The Latest in IT Security

Malware Manipulates Procedure Prologue and Epilogue to Evade Security


Techniques used by malware developers to evade detection by security software have changed drastically in recent years. Encryption, packers, wrappers, and other methods were effective for various lengths of time. But eventually antimalware programs gained detection techniques to combat these steps.

Malware authors next started frequently changing code and other data; now malware binaries are modified multiple times per day to evade detection. We have discussed some of the most common methods of modifications in previous blogs. Today we’ll talk about the opcode modification of procedure prologue and epilogue sequences. The modification is used by some fake-alert malware.

Modifying Opcode

The opcode modification technique replaces the standard opcodes generated by a compiler with different opcodes-and without changing the outcome of the code.

Prologue and Epilogue

The procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions. The particulars of these sequences depend on the specific compiler used and on the calling conventions. Most functions start with a prologue that sets up a stack frame for the function and ends with an epilogue that clears the stack frame.

Here’s a typical 32-bit Intel architecture assembly-language function prologue:

PUSH EBP          -> Save Base Pointer

MOV EBP,ESP     -> EBP becomes the temporary stack pointer

And here’s a typical epilogue:

POP EBP            -> Recover Base pointer

RET                    -> Return from the function

Next we see a typical and a modified prologue:


Figure 1.1: A typical procedure prologue. 


Figure 1.2: A modified procedure prologue.

Now let’s look at an example of a typical and a modified epilogue:


Figure 2.1: A typical procedure epilogue.


Figure 2.2: A modified procedure epilogue.


Figure 2.3: Another modified procedure epilogue.

The preceding screenshots show standard opcodes generated by the compiler and the modified ones used by fake-alert malware to evade code-based detection. McAfee has complete coverage and detects all variants that use this technique.

Leave a reply


MONDAY, JULY 15, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments