Geek Answers Handbook

Polymorphic engines, in controlled languages?

I developed my programming skills to the point that I can do most everyday things quite well and easily, and once I thought that creating a polymorphic engine really tests my skills, and I was wondering if anyone had any pointers about creating a polymorphic engine for a program, where to start, maybe some code examples? in fact, everything would be useful at this moment :)

Here are some of my resorts:

+7
c #
source share
3 answers

As I mention in a comment, this is possible in .NET using the magic System.Reflection.Emit namespace. You simply create a new DynamicMethod and allocate all the [valid] opcodes into it, and then call Invoke.

I spent the last few hours trying to create a simple showcase for a "clean" program that would create new copies of itself with encrypted il code. The approach I went to was the Exec method, grabbed the il-bytes (using MethodBase.GetMethodBody ), encrypted them, and released a new assembly with the iv + key and encrypted bytes. Then the main method will decrypt, create a new DynamicMethod, call DynamicILInfo.SetCode and, hopefully, it will work. This is not true.

The encryption / decryption job worked, and my emitted code was right. However, it seems that you cannot take raw bytes from one assembly and just execute them in another.

Data (from BitConverter.ToString) from start A and run B.
A: 28-01-00-00-0A ...
B: 28-11-00-00-0A ...

If you do not know the byte values ​​for each opcode, open ILDAsm, choose View> Show Bytes. There's also a View> Show token view, which also helps debug. Press ctrl-m to browse> MetaData> Show! to resolve tokens and other magical creatures.

"28 01 00 00 0A" β†’ CALL 0A000001 β†’ [According to ctrl-m] MethodBase.GetCurrentMethod

These different token values ​​are generated sequentially by the compiler. This means that it is impossible to guarantee that everything will work using raw bytes. Think about the general case where the compiler just created tokens for each method call, requires decryption of the byte array, and you call Console.WriteLine in your encrypted code. Such a token is not written, and when you call the dynamic method, you will get "BadImageFormatException: Bad binary signature".

I leave this as a task for reading (or until I get bored) to convert the byte array during the output process to a format that the decoder can read and emit into real bytes. The emission process will create all the necessary tokens, so it should work.

If you want to get rid of all the acuteness of emitting opcodes, do some dynamic compilation from code stored as strings (which, of course, can be encrypted). This, however, loses both in intelligence, coolness, and in everything else that can be used to measure the developer’s sheer surprise (YOU!). Check out this tutorial to quickly display dynamic compilation and C # execution in lines.

+5
source share

Well, as far as I know, a polymorphic engine is just the code that you want to run encrypted, and then pair with the decryption module. So all you have to do is encrypt your code in a string. Then you write the recipient. Would I use a basic symmetric encryption class like hxxp: //www.obviex.com/samples/Code.aspx? Source = EncryptionCS & title = Symmetric% 20Key% 20Encryption & Lang = C% 23 After that, run the code in memory, for example hxxp: //support.microsoft.com/kb/304655

EDIT: If you want to get more indepth, you can always write your own encryption / decryption, do something like base_64 (without key) instead of AES (with key)

Hope this helps, Max

0
source share

Polymorphic code is not possible in C # or managed languages. It requires that you create assembly code for a specific platform (.NET is platform independent) in a buffer or data region, then go to that buffer or data region. There are many levels of software and hardware to stop this: see the NX Bit on Wikipedia, for example.

You cannot do this in managed code. You will have to write it to unmanaged code and invoke it.

Hope this helps.

See a helpful comment on this answer, as you can dynamically create managed code from managed code; I was considering unmanaged code that is used in general.

0
source share

More articles:


All Articles