Home

Awesome

CRC32_API

New and better alternative for x86 block_api.asm and x64 block_api.asm files. By changing the Windows API name hashing method it is possible to trim 1 byte for every x86 Windows shellcode and 4 bytes from all x64 Windows shellcode. Because most of the security products are searching for well known ROR13 hashes of Windows API function names, changing the Windows API name hashing method will decrease the detection rate of Metasploit Windows shellcodes, also new method in this proposal have much less collision rate compared to ROR13.

Prior Work & References

Following DEFCON25 talk mentions AV products detecting the Metasploit shellcodes by searching for well known ROR13 hashes of Windows API function names.

New Hashing Method

I have taken advantage of CRC32 instruction for calculating the CRC32 (polynomial 11EDC6F41H) value of the Windows [MODULE_NAME+NULL+FUNCTION_NAME] (same as old block_api.asm). By simply changing the ROR13 hashes with CRC32 values crc32_api.asm will find the desired function address with exact same way that old block_api.asm uses. No additional registers are changed. I have tested both of the crc32_api.asm for all existing Windows shellcode inside Metasploit and it works without any error. crc32_hash.py file can be used to calculate a CRC32 value of given input same as hash.py.

image

BUT ! Here's the catch.

CRC32 instruction is a fairly new instruction. It is added with SSE4, so it may cause problems in older CPUs. Any model manufactured after 2006 seems to be working fine, but I don't know what happens when you run an unsupported instruction on an old CPU, simply couldn't find old enough hardware for testing ¯_(ツ)_/¯