Re: [Dailydave] Some Propaganda.
From: Halvar Flake (halvar@gmx.de)
Date: Wed Nov 15 2006 - 07:03:09 CST
Silly question: How different do the morphed executables
look from compiler-generated ones statistically?
Cheers,
Halvar
----- Original Message -----
From: "Joanna Rutkowska" <joanna@invisiblethings.org>
To: "Piotr Bania" <bania.piotr@gmail.com>
Cc: <dailydave@lists.immunitysec.com>
Sent: Wednesday, November 15, 2006 8:53 AM
Subject: Re: [Dailydave] Some Propaganda.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Piotr Bania wrote:
>> CODENAME 4514N - PRE-ANNOUNCE PROPAGANDA
>> ----------------------------------------
>>
>> Just some info for those who are interested. I'm currently working on
>> my masterpiece project (school project), the first GUI-oriented and the
>> most advanced integrating-metamorphic engine so far. The integration engine
>> allows the user to integrate any code into any PE binary file (x86 processors),
>> including device drivers etc. etc. The 4514N engine can rebuild all the PE
>> structure, internal offsets (jumps, references), any type of PE sections
>> (relocs, imports, exports, resources...), moreover it can even keep the
>> alignment of variables. Integration means that first the target file is
>> disassembled into pieces (it creates a chain which connects the body of the
>> target file), then we move that chain, we do everything we want (I call
>> this step InverseKinematics, just because I'm a 3D graphics hobbyist)
>> and then we compile the chain again. Such a horribly modified application
>> runs perfectly; moreover it is almost impossible to disinfect the
>> modified target. So tell me, do you want to compile a rootkit inside of
>> your ndis.sys? :)
>>
>
> That would actually be trivially detectable if you decided to infect any
> of the Windows system files (like e.g. the NDIS.SYS quoted above), as all
> those files (starting from Windows 2000) are digitally signed...
>
> Still, the project looks cool - I could imagine using such an engine to
> e.g. infect any of the non-signed PE files on disk, just to allow our
> rootkit to be loaded into memory at system startup - but once loaded the
> rootkit should not change *any* code sections (Type I rootkits are
> really passé IMHO)...
>
> The existence of such tools as the one Piotr is working on should really
> convince and encourage *all* developers to digitally sign their executables.
>
> cheers,
> joanna.
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQFFWseMORdkotfEW84RAvg7AJ4mARCFjcDNfhYVy2B5SMi/lgZ+fwCcC2m+
> 0GtRUkGLSCZ2/km4Vhx8VqU=
> =F3mR
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
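As an added example (not code from this thread, from Piotr's engine, or from any Microsoft tool), the block below builds a constructed, non-loadable PE32 image in memory, appends a placeholder WIN_CERTIFICATE blob where a real PKCS#7 signature would sit, and computes the Authenticode digest the way the PE Authenticode specification prescribes: the CheckSum field, the security data-directory entry and the certificate table itself are excluded, and section raw data is hashed in file order. It illustrates Joanna's point about infecting signed system files: replacing the certificate blob or the checksum leaves the digest unchanged, while a five-byte patch into .text (the kind of hook an integration engine would write) changes it, so the digest recorded inside the signature no longer matches the file. The code bytes, the certificate payloads and every helper name are assumptions made for the example; the block computes the digest only and does not parse or verify the PKCS#7 SignedData or its certificate chain.

```python
"""Constructed demo: why patching a digitally signed PE is detectable.

Everything here is built in memory (a header-consistent, non-loadable PE32
with a placeholder certificate table); nothing is a real driver or signature.
"""
import hashlib
import struct

FILE_ALIGN = 0x200
OPT_HEADER_SIZE_PE32 = 0xE0
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

# Constructed x86 bytes: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CODE = bytes.fromhex("558bec33c05dc3")


def _pad(data: bytes, align: int) -> bytes:
    return data + b"\0" * (-len(data) % align)


def fake_win_certificate(payload: bytes) -> bytes:
    """WIN_CERTIFICATE header (dwLength, wRevision=0x200, wCertificateType=
    PKCS_SIGNED_DATA) around an opaque placeholder instead of real PKCS#7."""
    body = _pad(payload, 8)
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def build_pe(text: bytes, cert_blob: bytes = b"") -> bytes:
    """One-section PE32 whose certificate table (if any) is appended last."""
    raw_text = _pad(text, FILE_ALIGN)
    text_off = FILE_ALIGN                       # SizeOfHeaders == FILE_ALIGN
    cert_off = text_off + len(raw_text) if cert_blob else 0

    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HEADER_SIZE_PE32, 0x0102)

    opt = bytearray(OPT_HEADER_SIZE_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(cert_blob))  # security dir = file offset, size

    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                          len(raw_text), text_off, 0, 0, 0, 0, 0x60000020)
    headers = _pad(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section, FILE_ALIGN)
    return headers + raw_text + cert_blob


def _optional_header(pe: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER (after "PE\\0\\0" and the COFF header)."""
    return struct.unpack_from("<I", pe, 0x3C)[0] + 4 + 20


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Digest the image as Authenticode does: skip CheckSum, skip the security
    data-directory entry, hash sections in file order, exclude the cert table."""
    h = hashlib.new(algo)
    opt = _optional_header(pe)
    nsections = struct.unpack_from("<H", pe, opt - 18)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, opt - 4)[0]     # COFF SizeOfOptionalHeader
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    sec_entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    _cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64

    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_entry])
    h.update(pe[sec_entry + 8:size_of_headers])
    hashed = size_of_headers

    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):                # by PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    trailing = len(pe) - hashed - cert_size    # overlay data, minus the cert table
    if trailing < 0:
        raise ValueError("certificate table overlaps hashed data; file truncated or corrupt")
    h.update(pe[hashed:hashed + trailing])
    return h.hexdigest()


def patch_text(pe: bytes, offset_in_text: int, patch: bytes) -> bytes:
    """Simulate an integration engine writing new code into the first section."""
    opt = _optional_header(pe)
    opt_size = struct.unpack_from("<H", pe, opt - 4)[0]
    raw_ptr = struct.unpack_from("<I", pe, opt + opt_size + 20)[0]   # PointerToRawData
    out = bytearray(pe)
    out[raw_ptr + offset_in_text:raw_ptr + offset_in_text + len(patch)] = patch
    return bytes(out)


def set_checksum(pe: bytes, value: int) -> bytes:
    out = bytearray(pe)
    struct.pack_into("<I", out, _optional_header(pe) + 64, value)
    return bytes(out)


def demo() -> dict:
    signed = build_pe(CODE, fake_win_certificate(b"signature placeholder"))
    return {
        "signed": authenticode_digest(signed),
        "unsigned": authenticode_digest(build_pe(CODE)),
        "resigned": authenticode_digest(build_pe(CODE, fake_win_certificate(b"another blob"))),
        "checksum_changed": authenticode_digest(set_checksum(signed, 0xDEADBEEF)),
        # jmp rel32 over the prologue: the hook an infector would plant
        "infected": authenticode_digest(patch_text(signed, 0, b"\xe9\x00\x10\x00\x00")),
    }


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:17s} {digest}")
```

Run the file directly to print the five digests: the first four are identical and only the infected image differs. On a real Windows system the equivalent check for an actual driver is `Get-AuthenticodeSignature C:\Windows\System32\drivers\ndis.sys`, whose status reads `HashMismatch` once the signed bytes have been altered. A signature check only tells you that the file changed, not what changed, so it does not answer Halvar's question about how the morphed code looks statistically.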