Shikata Ga Nai (SGN)
Created on Monday 03 July 2023. Updated 1 year, 2 months ago.
Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in the Metasploit Framework's msfvenom. SGN takes a binary input and generates self-decoding obfuscated shellcode. The algorithm uses an XOR feedback loop for encoding and prefixes a decoding routine to the payload. Additional garbage instructions are added to strengthen the obfuscation and make the payload highly resistant to static heuristic analysis. The resulting blob can be executed from its first instruction, which decodes and then runs the original binary payload. It is important to note that SGN-encoded shellcode requires a memory region with RWX (read-write-execute) protection in order to execute, because the decoder writes the decoded bytes in place before jumping to them.
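The additive XOR feedback loop modelled in Python over 32-bit words, added here as an illustration (it is not code from this page, from msfvenom or from the sgn project): each dword is XORed with a running key, and the key is then advanced by the decoded dword, which is why two keys produce unrelated byte patterns and why an analyst who has recovered the initial key from the decoder stub can unwind a blob back to the payload. The payload bytes and keys are constructed for the example, and the exact key schedule of any given encoder version is an assumption.

```python
import struct

MASK = 0xFFFFFFFF

# Constructed stand-in for a payload; dword-aligned so no padding is needed.
SAMPLE_PAYLOAD = b"HELLO_SGN_TEST!!"


def sgn_xor_feedback_encode(payload: bytes, key: int) -> bytes:
    """Model of the additive XOR feedback loop (assumed key schedule).

    Each plaintext dword is XORed with the running key; the key is then
    advanced by adding the *decoded* dword, so a change in any input word
    changes every encoded word that follows it.
    """
    if len(payload) % 4:
        raise ValueError("payload must be dword-aligned")
    out = bytearray()
    for (plain,) in struct.iter_unpack("<I", payload):
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & MASK
    return bytes(out)


def sgn_xor_feedback_decode(blob: bytes, key: int) -> bytes:
    """Analyst-side inverse: with the initial key read from the decoder
    stub, replay the same schedule and return the original bytes."""
    if len(blob) % 4:
        raise ValueError("blob must be dword-aligned")
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", blob):
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK  # same feedback as the encoder
    return bytes(out)


def differing_dwords(a: bytes, b: bytes) -> int:
    """Count 32-bit words that differ between two equal-length blobs; used
    to show that distinct keys leave no shared byte pattern to signature."""
    return sum(x != y for x, y in zip(struct.iter_unpack("<I", a),
                                      struct.iter_unpack("<I", b)))


if __name__ == "__main__":
    k1, k2 = 0xDEADBEEF, 0x01234567  # constructed initial keys
    b1 = sgn_xor_feedback_encode(SAMPLE_PAYLOAD, k1)
    b2 = sgn_xor_feedback_encode(SAMPLE_PAYLOAD, k2)
    print("key 1 blob:", b1.hex())
    print("key 2 blob:", b2.hex())
    print("words differing between variants:", differing_dwords(b1, b2))
    print("recovered:", sgn_xor_feedback_decode(b1, k1))
```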
Technique Identifier
Code Snippets
Detection Rules
Contributor
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on the current evasion technique. While these resources may be helpful, exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.
- GitHub - EgeBalci/sgn: Shikata ga nai (仕方がない) encoder ported into go with several improvements
- metasploit-framework/modules/encoders/x86/shikata_ga_nai.rb at master · rapid7/metasploit-framework · GitHub
- https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong
Matching Samples (10 most recent)

| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| fw-backup-4M.bin | 4 | 2024-11-13 | 2 weeks, 6 days ago |