[Dailydave] Some Propaganda.
Piotr Bania
bania.piotr at gmail.com
Wed Nov 15 16:53:20 Local tim 2006
>All in all, it looks pretty impressive :-)
It took a lot of time, so it should look so :)
>A few things I am wondering about: If one regards instruction n-grams,
>e.g. sequences of n instructions, do they still statistically match
>what a regular compiler would generate ?
The metamorphic engine is not 100% finished yet, so I will try to
answer this question when release time comes (I hope I will not
forget though; if so, please just remind me).
>Secondly, if one was capable of "measuring" the effectivity of the
>optimizer, would one not see a difference at the point were code is
>inserted ?
If we speak about the integration engine, well, first of all, if you don't
have the prototype file, I doubt you can find the injection (without
spending some cool time with your IDA and debugger). Secondly, the user
decides where the injection should be done (for example, he can use one
of the HotRegions listed in the window I showed you before; HotRegions
shows the locations that are most probable to get executed, but on the
other hand he can use his imagination and use some other place). Also,
currently the integration engine is 100% ready, so it is a fact that it
is able to do some cool things to keep the injection undetected. For
example, if the user produces malware code which relies on the original
program's API functions, the engine can write the correct offsets and
update his code; moreover, it can also add his "instructions" to the
reloc sections, so the thing works even if the code is relocated, i.e.
drivers. All depends on the plugins; you can do everything, you have
your PE file in pieces, you just move the chains and it walks.
But when the user is dumb (I believe such guys will not get my software)
and he makes the injection at the entrypoint, it's stupid, but what can
I say, even for an experienced reverse-engineer it is very hard to find the
injected code (of course if the injected code is nicely written) inside
a big application. Who can expect that the attacker is going to rebuild all
of the original file? Yes, the times of adding trojans to the last sections
have ended for good, at least in 4514N.
Btw. Here's the link to EEYE's BINDIFFER report, run against the
original freecell application and the modified freecell application (2
NOPs injected after every instruction).
BDS Level 1/BDS Level 2:
http://piotrbania.com/all/4514N/diff_report.txt
Geez, I spent all this day answering mails :)
best regards,
pb
P.S. Like always, sorry for my bad English.
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr at gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."