Intra-Section Code Cave Injection for Adversarial Evasion Attacks on Windows PE Malware File
Kshitiz Aryal, Maanak Gupta, Mahmoud Abdelsalam, Moustafa Saleh
TL;DR
This paper tackles adversarial evasion of Windows PE malware detectors by introducing intra-section code caves to host perturbations, paired with a small code loader that restores the original malware during execution to preserve functionality. By generating perturbations inside the .text, .data, and .rdata sections using gradient descent and FGSM, the authors demonstrate substantially higher evasion rates than end-of-file append attacks against CNN-based detectors MalConv and MalConv2, with maximum evasion reaching around 97% for MalConv2. The approach relies on careful section selection, code cave creation, and runtime restoration, achieving high effectiveness while maintaining executability. The study highlights the practical risk of intra-section perturbations and suggests future work on securing detectors and extending evaluation to black-box scenarios and other PE vulnerabilities.
Abstract
Windows malware is predominantly available in cyberspace and is a prime target for deliberate adversarial evasion attacks. Although researchers have investigated the adversarial malware attack problem, a multitude of important questions remain unanswered, including (a) Are the existing techniques to inject adversarial perturbations in Windows Portable Executable (PE) malware files effective enough for evasion purposes?; (b) Does the attack process preserve the original behavior of malware?; (c) Are there unexplored approaches/locations that can be used to carry out adversarial evasion attacks on Windows PE malware?; and (d) What are the optimal locations and sizes of adversarial perturbations required to evade an ML-based malware detector without significant structural change in the PE file? To answer some of these questions, this work proposes a novel approach that injects a code cave within the section (i.e., intra-section) of Windows PE malware files to make space for adversarial perturbations. In addition, a code loader is also injected inside the PE file, which reverts adversarial malware to its original form during the execution, preserving the malware's functionality and executability. To understand the effectiveness of our approach, we injected adversarial perturbations inside the .text, .data and .rdata sections, generated using the gradient descent and Fast Gradient Sign Method (FGSM), to target the two popular CNN-based malware detectors, MalConv and MalConv2. Our experiments yielded notable results, achieving a 92.31% evasion rate with gradient descent and 96.26% with FGSM against MalConv, compared to the 16.17% evasion rate for append attacks. Similarly, when targeting MalConv2, our approach achieved a remarkable maximum evasion rate of 97.93% with gradient descent and 94.34% with FGSM, significantly surpassing the 4.01% evasion rate observed with append attacks.