Alphabet Soup is a shellcode obfuscation technique based on Living Off The Land (LOTL) principles. Instead of embedding encrypted shellcode blobs, it treats existing signed system files (like .chm help files or DLLs) as dictionaries. A Python encoder maps shellcode bytes to file offsets, producing an integer index array. At runtime, a loader maps the dictionary file to memory and reconstructs the shellcode byte-by-byte via lookup table substitution. Two injection methods are demonstrated: local module stomping (overwriting a function in wininet.dll) and remote process injection via WriteProcessMemory. An optional XOR key can further obfuscate the index array. The technique successfully evades Microsoft Defender for Endpoint static and dynamic analysis on a known-bad shellcode sample.

From infosecwriteups.com, by Tom O'Neill
Table of contents
A Living Off The Land Recipe for Shellcode Obfuscation
Background
Project Code
GitHub - toneillcodes/AlphabetSoup: A Living off the Land recipe for payload obfuscation
Concept
Implementation
Proof-of-Concept
