Chapter 14 Notes

to accompany Sikorski and Honig, Practical Malware Analysis, no starch press

Data Encoding

Malware may use a simple cipher or something more sophisticated. The analyst needs to recognize the common forms on sight.

Malware authors use encoding to hide configuration information, to prepare data before sending it out of the network, or to hide strings until they are needed, so that the malware's malicious properties are not visible to static analysis.


Simple Ciphers

Base64

Example (based on Exercise 13-1)
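Base64 is the encoding most often met in practice, so the following is a small decoder added to these notes (it is not code from the book or from the lab binary) that does the three things an analyst wants: pull Base64-looking runs out of a blob of bytes, decode them (including the unpadded form), and handle a permuted alphabet, which is the usual "custom encoding" built on top of Base64. The sample blob and the reversed alphabet are constructed for the example; the alphabet a real sample uses has to be recovered from the binary.

```python
import base64
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed for this example: a permuted (here, reversed) table standing in for the
# kind of custom alphabet a sample may carry. It is an assumption, not the lab's table.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]

# Constructed blob imitating NUL-separated strings pulled from a binary; not from the lab.
SAMPLE_BLOB = b"\x00cfg=VklDVElNLVBD\x00\x00ping.example\x00junkjunkjunk\x00"


def find_base64_candidates(data: bytes, min_len: int = 8) -> list:
    """Return runs of Base64 characters at least min_len long.

    Assumes the sample uses the standard character set (possibly permuted); a table
    that uses other characters needs its own regex. Runs whose length is 1 mod 4 can
    never be valid Base64 and are dropped; shorter leftovers are padded at decode time.
    """
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    found = []
    for match in pattern.finditer(data):
        run = match.group().decode("ascii")
        if len(run) % 4 != 1:
            found.append(run)
    return found


def decode_base64(text: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Decode text written with the given 64-character alphabet.

    A custom alphabet is mapped onto the standard one so the stdlib does the bit work.
    Missing padding is restored first, since malware frequently omits it.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    normalized = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    normalized += "=" * (-len(normalized) % 4)
    return base64.b64decode(normalized, validate=True)


def encode_base64(data: bytes, alphabet: str = STD_ALPHABET) -> str:
    """Encode with a custom alphabet: standard Base64, then a character substitution."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def mostly_printable(blob: bytes, threshold: float = 0.9) -> bool:
    """Cheap plausibility check: real decoded strings are mostly printable ASCII."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob) >= threshold


def recover_strings(data: bytes, alphabet: str = STD_ALPHABET) -> dict:
    """Map each candidate run that decodes to printable text onto its decoding.

    Runs of ordinary letters also match the Base64 regex, so decoding everything that
    looks like Base64 and keeping only printable results is what separates real
    encoded strings from false positives such as a plain word of the right length.
    """
    recovered = {}
    for candidate in find_base64_candidates(data):
        try:
            plain = decode_base64(candidate, alphabet)
        except ValueError:
            continue
        if mostly_printable(plain):
            recovered[candidate] = plain
    return recovered


if __name__ == "__main__":
    for encoded, plain in recover_strings(SAMPLE_BLOB).items():
        print("%s -> %r" % (encoded, plain))
    custom = encode_base64(b"VICTIM-PC", CUSTOM_ALPHABET)
    print("custom alphabet:", custom, "->", decode_base64(custom, CUSTOM_ALPHABET))
```

Note what the printable filter is doing: in the constructed blob, `junkjunkjunk` has a valid Base64 length and character set, but it decodes to non-printable bytes, so it is discarded, while `VklDVElNLVBD` decodes to a hostname. If a sample produces Base64-looking output that decodes to garbage under the standard table, the next thing to look for in the binary is a 64-byte string that is the custom alphabet.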

Common Crypto

Custom Encoding

Decoding


Another Example (based on Exercise 13-1)

Searching for XOR

Example (based on Exercise 13-1)

XOR in a Tight Loop
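The following example, added to these notes and not taken from the book or the lab, covers both of the XOR topics above: the single-byte XOR tight loop as it is usually found in a decoding routine, and the two ways of searching for the key when only the ciphertext is available (frequency of the most common byte, and brute force over all 255 keys looking for a known marker). The plaintext, the key 0x5A and the marker list are constructed for the example.

```python
from collections import Counter

# Constructed plaintext standing in for a decoded C2 configuration. The zero padding is
# typical of fixed-size config blocks and is what makes the frequency attack work.
PLAIN = b"http://c2.example.invalid/beacon\x00" + b"\x00" * 16 + b"ping 60"
KEY = 0x5A  # assumed key for the example


def xor_single(data: bytes, key: int) -> bytes:
    """The tight loop seen in disassembly: load a byte, XOR with a constant, store it."""
    buf = bytearray(data)
    for i in range(len(buf)):
        buf[i] ^= key
    return bytes(buf)


def xor_null_preserving(data: bytes, key: int) -> bytes:
    """Variant that leaves 0x00 (and bytes equal to the key) untouched, so the plaintext's
    zero padding does not show up as a long run of the key byte. The function is its own
    inverse, exactly like plain XOR."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def guess_key_by_frequency(cipher: bytes) -> int:
    """If the plaintext is mostly 0x00, the most common ciphertext byte is the key.
    Against null-preserving XOR this returns 0, which is itself a tell."""
    return Counter(cipher).most_common(1)[0][0]


# Markers long enough that a chance collision under the wrong key is not a concern.
DEFAULT_MARKERS = (b"http://", b"This program cannot be run", b"kernel32.dll")


def brute_force_xor(cipher: bytes, markers=DEFAULT_MARKERS) -> list:
    """Try every non-zero single-byte key and keep those whose output contains a marker."""
    hits = []
    for key in range(1, 256):
        plain = xor_single(cipher, key)
        if any(marker in plain for marker in markers):
            hits.append((key, plain))
    return hits


CIPHER = xor_single(PLAIN, KEY)

if __name__ == "__main__":
    print("frequency guess: 0x%02x" % guess_key_by_frequency(CIPHER))
    for key, plain in brute_force_xor(CIPHER):
        print("brute force hit: key 0x%02x -> %r" % (key, plain))
    np_cipher = xor_null_preserving(PLAIN, KEY)
    print("null-preserving: frequency guess 0x%02x, brute force keys %s"
          % (guess_key_by_frequency(np_cipher),
             [hex(k) for k, _ in brute_force_xor(np_cipher)]))
```

Two practical points the example makes. First, marker length matters: a two-byte marker such as `MZ` gives false hits, because any pair of plaintext bytes whose XOR equals 'M' XOR 'Z' (0x17) becomes `MZ` under some key; in this plaintext the `va` of `invalid` does exactly that under key 0x61. Second, null-preserving XOR defeats the frequency guess (the most common byte stays 0x00) but not the brute force, because the non-zero bytes are still XORed with the key, so the marker reappears under the right key with the zeros turned into the key byte.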