In this hands-on workshop you will learn how to obfuscate your payloads with a custom VM. This will help to evade signature detections and make reverse engineering more difficult. Participants will walk away with new tooling they can try out in the field right away!
In this workshop we will leverage the RISC-V architecture and the LLVM ecosystem to build a simple obfuscation pipeline. The VM interpreter code is small and once it is loaded, you do not need to allocate additional executable pages to execute arbitrary payloads.
Covered topics:
- Introduction to VM-based obfuscation
- Basics of the RISC-V architecture
- Compiling payloads for the RISC-V architecture
- Obfuscating the VM interpreter for evasion
- VM hardening to complicate reversing the payloads
- Building a basic C2 framework (as time allows)
The bulk of the work will be done in a GitHub Codespace (Linux), which makes it easy for participants to get started. However, the final payloads need to be executed in a Windows VM (which you have to prepare beforehand).
Note: You need basic C programming and Linux command line experience to follow along with the workshop. Reverse engineering experience is definitely a plus!
The start of the workshop is a hands-on version of a blog post I was the main author of, "RISC-Y Business: Raging against the reduced machine", specifically tailored for red teamers. The second half will contain currently unpublished research, discussing obfuscation and evasion techniques which should be interesting to conference participants.