Re: [Dailydave] Some Propaganda.
From: Halvar Flake (halvargmx.de)
Date: Wed Nov 15 2006 - 07:03:09 CST
Silly question: how different do the morphed executables look from compiler-generated ones, statistically?
----- Original Message -----
From: "Joanna Rutkowska" <joannainvisiblethings.org>
To: "Piotr Bania" <bania.piotrgmail.com>
Sent: Wednesday, November 15, 2006 8:53 AM
Subject: Re: [Dailydave] Some Propaganda.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Piotr Bania wrote:
>> CODENAME 4514N - PRE-ANNOUNCE PROPAGANDA
>> Just some info for those who are interested. I'm currently working on
>> my masterpiece project (school project), the first GUI-oriented and the
>> most advanced integrating-metamorphic engine so far. The integration engine
>> allows the user to integrate any code into any PE binary file (x86 processors),
>> including device drivers etc. etc. The 4514N engine can rebuild the whole PE
>> structure, internal offsets (jumps, references), any type of PE section
>> (relocs, imports, exports, resources...); moreover it can even keep the
>> alignment of variables. Integration means that first the target file is
>> disassembled into pieces (this creates a chain which connects the body of
>> the target file), then we move that chain and do everything we want (I call
>> this step InverseKinematics, just because I'm a 3D graphics hobbyist)
>> and then we compile the chain again. Such a horribly modified application
>> runs perfectly; moreover it is almost impossible to disinfect the
>> modified target. So tell me, do you want to compile a rootkit inside
>> your ndis.sys? :)
> That would actually be trivially detectable if you decided to infect any
> of the Windows system files (like e.g. the NDIS.SYS quoted above), as all
> those files (starting from Windows 2000) are digitally signed...
> Still, the project looks cool - I could imagine using such an engine to
> e.g. infect any of the non-signed PE files on disk, just to allow our
> rootkit to be loaded into memory at system startup - but once loaded the
> rootkit should not change *any* code sections (Type I rootkits are
> really passé IMHO)...
> The existence of such tools as the one Piotr is working on should really convince
> and encourage *all* developers to digitally sign their executables.
Dailydave mailing list
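Joanna's point in the quoted reply is that modifying a signed system file is trivially detectable. An added example that belongs to none of the posters and has nothing to do with the 4514N engine: a Python routine that computes the Authenticode image hash of a PE file, which is the value an embedded signature or a Windows security catalog actually vouches for. A checker must compare this hash rather than a plain file hash, because the act of signing rewrites the optional header's CheckSum field and appends a certificate table, and the Authenticode algorithm skips exactly those regions. The PE images and the WIN_CERTIFICATE blob below are constructed inline for the demonstration; the blob carries no real PKCS#7 data, so the code shows integrity of the hashed region only, not signature validation. `is_known_good` is an assumed stand-in for a catalog lookup, not a Windows API.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the certificate table

def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _layout(image):
    """Locate the regions the Authenticode PE hash skips or is bounded by."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = _u32(image, 0x3C)                                    # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24
    dd_start = {0x10B: 96, 0x20B: 112}.get(_u16(image, opt))  # data directories: PE32 / PE32+
    if dd_start is None:
        raise ValueError("unknown optional header magic")
    sect_tbl = opt + _u16(image, coff + 16)                   # SizeOfOptionalHeader
    n_sections = _u16(image, coff + 2)
    sections = [(_u32(image, s + 20), _u32(image, s + 16))    # (PointerToRawData, SizeOfRawData)
                for s in range(sect_tbl, sect_tbl + 40 * n_sections, 40)]
    cert_entry = opt + dd_start + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return {
        "checksum": opt + 64,                                 # CheckSum, rewritten by the signer
        "cert_entry": cert_entry,                             # Security directory: file offset, size
        "cert_size": _u32(image, cert_entry + 4),
        "size_of_headers": _u32(image, opt + 60),
        "sections": sorted(s for s in sections if s[1]),
    }

def authenticode_hash(image, algo="sha256"):
    """Headers minus CheckSum and the certificate-table entry, then section raw
    data in file order, then any overlay that precedes the certificate table."""
    lay = _layout(image)
    h = hashlib.new(algo)
    h.update(image[:lay["checksum"]])
    h.update(image[lay["checksum"] + 4:lay["cert_entry"]])
    h.update(image[lay["cert_entry"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in lay["sections"]:
        h.update(image[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    overlay = len(image) - hashed - lay["cert_size"]
    if overlay > 0:
        h.update(image[hashed:hashed + overlay])
    return h.hexdigest()

def has_embedded_signature(image):
    return _layout(image)["cert_size"] > 0

def is_known_good(image, allowlist):
    """Assumed stand-in for a catalog lookup: accept only listed image hashes."""
    return authenticode_hash(image) in allowlist

def build_sample_pe(code, checksum=0, cert_blob=b""):
    """Construct a minimal one-section PE32 image (test input, not a real binary)."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    for off, val in ((16, 0x1000), (28, 0x400000), (32, 0x1000), (36, align),
                     (56, 0x2000), (60, align), (64, checksum), (92, 16)):
        struct.pack_into("<I", opt, off, val)   # entry, base, alignments, sizes, CheckSum, dir count
    raw_size = -(-len(code) // align) * align
    if cert_blob:   # the signer fills the Security directory with the blob's offset and size
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         align + raw_size, len(cert_blob))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size, align,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(align, b"\0")
    return headers + code.ljust(raw_size, b"\0") + cert_blob

# Constructed samples: the same stub clean and "signed" (CheckSum set, certificate
# table appended), and a morphed build where the code was shifted by one byte.
CODE = bytes.fromhex("33c0c3")                                       # xor eax, eax ; ret
FAKE_CERT = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\0" * 16     # WIN_CERTIFICATE shell, no PKCS#7
CLEAN = build_sample_pe(CODE)
SIGNED = build_sample_pe(CODE, checksum=0x1234, cert_blob=FAKE_CERT)
MORPHED = build_sample_pe(b"\x90" + CODE, checksum=0x1234, cert_blob=FAKE_CERT)

if __name__ == "__main__":
    print("clean  ", authenticode_hash(CLEAN))
    print("signed ", authenticode_hash(SIGNED), "embedded sig:", has_embedded_signature(SIGNED))
    print("morphed", authenticode_hash(MORPHED))
    print("plain file hashes differ:", hashlib.sha256(CLEAN).digest() != hashlib.sha256(SIGNED).digest())
```

The clean and signed images produce the same Authenticode hash although their bytes differ, while the one-byte shift in the morphed image changes it; any rebuild of the kind the engine performs (moved code, regenerated relocations, imports or section tables) lands inside the hashed region. Inbox Windows drivers such as ndis.sys are normally catalog-signed rather than carrying an embedded signature, so `has_embedded_signature` returning False for them is expected; the catalog lists this same image hash, which is what `is_known_good` stands in for.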