Friday, August 10, 2012

Experiment With Run Time Encryption/Decryption of Win32 ShellCodes

Hello all, in this post I am gonna share one of my experiments with shellcodes with you guys. Before we begin, I want to warn you about one thing: the shellcode I have used in this example is a reverse_tcp shellcode, so I suggest you use some harmless shellcode like WinExec calc while doing such experiments.

So I started by generating a raw binary of Metasploit's windows/shell_reverse_tcp payload. After generating the raw binary I ran a quick antivirus scan of it using VirusTotal. Here is the output of that scan:

31/42. 31 out of 42 antivirus engines detected that binary. As usual, the result was not much of a shock to me.

So I decided to play with that and try to reduce the detection rate. To do that I generated the raw shellcode from Metasploit with a single iteration of the default encoder, shikata_ga_nai. Here is the shellcode generated by Metasploit.

Obviously I took the encoded one, which is null-free shellcode. After that I quickly wrote a XOR encrypter in C and encrypted the generated shellcode with a random key. Here is the code of the encrypter.

C code to Encrypt ShellCode using XOR:

Compiling and running the code gave me the XOR-encrypted shellcode.

From that output I removed the extra bytes and extracted the encrypted shellcode.

Up to this point it's easy enough, but the actual challenge is running the shellcode properly on the target. To do that, the binary has to do the following at run time:

  1. Decrypt the encrypted shellcode with the key that was used to encrypt it.
  2. Allocate enough space in virtual memory for the decrypted shellcode using VirtualAlloc().
  3. Copy the decrypted shellcode to the allocated memory using RtlMoveMemory().
  4. Execute that memory region using CreateThread().
So I did exactly the same.
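As an added illustration (my own code, not the post's encrypter or its decrypt-and-execute program), here is a small C program that implements the single-byte XOR step the post describes and then the check an analyst or AV engine can run against it. Because XOR is its own inverse, the same routine is both the encrypter above and the decrypt step 1 of the run-time procedure; and because a single-byte key has only 256 possible values, anyone holding a short known plaintext (for example the fixed bytes of an encoder's decoder stub) can recover the key and the original shellcode by brute force. The sample bytes, the "SAMPLE" marker and the key are constructed placeholders, not real shellcode.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample "shellcode": placeholder bytes, not a real payload.
 * The embedded "SAMPLE" marker stands in for any known plaintext an
 * analyst has, e.g. the fixed bytes of an encoder's decoder stub. */
static const unsigned char sample[] = {
    0x01, 0x02, 0x03, 0x04, 'S', 'A', 'M', 'P', 'L', 'E',
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90, 0xA0
};
static const unsigned char marker[] = { 'S', 'A', 'M', 'P', 'L', 'E' };

/* In-place single-byte XOR. XOR is an involution, so this one routine is
 * both the "encrypt" step of the post and the "decrypt" step of the loader. */
void xor_buf(unsigned char *buf, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* Plain byte search (no NUL-termination assumptions: shellcode may
 * contain any byte value). Returns 1 if sig occurs anywhere in buf. */
static int contains(const unsigned char *buf, size_t n,
                    const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || siglen > n)
        return 0;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(buf + i, sig, siglen) == 0)
            return 1;
    return 0;
}

/* Brute-force recovery of a single-byte XOR key: for each of the 256
 * candidates, decode a scratch copy and look for the known plaintext.
 * Returns the key (0..255) or -1 if no key reveals it. The cost is
 * 256 * n byte operations, which is negligible for a scanner. */
int find_xor_key(const unsigned char *enc, size_t n,
                 const unsigned char *sig, size_t siglen)
{
    unsigned char scratch[4096];
    if (n > sizeof scratch)
        return -1;
    for (int key = 0; key < 256; key++) {
        memcpy(scratch, enc, n);
        xor_buf(scratch, n, (unsigned char)key);
        if (contains(scratch, n, sig, siglen))
            return key;
    }
    return -1;
}

/* Round trip: encrypt the sample with a constructed key, recover the key
 * from the ciphertext using only the marker, decrypt, and confirm the
 * original bytes come back. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(unsigned char key)
{
    unsigned char buf[sizeof sample];
    memcpy(buf, sample, sizeof sample);
    xor_buf(buf, sizeof buf, key);                    /* the post's encrypt step */
    int found = find_xor_key(buf, sizeof buf, marker, sizeof marker);
    if (found != (int)key)
        return 0;
    xor_buf(buf, sizeof buf, (unsigned char)found);   /* the loader's decrypt step */
    return memcmp(buf, sample, sizeof sample) == 0;
}

int main(void)
{
    unsigned char key = 0x5A;  /* constructed key, stands in for the post's random key */
    printf("round trip with key 0x%02X: %s\n", key,
           demo_roundtrip(key) ? "ok" : "FAILED");
    return 0;
}
```

The point for a defender is that the drop in detections below comes from hiding the static byte pattern, not from hiding the payload: a scanner that emulates or brute-forces the XOR gets the original shellcode back in at most 256 tries, and the VirtualAlloc / RtlMoveMemory / CreateThread sequence the loader needs is itself a behavioral indicator worth alerting on.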

Here is the C code to decrypt the shellcode and execute it at run time.

After compiling the code, and before running it, I did a quick run-time analysis of the compiled binary using OllyDbg. Here are a few screenshots taken during that analysis.

And you know what the interesting part is? I ran a quick scan of that new binary using VirusTotal again, and the detection rate dropped from 31/42 to 7/42!

Thank you for reading. Feel free to leave comments for any confusion or question.