Hiding shellcode in plain sight within a large memory region. Inspired by technique used by Raspberry Robin's Roshtyak

LloydLabs/shellcode-plain-sight

Hiding Shellcode In Plain Sight

The technique is very simple: a read/write (RW) memory region 2048 times the size of the shellcode is allocated. This region is filled with random data (RtlGenRandom), and the shellcode is then placed at a random position somewhere within this massive region on each run. This makes it hard for an AV/EDR solution, or an analyst, to simply see where the shellcode is in memory. To summarize:

  1. Allocate a large PAGE_READWRITE region, 2048 * the size of the target shellcode, aligned to 0x1000
  2. Fill the allocated region with random data
  3. Write the shellcode to a random location within this region and save the position
  4. Change the page permissions to PAGE_EXECUTE
  5. Execute the shellcode (page + position)
  6. Zero the entire large region with the RtlZeroMemory macro so the data does not persist after it is freed
  7. Free the region of memory

Example

As can be seen below, the entropy of the region does not change much at all, so it is not obvious from, e.g., a memory dump where the shellcode is actually situated. The full example is in example_pop_calc.c.

Figure: Memory dump entropy

You can execute the shellcode however you wish; this code simply demonstrates the technique. The technique was originally detailed in Avast's Raspberry Robin writeup.
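To put the entropy observation in numbers from the analyst's side, here is an added example that is not part of this repository: it builds a random 64 KiB buffer, writes a constructed low-entropy placeholder blob (a repeated ASCII marker, not shellcode) at a random offset, and compares whole-buffer entropy against per-page entropy. It assumes a 4 KiB page granularity and uses a seeded Python RNG in place of RtlGenRandom so the numbers are reproducible; nothing is made executable or run.

```python
import math
import random
from collections import Counter

PAGE_SIZE = 0x1000  # assumed 4 KiB granularity, matching the 0x1000 alignment in the README


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def page_entropies(region: bytes, page_size: int = PAGE_SIZE) -> list:
    """Entropy of each page-sized window, i.e. the view an analyst gets when scanning a dump."""
    return [shannon_entropy(region[i:i + page_size]) for i in range(0, len(region), page_size)]


def embed(region: bytes, blob: bytes, offset: int) -> bytes:
    """Return a copy of region with blob written at offset (pure byte manipulation)."""
    if offset < 0 or offset + len(blob) > len(region):
        raise ValueError("blob does not fit in region")
    return region[:offset] + blob + region[offset + len(blob):]


def lowest_entropy_page(region: bytes, page_size: int = PAGE_SIZE) -> int:
    """Index of the page an entropy-based scan would flag first."""
    ents = page_entropies(region, page_size)
    return min(range(len(ents)), key=ents.__getitem__)


def demo(seed: int = 1337) -> dict:
    rng = random.Random(seed)                      # seeded so the figures are reproducible
    blob = (b"CONSTRUCTED_MARKER_" * 64)[:1024]    # constructed low-entropy stand-in, NOT shellcode
    region = rng.randbytes(PAGE_SIZE * 16)         # stands in for the RtlGenRandom-filled buffer
    offset = rng.randrange(0, len(region) - len(blob))
    hidden = embed(region, blob, offset)
    return {
        "offset": offset,
        "blob_page": offset // PAGE_SIZE,          # the blob may straddle this page and the next
        "whole_before": shannon_entropy(region),
        "whole_after": shannon_entropy(hidden),
        "page_before": page_entropies(region),
        "page_after": page_entropies(hidden),
        "lowest_page": lowest_entropy_page(hidden),
    }


if __name__ == "__main__":
    r = demo()
    print(f"whole-region entropy: {r['whole_before']:.4f} -> {r['whole_after']:.4f}")
    print(f"blob starts in page {r['blob_page']}; lowest-entropy page after embedding: {r['lowest_page']}")
```

The whole-buffer entropy barely moves, which is what the dump above shows, but a per-page scan still singles out the page holding the placeholder because its bytes are far from uniform; a payload whose bytes are themselves close to random would shrink that dip, so windowed entropy is a hint for an analyst, not a reliable locator.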
