Shell Detect is the FREE tool to detect presence of Shell Code within a file or network stream. You can either provide raw binary file (such as generated from Metasploit [Reference 4]) or network stream file as input to this tool.
These days attackers distribute malicious files which contains hidden exploit shell code. On opening such files, exploit shell code get executed silently, leading to complete compromise of your system . This is more dangerous when the exploit is ‘Zero Day’ as it will not be detected by traditional signature based Anti-virus solutions.
In such cases ShellDetect may help you to identify presence of shell code (as long as it is in raw format) and help you to keep your system safe.
Though the new version is more stable than past releases, we recommend running this tool in Virtual Environment(using VMWare, VirtualBox [Reference 2,3]) as it may cause security issues on your system if the input file is malicious.
Currently ShellDetect tool is in experimentation stage and works on Windows XP (with SP2, SP3) only.
Example of usage(credits):
Shelldetect only works for Windows shellcodes.
Let’s check some shellcodes against shelldetect.
Below snapshot is of a blackhole exploit kit shellcode, we will feed this stream to shelldetect.
Below snapshot shows the result of shelldetect.
The stream was direct shellcode so shell detect reported the results without any delay; in the snapshot, we can see the decoded shellcode and also the malicious URL.
Let’s feed a random stream to shall detect and see how shell detect react to it.