Full Disclosure mailing list archives
Re: A modest proposal
From: Gage Bystrom <themadichib0d () gmail com>
Date: Thu, 19 Jul 2012 18:43:52 -0700
1.) Waste of a reference by no follow through :( shame shame

2.) The only real problem with that idea is that you'd be doing it wrong. As in, what you are doing does not accomplish what you want it to do. Those polymorphic techniques are there to prevent identification, not necessarily to prevent hooking, code injection, and reverse engineering. You use completely different techniques for those.

3.) It wouldn't be hard to get around it. Just replace a dll or two with the functions you want to intercept and analyze the output. They couldn't care less how polymorphic your code is if it still needs to pass the juicy data to a library function. And in a lot of cases they are already doing this, so it's highly possible that you could suddenly take an application a piece of malware was designed to harvest information from, make it all polymorphic, and the same old malware version could still mess with it. And yes, it would still be able to identify the application, 'cause the end user needs to be able to identify it and the malware would just use whatever method the end user would to spot it for injection or whatnot.

4.) I will say, at least you're thinking, even if it's flawed.

On Jul 19, 2012 6:24 PM, "Glenn and Mary Everhart" <everhart () gce com> wrote:
Hello, FD...

A thought occurred to me: Why not use the same kind of polymorphism and software metamorphism that is used by malware writers as a protective measure?

If you have a piece of code that you don't want malware to be able to inspect, that might perhaps have some "secrets" in it or that you want not to be trivial to have some other code patch, why not arrange for that code to be different in form (but the same in function) with every copy?

(For places that insist on code that must be signed, you might need to have only perhaps scores or hundreds of variants, and then make it clear that the "signed code" requirements were making the systems that have them LESS secure than those without. <bwahahaha>. <grin>.)

There are many ways to achieve this kind of result. Many would result in somewhat larger executables or the like, or possibly larger data, but some of the methods don't even need access to source code. (I would suspect many systems like this will be clearest to those of us who have worked in assembly languages and the like over the years, but that is a bit beside the point.)

If every copy of a program is laid out differently, and data gets moved around also from copy to copy, the job of the attacker would seem to get much harder.

Glenn Everhart

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/