2016
DOI: 10.1007/978-3-319-49151-6_25

ARMv8 Shellcodes from ‘A’ to ‘Z’

Abstract: We describe a methodology to automatically turn arbitrary ARMv8 programs into alphanumeric executable polymorphic shellcodes. Shellcodes generated in this way can evade detection and bypass filters, broadening the attack surface of ARM-powered devices such as smartphones.

Citations: cited by 3 publications (4 citation statements)
References: 8 publications (12 reference statements)
“…Although this technique has allowed us to effectively bypass the aforementioned checks, we must observe that it reduces the number of machine instructions that can appear inside a malicious payload: besides a prologue composed of binary instructions, the rest of the payload is obviously limited to machine instructions that are also ASCII characters. It is important to note that the metamorphic and polymorphic transformations are independent of the ASCII encoding as shown in [7] where the authors describe a technique for turning an arbitrary ARMv8 code into alphanumeric (ASCII) executable code. The technique is generic and may well apply to other architectures.…”
Section: B Dataset (mentioning)
confidence: 99%
“…The technique however does not carry over to more recent implementations. In 2016, Barral et al introduced the first tool capable of compiling arbitrary ARMv8 code into alphanumeric executable code [3]. This is a tour de force but also and most importantly it introduces a generic approach to design such tools.…”
Section: Prior and Related Work (mentioning)
confidence: 99%
“…Through a three-staged modular design, these shellcodes achieve arbitrary code execution on this platform. This is the second architecture which can be addressed using the methodology from [3], which is an argument in favor of such generic approaches (rather than ad hoc ones). Our approach differs on the fact that we do not manually assemble available instructions into higher-level constructs for building the unpacker in a bottom-up fashion and instead opt for a partially automated strategy to generate the required alphanumeric instruction sequences to achieve the desired results.…”
Section: Our Contribution (mentioning)
confidence: 99%