问题
This question is a follow-up to that question.
To set the context of this question, consider Null-free programming. This is a technique to masquerade a sequence of instructions (shellcode) as a string. In the C programming language, the byte 0 marks the end of a string, so the instruction sequence must be designed not to contain any such byte, otherwise it would be truncated by the string-manipulation function being abused.
The IA32 and x86-64 instruction sets, with their variable-length instructions of no particular alignment, allow instructions for task B to be decoded at an offset within an existing stream of instructions for doing task A. This technique has been used punctually in the early days of personal computing (1980s) in order to save space.
Has the technique of embedding code within code, starting at an offset within the first instruction, already been used, say, as one way to fool anti-virus detection? Does it have a name? If it is useful and has already been used, what is an example? If the attacker is writing the code to start with, it is enough for task A to do nothing in an ostensibly harmless way, which may leave enough leeway to do anything that one could want as task B.
回答1:
Yes, this has surely been used for any situation where obfuscating code would be useful. Not only for virus programming, but for example software protection and reverse engineering prevention.
I have used it myself a few times for size coding competitions, and seen several examples in other peoples entries.
This technique naturally has been invented and re-invented many times for different processors, so you will naturally find several different names for it. I found names like "overlapping instructions" and "instruction scission".
Some resources:
Jump into the middle of instruction - in IA-32
What is “overlapping instructions” obfuscation?
A new instruction overlapping technique for anti-disassembly and obfuscation of x86 binaries
来源:https://stackoverflow.com/questions/24586242/designing-an-instruction-sequence-so-that-it-does-something-else-if-decoded-with