You want to hide portions of your binary using self-modifying code without rewriting existing code in assembler.
The most effective use of self-modifying code is to overwrite one section of vital code with another section of vital code, so that the two vital sections never exist in memory at the same time. That can be time-consuming and costly to develop; a more expedient technique uses C macros to mark code that is decrypted at runtime from garbage bytes in the code section into proper executable code. The process involves encrypting the protected code after the binary has been compiled, then decrypting it at runtime, only once the binary is executing.
The code presented in this recipe applies to FreeBSD, Linux, NetBSD, OpenBSD, and Solaris. The concepts apply to Unix and Windows in general.
For the code presented in this recipe, we'll be using RC4 to perform our encryption. We've chosen RC4 because it is fast and easy to implement. To use the code we present, you will need the RC4 implementation from Recipe 5.23 or another RC4 implementation.
The actual code to decrypt and replace the code in memory is minimal. The complexity arises from having to obtain the code to be encrypted, encrypting it, and making it accessible to the code that will be decrypting and executing it. A set of macros provides the means to mark replaceable code, and a single function, , performs the decryption of the code. ...
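The two halves of the mechanism described above, as an added example that is not the recipe's code: a post-build step that masks (RC4-encrypts) the bytes of a marked region, and a runtime step that unmasks them in place, here over an ordinary byte buffer standing in for the region between the markers rather than a live code page, so nothing executable is modified. The RC4 routine is a minimal stand-in for the Recipe 5.23 implementation, the function names `mask_region` and `unmask_region` are hypothetical, and the sample bytes, key and `/proc/<pid>/maps` lines are constructed. Two caveats the recipe's text leaves implicit: because the key must ship inside the binary, RC4 here buys obfuscation, not confidentiality; and on the Unix platforms listed, writing decrypted bytes into the code section means the page must first be made writable (for instance with `mprotect`), so a mapping that is both writable and executable is the footprint a W^X policy or memory scanner flags. The `maps_line_is_wx` check at the end shows that defender-side test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal RC4 (KSA + PRGA). Added for this example as a stand-in for the
   Recipe 5.23 implementation the text refers to; it is not the book's code. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_ctx;

static void rc4_init(rc4_ctx *ctx, const uint8_t *key, size_t keylen) {
    size_t k = 0;
    uint8_t j = 0, tmp;
    int n;
    for (n = 0; n < 256; n++) ctx->S[n] = (uint8_t)n;
    for (n = 0; n < 256; n++) {
        j = (uint8_t)(j + ctx->S[n] + key[k]);
        tmp = ctx->S[n]; ctx->S[n] = ctx->S[j]; ctx->S[j] = tmp;
        if (++k == keylen) k = 0;
    }
    ctx->i = ctx->j = 0;
}

/* RC4 is symmetric: the same call masks (encrypts) and unmasks (decrypts). */
static void rc4_crypt(rc4_ctx *ctx, uint8_t *buf, size_t len) {
    size_t n;
    uint8_t tmp;
    for (n = 0; n < len; n++) {
        ctx->i = (uint8_t)(ctx->i + 1);
        ctx->j = (uint8_t)(ctx->j + ctx->S[ctx->i]);
        tmp = ctx->S[ctx->i]; ctx->S[ctx->i] = ctx->S[ctx->j]; ctx->S[ctx->j] = tmp;
        buf[n] ^= ctx->S[(uint8_t)(ctx->S[ctx->i] + ctx->S[ctx->j])];
    }
}

/* Post-build step (hypothetical name). In the recipe this runs over the bytes
   between the start/end markers in the compiled binary; here the region is an
   ordinary byte buffer, so nothing executable is touched. */
static void mask_region(uint8_t *region, size_t len,
                        const uint8_t *key, size_t keylen) {
    rc4_ctx ctx;
    rc4_init(&ctx, key, keylen);
    rc4_crypt(&ctx, region, len);
}

/* Runtime step (hypothetical name), mirroring the single decryption function
   the text mentions. On a real code page this is the point where the page
   would first have to be made writable, which is the detectable side effect. */
static void unmask_region(uint8_t *region, size_t len,
                          const uint8_t *key, size_t keylen) {
    mask_region(region, len, key, keylen);  /* symmetric cipher */
}

/* Round trip over a constructed sample region. Returns 1 on success: the
   masked bytes differ from the original and unmasking restores them. */
int demo_round_trip(void) {
    static const uint8_t key[] = "example-key";   /* constructed; ships in the binary */
    const uint8_t original[] = { 0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3 };
    uint8_t region[sizeof original];
    memcpy(region, original, sizeof region);

    mask_region(region, sizeof region, key, sizeof key - 1);
    if (memcmp(region, original, sizeof region) == 0) return 0;

    unmask_region(region, sizeof region, key, sizeof key - 1);
    return memcmp(region, original, sizeof region) == 0;
}

/* Defender's check: parse one /proc/<pid>/maps line and report whether the
   mapping is both writable and executable. Line layout (Linux):
   "start-end perms offset dev inode path", perms being r/w/x then p or s. */
int maps_line_is_wx(const char *line) {
    const char *sp = strchr(line, ' ');
    if (sp == NULL || strlen(sp + 1) < 4) return 0;
    return sp[2] == 'w' && sp[3] == 'x';
}

int count_wx_mappings(const char *const *lines, size_t n) {
    size_t i;
    int hits = 0;
    for (i = 0; i < n; i++) hits += maps_line_is_wx(lines[i]);
    return hits;
}

int main(void) {
    /* Constructed sample maps lines, not captured from a real process. */
    static const char *const sample[] = {
        "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/prog",
        "00601000-00602000 rwxp 00001000 08:01 1234 /tmp/prog",
        "7ffd0000-7ffd1000 rw-p 00000000 00:00 0    [stack]",
    };
    printf("round trip ok: %d\n", demo_round_trip());
    printf("w+x mappings: %d\n", count_wx_mappings(sample, 3));
    return 0;
}
```

`demo_round_trip` re-initialises the RC4 state for the unmask step, which matters: the runtime decryptor must start from the same keystream position the post-build encryptor used, so a real implementation has to record where each marked region's keystream begins (or, as here, key each region independently). The maps check is deliberately narrow: it only reports w+x, which is the condition this technique needs and the condition a W^X-enforcing loader or scanner refuses.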