Conversation

I still don't understand what's the point of these "releases". If you want to execute code without allocating executable memory just implement an interpreter. It's simpler, better, faster, less suspicious, and everyone is already doing it.
2
6
You believe packaging an entire interpreter in your application is more stealthy than abusing existing instructions through SEH? I am having trouble seeing how an interpreter would be "simpler" or "less suspicious". Got any public examples?
2
1
It's possible to create a VM in raw assembly that's as little as a few hundred bytes. Furthermore, IMO it's fair to say that an application single stepping its own instructions isn't a common occurrence. Might be more reasonable if you did this in another process using the debug API.
1
1
I'd be interested to hear more on the latter. How would you detect an application single stepping legitimate instructions if it is done with SEH exception handling? (Keeping in mind realistic factors like maintaining performance.)
2
Simply register a pair of VEH exception and continuation handlers. You'll see a pattern of single step exceptions thrown, followed by a continue with a modified RIP. I can't come up with a single legitimate use case that would result in this pattern.
1
1
Two things: 1. Registering a VEH exception handler and checking every single exception to detect a pattern of single steps could cause significant performance issues if you perform that system-wide. 2. A legitimate use case here would be a debugger single stepping through an app.
3
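The detection heuristic sketched in the two posts above (a paired VEH exception/continue handler observing single-step exceptions that resume at a modified RIP, versus a debugger that steps but leaves RIP alone), written out as an added, constructed example that is not from any participant. It models the handler's view as plain event records; the field names, thresholds and sample addresses are assumptions, not Windows structures.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

EXCEPTION_SINGLE_STEP = 0x80000004  # STATUS_SINGLE_STEP, the trap-flag exception code


@dataclass(frozen=True)
class ExceptionEvent:
    """One exception as a paired VEH exception handler + continue handler would see it (model)."""
    thread_id: int
    code: int
    exception_address: int  # ExceptionRecord.ExceptionAddress: where the trapped thread stopped
    resume_rip: int         # CONTEXT.Rip when the continue handler runs: where it actually resumes


def is_redirected_single_step(ev: ExceptionEvent) -> bool:
    """A single-step whose resume address differs from the faulting address had its RIP rewritten."""
    return ev.code == EXCEPTION_SINGLE_STEP and ev.resume_rip != ev.exception_address


def find_suspicious_threads(events, window: int = 8, threshold: int = 4) -> set:
    """Flag threads where >= `threshold` of their last `window` single-steps resumed at a modified RIP.

    A debugger stepping a process produces single-steps too, but it resumes at the
    unmodified address, so those events count toward the window without raising it.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    flagged = set()
    for ev in events:
        if ev.code != EXCEPTION_SINGLE_STEP:
            continue  # other exception codes are irrelevant to this pattern
        hist = history[ev.thread_id]
        hist.append(is_redirected_single_step(ev))
        if sum(hist) >= threshold:
            flagged.add(ev.thread_id)
    return flagged


BASE = 0x7FF6_1000_0000  # constructed code address, not from any real binary
SAMPLE_EVENTS = (
    # thread 1: a debugger single-stepping six instructions, RIP untouched each time
    [ExceptionEvent(1, EXCEPTION_SINGLE_STEP, BASE + 3 * i, BASE + 3 * i) for i in range(6)]
    # thread 2: self-stepping with each continue redirected to a different address
    + [ExceptionEvent(2, EXCEPTION_SINGLE_STEP, BASE + 0x100 + 3 * i, BASE + 0x400 + 0x20 * i) for i in range(6)]
    # thread 3: an unrelated access violation (0xC0000005), ignored by the heuristic
    + [ExceptionEvent(3, 0xC0000005, BASE + 0x900, BASE + 0x900)]
    # thread 4: one redirected single-step, below the threshold
    + [ExceptionEvent(4, EXCEPTION_SINGLE_STEP, BASE + 0xA00, BASE + 0xB00)]
)

if __name__ == "__main__":
    print(find_suspicious_threads(SAMPLE_EVENTS))  # {2}
```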
1. Adding a few cycles of checking on something that already is one of the most costly actions and is ideally not a common occurrence shouldn't cause any performance degradation even performed system wide.
1
2
Adding cycles to every single exception is a perf. hit I haven't seen any AV take. The only way to tell if the perf. hit is negligible is if we see AV apply this approach in the wild. If there really is negligible performance hit, AV should implement that detection, right?
1
Many AVs already implement entire x86 emulators for initial heuristic checking, and what you're doing would probably look sus af. Also, they could very well be already watching exceptions and their outcomes with ETW. I never checked because honestly I don't really care about them.
If you know of an AV that can emulate SEH unwinding, I would be extremely impressed. I have not seen any AV hook into exceptions at all, but I am happy to be wrong on this if we see AV implement such detections in the future.
1