Polymorphic Shellcode — SecurityTube Linux Assembly Expert 32 bit — Exercise 6
Onward to the SLAE32 exercise series; today we have the exciting world of polymorphic shellcodes. Let's define it before we delve into it.
polymorphic(adjective) : occurring in several different forms, in particular with reference to species or genetic variation.
That is the dictionary meaning of the word, and in our case it means a variation of the existing shellcode. Now you would ask why we need a variation. The answer is simply that we would like to obfuscate or hide our shellcode in such a way that it's not detected by an IDS or any other EDR. These solutions have a static dictionary/database of signatures of existing shellcodes and their variations. These signatures are samples of the byte patterns (viz. loading eax with the syscall number, calling int 80h, etc.) commonly occurring in shellcodes.

Now for the big spoiler: modern EDRs and IDSs have far more sophisticated algorithms to find out whether a payload/binary is a shellcode. They employ heuristics, emulation and other methodologies to figure out what the shellcode is doing. In fact, if emulation is part of the filtering solution of an EDR, it would catch *almost* all shellcode payloads. I will show you below how running an emulation on a shellcode tells us what the semantics of the code are; it's really fun and nifty, and I will be using the unicorn engine as usual :)
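To make the "emulation sees through byte-level variation" point concrete, here is an added example (not code from the original post or from the SLAE course) that emulates a tiny 32-bit shellcode with Unicorn and records every `int 0x80` together with the register arguments. The two byte strings are constructed samples: both encode `exit(0)`, but with different instruction choices (`xor eax,eax; mov al,1` versus `push 1; pop eax`), so a byte signature written for one misses the other while the syscall trace is identical. The helper names (`trace_syscalls`, `same_behaviour`) and the load addresses are assumptions of this example, and it assumes the `unicorn` Python package is installed (it degrades to returning `None` if it is not).

```python
"""Emulate a small x86-32 shellcode with Unicorn and record its syscalls.

The idea: a signature engine compares bytes, an emulator compares behaviour.
Two shellcodes that differ in every byte can still produce the same syscall
trace, which is what an emulation-based filter keys on.
"""

try:
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_32, UC_HOOK_INTR
    from unicorn.x86_const import (UC_X86_REG_EAX, UC_X86_REG_EBX,
                                   UC_X86_REG_ECX, UC_X86_REG_EDX,
                                   UC_X86_REG_ESP)
    HAVE_UNICORN = True
except ImportError:            # optional dependency: pip install unicorn
    HAVE_UNICORN = False

CODE_BASE = 0x01000000         # assumed load address for the shellcode
STACK_BASE = 0x02000000        # assumed stack region
SYSCALL_NAMES = {1: "exit", 11: "execve"}   # i386 syscall numbers of interest

# Constructed samples: two different encodings of the same exit(0).
EXIT_A = bytes.fromhex("31c0b00131dbcd80")  # xor eax,eax; mov al,1; xor ebx,ebx; int 0x80
EXIT_B = bytes.fromhex("6a015831dbcd80")    # push 1; pop eax; xor ebx,ebx; int 0x80


def trace_syscalls(code: bytes, max_insns: int = 10_000):
    """Run `code` under Unicorn and return [(name_or_number, ebx, ecx, edx), ...].

    Returns None when Unicorn is not installed. Emulation stops at the end of
    the buffer, after `max_insns` instructions, or when exit() is observed.
    """
    if not HAVE_UNICORN:
        return None

    mu = Uc(UC_ARCH_X86, UC_MODE_32)
    mu.mem_map(CODE_BASE, 0x1000)
    mu.mem_map(STACK_BASE, 0x10000)
    mu.mem_write(CODE_BASE, code)
    mu.reg_write(UC_X86_REG_ESP, STACK_BASE + 0x8000)

    calls = []

    def on_interrupt(uc, intno, user_data):
        # Only the Linux syscall gate is interesting here.
        if intno != 0x80:
            return
        num = uc.reg_read(UC_X86_REG_EAX)
        calls.append((SYSCALL_NAMES.get(num, num),
                      uc.reg_read(UC_X86_REG_EBX),
                      uc.reg_read(UC_X86_REG_ECX),
                      uc.reg_read(UC_X86_REG_EDX)))
        if num == 1:                       # exit(): nothing runs after this
            uc.emu_stop()

    mu.hook_add(UC_HOOK_INTR, on_interrupt)
    mu.emu_start(CODE_BASE, CODE_BASE + len(code), count=max_insns)
    return calls


def same_behaviour(a: bytes, b: bytes):
    """True when two shellcodes yield the same syscall trace (None if no emulator)."""
    ta, tb = trace_syscalls(a), trace_syscalls(b)
    if ta is None or tb is None:
        return None
    return ta == tb


if __name__ == "__main__":
    if not HAVE_UNICORN:
        print("unicorn not installed; nothing to emulate")
    else:
        for label, sc in (("A", EXIT_A), ("B", EXIT_B)):
            print(label, sc.hex(), "->", trace_syscalls(sc))
        print("byte-identical:", EXIT_A == EXIT_B,
              "| behaviour-identical:", same_behaviour(EXIT_A, EXIT_B))
```

The interrupt hook is the whole detector: whatever instruction sequence the shellcode uses to get the syscall number into eax, the value is only meaningful at the moment `int 0x80` fires, so reading the registers there gives a trace that is independent of the encoding. Extending the table (`SYSCALL_NAMES`) and dereferencing pointer arguments in the hook is how such a filter would then classify what a payload actually does.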
The exercise here is to understand and learn how we can use different instructions of the x86 ISA to…