SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetectable binary payloads. It uses an additive feedback loop to encode the given binary instructions, similar to an LFSR.
This project is the reimplementation of the original Shikata ga nai in golang with many improvements.
How? & Why?
For the offensive security community, the original implementation of the Shikata ga nai encoder is considered to be the best shellcode encoder (until now). But over the years security researchers found several pitfalls for statically detecting the encoder (related work: FireEye article). The main motive for this project was to create a better encoder that encodes the given binary to the point that it is indistinguishable from totally random data, so that the presence of a decoder cannot be detected. With the help of the keystone assembler library, the following improvements are implemented:
- Finally properly encoded x64 shellcodes!
- LFSR key reduced to 1 byte
- Decoder stub is also encoded with a pseudo-random schema
- Stub decodes itself WITHOUT using any loop conditions!!
- Random garbage instruction generator added with keystone
- None of the registers are clobbered (optional preamble, may reduce polymorphism)
Install
The only dependencies required are the keystone and capstone libraries. For easily installing the capstone and keystone libraries, check the table below:
| OS | Install Command |
|---|---|
| Ubuntu/Debian | `sudo apt-get install libcapstone-dev` |
| Arch Linux | `sudo pacman -S capstone keystone` |
| Mac | `brew install keystone capstone` |
| Fedora | `sudo yum install keystone capstone` |
| Windows/All Other… | CHECK HERE |
Installation of the keystone library can be a little tricky in some cases. Check here if you have any problem with your package manager.
Then just go get it ツ
```
go get github.com/egebalci/sgn
```
Usage
`-h` is pretty self explanatory, use `-v` if you want to see what's going on behind the scenes ¯\_( ͡° ͜ʖ ͡°)_/¯
```
Usage: sgn [OPTIONS]
  -a int
        Binary architecture (32/64) (default 32)
  -asci
        Generates a full ASCI printable payload (takes very long time to bruteforce)
  -badchars string
        Don't use specified bad characters given in hex format (\x00\x01\x02...)
  -c int
        Number of times to encode the binary (increases overall size) (default 1)
  -h    Print help
  -max int
        Maximum number of bytes for obfuscation (default 20)
  -o string
        Encoded output binary name
  -plain-decoder
        Do not encode the decoder stub
  -safe
        Do not modify and register values
  -v    More verbose output
```
Using As Library
Warning !! SGN package is still under development for better performance and several improvements. Most of the functions are subject to change.
```go
package main

import (
	"encoding/hex"
	"fmt"
	"io/ioutil"

	sgn "github.com/egebalci/sgn/lib"
)

func main() {
	// First open some file
	file, err := ioutil.ReadFile("myfile.bin")
	if err != nil { // check error
		fmt.Println(err)
		return
	}
	// Create a new SGN encoder
	encoder := sgn.NewEncoder()
	// Set the proper architecture
	encoder.SetArchitecture(64)
	// Encode the binary
	encodedBinary, err := encoder.Encode(file)
	if err != nil {
		fmt.Println(err)
		return
	}
	// Print out the hex dump of the encoded binary
	fmt.Println(hex.Dump(encodedBinary))
}
```
Execution Flow
The following image is a basic workflow diagram for the encoder. But keep in mind that the sizes, locations and orders will change for garbage instructions, decoders and schema decoders on each iteration.
LFSR itself is pretty powerful in terms of probability space. For even more polymorphism, garbage instructions are appended at the beginning of the unencoded raw payload. The image below shows the companion matrix of the characteristic polynomial of the LFSR and, denoting the seed as a column vector, the state of the register in Fibonacci configuration after k steps.
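The relation the image conveys, written out here as an added illustration (not taken from the repository's README or code, and using the standard companion-matrix convention rather than any layout SGN's source may use): for an $n$-bit LFSR with characteristic polynomial $p(x) = x^n + c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$ over $\mathbb{F}_2$, one Fibonacci-mode clock shifts the state by one position and feeds back the tap sum, which is the linear map below, so the state after $k$ steps is a matrix power applied to the seed.

$$
C = \begin{pmatrix}
0 & 1 & 0 & \cdots & 0 \\
0 & 0 & 1 & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & 1 \\
c_0 & c_1 & c_2 & \cdots & c_{n-1}
\end{pmatrix},
\qquad
\mathbf{s}_{k+1} = C\,\mathbf{s}_k, \qquad
\mathbf{s}_k = C^{k}\,\mathbf{s}_0 \pmod 2 .
$$

Since $\det(xI - C) = p(x)$ over $\mathbb{F}_2$, the sequence of states cycles with period equal to the multiplicative order of $x$ in $\mathbb{F}_2[x]/(p)$; with the 1-byte key listed above ($n = 8$) that period is at most $2^8 - 1 = 255$, reached only when $p$ is primitive, which is why the probability space comes from the random seed, the garbage instructions and the encoded decoder together rather than from the key stream alone.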