Data obfuscation encryption method

Document No.: 190872    Published: 2021-11-02

Reading note: this technique, a data obfuscation encryption method, was designed by 王力红, 阚瑞超 and 夏玉明 on 2021-08-12. Summary: the invention discloses a data obfuscation encryption method comprising the following steps: a data sending end generates an initial data code to be transmitted; the initial data code is encrypted with an exclusive-or (XOR) operation to obtain a primary encryption result; the primary encryption result is converted into a string array, which completes the secondary encryption, and the string array is sent to a data receiving end; the data receiving end decrypts the string array and restores the primary encryption result; the data receiving end then decrypts the primary encryption result with the XOR operation again to obtain the initial data code, and finally executes it. The stated advantage of the invention is that, in situations where feature detection is not desired, it prevents the data from being detected by antivirus software, which would otherwise stop the next operation from proceeding normally, and so improves the efficiency and security of data transmission.

1. A data obfuscation encryption method, the method comprising:

step one: a data sending end generates an initial data code to be transmitted;

step two: encrypting the initial data code using an exclusive-or operation to obtain a primary encryption result;

step three: converting the primary encryption result into a character string array to complete the secondary encryption, and sending the character string array to a data receiving end;

step four: the data receiving end decrypts the character string array and restores it to the primary encryption result;

step five: the data receiving end decrypts the primary encryption result using the XOR operation to obtain the initial data code, and finally executes the initial data code.

2. The data obfuscation encryption method of claim 1, wherein the initial data code to be transmitted generated in step one is a segment of shellcode.

3. The data obfuscation encryption method of claim 1, wherein encrypting the initial data code using an exclusive-or operation to obtain a primary encryption result comprises: performing an XOR operation between the initial data code and a preset character string to encrypt the initial data code and obtain the primary encryption result.

4. The data obfuscation encryption method of claim 1, wherein converting the primary encryption result into a string array to complete the secondary encryption comprises: converting the primary encryption result into a character string array in the form of a MAC address, an IPv4 address, an IPv6 address or a UUID using a conversion function.

5. The data obfuscation encryption method of claim 4, wherein the conversion function RtlEthernetAddressToStringA() of the ntdll.dll library is called to convert the primary encryption result into a character string array in the form of a MAC address.

6. The data obfuscation encryption method of claim 5, wherein the data receiving end decrypting the string array and restoring it to the primary encryption result comprises: the loader of the data receiving end calls the function RtlEthernetStringToAddressA() of the ntdll.dll library to decrypt the character string array and restore it to the primary encryption result.

7. The data obfuscation encryption method of claim 3, wherein step five comprises: the data receiving end performs an exclusive-or operation between the primary encryption result restored in step four and the preset character string, decrypts it to obtain the initial data code, and finally executes the initial data code.

8. The data obfuscation encryption method of claim 7, further comprising: inserting a self-decryption program ahead of the generated initial data code to be transmitted.

9. The data obfuscation encryption method of claim 8, wherein the self-decryption program executes by: obtaining the current instruction-pointer (IP) register value, locating the address of the initial data code to be transmitted using the distance between the obtained IP register value and the initial data code, and performing the exclusive-or operation between the primary encryption result restored in step four and the preset character string byte by byte.

10. The data obfuscation encryption method of claim 9, wherein step five further comprises: returning to step one, executing the XOR operation in the decoding program to decrypt the primary encryption result restored in step four and obtain the initial data code, and finally executing the initial data code.

Technical Field

The invention relates to the technical field of computer network security, in particular to a data obfuscation encryption method.

Background

Signature (feature-code) detection is the main technique used by current mainstream antivirus software, for two reasons: first, it was the earliest to be researched and is the most mature; second, it identifies viruses accurately and effectively, and detection engines built on signature matching are efficient, so most antivirus vendors have adopted it. In view of this, research into evading signature-based detection has gradually developed both in China and abroad. Published results so far include evasion through source-code modification, junk (padding) instructions, separating the shellcode from its loader, shellcode obfuscation, commercial packers, direct calls to low-level APIs, writing Trojans in uncommon languages, unhooking, and other means of bypassing antivirus detection.

Currently a mainstream C2 (command and control) server uses the Cobalt Strike tool for remote control. Cobalt Strike, also called CS, is a cross-platform, multi-user collaborative penetration-testing framework written in Java. Early versions depended on the Metasploit framework; from Cobalt Strike 3.0 onward it became an independent platform. It supports several communication protocols, including HTTP, HTTPS, DNS and SMB; integrates privilege escalation, credential dumping, port forwarding, port scanning, lateral movement, SOCKS proxies, phishing and other functions; supports a rich set of extension plug-ins; and covers almost every technical link of an APT attack chain. Its Trojan generation likewise covers most platforms and attack scenarios, including PE Trojans, ELF Trojans, web-page Trojans and Office macro Trojans. Trojans generated by such a tool carry strong signatures and are detected by most vendors, so at present most Trojans or other data with strong signatures are caught during transmission, and how to make data evade detection in situations where feature detection is not desired has become a new research hotspot.

Chinese patent publication No. CN112052432A discloses a terminal-device authorization method comprising an encryption process, a decryption process and a terminal authentication process. The encryption process forms a two-dimensional array from the MAC address of the terminal device, XORs the elements of the array with a character R to obtain a ciphertext string, and writes the ciphertext string into a key file; the decryption process reads the ciphertext string from the key file, XORs it with the character R, and processes the result to recover the MAC address of the terminal device; the terminal authentication process judges whether the MAC address of the terminal device is on a preset whitelist of terminal devices and whether the key file is within its validity period, to decide whether the terminal device is authorized. The stated benefit of that application is that the key file is encrypted with the physical-address information of the terminal device and the device is authenticated by it, so no hardware encryption lock is needed for each terminal device, greatly reducing cost and improving project-management efficiency. However, that application uses one XOR encryption and two XOR decryptions; some antivirus software has dedicated monitoring rules for XOR, and when a cyclic XOR occurs the program's total information entropy rises and may be judged suspicious by the antivirus software, so that application can hardly bypass antivirus feature detection.

Disclosure of Invention

The technical problem the invention seeks to solve is that data obfuscation encryption methods in the prior art can hardly bypass antivirus feature detection, so that in situations where feature detection is not desired the data is still detected by antivirus software and the next operation cannot proceed normally, which affects the efficiency and security of data transmission.

The invention solves this technical problem by the following technical means: a data obfuscation encryption method, the method comprising:

step one: a data sending end generates an initial data code to be transmitted;

step two: encrypting the initial data code using an exclusive-or operation to obtain a primary encryption result;

step three: converting the primary encryption result into a character string array to complete the secondary encryption, and sending the character string array to a data receiving end;

step four: the data receiving end decrypts the character string array and restores it to the primary encryption result;

step five: the data receiving end decrypts the primary encryption result using the XOR operation to obtain the initial data code, and finally executes the initial data code.

The method encrypts the initial data code with an XOR operation to obtain a primary encryption result, converts the primary encryption result into a string array to complete the secondary encryption, and only then sends the string array to the data receiving end. This achieves multi-layer obfuscation and static evasion, avoids the situation in which, where feature detection is not desired, the data is still detected by antivirus software and the next operation cannot proceed, and thereby improves both the efficiency and the security of data transmission.

Further, the initial data code to be transmitted generated in step one is a segment of shellcode.

Further, encrypting the initial data code using the XOR operation to obtain a primary encryption result comprises: performing an XOR operation between the initial data code and a preset character string to encrypt the initial data code and obtain the primary encryption result.

Further, converting the primary encryption result into a string array to complete the secondary encryption comprises: converting the primary encryption result into a character string array in the form of a MAC address, an IPv4 address, an IPv6 address or a UUID using a conversion function.

Further, the conversion function RtlEthernetAddressToStringA() of the ntdll.dll library is called to convert the primary encryption result into a character string array in the form of a MAC address.

Further, the data receiving end decrypting the character string array and restoring it to the primary encryption result comprises: the loader of the data receiving end calls the function RtlEthernetStringToAddressA() of the ntdll.dll library to decrypt the character string array and restore it to the primary encryption result.

Further, step five comprises: the data receiving end performs an exclusive-or operation between the primary encryption result restored in step four and the preset character string, decrypts it to obtain the initial data code, and finally executes the initial data code.

Still further, the method further comprises: inserting a self-decryption program ahead of the generated initial data code to be transmitted.

Further, the self-decryption program executes by: obtaining the current instruction-pointer (IP) register value, locating the address of the initial data code to be transmitted using the distance between the obtained IP register value and the initial data code, and performing the exclusive-or operation between the primary encryption result restored in step four and the preset character string byte by byte.

Further, step five further comprises: returning to step one, executing the XOR operation in the decoding program to decrypt the primary encryption result restored in step four and obtain the initial data code, and finally executing the initial data code.

The invention has the advantages that:

(1) The method encrypts the initial data code with an XOR operation to obtain a primary encryption result, converts the primary encryption result into a string array to complete the secondary encryption, and only then sends the string array to the data receiving end. This achieves multi-layer obfuscation and static evasion, avoids the situation in which, where feature detection is not desired, the data is still detected by antivirus software and the next operation cannot proceed, and thereby improves both the efficiency and the security of data transmission.

(2) The self-decryption program is inserted ahead of the generated initial data code to be transmitted, and the initial data code can only be obtained by a second decryption of the restored primary encryption result through that inserted self-decryption program. The initial data code itself is therefore not stored in memory and cannot be found by memory searching, which further improves the security of data transmission.

Drawings

Fig. 1 is a flowchart of an algorithm of a data obfuscating encryption method according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

As shown in Fig. 1, a data obfuscation encryption method includes:

S1: a data sending end generates an initial data code to be transmitted. In this embodiment the initial data code to be transmitted is a segment of shellcode, that is, a piece of code written by the programmer as needed; its function is not particularly limited. The method can be used to encrypt data for transmission, avoiding the loss of transmission efficiency that occurs when the data is cracked or when it is detected by antivirus software in a setting where such detection is not desired. It can also be used in attack-and-defense drills, where the attacking side sends a specific piece of code that must evade the defending side's detection and removal, and both sides improve their skills through the drill.

In this embodiment, a self-decryption program is inserted ahead of the generated initial data code to be transmitted: assembly code is written, converted into machine code, and placed in front of the XOR-encrypted shellcode. The assembly code does the following: first it obtains the current instruction-pointer (IP) register value with the call/pop technique; then it locates the address of the shellcode using the distance between the obtained IP value and the shellcode; then it decrypts the shellcode byte by byte in a loop to recover it; and finally it executes the program.

S2: encrypting the initial data code using an exclusive-or operation to obtain a primary encryption result. In this embodiment the initial data code is XORed with a preset character string to obtain the encryption result; specifically, the shellcode string is traversed and each element is XORed using the ^ operator, which constitutes the first encryption.

S3: converting the primary encryption result into a character string array to complete the secondary encryption, and sending the character string array to the data receiving end. In this embodiment the primary encryption result is converted into a string array in the form of a MAC address, an IPv4 address, an IPv6 address or a UUID by a conversion function; here the conversion function RtlEthernetAddressToStringA() of the ntdll library is called to convert the primary encryption result into a string array in MAC-address form. Conversion between the IPv4, IPv6 or UUID forms and the string array works in the same way as the MAC-address case, differing only in the conversion functions used.

The procedure for converting the primary encryption result into the character string array in the form of the MAC address is as follows:

RtlEthernetAddressToStringA((DL_EUI48*)bufptr,(PSTR)hptr);

\xFC\x48\x83\xE4\xF0\xE8====>FC-48-83-E4-F0-E8

S4: the data receiving end decrypts the character string array and restores it to the primary encryption result. In this embodiment the loader at the data receiving end calls the function RtlEthernetStringToAddressA() of the ntdll.dll library to decrypt the string array and restore it to the primary encryption result, as follows:

RtlEthernetStringToAddressA(S[i],(PCSTR*)hptr,(DL_EUI48*)hptr);

FC-48-83-E4-F0-E8====>\xFC\x48\x83\xE4\xF0\xE8
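As an added example from the defender's side, not code from the patent, the following Python triage routine looks for the residue this encoding leaves in a sample: arrays of quoted literals in the MAC, IPv4, IPv6 or UUID forms named in S3. It inverts the encoding and measures the Shannon entropy of the recovered bytes, the heuristic the Background section attributes to antivirus engines, and it generalizes beyond the page's MAC-address case to all four formats. The regular expressions, thresholds and sample inputs are constructed for the example; the little-endian GUID layout assumed for UUID decoding is an assumption, since the page does not name the UUID conversion functions.

```python
"""Defender-side triage for the address-string encoding described in S3/S4.

Added example (not code from the patent): locate arrays of string literals in
MAC, IPv4, IPv6 or UUID form, invert the encoding, and measure the Shannon
entropy of the recovered bytes. A long, high-entropy blob hidden in
address-formatted strings is the residue this scheme leaves in a sample.
"""
import ipaddress
import math
import re
import uuid
from collections import Counter

# Quoted literals in the four formats the patent names. The dash-separated MAC
# form is what RtlEthernetAddressToStringA emits; the other three patterns are
# constructed for this example and validated by the decoders below.
PATTERNS = {
    "mac": re.compile(r'"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"'),
    "ipv4": re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})"'),
    "ipv6": re.compile(r'"([0-9A-Fa-f:]{2,39})"'),
    "uuid": re.compile(r'"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"'),
}


def decode_one(kind, s):
    """Invert one address-form string to raw bytes; None if it is not valid."""
    try:
        if kind == "mac":
            return bytes.fromhex(s.replace("-", ""))        # 6 bytes
        if kind == "ipv4":
            return ipaddress.IPv4Address(s).packed          # 4 bytes
        if kind == "ipv6":
            return ipaddress.IPv6Address(s).packed          # 16 bytes
        if kind == "uuid":
            # Assumption: the loader fills a Windows GUID struct, whose first
            # three fields are little-endian in memory; bytes_le matches that.
            return uuid.UUID(s).bytes_le                    # 16 bytes
    except ValueError:
        return None
    return None


def decode_strings(kind, strings):
    """Concatenate the decoded bytes of every valid string, skipping invalid ones."""
    return b"".join(b for b in (decode_one(kind, s) for s in strings) if b is not None)


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, up to 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encoded_arrays(text):
    """Map each format to the valid quoted literals of that form found in text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        items = [s for s in pattern.findall(text) if decode_one(kind, s) is not None]
        if items:
            found[kind] = items
    return found


def triage(text, min_bytes=32, min_entropy=4.5):
    """Flag a format as suspicious when the recovered blob is both long and
    high-entropy. The thresholds are heuristic values chosen for this example."""
    findings = []
    for kind, items in find_encoded_arrays(text).items():
        blob = decode_strings(kind, items)
        entropy = shannon_entropy(blob)
        findings.append({
            "kind": kind,
            "count": len(items),
            "byte_length": len(blob),
            "entropy": entropy,
            "suspicious": len(blob) >= min_bytes and entropy >= min_entropy,
        })
    return findings


# Constructed sample: a C-style string array as a loader built with this scheme
# would carry it. The first entry is the page's own example; the rest are
# arbitrary distinct byte values, not real shellcode.
SAMPLE_ENCODED = '''
const char *S[] = {
    "FC-48-83-E4-F0-E8", "01-23-45-67-89-AB", "CD-EF-10-32-54-76",
    "98-BA-DC-FE-11-22", "33-44-55-66-77-88", "99-AA-BB-CC-DD-EE",
    "0F-1E-2D-3C-4B-5A", "69-78-87-96-A5-B4"
};
'''

# Constructed benign control: ordinary configuration strings in address form.
SAMPLE_BENIGN = '''
interface_mac = "00-11-22-33-44-55"
servers = ["10.0.0.1", "192.168.1.254"]
'''

if __name__ == "__main__":
    for label, sample in (("encoded", SAMPLE_ENCODED), ("benign", SAMPLE_BENIGN)):
        for f in triage(sample):
            print(label, f["kind"], f["count"], f["byte_length"],
                  round(f["entropy"], 3), "SUSPICIOUS" if f["suspicious"] else "ok")
```

Run directly, it prints one line per format found in each sample; the 48-byte MAC array is flagged while the single interface address and two server addresses are not. In practice the text would be the strings extracted from a binary or the source under review, and the byte-length and entropy thresholds would be tuned to the environment, since a long list of legitimate hosts can also decode to a sizeable blob.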

S5: the data receiving end decrypts the primary encryption result using the XOR operation to obtain the initial data code, and finally executes it. Specifically: returning to step S1, the XOR operation in the decoding program XORs the primary encryption result restored in step S4 with the preset character string, so that the program self-decrypts in memory once more to obtain the initial data code, which it then executes. In this embodiment the shellcode is executed by registering it as the WNDENUMPROC callback of the EnumWindows function; at that point the shellcode has been XOR-decrypted in memory and is executed.

Through this technical scheme, the initial data code is encrypted with an XOR operation to obtain a primary encryption result, the primary encryption result is converted into a string array to complete the secondary encryption, and only then is it sent to the data receiving end. This achieves multi-layer obfuscation and static evasion, avoids the situation in which, where feature detection is not desired, the data is still detected by antivirus software and the next operation cannot proceed, and thereby improves both the efficiency and the security of data transmission.

The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
