What is the Fat-Obfuscated virus

Could you guide me in removing the virus in my computer? The hidden files in my folders are all unhidden after running OTL on several unsuccessful attempts.

Whole computer scan
High priority;"4";"4";"0"
Medium priority;"2";"2";"0"
Folders selected for scanning:;"Scan whole computer"
Started/finished:;"10/14/2012, 2:54:39 PM / 10/14/2012, 3:28:16 PM"
Total object scanned:;"758061"
User who launched the scan:;"user"
Status;"Priority";"Name";"Description";"Result"
Healed;"High";"Trojan horse Generic26.ATEG";"C:\Users\user\Documents\My Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO
DiBYA\mini-KMS_Activator_v1.053.exe";"Moved to Virus Vault"
Healed;"High";"Trojan horse Generic22.BGND";"C:\Users\user\Documents\My Downloads\Adobe CS4\Adobe CS4\Keygen\Keygen_MasterUploader.exe";"Moved to Virus Vault"
Healed;"Medium";"pci.sys, hooked import ntoskrnl.exe IoDetachDevice -> spgy.sys +0x6953C";"C:\Windows\System32\Drivers\spgy.sys";"Secured"
Healed;"High";"Trojan horse Agent3.AVWH";"C:\Users\user\Documents\My Downloads\autocad2012 x64\x-force_2012_x64.exe";"Moved to Virus Vault"
Healed;"High";"Virus found Fat-Obfuscated";"C:\Users\user\Documents\My Downloads\SU.Podium.v2.7.x64.Incl.Keymaker-CORE\keygen.exe";"Moved to Virus Vault"
Healed;"Medium";"pci.sys, hooked import ntoskrnl.exe IoAttachDeviceToDeviceStack -> spgy.sys +0x695B0";"C:\Windows\System32\Drivers\spgy.sys";"Secured"



To Insanity and Beyond


  • Global Moderator
  • 75,798 posts
  • OFFLINE
    • Gender: Male
    • Location: NJ USA
    • Local time: 01:15 AM

    Hello minkie and welcome. 2 things here.

    First
    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

    Second if you want to clean this.

    Please start a new topic with your info above and the DDS log from this Preparation Guide and post in a new topic as explained in the guide.

    Let me know if all went well.

    Thanks so much for your reply. I could not start the DDS log program as the program can't operate or start properly because of the virus. What should I do?


    Hi minkie, try this

    If still no joy then just start a new topic as per step 7 in the Prep guide and post your info from your 1st post and tell them we tried but cannot run DDS.

    Please repost your DDS log here

    with an explanation of your problem, thanks.

    Edited by boopme, 28 April 2013 - 07:44 PM.


    @ minkie

    Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

    From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

    Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

    The current wait time is 1 - 2 days and ALL logs are answered.

    If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

    To avoid confusion, I am closing this topic.



    It's exciting to get that reverse shell or execute a payload, but sometimes these things don't work as expected when there are certain defenses in play. One way to get around that issue is by obfuscating the payload, and encoding it using different techniques will usually bring varying degrees of success. Graffiti can make that happen.

    Graffiti is a tool that can generate obfuscated payloads using a variety of different encoding techniques. It offers an array of one-liners and shells in languages such as Python, Perl, PHP, Batch, PowerShell, and Bash. Payloads can be encoded using base64, hex, and AES256, among others. It also features two modes of operation: command line mode and interactive mode.

    Other useful features of Graffiti include the ability to create your own payload files, terminal history, option to run native OS commands, and tab-completion in interactive mode. Graffiti should work out of the box on Linux, Mac, and Windows, and it can be installed to the system as an executable on both Linux and Mac. We will be using Kali Linux to explore the tool below.

    Setup & Installation

    To get started, let's clone into the GitHub repo for Graffiti using the git command:

    Next, change into the new directory:

    And list the contents to verify everything is there:

    We can run the tool with the python command — let's see the help menu by tacking on the -h switch:

    Here, we get its usage information and optional arguments that are available.

    An easier way to use Graffiti is to install it onto the system. That way, we don't need to be in the directory to run it — it can be executed from anywhere. Simply launch the install script to begin:

    It tells us we need to run the source command on our bash profile to complete the installation — the source command basically loads any functions in the current shell:

    Now we should be able to run the tool from anywhere by typing graffiti in the terminal:

    Option 1: Use Graffiti in Command-Line Mode

    The first way to run Graffiti is in normal command-line mode. All we have to do is pass the arguments after the command, just like you would with any other tool or script. For example, we can list all available payloads with the -l switch:

    We can see there are options for Netcat shells, Python shells, and many others, separated between Windows and Linux.

    We can use the -Vc option to view the available encoders and the corresponding languages they're available for:

    The -p switch is the bread and butter of Graffiti — use it to specify a payload, followed by -c to specify the encoding technique, and finally -lH and -lP to set the listening address and port, respectively. Here is a Python reverse shell in raw format, meaning no encoding:

    That will spit out the command for the appropriate reverse shell with all the information filled in. All we need to do at this point is copy and paste.

    Let's try another example. Here is that same Python reverse shell encoded in base64:

    And again, this time using the AES256 cipher:

    Instead of going back and running these commands again, Graffiti keeps a cache of payloads for easy access — use the -vC option to see them:

    We can also wipe the history with the -W switch:

    Option 2: Use Graffiti in Interactive Mode

    The other way to run Graffiti is in its interactive mode, which comes with a built-in terminal environment. Simply run the tool without any arguments to drop in:

    If you receive the error above, all you have to do is create a new history file in the appropriate directory — use the touch command like so:

    Now when we run it, we successfully enter the interactive mode, which will come with its own prompt:

    To see the help menu, type help or ? at the prompt:

    /graffiti# ?
    Command             Description
    ---------           --------------
    help/?              Show this help
    external            List available external commands
    cached/stored       Display all payloads that are already in the database
    list/show           List all available payloads
    search              Search for a specific payload
    use                 Use this payload and encode it using a specified coder
    info                Get information on all the payloads
    check               Check for updates
    history/mem[ory]    Display command history
    exit/quit           Exit the terminal and running session
    encode

    A terrible law, a ‘phantom tax,’ and a captured regulator mean that big businesses are forcing you to pay their taxes without even knowing it.


    A regulation has forced Americans to pay the corporate income taxes of an industry that Congress exempted from that tax in 1986, an outrage I have chronicled for years.

    Now a federal court has determined that this taxpayer abuse is worse than I reported. In fact, it’s twice as bad.

    Yet despite the latest court ruling in a long-running case, this rip-off may continue.

    The idea that any business could force you to pay its taxes may strike some readers as beyond belief. When I first heard about this more than a decade ago my skepticism meter hit high alert. Then I started reading the laws, regulations, and official proceedings, none of which made the news. I’ve been writing about it ever since, hoping the public will demand an end to this abuse.

    The way it works is simple: The Federal Energy Regulatory Commission (FERC) sets the rates that monopoly pipelines can charge. The rates are based on all of their costs—people, equipment, taxes, and the corporate income tax. But that last expense is fake. The pipelines are exempt from that tax.

    How Consumers End Up Paying Oil Pipeline Taxes

    No industry benefits more from the forced payment of taxes for private gain than the pipelines that are the subject of the latest court ruling.

    Pipelines are monopoly rights-of-way granted by government. The rates that oil pipelines charge shippers—oil companies, airlines, chemical companies—to move their product across the country are regulated under a law first enacted in 1887, the Interstate Commerce Act, which was designed to protect shippers from abuses by railroads—and was partly drafted by those railroads. Natural gas pipelines are regulated under updates to a 1938 law.

    Congress created the Federal Energy Regulatory Commission to regulate everything from the rules of the so-called electricity markets to the level of water behind hydroelectric dams to pipeline rates. Not one major news organization assigns a reporter to cover FERC, which is cozy with those it regulates. That’s a major reason you have not heard about how the pipelines get to collect a tax that Congress does not require them to pay.

    FERC chooses to set pipeline profits on an after-tax basis. This means that for every dollar of authorized after-tax profit, a monopoly pipeline adds 54 cents to cover the “grossed up” federal income tax of 35 percent of profits.

    Thus, a monopoly pipeline authorized to earn $1 billion after tax actually collects $1.54 billion. If it actually owed the 35 percent income tax rate, it would be left with a net profit of $1 billion.

    Even Investors Don’t Get the Tax Profits

    Most monopoly pipelines are organized as master limited partnerships, or MLPs. Congress exempted MLPs from corporate income tax under the 1986 Tax Reform Act.

    So collecting the tax that never gets paid, I reported previously, means the pipeline really earns an after-tax rate of return that is 154 percent of what is authorized.

    What makes this outrage even worse is that MLP investors do not get the tax money. Management contracts, whose terms are obfuscated in disclosure reports, sweep the fake tax dollars away to the companies that oversee the MLPs and primarily enrich their executives, as Gordon Gooch, FERC’s former general counsel, found by scrutinizing those documents.

    Gooch first alerted me to this rip-off and his petitions to FERC to stop it years ago.

    FERC dismisses his petitions, saying that, as a mere consumer, he has no standing to challenge its decisions. Gooch’s latest petition is labeled “prohibited” by FERC, yet it listens closely to everything the industry it regulates wants. It even holds “off the record” “technical conferences” with the industry’s lawyers and lobbyists.

    What the Court Found

    The new court ruling shows that the pipelines are ripping people off for not just 54 percent more than their profits, as I have reported, but for double that.

    In the latest twist in a case known colloquially as United Airlines v. FERC, Senior Circuit Judge David B. Sentelle, who has been hearing appeals of FERC pipeline tax cases for a quarter-century, came to this conclusion on July 1 in the U.S. Court of Appeals, District of Columbia Circuit Court.

    Judge Sentelle wrote that United Airlines and eight other pipeline customers, known as the Shippers, complain that they are being overcharged because the rates they pay include covering taxes that the pipelines do not owe. You end up paying the bill when they pass these costs on through higher fares or in reduced profits earned by shareholders.

    The Shippers “claim that because FERC’s rate-making methodology already ensures a sufficient after-tax rate of return to attract investment capital, and partnership pipelines otherwise do not incur entity-level taxes, FERC’s tax allowance policy permits partners in a partnership pipeline to ‘double recover’ their taxes.”

    Judge Sentelle concluded that the plaintiffs were right.

    Unfortunately, he did not include the tax algebra in his decision so that we could calculate the amount of the overcharges.

    Previously I calculated from disclosure reports that the pipeline industry tax rip-off totals about $3.4 billion annually. A Congressional study prompted by my reporting estimated the cost at $1.9 billion. Judge Sentelle’s decision suggests the rip-off costs Americans somewhere between $3.8 billion and $6.8 billion annually.

    What the Court Did—and Didn’t—Do

    The problem is in what Judge Sentelle ordered. He could have blocked the fake tax, but did not. Instead he sent the issue back to FERC, giving it an opportunity to gin up another justification for letting pipelines collect twice on a tax they never have to pay.

    “We agree that FERC has not adequately justified its tax allowance policy for partnership pipelines and grant the Shippers’ petition,” Sentelle ruled (PDF).

    Sentelle in an earlier ruling had allowed the pipelines to collect the fake tax. In a ruling before that, in the late 1990s, he held that collecting the tax from shippers was improper because it was a nonexistent expense that he called a “phantom tax.” Judge Sentelle noted that once you start allowing imaginary expenses there is no end to the mischief.

    FERC got around this by inventing a new regulatory approach called the “position paper” that allowed pipeline lobbyists to legally meet with commissioners in secret to craft the plan. Only then was it announced as a case, which ended the one-sided meetings. All sides were then given two weeks and allowed one 15-page filing with no rebuttals. The rate case was, to be polite, a sham.

    The awful details are laid out in my 2012 book, The Fine Print and, in shorter form, in a 2010 column I wrote for the policy journal Tax Notes.

    Why It Matters

    By law FERC must balance the interests of pipeline owners and pipeline customers using the “just and reasonable” theory that owners are entitled to reasonable profits and customers to reasonable prices. Instead, it favors pipelines (and other monopolies it regulates) because most of the commissioners come from—and later go back to—the industries they regulate.

    In Judge Sentelle’s most recent previous decision in the matter he allowed the fake tax to be imposed by the pipelines using reasoning I think is specious. Sentelle made clear that he was deeply vexed by the idea of making shippers pay a tax that is not imposed by Congress. However, he ruled that, since FERC had explained its rationale, it was beyond the court’s authority to challenge the regulatory decision.

    That last part is nonsense. No matter how well FERC explains itself, no matter the absurd argument it came up with in its one-sided sham proceedings, a fake tax is a fake tax is a fake tax. No one should have to pay any tax that goes not to government but stays with the business. And whether seen as an obligation of the pipeline’s direct customers, like United Airlines, or the ultimate customer—you—no justification exists for imposing a tax unless Congress requires it and the money goes to Uncle Sam.

    That’s why United Airlines and the other shippers sued again to reduce the price they were being charged for transporting airline fuel.

    In his latest ruling Sentelle seems to recognize his error, but unfortunately he did not block the fake tax from being collected. Instead he told FERC to undertake yet another rule-making proceeding. Based on past history you will keep being dinged for this fake tax.

    There is an easy solution to this and the man to solve it is Norman C. Bay, current FERC chairman. His background is as an enforcement staffer at FERC; he’s not the usual pro-industry regulator. Bay can ask commissioners to vote on ending the inclusion of the corporate income tax in the rates that pipelines charge customers like United Airlines. But I doubt he will unless the public demands action to make sure that pipelines charge only for actual expenses, which would not include the corporate income tax that Congress says does not apply to Master Limited Partnership pipelines.

    You can do something about this. Tell your congressperson and senators you can’t believe they are doing nothing about a fake tax that you are forced to pay. Demand hearings. Demand an end to this tax abuse.

    Pulitzer Prize winner and recipient of an IRE medal and the George Polk Award, David Cay Johnston is author of five books. His new book, The Making of Donald Trump, was published on Aug. 2, 2016. His next one will be The Prosperity Tax: A New Federal Tax Code for the 21st Century Economy. Johnston is a Distinguished Visiting Lecturer at Syracuse University College of Law and Whitman School of Management, and also writes for The Daily Beast and Tax Notes.


    Tools of the Trade

    As its name implies, a decompiler performs the opposite operation of a compiler: it transfers compiled bytecode to corresponding high-level source code. By knowing the relationship between the high-level code and its corresponding IL bytecode, a decompiler can identify and convert the IL instructions into their high-level equivalent.

    It's easier to decompile IL than to decompile another language such as assembly, for the following reasons:

    Compilation from high-level source code to IL requires a simple transformation that can easily be reversed. Although some operations are composed from a few low-level pieces of code, many perform a one-to-one transformation.

    The decompiler knows the types of variables included in the IL. The x86 assembler needs to make assumptions based on how variables are used.

    The decompiler is aware of the application's structure, code flow, memory layout, and other important information, thereby enabling a cleaner transformation.

    The compiler leaves most of the optimizations to the JIT compiler, and as such it produces clearer code.

    IL contains the code's metadata, a description of all the classes and class members defined in the assembly and those that are used externally. The metadata includes a complete description of methods, the return type, and all the method parameters.

    The names of classes, methods, and parameters help to generate source code that is very similar to the original.

    Having all that information in one place makes the decompilation process much easier and more accurate.


    Figure 3.4. The .NET Reflector User Interface

    So now by navigating inside the content of that DLL, we can see all the namespaces it contains, the classes, their code, and other useful information.

    You can use .NET Reflector on .NET Framework assemblies by directly loading them from the file system or from the cache. Then you can see how the framework was implemented and the code that Microsoft's developers wrote. This will give you a clue as to how your application is supposed to behave. Another option for looking at the source code is to obtain the Shared Source Common Language Infrastructure (SSCLI, previously known as the Rotor project), which you can freely download from the Microsoft Web site. The preferred method, however, is to look at the compiled binaries, since this is the actual, accurate code for the binary version.

    Besides enabling code decompilation, one of the interesting features of .NET Reflector is its ability to build a full-blown Visual Studio solution (and project file) containing all of the classes' code and resources. This feature, called Export, lets you actually reverse compiled executable source code into the IDE, add your own pieces of code, and compile it back into an executable.

    For the Java runtime, there are two recommended open source decompilers you should use: the DJ Java Decompiler and the JODE Decompiler. They do a great job of letting you decompile Java class files back to their Java source code representations. Also available is a plug-in for Java decompilation, called JadClipse. JadClipse is intended for use with Eclipse, a commonly used IDE for Java.

    You can download the aforementioned open source decompilers from the following Websites:

    For the Android Dalvik runtime environment, there is no straightforward decompiler available; you cannot just load the compiled code into an easy-to-use tool such as those provided for Java and .NET. Instead, you must implement a workaround that involves going back to the Dalvik Java bytecode representation and using the Java decompiler on that. To move from the classes.dex file to its bytecode disassembly you need to use a tool called dexdump, and feed the result into another tool called undx. The result will be then readable by any Java decompiler, including those described earlier.

    A variety of commercial decompilers are also available, including the following:

    Sothink decompiler (Java)

    These tools enable users to bypass antidecompilation techniques commonly used by code obfuscation tools (i.e., tools that are used as reverse-engineering deterrents) to make the code more difficult to understand.

    An interesting feature of debuggers is their ability to decompile to any high-level language that can be compiled to the target runtime. Since high-level languages are compiled to the same (almost identical) IL, a given piece of IL code can be translated back to any language the user chooses. Therefore, a common feature of decompilers is to allow the user to choose the high-level language into which the IL code will be decompiled.

    Figure 3.5 shows the different languages into which the code can be decompiled in Spices.NET.


    Figure 3.5. Using Spices.NET to Decompile an Executable to a Specific Language

    Decompilers play an important role when producing MCRs. They help you to understand the code that is about to be modified, the first step of gathering information about the target.

    Decompilers also provide information to the attacker regarding how the framework was built, the classes it uses, and how the classes interact. Essentially, a decompiler lets you review the source code of the classes the applications use, and helps you to do the following:

    Decide where to inject external code.

    Know what to modify.

    Highlight interesting classes.

    Determine class member variable values.

    Plan how to add code to a given method.

    Investigate which code to remove from a method (so that it can still work).

    Reveal the existence of private methods not exposed to the outside world.

    Reveal the existence of private class members.

    Decompilers cannot always produce high-level source code that can be compiled back into a binary. In many cases, the decompiler/compiler must have references to external classes when generating a binary from generated source code. In such cases, it probably is better to use an assembler/disassembler.

    Forensic Software and Hardware

    REC is a portable reverse engineering compiler, or decompiler. It reads an executable file and attempts to produce a C-style representation of the code and data used to build the executable file. It is portable because it has been designed to read files produced for many different targets, and it has been compiled on several host systems.

    RecStudio offers a modern user interface to REC's interactive mode. A command-line version is still available for Linux and Solaris hosts.

    These are some of REC's features:

    Multitarget operation: REC can decompile 386, 68k, PowerPC, and MIPS R3000 programs.

    Multiformat operation: REC recognizes the following file formats:

    ELF (System V release 4, for example Linux and Sun Solaris)

    COFF (System V release 3.x, for example SCO)

    PE (Win32 .exe and .dll for Windows 95 and NT)

    AOUT (BSD derivatives, for example SunOS 4.x)

    Sony PlayStation PS-X (MIPS target only)

    Raw binary data (through CMD files)

    Multihost operation: REC is available for Linux 3.0 (i386), Windows 95, and Sun SunOS 4.1.4.

    Supports high-level symbolic information in COFF, ELF+STAB, and AOUT+STAB.

    Scalable user interaction: From 100 percent batch mode to a full-screen, browser-like interactive mode.

    HTTP server mode allows the use of an HTML browser as the user interface.

    Table 13.1 contains a list of forensic software tools.
