Sunk
February 8th, 2013, 13:38
Can anyone explain what the below blog post means?
Wrap an executable into a python script? Insert (the script?) into a good executable? So they get the opcodes from the malware, and then somehow insert those opcodes into a good program? Is that the same as meterpreter templates?
"Straight" export a program to a Python array? They mean put the opcodes from the malware into a python script, and compile the script into a .exe?
Quote:
The evasion technique is pretty simple, wrap the executable into a python script (you can also use perl and Ruby) then insert it into a good executable or export to a new one. Poison Ivy - Straight export to Python Array. Pretty sad that it worked actually. This is where I had hoped to create some alerts that I would have had to suppress. ... http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results