reverse engineering - How does polymorphic code work on the .exe file

Question

I'm writing a paper on malware and malware analysis and would like to include a bit on polymorphic malware(Code that changes itself), not to be confused with polymorphism is OOP.

My hypothesis is that it changes the function names which change the file signature. So for example I did a test and went into vim and changed some of the function names in my hello world program which was written in c(The actual executable) and it did not change the way the code executed but it changed the file signature.

So am I wrong or is there more to it? I know there's metamorphic code which inserts instructions and changes the actual flow of the program but I'm just talking about obfuscation and how basic polymorphic code works. If someone could answer me or point me to a research paper that would be awesome!

question from:https://stackoverflow.com/questions/65877330/how-does-polymorphic-code-work-on-the-exe-file

Answer 1

First of all, I doubt that when you changed the function name, the file signature has changed. Or, it depends on your definition of the signature here. If you mean MD5 hash, this will change even if you didn't change anything in your code because the timestamp in the header changes.

Polymorphic code basically consists of a piece of self-changing encrypting code (metamorphic encryptor) + encrypted payload. I would advise you to read the great book of Peter Szor "The Art of Computer Virus Research and Defense". Although the book is a bit old, many basic concepts like this are explained well.