This technique is very simple, a RW memory region 2048 the size of the shellcode is allocated. This region is then filled with randomized data data (RtlGenRandom), the shellcode is then placed randomly somewhere within this massive region each time. This makes it hard for an AV/EDR solution, or an analyst, to simply see where the shellcode is in-memory. To summarize:
- Allocate a large
PAGE_READWRITEregion,2048 * sizeof the target shellcode, and align to0x1000 - Fill this allocated region with random data
- Write the shellcode to a random location within this region, save position
- Change the page permissions to
PAGE_EXECUTE - Execute the shellcode (page + position)
- Zero the memory where the entire large region is to ensure the data does not persist after being freed, using the
RtlZeroMemorymacro - Free the region of memory
As can be seen below, the entropy does not change much at all. It is not obvious, from e.g. a memory dump, where the shellcode is actually situated. This can be seen inside example_pop_calc.c
You can execute the shellcode however you wish. This code is simply to demonstrate the simple technique. This technique was originally detailed in Avast's Raspberry Robin writeup here.