I still don't understand what's the point of these "releases". If you want to execute code without allocating executable memory just implement an interpreter. It's simpler, better, faster, less suspicious, and everyone is already doing it.
You believe packaging an entire interpreter in your application is more stealthy than abusing existing instructions through SEH? I am having trouble seeing how an interpreter would be "simpler" or "less suspicious". Got any public examples?
You can also use a more popular bytecode like WebAssembly with an interpreter like wasm3. Both just need some generic bindings for calling arbitrary OS functionality.
It is also significantly easier to write code for a proper interpreter. Look at the code below and compare it to having to puzzle it together from instructions scattered around a binary.
[image]
I think the big difference here is that packaging an entire interpreter is significantly more vulnerable to common AV techniques like signature scanning. Detecting that a program contains exception handlers is easy, but how would you detect a malicious EOP exception handler?
How would you signature scan such a thing? Most simple interpreters like PawnPP (minus the loader, which can be replaced) are nothing but arithmetic-heavy code. You can simply apply a pass of obfuscator-llvm and it will be wildly different each time, or just change compiler flags.