Advanced antivirus evasion techniques
In this thesis we examine the use of Return-Oriented Programming (ROP), combined with other practices, for local antivirus evasion, i.e. evading detection of infected executables on disk. ROP is treated as a polymorphism alternative to crypters and packers. The software product of this work is a tool written in Win32 C which, given any piece of shellcode and any non-packed 32-bit Portable Executable (PE) file, transforms the shellcode into its ROP equivalent and patches it into (i.e. infects) the PE file. After trying various combinations of evasion techniques, the results show that certain methods evade nearly or completely all antivirus engines employed by the online VirusTotal service. From a theoretical standpoint, the main outcomes of this research are a) algorithms for the analysis and manipulation of assembly code on the x86 instruction set (up to and excluding SSE), and b) the highlighting of common antivirus software weaknesses.
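The core of "transforming shellcode into its ROP equivalent" is gadget discovery plus instruction-to-chain translation, and the reason it works as polymorphism is that the PE file then carries only addresses and immediates rather than the original opcodes. The following is an added example written for this page, not the thesis tool's code: it scans a constructed byte buffer (assumed to be a code section mapped at the hypothetical address 0x00401000) for `pop r32; ret` gadgets, translates `mov reg, imm32` into a chain, and runs the chain through a minimal ret-driven interpreter to confirm the register state matches the original instruction. Only single-byte opcodes (nop, pop r32, ret) are modelled; a real tool must use a full x86 decoder and honour section alignment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample "code section" bytes (not taken from any real PE).
 * Only single-byte opcodes are modelled: nop (0x90), pop r32 (0x58+r), ret (0xC3). */
static const uint8_t g_code[] = {
    0x90, 0x90,         /*  0: nop; nop                               */
    0x58, 0xC3,         /*  2: pop eax; ret                           */
    0x33, 0xC0, 0xC3,   /*  4: xor eax,eax; ret (two-byte opcode)     */
    0x5B, 0xC3,         /*  7: pop ebx; ret                           */
    0x59, 0xC3,         /*  9: pop ecx; ret                           */
    0x5A, 0x90,         /* 11: pop edx; nop  (no usable ret follows)  */
    0xC3,               /* 13: lone ret                               */
};
#define CODE_BASE 0x00401000u   /* assumed virtual address of the section start */

/* Offset of a "pop r32; ret" gadget for register index reg (0=eax .. 7=edi), or -1.
 * pop r32 is encoded as 0x58 + reg; the gadget must be immediately followed by ret. */
long find_pop_ret(const uint8_t *code, size_t len, int reg) {
    if (reg < 0 || reg > 7 || len < 2) return -1;
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == (uint8_t)(0x58 + reg) && code[i + 1] == 0xC3)
            return (long)i;
    return -1;
}

/* Translate "mov reg, imm32" into its ROP equivalent: [gadget VA, imm32].
 * Appends two dwords to chain (which holds n dwords); returns the new length or -1. */
long rop_mov_imm(uint32_t *chain, size_t n, int reg, uint32_t imm) {
    long off = find_pop_ret(g_code, sizeof g_code, reg);
    if (off < 0) return -1;
    chain[n++] = CODE_BASE + (uint32_t)off;
    chain[n++] = imm;
    return (long)n;
}

typedef struct { uint32_t r[8]; } cpu_t;   /* eax, ecx, edx, ebx, esp, ebp, esi, edi */

/* Minimal ret-driven interpreter over g_code: chain[0] is the first gadget address,
 * the remaining dwords are popped as data or as the next return address.
 * Returns 0 when the chain is consumed cleanly, -1 on a bad address or unmodelled opcode. */
int rop_execute(const uint32_t *chain, size_t n, cpu_t *cpu) {
    if (n == 0) return -1;
    size_t sp = 0;
    uint32_t pc = chain[sp++];
    for (int steps = 0; steps < 1000; steps++) {
        if (pc < CODE_BASE || pc - CODE_BASE >= sizeof g_code) return -1;
        uint8_t op = g_code[pc - CODE_BASE];
        if (op == 0x90) {
            pc++;                                   /* nop */
        } else if (op >= 0x58 && op <= 0x5F) {
            if (sp >= n) return -1;                 /* pop with empty stack */
            cpu->r[op - 0x58] = chain[sp++];
            pc++;
        } else if (op == 0xC3) {
            if (sp >= n) return 0;                  /* ret with nothing left: chain done */
            pc = chain[sp++];
        } else {
            return -1;                              /* opcode not modelled here */
        }
    }
    return -1;                                      /* runaway chain */
}

int main(void) {
    uint32_t chain[8];
    long n = rop_mov_imm(chain, 0, 0, 0x41414141u);      /* mov eax, 0x41414141 */
    if (n >= 0) n = rop_mov_imm(chain, (size_t)n, 3, 0x42424242u); /* mov ebx, 0x42424242 */
    if (n < 0) { puts("no gadget"); return 1; }
    for (long i = 0; i < n; i++) printf("chain[%ld] = 0x%08x\n", i, chain[i]);
    cpu_t cpu = {{0}};
    if (rop_execute(chain, (size_t)n, &cpu) == 0)
        printf("eax=0x%08x ebx=0x%08x\n", cpu.r[0], cpu.r[3]);
    return 0;
}
```

Note that the chain contains no `mov` opcode at all, only addresses inside the host's own code and the immediates, which is what defeats signatures written against the original shellcode bytes; the immediates themselves (and the gadget addresses, once the file is known) are still signaturable, which is why the thesis combines ROP with further techniques.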