Talk:Polymorphic code

From Wikipedia, the free encyclopedia

Contents

[edit] First or not?

I read about DarkAvenger that his MtE was programmed used in 1988, not 1990; that would make him the first programmer of polymorphic codes...

[edit] =

GOTO Loop IF NOT A = (Decryption_Code - Encrypted)

Uhh... should that be A = Decryption_Code?

[edit] better method

Make the polymorphism engine be like the back end of a compiler, complete with a register allocator and so on. Feed it a typical compiler-style intermediate representation of your code.

Now you can easily randomize basic block ordering, register assignment, opcode selection, etc.

24.110.60.225 20:45, 1 January 2006 (UTC)

[edit] too much noise

Then it will be seen that some (small) piece of generated code (assumed to come from the one back-end) uses various trivially equivalent methods to get the same point. How many non-malcompilers would do that?

Even faced with equivalent source-level expressions like, for ex. (x + 3), (x - -3), (x+4 - 1), how many middle-ends would not convert these expressions to only one? (For the third, just asking.) Well, given some minimal -O level. (Really minimal.)

Any malgenerator (randomgenerators? morphgenerators?) would need to vaguely mimic normal code generators. (To the point gratuitous variations are obvious to any reader.)

--217.128.151.41 15:21, 3 September 2007 (UTC)

[edit] substitution

A better example would be the substitution of instructions with equally-effective other instructions. For example,

cmp eax, 7
je destination

is computationally correct (possibly not complete, but this is indeed unneccessary) as this:

sub eax, 7
jz destination

[edit] Encryption? Not!

There are many virus-related terminology problems; here is one.

If the security software finds patterns that correspond to known computer viruses or worms, (...)

so virus code is known by security software.

Polymorphic algorithms make it difficult for such software to locate the offending code as it constantly mutates.

So polymorphic algorithms prevents security software, knowing viruses, from identifying them.

Encryption is the most commonly used method of achieving polymorphism in code.

From Encryption, linked:

In cryptography, encryption is the process of transforming information (referred to as plaintext) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Given a known virus, plaintext is known by hypothesis, key is written in the polymorphic code, and encryption is used to prevent the security software from detecting that the cyphertext is derived from the known plaintext and the there-to-find key.

This is in contradiction with the linked definition of encryption. This use of encryption is closer to the way covert channels often use encryption to avoid detection, except that the receiving side is the decryption function, and is stored together with the hidden message.

--217.128.151.41 15:21, 3 September 2007 (UTC)