Comments (11)
Hello!
First of all... yes, I tried them, of course :D These manipulations are not trivial to create, and less to debug.
Mmmh, so the DOS header extension might also need to change the size of headers defined in the format.
Also, if the sample is packed, you might have problems, as the packer / unpacker routine might do something "fancy" on the file. And also, the dos extension might suffer from not fitting into a memory page (as I discovered later that the header has a maximum size when mapped into memory, but I'm still investigating this).
Try the manipulations with a non-packed file, like compile one hello world yourself (or use a malware that you know it is not packed).
Let me know, maybe I have missed something in the code or in the procedure, thank you for opening this!
from secml_malware.
update:
Thanks for the suggestions!
I did these attacks on unpacked samples. the content shift attack works, but the size of header should remain as original, otherwise the modified file by content shift attack will corrupt.
Have no luck on DOS extension attack.
from secml_malware.
Mmmmmh
How much content you're adding with the DOS extension?
Btw, Content Shift do not require to change the size of headers, as you are not changing the size of any header.
from secml_malware.
tried 512, 1024 to DOS extension. these amount should be multiple of FileAlignment as they will be round up multiple of FileAlignment no matter how many content we defined advance. right?
you are right, the size of headers should keep unchanged for content shift. I did not change the size of headers.
from secml_malware.
Mmmh.
Which sample is that? I would like to investigate a bit!
from secml_malware.
I attached the samples I tested below. Thank you ~!
putty: https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.66.html (the one with 'the SSH and Telnet client itself' under 'Alternative binary files' section)
PEviewer: download from github https://github.com/eastmountyxz/SystemSecurity-ReverseAnalysis
010editor: download from github https://github.com/eastmountyxz/SystemSecurity-ReverseAnalysis
from secml_malware.
Ok, I'll take some time in the future to apply manipulations on them, thank you for the help!
from secml_malware.
First session of debug: I am using calc as test (unpacked sample). Everything work smoothly (both extend and shift).
I am now trying the PEView exe you said. Since I'm paranoid, I've uploaded it on VT just to be sure (since the link you sent me point toward a GitHub repo which is not the official source of PEView).
One AV flagged it as packed, so I'll start investigating (and hence, one of the comments I already posted may apply).
from secml_malware.
Shift attack on PEView is working smoothly. I am using my library for computing, and not by hand.
Extend attack on PEView is working smoothly. Same as before.
I used 512 as payload size.
Did you try to apply adversarial manipulations using the library?
from secml_malware.
Awesome, great to hear you verified extend! Thank you so much for updating!
I did not try the library to apply the adversarial manipulations. I used 010 editor to apply these manipulations by hand.
The reason is, based on my understanding (may wrong), load exe as bytes and save it back to exe, which will corrupt the executability of original exe file. please correct me if I am wrong. (if I am wrong, and this is possible, then it would be great news for me since I am trying to use AV to scan the malware modified by extend or shift attacks (obviously, doing this by hand is infeasible for hundreds of malware))
I am very curious about the way how to verify the extend attack and want to reproduce by myself, I am wondering if you could share the method how you apply the extend attack on PEView or calc.
For the library you mentioned, could you share the specific library, and which function you used? (I am not an expert like you in this area, may ask some easy questions, hope you don't mind, thank you in advance!)
from secml_malware.
Well, I used my library to do so! This library!
There are some tutorials that I wrote, and I think you can pick them up from there.
Also, check if you correctly computed the indexes in the right way (the PE header pointer, summing 4 which is the length of PE00
, summing 20 which is the size of the COFF header... and so on).
I'm closing the issue for now.
from secml_malware.
Related Issues (20)
- How to run lightGBM and SOREL model using secml_malware? HOT 2
- No data preprocessing for SorelNet? HOT 2
- Error while running the sample attack code from blackbox_tutorial.ipynb HOT 4
- real sample generation HOT 5
- can't attack EMBER model HOT 1
- Confidence on Microsoft Malware Classification Challenge HOT 10
- Differences Between WhiteBox Attacks HOT 7
- Adding support for QuoVadis models HOT 2
- AttributeError: 'NoneType' object has no attribute 'dos_header' HOT 4
- No such file or directory: 'secml_malware/data/malware_samples/test_folder' HOT 3
- lightGBM and SOREL model weights? HOT 1
- Support for ensemble models HOT 1
- SOREL ATTACK HOT 1
- CGammaSectionsEvasionProblem attack budget HOT 6
- FGSM Attacking Running for days HOT 1
- Train models HOT 5
- Fix numpy retrocompatibility for CClassifierEmber
- issue installing secml-malware with pip with python 3.12
- Wrong ember prediction
- GAMMA section injections might load sections at random
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secml_malware.