SlideShare a Scribd company logo

ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-Antivirus-Evasion.pdf

D
distortdistort

ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-Antivirus-Evasion

Technology
1 of 31
Download to read offline
ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion G. Poulios, C. Ntantogian, C. Xenakis {gpoulios, dadoyan, xenakis}@unipi.gr
Overview • Return Oriented Programming (ROP) has been used in the past explicitly for DEP evasion in software exploitation scenarios. • We propose a completely different use of ROP! • We propose ROP as a polymorphic alternative to achieve AV evasion! +  1 PE 1 shellcode M different variations
ROPInjector • Local infection of benign PE executables with well-known alarming malicious code (i.e., shellcode) Benign PE Malware shellcode xfcxe8x89x00x00... ROPInjector Carrier PE ROP’ed shellcode
Why ROP for AV evasion? • Does not raise suspicious  Borrowed code (i.e., rop gadgets) is of course benign. The only possible detection footprint is the instructions (i.e., typically push) that insert the addresses of the ROP gadgets into the stack. • Generic  ROP can be used to transform any given malware shellcode to a ROP-based equivalent. • Polymorphism  Use different ROP gadgets or use same ROP gadgets found in different address
Challenges 1. The new resulting PE should evade antivirus detection 2. The benign PE should not be corrupted/damaged 3. The tool should be generic and completely automated 4. Should not require a writeable code section to mutate (i.e., execute ROP chain) Challenges Accepted!
A quick historical overview plain malware code string signatures x59xE8xFFx6Bx5FxFFx6Ax0Fx59xE8xFF x6Bx5FxFFx6Ax0F
A quick historical overview plain malware code string signatures simple obfuscation (NOPs/dead-code in-between) regex signatures x59xE8xFFx6Bx5Fx90xFFx90x6Ax0Fx59xE8 x6Bx5F{x90}*xFF{x90}*x6Ax0F variability
A quick historical overview plain malware code string signatures simple obfuscation (NOPs/dead-code in-between) regex signatures oligomorphism static analysis (disassembly, CFGs) x6Ax0Fx59xE80xFF x6Bx5F************** decoder encoded payload . . . PC PC if RWX and performs then alarm
A quick historical overview plain malware code string signatures simple obfuscation (NOPs/dead-code in-between) regex signatures oligomorphism static analysis (disassembly, CFGs) self-modifying code metamorphism dynamic analysis (emulation, sandboxing, behavior-based signatures) push eax mov [esp-4],eax sub esp,4
ROPInjector Steps 1. Shellcode analysis 2. Find ROP gadgets in PE 3. Transform shellcode to an equivalent ROP chain 4. Inject in PE missing ROP gadgets (if required) 5. Assemble ROP chain building code in PE 6. Patch the chain building code into the PE
STEP 1: Shellcode Analysis (1/3) • The analysis of the shellcode aims to obtain various information so that it can safely replace shellcode instructions with gadgets • In particular, for each instruction, ROPInjector likes to know: – what registers it reads, writes or sets – what registers are free to modify – its bitness (a mov al,X or a mov eax,X ?) – whether it is a branch (jmp, conditional, ret, call) – and if so, where it lands – whether it is a privileged instruction (e.g. sysenter, iret) – whether it contains a VA reference – whether it uses indirect addressing mode (e.g. mov [edi+4], esi)
STEP 1: Shellcode analysis (2/3) • Scaled Index Byte (SIB) enables complex indirect addressing modes – e.g. mov [eax+8*edi+10], ecx • We want to avoid SIBs in the shellcode because they are: – long: >3 bytes  unlikely to be found in gadgets – rarely reusable – reserve at least 2 registers
STEP 1: Shellcode analysis (3/3) • ROPInjector performs a technique that we call it Unrolling of SIBs to transform them into simpler instructions • With this technique we achieve – increased chances of finding suitable gadgets – less gadgets being injected mov eax, [ebx+ecx*2] mov eax, ecx sal eax, 1 add eax, ebx mov eax, [eax] • ecx is freed at this point • shorter instructions • reusable gadgets (either found or injected)
STEP 2: Find ROP Gadgets in PE (1/2) 1. First find returns of type: – ret(n) or – pop regX jmp regX or – jmp regX • used only if a “loader” gadget of the following form is also found: pop regX [any of the first 2 endings above] 2. Then search backwards for more candidate gadgets
STEP 2: Find ROP Gadgets in PE (2/2) • ROPInjector automatically resolves redundant instructions in ROP gadgets, in order to avoid errors during execution of ROP code • Maximize reusability of ROP gadgets • Avoid injecting unsafe ROP gadgets – modify non-free registers – are branches – write to the stack or modify esp – are privileged – use indirect addressing mode
STEP 3: Transform shellcode to ROP chain • First, we translate shellcode instructions to an Intermediate Representation (IR). • Next we translate ROP gadgets found in PE to an IR. • Finally, a mapping is performed between the two IRs – 1 to 1 – 1 to many
STEP 3: Intermediate Representation IR Type (20 in total) Semantics Eligible instructions ADD_IMM regA += imm add r8/16/32, imm8/16/32 add (e)ax/al, imm8/16/32 xor r8/16/32, 0 cmp r8/16/32, 0 inc r8/16/32 test ra32, rb32 (with ra == rb) test r8/16/32, 0xFF/FFFF/FFFFFFFF test (e)ax/al, 0xFF/FFFF/FFFFFFFF or ra32, rb32 (with ra == rb) MOV_REG_IMM . . . mov regA, imm mov r8/16/32, imm8/16/32 imul r16/32, r16/32, 0 xor ra8/16/32, ra8/16/32 and r8/16/32, 0 and (e)ax/al, 0 or r8/16/32, 0xFF/FFFF/FFFFFFFF or (e)ax/al, 0xFF/FFFF/FFFFFFFF
STEP 3: Mapping examples • 1-1 mapping example – Shellcode: mov eax, 0 – Gadget in PE: and eax, 0 ret • 1-many mapping example – Shellcode: add eax, 2 – Gadget in PE: inc eax ret  MOV_REG_IMM(eax, 0)  MOV_REG_IMM(eax, 0) 1 to 1 IR mapping  ADD_IMM(eax, 2)  ADD_IMM(eax, 1) 1 to 2 IR mapping
STEP 4: Gadget Injection • In some cases PE does not include the required ROP gadgets • Simply injecting ROP gadgets would raise alarms using statistics – Presence of successive ret instructions • To this end, ROPInjector inserts ROP gadgets scattered, and in a benign looking way to avoid alarms – 0xCC caves in .text section of PEs (padding space left by the linker) – Often preceded by a RET (due to function epilogue)
STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCCCCCCCCCCCCCCCC
STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> jmp epilogue mov ecx, eax jmp return epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCC
STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> jmp epilogue mov ecx, eax jmp return epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCC Normal flow
STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> jmp epilogue mov ecx, eax jmp return epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCC ROP flow Normal flow
STEP 5 and 6: Assemble and patch the ROP chain into PE • In step 5 we insert the code that loads the ROP chain onto the stack (mainly PUSH instructions) • In step 6 we patch the new PE  ROPInjector extends the .text section (instead of adding a new one that would raise alarm) and then goes on to repair all RVAs and relocations in the PE. • ROPInjector includes two different methods to pass control to the ROPed shellcode – Run first – Run last
STEP 6: PE Patching (1/2) .text Before injection After Injection Section Header (.text) Section Header (.data) Section Header (.rsrc) NT Header .data .rsrc .text Section Header (.text) Section Header (.data) Section Header (.rsrc) NT Header .data .rsrc NT header checksum recalculated
STEP 6: PE Patching (2/2) Section .text [malware code] jmp-back jmp-to-malware [replaced code] NT Header AddressOfEntryPoint . . . (1) (2) (3) Run first: Section .text [malware code] jmp-to-malware ExitProcess() jmp-to-malware Previous calls to ExitProcess() / exit() (very good anti-emulation results) Run last:
Evaluation • Implemented in native Win32 C • 9 32bit executables – firefox.exe, java.exe, AcroRd32.exe, cmd.exe, notepad++.exe and more • Various combinations – No patching at all – ROP’ed shellcode and run last – Intact shellcode passed control during exit (run last) – ROP’ed shellcode and delayed execution (20 secs via Win32 Sleep()) – Intact shellcode • 2 of the most popular payloads of MSF – reverse TCP shell – meterpreter reverse TCP • VirusTotal – at the time it employed 57 AVs
Evasion rate: reverse TCP shell 40% 50% 60% 70% 80% 90% 100% AcroRd32.exe Acrobat.exe cmd.exe Rainmeter.exe firefox.exe java.exe wmplayer.exe nam.exe notepad++.exe Evasion ratio Original file ROP-Exit Exit ROP-d20 Shellcode
Evasion rate: meterpreter reverse TCP 40% 50% 60% 70% 80% 90% 100% AcroRd32.exe Acrobat.exe cmd.exe Rainmeter.exe firefox.exe java.exe wmplayer.exe nam.exe notepad++.exe Evasion ratio Original file ROP-Exit Exit ROP-d20 Shellcode
Overall evasion results • 100% most of the times • 99.31% on average 100% 99,31% 88,99% 83,71% 74,33% 40% 50% 60% 70% 80% 90% 100% Average evasion ratio Evasion ratio Original file ROP-Exit Exit ROP-d20 Shellcode
Black Hat Sound Bytes • Current signature-based detection methods are no longer effective – we shown that by using ROP we can reduce the footprint to benign stack modifying instructions • Behavioral analysis is tough to perform exhaustively – we shown how to easily bypass it by running right before process exit • “Default distrust all” policy – Checksums and certificates is the poor user’s last line of defense at the moment

Recommended

Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsCysinfo Cyber Security Community
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 

Recommended

Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsCysinfo Cyber Security Community
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginSam Bowne
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.informatik Universität Basel
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Abdulrahman Bassam
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Erlang Message Passing Concurrency, For The Win
Erlang Message Passing Concurrency, For The WinErlang Message Passing Concurrency, For The Win
Erlang Message Passing Concurrency, For The Winl xf
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Windows kernel and memory io subsystem
Windows kernel and memory io subsystemWindows kernel and memory io subsystem
Windows kernel and memory io subsystemSisimon Soman
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 

More Related Content

Similar to ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-Antivirus-Evasion.pdf

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginSam Bowne
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Nelson Brito
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Abdulrahman Bassam
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Erlang Message Passing Concurrency, For The Win
Erlang Message Passing Concurrency, For The WinErlang Message Passing Concurrency, For The Win
Erlang Message Passing Concurrency, For The Winl xf
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernelSisimon Soman
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Windows kernel and memory io subsystem
Windows kernel and memory io subsystemWindows kernel and memory io subsystem
Windows kernel and memory io subsystemSisimon Soman
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 

Similar to ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-Antivirus-Evasion.pdf (20)

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?Protocol T50: Five months later... So what?
Protocol T50: Five months later... So what?
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Erlang Message Passing Concurrency, For The Win
Erlang Message Passing Concurrency, For The WinErlang Message Passing Concurrency, For The Win
Erlang Message Passing Concurrency, For The Win
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernel
 
Introduction to windows kernel
Introduction to windows kernelIntroduction to windows kernel
Introduction to windows kernel
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Windows kernel and memory io subsystem
Windows kernel and memory io subsystemWindows kernel and memory io subsystem
Windows kernel and memory io subsystem
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 

Recently uploaded

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Recently uploaded (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-Antivirus-Evasion.pdf

  • 1. ROPInjector: Using Return- Oriented Programming for Polymorphism and AV Evasion G. Poulios, C. Ntantogian, C. Xenakis {gpoulios, dadoyan, xenakis}@unipi.gr
  • 2. Overview • Return Oriented Programming (ROP) has been used in the past explicitly for DEP evasion in software exploitation scenarios. • We propose a completely different use of ROP! • We propose ROP as a polymorphic alternative to achieve AV evasion! +  1 PE 1 shellcode M different variations
  • 3. ROPInjector • Local infection of benign PE executables with well-known alarming malicious code (i.e., shellcode) Benign PE Malware shellcode xfcxe8x89x00x00... ROPInjector Carrier PE ROP’ed shellcode
  • 4. Why ROP for AV evasion? • Does not raise suspicious  Borrowed code (i.e., rop gadgets) is of course benign. The only possible detection footprint is the instructions (i.e., typically push) that insert the addresses of the ROP gadgets into the stack. • Generic  ROP can be used to transform any given malware shellcode to a ROP-based equivalent. • Polymorphism  Use different ROP gadgets or use same ROP gadgets found in different address
  • 5. Challenges 1. The new resulting PE should evade antivirus detection 2. The benign PE should not be corrupted/damaged 3. The tool should be generic and completely automated 4. Should not require a writeable code section to mutate (i.e., execute ROP chain) Challenges Accepted!
  • 6. A quick historical overview plain malware code string signatures x59xE8xFFx6Bx5FxFFx6Ax0Fx59xE8xFF x6Bx5FxFFx6Ax0F
  • 7. A quick historical overview plain malware code string signatures simple obfuscation (NOPs/dead-code in-between) regex signatures x59xE8xFFx6Bx5Fx90xFFx90x6Ax0Fx59xE8 x6Bx5F{x90}*xFF{x90}*x6Ax0F variability
  • 8. A quick historical overview plain malware code string signatures simple obfuscation (NOPs/dead-code in-between) regex signatures oligomorphism static analysis (disassembly, CFGs) x6Ax0Fx59xE80xFF x6Bx5F************** decoder encoded payload . . . PC PC if RWX and performs then alarm
  • 9. A quick historical overview plain malware code string signatures simple obfuscation (NOPs/dead-code in-between) regex signatures oligomorphism static analysis (disassembly, CFGs) self-modifying code metamorphism dynamic analysis (emulation, sandboxing, behavior-based signatures) push eax mov [esp-4],eax sub esp,4
  • 10. ROPInjector Steps 1. Shellcode analysis 2. Find ROP gadgets in PE 3. Transform shellcode to an equivalent ROP chain 4. Inject in PE missing ROP gadgets (if required) 5. Assemble ROP chain building code in PE 6. Patch the chain building code into the PE
  • 11. STEP 1: Shellcode Analysis (1/3) • The analysis of the shellcode aims to obtain various information so that it can safely replace shellcode instructions with gadgets • In particular, for each instruction, ROPInjector likes to know: – what registers it reads, writes or sets – what registers are free to modify – its bitness (a mov al,X or a mov eax,X ?) – whether it is a branch (jmp, conditional, ret, call) – and if so, where it lands – whether it is a privileged instruction (e.g. sysenter, iret) – whether it contains a VA reference – whether it uses indirect addressing mode (e.g. mov [edi+4], esi)
  • 12. STEP 1: Shellcode analysis (2/3) • Scaled Index Byte (SIB) enables complex indirect addressing modes – e.g. mov [eax+8*edi+10], ecx • We want to avoid SIBs in the shellcode because they are: – long: >3 bytes  unlikely to be found in gadgets – rarely reusable – reserve at least 2 registers
  • 13. STEP 1: Shellcode analysis (3/3) • ROPInjector performs a technique that we call it Unrolling of SIBs to transform them into simpler instructions • With this technique we achieve – increased chances of finding suitable gadgets – less gadgets being injected mov eax, [ebx+ecx*2] mov eax, ecx sal eax, 1 add eax, ebx mov eax, [eax] • ecx is freed at this point • shorter instructions • reusable gadgets (either found or injected)
  • 14. STEP 2: Find ROP Gadgets in PE (1/2) 1. First find returns of type: – ret(n) or – pop regX jmp regX or – jmp regX • used only if a “loader” gadget of the following form is also found: pop regX [any of the first 2 endings above] 2. Then search backwards for more candidate gadgets
  • 15. STEP 2: Find ROP Gadgets in PE (2/2) • ROPInjector automatically resolves redundant instructions in ROP gadgets, in order to avoid errors during execution of ROP code • Maximize reusability of ROP gadgets • Avoid injecting unsafe ROP gadgets – modify non-free registers – are branches – write to the stack or modify esp – are privileged – use indirect addressing mode
  • 16. STEP 3: Transform shellcode to ROP chain • First, we translate shellcode instructions to an Intermediate Representation (IR). • Next we translate ROP gadgets found in PE to an IR. • Finally, a mapping is performed between the two IRs – 1 to 1 – 1 to many
  • 17. STEP 3: Intermediate Representation IR Type (20 in total) Semantics Eligible instructions ADD_IMM regA += imm add r8/16/32, imm8/16/32 add (e)ax/al, imm8/16/32 xor r8/16/32, 0 cmp r8/16/32, 0 inc r8/16/32 test ra32, rb32 (with ra == rb) test r8/16/32, 0xFF/FFFF/FFFFFFFF test (e)ax/al, 0xFF/FFFF/FFFFFFFF or ra32, rb32 (with ra == rb) MOV_REG_IMM . . . mov regA, imm mov r8/16/32, imm8/16/32 imul r16/32, r16/32, 0 xor ra8/16/32, ra8/16/32 and r8/16/32, 0 and (e)ax/al, 0 or r8/16/32, 0xFF/FFFF/FFFFFFFF or (e)ax/al, 0xFF/FFFF/FFFFFFFF
  • 18. STEP 3: Mapping examples • 1-1 mapping example – Shellcode: mov eax, 0 – Gadget in PE: and eax, 0 ret • 1-many mapping example – Shellcode: add eax, 2 – Gadget in PE: inc eax ret  MOV_REG_IMM(eax, 0)  MOV_REG_IMM(eax, 0) 1 to 1 IR mapping  ADD_IMM(eax, 2)  ADD_IMM(eax, 1) 1 to 2 IR mapping
  • 19. STEP 4: Gadget Injection • In some cases PE does not include the required ROP gadgets • Simply injecting ROP gadgets would raise alarms using statistics – Presence of successive ret instructions • To this end, ROPInjector inserts ROP gadgets scattered, and in a benign looking way to avoid alarms – 0xCC caves in .text section of PEs (padding space left by the linker) – Often preceded by a RET (due to function epilogue)
  • 20. STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCCCCCCCCCCCCCCCC
  • 21. STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> jmp epilogue mov ecx, eax jmp return epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCC
  • 22. STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> jmp epilogue mov ecx, eax jmp return epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCC Normal flow
  • 23. STEP 4: Gadget Injection • Assuming missing gadget is mov ecx, eax and we find the following 0xCC cave: <other instructions> jmp epilogue mov ecx, eax jmp return epilogue: mov esp, ebp pop ebp return: ret(n) CCCCCCCC ROP flow Normal flow
  • 24. STEP 5 and 6: Assemble and patch the ROP chain into PE • In step 5 we insert the code that loads the ROP chain onto the stack (mainly PUSH instructions) • In step 6 we patch the new PE  ROPInjector extends the .text section (instead of adding a new one that would raise alarm) and then goes on to repair all RVAs and relocations in the PE. • ROPInjector includes two different methods to pass control to the ROPed shellcode – Run first – Run last
  • 25. STEP 6: PE Patching (1/2) .text Before injection After Injection Section Header (.text) Section Header (.data) Section Header (.rsrc) NT Header .data .rsrc .text Section Header (.text) Section Header (.data) Section Header (.rsrc) NT Header .data .rsrc NT header checksum recalculated
  • 26. STEP 6: PE Patching (2/2) Section .text [malware code] jmp-back jmp-to-malware [replaced code] NT Header AddressOfEntryPoint . . . (1) (2) (3) Run first: Section .text [malware code] jmp-to-malware ExitProcess() jmp-to-malware Previous calls to ExitProcess() / exit() (very good anti-emulation results) Run last:
  • 27. Evaluation • Implemented in native Win32 C • 9 32bit executables – firefox.exe, java.exe, AcroRd32.exe, cmd.exe, notepad++.exe and more • Various combinations – No patching at all – ROP’ed shellcode and run last – Intact shellcode passed control during exit (run last) – ROP’ed shellcode and delayed execution (20 secs via Win32 Sleep()) – Intact shellcode • 2 of the most popular payloads of MSF – reverse TCP shell – meterpreter reverse TCP • VirusTotal – at the time it employed 57 AVs
  • 28. Evasion rate: reverse TCP shell 40% 50% 60% 70% 80% 90% 100% AcroRd32.exe Acrobat.exe cmd.exe Rainmeter.exe firefox.exe java.exe wmplayer.exe nam.exe notepad++.exe Evasion ratio Original file ROP-Exit Exit ROP-d20 Shellcode
  • 29. Evasion rate: meterpreter reverse TCP 40% 50% 60% 70% 80% 90% 100% AcroRd32.exe Acrobat.exe cmd.exe Rainmeter.exe firefox.exe java.exe wmplayer.exe nam.exe notepad++.exe Evasion ratio Original file ROP-Exit Exit ROP-d20 Shellcode
  • 30. Overall evasion results • 100% most of the times • 99.31% on average 100% 99,31% 88,99% 83,71% 74,33% 40% 50% 60% 70% 80% 90% 100% Average evasion ratio Evasion ratio Original file ROP-Exit Exit ROP-d20 Shellcode
  • 31. Black Hat Sound Bytes • Current signature-based detection methods are no longer effective – we shown that by using ROP we can reduce the footprint to benign stack modifying instructions • Behavioral analysis is tough to perform exhaustively – we shown how to easily bypass it by running right before process exit • “Default distrust all” policy – Checksums and certificates is the poor user’s last line of defense at the moment