Monday, October 28, 2013

XOR From the Unix CLI


Every once in while (depending upon how hard you look) I'm faced with something that looks like an executable, but not quite. A very common tactic used by cyber criminals to evade IDS and analysts is to XOR executables (and sometimes data) so that they don't look suspicious. There are no shortage of ways to XOR, but I thought I'd share an easy method using perl, borrowed from Daniel Wesemann (https://isc.sans.edu/forums/diary/Exploit+cocktail+Struts+Java+Windows+going+after+3-month+old+vulnerabilities/16913).

In the example below he uses  "cat" and "perl" to perform a single byte XOR (0x77) on a file called "data.hex" and then redirects that to a file called "data.exe". 

cat data.hex | perl -pe 's/(..)/chr(hex($1)^0x77)/ge' > data.exe

No comments:

Post a Comment