en.wikipedia.org/w/index.php?title=XOR_(x86_instruction)&action=edit&redlink=1) EAX,EAX
40             [INC](https://en.wikipedia.org/w/index.php?title=INC_(x86_instruction)&action=edit&redlink=1) EAX

**Text**

An alphanumeric shellcode consists of only [alphanumeric](/source/Alphanumeric) characters (0–9, A–Z and a–z).[11][12] This type of encoding was created by [hackers](/source/Hacker_(computer_security)) to obfuscate machine code inside what appears to be [plain text](/source/Plain_text). This can be useful to avoid detection of the code—to allow the code to pass through filters that scrub non-alphanumeric characters from strings.[b] A similar type of encoding is called *printable code* and uses all [printable](/source/Control_character) characters (alphanumeric plus symbols like !@#%^&*). A similarly restricted variant is *ECHOable code* not containing any characters which are not accepted by the [ECHO](/source/ECHO_(command)) command. It has been shown that it is possible to create shellcode that looks like normal text in English.[13] Writing such shellcode requires in-depth understanding of the [instruction set architecture](/source/Instruction_set_architecture) of the target machines. It has been demonstrated that it is possible to write alphanumeric code that is executable on more than one machine,[14] thereby constituting [multi-architecture executable](/source/Multi-architecture_executable) code.

A work-around was published by Rix in [Phrack](/source/Phrack) 57[11] in which he shows that it is possible to turn any code into alphanumeric code. Often, self-modifying code is leveraged because it allows the code to have byte values that otherwise are not allowed by replacing coded values at runtime. A self-modifying decoder can be created that initially uses only allowed bytes. The main code of the shellcode is encoded, also only using bytes in the allowed range. When the output shellcode is run, the decoder modifies its code to use instructions it requires and then decodes the original shellcode. After decoding the shellcode, the decoder transfers control to it. It has been shown that it is possible to create arbitrarily complex shellcode that looks like normal English text.[13]

Modern software uses [Unicode](/source/Unicode) to support [Internationalization and localization](/source/Internationalization_and_localization). Often, input [ASCII](/source/ASCII) text is converted to Unicode before processing. When an ASCII ([Latin-1](/source/Latin-1) in general) character is transformed to UTF-16 (16-bit Unicode), a zero byte is inserted after each byte (character) of the original text. Obscou proved in [Phrack](/source/Phrack) 61[12] that it is possible to write shellcode that can run successfully after this transformation. Programs that can automatically encode any shellcode into alphanumeric UTF-16-proof shellcode exist, based on the same principle of a small self-modifying decoder that decodes the original shellcode.

## Compatibility

Generally, shellcode is deployed as machine code since it affords relatively unprotected access to the target process. Since machine code is compatible within a relatively narrow computing context ([processor](/source/Central_processing_unit), [operating system](/source/Operating_system) and so on), a shellcode fragment has limited [compatibility](/source/Compatibility_(computing)). Also, since a shellcode attack tends to work best when the code is small and targeting multiple exploits increases the size, typically the code targets only one exploit. None the less, a single shellcode fragment can work for multiple contexts and exploits.[15][16][17] Versatility can be achieved by creating a single fragment that contains an implementation for multiple contexts. Common code branches to the implementation for the runtime context.

## Analysis

As shellcode is generally not executable on its own, in order to study what it does, it is typically loaded into a special process. A common technique is to write a small [C](/source/C_(programming_language)) program that contains the shellcode as data (i.e. in a byte buffer), and transfers control to the instructions encoded in the data [function pointer](/source/Function_pointer) or inline [assembly code](/source/Assembly_code)). Another technique is to use an online tool, such as shellcode_2_exe, to embed the shellcode into a pre-made executable husk which can then be analyzed in a standard debugger. Specialized shellcode analysis tools also exist, such as the iDefense sclog project (originally released in 2005 in the Malcode Analyst Pack). Sclog is designed to load external shellcode files and execute them within an API logging framework. Emulation-based shellcode analysis tools also exist such as the sctest application which is part of the cross-platform libemu package. Another emulation-based shellcode analysis tool, built around the libemu library, is scdbg which includes a basic debug shell and integrated reporting features.

## See also

- [Computer security](/source/Computer_security) – Protection of computer systems from information disclosure, theft or damage

- [Heap overflow](/source/Heap_overflow) – Software anomaly

- [Metasploit Project](/source/Metasploit_Project) – Computer security testing toolPages displaying short descriptions of redirect targets

- [Shell shoveling](/source/Shell_shoveling) – Computer network security concept

- [Stack buffer overflow](/source/Stack_buffer_overflow) – Software anomaly

## Notes

1. **[^](#cite_ref-5)** The *[bindshell random port](https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm)* is the smallest stable bindshell shellcode for [x86_64](/source/X86-64) available to date.

1. **[^](#cite_ref-14)** in part, such filters were a response to non-alphanumeric shellcode exploits

## References

1. **[^](#cite_ref-1)** Foster, James C.; Price, Mike (2005-04-12). [*Sockets, Shellcode, Porting, & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals*](https://books.google.com/books?id=ZNI5dvBSfZoC). Elsevier Science & Technology Books. [ISBN](/source/ISBN_(identifier)) [1-59749-005-9](https://en.wikipedia.org/wiki/Special:BookSources/1-59749-005-9).

1. **[^](#cite_ref-anley_koziol_2007_2-0)** Anley, Chris; Koziol, Jack (2007). [*The shellcoder's handbook: discovering and exploiting security holes*](https://archive.org/details/Wiley.The.Shellcoders.Handbook.2nd.Edition.Aug.2007/) (2 ed.). Indianapolis, Indiana, UA: Wiley. [ISBN](/source/ISBN_(identifier)) [978-0-470-19882-7](https://en.wikipedia.org/wiki/Special:BookSources/978-0-470-19882-7). [OCLC](/source/OCLC_(identifier)) [173682537](https://search.worldcat.org/oclc/173682537).

1. **[^](#cite_ref-3)** Foster, James C. (2005). *Buffer overflow attacks: detect, exploit, prevent*. Rockland, MA, USA: Syngress. [ISBN](/source/ISBN_(identifier)) [1-59749-022-9](https://en.wikipedia.org/wiki/Special:BookSources/1-59749-022-9). [OCLC](/source/OCLC_(identifier)) [57566682](https://search.worldcat.org/oclc/57566682).

1. **[^](#cite_ref-4)** ["Tiny Execve sh - Assembly Language - Linux/x86"](https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm). *GitHub*. Retrieved 2021-02-01.

1. **[^](#cite_ref-6)** BHA (2013-06-06). ["Shellcode/Socket-reuse"](http://www.blackhatlibrary.net/Shellcode/Socket-reuse). Retrieved 2013-06-07.

1. **[^](#cite_ref-7)** SkyLined (2010-01-11). ["Download and LoadLibrary shellcode released"](https://web.archive.org/web/20100123014637/http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/). Archived from [the original](http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/) on 2010-01-23. Retrieved 2010-01-19.

1. **[^](#cite_ref-8)** ["Download and LoadLibrary shellcode for x86 Windows"](https://code.google.com/p/w32-dl-loadlib-shellcode/). 2010-01-11. Retrieved 2010-01-19.

1. **[^](#cite_ref-9)** Skape (2004-03-09). ["Safely Searching Process Virtual Address Space"](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) (PDF). nologin. Retrieved 2009-03-19.

1. **[^](#cite_ref-10)** SkyLined (2009-03-16). ["w32 SEH omelet shellcode"](https://web.archive.org/web/20090323030636/http://skypher.com/wiki/index.php?title=Shellcode%2Fw32_SEH_omelet_shellcode). Skypher.com. Archived from [the original](http://skypher.com/wiki/index.php?title=Shellcode/w32_SEH_omelet_shellcode) on 2009-03-23. Retrieved 2009-03-19.

1. **[^](#cite_ref-11)** ["JavaScript large number of unescape patterns detected"](https://web.archive.org/web/20150403203325/http://www.iss.net/security_center/reference/vuln/JavaScript_Large_Unescape.htm). Archived from [the original](http://www.iss.net/security_center/reference/vuln/JavaScript_Large_Unescape.htm) on 2015-04-03.

1. ^ [***a***](#cite_ref-Rix_2001_12-0) [***b***](#cite_ref-Rix_2001_12-1) rix (2001-08-11). ["Writing ia32 alphanumeric shellcodes"](http://www.phrack.org/issues/57/15). *Phrack*. **0x0b** (57). Phrack Inc. #0x0f of 0x12. [Archived](https://web.archive.org/web/20220308045645/http://phrack.org/issues/57/15.html#article) from the original on 2022-03-08. Retrieved 2022-05-26.

1. ^ [***a***](#cite_ref-Obscou_2003_13-0) [***b***](#cite_ref-Obscou_2003_13-1) obscou (2003-08-13). ["Building IA32 'Unicode-Proof' Shellcodes"](http://www.phrack.org/issues/61/11). *Phrack*. **11** (61). Phrack Inc. #0x0b of 0x0f. [Archived](https://web.archive.org/web/20220526165740/http://phrack.org/issues/61/11.html#article) from the original on 2022-05-26. Retrieved 2008-02-29.

1. ^ [***a***](#cite_ref-Mason-Small-Monrose-MacManus_2009_15-0) [***b***](#cite_ref-Mason-Small-Monrose-MacManus_2009_15-1) Mason, Joshua; Small, Sam; Monrose, Fabian; MacManus, Greg (November 2009). [*English Shellcode*](http://www.cs.jhu.edu/~sam/ccs243-mason.pdf) (PDF). Proceedings of the 16th ACM conference on Computer and Communications Security. New York, NY, USA. pp. 524–533. [Archived](https://web.archive.org/web/20220526164459/https://www.cs.jhu.edu/~sam/ccs243-mason.pdf) (PDF) from the original on 2022-05-26. Retrieved 2010-01-10. (10 pages)

1. **[^](#cite_ref-16)** ["Multi-architecture (x86) and 64-bit alphanumeric shellcode explained"](https://web.archive.org/web/20120621124443/http://www.blackhatlibrary.net/Alphanumeric_shellcode). Blackhat Academy. Archived from [the original](http://www.blackhatlibrary.net/Alphanumeric_shellcode) on 2012-06-21.

1. **[^](#cite_ref-Eugene_2001_17-0)** eugene (2001-08-11). ["Architecture Spanning Shellcode"](http://www.phrack.org/issues/57/14). *Phrack*. Phrack Inc. #0x0e of 0x12. [Archived](https://web.archive.org/web/20211109173710/http://phrack.org/issues/57/14.html#article) from the original on 2021-11-09. Retrieved 2008-02-29.

1. **[^](#cite_ref-Nemo_2005_18-0)** nemo (2005-11-13). ["OSX - Multi arch shellcode"](https://seclists.org/fulldisclosure/2005/Nov/387). *[Full disclosure](/source/Full_disclosure_(mailing_list))*. [Archived](https://web.archive.org/web/20220526191616/https://seclists.org/fulldisclosure/2005/Nov/387) from the original on 2022-05-26. Retrieved 2022-05-26.

1. **[^](#cite_ref-Cha-Pak-Brumley-Lipton_2010_19-0)** Cha, Sang Kil; Pak, Brian; [Brumley, David](/source/David_Brumley); [Lipton, Richard Jay](/source/Richard_Jay_Lipton) (2010-10-08) [2010-10-04]. [*Platform-Independent Programs*](https://softsec.kaist.ac.kr/~sangkilc/papers/cha-ccs10.pdf) (PDF). Proceedings of the 17th ACM conference on Computer and Communications Security (CCS'10). Chicago, Illinois, USA: [Carnegie Mellon University](/source/Carnegie_Mellon_University), Pittsburgh, Pennsylvania, USA / [Georgia Institute of Technology](/source/Georgia_Institute_of_Technology), Atlanta, Georgia, USA. pp. 547–558. [doi](/source/Doi_(identifier)):[10.1145/1866307.1866369](https://doi.org/10.1145%2F1866307.1866369). [ISBN](/source/ISBN_(identifier)) [978-1-4503-0244-9](https://en.wikipedia.org/wiki/Special:BookSources/978-1-4503-0244-9). [Archived](https://web.archive.org/web/20220526153147/https://softsec.kaist.ac.kr/~sangkilc/papers/cha-ccs10.pdf) (PDF) from the original on 2022-05-26. Retrieved 2022-05-26. [\[1\]](https://web.archive.org/web/20220526182333/http://users.ece.cmu.edu/~sangkilc/papers/ccs10-cha.pdf) (12 pages) (See also: [\[2\]](https://security.ece.cmu.edu/pip/index.html))

## External links

- [Shell-Storm](http://www.shell-storm.org/shellcode/) Database of shellcodes Multi-Platform.

- [An introduction to buffer overflows and shellcode](http://www.phrack.org/issues/49/14)

- [The Basics of Shellcoding (PDF)](https://web.archive.org/web/20050528022508/http://www.infosecwriters.com/text_resources/pdf/basics_of_shellcoding.pdf) An overview of x86 shellcoding by Angelo Rosiello

- [An introduction to shellcode development](https://web.archive.org/web/20120109070051/http://goodfellas.shellcode.com.ar/docz/bof/Writing_shellcode.html)

- [Contains x86 and non-x86 shellcode samples and an online interface for automatic shellcode generation and encoding, from the Metasploit Project](https://web.archive.org/web/20080302111910/http://www.metasploit.com/shellcode/)

- [a shellcode archive, sorted by Operating system](https://web.archive.org/web/20060619025456/http://www.linux-secure.com/endymion/shellcodes/).

- [Microsoft Windows and Linux shellcode design tutorial going from basic to advanced](https://web.archive.org/web/20061112203748/http://www.milw0rm.com/papers/11).

- [Windows and Linux shellcode tutorial containing step by step examples](http://www.vividmachines.com/shellcode/shellcode.html).

- [Designing shellcode demystified](https://web.archive.org/web/20210322094322/http://www.enderunix.org/docs/en/sc-en.txt)

- [ALPHA3](https://code.google.com/p/alpha3/) A shellcode encoder that can turn any shellcode into both Unicode and ASCII, uppercase and mixedcase, alphanumeric shellcode.

- [Writing Small shellcode by Dafydd Stuttard](https://web.archive.org/web/20061115040739/http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf) A whitepaper explaining how to make shellcode as small as possible by optimizing both the design and implementation.

- [Writing IA32 Restricted Instruction Set Shellcode Decoder Loops by SkyLined](http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/whitepaper_shellcode.html.php) [Archived](https://web.archive.org/web/20150403114315/http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl%2F~bjwever%2Fwhitepaper_shellcode.html.php) 2015-04-03 at the [Wayback Machine](/source/Wayback_Machine) A whitepaper explaining how to create shellcode when the bytes allowed in the shellcode are very restricted.

- [BETA3](https://code.google.com/p/beta3/) A tool that can encode and decode shellcode using a variety of encodings commonly used in exploits.

- [Shellcode 2 Exe](http://sandsprite.com/shellcode_2_exe.php) - Online converter to embed shellcode in exe husk

- [Sclog](https://github.com/dzzie/sclog) - Updated build of the iDefense sclog shellcode analysis tool (Windows)

- [Libemu](https://archive.today/20130219020328/http://libemu.carnivore.it/) - emulation based shellcode analysis library (*nix/Cygwin)

- [Scdbg](http://sandsprite.com/blogs/index.php?uid=7&pid=152) - shellcode debugger built around libemu emulation library (*nix/Windows)

v t e Information security Threats Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie vectorial version Defenses Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Software obfuscation Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation Related security topics Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electronic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management

---
Adapted from the Wikipedia article [Shellcode](https://en.wikipedia.org/wiki/Shellcode) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Shellcode?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.