Dailydave mailing list archives
Mutating to avoid structural analysis
From: Dave Aitel <dave () immunityinc com>
Date: Sat, 08 Dec 2007 12:44:16 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So flying home from JFK I was wondering this...

Given that avoiding "behavioral signatures" is a matter of calling random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP), Halvar's program classification techniques involve a structural differencing engine. This has advantages (see his talk for details) in that program structure closely reflects the semantic meaning of a program, as interpreted by a compiler.

So the obvious way, from what I can tell, to defeat a structural differencing algorithm would be to do a static or dynamic analysis of your target program, and for each CALL opcode, change the destination to a dispatcher function. This dispatcher function can then be built to do an O(1) table lookup to find the true destination of the call. So now all your functions call one function D. Your call graph is meaningless without reverse engineering the dispatcher function and reconstructing it, or doing dynamic analysis of the whole program (assuming you can get decent code coverage).

For bonus points you could mutate your dispatcher function by putting it as a never-used basic block in lots of other functions. You'd probably also want to do some other easy obfuscation.

So my question is this: is defeating a structure-based fingerprint of a program more difficult to do than defeating behavior-based fingerprints?

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHWtfuB8JNm+PA+iURAgkTAJ9SvFTyihlTarCATljKl+9wd7paBwCfW5Ih
xf7/T5wTHaPEFuyVO4X5Px0=
=7/Tb
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
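The call-graph flattening Dave sketches, worked through on a toy model as an added example (this is editor-written illustration, not code from the post, from Immunity, or from any structural differencing tool). The instruction set, the sample program and every name in it (the `main`/`parse`/`emit` functions, the dispatcher `D`, the `("call", target)` tuples) are constructed for the example; there is no real x86 here. It shows three things: the static call graph a structural differ would extract before and after the rewrite, that the rewritten program still executes the same trace, and that a dynamic analysis which records the real target resolved inside `D` recovers the original graph, which is the caveat in the post about needing code coverage.

```python
"""Toy model of redirecting every CALL through a dispatcher D that does an
O(1) table lookup to reach the true destination.

A program is a dict: function name -> list of instructions.
  ("op", label)            any non-call work (constructed placeholder)
  ("call", target)         direct call, as seen by static analysis
  ("call", "D", site)      call into the dispatcher carrying a site index
  ("dispatch",)            D's body: look up table[site] and call it
Everything in this file is a constructed example, not a real ISA or tool.
"""
from collections import defaultdict

DISPATCHER = "D"

# Constructed sample program with a small, readable call graph.
ORIGINAL = {
    "main":       [("op", "setup"), ("call", "parse"), ("call", "emit"), ("op", "ret")],
    "parse":      [("call", "read_token"), ("call", "read_token"), ("op", "ret")],
    "emit":       [("call", "write"), ("op", "ret")],
    "read_token": [("op", "ret")],
    "write":      [("op", "ret")],
}


def static_call_graph(program):
    """Edges a structural differ sees: caller -> set(callee) from CALL operands only."""
    graph = defaultdict(set)
    for fn, body in program.items():
        for ins in body:
            if ins[0] == "call":
                graph[fn].add(ins[1])
    return dict(graph)


def edge_count(graph):
    return sum(len(callees) for callees in graph.values())


def flatten(program):
    """Rewrite every CALL so its visible destination is D.

    Each call site gets an index into `table`; D resolves table[site] at run
    time, so the static graph collapses to 'everything calls D'.
    """
    table = []            # site index -> true destination (the O(1) lookup)
    out = {}
    for fn, body in program.items():
        new_body = []
        for ins in body:
            if ins[0] == "call":
                site = len(table)
                table.append(ins[1])
                new_body.append(("call", DISPATCHER, site))
            else:
                new_body.append(ins)
        out[fn] = new_body
    out[DISPATCHER] = [("dispatch",)]   # the only place the real targets are reachable
    return out, table


def run(program, table=(), entry="main"):
    """Execute the toy program.

    Returns (trace, dynamic_graph). The dynamic graph attributes each edge to the
    function that called D, i.e. what a tracer that looks through the dispatcher
    would reconstruct, given that this run actually covers the code.
    """
    trace = []
    dyn = defaultdict(set)

    def exec_fn(fn, caller, site_reg):
        for ins in program[fn]:
            kind = ins[0]
            if kind == "op":
                trace.append((fn, ins[1]))
            elif kind == "call":
                target = ins[1]
                arg = ins[2] if len(ins) > 2 else None
                if target != DISPATCHER:
                    dyn[fn].add(target)
                exec_fn(target, fn, arg)
            elif kind == "dispatch":
                target = table[site_reg]     # O(1) lookup of the true destination
                dyn[caller].add(target)      # edge credited to D's caller, not to D
                exec_fn(target, fn, None)

    exec_fn(entry, None, None)
    return trace, dict(dyn)


if __name__ == "__main__":
    flat, table = flatten(ORIGINAL)
    print("static before:", static_call_graph(ORIGINAL))
    print("static after: ", static_call_graph(flat))
    print("same trace:   ", run(ORIGINAL)[0] == run(flat, table)[0])
    print("dynamic after:", run(flat, table)[1])
```

The static view after `flatten` has fewer edges than before and every one of them points at `D`, so a graph-based differ gets nothing to match on. The dynamic view is unchanged only because the run reached every call site; a site never exercised stays hidden behind `D`, which is exactly why the post qualifies dynamic analysis with "assuming you can get decent code coverage".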
Current thread:
- Mutating to avoid structural analysis Dave Aitel (Dec 08)
- Re: Mutating to avoid structural analysis Stefan Wagner (Dec 09)
- Re: Mutating to avoid structural analysis Halvar Flake (Dec 19)