Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43440
  • Total Topics: 16532
  • Online today: 3122
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 3116
Total: 3117









Author Topic: Malware Manipulates Procedure Prologue and Epilogue to Evade Security  (Read 2131 times)

0 Members and 1 Guest are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Malware Manipulates Procedure Prologue and Epilogue to Evade Security

Techniques used by malware developers to evade detection by security software have changed drastically in recent years. Encryption, packers, wrappers, and other methods were effective for various lengths of time. But eventually antimalware programs gained detection techniques to combat these steps.

Malware authors next started frequently changing code and other data; now malware binaries are modified multiple times per day to evade detection. We have discussed some of the most common methods of modifications in previous blogs. Today we’ll talk about the opcode modification of procedure prologue and epilogue sequences. The modification is used by some fake-alert malware.

Modifying Opcode

The opcode modification technique replaces the standard opcodes generated by a compiler with different opcodes–and without changing the outcome of the code.

Prologue and Epilogue

The procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions. The particulars of these sequences depend on the specific compiler used and on the calling conventions. Most functions start with a prologue that sets up a stack frame for the function and ends with an epilogue that clears the stack frame.

Here’s a typical 32-bit Intel architecture assembly-language function prologue:

        PUSH EBP          —> Save Base Pointer

        MOV EBP,ESP     —> EBP becomes the temporary stack pointer

And here’s a typical epilogue:

        POP EBP            —> Recover Base pointer

        RET                   —> Return from the function

Next we see a typical and a modified prologue:



Figure 1.1: A typical procedure prologue.



Figure 1.2: A modified procedure prologue.

Now let’s look at an example of a typical and a modified epilogue:



Figure 2.1: A typical procedure epilogue



Figure 2.2: A modified procedure epilogue.



Figure 2.3: Another modified procedure epilogue.

The preceding screenshots show standard opcodes generated by the compiler and the modified ones used by fake-alert malware to evade code-based detection. McAfee has complete coverage and detects all variants that use this technique.


Original article: Tuesday, July 16, 2013 at 5:02pm by Arvind Gowda
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023