Polymorphic XOR in-memory Decoder (Win64)

Description

The polymorphic feature applies several layers aimed at evasion:

  1. The raw payload is XOR-encoded with your custom key
  2. The encoded payload is appended to the XOR decoder stub [1]
  3. Your custom key is patched into the stub and appended at the end of the file
  4. The final shellcode is written to disk

After injection, the stub decodes your payload bitwise until a NULL byte is found.

Once the decoding is done, your payload will be executed.
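For analysts, the layout described above has a consequence: the key sits in the last byte of the file, so the encoded region can be decoded statically without running the stub. The following is an added example, not ShenCode code. It assumes a one-byte key, the layout stub | encoded payload | key, and that decoding stops at an encoded byte equal to the key; the sample blob, `STUB`, `PLAINTEXT` and `recover_payload` are constructed for illustration.

```python
# Added analyst-side example; layout and names are assumptions, not ShenCode code.
KEY = 63                                        # example key value used on this page
PLAINTEXT = b"constructed benign sample text"   # constructed stand-in for a payload
STUB = b"STUB" + bytes([KEY]) + b"END"          # constructed placeholder, not a real stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


# Constructed sample file: stub | encoded payload | key byte at EOF.
SAMPLE_BLOB = STUB + xor_bytes(PLAINTEXT, KEY) + bytes([KEY])


def recover_payload(blob: bytes):
    """Return (key, decoded_tail) for a blob with the assumed layout.

    Assumptions: the key is one byte, it is the last byte of the file, and
    the stub stops when a decoded byte is 0x00, i.e. when it reaches an
    encoded byte equal to the key.
    """
    if len(blob) < 2:
        raise ValueError("blob too short to hold a payload and a key")
    key = blob[-1]
    if key == 0:
        raise ValueError("trailing byte is 0x00; XOR with 0 changes nothing")
    # The encoded region cannot contain the key byte (it would decode to the
    # terminator), so it starts after the last earlier occurrence of the key.
    start = blob.rfind(bytes([key]), 0, len(blob) - 1) + 1
    # The decoded tail may begin with a few bytes of stub residue.
    return key, xor_bytes(blob[start:-1], key)


if __name__ == "__main__":
    key, decoded = recover_payload(SAMPLE_BLOB)
    print(f"key={key} decoded_tail={decoded!r}")
```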

Command

python shencode.py xorpoly --input xor-encoded.raw --output output.raw --key 63

Resources

  1. The stub is based on Ray Doyle's work; check this article