Abstract
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogeneous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and, last but not least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend against attacks using age-old signature-based techniques. There will be demonstrations of my shellcode on ARM IoT devices featuring different types of ARM architecture. A detailed article shall also be submitted to PoC||GTFO closer to the time of the conference.
AI Generated Summary (may contain errors)
Summary of the recorded talk:
The speaker is an expert in ARM assembly language and demonstrates proof-of-concept code that executes correctly whether it is entered in ARM or in Thumb mode. The sequence relies on the fact that the same bytes decode differently in the two modes, including push and pop instructions that are encoded differently in Thumb mode.
Read in Thumb mode, a single 32-bit ARM add instruction splits into two 16-bit instructions, an "and" and an "add". In ARM mode the push instruction is encoded with condition bits, a register list and other fields that determine its behaviour; the speaker shows how the same bytes decode once the processor is in Thumb mode.
The demo code starts in ARM mode, switches to Thumb mode using specific instructions, and then stays in Thumb mode while executing a series of instructions. The code uses a universal test case with arbitrary shellcode appended, but the interesting part is when the same bytes are assembled as `.code 16` (Thumb mode) and executed.
The speaker steps through the code in a debugger, showing how the instructions are interpreted and executed in Thumb mode. The final result is that the code remains in Thumb mode and sets registers R2 and R7 to specific values.
The speaker concludes by noting that this is just one iteration of the code sequence and invites collaboration from ARM experts in the audience to improve the shellcode and create more polyglot sequences. The slides and code will be published online, and the speaker welcomes feedback and ideas for further development.