Open Access
Transforming malicious code to ROP gadgets for antivirus evasion
Author(s) - Ntantogian Christoforos, Poulios Georgios, Karopoulos Georgios, Xenakis Christos
Publication year - 2019
Publication title - IET Information Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2018.5386
Subject(s) - executable, malware, computer science, evasion (ethics), obfuscation, computer security, software, code (set theory), cryptovirology, programming language, operating system, immune system, set (abstract data type), immunology, biology
This study advances research in offensive technology by proposing return-oriented programming (ROP) as a means to achieve code obfuscation. The key inspiration is that ROP's unique structure poses various challenges to malware analysis compared to traditional shellcode inspection and detection. The proposed ROP-based attack vector provides two unique features: (i) the ability to automatically analyse a given piece of code and generate an equivalent ROP chain for it, and (ii) the ability to reuse legitimate code found in an executable in the form of ROP gadgets. To this end, a software tool named ROPInjector was developed which, given any piece of shellcode and any legitimate executable file, transforms the shellcode into its ROP equivalent by reusing the code available in the executable, and finally patches the ROP chain into the executable, infecting it. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly all, and in some cases all, of the antivirus software employed by the online VirusTotal service, making ROP an effective ingredient for code obfuscation. This attack vector poses a serious threat which malicious actors can take advantage of to perform cyber-attack campaigns.