DZone

Payload Hiding

When bad guys want to put malware on your system, they can hide their payloads in various ways. In this series, we'll go over how to detect and prevent these events.

by Christopher Lamb · Mar. 30, 17 · Opinion

So how hard is it to hide a payload in an executable?

This is a really common practice in malware delivery. Malware authors regularly use Cryptors, Packers, and Protectors when building payloads. All three are used to make detecting and reversing the malware payload more difficult. Cryptors encrypt the payload, camouflaging its contents and effectively hiding it from signature-based detection. Of course, if the content is encrypted with the same key each time, the ciphertext is identical every time and AV software can still detect the encrypted payload by signature, so if you're a malware author it's really best to randomize these (this can be difficult, though). Packers essentially compress the payload. Some malware uses a hybrid cryptor/packer strategy to hide a payload, applying multiple encryption and compression algorithms, multiple times, to change the payload's binary signature (Duqu2 did this, for example). Protectors make reverse engineering a malware sample more difficult.

Payload hiding is pretty established in the Windows world, but you can also do it in the Mac OS and Linux environments.

The good news is that it's pretty difficult to stay completely memory resident in Linux and Mac OS using this approach, although FreeBSD does supply a library loading routine that will let you dynamically load a library from memory (i.e. via fdlopen() on a descriptor obtained from shm_open()). Stock Linux and Mac OS don't, though Mac OS does provide some relatively complex, lower-level, deprecated interfaces that do this.

We'll use standard dynamic library loading techniques via the dlopen() family to load a packaged payload. We'll have a simple, innocuous application that contains an encrypted, malicious payload (well, it won't really be malicious, but we'll pretend it is). We'll extract the payload, load it into the application, and execute functions from the payload. The payload itself will be encrypted with AES-256 and stored in the data segment of the file.
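The detection side of the cryptor/packer discussion above and of the AES-256 payload just described, as an added example that is not part of the original post: encrypted or compressed bytes have near-maximal Shannon entropy, while code, strings and padding do not, so a sliding-window entropy scan flags an embedded payload region that a signature scanner would miss. The host bytes and the "encrypted" blob are constructed inline (seeded pseudo-random bytes stand in for AES output); the window size and 7.2 bits/byte threshold are assumptions, not values from the article.

```python
"""Sliding-window Shannon entropy scan (added example, not the article's code).

A cryptor's AES output or a packer's compressed blob is close to uniformly
random, so its entropy approaches 8 bits/byte, while code, strings and
zero padding sit well below that. Flagging high-entropy regions is a cheap,
signature-free first check for a hidden payload."""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def find_high_entropy_regions(data: bytes, window: int = 1024, step: int = 512,
                              threshold: float = 7.2) -> list:
    """Return [(start, end, max_entropy)] for runs of windows at or above the
    threshold; overlapping hits are merged into a single region."""
    regions = []
    for off in range(0, max(1, len(data) - window + 1), step):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        end = off + len(chunk)
        if regions and off <= regions[-1][1]:          # overlaps previous hit
            start, _, prev_h = regions[-1]
            regions[-1] = (start, end, max(prev_h, h))
        else:
            regions.append((off, end, h))
    return regions

def scan_file(path: str, **kwargs) -> list:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as f:
        return find_high_entropy_regions(f.read(), **kwargs)

def build_sample() -> bytes:
    """Constructed test input: 4 KiB of innocuous host text, then a 4 KiB
    'encrypted payload' (seeded pseudo-random bytes stand in for AES-256
    output), then 2 KiB of zero padding. The payload occupies [4096, 8192)."""
    host = (b"innocuous host program text\n" * 200)[:4096]
    rng = random.Random(20170330)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return host + payload + b"\x00" * 2048

if __name__ == "__main__":
    for start, end, h in find_high_entropy_regions(build_sample()):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({h:.2f} bits/byte)")
```

Run it against a real executable with `scan_file(path)`; a legitimate binary's .text and .data typically score 5 to 6.5 bits/byte, so a region near 8 is worth a closer look.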

Next time, we'll start to build out the infrastructure to make this happen. Stay tuned!
