
Originally Posted by
Hitokiri~
This by definition, isn't actually polymorphic code.
Basically you're encrypting/decrypting your function block as needed.
Polymorphic code would mutate the entire program's binary on the hard disk, thus changing the entire signature each time it's run.
Polymorphic code/self-modifying code is dead either way when ROP can be used for this purpose: ROP enables
polymorphism without requiring a writeable code section in memory
And also:
"Most antivirus software rely on string signatures and mild behavioral profiling detection mechanisms.
By encoding malicious code into its return-oriented equivalent and even by performing elementary permutations (unrolling), the former can be bypassed in the vast majority of cases. Behavioral profiling can also be avoided by carefully intercepting normal execution flow in points that AVs either cannot emulate or simply cannot derive enough evidence to classify the behavior as malicious. In this thesis, we presented as a means to the latter the hooking of common calls to process exit resulting in many cases in absolute evasion and in others rates greater than 98%"
In this thesis, we presented as a means to the latter the
hooking of common calls to process exit resulting in many cases in absolute evasion and in others rates greater
than 98%"
So I mean what's the point of having the leetest of obfuscators (VMProtect, Themida, et al) in the first place.
Source:
ROPInjector Using Return Oriented Programming for
Polymorphism and Antivirus Evasion (Giorgos Poulios, Christoforos Ntantogian, Christos Xenakis, Department of Digital Systems, University of Piraeus)