[Dailydave] Mutating to avoid structural analysis
Stefan Wagner
sw at alldas.org
Sat Dec 8 19:51:14 EST 2007
Hi,
> So my question is this: is defeating a structural based fingerprint of
> a program more difficult to do than defeating behavioral based
> fingerprints?
Yiha! Works excellently over here :D

Keythingy (for me) is to 'crypt' the Libcalls while you smuggle 'em in.
Just to make sure IDS/AV kids won't get lucky with their static pattern
bs... Reserve 1K of space within your code for the main (superspeedy)
decrypting code and hide the main eor-thing (or xor-omgzomg) in
crapcalls, like:

    moveq #0,d0
    sub.l d0,d0
    add.l #<random>, d0
    <insert more boredom/cleverness here>

to replace NOP calls and make the code look legit.

In this random mess it's perfectly fine to hide your very own code to
decrypt the mainlib and other stuff (the main decrypt thingy is a 6 cmd
one (wh00h00) 2 be executed during the initial call).
Cheers,
Stefan
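The filler Stefan describes (moveq #0,d0 / sub.l d0,d0 / add.l #random,d0) defeats a byte-level signature only because the signature is taken over raw bytes. A structural fingerprint that first canonicalises register-zeroing idioms and abstracts the random immediate survives it. The following is an added illustration of that normalisation step, not code from the post or from anyone on the list; the text-listing syntax, the `decrypt_block` label and the two sample variants are all constructed for the example, and there is no real m68k disassembler behind it.

```python
"""Normalise textual m68k listings so register-noise padding does not change
the structural fingerprint.  Constructed example; the instruction forms and
sample listings are assumptions, not output of any real tool."""
import hashlib
import re

# Idioms whose only net effect is "zero register dN".  Each pattern captures
# the register name so the canonical form can be rebuilt.
_ZERO_FORMS = [
    re.compile(r"^moveq\s+#0,\s*(d\d)$"),
    re.compile(r"^sub\.l\s+(d\d),\s*\1$"),
    re.compile(r"^eor\.l\s+(d\d),\s*\1$"),
    re.compile(r"^clr\.l\s+(d\d)$"),
]
# "add.l #imm,dN": captures the immediate and the destination register.
_ADD_IMM = re.compile(r"^add\.l\s+#(\S+),\s*(d\d)$")


def _zeroed_register(insn):
    """Return the register name if insn is a zeroing idiom, else None."""
    for pat in _ZERO_FORMS:
        m = pat.match(insn)
        if m:
            return m.group(1)
    return None


def normalize(listing):
    """Canonicalise a list of instruction strings.

    Rules applied in order:
      1. any zeroing idiom becomes 'clr.l dN';
      2. consecutive zeroings of the same register collapse to one;
      3. 'clr.l dN' followed by 'add.l #imm,dN' becomes 'move.l #IMM,dN',
         with the immediate abstracted because the padding uses a random one.
    Everything else is kept, lower-cased, with whitespace squeezed.
    """
    out = []
    for raw in listing:
        insn = " ".join(raw.strip().lower().split())
        if not insn:
            continue
        reg = _zeroed_register(insn)
        if reg:
            canon = f"clr.l {reg}"
            if out and out[-1] == canon:      # rule 2: redundant re-zeroing
                continue
            out.append(canon)                 # rule 1
            continue
        m = _ADD_IMM.match(insn)
        if m and out and out[-1] == f"clr.l {m.group(2)}":
            out[-1] = f"move.l #IMM,{m.group(2)}"   # rule 3
            continue
        out.append(insn)
    return out


def raw_fingerprint(listing):
    """Fingerprint over the listing as written: breaks under mutation."""
    text = "\n".join(" ".join(l.split()) for l in listing)
    return hashlib.sha256(text.encode()).hexdigest()


def fingerprint(listing):
    """Fingerprint over the normalised listing: stable under the padding trick."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()


# Two constructed mutants of the same stub: different zeroing idiom, different
# random immediate, same real work afterwards ('decrypt_block' is an assumed label).
VARIANT_A = [
    "moveq #0,d0",
    "sub.l d0,d0",
    "add.l #$1234,d0",
    "jsr decrypt_block",
    "bra.s main",
]
VARIANT_B = [
    "eor.l d0,d0",
    "add.l #$CAFE,d0",
    "jsr decrypt_block",
    "bra.s main",
]

if __name__ == "__main__":
    print("raw  A:", raw_fingerprint(VARIANT_A)[:16], "B:", raw_fingerprint(VARIANT_B)[:16])
    print("norm A:", fingerprint(VARIANT_A)[:16], "B:", fingerprint(VARIANT_B)[:16])
    print(normalize(VARIANT_A))
```

Run stand-alone it prints two differing raw hashes and two identical normalised hashes. The point for the detection side of the argument is that the normaliser only has to know the small set of idioms the mutation engine draws from; the same idea extends to peephole canonicalisation over a real disassembly, where dead stores to a register that is overwritten before use can be dropped entirely.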