Pesidious : Malware Mutation using Deep Reinforcement Learning & GANs

The purpose of the tool is to use artificial intelligence to mutate a malware (PE32 only) sample to bypass AI powered classifiers while keeping its functionality intact. In the past, notable work has been done in this domain with researchers either looking at reinforcement learning or generative adversarial networks as their weapons of choice to modify the states of a malware executable in order to deceive anti-virus agents. Our solution makes use of a combination of deep reinforcement learning and GANs in order to overcome some of the limitations faced while using these approaches independently as showen below.

Find our full documentation for the tool here

Installation Instructions

⚠️ Since this tool deals with malware files, it is strongly recommended to use a virtual machine. After installation of the tool, make sure to disconnect from the network.

The following steps will guide you through all the installations required to set up the environment.

  • Install and set up Python 3.6.
  • Clone the repository. git clone https://github.com/CyberForce/Pesidious
  • Move into the project directory. cd Pesidious
  • Set up and activate a virtual environment with Python 3.6 It is recommended to use a virtual environment to avoid conflicts between packages used by different applications
  • Make sure that you have pip 8.1.1 installed and set up. This is due to later versions of pip not playing well with the PyTorch libary. pip install pip==8.1.1
  • Install all the required libraries, by installing the requirements.txt file. pip install -r pip_requirements/requirements.txt

Mutate Your Malware

The output from GAN has already been stored as (RL_Features/adverarial_imports_set.pk and RL_Features/adverarial_sections_set.pk) which will be used for when adding imports and sections to the malware for mutation.

  • You can test the sample classifier to score malware files. python classifier.py -d /path/to/directory/with/malware/files
  • Run the mutate.py python script to mutate your malware samples. python mutate.py -d /path/to/directory/with/malware/files
  • The mutated malware files will be stored in a directory called Mutated_malware in the following format Mutated_malware/mutated_<name-of-the-file>
  • Once the malware files are mutated, you can run the classifier again to score the mutated malware. python classifier.py -d Mutated_malware/

Known Issues & Fixes

⚠️ WARNING: This segment is currently under construction. We apologize for any inconvinience caused. Please proceed to the next section. click here

  1. pip install -r requirements.txt gives you an error. Solution: pip install tqdm pip install sklearn pip install lief
  2. ModuleNotFoundError: No module named ‘tensorboardX’ error while running python main_malgan.py script. Solution: pip install tensorboardX
  3. Error with the execution of import-append, section-append (not found) Solution Give execute permission to these executables using the following commands on your terminal cd portable-executable/ chmod 777 project-add-sections/bin/Debug/project-append-section chmod 777 project-add-imports/bin/Debug/project-append-imports

Built With

  • PyTorch – Open source machine learning library based on the Torch library.
  • Lief – A cross platform library which can parse, modify and abstract ELF, PE and MachO formats.
  • PE Bliss – PE libarry for rebuilding PE files, written in C++.
  • Gym-Malware – Malware manipulation environment for OpenAI’s gym.
  • MalwareGAN – Adversarial Malware Generation Using GANs.

Authors

  • Chandni VayaX-Force Incident Response, IBM SecurityGithub
  • Bedang SenX-Force Incident Response, IBM SecurityGithub

Acknowledgments

R K

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

1 day ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

1 day ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

1 day ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

1 day ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

1 day ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago