Today, for no particular reason, I suddenly wanted to look at some virus code... After a Google search I found that the CVC forum is open again... It seems it had been shut down once and has since come back; quite a rollercoaster... The avatars of vxk, wowocock and the others are very familiar... I miss college, when I could do whatever I liked.
Next I went looking for some virus source code; this is just my casual way of browsing. Even though many things looked a little unfamiliar, the general framework was still recognisable. I found the source of the core part of the Panda virus. It is written in Delphi, the first language I learned, which is fairly old now. Reading people's comments on the Panda virus, I thought the virus was quite crude and many of its parts were ready-made. So it seems the same techniques are reused across many viruses, and yet we can still only detect and remove them with signature databases. The main reason machines get infected is that people are not used to computers... Anti-virus software is actually much better than that.
Occasionally I see a virus that uses an overflow, and that brings to mind a common virus pattern:
1. Scan for machines that can potentially be intruded
2. Attack the corresponding vulnerability on the machine (usually a single vulnerability)
3. Escalate permissions on the attacked machine (at least permission to write and execute files is required)
4. Infect: either the executable body or a startup item; in short, make sure the virus can run again.
This is the Code Red style. There are many other virus patterns, such as spreading through e-mail or USB flash drives, and a virus may also have encryption functions to improve its survival. So the virus framework can look like this:
1. Self-decryption
2. Enable self-protection (for example, add a startup item, open a thread that scans at intervals, and enable the virus's own firewall)
3. Scan for potentially attackable resources (networks, e-mail, USB flash drives, executable bodies, etc.) according to some algorithm
4. Attack the scanned resources, escalate permissions on them (writable and executable), and infect them
5. The infected part includes the virus's encryption and polymorphism
Here the virus infects websites, e-mail, USB flash drives and other resources that can potentially carry and execute it, in order to widen its spread. Each resource involves two steps: scan and attack. Once the framework exists, the virus only needs a set of libraries built against that framework and it is ready to use.
Therefore a virus must contain the following libraries:
1. Virus encryption and decryption code (including polymorphism)
2. Scan and attack code for resources
3. Virus infection code
4. Virus self-protection
Each item can contain several sets of code. For example, the encryption and decryption algorithms differ between viruses, and the scan/attack code can be divided by resource type: network, e-mail, USB flash drive. Combining the various code libraries according to the framework above yields a virus.
In fact, once a virus is broken down this way, all of this code is easy to find on the Internet... Software engineering? Modular design? Haha, interesting!
I have been thinking about this question: how can a polymorphic virus be detected and removed after it has infected a file? Scanning in memory is one option... Because the decryption code is different after each infection, it cannot be identified by a signature. The only solution I see is to improve the executable file structure and add an MD5 verification item (CRC or similar is useless; some online programs already download an MD5 verification file for exactly this purpose).
Having written this, I think two points are my own thoughts:
1. Virus structure. In particular, the various infection and attack methods are modularised and reusable, so that new viruses can be developed quickly from library functions that conform to a few interfaces within a framework, achieving code reuse (my brain is not that sharp...). This is similar to porting a function library to different system platforms in embedded development.
2. In virus detection, it really is necessary to add an MD5 verification code to EXE files. In particular, after the first full scan of an EXE, the MD5 can be recorded somewhere in the PE file, which makes the next scan much more convenient. This is not just for polymorphic viruses; it applies to all PE viruses.
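As an added example (not code from the original post), the integrity check described in point 2 can be implemented with a detached hash baseline rather than writing the hash into the PE file, which is a design choice of this example; it defaults to SHA-256 instead of the post's MD5 because MD5's collision resistance is broken, though MD5 can still be passed as the algorithm. The sample executables are constructed in a temporary directory and are not real binaries.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=(".exe", ".dll"), algorithm="sha256"):
    """First scan: record a digest for every executable found under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = file_digest(path, algorithm)
    return baseline


def verify(root, baseline, exts=(".exe", ".dll"), algorithm="sha256"):
    """Later scan: report executables whose bytes no longer match the baseline,
    regardless of what the new bytes look like (so polymorphism does not matter)."""
    current = build_baseline(root, exts, algorithm)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed sample: two fake executables, one altered after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)          # fake PE header plus padding
        with open(os.path.join(root, "lib.dll"), "wb") as f:
            f.write(b"MZ" + b"\x01" * 100)
        baseline = build_baseline(root)
        # Simulate a later change: app.exe gains extra bytes and a new file appears.
        with open(app, "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(root, "drop.exe"), "wb") as f:
            f.write(b"MZ")
        return verify(root, baseline)
```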
Just idle daydreaming (YY), not necessarily something to implement... I have been too deeply entangled with viruses to do anything practical!
I don't know whether the 29A virus magazine is still updating... There are a lot of ideas in viruses. I once saw a 128-byte PE virus and I still admire it...
Back to work. YY time is over!