Discover and read the best of Twitter Threads about #obfuscation

Most recents (7)

#VBA declare statement: from libname #obfuscation to remote dll loading 🧵

Declare is used to declare a ref to an external proc in a DLL

[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]

0⃣ both "kernel32" and "kernel32.dll" are acceptable libnames
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
Is libname actually a file path? yes
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
Read 6 tweets
#ESETresearch is offering you a #behindthescenes look at the diligent work required to see through the
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
We also described the code we developed to facilitate our research. It is provided to the community
@github 3/5…
Read 5 tweets
VBA is a totally fair and balanced language and does not need nerfs at all =)

Enjoy some code that I have dug up from a certain vault and try to guess what the debug output says.

Cookies and #respect rewards

#obfuscation #homoglyph #infosec #nerfvba #hephaestus #cordyceps ImageImage
Debug.Output of the 2 cases above: Image
The reasoning for all of this fun stuff is the acceptable range of characters withing VBA variable space.

You can have not only homography issues within VBA but you can also have nonprintable characters (ie right to left change) as a valid variable name.
Read 5 tweets
#linux #bash #obfuscation #technique #bashfuscation
padding commands with history expansion characters (#exclamation mark (!))
! ! ! ! echo this is test
(removed the previous tweet as I revealed too much info !)
#linux #bash #obfuscation #bashfuscation

using history expansion character -> !! (i.e. last command)

!!t really

is equivalent to
cat really

(only 4 interactive shell)
#linux #bash #obfuscation #bashfuscation

padding commands with empty commands (: ;)

: -> true (do nothing)
; -> command separator

: : ; : ; cat really
! ! ! : : ; : ; cat really
Read 8 tweets
#linux #bash #path #obfuscation
goal: obfuscate /etc/passwd
1) #directorytraversal: /mnt/././../etc/././passwd
2) escape characher: /etc/.\/\/\/\/\/passwd /etc/.\/.\/.\/.\/passwd /\e\t\c/passwd
3) null character /et$'c/pa\u0000/notexist/path'sswd
#path #obfuscation using #symbolic #link
ln -s / anything
head -n 2 anything////../etc/passwd

ln -s ../../ wow
head -n 2 ././wow/../etc/passwd

* ../ after a sym link applies to the sym link not the current path
filename expansion #globbing

cat /et*/pa**wd

command expansion
$(echo /e)tc$(echo /pa*)wd

+ other string obfuscation techniques
Read 5 tweets
#linux #bash #obfuscation using shell parameter expansion:

${alphabet:2:1}at really
${alphabet: -24:-23}at really
${alphabet: -24:1}at really
${alphabet:2:-23}at really…
similar #bat #windows (…)
The goal is to obfuscate the following command:
cat really
in which, really is a file.
Using arithmetic (add, sub, mul, div, mod, and pow) for calculating index or lenght
${alphabet: 2:(-20-3)}at really
Read 6 tweets
#linux #bash #obfuscation using octal vals
$'\143\141\164' really…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."

$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really

'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)

(deleted the previous one, as the picture had a problem) Image
To give you a headache

$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really Image
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!