An Example of Stack String in High Level Language, (Sat, May 23rd)

This week, I m attending the SEC670[ 1 ] training ( Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control ). From my point of view, this training fits perfectly with FOR610 or FOR710 (malware analysis) because it addresses malware from the opposite: Instead of performing reverse engineering, you write malicious code! Always interesting to have another point of view. Many techniques used by threat actors are often discovered while reversing the malware code and are read in assembly. A perfect example are stack strings. This is a malware obfuscation technique where strings are constructed dynamically at runtime by assigning individual characters or bytes directly onto the stack, rather than storing them as contiguous string literals in the binary's static data sections. Read: they won t be detected by simple tools like strings or pestr . From an assembly code point of view, a stack string looks like this: sub esp, 16 ; Reserve 16 bytes (padded to hold our string) mov byte [esp + 0], 0x73 ; 's' mov byte [esp + 1], 0x61 ; 'a' mov byte [esp + 2], 0x6E ; 'n' mov byte [esp + 3], 0x73 ; 's' mov byte [esp + 4], 0x20 ; ' ' mov byte [esp + 5], 0x69 ; 'i' mov byte [esp + 6], 0x73 ; 's' mov byte [esp + 7], 0x63 ; 'c' mov byte [esp + 8], 0x00 ; '\0' null terminator mov eax, 4 ; sys_write mov ebx, 1 ; fd = stdout mov ecx, esp ; buf = stack string mov edx, 8 ; len = 8 int 0x80 The string sans isc will be printed on the console. But, how do you implement this in a high-level language like C? Here is an example: #include stdio.h #include string.h void plainTextExample(void) { // Will be stored in .rodata and easy to spot with strings tools const char* url = http://plain-malicious.com/ ; printf( Plain URL = %s\n , url); } void stackStringExample(void) { // Now we use a stack string. The script will be located in .text! char url[30]; url[0] = 0x68; // 'h' url[1] = 0x74; // 't' url[2] = 0x74; // 't' url[3] = 0x70; // 'p' url[4] = 0x3A; // ':' url[5] = 0x2F; // '/' url[6] = 0x2F; // '/' url[7] = 0x65; // 'e' url[8] = 0x6E; // 'n' url[9] = 0x63; // 'c' url[10] = 0x6F; // 'o' url[11] = 0x64; // 'd' url[12] = 0x65; // 'e' url[13] = 0x64; // 'd' url[14] = 0x2D; // '-' url[15] = 0x6D; // 'm' url[16] = 0x61; // 'a' url[17] = 0x6C; // 'l' url[18] = 0x69; // 'i' url[19] = 0x63; // 'c' url[20] = 0x69; // 'i' url[21] = 0x6F; // 'o' url[22] = 0x75; // 'u' url[23] = 0x73; // 's' url[24] = 0x2E; // '.' url[25] = 0x63; // 'c' url[26] = 0x6F; // 'o' url[27] = 0x6D; // 'm' url[28] = 0x2F; // '/' url[29] = 0x00; // '\0' printf( Obfuscated URL = %s\n , url); memset(url, 0, sizeof(url)); } int main(void) { plainTextExample(); stackStringExample(); ret