Cyber security

FLOWER – A Novel Obfuscation Technique For Enhanced Cybersecurity

In the evolving landscape of cybersecurity, obfuscation plays a critical role in protecting against intrusive memory scans.

‘FLOWER’ emerges as a groundbreaking technique, offering a fresh approach to sleep obfuscation. Developed by bakki at sillywa.re, FLOWER leverages unique methods to queue the ropchain, enhancing compatibility and evading detection.

This article delves into the intricacies of FLOWER, exploring its implementation, versatility, and the strategic advantages it offers in the digital defense arsenal.

/*!
 *
 * FLOWER
 *
 * flowing sleep obfuscation 
 *
 * bakki - sillywa.re
 *
!*/

This is a primitive implementation of the technique I discuss in my blogpost

for any technical explanation, caveats or IOCs, do give it a read.

A version of this that does not rely on any external technique to queue the ropchain will be made available.

FLAGS

To showcase the compatibility of this technique, several flags are made available for the user

Techniques

Self explanatory, specifies which technique you wish to use to queue the ropchain

FLOWER_EKKO_OBF
FLOWER_FOLIAGE_OBF
FLOWER_ZILEAN_OBF

Zero

Freeing the old region means a copy of our shellcode is still there for as long as the old region does not get used.

Considering changing the protection back to RW has, at this time, no perceivable caveats stealth wise; I added the option to zero out the old region before freeing it.

FLOWER_ZERO_PROTECT

Jop

Using jump gadgets is nowadays the preferred way to evade the PATRIOT memory scanner which targets the research of both @C5pider and ilove2pwn_.

In simple terms, PATRIOT will check if the Rip field of a CONTEXT struct points to a *Protect function.

Since it doesn’t inspect non-volatile registers we can simply store the address of our function in a non-volatile register and point the Rip of the CONTEXT to an arbitrary gadget that jumps to said register.

//
// use the given register to store our function address
// we then execute it through a JMP gadget
//
FLOWER_GADGET_RAX
FLOWER_GADGET_RBX

Stackspoofing

Will conceal the instruction pointer (RtlUserThreadStart + 0x21) and stack of the beacon thread (Rsp pointing to an empty buffer)

FLOWER_STACKSPOOF

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityFLOWERinformationsecuritykalilinuxkalilinuxtools
9 months ago

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

1 day ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

1 day ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

6 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago