Differences

This shows you the differences between two versions of the page.

--- en:it-security:blog:obfuscation_polymorphic_in_memory_decoder [2024/09/23 10:51] – created psycore
+++ en:it-security:blog:obfuscation_polymorphic_in_memory_decoder [2024/10/15 21:30] (current) – psycore
@@ Line 143: / Line 143: @@
 <code python>
-python shencode.py extract -f calc.o -o calc.raw -fb 60 -lb 311
+python shencode.py extract -i calc.o -o calc.raw -fb 60 -lb 311
 ...
-python shencode.py encode -f calc.raw -o calc.xor -x -xk 63
+python shencode.py xorencode -i calc.raw -o calc.xor -k 63
 ...
-python shencode.py output -f calc.xor -s cs
+python shencode.py formatout -i calc.xor -s cs
 [*] processing shellcode format...
 x6a,0x77,0xb6,
@@ Line 188: / Line 188: @@
 <code python>
-python shencode.py output -f xor-decoder.o -s inspect
+python shencode.py formatout -i xor-decoder.o -s inspect
 x00000048: 00 00 00 00 00 00 00 00
@@ Line 198: / Line 198: @@
 x00000336: 00 00 00 00 00 fe ff 00
-python shencode.py extract -f xor-decoder.o -o xor-decoder.stub -fb 60 -lb 329
+python shencode.py extract -i xor-decoder.o -o xor-decoder.stub -fb 60 -lb 329
 [*] try to open file
@@ Line 206: / Line 206: @@
 [+] DONE!
-python shencode.py output -f xor-decoder.stub -s c
+python shencode.py formatout -i xor-decoder.stub -s c
 [*] processing shellcode format...
@@ Line 263: / Line 263: @@
 <code python>
-python shencode.py encode -f input.raw -o xor.out --xor --xorkey 63
+python shencode.py xorencode -i input.raw -o xor.out --key 63
-python shencode.py create --xor-stub --xor-filename xor.out --xor-outputfile stub.raw --xor-key 63
+python shencode.py xorpoly -i xor.out -o stub.raw --key 63
 </code>
 The XOR decoder provides effective memory protection. In combination with other obfuscation techniques, this can be a good helper for penetration tests. During my test, even the Metasploit payload was not detected by Windows Defender.
+~~DISCUSSION~~