Closed cocomelonc closed 1 year ago
Hello @cocomelonc, thanks for all your help improving this tool and for your really nice techniques and commits. You are right that single-byte XOR encryption is really easy for malware analysts to guess. Thanks also for your GetProcAddress and GetModuleHandle implementation ^_^
Imagine that we are malware analysts investigating a malware sample. We know popular WinAPI strings like VirtualAlloc, CreateThread, etc. We suspect that these strings (and other strings like "kernel32.dll" or "ntdll.dll") may be XOR-encoded, but how do we find out? One good strategy is brute force, which works against single-byte encoding. Since there are only 256 possible values for KEY, we can try all of the possible 255 single-byte keys XORed with the first symbol of the encoded WinAPI string and compare the result with the string we would expect for a WinAPI string like "VirtualAlloc". To prevent this, add some changes.
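The analyst-side brute force described above, as an added example that is not part of this PR or the project's code: it first derives, for each expected WinAPI name, the only key that maps the first ciphertext byte onto that name's first character, confirms each candidate against the full string, and falls back to all 256 keys when the name is not at offset 0. The ciphertext and the key 0x41 are constructed here; `KNOWN_APIS` is an assumed list of names an analyst would expect.

```python
from typing import Dict, List, Tuple

# Names an analyst expects to see in a loader (assumed list; extend as needed).
KNOWN_APIS: List[bytes] = [
    b"VirtualAlloc", b"CreateThread", b"GetProcAddress",
    b"GetModuleHandleA", b"kernel32.dll", b"ntdll.dll",
]


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key (used both to build the sample and to decode)."""
    return bytes(b ^ key for b in data)


def keys_from_first_byte(first_enc: int, expected: List[bytes] = KNOWN_APIS) -> Dict[int, List[bytes]]:
    """Cheap filter: for each expected name there is exactly one key that turns
    the first ciphertext byte into that name's first character."""
    candidates: Dict[int, List[bytes]] = {}
    for name in expected:
        key = first_enc ^ name[0]
        candidates.setdefault(key, []).append(name)
    return candidates


def recover_key(blob: bytes, expected: List[bytes] = KNOWN_APIS) -> List[Tuple[int, bytes]]:
    """Confirm each first-byte candidate against the whole name; if none match at
    offset 0, try all 256 keys and look for any expected name in the plaintext."""
    hits: List[Tuple[int, bytes]] = []
    for key, names in keys_from_first_byte(blob[0], expected).items():
        for name in names:
            if xor_single(blob[: len(name)], key) == name:
                hits.append((key, name))
    if hits:
        return hits
    for key in range(256):
        plain = xor_single(blob, key)
        for name in expected:
            if name in plain:
                hits.append((key, name))
                break
    return hits


# Constructed sample: three API strings, NUL-separated, XORed with key 0x41.
SAMPLE_KEY = 0x41
SAMPLE_BLOB = xor_single(b"VirtualAlloc\x00CreateThread\x00kernel32.dll\x00", SAMPLE_KEY)

if __name__ == "__main__":
    for key, name in recover_key(SAMPLE_BLOB):
        print(f"key=0x{key:02x} decodes {name!r}")
```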
Yes, let's merge the null-preserving XOR trick.