The Shellcode Compiler can be run from the command line. The following describes the command line sytax:
scc [options] <input files> [...]
This compiler accepts a subset of C99 syntax, with extensions for creating a standalone
environment for writing shellcode. Many standard system calls and C library functions
are automatically available without the need for include files.
Options:
--arch <value> Specify processor architecture
Can be: x86 (default), x64
--align <boundary> Ensure output is aligned on the given boundary
--allow-return Allow return from shellcode (default is to exit)
--anti-disasm Generate anti-disassembly blocks
--anti-disasm-freq <n> Emit anti-disassembly blocks every <n> instructions
--base <expr> Set base address of output (can be a runtime computed
expression, such as "[eax+8]-12")
--blacklist <byte> Blacklist the given byte value
--concat Jump to end of output on return for concatenating code
-D <define>[=<value>] Define a preprocessor macro
--decoder <source> Use decoder to decode shellcode before executing
--encode-pointers All code pointers are encoded with a random canary
--encoder <source> Use encoder to encode shellcode
--exec Execute shellcode after generation (does not write
output to a file)
--exec-stack When outputting an executable, make stack executable
--format <value>, -f <value> Specify output format
Can be: bin (default), lib, elf, pe, macho
--frame-reg <reg> Use alternate register as the frame pointer
--header <file> Include a precompiled header
-I <path> Add additional directory for include files
-L <lib> Include pre-built library
-m32, -m64 Specify target address size
--map <file> Generate map file
--markov-chain <file> Use file for generating random instruction sequences
--max-length <value> Do not let output size exceed given number of bytes
--mixed-mode Randomly choose subarchitecture for each function
-o <filename> Set output filename (default is hex dump to stdout)
-O0 Do not run the optimizer
-Os Try to generate the smallest code possible
--pad Pad output to be exactly the maximum length
--pie Always generate position independent code
--platform <value> Specify operating system
Can be: linux (default), freebsd, mac, windows, none
--polymorph Generate different code on each run
--preserve <reg> Preserve the value of the given register
--unsafe-stack Stack pointer may be near the code
--return-reg <reg> Use alternate register as the return value
--return-high-reg <reg> Use alternate register as the upper 32 bits of return
value (32-bit output only)
--seed <value> Specify random seed (to reproduce --polymorph runs)
--shared Generate shared library instead of executable
--stack-grows-up Stack grows toward larger addresses
--stack-reg <reg> Use alternate register as the stack pointer
--stdin Read source code from stdin
--stdout Send generated code to stdout for pipelines
Useful extensions:
__noreturn Specifies that a function cannot return
Example: void exit(int value) __noreturn;
__syscall(num, ...) Executes a system call on the target platform
__undefined Gives undefined results, usually omitting code
Example: exit(__undefined);
__initial_<reg> Value of register at start of program
Example: int socketDescriptor = __initial_ebx;