Win32 PE virus entry tutorial by koms bomb
Disclaimer: If someone wrote any malignant virus, it has nothing to do with the society because of seeing this paper. I just discussed some theoretical knowledge.
Purpose of this article: 1, like the popularity knowledge, even if the old man (talking about me? Depressed) the old people must understand the knowledge, so the better programs are also best understood the principle of some viruses. 2. Carry forward China's virus career. Why do you want to carry forward? Go see my other articles.
Readers facing this article: 1. Familiar with Win32 assembly. Don't understand compilation, only VB? That's right, VB can also write "virus", but is it too miserable? 2, familiar with the PE structure. Faint! If you don't even know the structure of the PE file, you still have to infect anyone. 3, there is "serious" love for the virus, at least don't hate it. Since this article contains an ingredient that may incur a dissatisfaction of PC users, if you don't like a virus, please leave again. 4, if you are a virus master, don't laugh in this article, this is an introductory article, I hope to have a large number of Chinese writing viruses. 5, this is the most basic virus writing technology, if you are really a master (you are really a master? How can you really master ??? :)), you can't see it.
First, how do I get the address of the Kernel32 API? The virus has no import table, and it is now not fashionable to snap the import table of the Host program. The current technology is now the base address of the Kernel32 from the 4G address space, and then finds the address required for the API from the Kernel32's export table. Once there is a Kernel32's API, the API wants to import other DLLs is easily, at least use LoadLibrarya and getProcaddress (huh, good basic approach). First determine the base address of Kernel32. This address is different from 98, 2k, and XP is different. Note that a good virus cannot over-reliance on a certain OS, so we can't write a dead 77E80000 in the virus. So we have to search. Generally, when a program is executed, Kernel32 is mapped to its address space, which is why we can search for its address. Look at the base site of the three OS, 98 is BFF70000, 2K is 77E80000, XP is 77E60000, OK, all over 700,000,000, we can start here. Of course, if a one-byte search is too slow, the general DLL positioning is in the 1m boundary, so we can span at 10,000. There is also a problem, 4G space is not all readable, and a GPE error will appear in some place. How to do? hmmmmmmmmmmmm, M $ has thought of this point, it provides a technique known as Win32 SEH in there that lets you strangle errors, make your program to proceed without crash. Specific SEH is written in assembly, as long as several instructions, everyone can find some viruses to see it. Note that the image in the PE file and the memory is very similar, so we can search for kernel32ebx-> current address, now is 70000000HSET SEH FRAME # 1ebx = 0 dam 10000HIF EBX == 0 dam. Didn't find kernel32? ? ? Is it crash or return to Host? I have nothing to say. Word PTR [EBX] == 'zm'? no, goto # 1eax = EBX 3CHEAX = EBX [EAX] Word PTR [EBX] == 'EP'? NO, GTO # 1NOW WE Are Sure this is a pe Image , let's look up whether it's a dll, if not, goto # 1then check the export dll name, if it's not 'KERNEL32.DLL', goto # 1Now go into it's export table, get the APIs address which we use to start our smart Work, Hahahaha.Remove Seh Frame ... SEH HANDLER: Resume To # 1 specific details, everyone goes to study. At present, most Win32 viruses are this process, of course, specific implementation methods will have different.
Second, then do you? Remember the truth written by a virus: The better the Host program, the better, otherwise a significant latency will cause a beautiful user (? Beauty usually not very understanding computer, (Painted outside: The female program I have ever seen is beautiful ) ^ _ ^) Doubt. So we should assign a memory immediately, copy your own copy, create a viral thread there, then return to the host program. Ok, now the Host program is running normally, and our virus has also begun to start, Hoho, start our devil journey. Third, infection is re-infected, as much as possible as possible as possible! Infection is a virus dependher on the root of long-term survival, so we have to search for a large-scale search, infected infection! Findfirstfile, FindNextFile, FindClose unless you hook some system API (refer to Win32.Kriz), these three APIs are necessary, search and search, infection, re-infection. If you don't have to search, you don't have to say it :).
Fourth, what way is infected? At present, Win32 virus is divided into two mainstreams, a class of the most common, covering the last section of the Host program, or simply adds it behind the last section and expands it. This technique is very simple, examples can be found in Funlove, and there is a relatively large virus with a complex Polymorphism engine. The second category is to insert themselves into the host body as much as Elkern, insert it as much as possible, PE files compiled as VC, its file alignment is 4K, so the gap between sections is likely to have 4, 5K, foot can accommodate a Win32 virus. This technique is more troublesome, and debugging is also complex, and the main popular has Elkern. (The method of CIH is similar, but that is Win95 virus, not within this tutorial).
Five, what else do you have? For survival, we have to stay in memory as long as possible, rather than the Host program ended over (many early Win32 viruses: (). There are two ways, one is like funlove. A file in the system directory, and modify the registry or create a system service. This way is very common, and most of the viruses include worms. But, huh, let's release a document, too easy to pay attention Another way is to infect all the running processes. Good way, it is easy to implement under Win2k, CreateremoteThread, but if you want to implement it under all Win32 platforms, it is relatively high, not within the scope of this. Of course, if you can write a Ring 0 virus that works in all Win32 platforms, then I sue you. This is not impossible, but the virus will be relatively large, it is very hard, not universal.
Sixth, how to quickly infect two most basic 1. Search for files as much as possible without paying attention, when you write a virus, run it, if it can search 15000 ~ 2000 within an hour Document and you didn't hear the sound of the hard drive, so congratulations, your virus can be quickly infected. 2, use File Mapping API, do not use readfile and writefile, the latter is slower. Seven, Win32 virus is best to have much SIZE. The smaller, the better, preferably between 3k ~ 6k (depressed, the bottom line is like my monthly salary: (). Now some young people who specialize in studying the virus are getting bigger and bigger, a Metamorphism virus minimal 80k, hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm, can't, so big one Dongdong, users are too easy to find. 愚 以, Polymorphism or Metamorphism is not the most important, general users will not disassemble your virus code, and then powerful Metamorphism The engine must be killed by Avers, so appropriate polymorphism, cheating little girl. Don't believe you, funlove doesn't have any Encryption or PolyMorphism, isn't the most popular Win32 virus? If you are passionate about Metamorphism, it is recommended to write Virus, change to write disassembler and strive to exceed Ida Pro.
I originally wrote in English, I will go to "internationalization", but my rotten English, foreigners can understand, but the Chinese do not necessarily understand, so they will write this article in writing this article. After turning it into English. After reading the simple tutorial above, add your own efforts to drilled, and refer to some viral source code, I believe you can also read a Win32 virus. Don't be afraid that others laugh your virus stupid, rest assured, don't forget to give me a look * ^ __ ^ *. For some details I have not mentioned, I hope everyone should study itself, try not to ask me. If you write a virus with my help, then your virus level will not exceed me. I hope that everyone's virus level exceeds me, carry forward the Chinese virus career, huh, huh.
At 10 o'clock on June 3, 2002, Koms Bomb, mad drink beer welcome, please keep "by koms bomb"
