Evade Strings Detection with Stack Based

I would like to continue my previous post related strings extraction from the malware. We should have known that the initial steps for the malware analyst or any antimalware software will do their quick static analysis by analyzing the strings that is extracted from binary

This article is just giving you ideas not the bullet proof technique to evade any anlysis. Lets assume that the analyst and antimalware application will use an application like FLOSS to extract the strings from the binary. This tool helps on extracting stack based strings and also helps on the string extraction which requires decoding algorithm

With the below sample code, we can see that the FLOSS will be able to detect the string from the binary

#include <iostream>
 
char* decodeMe(char* data, int len) {
     
    for (int i = 0; i < len; i++) {
        data[i] = data[i] + 1;
    }
    return data;
}
 
int main()
{
    char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n'};
 
    char MyString2[] = "Qhn.@rl`q`.Rtqx`ch";
    printf("the result : %s", decodeMe(MyString2,18));
}

We can see that FLOSS is able to detect both MyString and MyString2

So lets think about how to evade it. Lets assume FLOSS is one of the malware detection engine to extract the strings from the binary.

Lets change the code into below that would result the same program output

// StackBasedStrings.cpp : This file contains the 'main' function. Program execution begins and ends there.
//

#include <iostream>

char* decodeMe(char* data, int len) {
    for (int i = 0; i < len; i++) {
        data[i] = data[i] + 1;
    }
    return data;
}

int main()
{
    //65 110 110 105 115 115 97
    char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n'};

    char MyString2[17];// = "Qhn.@rl`q`.Rtqx`ch";
   
    *MyString2 = 81;
    *(MyString2 + 1) = 104;
    *(MyString2 + 2) = 110;
    *(MyString2 + 3) = 46;
    *(MyString2 + 4) = 64;
    *(MyString2 + 5) = 114;
    *(MyString2 + 6) = 108;
    *(MyString2 + 7) = 96;
    *(MyString2 + 8) = 113;
    *(MyString2 + 9) = 96;
    *(MyString2 + 10) = 46;
    *(MyString2 + 11) = 82;
    *(MyString2 + 12) = 116;
    *(MyString2 + 13) = 113;
    *(MyString2 + 14) = 120;
    *(MyString2 + 15) = 96;
    *(MyString2 + 16) = 99;
    *(MyString2 + 17) = 104;
    
    printf("the result : %s", decodeMe(MyString2,18));
}

output of the program

We can see the result that FLOSS is still able to decode it

Lets do some evasion. We can manipulate the string with additional formula and also mathematic which actually will strill result the same output string

#include <iostream>

int Obfuscate(int a) {

    return ((a+5)-5);
}

char* decodeMe(char* data, int len) {
    
    for (int i = 0; i < len; i++) {
        data[i] = data[i] + 1;
    }
    return data;
}

int main()
{
    
    char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n'};

    char MyString2[17];// = "Qhn.@rl`q`.Rtqx`ch";
   
    *MyString2 = 81;
    *(MyString2 + 1) = 104;
    *(MyString2 + 2) = 110;
    *(MyString2 + 3) = 50-4;
    *(MyString2 + 4) = 64;
    *(MyString2 + 5) = 114;
    *(MyString2 + 6) = Obfuscate(108);
    *(MyString2 + 7) = 96;
    *(MyString2 + 8) = 113;
    *(MyString2 + 9) = (100-4);
    *(MyString2 + 10) = 46;
    *(MyString2 + 11) = 82;
    *(MyString2 + 12) = 116;
    *(MyString2 + 13) = Obfuscate(113);
    *(MyString2 + 14) = 120;
    *(MyString2 + 15) = 96;
    *(MyString2 + 16) = 99;
    *(MyString2 + 17) = 104;
    
    printf("the result : %s", decodeMe(MyString2,18));
}

outout of the program

We can see that the output of the program is still the same even we change it into more complex with some additional function call and mathematic calculation but with that additional complexity the result of the FLOSS is very different. It cannot parse it well

you can see that the parse is splitted into some chunks which we cannot get the complete word or sentence as the previous parse.

So with this basic knowledge that now you are able to bypass or hide your IOC or API Call from the static analyses of the antimalware or human analyst.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s