Metamorphism as a Software Protection for Non-Malicious Code

摘要

The software protection community is always seeking out new methods for defending their products from unwanted reverse engineering, tampering, and piracy. Most protections currently sought are static in nature. Once integrated, the program never modifies them. Being static makes them stationary instead of moving targets. This observation begs a question, 'Why not incorporate self-modification as a defensive measure.' Metamorphism is a defensive mechanism used in modern, advanced malware programs. Although the main impetus for this protection in malware revolves around avoiding detection from anti-virus signature scanners by changing the program's form, certain metamorphism techniques also serve as anti-disassembler and anti-debugger protections. For example, opcode shifting is a metamorphic technique used to confuse the program disassembly, but malware modifies these shifts dynamically unlike the software protection community's current static approaches. This research assessed the performance overhead of a simple opcode-shifting metamorphic engine and evaluated the instruction reach of this particular metamorphic transform. In addition, the investigator examined the effects of dynamic subroutine reordering.