#nosoc blog
Expect the unexpected
Obfuscation: polymorphic in-memory decoder
Red-teaming and penetration tests often require virus scanners to be bypassed in order to effectively detect security vulnerabilities. In the last part we looked at disguising shellcode as a UUID in the source code. This also worked well, but the shellcode was recognised in memory and blocked.
We now want to solve this with a polymorphic in-memory decoder: A shellcode that decodes shellcode.
Obfuscation: Disguise shellcode as UUIDs
In the last blog post we dealt with the development of a calc.exe shellcode. The injection method that I used for testing was immediately blocked by Windows Defender. I therefore had to adapt the loader and shellcode accordingly.
I came up with the idea of converting the opcodes into a string array filled with UUIDs. These then have to be converted back into bytes before injection. To do this, I wrote an encoder and a decoder that do exactly this.
Shellcode Injection Part 4
In this article, we will only deal with shellcode obfuscation in passing. At this point, I wanted to develop a custom shellcode to learn more about how it works.
The following requirements should be met:
- Start of calc.exe on a Windows computer
- 64-bit code
- Avoid null bytes
Shellcode Injection Part 3
Shellcode injections are generally used to initiate a reverse shell. However, in some circumstances it may be necessary to load the code for the shell in a second step.
In this blog post, I show how we can use a shellcode injection to load a file via HTTP and then execute it.