sheep-wolf is a tool to help you exploit MD5 collisions in software, especially malware samples, which are commonly detected using MD5 hash signatures.
... and then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and share your results by issuing a pull request updating the contents of results/!
Dependencies
32-bit Windows (virtual) machine (64-bit breaks stuff)
Visual Studio 2012 to compile the projects (Express will do)
Fastcoll for collisions
Optional: Cygwin+MinGW to compile Evilize
How does it work?
shepherd.bat executes shepherd.exe with the user supplied command line arguments
shepherd.exe generates a header file (sc.h) that contains the encrypted shellcode, the password and the CRC of the plain shellcode
shepherd.bat executes the build process of sheep.exe
sheep.exe is built with sc.h included by Visual Studio
shepherd.bat executes evilize.exe
evilize.exe calculates a special IV for the chunk of sheep.exe right before the block where the collision will happen
evilize.exe executes fastcoll.exe with the IV as a parameter
fastcoll.exe generates two 128-byte colliding blocks: a and b
evilize.exe replaces the original string buffers of sheep.exe so that they contain combinations a and b
The resulting files (evilize/wolf.exe and evilize/sheep.exe) have the same MD5 hashes but behave differently. The real code to be executed only appears in the memory of evilize/wolf.exe.
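Why this matters to a product that fingerprints binaries with MD5, as an added example (not code from the sheep-wolf project): a verdict cache keyed on MD5 returns the first file's cached verdict for a second, different file, while a SHA-256 key or cross-check does not. The VerdictCache class is hypothetical, and the sample input is the widely published 128-byte MD5 collision pair from Wang et al., used here in place of the tool's output.

```python
import hashlib

# Constructed sample input: the public Wang et al. MD5 collision pair,
# standing in for sheep.exe and wolf.exe. It is inert data, not a program.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
# The second block differs from the first only in the top bit of six bytes.
_FLIPPED = (19, 45, 59, 83, 109, 123)
BLOCK_B = bytes(b ^ 0x80 if i in _FLIPPED else b for i, b in enumerate(BLOCK_A))


class VerdictCache:
    """Hypothetical scan-verdict cache; `algo` selects the fingerprint used as key."""

    def __init__(self, algo):
        self.algo = algo
        self._verdicts = {}  # key digest -> (verdict, SHA-256 of the scanned file)

    def _key(self, data):
        return hashlib.new(self.algo, data).hexdigest()

    def record(self, data, verdict):
        self._verdicts[self._key(data)] = (verdict, hashlib.sha256(data).hexdigest())

    def lookup(self, data):
        """Return (verdict, collided); collided means the key matched but the content did not."""
        hit = self._verdicts.get(self._key(data))
        if hit is None:
            return None, False
        verdict, sha256 = hit
        return verdict, sha256 != hashlib.sha256(data).hexdigest()


def demo():
    """Scan one file, then look up a different file, once per key algorithm."""
    results = {}
    for algo in ("md5", "sha256"):
        cache = VerdictCache(algo)
        cache.record(BLOCK_A, "clean")         # first file is scanned and cached
        results[algo] = cache.lookup(BLOCK_B)  # a different file arrives later
    return results


if __name__ == "__main__":
    print(demo())
```

A lookup that returns a verdict with collided set to True is the signal worth alerting on: two distinct files sharing one MD5 does not happen by accident.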
You can download sheep-wolf here