[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator
I will be sharing some of my experiments with the LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the LLVM-obfuscated malware mentioned in my previous post. In addition, I want to combine this obfuscator with one of the evasion tools, SysWhisper2 :)
I will be using the process injection script from @m0rv4i as the example:
https://github.com/m0rv4i/SyscallsExample
How To Setup
For both the LLVM obfuscator and SysWhisper2 setup, most of the steps are already covered on the unknowncheats.me forum and the SysWhisper2 GitHub page.
However, I will still point out some other issues that I faced during the configuration.
Note for LLVM Obfuscator
- Set Platform Toolset to LLVM (clang-cl).
- Git clone the LLVM obfuscator (currently the latest is llvm-13.x) and build it.
- Add <filepath_to_obfuscator>\build\obfuscator\bin to Executable Directories. Keep $(ExecutablePath) in the list too; you will need it so the standard and Windows native tools still resolve.
- Additional Options in C/C++ > Command Line; this can be found on the unknowncheats forum. For this I am referring to 0xPat's blog:
-D__CUDACC__ -D_ALLOW_COMPILER_AND_STL_VERSION_MISMATCH -mllvm -bcf -mllvm -bcf_prob=73 -mllvm -bcf_loop=1 -mllvm -sub -mllvm -sub_loop=2 -mllvm -fla -mllvm -split_num=3 -mllvm -aesSeed=DEADBEEFDEADCODEDEADBEEFDEADCODE
The two -D defines are workarounds that let this clang-cl build compile against the Visual Studio STL headers. The -mllvm options turn on bogus control flow (-bcf, with -bcf_prob the percentage of basic blocks affected and -bcf_loop the number of passes over each function), instruction substitution (-sub, with -sub_loop passes), control-flow flattening (-fla), the basic-block split count (-split_num) and the seed for the obfuscator's random choices (-aesSeed). A fixed seed makes the transformations reproducible from build to build, so change it if you do not want every sample to carry the same obfuscation patterns.
Note for SysWhisper2
- Add an Additional Include Directories entry for the folder that contains both syscalls.c and syscalls.h generated by SysWhisper2, and shellcode.h as well. In this case I store all those files under <some_random_path>\ext_header.
- Enable MASM under Build Dependencies > Build Customizations.
- Convert the newly created .asm file (the third file SysWhisper2 generates, syscalls.asm) so it is built in MASM format, i.e. set its Item Type to Microsoft Macro Assembler.
Results
You can find the compiled files for both binaries here.
IDA Pro decompilation of SysWhisper's hashing code for the original sample here
IDA Pro decompilation of SysWhisper's hashing code for the LLVM-obfuscated sample here
Based on the decompiled code, SysWhisper's hashing function has become far more complicated (how much depends on the command line parameters given to the LLVM compiler in C/C++ > Command Line). Keep in mind that only the C side gets this treatment: the syscall stubs in syscalls.asm are assembled by MASM, not by clang-cl, so the hash constants they load before calling SW2_GetSyscallNumber stay as plain immediates in the obfuscated binary as well.
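To make concrete what the decompiled screenshots show, here is an added example, written for this post and not code from m0rv4i's repository or from the SysWhispers2 project: a stand-alone re-implementation of the seeded hash that a SysWhispers2-generated syscalls.c uses over Zw* export names, together with the sort-by-address lookup that turns a hash into a system service number. The seed value, the export names and the RVAs below are constructed placeholders; SysWhispers2 writes a fresh random seed into syscalls.c on each run and reads the real list from ntdll's export directory at run time. This small routine is exactly what the -bcf / -sub / -fla passes are applied to.

```c
/*
 * Added example (not from the original post, m0rv4i's SyscallsExample or
 * SysWhispers2 itself): the seeded hash used by SysWhispers2-generated
 * syscalls.c, modelled on SW2_HashSyscall, plus a lookup over a constructed
 * export list standing in for ntdll's export table.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder: SysWhispers2 generates a random seed per run. */
#define SW2_SEED 0x1F5A6B2Cu
#define SW2_ROR8(v) (((v) >> 8) | ((v) << 24))
#define MAX_ENTRIES 8

/* Hash of a function name: XOR in each overlapping 16-bit window of the
 * name plus an 8-bit rotate of the running hash. The last window includes
 * the NUL terminator as its high byte, which matches the generated code. */
uint32_t sw2_hash_syscall(const char *name)
{
    uint32_t hash = SW2_SEED;
    size_t i = 0;
    while (name[i]) {
        uint16_t partial = (uint16_t)((uint8_t)name[i] | ((uint8_t)name[i + 1] << 8));
        i++;
        hash ^= partial + SW2_ROR8(hash);
    }
    return hash;
}

typedef struct { uint32_t hash; uint32_t address; } sw2_entry;
typedef struct { sw2_entry entries[MAX_ENTRIES]; uint32_t count; } sw2_syscall_list;

/* Constructed stand-in for ntdll's export table: Zw* stub names and fake
 * RVAs listed deliberately out of address order. In real ntdll the stubs
 * are laid out so that sorting by address yields the syscall number. */
static const struct { const char *name; uint32_t rva; } fake_exports[] = {
    { "ZwCreateThreadEx",        0x9C4C0 },
    { "ZwAllocateVirtualMemory", 0x9C240 },
    { "ZwWriteVirtualMemory",    0x9C3E0 },
    { "ZwProtectVirtualMemory",  0x9C6A0 },
};

/* Collect hash/address pairs for every Zw* export, then sort ascending by
 * address (insertion sort): a stub's position in that order is its SSN. */
static void sw2_populate(sw2_syscall_list *list)
{
    list->count = 0;
    for (size_t i = 0; i < sizeof fake_exports / sizeof fake_exports[0]; i++) {
        if (strncmp(fake_exports[i].name, "Zw", 2) != 0 || list->count >= MAX_ENTRIES)
            continue;
        list->entries[list->count].hash = sw2_hash_syscall(fake_exports[i].name);
        list->entries[list->count].address = fake_exports[i].rva;
        list->count++;
    }
    for (uint32_t i = 1; i < list->count; i++) {
        sw2_entry key = list->entries[i];
        uint32_t j = i;
        while (j > 0 && list->entries[j - 1].address > key.address) {
            list->entries[j] = list->entries[j - 1];
            j--;
        }
        list->entries[j] = key;
    }
}

/* Resolve a syscall number from a name hash; -1 if no export matches. */
int sw2_get_syscall_number(uint32_t hash)
{
    sw2_syscall_list list;
    sw2_populate(&list);
    for (uint32_t i = 0; i < list.count; i++)
        if (list.entries[i].hash == hash)
            return (int)i;
    return -1;
}

int main(void)
{
    const char *wanted[] = { "ZwAllocateVirtualMemory", "ZwWriteVirtualMemory",
                             "ZwProtectVirtualMemory", "ZwCreateThreadEx", "ZwClose" };
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        uint32_t h = sw2_hash_syscall(wanted[i]);
        printf("%-24s hash=0x%08X ssn=%d\n", wanted[i], (unsigned)h, sw2_get_syscall_number(h));
    }
    return 0;
}
```

In the generated project the hash constants passed to the lookup live in syscalls.asm, so comparing the values this routine produces (with the seed recovered from the binary) against hashes of the Zw* names is a quick way to confirm which system calls an obfuscated sample resolves.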
There are a lot of LLVM-based obfuscators out there that you can try out 👹
It is quite painful sometimes when dealing with this kind of obfuscator 😒
Extra
You can find more details on the LLVM obfuscator in 0xPat's blog ✌
It is also recommended to read its Malware Development series!! 😀
There is another blog that talks about building your own LLVM obfuscator, which is quite interesting.