Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/zeroSteiner/crimson-forge

Sustainable shellcode evasion
https://github.com/zeroSteiner/crimson-forge

Last synced: about 1 month ago
JSON representation

Sustainable shellcode evasion

Awesome Lists containing this project

README 

        
.. image:: https://github.com/securestate/crimson-forge/blob/master/data/crimson-forge-logo.png



Crimson Forge

=============



Crimson Forge intends to provide sustainable evasion capabilities for native

code on the x86 and AMD64 architectures. It achieves this by rewriting the input

code utilizing the following two techniques:



**Shuffling:** Instructions are shuffled into a new order at the basic block

level. This is a reliable technique and does not modify the size of resulting

binary.



**Alterations:** Instructions are swapped with functional equivalents,

effectively de-optimizing them. New instructions are inserted into the same

graph used by the Shuffling technique, allowing them to be reordered as well.



Due to the nature of the re-writing, it is not necessary for processed shellcode

to exist within writeable memory. This eliminates a very common pattern which is

identified as malicious by many AV and EDR systems.



Installation

------------



See the `INSTALL.md `__ for installation instructions.



Getting Started

---------------



Once installed, utilize the primary command line interface at

``./crimson-forge``. The help menu documents each of the options. Basic usage

includes specifying an architecture (e.g. ``amd64`` or ``x86``), providing an

input file, and specifying an output file. By default both the input and output

files are expected to be raw shellcode, not executable files such EXEs. Use the

``--format`` and ``--output-format`` options to specify the input and output

data formats respectively. Note that the ``--output-format`` option can be

specified multiple times. Additionally, arguments can be defined in a file one

per line and passed using the syntax ``./crimson-forge @file/with/args.txt``.

See `data/common-arguments.txt `__ as an example.



Known Limitations

-----------------



**Unstaged Payloads:** Unstaged payloads as generated by the Metasploit

Framework are currently not functional due to the constraints on the file

format.



**Tainted References:** Certain payloads retrieve references to their location

in memory and then apply a static offset to it. Crimson Forge has no way to

identify the significance of the static offset which will change when

*Alterations* are applied. Crimson Forge will attempt to identify instances

where this occurs and will disable *Alterations* altogether to ensure a

functional output is produced. However, disabling *Alterations* limits the

capability to generate unique binaries.



**Encoded Payloads:** All encoding modules within the Metasploit Framework

require the shellcode to be placed in memory with Read, Write and Execute (RWX)

permissions. This defeats the purpose of Crimson Forge. See also *Tainted

References*. 



**Overlapping Instructions:** In certain, theoretical scenarios instructions may

overlap with one another. This would be the case where one instruction jumps or

calls an address within another instruction. This would cause the block-level

analysis to be misaligned.



The following example would result in a jump into the body of the move

instruction resulting in the flow of execution being `jmp $+3, inc eax` rather

than what is stated.



.. code:: asm



  jmp  $+3

  mov  eax, 0xc0ff0000



Technical Documentation

-----------------------



The existing technical documentation of the internal API is able to be built

with Sphinx. Build the documentation with the following command:



  sphinx-build -a -E -v -b html docs/source docs/html



Credits

-------



Crimson Forge was originally designed and developed by RSM US LLP in Q1 of 2019

as part of an offensive security research and development initiative.