ROPInjector: Using ROP for Polymorphism and

Document technical information

Format pdf
Size 1.6 MB
First found May 22, 2018

Document content analysis

Category Also themed
Language
English
Type
not defined
Concepts
no text concepts found

Persons

Organizations

Places

Transcript

University of Piraeus
Department of Digital Systems
ROPInjector: Using ReturnOriented Programming for
Polymorphism and AV Evasion
G. Poulios, C. Ntantogian, C. Xenakis
{gpoulios, dadoyan, xenakis}@unipi.gr
Objective of this research
• We propose Return Oriented Programming (ROP) as
a polymorphic alternative to achieve AntiVirus (AV)
evasion.

+
1 Portable Executable
1 well-known shellcode
Many different variations
Background
• A malware is a piece of code
• Usually inside a benign executable (Trojan)
– This will be our type of malware
• Can be written in high level language (C/C++,
VB,…)
• BUT as any code, when compiled, an
executable is created (files with extension .exe)
• This executable file includes a set of machine
instructions  Assembly
Antivirus technology
• An AV uses a combination of two methods:
1. Static analysis (i.e., AVs use a database of
signatures of known malware including MD5
hashes and fixed strings).
2. Dynamic analysis (i.e., when the file is
executed, the AV monitors the behavior of the
executable at runtime to detect any
suspicious action).
• Each method has its own advantages and
drawbacks!
Assembly
• 32 bit CPU has many registers:
– eax, ebx, ecx, edx
• Add eax, 1  eax=eax +1
• Sub eax, 1  eax=eax-1
• Mov eax, 4  eax=4
Example 1
Benign executable
Add eax, 1
Add eax, 6
Sub eax, 3
Mov eax, 3
Add eax, 2
Mov ecx, 2
Add ecx, 4
Sub eax, 7
Add eax, 4
Mov eax, 2
Add eax, 10
Mov ebx, 6
Sub eax, 7
Mov eax, 6
Add eax, 6
Malware (detected by AV)
Sub eax, 7
Mov ebx, 6
Add eax, 6
AVs detect it ! But not
all of them!!
Example 2
Benign executable
Malware (detected by AV)
Add eax, 1
Add eax, 6
Sub eax, 3
Mov eax, 3
Add eax, 2
Sub eax, 1
Mov ecx, 2
Add ecx, 4
Sub eax, 7
Add eax, 4
Mov eax, 2
Mov ebx, 6
Code that executes with the correct
sequence the three assembly
instructions
Sub eax, 7
Mov ebx, 6
Add eax, 6
Return
Oriented
Programming
(ROP)!
Example 3
Benign executable
Malware (detected by AV)
Add eax, 1
Add eax, 6
Sub eax, 3
Mov eax, 3
Add eax, 2
Sub eax, 1
Mov ecx, 2
Add ecx, 4
Sub eax, 7
Add eax, 4
Mov eax, 2
Mov ebx, 6
Code to execute with the correct
sequence the three assembly
instructions
Sub eax, 7
Mov ebx, 6
Add eax, 6
Polymorphism!
Our Tool: ROPInjector
Malware shellcode
Benign exe
\xfc\xe8\x89\x00\x00\...
ROPInjector
Carrier exe
ROP’ed shellcode
Why use ROP for AV evasion?
a) We use borrowed code (i.e., ROP gadgets)
 Does Not raise any suspicion!
b) May transform any given shellcode to a
ROP-based equivalent  Generic
c) May use different ROP chain 
Polymorphism
Challenges for our Tool
1. The new resulting PE should evade
AV detection
2. PE should not be
corrupted/damaged
3. The tool should be generic and
automated
Steps of ROPInjector
1. Analyze the shellcode
2. Analyze the benign PE to find ROP chain
3. Transform the shellcode to an equivalent ROP chain
4. Inject into the PE missing instructions (if required)
5. Patch the PE with ROPed shellcode
STEP 1: Shellcode Analysis
• Aims to obtain the necessary information to safely replace
shellcode instructions with gadgets
• For each instruction, ROPInjector likes to know:
– what registers it reads, writes or sets
– what registers are free to modify
– its bitness (a mov al,X or a mov eax,X ?)
– whether it is a branch (jmp, conditional, ret, call)
• and if so, where it lands
– whether it is a privileged instruction (e.g., sysenter, iret)
– whether it contains a VA reference
– whether it uses indirect addressing mode (e.g., mov [edi+4], esi)
STEP 2: Find ROP chain in PE
1. First, find returns of type:
–
ret(n)
or
–
pop regX
jmp regX
or
–
jmp regX
2. Then, search backwards for more candidate gadgets
STEP 3: Transform shellcode to ROP chain
• Initially, it translates shellcode instructions to an
Intermediate Representation (IR).
• Next, it translates the ROP gadgets found in PE to an IR.
• Finally, it provides a mapping between the two IRs
– 1 to 1
or
– 1 to many
STEP 3: Intermediate Representation
IR Type (20 in total)
Semantics
Eligible instructions
ADD_IMM
regA += imm
add r8/16/32, imm8/16/32
add (e)ax/al, imm8/16/32
xor r8/16/32, 0
cmp r8/16/32, 0
inc r8/16/32
test ra32, rb32 (with ra == rb)
test r8/16/32, 0xFF/FFFF/FFFFFFFF
test (e)ax/al, 0xFF/FFFF/FFFFFFFF
or ra32, rb32 (with ra == rb)
MOV_REG_IMM mov regA, imm
.
.
.
mov r8/16/32, imm8/16/32
imul r16/32, r16/32, 0
xor ra8/16/32, ra8/16/32
and r8/16/32, 0
and (e)ax/al, 0
or r8/16/32, 0xFF/FFFF/FFFFFFFF
or (e)ax/al, 0xFF/FFFF/FFFFFFFF
STEP 3: Mapping examples
• 1-1 mapping example
– Shellcode:
mov eax, 0  MOV_REG_IMM(eax, 0)
– Gadget in PE:
and eax, 0
 MOV_REG_IMM(eax, 0)
ret
1 to 1
IR
mapping
• 1-many mapping example
– Shellcode:
add eax, 2  ADD_IMM(eax, 2)
– Gadget in PE:
inc eax
ret
 ADD_IMM(eax, 1)
1 to 2
IR
mapping
STEP 4: Gadget Injection
• If the PE does not include the required ROP gadgets
• By simply injecting ROP gadgets would raise alarms
Statistics (presence of successive ret instructions)
• Therefore, ROPInjector inserts ROP gadgets scattered in a
benign looking way avoiding alarms:
– 0xCC caves in .text section of PEs (padding space left by the linker)
– Often preceded by a ret (due to function epilogue)
STEP 5 : Assemble and patch the ROP
chain into the PE
• Step 5: Insert the code that loads the ROP chain into the stack (mainly
PUSH instructions)
• Step 6 patch the new PE: Extends the .text section (instead of adding
a new one), and, then, repair all RVAs and relocations in the PE.
• ROPInjector includes two different methods to pass control to the
ROPed shellcode
– Run first + delay execution via sleep()
– Run last
STEP 6: PE Patching (2/2)
Run first:
Run last:
NT Header
AddressOfEntryPoint
...
(1)
jmp-to-malware
jmp-to-malware
Previous calls to
Section .text
(2)
(4)
ExitProcess()
/ exit()
Section .text
jmp-to-malware
[malware code]
[replaced code]
jmp-back
(3) sleep()
[malware code]
ExitProcess()
Evaluation
• ROPInjector is implemented in native Win32 C
• Nine (9) 32-bit popular executables
– firefox.exe, java.exe, AcroRd32.exe, cmd.exe,
notepad++.exe and more
• 2 of the most popular Metasploit payloads
– reverse TCP shell
– meterpreter reverse TCP
• VirusTotal
– at the time it employed 57 AVs
Scenarios
• Various combinations
– Original-file (no patching at all)
– ROPShellocode-Exit (ROP’ed shellcode + run last)
– Shellcode-Exit (intact shellcode passed control
+run last)
– ROPShellcode-d20-Exit (ROP’ed shellcode + run
first with delayed execution for 20 secs)
– Shellcode (intact shellcode)
Evasion rate: reverse TCP shell
Original file
ROP-Exit
Exit
ROP-d20
Shellcode
100%
90%
Evasion ratio
80%
70%
60%
50%
40%
AcroRd32.exe
Acrobat.exe
cmd.exe
Rainmeter.exe
firefox.exe
java.exe
wmplayer.exe
nam.exe
notepad++.exe
Evasion rate: meterpreter reverse TCP
Original file
ROP-Exit
Exit
ROP-d20
Shellcode
100%
90%
Evasion ratio
80%
70%
60%
50%
40%
AcroRd32.exe
Acrobat.exe
cmd.exe
Rainmeter.exe
firefox.exe
java.exe
wmplayer.exe
nam.exe
notepad++.exe
Overall evasion results
• 100% most of the times
• 99.31% on average
Original file
ROP-Exit
Exit
ROP-d20
Shellcode
60%
50%
40%
Average evasion ratio
74,33%
70%
83,71%
88,99%
Evasion ratio
80%
99,31%
90%
100%
100%
Enhanced Mitigation Experience Toolkit
• Microsoft's Enhanced Mitigation Experience
Toolkit (EMET) is a freeware security toolkit for
Microsoft Windows .
• It can be used as an extra layer of defense
against malware attacks, after the firewall and
before antivirus software.
• It can be used to detect ROP based exploits.
Thank you!
Questions?

Similar documents

×

Report this document