[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator
I will be sharing some of my experiments with the LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the LLVM-obfuscated malware mentioned in my previous post. In addition to that, I want to combine this obfuscator with one of the evasion tools, SysWhisper2 :)
I will be using the process injection script from @m0rv4i as an example:
How To Set Up
However, I will still point out some other issues that I faced during the configuration setup.
Note for LLVM Obfuscator
- Git clone the LLVM obfuscator (currently the latest is llvm-13.x).
- Import the path under Executable Directories. Remember $(ExecutablePath) too; you will need it for the std/Windows native functions.
- Add the following Additional Options under C/C++ > Command Line. These can be found in the unknowncheats forum; for this I referred to 0xPat's blog:
-D__CUDACC__ -D_ALLOW_COMPILER_AND_STL_VERSION_MISMATCH -mllvm -bcf -mllvm -bcf_prob=73 -mllvm -bcf_loop=1 -mllvm -sub -mllvm -sub_loop=2 -mllvm -fla -mllvm -split_num=3 -mllvm -aesSeed=DEADBEEFDEADCODEDEADBEEFDEADCODE
Note for SysWhisper2
- Add Additional Include Directories for the folder that contains both the SysWhispers2-generated files and shellcode.h. In this case, I store all those files under
- Enable MASM under Build Dependencies > Build Customization.
- Convert the newly created file to support
You can find the compiled file for both binaries here.
IDA Pro decompiled SysWhisper's hashing code for the original sample here.
IDA Pro decompiled SysWhisper's hashing code for the LLVM-obfuscated sample here.
Based on the decompiled code, SysWhisper's hashing function has become a lot more complicated (the code complexity depends on the command-line parameters passed to the LLVM compiler under C/C++ > Command Line).
There are a lot of LLVM-based obfuscators out there that you can try out 👹
It is sometimes quite painful to deal with those kinds of obfuscators 😒
You can find more details on the LLVM obfuscator in 0xPat's blog ✌
It is also recommended to read the Malware Development series there too!! 😀
There is another blog which talks about building your own LLVM obfuscator, which is quite interesting.
References:
- llvm-obfuscator 9.0.1 step by step visual studio
- How to easily bypass sigscans on your tools (earlier llvm-obfuscator discussion)
- GitHub - obfuscator-llvm/obfuscator
- GitHub - jthuraisamy/SysWhispers2: AV/EDR evasion via direct system calls. SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
- GitHub - m0rv4i/SyscallsExample: Simple project using syscalls (via SysWhispers2) to execute MessageBox shellcode in a target process.
- Malware development series, seventh post: "This is the seventh post of a series which regards the development of malicious software."