Noroi is a simple "Polymorphic Decoder Generator" using a Hand-written contex-free-grammer. Current version can bypass shellcode emulators by accessing a static windows address between getpc and decoding process (cuase AV in emulator and result to skip without getpc detection). I think libemu is unable to detect this shellcode.
- Register Swaping
- Instruction Substitution
- Random XOR Key
- Random Junk Insertation
- swap regs with XOR/ADD/SUB
- use CMOV/NOT/NEG/SHR/AND/OR/XOR/XCHG/XADD
- Indirect branches for anti.disassembly. eg JMP ECX
- Hiding CFG by self-modifing
- SSE/FPU decryption routine
- XOR with MZ of nth module or any other fix data ( read PTR in shellcode detectors 7.31 ~= 19 )
- Shellcode relocation with native APIs like NtAllocateVirualMemory/NtReadVirtualMemory
- NO two null-bytes continuously (or no null-byte at all)
- more realistic FPU/SSE garbages
- re-arrange the garbage table for every generation
- x64 support
- Hiding getpc pattern by runtime decode and execution of getpc (using stack for example) eg:
MOV REG, GETPC_INST_CONSTANT
XOR REG, RANDOM_VALUE
PUSH REG
CALL ESP
I have tested Noroi with SkyLined's dl-loadlib in windows 7 x64 and it was working. current version only works on x86 systems ( not wow64 ), if you want to use it on a x64, remove the linse makred with "this one is for x86 only".