codasm: Payload encoding utility to effectively lower payload entropy
CODASM
CODASM allows you to encode arbitrary data into pseudo-ASM instructions and compile them into the .text section of binaries.
Payloads (esp. shellcode) come with pretty high entropy and look out of place in most places in a compiled binary. CODASM aims to hide payloads in a place that comes with a high entropy already: the .text section that contains your binary's compiled code. To do so, CODASM generates legit-looking shellcode that can embed any arbitrary payloads.
CODASM is a Python script that generates
- legit-looking shellcode for arbitrary payloads
- a C header file you can use in your program to embed the shellcode into a binary and retrieve it at run-time
For encoding payloads, CODASM does the following:
- Generate valid x86_64 functions with prologues and epilogues and random instructions
- Embed payload bytes into instruction operands (e.g. mov eax, <4 bytes of payload>)
- XOR encrypt the embedded payload bytes
For decoding payloads, the generated C header file does the following:
- Parse single instructions until the desired number of payload bytes has been retrieved:
  - Detect individual instructions and determine whether they contain payload bytes
  - If an instruction contains payload bytes, extract and decrypt them
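The following Python model of the encoding and decoding steps above is an added illustration, not CODASM's own code. It embeds a constructed payload into the immediate operands of mov eax, imm32 instructions wrapped in fake function bodies, XOR-encrypts the bytes, walks the result instruction by instruction the way the decoding steps describe, and then measures two things a defender cares about: how much the byte entropy drops compared with the raw payload, and how dense the runs of mov-immediate instructions become. The fixed prologue/epilogue bytes, the single-byte key, the four-immediates-per-function layout and the stride-5 run scan are this example's assumptions; the real tool also interleaves random instructions, which this toy omits.

```python
import math
from collections import Counter

MOV_EAX_IMM32 = 0xB8                     # opcode of `mov eax, imm32` (5 bytes total)
PROLOGUE = bytes.fromhex("554889e5")     # push rbp; mov rbp, rsp   (assumed fixed filler)
EPILOGUE = bytes.fromhex("5dc3")         # pop rbp; ret             (assumed fixed filler)

# Constructed sample payload: 64 distinct bytes, i.e. maximal entropy for its size.
PAYLOAD = bytes((i * 73 + 11) % 256 for i in range(64))

# Constructed snippet of ordinary compiler output for comparison:
# sub rsp,0x28; mov eax,1; add rsp,0x28; ret
NORMAL_CODE = bytes.fromhex("4883ec28" "b801000000" "4883c428" "c3")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def embed(payload: bytes, key: int, per_func: int = 4) -> bytes:
    """Toy model of the encoding steps: XOR every payload byte with a one-byte
    key, split the result into 4-byte groups, and emit each group as the
    immediate of `mov eax, imm32` inside a fake function (prologue/epilogue)."""
    enc = bytes(b ^ key for b in payload)
    enc += b"\x00" * (-len(enc) % 4)          # pad so every group fills an imm32
    groups = [enc[i:i + 4] for i in range(0, len(enc), 4)]
    out = bytearray()
    for f in range(0, len(groups), per_func):
        out += PROLOGUE
        for g in groups[f:f + per_func]:
            out += bytes([MOV_EAX_IMM32]) + g
        out += EPILOGUE
    return bytes(out)


def extract(text: bytes, key: int, n: int) -> bytes:
    """Toy model of the decoding steps: walk one instruction at a time, pull
    and decrypt the operand of every `mov eax, imm32`, skip the filler, and
    stop once n payload bytes have been recovered."""
    out = bytearray()
    i = 0
    while i < len(text) and len(out) < n:
        if text[i] == MOV_EAX_IMM32 and i + 5 <= len(text):
            out += bytes(b ^ key for b in text[i + 1:i + 5])
            i += 5
        elif text.startswith(PROLOGUE, i):
            i += len(PROLOGUE)
        elif text.startswith(EPILOGUE, i):
            i += len(EPILOGUE)
        else:
            i += 1                            # unknown byte in this toy model: skip
    return bytes(out[:n])


def longest_mov_imm_run(text: bytes) -> int:
    """Detection heuristic: the longest chain of back-to-back `mov eax, imm32`
    instructions found by stepping 5 bytes at a time from each 0xB8 byte.
    Compiler output rarely produces long chains; a carrier like the one above
    produces one per fake function."""
    best = 0
    for start in range(len(text)):
        if text[start] != MOV_EAX_IMM32:
            continue
        run, i = 0, start
        while i < len(text) and text[i] == MOV_EAX_IMM32:
            run += 1
            i += 5
        best = max(best, run)
    return best


if __name__ == "__main__":
    key = 0x5A
    carrier = embed(PAYLOAD, key)
    assert extract(carrier, key, len(PAYLOAD)) == PAYLOAD
    print(f"payload entropy : {shannon_entropy(PAYLOAD):.2f} bits/byte")
    print(f"carrier entropy : {shannon_entropy(carrier):.2f} bits/byte")
    print(f"mov-imm run, carrier     : {longest_mov_imm_run(carrier)}")
    print(f"mov-imm run, normal code : {longest_mov_imm_run(NORMAL_CODE)}")
```

The entropy drop comes purely from the fixed opcode and filler bytes that now sit between the payload bytes, which is why per-section entropy thresholds miss this kind of carrier. The stride-5 run scan is only a starting point: once random instructions are interleaved, a byte-stride walk no longer lines up, and a real check would disassemble the section (for example with capstone) and look at the ratio of immediate-carrying instructions to everything else.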