
Mutating The Mutators Sean O'Toole

What is Borrowed From Metamorphism: metamorphic shrinker/expander modules. Expander: an expander creates a "direct expansion" of opcodes. Direct expansion: a group of opcodes that reproduces the action of a single opcode. Shrinker: inverts the actions of the expander. A shrinker module rarely fully optimizes a piece of code, since fully optimized code is exactly what could commonly be found in memory while the program runs.

Direct Expansion Example. Original code: MOV REG1, REG2, whose second byte carries {REG2} {REG1}. Direct expansion: PUSH REG2 / POP REG1, whose opcodes carry {REG2} and {REG1} respectively. If REG1 = edx (010) and REG2 = ecx (001): Original: 89CAh. Direct: 51 5Ah.

Addition to Metamorphism. Indirect expansion: an expansion that includes the opcodes of a direct expansion, but also includes code that does not affect the result of the code.

Indirect Expansion Example. Original: MOV REG1, REG2 ({REG2} {REG1}). Indirect expansion: ADD REG1, REG2 ({REG1} {REG2}) / PUSH REG2 ({REG2}) / OR REG1, 0Ah ({REG1}) / POP REG1 ({REG1}). If REG1 = edx (010) and REG2 = ecx (001): Original: 89CAh. Indirect: 01D CA0A 5Ah.

Indirect Expansion Engine Theory. Each opcode has certain ways, or rules, in which its operands can be manipulated without affecting the outcome of the original opcode's result. In the example, the rule is: "REG1 can be manipulated at any point before POP REG1, as long as REG1 is not the register ESP."

Using Rules in the Engine. The rules appear as "labels" in the buffer. Ex. RULE1 = REG1 can be manipulated.

Start:
RULE1_Start:   ADD REG1, REG2
INSTRUCTION1:  PUSH REG2
               OR REG1, 0Ah
RULE1_End:
INSTRUCTION2:  POP REG1
END:

Tools Used in Implementation of the Engine. A metamorphic engine: a good example of a metamorphic engine is found in the Metaphor (AKA Simile) virus by Mental Drill, published in 29A Labs #6. Executable Trash Generator (ETG): a module written by Zombie, available on his site z0mbie.host.sk.

Calling the Executable Trash Generator:

PUSH offset rnd       ; offset of random # generator
PUSH offset buffer    ; offset of output buffer
PUSH size             ; size of the buffer
PUSH numCmds          ; max number of commands
PUSH offset buffsize  ; size of random code
PUSH destregs         ; destination registers flag
PUSH scrregs          ; source registers flag
PUSH cmds             ; commands flag
CALL etg_engine

Using the ETG to Develop Indirect Expansions. The commands chosen in the commands flag, as well as the code in direct expansions, must be mapped so that register codes can be inserted into the opcode. If the destination and source register flags are both set to EAX, whose flag is 01h, then the register codes can be mapped onto an opcode by OR-ing the indirect expansion with the register values in the proper bit positions.

Extracting Registers From Opcodes. MOV Reg1, Reg2: general binary form {REG2} {REG1}; the second byte's range is C0 to FF.

Reg1 = Second_Byte AND 111b
Reg2 = SHR (Second_Byte AND 111000b), 3

Inserting Registers Into Opcodes.

PUSH Reg2, general form {Reg2}: New_Opcode = 50h OR Reg2
POP Reg1, general form {REG1}: New_Opcode = 58h OR Reg1
OR Reg1, {Random Number}, general form {REG1} {Random Number}: New_Opcode = 83C800h OR (SHL Reg1, 8) OR Random_Number

Protocol for Changing Expansions. Since complete optimization during shrinking leaves code that any scanner can see, not all expansions can be changed at the same time. Protocol: the shrinker holds half of generation n and half of generation n-1; the expander holds the remaining half of generation n and creates the expansions for generation n+1.

Why Must Metamorphism Be Improved. Currently, metamorphic engines can be defeated by a static scanner that contains the same relationships as the shrinker, run the same number of times as the expander is recursively run. The static scanner does not need emulation, since it only needs to find binary strings that match an expansion.

Why Use This Technique. Since the expander/shrinker relationships do not remain static, a static scanner cannot be used to defeat the technique. The engine will also expand opcodes that are part of the worthless code in a previous expansion. This adds an extra layer of complexity, since the worthless opcode's expansion will contain opcodes that look worthwhile in the context of the expansion.

Thank You For Coming. I Am Happy To Answer Any Questions.