Hiding code inside perl

Many languages allow hiding executable code inside the executable itself in such a way that it won’t be easily seen by the naked eye. Perl is considered “safe” from such things, as it is not easy to “encrypt” executed content and then “decrypt” and execute it.

The following will provide a simple method of hiding content from the naked eye, while still making it possible to execute seamlessly.

The method doesn’t make it hard to recover the executed code, nor does it make it hard to detect the presence of such “encrypted” content; however, by utilizing it you can make the Perl script a lot less readable, both to man and machine.

The code below will simply execute /usr/bin/whoami and return its output, but I wouldn’t trust it :) – kidding. In any case, as the sample shows, even in languages where pointers/assembly/code bytes are not easily accessible it is still possible to write code that “decrypts” itself prior to being executed.
#!/usr/bin/perl
# Self decrypting and executing code in Perl
# Noam Rathaus – Beyond Security Inc.

use Storable qw(freeze thaw);
use Safe;
use strict;

# thaw() hands the deparsed source of the frozen CODE ref to $Storable::Eval;
# run it inside a Safe compartment that permits only what the hidden code needs.
my $safe = Safe->new;
$safe->permit(qw(:default require open close));
local $Storable::Deparse = 1;   # only matters for freeze(); harmless on thaw()
local $Storable::Eval = sub { $safe->reval($_[0]) };

# Storable freeze() output, each byte XORed with 10 and written as %xx
my $serialized = "%0e%0d%0e%3b%38%39%3e%0e%0e%0e%02%10%00"
    . "%a2%71%00%2a%2a%2a%2a%7f%79%6f%2a%79%7e%78%63"
    . "%69%7e%2a%2d%78%6f%6c%79%2d%31%00%2a%2a%2a%2a"
    . "%63%6c%2a%22%65%7a%6f%64%2a%4c%43%46%4f%26%2a"
    . "%2d%25%7f%79%78%25%68%63%64%25%7d%62%65%6b%67"
    . "%63%2a%76%2d%23%2a%71%00%2a%2a%2a%2a%2a%2a%2a"
    . "%2a%7d%62%63%66%6f%2a%22%6e%6f%6c%63%64%6f%6e"
    . "%22%2e%55%2a%37%2a%36%4c%43%46%4f%34%23%23%2a"
    . "%71%00%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%7a"
    . "%78%63%64%7e%2a%2e%55%31%00%2a%2a%2a%2a%2a%2a"
    . "%2a%2a%77%00%2a%2a%2a%2a%2a%2a%2a%2a%69%66%65"
    . "%79%6f%2a%4c%43%46%4f%31%00%2a%2a%2a%2a%77%00"
    . "%77%0a%0a%0a";

# Undo the %xx encoding and the XOR, then thaw the frozen CODE ref and call it
$serialized =~ s/%([\da-fA-F]{2})/chr (hex ($1)^10)/eg;
my $code = thaw($serialized);
$code->();
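
As an added example (not part of the original post), here is a small Python analyst's tool that recovers the hidden Perl source from the blob above without running it: it reverses the %xx/XOR-10 substitution and then walks just enough of the Storable freeze() stream (version bytes, byte-order string, SX_CODE tag, scalar length) to pull out the deparsed text. The Storable tag values and header layout are those of Storable.xs; the blob is the one in the script above, and the NUL padding it carries at the end of the text is stripped.

```python
import re
import struct

# The encoded string exactly as it appears in the script above.
ENCODED = (
    "%0e%0d%0e%3b%38%39%3e%0e%0e%0e%02%10%00"
    "%a2%71%00%2a%2a%2a%2a%7f%79%6f%2a%79%7e%78%63"
    "%69%7e%2a%2d%78%6f%6c%79%2d%31%00%2a%2a%2a%2a"
    "%63%6c%2a%22%65%7a%6f%64%2a%4c%43%46%4f%26%2a"
    "%2d%25%7f%79%78%25%68%63%64%25%7d%62%65%6b%67"
    "%63%2a%76%2d%23%2a%71%00%2a%2a%2a%2a%2a%2a%2a"
    "%2a%7d%62%63%66%6f%2a%22%6e%6f%6c%63%64%6f%6e"
    "%22%2e%55%2a%37%2a%36%4c%43%46%4f%34%23%23%2a"
    "%71%00%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%2a%7a"
    "%78%63%64%7e%2a%2e%55%31%00%2a%2a%2a%2a%2a%2a"
    "%2a%2a%77%00%2a%2a%2a%2a%2a%2a%2a%2a%69%66%65"
    "%79%6f%2a%4c%43%46%4f%31%00%2a%2a%2a%2a%77%00"
    "%77%0a%0a%0a"
)

SX_LSCALAR, SX_SCALAR, SX_UTF8STR, SX_LUTF8STR, SX_CODE = 0x01, 0x0A, 0x17, 0x18, 0x1A  # Storable.xs tags

def unescape(encoded: str, key: int = 10) -> bytes:
    # Undo the script's s/%([\da-fA-F]{2})/chr(hex($1)^10)/eg: each %xx becomes (xx XOR key).
    return bytes(int(h, 16) ^ key for h in re.findall(r"%([\da-fA-F]{2})", encoded))

def extract_code(blob: bytes) -> str:
    """Skip the Storable 2.x freeze() header and return the text of the frozen CODE ref."""
    netorder = blob[0] & 1          # byte 0 = (major << 1) | netorder, byte 1 = minor version
    pos, little_endian = 2, True
    if not netorder:                # native streams carry a byte-order string ("1234" = LE) ...
        bo_len = blob[pos]
        little_endian = blob[pos + 1:pos + 1 + bo_len].startswith(b"1")
        pos += 1 + bo_len + 4       # ... then sizeof(int), sizeof(long), sizeof(char*), sizeof(NV)
    if blob[pos] != SX_CODE:
        raise ValueError(f"expected SX_CODE at offset {pos}, got {blob[pos]:#x}")
    kind, pos = blob[pos + 1], pos + 2      # the source text follows as an ordinary scalar
    if kind in (SX_SCALAR, SX_UTF8STR):     # 1-byte length
        length, pos = blob[pos], pos + 1
    elif kind in (SX_LSCALAR, SX_LUTF8STR): # 4-byte length in the stream's byte order
        length, pos = struct.unpack("<I" if little_endian else ">I", blob[pos:pos + 4])[0], pos + 4
    else:
        raise ValueError(f"unexpected scalar tag {kind:#x} after SX_CODE")
    text = blob[pos:pos + length]
    if len(text) != length:
        raise ValueError("truncated Storable stream")
    return text.decode("utf-8").rstrip("\x00")   # this blob pads the text with three NULs
```

Calling extract_code(unescape(ENCODED)) prints the deparsed block that opens /usr/bin/whoami and echoes its lines, which is all an analyst needs to classify the script without ever letting thaw() evaluate it.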

  • r

    What’s the function you are using to encrypt that “shellcode” with? The decrypt function looks like a function to decrypt JavaScript encodeURIComponent, and you XOR by 10? Mail me or reply if you’re able to; it’s an interesting concept.

  • http://www.BeyondSecurity.com noam

    The “encryption” is simply encoding of each character into its %xx equivalent with an XOR of 10 (as you noted).