BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:e887863d-829d-44d5-bbc2-89e30357c31f
DTSTAMP:20260612T232513Z
SUMMARY:CODASM - Hiding Payloads in Plain .text : Moritz Laurin Thomas :
DESCRIPTION:Title: CODASM - Hiding Payloads in Plain .text\nPresenter: Mori
 tz Laurin Thomas\nCo-Presenter:\nLocation: W305\nDay\,Time: Sat Aug 10 \, 
 12PM - 1:45PM\nAudience: Offense\, Defense\, Malware Development\nProject:
 \n\nAbstract:\nCODASM aims to decrease a stageless payload's Shannon entro
 py\, which was found to be a simple but annoying detection vector used by 
 EDRs. It's a Python program that processes arbitrary binary inputs and pro
 duces a C program consisting of two parts: a buffer holding generated x86-
 64 ASM instructions with the original payload encoded into it\, and a set 
 of functions that can decode the ASM at runtime. The buffer is designed to
  be compiled into the final payload's .text section\, thus it looks like r
 egular (if not functional) code to AVs\, EDRs and analysts. This encoding 
 effectively decreases the payload's Shannon entropy but comes with a signi
 ficant increase in output size. The demo will cover usage of the tool and 
 dissection/reverse engineering of the resulting payload.\n\nBios:\n* Prese
 nter:\nMoritz is a senior red team security consultant at NVISO ARES (Adve
 rsarial Risk Emulation & Simulation). He focuses on research & development
  in red teaming to support\, enhance and extend the team’s capabilities 
 in red team engagements of all sorts. Before joining the offensive securit
 y community\, Moritz worked on a voluntary basis as a technical malware an
 alyst for a well-known internet forum with focus on evading detections and
  building custom exploits. When he isn’t infiltrating networks or exfilt
 rating data\, he is usually knee-deep in research and development\, disse
 cting binaries and developing new tools.\n* Co-Presenter:
URL:https://forum.defcon.org/node/249629
DTSTART:20240810T200000Z
DTEND:20240810T214501Z
LOCATION:W305
END:VEVENT
END:VCALENDAR
