EntropyReducer : Reduce Entropy And Obfuscate Your Payload

EntropyReducer reduces the entropy of your payload and obfuscates it with serialized linked lists.

How Does It Work

The EntropyReducer algorithm is driven by the BUFF_SIZE and NULL_BYTES values. The following describes how EntropyReducer would organize your payload if BUFF_SIZE were set to 4 and NULL_BYTES to 2.

Obfuscation Algorithm

  • EntropyReducer first checks whether the size of the input raw payload is a multiple of BUFF_SIZE; if not, it pads the payload so that it is.
  • It then takes each BUFF_SIZE chunk of the payload and creates a linked list node for it using the InitializePayloadList function, so the payload is now held as a linked list.
  • Each created node also carries an empty buffer of NULL_BYTES bytes, which is what lowers the entropy.
  • At this point EntropyReducer has already lowered the entropy of the payload, but it doesn’t stop here. It goes on to randomize the order of the nodes in the linked list, breaking up the order of the raw payload. This step is done with a merge sort implemented in the MergeSort function.
  • The sorted linked list ends up in a random order because the key the list is sorted by is the XOR of the first three bytes of each node’s raw payload chunk; that value determines the node’s position in the re-organized linked list. This step can be seen here.
  • Since a linked list cannot be saved to a file as-is (its nodes are linked together by pointers), it has to be serialized.
  • Serialization of the generated linked list is done by the Obfuscate function here.
  • After that, the serialized data is ready to be written to the output file.

Deobfuscation Algorithm

  • Since the last step of the obfuscation algorithm was serializing the linked list, the first thing to do here is to deserialize the obfuscated payload and rebuild a linked list from it. This step is done by the Deobfuscate function here.
  • The next step is to sort the linked list by each node’s Id, using the same merge sort as before.
  • Now the linked list is in the right order to reconstruct the payload’s bytes as they originally were, so the original payload bytes are simply stripped out of each node, as done here.
  • The last step is to free the allocated nodes, which is done here.

Usage

  • EntropyReducer simply reads the raw payload file given on the command line and writes the obfuscated version to the same file name prefixed with “.ER”.
  • The size of the final obfuscated payload varies with the values of BUFF_SIZE and NULL_BYTES. It can be determined with the following equation:
FinalSize = ((OriginalSize + BUFF_SIZE - OriginalSize % BUFF_SIZE ) / BUFF_SIZE) * (BUFF_SIZE + NULL_BYTES + sizeof(INT))
  • The PoC project in this repo executes the generated “.ER” file, as an example of deserializing and deobfuscating it.

Include In Your Projects

All you have to do is add the EntropyReducer.c and EntropyReducer.h files to your project and call the Deobfuscate function. See PoC/main.c for reference.

Output Example

In this example, BUFF_SIZE was set to 3, and NULL_BYTES to 1.

  • The raw payload; its first payload chunk is (FC 48 83)
  • The same payload chunk in the obfuscated output, now at a different offset

Profit

  • The x64 calc shellcode generated by Metasploit has an entropy of 5.883, as viewed in pestudio.
  • The same file, AES encrypted, scores an entropy of 7.110.
  • The RC4 algorithm gives nearly the same result: 7.210.

Using EntropyReducer, however, the payload scores an entropy even lower than that of the original raw payload: 4.093.
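The figures above are Shannon entropy in bits per byte, and the size equation in the Usage section predicts how much bigger the output gets. The following added example (not part of the EntropyReducer project) computes both, models only the null-byte padding step on a constructed, fixed-seed stand-in payload (no node ids or shuffling, so it is not the tool's file format; the assumption that padding uses 0x00 is labelled in the code), and shows a defender-side check: scoring only the non-zero bytes, which zero padding cannot drag down.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the figure pestudio reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def final_size(original_size: int, buff_size: int, null_bytes: int, sizeof_int: int = 4) -> int:
    """The page's FinalSize equation, taken as written: each BUFF_SIZE chunk becomes one
    serialized node of BUFF_SIZE payload bytes + NULL_BYTES zeros + a sizeof(INT) node id."""
    chunks = (original_size + buff_size - original_size % buff_size) // buff_size
    return chunks * (buff_size + null_bytes + sizeof_int)


def pad_with_nulls(payload: bytes, buff_size: int, null_bytes: int) -> bytes:
    """Model of the entropy-lowering step only: NULL_BYTES zero bytes after every
    BUFF_SIZE chunk. Node ids and the shuffled order are deliberately left out."""
    if len(payload) % buff_size:  # assumption: the alignment padding byte is 0x00
        payload += b"\x00" * (buff_size - len(payload) % buff_size)
    out = bytearray()
    for i in range(0, len(payload), buff_size):
        out += payload[i:i + buff_size] + b"\x00" * null_bytes
    return bytes(out)


def entropy_ignoring_nulls(data: bytes) -> float:
    """Defender-side check: score the non-zero bytes only. A large gap between this
    and shannon_entropy(data) means the low overall score came from zero padding."""
    return shannon_entropy(bytes(b for b in data if b != 0))


def demo(buff_size: int = 4, null_bytes: int = 2) -> dict:
    # Constructed stand-in for a high-entropy payload (not real shellcode):
    # 252 bytes from a fixed-seed PRNG, so the numbers are reproducible.
    rng = random.Random(2024)
    payload = bytes(rng.getrandbits(8) for _ in range(252))
    padded = pad_with_nulls(payload, buff_size, null_bytes)
    return {
        "raw": shannon_entropy(payload),
        "padded": shannon_entropy(padded),
        "padded_ignoring_nulls": entropy_ignoring_nulls(padded),
        "predicted_final_size": final_size(len(payload), buff_size, null_bytes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

The padded buffer scores well below the raw payload while the non-zero-byte score barely moves, which is why an entropy threshold on its own is a weak detection signal.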

The merge sort algorithm is taken from c-linked-list.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
