Designing an instruction sequence so that it does something else if decoded with an offset

旧城冷巷雨未停 提交于 2019-12-19 04:46:42

问题


This question is a follow-up to that question.

To set the context of this question, consider Null-free programming. This is a technique to masquerade a sequence of instructions (shellcode) as a string. In the C programming language, the byte 0 marks the end of a string, so the instruction sequence must be designed not to contain any such byte, otherwise it would be truncated by the string-manipulation function being abused.

The IA32 and x86-64 instruction sets, with their variable-length instructions of no particular alignment, allow instructions for task B to be decoded at an offset within an existing stream of instructions for doing task A. This technique has been used punctually in the early days of personal computing (1980s) in order to save space.

Has the technique of embedding code within code, starting at an offset within the first instruction, already been used, say, as one way to fool anti-virus detection? Does it have a name? If it is useful and has already been used, what is an example? If the attacker is writing the code to start with, it is enough for task A to do nothing in an ostensibly harmless way, which may leave enough leeway to do anything that one could want as task B.


回答1:


Yes, this has surely been used for any situation where obfuscating code would be useful. Not only for virus programming, but for example software protection and reverse engineering prevention.

I have used it myself a few times for size coding competitions, and seen several examples in other peoples entries.

This technique naturally has been invented and re-invented many times for different processors, so you will naturally find several different names for it. I found names like "overlapping instructions" and "instruction scission".

Some resources:

Jump into the middle of instruction - in IA-32
What is “overlapping instructions” obfuscation?
A new instruction overlapping technique for anti-disassembly and obfuscation of x86 binaries



来源:https://stackoverflow.com/questions/24586242/designing-an-instruction-sequence-so-that-it-does-something-else-if-decoded-with

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!