Generate shorter shellcode

Is there a way to generate short shellcode from a malware executable (PE/.exe)? Sometimes malware executables (PE/.exe) are big, and when converted to shellcode this leads to a longer and bigger shellcode, making analysis and obfuscation difficult and time intensive. Imagine trying to obfuscate shellcode generated from a 1.5KB trojan by inserting new instructions before, after and between existing ones, replacing existing instructions with alternative ones, and inserting jump instructions that change the execution flow and randomly divide the shellcode into separate blocks. Performing these insertion operations on such a big shellcode will take many hours. If anyone has an idea on how to shorten this long shellcode, I will be grateful.

While I hate helping people that do these kinds of things, I have a feeling you won't get anywhere anyway.

Your payload is your payload.
You don't try to minimize a payload. You find a way to encode it, a way that suits you.
You can compress it of course but you must treat a payload as a completely opaque blob of data, it could be almost incompressible as far as you know.

For example, a simple way to encode arbitrary data in a shellcode is by applying any transformation T to it (e.g. compress it) and then converting the result to a modified base64 where arbitrary letter pairs are swapped.
This prevents antiviruses from detecting the payload (checking memory in real time is too expensive, so the final payload won't be checked), uses only printable characters, lets you reduce the payload size if possible (thanks to T), and is easily automated.

If you need to have a shorter payload, then reduce its size and not the size of the payload plus the shellcode that bootstraps it.

However, what is usually done is to adopt the well-known kill chain: vector -> dropper -> packer -> malware.
The vector is how you gain execution in a particular context (e.g. a malicious MS Office macro or a process injection), and the dropper is a piece of code or an executable that will download or load the payload.
Your shellcode should act as a dropper; shellcodes are typically very constrained (in size and shape), so they are kept short by loading the payload from somewhere else.

If you need to embed your payload in the shellcode then analyze the constraints and work on the payload.
If your payload can't satisfy them, you need to change it.

I've only seen plain PE/ELF payloads mostly in process injections, where the attacker can allocate remote memory for the payload and the code (which is often called a shellcode, but it is not really one).
All shellcodes used in real binary exploitation either needed no payload (e.g. spawn a reverse shell) or were droppers.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM