This brings us to another issue: How will the stub know when it found the right byte? A generic approach is to simply prepend a signature to the shellcode so, if after xor’ing the first byte from the payload, with current iteration’s byte (iteration from the brute force), it finds the signature byte, then that iteration’s byte value is the “key”. I solved this by deciding to use a generic decoder, which stub will brute force the payload until it finds the right value. The problem with this approach is that you won’t have a generic decoder that works, because you’ll have to insert the randomly generated byte to xor the payload with, in it. I decided I wanted to create a variation of the xor encoder, but one which will xor the payload with a randomly generated byte. An example is a XOR encoder, in which you xor the payload byte by byte with the value 0xAA, and you then write the stub which will just run through the payload, byte by byte, xor it with 0xAA, and then execute the decoded payload.įor the sake of simplicity, the encoding of the payload is usually done in a high level programming language, such as Python, while the decoder, obviously being done in 圆4 assembly, because that’ll be the actual shellcode. The first is called the stub, and it’s the code responsible to decode the second part, the payload. So what are encoders? Encoders are shellcode made of two distinct parts: Figure 1 – Decoder structure ![]() ![]() Thanks to MalwRecon for bringing that to my attention. I added de function valid(byte), and also a loop until a valid random byte (R) is generated:Īnd sometimes, after executing the encoder.py, you’ll realise it had to re-execute: So don’t expect the screenshots to match the code exactly, because of this new logic I added. ![]() Made it so you can simply add any others to the “bad_chars” list. I improved the python’s code to not only generate the random byte (to xor the original payload byte by byte), but to also validate if the xor’ed payload will have any bad characters (in this case, just the null byte 0x00). Even though bypassing anti-virus systems is not the only purpose of encoders, it certainly is the most exciting one, and hence the detailed focus on this one subject throughout this post. I’ll develop a python encoder that will XOR the payload, byte by byte, with a randomly generated byte value, and also generate a polymorphic stub in 圆4 to decode that payload, by brute-forcing all 256 possibilities.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |