Chaotic-Based Shellcode Encryption: A New Strategy for Bypassing Antivirus Mechanisms
Abstract
:1. Introduction
2. Related Work
2.1. Antivirus Detection Methods
2.2. Polymorphic and Metamorphic Malware
2.3. Obfuscation Techniques for Malware Evasion
2.4. Well-Known Evasion Tools
2.4.1. TheFatRat
2.4.2. Shikata Ga Nai
2.4.3. Veil Framework
2.4.4. ROPInjector
2.4.5. Movfuscator
2.5. Chaotic Systems in Cryptography
3. Methodology
Algorithm 1: Chaotic Encryption Algorithm |
Input: Plain text (shellcode) P Output: Cipher text C |
Algorithm 2: Chaotic Decryption Algorithm |
Input: Cipher text (encrypted shellcode) C Output: Plain text P |
3.1. Logistic Map Encryption/Decryption
- : The current state of the system, typically within the range .
- r: The control parameter.
- n: The iteration index.
3.2. Henon Map Encryption/Decryption
- a and b: The control parameters that influence the system’s dynamics.
- and : The state variables at iteration n.
3.3. Lorenz System Encryption/Decryption
- , , and : Control parameters that influence the system’s dynamics.
- x, y, and z: Initialize the start value.
3.4. Chua’s Circuit System Encryption/Decryption
- and : Control parameters for the system’s dynamics.
- and : Parameters defining the nonlinearity of .
- x, y, and z: Initialize the start value.
3.5. Rössler System Encryption/Decryption
- a, b, and c: Control parameters that determine the system’s behavior.
- x, y, and z: Initialize the start value.
4. Experiment
4.1. Windows Shellcode Execution
4.2. Linux Shellcode Execution
4.3. Parameters in Chaotic Systems
5. Results
5.1. Execution Time
5.2. Ensuring Chaotic Behavior in Encryption
5.3. Worst Encryption Case
5.4. Handling 0x00 Values in Chaotic Encryption
5.5. Disassemble
5.6. Scan Report
5.6.1. Comparison Other Proposed Method
5.6.2. Proposed Method
6. Conclusions
7. Future Work
7.1. Dynamic Malware Analysis
7.2. Real-World Deployment
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Appendix A. The Pseudocode for the Implementation
Appendix A.1. Encryption and Decryption
Listing A1. Pseudocode for logistic map. |
Function LogisticMapEncrypt(data, r, x0) Initialize x = x0 Initialize encryptedData as a byte array of the same length as data Initialize keys as an integer array of the same length as data For each index i in data Repeat Update x as r * x * (1 - x) Set chaoticValue as the integer part of x * 255 Until chaoticValue is not equal to 0 Store chaoticValue in keys at position i Set encryptedData at position i to data[i] XOR chaoticValue End For Return encryptedData and keys End Function |
Listing A2. Pseudocode for Henon map. |
Function HenonMapEncrypt(data, a, b, x0, y0) Initialize x = x0 Initialize y = y0 Initialize encryptedData as a byte array of the same length as data Initialize keys as an integer array of the same length as data For each index i in data Repeat Calculate newX as 1 - a * x * x + y Calculate newY as b * x Set chaoticValue as the integer part of newX * 255 Until chaoticValue is not equal to 0 Store chaoticValue in keys at position i Set encryptedData at position i to data[i] XOR chaoticValue Update x to newX Update y to newY End For Return encryptedData and keys End Function |
Listing A3. Pseudocode for Lorenz system. |
Function LorenzSystemEncrypt(data, sigma, rho, beta, x0, y0, z0) Initialize x = x0, y = y0, z = z0 Set time step dt = 0.01 Initialize encryptedData as a byte array of the same length as data Initialize keys as an integer array of the same length as data For each index i in data Repeat // Calculate RK4 steps using LorenzDerivatives (k1x, k1y, k1z) = LorenzDerivatives(x, y, z, sigma, rho, beta) (k2x, k2y, k2z) = LorenzDerivatives(x + 0.5 * k1x * dt, y + 0.5 * k1y * dt, z + 0.5 * k1z * dt, sigma, rho, beta) (k3x, k3y, k3z) = LorenzDerivatives(x + 0.5 * k2x * dt, y + 0.5 * k2y * dt, z + 0.5 * k2z * dt, sigma, rho, beta) (k4x, k4y, k4z) = LorenzDerivatives(x + k3x * dt, y + k3y * dt, z + k3z * dt, sigma, rho, beta) // Update x, y, z using RK4 formula x = x + (dt / 6) * (k1x + 2 * k2x + 2 * k3x + k4x) y = y + (dt / 6) * (k1y + 2 * k2y + 2 * k3y + k4y) z = z + (dt / 6) * (k1z + 2 * k2z + 2 * k3z + k4z) Set chaoticValue as integer part of x * 255 Until chaoticValue is not equal to 0 Store chaoticValue in keys at position i Set encryptedData at position i to data[i] XOR chaoticValue End For Return encryptedData and keys End Function Function LorenzDerivatives(x, y, z, sigma, rho, beta) Set dx = sigma * (y - x) Set dy = x * (rho - z) - y Set dz = x * y - beta * z Return (dx, dy, dz) End Function |
Listing A4. Pseudocode for Chua’s circuit system encryption. |
Function ChuasCircuitEncrypt(data, alpha, beta, m0, m1, x0, y0, z0) Initialize x = x0, y = y0, z = z0 Set time step dt = 0.01 Initialize encryptedData as a byte array of the same length as data Initialize keys as an integer array of the same length as data For each index i in data Repeat // Calculate RK4 steps using ChuaDerivatives (k1x, k1y, k1z) = ChuaDerivatives(x, y, z, alpha, beta, m0, m1) (k2x, k2y, k2z) = ChuaDerivatives(x + 0.5 * k1x * dt, y + 0.5 * k1y * dt, z + 0.5 * k1z * dt, alpha, beta, m0, m1) (k3x, k3y, k3z) = ChuaDerivatives(x + 0.5 * k2x * dt, y + 0.5 * k2y * dt, z + 0.5 * k2z * dt, alpha, beta, m0, m1) (k4x, k4y, k4z) = ChuaDerivatives(x + k3x * dt, y + k3y * dt, z + k3z * dt, alpha, beta, m0, m1) // Update x, y, and z using RK4 formula x = x + (dt / 6) * (k1x + 2 * k2x + 2 * k3x + k4x) y = y + (dt / 6) * (k1y + 2 * k2y + 2 * k3y + k4y) z = z + (dt / 6) * (k1z + 2 * k2z + 2 * k3z + k4z) Set chaoticValue as integer part of x * 255 Until chaoticValue is not equal to 0 Store chaoticValue in keys at position i Set encryptedData at position i to data[i] XOR chaoticValue End For Return encryptedData and keys End Function Function ChuaDerivatives(x, y, z, alpha, beta, m0, m1) // Piecewise-linear function g(x) for Chua’s diode If x <= -1 Set g = m1 * x + (m1 - m0) Else if x >= 1 Set g = m1 * x + (m0 - m1) Else Set g = m0 * x End If // Derivatives of the Chua’s Circuit equations Set dx = alpha * (y - x - g) Set dy = x - y + z Set dz = -beta * y Return (dx, dy, dz) End Function |
Listing A5. Pseudocode for Rössler system encryption. |
Function RosslerSystemEncrypt(data, a, b, c, x0, y0, z0) Initialize x = x0, y = y0, z = z0 Set time step dt = 0.01 Initialize encryptedData as a byte array of the same length as data Initialize keys as an integer array of the same length as data For each index i in data Repeat // Calculate RK4 steps using RosslerDerivatives (k1x, k1y, k1z) = RosslerDerivatives(x, y, z, a, b, c) (k2x, k2y, k2z) = RosslerDerivatives(x + 0.5 * k1x * dt, y + 0.5 * k1y * dt, z + 0.5 * k1z * dt, a, b, c) (k3x, k3y, k3z) = RosslerDerivatives(x + 0.5 * k2x * dt, y + 0.5 * k2y * dt, z + 0.5 * k2z * dt, a, b, c) (k4x, k4y, k4z) = RosslerDerivatives(x + k3x * dt, y + k3y * dt, z + k3z * dt, a, b, c) // Update x, y, z using RK4 formula x = x + (dt / 6) * (k1x + 2 * k2x + 2 * k3x + k4x) y = y + (dt / 6) * (k1y + 2 * k2y + 2 * k3y + k4y) z = z + (dt / 6) * (k1z + 2 * k2z + 2 * k3z + k4z) Set chaoticValue as integer part of x * 255 Until chaoticValue is not equal to 0 Store chaoticValue in keys at position i Set encryptedData at position i to data[i] XOR chaoticValue End For Return encryptedData and keys End Function Function RosslerDerivatives(x, y, z, a, b, c) Set dx = -y - z Set dy = x + a * y Set dz = b + z * (x - c) Return (dx, dy, dz) End Function |
Appendix A.2. Executing Shellcode
Listing A6. Pseudocode for executing shellcode on Windows. |
Function ExecuteShellcode() // Load necessary Windows API functions Load GetProcAddress from kernel32.dll Load GetModuleHandleA from kernel32.dll // Define delegates for system calls Define RtlMoveMemoryDelegate as a pointer to RtlMoveMemory function Define VirtualProtectDelegate as a pointer to VirtualProtect function Define CreateThreadDelegate as a pointer to CreateThread function Define WaitForSingleObjectDelegate as a pointer to WaitForSingleObject function Set PAGE_EXECUTE_READWRITE = 0x40 // Initialize shellcode or encrypted data Set data as byte array with shellcode If shellcode is encrypted by a chaotic system like Lorenz, decrypt data using LorenzSystemEncrypt(…) If shellcode is original (e.g., from msfvenom), use data directly for execution. // Obtain addresses for required functions Set kernel32Handle = GetModuleHandleA("kernel32.dll") Set virtualProtectAddr = GetProcAddress(kernel32Handle, "VirtualProtect") Set createThreadAddr = GetProcAddress(kernel32Handle, "CreateThread") Set waitForSingleObjectAddr = GetProcAddress(kernel32Handle, "WaitForSingleObject") // Create delegate instances for system calls Set VirtualProtect = Create delegate for VirtualProtect using virtualProtectAddr Set CreateThread = Create delegate for CreateThread using createThreadAddr Set WaitForSingleObject = Create delegate for WaitForSingleObject using waitForSingleObjectAddr // Allocate memory for shellcode Set addr = Allocate memory of size data.Length // Copy shellcode data to allocated memory Copy data to addr // Change memory protection to PAGE_EXECUTE_READWRITE Call VirtualProtect on addr with size data.Length, new protection PAGE_EXECUTE_READWRITE // Create a thread to execute shellcode Set hthread = Call CreateThread with start address addr // Wait for thread to complete Call WaitForSingleObject with hthread and timeout 0xFFFFFFFF End Function |
Listing A7. Pseudocode for executing shellcode on Linux. |
Function ExecuteShellcodeLinux() // Load necessary Linux system functions Load mmap from libc.so.6 Load mprotect from libc.so.6 // Define constants for memory protection and mapping flags Set PROT_READ = 0x1 Set PROT_WRITE = 0x2 Set PROT_EXEC = 0x4 Set MAP_PRIVATE = 0x02 Set MAP_ANONYMOUS = 0x20 // Initialize shellcode or encrypted data Set data as byte array with shellcode If shellcode is encrypted by a chaotic system like Lorenz, decrypt data using LorenzSystemEncrypt(…) If shellcode is original (e.g., from msfvenom), use data directly for execution. // Allocate memory with read, write, and execute permissions Set size = data.Length Set addr = mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) // Copy shellcode data to allocated memory Copy data to addr // Change memory protection to read and execute only Call mprotect on addr with size and PROT_READ | PROT_EXEC // Create delegate to execute shellcode Set dataDelegate = Create delegate for data at addr // Execute shellcode Call dataDelegate() End Function |
Appendix B. Data
Appendix B.1. Disassembly
Listing A8. Disassembly of staged Windows shellcode in 64 bits. | |||
0: | fc | cld | |
1: | 48 83 e4 f0 | and | rsp,0xfffffffffffffff0 |
5: | e8 cc 00 00 00 | call | 0xd6 |
a: | 41 51 | push | r9 |
c: | 41 50 | push | r8 |
e: | 52 | push | rdx |
f: | 51 | push | rcx |
10: | 56 | push | rsi |
11: | 48 31 d2 | xor | rdx,rdx |
14: | 65 48 8b 52 60 | mov | rdx,QWORD PTR gs:[rdx+0x60] |
19: | 48 8b 52 18 | mov | rdx,QWORD PTR [rdx+0x18] |
1d: | 48 8b 52 20 | mov | rdx,QWORD PTR [rdx+0x20] |
21: | 4d 31 c9 | xor | r9,r9 |
24: | 48 8b 72 50 | mov | rsi,QWORD PTR [rdx+0x50] |
28: | 48 0f b7 4a 4a | movzx | rcx,WORD PTR [rdx+0x4a] |
2d: | 48 31 c0 | xor | rax,rax |
30: | ac | lods | al,BYTE PTR ds:[rsi] |
31: | 3c 61 | cmp | al,0x61 |
33: | 7c 02 | jl | 0x37 |
35: | 2c 20 | sub | al,0x20 |
37: | 41 c1 c9 0d | ror | r9d,0xd |
3b: | 41 01 c1 | add | r9d,eax |
3e: | e2 ed | loop | 0x2d |
40: | 52 | push | rdx |
Listing A9. Disassembly of staged Linux shellcode in 64 bits. | |||
0: | 31 ff | xor | edi,edi |
2: | 6a 09 | push | 0x9 |
4: | 58 | pop | rax |
5: | 99 | cdq | |
6: | b6 10 | mov | dh,0x10 |
8: | 48 89 d6 | mov | rsi,rdx |
b: | 4d 31 c9 | xor | r9,r9 |
e: | 6a 22 | push | 0x22 |
10: | 41 5a | pop | r10 |
12: | 6a 07 | push | 0x7 |
14: | 5a | pop | rdx |
15: | 0f 05 | syscall | |
17: | 48 85 c0 | test | rax,rax |
1a: | 78 51 | js | 0x6d |
1c: | 6a 0a | push | 0xa |
1e: | 41 59 | pop | r9 |
20: | 50 | push | rax |
21: | 6a 29 | push | 0x29 |
23: | 58 | pop | rax |
24: | 99 | cdq |
Listing A10. Disassembly of encrypted Windows shellcode in 64 bits. | |||
0: | 02 4a 89 | add | cl,BYTE PTR [rdx-0x77] |
3: | c2 72 16 | ret | 0x1672 |
6: | ce | (bad) | |
7: | 0b 2c 93 | or | ebp,DWORD PTR [rbx+rdx*4] |
a: | b9 4b 1e be 6f | mov | ecx,0x6fbe1e4b |
f: | eb 91 | jmp | 0xffffffffffffffa2 |
11: | e5 ec | in | eax,0xec |
13: | a1 99 43 a0 dd 9a 5b | movabs | eax,ds:0x99cd5b9adda04399 |
1a: | cd 99 | ||
1c: | bb a2 c0 81 af | mov | ebx,0xaf81c0a2 |
21: | b7 23 | mov | bh,0x23 |
23: | 8c 81 23 91 30 a7 | mov | WORD PTR [rcx-0x58cf6edd],es |
29: | 36 06 | ss (bad) | |
2b: | 9d | popf | |
2c: | ce | (bad) | |
2d: | b6 32 | mov | dh,0x32 |
2f: | cf | iret | |
30: | 96 | xchg | esi,eax |
31: | 8f | (bad) | |
32: | b2 f3 | mov | dl,0xf3 |
34: | f8 | clc | |
35: | 3d 61 80 7b 01 | cmp | eax,0x17b8061 |
3a: | a7 | cmps | DWORD PTR ds:[rsi],DWORD PTR es:[rdi] |
3b: | a1 6b 36 fc 87 a5 5f | movabs | eax,ds:0xbf3b5fa587fc366b |
42: | 3b bf | ||
44: | 96 | xchg | esi,eax |
Listing A11. Disassembly of encrypted Linux shellcode in 64 bits. | |||
0: | cf | iret | |
1: | fd | std | |
2: | 60 | (bad) | |
3: | 2f | (bad) | |
4: | da 67 b4 | fisub | DWORD PTR [rdi-0x4c] |
7: | 1b 64 1a 2e | sbb | esp,DWORD PTR [rdx+rbx*1+0x2e] |
b: | 57 | push | rdi |
c: | 6e | outs | dx,BYTE PTR ds:[rsi] |
d: | 27 | (bad) | |
e: | 57 | push | rdi |
f: | 98 | cwde | |
10: | 86 f7 | xchg | bh,dh |
12: | b7 74 | mov | bh,0x74 |
14: | a6 | cmps | BYTE PTR ds:[rsi],BYTE PTR es:[rdi] |
15: | 04 2e | add | al,0x2e |
17: | c7 | (bad) | |
18: | 7f d3 | jg | 0xffffffffffffffed |
1a: | 3e 9a | ds (bad) | |
1c: | c9 | leave | |
1d: | e0 0a | loopne | 0x29 |
1f: | 8a df | mov | bl,bh |
21: | 90 | nop | |
22: | 3b 1d 50 c2 e1 3f | cmp | ebx,DWORD PTR [rip+0x3fe1c250] # 0x3fe1c278 |
28: | 85 38 | test | DWORD PTR [rax],edi |
Listing A12. Disassembly of encrypted Windows shellcode in 64 bits including 0x00 keys. | |||
0: | ea | (bad) | |
1: | 4f 81 e4 f0 e8 cc 00 | rex.WRXB and r12,0xcce8f0 | |
8: | 00 00 | add | BYTE PTR [rax],al |
a: | 41 51 | push | r9 |
c: | 41 50 | push | r8 |
e: | 52 | push | rdx |
f: | 51 | push | rcx |
10: | 56 | push | rsi |
11: | 48 31 d2 | xor | rdx,rdx |
14: | 65 48 8b 52 60 | mov | rdx,QWORD PTR gs:[rdx+0x60] |
19: | 48 8b 52 18 | mov | rdx,QWORD PTR [rdx+0x18] |
1d: | 48 8b 52 20 | mov | rdx,QWORD PTR [rdx+0x20] |
21: | 4d 31 c9 | xor | r9,r9 |
24: | 48 8b 72 50 | mov | rsi,QWORD PTR [rdx+0x50] |
28: | 48 0f b7 4a 4a | movzx | rcx,WORD PTR [rdx+0x4a] |
2d: | 48 31 c0 | xor | rax,rax |
30: | ac | lods | al,BYTE PTR ds:[rsi] |
31: | 3c 61 | cmp | al,0x61 |
33: | 7c 02 | jl | 0x37 |
35: | 2c 20 | sub | al,0x20 |
37: | 41 c1 c9 0d | r9d,0xd | |
3b: | 41 01 c1 | add | r9d,eax |
3e: | e2 ed | loop | 0x2d |
40: | 52 | push | rdx |
Appendix B.2. Shellcode Generation
Appendix B.3. Scan Report
Notes | Scan Result URL |
---|---|
No Encryption Shellcode | https://kleenscan.com/scan_result/2a79cfe73f5114a13d7e9139f82b768b6a690ff844684ea99fce8d98532cc911 |
Logistic Map Encryption | https://kleenscan.com/scan_result/9a6ca9a7221675c91088baa0e92e62699608b248b1a78aec11ebf49b9ac38ded |
Henon Map Encryption | https://kleenscan.com/scan_result/70fb5b29d61e2064a8e30fea1ab4e3b547eff7fef204351778d4125bbeaa19b2 |
Lorenz System Encryption | https://kleenscan.com/scan_result/fb28f0c703418878a45b147df853af92ff931e878bf4258b0f5af70017c2a38a |
Chua’s Circuit System Encryption | https://kleenscan.com/scan_result/f1b3bab9edfb2f3720baeb39d4015bc95ae2ff22aa2e6454a5c1252d9babd781 |
Rössler System | https://kleenscan.com/scan_result/200b9570e6ad1cc84cf9f6afb953b43e95eb24ae05ced954ad8e2be8b6d7ae6f |
Notes | Scan Result URL |
---|---|
No Encryption Shellcode | https://kleenscan.com/scan_result/d19cfebe80fc46ede1cca891b27bb99f147458292d1023788362e9c08b08f41a |
Logistic Map Encryption | https://kleenscan.com/scan_result/070b4889528b78a3e58a80fe313a2fd5823b5473c8ae91cbd8fe6603c65d8910 |
Henon Map Encryption | https://kleenscan.com/scan_result/cc5c9c218ac16489c55d18cb56883f7e994216cfea63763e26ab419fd7ca5cd7 |
Lorenz System Encryption | https://kleenscan.com/scan_result/7a50c86fc750d8982712a14b3c3b0860d39e569eb56bf542279335fb69b3b7c9 |
Chua’s Circuit System Encryption | https://kleenscan.com/scan_result/99fdc85e2f28d0d0f3cfec9f02b0fb9534a6d195af3d4171ae9d0c82b28181aa |
Rössler System | https://kleenscan.com/scan_result/909e99b779650af2fa6f4a5c4ef5e16f09f558151e66d7308eed2ac50a29f989 |
Notes | Scan Result URL |
---|---|
No Encryption Shellcode | https://kleenscan.com/scan_result/d19cfebe80fc46ede1cca891b27bb99f147458292d1023788362e9c08b08f41a |
Logistic Map Encryption | https://kleenscan.com/scan_result/7866ed2f5d852c5f910013cded9fbc5bc9c5efc496c02f4d18cfd190d7de7961 |
Logistic Map Encryption with 0x00 keys | https://kleenscan.com/scan_result/48553fa830bd3b124b6ae501e2d53e1a2043e585f8bf763176211b502190f597 |
References
- Sikorski, M.; Honig, A. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software; No Starch Press: San Francisco, CA, USA, 2012. [Google Scholar]
- Vasani, V.; Bairwa, A.K.; Joshi, S.; Pljonkin, A.; Kaur, M.; Amoon, M. Comprehensive analysis of advanced techniques and vital tools for detecting malware intrusion. Electronics 2023, 12, 4299. [Google Scholar] [CrossRef]
- Bermejo Higuera, J.; Abad Aramburu, C.; Bermejo Higuera, J.R.; Sicilia Urban, M.A.; Sicilia Montalvo, J.A. Systematic approach to malware analysis (SAMA). Appl. Sci. 2020, 10, 1360. [Google Scholar] [CrossRef]
- Samociuk, D. Antivirus evasion methods in modern operating systems. Appl. Sci. 2023, 13, 5083. [Google Scholar] [CrossRef]
- Cohen, F. Computer viruses: Theory and experiments. Comput. Secur. 1987, 6, 22–35. [Google Scholar] [CrossRef]
- Cañadas, A.M.; Mendez, O.M.; Vega, J.D.C. Algebraic structures induced by the insertion and detection of malware. Computation 2023, 11, 140. [Google Scholar] [CrossRef]
- Kolosnjaji, B.; Demontis, A.; Biggio, B.; Maiorca, D.; Giacinto, G.; Eckert, C.; Roli, F. Adversarial malware binaries: Evading deep learning for malware detection in executables. In Proceedings of the 2018 26th European Signal Processing Conference (EUSIPCO), Roma, Italy, 3–7 September 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 533–537. [Google Scholar]
- Mitsuhashi, R.; Shinagawa, T. Exploring optimal deep learning models for image-based malware variant classification. In Proceedings of the 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC), Los Alamitos, CA, USA, 27 June–1 July 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 779–788. [Google Scholar]
- Millar, S.; McLaughlin, N.; del Rincon, J.M.; Miller, P. Multi-view deep learning for zero-day Android malware detection. J. Inf. Secur. Appl. 2021, 58, 102718. [Google Scholar] [CrossRef]
- Alrzini, J.R.S.; Pennington, D. A review of polymorphic malware detection techniques. Int. J. Adv. Res. Eng. Technol. 2020, 11, 1238–1247. [Google Scholar]
- Lyu, J.; Xue, J.; Han, W.; Zhang, Q.; Zhu, Y. A Streamlined Framework of Metamorphic Malware Classification via Sampling and Parallel Processing. Electronics 2023, 12, 4427. [Google Scholar] [CrossRef]
- Hofmeyr, S.A.; Forrest, S.; Somayaji, A. Intrusion detection using sequences of system calls. J. Comput. Secur. 1998, 6, 151–180. [Google Scholar] [CrossRef]
- Sharma, A.; Sahay, S.K. Evolution and detection of polymorphic and metamorphic malwares: A survey. arXiv 2014, arXiv:1406.7061. [Google Scholar] [CrossRef]
- Brengel, M.; Backes, M.; Rossow, C. Detecting hardware-assisted virtualization. In Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment: 13th International Conference, DIMVA 2016, San Sebastián, Spain, 7–8 July 2016; Proceedings 13. Springer: Berlin/Heidelberg, Germany, 2016; pp. 207–227. [Google Scholar]
- Nguyen, M.T.; Nguyen, V.H.; Shone, N. Using deep graph learning to improve dynamic analysis-based malware detection in PE files. J. Comput. Virol. Hacking Tech. 2024, 20, 153–172. [Google Scholar] [CrossRef]
- You, I.; Yim, K. Malware obfuscation techniques: A brief survey. In Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, Fukuoka, Japan, 4–6 November 2010; IEEE: Piscataway, NJ, USA, 2010; pp. 297–300. [Google Scholar]
- Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Lee, W. Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In Proceedings of the 2006 22nd Annual Computer Security Applications Conference (ACSAC’06), Miami Beach, FL, USA, 11–15 December 2006; IEEE: Piscataway, NJ, USA, 2006; pp. 289–300. [Google Scholar]
- EdoMaland. TheFatRat. 2021. Available online: https://github.com/screetsec/TheFatRat (accessed on 1 November 2024).
- Bhardwaj, A.; Kaushik, K.; Maashi, M.S.; Aljebreen, M.; Bharany, S. Alternate data stream attack framework to perform stealth attacks on active directory hosts. Sustainability 2022, 14, 12288. [Google Scholar] [CrossRef]
- Team, V. Veil 3.0. 2020. Available online: https://github.com/Veil-Framework/Veil-Evasion (accessed on 1 November 2024).
- Poulios, G.; Ntantogian, C.; Xenakis, C. Ropinjector: Using return oriented programming for polymorphism and antivirus evasion. In Proceedings of the Blackhat USA 2015, Las Vegas, NV, USA, 1–6 August 2015. [Google Scholar]
- Ntantogian, C.; Poulios, G.; Karopoulos, G.; Xenakis, C. Transforming malicious code to ROP gadgets for antivirus evasion. IET Inf. Secur. 2019, 13, 570–578. [Google Scholar] [CrossRef]
- gpoulios. ROPInjector. 2015. Available online: https://github.com/gpoulios/ROPInjector (accessed on 1 November 2024).
- Borrello, P.; Coppa, E.; D’Elia, D.C.; Demetrescu, C. The ROP needle: Hiding trigger-based injection vectors via code reuse. In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, Limassol, Cyprus, 8–12 April 2019; pp. 1962–1970. [Google Scholar]
- D’Elia, D.C.; Coppa, E.; Salvati, A.; Demetrescu, C. Static analysis of ROP code. In Proceedings of the Proceedings of the 12th European Workshop on Systems Security, Dresden, Germany, 2–5 March 2019; pp. 1–6.
- xoreaxeaxeax. movfuscator. 2015. Available online: https://github.com/xoreaxeaxeax/movfuscator (accessed on 1 November 2024).
- leetonidas. demovfuscator. 2016. Available online: https://github.com/leetonidas/demovfuscator (accessed on 1 November 2024).
- Kirsch, J.; Jonischkeit, C.; Kittel, T.; Zarras, A.; Eckert, C. Combating control flow linearization. In Proceedings of the ICT Systems Security and Privacy Protection: 32nd IFIP TC 11 International Conference, SEC 2017, Rome, Italy, 29–31 May 2017; Proceedings 32. Springer: Berlin/Heidelberg, Germany, 2017; pp. 385–398. [Google Scholar]
- Kocarev, L. Chaos-based cryptography: A brief overview. IEEE Circuits Syst. Mag. 2001, 1, 6–21. [Google Scholar] [CrossRef]
- Baptista, M. Cryptography with chaos. Phys. Lett. A 1998, 240, 50–54. [Google Scholar] [CrossRef]
- Alvarez, G.; Li, S. Some basic cryptographic requirements for chaos-based cryptosystems. Int. J. Bifurc. Chaos 2006, 16, 2129–2151. [Google Scholar] [CrossRef]
- Lawnik, M.; Berezowski, M. New chaotic system: M-map and its application in chaos-based cryptography. Symmetry 2022, 14, 895. [Google Scholar] [CrossRef]
- Fridrich, J. Symmetric ciphers based on two-dimensional chaotic maps. Int. J. Bifurc. Chaos 1998, 8, 1259–1284. [Google Scholar] [CrossRef]
- Yasser, I.; Mohamed, M.A.; Samra, A.S.; Khalifa, F. A chaotic-based encryption/decryption framework for secure multimedia communications. Entropy 2020, 22, 1253. [Google Scholar] [CrossRef]
- Stamp, M. Information Security: Principles and Practice; John Wiley & Sons: Hoboken, NJ, USA, 2011. [Google Scholar]
- Lorenz, E.N. Deterministic nonperiodic flow. J. Atmos. Sci. 1963, 20, 130–141. [Google Scholar] [CrossRef]
- Madan, R.N. Chua’s Circuit: A Paradigm for Chaos; World Scientific: Singapore, 1993; Volume 1. [Google Scholar]
- Rössler, O.E. An equation for continuous chaos. Phys. Lett. A 1976, 57, 397–398. [Google Scholar] [CrossRef]
- Kutta, W. Beitrag zur Näherungsweisen Integration Totaler Differentialgleichungen; Teubner: Leipzig, Germany, 1901. [Google Scholar]
- Runge, C. Über die numerische Auflösung von Differentialgleichungen. Math. Ann. 1895, 46, 167–178. [Google Scholar] [CrossRef]
- Parker, T.S.; Chua, L. Practical Numerical Algorithms for Chaotic Systems; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2012. [Google Scholar]
- Strogatz, S.H. Nonlinear Dynamics and Chaos: With Applications to Physics, Biology, Chemistry, and Engineering; CRC Press: Boca Raton, FL, USA, 2018. [Google Scholar]
- Hénon, M. A two-dimensional mapping with a strange attractor. In The Theory of Chaotic Attractors; Springer: Berlin/Heidelberg, Germany, 2004; pp. 94–102. [Google Scholar]
- Tang, F. An adaptive synchronization strategy based on active control for demodulating message hidden in chaotic signals. Chaos Solitons Fractals 2008, 37, 1090–1096. [Google Scholar] [CrossRef]
- Layek, G. An Introduction to Dynamical Systems and Chaos; Springer: Berlin/Heidelberg, Germany, 2015; Volume 449. [Google Scholar]
- Liu, Y.; Cai, R.; Yin, X.; Liu, S. An Exploit Traffic Detection Method Based on Reverse Shell. Appl. Sci. 2023, 13, 7161. [Google Scholar] [CrossRef]
- Almaleh, A.; Almushabb, R.; Ogran, R. Malware API calls detection using hybrid logistic regression and RNN model. Appl. Sci. 2023, 13, 5439. [Google Scholar] [CrossRef]
- Rose, A.; Graham, S.; Krasnov, J. IronNetInjector: Weaponizing. NET Dynamic Language Runtime Engines. Digit. Threat. Res. Pract. 2023, 4, 1–23. [Google Scholar] [CrossRef]
- Cho, K.; Bahn, H. A Lightweight File System Design for Unikernel. Appl. Sci. 2024, 14, 3342. [Google Scholar] [CrossRef]
- Security, D. Online x86/x64 Assembler and Disassembler. 2024. Available online: https://defuse.ca/online-x86-assembler.htm (accessed on 1 November 2024).
- Ilca, L.F.; Lucian, O.P.; Balan, T.C. Enhancing cyber-resilience for small and medium-sized organizations with prescriptive malware analysis, detection and response. Sensors 2023, 23, 6757. [Google Scholar] [CrossRef]
- Alhamed, M.; Rahman, M.H. A Systematic Literature Review on Penetration Testing in Networks: Future Research Directions. Appl. Sci. 2023, 13, 6986. [Google Scholar] [CrossRef]
Method | Advantages | Disadvantages |
---|---|---|
TheFatRat | Automates payload injection and applies multiple obfuscation techniques, challenging AV detection. | Susceptible to detection by advanced AV systems, as many AV tools recognize common patterns in generated payloads. |
Shikata Ga Nai | Polymorphic encoding alters the appearance of shellcode without changing functionality, defeating static analysis. | Limited effectiveness, as AV systems can learn to detect the encoding pattern with multiple iterations. |
Veil Framework | Supports multiple languages and formats for payload generation, using encryption and polymorphic techniques. | Less effective against dynamic analysis and sandboxing; may still be flagged by heuristic or behavioral-based AV systems. |
ROPInjector | Converts shellcode into return-oriented programming (ROP) gadgets, complicating detection. | Complex to implement and limited by the availability of suitable ROP gadgets within the target environment. |
Movfuscator | Replaces instructions with equivalent MOV instructions, creating unique obfuscated code. | Limited deobfuscation techniques exist, but AV systems may still detect certain patterns; high performance overhead. |
Chaotic Encryption (Proposed) | Generates randomized, dynamic encryption with chaotic systems, offering high unpredictability and evasion capabilities. | Sensitive to parameter tuning; if the parameters are not optimized, the system may stabilize, reducing evasion effectiveness. |
Chaotic System | Windows Execution Time (µs) | Linux Execution Time (µs) |
---|---|---|
Logistic Map | 425.2 | 463.8 |
Henon Map | 754.5 | 668.9 |
Lorenz System | 1677.5 | 1368.3 |
Chua’s Circuit | 1268.3 | 1431.4 |
Rössler System | 1855.3 | 1313.1 |
Vendor | Msfvenom Native (exe) | shikata_ga_nai in 5 Iterators | PwnWind in FatRat | Veil Framework |
---|---|---|---|---|
AdAware | Trojan.Metasploit.A | Trojan.Metasploit.A | Gen:Variant.Bulz.632241 | Gen:Variant.Kryptik.175 |
Alyac | Trojan.Metasploit.A | Trojan.Metasploit.A | - | Gen:Variant.Razy.575638 |
Arcabit | Trojan.Metasploit.A | Trojan.Metasploit.A | Trojan.Bulz.D9A5B1 | Trojan.Kryptik.175 |
Avast | Win32:MsfShell-V | Win32:ShikataGaNai-B | Win32:TheFatRat-A | Win32:Evo-gen |
AVG | Win32:MsfShell-V | Win32:ShikataGaNai-B | Win32:TheFatRat-A | Win32:Evo-gen |
Avira | TR/Crypt.XPACK.Gen7 | TR/Crypt.XPACK.Gen7 | HEUR/AGEN.1234945 | TR/Crypt.XPACK.Gen7 |
Bullguard | Win32:MsfShell-V | Win32:ShikataGaNai-B | Win32:TheFatRat-A | Win32:Evo-gen |
ClamAV | Win.Malware.Metasploit-10022275-0 | Win.Trojan.MSShellcode-6360728-0 | - | - |
Comodo Linux | - | - | TrojWare.MSIL.Rozena.C | TrojWare.MSIL.TrojanDownloader.Small.H |
Crowdstrike Falcon | Threat detected. | - | Threat detected. | - |
Emsisoft | Trojan.Metasploit.A | Trojan.Metasploit.A | Gen:Variant.Bulz.632241 | Gen:Variant.Kryptik.175 |
F-Prot | W64/S-c4a4ef26!Eldorado | W64/S-c4a4ef26!Eldorado | - | - |
F-Secure | TR/Crypt.XPACK.Gen7 | Trojan.TR/Crypt.XPACK.Gen7 | Heuristic.HEUR/AGEN.1306275 | Trojan.TR/Crypt.XPACK.Gen7 |
G Data | Trojan.Metasploit.A | Trojan.Metasploit.A | Gen:Variant.Bulz.632241 | Gen:Variant.Kryptik.175 |
IKARUS | Trojan.Win64.Meterpreter | Trojan.Win64.Meterpreter | Trojan.MSIL.Rozena | Trojan-Downloader.MSIL.Tiny |
Immunet | Win.Malware.Metasploit-10022275-0 | Win.Trojan.MSShellcode-6360728-0 | - | - |
Kaspersky | Trojan.Win64.Packed.gen | Trojan.Win64.Packed.gen | - | - |
Max Secure | Trojan_W64_090622_Packed_gen_YR | Trojan_W64_090622_Packed_gen_YR | - | - |
McAfee | Trojan-FJIN!D8D12B41E269 trojan !!! | Trojan-FJIN!C681A28426B4 trojan !!! | - | Trojan-Veil-FLRH!FC0B92454BC0 trojan !!! |
Microsoft Defender | Trojan:Win64/Meterpreter!pz | Trojan:Win64/Meterpreter!pz | Trojan:Win32/Rozena.D!bit | Trojan:MSIL/Tiny.EM!MTB |
NANO | - | - | - | Multiple Threats Detected (Trojan.Win32.TrjGen.dbjaze, Trojan.Win32.TrjGen.dkksls) |
NOD32 | Win64/Rozena.M trojan | Win64/Rozena.J trojan | MSIL/Rozena.C trojan | MSIL/TrojanDownloader.Tiny.BQ trojan |
Norman | Win32:MsfShell-V | Win32:ShikataGaNai-B | Win32:TheFatRat-A | Win32:Evo-gen |
SecureAge APEX | Malicious | Malicious | - | Malicious |
Seqrite | Trojan.Dynamer.S4605 | Trojan.Dynamer.S4605 | - | - |
Sophos | Mal/Swrort-J | Mal/Swrort-J | Troj/Tiny-DJ | Troj/Rozena-D |
Vba32 | - | - | Trojan.MSIL.PShell.gen | - |
VirITExplorer | Trojan.Win32.Generic.BZPS | Trojan.Win32.Generic.BZPS | - | Backdoor.Win32.Meterpreter.BG |
VirusFighter | ATK/Meter-A | ATK/Swrort-J | ATK/FatRat-H | ATK/Dloadr-EFR |
ZoneAlarm | HEUR:Trojan.Win64.Packed.gen | HEUR:Trojan.Win64.Packed.gen | HEUR:Trojan-Downloader.Win32.Generic | HEUR:Trojan.Win32.Generic |
Vendors | Original | Logistic Map | Henon Map | Lorenz System | Chua’s Circuit System | Rössler System |
---|---|---|---|---|---|---|
AdAware | Generic.ShellCode.Marte.4.EFC3787B | - | - | - | - | - |
Arcabit | Generic.ShellCode.Marte.4.EFC3787B | - | - | - | - | - |
Avast | Win32:MsfShell-V | - | - | - | - | - |
AVG | Win32:MsfShell-V | - | - | - | - | - |
Avira | HEUR/ AGEN.1216641 | HEUR/ AGEN.1216641 | HEUR/ AGEN.1216641 | HEUR/ AGEN.1216641 | HEUR/ AGEN.1216641 | HEUR/ AGEN.1216641 |
ClamAV | Win.Malware.Metasploit-10022275-0 | - | - | - | - | - |
Crowdstrike Falcon | Threat detected. | - | Threat detected. | Threat detected. | - | Threat detected. |
Emsisoft | Generic.ShellCode.Marte.4.EFC3787B | - | - | - | - | - |
G Data | Generic.ShellCode.Marte.4.EFC3787B | - | - | - | - | - |
IKARUS | Trojan.MSIL.Crypt | Trojan.MSIL.Crypt | Trojan.MSIL.Crypt | Trojan.MSIL.Crypt | Trojan.MSIL.Crypt | Trojan.MSIL.Crypt |
Immunet | Win.Malware.Metasploit-10022275-0 | - | - | - | - | - |
Microsoft Defender | Trojan:Win64/ Meterpreter.B | Trojan:Win64/ Meterpreter.B | Trojan:Win64/ Meterpreter.B | - | - | - |
Norman | Win32:MsfShell-V | - | - | - | - | - |
ZoneAlarm | HEUR:Trojan.Win32.Generic | - | - | - | - | - |
Vendors | Original | Logistic Map | Henon Map | Lorenz System | Chua’s Circuit System | Rössler System |
---|---|---|---|---|---|---|
AdAware | Gen:Variant.MSILHeracles.120280 | - | - | - | - | - |
Avast | ELF:Agent-DDL | - | - | - | - | - |
AVG | ELF:Agent-DDL | - | - | - | - | - |
eScan | Gen:Variant.MSILHeracles.120280[ZP] | - | - | - | - | - |
Norman | ELF:Agent-DDL | - | - | - | - | - |
Vendors | Original | Logistic Map |
---|---|---|
AdAware | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.7E57359F |
Arcabit | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.7E57359F |
Avast | Win32:MsfShell-V | Win32:MsfShell-V |
AVG | Win32:MsfShell-V | Win32:MsfShell-V |
Avira | HEUR/AGEN.1216641 | HEUR/AGEN.121664 |
ClamAV | Win.Malware.Metasploit-10022275-0 | Win.Malware.Metasploit-10022275-0 |
Crowdstrike Falcon | Threat detected. | - |
Emsisoft | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.7E57359 |
G Data | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.7E57359F |
IKARUS | Trojan.MSIL.Crypt | Trojan.MSIL.Cryp |
Immunet | Win.Malware.Metasploit-10022275-0 | Win.Malware.Metasploit-10022275-0- |
Microsoft Defender | Trojan:Win64/Meterpreter.B | Trojan:Win64/Meterpreter.B |
Norman | Win32:MsfShell-V | Win32:MsfShell-V |
ZoneAlarm | HEUR:Trojan.Win32.Generic | - |
Vendors | Original | Logistic Map with 0x00 Keys |
---|---|---|
AdAware | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.1CC7DB19 |
Arcabit | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.1CC7DB19 |
Avast | Win32:MsfShell-V | Win32:MsfShell-V |
AVG | Win32:MsfShell-V | Win32:MsfShell-V |
Avira | HEUR/AGEN.1216641 | HEUR/AGEN.1216641 |
ClamAV | Win.Malware.Metasploit-10022275-0 | Win.Malware.Metasploit-10022275-0 |
Crowdstrike Falcon | Threat detected. | - |
Emsisoft | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.1CC7DB19 |
G Data | Generic.ShellCode.Marte.4.EFC3787B | Generic.ShellCode.Marte.4.1CC7DB19 |
IKARUS | Trojan.MSIL.Crypt | Trojan.MSIL.Crypt |
Immunet | Win.Malware.Metasploit-10022275-0 | Win.Malware.Metasploit-10022275-0 |
Microsoft Defender | Trojan:Win64/Meterpreter.B | Trojan:Win64/Meterpreter.B |
Norman | Win32:MsfShell-V | Win32:MsfShell-V |
ZoneAlarm | HEUR:Trojan.Win32.Generic | - |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Huang, G.-C.; Chang, K.-C.; Lai, T.-H. Chaotic-Based Shellcode Encryption: A New Strategy for Bypassing Antivirus Mechanisms. Symmetry 2024, 16, 1526. https://doi.org/10.3390/sym16111526
Huang G-C, Chang K-C, Lai T-H. Chaotic-Based Shellcode Encryption: A New Strategy for Bypassing Antivirus Mechanisms. Symmetry. 2024; 16(11):1526. https://doi.org/10.3390/sym16111526
Chicago/Turabian StyleHuang, Gang-Cheng, Ko-Chin Chang, and Tai-Hung Lai. 2024. "Chaotic-Based Shellcode Encryption: A New Strategy for Bypassing Antivirus Mechanisms" Symmetry 16, no. 11: 1526. https://doi.org/10.3390/sym16111526
APA StyleHuang, G. -C., Chang, K. -C., & Lai, T. -H. (2024). Chaotic-Based Shellcode Encryption: A New Strategy for Bypassing Antivirus Mechanisms. Symmetry, 16(11), 1526. https://doi.org/10.3390/sym16111526