Conversation

I still don't understand what the point of these "releases" is. If you want to execute code without allocating executable memory, just implement an interpreter. It's simpler, better, faster, less suspicious, and everyone is already doing it.
You believe packaging an entire interpreter in your application is more stealthy than abusing existing instructions through SEH? I am having trouble seeing how an interpreter would be "simpler" or "less suspicious". Got any public examples?
I think the big difference here is that packaging an entire interpreter is significantly more vulnerable to common AV techniques like signature scanning. Detecting that a program contains exception handlers is easy, but how would you detect a malicious EOP exception handler?
How would you signature scan such a thing? Most simple interpreters like PawnPP (minus the loader, which can be replaced) are nothing but arithmetic-heavy code. You can simply apply a pass of obfuscator-llvm and it will be wildly different each time. Or just change compiler flags.
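To make the "just implement an interpreter" side of the thread concrete, here is an added example of the kind of thing the commenters mean. It is not code from this thread, from PawnPP, or from the project being discussed; the opcode encoding, the names `vm_run`, `sum_program` and `underflow_program`, and the fuel/stack limits are all assumptions chosen for the example. The bytecode lives in a `const` array (read-only data), the host executes it with an ordinary `switch` loop, and no memory is ever mapped executable. The second payload shows why the interpreter has to bounds-check everything: bytecode is untrusted input, and an unchecked VM just moves the memory-corruption surface into the host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Opcodes of a toy stack VM (hypothetical encoding, chosen for this example). */
enum {
    OP_HALT = 0x00,                                     /* stop; top of stack is the result      */
    OP_PUSH = 0x01,                                     /* push sign-extended 32-bit LE immediate */
    OP_ADD = 0x02, OP_SUB = 0x03, OP_MUL = 0x04, OP_XOR = 0x05,
    OP_JNZ = 0x06,                                      /* pop; if nonzero, pc += signed int8     */
    OP_DUP = 0x07, OP_SWAP = 0x08, OP_OVER = 0x09, OP_POP = 0x0A
};

#define VM_STACK_MAX 64
#define VM_FUEL      100000UL /* step limit so a looping payload cannot hang the host */

/* Run bytecode from a plain data buffer. Returns 0 and stores the top of the stack
 * in *result on OP_HALT, or -1 on any fault: unknown opcode, stack over/underflow,
 * pc leaving the buffer, or fuel exhausted. Every access is bounds-checked. */
int vm_run(const uint8_t *code, size_t len, int64_t *result)
{
    int64_t stack[VM_STACK_MAX];
    size_t sp = 0, pc = 0;
    for (unsigned long steps = 0; steps < VM_FUEL; steps++) {
        if (pc >= len) return -1;
        uint8_t op = code[pc++];
        int64_t a, b;
        switch (op) {
        case OP_HALT:
            if (sp == 0) return -1;
            *result = stack[sp - 1];
            return 0;
        case OP_PUSH: {
            if (pc + 4 > len || sp >= VM_STACK_MAX) return -1;
            uint32_t imm = (uint32_t)code[pc] | ((uint32_t)code[pc + 1] << 8) |
                           ((uint32_t)code[pc + 2] << 16) | ((uint32_t)code[pc + 3] << 24);
            pc += 4;
            stack[sp++] = (int32_t)imm;
            break;
        }
        case OP_ADD: case OP_SUB: case OP_MUL: case OP_XOR:
            if (sp < 2) return -1;
            b = stack[--sp];
            a = stack[--sp];
            /* unsigned arithmetic: wrap instead of signed-overflow UB */
            if (op == OP_ADD)      a = (int64_t)((uint64_t)a + (uint64_t)b);
            else if (op == OP_SUB) a = (int64_t)((uint64_t)a - (uint64_t)b);
            else if (op == OP_MUL) a = (int64_t)((uint64_t)a * (uint64_t)b);
            else                   a ^= b;
            stack[sp++] = a;
            break;
        case OP_JNZ: {
            if (pc >= len || sp < 1) return -1;
            int8_t rel = (int8_t)code[pc++];
            if (stack[--sp] != 0) {
                if (rel < 0 && (size_t)(-(int)rel) > pc) return -1; /* jump before start */
                pc = (size_t)((int64_t)pc + rel);
            }
            break;
        }
        case OP_DUP:
            if (sp < 1 || sp >= VM_STACK_MAX) return -1;
            stack[sp] = stack[sp - 1]; sp++;
            break;
        case OP_SWAP:
            if (sp < 2) return -1;
            a = stack[sp - 1]; stack[sp - 1] = stack[sp - 2]; stack[sp - 2] = a;
            break;
        case OP_OVER:
            if (sp < 2 || sp >= VM_STACK_MAX) return -1;
            stack[sp] = stack[sp - 2]; sp++;
            break;
        case OP_POP:
            if (sp < 1) return -1;
            sp--;
            break;
        default:
            return -1;
        }
    }
    return -1; /* out of fuel */
}

/* Constructed sample payload: sums 1..10 with a loop (stack layout: acc i). */
const uint8_t sum_program[] = {
    OP_PUSH, 0, 0, 0, 0,                 /* 0:  acc = 0                    */
    OP_PUSH, 10, 0, 0, 0,                /* 5:  i = 10                     */
    OP_SWAP, OP_OVER, OP_ADD, OP_SWAP,   /* 10: acc += i                   */
    OP_PUSH, 1, 0, 0, 0, OP_SUB,         /* 14: i -= 1                     */
    OP_DUP, OP_JNZ, 0xF3,                /* 20: if i != 0 goto 10 (rel -13) */
    OP_POP, OP_HALT                      /* 23: drop i, return acc         */
};
/* Constructed malformed payload: ADD on an empty stack must fault, not crash. */
const uint8_t underflow_program[] = { OP_ADD, OP_HALT };

int64_t run_sum_program(void)   /* 55 on success, -1 on fault */
{
    int64_t r = -1;
    return vm_run(sum_program, sizeof sum_program, &r) == 0 ? r : -1;
}
int run_underflow_program(void) /* vm_run status: expected -1 */
{
    int64_t r = 0;
    return vm_run(underflow_program, sizeof underflow_program, &r);
}

int main(void)
{
    printf("sum_program -> %lld\n", (long long)run_sum_program());
    printf("underflow_program -> %s\n", run_underflow_program() == 0 ? "ok" : "fault");
    return 0;
}
```

Build with `cc -std=c11 -Wall -o vm vm.c`. Nothing here calls `mmap`, `mprotect` or `VirtualAlloc`; the payload is a byte array and the "execution" is the dispatch loop, which is what the last comment means by arithmetic-heavy code that an obfuscator pass or a change of compiler flags reshapes. The fuel counter and the stack and jump checks are the part a real deployment would keep: without them a crafted payload hangs the host or writes past `stack`.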