mkotkov/obfuscator
obfuscator

For a quick audit

Description

This program creates a simple SSH reverse shell and changes its signature each time it is run, using polymorphic encryption.

What polymorphic encryption means

Polymorphic encryption is a technique used to change the appearance of a program each time it is executed, while maintaining its functionality. This technique is often used by malware developers to evade antivirus programs that rely on signatures to detect known threats.

Key Concepts of Polymorphic Encryption

Encryption and Decryption: The code is encrypted using a key, and a decryption routine is included to decrypt the code at runtime.

Mutation Engine: A part of the program that generates a new, unique version of the code each time it runs. This can involve changing variable names, inserting non-functional code, or altering the order of operations.

Dynamic Signature: Since the code changes with each execution, the signature (or identifiable pattern) of the program also changes, making it harder for antivirus programs to detect it.

Requirements

  1. Docker installed, together with the official Ubuntu Docker image: https://hub.docker.com/_/ubuntu

  2. Python installed, with the modules required to run the program

  3. The reverse_shell.py program from this repository

Usage

1. Creating and configuring a container

1.1. Check that Docker is installed:

docker --version

Output example:

mkotkov@mkotkov:~/KJ/obfuscator$ docker --version
Docker version 26.1.3, build 26.1.3-0ubuntu1~22.04.1

1.2. Create and launch a container:

docker pull ubuntu
docker run -it ubuntu

After launch, the container terminal will open in the format:

root@<CONTAINER ID>:/#

1.3. Install the modules required for operation:

apt-get update
apt-get install -y python3 python3-pip netcat-openbsd
apt-get install -y python3-pycryptodome

After installation, check that all modules were installed correctly:

pip list

Example of correct output:

root@<CONTAINER ID>:/# pip list 
Package       Version
------------- -------
pip           24.0
pycryptodomex 3.20.0
setuptools    68.1.2
wheel         0.42.0

2. Running the reverse_shell.py program

2.1. Determine the IP address of the attacking computer:

ifconfig

The attacker's IP address is the IP through which the computer connects to the Internet. The resulting IP must be inserted into the reverse_shell function; the places to edit are marked with comments.

2.2. Open a second terminal and copy the file reverse_shell.py into the container:

docker cp reverse_shell.py <CONTAINER ID>:/reverse_shell.py

2.3. Start listening on the port:

nc -lvp 4444

2.4. In the container terminal, launch the program:

python3 /reverse_shell.py

Example of correct output:

(base) mkotkov@mkotkov:~/KJ/obfuscator$ nc -lvp 4444
Listening on 0.0.0.0 4444
Connection received on 172.17.0.2 57638

3. Testing

3.1. Check the connection and the access level:

ls
whoami

3.2. Run the script several times, saving a copy after each run, and compare the copies:

python3 /reverse_shell.py
cp /reverse_shell.py /reverse_shell_backup.py
python3 /reverse_shell.py
cp /reverse_shell.py /reverse_shell_run1.py
python3 /reverse_shell.py
cp /reverse_shell.py /reverse_shell_run2.py

Use the diff command to compare the saved copies:

diff /reverse_shell_backup.py /reverse_shell_run1.py
diff /reverse_shell_run1.py /reverse_shell_run2.py

After execution, you can see which lines changed between runs, which means the file's signature has changed.

How the program works

Encrypting and decrypting data:

The encrypt and decrypt functions use the AES algorithm to encrypt and decrypt data. AES is used in GCM mode, which provides both confidentiality and integrity for the data.

Code mutation:

The mutate_code function modifies the program's own source file, replacing the 'reverse_shell' string with a random string of letters. This is done to make it more difficult for antivirus programs that rely on fixed signatures to detect the file.
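To see what the renaming in mutate_code does and does not change from a detection standpoint (the "Dynamic Signature" point above), here is an added example that is not code from this repository. It hashes a constructed sample two ways: a raw SHA-256 over the file bytes, which is what a byte-exact signature compares and which the renaming defeats, and a SHA-256 over a token stream in which every identifier is replaced by its order of first appearance, which the renaming leaves unchanged. The sample program, the replacement letters and the function names normalize_source, raw_fingerprint and structural_fingerprint are all constructed here.

```python
import hashlib
import io
import keyword
import tokenize

# Constructed sample (not the repository's code): a harmless stub that only
# carries the identifier a mutate_code-style rewrite would rename.
SAMPLE_ORIGINAL = (
    "def reverse_shell(host, port):\n"
    "    banner = 'connected'\n"
    "    return (host, port, banner)\n"
    "\n"
    "result = reverse_shell('192.0.2.10', 4444)\n"
)
# The same file after the mutation the README describes: the string
# 'reverse_shell' replaced by a random run of letters (constructed value).
SAMPLE_MUTATED = SAMPLE_ORIGINAL.replace("reverse_shell", "qmzkrtwlpsbdh")


def normalize_source(src: str) -> str:
    """Rename-invariant token stream: identifiers become ID0, ID1, ... by first
    appearance, literals become STR/NUM, comments are dropped, and keywords,
    operators and block layout are kept."""
    names, out = {}, []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME and not keyword.iskeyword(tok.string):
            out.append(names.setdefault(tok.string, f"ID{len(names)}"))
        elif tok.type in (tokenize.NAME, tokenize.OP):
            out.append(tok.string)            # keywords and operators as-is
        elif tok.type == tokenize.STRING:
            out.append("STR")
        elif tok.type == tokenize.NUMBER:
            out.append("NUM")
        elif tok.type in (tokenize.NEWLINE, tokenize.NL):
            out.append("\n")
        elif tok.type in (tokenize.INDENT, tokenize.DEDENT):
            out.append(tokenize.tok_name[tok.type])
    return " ".join(out)


def raw_fingerprint(src: str) -> str:
    """Byte-exact hash, what a naive signature scanner compares; changes on rename."""
    return hashlib.sha256(src.encode()).hexdigest()


def structural_fingerprint(src: str) -> str:
    """Hash of the normalized token stream; unchanged by rename."""
    return hashlib.sha256(normalize_source(src).encode()).hexdigest()
```

This normalization absorbs the renaming that mutate_code performs; inserting junk statements or reordering code would need further normalization, so treat it as one detector among several.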

Reverse shell:

The reverse_shell function establishes a connection to a remote server (at the specified IP address and port) and waits for a command. After receiving a command, it executes it on the local machine and sends the result back to the server.

Main part of the program:

In the main part of the program, a random encryption key is generated, the code mutation function is called, and then the reverse shell is launched.

License

MIT License

Copyright (c) [2025] [Maksym Kotkov]

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
