Mutating Code


11 replies to this topic

#1 thenotwist

thenotwist

    Mack Daddy 31337

  • Members
  • 216 posts

Posted 09 September 2007 - 12:56 PM

I watched Live Free Or Die Hard the other night and apart from all the crap that was in it there was one thing I found pretty interesting:
They said that this 1337 HAX0R kid wrote some kind of "a mutating piece of code".

So I was wondering "damn that'd be cool if that was really possible" and since I couldn't find anything particularly useful I'm asking you guys. Do you think it's possible to write code that mutates, i.e. changing itself but still performing the same task?
(Not any specific language, just in general)

#2 jedibebop

jedibebop

    Dangerous free thinker

  • Members
  • 1,935 posts

Posted 09 September 2007 - 01:04 PM

http://en.wikipedia....olymorphic_code
http://en.wikipedia....-modifying_code

Edited by jedibebop, 09 September 2007 - 01:05 PM.


#3 Zapperlink

Zapperlink

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 951 posts

Posted 09 September 2007 - 01:35 PM

http://en.wikipedia....olymorphic_code
http://en.wikipedia....-modifying_code


Yep, VERY common for AV software to hunt for this behavior.

#4 thenotwist

thenotwist

    Mack Daddy 31337

  • Members
  • 216 posts

Posted 09 September 2007 - 03:18 PM

How the hell did I not find these links by myself? </wondering>

Do you have any reads on how to implement this stuff in c/c++ or delphi?

#5 kingospam

kingospam

    SUP3R 31337

  • Members
  • 177 posts

Posted 09 September 2007 - 05:37 PM

Phrack has a lot of articles about polymorphism (mainly dealing with shellcode).

#6 McGrewSecurity

McGrewSecurity

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 338 posts
  • Location:Starkville, MS

Posted 09 September 2007 - 10:57 PM

> Do you have any reads on how to implement this stuff in c/c++ or delphi?


I think you'll find that most examples of polymorphic code (that polymorphs/self-replicates itself) work on a lower level than that. For example, for a program to do this in a higher level language like C, it would need to have a copy of its own original (or most recent) source code, and access to a C compiler with which to build the new versions of itself. The most frequent application of polymorphism is by malware evading signature-based detection, so those requirements would not be very desirable :) .

Most examples you will find will involve assembly, replacing sequences of instructions with other instructions that are functionally equivalent.

That's in the context of the original discussion, of self-replication and modification (mutation). You could have software that generates polymorphic (different, but functionally identical) sets of code, such as shellcode, and the resulting code would not have the capability to polymorph/replicate itself. This is useful to evade IDS that trigger on the shellcode in an attack. In this case, you could have some sort of scheme for generating polymorphic C/C++/Whatever code (change the order functions are called, loop structure, etc), but it'd be of limited use for some applications (shellcode) and probably harder than doing at the assembly level for other applications (malware).

#7 thenotwist

thenotwist

    Mack Daddy 31337

  • Members
  • 216 posts

Posted 10 September 2007 - 07:34 AM

Hm, I guess I'll have to learn assembly then... ^^ Since it's not really practical in C/C++? I partly read the dissertation concerning programs reproducing themselves by Jürgen Kraus and I think it's because C/C++ programs can't access their own machine code in memory that they cannot reproduce themselves in a way I'd want them to if I wanted the code to mutate?!

Is there a way to dynamically mutate the code or do I have to predefine the patterns?
//edit: just read about the encryption thing on Wikipedia. What if I randomly generate a new encryption key and change the algorithm to decrypt it every time on execution? Couldn't that be done in C/C++ too?

And does anyone have tutorials on Assembly that are any good?

Edited by thenotwist, 10 September 2007 - 07:36 AM.


#8 McGrewSecurity

McGrewSecurity

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 338 posts
  • Location:Starkville, MS

Posted 10 September 2007 - 08:43 AM

> Hm, I guess I'll have to learn assembly then... ^^ Since it's not really practical in C/C++? I partly read the dissertation concerning programs reproducing themselves by Jürgen Kraus and I think it's because C/C++ programs can't access their own machine code in memory that they cannot reproduce themselves in a way I'd want them to if I wanted the code to mutate?!


A C or C++ program can examine its own machine code in memory (using function pointers); it would simply be dealing with finding and substituting code segments at the assembly level, because the C/C++ code and structures are gone.

> Is there a way to dynamically mutate the code or do I have to predefine the patterns?
> //edit: just read about the encryption thing on Wikipedia. What if I randomly generate a new encryption key and change the algorithm to decrypt it every time on execution? Couldn't that be done in C/C++ too?


Predefining chunks of code that do the same thing is going to be a lot easier, of course, but dynamically mutating is possible. A good balance might be to define patterns that can be of variable size, either by how they work or by inserting NOP equivalents, and then randomizing the length.

Encrypting code is sort of a different thing in my mind. This helps to beat signature-based detection on the file on-disk, however at some point the code has to be decrypted to execute. Examining the code in-memory after the decryption routine is over will reveal the same code every time. But yes, this could be done in C/C++ easier than polymorphism as I was discussing.

> And does anyone have tutorials on Assembly that are any good?


This is pretty OK: http://www.drpaulcarter.com/pcasm/

Richard Blum's "Professional Assembly Language", from Wrox Publishing, is really worth every penny though.
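The point made two posts up about encrypted code (a fresh key per run changes every byte on disk, but the decrypted code in memory is the same every time) can be shown with a small defender-side script. This is an added example, not code from the thread or from any poster: the "payload" is a constructed byte string standing in for code, the on-disk layout (one key byte followed by a single-byte-XOR body) is an assumption made for the demonstration, and the key-independent check mirrors what a scanner does when it tries every XOR key against a string, as YARA's `xor` string modifier does.

```python
"""Why a per-run key defeats a naive byte signature on the on-disk form, and
two defender responses: scan the decoded (in-memory) form, or use a
key-independent signature that tries every single-byte XOR key."""
import hashlib
from typing import Dict, Optional

# Constructed stand-in for a code payload: a fixed byte string, not real code.
PAYLOAD = b"MOV EAX, 0x42 ; CALL routine ; RET"
# The stable fragment a defender keys a signature on (constructed).
SIGNATURE = b"CALL routine"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. It is its own inverse, so one routine encodes and decodes."""
    return bytes(b ^ key for b in data)


def on_disk_form(payload: bytes, key: int) -> bytes:
    """Assumed layout: one key byte, then the XOR-encoded payload.
    Changing the key changes every byte of the body, so per-file hashes
    and raw-byte signatures over the body stop matching."""
    return bytes([key]) + xor_bytes(payload, key)


def naive_signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain substring match on raw bytes: what a file-level signature does."""
    return signature in blob


def in_memory_form(blob: bytes) -> bytes:
    """What the process holds after its own decode routine has run: the
    constant payload, regardless of which key was used on disk. A memory
    scan after decoding therefore sees the same bytes every time."""
    key, body = blob[0], blob[1:]
    return xor_bytes(body, key)


def xor_signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Key-independent check: try all 256 single-byte keys against the blob and
    return the key under which the signature appears, or None if it never does."""
    for key in range(256):
        if signature in xor_bytes(blob, key):
            return key
    return None


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo(keys=(0x00, 0x5A, 0xA7)) -> Dict[int, dict]:
    """Build one on-disk variant per key and record how each check fares.
    Key 0x00 is the identity, so the naive check still hits there; for any
    other key only the in-memory and key-independent checks hit."""
    results = {}
    for key in keys:
        blob = on_disk_form(PAYLOAD, key)
        decoded = in_memory_form(blob)
        results[key] = {
            "disk_digest": digest(blob),          # differs per key
            "naive_hit": naive_signature_hit(blob),  # False unless key == 0
            "memory_digest": digest(decoded),     # identical for every key
            "memory_hit": naive_signature_hit(decoded),
            "xor_hit_key": xor_signature_hit(blob),  # recovers the key used
        }
    return results


if __name__ == "__main__":
    for key, r in demo().items():
        print(f"key=0x{key:02X} naive={r['naive_hit']} memory={r['memory_hit']} "
              f"xor_key={r['xor_hit_key']} disk={r['disk_digest'][:12]} "
              f"mem={r['memory_digest'][:12]}")
```

Running it shows the on-disk digest changing with every key while the in-memory digest stays constant, which is exactly why detection that runs after the decode routine, or a signature that is indifferent to the key, is not affected by re-keying on each execution.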

#9 jedibebop

jedibebop

    Dangerous free thinker

  • Members
  • 1,935 posts

Posted 10 September 2007 - 04:35 PM

Lisp can easily do this, since code is data, data is code, etc.

#10 McGrewSecurity

McGrewSecurity

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 338 posts
  • Location:Starkville, MS

Posted 10 September 2007 - 04:57 PM

> Lisp can easily do this, since code is data, data is code, etc.


Exploit developers will be the first to tell you that "code is data, data is code" no matter what you're programming in, as they light the candles on their shrine to John von Neumann.

#11 jedibebop

jedibebop

    Dangerous free thinker

  • Members
  • 1,935 posts

Posted 10 September 2007 - 06:34 PM

>> Lisp can easily do this, since code is data, data is code, etc.


> Exploit developers will be the first to tell you that "code is data, data is code" no matter what you're programming in, as they light the candles on their shrine to John von Neumann.


Perhaps, however Lisp makes no distinctions.

#12 snakesonaplane

snakesonaplane

    SUP3R 31337 P1MP

  • Members
  • 297 posts
  • Location:Mass

Posted 16 September 2007 - 05:41 PM

I once read a Dan Brown book about a mutating encryption algorithm. It was pretty interesting, though I don't know too much about that stuff.




BinRev is hosted by the great people at Lunarpages!