by Mike Saunders, Principal Consultant
This blog is the fourteenth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of the series here. If you’d like to try these techniques out on your own, you can find the code we’ll be using on the Red Siege GitHub.
This is the final installment in our series on shellcode obfuscation techniques. In this installment, I’ll summarize how the different techniques I tested fared and discuss several ideas for further research.
Detection Summary
The table below shows how each technique we looked at fared on VirusTotal. As you can see, XOR with a multibyte key and offsets fared the best, followed closely by Jargon, reverse byte order, and Jigsaw. Clearly, none of the tested techniques were perfect, but some of them are quite effective.
The testing programs didn’t attempt to actually execute the shellcode. In some cases, the presence of obfuscated shellcode, resulting in higher entropy, combined with the presence of certain API calls used to deobfuscate, move, and execute shellcode could result in additional detections. It’s worth investigating whether remotely hosted shellcode, distributing the shellcode in a separate file with the loader, or placing the shellcode in something like a resource file, would reduce some of the detections.
| Technique | VT Score |
|---|---|
| XOR Multibyte Key | 2 |
| Offsets | 2 |
| Jargon | 3 |
| Reverse Byte Order | 4 |
| Jigsaw | 4 |
| Reversed Byte XOR | 5 |
| IPv4 | 6 |
| MAC Address | 6 |
| Caesar | 7 |
| RC4 | 7 |
| XOR | 8 |
| AES | 8 |
| Two Array | 8 |
| Reverse String | 13 |
| UUID | 13 |
| Base64 | 18 |
| No Obfuscation | 27 |
Bit Gymnastics
Recently, John Stigerwalt of White Knight Labs posted on LinkedIn about combining multiple operations to obfuscate shellcode. Specifically, the post discussed applying an XOR, then a NOT operation, and finally incrementing the result as a way of obfuscating shellcode. To reverse the process, he applied a NOT operation, subtracted from that result, and then applied an XOR. You can find the example code in this gist.
John made a follow-up post where he provided code to apply this obfuscation technique in assembly. Click here to review the post; the example code is here: https://gist.github.com/WKL-Sec/2706827dfed4913781088a5d1553a2fa.
MorphAES
Another interesting technique is MorphAES. MorphAES uses 64-bit Intel AES-NI for encryption and decryption and implements polymorphism by randomizing constants, applying logic changes, and modifying instructions. While this is an older repository (the code was published over 7 years ago at the time of this writing), it may be worth playing around with.
Steganography
This series was about techniques to obfuscate your shellcode embedded in a loader. The idea of steganography – encoding data in images by manipulating color or alpha channels – is incredibly interesting and can be quite effective. As it involves embedding your shellcode in an image file, it’s likely the image would be loaded from a remote resource rather than embedded in your payload. As such, I didn’t include it in this series. It is a technique worth considering, however. Devang Jain has an article on Medium discussing the concept. He also has a GitHub repository containing example code. While the proof-of-concept only applies steganography using a Python script, you could port the extraction process to your shellcode loader to retrieve and extract shellcode from a remotely hosted image. An analyst examining your payload would only observe a request for an image and wouldn’t directly observe any shellcode by analyzing the image.
That’s All, Folks!
And that’s it for our shellcode obfuscation series. I hope you’ve enjoyed this series and, hopefully, you’ve picked up a new technique or two along the way. If you enjoyed this series or you have a favorite technique you’d like to share, let us know on Discord!
Try it Yourself
You can find the example code for the articles in this series at the Red Siege GitHub.
About Principal Security Consultant Mike Saunders
Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system and network administration, development, and security architecture. Mike is a highly regarded and experienced international speaker with notable cybersecurity talks at conferences such as DerbyCon, Circle City Con, SANS Enterprise Summit, and NorthSec, in addition to having more than a decade of experience as a penetration tester. You can find Mike’s in-depth technical blogs and tool releases online and learn from his several offensive and defensive-focused SiegeCasts. He has been a member of the NCCCDC Red Team on several occasions and is the Lead Red Team Operator for Red Siege Information Security.
Certifications:
GCIH, GPEN, GWAPT, GMOB, CISSP, and OSCP