Graduate engineer position at the Loria High Security Lab (LHS): see the job offer (in French).
The aim of this project is to build a high security lab at Loria (www.loria.fr) whose purpose is to conduct experiments on computer security.
Contact
Inauguration: coverage of the event

Inauguration of the High Security Lab on July 1st, 2010!
Visit for Loria members on July 2nd, 2010 (morning)
Uncovering self-modifying code

As part of the malware analysis effort of the High Security Lab, researchers work on the analysis and visualization of self-modifying code (SMC). Most malware samples in the wild employ SMC as a polymorphism technique to evade signature-based antivirus products, and it has the additional benefit, from the malware author's point of view, of making static analysis harder.
A first step towards defeating self-modifying code is understanding its behaviour. Our visualization, obtained automatically from an execution trace, considerably speeds up this process. We represent the trace as a graph with the following attributes:
- nodes are code layers: the first one is the static code, every other one is dynamically generated
- edges are relations between layers:
  - plain black edges represent decryption
  - dashed black edges represent simple code generation
  - red edges represent code scrambling (erasing code from memory)
  - green edges represent self-checking
For most normal programs, the resulting graph is a single node with no edges. Unsophisticated malware samples give two nodes joined by a decryption edge:

The real challenge is defeating more sophisticated samples, whose graphs can get really complex, such as this one:

You can see additional graphs online. The tools used are available at http://code.google.com/p/tartetatintools/, and an optimised version will be released for the SSTIC conference.
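To make the node and edge definitions above concrete, here is an added example, written for this page and not code from the tartetatintools project, that turns a small execution trace into the same kind of layer graph and emits it as Graphviz DOT with the page's colour code. The trace format, the layer rule (an instruction belongs to layer k+1 when the layer that last wrote its first byte is layer k) and the way each edge kind is recognised (decryption = bytes read then overwritten in place and later executed; generation = bytes written fresh and later executed; scrambling = a write over bytes that already ran as code; self-checking = a read of bytes that already ran as code) are assumptions of this example, chosen to match the page's description, not necessarily the tool's own rules. The sample trace is constructed by hand.

```python
from collections import defaultdict

# Edge kinds, named after the colours used in the page's graphs
DECRYPT = "decryption"        # plain black: bytes transformed in place, then executed
GENERATE = "generation"       # dashed black: bytes written fresh, then executed
SCRAMBLE = "scrambling"       # red: overwriting code that has already executed
SELFCHECK = "self-checking"   # green: reading code bytes that have already executed

DOT_STYLE = {
    DECRYPT: "color=black",
    GENERATE: "color=black style=dashed",
    SCRAMBLE: "color=red",
    SELFCHECK: "color=green",
}


def build_layer_graph(trace):
    """Turn an execution trace into a layer graph.

    trace: list of (ip, size, reads, writes); the instruction at `ip` is
    `size` bytes long and reads/writes the listed byte addresses in memory.

    Layer rule (assumed for this example): an instruction belongs to layer 0
    if its first byte was never written during the run; otherwise to layer
    k+1, where k is the layer that last wrote that byte.
    """
    last_writer = {}              # byte addr -> (layer, read_before_write)
    read_by = defaultdict(set)    # byte addr -> layers that read its current contents
    executed = {}                 # byte addr -> layer of the code that ran there
    layer_of = {}                 # ip -> layer
    edges = defaultdict(set)      # (src_layer, dst_layer) -> {edge kinds}

    for ip, size, reads, writes in trace:
        # 1. which layer does this instruction belong to?
        if ip in last_writer:
            writer, transformed = last_writer[ip]
            layer = writer + 1
            edges[(writer, layer)].add(DECRYPT if transformed else GENERATE)
        else:
            layer = 0
        layer_of[ip] = layer
        for b in range(ip, ip + size):
            executed[b] = layer

        # 2. reading bytes that already ran as code is a self-check
        for addr in reads:
            if addr in executed:
                edges[(layer, executed[addr])].add(SELFCHECK)
            read_by[addr].add(layer)

        # 3. writing over executed code is scrambling; every write records a
        #    potential new layer and whether the writer read the bytes first
        for addr in writes:
            if addr in executed:
                edges[(layer, executed.pop(addr))].add(SCRAMBLE)
            last_writer[addr] = (layer, layer in read_by[addr])
            read_by[addr].clear()

    return {"layers": layer_of, "edges": dict(edges)}


def to_dot(graph):
    """Render the layer graph in Graphviz DOT using the page's colour code."""
    n_layers = max(graph["layers"].values()) + 1
    lines = ["digraph layers {"]
    for k in range(n_layers):
        label = "layer 0 (static)" if k == 0 else "layer %d" % k
        lines.append('  L%d [label="%s"];' % (k, label))
    for (src, dst), kinds in sorted(graph["edges"].items()):
        for kind in sorted(kinds):
            lines.append('  L%d -> L%d [%s label="%s"];' % (src, dst, DOT_STYLE[kind], kind))
    lines.append("}")
    return "\n".join(lines)


# Constructed trace of a small packer (the decryption loop is simplified to
# one instruction per byte):
#   layer 0 (stub at 0x1000) XOR-decrypts 4 bytes at 0x2000 in place, jumps there
#   layer 1 (0x2000) writes 2 fresh bytes of code at 0x3000, jumps there
#   layer 2 (0x3000) checksums layer 1, then wipes it from memory
SAMPLE_TRACE = [
    (0x1000, 1, [0x2000], [0x2000]),
    (0x1000, 1, [0x2001], [0x2001]),
    (0x1000, 1, [0x2002], [0x2002]),
    (0x1000, 1, [0x2003], [0x2003]),
    (0x1001, 1, [], []),                                 # jmp 0x2000
    (0x2000, 2, [], [0x3000]),
    (0x2002, 2, [], [0x3001]),                           # then jmp 0x3000
    (0x3000, 1, [0x2000, 0x2001, 0x2002, 0x2003], []),   # checksum layer 1
    (0x3001, 1, [], [0x2000, 0x2001, 0x2002, 0x2003]),   # erase layer 1
]

if __name__ == "__main__":
    print(to_dot(build_layer_graph(SAMPLE_TRACE)))
```

Run on the sample trace, the graph has three layers, a plain black decryption edge 0 -> 1, a dashed generation edge 1 -> 2, and both a green self-checking edge and a red scrambling edge 2 -> 1; a trace whose instructions never write to memory that is later executed yields a single node and no edges, as the page says of normal programs.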