TridenT Polymorphic Engine version 1.3
============================================================
Written by Masud Khafir of the TridenT virus research group.
What is it?
~~~~~~~~~~~
The TPE is a module that can be included in programs to make
them able to produce polymorphic programs. The TPE comes as
an OBJ file. If you want to include the TPE in your program
you must link it to it. If you have never linked an object
file to a program, DON'T start with the TPE. First do this,
then return to the TPE.
The TPE does two things. First, it will encrypt the original
code. This is done in a different way each time the TPE is
called. Second, it will generate a decryption routine for it.
The encrypted code will be put right after the decryption
routine. The size of the decryption routine will not be very
big. At most a few hundred bytes. Of course, the decryptor
will also be different each time the TPE is called. The TPE
can produce plain decryptors or decryptors with some random
non-functional instructions inserted.
The size of the TPE is 1411 bytes; We believe this is not too
big.
What's new?
~~~~~~~~~~~
Read the file HISTORY.DOC for more information about this
new version of TPE.
How can I use it?
~~~~~~~~~~~~~~~~~
The TPE offers you 3 subroutines: 'rnd_init', 'rnd_get' and
'crypt'. It also can give you the addresses of the begin and
end of TPE. If you write your program in assembler, you must
include the following in your source code:
.model tiny
.code
extrn rnd_init:near
extrn rnd_get:near
extrn crypt:near
extrn tpe_bottom:near
extrn tpe_top:near
The first (rnd_init) is a subroutine to initialize the random
number generator. You are advised to call this subroutine
before the first time you call the encryption subroutine. If
you don't, the random number generator may not function
perfectly. All registers will be preserved.
The second is a subroutine that returns a random number in AX.
This subroutine is used by TPE, but you can use it also for
other things in your program. Your imagination is the limit.
All registers, except AX, are preserved.
The third is the actual encryption subroutine. This one needs
several input parameters. When it finishes, it will return
some output parameters. All parameters are passed in registers
(see below).
The last two are the begin and end addresses of the TPE in
your program. You may need these if your program is going to
include the TPE in the generated program.
You can leave out 'extrn' commands of things you don't use
in your source code.
Be sure that there is enough stack space for the TPE. (100
bytes appear to be enough). If you use the TPE in a resident
program, it is recomended to maintain your own stack.
Otherwise the chance is that you will blow the DOS stack.
Of course, you must link TPE.OBJ to you program!
If you are using more than one segment in your program, the
complete TPE will be put in the CODE segment (called _TEXT).
Input parameters of the crypt routine:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ES = Work segment
This is the place where the decryptor and the encrypted
code will be generated. Be sure that it is large enough.
It must at least be as large as the size of the code to
encrypt plus the size of the decryptor. 512 bytes plus
the length of the code ought to be enough.
DS:DX => Code to encrypt
This must point to the code you want to encrypt.
CX = Length of code to encrypt
Put the size of the piece of code you want to encrypt
in CX. The TPE cannot encrypt more than 32768 bytes,
so the value of CX must be lower.
BP = Offset where the decryption routine will be executed
You must put the address where the decryptor will start
in BP. For example, if the generated program will be a
COM file which starts with the decryptor, you must set
this value to 100h.
SI = Distance between decryptor and encrypted code
In this register you must put the distance that will be
between the decryptor and the encrypted code. If the
encrypted code will be right after the decryptor (this
is the normal case) you must set this value to 0.
AX = Bit field
In this register you can provide some options about the
way the decryptor must be.
bit 0: DS will not always be equal to CS
If you are not sure that DS will be equal to CS when
the decryptor takes control, you must set this bit
high. This is the case when the decryptor is in an
EXE file.
bit 1: Insert random non-functional instructions in
decryptor
If this bit is high, the decryption routine will
contain several non-functional instructions. Since
these instructions are non-functional, they don't
disturb the decryptor.
bit 2: Put random instructions before decryptor
If this bit is high, several random instructions
are put before the decryption routine. These
instructions may affect the registers, but they
won't disturb the decryptor.
bit 3: Preserve AX with decryptor
If you want to preserve the original value of AX
after decryption, you must set this bit high.
Output parameters of the crypt routine:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ES = Work segment (preserved)
ES will still point to the work segment.
DS:DX => Decryptor + encrypted code
This will now point to the decryptor, immediatly followed
by the encrypted code. DS:DX will be the same as ES:0000.
If SI was set to 0 before the TPE was called, the code
is now ready to be put in a file.
CX = Length of decryptor + encrypted code
CX now has the summary length of both the decryptor and
the encrypted code. You can use this value to write the
decryptor plus the encrypted code to a file (in case SI
was set to 0 before the TPE was called).
DI = Length of decryptor
If SI was not set to 0 before the TPE was called, you
will need this value when you want to write the decryptor
to a file. This value can also be used as an offset of
the encrypted code. This will be at DS:DI (because DX
will be 0). If SI was 0, you can ignore this value.
AX = length of encrypted code
This value will be the same as the value of CX before
the TPE was called. If SI was not set to 0 before the
TPE was called, you will need this value when you want
to write the encrypted code to a file. If SI was 0, you
can ignore this value.
Final notes.
~~~~~~~~~~~~
First, I want to thank the Dark Avenger from Bulgaria for his
nice 'Mutation Engine' program. This fine program has been a
great source of inspiration for the TPE!
Check out the source of TPE-GEN to learn more about the TPE
and how it works.
Please, remember that the author of the TPE and the TridenT
virus research group are not responsible if you use the TPE
in an illegal or naughty way.
Good luck.
�