- First, the input shellcode is encoded using the same logic behind Alphabetfuscation, a shellcode obfuscation method that represents opcode bytes as printable ASCII. Because a random ASCII offset is chosen per byte, the encoded output differs on every run.
- The first shellcode, g_AlphabeticalDecoder, is configured with the data required for decoding, and the encoded Alphabetical shellcode is appended to it.
- The resulting g_AlphabeticalDecoder blob is then itself encoded using a simple XOR routine, XorEncrypt.
- A second shellcode is dynamically generated by the GenerateRandomVariant function. It is responsible for XOR-decoding g_AlphabeticalDecoder and passing code execution to it; g_AlphabeticalDecoder in turn decodes the Alphabetical shellcode and executes it, alongside the necessary memory cleanup logic.
Note
The logic behind the g_AlphabeticalDecoder shellcode is located in the AlphabeticalShellcodeDecode.asm file.
The logic behind the XOR decoder shellcode is located in the XorShellcodeDecode.asm file.
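The pipeline above, as an added C example that is not part of the project's code. The exact Alphabetfuscation byte layout is not given on this page, so the alphabetic encoding here is an assumed stand-in of the same shape (one random offset per byte, all output bytes printable letters); the PRNG, the placeholder decoder-stub bytes and the sample opcode bytes are constructed for the example. It shows the two layers, alphabetic encoding followed by XOR, and the reverse order a loader has to apply at runtime, plus the range checks a decoder should make before treating recovered bytes as code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deterministic xorshift32 PRNG so the example is reproducible; a real
 * generator would draw the per-byte offsets and the XOR key from an OS
 * entropy source instead. */
static uint32_t rng_state = 1;
static void rng_seed(uint32_t s) { rng_state = s * 2654435761u; if (!rng_state) rng_state = 1; }
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Assumed alphabetic layout (not the project's actual format): each payload
 * byte becomes three letters. 'a'+k carries a per-byte random offset k in
 * [0,10]; then 'A'+k+high_nibble and 'A'+k+low_nibble, which never leave
 * 'A'..'Z' because k+15 <= 25. Every output byte is a letter, so the
 * encoded payload contains no NULs and differs for each offset draw. */
#define ALPHA_PER_BYTE 3

size_t alpha_encode(const uint8_t *in, size_t len, char *out) {
    for (size_t i = 0; i < len; i++) {
        uint8_t k = (uint8_t)(rng_next() % 11);
        out[3*i]     = (char)('a' + k);
        out[3*i + 1] = (char)('A' + k + (in[i] >> 4));
        out[3*i + 2] = (char)('A' + k + (in[i] & 0x0F));
    }
    out[3*len] = '\0';
    return 3 * len;
}

/* Returns the decoded length, or 0 if the input is malformed. */
size_t alpha_decode(const char *in, size_t len, uint8_t *out) {
    if (len == 0 || len % ALPHA_PER_BYTE) return 0;
    for (size_t i = 0; i < len / 3; i++) {
        int k  = in[3*i] - 'a';
        int hi = in[3*i + 1] - 'A' - k;
        int lo = in[3*i + 2] - 'A' - k;
        if (k < 0 || k > 10 || hi < 0 || hi > 15 || lo < 0 || lo > 15) return 0;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return len / 3;
}

/* Second layer: single-byte XOR over the whole blob (decoder stub plus
 * alphabetic payload). Encrypting and decrypting are the same operation. */
void xor_crypt(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Whole pipeline on constructed sample bytes (a few x64 opcodes picked for
 * the example, not a working payload). Returns 1 if the loader-side
 * reversal recovers the original bytes, 0 otherwise. */
int pipeline_roundtrip(uint32_t seed) {
    const uint8_t sample[] = { 0x48, 0x31, 0xC0, 0x90, 0x00, 0xFF, 0xC3 };
    const uint8_t stub[]   = { 0xEB, 0x00 };   /* placeholder for the decoder stub */
    char alpha[sizeof sample * ALPHA_PER_BYTE + 1];
    uint8_t blob[sizeof stub + sizeof alpha];
    uint8_t decoded[sizeof sample];

    rng_seed(seed);
    size_t alen = alpha_encode(sample, sizeof sample, alpha);

    /* Generator side: [stub][alphabetic payload], then XOR the whole thing. */
    memcpy(blob, stub, sizeof stub);
    memcpy(blob + sizeof stub, alpha, alen);
    size_t blen = sizeof stub + alen;
    uint8_t key = (uint8_t)(rng_next() | 1);   /* odd, so never 0 (a no-op key) */
    xor_crypt(blob, blen, key);
    if (memcmp(blob + sizeof stub, alpha, alen) == 0) return 0;  /* must not still be plaintext */

    /* Loader side: undo XOR first, then the alphabetic layer. */
    xor_crypt(blob, blen, key);
    if (alpha_decode((const char *)blob + sizeof stub, alen, decoded) != sizeof sample) return 0;
    return memcmp(decoded, sample, sizeof sample) == 0;
}

/* Range checks a loader should make before executing decoded bytes. */
int decode_rejects_malformed(void) {
    uint8_t out[4];
    return alpha_decode("zAA", 3, out) == 0   /* offset letter outside 'a'..'k' */
        && alpha_decode("aA",  2, out) == 0   /* length not a multiple of 3 */
        && alpha_decode("aZA", 3, out) == 0   /* nibble 25 is out of range */
        && alpha_decode("kZZ", 3, out) == 1 && out[0] == 0xFF;
}

int main(void) {
    const uint8_t sample[] = { 0x48, 0x31, 0xC0, 0x90, 0x00, 0xFF, 0xC3 };
    char alpha[sizeof sample * ALPHA_PER_BYTE + 1];
    uint32_t seeds[] = { 1, 0xDEADBEEF };
    for (int i = 0; i < 2; i++) {
        rng_seed(seeds[i]);
        alpha_encode(sample, sizeof sample, alpha);
        printf("seed 0x%08x: %s\n", seeds[i], alpha);  /* text changes with the seed, payload does not */
    }
    return (pipeline_roundtrip(42) && decode_rejects_malformed()) ? 0 : 1;
}
```

The order matters: the generated loader must strip the XOR layer before the alphabetic layer, because the XOR was applied last. The bounds checks in alpha_decode are the part most often skipped in throwaway decoders; without them a corrupted or truncated blob decodes to garbage that is then executed.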
- Run the AlphabeticalPolyGen program to generate a polymorphic variant of a given raw shellcode file:
AlphabeticalPolyGen.exe --i <Raw Shellcode File> --o <Output File Name>
- For testing, use the LocalShellcodeExec.exe program as follows:
LocalShellcodeExec.exe --i <Encoded Shellcode To Execute>
3. Utilizing LocalShellcodeExec.exe for testing: