evasionbydeoptimization-balci2024


Evasion by De-optimization

by Ege Balci

Phrack Magazine, Issue 71, article 15, 2024

https://phrack.org/issues/71/15.html

Remark
bypassing security products
packer
encoder
AV evasion
Moneta
PE-sieve
obfuscation, obfuscator
arithmetic partitioning
logical inverse
polynomial transformation
logical partitioning
crypter
command and control
exploitation framework
cryptographic cipher
multi-byte encoding schemes
visibility of decoder routines (as detection)
static detection rules
compiler optimization
YARA rule
LEA transform
x86
instruction set
register
compiler toolchain
LLVM
intermediate representation
iced_x86
Rust
EXE
ELF
shared object
DLL
false positive
ROR, SHR, SHL, ROL
gadget
register swapping
xchg
strings
shellcode
linear sweep
depth-first search
PoC
Metasploit
self-modifying code
References
https://github.com/forrest-orr/moneta
https://github.com/hasherezade/pe-sieve
https://github.com/EgeBalci/deoptimizer
https://github.com/hasherezade/pe-sieve/blob/603ea39612d7eb81545734c63dd1b4e7a36fd729/params_info/pe_sieve_params_info.cpp#L179
https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong
https://github.com/EgeBalci/sgn
https://github.com/zeroSteiner/crimson-forge
https://github.com/weak1337/Alcatraz
https://en.wikipedia.org/wiki/Optimizing_compiler
https://monkbai.github.io/files/sp-22.pdf
https://github.com/lifting-bits/mcsema
https://docs.rs/iced-x86/latest/iced_x86/
https://www.strchr.com/x86_machine_code_statistics
http://infoscience.epfl.ch/record/167546/files/thesis.pdf
https://github.com/rapid7/metasploit-framework