Friday, August 10, 2012

Experiment With Run Time Encryption/Decryption of Win32 ShellCodes

Hello all, in this post I am gonna share one of my experiments with shellcodes with you guys. Before we begin, I want to warn you about one thing: the shellcode I have used in this example is a reverse_tcp shellcode, so I suggest you use a harmless shellcode like WinExec CALC while doing such experiments.

I started by generating a raw binary of Metasploit's windows/shell_reverse_tcp payload. After generating the raw binary I ran a quick anti-virus scan of it using VirusTotal.com. Here is the output of VirusTotal.com.



31/42: 31 out of 42 anti-virus engines detected that binary. As usual, the result was not very shocking to me.

So I decided to play with it and try to reduce the detection rate. To do that I generated the raw shellcode from Metasploit with a single iteration of the default encoder, shikata_ga_nai. Here is the shellcode generated by Metasploit.

Obviously I took the encoded one, which is null-free shellcode. After that I quickly wrote an XOR encrypter in C and encrypted the generated shellcode with a random key. Here is the code of the encrypter.

C code to Encrypt ShellCode using XOR:

Compiling and running the code gave me an XOR-encrypted shellcode.

From the output I removed the extra bytes and extracted the encrypted shellcode.

Up to this point it is quite easy. The actual challenge is running the shellcode properly on the target. To do that we can do the following things at run time of the binary.

  1. Decrypt the encrypted shellcode with the key used to encrypt it.
  2. Allocate enough space in virtual memory for the decrypted shellcode using VirtualAlloc().
  3. Copy the decrypted shellcode to the allocated memory using RtlMoveMemory().
  4. Execute that memory region using CreateThread().

So I did exactly the same.

Here is the C code to decrypt the shellcode and execute it at run time.

After compiling the code, and before running it, I did a quick run-time analysis of the compiled binary using OllyDbg. Here are a few screenshots taken during the run-time analysis of that binary.



And after that, you know what the interesting part is? Again I ran a quick scan of that new binary using VirusTotal. The detection rate was reduced from 31/42 to 7/42!


Thank you for reading. Feel free to leave comments if you have any confusion or questions.

13 comments:

  1. Hi Debasish Mandal, nice post!!!
    Could you share xor1.exe codes ?

  2. The code is already in this post! Check out the section "C code to Encrypt ShellCode using XOR" of this post!

    Replies
    1. Well, got it (NoScript blocked it). TKS :D)

  3. Very nice tutorial. But can you change it more to get 0/42? ;)

    Replies
    1. In this case it's a bit difficult because of the XOR encryption. These AVs are detecting this binary on the basis of the XOR encryption/decryption signature. Even if you use a harmless shellcode like calc.exe, it will get detected. So you can try any other encryption technique to reduce the detection rate.

  4. Hi,

    I think it's also about how you copy/run the process/thread into memory.

  5. Hello,
    but there is a problem in counting the chars on every line; any solution for it? In your example above, your simple shellcode's first line has 15 hex chars, and after decrypt there are 18 chars in one line, so how can I know how many chars are in one line???

    Replies
    1. I didn't get your question! Can you please elaborate?

  6. I mean, after XOR encryption how can I know how many hex chars are in one line?

  7. Like, the shellcode's first line is
    "\xba\x8f\x22\xc1\xd7\xda\xcf\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
    15 hex chars, and after XOR
    "\xD7\xF6\x5A\xAE\xA5\xB1\xAA\xA0\x34\x15\xC6\x68\x5C\xB0\xC9\x26\x43\x38"
    18 hex chars

    Replies
    1. That is not important. The total size of the shellcode is 317 bytes, before and after encryption.

  8. Yes, but if I write it after encryption as "\xD7\xF6\x5A\xAE\xA5\xB1\xAA\xA0\x34\x15\xC6\x68\x5C\xB0\xC9"
    "\x26\x43\x38\x71\xFA\x83\x35\x31\x60\x7D\x14\xAF\x52\x4D\x93"
    like this, will it work???

  9. Oh sorry, I checked, it works fine, thx for it :)
