Talk:Polymorphic code

This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computing: Software Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Software (assessed as Low-importance). This article is supported by WikiProject Computer Security.

First or not?

I read about DarkAvenger that his MtE was programmed used in 1988, not 1990; that would make him the first programmer of polymorphic codes...

=

GOTO Loop IF NOT A = (Decryption_Code - Encrypted)

Uhh... should that be A = Decryption_Code?

better method

Latest comment: 18 years ago1 comment1 person in discussion

Make the polymorphism engine be like the back end of a compiler, complete with a register allocator and so on. Feed it a typical compiler-style intermediate representation of your code.

Now you can easily randomize basic block ordering, register assignment, opcode selection, etc.

24.110.60.225 20:45, 1 January 2006 (UTC)Reply

too much noise

Latest comment: 16 years ago1 comment1 person in discussion

Then it will be seen that some (small) piece of generated code (assumed to come from the one back-end) uses various trivially equivalent methods to get the same point. How many non-malcompilers would do that?

Even faced with equivalent source-level expressions like, for ex. (x + 3), (x - -3), (x+4 - 1), how many middle-ends would not convert these expressions to only one? (For the third, just asking.) Well, given some minimal -O level. (Really minimal.)

Any malgenerator (randomgenerators? morphgenerators?) would need to vaguely mimic normal code generators. (To the point gratuitous variations are obvious to any reader.)

--217.128.151.41 15:21, 3 September 2007 (UTC)Reply

substitution

A better example would be the substitution of instructions with equally-effective other instructions. For example,

cmp eax, 7
je destination

is computationally correct (possibly not complete, but this is indeed unneccessary) as this:

sub eax, 7
jz destination

Encryption? Not!

Latest comment: 16 years ago1 comment1 person in discussion

There are many virus-related terminology problems; here is one.

If the security software finds patterns that correspond to known computer viruses or worms, (...)

so virus code is known by security software.

Polymorphic algorithms make it difficult for such software to locate the offending code as it constantly mutates.

So polymorphic algorithms prevents security software, knowing viruses, from identifying them.

Encryption is the most commonly used method of achieving polymorphism in code.

From Encryption, linked:

In cryptography, encryption is the process of transforming information (referred to as plaintext) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Given a known virus, plaintext is known by hypothesis, key is written in the polymorphic code, and encryption is used to prevent the security software from detecting that the cyphertext is derived from the known plaintext and the there-to-find key.

This is in contradiction with the linked definition of encryption. This use of encryption is closer to the way covert channels often use encryption to avoid detection, except that the receiving side is the decryption function, and is stored together with the hidden message.

--217.128.151.41 15:21, 3 September 2007 (UTC)Reply