TransWikia.com

.NET - What kind of obfuscation is this?

Reverse Engineering Asked by Diogo Machado on February 10, 2021

I’m currently performing some malicious DLL malware analysis, and I’m having some issues figuring out how to de-obfuscate this particular sample.
It uses a lot of Reflective Assembly calls, and, a lot of "metadata token" stuff. De4Dot is not able to de-obfuscate it also.

So, an example of the obfuscated code is:

internal sealed class fDjsVVR59jMIBOal6t : MulticastDelegate
{
    // Token: 0x06000378 RID: 888
    public extern WebRequest Invoke(string string_0);

    // Token: 0x06000379 RID: 889 RVA: 0x0007B0A2 File Offset: 0x000792A2
    public static WebRequest bHSPgZ6dc(string string_0, fDjsVVR59jMIBOal6t fDjsVVR59jMIBOal6t_0)
    {
        return fDjsVVR59jMIBOal6t_0(string_0);
    }

    // Token: 0x0600037A RID: 890
    public extern fDjsVVR59jMIBOal6t(object object_0, IntPtr intptr_0);

    // Token: 0x0600037B RID: 891 RVA: 0x0007B0AD File Offset: 0x000792AD
    static fDjsVVR59jMIBOal6t()
    {
        C4k09pr78tOqfmEnhjE.rrNXMYDGxr(typeof(fDjsVVR59jMIBOal6t).TypeHandle);
    }

    // Token: 0x040000CE RID: 206
    internal static fDjsVVR59jMIBOal6t wIB7Used4;
}

That was taken from dnSpy, and, that class is responsible for handling the "WebRequest" type.

As it can be seen, it uses references to it’s own TypeHandle (which I cannot figure out)

Also, this was called by the following code:

qx3wn31i9ZJtp4We5w.bHSPgZ6dc(SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls12, qx3wn31i9ZJtp4We5w.WfDsJXBaM);
HttpWebRequest object_ = (HttpWebRequest)fDjsVVR59jMIBOal6t.bHSPgZ6dc(pnkDI8d9JdgdPhiNYk.okRI8sNLe, fDjsVVR59jMIBOal6t.wIB7Used4);
vUZnR2ZDStHLA8R7UM.bHSPgZ6dc(object_, pNJ00Gmqec0CuHSb4d.bHSPgZ6dc(0, pNJ00Gmqec0CuHSb4d.oZ5INgCTd), vUZnR2ZDStHLA8R7UM.koMgxmBP1);
HttpWebResponse httpWebResponse = (HttpWebResponse)tga58GqyVkWMDfmCeA.bHSPgZ6dc(object_, tga58GqyVkWMDfmCeA.ScxpeQTMs);

The method that takes the typehandle, will use that typehandle to fetch a metadata token, and then construct the rest of the function using some data taken from a byteArray (in term, taken from a resource file).

I recreated the code and still can’t figure out the typeHandle of fDjsVVR59jMIBOal6t, and since I can’t do that, the rest of the code breaks. Was just hoping that someone out there had already seen an obfuscation like this before and would be kind enough to point me in the right direction.

Thanks!!

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP