# Introduction
Another shellcode injection technique using C++ that attempts to bypass Windows Defender using XOR encryption sorcery and UUID strings **madness** :).
# How it works
## Shellcode generation
* First, generate a payload in binary (raw) format using either `CobaltStrike` or `msfvenom`. With `msfvenom`, for instance (the payload used here is for **illustration** purposes; use whatever payload you want):
  ```
  msfvenom -p windows/messagebox -f raw -o shellcode.bin
  ```
* Then convert the shellcode (in binary/raw format) into `UUID` string format using the Python3 script `bin_to_uuid.py`:
  ```
  ./bin_to_uuid.py -p shellcode.bin > uuid.txt
  ```
* `xor` encrypt the `UUID` strings in `uuid.txt` using the Python3 script `xor_encryptor.py`:
  ```
  ./xor_encryptor.py uuid.txt > xor_crypted_out.txt
  ```
* Copy the `C-style` array from `xor_crypted_out.txt` and paste it into the C++ file as an array of `unsigned char`, i.e. `unsigned char payload[]{your_output_from_xor_crypted_out.txt}`.
## Execution
This shellcode injection technique comprises the following steps:
* First, it allocates virtual memory for the payload to reside in and execute from via `VirtualAlloc`.
* It `xor` decrypts the payload using the `xor` key value.
* It uses `UuidFromStringA` to convert the `UUID` strings into their binary representation and store them in the previously allocated memory. This avoids calling APIs that are commonly flagged, such as `WriteProcessMemory` or `memcpy`.
* It uses `EnumChildWindows` to execute the payload now sitting in the memory allocated in step 1.
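Seen from the analyst's side, the pipeline in the two sections above (raw bytes to UUID strings, single-byte XOR, `UuidFromStringA` writing each UUID into memory in GUID layout) can be reversed for triage of a captured sample. The following Python is an added example, not code from the FUD-UUID-Shellcode project; it assumes the embedded array holds NUL-terminated UUID strings XOR-ed with one byte (the project's exact layout and key are not given on this page), and the blob it builds for testing is constructed filler, not shellcode.

```python
"""Analyst-side decoder for a sample embedding XOR-ed UUID-string shellcode.
Added example, not part of FUD-UUID-Shellcode. Assumes the `unsigned char payload[]`
array holds NUL-terminated ASCII UUID strings XOR-ed with one byte (layout and key
are assumptions; the page does not give them)."""
import re
import uuid
from typing import List, Optional

# A well-formed UUID string: 8-4-4-4-12 hex digits (UuidFromStringA accepts either case).
UUID_RE = re.compile(rb"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def extract_uuid_strings(plain: bytes) -> List[str]:
    """Split on NUL and keep the fields only if every one parses as a UUID string."""
    fields = [f for f in plain.split(b"\x00") if f]
    if fields and all(UUID_RE.match(f) for f in fields):
        return [f.decode("ascii") for f in fields]
    return []

def recover_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte key: the rigid UUID layout (hyphens at fixed
    offsets, hex digits elsewhere) identifies the right key without knowing it."""
    for key in range(256):
        if extract_uuid_strings(xor_bytes(blob, key)):
            return key
    return None

def uuids_to_shellcode(uuid_strings: List[str]) -> bytes:
    """Rebuild the bytes UuidFromStringA writes: each UUID lands in memory as a GUID
    struct (Data1/Data2/Data3 little-endian, Data4 as written), i.e. bytes_le."""
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)

def decode_blob(blob: bytes) -> Optional[bytes]:
    key = recover_key(blob)
    if key is None:
        return None
    return uuids_to_shellcode(extract_uuid_strings(xor_bytes(blob, key)))

# Constructed sample input: harmless filler stands in for a payload, padded to a
# multiple of 16, encoded as UUIDs and XOR-ed the way the README's pipeline does.
SAMPLE_PAYLOAD = b"constructed sample bytes, not shellcode!".ljust(48, b"\x00")
SAMPLE_KEY = 0x5A

def build_sample() -> bytes:
    chunks = [SAMPLE_PAYLOAD[i:i + 16] for i in range(0, len(SAMPLE_PAYLOAD), 16)]
    text = b"".join(str(uuid.UUID(bytes_le=c)).encode() + b"\x00" for c in chunks)
    return xor_bytes(text, SAMPLE_KEY)
```

The recovered bytes can then go to a sandbox or disassembler; the same fixed-format check (fields that only become UUID strings under one byte key) is also a cheap static-triage heuristic for this family of droppers.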
# What makes it unique?
* It doesn't use standard functions like `memcpy` or `WriteProcessMemory`, which are known to raise alarms with AVs/EDRs; instead it uses the Windows API function `UuidFromStringA`, which both decodes the data and writes it to memory (**Isn't that great folks?** _And please don't say "NO!"_ 🙂).
* It uses the **function call obfuscation** trick to call the Windows API functions.
* Lastly, because it looks unique 🙂 (_Isn't it?_ 🙂)
# Important
* Change the `xor` key (line 86 of the C++ file) to a value of your choosing. The key used for encryption is the `KEY` variable in the `./xor_encryptor.py` Python3 script, and the two must match.
* Change the default `executable filename` value (line 90) to your filename.
* The command for compiling is provided in the C++ file (_near the top_). NB: `mingw` was used, but you can use whichever compiler you prefer. 🙂
## Compile
```
make
```
# Proof-of-Concept (PoC)
# Static Analysis
# AV Scan results
The binary was scanned using antiscan.me on 01/08/2022.
# Credits