[Anti Virus topic] 1.1 principle of Virus [from watching Snow]

1. Principles of Viruses

First of all, it seems that we should introduce what is virus, because many people are always confused with viruses and Trojans. No-this cannot blame them, because many Trojans now use virus-related technologies, there is no trojan virus. A virus is a group of computer commands or program code compiled or inserted in a computer program that destroys computer functions or data, affects computer usage, and is capable of self-copying. However, it does not have any function to steal personal information, which is different from Trojans. A long time ago, vxer (virus author) was known as a "talented programmer" who aimed at writing virus code that is perfect, sophisticated, rigorous, spreading, hidden, and novel in combat ideas. But now there is no vxer, and no virus authors are pursuing traditional purposes, which is a headache. Therefore, we intend to write this topic to extend the interest of our elders.

With the above understanding, I think you should have some knowledge about the concept of viruses and know what viruses are for and the purpose of writing them (remember: we only do virus research, only ). Next we will begin to explain the principle of virus with a true knife.

All my friends who want to learn the PE file structure know that our code, related data, and structure all exist in the section of our PE file, in this way, the pe loader will map the section to the RVA address of our compiler link relative to the base address during loading. In fact, I hate to explain these basic theoretical knowledge, but I am afraid that some beginners will not understand it. So I will introduce the basic knowledge here. (Some xxx think that there is no need to explain this, but remember that everyone has come from this process)

Beginner's concept: (if you have a grasp of the PE Structure, skip directly :-)

The base address is the recommended loading address of the program. It is stored in the ImageBase Member of the _ IMAGE_OPTIONAL_HEADER structure. The PE Loader first tries to load the file to the base address-the specified address. If the address is occupied, the PE Loader tries to load the file to another address. Due to the paging mechanism, the virtual address space of each process in the win32 operating system is independent, that is, the base address of the exe file is generally not occupied, therefore, the PE Loader of an exe file can load it to the address specified by the base address.

The RVA address refers to the virtual address relative to the base address. For example, if the exe program defines a piece of data, the base address of the program is 00400000 h, and the address of the data is 00403201 h, so the data section RVA address = 00403201 h-00400000 h = 3201 h (in fact, we should be familiar with 16 compilation friends, this is similar to our offset to the segment address, except that the segment concept is no longer available in the win32 environment. All the addresses are offset to the base address)

:-

So what is the purpose of the previous knowledge? I want to explain:

Assume that our code is as follows -- the code of the function in the pop-up message box of the call segment

$-2>/$31C0 xor eax, eax
$ ==>>|. 50 push eax;/style => mb_ OK | mb_applmodal
$ + 1> |. 50 push eax; | Title => null
$ + 2> |. 68 11104000 push 00401011; | Text = "Virus ?, AD, "Li"
$ + 7> |. 50 push eax; | hOwner => NULL
$ + 8> |. FF15 58104000 call dword ptr [401058]; \ MessageBoxA

So we are thinking about porting this code to our infected object. Where do we need to change it to make it run successfully and bring up a message box? (We should not consider other factors here, such as whether to return to the host or execute from this address. We assume that the infected object is executed from our code)

Should we find the absolute offset in this code first?

So we can see
$ + 2> |. 68 11104000 push 00401011; | Text = "Virus ?, AD, "Li"
$ + 8> |. FF15 58104000 call dword ptr [401058]; \ MessageBoxA

One of the two codes is the constant pushed into the stack 00401011h, and 00401011h is the address of the string we define. The other is call dword ptr [401058]. Here we call the storage address at the memory offset of H, which is actually the IAT Member address, it is also the image_thunk_data array pointed to by the firstthunk member in our input table structure. When the image_thunk_data array file is not loaded, the array members point to the address of image_import_by_name, which is the address of each API function after being loaded to the memory.

OK, understand the above points. Let's reverse our thinking. If we insert this Code directly into the infected object and load the infected object, what kind of errors will happen to our code.

First, Part 1 is not necessarily the address of the string ending with 0 we define. Part 2 does not necessarily store the messageboxa function address. It may not be a valid address or data, then the program will have an exception.

To solve these problems, we need to master the content of the next course. {Relocate, get the kernel32.dll base address, Dynamically Retrieve and fill in the API function}, we think that as long as we solve the relocation and get the kernel32.dll base address, our virus program has no input table structure, all functions are dynamically obtained and filled by themselves. Can our programs be transplanted.

This article is intended to help you understand the principles of viruses. As for how to implement the virus, we will see you in the next article.