1 post in this topic
I am writing an obfuscator currently with quite a few features, as I have found no good obfuscators yet that are complex enough to be nearly impossible to deobfuscate (as of course it is impossible to reach a 100% level of obfuscation where no one can deobfuscate it).
Current obfuscation methods include flow obfuscation, string encryption, proxy calls, unique renaming scheme (create gibberish WinAPI like name), junk codes, and removing all functions (merging them with the main script), traps to prevent automated deobfuscation, debugger detection, VM detection, moving strings to other parts of scripts (functions, proxy strings, etc), exit if not compiled, file integrity check. Decompile protection is also added (nothing that violates the reverse engineering clause of the ToS, I am using a PE loader with protections built into it.)
Does anyone have any ideas for more obfuscation methods to add?
please have a look at this vulnerability: https://packetstormsecurity.com/files/137077/AutoIT-3-DLL-Hijacking.html
You have not replied for months, so it is already public now.
I am looking for a way to set up either VIRTUAL_PROTECT or PAGE_GUARD for memory protection. I currently don't know how to do this, I have made the encryption for my EXE Protector, the RunPE module, and basically everything that I need. I also have made an advanced obfuscation tool, which I might release here on the forums in the future, to make sure the code is impossible to be understood. However, people can dump the original EXE from memory when I am injecting it. So how would I implement VIRTUAL_PROTECT, PAGE_GUARD or other methods of protecting memory?
How secure is:
_Crypt_EncryptFile _Crypt_DecryptFile I understand the strength of encryption is mainly down to the algorithm and password, but I’m not referring to either of these, I am looking to find out how strong the code behind crypt it.
I have noticed when encrypting a file, it uses a “.tmp” file while encrypting. In my experience a “.tmp” file is temporary and is deleted after use. But does this file contain any data that is related to the file being encrypted, or worse the password itself. Even though the file is deleted, it could possibly be recovered with a tool like: https://www.piriform.com/recuva.
I'm not quite sure if this is a potential security threat, and if anyone could say if it is or not then that would be much appreciated.
Is it possible to display text in a GUI which cannot be detected by any tool (Ex. AutoIt Window Info)?