the remote metamorphic engine
play

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI - PowerPoint PPT Presentation

May 03, 2023 •168 likes •683 views

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / REcon 2016 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl The Remote Metamorphic Engine xor eax, 0

  1. The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / REcon 2016

  2. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl The Remote Metamorphic Engine xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 ‣ Security as undefined expression db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 ‣ Flux binary mutation mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 ‣ Resisting Reverse Engineering xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx ‣ Evading AI machine learning line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] ‣ Artificial Immunity nop nop xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  3. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 { } db 1 dd -1 Security Patterns mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 Division by Zero | Division by Infinity sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx Isolation Randomization line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  4. line46_1: mov ecx, [esp] nop nop The Undefined Expression mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad Security as Undefined & indeterminate expression pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 1 dd 3318121790 db 2 - ∞ ∞ dd 1375432265 = = db 1 dd -1 mov ebx, 92 0 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 Undefined sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf ∞ 0 popad RE Time nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx The Remote mov cl, 0xe9 mov byte [eax], cl Metamorphic xor edx, 0 mov ecx, 0x00000057 Engine mov dword [eax+1], ecx ret

  5. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx The Unbreakable Code mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 Unpredictable db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 un · pre · dict · a · ble db 2 dd 1375432265 db 1 dd -1 mov ebx, 92 adjective:/ ˌə npr əˈ dikt ə b( ə )l/ add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 Likely to change suddenly and without reason jmp ebx line95_2: popf popad nop jmp long line96 and therefore not able to be predicted line95_1: mov eax, [esp] nop nop xor eax, eax (= expected before it happens) xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  6. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret The Breakable Code line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 The Fixed Static Code Problem db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Static Code Dynamic Data dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 Core security weakness in all today’s software add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf popad nop jmp long line96 Enables all sorts of replicable software line95_1: mov eax, [esp] nop nop security exploits xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  7. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 Unpredictable Code Evolution mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 Dynamic Code Dynamic Data dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Code evolution across time dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d Functionality evolution across location add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee Self contained autonomous code add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf popad Unpredictable nop jmp long line96 line95_1: mov eax, [esp] nop nop Self aware xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  8. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl Code Evolution xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 Resisting Reverse Engineering db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 Locate the Code db 2 dd 1375432265 db 1 dd -1 not locatable mov ebx, 92 add eax, ebx mov ebx, eax Remote Execution sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 Analyze the Code sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 Sho ru Lifetime jmp ebx line95_2: popf Flux Mutation popad nop jmp long line96 line95_1: mov eax, [esp] Break the Code nop nop Unbreakable xor eax, eax xor ecx, ecx Self aware xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  9. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl The Remote Metamorphic Engine xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 Remote Flux Mutation db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Tru su ed Zone Untru su ed Zone dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 Remote Mutation Thread/Process add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx Mutation Engine Morphed Code Execution line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax Challenge xor ecx, ecx Response xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret

  10. line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx The Remote Metamorphic Engine mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf Challenge Response Metamorphic Protocol call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 Tru su ed Zone Untru su ed Zone dd 3318121790 db 2 dd 1375432265 Challenge db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d 4 bytes size Code add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 Remote Mutation Thread/Process add eax, 4 sub dword [eax], 0x111111ee add eax, 4 Clock Synced add dword [eax], 0xaaccee22 add eax, 4 Mutation Engine jmp ebx Morphed Code Execution line95_2: popf Response popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx Communication protocol made of morphed clock mov cl, 0xe9 mov byte [eax], cl xor edx, 0 synchronized machine code rather than data mov ecx, 0x00000057 mov dword [eax+1], ecx ret

Recommend

Remote controlled tractor TECHNICAL with attachments SPECIFICATIONS LV300 Green Climber: REMOTE

Remote controlled tractor TECHNICAL with attachments SPECIFICATIONS LV300 Green Climber: REMOTE

Remote controlled tractor TECHNICAL with attachments SPECIFICATIONS LV300 Green Climber: REMOTE CONTROLLED TRACTOR WITH FLAIL Capable of working on 60 slopes Extendable tracks Side-shifting of attachment Engine: EPA - TIER 4 final

219 views • 5 slides
Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition

Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition

Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition Metamorphic rock is the result of the transformation of an existing rock type, the protolith ( parent rock ) , in a process called metamorphism, which means

804 views • 23 slides
Whats New in Alibabas X-DB SQL Engine Min Qiu, Alibaba Group Santa Clara, California |

Whats New in Alibabas X-DB SQL Engine Min Qiu, Alibaba Group Santa Clara, California |

Whats New in Alibabas X-DB SQL Engine Min Qiu, Alibaba Group Santa Clara, California | April 23th 25th, 2018 Agenda Introduction to X-DB Features in X-DB SQL Engine Query Plan Cache Remote Execution Distributed SQL

727 views • 34 slides
Remote Vehicle Interface (RVI) Remote Vehicle Interface (RVI) Travis Johnson Ben Moon 1

Remote Vehicle Interface (RVI) Remote Vehicle Interface (RVI) Travis Johnson Ben Moon 1

Remote Vehicle Interface (RVI) Remote Vehicle Interface (RVI) Travis Johnson Ben Moon 1 Project Goals Project Goals Interface with vehicle using phone or WWW Start / Kill engine Lock / Unlock doors Pop trunk Must provide

396 views • 20 slides
Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4

Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4

Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4 Objectives Metamorphism changes one kind of rock into another kind of rock. Several ways that heat and pressure change rocks. Metamorphic

277 views • 16 slides
RUXCON Courtesy of google images Metamorphic template with

RUXCON Courtesy of google images Metamorphic template with

Oct, 2016 Senior Malware Scientist ,Trend Micro spark@trendmicro.com RUXCON Courtesy of google images Metamorphic template with parameters #1 Original Code

701 views • 43 slides
Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the

Search Engine Optimization What is Search Engine Optimization Search Engine Optimization is the process of improving the visibility of a website on organic ("natural" or un-paid) search engine result pages (SERPs), by incorporating

1.54k views • 35 slides
Metamorphic rocks What is metamorphism? Process by which a rock in a solid state experiences a

Metamorphic rocks What is metamorphism? Process by which a rock in a solid state experiences a

FUNDAMENTALS OF EARTH SCIENCE I FALL SEMESTER 2018 Metamorphic rocks What is metamorphism? Process by which a rock in a solid state experiences a transformation of one or a combination of the following characteristics: Chemical

557 views • 31 slides
MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan

MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan

Introduction System Architecture Evaluations References MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan Huynh, Wu-chang Feng { akshay, buithai, letien, nhhuyng, wuchang } @cs.pdx.edu Portland

913 views • 57 slides
A Revisit of the Integration of Metamorphic Testing and Test Suite Based Automated Program

A Revisit of the Integration of Metamorphic Testing and Test Suite Based Automated Program

A Revisit of the Integration of Metamorphic Testing and Test Suite Based Automated Program Repair Mingyue Jiang 1,2, Tsong Yueh Chen 2, Fei-Ching Kuo 2, Zuohua Ding 1, Eun-Hye Choi 3, Osamu Mizuno 4 1 Zhejiang Sci-Tech University,

465 views • 19 slides
Quantitative Texture Analysis of shells, Palm Canyon mylonites, natural ice, metamorphic

Quantitative Texture Analysis of shells, Palm Canyon mylonites, natural ice, metamorphic

Quantitative Texture Analysis of shells, Palm Canyon mylonites, natural ice, metamorphic amphibolites and SCT-microquartz D. Chateigner - Laboratoire de Cristallographie et Sciences des Matriaux (CRISMAT) - Ecole Nationale Suprieure

943 views • 49 slides
RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

3/31/17 TOPICS 2 RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing: selection, prioritization T est input generation CS580A5 SPRING 2017 Fault localization SUDIPTO GHOSH Automatic program

276 views • 3 slides
Search Engine Research and Color, Design, and Usability CS 115 Computing for the Socio-Techno Web

Search Engine Research and Color, Design, and Usability CS 115 Computing for the Socio-Techno Web

Search Engine Research and Color, Design, and Usability CS 115 Computing for the Socio-Techno Web Instructor: Brian Brubach Announcements Remote project milestone 2 meetings tomorrow Reading for guest speaker on Tuesday Assignment 4

783 views • 31 slides
Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your

Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your

Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your troubleshooting needs ! On Premises Available on cloud Feature Highlights Advanced remote desktop sharing Voice, video and text chat Remote

222 views • 11 slides
Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach

Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach

Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach Sergio Segura 1 , Robert M. Hierons 2 , David Benavides 1 and Antonio Ruiz-Corts 1 1 Department of Computer Languages and Systems, Univesity of

330 views • 28 slides
Reducing Remote Read Footprint Bartek Plotka @bwplotka Getting samples from TSDB /api/v1/query

Reducing Remote Read Footprint Bartek Plotka @bwplotka Getting samples from TSDB /api/v1/query

Reducing Remote Read Footprint Bartek Plotka @bwplotka Getting samples from TSDB /api/v1/query /api/v1/query_range Prometheus PromQL Engine Select() Select() /read Queryable Interface TSDB @bwplotka Remote Read: Response /read

418 views • 13 slides
Metamorphic Testing: A Simple Method for Testing Non-Testable Programs Tsong Yueh Chen

Metamorphic Testing: A Simple Method for Testing Non-Testable Programs Tsong Yueh Chen

Metamorphic Testing: A Simple Method for Testing Non-Testable Programs Tsong Yueh Chen tychen@swin.edu.au Swinburne University of Technology Australia 1 Test Oracle A mechanism or procedure against which the computed outputs could be

1.01k views • 63 slides
Dynamic, Metamorphic (and opensource) Virtual Machines A. Desnos ESIEA - Operational Cryptology

Dynamic, Metamorphic (and opensource) Virtual Machines A. Desnos ESIEA - Operational Cryptology

Introduction Obfuscation Virtual Machines Android/Java appplications Conclusion Dynamic, Metamorphic (and opensource) Virtual Machines A. Desnos ESIEA - Operational Cryptology and Virology Laboratory (CVO) 38 rue des Dr Calmette et Gurin,

1.21k views • 75 slides
1 Mapping Relational Data Model Patterns To The App Engine Datastore Max Ross November 19,

1 Mapping Relational Data Model Patterns To The App Engine Datastore Max Ross November 19,

1 Mapping Relational Data Model Patterns To The App Engine Datastore Max Ross November 19, 2009 1 Agenda App Engine Datastore Basics Soft Schemas Moving To App Engine Leaving App Engine Questions 2 2 3 The App Engine

945 views • 41 slides
Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus

Hunting for Metamorphic By Pter Szr and Peter Ferrie Introduction Polymorphic virus engines resulted in stronger virus scanners. Paper focuses on how virus creators have challenged virus scanners over the past decade. Evolution of

446 views • 16 slides
Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting

Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting

Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting opportunity: with just a few tweaks to your homelife and routine, your productivity and personal well-being can be maximized. This document

324 views • 6 slides
Whats New in Engine Research Whats New in Engine Research Mark Musculus Engine Combustion

Whats New in Engine Research Whats New in Engine Research Mark Musculus Engine Combustion

Whats New in Engine Research Whats New in Engine Research Mark Musculus Engine Combustion Department Combustion Research Facility Sandia National Laboratories, Livermore, Ca Funded by U.S. Department of Energy Program Managers: Gurpreet

682 views • 17 slides
Google App Engine Guido van Rossum Stanford EE380 Colloquium, Nov 5, 2008 Google App Engine

Google App Engine Guido van Rossum Stanford EE380 Colloquium, Nov 5, 2008 Google App Engine

Google App Engine Guido van Rossum Stanford EE380 Colloquium, Nov 5, 2008 Google App Engine Does one thing well: running web apps Simple app configuration Scalable Secure 2 App Engine Does One Thing Well App Engine handles

538 views • 14 slides
EPA 2016 PACCAR MX-11 Engine Month XX, 20XX EPA 2016 PACCAR MX-11 Engine PRESENTERS NAME

EPA 2016 PACCAR MX-11 Engine Month XX, 20XX EPA 2016 PACCAR MX-11 Engine PRESENTERS NAME

EPA 2016 PACCAR MX-11 Engine Month XX, 20XX EPA 2016 PACCAR MX-11 Engine PRESENTERS NAME PRESENTERS POSITION TRADITION OF ENGINE INNOVATION MX, NA PX MX, EU MX 11, EU DD575 PR 1960 1970 1980 1990 2000 2010 2015 Turbo

783 views • 30 slides

More recommend