#nosoc blog
Expect the unexpected
Obfuscation: ByteSwapping
Polymorphy
An object with a different appearance always fulfils the same function. In the last post, I decrypted an encrypted shellcode in working memory and had it executed. As encryption, I converted each byte with an XOR calculation.
Now I would like to bring a little more dynamism into the encryption to make decrypting the shellcode a little more difficult.
Obfuscation: polymorphic in-memory decoder
Red-teaming and penetration tests often require virus scanners to be bypassed in order to effectively detect security vulnerabilities. In the last part we looked at disguising shellcode as a UUID in the source code. This also worked well, but the shellcode was recognised in memory and blocked.
We now want to solve this with a polymorphic in-memory decoder: A shellcode that decodes shellcode.
Tools
The encoder is part of my shellcode tool ShenCode, which is available as open source.
Shellcode Injection Part 4
In this article, we will only deal with shellcode obfuscation in passing. At this point, I wanted to develop a custom shellcode to learn more about how it works.
The following requirements should be met:
- Start `calc.exe` on a Windows computer
- 64-bit code
- Avoid null bytes