Position-Independent Code

Position-independent code (PIC) is code that uses no hard-coded addresses for either code or data. Shellcode is PIC. It cannot assume that it will be located at a particular memory location when it executes, because at runtime, different versions of a vulnerable program may load the shellcode into different memory locations. The shellcode must ensure that all memory access for both code and data uses PIC techniques.

Table 19-1 shows several common types of x86 code and data access, and whether they are PIC.

Table 19-1. Different Types of x86 Code and Data Access

Instruction mnemonics      Instruction bytes        Position-independent?
call sub_401000            E8 C1 FF FF FF           Yes
jnz short loc_401044       75 0E                    Yes
mov edx, dword_407030      8B 15 30 70 40 00        ...
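
The following is an added example (not from the book) that decodes the three encodings listed in Table 19-1 and shows why the first two are position-independent and the third is not. It assumes the instruction bytes exactly as the table gives them; the load addresses used in the comments and the `relocation_sensitivity` helper are constructed values chosen so that the relative encodings resolve to the table's symbolic targets.

```python
import struct

# Encodings copied from Table 19-1 (bytes as printed on the page).
CALL_REL32 = bytes.fromhex("E8C1FFFFFF")    # call sub_401000
JNZ_REL8 = bytes.fromhex("750E")            # jnz short loc_401044
MOV_DISP32 = bytes.fromhex("8B1530704000")  # mov edx, dword_407030

MASK32 = 0xFFFFFFFF


def decode(insn: bytes, address: int) -> dict:
    """Decode one of the three table encodings as if it were loaded at `address`.

    Returns the resolved code/data address and whether the operand is encoded
    relative to the instruction pointer (PIC) or as an absolute displacement.
    """
    opcode = insn[0]
    if opcode == 0xE8:
        # call rel32: target = address of next instruction + sign-extended rel32
        rel = struct.unpack("<i", insn[1:5])[0]
        return {"mnemonic": "call", "target": (address + 5 + rel) & MASK32, "pic": True}
    if opcode == 0x75:
        # jnz rel8: target = address of next instruction + sign-extended rel8
        rel = struct.unpack("<b", insn[1:2])[0]
        return {"mnemonic": "jnz short", "target": (address + 2 + rel) & MASK32, "pic": True}
    if opcode == 0x8B and insn[1] == 0x15:
        # mov edx, [disp32]: ModRM 0x15 = mod 00, reg 010 (edx), rm 101, which in
        # 32-bit mode means a bare disp32 with no base register, i.e. an absolute
        # address baked into the instruction bytes.
        disp = struct.unpack("<I", insn[2:6])[0]
        return {"mnemonic": "mov edx, [disp32]", "target": disp, "pic": False}
    raise ValueError("unsupported encoding for this example")


def relocation_sensitivity(insn: bytes, base_a: int, base_b: int) -> int:
    """How far the referenced address moves when the instruction itself moves.

    For PIC encodings the referenced address shifts by exactly base_b - base_a;
    for an absolute displacement it does not move at all, so shellcode placed
    at a different address would read the wrong memory (or crash).
    """
    a = decode(insn, base_a)["target"]
    b = decode(insn, base_b)["target"]
    return (b - a) & MASK32


if __name__ == "__main__":
    # Constructed load addresses: with the call at 0x40103A the rel32 of -0x3F
    # lands on sub_401000; with the jnz at 0x401034 the rel8 of +0x0E lands
    # on loc_401044, matching the table's symbolic operands.
    for insn, addr in ((CALL_REL32, 0x40103A), (JNZ_REL8, 0x401034), (MOV_DISP32, 0x40103F)):
        d = decode(insn, addr)
        print(f"{d['mnemonic']:<20} @ {addr:#010x} -> {d['target']:#010x}  PIC={d['pic']}")
    print("call shifts by", hex(relocation_sensitivity(CALL_REL32, 0x40103A, 0x50103A)))
    print("mov  shifts by", hex(relocation_sensitivity(MOV_DISP32, 0x40103F, 0x50103F)))
```

When analyzing a suspected shellcode blob, a `decode` result with `pic=False` flags an operand that depends on the program being mapped at a fixed address; this is the kind of access the text says shellcode must avoid, and it is also a useful hint that a buffer is compiled program code rather than injected shellcode.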
