Obfuscation and Data Encoding

From Unprotect Project

Technique Description

Malware uses obfuscation and data encoding to hide strings, configuration, and payloads from analysts and signature-based tools; to fully understand a sample we have to recognise and undo these techniques. Sometimes authors choose simple ciphers or basic encoding functions that are easy to implement and provide enough protection against a casual look. Other times they use standard cryptographic ciphers or custom encryption schemes to make identification and reverse engineering more difficult.

Techniques

Below is a list of all the obfuscation and data encoding techniques in Unprotect Project:

Obfuscation & Data Encoding

XOR: The XOR operation is the one most commonly used by malware, because it is trivial to implement and still hides data from a casual look. Each byte of the plaintext is XORed with a key (a single byte or a repeating multi-byte key) to produce the ciphertext. XOR is its own inverse, so the same routine with the same key both encodes and decodes; a single-byte key can be recovered by trying all 256 values against a known plaintext fragment.

Base64: Base64 represents binary data as an ASCII string. It is an encoding, not encryption (there is no key), and is commonly found in malware, often as the outer layer around an XORed or encrypted payload.

Caesar/ROT: The Caesar cipher is a simple substitution cipher, used in the Roman Empire to hide messages, that shifts each letter of the alphabet by a fixed amount. ROT13 is the 13-position variant and is its own inverse.

ROL: Rotate-left is a bitwise rotation of each byte (or word) rather than of letters, so it applies to arbitrary binary data. It is reversed with a rotate-right (ROR) by the same amount.

Crypto: Cryptography is often used in malware to protect code and configuration against analysis, or to perform the malicious action itself (e.g. ransomware encrypting victim files).

Custom: Malware often uses custom encoding schemes. This can be a completely custom algorithm or several layers of known ones (e.g. XOR followed by Base64).
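The following is an added example, not code from the Unprotect Project page or from any malware family: small encoders and decoders for the schemes listed above (repeating-key XOR, Base64, Caesar/ROT13, byte-wise ROL/ROR and the layered XOR+Base64 case), plus the single-byte XOR key recovery an analyst would run when a known plaintext fragment (a "crib" such as "http" or "MZ") is expected. The sample strings and keys are constructed for the demonstration.

```python
"""Added example: toy implementations of the encodings listed above.
Not from the Unprotect Project; sample inputs are constructed for the demo."""
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Applying it twice with the same key
    restores the original, so one routine both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions; other characters pass through.
    ROT13 is caesar(text, 13) and is its own inverse."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (bits shifted out re-enter on the right)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits; inverse of rol8 for the same n."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol_bytes(data: bytes, n: int) -> bytes:
    return bytes(rol8(b, n) for b in data)


def ror_bytes(data: bytes, n: int) -> bytes:
    return bytes(ror8(b, n) for b in data)


def encode_xor_b64(data: bytes, key: bytes) -> str:
    """Layered 'custom' scheme: XOR with a key, then Base64 the result."""
    return base64.b64encode(xor_bytes(data, key)).decode("ascii")


def decode_xor_b64(blob: str, key: bytes) -> bytes:
    """Undo encode_xor_b64: Base64-decode first, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key)


def brute_single_byte_xor(cipher: bytes, crib: bytes) -> list[int]:
    """Return every single-byte key under which the decoded data contains `crib`.
    This is the usual first move against a suspected single-byte XOR string."""
    return [k for k in range(256) if crib in xor_bytes(cipher, bytes([k]))]


if __name__ == "__main__":
    # Constructed sample: a C2-looking string XORed with key 0x5A.
    hidden = xor_bytes(b"GET http://c2", b"\x5a")
    print("candidate keys:", [hex(k) for k in brute_single_byte_xor(hidden, b"http")])
    print("ROT13:", caesar("Hello", 13), "->", caesar(caesar("Hello", 13), 13))
    blob = encode_xor_b64(b"http://example.test", b"key")
    print("XOR+Base64:", blob, "->", decode_xor_b64(blob, b"key"))
```

The crib search works because XOR with a wrong key only produces the expected substring if the plaintext itself contains a matching pattern of byte differences, which is rare for short keys; for multi-byte keys the same idea is applied per key position once the key length is guessed.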
