I wanted to figure out how to statically decode the GUID encoded shellcode Xavier wrote about in his diary entry “Shellcode Encoded in UUIDs“.

Here is the complete Python script:

I use re-search.py to select the GUIDs:

I then decode the hexadecimal data with my tool hex-to-bin.py. Option -H is needed to ignore all non-hexadecimal characters.

Notice that the text that resembles a User Agent String is mangled. That’s because of the way GUIDs are encoded into binary data.

Take a GUID like this one:

{00112233-4455-6677-8899-AABBCCDDEEFF}

When it is encoded to binary data, the first 3 parts are encoded little-endian, and the last 2 parts are encoded big-endian. Giving this byte sequence:

33 22 11 00 55 44 77 66 88 99 AA BB CC DD EE FF

I will now use my translate.py tool to reproduce this encoding (in the original Python script, this encoding is done with a Win32 API call: ctypes.windll.Rpcrt4.UuidFromStringA).

First I split the byte stream into chuncks of 16 bytes (the length of a GUID) with a Python list comprehension:

Next I rewrite the GUID (data[i:i+16]) by changing the order of the first 3 parts: data[i:i+4][::-1] + data[i+4:i+6][::-1] + data[i+6:i+8][::-1] ([::-1] is the expression used to reverse a sequence in Python):

Now I can analyze this shellcode with my Cobalt Strike analysis tool 1768.py:

This gives me information like the IPv4 address of the C2, the port, the path, …

What I don’t see, is the license ID. That’s because the decoded data has trailing null bytes:

These 2 trailing null bytes are the result of the GUID encoding: each GUID is 16 bytes, so the decoded data has a length which is a multiple of 16 bytes, while the shellcode has a length which is not a multiple of 16 bytes. If I drop these 2 trailing null bytes, 1768.py will detect the license ID:

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.