Polymorphic code: Difference between revisions

No edit summary
added some information, erased some other..
Line 1:
In computer science (or more often, in computer underground terms) '''polymorphic code''' is code that mutates while keeping the original [[algorithm]] intact.
 
This is sometimes used by [[computer virus]]es, [[shellcode]]s and [[computer worm]]s to hide their presence.
Most [[anti virus-software]] and [[intrusion detection system]]s try to find malicious code by searching through computer files and data packets sent over a [[computer network]]. If the security software finds a pattern that corresponds to an already known virus or worm, it reacts and erases the program.
It cannot, however, find the program if it constantly mutates so that it never looks the same. This is the very idea of polymorphic code.
 
Most often, a virus or worm that attempts to hide its presence does so by encrypting itself. However, before being executed on a remote computer, it obviously first needs to decrypt itself. In order to decrypt the virus or worm, some part of the code has to be delivered unencrypted. Thus, while unable to detect the actual virus or worm, the anti virus software or intrusion detection system will still be able to detect the virus decryption engine!
 
However, if the decryption engine is rewritten each time before it is transferred to a new computer (in the case of a worm or shellcode) or computer file (in the case of a virus), it becomes nearly impossible for any security software to detect the presence of the malicious program.
 
== How it works ==
Line 52 ⟶ 58:
some_random_number
 
The code inside "Encrypted" ("lots of encrypted code!!!") could then search the code between Decryption_Code and [[CryptoKey]] and remove all the instructions that alter the variable C. Before the next time the encryption engine is used, it could insert new unnecessary instructions that alter C at other places, or even exchange the code in the algorithm for new code that does the same thing.
 Start:
     GOTO Decryption_Code
 Encrypted:
     ...
     (when this part is decrypted, it will contain the following...)
     ...
     Then remove all the C-Codes between Decryption_Code and CryptoKey
     And insert new unnecessary C-Codes at other locations in the algorithm
     Change the code beneath "Change_this" to RETURN_TO_SYSTEM
     ...
     Do_whatever_this_code_is_supposed_to_do
     ...
     GOTO Decryption_Code
 Decryption_Code:
     C = C + 1
     A = Encrypted
 Loop:
     B = *A
     C = 3214 * A
     B = B [[XOR]] CryptoKey
     *A = B
     C = 1
     C = A + B
     A = A + 1
     GOTO Loop IF NOT A = Decryption_Code
     C = C^2
 Change_this:
     GOTO Encrypted
 CryptoKey:
     some_random_number
 
The code above decrypts the code inside "Encrypted" with a mutated crypto-engine and then transfers control to the decrypted code inside "Encrypted". That code removes all the instructions that alter C, then inserts new instructions that alter C at other (random) locations in the crypto-algorithm. Changing "GOTO Encrypted" to "RETURN_TO_SYSTEM" makes it possible to re-use the old encryption engine (as [[XOR]] works both ways). It then does ''something'' (like spreading to other files, in the case of a virus) and at last returns to the Decryption_Code.
 
If the code is trying to replicate itself (in the case of a [[computer worm]] or [[computer virus]]) it will need to encrypt the code inside "Encrypted" before it sends it away.
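The following is an added example, not part of the article: it models the pseudocode above as a tiny instruction list (the names `load`, `xor`, `store`, `inc`, `loop`, `c_set` and the payload bytes are constructed here) and shows why a byte-pattern signature on the decryption engine fails across mutations while a scanner that emulates the stub and hashes the decrypted result still recognises the unchanged payload.

```python
import hashlib
import random

# Constructed stand-in for the plaintext of the "Encrypted" section.
PAYLOAD = b"Do_whatever_this_code_is_supposed_to_do"
# The invariant a scanner can key on: the decrypted payload never changes.
KNOWN_PAYLOAD_HASH = hashlib.sha256(PAYLOAD).hexdigest()

def make_decryptor(key, rng):
    """Build the article's XOR loop, then scatter junk writes to C (never read)."""
    body = [("load",), ("xor", key), ("store",), ("inc",), ("loop",)]
    for _ in range(rng.randrange(1, 4)):
        body.insert(rng.randrange(len(body) + 1), ("c_set", rng.randrange(1 << 16)))
    return body

def run(decryptor, encrypted):
    """Emulate the decryptor: A walks the buffer, B holds the byte, C absorbs junk."""
    mem = bytearray(encrypted)
    a = b = c = pc = 0
    while pc < len(decryptor):
        op = decryptor[pc]
        if op[0] == "load":
            b = mem[a]
        elif op[0] == "xor":
            b ^= op[1]
        elif op[0] == "store":
            mem[a] = b
        elif op[0] == "inc":
            a += 1
        elif op[0] == "c_set":
            c = op[1]          # junk: alters C, changes nothing observable
        elif op[0] == "loop" and a < len(mem):
            pc = 0             # GOTO Loop IF NOT A = end of buffer
            continue
        pc += 1
    return bytes(mem)

def new_generation(seed):
    """One mutation: fresh key, fresh junk, payload re-encrypted (XOR is its own inverse)."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    return make_decryptor(key, rng), bytes(x ^ key for x in PAYLOAD)

def static_signature(decryptor):
    """Pattern matching on the decryptor bytes, the approach the article says fails."""
    return hashlib.sha256(repr(decryptor).encode()).hexdigest()

def emulated_match(decryptor, encrypted):
    """Run the stub in a sandbox and compare the decrypted result instead."""
    return hashlib.sha256(run(decryptor, encrypted)).hexdigest() == KNOWN_PAYLOAD_HASH
```

Every generation has a different static signature, yet `emulated_match` is true for all of them.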
 
see also: [[self-modifying code]], [[alphanumeric code]], [[shellcode]], [[software cracking]], [[security cracking]]