VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
Top 5 articles
The Mental Driller «Advanced polymorphic engine construction» (18479)
MidNyte «An Introduction to Encryption, Part I» (15442)
Dark Angel «Advanced Polymorphism Primer» (15362)
T. Yetiser «Polymorphic Viruses - Implementation, Detection, and Protection» (15189)
S. Pearce «Viral polymorphism» (14398)

Library: Polymorphism

«Polymorphism - A Discussion Of Methodology And Implementation» 21Kb 8800 hits
*-zine (Asterix) [2] (1999)
This article deals with a viral technology that has been widely documented, discussed and implemented. However, it is aimed at explaining certain design flaws in current polymorphic engines and proposing solutions for these flaws, as well as suggesting improvements to current technology.The discussion will present an overview of the history of polymorphism pertinent to our subject, anti-virus detection methods, and will present concepts needed for properly designing polymorphic engines with a view to their survival in the wild. It will also include a section on structuring and writing polymorphic engines.
«Polymorphism: Level 6B (Polymorphism: Chaotic Permutations)» 10.17Kb 12777 hits
Level 6: permutating viruses. The main code of the virus is subject to change to change, it is divided into blocks which are positioned in random order while infecting. Despite of that the virus continues to be able to work. Such viruses may be unencrypted.
Dark Angel
«Advanced Polymorphism Primer» [SRC] 9.53Kb 15362 hits
40hex [11] (1993)
[...] With the recent proliferation of virus encryption "engines," I was inspired to write my own. In a few short weeks, I was able to construct one such routine which can hold its own. A polymorphic encryption routine is nothing more than a complex code generator [...]
flush, MGL
«Other techniques of polymorphism» 8.36Kb 8191 hits
*-zine (Asterix) [2] (1999)
Polymorphism is for viruses one of the must. Buz[FS] brings us some valuable ideas for the coding. His paper is very consistent and good written. But there are several ommited things that we should mention.
«GLiTCH's Polymorphic Batch Tutorial» 13.33Kb 12607 hits
«GPU powered file infector» [SRC] 6.29Kb 13470 hits
Valhalla #4 (2013)
This is my second virus to use NVIDIA CUDA capable GPU. It is a direct action file infector of PE32 exe files in the current directory, overwriting to their reloc data if present in the last section and enough to hold the virus body. I call its infection engine "Vesper". It is the world's first virus to infect files using the GPU.
«Using CUDA PTX for decryption» [SRC] 7.04Kb 12965 hits
Valhalla #4 (2013)
It is my first virus using NVIDIA CUDA capable GPU for decryption. It is a direct action file infector of PE32 exe files in the current directory, overwriting to their reloc data if present in the large section and enough to hold the virus body. The infected files become droppers. It is the world's first virus to decrypt code using Parallel Thread Execution code.
jack twoflower
«The 'bliem' polymorphic engine for VBA» 6.1Kb 12056 hits
This engine is a combination of both a class infector and a polymorphic engine. The whole thing is called 'bliem' like the virus I first used this engine in.
«Mutation Engines» 8.14Kb 11972 hits
Xine [1] (1996)
I had taken apart several viruses, but most mutation engines due to thier nature are difficult to dissassemble. So after seeing other people's code I decide to try my hand at this type of coding. This article will illustrate the path I took in designing and building a Mutation Engine.
Lord Julus
«Polymorphism - Analysis on the decryptor generator 1.5» 63.29Kb 12253 hits
29a [2] (1998)
Before the heuristic analysers and the code emulators appeared on the market the usual encryption methods worked pretty good. And I do not speak only about viruses. I also reffer to the methods used for protecting software and data. Code emulators are able to crack your protections in a matter of minutes. That's when the ideea of polymorphism arose. A coder from Bulgaria passing by the nickname of Dark Avenger who wrote a lot of destructive viruses (including an antivirus against two of his viruses who unleashed a third virus) came with this ideea when his MtE (Mutation Engine) appeared. What polymorphism is really all about is creating self decrypting code, able to create each and every time a different decryptor containing both decrypting code and also junk instruction designed to make debugging and emultating harder.As this article is not designed to explain why is this needed or make a pro statement for polymorphism I will get directly to facts.
«An Introduction to Encryption, Part I» 13.41Kb 15442 hits
Final Chaos [1] (1999)
First, a brief description of some of the principles involved in encryption that you should know before we start. After the principles follows a brief discussion of a few more important topics, then examples of the encryption types mentioned here.
«An Introduction to Encryption, Part II» 19.07Kb 9188 hits
Final Chaos [1] (1999)
I'll give you some ways of making your data as secure as possible, along with a few ways of reducing the amount of code you require to encrypt and decrypt something securely. As before, I will leave the tutoring of armouring to people better qualified to teach (I've only dabbled in the subject so far).
«An Introduction to Encryption, Part III (Is an impenetrable encryption possible?)» 8.01Kb 9223 hits
Coderz [1] (2000)
Stephen Pearce
«Viral polymorphism» 23.63Kb 14398 hits
SANS Institute (2003)
This paper is an overview of polymorphic and metamorphic viruses. It defines them, provides some information regards the safe handling of them and comments on the legality/morality/policy regard the analysis of them. It looks at their history and the methods that they used both with reference to individual viruses and the virus toolkits prevalent in the early 90s. The response of the anti-virus industry is described along with the more recent evolution to metamorphic viruses and the challenge they provide. The aim will be to describe the techniques and then draw parallels between what was seen with viruses and what may happen with worms which now dominate the "virus" world.
«"Smart" trash: building of logic» [SRC] 15.8Kb 9392 hits
Electrical Ordered Freedom #3 (2011)
The main goal of garbage instructions - a hiding/protection of useful code (from av'ers, a watchful eye reverser and other curious). However, the "wrong" trash can lead to detection of viral code, thereby undermining all our efforts.This text is about how to improve the quality of the generated garbage.
Rogue Warrior
«Argument for slow infection and slow polymorphism» 7.54Kb 11823 hits
Insane Reality Magazine [8] (1996)
Many people say that fast infectors are better than slow infectors but I have to disagree. The goal of a virus is to travel to as many hosts as possible. Agreed?
«Guide to improving Polymorphic Engines» 17.61Kb 12518 hits
Insane Reality Magazine [8] (1996)
This is a guide for those who already know how to make an engine but cannot work out why their viruses are still detectable.
«Hiding your virus in the matrix» [TeX] [SRC] 19.92Kb 13288 hits
In this article you will read about a new kind of polymorphism provided by the eigenvalue problem. We will use some easy results from linear algebra to understand the concept, look at the encryption, decryption and chipher code, see some example and a running virus using this technique, and read about how to use that technique and how to improve it.
The Black Baron
«A general description of the methods behind a polymorph engine» 23.19Kb 12147 hits
This .DOC attempts to provide an insight into the workings of a Polymorph Engine. The methods described in this .DOC are the ones used in SMEG (Simulated Metamorphic Encryption Generator) Polymorph Engine and are by no means the only way to do it!
The Mental Driller
«Advanced polymorphic engine construction» [SRC] 38.16Kb 18479 hits
29a [5] (2000)
This article is assumed upon a basis on polymorphic engines construction, so you need an adquired good knowledge about decryptor generators and its construction (it's not for newbies! ;)I wrote this for win32 engines. I'm not very versated in Linux/Unix virusing, but modifying some words on this article (and some points in the index) it can be extrapolated to engines under these systems.
The Sorcerer
«Thoughts About The Use Of Garbage Instructions In Polymorphism» [TeX] [SRC] 4.61Kb 8792 hits
Ready Rangers Liberation Front [7] (2006)
Most texts on polymorphism suggest that the use of garbage instructions are paramount, in my playing with polymorphism I have come to the conclusion that Garbage is of limited use in protecting a virus from AV software and can in fact do the opposite.
Gary Watson
«A Discussion of Polymorphism» 9.38Kb 11166 hits
Data Plus (1992)
A polymorphic virus is a type of encrypted virus. Let's talk about those first. Many anti-virus programs rely on what we call a "scanner" which looks for an unusual sequence of machine language instructions or other unique data that indicates that a given virus is present. To defeat this, virus writers started encrypting their viruses by applying (for example) a random number exclusive-or'ed with the body of the virus. This obsfucates the unique string of bytes. So, programs like McAfee's scan had to do one of two things: look for the decryption routine (which cannot itself be encrypted since the 808x microprocessor would fail to execute it); or attempt to decrypt the body of the virus and look for the unique string of bytes in the body of the virus.
Joe Wells
«Understanding encryption and polymorphism» [SRC] 14.14Kb 6910 hits
IBM antivirus online (1996)
Escalation is a good word to use here.Virus programmers may encrypt messages so they can not be easily seen. In the same way many viruses contain encrypted code to hide what they do. Before there were virus scanners, there were programs written to detect possible Trojans. One such program was written by Andy Hopkins in 1984 and was called CHK4BOMB. When you used it to check out a program, it would alert you to anything suspicious in the program, like direct disk writes and formatting, as well as print out any messages it found. Obviously, a fully encrypted program, even one that did and said nasty things, would look safe on examination.Yet, encrypted viruses are not complete encrypted. Encrypted code is no longer executable code - it simply won't run. For an encrypted virus to actually run, it has to decrypt its code and data. The portion that does this decryption is not encrypted because it has to run. This portion is refered to as a decryptor.
«"Do polymorphism" tutorial» [SRC] 15.91Kb 7512 hits
DDT [1] (1999)
This tutorial isn't to discuss about any polymorphism matters, or to just explain you it's basics. It's fully oriented for you to at last learn how to write a polymorphic engine, with useful tips on how to implement it.Some coders, even some really good ones, feel it so difficult when it's time to come into polymorphism. "Ok, I have to swap instructions, but how the hell do I make that, how do I control the decryptor length and that the decrypting instructions are on their place?" and so on.
«Polymorphism and grammars» 21.82Kb 13604 hits
This is a technical article about polymorphism and grammar/automaton theories, which is intended to give a new point of view about this virus technique, and to show you some things on polymorphism theory. Before you start this, keep in mind it's not a "begginer article". If you never did a polymorphic engine or you don't know what the hell it is, you may come here later.
Tarkan Yetiser
«Mutation Engine Report» 25.22Kb 12193 hits
This report is provided to satisfy the curiosity of the public. We were approached by some third parties to perform an analysis on MtE. We would like to share the results of our analysis with everyone. If you find an error or inaccuracy in this report, please feel free to contact us. All constructive criticism is welcome. We thank all those who took the time to read and bring inaccurate or ambiguous parts of this report to our attention.
«Polymorphic Viruses - Implementation, Detection, and Protection» 13.84Kb 15189 hits
This paper discusses the subject of polymorphic engines and viruses. It looks at general characteristics of polymorphism as currently implemented. It tries to maintain a practical presentation of the subject matter rather than an academic and abstract approach that would confuse many people. Basic knowledge of the Intel 80x86 instruction set will be highly useful in understanding the material presented. A very detailed discussion is avoided not to have the side effect of "teaching" how to create polymorphic engines or viruses. The purpose is to help computer professionals understand this trend of virus development and the threats it poses. It should serve as a starting point for individuals who would like to get an idea about the polymorphic viruses and how they are implemented. Long gone are the days of innocence, when any schoolboy could write a virus scanner using a few signatures extracted from captured virus samples. The subject of polymorphism can be extended to other areas such as anti-reverse-engineering or anti-direct-attacks, and it can be argued to be useful in that context. This paper only looks at the use of polymorphism in PC viruses to avoid simple detection techniques.
21 authors, 27 titles
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka