Virtual Code

roy g biv
Electrical Ordered Freedom #2 (EOF-DR-RRLF)
October 2007

This is an idea that I had after I read about Locreate in the Uninformed #6 journal. There, the author describes relocation data being used to alter the in-memory image. We have seen this before, where a virus uses relocation data to decrypt itself. The author talks about a packer, but it is really a cryptor. There are some interesting things in the article, but it was not very special for me. So, my idea is to remove all code from a section, and use relocation data to restore it. Since the section is now only in virtual memory, I call it virtual code. It seems that IDA does not support multiple relocations being applied to the same location, so it cannot handle my files. :)
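
One way to check a file for the relocation pattern described above, as an added example that is not part of the original article: a parser for a raw PE base relocation directory that reports every byte patched by more than one relocation. The function names and both sample tables are constructed for illustration, and the 4-byte width used for unlisted relocation types is an assumption.

```python
import struct
from collections import Counter

# Bytes patched by each base relocation type (PE/COFF spec); type 0 is padding.
WIDTH = {1: 2, 2: 2, 3: 4, 10: 8}  # HIGH, LOW, HIGHLOW, DIR64

def parse_relocs(data):
    """Yield (rva, type) for every entry in a raw base relocation directory."""
    pos = 0
    while pos + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, pos)
        if block_size < 8 or block_size % 2 or pos + block_size > len(data):
            raise ValueError(f"malformed relocation block at offset {pos:#x}")
        for (entry,) in struct.iter_unpack("<H", data[pos + 8:pos + block_size]):
            rtype, offset = entry >> 12, entry & 0x0FFF
            if rtype != 0:  # skip IMAGE_REL_BASED_ABSOLUTE padding
                yield page_rva + offset, rtype
        pos += block_size

def overlapping_targets(data):
    """Return {rva: hit_count} for bytes patched by more than one relocation."""
    hits = Counter()
    for rva, rtype in parse_relocs(data):
        # Assumption: relocation types not listed in WIDTH patch 4 bytes.
        for b in range(rva, rva + WIDTH.get(rtype, 4)):
            hits[b] += 1
    return {rva: n for rva, n in sorted(hits.items()) if n > 1}

def block(page_rva, entries):
    """Build one constructed relocation block from (type, offset) pairs."""
    words = [(t << 12) | off for t, off in entries]
    if len(words) % 2:
        words.append(0)  # pad to 32-bit alignment with an ABSOLUTE entry
    return struct.pack(f"<II{len(words)}H", page_rva, 8 + 2 * len(words), *words)

# Constructed samples: an ordinary table, and one whose entries overlap
# around RVA 0x2010 (same target twice, plus a third entry two bytes later).
CLEAN = block(0x1000, [(3, 0x10), (3, 0x20), (3, 0x30)])
SUSPECT = block(0x2000, [(3, 0x10), (3, 0x10)]) + block(0x2000, [(3, 0x12)])

if __name__ == "__main__":
    for name, table in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, {hex(k): v for k, v in overlapping_targets(table).items()})
```

A compiler-generated relocation table patches each location once, so any non-empty result is worth a closer look, as is a table whose targets fall in a section with no raw data.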

