Mutating The Mutators - PowerPoint PPT Presentation

Slides: 17
Provided by: althingCs

Transcript and Presenter's Notes
1
Mutating The Mutators
  • Sean O'Toole

2
What is Borrowed From Metamorphism
  • Metamorphic Shrinker/Expander Modules
  • Expander: An expander creates a direct
    expansion of opcodes.
  • Direct Expansion: A group of opcodes that copy
    the actions of an opcode.
  • Shrinker: Inverts the actions of the expander. A
    shrinker module rarely fully optimizes a piece of
    code, since the fully optimized code could be
    commonly found in memory while the program runs.

3
Direct Expansion Example
  • Ex.
  • Original Code:
  • MOV REG1, REG2
  • 1000 1001 11 REG2 REG1
  • Direct Expansion:
  • PUSH REG2 / POP REG1
  • 0101 0 REG2 / 0101 1 REG1
  • If REG1 = edx (010) and REG2 = ecx (001):
  • Original: 89CAh
  • Direct: 51 5Ah

4
Addition to Metamorphism
  • Indirect Expansion: An expansion that includes
    the opcodes of a direct expansion, but also
    includes code that does not affect the result of
    the code.

5
Indirect Expansion Example
  • Ex.
  • Original:
  • MOV REG1, REG2
  • 1000 1001 11 REG2 REG1
  • Indirect Expansion:
  • ADD REG1, REG2 / PUSH REG2 / OR REG1, 0Ah /
    POP REG1
  • 0000 0001 11 REG1 REG2 / 0101 0 REG2 / 1000
    0011 1100 1 REG1 0000 1010 / 0101 1 REG1
  • If REG1 = edx (010) and REG2 = ecx (001):
  • Original: 89CAh
  • Indirect: 01D1 51 83CA0A 5Ah

6
Indirect Expansion Engine Theory
  • Each opcode has certain ways, or rules, in which
    the operands can be manipulated without affecting
    the outcome of the original opcode's result.
  • In the example, the rule is that REG1 can be
    manipulated at any point before POP REG1, as long
    as REG1 is not register ESP.

7
Using Rules in the Engine
  • The rules appear as labels in the buffer.
  • Ex.
  • RULE1: REG1 can be manipulated.
  • Start
  • RULE1_Start: ADD REG1, REG2
  • INSTRUCTION1: PUSH REG2
  • OR REG1, 0Ah
  • RULE1_End
  • INSTRUCTION2: POP REG1
  • END

8
Tools Used in Implementation of The Engine
  • A metamorphic engine
  • A great example of a metamorphic engine can be
    found in the Metaphor, AKA Simile, virus by
    Mental Drill, which can be found in 29A Labs 6.
  • Executable Trash Generator (ETG)
  • This is a module written by Zombie and is on his
    site z0mbie.host.sk.

9
Calling the Executable Trash Generator
  • PUSH offset rnd      ; offset of random generator
  • PUSH offset buffer   ; offset of output buffer
  • PUSH size            ; size of the buffer
  • PUSH numCmds         ; max number of commands
  • PUSH offset buffsize ; size of random code
  • PUSH destregs        ; destination registers flag
  • PUSH scrregs         ; source registers flag
  • PUSH cmds            ; commands flag
  • CALL etg_engine

10
Using the ETG to Develop Indirect Expansions
  • The commands that are chosen in the commands
    flag, as well as the code in direct expansions, must
    be mapped so that register codes can be inserted
    into the op-code.
  • If the destination and source register flags are
    both set to EAX, whose flag is 01h, then the
    register codes can be mapped onto an op-code by
    OR-ing the register values into the proper bits of
    the indirect expansion.

11
Extracting Registers From Op-Codes
  • MOV Reg1, Reg2
  • General Binary Form:
  • 1000 1001 11 REG2 REG1
  • Second Byte's Range: C0 to FF.
  • Reg1 = Second_Byte AND 111b
  • Reg2 = SHR (Second_Byte AND 111000b), 3h

12
Inserting Registers Into Op-Codes
  • PUSH Reg2
  • General Form:
  • 0101 0 Reg2
  • New Op-Code:
  • 50h OR Reg2
  • POP Reg1
  • General Form:
  • 0101 1 Reg1
  • New Op-Code:
  • 58h OR Reg1
  • OR Reg1, Random Number
  • General Form:
  • 1000 0011 1100 1 REG1 Random Number
  • New Op-Code:
  • 83C800h OR (SHL Reg1, 8) OR Random_Number

13
Protocol for Changing Expansions
  • Since complete optimization during shrinking
    allows the code to be seen by any scanner, the
    expansions cannot all be changed at the same
    time.
  • Protocol:
  • Shrinker holds half of generation n and half of
    generation n-1.
  • Expander holds the remaining half of generation n
    and creates expansions for generation n+1.

14
Why Must Metamorphism Be Improved
  • Currently, metamorphic engines can be defeated by
    running a static scanner that contains the same
    relationships as the shrinker, run the same
    number of times as the expander is recursively
    run.
  • The static scanner does not need to emulate
    anything, since it only needs to find binary
    strings that match an expansion.
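The static scanner this slide describes, written as an added example (not code from the presentation, from Metaphor or from ETG): it decodes the register-only instruction subset of slides 3, 5, 11 and 12 and applies the shrinker relationship in reverse, so that PUSH r2 / POP r1 plus any RULE1 junk written to REG1 collapses back to the MOV r1, r2 bytes a plain signature matches. It assumes 32-bit operands with ModRM mod = 11, and that opcode 01h (ADD) uses the same ModRM layout as 89h (reg field = source, r/m field = destination), so ADD EDX, ECX is 01 CAh.

```python
def decode(buf: bytes, i: int) -> tuple:
    """Decode one instruction at buf[i] -> ((mnemonic, dest, src_or_imm), next_i)."""
    op = buf[i]
    if op in (0x89, 0x01):                        # MOV / ADD r/m32, r32; ModRM = 11 src dst
        m = buf[i + 1]
        if m < 0xC0:                              # slide 11: second byte must be C0..FF
            raise ValueError("memory operand not supported")
        return ("mov" if op == 0x89 else "add", m & 7, (m >> 3) & 7), i + 2
    if 0x50 <= op <= 0x5F:                        # PUSH r32 = 50h OR reg, POP r32 = 58h OR reg
        return ("push" if op < 0x58 else "pop", op & 7, -1), i + 1
    if op == 0x83 and buf[i + 1] & 0xF8 == 0xC8:  # OR r/m32, imm8 = 83h, C8h OR reg, imm8
        return ("or", buf[i + 1] & 7, buf[i + 2]), i + 3
    raise ValueError(f"unsupported opcode {op:02x} at offset {i}")

def encode(ins: tuple) -> bytes:
    m, d, s = ins
    if m in ("mov", "add"):
        return bytes([0x89 if m == "mov" else 0x01, 0xC0 | (s << 3) | d])
    if m == "or":
        return bytes([0x83, 0xC8 | d, s])
    return bytes([(0x50 if m == "push" else 0x58) | d])

def is_junk(ins: tuple, r1: int, r2: int) -> bool:
    """Only writes r1 (and flags), which POP r1 overwrites; never for ESP (4) or r1 == r2."""
    return ins[0] in ("add", "or") and ins[1] == r1 and r1 not in (4, r2)

def shrink(buf: bytes) -> bytes:
    """Collapse [junk on r1]* PUSH r2 [junk on r1]* POP r1 back into MOV r1, r2 (89 /r)."""
    i, ins = 0, []
    while i < len(buf):
        x, i = decode(buf, i)
        ins.append(x)
    out, i = [], 0
    while i < len(ins):
        if ins[i][0] == "push":
            r2, k = ins[i][1], i + 1
            while k < len(ins) and ins[k][0] in ("add", "or"):
                k += 1
            if k < len(ins) and ins[k][0] == "pop":
                r1 = ins[k][1]
                if all(is_junk(x, r1, r2) for x in ins[i + 1:k]):
                    while out and is_junk(out[-1], r1, r2):
                        out.pop()                 # junk emitted before the PUSH
                    out.append(("mov", r1, r2))
                    i = k + 1
                    continue
        out.append(ins[i])
        i += 1
    return b"".join(encode(x) for x in out)
```

A scanner built this way only keeps up while the expander/shrinker relationships stay fixed, which is exactly what the changing-expansion protocol on slide 13 is designed to break.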

15
Why Use This Technique
  • Since the expander/shrinker relationships do not
    remain static, a static scanner cannot be used to
    defeat the technique.
  • The engine will also expand opcodes that are part
    of the worthless code in a previous expansion.
    This adds an extra layer of complexity, since the
    worthless opcode's expansion will contain opcodes
    that look worthwhile in the context of the
    expansion.

16
Thank You For Coming
  • I Am Happy To Answer Any Questions.