# Mutating The Mutators

Sean O'Toole

## Presentation transcript

### What Is Borrowed From Metamorphism

Metamorphic shrinker/expander modules:

- Expander: creates a "direct expansion" of opcodes.
- Direct expansion: a group of opcodes that reproduces the action of a single opcode.
- Shrinker: inverts the actions of the expander. A shrinker module rarely fully optimizes a piece of code, since the fully optimized code is the form that could commonly be found in memory while the program runs.

### Direct Expansion Example

Original code:

```
MOV REG1, REG2      ; 1000 1001 11 {REG2} {REG1}
```

Direct expansion:

```
PUSH REG2           ; 0101 0 {REG2}
POP REG1            ; 0101 1 {REG1}
```

If REG1 = edx (010) and REG2 = ecx (001): Original: 89CAh; Direct: 51 5Ah.

### Addition to Metamorphism

Indirect expansion: an expansion that includes the opcodes of a direct expansion, but also includes code that does not affect the result of the original code.

### Indirect Expansion Example

Original:

```
MOV REG1, REG2      ; 1000 1001 11 {REG2} {REG1}
```

Indirect expansion:

```
ADD REG1, REG2      ; 0000 0001 11 {REG1} {REG2}
PUSH REG2           ; 0101 0 {REG2}
OR REG1, 0Ah        ; 1000 0011 1100 1 {REG1} 0000 1010
POP REG1            ; 0101 1 {REG1}
```

If REG1 = edx (010) and REG2 = ecx (001): Original: 89CAh; Indirect: 01D1 51 83CA0A 5Ah.

### Indirect Expansion Engine Theory

Each opcode has certain ways, or rules, in which its operands can be manipulated without affecting the outcome of the original opcode. In the example, the rule is: "REG1 can be manipulated at any point before POP REG1, as long as REG1 is not register ESP."

### Using Rules in the Engine

The rules appear as "labels" in the buffer. Example: RULE1 = REG1 can be manipulated.

```
Start:
RULE1_Start:    ADD REG1, REG2
INSTRUCTION1:   PUSH REG2
                OR REG1, 0Ah
RULE1_End:
INSTRUCTION2:   POP REG1
END:
```

### Tools Used in Implementation of the Engine

- A metamorphic engine. A great example of a metamorphic engine can be found in the Metaphor (a.k.a. Simile) virus by The Mental Driller, published in 29A Labs #6.
- Executable Trash Generator (ETG). This is a module written by Z0mbie and is available on his site: z0mbie.host.sk.

### Calling the Executable Trash Generator

```
PUSH offset rnd       ; offset of random number generator
PUSH offset buffer    ; offset of output buffer
PUSH size             ; size of the buffer
PUSH numCmds          ; max number of commands
PUSH offset buffsize  ; size of random code
PUSH destregs         ; destination registers flag
PUSH scrregs          ; source registers flag
PUSH cmds             ; commands flag
CALL etg_engine
```

### Using the ETG to Develop Indirect Expansions

The commands selected by the commands flag, as well as the code in direct expansions, must be mapped so that register codes can be inserted into the opcode. If the destination and source register flags are both set to EAX, whose flag is 01h, then the register codes can be mapped onto an opcode by ORing the register values into the proper field of the indirect expansion.

### Extracting Registers From Opcodes

MOV Reg1, Reg2, general binary form: `1000 1001 11 {REG2} {REG1}`

- Second byte's range: C0h to FFh.
- Reg1 = Second_Byte AND 111b
- Reg2 = (Second_Byte AND 111000b) SHR 3

### Inserting Registers Into Opcodes

- PUSH Reg2, general form: `0101 0{REG2}`. New opcode = 50h OR Reg2
- POP Reg1, general form: `0101 1{REG1}`. New opcode = 58h OR Reg1
- OR Reg1, {Random Number}, general form: `1000 0011 1100 1 {REG1} {Random Number}`. New opcode = 83C800h OR (Reg1 SHL 8) OR Random_Number

### Protocol for Changing Expansions

Since complete optimization during shrinking would let the code be seen by any scanner, not all expansions can be changed at the same time. Protocol:

- The shrinker holds half of generation n and half of generation n-1.
- The expander holds the remaining half of generation n and creates the expansions for generation n+1.

### Why Must Metamorphism Be Improved

Currently, metamorphic engines can be defeated by running a static scanner that contains the same relationships as the shrinker, run the same number of times as the expander is recursively run. The static scanner does not need to emulate the code, since it only has to find binary strings that match an expansion.
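To make the static-scanner point concrete, here is an added Python example (not code from the talk): a defender-side shrinker for the opcode subset on the slides that folds PUSH REG2 / POP REG1, together with dead writes to REG1 around it, back into MOV REG1, REG2 and repeats until nothing changes, so a signature can be matched on normalised bytes instead of mutated ones. The constructed sample encodes the slide's ADD REG1, REG2 with the source register in the ModRM reg field, the same layout the slides use for MOV, so that it really is ADD edx, ecx; flags are ignored, as the talk does.

```python
# Added example (not from the talk): a scanner-side "shrinker" for the
# opcode subset on the slides. Sample inputs in the tests are constructed.
# Flag side effects of ADD/OR are ignored, as the slides ignore them.

def decode(code):
    """Decode MOV/ADD r32,r32 (89/01, ModRM 11 src dst), PUSH/POP r32
    (50+r/58+r) and OR r32,imm8 (83 C8+r ib) into (mnem, dst, src, raw)."""
    out, i = [], 0
    while i < len(code):
        b = code[i]
        if b in (0x89, 0x01) and i + 1 < len(code) and code[i + 1] >= 0xC0:
            modrm = code[i + 1]                    # 11 {src} {dst}
            out.append(("mov" if b == 0x89 else "add", modrm & 7, (modrm >> 3) & 7, code[i:i + 2]))
            i += 2
        elif 0x50 <= b <= 0x5F:
            out.append(("push" if b < 0x58 else "pop", b & 7, None, code[i:i + 1]))
            i += 1
        elif b == 0x83 and i + 2 < len(code) and 0xC8 <= code[i + 1] <= 0xCF:
            out.append(("or", code[i + 1] & 7, code[i + 2], code[i:i + 3]))
            i += 3
        else:
            raise ValueError("unsupported opcode %02x at offset %d" % (b, i))
    return out

def writes_only(ins, reg):
    """True when the instruction's only register effect is a write to reg."""
    return ins[0] in ("add", "or") and ins[1] == reg

def shrink(code):
    """Return code with every recognised expansion folded back to MOV."""
    ins, changed = decode(code), True
    while changed:                                 # rerun, as the expander is recursive
        changed = False
        for j, (mnem, r1, _, _) in enumerate(ins):
            if mnem != "pop" or r1 == 4:           # slide rule: REG1 must not be ESP
                continue
            k = j - 1                              # walk back over dead writes to REG1
            while k >= 0 and writes_only(ins[k], r1):
                k -= 1
            if k < 0 or ins[k][0] != "push" or ins[k][1] == r1:
                continue
            r2, start = ins[k][1], k               # a dead write before PUSH is junk too
            while start > 0 and writes_only(ins[start - 1], r1):
                start -= 1
            ins[start:j + 1] = [("mov", r1, r2, bytes([0x89, 0xC0 | (r2 << 3) | r1]))]
            changed = True
            break
    return b"".join(i[3] for i in ins)
```

A signature check then becomes `signature in shrink(code)`; anything the shrinker cannot prove dead (such as an ADD that writes REG2) is left in place, so the normaliser never folds code whose effect it did not account for.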

### Why Use This Technique

Since the expander/shrinker relationships do not remain static, a static scanner cannot be used to defeat the technique. The engine will also expand opcodes that are part of the worthless code in a previous expansion. This adds an extra layer of complexity, since the worthless opcode's expansion will contain opcodes that look worthwhile in the context of the expansion.

Thank you for coming. I am happy to answer any questions.
