Mistfall is a polymorphic and metamorphic engine for PE files created by Z0mbie. It was used for his Zmist virus. The engine disassembles the target file on each infection and reassembles it with the necessary relative offsets recalculated, which gives any virus using the engine its polymorphic features.
Behavior
Mistfall first checks that the PE file is valid and loads it into memory. It allocates memory for the virtual program image and for a flag table. The engine loads the DOS stub and PE header, then the sections (.data, .text, etc.), at their virtual addresses. It searches for signatures such as push ebp/mov ebp,esp and marks them for later analysis, then marks the entry point. The engine analyzes the structure of the file, building a table of flags in which set bits indicate which DWORDs are pointers or instruction offsets, and of which kind.
It then disassembles the file instruction by instruction while filling the flag table with new information about the instruction offsets. This part is often tricky, as confusing code with data may be fatal, so the engine may refuse to process some files. It then converts all information from the file into a list of instructions, data blocks, labels, and pointers in order to make the information a bit higher level. This makes it easier to manipulate the file. It then calls an external mutation engine which modifies the instruction list. Finally it reassembles the file, recalculates the offsets, and then recalculates the file checksum.
The engine requires 32 megabytes of memory. It can only work with PE files that have distinct sections such as .data, .text, and similar. It assumes the code is in the first section. It will fail on anything else and is even picky about files that do have such sections.
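A triage helper, added here and not part of Z0mbie's engine, that reads a PE's section table and reports which of the preconditions just listed a file fails. It reads "distinct sections" as a code section in first place followed by a separate non-code data section (my assumption); the function names and the PE header it builds are my own constructed sample input, not a real binary.

```python
import struct
from typing import List

IMAGE_SCN_CNT_CODE = 0x00000020      # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is executable

def parse_sections(pe: bytes):
    """Walk DOS header, PE signature, COFF and optional headers; return (entry RVA, [(name, rva, size, flags)])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                    # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):                         # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections

def mistfall_preconditions(pe: bytes) -> List[str]:
    """Reasons the engine, as described above, would refuse the file; an empty list means the layout it expects."""
    entry, sections = parse_sections(pe)
    if not sections:
        return ["no sections"]
    problems = []
    code_mask = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    if not any(not s[3] & code_mask for s in sections[1:]):
        problems.append("no separate data section after the first section")
    _, first_rva, first_size, first_flags = sections[0]
    if not first_flags & code_mask:
        problems.append("first section is not a code section")
    if not first_rva <= entry < first_rva + first_size:
        problems.append("entry point lies outside the first section")
    return problems

def build_pe(sections, entry: int) -> bytes:
    """Constructed minimal PE32 headers (no section bodies), sample input only; not a real binary."""
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # i386, PE32 optional header size
    opt = bytearray(224)
    opt[0:2], opt[16:20] = struct.pack("<H", 0x10B), struct.pack("<I", entry)  # PE32 magic, AddressOfEntryPoint
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
```

Section tuples passed to `build_pe` are (name, RVA, virtual size, characteristics); a real file would be read from disk and passed straight to `mistfall_preconditions`.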
Origin
The Mistfall engine was coded by Z0mbie in Russia. It was written in Borland C++ without classes or other language features. The name comes from the G. Martin story "With morning comes Mistfall". It was used in Z0mbie's Zmist virus, which was among the hardest viruses of its time to detect and one of the most complex.