Currently, HaboMalHunter uses the file command's output to check whether the target is executable here. However, the file command would regard any executable compiled with PIE as a shared object.
That means HaboMalHunter would not run dynamic analysis for any malware compiled with PIE.
Example
Following are two executables built from the same source code, compiled with and without the "-no-pie" flag.
ZhangZhuoSJTU changed the title from "Any Malware Compiled with PIE would Evasion from Dynamic Analysis" to "Any Malware Compiled with PIE would Evade Dynamic Analysis" on Jul 1, 2019
Compiled with PIE (pie.zip)

```
$ gcc test.c -o pie
$ file pie
pie: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=1d677eb3a12c5b5fe6d135fe815efde29474e5ad, not stripped
```

Analysis result of Habo is available here.
Compiled without PIE (nopie.zip)

```
$ gcc test.c -no-pie -o nopie
$ file nopie
nopie: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=701f6befacfc89af3debea2ce2bfa4c3a74bb371, not stripped
```

Analysis result of Habo is available here.
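The root cause in the two `file` outputs above is that a PIE binary has `e_type == ET_DYN` in its ELF header, exactly like a shared library, so any check that keys on the word "executable" in `file` output will drop PIE samples. The following is an added example, not HaboMalHunter's own code, of how a sandbox can decide executability from the ELF header itself: `ET_EXEC` is a classic executable, and an `ET_DYN` object that carries a `PT_INTERP` program header (the dynamic loader path, which the `interpreter /lib64/...` part of the `file` output reflects) is a PIE executable rather than a plain `.so`. The `build_elf64` helper and the sample headers it produces are constructed test fixtures, not real binaries.

```python
import struct

# Added example (not HaboMalHunter's own code): classify an ELF file from its
# header instead of trusting `file` output, which prints "shared object" for
# PIE binaries because their e_type is ET_DYN.

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header type holding the dynamic loader path


def classify_elf(data: bytes) -> str:
    """Return 'executable', 'pie-executable', 'shared-object' or 'not-elf'."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return "not-elf"
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    if data[4] == 2:                        # EI_CLASS: 2 = ELF64
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    elif data[4] == 1:                      # EI_CLASS: 1 = ELF32
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    else:
        return "not-elf"

    if e_type == ET_EXEC:
        return "executable"                 # classic, non-PIE binary
    if e_type != ET_DYN:
        return "not-elf"                    # ET_REL, ET_CORE, ...: not runnable targets

    # ET_DYN covers both PIE executables and shared libraries. A PIE produced
    # by gcc carries a PT_INTERP segment; a plain .so does not. Walk the
    # program header table (bounds-checked, so truncated files cannot crash us).
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        (p_type,) = struct.unpack_from(endian + "I", data, off)  # p_type is first in both classes
        if p_type == PT_INTERP:
            return "pie-executable"
    return "shared-object"


def is_executable(data: bytes) -> bool:
    """Accept both classic and PIE executables as dynamic-analysis targets."""
    return classify_elf(data) in ("executable", "pie-executable")


def build_elf64(e_type: int, p_types) -> bytes:
    """Constructed fixture: a minimal little-endian x86-64 ELF64 header followed
    by one 56-byte program header per entry in p_types (not a loadable binary)."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELF64, LSB, ELF version 1
    # e_type, e_machine(62 = x86-64), e_version, e_entry, e_phoff(64), e_shoff,
    # e_flags, e_ehsize(64), e_phentsize(56), e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(p_types), 64, 0, 0)
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


if __name__ == "__main__":
    PT_LOAD, PT_DYNAMIC = 1, 2
    samples = {
        "nopie-like": build_elf64(ET_EXEC, [PT_LOAD, PT_INTERP]),
        "pie-like": build_elf64(ET_DYN, [PT_INTERP, PT_LOAD, PT_DYNAMIC]),
        "library-like": build_elf64(ET_DYN, [PT_LOAD, PT_DYNAMIC]),
    }
    for name, blob in samples.items():
        print(f"{name:13s} {classify_elf(blob):15s} run_dynamic={is_executable(blob)}")
```

Two caveats for anyone adopting this check: a static-PIE binary has `ET_DYN` but no `PT_INTERP` (the authoritative marker there is the `DF_1_PIE` bit in `DT_FLAGS_1`, which requires parsing the dynamic segment), and newer releases of `file` already print "pie executable" for such samples, so a string match on `file` output must at least accept that wording as well.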