Static Analysis of GUID Encoded Shellcode

    Published: 2025-03-17. Last Updated: 2025-03-17 07:28:26 UTC
    by Didier Stevens (Version: 1)
    0 comment(s)

    I wanted to figure out how to statically decode the GUID encoded shellcode Xavier wrote about in his diary entry "Shellcode Encoded in UUIDs".

    Here is the complete Python script:

    I use re-search.py to select the GUIDs:

    I then decode the hexadecimal data with my tool hex-to-bin.py. Option -H is needed to ignore all non-hexadecimal characters.

    Notice that the text that resembles a User Agent String is mangled. That's because of the way GUIDs are encoded into binary data.

    Take a GUID like this one:

    {00112233-4455-6677-8899-AABBCCDDEEFF}

    When it is encoded to binary data, the first 3 parts are encoded little-endian, and the last 2 parts are encoded big-endian. Giving this byte sequence:

    33 22 11 00 55 44 77 66 88 99 AA BB CC DD EE FF

    I will now use my translate.py tool to reproduce this encoding (in the original Python script, this encoding is done with a Win32 API call: ctypes.windll.Rpcrt4.UuidFromStringA).

    First I split the byte stream into chuncks of 16 bytes (the length of a GUID) with a Python list comprehension:

    Next I rewrite the GUID (data[i:i+16]) by changing the order of the first 3 parts: data[i:i+4][::-1] + data[i+4:i+6][::-1] + data[i+6:i+8][::-1] ([::-1] is the expression used to reverse a sequence in Python):

    Now I can analyze this shellcode with my Cobalt Strike analysis tool 1768.py:

    This gives me information like the IPv4 address of the C2, the port, the path, ...

    What I don't see, is the license ID. That's because the decoded data has trailing null bytes:

    These 2 trailing null bytes are the result of the GUID encoding: each GUID is 16 bytes, so the decoded data has a length which is a multiple of 16 bytes, while the shellcode has a length which is not a multiple of 16 bytes. If I drop these 2 trailing null bytes, 1768.py will detect the license ID:

    Didier Stevens
    Senior handler
    blog.DidierStevens.com

    Keywords:
    0 comment(s)
    ISC Stormcast For Monday, March 17th, 2025 https://isc.sans.edu/podcastdetail/9366

      Comments


      Diary Archives