CN108270771A - A kind of shellcode encoding and decoding deformation method - Google Patents

Publication number: CN108270771A
Authority: CN (China)
Prior art keywords: shellcode; random integers; decoding; encoding; ciphertext
Legal status: Pending
Application number: CN201711399102.5A
Other languages: Chinese (zh)
Inventors: 姬国珍, 饶志宏
Current Assignee: CETC 30 Research Institute
Original Assignee: CETC 30 Research Institute
Application filed by CETC 30 Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a shellcode encoding and decoding deformation method. A random integer G is generated using a random number generator; an encryption key is computed from G using an encryption algorithm; the shellcode is encrypted with the encryption key to obtain the shellcode ciphertext C; a network protocol message is built according to the characteristics of the network protocol, and G and C are filled into the unused payload portion of the protocol and transmitted over the network; at the receiving end, the network data is filtered and G and C are extracted; a decryption key is computed from G using the encryption algorithm; and the ciphertext C is decrypted with the decryption key to obtain the shellcode plaintext. The encoding and decoding deformation method of the invention can effectively hide payload information, can prevent analysis through network traffic hijacking, and can efficiently perform vulnerability detection and exploitation.

Description

A shellcode encoding and decoding deformation method
Technical field
The present invention relates to a shellcode encoding and decoding deformation method.
Background art
Shellcode is a piece of binary vulnerability-exploitation code that is sent to a server; it is used for vulnerability detection and system security testing. Normally, shellcode written in C or other languages has obvious signatures. In particular, when it is transmitted over a network this works against information hiding: it is easily intercepted and analyzed in traffic, and is also easily reverse-engineered or statically analyzed.
Summary of the invention
To overcome the above shortcomings of the prior art, the present invention provides a shellcode encoding and decoding deformation method.
The technical solution adopted by the present invention to solve this technical problem is a shellcode encoding and decoding deformation method comprising the following steps:
Step 1: generate a random integer G using a random number generator;
Step 2: compute an encryption key from the random integer G using an encryption algorithm;
Step 3: encrypt the shellcode with the encryption key to obtain the shellcode ciphertext C;
Step 4: build a network protocol message according to the characteristics of the network protocol, then fill the random integer G and the ciphertext C into the unused payload portion of the network protocol and transmit it over the network;
Step 5: at the receiving end, filter the network data and extract the random integer G and the ciphertext C;
Step 6: compute the decryption key from the random integer G using the same encryption algorithm as in step 2;
Step 7: decrypt the ciphertext C with the decryption key to obtain the shellcode plaintext.
Compared with the prior art, the positive effect of the present invention is that the encoding and decoding deformation method can effectively hide payload information, can prevent analysis through network traffic hijacking, and can efficiently perform vulnerability detection and exploitation.
Description of the drawings
Examples of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of the method of the present invention;
Fig. 2 is a schematic diagram of computing the encryption key;
Fig. 3 is a schematic diagram of obtaining the ciphertext;
Fig. 4 is a schematic diagram of the decryption process.
Specific embodiment
A shellcode encoding and decoding deformation method, as shown in Fig. 1, comprises the following steps:
Step 1: write the shellcode program using a C compiler or other compilation tools and extract the shellcode.
Step 2: generate a 2-byte random integer G of type short using a random number generator.
The random integer is transformed in step 3 to obtain the encryption key. There are many ways to generate random integers; any of them is acceptable as long as the random number generated each time meets the length requirement.
Another way to compute the random number is to hash the current timestamp and take the ASCII character values at certain specific positions of the hash to generate a new random number G. The pseudocode for computing G is as follows.
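String strTimeStampHash = Calc_SHA1((int) time(0));   // SHA1 hash of the current timestamp, as a string
String strGenRandNum = strTimeStampHash[0:1] + strTimeStampHash[7:8];   // four characters selected from the hash
int intGenRand = StringToInt(strGenRandNum);   // convert the length-4 string to the integer G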
Here, the Calc_SHA1 function hashes the current timestamp with the SHA1 algorithm to obtain its hash value; strTimeStampHash is a character string. strGenRandNum is a string of length 4 formed by selecting part of the data from the hash result strTimeStampHash. Finally, the StringToInt function converts the length-4 string to an integer.
The random number G can be of another type, such as a random string, but the corresponding encryption algorithm must then be changed accordingly. A method for computing the encryption key from a random string is given in step 3 below.
(Note: the length of the random number G can vary; its length is determined by the step 3 algorithm.)
Step 3: compute the encryption key from the random integer G using an encryption algorithm:
The encryption algorithm takes the random integer G generated in step 2 as its input parameter and, through a certain transformation, obtains a random number of fixed length; this random number is the encryption key. The encryption algorithm used here is determined by the number of digits of the random number G.
The first method is for a random integer and is illustrated with an improved block encryption algorithm; the method of computing the encryption key is shown in Fig. 2. Here, G is a 2-byte random integer and Reverse(G) is the integer obtained by reversing the hexadecimal digits of G (for example, Reverse(0x1234) = 0x4321). Finally, G is multiplied by its reversed number, the product is multiplied by the constant 8, and the last 8 bytes of the result are taken as the encryption key K.
The second method is for a random string of length 8; it encrypts each character by shift transformation and XOR operations. For example, encrypting the string "luck" with the above encryption algorithm gives the ciphertext "3d24323a", which converted to a hexadecimal integer is 0x3d24323a. The corresponding key is also 0x3d24323a.
We provide two different encryption algorithms for the different types of random number. As long as the random numbers G differ, the generated encryption keys also differ, which meets the requirements of the encryption algorithm. From the analysis above, it can be seen that computing the encryption key from an integer random number is comparatively simpler.
Step 4: encrypt the shellcode with the encryption key to obtain the shellcode ciphertext.
As shown in Fig. 3, taking the common XOR encryption as an example, the shellcode plaintext data is first grouped according to the key length to obtain the plaintext M(m1, m2, …, mn); each grouped shellcode plaintext segment mi is then XOR-encrypted with the encryption key to obtain the ciphertext C(c1, c2, …, cn).
Step 5: build a network protocol message according to the characteristics of the network protocol, then fill the random integer G and the ciphertext C into the unused payload portion of the network protocol and transmit it over the network.
Taking the ICMP protocol as an example, the ciphertext C is divided into multiple data segments of length 28 bytes; positions 0~1 of the network protocol are then used to fill in the random plaintext G, with a length of 2 bytes, and positions 2~31 are used to fill in the ciphertext C, with a length of 28 bytes. For other protocols, different protocol fields can likewise be used to fill in the random plaintext G and the encrypted shellcode ciphertext C.
The specific construction method is as follows:
Using the first method mentioned above, if the generated 2-byte random number is G = 0x154d, the corresponding key is K = 8*G*Reverse(G) = 8*0x154d*0xd451 = 0x8d540ae8.
Next, it is only necessary to fill bytes 1 and 2 of the ICMP protocol with 0x15 and 0x4d, XOR-encrypt the shellcode plaintext with the key K, divide the shellcode ciphertext into groups of 30, and fill them into positions 2 to 31 of the ICMP protocol. The filled data message is then sent.
Step 6: at the receiving end, filter the network data and extract the random integer G and the encrypted shellcode ciphertext C.
Step 7: compute the decryption key from the random integer G using the same encryption algorithm as in step 3.
Step 8: decrypt the ciphertext C with the decryption key, using the same algorithm as in step 4, to obtain the shellcode plaintext.
The decryption process XORs the ciphertext C with the decryption key computed in step 7 to obtain the plaintext data. The specific decryption process is shown in Fig. 4. The decryption algorithm is computed in the same way as the encryption algorithm; both are XOR.
Step 9: execute the shellcode and obtain privileges.
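The key derivation and payload layout worked through above, seen from a monitoring point: G travels in cleartext next to C and K is a fixed function of G, so anyone who captures the packet and knows the scheme can recompute K and read the content, and G and Reverse(G) always yield the same key. This is an added example, not code from the patent; the 32-bit truncation (chosen because it reproduces the page's 0x8d540ae8), the big-endian key byte order, the function names and the sample bytes are assumptions.

```python
"""Added example (not from the patent): a monitoring-side look at the G -> K scheme."""
import struct

MASK32 = 0xFFFFFFFF  # assumption: the key is the low 32 bits (8 hex digits) of the product


def reverse_hex(g: int) -> int:
    """Reverse the four hex digits of a 16-bit value: 0x1234 -> 0x4321."""
    return int(f"{g & 0xFFFF:04x}"[::-1], 16)


def derive_key(g: int) -> int:
    """K = 8 * G * Reverse(G), truncated so that G=0x154d gives the page's 0x8d540ae8."""
    return (8 * g * reverse_hex(g)) & MASK32


def xor_blocks(data: bytes, key: int) -> bytes:
    """XOR data with the repeating 4-byte key (big-endian byte order is an assumption)."""
    kb = struct.pack(">I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def inspect_payload(payload: bytes):
    """Recover (G, K, content) from a payload laid out as 2 bytes of G followed by C."""
    if len(payload) < 3:
        raise ValueError("payload too short to hold G and any ciphertext")
    (g,) = struct.unpack(">H", payload[:2])  # page: bytes 0x15, 0x4d carry G=0x154d
    key = derive_key(g)
    return g, key, xor_blocks(payload[2:], key)


def key_space():
    """All keys the 2-byte G can produce; the set is smaller than the 65536 inputs."""
    return {derive_key(g) for g in range(0x10000)}


# Constructed sample: harmless ASCII text stands in for the transmitted content.
SAMPLE_TEXT = b"CONSTRUCTED-SAMPLE-28-BYTES!"
SAMPLE_PAYLOAD = bytes([0x15, 0x4D]) + xor_blocks(SAMPLE_TEXT, derive_key(0x154D))

if __name__ == "__main__":
    g, key, content = inspect_payload(SAMPLE_PAYLOAD)
    print(f"G=0x{g:04x}  K=0x{key:08x}  content={content!r}")
    print("distinct keys:", len(key_space()))
    print("G=0 key:", hex(derive_key(0)))  # zero key: content would pass through unchanged
```

Every derived key is a multiple of 8, so its three lowest bits are always zero and the matching bits of the content are not altered by the XOR.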

Claims (8)

1. A shellcode encoding and decoding deformation method, characterized in that it comprises the following steps:
Step 1: generate a random integer G using a random number generator;
Step 2: compute an encryption key from the random integer G using an encryption algorithm;
Step 3: encrypt the shellcode with the encryption key to obtain the shellcode ciphertext C;
Step 4: build a network protocol message according to the characteristics of the network protocol, then fill the random integer G and the ciphertext C into the unused payload portion of the network protocol and transmit it over the network;
Step 5: at the receiving end, filter the network data and extract the random integer G and the ciphertext C;
Step 6: compute the decryption key from the random integer G using the same encryption algorithm as in step 2;
Step 7: decrypt the ciphertext C with the decryption key to obtain the shellcode plaintext.
2. The shellcode encoding and decoding deformation method according to claim 1, characterized in that the method of generating the random integer G is: compute the hash value of the current timestamp, then take the ASCII character values at certain specific positions of the hash to generate a new random integer.
3. The shellcode encoding and decoding deformation method according to claim 2, characterized in that the random integer G is a 2-byte integer of type short.
4. The shellcode encoding and decoding deformation method according to claim 3, characterized in that the method of computing the encryption key in step 2 is: first multiply the random integer G by its reversed number Reverse(G), then multiply by 8, and finally take the last 8 bytes of the result as the encryption key.
5. The shellcode encoding and decoding deformation method according to claim 4, characterized in that the reversed number Reverse(G) is the integer obtained by reversing the hexadecimal digits of the random integer G.
6. The shellcode encoding and decoding deformation method according to claim 5, characterized in that the method of filling in the random integer G and the ciphertext C in step 4 is: for the ICMP protocol, the ciphertext C is divided into multiple data segments of length 28 bytes; positions 0~1 of the network protocol are then used to fill in the random integer G, with a length of 2 bytes, and positions 2~31 are used to fill in the ciphertext C, with a length of 28 bytes.
7. The shellcode encoding and decoding deformation method according to claim 3, characterized in that the method of computing the encryption key in step 2 is: for a random string of length 8, encrypt each character by shift transformation and XOR operations.
8. The shellcode encoding and decoding deformation method according to claim 1, characterized in that the method of encrypting to obtain the shellcode ciphertext C in step 3 is: first group the shellcode plaintext data according to the key length to obtain the plaintext M(m1, m2, …, mn), then XOR-encrypt each grouped shellcode plaintext segment mi with the encryption key to obtain the ciphertext C(c1, c2, …, cn).
Application number: CN201711399102.5A
Priority date: 2017-12-22
Filing date: 2017-12-22
Title: A kind of shellcode encoding and decoding deformation method
Status: Pending
Publication: CN108270771A (en), published 2018-07-10
Family ID: 62772164
Country: CN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180710)
RJ01 Rejection of invention patent application after publication