Research On Code Obfuscation Method Based On Compression Encryption And Polymorphism

Posted on: 2012-09-22 | Degree: Master | Type: Thesis
Country: China | Candidate: S Li
GTID: 2218330362956454 | Subject: Computer system architecture
Abstract/Summary:
With the rapid development of network technology, the network environment is becoming more and more complex, and malicious code of many kinds keeps emerging. How to counter malicious code has become a main topic of computer security research. Meanwhile, malicious code has played an active role in computer forensics and information warfare as an auxiliary means. Therefore, the study of code obfuscation technology used to camouflage malicious code has both theoretical and practical value.

Building on previous research, the major concepts related to code obfuscation are discussed: control obfuscation, refactoring of PE files, and anti-detection of code traits. Two general methods of code obfuscation are analyzed, their basic processing flow and rationale are discussed, and their disadvantages are summarized.

On this basis, the paper proposes, on an exploratory basis, an approach to code obfuscation based on Compression, Encryption and Polymorphism (CEP). The key technologies of this approach are reforming the original code segment by compression, encrypting the import address table by hash, and reforming the loader by polymorphism. To compress the original segment, a method based on the LZMA (Lempel-Ziv Markov chain Algorithm) compression engine combined with XOR treatment using a random number is used, so that confidentiality is taken into account while compression performance is preserved. For encryption, a dynamic search method based on a shift-and-XOR hash is used, so that detection software is confused. A polymorphism engine is analyzed and its mode is described; this engine is used in CEP to reform the loader function.

To test the CEP code obfuscation method, an obfuscation tool based on the CEP method has been designed. The major modules of this tool, the compression module and the loader module, are listed. A test environment was then set up to test the availability of the CEP obfuscation tool.

The results indicate that the CEP code obfuscation method is universal across different Windows platforms, and that malicious software processed by it successfully avoids monitoring by detection software.
Keywords/Search Tags: compression, encryption, polymorphism, code obfuscation, computer security