Dailydave mailing list archives

Mutating to avoid structural analysis


From: Dave Aitel <dave () immunityinc com>
Date: Sat, 08 Dec 2007 12:44:16 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So flying home from JFK I was wondering this...

Given that avoiding "behavioral signatures" is a matter of calling
random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP),
Halvar's program classification techniques involve a structural
differencing engine. This has advantages (see his talk for details) in
that program structure closely reflects the semantic meaning of a
program, as interpreted by a compiler.

So the obvious way, from what I can tell, to defeat a structural
differencing algorithm would be to do a static or dynamic analysis of
your target program, and for each CALL opcode, change the destination
to a dispatcher function. This dispatcher function can then be built
to do an O(1) table lookup to find the true destination of the call.

So now all your functions call one function D. Your call graph is
meaningless without reverse engineering the dispatcher function and
reconstructing it, or doing dynamic analysis of the whole program
(assuming you can get decent code coverage).

For bonus points you could mutate your dispatcher function by putting
it as a never-used basic block in lots of other functions. You'd
probably also want to do some other easy obfuscation.

So my question is this: is defeating a structure-based fingerprint of
a program more difficult to do than defeating behavior-based
fingerprints?

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHWtfuB8JNm+PA+iURAgkTAJ9SvFTyihlTarCATljKl+9wd7paBwCfW5Ih
xf7/T5wTHaPEFuyVO4X5Px0=
=7/Tb
-----END PGP SIGNATURE-----
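The rewrite described in the message, modelled as an added example (this is not code from the post, from Dave Aitel, or from any real diffing tool): a constructed toy call graph with hypothetical function names is rerouted so that every CALL targets one dispatcher D and the true target moves into D's lookup table, indexed by a per-call-site slot. A crude structural fingerprint (the multiset of in/out-degree pairs) is computed before and after, which shows the static view collapsing into a star around D, and then the analyst's counter-step of reading each call site's slot and resolving it through the table, which restores the original graph exactly.

```python
from collections import Counter

DISPATCHER = "D"

# Constructed toy program: each function maps to its ordered list of direct
# callees. The names are hypothetical stand-ins for disassembler labels.
ORIGINAL = {
    "main": ["parse_args", "connect", "send_report"],
    "parse_args": ["strtol"],
    "connect": ["socket", "connect_sys"],
    "send_report": ["connect", "send"],
    "strtol": [],
    "socket": [],
    "connect_sys": [],
    "send": [],
}


def flatten_calls(callgraph, dispatcher=DISPATCHER):
    """Model of the rewrite in the post: every CALL is retargeted to one
    dispatcher, and the real target moves into a lookup table indexed by a
    per-call-site slot number. Returns (rewritten program, table)."""
    table = {}
    rewritten = {}
    slot = 0
    for fn, callees in callgraph.items():
        sites = []
        for target in callees:
            table[slot] = target          # D does table[slot] at run time
            sites.append((dispatcher, slot))
            slot += 1
        rewritten[fn] = sites
    rewritten[dispatcher] = []            # D itself makes no direct CALLs
    return rewritten, table


def static_callgraph(rewritten):
    """What a purely structural pass sees: the CALL operand, not the slot."""
    return {fn: [target for target, _slot in sites] for fn, sites in rewritten.items()}


def resolve_dispatcher(rewritten, table, dispatcher=DISPATCHER):
    """Analyst's recovery step: read the slot at each call site, look it up
    in the dispatcher's table, and drop D from the graph."""
    return {
        fn: [table[slot] if target == dispatcher else target for target, slot in sites]
        for fn, sites in rewritten.items()
        if fn != dispatcher
    }


def structural_signature(callgraph):
    """Crude stand-in for a structural fingerprint: the multiset of
    (in-degree, out-degree) pairs over all functions."""
    indeg = Counter()
    for callees in callgraph.values():
        indeg.update(callees)
    return Counter((indeg[fn], len(callees)) for fn, callees in callgraph.items())


def similarity(sig_a, sig_b):
    """Multiset Jaccard overlap of two signatures, 0.0 .. 1.0."""
    inter = sum((sig_a & sig_b).values())
    union = sum((sig_a | sig_b).values())
    return inter / union if union else 1.0


def demo():
    """Similarity to the original before and after resolving the dispatcher."""
    rewritten, table = flatten_calls(ORIGINAL)
    sig_orig = structural_signature(ORIGINAL)
    sig_flat = structural_signature(static_callgraph(rewritten))
    sig_rec = structural_signature(resolve_dispatcher(rewritten, table))
    return similarity(sig_orig, sig_flat), similarity(sig_orig, sig_rec)


if __name__ == "__main__":
    before, after = demo()
    print(f"original vs. flattened, static view:        {before:.3f}")
    print(f"original vs. flattened, dispatcher resolved: {after:.3f}")
```

On this toy graph the static similarity drops to 1/16 because every non-leaf now has a single callee D and D's in-degree swallows the whole edge set, while the resolved graph is identical to the original. The recovery step is only this easy because the slot is a visible constant at each call site; a dispatcher that computes the slot, or that is copied into dead blocks of other functions as the post suggests, pushes the analyst toward the dynamic-coverage approach the message mentions.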


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
