1 / 16

Mutating The Mutators

Sean O'Toole. Mutating The Mutators. What is Borrowed From Metamorphism. Metamorphic ShrinkerExpander Modules: Expander: An expander creates a “direct expansion” of opcodes. Direct Expansion: A group of opcodes that copy the actions of an opcode.

dakota
Download Presentation

Mutating The Mutators

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sean O'Toole Mutating The Mutators

  2. What is Borrowed From Metamorphism • Metamorphic Shrinker\Expander Modules: • Expander: An expander creates a “direct expansion” of opcodes. • Direct Expansion: A group of opcodes that copy the actions of an opcode. • Shrinker: Inverts actions of the expander. A shrinker module rarely fully optimizes a piece of code since the fully optimized code could be commonly found in memory while the program runs.

  3. Direct Expansion Example • Ex. • Original Code: • MOV REG1, REG2 • 1000 1001 11 {REG2} {REG1} • Direct Expansion: • PUSH REG2 / POP REG1 • 0101 0 {REG2} 0101 1 {REG1} • If REG1 = edx (010) and REG2 = ecx (001) • Original: 89CAh • Direct: 51 5Ah

  4. Addition to Metamorphism • Indirect Expansion: An expansion that includes the opcodes in a direct expansion, but also includes code that does not effect the result of the code.

  5. Indirect Expansion Example • Ex. • Original: • MOV REG1, REG2 • 1000 1001 11 {REG2} {REG1} • Indirect Expansion: • ADD REG1, REG2 / PUSH REG2 / OR REG1, 0Ah / POP REG1 • 0000 0001 11 {REG1} {REG2} / 0101 0 {REG2} / 1000 0011 1100 1 {REG1} 0000 1010 / 0101 1 {REG1} • If REG1 = edx (010) and REG2 = ecx (001) • Original: 89CAh • Direct: 01D1 51 83CA0A 5Ah

  6. Indirect Expansion Engine Theory • Each opcode has certain ways, or rules, that the operands can be manipulated without effecting the outcome of the original opcode's result. • In the example, the rule “REG1 can be manipulated at any point before POP REG1, as long as REG1 is not register ESP.”

  7. Using Rules in the Engine • The rules appear as “labels” in the buffer. • Ex. • RULE1 = REG1 can be manipulated. • Start: • RULE1_Start: ADD REG1, REG2 • INSTRUCTION1: PUSH REG2 • OR REG1, 0Ah • RULE1_End: • INSTRUCTION2: POP REG1 • END:

  8. Tools Used in Implementation of The Engine • A metamorphic engine • A great example of a metamorphic engine can be found in the Metaphor, AKA Simile, virus by Mental Drill, which can be found in 29A Labs #6. • Executable Trash Generator (ETG) • This is a module written by Zombie and is on his site: z0mbie.host.sk.

  9. Calling the Executable Trash Generator • PUSH offset rnd ;offset of random # gen • PUSH offset buffer ;offset of output buffer • PUSH size ;size of the buffer • PUSH numCmds ;max number of commands • PUSH offset buffsize ;size of random code • PUSH destregs ;destination registers flag • PUSH scrregs ;source registers flag • PUSH cmds ;commands flag • CALL etg_engine

  10. Using the ETG to Develop Indirect Expansions • The commands that are chosen in the commands flag, as well as code in direct expansions, must be mapped so that register codes can be inserted into the op-code. • If destination and source registers flags are both set to EAX, whose flag is 01h, then the register codes can be mapped onto an op-code by OR-ing the indirect expansion and the reg values in the proper area.

  11. Extracting Registers From Op-Codes • MOV Reg1, Reg2: • General Binary Form: • 1000 1001 11 {REG2} {REG1} • Second Byte's Range: C0 to FF. • Reg1 = • Second_Byte AND 111b • Reg2 = • SHR (Second_Byte AND 111000b), 3h

  12. Inserting Registers Into Op-Codes • PUSH Reg2 • General Form: • 0101 0{Reg2} • New Op-Code = • 50h OR Reg2 • POP Reg1 • General Form: • 0101 1{REG1} • New Op-Code = • 58h OR Reg1 • OR Reg1, {Random Number} • General Form: • 1000 0011 1100 1 {REG1} {Random Number} • New Op-Code = • 83C800 OR (SHL Reg1, 8) OR Random_Number

  13. Protocol for Changing Expansions • Since complete optimization during shrinking allows the code to be seen by any scanning, all the expansions cannot be changed at the same time. • Protocol: • Shrinker holds half generation n and half generation n-1. • Expander holds remaining generation n and creates expansions for generation n+1.

  14. Why Must Metamorphism Be Improved • Current, metamorphic engines can be defeated by running a static scanner, which cotains the same relationships as the shrinker contains, run the same amount of times as the expander is recursively run. • The static scanner does not need to be emulated since only binary strings need to be found that match an expansion.

  15. Why Use This Technique • Since the expander/shrinker relationships do not remain static, a static scanner cannot be use to defeat the technique. • The engine will also expand opcodes that are part of the worthless code in a previous expansion. This adds an extra layer of complexity since the worthless opcode's expansion will contain opcodes that look worthwhile in the contexed of the expansion.

  16. I Am Happy To Answer Any Questions. Thank You For Comming

More Related