Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

“…In more detail, we look up or introduce suitable gadgets in the target DLL for one instruction at a time, and wrap constructs like conditional transfers and API calls with templates. Promoting stack variables to global storage in the design sidesteps difficulties that would emerge here and that are known in the ROP practice, as in general translating stack manipulations may require non-trivial program analyses or the use of a parallel stack [4]. While implementing a fully automated translation goes beyond the scope of proving the effectiveness of Rope in avoiding detection, we believe it is a realistic goal also in light of the recent advances in ROP-based program obfuscation [4,32].…”

“…Hence, we make the Rope loader create another transacted file on a signed Microsoft DLL, add to it any required gadgets using code caves, and embed also the bootstrap component (as a ROP chain or even as a shellcode placed in RX caves) in it 4 . Then we create a section object and duplicate the handle to it.…”

“…Promoting stack variables to global storage in the design sidesteps difficulties that would emerge here and that are known in the ROP practice, as in general translating stack manipulations may require non-trivial program analyses or the use of a parallel stack [4]. While implementing a fully automated translation goes beyond the scope of proving the effectiveness of Rope in avoiding detection, we believe it is a realistic goal also in light of the recent advances in ROP-based program obfuscation [4,32]. Also, capable attackers have already written and released fully-ROP malware in the past [14,9].…”

“…For instance, a solution may look for repeated gadget sequences used to invoke API calls or for the arrangement of typical constants as API call arguments. On the other hand, attackers may experiment with gadgets more complex than the ones we use in Rope, for instance by playing with gadget diversification and dynamically dead code [4]. We observe that in this setting ROP-aware analyses may serve a more general purpose, as the recent availability of systems for encoding whole programs in ROP for obfuscation [4,32] may also encourage threat actors to experiment more with ROP in standalone malware too (e.g., for polymorphism [34]).…”

Rope: Covert Multi-process Malware Execution with Return-Oriented Programming

“…In more detail, we look up or introduce suitable gadgets in the target DLL for one instruction at a time, and wrap constructs like conditional transfers and API calls with templates. Promoting stack variables to global storage in the design sidesteps difficulties that would emerge here and that are known in the ROP practice, as in general translating stack manipulations may require non-trivial program analyses or the use of a parallel stack [4]. While implementing a fully automated translation goes beyond the scope of proving the effectiveness of Rope in avoiding detection, we believe it is a realistic goal also in light of the recent advances in ROP-based program obfuscation [4,32].…”

“…Hence, we make the Rope loader create another transacted file on a signed Microsoft DLL, add to it any required gadgets using code caves, and embed also the bootstrap component (as a ROP chain or even as a shellcode placed in RX caves) in it 4 . Then we create a section object and duplicate the handle to it.…”

“…Promoting stack variables to global storage in the design sidesteps difficulties that would emerge here and that are known in the ROP practice, as in general translating stack manipulations may require non-trivial program analyses or the use of a parallel stack [4]. While implementing a fully automated translation goes beyond the scope of proving the effectiveness of Rope in avoiding detection, we believe it is a realistic goal also in light of the recent advances in ROP-based program obfuscation [4,32]. Also, capable attackers have already written and released fully-ROP malware in the past [14,9].…”

“…For instance, a solution may look for repeated gadget sequences used to invoke API calls or for the arrangement of typical constants as API call arguments. On the other hand, attackers may experiment with gadgets more complex than the ones we use in Rope, for instance by playing with gadget diversification and dynamically dead code [4]. We observe that in this setting ROP-aware analyses may serve a more general purpose, as the recent availability of systems for encoding whole programs in ROP for obfuscation [4,32] may also encourage threat actors to experiment more with ROP in standalone malware too (e.g., for polymorphism [34]).…”

Rope: Covert Multi-process Malware Execution with Return-Oriented Programming

Security-as-a-Service with Cyberspace Mimic Defense Technologies in Cloud

A novel malware detection method based on API embedding and API parameters