Signature Question

al968
Joined: 24 Feb 2007
Posts: 0
Posted: Tue Sep 04, 2007 11:17 pm
Hello,
I was looking in the signature files in ClamWin when I saw that many signatures had EP+n (for n equal to a number),
so I looked in the ClamWin signature guide, but the explanation that was given did not make much sense to me. Would anyone mind clarifying its purpose?
Thanks
Al968

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Sep 05, 2007 12:40 am
In some signatures, the "EP + a number" refers to the entry point plus a certain number of bytes. It is used in the *.ndb extended signatures for Windows PE (portable executable) files--the standard Windows file type.
Regards,

al968
Joined: 24 Feb 2007
Posts: 0
Posted: Wed Sep 05, 2007 6:48 am
Thank you, but actually that's pretty much what it said in the PDF I read.
I would like the translation in standard English.
Thanks
Al968

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Sep 05, 2007 11:18 am
The entry point in the program/application is where processing starts, so in this case, the signature is at the entry point plus a certain indicated number of bytes.
Regards,

al968
Joined: 24 Feb 2007
Posts: 0
Posted: Wed Sep 05, 2007 11:47 am
OK, very helpful.
So if I understand correctly there is no point in using EP+0, is that right?
Thanks
Al968

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Sep 05, 2007 12:02 pm
EP+0 would take you back to the entry point, which is valid.
Regards,

b0ne
Joined: 26 Oct 2006
Posts: 0
Posted: Thu Sep 06, 2007 7:27 pm
al968 wrote:
> So if I understand correctly there is no point in using EP+0, is that right?

If you've found a quality signature that occurs at the entrypoint, then it is feasible to use EP+0. However, if you are familiar with compiled programming languages like C, C++, and Pascal, the entrypoint is supplied by the compiler and is usually standard code for that version of the compiler.
For instance, this code:

    #include <stdio.h>   /* for puts() */

    int main(int argc, char *argv[])
    {
        puts("Hello world");
        return 0;
    }

If compiled by Visual Studio, the entrypoint will be pointing to a function inside of the C runtime called "tmainCRTStartup" which in turn calls your "main" function. So it is atypical to see malware directly at the entrypoint.
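As an added illustration of what GuitarBob's and b0ne's posts describe (this is not code from the thread or from ClamWin), the Python below resolves an NDB offset of the form EP+n against a PE file: it reads AddressOfEntryPoint from the optional header, converts that RVA to a file offset through the section table, and tests the hex pattern at that position. The PE image, the startup-code bytes and the signature names are constructed for the demo; the NDB field order Name:TargetType:Offset:HexSignature is ClamAV's.

```python
import struct

def pe_entry_point_file_offset(pe: bytes) -> int:
    """Translate AddressOfEntryPoint (an RVA) into a raw file offset using the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header follows "PE\0\0"
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    ep_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # optional header +16
    sections = coff + 20 + opt_size                       # first 40-byte section header
    for i in range(nsections):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sections + i * 40 + 12)
        if va <= ep_rva < va + raw_size:
            return ep_rva - va + raw_ptr
    raise ValueError("entry point RVA is not backed by file data")

def ndb_matches(sig: str, pe: bytes) -> bool:
    """Parse 'Name:Type:Offset:Hex' and test the hex pattern at the resolved offset ('??' = any byte)."""
    _name, target, offset, hexsig = sig.split(":")[:4]
    if int(target) != 1:                                  # NDB target type 1 = PE
        return False
    if offset.startswith("EP"):                           # EP+n / EP-n / EP
        base = pe_entry_point_file_offset(pe) + int(offset[2:] or 0)
    else:
        base = int(offset)                                # absolute file offset
    pattern = [None if hexsig[i:i + 2] == "??" else int(hexsig[i:i + 2], 16)
               for i in range(0, len(hexsig), 2)]
    window = pe[base:base + len(pattern)]
    return len(window) == len(pattern) and all(p is None or p == b for p, b in zip(pattern, window))

def build_sample_pe() -> bytes:
    """Constructed minimal PE32: one .text section at RVA 0x1000, entry point at RVA 0x1010 (file 0x210)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x1010)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x10:0x16] = b"\x55\x8b\xec\x6a\xff\x68"         # stand-in for compiler startup code at EP
    text[0x30:0x34] = b"\xde\xad\xbe\xef"                 # constructed marker 32 bytes past EP
    return header + bytes(text)

if __name__ == "__main__":
    pe = build_sample_pe()
    for sig in ("Demo.Startup:1:EP+0:558bec6aff", "Demo.Wild:1:EP+0:558bec??ff68",
                "Demo.Marker:1:EP+32:deadbeef", "Demo.Miss:1:EP+4:558bec"):
        print(sig, "->", ndb_matches(sig, pe))
```

The EP+0 signature here lands on the generic startup bytes and would fire on every binary built the same way, while EP+32 reaches the code that actually distinguishes the sample, which is the point the posts make about choosing n.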

Christoph
Joined: 11 Jul 2007
Posts: 0
Posted: Fri Oct 26, 2007 6:08 am

b0ne wrote:
> So it is atypical to see malware directly at the entrypoint.

You couldn't be more wrong.

b0ne
Joined: 26 Oct 2006
Posts: 0
Posted: Fri Oct 26, 2007 2:55 pm

Christoph wrote:
> You couldn't be more wrong.

Atypical doesn't mean never. I work on malware daily and can say with fair certainty, aside from counting packers as malware, when referencing the ORIGINAL entrypoint, it is typically MSVC startup code.
Yes, some malware decides to redirect the entrypoint to their own code; however, in most instances today they do not.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Oct 26, 2007 4:53 pm
I think EOP manipulation (or any method of obfuscation) depends upon the skill level of the malware writer, or whatever "script" or tools he/she is working with, and where the malware is going to be planted/used.
Regards,

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Oct 31, 2007 12:32 pm
If you are a malware writer without really good skills, you rely upon packing rather than EPO. If you see less entry point obscuring, it's because of that. There are also fads, in malware, as in anything else.
Regards,