Anti-virus attack and defense: Adding virus infection marks

Source: Internet
Author: User

1. Preface

If the same target file is infected several times, it may be corrupted and no longer execute. A virus therefore usually writes an infection mark to the target file on the first infection. Whenever it encounters a file afterwards, it first checks whether the mark is present: if it is, the file is skipped; if it is not, the file is infected (for the infection itself, see article 004, Anti-virus attack and defense: using gaps to implant code, and Anti-virus attack and defense: adding a section to implant code). The so-called infection mark is just a few bytes written to an insignificant position in the PE file, so adding, reading and checking it is nothing more than an ordinary file read/write operation.


2. Adding the infection mark

The PE file structure contains many fields that are no longer used. In IMAGE_DOS_HEADER, for example, only e_magic and e_lfanew matter: the former is used to verify that the file is a PE file (the "MZ" signature), the latter stores the file offset of the PE header. We can therefore write the infection mark starting at the second field, e_cblp (Bytes on last page of file). The mark used here is the string "Hack". Note that the mark is written as a 4-byte DWORD, so the string has to be converted to its hexadecimal bytes and stored reversed, because x86 is little-endian: 'H' 'a' 'c' 'k' is 48 61 63 6B in the file, which read as a DWORD is 0x6B636148. Since e_cblp is only a WORD, the 4-byte mark also covers the next field, e_cp (Pages in file); both fields are ignored by the Windows loader. The code is as follows:

```cpp
#define VIRUSFLAG 0x6b636148  // infection mark: the bytes "Hack" read as a little-endian DWORD

// Write the infection mark. Parameters: handle of the file to infect,
// file offset at which to write the mark, and the mark value itself.
BOOL AddSig(HANDLE hFile, DWORD dwAddr, DWORD dwSig)
{
    DWORD dwNum = 0;
    // Position the file pointer at the write location
    SetFilePointer(hFile, dwAddr, 0, FILE_BEGIN);
    // Write the infection mark
    if (WriteFile(hFile, &dwSig, sizeof(DWORD), &dwNum, NULL))
    {
        MessageBox(NULL, "Infection mark added successfully!", "Prompt", MB_OK);
        return TRUE;
    }
    else
    {
        MessageBox(NULL, "Failed to add infection mark!", "Prompt", MB_OK);
        return FALSE;
    }
}
```

Then the code that detects the infection mark:

```cpp
// Check for the infection mark. Same parameters as AddSig; returns TRUE if the
// DWORD stored at dwAddr equals dwSig.
BOOL CheckSig(HANDLE hFile, DWORD dwAddr, DWORD dwSig)
{
    DWORD dwSigNum = 0;
    DWORD dwNum = 0;
    SetFilePointer(hFile, dwAddr, 0, FILE_BEGIN);
    if (!ReadFile(hFile, &dwSigNum, sizeof(DWORD), &dwNum, NULL) || dwNum != sizeof(DWORD))
    {
        return FALSE;   // unreadable or truncated file: no mark found
    }
    // The comparison must be ==, not = (an assignment here would report every file as infected)
    if (dwSigNum == dwSig)
    {
        return TRUE;
    }
    return FALSE;
}
```

The "virus" program must call CheckSig() before every infection, use its return value to decide whether the target file is already infected, and only then decide whether to infect it. The main function looks like this (CheckSig and AddSig are the functions defined above):

```cpp
#include <windows.h>

#define FILENAME "helloworld.exe"   // file that receives the infection mark

// offsetof() is already provided by <stddef.h> (pulled in by windows.h); it is
// defined by hand here to show how it works. The #undef avoids a redefinition warning.
#undef offsetof
#define offsetof(struct_t, member) ((size_t)&(((struct_t *)0)->member))

int main()
{
    HANDLE hFile = CreateFile(FILENAME, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ,
                              NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        MessageBox(NULL, "Cannot open the target file!", "Prompt", MB_OK);
        return -1;
    }
    // Check first; infect only if the mark is absent
    if (CheckSig(hFile, offsetof(IMAGE_DOS_HEADER, e_cblp), VIRUSFLAG))
    {
        MessageBox(NULL, "This file has already been infected!", "Prompt", MB_OK);
        CloseHandle(hFile);
        return -1;
    }
    AddSig(hFile, offsetof(IMAGE_DOS_HEADER, e_cblp), VIRUSFLAG);
    CloseHandle(hFile);
    return 0;
}
```

The program writes the infection mark at the e_cblp position of IMAGE_DOS_HEADER, which does not affect execution of the program under Windows, because the loader ignores e_cblp and e_cp. Note the macro offsetof() used in the program: it is originally defined in stddef.h and is defined by hand here for the sake of explanation. It returns the offset of a given member within a struct; in this program it gives the offset of e_cblp in IMAGE_DOS_HEADER, which is 2, because the preceding e_magic occupies two bytes.

Let us look at what ((size_t)&(((struct_t *)0)->member)) means. First, (struct_t *)0 is a pointer of type struct_t * (IMAGE_DOS_HEADER in this program) whose value is 0, so it treats the memory starting at address 0 as a struct_t object. ((struct_t *)0)->member accesses the member (e_cblp in this program), and &(((struct_t *)0)->member) takes that member's address. Because the object starts at address 0, the member's address is exactly its offset from the start of the object. Finally the result is cast to size_t, the unsigned integer type of pointer size (4 bytes on 32-bit, 8 bytes on 64-bit). Nothing is actually read from address 0; the expression only performs address arithmetic, which is why this classic idiom works in practice, although real code should use the compiler-provided offsetof from stddef.h.
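The following is an added, portable C example (not code from the original article) that puts sections 2 and the offsetof discussion together: it mirrors the IMAGE_DOS_HEADER layout locally so it builds without windows.h, derives the 0x6b636148 mark from the text "Hack", computes the write offset with the standard offsetof, and performs the check-before-infect step on a constructed, in-memory DOS header rather than on a real file. The header values and the dos_header_t name are assumptions made for the example; the field names and order follow the Win32 SDK definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Infection mark used on the page: the bytes "Hack" read as a little-endian DWORD. */
#define VIRUSFLAG 0x6b636148u

/* Local mirror of the Win32 IMAGE_DOS_HEADER (64 bytes) so the example builds
 * without <windows.h>; field names and order follow the SDK definition. */
#pragma pack(push, 1)
typedef struct {
    uint16_t e_magic;      /* "MZ" signature, 0x5A4D */
    uint16_t e_cblp;       /* bytes on last page: not used by the Windows loader */
    uint16_t e_cp;         /* pages in file: not used by the Windows loader */
    uint16_t e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
             e_csum, e_ip, e_cs, e_lfarlc, e_ovno;
    uint16_t e_res[4];
    uint16_t e_oemid, e_oeminfo;
    uint16_t e_res2[10];
    uint32_t e_lfanew;     /* file offset of the "PE\0\0" header: must stay intact */
} dos_header_t;
#pragma pack(pop)

/* The standard offsetof gives the same value as the page's hand-written macro: 2. */
#define MARK_OFFSET offsetof(dos_header_t, e_cblp)

static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Turn a 4-character mark into the DWORD that, written little-endian, leaves the
 * characters in file order: mark_from_text("Hack") == 0x6b636148. */
uint32_t mark_from_text(const char text[4]) {
    return read_le32((const uint8_t *)text);
}

/* 1 = mark present, 0 = clean, -1 = buffer too short or not an MZ image. */
int has_mark(const uint8_t *img, size_t len, uint32_t mark) {
    if (len < sizeof(dos_header_t) || read_le16(img) != 0x5A4D) return -1;
    return read_le32(img + MARK_OFFSET) == mark ? 1 : 0;
}

/* The check-before-infect step: 1 = mark written now, 0 = already marked (skip
 * the file), -1 = not an MZ image. The MZ signature and e_lfanew are untouched;
 * the 4-byte mark covers e_cblp and e_cp (offsets 2..5). */
int add_mark(uint8_t *img, size_t len, uint32_t mark) {
    int state = has_mark(img, len, mark);
    if (state != 0) return state == 1 ? 0 : -1;
    write_le32(img + MARK_OFFSET, mark);
    return 1;
}

/* Constructed sample: a plausible clean DOS header with values typical of a
 * linker-generated stub, not taken from any real binary. Returns bytes written. */
size_t build_sample_mz(uint8_t *buf, size_t cap) {
    if (cap < sizeof(dos_header_t)) return 0;
    memset(buf, 0, sizeof(dos_header_t));
    write_le16(buf + offsetof(dos_header_t, e_magic), 0x5A4D);
    write_le16(buf + offsetof(dos_header_t, e_cblp), 0x0090);
    write_le16(buf + offsetof(dos_header_t, e_cp), 0x0003);
    write_le16(buf + offsetof(dos_header_t, e_cparhdr), 0x0004);
    write_le16(buf + offsetof(dos_header_t, e_maxalloc), 0xFFFF);
    write_le16(buf + offsetof(dos_header_t, e_sp), 0x00B8);
    write_le16(buf + offsetof(dos_header_t, e_lfarlc), 0x0040);
    write_le32(buf + offsetof(dos_header_t, e_lfanew), 0x00000080);
    return sizeof(dos_header_t);
}

int main(void) {
    uint8_t img[sizeof(dos_header_t)];
    size_t n = build_sample_mz(img, sizeof img);
    printf("offsetof(e_cblp) = %zu, mark = 0x%08x\n", (size_t)MARK_OFFSET, mark_from_text("Hack"));
    int before = has_mark(img, n, VIRUSFLAG);
    int first = add_mark(img, n, VIRUSFLAG);
    int after = has_mark(img, n, VIRUSFLAG);
    int second = add_mark(img, n, VIRUSFLAG);
    printf("first pass:  has_mark=%d add_mark=%d\n", before, first);
    printf("second pass: has_mark=%d add_mark=%d\n", after, second);
    printf("bytes 2..5 = %c%c%c%c, e_lfanew = 0x%x\n", img[2], img[3], img[4], img[5],
           read_le32(img + offsetof(dos_header_t, e_lfanew)));
    return 0;
}
```

Running it shows the first pass reporting a clean file and writing the mark, the second pass refusing to infect again, and the bytes at offsets 2..5 reading "Hack" while e_lfanew is unchanged; the same functions can be pointed at a file image read into memory, which is all the Win32 version does with SetFilePointer/ReadFile/WriteFile.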


3. Program testing

To test the program we reuse the helloworld.exe program from article 004, Anti-virus attack and defense: using gaps to implant code. Put the two programs in the same directory. Before infection, view the DOS header of helloworld.exe in a hex editor:


Figure 1 DOS header before infection

Then run the program and view the DOS header again:

Figure 2 DOS header after infection

We can see that our infection is successful.


4. Summary

Adding an infection mark to a file does not affect how the file runs, and many file-infecting viruses add one to each target they infect. For example, the Panda Burning Incense (WhBoy) virus adds the mark "WhBoy" to the programs it infects, and the removal tool written by its author Li Jun decides whether a file is infected simply by looking for the "WhBoy" mark in it. This kind of detection is very crude, however: any file that happens to contain the mark bytes is reported as infected, and the mark works in both directions, since writing it into a clean file "inoculates" that file against the virus, which will then skip it.
