Discover and read the best of Twitter Threads about #obfuscation
Most recents (7)
#VBA declare statement: from libname #obfuscation to remote dll loading 🧵
Declare is used to declare a ref to an external proc in a DLL
Syntax:
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]
ref: docs.microsoft.com/en-us/office/v…
Declare is used to declare a ref to an external proc in a DLL
Syntax:
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]
ref: docs.microsoft.com/en-us/office/v…
0⃣ both "kernel32" and "kernel32.dll" are acceptable libnames
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
Is libname actually a file path? yes
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
#ESETresearch is offering you a #behindthescenes look at the diligent work required to see through the
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und…
obfuscation techniques used in the recently described #Wslink, unique and undocumented
malicious loader that runs as a server. 1/5
@HrckaVladislav
welivesecurity.com/2022/03/28/und…
Wslink’s multilayered #virtualmachine introduced a diverse arsenal of #obfuscation techniques, which
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
we were able to overcome to reveal a part of the deobfuscated malicious code. 2/5
We also described the code we developed to facilitate our research. It is provided to the community
@github 3/5
github.com/eset/wslink-vm…
@github 3/5
github.com/eset/wslink-vm…
VBA is a totally fair and balanced language and does not need nerfs at all =)
Enjoy some code that I have dug up from a certain vault and try to guess what the debug output says.
Cookies and #respect rewards
#obfuscation #homoglyph #infosec #nerfvba #hephaestus #cordyceps
Enjoy some code that I have dug up from a certain vault and try to guess what the debug output says.
Cookies and #respect rewards
#obfuscation #homoglyph #infosec #nerfvba #hephaestus #cordyceps
Debug.Output of the 2 cases above:
The reasoning for all of this fun stuff is the acceptable range of characters withing VBA variable space.
You can have not only homography issues within VBA but you can also have nonprintable characters (ie right to left change) as a valid variable name.
You can have not only homography issues within VBA but you can also have nonprintable characters (ie right to left change) as a valid variable name.
#linux #bash #obfuscation #technique #bashfuscation
padding commands with history expansion characters (#exclamation mark (!))
! ! ! ! echo this is test
(removed the previous tweet as I revealed too much info !)
padding commands with history expansion characters (#exclamation mark (!))
! ! ! ! echo this is test
(removed the previous tweet as I revealed too much info !)
#linux #bash #obfuscation #bashfuscation
using history expansion character -> !! (i.e. last command)
ca
!!t really
is equivalent to
cat really
(only 4 interactive shell)
using history expansion character -> !! (i.e. last command)
ca
!!t really
is equivalent to
cat really
(only 4 interactive shell)
#linux #bash #obfuscation #bashfuscation
padding commands with empty commands (: ;)
: -> true (do nothing)
; -> command separator
: : ; : ; cat really
! ! ! : : ; : ; cat really
padding commands with empty commands (: ;)
: -> true (do nothing)
; -> command separator
: : ; : ; cat really
! ! ! : : ; : ; cat really
#linux #bash #path #obfuscation
goal: obfuscate /etc/passwd
1) #directorytraversal: /mnt/././../etc/././passwd
2) escape characher: /etc/.\/\/\/\/\/passwd /etc/.\/.\/.\/.\/passwd /\e\t\c/passwd
3) null character /et$'c/pa\u0000/notexist/path'sswd
....
goal: obfuscate /etc/passwd
1) #directorytraversal: /mnt/././../etc/././passwd
2) escape characher: /etc/.\/\/\/\/\/passwd /etc/.\/.\/.\/.\/passwd /\e\t\c/passwd
3) null character /et$'c/pa\u0000/notexist/path'sswd
....
#path #obfuscation using #symbolic #link
ln -s / anything
head -n 2 anything////../etc/passwd
ln -s ../../ wow
head -n 2 ././wow/../etc/passwd
* ../ after a sym link applies to the sym link not the current path
ln -s / anything
head -n 2 anything////../etc/passwd
ln -s ../../ wow
head -n 2 ././wow/../etc/passwd
* ../ after a sym link applies to the sym link not the current path
filename expansion #globbing
cat /et*/pa**wd
command expansion
$(echo /e)tc$(echo /pa*)wd
+ other string obfuscation techniques
cat /et*/pa**wd
command expansion
$(echo /e)tc$(echo /pa*)wd
+ other string obfuscation techniques
#linux #bash #obfuscation using shell parameter expansion:
alphabet=abcdefghijklmnopqrstuvwxyz
${alphabet:2:1}at really
${alphabet: -24:-23}at really
${alphabet: -24:1}at really
${alphabet:2:-23}at really
gnu.org/software/bash/…
similar #bat #windows (ss64.com/nt/syntax-subs…)
alphabet=abcdefghijklmnopqrstuvwxyz
${alphabet:2:1}at really
${alphabet: -24:-23}at really
${alphabet: -24:1}at really
${alphabet:2:-23}at really
gnu.org/software/bash/…
similar #bat #windows (ss64.com/nt/syntax-subs…)
The goal is to obfuscate the following command:
cat really
in which, really is a file.
cat really
in which, really is a file.
Using arithmetic (add, sub, mul, div, mod, and pow) for calculating index or lenght
${alphabet: 2:(-20-3)}at really
${alphabet: 2:(-20-3)}at really
#linux #bash #obfuscation using octal vals
$'\143\141\164' really
gnu.org/software/bash/…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."
$'\143\141\164' really
gnu.org/software/bash/…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."
Variations
$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really
Explanation:
'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)
(deleted the previous one, as the picture had a problem)
$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really
Explanation:
'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)
(deleted the previous one, as the picture had a problem)
To give you a headache
t=
$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really
t=
$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really
