Polymorphic code

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 145.100.74.159 at 08:12, 22 March 2024 (section: Malicious code). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In computing, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact - that is, the code changes itself every time it runs, but the function of the code (its semantics) stays the same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different machine code in a CPU. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.[1]

Encryption is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is executed, this function reads the payload and decrypts it before executing it in turn.

Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of some code which all function the same.[2]

Example

This example is not really polymorphic code, but it serves as an introduction to encryption via the XOR operator. In an algorithm that uses the variables A and B but not the variable C, a large amount of code that changes C would have no effect on the algorithm itself, so that code can be varied endlessly without regard to what the final product will be.

Start:
	GOTO Decryption_Code

Encrypted:
	...lots of encrypted code...

Decryption_Code:
	C = C + 1
	A = Encrypted
Loop:
	B = *A
	C = 3214 * A
	B = B XOR CryptoKey
	*A = B
	C = 1
	C = A + B
	A = A + 1
	GOTO Loop IF NOT A = Decryption_Code
	C = C^2
	GOTO Encrypted
CryptoKey:
	some_random_number

The encrypted code is the payload. To make different versions of the code, the garbage lines that manipulate C are changed in each copy. The code inside "Encrypted" ("lots of encrypted code") can search the code between Decryption_Code and CryptoKey and each algorithm for new code that does the same thing. Usually the coder uses a zero key (for example, A XOR 0 = A) for the first generation of the virus, which makes development easier because with this key the code is not actually encrypted. The coder then implements an incremental key algorithm or a random one.
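To show why re-rolled C-garbage and a changed key defeat a plain byte signature while a sandbox still recovers the same payload, here is an added Python model of the stub above (it is not code from the article). It generates copies of the decryptor with freshly chosen garbage lines, matches a signature against the on-disk image, and steps the stub in a tiny interpreter; the payload text, the signature, and the 16-bit width of C are constructed assumptions.

```python
import random

# Constructed sample payload standing in for "...lots of encrypted code...".
PAYLOAD = b"PRINT HELLO WORLD"
# Garbage lines from the article's stub: each only writes register C, which
# nothing reads, so a generator may sprinkle them anywhere in any order.
GARBAGE = {"C = C + 1": lambda r: r["C"] + 1, "C = 3214 * A": lambda r: 3214 * r["A"],
           "C = 1": lambda r: 1, "C = A + B": lambda r: r["A"] + r["B"],
           "C = C^2": lambda r: r["C"] ** 2}
# The lines that do the real work; their order never changes.
CORE = ["A = Encrypted", "Loop:", "B = *A", "B = B XOR CryptoKey", "*A = B",
        "A = A + 1", "GOTO Loop IF NOT A = Decryption_Code", "GOTO Encrypted"]

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)   # one-byte XOR; the same call decrypts

def generate_variant(payload: bytes, key: int, seed: int) -> dict:
    """One generation: payload XORed with a one-byte key, decryptor padded
    with a freshly rolled selection of C-garbage before each real step."""
    rng, stub = random.Random(seed), []
    for instr in CORE:
        stub += rng.sample(list(GARBAGE), rng.randint(0, 2))
        stub.append(instr)
    return {"stub": stub, "key": key & 0xFF, "encrypted": xor_bytes(payload, key & 0xFF)}

def file_image(variant: dict) -> bytes:
    return "\n".join(variant["stub"]).encode() + variant["encrypted"]   # on-disk view

def static_signature_hits(variant: dict, signature: bytes) -> bool:
    return signature in file_image(variant)   # plain byte-pattern match

def emulate(variant: dict) -> bytes:
    """Step the stub in a sandbox until it jumps into the decrypted body. Memory is
    the Encrypted region; A walks from 0 up to Decryption_Code, i.e. len(mem)."""
    mem, key, stub = bytearray(variant["encrypted"]), variant["key"], variant["stub"]
    r, pc = {"A": 0, "B": 0, "C": 0}, 0
    while pc < len(stub):
        ins, pc = stub[pc], pc + 1          # labels such as "Loop:" fall through as no-ops
        if ins == "A = Encrypted": r["A"] = 0
        elif ins == "B = *A": r["B"] = mem[r["A"]]
        elif ins == "B = B XOR CryptoKey": r["B"] ^= key
        elif ins == "*A = B": mem[r["A"]] = r["B"]
        elif ins == "A = A + 1": r["A"] += 1
        elif ins == "GOTO Loop IF NOT A = Decryption_Code":
            if r["A"] != len(mem): pc = stub.index("Loop:") + 1
        elif ins == "GOTO Encrypted": return bytes(mem)   # control reaches the payload
        elif ins in GARBAGE: r["C"] = GARBAGE[ins](r) & 0xFFFF   # 16-bit C, never read
    return bytes(mem)
```

With a zero key (the "first generation" case in the text) the signature still matches the image; with any other key only emulation exposes the constant payload.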

References

  1. Raghunathan, Srinivasan (2007). Protecting anti-virus software under viral attacks (M.Sc.). Arizona State University. CiteSeerX 10.1.1.93.796.
  2. Wong, Wing; Stamp, M. (2006). "Hunting for Metamorphic Engines". Journal in Computer Virology. 2 (3): 211–229. CiteSeerX 10.1.1.108.3878. doi:10.1007/s11416-006-0028-7. S2CID 8116065.