Difference between revisions of "Polymorphic"
(→Techniques of polymorphic code writing) |
(→Techniques of polymorphic code writing) |
||
Line 11: | Line 11: | ||
* Define a stackable set of encrypting/decrypting functions, preferrably working with an encryption key. Let's call these sets d and e (decryption / encryption), and let there be two integers n, m, n > m so that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code | * Define a stackable set of encrypting/decrypting functions, preferrably working with an encryption key. Let's call these sets d and e (decryption / encryption), and let there be two integers n, m, n > m so that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code | ||
+ | |||
+ | |||
{{quote|you can write a single function or pair of functions and have them vary with a series of keys (outputted by a deterministic key generator ideally), as long as your encryption remains revertable.|Savitri}} | {{quote|you can write a single function or pair of functions and have them vary with a series of keys (outputted by a deterministic key generator ideally), as long as your encryption remains revertable.|Savitri}} | ||
+ | |||
+ | |||
* Write your payload code (that you want dissimulated). At the end of this code put some bootstrap that will decrypt and run the code (in PHP/ruby/perl/whatnot, eval it, in C, smash the stack with it, in C#, use reflection). At the beginning of your payload code, call for your encryption/duplication code. | * Write your payload code (that you want dissimulated). At the end of this code put some bootstrap that will decrypt and run the code (in PHP/ruby/perl/whatnot, eval it, in C, smash the stack with it, in C#, use reflection). At the beginning of your payload code, call for your encryption/duplication code. | ||
Revision as of 21:38, 9 November 2011
This article contains too little information, it should be expanded or updated. |
---|
Things you can do to help:
|
Adj. referring to self-modifying code.
Contents
Reasons to write polymorphic code
The main reason to write polymorphic code is to avoid being hashwise identified, or to have code signature detected, i.e. an IDS or anti-virus software will not identify the payload as it is nicely wrapped-up in an encrypted form. Another reason is to propagate it to multiple copies without having the same signature.
Techniques of polymorphic code writing
- Define a stackable set of encrypting/decrypting functions, preferrably working with an encryption key. Let's call these sets d and e (decryption / encryption), and let there be two integers n, m, n > m so that d[n](d[n-1](...(d[m](e[n](e[n-1](...e[m](code))...) == code
Savitri says |
---|
you can write a single function or pair of functions and have them vary with a series of keys (outputted by a deterministic key generator ideally), as long as your encryption remains revertable. |
- Write your payload code (that you want dissimulated). At the end of this code put some bootstrap that will decrypt and run the code (in PHP/ruby/perl/whatnot, eval it, in C, smash the stack with it, in C#, use reflection). At the beginning of your payload code, call for your encryption/duplication code.
Example in Ruby
pv.rb (polymorphic virus)
<syntaxhighlight lang="ruby">
if (!defined?(FILE)) FILE=File.basename(__FILE__) end load "md.rb";
def selfCopy(key) code = "" newkey = deterministicKeygen(key); File.open(FILE, "r").each_line do |
md.rb (utility functions)
<syntaxhighlight lang="ruby"> require 'base64'; if (!defined?(MD_LOADED)) def deterministicKeygen(theKey) r = Random.new(theKey.to_i); return r.rand(3)+3; end def mencrypt(str, theKey) k = deterministicKeygen(theKey) k.times do str = Base64.encode64(str) end return str end def mdecrypt(str, theKey) k = deterministicKeygen(theKey) k.times do str = Base64.decode64(str) end return str end MD_LOADED=true end </syntaxhighlight> |