12.11 Hiding Strings
12.11.1 Problem
ASCII strings are a ready source of
information about a compiled binary—so much so that the first
response of many programmers to a foreign binary is to run the Unix
utility strings on it to guess what it does.
When viewing a file in a binary editor, ASCII strings are the only
data structures that can be immediately recognized without prior
knowledge of the file format or any familiarity with machine code.
12.11.2 Solution
Strings can be generated dynamically from a collection of substrings
or random characters. Alternatively, strings can be encrypted in the
binary and decrypted on the fly by the program as needed.
12.11.3 Discussion
 |
The techniques for hiding strings presented in this recipe are
intended to prevent their discovery from casual analysis, and should
not be considered a secure way of hiding strings. In cases where a
string must be hidden securely, you should treat the string as if it
were a password, and use a strong encryption method.
|
|
The purpose of obfuscating data is to mislead the observer in such a
way that he may not even realize that the obfuscation has taken
place. Calling an encryption routine is a more secure way to hide
data, but it defeats the purpose of obfuscation as it makes obvious
the fact that the data is both encrypted and important.
An example of dynamically generating strings from a collection of
substrings is presented below. In the example, the string
"/etc/passwd" is created on the
fly. A quick scan of the compiled version of the code will not reveal
the string because the characters that compose it are stored out of
order as separate strings. Routines like this one can be generated
automatically by Perl or shell scripts as a separate C source code
file, then linked in with rest of the program's
object files.
#include <stdio.h>
#include <string.h>
char *get_filename(int n, char *buf, int buf_len) {
int x;
char *p;
buf[0] = 0;
p = &((char *)&n)[0];
for (x = 0; x < 4; x++, p++) {
switch (*p) {
case 1:
strncat(buf, "swd", buf_len - strlen(buf));
break;
case 2:
strncat( buf, "no", buf_len - strlen(buf));
break;
case 3:
strncat( buf, "/e", buf_len - strlen(buf));
break;
case 4:
strncat( buf, "as", buf_len - strlen(buf));
break;
case 5:
strncat( buf, "us", buf_len - strlen(buf));
break;
case 6:
strncat( buf, "tc/p", buf_len - strlen(buf));
break;
case 7:
strncat( buf, "mp", buf_len - strlen(buf));
break;
default:
strncat( buf, "/", buf_len);
}
}
buf[buf_len] = 0;
return buf;
}
int main(int argc, char *argv[ ]) {
char filename[32];
/* 0x01040603 is 03 . 06 . 04 . 01 -- note that the number is passed as little
* endian but read as big endian!
*/
printf("get_filename( ) returns \"%s\"\n",
get_filename(0x01040603, filename, sizeof(filename)));
return 0;
}
Strings can also be stored encrypted in the binary and in memory. You
can achieve this by generating separate object files with the
encrypted strings in them, by encrypting the strings in the binary
after compilation, or by initializing the strings with encrypted
characters. The following code demonstrates the last technique, using
the A macro to subtract a constant value from each
character in the string. Note that this is not a strong encryption
method, but rather a quick and simple obfuscation of the value of
each character.
#define A(c) (c) - 0x19
#define UNHIDE_STR(str) do { char *p = str; while (*p) *p++ += 0x19; } while (0)
#define HIDE_STR(str) do { char *p = str; while (*p) *p++ -= 0x19; } while (0)
Each character of the string must be initialized, which makes this
method somewhat cumbersome, but it allows the obfuscation to take
place at compile time:
#include <stdio.h>
int main(int argc, char *argv[ ]) {
char str[ ] = {
A('/'), A('e'), A('t'), A('c'), A('/'),
A('p'), A('a'), A('s'), A('s'), A('w'), A('d'), 0
};
UNHIDE_STR(str);
printf("%s\n", str);
HIDE_STR(str);
return 0;
}
 |
