I would like to continue my previous post related strings extraction from the malware. We should have known that the initial steps for the malware analyst or any antimalware software will do their quick static analysis by analyzing the strings that is extracted from binary
This article is just giving you ideas not the bullet proof technique to evade any anlysis. Lets assume that the analyst and antimalware application will use an application like FLOSS to extract the strings from the binary. This tool helps on extracting stack based strings and also helps on the string extraction which requires decoding algorithm
With the below sample code, we can see that the FLOSS will be able to detect the string from the binary
#include <iostream>
char* decodeMe(char* data, int len) {
for (int i = 0; i < len; i++) {
data[i] = data[i] + 1;
}
return data;
}
int main()
{
char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n'};
char MyString2[] = "Qhn.@rl`q`.Rtqx`ch";
printf("the result : %s", decodeMe(MyString2,18));
}
We can see that FLOSS is able to detect both MyString and MyString2
So lets think about how to evade it. Lets assume FLOSS is one of the malware detection engine to extract the strings from the binary.
Lets change the code into below that would result the same program output
// StackBasedStrings.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
char* decodeMe(char* data, int len) {
for (int i = 0; i < len; i++) {
data[i] = data[i] + 1;
}
return data;
}
int main()
{
//65 110 110 105 115 115 97
char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n'};
char MyString2[17];// = "Qhn.@rl`q`.Rtqx`ch";
*MyString2 = 81;
*(MyString2 + 1) = 104;
*(MyString2 + 2) = 110;
*(MyString2 + 3) = 46;
*(MyString2 + 4) = 64;
*(MyString2 + 5) = 114;
*(MyString2 + 6) = 108;
*(MyString2 + 7) = 96;
*(MyString2 + 8) = 113;
*(MyString2 + 9) = 96;
*(MyString2 + 10) = 46;
*(MyString2 + 11) = 82;
*(MyString2 + 12) = 116;
*(MyString2 + 13) = 113;
*(MyString2 + 14) = 120;
*(MyString2 + 15) = 96;
*(MyString2 + 16) = 99;
*(MyString2 + 17) = 104;
printf("the result : %s", decodeMe(MyString2,18));
}
output of the program
We can see the result that FLOSS is still able to decode it
Lets do some evasion. We can manipulate the string with additional formula and also mathematic which actually will strill result the same output string
#include <iostream>
int Obfuscate(int a) {
return ((a+5)-5);
}
char* decodeMe(char* data, int len) {
for (int i = 0; i < len; i++) {
data[i] = data[i] + 1;
}
return data;
}
int main()
{
char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n'};
char MyString2[17];// = "Qhn.@rl`q`.Rtqx`ch";
*MyString2 = 81;
*(MyString2 + 1) = 104;
*(MyString2 + 2) = 110;
*(MyString2 + 3) = 50-4;
*(MyString2 + 4) = 64;
*(MyString2 + 5) = 114;
*(MyString2 + 6) = Obfuscate(108);
*(MyString2 + 7) = 96;
*(MyString2 + 8) = 113;
*(MyString2 + 9) = (100-4);
*(MyString2 + 10) = 46;
*(MyString2 + 11) = 82;
*(MyString2 + 12) = 116;
*(MyString2 + 13) = Obfuscate(113);
*(MyString2 + 14) = 120;
*(MyString2 + 15) = 96;
*(MyString2 + 16) = 99;
*(MyString2 + 17) = 104;
printf("the result : %s", decodeMe(MyString2,18));
}
outout of the program
We can see that the output of the program is still the same even we change it into more complex with some additional function call and mathematic calculation but with that additional complexity the result of the FLOSS is very different. It cannot parse it well
you can see that the parse is splitted into some chunks which we cannot get the complete word or sentence as the previous parse.
So with this basic knowledge that now you are able to bypass or hide your IOC or API Call from the static analyses of the antimalware or human analyst.
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 
Great read! Glad i found this little blog haha thanks 🙂