-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Your Name
committed
Aug 18, 2024
1 parent
cf9a063
commit d13a8bd
Showing
3 changed files
with
99 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # *IPFuscation* | ||
|
|
||
| ## Authorship information | ||
| * Name or nickname (required): *4rkt0uR0s* | ||
| * Email: *[email protected]* | ||
|
|
||
| ## Technique Information | ||
| * Technique title (required): IPV4/IPV6 Obfuscation | ||
| * Technique category (required): Data Obfuscation | ||
| * Technique description (required): The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the `RtlIpv4StringToAddressA` function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode. Additionally, IPfuscation variants were spotted using IPv6 instead of IPv4 addresses, UUIDs, and MAC addresses, all operating in almost the same way. | ||
|
|
||
| ## Additional resources | ||
| * https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/ | ||
| * https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/ | ||
| * https://cyware.com/news/ipfuscation-is-hives-new-technique-to-evade-detection-96c3c748 | ||
|
|
||
| ## Code snippets | ||
| To generate an obfuscated payload from a shellcode, you must first run the python script which will return the obfuscated payload as a list of IPs | ||
| ```bash | ||
| $ python3 ipv4fuscation.py | ||
| char * payload[13] = { | ||
| "72.101.108.108","111.32.85.110","112.114.111.116","101.99.116.80","114.111.106.101","99.116.44.32","116.104.105.115", | ||
| "32.105.115.32","73.80.118.52","32.111.98.102","117.115.99.97","116.105.111.110","32.58.41.0" | ||
| }; | ||
| ``` | ||
|
|
||
| Then, you can deobfuscate it at runtime in the heap, as in `ipv4defuscation.c` | ||
|
|
||
| ```c | ||
| void Ipv4Deobfuscate(CHAR* Ipv4Array[], int Ipv4ArrayLength) { | ||
| PCSTR Terminator = NULL; | ||
| PBYTE pointer = NULL, tmp = NULL; | ||
| pointer = (PBYTE)HeapAlloc(GetProcessHeap(), 0, Ipv4ArrayLength*4); | ||
| addressToWrite = pointer; | ||
| printf("Allocated on heap at : 0x%p", pointer); | ||
| for (int i = 0; i < Ipv4ArrayLength; i++){ | ||
| RtlIpv4StringToAddressA(Ipv4Array[i], FALSE, &Terminator, addressToWrite); | ||
| addressToWrite = (PBYTE)(addressToWrite + 4); | ||
| } | ||
| getchar(); // Pause so you can inspect the heap | ||
| } | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| #include <Windows.h> | ||
| #include <stdio.h> | ||
| #include <ip2string.h> | ||
|
|
||
| #pragma comment(lib, "ntdll.lib") | ||
|
|
||
| void Ipv4Deobfuscate(CHAR* Ipv4Array[], int Ipv4ArrayLength) { | ||
| PCSTR Terminator = NULL; | ||
| PBYTE pointer = NULL, tmp = NULL; | ||
| pointer = (PBYTE)HeapAlloc(GetProcessHeap(), 0, Ipv4ArrayLength*4); | ||
| addressToWrite = pointer; | ||
| printf("Allocated on heap at : 0x%p", pointer); | ||
| for (int i = 0; i < Ipv4ArrayLength; i++){ | ||
| RtlIpv4StringToAddressA(Ipv4Array[i], FALSE, &Terminator, addressToWrite); | ||
| addressToWrite = (PBYTE)(addressToWrite + 4); | ||
| } | ||
| getchar(); // Pause so you can inspect the heap | ||
| } | ||
|
|
||
|
|
||
| int main() { | ||
| char * payload[13] = { | ||
| "72.101.108.108","111.32.85.110","112.114.111.116","101.99.116.80","114.111.106.101","99.116.44.32","116.104.105.115", | ||
| "32.105.115.32","73.80.118.52","32.111.98.102","117.115.99.97","116.105.111.110","32.58.41.0" | ||
| }; | ||
|
|
||
| Ipv4Deobfuscate(payload, 13); | ||
|
|
||
| return 0; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| def generate_ipv4_string(shellcode): | ||
| shellcode_size = len(shellcode) | ||
|
|
||
| # Ensure shellcode size is a multiple of 4 | ||
| if shellcode_size % 4 != 0: | ||
| raise ValueError("Shellcode size must be a multiple of 4.") | ||
|
|
||
| ipv4_array = [] | ||
| number_of_ip = 0 | ||
|
|
||
| # Generate shellcode every 4 bytes | ||
| for i in range(0, shellcode_size, 4): | ||
| ip = f"{int(shellcode[i], 16)}.{int(shellcode[i+1], 16)}.{int(shellcode[i+2], 16)}.{int(shellcode[i+3], 16)}" | ||
| number_of_ip += 1 | ||
|
|
||
| if number_of_ip % (shellcode_size // 4) == 0: | ||
| ipv4_array.append(f'"{ip}"') | ||
| elif number_of_ip % 8 == 0: | ||
| ipv4_array.append(f'\n\t"{ip}",') | ||
| else: | ||
| ipv4_array.append(f'"{ip}",') | ||
|
|
||
| # Print the result in the same format | ||
| print(f"char * payload[{len(ipv4_array)}] = {{ \n\t{''.join(ipv4_array)}\n}};\n") | ||
|
|
||
| shellcode = ["0x48","0x65","0x6c","0x6c","0x6f","0x20","0x55","0x6e","0x70","0x72","0x6f","0x74","0x65","0x63","0x74","0x50","0x72","0x6f","0x6a","0x65","0x63","0x74","0x2c","0x20","0x74","0x68","0x69","0x73","0x20","0x69","0x73","0x20","0x49","0x50","0x76","0x34","0x20","0x6f","0x62","0x66","0x75","0x73","0x63","0x61","0x74","0x69","0x6f","0x6e","0x20","0x3a","0x29","0x00"] | ||
| generate_ipv4_string(shellcode) |