ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Signature Question
al968


Joined: 24 Feb 2007
Posts: 37
Hello,

I was looking in the signature files in ClamWin when I saw that many signatures had EP+n (where n is a number),
so I looked in the ClamWin signature guide, but the explanation that was given did not make much sense to me. Would anyone mind clarifying its purpose?

Thanks

Al968
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
In some signatures, the "EP + a number" refers to the entry point plus a certain number of bytes. It is used in the *.ndb extended signatures for Windows PE (portable executable) files--the standard Windows file type.

Regards,
al968


Joined: 24 Feb 2007
Posts: 37
Thank you, but actually that's pretty much what it said in the PDF I read.
I would like the translation in standard English.

Thanks

Al968
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
The entry point in the program/application is where processing starts, so in this case, the signature is at the entry point plus a certain indicated number of bytes.

Regards,
al968


Joined: 24 Feb 2007
Posts: 37
ok, very helpful
So if I understand correctly, there is no point in using EP+0, is that right?

Thanks

Al968
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
EP+0 would take you back to the entry point, which is valid.

Regards,
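As an added worked example of what the EP+n offset in an .ndb line means (this is not ClamWin's or ClamAV's code, and not from any poster in this thread): the script below builds a constructed, minimal 32-bit PE image, resolves the entry point RVA from the PE headers to a file offset through the section table, and then checks .ndb signature lines whose offsets are EP+n, EP-n, an absolute number, EOF-n or * against that image. Only plain hex bytes and the ?? byte wildcard are supported in the hex part; the sample bytes, the signature names and the layout of the constructed image are assumptions made for the demonstration.

```python
import struct


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal PE32 image with one .text section.
    It is not a real program; it exists only so the checks run offline."""
    filler = b"\x90" * 16                        # 16 NOPs before the entry point
    code = (bytes.fromhex("558bec83ec10e8")      # push ebp / mov ebp,esp / sub esp,10h / call ...
            + b"\x11\x22\x33\x44"                # call target (arbitrary rel32)
            + bytes.fromhex("c9c3"))             # leave / ret
    text = filler + code
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header sits at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)      # AddressOfEntryPoint (RVA), 16 bytes into .text
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       0x200, 0, 0, 0, 0, 0x60000020)  # VA 0x1000 -> raw offset 0x200
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + text


def pe_entry_point_offset(data: bytes) -> int:
    """Translate AddressOfEntryPoint (an RVA) into a file offset. EP+n is
    counted from this offset, not from the start of the file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sect = opt + opt_size
    for i in range(nsect):                       # find the section that holds the EP
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return rawptr + (ep_rva - vaddr)
    raise ValueError("entry point not inside any section")


def parse_pattern(hexsig: str):
    """Hex signature -> list of byte values, None for a ?? wildcard byte.
    Nibble wildcards, {n} gaps and * inside the hex part are not handled here."""
    if len(hexsig) % 2:
        raise ValueError("odd-length hex signature")
    return [None if hexsig[i:i + 2] == "??" else int(hexsig[i:i + 2], 16)
            for i in range(0, len(hexsig), 2)]


def parse_ndb(line: str):
    """MalwareName:TargetType:Offset:HexSignature (trailing fields ignored)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, parse_pattern(hexsig)


def resolve_offset(spec: str, data: bytes, ep_off):
    """Map an .ndb offset field to a file position; None means 'anywhere'."""
    if spec == "*":
        return None
    if spec.startswith("EP+") or spec.startswith("EP-"):
        if ep_off is None:
            raise ValueError("EP offsets need a PE target")
        return ep_off + int(spec[2:])            # int("+5") / int("-16") keep the sign
    if spec.startswith("EOF-"):
        return len(data) - int(spec[4:])
    return int(spec)                             # absolute offset from start of file


def matches_at(data: bytes, pattern, pos: int) -> bool:
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def scan(data: bytes, sig) -> bool:
    """True if the signature hits this file at the position its offset field names."""
    name, target, offset, pattern = sig
    ep_off = None
    if target == 1:                              # target type 1 = PE (0 = any file)
        if data[:2] != b"MZ":
            return False
        ep_off = pe_entry_point_offset(data)
    pos = resolve_offset(offset, data, ep_off)
    if pos is None:
        return any(matches_at(data, pattern, i) for i in range(len(data)))
    return matches_at(data, pattern, pos)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("entry point file offset: 0x%x" % pe_entry_point_offset(sample))
    for line in ("Sample.EP0:1:EP+0:558bec83ec10",       # bytes exactly at the EP
                 "Sample.EP6:1:EP+6:e8????????c9c3",     # 6 bytes past the EP, rel32 wildcarded
                 "Sample.Off:1:EP+1:558bec",             # wrong offset, same bytes: no hit
                 "Sample.EOF:1:EOF-2:c9c3"):
        print(line, "->", scan(sample, parse_ndb(line)))
```

EP+0 is simply the entry point itself, so a signature with that offset is anchored to the first bytes the CPU will execute; EP+n moves the anchor n bytes forward. The distinction matters because the bytes at EP+0 are often the compiler's startup stub, while EP+n lets you anchor on something further in without paying for a whole-file (*) search.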
b0ne


Joined: 26 Oct 2006
Posts: 174
al968 wrote:
So if I understand correctly, there is no point in using EP+0, is that right?


If you've found a quality signature that occurs at the entrypoint, then it is feasible to use EP+0. However, if you are familiar with compiled programming languages like C, C++, and Pascal, the entrypoint is supplied by the compiler and is usually standard code for that version of the compiler.

For instance, this code
Code:

#include <stdio.h>   /* puts() */

int main(int argc, char *argv[])
{
    puts("Hello world");
    return 0;
}


If compiled by Visual Studio, the entrypoint will be pointing to a function inside of the C runtime called "tmainCRTStartup", which in turn calls your "main" function. So it is atypical to see malware directly at the entrypoint.
Christoph


Joined: 11 Jul 2007
Posts: 6
b0ne wrote:
So it is atypical to see malware directly at the entrypoint.


You couldn't be more wrong.
b0ne


Joined: 26 Oct 2006
Posts: 174
Christoph wrote:
You couldn't be more wrong.


Atypical doesn't mean never. I work on malware daily and can say with fair certainty, aside from counting packers as malware, when referencing the ORIGINAL entrypoint, it is typically MSVC startup code.

Yes some malware decides to redirect the entrypoint to their own code, however, in most instances today they do not.
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
I think EPO manipulation (or any method of obfuscation) depends upon the skill level of the malware writer, or whatever "script" or tools he/she is working with, and where the malware is going to be planted/used.

Regards,
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
If you are a malware writer without really good skills, you rely upon packing rather than EPO. If you see less entry point obscuring, it's because of that. There are also fads, in malware, as in anything else.

Regards,