Polymorphic code/self-modifying code is dead either way when ROP can be used for this purpose: ROP enables polymorphism without requiring a writeable code section in memory.
And also:
"Most antivirus software rely on string signatures and mild behavioral profiling detection mechanisms. By encoding malicious code into its return-oriented equivalent and even by performing elementary permutations (unrolling), the former can be bypassed in the vast majority of cases. Behavioral profiling can also be avoided by carefully intercepting normal execution flow in points that AVs either cannot emulate or simply cannot derive enough evidence to classify the behavior as malicious. In this thesis, we presented as a means to the latter the hooking of common calls to process exit resulting in many cases in absolute evasion and in others rates greater than 98%"
So I mean, what's the point of having the leetest of obfuscators (VMProtect, Themida, et al.) in the first place?
Source: ROPInjector: Using Return Oriented Programming for Polymorphism and Antivirus Evasion (Giorgos Poulios, Christoforos Ntantogian, Christos Xenakis, Department of Digital Systems, University of Piraeus)
Last edited by VirtualRoot; 10-16-2016 at 07:52 AM.
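To make the quoted point concrete, here is an added toy in C (written for this thread, not ROPInjector's code). It simulates a handful of ret-terminated gadgets as plain C functions and a ROP chain as an array of words: a word is either a gadget index (standing in for a gadget address in the host binary) or an operand for a pop gadget. The gadget code never changes between variants; the polymorphism lives entirely in the chain data, which is the reason no writable code section is needed. The gadget set, the chain layout, the xorshift PRNG and the FNV-1a "scanner hash" are all my own assumptions for the simulation; the 0xDEADBEEF constant is a constructed payload value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation for this post, not ROPInjector's code. Gadgets are
 * ordinary C functions standing in for ret-terminated fragments that already
 * exist in a host binary; a chain is an array of words consumed like the
 * stack: a word is either a gadget index (a stand-in for a gadget address)
 * or an operand that a pop gadget consumes. */

typedef struct { uint32_t eax, ebx; const uintptr_t *sp; } cpu_t;

static void g_pop_eax(cpu_t *c) { c->eax = (uint32_t)*c->sp++; } /* pop eax ; ret */
static void g_pop_ebx(cpu_t *c) { c->ebx = (uint32_t)*c->sp++; } /* pop ebx ; ret */
static void g_add(cpu_t *c)     { c->eax += c->ebx; }            /* add eax, ebx ; ret */
static void g_xor(cpu_t *c)     { c->eax ^= c->ebx; }            /* xor eax, ebx ; ret */
static void g_ret(cpu_t *c)     { (void)c; }                     /* ret (padding) */

typedef void (*gadget_fn)(cpu_t *);
enum { G_POP_EAX, G_POP_EBX, G_ADD, G_XOR, G_RET, G_COUNT };
static const gadget_fn GADGETS[G_COUNT] = { g_pop_eax, g_pop_ebx, g_add, g_xor, g_ret };

#define CHAIN_MAX 64
typedef struct { uintptr_t w[CHAIN_MAX]; size_t n; } chain_t;

static void push(chain_t *ch, uintptr_t v) { if (ch->n < CHAIN_MAX) ch->w[ch->n++] = v; }

/* Run a chain: each "ret" pops the next gadget index and transfers to it.
 * The gadget code never changes; only the data in the chain does. */
uint32_t run_chain(const chain_t *ch) {
    cpu_t c = { 0, 0, ch->w };
    const uintptr_t *end = ch->w + ch->n;
    while (c.sp < end) {
        uintptr_t g = *c.sp++;
        if (g >= G_COUNT) return 0xFFFFFFFFu; /* bogus address: a real chain would crash here */
        GADGETS[g](&c);
    }
    return c.eax;
}

/* xorshift32: reproducible randomness, so a seed fully determines the variant */
static uint32_t xs(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* Polymorphic encoder: build a chain that leaves `target` in eax without the
 * value `target` ever appearing in the chain. The seed picks the key, the
 * identity used (add or xor) and how many padding "ret" gadgets sit between
 * instructions, so every seed produces a different byte pattern. */
chain_t encode_const(uint32_t target, uint32_t seed) {
    chain_t ch; memset(&ch, 0, sizeof ch);
    uint32_t key = xs(&seed);
    int use_xor = (int)(xs(&seed) & 1u);
    uint32_t first = use_xor ? (target ^ key) : (target - key);
    uintptr_t body[] = { G_POP_EAX, first, G_POP_EBX, key, use_xor ? G_XOR : G_ADD };
    for (size_t i = 0; i < sizeof body / sizeof body[0]; i++) {
        /* padding may only go before a gadget word, never between a pop and its operand */
        if (i % 2 == 0) for (uint32_t k = xs(&seed) % 3; k; k--) push(&ch, G_RET);
        push(&ch, body[i]);
    }
    return ch;
}

/* What a byte-signature scanner sees: FNV-1a over the raw chain words. */
uint32_t chain_sig(const chain_t *ch) {
    uint32_t h = 2166136261u;
    const unsigned char *p = (const unsigned char *)ch->w;
    for (size_t i = 0; i < ch->n * sizeof ch->w[0]; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Does the literal constant appear anywhere in the chain? (string-signature check) */
int chain_contains_word(const chain_t *ch, uintptr_t v) {
    for (size_t i = 0; i < ch->n; i++) if (ch->w[i] == v) return 1;
    return 0;
}

/* Convenience wrappers: encode with a seed, then run / hash / inspect. */
uint32_t encode_run(uint32_t target, uint32_t seed) { chain_t c = encode_const(target, seed); return run_chain(&c); }
uint32_t encode_sig(uint32_t target, uint32_t seed) { chain_t c = encode_const(target, seed); return chain_sig(&c); }
int encode_leaks(uint32_t target, uint32_t seed) { chain_t c = encode_const(target, seed); return chain_contains_word(&c, target); }

int main(void) {
    uint32_t target = 0xDEADBEEFu; /* constructed payload value */
    for (uint32_t seed = 1; seed <= 3; seed++)
        printf("seed %u: eax=0x%08X sig=0x%08X literal-in-chain=%d\n",
               seed, encode_run(target, seed), encode_sig(target, seed), encode_leaks(target, seed));
    return 0;
}
```

Every seed yields a chain with a different hash and no occurrence of the target constant, yet every chain leaves the same value in eax. That is the "encode into the return-oriented equivalent and permute" idea in miniature: a string signature has nothing stable to match on in the chain, and the only code that executes is code that was already in the host binary. The caveat the thesis itself raises still applies: this does nothing against behavioral profiling, which is why the paper pairs it with hooking the process-exit path.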