Encoding and decoding

Another technique we can use to try to evade signature detection is encoding: masking the bytes of the binary so that the byte patterns a signature matches are no longer present in the file. The trade-off is that the binary then needs a decoding stub to unmask the bytes at run time so that it executes as originally intended, and that stub is itself code an analyst can look for.

From an analysis perspective, we need to understand what encoding and decoding look like, both under static analysis and under dynamic analysis. When it comes to signature detection, as we'll see, encoding may work in certain situations. It succeeds less and less often, but every now and then I still find an encoding scheme that gets past a signature, albeit increasingly rarely. Either way, recognising an encoded payload and its decoder is a good skill to have during analysis.

In this recipe, we'll look at an encoded version of our reverse shell and identify the decoder stub during our analysis. We won't cover how I made the encoded version of the code or the decoder stub; instead we'll focus on analysing a binary that contains the encoded version, along with the means it uses to decode and execute the code. If, like me, you're a penetration tester who is curious about the process, there is already plenty of material out there on shellcode encoders and decoders.
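As an added illustration (not from the book, and not the encoder or stub the author built for the recipe), the following C program shows the idea in miniature: a single-byte XOR encoder, the in-place work a decoder stub performs at run time, a byte-pattern signature check of the kind a static scanner applies, and the analyst's counter to it, a brute force over the 256 possible keys. The payload bytes, the signature and the key are constructed for this example; the "payload" is a fixed byte pattern, not working shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the reverse-shell bytes. This is NOT a working
 * payload, just a fixed byte pattern with a recognisable string in the
 * middle so that a byte signature has something to match. */
static const uint8_t ORIGINAL[] = {
    0xaa, 0xbb, 0xcc, '/', 'b', 'i', 'n', '/', 's', 'h', 0xdd, 0xee
};

/* Constructed signature: the scanner is assumed to flag any buffer that
 * contains these seven bytes. */
static const uint8_t SIGNATURE[] = { '/', 'b', 'i', 'n', '/', 's', 'h' };

/* Single-byte XOR key, chosen so that no byte of ORIGINAL equals it; a byte
 * equal to the key would encode to 0x00, which breaks payloads that travel
 * through C string functions. */
#define KEY 0x5a

/* XOR every byte with the key. The same loop is the encoder at build time
 * and, run over the encoded buffer, exactly the work the decoder stub does
 * at run time. Returns how many output bytes became 0x00. */
static size_t xor_bytes(const uint8_t *in, uint8_t *out, size_t n, uint8_t key)
{
    size_t nulls = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i] ^ key;
        if (out[i] == 0x00)
            nulls++;
    }
    return nulls;
}

/* Plain byte-pattern match: does sig occur anywhere inside hay? */
static int contains_signature(const uint8_t *hay, size_t hn,
                              const uint8_t *sig, size_t sn)
{
    if (sn == 0 || sn > hn)
        return 0;
    for (size_t i = 0; i + sn <= hn; i++)
        if (memcmp(hay + i, sig, sn) == 0)
            return 1;
    return 0;
}

/* Analyst's side: with a single-byte XOR there are only 256 keys, so the key
 * (and with it the plaintext) falls out of a brute force against a known
 * signature. Returns the key, or -1 if no key reveals the signature. */
static int recover_xor_key(const uint8_t *enc, size_t n,
                           const uint8_t *sig, size_t sn)
{
    uint8_t tmp[256];
    if (n > sizeof tmp)
        return -1;
    for (int k = 0; k < 256; k++) {
        xor_bytes(enc, tmp, n, (uint8_t)k);
        if (contains_signature(tmp, n, sig, sn))
            return k;
    }
    return -1;
}

/* Runs the whole cycle and returns a bit mask of the properties that held:
 *   bit 0  the signature matches the original bytes
 *   bit 1  the signature no longer matches the encoded bytes
 *   bit 2  encoding produced no 0x00 bytes
 *   bit 3  the decoder stub restores the original byte for byte
 *   bit 4  brute force recovers KEY from the encoded bytes plus the signature
 * A fully successful run returns 0x1f. */
static int round_trip(void)
{
    uint8_t enc[sizeof ORIGINAL], dec[sizeof ORIGINAL];
    int ok = 0;
    size_t nulls = xor_bytes(ORIGINAL, enc, sizeof ORIGINAL, KEY);

    if (contains_signature(ORIGINAL, sizeof ORIGINAL, SIGNATURE, sizeof SIGNATURE))
        ok |= 1 << 0;
    if (!contains_signature(enc, sizeof enc, SIGNATURE, sizeof SIGNATURE))
        ok |= 1 << 1;
    if (nulls == 0)
        ok |= 1 << 2;
    xor_bytes(enc, dec, sizeof enc, KEY);   /* what the stub does before jumping in */
    if (memcmp(dec, ORIGINAL, sizeof ORIGINAL) == 0)
        ok |= 1 << 3;
    if (recover_xor_key(enc, sizeof enc, SIGNATURE, sizeof SIGNATURE) == KEY)
        ok |= 1 << 4;
    return ok;
}

int main(void)
{
    uint8_t enc[sizeof ORIGINAL];
    xor_bytes(ORIGINAL, enc, sizeof ORIGINAL, KEY);
    printf("encoded:");
    for (size_t i = 0; i < sizeof enc; i++)
        printf(" %02x", enc[i]);
    printf("\nround-trip mask: 0x%02x (0x1f means every check passed)\n", round_trip());
    printf("recovered key: 0x%02x\n",
           recover_xor_key(enc, sizeof enc, SIGNATURE, sizeof SIGNATURE));
    return 0;
}
```

Two points from the example carry over to the analysis in this recipe. First, the decoded bytes never have to be on disk: the stub rebuilds them in memory, so a static signature on the payload misses, but a dynamic view (a breakpoint after the decode loop, or a memory dump) sees the original bytes. Second, the encoding hides the payload, not the stub; a tight XOR loop over a blob followed by a jump into it is itself a constant pattern, and a single-byte key offers only 256 possibilities, which is why the brute force above takes no effort at all.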
