Presented at
Texas Cyber Summit 2019,
Oct. 12, 2019, 1 p.m.
(60 minutes).
PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode as input. Next, it transforms the shellcode into individual pieces of independent code that can be connected via jumps and calls and then converts the transformed code back into individual collection of bytes. These collections are then injected into appropriate locations in the .text section of the PE file. After injection, PErfidious performs all the recalculations required to incorporate the changes in the .text section. This makes sure that all the regular traces of code injection are gotten rid of. The only way for the endpoint detection system to verify that the program was injected is to calculate or read the hash/checksum of the PE file and compare it with the has/checksum provided by the original author of the benign application that was injected by us.
Apart from being a tool, PErfidious is also a Python3 library that can be used for inspecting, dissecting and injecting PE files. It extracts every data structure inside a PE file and convert it into an editable class file with appropriately nested subclasses(it even outputs the entire structure in XML so that a user can develop web applications around it). It aims at being a modern and extensible replacement for pefile package and the go-to library for working with anything related to PE32/PE32+/DLL type files.
Presenters:
-
Shreyans Doshi
- Cybrary, Inc
Shreyans Devendra Doshi is a Cybersecurity Graduate Student at the University of Maryland, College Park. He has previously worked as a Malware Research Intern at Cybrary Inc., where he started developing PErfidious and researched other techniques that can be used to bypass modern endpoint detection systems. He has also previously worked as a teaching assistant for a graduate course on Big Data Analytics and as a research intern with the Department of Science and Technology, Government of India. His main areas of interests are reverse-engineering, malware analysis, exploit development and intersection between software security and machine learning.
Links:
Similar Presentations: