• Stars
    star
    114
  • Rank 308,031 (Top 7 %)
  • Language
    Python
  • Created over 2 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Jargon

Jargon
/ˈjΓ€rΙ‘Ι™n/
noun: jargon; plural noun: jargons
Definition: special words or expressions that are used by a particular profession or group and are difficult for others to understand.

Background

In order to protect our shellcode loaders, we often use encryption to obfuscate our shellcode. Encryption increases the entropy of our shellcode loader. Some AV & EDR use entropy analysis to determine if a binary is trustworthy for execution. If the entropy of a binary is too high, the agent makes a decision the binary is not trustworth for execution. This is, of course, an oversimplified explanation, but it will work for our purposes.

This project takes raw shellcode and encodes it using a dictionary of words. The dictionary could be a dictionary of English words, the text of a Shakespearean tragedy, or it could be strings extracted from your favorite system DLL. The only requirement is that the dictionary contains at least 256 unique entries and all characters are valid for string literals in C/C++.

tldr: Use this program to translate shellcode bytes into words for entropy analysis evasion.

How it works

We typically see shellcode represented as hex bytes - 0x00 to 0xff. However, we can also use integers to represent our shellcode. Since our shellcode can only possibly consist of 256 different values, the program reads the dictionary, selects 256 random words, and places them in an array. A word's position in this tranlsation array represents its shellcode value. Consider the following example:

unsigned char* translation_table[5] = { "petition","creates","proposal","maintain","winner" };

To tranlsate our shellcode into an array of words, we read each byte of shellcode and pull the word from the translation table using the shellcode value as the index. Using the example above, if our first byte of shellcode is 0x01, the value at translation_table[1] is creates. We take the word found at our index and append it to a new array that represents our translated shellcode. We repeat this process until we've reached the end of our shellcode. This will give us two arrays that look like the following abbreviated examples:

const char* translation_table[256] = { "petition","creates","proposal","maintain","winner","accommodations","submitted"..." };

const char* translated_shellcode[287] = { "staying","valuation","differences","score","disks","interests","controls" ... };

To use this translated shellcode in our loader, we simply reverse the process. For each entry in the translated_shellcode array, we search the translation table for that value. The array index of the word is our shellcode byte. Given the first 4 bytes of 64-bit shellcode are typically 0xfc,0x48,0x83,0xe4, we can surmise that "staying","valuation","differences","score" translates to translation_table[252], translation_table[72], translation_table[131], translation_table[228]. As a result, the first 4 bytes of our reconstructed shellcode will be 252,72,131,228.

This program will generate C source code containing the two array definitions and the translation routine to recover the shellcode bytes.

Prior art

Before I wrote this tool, I tried to find examples that people had written before me. I came up short, despite a lot of searching. Since originally writing the tool, I became aware of people who have written similar tools, but their tools are not public. These projects are using similar concepts:

https://github.com/moloch--/wire-transfer: Encode binary files into English text for transfer over HTTP.
[https://github.com/BishopFox/sliver/blob/master/util/encoders/english.go](Sliver C2): Encode binary file as English text.

More Repositories

1

EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Python
4,899
star
2

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
Python
987
star
3

WMImplant

This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
PowerShell
798
star
4

Just-Metadata

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.
Python
623
star
5

Egress-Assess

Egress-Assess is a tool used to test egress data detection capabilities
PowerShell
610
star
6

GraphStrike

Cobalt Strike HTTPS beaconing over Microsoft Graph API
C
539
star
7

EXCELntDonut

Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
Python
498
star
8

WMIOps

This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
PowerShell
381
star
9

EDD

Enumerate Domain Data
C#
312
star
10

PersistAssist

Fully modular persistence framework
C#
249
star
11

CIMplant

C# port of WMImplant which uses either CIM or WMI to query remote systems
C#
196
star
12

AutoFunkt

Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
Python
189
star
13

Jigsaw

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
Python
173
star
14

AggressorAssessor

Aggressor scripts for phases of a pen test or red team assessment
Python
171
star
15

hot-manchego

Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
C#
140
star
16

Screenshooter

C# program to take a full size screenshot or a recording of the user's desktop. Takes in 0-3 flags
C#
83
star
17

DigDug

Python
66
star
18

FunctionalC2

A small POC of using Azure Functions to relay communications. Feel free to add additional functionality beyond this POC!
Python
66
star
19

What-The-F

This repo hosts a poc of how to execute F# code within an unmanaged process
C++
64
star
20

SqlClient

POC for .NET mssql client for accessing database data through beacon
C#
59
star
21

MiddleOut

A small .NET compression utility
C#
54
star
22

Hasher

Hasher is designed to be a tool that allows you to quickly hash plaintext strings, or compare hashed values with a plaintext locally. Not meant to crack passwords, but designed for local checks.
Python
48
star
23

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers
PowerShell
44
star
24

rstools

Python
39
star
25

Chromatophore

Utilities for obfuscating shellcode
C
38
star
26

RandomScripts

Scripts for public use that we've randomly written, or have updated from other people's work.
Shell
36
star
27

ProxmarkWrapper

A wrapper around the Proxmark3 client that will alert the user of specific events
Python
29
star
28

CLM-Base64

This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode
PowerShell
22
star
29

SharpCollectionTemplate

PowerShell
13
star
30

Delta-Encoder

Python
12
star
31

CredCheck

.NET wrapper around LogonUserA to test creds
C#
10
star
32

RansomwareTalks

code for ransomware talks
C#
8
star
33

CUDA-Installation-Script

Quick and dirty installation script for CUDA drivers on Ubuntu 18.04 LTS to save a bit of time.
Shell
3
star