k4yt3x/lexicon

A low-entropy shellcode executor that encodes shellcode bytes into common English words, with anti-debugging capabilities.
Lexicon

A low-entropy shellcode executor that encodes shellcode bytes into common English words.

In short, many security products use the entropy of sections within binaries to determine whether they contain encrypted or obfuscated code. By encoding shellcode bytes into English words, we can create a binary with very low entropy, which is less likely to be flagged by such heuristics. You can watch Will Summerhill's presentation "Simplified Malware Development - Entropy and Other Techniques" to learn more.
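To make the entropy argument concrete, the script below (added here for illustration, not code from the Lexicon project) measures the Shannon entropy of a constructed uniform byte stream before and after word encoding. It assumes a hypothetical 16-word table that encodes each nibble separately, a simplification of the project's per-byte word list.

```python
import math
from collections import Counter

# Constructed 16-word table: each byte is encoded as two words (high nibble,
# low nibble). This is a simplification of the project's per-byte table,
# chosen so the script is self-contained; the real word list is not reproduced.
WORDS = ["apple", "bread", "cloud", "dance", "eagle", "flame", "grape", "house",
         "ivory", "jelly", "knife", "lemon", "mango", "night", "ocean", "piano"]
WORD_INDEX = {w: i for i, w in enumerate(WORDS)}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for a byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encode_words(data: bytes) -> str:
    """Encode raw bytes as space-separated dictionary words."""
    return " ".join(f"{WORDS[b >> 4]} {WORDS[b & 0x0F]}" for b in data)

def decode_words(text: str) -> bytes:
    """Inverse of encode_words; raises KeyError on tokens outside the table."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("odd number of word tokens")
    return bytes((WORD_INDEX[tokens[i]] << 4) | WORD_INDEX[tokens[i + 1]]
                 for i in range(0, len(tokens), 2))

def entropy_comparison(payload: bytes) -> dict:
    """Entropy of the payload as stored raw vs. as the word-encoded text."""
    encoded = encode_words(payload).encode("ascii")
    return {
        "raw_bits_per_byte": shannon_entropy(payload),
        "encoded_bits_per_byte": shannon_entropy(encoded),
        "size_growth": len(encoded) / len(payload),
    }

# Constructed stand-in for an encrypted payload: every byte value appears equally
# often, i.e. the maximum-entropy case that section-entropy heuristics look for.
SAMPLE_PAYLOAD = bytes(range(256)) * 16

if __name__ == "__main__":
    stats = entropy_comparison(SAMPLE_PAYLOAD)
    print(f"raw:     {stats['raw_bits_per_byte']:.2f} bits/byte")
    print(f"encoded: {stats['encoded_bits_per_byte']:.2f} bits/byte "
          f"({stats['size_growth']:.0f}x larger)")
```

A section-entropy rule that only fires above roughly 7 bits/byte sees about 4 bits/byte on the encoded text, which is why that heuristic alone is not a reliable indicator; the payload regains its original entropy only after it is decoded in memory.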

Here's a "Hello, World!" shellcode encoded into English words:

(image: "Hello, World!" shellcode encoded into English words)

...and this is what the shellcode looks like when it's encoded and stored in the binary:

(image: the encoded shellcode as stored in the binary)

This project was originally part of the CyberSci CTF challenge Vector Veil. It was removed from the challenge before the competition, but I thought it might be a useful tool for bypassing heuristic-based security measures during pentests, so I decided to release it as a standalone project.

Features

Aside from the basic shellcode encoding/decoding functionality, this shellcode executor also features the following anti-debug/anti-analysis techniques:

  • Stores the DJB2 hash of each English word in the lookup table instead of the plaintext string.
  • Detects debuggers by abusing the SIGTRAP signal handler and calls exit(0) if a debugger is detected.
  • Obfuscates the control flow by manually overwriting the main function's return address with the address of the allocated shellcode.
  • Hides the allocation of r/w/x memory in the _init_array and the main code in the _fini_array, so that main appears to be empty.

I might add more in the future for fun.

Usage

Using the Built-in NASM Template

This repo contains a built-in NASM template and shellcode encoding tools that let you easily create a binary that's ready to be deployed. All you need to do is write your NASM code in the src/shellcode.nasm file, then compile the project.

  1. Write your own position-independent NASM shellcode program in src/shellcode.nasm.
  2. Compile the project by running make. The shellcode will be automatically compiled, encoded, and embedded into the output bin/lexicon binary.

Using Custom Shellcode

You can also supply shellcode you have prepared yourself.

  1. Save your shellcode as a raw binary file at src/shellcode.bin.
  2. Compile the project by running make custom. The shellcode will be automatically encoded and embedded into the output bin/lexicon binary.
