NOD32 10.0 HIPS Test (Catastrophic failure)
<blockquote data-quote="tim one" data-source="post: 579269" data-attributes="member: 25920"><p>Speaking of general HIPS detection, for example, we can have a specific common encrypted malcode that automatically decrypts itself on the HDD.</p><p>This malware can perform an array of bytes (a simple JMP) in a memory segment and the executable reads the encrypted file and stores it in a buffer. At this point, the buffer is decrypted by jumping to the address pointed to by the buffer, to run the decrypted code.</p><p></p><p>But yes, the virtual address does not match, for example, we admit the first instruction of the malware in the buffer, the CPU jumps to the instruction at the address but at that address there is already an instruction of the executable.</p><p></p><p>Sure, to bypass this problem is complicated for malware, but many samples change the virtual address of the decrypted code with the related address by setting the registry "code base" to the address pointed to by the buffer.</p><p></p><p>In this case, many HIPS do not detect this behavior.</p></blockquote>