JonJon
Jun 20 2005, 09:08 PM
I was just wondering about polymorphic code/viruses...
I wanted to write polymorphic code that would change itself every run, but I faced one big problem:
you can't edit the physical code while running...
Let's take a poly virus for example. They use a simple XOR decryption mechanism to give AV companies a hard time, so how does it change its XOR key?
I can't seem to find a way to do it while running (I'm not talking about the virtual memory; I want to change the physical exe file so that next time it would use another XOR key),
and trying to change the file after it closes is not very efficient.
So, any ideas?
aapje
Jun 20 2005, 09:40 PM
Do you mean you want to let the program modify its own memory space at runtime?
If so, you can do a read on the memory and modify stuff using asm, and make that random.
vnet576
Jun 20 2005, 09:51 PM
An example worm containing a polymorphic engine. Should give you a concrete place to start. It's not my worm; I had nothing to do with coding it, I just have it on my HD.
JonJon
Jun 20 2005, 10:48 PM
EDIT:
Well, here's a thought... I know that Windows maps the physical data into memory and creates a mapping handle, and that keeps the file "busy". Maybe if I close that map from inside the process (if it won't close the file itself), I could use the physical file?
Thanks for the code.

And what I want is to make the code change its physical file (its own exe file) while running, which seems impossible since Windows just says the file is being used by another process...
nolimit
Jun 20 2005, 11:56 PM
Perhaps most work by simply changing the file to be spread to another box. I.e., make the EXE write itself to another file, then change the XOR decryption with a random number.
DiabloPatch
Jun 21 2005, 12:11 AM
Just as nolimit says, that would be the solution, and for the local machine just use code on this board to make a new exe at runtime, and when the process finishes, delete the old one.
Or start a second program that modifies the XOR key every X time and starts the exe again. Just make sure the exe closes itself every X time.
belgther
Jun 21 2005, 07:59 AM
hxxp://vx.netlux.org has tutorials and ready-to-use engines for the topics of polymorphism and metamorphism. But don't forget that some AV programs also have a heuristic analysis function to defeat such engines and find the virii. Also, polymorphism is not completely undetectable.
GSecur
Jun 21 2005, 01:06 PM
More appropriate for the V section