McAfee Labs

Malware Manipulates Procedure Prologue and Epilogue to Evade Security

By on Jul 16, 2013

Techniques used by malware developers to evade detection by security software have changed drastically in recent years. Encryption, packers, wrappers, and other methods were effective for various lengths of time. But eventually antimalware programs gained detection techniques to combat these steps.

Malware authors next started frequently changing code and other data; now malware binaries are modified multiple times per day to evade detection. We have discussed some of the most common methods of modifications in previous blogs. Today we’ll talk about the opcode modification of procedure prologue and epilogue sequences. The modification is used by some fake-alert malware.

Modifying Opcode

The opcode modification technique replaces the standard opcodes generated by a compiler with different opcodes–and without changing the outcome of the code.

Prologue and Epilogue

The procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions. The particulars of these sequences depend on the specific compiler used and on the calling conventions. Most functions start with a prologue that sets up a stack frame for the function and ends with an epilogue that clears the stack frame.

Here’s a typical 32-bit Intel architecture assembly-language function prologue:

PUSH EBP          —> Save Base Pointer

MOV EBP,ESP     —> EBP becomes the temporary stack pointer

And here’s a typical epilogue:

POP EBP            —> Recover Base pointer

RET                   —> Return from the function

Next we see a typical and a modified prologue:




Figure 1.1: A typical procedure prologue. 




Figure 1.2: A modified procedure prologue.

Now let’s look at an example of a typical and a modified epilogue:




Figure 2.1: A typical procedure epilogue.






Figure 2.2: A modified procedure epilogue.






Figure 2.3: Another modified procedure epilogue.


The preceding screenshots show standard opcodes generated by the compiler and the modified ones used by fake-alert malware to evade code-based detection. McAfee has complete coverage and detects all variants that use this technique.