#include "xor.hpp"
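namespace encryption {

/*
 * XorInPlace:
 *      About:
 *          XOR encrypts/decrypts the provided input using the provided key.
 *          The offset parameter will rotate the key by the provided value
 *          (specify 0 to use the key as is). Offsets larger than the key
 *          length wrap around (offset % key_len).
 *
 *          The transform is its own inverse: calling it again with the same
 *          key and offset restores the original buffer. Repeating-key XOR is
 *          reversible obfuscation only and provides no confidentiality.
 *      Parameters:
 *          input     - buffer modified in place
 *          input_len - number of bytes of input to process
 *          key       - key bytes (only read, never written)
 *          key_len   - number of bytes in key
 *          offset    - index of the key byte applied to input[0]
 *      Result:
 *          XOR encrypted/decrypted buffer. The call does nothing when key_len
 *          is 0 or when input or key is a null pointer.
 *      MITRE ATT&CK Techniques:
 *          T1027: Obfuscated Files or Information
 *          T1140: Deobfuscate/Decode Files or Information
 *      CTI:
 *          https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html
 *          https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
 */
void XorInPlace(unsigned char* input, size_t input_len, unsigned char* key, size_t key_len, size_t offset) {
    // An empty key would make the modulo below divide by zero; a null buffer
    // or key with a non-zero length would be dereferenced. Treat all three as
    // "nothing to do" instead of crashing.
    if (!input || !key || key_len == 0) {
        return;
    }

    // Walk the key with a rolling index rather than computing
    // (i + offset) % key_len for every byte: same key byte per position,
    // no per-byte division and no i + offset sum that could wrap.
    size_t key_pos = offset % key_len;
    for (size_t i = 0; i < input_len; i++) {
        input[i] ^= key[key_pos];
        if (++key_pos == key_len) {
            key_pos = 0;
        }
    }
}

// Standard XOR encryption: the key is applied starting at its first byte.
void XorInPlace(unsigned char* input, size_t input_len, unsigned char* key, size_t key_len) {
    XorInPlace(input, input_len, key, key_len, 0);
}

// XOR encryption with a single-byte key: every input byte is XORed with key.
void XorInPlace(unsigned char* input, size_t input_len, unsigned char key) {
    unsigned char key_array[1] = {key};
    XorInPlace(input, input_len, key_array, 1, 0);
}

/*
 * TripleXorInPlace:
 *      About:
 *          Triple-XOR encrypts/decrypts the provided input using the provided key.
 *          The first round of XOR encryption uses the key as provided.
 *          The second round rotates the key by 1 byte,
 *          and the third round rotates it by 7 bytes.
 *
 *          Because XOR is associative, the three rounds are equivalent to one
 *          XOR pass with the derived key
 *              key[i % n] ^ key[(i + 1) % n] ^ key[(i + 7) % n]   (n = key_len),
 *          so the layering does not lengthen the effective key. For n == 1
 *          all three rounds use the same byte and the result equals a single
 *          round; whenever 1 % n == 7 % n (n == 2, 3 or 6) rounds 2 and 3
 *          cancel and only round 1 remains.
 *      Result:
 *          XOR encrypted/decrypted buffer. Applying the function twice with
 *          the same key restores the original buffer. Inherits the no-op
 *          behaviour of XorInPlace for an empty key or null pointers.
 *      MITRE ATT&CK Techniques:
 *          T1027: Obfuscated Files or Information
 *          T1140: Deobfuscate/Decode Files or Information
 *      CTI:
 *          https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html
 *          https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
 */
void TripleXorInPlace(unsigned char* input, size_t input_len, unsigned char* key, size_t key_len) {
    // Round 1: key as provided
    XorInPlace(input, input_len, key, key_len, 0);

    // Round 2: key rotated by 1 byte
    XorInPlace(input, input_len, key, key_len, 1);

    // Round 3: key rotated by 7 bytes
    XorInPlace(input, input_len, key, key_len, 7);
}

} // namespace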