The downside of current polymorphism techniques lies to the fact that they require a writeable code section, either marked as such in the corresponding Portable Executable (PE) section header, or by changing permissions during runtime. Both approaches are identified by AV software as alarming characteristics and/or behavior, since they are rarely found in benign PEs unless they are packed. In this paper we propose the use of Return-Oriented Programming (ROP) as a new way to achieve polymorphism and evade AV software. To this end, we have developed a tool named ROPInjector which, given any piece of shellcode and any non-packed 32-bit Portable Executable (PE) file, it transforms the shellcode to its ROP equivalent and patches it into (i.e. infects) the PE file. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly and completely all antivirus software employed in the online VirusTotal service. The main outcome of this research is: A) the developed algorithms for analysis and manipulation of assembly code on the x86 instruction set, and B) the release and demonstration of the ROPInjector tool.
Giorgos Poulios obtained both his B.Sc degree in Digital Systems (2011) and M.Sc degree in Security of Digital Systems (2013) from the Department of Digital Systems of University of Piraeus. Currently, he is a Researcher at the same department. His research interests lie in the field of Software exploitation, machine learning and Intrusion Detection Systems.
Dr. Christoforos Ntantogian received his B.Sc. degree in Computer Science and Telecommunications in 2004 and his M.Sc. degree in Computer Systems Technology in 2006 both from the Department of Informatics and Telecommunications, University of Athens. In 2009, he received his PhD from the University of Athens (Department of Informatics and Telecommunications). Currently, he is a research associate at the Department of Digital Systems of the University of Piraeus. His research interests are software security, digital forensics and data analytics.
Professor Christos Xenakis received his B.Sc degree in computer science in 1993 and his M.Sc degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his Ph.D. from the University of Athens (Department of Informatics and Telecommunications). From 1998 2001 he was with a Greek telecoms system development firm, where he was involved in the design and development of advanced telecommunications subsystems. From 1996 2007 he was a member of the Communication Networks Laboratory of the University of Athens. Since 2007 he is a faculty member of the Department of Digital Systems of the University of Piraeus, Greece, where currently is an Associate Professor and member of the System Security Laboratory. He has participated in numerous projects realized in the context of EU Programs (ACTS, ESPRIT, IST, AAL, DGHOME, Marie Curie, Horizon2020) as well as National Programs (Greek). He is the project manager of the ReCRED project funded by Horizon2020 and his research interests are in the field of systems, networks and applications security.