Category:Encryption

From aldeid

Description

  • Malware often encrypts content (strings, data sent to the C&C)
  • A reversible cipher uses the same routine to encrypt and decrypt

Detecting cryptography in malware

Strings and Imports

Constants

Entropy

Some algorithms can't be detected from constants because they build their structures on the fly. This is the case for the International Data Encryption Algorithm (IDEA) and for RC4.

You can search for high-entropy content to detect such algorithms using the IDA Entropy Plugin:

Revealing base64 encoding with high 6-bit entropy in the data section (64-bit (0x40) chunk size with maximum entropy of 5.95) [image: High-entropy-001.png]
Revealing AES encryption with high 8-bit entropy in the rdata section (256-bit (0x100) chunk size with maximum entropy of 7.9) [image: High-entropy-002.png]
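As an added illustration of the entropy heuristic above (example code written for this page, not part of the original article nor of the IDA Entropy Plugin): a chunked Shannon-entropy scan over a constructed buffer made of plaintext strings, a base64 blob and random bytes standing in for AES ciphertext. The 64-symbol base64 alphabet caps its entropy at log2(64) = 6 bits per byte while ciphertext approaches 8; the 0x100 chunk size, the 6.5 threshold and the sample data are assumptions.

```python
import base64
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data: 0.0 for a constant buffer, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk_size: int = 0x100):
    """Entropy of each consecutive chunk, as (offset, bits_per_byte) pairs."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]

def max_entropy(data: bytes, chunk_size: int = 0x100) -> float:
    """Highest chunk entropy, the figure an entropy plugin reports per section."""
    return max(e for _, e in entropy_profile(data, chunk_size))

def find_high_entropy(data: bytes, chunk_size: int = 0x100, threshold: float = 6.5):
    """Chunk offsets at or above threshold. Nothing drawn from a 64-symbol
    alphabet (base64, most text) can exceed log2(64) = 6.0, so 6.5 separates
    such data from ciphertext; random bytes scored in 0x100-byte chunks land
    near 7.2, because the estimator is biased low on small samples."""
    return [off for off, e in entropy_profile(data, chunk_size) if e >= threshold]

# Constructed sample "section" (assumption, not data from a real binary):
# 0x800 bytes of plaintext strings, 0x1000 bytes of base64, then 0x1000
# random bytes standing in for AES ciphertext (not real AES output).
_rng = random.Random(2024)
PLAINTEXT = (b"GET /gate.php HTTP/1.1\r\nHost: example.invalid\r\n" * 40).ljust(0x800, b"\x00")
BASE64_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(0xC00)))
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(0x1000))
SECTION = PLAINTEXT + BASE64_BLOB + CIPHERTEXT

def locate_ciphertext(section: bytes = SECTION, chunk_size: int = 0x100):
    """(first, last) flagged chunk offset, or (-1, -1) if nothing is flagged."""
    hits = find_high_entropy(section, chunk_size)
    return (hits[0], hits[-1]) if hits else (-1, -1)

if __name__ == "__main__":
    # Text-mode histogram of the profile: the jump at 0x800 is the base64
    # blob (capped at 6 bits), the second jump at 0x1800 is the ciphertext.
    for off, e in entropy_profile(SECTION):
        print(f"0x{off:05x}  {e:4.2f}  {'#' * int(e * 4)}")
```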

Decryption in practice

Basic decryption

This section is incomplete and is still being written.

Complex decryption

With OllyDbg

Suppose we are analyzing malware that encrypts an image file (a .bmp file) with a complex encryption mechanism, and that the encryption routine is reversible (the same routine encrypts and decrypts). We can modify the control flow of the malware so that it decrypts the encrypted content for us. Below is an example.


Let's set up 2 breakpoints in OllyDbg:

  • At offset 0x401880, just before the content is encrypted
  • At offset 0x40190A, just after the file is written

Once the program has reached our first breakpoint (0x401880), the arguments on the stack represent the buffer that is about to be encrypted:

  • [1] At 0x401880, the breakpoint is reached.
  • [2] The arguments on the stack represent the buffer pointed to by the ESP register.
  • [3] Right click on the 1st argument and select "Follow in Dump".
  • [4] Notice the magic bytes of *.bmp files (0x42 0x4D, "BM"), which confirm that the buffer contains a bitmap image just before it is encrypted. Select the whole dump from here to the end (start the selection and, while holding the left mouse button, press the END key to reach the end).
  • [5] Now open your encrypted file in a hexadecimal editor and copy its entire content as hex.
  • [6] Paste the content into OllyDbg in place of your selection (Right click > Binary > Binary paste).
  • [7] Run the program (F9) until it reaches our second breakpoint. Add the *.bmp extension to the new file generated by the malware: it is our decoded image.

With Python scripting in Immunity Debugger

This section is incomplete and is still being written.