{"id":1096,"date":"2012-07-04T17:06:21","date_gmt":"2012-07-04T17:06:21","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1096"},"modified":"2012-10-14T23:47:35","modified_gmt":"2012-10-14T23:47:35","slug":"random-stats-from-300k-malicious-samples-entry-points","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/07\/04\/random-stats-from-300k-malicious-samples-entry-points\/","title":{"rendered":"Random stats from 300k malicious samples &#8211; Entry Points"},"content":{"rendered":"<p>More stats from the sampleset &#8211; this time the most common entry points. One can generate a histogram of all entry points for all executables on the whole system and potentially discover LFO (Least Frequency Occurrence) anomalies. This is not that straightforward though &#8211; even the system32 directory gives lots of variety (see the stats at the bottom): while most OS files are generated by the same compiler, system32 often holds many extra clean .exes that accumulate over time and give funny results (thanks to Java, installers and lots of other &#8216;goodness&#8217; offered by badly written apps).<\/p>\n<p>55 and 8B EC are very common since they are the encodings of<\/p>\n<pre>  55      push ebp<\/pre>\n<p>and<\/p>\n<pre>  8B EC   mov ebp, esp<\/pre>\n<p>If the entry point does NOT start with either of these (look at the 1-byte stats only, and remember the sampleset is biased), there is a high chance it is a polymorphic \/ packed sample:<\/p>\n<p>Stats for the first 1, 2, 3, 4, 5 and 6 bytes below:<\/p>\n<pre> 139672 55 &lt;-- push ebp\r\n  33107 68 &lt;-- push xx\r\n  14183 4D &lt;-- MZ header\r\n  13208 E8 &lt;-- call\r\n  12936 60 &lt;-- pushad\r\n  10048 6A &lt;-- push xx\r\n   5376 83 &lt;-- various (e.g. cmp xx,yy)\r\n   5363 E9 &lt;-- long jump\r\n   5222 EB &lt;-- short jump\r\n   4962 8B &lt;-- mov xx,yy\r\n\r\n 133124 55 8B &lt;-- home work :)\r\n  14173 4D 5A\r\n   5037 60 E8\r\n   4505 6A 60\r\n   3870 55 89\r\n   3145 83 7C\r\n   3140 81 EC\r\n   2377 6A 00\r\n   1992 8B FF\r\n   1826 64 A1\r\n\r\n 132898 55 8B EC\r\n   7731 4D 5A 90\r\n   5786 4D 5A 50\r\n   4492 6A 60 68\r\n   3842 55 89 E5\r\n   3191 60 E8 00\r\n   3145 83 7C 24\r\n   1821 81 EC 80\r\n   1770 64 A1 00\r\n   1584 8B FF 55\r\n\r\n  53290 55 8B EC 83\r\n  35846 55 8B EC 6A\r\n  17214 55 8B EC 53\r\n  12931 55 8B EC B9\r\n   7712 4D 5A 90 00\r\n   6536 55 8B EC 81\r\n   5778 4D 5A 50 00\r\n   3190 60 E8 00 00\r\n   3137 83 7C 24 08\r\n   2853 55 89 E5 83\r\n\r\n  45104 55 8B EC 83 C4\r\n  35729 55 8B EC 6A FF\r\n  14775 55 8B EC 53 8B\r\n   7711 4D 5A 90 00 03\r\n   6638 55 8B EC 83 EC\r\n   5775 4D 5A 50 00 02\r\n   5258 55 8B EC 81 EC\r\n   3190 60 E8 00 00 00\r\n   3131 83 7C 24 08 01\r\n   2801 55 89 E5 83 EC\r\n\r\n  35498 55 8B EC 6A FF 68\r\n  22712 55 8B EC 83 C4 F0\r\n  14775 55 8B EC 53 8B 5D\r\n   7711 4D 5A 90 00 03 00\r\n   6959 55 8B EC 83 C4 C4\r\n   5775 4D 5A 50 00 02 00\r\n   3497 55 8B EC 83 C4 F4\r\n   3190 60 E8 00 00 00 00\r\n   3080 83 7C 24 08 01 75\r\n   2152 55 8B EC 83 C4 B4<\/pre>\n<p>When I say the sampleset is biased, I mean it \ud83d\ude42<\/p>\n<p>Running the same stats over the executables in the system32 directory, I got the following:<\/p>\n<pre>  1461 8B &lt;-- mov xx,yy\r\n   361 E8 &lt;-- this is CALL\r\n   329 4D &lt;-- MZ header (not 'real' executable PE files)\r\n    44 55 &lt;-- push ebp = a much lower share than in the 300K malware sampleset\r\n    32 83 &lt;-- various (e.g. cmp xx,yy)\r\n    23 53 &lt;-- push ebx\r\n    15 6A &lt;-- push xx\r\n    11 FF &lt;-- various (can be CALL)\r\n     2 E9 &lt;-- long jump\r\n     1 EB &lt;-- short jump<\/pre>\n<p>and for 3 bytes:<\/p>\n<pre>  1447 8B FF 55 &lt;-- mov edi, edi \/ push ebp\r\n   329 4D 5A 90 &lt;-- MZ header\r\n    33 55 8B EC &lt;-- push ebp \/ mov ebp, esp\r\n    31 83 7C 24\r\n    14 53 55 56\r\n    11 8B 44 24\r\n    10 55 89 E5\r\n     9 E8 0A 00\r\n     8 E8 DA 02\r\n     8 6A 0C 68<\/pre>\n<p>If you want to quickly convert between bytes and opcodes, you can use <a href=\"http:\/\/www.openrce.org\/downloads\/details\/170\/RTA\">RTA<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>More stats from the sampleset &#8211; this time the most common entry points. One can generate a histogram of all entry points for all executables on the whole system and potentially discover LFO (Least Frequency Occurrence) anomalies. This is not &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/07\/04\/random-stats-from-300k-malicious-samples-entry-points\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1096"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1096"}],"version-history":[{"count":10,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1096\/revisions"}],"predecessor-version":[{"id":1385,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1096\/revisions\/1385"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}