
Shellter - A Dynamic Shellcode Injector

BSides Lisbon 2015 · 1:04:02 · 769 views · Published 2015-07
Category: Technical
Style: Talk
About this talk
AV evasion is a challenge for both good and bad guys. A few tools are around promising to assist professionals with AV bypassing during pentesting jobs. However, they all share the same weakness, which originates from their technical approach based on very strict and quite 'static' rules. This makes it easy to create AV detection signatures that shorten the effective lifetime of those tools quite fast. The result is tools that either work half of the time or require frequent updates by their authors. Shellter breaks those rules and creates a very strong and reliable shelter for your shellcode. In fact, almost all of the updates applied to Shellter since v1.0 were done to make it more user-friendly. Those done to optimize its effectiveness were done because its author is quite paranoid.
Transcript [en]

uh anyone that doesn't understand the Portuguese okay with me so yeah the book page about Shellter then i'm recording Dethklok talk more about it it's a tool that i started developing on my it's already more than two years ago this of course of being not free time in my free time but still a sort of work so yeah this introduction my name and police where senior directly speaking at messe and with yeah we're at out of europe yet um so these are my way my gloves and the single point about Shellter I think I Pamela working it cute grd these are some of the main us I'm doing my work so well if you have a passion for any for

any of these coming up to me later on so let's start talking a little bit about shellcode injectors in general yeah that's a realistic shellcode injectors suck they suck big time and I'm going to explain why first of all all stopping or predictable vintage locations it's going to be in a code embedded in ending file or at a new section with those permissions blah blah blah so this is further they might just pass the entry point just put the cross section jump do not sexual or just hoping a variety entry point code they rely these are not properly hopefully starting rely on recognizing some common compiler endpoints visual studio etc and they just try to be no worth or locations of

the type ingenico there instead of doing it directly in the entry point but all this is very easy to find something as I said my just had a huge section and this month I did appoint start executing darkly there so they avoid very funny so I jump to another section directly in game point but of course using the binary the first section is is the section that falls basic double gold and gained upon the scores of the main one so this is variability for a viscount's of course you've got some you might help might have a case of like just say other pillars whole back entry so the don't need to would fire a three point but

finish the busy season to find the scan with the degenerate can find the pointer that just goes come of course Pacific and a be a be smoother so what can you do if you use one called payloads not totally busted there are many vendors that can detect specific patterns of shellcode from generated from a display usually overset all-terrain x minus one has the entry point of it is very similar so what kind of you then you have to go to payload so you need write execute permissions were you able to do it so there were two usual just change section permissions in specific section where they have put it other peaceful in already existing section in the code

cave or they just create a new one yeah so so then a primo rather sleep just use final exam other phase at bay which is still not too bad but still look very dynamic you have my factory which it can read it maintained excuse not the reason application while make sure your circle but this is assuming you have bypass Vav in the it's not mention about bio factory uses the autistic need to do that starting but the entry point and done through to my cell phone we start on the same style and it has been driving second term issues you can test this one you will see it's not really good and some specified here so let's say this is an

achievement be fine so you have for example um an example I cell phone interpre- they're going to point to the code came first section and I feel you have any coding error that needs to be called itself you need to rewrite rescue permissions this is very guilty usually has specific permissions for each section of the meeting require so called Texas pub read execute data rewrite our data ceremony called a more stable to be just read and so on this is another case that's done from the air 3.2 offended code in the results section again you need to if you want to execute the code they're not mine doesn't have extra provisions you need execute if it's also

called this because instead of full access or it gets us create initiation with full access again really bad or just change the permissions in random section again politically vodka very which you find enough space so yeah it's totally bad but hopefully this is where I I come in the game i decided to totally change all this and this is my main motivation so creates under is truly dynamic doesn't rely on static stuff for example don't look without passing a three-point cross sections on etc don't change if you point to be in another section so not used to be the base sometimes they use that main executable where they usually in take their logical operators the loader loaded but then they have to

stick with from template which makes it makes it more easy to create a visa me inshallah but you still need support in both payloads it's very important we need to avoid relocation fix-ups you can't just inject anywhere in the binary because you might fall in the relocation table reference might break just modify your code and of course we know so when I just overwrite any code because my might be said no defined so that we pray for so-called run back and of course way to be a sign i'm as possible and still manage to arrive who are rejected code without breaking execution before pinga so that does not continue execution of the main application this is us to

bypass the AVS as a pen tester we have problems injected and got blowed it on your dinosaurs I do functionality to actually continue but when the execution of the main application is between to fall back on the same or bad things that all the others to append accord in another section to these that I had some ideas from dynamic and still have reading the same functionality but this is totally out of scope for this right now so some first steps I started up 2015 first release was in DC London may 2015 then virus updates I added different operation modes we said oh so no answer I actually needed by the user always several five six years the musicians

then I made one but compatible it has some issue the tracers or how to change some things I mean initially had two periods ones as for window transas for wine push compatible you back or fixing some issues then I Marisa I come online that's all the more important of the two others what makes mortgages friendly so it started as folk and then kept developing everything so moving on the automatic mode nouns can become a the users of liquid understatement handlers which means that Shellter basically does it doesn't need to have for example tales from issues on a section to use your coded payloads and it can also take advantage of their original report it won't stay below the application so it's

going to partake what state work will find the combination of heavy eyes can be used to allocate relied upon its global memory let me rotate basically but doesn't work as i rotate but this is what you will be dropped or a tailor next but try to find important functions make a combination that work for you so it is most more customizable now if you come online it does auto backup there is another secret of all they're not the base model he produced context that work for norfolk hedging so basically and generate code go to skate some stuff that i'm going to show later without breaking the execution of that hole and still make a totally different than time

or at least a lot different so this is a polymorphic code that doesn't break the third oldest so repositories with one of the first places of us combined with 1.7 sunday night so and then 3.1 which is there is their latest public release and i think in part devil one in stock ready fax it so let's say that it is the public release so this whole bad boy movies excuses Factory in the world and one or leaves mark affordable most of that required know as the dependencies doesn't affect our size of what you use but you get enough XP a place emma roberts supports a 50p pillow cellco it's of course compatible with and that

and Cody as long as 24 you submit works and fix that so these are some computations for allocating memory username what's table of application if it finds these things is going to be no c'mon met in the prandtl we use it for you in mind what you can select which lengthening to use and it will actually make calls to members table like 10 or more casually spoon is using those reported cushions but it has a plan B if the binary argue she doesn't support as important those include guys whether your inaudible Shellter will just automatically switch to change the section publishers because it doesn't want you to doesn't make yourself one with work so this is just basically a

plan B if can't find the magic wait wait because just can't dysfunctional reporting it will just switched the method for images go will change the section permissions permanently some canoes called payloads so there is also polymorphic type o dancing that just quit random call that doesn't care about the thread context this is your source in order to make salsa maybe you laters and son boxes had some random loops and things like that was good slow down to execution before you actually read something that is meaningful way in a beetle tech and user the user can use polymorphic code official instead of time to the ends in place for you ill and submitter or by Merrill when working all that you

create for yourself converse with you lot so more people as i said its usual gave me part of the injected code that we don't want to break the execution you don't affected the thread context it actually takes advantage of dynamical collects information from the actual really squished frog application it has new lobes while you rest and doesn't featuring so you can tell you later okay at this values would be the same every time round application so this is a unique feature it was always there from the first thing is the only difference was up to quite there is some updates now so later that totally automates some stuff and that's ematic there it as a

safe and exit with fine hole and receive a mooted applications you can just place all the threads so it's more safe you don't want to inject into a code that is executed not fret and then might overwrite partially if function is executed by a thread which is actually executed before a friend up execute other part of the code or partially overrated so it's better to keep track of four threads and as I said put my name in text from locations based on the execution flow so looks awesome not yet this is set a virtual for it introduces some awesome stuff and makes it even more user-friendly and better for a user so first update in fast injection

organization in auto mode so I'm going to explain what this is so I to version 3.1 in what we were using this in night mode we just use that location available from the list this is also meaningful in terms of how deep in the execution floating go so this is but in other mode because you want it's completely automatic set we just traced application for 30 seconds whatever it can't raise for 10 seconds and then we'll stop in a magic shield with the next stages so you don't have to interact with it so a lot of work because sometimes you use that in the same machine you would basically use the same binary exact they're

different cellco that more or less has the same size and things like that so in 30 seconds you might office not the more you might just always speak the same injection locations in the same battery different sessions from using the tool which totally makes sense so settle for randomizes this over a percentage of the last available section locations deep down in the execution flow so we'll just take a percentage efficient use on one at random so even if you use the same application the same amount of stress destructions same child rejected gold you will still be in another place so I'm very bad with our toilets but before it's okay but that's it so and this

brings us now to the proprietary got older it was about time to introduce this in point to explain why so does a random selection of some operations the golden happens with higher in a higher level 70 plus and then randomized is the user of counterpoint data registers generate the bit colder in an assembly big operation were picked up so the decoder is not starting not even the register users in the generating assembly I the amount of structures notes it's not same the company on the same the registered users would say and after he does everything dust generated accordion assembly and binding the payload and email or so shaded using thread context-aware polymorphic code

which makes it totally like obfuscated during the live demo sponsored event that brings us to their beds and that's why i had to introduce da corner before actually introducing embedded payloads because as I said it's good good hey don't encoded many companies recognize specific patterns of metasploit shellcode so hot first with the my own reporter so you have to figure the payload from center and they said they will like a cone and it will appreciate a decoder if you want which is recommended so this is the i am very basic payloads a lot of people use meterpreter reverse if I'm sell investors direct and bind in execution come on I think most people probably do when you want to inject to

upload the banner and probably need most of the time I just need one of those can so this is an example vehicle TT is the binder where you won't reject we serve as a pair of method requested speaks and VIP support you say who said to set her up on this thing and call it so encode about 100 people that the state will not change section permissions I want to obfuscate it with older so in spoiling older and also want to escape the portal stay 100 so I have become passive fully yet and so this basement explanation of why 33 so it's basically what that I was in stride enough and this brings us to the

next version for reflected here others no just simple anymore you can actually also pick on if I said there as well it's going to be three there's a normal say both you can't exactly take the other end and go did it first of course text for the reflected glory function so that together launch itself memory so yeah now because us build something cool in a in a small tll like this one dll file and put some basic functions there like a mini riot or download and execute sauce with the reason application be very handy so you still execute original problem program like a standalone applications someone and just maybe that's more for a rating thing that so

the downloader then it's going to download the original executable back you will execute its only user will just see the original one right because you know just call me a higher than lands like plus facile you kind it's more flexible from the user people things like that and this is an example for usually as I say the real oh is that one I say this is a reflective to the selected loader and this is a function name of the reflected glory son together and Cody's create I want to handle to be important to stay from the first table for in the odor of shareholder there yet and artwork and that bring that brings us to the place which is this is an

awesome feature how to change a lot of things to make this work idols I mean just to see it working this hard I don't know any other two that something it actually automates reused formation as an only keys no mind of interaction anymore you surgeries were totally focus for you it will open figure Eight's the virus I can be used as a coating keys you don't need to park opening it a key anymore the value is going to be on the month ICP registers were never this beautiful arrives there all you said there knows what the key was and the decoder it just needs to grab a pie from where it's time we use it for you know if your

extraction you have an analysis forth just like I think try to emulate over the loop of the decoder is no key there unless you actually execute the binary and you get to the point where the key exists none of the registers you don't know what they keep going about the keys so this is on by design permutations that you can use when you use certain a simple lines as having the paper holder of course exhibits recommended it we don't have a andean condor here so you should help you you would have to chase the sexual permission something good or you can just our payload again and just add some of a polymorphic can hold that

doesn't care about thread context us randomizes generation of random gold time moves slow down the execution before you actually get the payload or you can tell something like that start or you can have some meta so in this case you have any 800 I so so it means that people need a special permission for anything so little holder can take care of and coat the payload clarity or in the health this and suck everything together so it takes more time to arrive in there today the handler which then when will handle the memory for you to find a place in dispute orale I look remember where you have a low time to call itself trust your execution there

the politics takes over and then you go on the payload and then a variation like that again in this case when I talk to you about the coder article about set you can also submit and already noted payload from better spray doesn't break and shelter just to make fear this is centered coder your payload can be also encoded by whatever you want if you were going to said it earlier holy so the colder here is saturated folder if it's already called it it cut Dakota stop depended no problem just to save her I'm worried referring to a support that center uses you can already values what everybody what so let give some prairies to Francisco google water and colleague

will so that he suggested to me you might turn out we might put i support the reflective dealers might be a nice thing for some conscious focus he's thinking higher and Lance still injected into an application and it hold it so so I'm going to pass to do some live demos right now I believe that's what you must be expecting

so just for testing right so I get a lot of people who want to use this from cali another attack from windows even though i also saw this using the tools on both so just are the silence makes more sense for most of the beauties

gosh so yeah right so I have some sort of someone you want let's see let me solve em I see maybe or i usually like picking up small banners like it's a good thing for that is safe people just have a windows relation I mean I sold some programs just going to pick up the animals for boutique say that they generate they are small girl standalone you need used on the run applications anyway and they are very good but not alone small on how to clear bias from Adam kilobytes awesome of course this leave it to you what what you can inject I mean you want to inject the other girl L this one metal bike you can use a pick

up something that can feel right alright so let me just use it's just ejection or most people know about

so our self in the mic then so the options individual and then we can use automated mode to utter command line into everything the other mode can also work falcom online in that case just automates everything just requires from you that the basic input but the you can just customized to home online and maybe not enable an optional or something else minority just totally specify everything

so this is actually passed if you put a little bit Nashira the vessel gas will gather dynamics information this is used if you want to later use as a set an unfair context keys and things like that I'm not going to use that I things now in the next example of so this is work so number of distractions just put the number of instructions actually referred instructions is hadley being fine it actually traces a lot more on what you are going to see but it ignores structures executed outside of the p5 doesn't care about which the task people want to take 475 holborn racing so it can do it can take 475 point with real

arm or increasing and it will also difficulty neighborhood is fine you will also to be circulated by ejecting dress or friends yes so real-time pricing know so Tracy starts as I said these are effectively structures inside the be fine after the race is a lot more of the beings very interesting racing I'm not going to place follow them this config file on this one it's racially to be is in the morning trade you download the execution flow so so better for an ATF agent Weiss stuff so it's fine you can interact wait so it's going to ask variable payload from this leash to submit the castle I will submit your custom a payload generated from metasploit 10 and saw me but just

because I made the show convenience i'm going to use on my who can choose middle very ready for some

so I'm going to need this information

or a game up with whatever you want just to the fourth one so then what would be called the data etc and yes we do and do all do off the ship oh yes you won't make as complex as we can so it's such a randomly and this stage may take a few seconds because doesn't use like startled right to retain and bind everything together so it needs to be very accurate what does ancestry called a dragon without following specific things while you break it context which is very important at this days right so 12 ask if you want to use important dress type of handlers or the same section permissions I would say of

course we won't take from stable handlers the binary supports these methods we see if it'll ever use aqua tank will not vary the preparedness and verified mapping Matthew 05 combinations so let's try great fight puppy crate on moving and then mar 05 what people would use which all other but i don't painting and it's going to ask if you were top state but under as well yes would all say that work so we make it us polymorphic and then I'm as possible

tasty said it was freshman being autonomous force word doesn't want to generate the same thing for the diamonds pity to be very accurate what 10 raised interstates it's very boring and it will but i'm going to prevent point more people this refers to polymorphic time cold cold that doesn't care about the thread context it's going to be just above everything else is to slow down before we actually enter meaningful code a little some just prefer i hear it as if you will use up let the end wait for us when you use the engine and let's say generate 300 bites approach something of polymorphic tackle this is even more random because doesn't really care about thread

context and it give us a note Oh 27 inches for example if I say yes it says that for now you have like 60 locations available certain technique and you can see actually those distractions for example I've put on it so let me start started 30 and platform so it just shows you a list of addresses and what are their aerial structures are so big one look how will the school the last one is fine so where is no right then so what we need to do now is of course need to start there nice hungry here

in the meantime going to transfer the spider into the windows

try to call you basic right

this is my host Mike recession ended up fighting here so

I go back to this

right so another execute binary from here 20 some time machines right that's us for a few was just very delayed or it's still probably oh yeah I'm forgot to configure my my settings here

okay so but it's not simple as that how to show you what the heck is going on otherwise you say that silly things that don't do I don't like that so I'm going to go we have here the brittle address and the object of we're actually a cold who's detective we're going to examine this we followed butter so that you actually see what's going on well that's poking into a point so I'm going to 47 654

right

right so okay this is very bad so this is a sample of sample I doesn't care about colleagues now you're going to see that some random or subjected clear example just random locations and then since returning back doesn't get about that have some time to looks here that's a good to keep looking at doing some random stuff as I said it here doesn't care about thread context more looking code here is full two totally different this time some random poll is exactly that poor random fake functions in the binary this is all one more time code it doesn't care about execution flow of the application and somewhere here fine but so somewhere here I believe it's the

beginning of the obfuscating hundred on Tuesday or the dress table functions to allocate memory where you can copy your [ __ ] out there and start XP so I think this is the first effect exception of the handler 20 and then a lot of randomized gold there is another effective structure here a lot of random is cold and then course played by mocking then randomized code whatever there is another effective instruction here randomizer again it's like not effective stuff there another here it's another one here and let's go downward actual course module file finally so if I say the break one there right so course that and let me know scroll down let me find a very rustic

but it actually cop is the shellcode this is randomized called so uh yeah this is going to copy the shellcode we're not all capable let me just use magnify so you can actually so let's go so the actual shellcode is located where the organization and it will trust ready to eat where EDI points which is possibly right action permission are allocated by combination of great value marking and pop you file

just going to copy everything there and then we're already here you just don't and now so this is the appreciated decoder so it's the decoder that shelter generated and then we decided okay it before so this is all shady be colder so let's find some useful instructions here you see just called the next the next action there is to find a place they calculate the relative motion there is a lot of time code and then invasion of Isis press that iron by state so let me go buddy so there's a lot of let's find some mad coding operations 20 so this is a recording operation you see it as something where API point soon we'd be

another registered which is randomized just happened here another VDI I points to shellcode in the allocated memory this is really from the prospect target before and this is not a hard-coded key see that testament album game we didn't use the non technical information from coalition that key is reporting you can also see here another operation there is charcoal there is no operation and other is an operation here so all these operations are very people for every for bias so one operation for its like the random number of operations / 4 bytes of the shellcode multiple holding here is another effective instruction then just a lot of junk off yet this is another effective suction some goals and all

other things and I scroll down to the end with a decoder loop ok here is that you see it has not coded the experts at home this is a main folder it initiated use exs come next time happy but this is an example so now I'd like to show doing the magic by using dynamic level information so we don't have to cut for the kill you don't you don't know what is the key you won't see the key until you arrive at that point when one of the registers that's going to be picked up will actually call a colleague

so let's try going to use another binary I'm going to tell you this one are no district honorific MRC this is frequently megabytes sighs make you want smaller binary but you can just use a select random subtle only if you don't play with now now i'm going to use the command line so it is more meaningful to you as well so we said target which is MIT which has the payload can do with this particular command if you want let's say it is execute this is a window unit sick and I want the displace you can see any details to show another hello I want to use the nograkh context keys this implies that the cell called

lot they don't want to pay coding for us you don't need to specify the specific old I want to what I'm moving up waving the parts so it's more clear sunny man choice he had a while ago fateful becomes very complicated you cannot see actually the real goal that was generated so is this enough let me try I am really specify also how we want you would start handing want to use someone specify important stable again which is that most dynamic best way to do it

so now the tools would bottom identity for you so just grace for about 30 seconds and i will proceed by itself it would choose the encoding key from tentacle exclamation which registered to use at one point and code without value created colder bind them together and carry one consejos left we didn't you say ok sir so much faster you didn't have to generate a lot of code to the engines start like that so I'm going to bring this now again my host that's if my predecessors didn't together I'm surprised ok so so this now is just supposed to just lock and voila so what I'm going to do now right so let's go back and see how none decodes because

it's not going to use a hard Kentucky so I need to go back and just

to see what is a days extra knockers so can go about in the darkling lightweight but now if there is no education so we're going to actually see it's of course your comment a beautification because this kind of my fellow guard makes it very difficult to read detection skills so this 6252 right so again 60 right so there's no sched now so it's clear it does cause low battery I paper others want to put a breakpoint here to see it's very clear not what it's going to do just gets the the other super tall it's going to pull it then it's going to copy nothing there and now it was yes from the start and this is

what it's going to be our key now it's a get inside this is the actual value what eh should have been a real vacation without no injection a lot more it's not something that Sarah Kuta event you see some operations that work it up to involve this one so going to you see it's going to start phone you know who CBS as a counter top in the game if the Irish picked up as a point about snow fight that's amazing so let's see today's but you see that it uses the value in years to decoding this value is not set by me if I go back and I I start everything stoned again what happens is

before entering the handler the tons that memory allocation and everything you see it has a [ __ ] yet because at that moment it felt violent the decoder crazy use that file to encoding so before we need to shave that value of a stock that's why we push on the stock and we're going to pump it up so i use it as a key when they go to meet so this one sent by means thus the if you're on the original back of the line a dull moment in exiting from in the x-rays so this is a i think this is a very nice feature I don't know any other to the kinetics about love so but this attention about

the thing with no need I called the key of course this might have some mom I never had a failure it was really risky I didn't never fail to my my tests so we're welcome if you use the spoon you're welcome to to use that unfair context keys and see that every we fail but I never had a failing adults it seems to be very sickening I do some wine of course on filtering something it's not random so no which raised to minus beta web so well you can't very fit so Commerce time five minutes yeah what am I think I'll just let you ask some questions now do not have much time that same way I can

approve these binaries on the bar so that if you want note the second one because if they use it oops casement so it's not but the first one why not so let's see

so I know specific exemplar has also a couple of false positives from somebody vendors so I'm were already two detentions maybe was not the best example but it's fine you can't blame your own see what results she won't get

I'm already expecting top of results a couple of detection at least because i know this way she hated a driver just original file its kayla double for bringing some hospital it's fine our clothing fine because it saves might not otherwise no i don't like so let me go back in the second is to do it from here if it's something the sound box

so guys had told me on twitter i'm [ __ ] because I upload I know when I knew trust me I wouldn't waste more up two years of pork I think that happy lean I'm not too big not one hundred percent listen so what I think up there are met by Q oh right here yeah oh yeah yeah and I dunno about bb-8 but the others who are commonly got the van is the reason oh yeah the sauce goes free I could use another it's funny because if these given us the specific binaries that pipe themselves very like my abs then you use our miners like booty and things like that and you go totally

undetectable oh so how much time can I have five minutes who is this a booty yes you supporting all right the pc if i have here and I or use so let me use steam see the steam team is not bad and I can also use it from less used from my windows time it's right it's fun unless example there ok so I'm going to use think let's see what happen should speak I lasting right I'm going to use it fully a little bit move look one line no nothing just automate just give me skin looking said I stop will just select the payload latest it's live data for a fresh you so much you

got goat sample some bars but only once again just that makes we use of educational and everything so makes their life very hard that's all I want ok so this for hope let's do the gates of the quake soldered shut up versus the specs you continue to do everything by itself if you use favorable combined monthly neighbor for the features so it won't all skate everything

for their cycles social vm so so it rather we beat up one of the methods to amuse me to a lot of design and it's going to now that we come with knowledge being appreciated and it's going to add some polymorphic on hold on top of everything just for the sake of you to execute more instructions before arriving to the effective forms of done so if i just found Steve she takes some time to actually ask you the commander is because of the of the turncoat we have actually depend and then both so let's add this thing to the bar spoken oh yeah that Explorer does a long forgot

hopefully we are going to being a better time a little who used by euro by here or javi maybe a nice abs for tall people like me I don't know there is justice patrol to take everything so whether it was very well so just wrap up everything