What Are .NET Malware Obfuscators?

by admin
Feb 15, 2024
in News

.NET malware obfuscators are tools that transform the code of .NET applications so that it becomes hard for reverse engineers to read and analyze.

They rename variables, restructure code, and insert misleading instructions to frustrate detection and analysis, which makes the malware more resistant to security tooling.

Unobfuscated malware is rare: samples are usually run through an obfuscator to hinder analysis. Some obfuscators mutate native machine code (C/Asm/Rust), while others modify .NET IL code.

According to ANY.RUN's technical write-up (Part 1), to understand obfuscators we must think like their creators. To defend correctly you must understand the offensive side, much like the red/blue team split in cybersecurity.

ANY.RUN develops a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams, as well as Threat Intelligence Feeds and Threat Intelligence Lookup. Every day, 300,000 professionals use the platform to investigate incidents and streamline threat analysis.

Technical Analysis

ANY.RUN researchers started from a deliberately simple test program: a single function, “ProtectMe,” that contains a few lines of code and one variable and outputs the string “No_On3_Can_Find_My_S3cr37_Pass.”

Source code

In the .NET debugger “DnSpy” the decompiled code looks like the following:

Decompiled code

Opening the compiled binary in the decompiler shows that anyone can quickly and easily recover the password.

To protect the password, the following strategies are recommended:

  • proxy functions
  • character breakdown
  • numeric conversion
  • heavy math
  • CFG obfuscation

Proxy functions place each static string in its own function with a meaningless name, which also gives the obfuscator finer control over each string individually.

String assignment in the separate function

To achieve this, the IL code of the compiled assembly has to be modified. The researchers do this with the “dnlib” library, which parses the compiled binary and lets them analyze and rewrite its instructions.

The process takes the following steps:

  • Locate function “ProtectMe”. 
  • Go through all the instructions and find each instance of “ldstr” (load string). 
  • Create a new class and a new function with a random name. 
  • Add “ldstr” and “ret” instructions to the body of the created function. 
  • Replace the original “ldstr” with a call to the new function. 
IL code modifications
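As an added example (not ANY.RUN's obfuscator or the article's code), here is a minimal C# program built on the dnlib library that performs the five steps above, together with the inverse pass an analyst would write to undo them. The method name ProtectMe comes from the article; the holder class name, the random-name generator and the command-line arguments are assumptions.

```csharp
// Added example, not ANY.RUN's or the article's code. Assumes the dnlib NuGet
// package and a target assembly containing a method named "ProtectMe".
using System;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class StringProxyPass
{
    static readonly Random Rng = new Random();

    // Assumed name generator: short random identifiers in place of meaningful names.
    static string RandomName() =>
        new string(Enumerable.Range(0, 12).Select(_ => (char)('a' + Rng.Next(26))).ToArray());

    // Step 1: locate the target method by name.
    static MethodDef FindMethod(ModuleDefMD module, string name) =>
        module.GetTypes().SelectMany(t => t.Methods).First(m => m.Name == name && m.HasBody);

    // Steps 2-5: move every ldstr in `target` into its own static proxy method.
    public static int Obfuscate(ModuleDefMD module, MethodDef target)
    {
        // Step 3 (class part): one holder class with an arbitrary name for all proxies.
        var holder = new TypeDefUser("", RandomName(), module.CorLibTypes.Object.TypeDefOrRef)
        {
            Attributes = TypeAttributes.Public | TypeAttributes.Abstract | TypeAttributes.Sealed
        };
        module.Types.Add(holder);

        int replaced = 0;
        foreach (var instr in target.Body.Instructions)
        {
            if (instr.OpCode != OpCodes.Ldstr) continue;            // step 2: find ldstr
            var secret = (string)instr.Operand;

            // Step 3 (method part): static string Proxy() with a random name.
            var proxy = new MethodDefUser(RandomName(),
                MethodSig.CreateStatic(module.CorLibTypes.String),
                MethodImplAttributes.IL | MethodImplAttributes.Managed,
                MethodAttributes.Public | MethodAttributes.Static)
            { Body = new CilBody() };
            proxy.Body.Instructions.Add(Instruction.Create(OpCodes.Ldstr, secret)); // step 4
            proxy.Body.Instructions.Add(Instruction.Create(OpCodes.Ret));
            holder.Methods.Add(proxy);

            instr.OpCode = OpCodes.Call;                             // step 5: call proxy
            instr.Operand = proxy;
            replaced++;
        }
        return replaced;
    }

    // Inverse pass (analyst side): a method whose entire body is `ldstr; ret` is a
    // string proxy; inline it at every call site so the decompiler shows the literal
    // again. Note this also matches legitimate methods that merely return a constant.
    public static int InlineProxies(ModuleDefMD module)
    {
        bool IsProxy(MethodDef m) =>
            m.HasBody && m.Body.Instructions.Count == 2 &&
            m.Body.Instructions[0].OpCode == OpCodes.Ldstr &&
            m.Body.Instructions[1].OpCode == OpCodes.Ret;

        int inlined = 0;
        foreach (var method in module.GetTypes().SelectMany(t => t.Methods).Where(m => m.HasBody))
        {
            foreach (var instr in method.Body.Instructions)
            {
                if (instr.OpCode != OpCodes.Call) continue;
                if (!(instr.Operand is MethodDef callee) || !IsProxy(callee)) continue;
                instr.OpCode = OpCodes.Ldstr;
                instr.Operand = callee.Body.Instructions[0].Operand;
                inlined++;
            }
        }
        return inlined;
    }

    static void Main(string[] args)
    {
        // Assumed CLI: <input.dll> <output.dll> obf|deobf
        var module = ModuleDefMD.Load(args[0]);
        int n = args[2] == "obf"
            ? Obfuscate(module, FindMethod(module, "ProtectMe"))
            : InlineProxies(module);
        Console.WriteLine($"{n} string(s) rewritten");
        module.Write(args[1]);
    }
}
```

Running the program with `obf` reproduces what the article's screenshots show: the literal disappears from ProtectMe and reappears as a two-instruction method with a random name. Running it with `deobf` shows why this step alone buys little: the proxy pattern is so regular that a dozen lines restore the original ldstr, which is essentially what De4dot does at scale.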

The original string is now hidden behind a call, but it is still easy to find. So the researchers next fragmented the secret into individual characters, which makes the code harder to read and opens the door to shuffling the pieces later.

Constructing string by bytes

Replacing the characters with their numeric values in the source, and therefore in the decompiled code, obscures them effectively.

Using the “Conv.U2” instruction, each numeric value is converted back to an unsigned (16-bit) character, turned into a string, and appended to the final result.

The researchers extended their obfuscator accordingly; its “MaskCharsWithNumVal” function performs this conversion.

Numeric conversion defeated DnSpy, but failed with IlSpy
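As an added example (not ANY.RUN's MaskCharsWithNumVal or any code from the article), here is a dnlib pass that rewrites each ldstr in place into per-character `ldc.i4` + `conv.u2` pushes, each turned back into a one-character string and concatenated, plus a small detector that counts the triples this leaves behind. The method name ProtectMe comes from the article; the command-line arguments and the exact IL shape (Char.ToString and String.Concat) are assumptions.

```csharp
// Added example, not ANY.RUN's or the article's code. Assumes the dnlib NuGet
// package and a target assembly containing a method named "ProtectMe".
using System;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class NumericMaskPass
{
    // Rewrite every ldstr in `target` as numeric pushes; returns characters emitted.
    public static int MaskStrings(ModuleDefMD module, MethodDef target)
    {
        // char.ToString(char) turns the pushed 16-bit value into a one-character string;
        // string.Concat(string, string) folds the pieces into the accumulated result.
        IMethod charToString = module.Import(typeof(char).GetMethod("ToString", new[] { typeof(char) }));
        IMethod concat = module.Import(typeof(string).GetMethod("Concat", new[] { typeof(string), typeof(string) }));

        var instrs = target.Body.Instructions;
        int chars = 0;
        for (int i = 0; i < instrs.Count; i++)
        {
            var instr = instrs[i];
            if (instr.OpCode != OpCodes.Ldstr) continue;
            var s = (string)instr.Operand;
            if (s.Length == 0) continue;                 // nothing to mask

            // Reuse the original instruction object for the first character so any
            // branch that targets it still points at a valid instruction.
            instr.OpCode = OpCodes.Ldc_I4;
            instr.Operand = (int)s[0];
            int pos = i + 1;
            instrs.Insert(pos++, OpCodes.Conv_U2.ToInstruction());
            instrs.Insert(pos++, OpCodes.Call.ToInstruction(charToString));

            for (int k = 1; k < s.Length; k++)
            {
                instrs.Insert(pos++, Instruction.Create(OpCodes.Ldc_I4, (int)s[k]));
                instrs.Insert(pos++, OpCodes.Conv_U2.ToInstruction());
                instrs.Insert(pos++, OpCodes.Call.ToInstruction(charToString));
                instrs.Insert(pos++, OpCodes.Call.ToInstruction(concat)); // acc = acc + piece
            }
            chars += s.Length;
            i = pos - 1;                                 // skip past the inserted code
        }
        return chars;
    }

    // Analyst side: count ldc.i4 / conv.u2 / call char.ToString triples, the
    // signature this pass leaves behind (checks the unoptimized ldc.i4 form only).
    public static int CountMaskedChars(MethodDef method)
    {
        var ins = method.Body.Instructions;
        int found = 0;
        for (int i = 0; i + 2 < ins.Count; i++)
        {
            if (ins[i].OpCode.Code == Code.Ldc_I4 && ins[i + 1].OpCode == OpCodes.Conv_U2 &&
                ins[i + 2].OpCode == OpCodes.Call && ins[i + 2].Operand is IMethod m &&
                m.Name == "ToString" && m.DeclaringType.FullName == "System.Char")
                found++;
        }
        return found;
    }

    static void Main(string[] args)
    {
        // Assumed CLI: <input.dll> <output.dll>
        var module = ModuleDefMD.Load(args[0]);
        var target = module.GetTypes().SelectMany(t => t.Methods)
                           .First(m => m.Name == "ProtectMe" && m.HasBody);
        int n = MaskStrings(module, target);
        Console.WriteLine($"{n} character(s) masked, {CountMaskedChars(target)} triples detectable");
        module.Write(args[1]);
    }
}
```

The pass leaves the method's stack balanced (each character contributes one string, and every Concat consumes two), and dnlib recomputes MaxStack on write. The detector illustrates the article's point about ILSpy: the rewrite is a pure constant expression, so a decompiler that folds constants, or a ten-line IL scan like CountMaskedChars, sees straight through it.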

ILSpy, another capable IL analysis tool, folds the numeric representations back into characters and renders the string readable again.

In addition, the binary view of the file still reveals the researchers' secret, scattered across the code.

Document

ANY.RUN Threat Intelligence Lookup

Threat Intelligence Lookup is a centralized repository of millions of IOCs extracted from ANY.RUN's extensive database of interactive malware analysis sessions.

The following can all be used to defeat the simple obfuscator:

  • Breakpoints
  • Memory dumps
  • De4dot

Modern obfuscators employ evolved versions of these techniques. With this foundation, researchers are better prepared to study contemporary obfuscators in depth and get to the heart of what makes them difficult.

Part 2 will cover further code protection methods: how obfuscators counter breakpoints, De4dot, and memory dumps, and how to bypass those defenses to understand the code, along with other interesting details. We will keep you posted.

Try all features of ANY.RUN Interactive malware analysis premium access at zero cost for 14 days with a Free Trial.

Copyright © 2022 Cyber Affairs. All rights reserved.