1 of 40

Shellcode Analysis

CDEF Meetup 2025

Lalu Raynaldi Pratama Putra

ITSEC Asia

2 of 40

whoami

Lalu Raynaldi Pratama Putra

Researcher at ITSEC Asia

Magister Student, Cyber Security & Digital Forensic at Telkom University

3 of 40

AGENDA

01 Malware Analysis
  • Introduction
  • Static Analysis
  • Dynamic Analysis

02 Shellcode
  • What is shellcode
  • Characteristics of Shellcode
  • Structure of Shellcode
  • Delivery Methods
  • Analysis Techniques

03 Encoding
  • Polymorphic
  • XORing
  • Shikata Ga Nai

04 Demo

4 of 40

Malware Analysis

01

5 of 40

What is malware ?

Malware (malicious software) is a term used to describe a program or code created to harm a computer, network, or server. Cybercriminals develop malware to infiltrate a computer system discreetly to breach or destroy sensitive data and computer systems. There are many types of malware infections, which make up most of the online threat landscape.

Source : https://www.crowdstrike.com/en-us/cybersecurity-101/malware

6 of 40

Malware Analysis ?

Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat.

Source : https://www.crowdstrike.com/en-us/cybersecurity-101/malware/malware-analysis

7 of 40

Source : https://www.crowdstrike.com/en-us/cybersecurity-101/malware/malware-analysis

8 of 40

Static Analysis

https://academy.tcm-sec.com/p/practical-malware-analysis-triage

Static analysis is aimed at extracting useful information from binaries without executing them.

9 of 40

Static Analysis

https://academy.tcm-sec.com/p/practical-malware-analysis-triage

10 of 40

Dynamic Analysis

Source : https://www.crowdstrike.com/en-us/cybersecurity-101/malware/malware-analysis

Extracting:
  • Host-Based Indicators
  • Network-Based Indicators

https://academy.tcm-sec.com/p/practical-malware-analysis-triage

11 of 40

Dynamic Analysis

https://academy.tcm-sec.com/p/practical-malware-analysis-triage

12 of 40

Advanced Static Analysis

https://academy.tcm-sec.com/p/practical-malware-analysis-triage

Assembly Language, Decompiling, & Disassembling

13 of 40

Advanced Dynamic Analysis

Source : https://www.crowdstrike.com/en-us/cybersecurity-101/malware/malware-analysis

Debugging, Carving Information

https://academy.tcm-sec.com/p/practical-malware-analysis-triage

14 of 40

Shellcode

02

15 of 40

What is Shellcode?

Shellcode is a lightweight piece of machine-level code used to deliver specific instructions directly to a system’s memory.

It is most commonly associated with exploitation, where it is injected into a vulnerable process to execute a predefined task.

https://en.wikipedia.org/wiki/Shellcode

16 of 40

Characteristics of Shellcode

  • Compact and Efficient: Shellcode is designed to be small and efficient to avoid detection and fit into small memory spaces.
  • System-Level Access: It often aims to gain low-level system access, which can be used to bypass security mechanisms.
  • Written in Machine Code: Shellcode is usually written in machine code, the lowest-level programming language, because it needs to interact directly with the operating system at a fundamental level.
  • Platform-Specific: It is often specific to a particular processor architecture and operating system.

Reference: https://hadess.io/shellcode-development/

17 of 40

Structure of Shellcode

  1. Setup/Bootstrap Code: Initializes registers, stack, or environment to ensure the payload runs smoothly.
  2. Payload: The main task of the shellcode, like spawning a shell, downloading a file, or connecting back to an attacker.
  3. Exit Routine: Ensures the program exits gracefully without crashing the target system.

Reference: https://seedsecuritylabs.org/Labs_20.04/Files/Shellcode/Shellcode.pdf

18 of 40

Structure of Shellcode

Reference: https://www.kayssel.com/post/introduction-to-the-creation-of-shellcodes/

19 of 40

Shellcode Delivery Methods

Exploitation of Vulnerabilities:

Attackers leverage software bugs (e.g., buffer overflows) to inject shellcode directly into memory.

Malicious Files:

Embedded in documents, scripts, or executables shared through phishing emails or downloads.

Network-Based Delivery:

Sent via malicious payloads in network packets, exploiting protocols or services.

Reference: https://hadess.io/shellcode-development/

20 of 40

Shellcode Delivery Methods - Exploitation of Vulnerabilities

Reference: https://www.exploit-db.com/exploits/44485

21 of 40

Shellcode Delivery Methods - Malicious Files

22 of 40

Shellcode Delivery Methods - Network-Based Delivery

23 of 40

Shellcode Stub

Decompile the JavaScript bytecode

C program

24 of 40

Shellcode Analysis Techniques

Static Analysis

Disassembly: Binary Ninja

Hex Analysis: Examine raw hex values to identify patterns or signatures.

String Analysis: Search for human-readable strings to uncover potential functionality.

Dynamic Analysis

Sandbox Execution: shellcode_launcher.exe

Debugger Tools: Use debuggers (e.g., scdbg, x64dbg)

Reference: https://hadess.io/shellcode-development/

25 of 40

Shellcode Analysis Techniques - Binary Ninja

Reference: https://hadess.io/shellcode-development/

26 of 40

Shellcode Analysis Techniques - scdbg

Reference: https://hadess.io/shellcode-development/

27 of 40

Encoding

03

28 of 40

Polymorphic Shellcode

Polymorphism mutates the code while keeping the original algorithm intact: the function of the code (its semantics) does not change at all. For example, 1+3 and 6-2 both produce the same result while using different values and operations. This technique is sometimes used by computer viruses, shellcode, and computer worms to hide their presence.

Reference: https://medium.com/@0x4553/shellcode-polymorphism-96e3d55abf87

29 of 40

Polymorphic Shellcode

Reference: https://medium.com/@0x4553/shellcode-polymorphism-96e3d55abf87

30 of 40

XORing Shellcode

31 of 40

XORing Shellcode - Generation

Output

32 of 40

XORing Shellcode - Execution
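The generation and execution slides above show an encoder producing a XOR-encoded blob and a stub decoding it at run time. As an added example (not from the slides), the script below takes the analyst's side: it brute-forces the single-byte key of a constructed XOR-encoded sample, scoring each of the 256 candidates by how much readable text it yields plus a bonus when a known stager prologue appears. The sample plaintext, the key 0xA7 and the scoring heuristic are assumptions made for this demo.

```python
"""Recover a single-byte XOR key from an encoded shellcode blob.

Added example, not from the slides. ENCODED is built here by XOR-encoding a
constructed plaintext with KEY; the recovery path below never reads KEY and
works from the ciphertext alone, as an analyst would.
"""
import re
from typing import List, Tuple

# Constructed plaintext: stager-style prologue followed by strings an
# analyst expects in a decoded payload (DLL name, request line, address).
PLAIN = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"
    + b"wininet\x00"
    + b"GET /update.bin HTTP/1.1\x00"
    + b"192.0.2.10\x00"
)
KEY = 0xA7  # constructed; chosen with the high bit set so ASCII is fully hidden


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in blob)


ENCODED = xor_bytes(PLAIN, KEY)


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return ok / len(blob)


def score_candidate(decoded: bytes) -> float:
    """Heuristic: readable-text ratio, plus a bonus if the candidate starts with
    the `cld; call` opener common to x86 stagers (assumed signature)."""
    score = printable_ratio(decoded)
    if decoded[:2] == b"\xfc\xe8":
        score += 1.0
    return score


def recover_key(encoded: bytes) -> List[Tuple[int, float]]:
    """Try all 256 single-byte keys; return (key, score) pairs, best first."""
    ranked = [(k, score_candidate(xor_bytes(encoded, k))) for k in range(256)]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def strings_in(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


if __name__ == "__main__":
    print("strings in encoded blob:", strings_in(ENCODED))
    best_key, best_score = recover_key(ENCODED)[0]
    decoded = xor_bytes(ENCODED, best_key)
    print(f"best key 0x{best_key:02x} (score {best_score:.2f})")
    print("strings after decoding:", strings_in(decoded))
```

Running it shows no strings in the encoded blob, then the recovered key and the strings that reappear once it is applied. The prologue bonus is what makes the answer unambiguous: only one key can turn the first two bytes into `fc e8`, whereas the printable ratio alone can tie between several keys. The approach covers only a single fixed key. Shikata Ga Nai, covered on the next slides, uses an additive-feedback key that changes with every decoded block, so a 256-key brute force does not apply and the decoder stub itself has to be followed, with a debugger or with scdbg.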

33 of 40

Shikata Ga Nai

Reference: https://www.linkedin.com/pulse/shikata-ga-nai-encoder-still-dominating-today-well-abou-chabk%C3%A9-vyuxf

34 of 40

Shikata Ga Nai

Reference: https://www.linkedin.com/pulse/shikata-ga-nai-encoder-still-dominating-today-well-abou-chabk%C3%A9-vyuxf

35 of 40

Shikata Ga Nai

Reference: https://medium.com/@acheron2302/decode-shikata-ga-nai-with-binary-ninja-part-2-19cea990ea4b

36 of 40

Shikata Ga Nai

Reference: https://medium.com/@acheron2302/decode-shikata-ga-nai-with-binary-ninja-part-2-19cea990ea4b

37 of 40

Preparing for AI-based Malware??

Reference: https://link.springer.com/article/10.1007/s10515-022-00331-3

38 of 40

Preparing for AI-based Malware??

Reference: https://link.springer.com/article/10.1007/s10515-022-00331-3

39 of 40

Demo

04

40 of 40

THANK YOU

Get In Touch :

LinkedIn : Lalu Raynaldi Pratama Putra
Github : https://github.com/KanakSasak
Medium : https://kanaksasak.medium.com