In this walk-through post, we covered the first part of obfuscation techniques and principles for signature and AV evasion, focusing on object concatenation.

Overview

  • Obfuscation Defined: The process of altering code to make it harder to understand without affecting its functionality. It involves changing variable names, structures, or logic to obscure the purpose of the code.

Applications

  1. Intellectual Property Protection:
    • Protects proprietary software from theft or unauthorized reproduction.
    • Prevents competitors from reverse-engineering the software to extract core functionalities or data.
  2. Antivirus Evasion:
    • Makes malicious code undetectable by antivirus software.
    • Relatively simple compared with protecting intellectual property, since fewer techniques are required.

Techniques Discussed

  1. Data Obfuscation:
    • Obfuscating variables, arrays, and data structures using techniques such as splitting, merging, or encoding.
  2. Concatenation:
    • Combining variables or data dynamically to obscure the original form.
    • Implemented using different operators in various programming languages:
      • Python: + operator.
      • PowerShell: + operator or string interpolation ("$a$b").
      • C#: + or String.Concat.
      • C: strcat.
  3. Practical Example in PowerShell:
    • The presenter demonstrates the application of obfuscation techniques to bypass antivirus detection.
    • Code snippets are rewritten using concatenation to make them harder for antivirus software to detect.

Case Study

  • Signature Evasion:
    • Identifies components of the code that trigger antivirus alerts.
    • Implements concatenation to break these components into smaller, less detectable parts.
    • A PowerShell script is used as an example, showing step-by-step obfuscation to bypass Windows Defender.

Goals and Layers

  • The video emphasizes the taxonomy of obfuscation techniques, structured in layers similar to the OSI model in networking:
    • Code Element Layer: Focuses on obfuscating variables and methods.
    • Application Layer: Includes techniques for encrypting and restructuring application logic.

Key Takeaways

  • Obfuscation is a dual-purpose tool—beneficial for security and intellectual property but also exploited for malicious purposes like evading detection.
  • The methods and techniques demonstrated highlight the importance of understanding obfuscation for cybersecurity practitioners.

TryHackMe Obfuscation Principles | Room Answers

How many core layers make up the Layered Obfuscation Taxonomy?
4

What sub-layer of the Layered Obfuscation Taxonomy encompasses meaningless identifiers?

Obfuscating Layout

What obfuscation method will break or split an object?
Data Splitting


What obfuscation method is used to rewrite static data with a procedure call?

Data Procedurization

What flag is found after uploading a properly obfuscated snippet?
THM{koNC473n473_4Ll_7H3_7H1n95}

What are junk instructions referred to as in junk code?

Code Stubs

What obfuscation layer aims to confuse an analyst by manipulating the code flow and abstract syntax trees?

Obfuscating Controls

Can logic change and impact the control flow of a program? (T/F)
T

What flag is found after properly reversing the provided snippet?
THM{D3cod3d!!!}


What flag is found after uploading a properly obfuscated snippet?
THM{Y0Ur_1NF0_15_M1N3}

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.