I wanted to figure out how to statically decode the GUID encoded shellcode Xavier wrote about in his diary entry “Shellcode Encoded in UUIDs”.
Here is the complete Python script:
I use re-search.py to select the GUIDs:
I then decode the hexadecimal data with my tool hex-to-bin.py. Option -H is needed to ignore all non-hexadecimal characters.
Notice that the text that resembles a User Agent String is mangled. That’s because of the way GUIDs are encoded into binary data.
Take a GUID like this one:
{00112233-4455-6677-8899-AABBCCDDEEFF}
When it is encoded to binary data, the first 3 parts are encoded little-endian, and the last 2 parts are encoded big-endian. Giving this byte sequence:
33 22 11 00 55 44 77 66 88 99 AA BB CC DD EE FF
I will now use my translate.py tool to reproduce this encoding (in the original Python script, this encoding is done with a Win32 API call: ctypes.windll.Rpcrt4.UuidFromStringA).
First I split the byte stream into chuncks of 16 bytes (the length of a GUID) with a Python list comprehension:
Next I rewrite the GUID (data[i:i+16]) by changing the order of the first 3 parts:Â data[i:i+4][::-1] + data[i+4:i+6][::-1] + data[i+6:i+8][::-1] ([::-1] is the expression used to reverse a sequence in Python):
Now I can analyze this shellcode with my Cobalt Strike analysis tool 1768.py:
This gives me information like the IPv4 address of the C2, the port, the path, …
What I don’t see, is the license ID. That’s because the decoded data has trailing null bytes:
These 2 trailing null bytes are the result of the GUID encoding: each GUID is 16 bytes, so the decoded data has a length which is a multiple of 16 bytes, while the shellcode has a length which is not a multiple of 16 bytes. If I drop these 2 trailing null bytes, 1768.py will detect the license ID:
Didier Stevens
Senior handler
blog.DidierStevens.com
