NVISO has recently made the source code of its new CODASM tool public. The tool is designed to encode arbitrary data as pseudo-ASM instructions and compile them into the .text section of a binary. The stated goal is to improve the safety and stability of the data with respect to analysis: by hiding data such as shellcode in high-entropy areas of binary files, CODASM makes it less conspicuous to protective mechanisms.
CODASM is a Python script that generates legitimate-looking shellcode for an arbitrary payload. It also emits a C header file that can be used in a program to embed the encoded payload into the binary and extract it at run time.
Encoding a payload with CODASM involves generating valid x86_64 functions with prologues, epilogues, and random filler instructions, and converting chunks of payload bytes into instruction operands (e.g., MOV EAX,) using XOR.
Decoding a payload, in turn, involves parsing the individual instructions to recover the required number of payload bytes: the instructions that carry payload bytes are detected, the bytes are extracted, and they are decoded.
CODASM supports the MSVC and MinGW compilers and requires no specific Python libraries to be installed, which makes it easy to integrate into various projects. The release is part of NVISO's commitment to openness and collaboration in the cybersecurity community by providing powerful tools for analysis and protection against threats.
For more information, visit the official project page on GitHub.