Dailydave mailing list archives

Re: Mutating to avoid structural analysis


From: Stefan Wagner <sw () alldas org>
Date: Sun, 09 Dec 2007 01:51:14 +0100

Hi,

So my question is this: is defeating a structural based fingerprint of
a program more difficult to do than defeating behavioral based
fingerprints?

Yiha! Works excellent over here :D
Keythingy (for me) is to 'crypt' the Libcalls while you smuggle 'em in.
Just to make sure IDS/AV kids won't get lucky with their static pattern
bs... Reserve 1K of space within' your code for the main (superspeedy)
decrypting code and hide the main eor-thing (or xor-omgzomg) in
crapcalls, like:

moveq #0,d0
sub.l d0,d0
add.l #<random>, d0
<insert more boredom/cleverness here>
to replace NOP calls and make the code look legit

In this random mess it's perfectly fine to hide your very own code to
decrypt the mainlib and other stuff (the main decrypt thingy is a 6 cmd
one (wh00h00) 2 be executed during the initial call).

Cheers,
  Stefan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
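As an added example, not part of Stefan's post or of the list, here is the detection side of the trick above: a small Python peephole normalizer that folds the `moveq #0,d0 / sub.l d0,d0 / add.l #<random>,d0` padding back into its net effect, so a structural fingerprint taken over the normalized stream is the same for every random variant of the stub. It assumes a tiny m68k-style text listing (moveq, move.l, add.l, sub.l on d0-d7, `;` comments); the listings below are constructed for illustration.

```python
import hashlib
import re
MASK = 0xFFFFFFFF
DREGS = {f"d{i}" for i in range(8)}
INSN = re.compile(r"^([a-z]+(?:\.[bwl])?)(?:\s+(.*))?$", re.I)

def _value(tok, known):
    """Constant held by an operand: a '#imm' literal or a tracked register, else None."""
    if tok.startswith("#"):
        body = tok[1:]
        return (int(body[1:], 16) if body.startswith("$") else int(body, 10)) & MASK
    return known.get(tok)

def normalize(listing):
    """Fold constant-only junk into one 'move.l #$imm,dN' per data register.
    Registers written only via moveq/move.l/add.l/sub.l are tracked and emitted once,
    when an opaque instruction follows or at the end; everything else passes through."""
    known, out = {}, []
    def flush(regs):
        for r in sorted({r for r in regs if r in known}):
            out.append(f"move.l #${known.pop(r):x},{r}")
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip()
        if not line or line.lower() == "nop":
            continue                                  # NOPs never change state
        op, rest = INSN.match(line).groups()
        op, ops = op.lower(), [o.strip() for o in (rest or "").split(",")]
        dst = ops[-1]
        if op in ("moveq", "move.l", "add.l", "sub.l") and len(ops) == 2 and dst in DREGS:
            src, sval = ops[0], _value(ops[0], known)
            if op == "sub.l" and src == dst:
                known[dst] = 0                        # x - x is 0 even for unknown x
            elif op in ("moveq", "move.l") and sval is not None:
                known[dst] = sval
            elif op in ("add.l", "sub.l") and sval is not None and dst in known:
                known[dst] = (known[dst] + sval if op == "add.l" else known[dst] - sval) & MASK
            else:                                     # depends on untracked state
                flush([src, dst])
                out.append(line)
                known.pop(dst, None)
        else:
            flush(list(known))                        # opaque instruction: drop all state
            out.append(line)
    flush(list(known))
    return out

def fingerprint(listing):
    """Hash of the normalized stream: identical across junk variants of one stub."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

Two stubs that differ only in the random padding hash to the same fingerprint, which is the property a structural signature needs to survive this kind of mutation.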

