An additional attack for counterfit where the target is modified to mimic a benign PE. The individual modifications are largely the same as ones in existing counterfit attacks (like PEHyperoptAttack), but instead of using an algorithm to pick the changes, it simply makes changes that mimic a chosen benign file. The benign file is chosen by a number of heuristics, mainly similarity in the size and entropy of sections.
The main modifications involve changing sections (changing names and adding additional sections), adding imports, adding overlays, and changing various headers. Some of the modification ideas (specifically changing the optional headers) are inspired by malware_rl (https://github.com/bfilar/malware_rl).
Creating this pull request to let the mlsec organizers know I used counterfit to generate my samples for the competition.
Apologies in advance if the code is a bit messy from the competition. I'd be happy to fix where needed if the repo maintainers would like to incorporate this code.
ghost
commented
3 years ago
An additional attack for counterfit where the target is modified to mimic a benign PE. The individual modifications are largely the same as ones in existing counterfit attacks (like PEHyperoptAttack), but instead of using an algorithm to pick the changes, it simply makes changes that mimic a chosen benign file. The benign file is chosen by a number of heuristics, mainly similarity in the size and entropy of sections.
The main modifications involve changing sections (changing names and adding additional sections), adding imports, adding overlays, and changing various headers. Some of the modification ideas (specifically changing the optional headers) are inspired by malware_rl (https://github.com/bfilar/malware_rl).
Creating this pull request to let the mlsec organizers know I used counterfit to generate my samples for the competition.
Apologies in advance if the code is a bit messy from the competition. I'd be happy to fix where needed if the repo maintainers would like to incorporate this code.