SLAE64 #7 - Crypters

Since shellcode is usually very small in size, I have used RSA asymmetric encryption to encrypt the shellcode. Most of the code is boilerplate code so there is not much to talk about. Encryptor. ...

SLAE64 #6 - Polymorphic shellcode

I have taken shellcode #603 and #859 from shell-storm and created a polymorphic version that passed a clamav scan. The original versions of both shellcodes were detected by the clamav scan due to the presence of the /bin/sh string. Breaking up the string caused the modified versions of both shellcodes ...

SLAE64 #5 - MSF shellcode analysis

I will be analysing chunks of the linux/x64/meterpreter/bind_tcp and the linux/x64/shell_bind_tcp and see how they differ. Although both are TCP bind shellcodes, the primary difference between them is that the meterpreter shellcode is a staged payload while the other is a stageless payload. As ...

SLAE64 #4 - SSE4.2 CRC32C Encoder

I decided to do something special for the custom encoder shellcode. I used the Intel SSE4.2 CRC32C function to encode the shellcode. CRC32 is a hash function, not an encoding function, so in order to make it an encoder, I had to compute the preimage for each possible byte of the final shellcode ...

SLAE64 #3 - Egghunter shellcode

As usual, I will only be touching on interesting or unique points in the shellcode. Line 25/26: To avoid having the egg in memory, I moved 0x5090508f into a register and incremented it to get 0x50905090. Line 27: repne scasd searches the next 4 bytes and increments the address searched ...

SLAE64 #2 - Revshell TCP shellcode

This shellcode is very similar to the Bindshell TCP shellcode, so please refer to it for the unique and interesting points. There is only 1 additional point I would like to make: Line 8/37: Listen on 127.1.1.1 instead of 127.0.0.1. This saves us from having to nullify the 2 bytes in the middle. ...

SLAE64 #1 - Bindshell TCP shellcode

There are many SLAE64 blogposts each explaining their variant of shellcode out there. I thought I would join in the fun. This is my version of the Bindshell TCP shellcode. I'll keep it brief and only list down the interesting or unique points in my shellcode. Line 9: To reduce size, I only ...

Hiding files with mount

When filesystems are mounted on a directory, existing files in that directory are hidden and will not be accessible until the mount point is removed. This is a relatively decent way to thwart or slow down online analysis of a system. A recursive listing of files will not reveal these hidden ...