IPfuscation


IPfuscation is an anti-analysis obfuscation technique in which data is converted to and from IP address strings so that its true content is hidden from casual inspection.

An IPv4 address contains four octets, and each octet represents one byte of data, so an address such as 4.4.4.4 is equivalent to the four bytes \x04\x04\x04\x04.

The WinAPI function RtlIpv4StringToAddressA converts an IPv4 address string to its binary form, a DWORD holding the four octets. Chaining several bogus IP addresses together in this way lets shellcode be stored as what looks like a list of IP addresses and reassembled into bytes at run time.

IPv6 addresses can be used in the same manner to hold 16 bytes of data each, with the RtlIpv6StringToAddressA WinAPI function doing the conversion.
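As an added example (not part of the original note), the following Python mirrors the byte-to-address mapping described above for both IPv4 and IPv6, and then does what an analyst actually needs: it walks a list of strings (as pulled from a binary's string table) for runs of consecutive IP literals and decodes each run back into bytes. The string table and the payload text are constructed sample data; `find_ip_runs` and its `min_run` threshold are this example's own names, not anything from the Windows API or the referenced report.

```python
import ipaddress
from typing import List, Tuple


def ips_from_bytes(data: bytes, version: int = 4) -> List[str]:
    """Encode raw bytes as IPv4 (4 bytes each) or IPv6 (16 bytes each) literals.

    This is the mapping the note describes: each octet of an IPv4 address is one
    byte, and an IPv6 address carries 16 bytes.
    """
    width = 4 if version == 4 else 16
    cls = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    if len(data) % width:
        raise ValueError(f"data length must be a multiple of {width}")
    return [str(cls(data[i:i + width])) for i in range(0, len(data), width)]


def bytes_from_ips(ips: List[str]) -> bytes:
    """Decode a sequence of IP literals back to the bytes they carry.

    .packed gives the network-order bytes, which is the same byte order the
    Windows conversion routines produce.
    """
    return b"".join(ipaddress.ip_address(s).packed for s in ips)


def is_ip_literal(s: str) -> bool:
    """True if the string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def find_ip_runs(strings: List[str], min_run: int = 4) -> List[Tuple[int, bytes]]:
    """Find runs of at least min_run consecutive IP literals and decode them.

    A lone address in a string table is ordinary; a long unbroken run of
    addresses is the signal worth a second look. Returns (start_index, bytes).
    """
    runs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(strings):
        j = i
        while j < len(strings) and is_ip_literal(strings[j]):
            j += 1
        if j - i >= min_run:
            runs.append((i, bytes_from_ips(strings[i:j])))
        i = j if j > i else i + 1
    return runs


# Constructed sample string table: two imports, a run of four IPv4 literals
# carrying 16 bytes of text, a lone address that should not be flagged, and a
# trailing module name.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "GetProcAddress",
    "72.101.108.108",
    "111.44.32.119",
    "111.114.108.100",
    "33.33.33.33",
    "RtlIpv4StringToAddressA",
    "8.8.8.8",
    "ntdll.dll",
]

if __name__ == "__main__":
    payload = b"Hello, world!!!!"  # constructed 16-byte sample, not code
    print(ips_from_bytes(payload, 4))
    print(ips_from_bytes(payload, 6))
    for start, blob in find_ip_runs(SAMPLE_STRINGS):
        print(f"run at index {start}: {len(blob)} bytes -> {blob!r}")
```

Python's `ipaddress` parser is strict (four dotted decimal parts, each 0 to 255, no leading zeros), whereas the Windows routines also have a lenient mode that accepts shorthand forms, so a production scanner should normalise candidate strings before deciding whether they are addresses. The run threshold is the main tuning knob: configuration files legitimately contain a few addresses in a row, while encoded payloads produce dozens or hundreds.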

This technique was observed in use by the Hive ransomware.

https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
