Presented at DEF CON 32 (2024), Aug. 10, 2024, noon (105 minutes).
CODASM aims to decrease a stageless payload's Shannon entropy, which was found to be a simple but effective detection vector used by EDRs. It's a Python program that processes arbitrary binary inputs and produces a C program consisting of two parts: a buffer holding generated x86-64 ASM instructions with the original payload encoded into them, and a set of functions that can decode the ASM at runtime. The buffer is designed to be compiled into the final payload's .text section, so it looks like regular (though non-functional) code to AVs, EDRs and analysts. This encoding effectively decreases the payload's Shannon entropy but comes with a significant increase in output size. The demo will cover usage of the tool and dissection/reverse engineering of the resulting payload.
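The detection vector the abstract refers to is the per-byte Shannon entropy of a section or buffer: encrypted or compressed payloads sit close to the 8-bit maximum, while ordinary machine code and text sit well below it. The following scanner is an added example for readers who want to see how such a check is computed and why an encoding that spreads a payload over code-like bytes lowers the score; it is not CODASM's code nor anything from NVISO. All sample inputs are constructed inline (a seeded pseudo-random buffer standing in for an encrypted blob, and a repeated ASCII fragment standing in for low-entropy content), and the window size and 7.2-bit threshold are illustrative assumptions, not values the talk specifies.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    # H = -sum(p_i * log2(p_i)) over the byte values that actually occur.
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_windows(data: bytes, window: int = 1024, step: int = 512,
                 threshold: float = 7.2) -> list:
    """Slide a window over `data` and return (offset, entropy) for every
    window whose entropy is at or above `threshold`.

    A high-entropy run inside an otherwise low-entropy region is the
    classic "packed/encrypted blob embedded in code" pattern that section
    entropy heuristics look for. Window and threshold are assumptions."""
    flagged = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            flagged.append((off, round(h, 3)))
    return flagged


# --- constructed samples (not real payloads) -------------------------------
# Stand-in for an encrypted/compressed blob: seeded PRNG bytes, so the run is
# reproducible offline. Expected entropy is close to 8 bits per byte.
_rng = random.Random(1)
HIGH_ENTROPY_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

# Stand-in for low-entropy content (repeated ASCII). Real machine code is also
# far below 8 bits per byte because opcode and operand bytes are highly skewed.
LOW_ENTROPY_SAMPLE = (b"mov rax, rbx; add rax, 8; ret\n" * 140)[:4096]

# A "mixed" buffer: low-entropy content with the blob embedded in the middle,
# which is the layout an entropy scanner is meant to pick out.
MIXED_SAMPLE = LOW_ENTROPY_SAMPLE[:2048] + HIGH_ENTROPY_SAMPLE[:2048] + LOW_ENTROPY_SAMPLE[:2048]


def demo() -> dict:
    """Return the entropy figures and scan hits for the constructed samples."""
    return {
        "high": round(shannon_entropy(HIGH_ENTROPY_SAMPLE), 3),
        "low": round(shannon_entropy(LOW_ENTROPY_SAMPLE), 3),
        "mixed_hits": scan_windows(MIXED_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "mixed" case is the one worth dwelling on: a whole-file entropy figure for MIXED_SAMPLE averages out to an unremarkable value, but the windowed scan still flags the offsets where the blob sits. That is exactly why lowering the entropy of the embedded payload itself, rather than padding the file around it, is what defeats this heuristic, and why defenders should not rely on section entropy alone.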
Presenters:
- Moritz Laurin Thomas, Senior Red Team Security Consultant at NVISO ARES
Moritz is a senior red team security consultant at NVISO ARES (Adversarial Risk Emulation & Simulation). He focuses on research & development in red teaming to support, enhance and extend the team's capabilities in red team engagements of all sorts. Before joining the offensive security community, Moritz worked on a voluntary basis as a technical malware analyst for a well-known internet forum, with a focus on evading detections and building custom exploits. When he isn't infiltrating networks or exfiltrating data, he is usually knee-deep in research and development, dissecting binaries and developing new tools.