

Mono.Cecil - obfuscated malicious code


In this great article (http://eatplayhate.wordpress.com/2010/07/18/mono-cecil-vs-obfuscation-fight/), the author claims that Mono.Cecil is not perfect, but that it translated a good 90% of the functions without any issues.
My question to you guys is: Can an evil programmer obfuscate malicious code that could not be deobfuscated using Mono.Cecil and thus cause a serious breach in my program (3rd party code)?
If the answer is yes, do you know what symbols I can use to write such code, or how I can protect myself from such code?
Of course an evil programmer can always obfuscate code better than you can deobfuscate it. Determining the behavior of arbitrary code in advance is an undecidable problem after all.
More practically, the obfuscation vs deobfuscation fight is just over who puts in more effort. Obfuscation is much easier than deobfuscation, but commercial obfuscators tend to be much less sophisticated than what you can write by hand or with a custom obfuscator, for various reasons. The fact that Mono Cecil is good enough to deobfuscate many common obfuscation tools doesn't mean it can do anything about the latter.
If you want to see some of the tricks you can pull with hand-obfuscated code, take a look at this crackme. It's Java bytecode rather than CLI, but the idea is similar. As of this writing, no one has even solved it, despite the crackme consisting of a single method in a single class. And it doesn't even use Reflection, the proper use of which makes automated deobfuscation all but impossible.
The real question however, is what you're trying to do with this. Are you trying to check arbitrary code for malicious behavior? Sorry, but that's not really possible. You need to run it in a sandbox.
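
As a complement to the answer above, here is an added example (not part of the original post) of what a Mono.Cecil pass over a third-party assembly can still do: flag methods whose behaviour is decided at run time through reflection, late binding, P/Invoke or `calli`, which are the places where reading the IL stops being conclusive. It assumes the Mono.Cecil NuGet package; the `Flagged` prefix list and the class name are illustrative choices, and a run with no hits proves nothing about safety.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class DynamicCodeTriage
{
    // Assumption: illustrative starting list, not exhaustive. Calls into these
    // types mean the real target is chosen at run time.
    static readonly string[] Flagged =
    {
        "System.Reflection.",                      // reflection, Assembly.Load, Reflection.Emit
        "System.Activator",                        // late-bound construction
        "System.Runtime.InteropServices.Marshal",  // native memory and function pointers
    };

    public static IEnumerable<string> Scan(string assemblyPath)
    {
        using var asm = AssemblyDefinition.ReadAssembly(assemblyPath);
        foreach (var type in asm.Modules.SelectMany(m => m.GetTypes()))
        foreach (var method in type.Methods)
        {
            // P/Invoke declarations have no IL body but reach native code.
            if (method.IsPInvokeImpl)
                yield return $"{method.FullName}: P/Invoke declaration";
            if (!method.HasBody) continue;
            foreach (var ins in method.Body.Instructions)
            {
                // calli invokes through a raw function pointer.
                if (ins.OpCode.Code == Code.Calli)
                    yield return $"{method.FullName}: calli";
                if (ins.Operand is MethodReference callee && Flagged.Any(p =>
                        callee.DeclaringType.FullName.StartsWith(p, StringComparison.Ordinal)))
                    yield return $"{method.FullName}: references {callee.FullName}";
            }
        }
    }

    static int Main(string[] args)
    {
        // With no argument the tool scans itself as a constructed sample: the
        // Assembly.Location call below is a System.Reflection use it reports.
        string path = args.Length == 1 ? args[0] : typeof(DynamicCodeTriage).Assembly.Location;
        var hits = Scan(path).Distinct().ToList();
        hits.ForEach(Console.WriteLine);
        // Zero hits only means none of the listed patterns matched.
        return hits.Count == 0 ? 0 : 1;
    }
}
```

Treat the output as a list of places to review or to watch inside the sandbox, not as a verdict on the assembly.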
