设计一个指令序列,以便在使用偏移量解码时执行其他操作
[英]Designing an instruction sequence so that it does something else if decoded with an offset
问题描述
This question is a follow-up to that question .
这个问题是该问题的后续问题。
To set the context of this question, consider Null-free programming .要设置此问题的上下文,请考虑Null-free programming 。 This is a technique to masquerade a sequence of instructions (shellcode) as a string.这是一种将指令序列(shellcode)伪装成字符串的技术。 In the C programming language, the byte 0 marks the end of a string, so the instruction sequence must be designed not to contain any such byte, otherwise it would be truncated by the string-manipulation function being abused.在 C 编程语言中,字节 0 标志着字符串的结束,因此指令序列必须设计为不包含任何此类字节,否则会被滥用的字符串操作函数截断。
The IA32 and x86-64 instruction sets, with their variable-length instructions of no particular alignment, allow instructions for task B to be decoded at an offset within an existing stream of instructions for doing task A. This technique has been used punctually in the early days of personal computing (1980s) in order to save space. IA32 和 x86-64 指令集的可变长度指令没有特定的对齐方式,允许任务 B 的指令在执行任务 A 的现有指令流中的偏移处进行解码。这种技术已在个人计算机的早期(1980 年代)以节省空间。
Has the technique of embedding code within code, starting at an offset within the first instruction, already been used, say, as one way to fool anti-virus detection?从第一条指令的偏移量开始,在代码中嵌入代码的技术是否已经被用作欺骗反病毒检测的一种方法? Does it have a name?它有名字吗? If it is useful and has already been used, what is an example?如果它有用并且已经被使用过,那么一个例子是什么? If the attacker is writing the code to start with, it is enough for task A to do nothing in an ostensibly harmless way, which may leave enough leeway to do anything that one could want as task B.如果攻击者开始编写代码,那么任务 A 以一种表面上无害的方式什么都不做就足够了,这可能会留下足够的余地来做任务 B 想要做的任何事情。
1 个解决方案
解决方案1
5 已采纳 2014-07-05 13:01:42
Yes, this has surely been used for any situation where obfuscating code would be useful.是的,这肯定已用于混淆代码有用的任何情况。 Not only for virus programming, but for example software protection and reverse engineering prevention.不仅用于病毒编程,还用于软件保护和逆向工程预防。
I have used it myself a few times for size coding competitions , and seen several examples in other peoples entries.我自己在大小编码比赛中使用过几次,并在其他人的参赛作品中看到了几个例子。
This technique naturally has been invented and re-invented many times for different processors, so you will naturally find several different names for it.这种技术自然已经针对不同的处理器进行了多次发明和再发明,因此您自然会为它找到几个不同的名称。 I found names like "overlapping instructions" and "instruction scission".我发现了诸如“重叠指令”和“指令中断”之类的名称。
Some resources:一些资源:
Jump into the middle of instruction - in IA-32 跳转到指令的中间 - 在 IA-32
What is “overlapping instructions” obfuscation? 什么是“重叠指令”混淆?
A new instruction overlapping technique for anti-disassembly and obfuscation of x86 binaries x86二进制反汇编和混淆的新指令重叠技术
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.