For more malware development techniques, visit maldevacademy.com
EntropyReducer's algorithm is controlled by the `BUFF_SIZE` and `NULL_BYTES` values. The following is how EntropyReducer would organize your payload if `BUFF_SIZE` was set to 4 and `NULL_BYTES` to 2.
- EntropyReducer first checks whether the size of the input raw payload is a multiple of `BUFF_SIZE`; if not, it pads the payload so that it is.
- It then takes every `BUFF_SIZE`-byte chunk of the payload and creates a linked list node for it using the `InitializePayloadList` function, turning the payload into a linked list.
- Each created node carries an empty buffer of `NULL_BYTES` bytes; these null bytes are what lower the entropy.
- At this point EntropyReducer has already done its job of lowering the payload's entropy, but it doesn't stop there. It goes on to randomize the order of the nodes in the linked list, breaking up the raw payload's byte order. This step is done with a merge sort implemented in the `MergeSort` function.
- The sorted linked list ends up in random order because the key the list is sorted by is the XOR of the first three bytes of each node's payload chunk; that value determines the node's position in the reorganized list.
- Since a linked list cannot be saved to a file as-is (its nodes are joined together by pointers), it has to be serialized.
- Serialization of the generated linked list is done by the `Obfuscate` function.
- After that, the serialized data is ready to be written to the output file.
- Since the last step of the obfuscation algorithm was serializing the linked list, the first thing to do here is to deserialize the obfuscated payload, rebuilding a linked list from it. This step is done in the `Deobfuscate` function.
- The next step is to sort the linked list by the nodes' IDs, using the same merge sort used before.
- Now the linked list is in the right order to reconstruct the payload's bytes, so the original payload bytes are simply stripped out of each node and concatenated.
- The last step is to free the allocated nodes.
- EntropyReducer simply reads the raw payload file given on the command line and writes the obfuscated version to a file named after the input with ".ER" added.
- The size of the final obfuscated payload varies with the values of both `BUFF_SIZE` and `NULL_BYTES`. It can be determined using the following equation:

```
FinalSize = ((OriginalSize + BUFF_SIZE - OriginalSize % BUFF_SIZE) / BUFF_SIZE) * (BUFF_SIZE + NULL_BYTES + sizeof(INT))
```

  Each node contributes its `BUFF_SIZE` payload bytes, its `NULL_BYTES` null bytes and an `INT` ID. Note that when `OriginalSize` is already an exact multiple of `BUFF_SIZE`, the expression counts one additional chunk beyond what the padding rule above produces.
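To make the obfuscation and deobfuscation steps above, the per-node layout behind the size equation, and the entropy comparison at the end of this page concrete, here is an added, self-contained C example. It is not EntropyReducer's own code: it uses an array plus `qsort` instead of the project's linked list and `MergeSort`, shuffles the node order with a Fisher-Yates pass rather than the XOR-keyed sort, and assumes that each serialized node is laid out as payload chunk, then `NULL_BYTES` zero bytes, then a 32-bit ID, with 0x00 as the padding byte (the page does not state the padding byte or the field order, so those are assumptions). `er_entropy` computes the Shannon entropy in bits per byte that pestudio reports, so the before/after numbers can be checked on any buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same tunables as the README example: 3 payload bytes and 1 null byte per node. */
#define BUFF_SIZE   3
#define NULL_BYTES  1
#define RECORD_SIZE (BUFF_SIZE + NULL_BYTES + (int)sizeof(int32_t))  /* assumed layout: [payload][nulls][int32 id] */

typedef struct { unsigned char buf[BUFF_SIZE]; int32_t id; } record_t;
static uint32_t lcg_state = 0x1234567u;     /* tiny LCG: reproducible shuffle, not a secure RNG */
static uint32_t lcg_next(void) { return (lcg_state = lcg_state * 1664525u + 1013904223u) >> 8; }
static int cmp_id(const void *a, const void *b) {
    int32_t x = ((const record_t *)a)->id, y = ((const record_t *)b)->id; return (x > y) - (x < y);
}

/* log2(x), x > 0, without libm so a bare `cc` build works: normalize into [1,2)
 * while counting the exponent, then extract fraction bits by repeated squaring. */
static double log2_nolibm(double x) {
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double frac = 0.0, bit = 0.5;
    for (int i = 0; i < 52; i++, bit *= 0.5) {
        x *= x;
        if (x >= 2.0) { x *= 0.5; frac += bit; }
    }
    return e + frac;
}

/* Shannon entropy in bits per byte (0..8), the figure pestudio reports. */
double er_entropy(const unsigned char *buf, size_t len) {
    size_t counts[256] = {0}; double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (!counts[b]) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Obfuscate: pad to a multiple of BUFF_SIZE (assumed: with 0x00), cut into records that
 * remember their original index, shuffle, serialize. Returns bytes in *out (caller frees), 0 on failure. */
size_t er_obfuscate(const unsigned char *in, size_t in_len, unsigned char **out) {
    size_t padded = in_len % BUFF_SIZE ? in_len + BUFF_SIZE - in_len % BUFF_SIZE : in_len;
    size_t n = padded / BUFF_SIZE;
    record_t *recs = n ? calloc(n, sizeof *recs) : NULL;
    if (!recs) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t avail = in_len - i * BUFF_SIZE;          /* only the last chunk can be short */
        memcpy(recs[i].buf, in + i * BUFF_SIZE, avail < BUFF_SIZE ? avail : BUFF_SIZE);
        recs[i].id = (int32_t)i;                        /* the id is what restores the order */
    }
    for (size_t i = n - 1; i > 0; i--) {                /* Fisher-Yates shuffle of node order */
        size_t j = lcg_next() % (i + 1);
        record_t t = recs[i]; recs[i] = recs[j]; recs[j] = t;
    }
    unsigned char *p = calloc(n, RECORD_SIZE);          /* calloc supplies the null bytes */
    if (!p) { free(recs); return 0; }
    for (size_t i = 0; i < n; i++) {
        memcpy(p + i * RECORD_SIZE, recs[i].buf, BUFF_SIZE);
        memcpy(p + i * RECORD_SIZE + BUFF_SIZE + NULL_BYTES, &recs[i].id, sizeof(int32_t));
    }
    free(recs); *out = p;
    return n * RECORD_SIZE;
}

/* Deobfuscate: parse records, sort by id, concatenate chunks. The format stores no original
 * length, so the padding stays on the end. Returns 0 on malformed or tampered input. */
size_t er_deobfuscate(const unsigned char *in, size_t in_len, unsigned char **out) {
    if (in_len == 0 || in_len % RECORD_SIZE != 0) return 0;
    size_t n = in_len / RECORD_SIZE;
    record_t *recs = calloc(n, sizeof *recs);
    if (!recs) return 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(recs[i].buf, in + i * RECORD_SIZE, BUFF_SIZE);
        memcpy(&recs[i].id, in + i * RECORD_SIZE + BUFF_SIZE + NULL_BYTES, sizeof(int32_t));
    }
    qsort(recs, n, sizeof *recs, cmp_id);
    for (size_t i = 0; i < n; i++)                      /* sorted ids must be exactly 0..n-1 */
        if (recs[i].id != (int32_t)i) { free(recs); return 0; }
    unsigned char *p = malloc(n * BUFF_SIZE);
    if (!p) { free(recs); return 0; }
    for (size_t i = 0; i < n; i++) memcpy(p + i * BUFF_SIZE, recs[i].buf, BUFF_SIZE);
    free(recs); *out = p;
    return n * BUFF_SIZE;
}

int main(void) {                                        /* constructed sample bytes, not a real payload */
    const unsigned char raw[] = { 0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0 };
    unsigned char *ob = NULL, *de = NULL;
    size_t ob_len = er_obfuscate(raw, sizeof raw, &ob), de_len = er_deobfuscate(ob, ob_len, &de);
    printf("raw %.3f bits/byte, obfuscated %.3f bits/byte, roundtrip %s\n", er_entropy(raw, sizeof raw),
           er_entropy(ob, ob_len), de_len && !memcmp(de, raw, sizeof raw) ? "ok" : "FAILED");
    free(ob); free(de); return 0;
}
```

On the constructed 7-byte sample, the obfuscated buffer is 3 records of 8 bytes (24 bytes in total), and its entropy drops below that of the input because the ID and null fields are mostly zero bytes. Two practical points the page does not spell out: the deserializer cannot recover the original length (the format does not store it), so the caller gets the padded payload back and must tolerate the trailing bytes; and `er_deobfuscate` rejects truncated input and ID sets that are not exactly 0..n-1, which is the check a loader should perform before handing the buffer to anything that executes it.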
- The PoC project in this repo executes the generated ".ER" file, as an example of deserializing and deobfuscating it.
All you have to do is add the EntropyReducer.c and EntropyReducer.h files to your project and call the `Deobfuscate` function. See PoC/main.c for reference.
In this example, `BUFF_SIZE` was set to 3 and `NULL_BYTES` to 1.
- The raw payload, first payload chunk (`FC 48 83`)
- The same payload chunk, but at a different offset
- The x64 calc shellcode generated by Metasploit has an entropy of 5.883, as viewed in pestudio.
- The same file, AES encrypted, scores an entropy of 7.110.
- Nearly the same result with RC4: 7.210.
- Using EntropyReducer, however, the entropy is even lower than that of the original raw payload: 4.093.