Overview
Explore advanced techniques for polymorphism and antivirus evasion using Return Oriented Programming (ROP) in this Black Hat conference talk. Dive into the innovative ROPInjector tool, which transforms shellcode into its ROP equivalent and injects it into non-packed 32-bit Portable Executable (PE) files. Learn about the limitations of current polymorphism methods and how ROP overcomes them by avoiding the need for writeable code sections. Discover the algorithms developed for x86 instruction set analysis and manipulation, and see a demonstration of the ROPInjector tool in action. Examine the evaluation results showing near-complete evasion of antivirus software on VirusTotal. Gain insights into topics such as Borel code, static analysis challenges, CellCode analysis and transformation, and the intermediate representation layer used in the process.
Syllabus
Introduction
ROPInjector
Objectives
Detection
Why use ROP
Borel code
Overview
Encryption
Static Analysis
Challenges
Steps
CellCode Analysis
CellCode Transformation
Intermediate Representation Layer
OnetoOne Mapping
Missing Gadget Example
Final Steps
Code Run
Evaluation
Results
Outcome
Questions
Conclusion
Taught by
Black Hat