Shelter: ROP-based sleep obfuscation to evade memory scanners

This crate comes with the following characteristics:

• AES-128 encryption.
• Whole PE encryption capability.
• Removal of execution permission during sleep time.
• No APC/HWBP/Timers were used, exclusive use of ROP to achieve the obfuscation.
• Use of Unwinder to achieve call stack spoofing before executing the ROP chain.
• Different methods of execution to adapt to various circumstances.
• Other OPSEC considerations: DInvoke_rs, indirect syscalls, string literals encryption, etc.

[dependencies]
shelter = "0.1.0"

The main functionality of this crate has been wrapped in three functions:

• fluctuate() allows to encrypt of either the current memory region or the whole PE. This function requires the PE’s MZ bytes to be present to dynamically retrieve its base address.
• fluctuate_from_address() completely encrypts the PE. This function expects as an input parameter the PE’s base address.
• fluctuate_from_pattern() also completely encrypts the PE. This function expects as an input parameter a custom set of two bytes to use to determine the PE’s base address. These custom magic bytes replace the classic MZ pattern.

Whenever the whole PE is encrypted, the original sections’ memory protections are stored in the heap to restore them afterward.

Shelter uses NtWaitForSingleObject to sleep. In addition to indicating how many seconds you want to sleep, you can also pass an event handle and signal it at any time to return before the timeout expires (using SetEvent for example). Take into account that if your whole payload is encrypted (which is the whole point I guess), you will need an alternative way to signal the event in case you have slept indefinitely.

Download & Tutorial

Copyright 2024 Kurosh Dabbagh Escalante & Inés Martín Mínguez