@@ -37,16 +37,16 @@ Multiple files can be compiled into the stub. A file can either be embedded with
Typically, an executable is decrypted and executed in-memory by the stub. If the executable is a native PE file, `RunPE` (process hollowing) is used. For .NET executables, the .NET stub uses `Invoke`. Legitimate files with no known signatures can be written to the disk.
Obfuscation and evasive features are fundamental to the design of PEunion and do not need further configuration. The exact implementation is fine tuned to decrease detection and is subject to change in future releases.
This graph illustrates the execution flow of the native stub decrypting and executing a PE file. The .NET stub works similarly.
The **fundamental concept** is that the stub **only** contains code to detect emulators and to decrypt and pass execution to the next layer. The second stage is position independent shellcode that retrieves function pointers from the PEB and handles the payload. To mitigate AV detections, only the stub requires adjustments. Stage 2 contains all the "suspicious" code that is not readable at scantime and not decrypted, if an emulator is detected.
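Review bot: the sentence "Legitimate files with no known signatures can be written to the disk" in this hunk is ambiguous about what "signatures" means; the preceding lines contrast it with in-memory execution of the payload, so a reader cannot tell whether it refers to antivirus detection signatures or to Authenticode code signatures. State which is meant so the documented behaviour is unambiguous.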
@@ -58,16 +58,16 @@ Assembly code is obfuscated by nop-like instructions intermingled with the actua
The C# obfuscator replaces symbol names with barely distinguishable Unicode characters. Both string and integer literals are decrypted at runtime.
The Unicode character `U+202e` allows to create a filename that masquerades the actual extension of a file.
It is a simple renaming technique, where all characters followed by `U+202e` are displayed in reversed order. This way, an executable can be crafted in such a way that it looks like a JPEG file.
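Review bot: the description of the U+202e (RIGHT-TO-LEFT OVERRIDE) behaviour in the last context line of this hunk is inverted; it is the characters that come after the code point that a renderer displays in reversed order, not "all characters followed by `U+202e`". Suggest "all characters following `U+202e` are displayed in reversed order". Minor grammar in the earlier line of the hunk: "allows to create a filename that masquerades the actual extension" should read "allows creating a filename that masks the actual extension".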