Advanced Malware Evasion Techniques - Control Flow Obfuscation Overview

control flow obfuscation an evasion technique sometimes used by malware to frustrate static reverse engineer attempts, and/or break signatures used by anti-malware tool vendors. they can be general techniques control flow flattening or platform specific- callback function registered for a class (RegisterClassExA()) which is triggered on the receipt of a specific message. The call back function contains the malware.

Control Flow Flattening Control Flow Flattening destroy expected structure by splitting the code into blocks, all of which are put in a loop with a controlling switch statement The basic method for flattening a function is the following. First, we break up the body of the function to basic blocks, and then we put all these blocks, which were originally at different nesting levels, next to each other. The now equal-leveled basic blocks are encapsulated in a selective structure (a switch statement in the C++ language) with each block in a separate case, and the selection is encapsulated in turn in a loop. Finally, the correct flow of control is ensured by a control variable representing the state of the program, which is set at the end of each basic block and is used in the predicates of the enclosing loop and selection. -- https://www.inf.u-szeged.hu/~akiss/pub/fulltext/laszlo2007obfuscating.pdf

Control Flow Flattening Control Flow Flattening int original() { print "Do" print "you" print "like" print "milk?" } https://reverseengineering.stackexchange.com/posts/2222/revisions

control flow obfuscation using exception handlers put code in exception handler used bye Microsoft SHE (Structured Exception Handling) then raise/cause exceptions to execute can be used in conjunction with flattening https://unprotect.it/technique/obscuring-control-flow/

API Hashing replace the names of api functions with hashed values import address table names and addresses imported from other libraries now have hashed values hash function is called to get each function address base + hash value https://unprotect.ittechniqueapi-obfuscation/

String Encryption This is an extension of the Anti ASCII techniques we discussed earlier. Instead of moving to the stack subsequent hiding, use encryption for string literals. skip base64 encding while you re at it Dotfuscator preemptive protection

Obfuscator-LLVM commercial, open-source fork of LLVM compilation suite which provides obfuscation and anti-tampering via command line compiler flags promoted as a defensive tool, but used both ways instruction substitution replace unary & binary operators with equivalent, but more complex, multi step operations bogus control flow - modify a function call graph by adding a basic block before the current block. This new basic block contains an opaque predicate and then makes a conditional jump to the original basic block. The original basic block is also cloned and filled up with junk instructions chosen at random.

Obfuscator-LLVM control flow flattening based on the same paper/work function annotations - use them on parameters, return values, and properties of the entire function e.g. __Raises_SEH_Exception__ - Annotates a function that always raises a structured exception handler (SEH) exception, subject to __When__ and __On_failure__ conditions.

Tigress diversifying virtualizer/obfuscator for the C language that supports many novel defenses against both static and dynamic reverse-engineering and de-virtualiztion attacks generate instruction sets of arbitrary complexity with their own (intentionally slow) interpreters and dispatch add bogus functions code packing continuous runtime code modification http://tigress.cs.Arizona.edu/