Polymorphic code: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:41, 24 September 2022 edit MrOllie (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 255,519 edits →Polymorphic encryption: rm stringencrypt advertisement added by COI editor ← Previous edit		Latest revision as of 19:04, 7 April 2025 edit undo MrOllie (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 255,519 edits unreliable source
(12 intermediate revisions by 9 users not shown)
Line 2: {{distinguish\|Polymorphism (computer science)}} {{refimprove\|date=November 2010}} In computing, '''polymorphic code''' is code that uses a [[polymorphic engine]] to mutate while keeping the original [[algorithm]] intact - that is, the ''code'' changes itself every time it runs, but the ''function'' of the code (its [[semantics]]) ~~will~~stays ~~not~~the ~~change at all~~same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different [[machine code]] in a [[Central processing unit\|CPU]]. This technique is sometimes used by [[computer virus]]es, [[shellcode]]s and [[computer worm]]s to hide their presence.<ref name="rugha">{{cite thesis \|last=Raghunathan \|first=Srinivasan \|date=2007 \|title=Protecting anti-virus software under viral attacks \|type=M.Sc. \|publisher=Arizona State University \|citeseerx=10.1.1.93.796}}</ref> [[Encryption]] is the most common method to hide code. With encryption, the main body of the code (also called its [[Payload (computing)\|payload]]) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is ''executed'', this function reads the payload and decrypts it before executing it in turn. Line 16: Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a [[Sandbox (computer security)\|sandbox]]. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. [[Metamorphic code]] techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remains constant from infection to infection. The first known polymorphic virus was written by Mark Washburn. The virus, called [[1260 (computer virus)\|1260]], was written in 1990.<ref>{{Cite web \|title=An Example Decryptor of 1260 \|url=https://userpages.umbc.edu/~dgorin1/432/example_decryptor.htm \|access-date=2025-03-21 \|website=userpages.umbc.edu}}</ref> A better-known polymorphic virus was created in 1992 by the hacker [[Dark Avenger]] as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infecter [[Virut]]. ~~== Example ==~~ ~~This example is not really a polymorphic code but will serve as an introduction to the world of encryption via the [[xor\|XOR]] operator.~~ For example, in an algorithm using the variables A and B but not the variable C, there could be a large amount of code that changes C, and it would have no effect on the algorithm itself, allowing it to be changed endlessly and without heed as to what the final product will be. ~~Start:~~ ~~GOTO Decryption_Code~~ ~~Encrypted:~~ ~~...lots of encrypted code...~~ ~~Decryption_Code:~~ ~~C = C + 1~~ ~~A = Encrypted~~ ~~Loop:~~ ~~B = A~~ ~~C = 3214 A~~ ~~B = B XOR CryptoKey~~ A = B ~~C = 1~~ ~~C = A + B~~ ~~A = A + 1~~ ~~GOTO Loop IF NOT A = Decryption_Code~~ ~~C = C^2~~ ~~GOTO Encrypted~~ ~~CryptoKey:~~ ~~some_random_number~~ The encrypted code is the payload. To make different versions of the code, in each copy the garbage lines which manipulate C will change. The code inside "Encrypted" ("lots of encrypted code") can search the code between Decryption_Code and CryptoKey and each algorithm for new code that does the same thing. Usually, the coder uses a zero key (for example; A [[xor]] 0 = A) for the first generation of the virus, making it easier for the coder because with this key the code is not encrypted. The coder then implements an incremental key algorithm or a random one. == See also == [[Timeline of notable computer viruses and worms]] * [[Metamorphic code]] * [[Self-modifying code]] * [[Alphanumeric shellcode]] * [[Shellcode]] * [[Software cracking]] * [[Security cracking]] * [[Obfuscated code]] * [[Oligomorphic code]]