XOR encryption

0001-01-01 cryptography

XOR encryption is a simple, easy to implement, and lightweight form of encryption. XOR is faster than other algorithms such as AES or RC4 and does not require any additional libraries or suspicious API calls. As such, it is a popular choice for malware purposes.

#include <windows.h> /* VOID, BYTE, PBYTE, SIZE_T and the IN annotation come from the Windows SDK headers */

/* Single-byte XOR: every byte of the buffer is XORed in place with the same key byte.
   Because XOR is its own inverse, calling this function a second time with the same key decrypts. */
VOID Xor(IN PBYTE input, IN SIZE_T inputSize, IN BYTE key) {
	for (size_t i = 0; i < inputSize; i++)
		input[i] = input[i] ^ key;
}

Some security tools such as YARA can brute force single byte XOR encrypted data to unearth the malicious content contained within. A simple method to thwart this analysis method is to add the loop counter ‘i’ to the key, so that each byte is XORed with a different value:

#include <windows.h> /* VOID, BYTE, PBYTE, SIZE_T and the IN annotation come from the Windows SDK headers */

/* Counter-mixed XOR: byte i is XORed with (key + i). The sum is computed in size_t and
   truncated to a byte on assignment, so the effective key stream is (key + i) mod 256. */
VOID Xor(IN PBYTE input, IN SIZE_T inputSize, IN BYTE key) {
	for (size_t i = 0; i < inputSize; i++)
		input[i] = input[i] ^ (key + i);
}

It is also possible to use a longer, multi-byte key that repeats over the buffer, making the ciphertext harder to brute force:

#include <windows.h> /* VOID, BYTE, PBYTE, SIZE_T and the IN annotation come from the Windows SDK headers */

/* Repeating-key XOR: byte i is XORed with key[i mod keySize], so the key is reused every keySize bytes. */
VOID Xor(IN PBYTE input, IN SIZE_T inputSize, IN PBYTE key, IN SIZE_T keySize) {
	for (size_t i = 0; i < inputSize; i++)
		input[i] = input[i] ^ key[i % keySize];
}

XOR keys may be discovered with manual analysis of the ciphertext by searching for repeating bytes or combinations of bytes: a run of identical plaintext bytes (such as zero padding) encrypts to the key itself, repeated over and over.

XOR is also susceptible to known plaintext attacks: XORing a known plaintext fragment with the ciphertext at the same position yields the key stream used for those bytes directly.
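The following Python script is an added analyst-side example and is not code from the original page. It reimplements the three XOR variants shown above (single byte, counter-mixed, repeating key) and then runs the three analysis techniques the text describes against a constructed buffer: the 256-key brute force that tools such as YARA perform, the search for repeating ciphertext bytes caused by zero padding, and known-plaintext recovery of the key stream. The plaintext, crib string and key values are all constructed for the example.

```python
"""Analysis of the three XOR variants (added example; all data below is constructed)."""
from itertools import cycle


def xor_single(data: bytes, key: int) -> bytes:
    """Single-byte XOR, equivalent to the first C routine."""
    return bytes(b ^ key for b in data)


def xor_counter(data: bytes, key: int) -> bytes:
    """Counter-mixed XOR; '& 0xFF' mirrors the C code's truncation of (key + i) to a BYTE."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, equivalent to the third C routine (key[i % keySize])."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def brute_force(ciphertext: bytes, decrypt, crib: bytes) -> list:
    """Try all 256 single-byte keys and keep those whose output contains the crib.
    This is the same idea as YARA's 'xor' string modifier: the key space is only 256
    candidates, and adding the loop counter does not enlarge it."""
    return [k for k in range(256) if crib in decrypt(ciphertext, k)]


def find_repeating_run(ciphertext: bytes, max_key_len: int = 16, min_repeats: int = 4):
    """Locate the first window where the ciphertext repeats with some period.
    Identical plaintext bytes (zero padding) encrypt to the key itself, so such a
    run reveals both the key length (the period) and the key bytes.
    Returns (offset, period) or None."""
    for period in range(1, max_key_len + 1):
        window = period * min_repeats
        for off in range(len(ciphertext) - window + 1):
            chunk = ciphertext[off:off + window]
            if all(chunk[i] == chunk[i % period] for i in range(window)):
                return off, period
    return None


def key_from_run(ciphertext: bytes, off: int, period: int) -> bytes:
    """Read the key out of a repeating run, rotated so index 0 is key[0].
    Assumes the underlying plaintext run is zero bytes (a heuristic to be
    confirmed with a crib, see key_from_crib)."""
    return bytes(ciphertext[off + ((i - off) % period)] for i in range(period))


def key_from_crib(ciphertext: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext attack: ciphertext XOR known plaintext gives the key stream
    at those positions; fold it back onto a key of length key_len."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    stream = bytes(c ^ p for c, p in zip(ciphertext[offset:offset + len(crib)], crib))
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = stream[i]
    return bytes(key)


# Constructed sample: a short fake header, a well-known string that serves as the
# crib, 32 bytes of zero padding, then a trailing configuration string.
CRIB = b"This program cannot be run in DOS mode."
PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00" + CRIB + b"\x00" * 32 + b"configuration: http://example.invalid/"
CRIB_OFFSET = 8
KEY = b"\x13\x37\xc0\xde"  # constructed 4-byte repeating key


if __name__ == "__main__":
    print("single-byte candidates:", brute_force(xor_single(PLAINTEXT, 0x41), xor_single, CRIB))
    print("counter candidates:   ", brute_force(xor_counter(PLAINTEXT, 0x41), xor_counter, CRIB))
    ct = xor_repeating(PLAINTEXT, KEY)
    run = find_repeating_run(ct)
    print("repeating run at offset/period:", run)
    print("key from zero run:", key_from_run(ct, *run).hex())
    print("key from crib:    ", key_from_crib(ct, CRIB, CRIB_OFFSET, run[1]).hex())
```

The two brute-force calls show why the counter trick buys little: the analyst still has only 256 keys to try and a crib to match on. The repeating-key case is broken without any brute force at all, first by reading the key length and bytes out of the encrypted zero padding, then by confirming the candidate with the known-plaintext calculation.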