Win32 Virus Design Introduction _ Security related

Introduction to virus design under WIN32

This article assumes that you have a certain understanding of the virus and 386PM under DOS.

1, infected with any virus need host, the virus code into the host program
(except companion virus).
Here's how to embed the virus code in a PE file, see the previous article for the structure of the PE file. Typical structure of PE file: MZ header DOS STUB CODE PE Header OPTIONAL header section TABLE section 1 Section 2 ... IMPORT table EXPORT table and DOS executable files are similar, the PE code image is divided into several sections, in the file will be aligned
Page boundaries (4K). In general, the file is loaded at the beginning of the 400000h space, while the first section at 401000h, while the entry address is 401000h. Programs written in a high-level language, each sectio-n length is unlikely to be just a multiple of 4K, so there will be an unused space at the end of the section, and the size can be obtained by the physical size-virtualsize in the file, where the starting position can be Physical offset, this space can be used to store the virus code. In addition, generally speaking, MZ Header+dos Stud+pe
Header+optional header+section table is about 1K, and section 1 starts with 4 K, where the empty space is enough to store a well-designed virus. CIH is to store the code in these free spaces.

2, allocate the memory required to reside
For a resident-shaped virus, it is necessary to allocate the memory required to reside. Used in DOS because all applications are mapped to the same linear address space, using a generic memory allocation call is sufficient. Under WIN32, each application has its own linear address space and must use a special function to allocate more than 2GB of the system address. Typical examples are: VxD service _pageallocate, and Kernel32 's Vxdcall
_pagereserve. _pageallocate Please refer to the instructions in WIN98DDK, Vxdcall _pagereserve See the comments in HPS source code.

3, interception file I/O operation resident type of virus through the interception of file I/O to activate, you can use the VxD service
Ifsmgr_install-filesystemapihook (such as CIH) or a DOS Services callback (such as HPS) in Vxdcall.
Writing a virus under Win32 is not a difficult thing. There are a few things worth noting:

system function calls under WIN32 are not implemented through interrupts, but are exported by DLLs.
(except for the use of the VxD service directly). It is not easy to get an API entry directly into a virus, and you can use the following workaround.
In the same version of Windows, the entry of the same core function is always fixed
(refers to a function exported by Kernel32,gdi32,user32). So you can get a function entry by using the following methods:
.386p
. Model Flat,stdcall
EXTRN Getmodulehandlea:proc
EXTRN Getprocaddress:proc
EXTRN Exitprocess:proc
. Data
Szkernel db ' KERNEL32. DLL ', 0
Szfindfirst db ' Findfirstfilea ', 0
Szfindnext db ' Findnextfilea ', 0
Szfindclose db ' FindClose ', 0
Szgetcurrentdir db ' Getcurrentdirectorya ', 0
Szgetwindir db ' Getwindowsdirectorya ', 0
Szgetsysdir db ' Getsystemdirectorya ', 0
Szgetfileattrib db ' Getfileattributesa ', 0
Szsetfileattrib db ' Setfileattributesa ', 0
Szlopen db ' _lopen ', 0
Szlread db ' _lread ', 0
Szlwrite db ' _lwrite ', 0
Szlclose db ' _lclose ', 0
Szllseek db ' _llseek ', 0
Hkernel DD 0
. Code
; Initialize Code
Start
Push Szkernel
Call Getmodulehandlea
MOV hkernel,eax
Push Szfindfirst
Push Hkernel
Call GetProcAddress
MOV findfirstfile,eax
....
JMP Virusstart
Initexit:
Push 0
Call ExitProcess
Virusstart:
JMP Entry
Hostentry DD Initexit
FindFirstFile DD 0
FindNextFile DD 0
...
Entry:
...
End Start
The intialize code gets the function portal to use and fills it into the virus, which can be used directly when the virus is running.

Second: The main is to intercept file I/O operation.
There are several ways to intercept file I/O operations under Windows, and there are two main types of viruses used in the virus.
1. Use Vxdcallifsmgr_installfilesystemhook
2, interception Kernel32.dll the first function Vxdcall to Dos
Call to INT 21 (eax=2a0010).
The code for Vxdcall is as follows:
mov Eax,dword ptr [esp+04]
Pop DWORD ptr [ESP]
Call Fword ptr cs:[xxxxxxxx]
^^ ^^ ^^ ^^ captures all the vxdcall as long as the address to which this address is directed is changed to its own process entry.
When entering this process:
Eax=service number, if it is DOS INT 21 will be 2a0010
Esp[2c] call int 21 o'clock EAX value
I've missed a pushad, it should be 10h.

ESP[30] calls the value of int 21 o'clock ECX
~~~~14h

The other registers are the values that are required for the call. (segment registers are useless)
Later on and in the DOS write virus is no different.
To write a virus under Windows, how to get the API entry is a hassle. The APIs that can be used directly are in the DLL, and Vxdcall to be used when RING0, and the DOS INT 21 service cannot be invoked directly. There are two ways to get an API entry in a DLL:

1. When loading, an import table is established, and Windows locates the API's entry address according to import table at load time. This is the method used by general applications, but it is not suitable for viruses.
2. Run-time get, use GetModuleHandle and GetProcAddress to get API entrance, but if you want to know GetModuleHandle and GetProcAddress's entry address .:< This is obvious and impossible. In addition to copying GetModuleHandle and GetProcAddress code into our virus, we only use brute force to find the API entry in 2GB space.

Let's begin by explaining the memory map of windows, which starts with a 00000000 invalid address (I forgot exactly how much) to capture the pointer to an application error.
Then all the way to 0x7fffffff for the application space. 0x80000000 later for the system's space, DLLs and VxD are mapped here. What we're going to do is find Krnl32.dll from this 2GB space. In general, Programs under Windows are aligned at 64k boundaries. The first is the MZ file header, followed by the information in the header of the MZ to get the entry of the PE header. You can find all the DLLs by this tag. The PE header can get the entry of the DLL's EXPORT table, where the first item of the name PTR table is the name of the DLL, so that Krnl32.dll can be found and the address Table to get an entry for any API.

It is noteworthy that in this 2GB is not all and the address is valid, in a general program can be isxxxxxptr to determine whether the address is valid, but not in the virus. Only hook Exception, ignoring access to invalid address caused by Exception.  The structure of the exception chain in Windows is as follows: Fs:[0] The new value of ESP when the DWORD exception occurs, which points to the new value of the structure [ESP] DWORD fs:[0], which is the following [Esp+4] DWORD exception Handler's entry [Esp+8] DWORD exception handler use of the data first address [esp+12] dword-1 The detailed assembly code can write a __try...__except code in C and translate it into a compilation. As long as our exception handler jump directly to the virus to find the Krnl32.dll code, you can not cause GP error and access to any address. Examples can refer to the source code of HPS, PE header,export table see PE FORMAT.

1. dlls that are downloaded in Windows map to the same address in different process.
2. The function exported in the DLL records the offset of the relative DLL Image Base in the export table, changing the address of the offset using GetProcAddress. (Imagine a function that points a CreateProcess address to its own DLL, or intercepts getdlgitemtext to record password)
3, in the Kernel32.DLL section table in the 0x300 before the end, and the real code from the 0x1000 start, during which there are 3 K unused space, can be used to store our code. The image base of Kernel32.DLL can be obtained by Getmodulehandlea.
4. In any version of Windows, 3 basic DLLs are always loaded (Kernel32.dll,user32.dll,gdi32.dll), and for the same version of Windows, their image Base and the address of the exported function are always fixed. The resulting address can be used directly for virus use. (also can write virus in NT, and change system again 8<)