Information Security
encryption malware encoding msfvenom
Updated Sun, 26 Jun 2022 09:05:47 GMT

is encoding the same as encryption for malware obfuscation?


I have been learning about hiding and executing msfvenom-created shellcode and came across a technique where we XOR the shellcode and, when executing, we reverse it. Would it be the same if I just encrypted it via AES and then decrypted it before executing? Would the end result be the same? Is encoding better than encryption for shellcode obfuscation?




Solution

Encoding and encrypting are not the same: encoding does not need a key, encrypting does. XOR is not encoding; it is a very weak form of encryption. Base64 would be an example of encoding. Uuencode is another example.

The difference between XOR and AES is the difference between a wooden box with nails closing the door and a bank safe. XOR can be trivially decrypted, but AES cannot.

In this specific case of code obfuscation, XOR is astronomically faster than AES. It will defeat most signature-based IDS systems, and will not increase the resulting code too much. AES will create larger code and will be slower.

In both cases, any human inspector will be able to decrypt the contents, as you will have to supply the key to decrypt the code. Otherwise your program would not run at all.
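An added example (not part of the answer above) illustrating its two points: encoding needs no key and is reversible by anyone, while repeating-key XOR does need a key but is trivially broken by an analyst who knows or can guess a few bytes of the original data (c = p ^ k, so k = c ^ p). The sample blob and the key are constructed placeholders, not real shellcode; the size comparison shows why Base64 grows the data while XOR does not.

```python
import base64
from itertools import cycle

# Constructed sample data: a benign placeholder standing in for any byte blob.
SAMPLE = b"This is a constructed sample blob, not real shellcode. " * 2
KEY = b"k3y!"  # constructed repeating XOR key (length 4)


def encode_base64(data: bytes) -> bytes:
    """Encoding: no key involved, anyone can reverse it."""
    return base64.b64encode(data)


def decode_base64(data: bytes) -> bytes:
    return base64.b64decode(data)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for repeating-key XOR.

    Because c = p ^ k, an analyst who knows the first key_len bytes of the
    original data (a known header, for example) gets the key as c ^ p.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def size_overhead(data: bytes, key: bytes = KEY) -> dict:
    """Compare output sizes: Base64 inflates by ~4/3, XOR keeps the length."""
    return {
        "raw": len(data),
        "base64": len(encode_base64(data)),
        "xor": len(xor_bytes(data, key)),
    }


if __name__ == "__main__":
    ct = xor_bytes(SAMPLE, KEY)
    # The analyst never saw KEY; eight known leading bytes are enough to rebuild it.
    guessed = recover_xor_key(ct, SAMPLE[:8], key_len=len(KEY))
    print("recovered key:", guessed, "matches:", guessed == KEY)
    print("sizes:", size_overhead(SAMPLE))
```

Running it shows the recovered key equals the original and that the XOR output has exactly the input's length, whereas the Base64 output is about a third larger. The `key_len` parameter is an assumption of the example: in practice an analyst would try a range of lengths and keep the one that decrypts the rest of the blob to something sensible.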