Difference between revisions of "Polymorphic"
Gonzalo58T (Talk | contribs) (→pv.rb (polymorphic virus))
Gonzalo58T (Talk | contribs) (→md.rb (utility functions))
Line 54: | Line 54: | ||
== md.rb (utility functions) == | == md.rb (utility functions) == | ||
− | < | + | {{code | text=<syntaxhighlight lang="ruby"> |
require 'base64'; | require 'base64'; | ||
if (!defined?(MD_LOADED)) | if (!defined?(MD_LOADED)) | ||
Line 78: | Line 78: | ||
MD_LOADED=true | MD_LOADED=true | ||
end | end | ||
− | + | }} |
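Review bot: the `</syntaxhighlight>` close is not visible in this hunk between the `end` context line and the added `}}`; confirm that the highlighting tag is closed inside the new `{{code | text=...}}` template before the template itself closes, since an extension tag left open inside the template argument would stop the block from rendering as intended. The rest of the hunk only wraps the existing block and changes no code.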
Revision as of 22:30, 9 November 2011
Adj. referring to self-modifying code.
Reasons to write polymorphic code
The main reason to write polymorphic code is to avoid being identified by hash or by code signature: an IDS or anti-virus product will not recognise the payload while it sits wrapped in an encrypted form. Another reason is to propagate the code as multiple copies that do not share a signature.
Techniques of polymorphic code writing
- Define a stackable set of encrypting/decrypting functions, preferably keyed. Call these sets d and e (decryption / encryption), and pick two integers n, m with n > m, such that applying e[m] through e[n] and then undoing them in reverse order with d[n] down to d[m] returns the original: d[m](d[m+1](...d[n](e[n](e[n-1](...e[m](code)...)))...)) == code
Note: you can write a single function or a single pair of functions and vary them with a series of keys (ideally output by a deterministic key generator), as long as your encryption stays reversible.
- Write the payload code you want concealed. At the end of it, put a bootstrap that decrypts and runs the code (in PHP/Ruby/Perl/whatnot, eval it; in C, smash the stack with it; in C#, use reflection). At the beginning of the payload, call your encryption/duplication code.
Example in Ruby
pv.rb (polymorphic virus)
<syntaxhighlight lang="ruby">
# Remember this file's own name so selfCopy can read it back.
if (!defined?(FILE))
  FILE = File.basename(__FILE__)
end
load "md.rb"

# Re-wraps this file under a fresh key derived from the current one.
def selfCopy(key)
  code = ""
  newkey = deterministicKeygen(key)
  File.open(FILE, "r").each_line do |
  # (the remainder of selfCopy is missing from this revision of the page)
</syntaxhighlight>
md.rb (utility functions)
<syntaxhighlight lang="ruby">
require 'base64'

# Guard against being loaded twice (pv.rb calls load "md.rb").
if (!defined?(MD_LOADED))
  # Key -> number of wrapping layers: seed a PRNG with the key and draw 3..5.
  # Same key always gives the same count, so the decryptor needs only the key.
  def deterministicKeygen(theKey)
    r = Random.new(theKey.to_i)
    return r.rand(3) + 3
  end

  # "Encrypt" by stacking Base64 layers. Base64 is an encoding, not a cipher:
  # the key selects only how many layers are applied.
  def mencrypt(str, theKey)
    k = deterministicKeygen(theKey)
    k.times do
      str = Base64.encode64(str)
    end
    return str
  end

  # Undo the same number of layers (every layer is the same transform, so
  # order does not matter here).
  def mdecrypt(str, theKey)
    k = deterministicKeygen(theKey)
    k.times do
      str = Base64.decode64(str)
    end
    return str
  end

  MD_LOADED = true
end
</syntaxhighlight>
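An added example, not the wiki's own code: it implements the d/e composition from the "Techniques" section in the style of md.rb (the key seeds a PRNG that picks 3..5 layers, a range assumed from md.rb, and it uses strict Base64 instead of encode64 so that a failed decode raises) and adds the two checks a defender would run against such a wrapper: how many distinct forms the payload can really take, and whether the layers can be peeled with no key at all.

```ruby
require 'base64'
require 'digest'

# Key -> number of wrapping layers, as in md.rb's deterministicKeygen:
# seed a PRNG with the key and draw a count in 3..5 (range assumed from md.rb).
def layer_count(key)
  Random.new(key.to_i).rand(3) + 3
end

# e[m]..e[n] from the "Techniques" section: every layer is the same reversible
# transform (strict Base64, so no line breaks), applied layer_count(key) times.
def wrap(payload, key)
  layer_count(key).times { payload = Base64.strict_encode64(payload) }
  payload
end

# d[n]..d[m]: undo the layers in reverse order, so that
# unwrap(wrap(code, key), key) == code, the property the section requires.
def unwrap(blob, key)
  layer_count(key).times { blob = Base64.strict_decode64(blob) }
  blob
end

# Defender's check 1: the key only chooses among three layer counts, and Base64
# itself has no key, so one payload can take at most three distinct forms,
# i.e. at most three hashes to add to a blocklist.
def distinct_variants(payload, keys)
  keys.map { |k| Digest::SHA256.hexdigest(wrap(payload, k)) }.uniq.size
end

# Defender's check 2: the layers peel off with no key at all. strict_decode64
# raises ArgumentError on non-Base64 input, so decode until it does.
# Caveat: a payload that is itself valid Base64 would be peeled one step too far.
def peel(blob)
  layers = 0
  loop do
    begin
      blob = Base64.strict_decode64(blob)
    rescue ArgumentError
      return [blob, layers]
    end
    layers += 1
  end
end

if __FILE__ == $0
  payload = 'puts "hello"' # constructed sample payload
  blob = wrap(payload, 7)
  puts "layers=#{layer_count(7)} roundtrip=#{unwrap(blob, 7) == payload}"
  puts "distinct forms over 50 keys: #{distinct_variants(payload, 1..50)}"
  puts "peeled without the key: #{peel(blob).inspect}"
end
```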