Game-Changing Advances in Windows Shellcode Analysis

Presented at DEF CON 31 (2023), Aug. 11, 2023, 3:30 p.m. (45 minutes).

Shellcode is omnipresent, seen or unseen. Yet tooling to analyze shellcode is lacking. We present the cutting-edge SHAREM framework to analyze enigmatic shellcode. SHAREM can emulate shellcode, identifying 20,000 WinAPI functions and 99% of Windows syscalls. In some shellcode, some APIs may never be reached, due to the wrong environment, but SHAREM has a new solution: Complete code coverage preserves the CPU register context and memory at each change in control flow. Once the shellcode ends, it restarts, restoring memory and context, ensuring all functionality is reached and identifying all APIs. Encoded shellcode may be puzzling at times. SHAREM is a game-changer, as it presents emulated shellcode in its decoded form in a disassembler. IDA Pro and Ghidra can produce disassembly of shellcode that is of poor quality. However, SHAREM uniquely can ingest emulation data, resulting in virtually flawless disassembly. While SHAREM has its own custom disassembler, we are also releasing a Ghidra plugin, so SHAREM's enhanced disassembly can enhance what is in GHidra. Only SHAREM identifies APIs in disassembly, and this also can be brought to Ghidra. We will also see how SHAREM can be used by aspiring shellcode authors to enhance their own work, and we will examine advanced shellcode specimens in SHAREM. | Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations, for which he did his dissertation on Jump-Oriented Programming, a hitherto seldom-studied and poorly understood subset of code-reuse attacks. REFERENCES: [1] Mds. Research, “Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams,” MDSec, 2020. [Online]. Available: https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/. [2] K. Borders, A. Prakash, and M. Zielinski, “Spector: Automatically analyzing shell code,” Proc. - Annu. Comput. Secur. Appl. Conf. ACSAC, pp. 501–514, 2007. [3] Y. Fratantonio, C. Kruegel, and G. Vigna, “Shellzer: a tool for the dynamic analysis of malicious shellcode,” in International workshop on recent advances in intrusion detection, 2011, pp. 61–80. [4] D. Zimmer, “Scdbg Shellcode Analysis,” 2011. [Online]. Available: http://sandsprite.com/CodeStuff/scdbg_manual/MANUAL_EN.html. [5] FireEye, “Speakeasy.” [Online]. Available: https://github.com/fireeye/speakeasy. [6] M. Jurczyk, “Windows X86-64 System Call Table (XP/2003/Vista/2008/7/2012/8/10).” [Online]. Available: https://j00ru.vexillium.org/syscalls/nt/64/. [7] T. Nowak, “The Undocumented Functions Microsoft Windows NT/2000/XP/Win7,” NTAPI Undocumented Functions. . [8] A. R. Hevner, S. T. March, J. Park, and S. Ram, “Design science in information systems research,” MIS Q., pp. 75–105, 2004. [9] C. Anley, J. Heasman, F. Lindner, and G. Richarte, The shellcoder’s handbook: discovering and exploiting security holes. John Wiley & Sons, 2011. [10] S. Eckels, “WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques,” Mandiant, 2020. [Online]. Available: https://www.mandiant.com/resources/wow64-subsystem-internals-and-hooking-techniques. [11] A. Ionescu, “Closing Heaven’s Gate,” 2015. [Online]. Available: https://www.alex-ionescu.com/?p=300. [12] Hasherezade, “PE-Sieve,” GitHub, 2018. [Online]. Available: https://github.com/hasherezade/pe-sieve. [13] Hasherezade, “PE to Shellcode,” GitHub, 2021. [Online]. Available: https://github.com/hasherezade/pe_to_shellcode.

Presenters:

  • Jake Hince - Cybersecurity Engineer
    Jake Hince recently completed his Computer Science Master's degree at Dakota State University. He was a security researcher and malware analyst at VERONA Lab, working on security tool development and shellcode analysis. Jake has been highly actively in collegiate cyber security competitions (CCDC, CPTC), and he participates in CTF competitions. He works professionally as a cybersecurity engineer.
  • Max 'Libra' Kersten - Malware Analyst at Trellix
    Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as Black Hat Arsenal (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for several universities and private entities.
  • Bramwell Brizendine - Assistant Professor at University of Alabama in Huntsville   as Bramwell Brizendine, Dr.
    Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations, for which he did his dissertation on Jump-Oriented Programming, a hitherto seldom-studied and poorly understood subset of code-reuse attacks. Bramwell is now an Assistant Professor of Computer Science at the University of Alabama in Huntsville; he previously was an Assistant Professor and the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab) at Dakota State University, specializing in vulnerability research, software exploitation, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. Bramwell has taught numerous undergraduate, graduate and doctoral level courses in software exploitation, reverse engineering, malware analysis and offensive security. Bramwell was a PI on a $300,000 NSA/NCAE research grant, which culminated in the release of a shellcode emulator, SHAREM, in September 2022. Bramwell has been a speaker at many top security conferences, including DEF CON, Hack in the Box Amsterdam, @Hack, Black Hat Middle East, Black Hat Asia, Black Hat Europe, Wild West Hackin’ Fest, and more.

Links:

Similar Presentations: