Polymorphic code is a type of computador[1] code that constantly changes or mutates, posing a unique challenge for anti-virus software and intrusion detection systems. This code uses complex algorithms to alter itself, making it difficult for security[2] software to spot. Often employed by malicious programmers, they rewrite decryption engines to shield the encrypted code. Techniques like emulation in sandbox environments can potentially defeat this obfuscation. Metamorphic code, a related concept, adds another layer of complexity by executing without identifiable constant code blocks. An introductory example of polymorphic code is encryption via the XOR operator, where the encrypted code serves as a mutable payload. The decryption process involves changing encrypted code within defined markers. Other relevant concepts include alphanumeric shellcode, shellcode, obfuscated code, and oligomorphic code.
This article needs additional citations for verification. (November 2010) |
In computing, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact - that is, the code changes itself every time it runs, but the função of the code (its semantics) stays the same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different machine code in a CPU. This technique is sometimes used by computer viruses, shellcodes e computer worms to hide their presence.
Encryption is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is executed, this function reads the payload and decrypts it before executing it in turn.
Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of some code which all function the same.
PT 
NL 
EN 
FR