
Executable research papers?


Amaroq_Starwind


On the one hand, this is really awesome stuff (I freaking love the demoscene, man), but on the other, this also illustrates potential vulnerabilities in stuff.
What do you guys think?

The video:

https://www.reddit.com/r/compsci/comments/62o9lz/guy_writes_an_executable_research_paper_by/

Here's where you can find the raw file:

https://www.cs.cmu.edu/~tom7/abc/

More reading:

https://www.journals.elsevier.com/pattern-recognition-letters/news/introducing-executable-papers
https://www.sciencedirect.com/science/article/pii/S1877050911001323

 

Edited by AdvancedSetup
Removed live hyperlink

To summarize what's explained in the links:

A guy named Tom made a computer science paper in the form of an ASCII plaintext file. However, the paper is also an executable program (which also happened to be the subject of the paper) using only x86 instructions that also corresponded to printable ASCII characters. Turns out, it's extremely difficult to do this, for numerous reasons; for example, you can't even exit the program without exploiting illegal instructions!

I decided, as a test, to scan the text file with Malwarebytes. It didn't even seem to realize it was an executable program! (Seriously, MBAM, you ought to up your game.)

Luckily, the file is entirely self-contained and doesn't perform any operations outside of its own memory... though only because it relies on being 16-bit and using protected memory so he can roll over the instruction pointer to quit the program, so 64-bit users will need to use DOSBox. I'd suggest using DOSBox to run it anyway.

If anyone is interested, the text file also contains ASCII art to look at! However, it may be difficult to read the paper because it has zero linebreaks (because no OS can agree on what characters create a linebreak and he only wanted to use printable characters) and was manually padded with spaces for a target width of 160 monospace characters per line of text.

- - - - - 

If anyone has more crazy Demoscene programs they'd like to share, feel free to comment. 🦊


1 hour ago, Amaroq_Starwind said:

I decided, as a test, to scan the text file with Malwarebytes. It didn't even seem to realize it was an executable program! (Seriously, MBAM, you ought to up your game.)

It is not recognized because it is not a PE file and thus it is not targeted via signatures. It is a 16-bit DOS executable.

TrID - File Identifier (Definitions: 10878)
100.0%  (EXE)          DOS Executable (alternate ZM id)

The first two characters of the binary are ZM.



MBAM specifically targets binaries whose first two characters are MZ.
They can be EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to anything, such as TXT, JPG, CMD or BAT, and they will still be targeted as long as the binary starts with 'MZ'.


As you have noted, 64-bit Windows does not have a 16-bit DOS emulator, and you would have to use a third-party utility such as DOSBox on Win64, or use Win32.

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar
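A small triage script, added here as an example (it is not code from this thread, from Malwarebytes, or from tom7's ABC paper), that does the check David describes: it looks at the two-byte magic and at the e_lfanew field rather than at the file name, so a DOS-only file, whether it starts with MZ or the older ZM alternate id, is separated from a Win32/Win64 Portable Executable. It also reports whether every byte is printable ASCII, which is the property the ABC paper relies on. The sample buffers are constructed inline and are not real programs; treating only the MZ form as a candidate PE is an assumption of this example.

```python
"""Executable-header triage: DOS magic, PE signature, and printability.

Added example, not code from the thread, Malwarebytes, or the ABC paper.
The file name and extension are never consulted; only the bytes matter.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
DOS_MAGICS = (b"MZ", b"ZM")      # ZM is the older "alternate" DOS id TrID reports
DOS_HEADER_LEN = 64              # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C           # offset of e_lfanew inside IMAGE_DOS_HEADER


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is in 0x20..0x7E, i.e. the file passes as plain text."""
    return all(0x20 <= b <= 0x7E for b in data)


def classify(data: bytes) -> str:
    """Return 'PE', 'DOS-MZ', 'DOS-ZM' or 'not-executable' from the header alone."""
    if len(data) < DOS_HEADER_LEN or data[:2] not in DOS_MAGICS:
        return "not-executable"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Assumption of this example: only the MZ form can be a PE (the Windows
    # loader wants IMAGE_DOS_SIGNATURE); a ZM header is treated as DOS-only.
    in_range = 0 < e_lfanew <= len(data) - len(PE_SIGNATURE)
    if data[:2] == b"MZ" and in_range and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "PE"
    return "DOS-" + data[:2].decode("ascii")


def scan_report(data: bytes) -> dict:
    """Summarise what a PE-only signature scanner would and would not inspect."""
    kind = classify(data)
    return {
        "kind": kind,
        "all_printable": is_printable_ascii(data),
        "pe_scanner_inspects": kind == "PE",
    }


def _dos_header(magic: bytes, e_lfanew: int = 0) -> bytes:
    """Build a minimal 64-byte DOS header (constructed test data, not a real file)."""
    hdr = bytearray(DOS_HEADER_LEN)
    hdr[:2] = magic
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    return bytes(hdr)


# Constructed samples, labelled as such; none of them is a real program.
SAMPLE_PE = _dos_header(b"MZ", DOS_HEADER_LEN) + PE_SIGNATURE + b"\0" * 20
SAMPLE_DOS_MZ = _dos_header(b"MZ") + b"\x90" * 16
# An all-printable buffer that starts with ZM, in the spirit of the ABC paper:
# even the header fields are printable characters, so e_lfanew reads as junk.
SAMPLE_ZM_PRINTABLE = (b"ZM" + b"P" * 62 +
                       b" This is plain text to a text editor.").ljust(160, b" ")
SAMPLE_TEXT = b"Just a paragraph of prose with no header at all."

if __name__ == "__main__":
    for name, blob in [("PE", SAMPLE_PE), ("DOS MZ", SAMPLE_DOS_MZ),
                       ("ZM printable", SAMPLE_ZM_PRINTABLE), ("text", SAMPLE_TEXT)]:
        print(f"{name:13s} {scan_report(blob)}")
```

The interesting row is the ZM sample: it is an executable to a DOS loader, every byte of it is printable, and a scanner that keys only on MZ plus a PE signature never looks inside it, which is exactly the behaviour reported above.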

But that means a malicious executable could easily hide from Malwarebytes by being disguised as a DOS executable. That also means DOS-based malware may pose a threat to Win32 systems, even if those systems are running on a modern .NET-based Windows operating system.

On the other hand, that does give me ideas for using machine learning to convert DOS-based programs into Win32 programs.


No, that's not a true scenario.

Unlike Win9x/ME, Windows NT is not based on DOS and DOS interrupt calls. Windows NT/32 emulates DOS. That's why you don't see 16-bit malware anymore, and that's one of the reasons why MBAM is not a historic anti-malware solution. It uses signatures to only target new Portable Executable (PE) malware. It relies on the anti-exploitation module for old malware. To state "MBAM, you ought to up your game" concerning archaic malware means that you really don't "get" what MBAM does and how it operates. Since moving from Win9x/ME and FATx to Windows NT and NTFS, whole classes of malware have fallen by the wayside. The EICAR test string is actually based on old technology, and since it too isn't a Portable Executable, it too is not targeted by MBAM.

Reference:
DOS API
Comparison of executable file formats

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar
