Encode shellcode into dictionary words to avoid the usual shellcode XOR/AES encryption libraries/signatures and reduce payload entropy for increased evasion.
The tool converts each shellcode byte to a word, stores the plaintext words in your payload in place of shellcode, and at runtime decodes the words back to shellcode using a "translation dictionary" of shellcode words (bytes).
The Python tool reads the english-words.txt file to pull random dictionary words to be encoded as shellcode bytes. This file can easily be modified or changed to another dictionary file of your choosing (e.g. Microsoft strings, postal/zip codes, whatever else).
Supporting tool: Calculating Shannon Entropy of files
SecTor 2024 conference presentation slides: Simplified Malware Evasion - Entropy and Other Techniques
Use DictionShellcode.py to encode your input shellcode file into dictionary word format.
> python3 DictionShellcode.py -h
usage: DictionShellcode.py [-h] [-file FILE] [-lang {cs,cpp}] [-outfile OUTFILE]
Shellcode converter to Dictionary list
optional arguments:
-h, --help show this help message and exit
-file FILE, -f FILE Raw binary shellcode file for input
-lang {cs,cpp}, -l {cs,cpp}
Output language format
-outfile OUTFILE, -o OUTFILE
OPTIONAL: File output with encoded dictionary words separated by newlines
- Create dictionary-encoded shellcode and output C# format
> python3 DictionShellcode.py -file calc-x64.bin -lang cs
[+] Shellcode Dictionary (256-bytes):
public static string[] translate_dict = new string[256] { "merchant","species","ashley","tender","seven","implies","aging","amounts","solely","accessed","picture","seventh","engage","ruled","shows","former","toolkit","africa","mailman","tobago","decimal","perform","western","haiti","supply","values","scales","postcard","alloy","blood","tuning","writing","views","yields","fantasy","effect","filed","forgot","mongolia","equipped","shaped","title","tampa","downtown","deviant","intro","street","watch","hiring","pastor","crime","damages","clark","before","adapter","during","degrees","count","walks","estimate","tricks","child","combat","angels","seasonal","ebook","remain","scenes","mailto","refined","scout","pearl","everyday","nickel","checks","teach","working","cooler","address","marking","skilled","icons","asking","quoted","tunnel","equally","deadly","hunter","noted","mambo","betting","uruguay","folding","possess","survival","hotmail","equality","document","derby","terms","ralph","human","surprise","affairs","marriott","coming","bunny","jackson","centre","wireless","emirates","pants","aaron","bosnia","wanting","donna","warning","default","remote","dining","thousand","concept","factory","unlike","sharon","insight","missile","further","korea","funds","jerry","dated","based","madrid","reduces","agrees","criminal","sydney","courses","plane","mitchell","after","reminder","connect","program","leonard","between","louis","plymouth","coverage","oriental","adobe","notion","simple","adidas","campus","radio","studies","kenny","rewards","logical","swimming","findings","storm","dragon","sapphire","partly","morgan","websites","savage","fitness","thailand","movers","observed","stating","surgical","grave","almost","barnes","turbo","clouds","standing","prices","affects","merely","opposed","creating","modem","smell","mattress","timely","tucson","welsh","fortune","quantity","banned","mcdonald","shanghai","packard","arrival","touch","locks","which","logan","avoiding","diving","mentor","solid","supplies","occurred","apple","install","remained","insulin","label","capacity","pound","enhance","object","drinking","columbia","shopper","feelings","slightly","robbie","minimal","funny","tribes","invasion","despite","learning","darkness","elephant","spine","fighter","belgium","unsigned","choose","crawford","bones","saddam","pierre","puzzles","economic","avoid","update","falling","bringing","skiing","helmet","receiver","chick","lying","turned","rankings","warner" };
[+] Converted shellcode-to-dictionary variable copied to Clipboard!
- Create dictionary-encoded shellcode and output words to a file separated by newlines
> python3 DictionShellcode.py -file calc-x64.bin -lang cpp -outfile encoded.txt
[+] Shellcode Dictionary (256-bytes):
const char* translate_dict[256] = { "envelope","glass","movie","locally","indicate","features","blues","called","unity","adapted","civil","reserve","wisdom","engaging","wrote","weapon","marshall","lexmark","cruise","material","walls","bible","pharmacy","thailand","fight","counsel","jackson","vertical","olympics","death","pointing","putting","taxes","educated","needed","interior","toolkit","ready","puzzle","optional","weighted","incident","orange","province","gauge","paint","pages","friends","raising","strips","logitech","poultry","bedrooms","density","amazing","around","mixing","studies","dietary","romance","dialog","through","training","depot","annie","boston","eminem","casinos","tommy","segment","heath","develop","within","lonely","sheet","allen","helpful","catalog","weekly","advice","gratuit","jennifer","editors","ventures","zealand","sending","turner","falling","attacks","purse","madison","reviewer","innocent","basic","already","overall","expand","burst","older","enquiry","makes","always","patent","somewhat","memorial","enemy","combo","ascii","followed","crown","banner","america","verified","mirror","yukon","choir","arrange","charged","plaza","ecuador","marker","robin","harder","doors","beverage","strongly","signs","nuclear","accuracy","stocks","virus","achieved","trading","beauty","browsing","meets","cement","metric","crucial","diary","wages","displays","concept","going","trustees","contain","movement","images","sales","samoa","release","amateur","compete","british","superior","pleasure","norfolk","cutting","specs","channel","tones","valued","viewing","federal","verbal","illinois","silver","targeted","writers","wyoming","angola","shanghai","however","genres","reserves","velocity","somebody","stroke","barrier","ranked","inspired","portland","strain","waves","write","invite","crime","china","seconds","october","decline","trades","probably","hoped","offense","fountain","fisher","detect","trips","neighbor","better","entered","contests","holding","shade","november",
"canvas","kitty","finnish","becoming","offices","ensure","israeli","seeing","voting","matthew","baking","trees","burner","capital","exempt","section","force","milan","template","smoking","calvin","alias","theories","laundry","guest","opens","readings","exchange","quiet","brand","buyer","borders","checking","elect","actually","compact","blanket","chelsea","missing","locked","villas","pretty","phrases","picked","final","champion","swiss","beliefs","stopped","dubai" };
[+] Converted shellcode-to-dictionary variable copied to Clipboard!
[+] Converted shellcode-to-dictionary written to output file "encoded.txt".
Upon execution, the encoded shellcode output will be copied to your clipboard in CSharp/C++ variable format or written to an output file if -outfile is provided.
Drop your dictionary wordlist from the output translate_dict variable and your dictionary-encoded shellcode dict_words variable into one of the provided payloads then compile/run to execute!
IMPORTANT: For C++ payloads, you must update the shellcode length on line 23 to match the dict_words variable length!
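From the detection side, the layout described above is itself a signal: a 256-entry table of unique strings (translate_dict) beside a second array (dict_words) built only from those strings, in a file whose byte entropy stays low. The Python sketch below is an added example, not part of DictionShellcode; the regexes, the MIN_WORDS threshold, the function names and the sample arrays are constructed assumptions.

```python
import re
from collections import Counter
from math import log2

INITIALIZER = re.compile(r"\{([^{}]*)\}", re.S)  # body of a { ... } array initializer
LITERAL = re.compile(r'"([^"\\]*)"')             # simple string literal, no escapes
MIN_WORDS = 64                                   # assumed minimum data-array length to flag

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted data, far lower for plain words."""
    total = len(data)
    return -sum(n / total * log2(n / total) for n in Counter(data).values()) if total else 0.0

def string_arrays(source: str) -> list:
    """Every brace-delimited initializer, reduced to its list of string literals."""
    return [LITERAL.findall(body) for body in INITIALIZER.findall(source)]

def find_dictionary_encoding(source: str) -> list:
    """Return (table_index, data_index) pairs: a 256-entry table of unique strings
    plus another array whose every element is drawn from that table."""
    arrays, hits = string_arrays(source), []
    for t, table in enumerate(arrays):
        if len(table) != 256 or len(set(table)) != 256:
            continue
        vocab = set(table)
        for d, data in enumerate(arrays):
            if d != t and len(data) >= MIN_WORDS and set(data) <= vocab:
                hits.append((t, d))
    return hits

# Constructed sample: 256 made-up words and a 300-word array drawn from them.
# The word sequence is arbitrary and encodes nothing.
_HEAD = ["ba", "ce", "di", "fo", "gu", "ha", "je", "ki", "lo", "mu", "na", "pe", "ri", "so", "tu", "va"]
_TAIL = ["ndal", "rten", "lmor", "stin", "ckle", "mber", "nger", "lton",
         "rvis", "dden", "pple", "ssom", "ttle", "wley", "xton", "zzle"]
TABLE = [h + t for h in _HEAD for t in _TAIL]
WORDS = [TABLE[(i * 37) % 256] for i in range(300)]

def quoted(words):
    return ",".join(f'"{w}"' for w in words)

SAMPLE = (f"const char* translate_dict[256] = {{ {quoted(TABLE)} }};\n"
          f"const char* dict_words[300] = {{ {quoted(WORDS)} }};\n")
BENIGN = 'const char* days[3] = { "mon","tue","wed" };\n'

if __name__ == "__main__":
    print(find_dictionary_encoding(SAMPLE), round(shannon_entropy(SAMPLE.encode()), 2))
```

An entropy threshold alone would pass the sample, which is the point of the encoding; the structural check does not depend on entropy or on which wordlist was used.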
GitHub: wsummerhill | Twitter/X: @bsummerz