Full Disclosure mailing list archives
Re: (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine
From: Alejandro Barrera <abarrera () iron-gate net>
Date: Fri, 9 Sep 2005 21:39:45 +0200
> Hi,
> TAPiON engine was developed to avoid code detection (shellcode/whatever).

Hi Piotr, I had a look at Tapion's code and I don't really see any truly genuine polymorphism. Actually I did see some fixed patterns which could make Tapion's decryptors pretty detectable: the main problem is that you build the decryptor based on some blocks which can be made into patterns, especially because the block construction is always the same:

1) XOR block [optional with 50% of probabilities]
2) (mov block | get_eip block) or (get_eip block | anti_emu block [1/3 prob] | mov block) [50% prob]
3) anti_emu block [1/3 prob]
4) -- Decryptor loop --
   (copy_reg block | mov_reg block) or (mov_reg block | copy_reg block | temp block) [50% prob]
...

As you see, there is nearly no randomness in the process and the construction blocks are easy to detect. If you want some in-depth reading on polymorphism I recommend the 29a papers: http://vx.netlux.org/29a/

> best regards, Piotr Bania
Kindest regards :)

--
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268
28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: abarrera () iron-gate net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
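The structural argument in the reply above can be checked by enumerating the block grammar it describes. The following is an added example, not code from the original post or from TAPiON: it transcribes the four construction steps and their stated probabilities (the grammar encoding itself is an assumption, treating "|" as sequence and "or" as choice) and counts how many distinct decryptor layouts a signature writer would actually have to cover.

```python
"""Added example (not from the post or from TAPiON): enumerate every block
layout the described decryptor grammar can emit, with its probability, to
quantify how little structural variation a pattern-based detector faces."""
from fractions import Fraction
from itertools import product
from math import log2

# Each stage is a list of (block_sequence, probability) alternatives,
# transcribed from the e-mail's four construction steps (assumed encoding).
STAGES = [
    # 1) XOR block, optional with 50% probability
    [(("xor",), Fraction(1, 2)), ((), Fraction(1, 2))],
    # 2) (mov | get_eip) or (get_eip | anti_emu [1/3] | mov), 50% each branch
    [(("mov", "get_eip"), Fraction(1, 2)),
     (("get_eip", "anti_emu", "mov"), Fraction(1, 2) * Fraction(1, 3)),
     (("get_eip", "mov"), Fraction(1, 2) * Fraction(2, 3))],
    # 3) anti_emu block with 1/3 probability
    [(("anti_emu",), Fraction(1, 3)), ((), Fraction(2, 3))],
    # 4) decryptor loop prologue: two orderings, 50% each
    [(("copy_reg", "mov_reg"), Fraction(1, 2)),
     (("mov_reg", "copy_reg", "temp"), Fraction(1, 2))],
]


def enumerate_layouts(stages=STAGES):
    """Return {block_sequence: probability} for every layout the grammar emits."""
    layouts = {}
    for combo in product(*stages):
        seq = tuple(block for blocks, _ in combo for block in blocks)
        prob = Fraction(1)
        for _, p in combo:
            prob *= p
        layouts[seq] = layouts.get(seq, Fraction(0)) + prob
    return layouts


def layout_entropy_bits(layouts):
    """Shannon entropy of the layout distribution: the surprise a detector faces."""
    return -sum(float(p) * log2(float(p)) for p in layouts.values() if p)


if __name__ == "__main__":
    layouts = enumerate_layouts()
    print(len(layouts), "distinct layouts, %.2f bits of structural entropy"
          % layout_entropy_bits(layouts))
    for seq, p in sorted(layouts.items(), key=lambda kv: -kv[1])[:4]:
        print("%5.3f  %s" % (float(p), " -> ".join(seq)))
```

Only 24 distinct block orderings exist under this grammar, and four of them each occur one time in twelve, which is why the reply calls the construction easy to pattern-match.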