One of the most important features of Shellter is its ability to obfuscate its stubs by mixing the effective instructions with junk instructions and/or by generating a specific output with variable instructions. This has already been improved a lot in Shellter Pro, but we wanted to make things even better.
Obfuscating the code by itself doesn’t really mean anything. The way the obfuscation works is the key part.
In a few words, we want the obfuscated code to look as ‘normal’ as possible. This can be achieved by randomly using a variety of instructions of variable length.
The number of instructions used each time should also be randomized. This helps not only against pattern-finding from the AV perspective, but also by varying the distance between instructions that an AV signature could otherwise group together in a specific code block.
Until now, for simplicity, we have been using the standard ‘rand()’ C library function to randomize the various paths taken during the obfuscation process.
Even though this has served us well enough for this specific purpose, we decided it was time to improve that part as well.
That being said, the random path selection process will now by default use Microsoft’s Crypto API: either CNG (Cryptography API: Next Generation), supported from Windows Vista onwards, or the legacy Crypto API, supported from Windows XP onwards.
Someone might ask why we didn’t move directly to just the ‘Next Generation Crypto API’. The answer is simply “backwards OS compatibility”. We want Shellter Pro to remain compatible with Windows XP because people running our software through Wine usually use the default settings.
However, for reliability, in case those Crypto API functions fail at any time (Wine issues etc.), Shellter Pro will automatically fall back to the ‘rand()’ function so that the payload injection completes without problems.
In other words, depending on which functions are available and which calls succeed, Shellter Pro will try the next available option.
If, for example, CNG is available but a call to a CNG function fails for some reason, Shellter Pro will try the legacy Crypto API; if that attempt fails too, then and only then will it fall back to ‘rand()’.
In short, this is another update that improves an existing feature, one which could be extended and enhanced further down the road thanks to the improved randomization process.
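A minimal C sketch of the fallback order just described, added here as an illustration and not taken from Shellter Pro’s own source: it resolves BCryptGenRandom at run time so the binary still loads on Windows XP, falls back to CryptGenRandom, and only then to rand(). The pick_index helper, the enum names and the rejection-sampling step are my own additions to show uniform selection among n paths (a plain "r % n" would bias towards small residues); on non-Windows builds only the rand() tier is compiled in.

```c
/* Added example, not Shellter's code: a random-byte source with the fallback
 * order described in the post, CNG (BCryptGenRandom) -> legacy CryptoAPI
 * (CryptGenRandom) -> C library rand(). The Windows tiers compile only under
 * _WIN32; on other platforms (assumed here for the offline run) only the
 * rand() tier exists, so fill_random() reports RNG_CRT there. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>
#endif

/* Which tier produced the bytes; RNG_NONE means every tier failed. */
enum rng_source { RNG_NONE = 0, RNG_CNG = 1, RNG_LEGACY = 2, RNG_CRT = 3 };

#ifdef _WIN32
/* Tier 1: CNG. BCryptGenRandom is resolved at run time so the binary still
 * loads on Windows XP, where bcrypt.dll does not exist. */
static int try_cng(unsigned char *buf, size_t len) {
    typedef LONG (WINAPI *gen_random_fn)(void *, unsigned char *, ULONG, ULONG);
    HMODULE h = LoadLibraryA("bcrypt.dll");
    int ok = 0;
    if (!h) return 0;
    gen_random_fn f = (gen_random_fn)GetProcAddress(h, "BCryptGenRandom");
    if (f) ok = (f(NULL, buf, (ULONG)len, BCRYPT_USE_SYSTEM_PREFERRED_RNG) == 0);
    FreeLibrary(h);
    return ok;
}

/* Tier 2: legacy CryptoAPI (advapi32), available from Windows XP onwards. */
static int try_legacy(unsigned char *buf, size_t len) {
    HCRYPTPROV prov = 0;
    BOOL ok;
    if (!CryptAcquireContextA(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return 0;
    ok = CryptGenRandom(prov, (DWORD)len, buf);
    CryptReleaseContext(prov, 0);
    return ok ? 1 : 0;
}
#endif

/* Tier 3: the C runtime rand(), kept strictly as the last resort. */
static int try_crt(unsigned char *buf, size_t len) {
    static int seeded = 0;
    size_t i;
    if (!seeded) { srand((unsigned)time(NULL)); seeded = 1; }
    for (i = 0; i < len; i++) buf[i] = (unsigned char)(rand() & 0xFF);
    return 1;
}

/* Fill buf with len random bytes, trying each tier in order, and report
 * which one succeeded. */
enum rng_source fill_random(unsigned char *buf, size_t len) {
#ifdef _WIN32
    if (try_cng(buf, len)) return RNG_CNG;
    if (try_legacy(buf, len)) return RNG_LEGACY;
#endif
    if (try_crt(buf, len)) return RNG_CRT;
    return RNG_NONE;
}

/* Uniform choice in [0, n) for selecting one of n paths (n < INT_MAX).
 * Draws 32 bits and rejects the partial top range so that "r % n" is not
 * biased toward small residues. Returns -1 if n is 0 or no tier worked. */
int pick_index(unsigned n, enum rng_source *src_out) {
    uint32_t limit;
    if (n == 0) return -1;
    limit = UINT32_MAX - (UINT32_MAX % n);   /* largest multiple of n <= 2^32-1 */
    for (;;) {
        uint32_t r;
        enum rng_source s = fill_random((unsigned char *)&r, sizeof r);
        if (s == RNG_NONE) return -1;
        if (src_out) *src_out = s;
        if (r < limit) return (int)(r % n);
    }
}

int main(void) {
    enum rng_source src = RNG_NONE;
    int idx = pick_index(5, &src);
    printf("path %d chosen via tier %d\n", idx, (int)src);
    return idx < 0;
}
```

The tier that actually produced the bytes is returned alongside the value, which is worth logging during testing under Wine: a run that silently lands on the rand() tier is exactly the case the post says should be the exception, not the norm.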
We aim to introduce this update in Shellter Pro v3.3 which we will release as soon as possible.