Dailydave mailing list archives
Re: Mutating to avoid structural analysis
From: Stefan Wagner <sw () alldas org>
Date: Sun, 09 Dec 2007 01:51:14 +0100
Hi,
> So my question is this: is defeating a structural based fingerprint of a program more difficult to do than defeating behavioral based fingerprints?
Yiha! Works excellently over here :D

Keythingy (for me) is to 'crypt' the Libcalls while you smuggle 'em in, just to make sure IDS/AV kids won't get lucky with their static pattern bs... Reserve 1K of space within your code for the main (superspeedy) decrypting code and hide the main eor-thing (or xor-omgzomg) in crapcalls, like:

    moveq   #0,d0
    sub.l   d0,d0
    add.l   #<random>,d0
    <insert more boredom/cleverness here>

to replace NOP calls and make the code look legit. In this random mess it's perfectly fine to hide your very own code to decrypt the mainlib and other stuff (the main decrypt thingy is a 6-cmd one (wh00h00) to be executed during the initial call).

Cheers,
Stefan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
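The trick Stefan describes above, a short decrypt loop buried in register-trashing junk that stands in for NOPs, as an added example that is not part of the original post or the author's code. It runs on a made-up 3-byte-per-instruction VM rather than on m68k so that it executes anywhere; the ISA, opcode and register names, the "pwn" payload and the junk patterns are all assumptions made for this illustration. It also goes one step past the post: it shows that a contiguous byte signature lifted from the un-junked decoder stops matching once junk is interleaved, while every mutation still decodes and runs the same payload.

```python
"""Polymorphic XOR decoder stub with junk instructions on a toy VM.

Illustration code added to this archive page; not from the post or its author.
The ISA below is invented (3 bytes per instruction: opcode, a, b) so the
example runs anywhere; nothing here is real m68k or x86 encoding.
"""
import random

OP_MOVI, OP_XORI, OP_SUB, OP_ADD, OP_LOAD, OP_STORE = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
OP_INC, OP_DEC, OP_JNZ, OP_OUT, OP_HALT = 0x07, 0x08, 0x09, 0x0A, 0x0B

def asm(*instrs):
    """Flatten [op, a, b] triples into bytes."""
    return bytes(b for ins in instrs for b in ins)

# Constructed payload (assumption): prints "pwn" and halts. Uses only r0.
PAYLOAD = asm([OP_MOVI, 0, ord("p")], [OP_OUT, 0, 0],
              [OP_MOVI, 0, ord("w")], [OP_OUT, 0, 0],
              [OP_MOVI, 0, ord("n")], [OP_OUT, 0, 0],
              [OP_HALT, 0, 0])

# What a naive static signature would key on: "load a byte, xor it".
SIG = bytes([OP_LOAD, 2, 0, OP_XORI, 2])

def junk_block(rng):
    """Semantic no-ops on r3, a register nothing else reads (the post's
    moveq/sub/add on a dead register). Each call returns fresh lists."""
    r = rng.randrange(256)
    return rng.choice([
        [[OP_MOVI, 3, 0]],                       # moveq #0,d3
        [[OP_SUB, 3, 3]],                        # sub.l d3,d3
        [[OP_ADD, 3, r]],                        # add.l #<random>,d3
        [[OP_MOVI, 3, r], [OP_XORI, 3, r]],      # load a value, cancel it
        [[OP_INC, 3, 0], [OP_DEC, 3, 0]],        # bump, restore
    ])

def build_stub(payload, key, rng, junk=True):
    """Return decoder stub followed by the XOR-encoded payload.

    Decoder registers: r0 = pointer, r1 = bytes left, r2 = scratch.
    With junk=True, one or two junk blocks follow every real instruction,
    so the stub's bytes and length differ per generation.
    """
    code = []
    def emit(ins):
        code.append(ins)
        if junk:
            for _ in range(rng.randint(1, 2)):
                code.extend(junk_block(rng))
    ptr = [OP_MOVI, 0, 0]                   # payload address, patched below
    emit(ptr)
    emit([OP_MOVI, 1, len(payload)])
    loop_start = len(code)
    emit([OP_LOAD, 2, 0])                   # r2 = mem[r0]
    emit([OP_XORI, 2, key])                 # r2 ^= key
    emit([OP_STORE, 0, 2])                  # mem[r0] = r2 (decode in place)
    emit([OP_INC, 0, 0])
    emit([OP_DEC, 1, 0])
    jnz_at = len(code)
    jnz = [OP_JNZ, 1, 0]                    # branch back while r1 != 0
    emit(jnz)
    jnz[2] = (loop_start * 3 - (jnz_at + 1) * 3) & 0xFF   # signed rel8
    ptr[2] = len(code) * 3                  # decoded payload follows the stub
    return asm(*code) + bytes(b ^ key for b in payload)

def generate(payload, seed, junk=True):
    """Deterministically produce one mutation for a given seed."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)             # never 0: plaintext must not survive
    return build_stub(payload, key, rng, junk)

def run(blob, max_steps=10_000):
    """Execute a blob on the toy VM and return everything OUT emitted."""
    mem = bytearray(256)
    mem[:len(blob)] = blob
    r, pc, out = [0, 0, 0, 0], 0, bytearray()
    for _ in range(max_steps):
        op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
        pc += 3
        if op == OP_MOVI: r[a] = b
        elif op == OP_XORI: r[a] ^= b
        elif op == OP_SUB: r[a] = (r[a] - r[b]) & 0xFF
        elif op == OP_ADD: r[a] = (r[a] + b) & 0xFF
        elif op == OP_LOAD: r[a] = mem[r[b]]
        elif op == OP_STORE: mem[r[a]] = r[b]
        elif op == OP_INC: r[a] = (r[a] + 1) & 0xFF
        elif op == OP_DEC: r[a] = (r[a] - 1) & 0xFF
        elif op == OP_JNZ:
            if r[a]:
                pc += b - 256 if b >= 128 else b
        elif op == OP_OUT: out.append(r[a])
        elif op == OP_HALT: return bytes(out)
        else: raise ValueError(f"bad opcode {op:#x} at {pc - 3}")
    raise RuntimeError("step limit hit")

if __name__ == "__main__":
    for seed in (1, 2):
        blob = generate(PAYLOAD, seed)
        print(seed, len(blob), blob.hex())
        print("  signature hit:", SIG in blob, " output:", run(blob))
```

The property that makes the junk safe to sprinkle between every instruction is that it only touches r3, which neither the decoder nor the payload reads. On real hardware the same care extends to condition codes: on 68k, moveq, sub.l and add.l all write the CCR, so those fillers cannot sit between a compare and the conditional branch that depends on it.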
Current thread:
- Mutating to avoid structural analysis Dave Aitel (Dec 08)
- Re: Mutating to avoid structural analysis Stefan Wagner (Dec 09)
- Re: Mutating to avoid structural analysis Halvar Flake (Dec 19)