Code Perversion

by tibbar @ 2006-02-16 - 23:57:49

A little project of mine has been to write a complete code pervertor that would actually modify the opcodes of an executable, to perform equivalent operations but using different opcodes. This would be the ultimate method of "crypting" a file, since the executable in memory would still remain unique and undetected.

I therefore set about creating an engine that modifies the code with equivalent operations.

For instance,

mov EAX, 5;

is equivalent to:

push 5; pop EAX;

so I developed a library of equivalent operations for every x86 instruction commonly used. The engine will:

1) disassemble each instruction in a section of code;
2) select a random equivalent operation;
3) calculate the extra space required to fit the new equivalent operations and insert that space in the code;
4) assemble the equivalent operations;
5) scan the entire code section looking for jmp's, jcc's and call's, adjusting the address they reference to allow for the extra space inserted in step 3.
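The equivalences above cut both ways: a scanner that folds known substitutions back into a canonical form sees the same listing before and after mutation. The following is an added example (not code from the post or from the engine it describes) that normalizes a textual x86 listing with a small rule table; the two sample listings and the rule set are constructed for illustration, and a hash of the normalized listing serves as a mutation-resistant fingerprint.

```python
import hashlib
import re

# Constructed samples (not from the post): B is what a substitution engine could emit for A.
LISTING_A = ["mov eax, 5", "xor ecx, ecx", "add eax, 1", "call 0x401000"]
LISTING_B = ["push 5", "pop eax", "sub ecx, ecx", "inc eax", "call 0x401000"]

# Rules: regexes over consecutive instructions -> canonical form; named groups must agree.
RULES = [
    ((r"push (?P<imm>\S+)", r"pop (?P<reg>\w+)"), "mov {reg}, {imm}"),
    ((r"(?:xor|sub) (?P<reg>\w+), (?P=reg)",), "mov {reg}, 0"),
    ((r"inc (?P<reg>\w+)",), "add {reg}, 1"),
]

def _match_window(patterns, window):
    # Merged named groups if every pattern matches its instruction, else None.
    if len(window) < len(patterns):
        return None
    groups = {}
    for pat, ins in zip(patterns, window):
        if not (m := re.fullmatch(pat, ins)):
            return None
        for key, val in m.groupdict().items():
            if groups.setdefault(key, val) != val:
                return None
    return groups

def _one_pass(listing):
    out, i = [], 0
    while i < len(listing):
        for patterns, canon in RULES:
            groups = _match_window(patterns, listing[i:i + len(patterns)])
            if groups is not None:
                out.append(canon.format(**groups))
                i += len(patterns)
                break
        else:  # no rule matched: keep the instruction as-is
            out.append(listing[i])
            i += 1
    return out

def normalize(listing):
    # Fold equivalent sequences into canonical form until nothing changes.
    cur = [ins.strip().lower() for ins in listing]
    while (nxt := _one_pass(cur)) != cur:
        cur = nxt
    return cur

def fingerprint(listing):
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

A real scanner would work on disassembled instructions rather than text and needs a far larger rule table, but the fixed-point rewrite is the same idea.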

Now, this actually has been done before. Zombie wrote a code pervertor which could achieve this, but only for instructions that have an equivalent instruction of equal size in bytes when assembled. I will be taking this to the next level.

The engine is currently mid-way through development and uses ollydbg's disassembler engine to perform the tedious task of disassembling each instruction.

While it's not complete, here's how it is working on a stub used in a program called Code Crypter that I wrote a while back.

The table view makes it easy to see how it is mutating each opcode. This was using a very limited library of equivalent opcodes for testing purposes.

The big problem at the moment is handling things like JMP EAX. I have to use a little stub to adjust for code movement, which is not quite working yet.

The encryption process is recursive and pretty slow. It takes about 30 minutes to fully mutate a typical 100k executable. This is because each time it swaps an opcode for an equivalent sequence of opcodes, it must adjust all the JXX, JMP and CALL instructions in the code for the padded space added by inserting the new code.

Hopefully I will get some time to work on this again soon.

Tibbar.
