
27 Apr 2009, 7:37 p.m.
If you cipher the strings of your binary image but decipher them at the process' start-up, Process Explorer (in Windows) will be able to show them.
You make some good points. I think the strings need to stay obfuscated until they're used and then discarded immediately afterwards.
For the cipher, something simple and fast like RC4 is sufficient. RC4 can be written in a few lines of C++ (http://en.wikipedia.org/wiki/RC4#Implementation) without any dependencies and is better than a trivial byte-to-byte obfuscation that will not hide the patterns the attacker may be looking for (i.e. path with '/' or '\').
I will look into that. Thanks for the suggestions. -Sid
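
An added example, not code from anyone in this thread: a dependency-free RC4 in C++ plus a scoped holder that deciphers a string only when it is needed and zeroes the buffer when it goes out of scope, as discussed above. The names `rc4` and `ScopedPlain` are hypothetical, and the key and blob are a constructed sample (the widely published RC4 test vector); because the key ships in the binary, this is obfuscation, not secrecy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// RC4 (key schedule + keystream XOR). Symmetric: the same call enciphers and deciphers.
std::vector<std::uint8_t> rc4(const std::string& key, const std::vector<std::uint8_t>& in) {
    if (key.empty()) throw std::invalid_argument("RC4 key must not be empty");
    std::uint8_t S[256];
    for (int i = 0; i < 256; ++i) S[i] = static_cast<std::uint8_t>(i);
    for (int i = 0, j = 0; i < 256; ++i) {
        j = (j + S[i] + static_cast<std::uint8_t>(key[i % key.size()])) & 0xFF;
        std::swap(S[i], S[j]);
    }
    std::vector<std::uint8_t> out(in.size());
    int i = 0, j = 0;
    for (std::size_t n = 0; n < in.size(); ++n) {
        i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF;
        std::swap(S[i], S[j]);
        out[n] = static_cast<std::uint8_t>(in[n] ^ S[(S[i] + S[j]) & 0xFF]);
    }
    return out;
}

// Plaintext exists only while this object is alive; the destructor wipes it.
class ScopedPlain {
public:
    ScopedPlain(const std::string& key, const std::vector<std::uint8_t>& ct) : buf_(rc4(key, ct)) {}
    ~ScopedPlain() { wipe(); }
    ScopedPlain(const ScopedPlain&) = delete;             // no stray plaintext copies
    ScopedPlain& operator=(const ScopedPlain&) = delete;
    const char* data() const { return reinterpret_cast<const char*>(buf_.data()); }
    std::size_t size() const { return buf_.size(); }      // buffer is not NUL-terminated
    void wipe() {
        volatile std::uint8_t* p = buf_.data();           // volatile: stores are not optimized away
        for (std::size_t n = 0; n < buf_.size(); ++n) p[n] = 0;
    }
private:
    std::vector<std::uint8_t> buf_;
};

int main() {
    // Constructed sample: RC4("Key", "Plaintext"); only these bytes sit in the image.
    const std::vector<std::uint8_t> blob{0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3};
    ScopedPlain s("Key", blob);                           // deciphered here, wiped at scope exit
    std::printf("%.*s\n", static_cast<int>(s.size()), s.data());
}
```

Anything that copies the plaintext out of the holder (for example into a `std::string`) leaves a second copy in memory that this wipe does not reach.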