Rust Shellc0der

Shellc0der - A Rust Shellcode Encoder

First of all, the source code can be found here.

This encoder supports several ways of changing the original shellcode:

  • Block Reordering
  • Payload Encoding
  • Instruction Substitution
  • Dead Code Insertion

The default functionality is the following:

    1. Divide the shellcode into blocks and reorder them
    2. Encode the full payload
    3. Generate a unique decoder stub, insert dead code, substitute instructions, …
    4. Combine the stub and the encoded payload and write the result to the output file

Block Reordering

Block reordering works in the following way:

    1. Disassemble the payload (using capstone)
    2. Find all JMP, LOOP and Jcc instructions and patch their destinations by inserting newly generated labels
    3. Divide the instructions into blocks of X instructions each
    4. The first and the last block stay in place
    5. The middle blocks are randomly shuffled and glued together with JMP instructions

It looks something like this:

[Image: Block Reordering]

Payload Encoding

The basic structure of the encoded shellcode looks like this:

[Image: Structure and Stub]

    1. The initial shellcode is XOR-encoded in the following way:

[Image: Encoding Chain]

Note: every block is a single byte.

    2. A random decoder stub is generated and placed in front of the encoded payload
    3. The registers used in the stub are chosen randomly on each run
    4. Additionally, dead code snippets (random snippets, in a random number) are inserted into the stub
    5. Steps 1-4 can be repeated for an arbitrary number of rounds, as seen below:

[Image: Execution in several rounds]

Credits

The inspiration came from: