After several weeks of research and having produced proof-of-concept code in Python, I have finally found some time to write the obfuscation library in a proper programming language. I have named the library Obfusion and I will make sure to expand its functionality in the future.

At the moment, Obfusion obfuscates code the same way the Python version does, but I made sure the code is cleaner and more optimized. The obfuscation process should be much faster than before, and I'm sure it can be optimized even further.

Here is a short demo of the library's capabilities. Take a look at this disassembled shellcode sample. The shellcode simply executes calc.exe via the WinExec API:

Original shellcode disassembly - exec_calc.lst

I ran this shellcode through the Obfusion obfuscator with 3 obfuscation passes; here is the disassembled obfuscated shellcode, which performs the same tasks as the original:

Obfuscated shellcode disassembly - output.lst

As you can see, this makes the code pretty hard to analyze. The shellcode size increased from 189 bytes to 357'236 bytes, and you can increase the obfuscation complexity even further at the cost of obfuscation speed.

If you haven't followed my previous research posts on obfuscation, you can catch up here:

X86 Shellcode Obfuscation - Part 1

X86 Shellcode Obfuscation - Part 2

X86 Shellcode Obfuscation - Part 3

GitHub

You can follow the development of the Obfusion library on my GitHub project page here:

Coming up

Make sure to watch this space, as I plan to release blog posts on how to prepare your Metasploit Meterpreter shellcodes to be obfuscation-friendly (they currently are not), and I will also demonstrate the best ways to infect any Portable Executable file with your own shellcode.

As always, if you want more of what you just read, follow me on Twitter @mrgretzky or send those heart-warming emails to kuba@breakdev.org.

See you soon and have fun with the library!