CN108270771A - A shellcode encoding and decoding deformation method
- Publication number: CN108270771A
- Application number: CN201711399102.5A
- Authority: CN (China)
- Prior art keywords: shellcode, random integers, decoding, encoding, ciphertext
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1433: Vulnerability analysis (under H04L63/14, network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (under G06F21/57, certifying or maintaining trusted computer platforms)
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441, countermeasures against malicious traffic)
- G06F2221/034: Test or assess a computer or a system (under G06F2221/03, indexing scheme relating to G06F21/50)
Abstract
The invention discloses a shellcode encoding and decoding deformation method. A random integer G is generated using a random number generator; an encryption algorithm is applied to G to compute an encryption key; the shellcode is encrypted with the encryption key to obtain the shellcode ciphertext C; a network protocol message is constructed according to the characteristics of the network protocol, G and C are each filled into the unused payload fields of the protocol, and the message is transmitted over the network; at the receiving end the network data is filtered and G and C are extracted; the encryption algorithm is applied to G to compute the decryption key; and C is decrypted with the decryption key to obtain the shellcode plaintext. The encoding and decoding deformation method of the invention can effectively hide payload information, can prevent analysis through network traffic hijacking, and can efficiently perform vulnerability detection and exploitation.
Description
Technical field
The present invention relates to a shellcode encoding and decoding deformation method.
Background
Shellcode is a piece of binary code that is sent to a server to exploit a vulnerability; it is used for vulnerability detection and system security testing. Shellcode written in C or other languages usually has obvious characteristic features. When it is transmitted over a network in particular, this works against information hiding: the shellcode is easily analyzed through traffic hijacking, and it is also easily reverse engineered or statically analyzed.
Summary of the invention
To overcome the above shortcomings of the prior art, the present invention provides a shellcode encoding and decoding deformation method.
The technical solution adopted by the present invention to solve this technical problem is a shellcode encoding and decoding deformation method that includes the following steps:
Step 1: Generate a random integer G using a random number generator;
Step 2: Apply an encryption algorithm to the random integer G to compute the encryption key;
Step 3: Encrypt the shellcode with the encryption key to obtain the shellcode ciphertext C;
Step 4: Construct a network protocol message according to the characteristics of the network protocol, then fill the random integer G and the ciphertext C into the unused payload fields of the protocol and transmit the message over the network;
Step 5: At the receiving end, filter the network data and extract the random integer G and the ciphertext C;
Step 6: Apply the same encryption algorithm as in step 2 to the random integer G to compute the decryption key;
Step 7: Decrypt the ciphertext C with the decryption key to obtain the shellcode plaintext.
Compared with the prior art, the positive effect of the present invention is that the encoding and decoding deformation method can effectively hide payload information, can prevent analysis through network traffic hijacking, and can efficiently perform vulnerability detection and exploitation.
Description of the drawings
The present invention is described by way of example with reference to the accompanying drawings, in which:
Fig. 1 is the flow chart of the method of the present invention;
Fig. 2 is a schematic diagram of computing the encryption key;
Fig. 3 is a schematic diagram of obtaining the ciphertext;
Fig. 4 is a schematic diagram of the decryption process.
Detailed description
A shellcode encoding and decoding deformation method, as shown in Fig. 1, includes the following steps:
Step 1: Write the shellcode program using a C compiler or other compilation tools and extract the shellcode.
Step 2: Generate a 2-byte random integer G of type short using a random number generator.
The random integer is needed because step 3 transforms it to obtain the encryption key. There are many ways to generate a random integer; any of them will do as long as the random number generated each time meets the length requirement.
Another way to compute the random number is to compute the hash of the current timestamp and take the ASCII values of certain positions of the hash to generate a new random number G. The pseudocode for computing G is as follows.
String strTimeStampHash = Calc_SHA1((int)time(0));
String strGenRandNum = strTimeStampHash[0:1] + strTimeStampHash[7:8];
int intGenRand = StringToInt(strGenRandNum);
Here, the Calc_SHA1 function hashes the current timestamp with the SHA1 algorithm to obtain its hash value; strTimeStampHash is a character string. strGenRandNum is a string of length 4 formed by selecting part of the data from the hash result strTimeStampHash. Finally, the StringToInt function converts the length-4 string to an integer.
The random number G can be of another type, such as a random string, but the corresponding encryption algorithm must then be changed accordingly. A method for computing the encryption key from a random string is given in step 3 below.
(Note: the length of the random number G can vary; its length is determined by the algorithm in step 3.)
Step 3: Apply an encryption algorithm to the random integer G to compute the encryption key:
The encryption algorithm takes the random integer G generated in step 2 as its input parameter and, through a certain transformation, produces a random number of fixed length; this random number is the encryption key. The encryption algorithm used here is determined by the number of digits of the random number G.
The first method is for random integers and is illustrated with an improved block encryption algorithm. The method of computing the encryption key is shown in Fig. 2, where, if G is a 2-byte random integer, Reverse(G) is the integer formed by reversing the hexadecimal digits of G (e.g. Reverse(0x1234) = 0x4321). Finally, G is multiplied by its reversed number Reverse(G), then multiplied by the constant 8, and the last 8 bytes of the result are taken as the encryption key K.
The second method is for a random string of length 8; each character is encrypted by means of shift transformations and XOR operations. For example, the ciphertext obtained by encrypting the string "luck" with the above encryption algorithm is "3d24323a", which converted to a hexadecimal integer is 0x3d24323a. The corresponding key is also 0x3d24323a.
We provide two different encryption algorithms for the two different types of random number. As long as the random numbers G differ, the generated encryption keys also differ, which meets the requirements of a cryptographic algorithm. From the analysis of the algorithms above, it can be seen that computing the encryption key from an integer random number is relatively simpler.
Step 4: Encrypt the shellcode with the encryption key to obtain the shellcode ciphertext.
As shown in Fig. 3, taking common XOR encryption as an example, the shellcode plaintext data is first grouped according to the key length to obtain the plaintext M(m1, m2, …, mn); each grouped shellcode plaintext block mi is then XORed with the encryption key to obtain the ciphertext C(c1, c2, …, cn).
Step 5: Construct a network protocol message according to the characteristics of the network protocol, then fill the random integer G and the ciphertext C into the unused payload fields of the protocol and transmit the message over the network.
Taking the ICMP protocol as an example, the ciphertext C is divided into multiple data segments of 28 bytes each; positions 0~1 of the network protocol are then used to hold the random plaintext G, with a length of 2 bytes, and positions 2~31 are used to hold the ciphertext C, with a length of 28 bytes. For other protocols, different protocol fields can likewise be used to hold the random plaintext G and the encrypted shellcode ciphertext C.
The specific construction method is as follows:
Using the first method described above, if the generated 2-byte random number is G = 0x154d, the corresponding key is K = 8*G*Reverse(G) = 8*0x154d*0xd451 = 0x8d540ae8.
Next, bytes 1 and 2 of the ICMP protocol only need to be filled with 0x15 and 0x4d; the shellcode plaintext is XOR-encrypted with the key K, and the shellcode ciphertext is divided into groups of 30, each of which is filled into positions 2 to 31 of the ICMP protocol. The filled data message is then sent.
Step 6: At the receiving end, filter the network data and extract the random integer G and the encrypted shellcode ciphertext C.
Step 7: Apply the same encryption algorithm as in step 3 to the random integer G to compute the decryption key.
Step 8: Using the same algorithm as in step 4, decrypt the ciphertext C with the decryption key to obtain the shellcode plaintext.
Decryption consists of XORing the ciphertext C with the decryption key computed in step 7 to obtain the plaintext data. The specific decryption process is shown in Fig. 4. The decryption algorithm is computed the same way as the encryption algorithm; both are XOR.
Step 9: Execute the shellcode and obtain privileges.
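Because G is carried in cleartext and K is a fixed function of G, a network sensor can recompute K from a captured payload and re-apply its content signatures to the decoded bytes. The following added example (not part of the patent) shows this for the first key method; the 32-bit key width (matching the worked value 0x8d540ae8), the big-endian key byte order, the payload layout (G in the first 2 bytes, ciphertext after it), the signature and the sample payload are assumptions or constructed values.

```python
"""Sensor-side decoding of the G-derived XOR scheme (added example)."""

KEY_BYTES = 4  # assumption: K is the low 32 bits, matching the page's 0x8d540ae8


def reverse_hex16(g: int) -> int:
    """Reverse the four hex digits of a 16-bit value: 0x1234 -> 0x4321."""
    if not 0 <= g <= 0xFFFF:
        raise ValueError("G must fit in 2 bytes")
    return int(f"{g:04x}"[::-1], 16)


def derive_key(g: int) -> int:
    """K = 8 * G * Reverse(G), truncated to KEY_BYTES (truncation is assumed)."""
    return (8 * g * reverse_hex16(g)) & ((1 << (8 * KEY_BYTES)) - 1)


def xor_with_key(data: bytes, key: int) -> bytes:
    """Repeating-key XOR; key bytes are taken big-endian (assumption)."""
    kb = key.to_bytes(KEY_BYTES, "big")
    return bytes(b ^ kb[i % KEY_BYTES] for i, b in enumerate(data))


def inspect_payload(payload: bytes, signatures: list[bytes]) -> dict:
    """Recover G from the first 2 bytes, decode the rest, re-run signatures."""
    if len(payload) < 3:
        return {"g": None, "key": None, "decoded": b"", "hits": []}
    g = int.from_bytes(payload[:2], "big")
    key = derive_key(g)
    decoded = xor_with_key(payload[2:], key)
    hits = [s for s in signatures if s in decoded]
    return {"g": g, "key": key, "decoded": decoded, "hits": hits}


# Constructed sample: a harmless marker string stands in for the payload body.
SAMPLE_G = 0x154D  # value used in the page's worked example
SAMPLE_BODY = b"lab-test: HARMLESS-MARKER-0001"
SAMPLE_PAYLOAD = SAMPLE_G.to_bytes(2, "big") + xor_with_key(
    SAMPLE_BODY, derive_key(SAMPLE_G)
)
SIGNATURES = [b"HARMLESS-MARKER"]  # constructed signature for the demo

if __name__ == "__main__":
    raw_hits = [s for s in SIGNATURES if s in SAMPLE_PAYLOAD]
    result = inspect_payload(SAMPLE_PAYLOAD, SIGNATURES)
    print("signature hits on raw payload:    ", raw_hits)
    print(f"G=0x{result['g']:04x}  K=0x{result['key']:08x}")
    print("signature hits on decoded payload:", result["hits"])
```

The signature misses the raw payload and matches after decoding, which is why content inspection for this scheme has to run on the decoded bytes.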
Claims (8)
1. A shellcode encoding and decoding deformation method, characterized in that it includes the following steps:
Step 1: Generate a random integer G using a random number generator;
Step 2: Apply an encryption algorithm to the random integer G to compute the encryption key;
Step 3: Encrypt the shellcode with the encryption key to obtain the shellcode ciphertext C;
Step 4: Construct a network protocol message according to the characteristics of the network protocol, then fill the random integer G and the ciphertext C into the unused payload fields of the network protocol and transmit the message over the network;
Step 5: At the receiving end, filter the network data and extract the random integer G and the ciphertext C;
Step 6: Apply the same encryption algorithm as in step 2 to the random integer G to compute the decryption key;
Step 7: Decrypt the ciphertext C with the decryption key to obtain the shellcode plaintext.
2. The shellcode encoding and decoding deformation method according to claim 1, characterized in that the random integer G is generated by computing the hash of the current timestamp and then taking the ASCII values of certain positions of the hash to generate a new random integer.
3. The shellcode encoding and decoding deformation method according to claim 2, characterized in that the random integer G is a 2-byte integer of type short.
4. The shellcode encoding and decoding deformation method according to claim 3, characterized in that the method of computing the encryption key in step 2 is: first multiply the random integer G by its reversed number Reverse(G), then multiply by 8, and finally take the last 8 bytes of the result as the encryption key.
5. The shellcode encoding and decoding deformation method according to claim 4, characterized in that the reversed number Reverse(G) is the integer formed by reversing the hexadecimal digits of the random integer G.
6. The shellcode encoding and decoding deformation method according to claim 5, characterized in that the method of filling in the random integer G and the ciphertext C in step 4 is: for the ICMP protocol, the ciphertext C is divided into multiple data segments of 28 bytes each; positions 0~1 of the network protocol are then used to hold the random integer G, with a length of 2 bytes, and positions 2~31 are used to hold the ciphertext C, with a length of 28 bytes.
7. The shellcode encoding and decoding deformation method according to claim 3, characterized in that the method of computing the encryption key in step 2 is: for a random string of length 8, each character is encrypted by means of shift transformations and XOR operations.
8. The shellcode encoding and decoding deformation method according to claim 1, characterized in that the method of obtaining the shellcode ciphertext C by encryption in step 3 is: the shellcode plaintext data is first grouped according to the key length to obtain the plaintext M(m1, m2, …, mn); each grouped shellcode plaintext block mi is then XORed with the encryption key to obtain the ciphertext C(c1, c2, …, cn).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711399102.5A | 2017-12-22 | 2017-12-22 | A shellcode encoding and decoding deformation method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108270771A | 2018-07-10 |
Family ID: 62772164
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108270771A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20180710 |