Wednesday, March 3, 2021

MMD-067-2021 - Recent talks on shellcode analysis series at R2CON-2020, ROOTCON-14 2020 from HACK.LU-2019

Tag: Linux, LinuxSecurity, Memory Forensics, RE, ReverseEngineering, DFIR, Fileless, ProcessInjection, Shellcode, Exploit, PostExploitation, BlueTeaming, HandsOut, Demo, Video, Slides, Presentation

The background of this research and these talks

After my HACK.LU-2019 talk [link], I was asked many questions about Linux process injection that can trigger code execution, and yes, one of the favorite topics is the shellcode used as the payload of the injection. As a blue-teamer, following up on the questions I received put me in a unique position between the blue-team and red-team discussions. While the red teamers discussed more the practical implementation of the presented idea, the blue teamers asked about handling it.

About the shellcode itself: since 2015 I have been active in cyber threat analysis workshops for our regeneration purpose, to help the young community around me analyze things the way I do, or better. When I brought the shellcode analysis topic to the table, the result showed that our blue-team friends don't have much information on it compared to the red-team ones. Maybe the nature of the work has caused this; the blue team is not as "hungry" as the red team on this topic. All of this made me plan a series of talks about shellcode from 2019, and finally in 2020 I could establish a sequel of talks on the topic at online conferences, as the continuation of the shellcode payload part of my HACK.LU keynote talk.

Shellcode as a topic is "interesting" in many ways through the binary analysis telescope I use; its coverage is so wide that I decided to build the presentation around the radare2 analysis vector, yet one event is simply not enough to cover all of its aspects. My friends helped me out at this point (thanks to Cooper, Jay Turla and pancake/trufae), so I could adjust the plan to cover shellcode analysis with radare2 in two parts, a basic part and a more advanced talk, at the R2CON-2020 and ROOTCON-14 2020 conferences. Because mitigation and handling were needed first, this post has been kept in TLP AMBER for six months; we have decided that March 2021 is a good time to publish it properly.

The purpose of sharing these presentations

  • The security community, especially the blue team, should consider the possibility of the mentioned threats, to be better prepared in mitigating and handling such incidents.
  • Through this sharing of information we hope the audience can improve their protection scheme and their playbooks for handling such incidents, and can be more systematic in documenting, databasing and providing detection signatures for the presented possible threats. Note that what has been presented are actual tools and artifacts from real incidents.
  • It is important to lift ourselves up to see a wider scope of the cyber threat information that might hit us in the future. Remember that what hasn't hit us now doesn't mean it won't hit us later. The material shared here is an example of this point of view.

The talk sequel..

Below is the explanation of the talk sequel for those three presentations. Each starts with a summary of the talk information, followed by viewable links to the slide deck I use on SlideShare, and also the link to the talk video on YouTube. You can download the slide decks from the MalwareMustDie repository I maintain on GitHub once they have been uploaded.

Warning: There are probably several minor mistakes or leftovers here and there in the presentations. A few of them are in the slides, but many of them are in the videos, in how I pronounce some terms, because I had to race against my talk stopwatch. Please refer to the slides instead and kindly bear with those minor mistakes. Thanks.

HACK.LU-2019 talk materials: "Fileless malware and Process Injection in Linux"

The HACK.LU-2019 talk materials were set to TLP AMBER for a year, so no one from MMD shared them openly. That policy was meant to give time for awareness and to mitigate several security aspects raised in the talk (within the international and Japanese security community), and we gave it a year. It has now been more than a year since HACK.LU-2019, and the R2CON-2020 and ROOTCON-14 2020 shellcode talks are related to it, so we think it is good to switch the TLP to WHITE so the talks can be used as references to each other as a sequel. Below is the material information:

You can see the slide below:

The video of the talks can be viewed here:

(Big thanks to Cooper @Ministraitor for the terrific recording)

The Q & A I received has been compiled and published in the report page here: [link]

About the talk in R2CON-2020 "So, you don't like the shellcode too.."

This presentation, which I gave at R2CON-2020 [link], is part one of the shellcode analysis sequel; it had actually been planned since 2019 and could finally be delivered in 2020. The talk took about 30 minutes and contains about 58 pages and six demonstrations. It is rich in information about very basic shellcode analysis for radare2 users. The goal of the talk is to introduce r2 beginners and learners to using radare2 for shellcode analysis, and all you need for it is a shell. The talk aims at those who want to analyze shellcode statically and dynamically with richer alternatives than gdb, objdump (binutils) or other tools. More comments on the talk can be read here: [link]

The six demonstration sessions on Linux and Windows are meant to show the steps needed to learn about shellcode on a recent version of radare2, using what is provided and shared on the internet nowadays: from how the shellcode is built, down through the several steps of the analysis mode, and an explanation of two emulation-based assembly code analysis processes that can support your static shellcode analysis. Like my previous presentations, the slides are structured as well as possible, explaining the basic concepts, examples, some interesting cases to share experience, and some take-away advice at the end. Below is the material information:

You can see the slide below:

The video of the talks can be viewed here:

NOTE: The video is obviously too condensed, because I had to fit 6 demos and many basic explanations into a 30-minute timeline. In the recorded video above you can always pause and follow along afterwards while reading the slides.

If you want to see the Q & A contents you can tune in to the R2CON2020 YouTube channel; the link is here: [link]

About the talk in ROOTCON-14 2020 "A deeper diving into shellcode"

This talk is part two of the shellcode sequel. Since ROOTCON-14 2020 [] is more of a red-teamer conference, I assume that most of the attendees are already familiar with shellcode basics and their usage in exploitation. So the talk is a continuation of the R2CON-2020 shellcode talk, meant for security professionals, explaining more advanced shellcode tricks and the methods to analyze them. The talk is almost 45 minutes long, contains 75 pages and has one demonstration of analyzing a real shellcode payload in radare2; that payload contains several tricks, which is useful for you when doing similar analysis.

The material introduces the two most common stagers or loaders for shellcode payloads, several injection tools you need to be aware of for their advanced shellcode injection tricks with some evasion techniques, and presents the merits and demerits of using some forensic states when dealing with shellcode incidents in a Linux environment. Further, environment development advice and some tools are also introduced so that professionals can handle multi-platform shellcode.
Actually the talk has two more demonstrations on shellcode analysis in MIPS and ARM environments, for some IoT aspects of shellcode injection, but time was too limited so I had to exclude them for now; I will share them in the next event(s). Below is the material of the talk:

You can see the slide below:

The video of the talks can be viewed here:

The Q & A info can be seen on the ROOTCON site (they recorded the full session and promised to share it); the access info is here: [link]

Correction: In the video at 10:28, assembly line 3 has a typo. It is supposed to be register EDX that holds the "RWX" permission, not ECX. The slide has been corrected.

The disclaimer

The slides and talks mentioned above have been developed from a blue-team perspective and are based on my know-how and experience in handling cyber incidents involving code injection and shellcode on Linux platforms. The purpose of sharing these slide decks is awareness and a give-back effort to the security community, for incident responders, DFIR and security research folks dealing with similar issues.

The talks are meant to be non-operational and non-attributive in their material; the slide decks are written to be as conceptual as possible, containing basic methods for shellcode analysis on the shell platform, along with the schemes of their loaders (either wrapper or supportive code-injection code).

The material is strictly based on cyber threat research we have conducted in the MalwareMustDie organization; there is no data or information from the speaker's profession or from other groups in any of these slides. All of the threat information used as examples in the slides and demonstrations is actually accessible on the internet under TLP WHITE.

All of the information security content shared on this page is bound by the MalwareMustDie disclaimer [link].

My thanks and appreciation go to HACK.LU, R2CON and ROOTCON for making this sharing happen successfully, and also to the MalwareMustDie teams and my Cyber Emergency Center of LAC/LACERT team mates, who gave me a lot of support in delivering these contents. And also a big gratitude to the friends who have been supporting our awareness activities and my analysis work for so long.

I hope the information shared in this post can be used responsibly to improve our security knowledge.

1. About the HACK.LU Security Conference [link]

2. About the R2CON Radare2 Community Conference [link]

3. About the ROOTCON Security Conference [link]

Malware Must Die!