Win32 Virus Design Introduction Details _ Security related

This article assumes that you have a certain understanding of the virus and 386PM under DOS.

1, infected with any virus need host, the virus code into the host program (except companion virus)

Here's how to embed the virus code in a PE file, see the previous article for the structure of the PE file. Typical structure of PE file: MZ header DOS STUB CODE PE Header OPTIONAL header section TABLE section 1 Section 2 ... IMPORT table EXPORT table and DOS executable files are similar, the code image of PE is divided into several sections, in the file will be aligned page boundaries (4K). In general, the file is loaded at the beginning of the 400000h space, while the first section at 401000h, while the entry address is 401000h.

Programs written in a high-level language, each sectio-n length is unlikely to be just a multiple of 4K, so there will be an unused space at the end of the section, and the size can be obtained by the physical size-virtualsize in the file, where the starting position can be Physical offset, this space can be used to store the virus code. In addition, generally speaking, MZ header+dos stud+peheader+optional header+section table is about 1K, and section 1 starts with 4 K, the vacated place enough to store a well-designed virus. CIH is to store the code in these free spaces.

2, allocate the memory required to reside

For a resident-shaped virus, it is necessary to allocate the memory required to reside. Used in DOS because all applications are mapped to the same linear address space, using a generic memory allocation call is sufficient. Under WIN32, each application has its own linear address space and must use a special function to allocate more than 2GB of the system address. Typical examples are: VxD service _pageallocate, and Kernel32 's Vxdcall _pagereserve. _pageallocate Please refer to the instructions in WIN98DDK, Vxdcall _pagereserve See the comments in HPS source code.

3, interception file I/O operation resident type of virus through the interception of file I/O to activate, you can use the VxD service

Ifsmgr_install-filesystemapihook (such as CIH) or a DOS Services callback (such as HPS) in Vxdcall.

Writing a virus under Win32 is not a difficult thing. There are a few things worth noting:

system function calls under WIN32 are not implemented through interrupts, but are exported by DLLs

(except for the use of the VxD service directly). It is not easy to get an API entry directly into a virus, and you can use the following workaround.

Under the same version of Windows, the entry of the same core function is always fixed (refers to a function exported by Kernel32,gdi32,user32). So you can get a function entry by using the following methods:

The intialize code gets the function portal to use and fills it into the virus, which can be used directly when the virus is running.

One of my operating system for Win2000 server notebook computer recently infected with the virus, I first use the relevant anti-virus software to scan the computer, scan the report as follows:

Virus Name: Hacktool
FileName: C:\winnt\system32\ntservice.exe
Action: Delete failed, quarantine failed, Access denied

How can you remove it altogether?

Since C:\winnt\system32\ntservice.exe is already running, it is obviously impossible to delete it directly. So I ran Windows Task Manager, and in the Process tab, I chose to end the Ntservice.exe process and the system showed "unable to abort process, deny access".

It suddenly occurred to me that a DOS command is available in the console state of Win (XP).

What is a console

The console is a simple Windows operating mode that allows you to restrict access to FAT and NTFS partitions in the command line state without starting the graphical interface, and to set up and manipulate the system. Through the console, we can replace system files, turn off or disable a system service, disable or uninstall hardware devices, repair boot sectors, create new partitions, and format hard disk partitions.

Start the console

For Windows 2000, we can start the computer with a CD-ROM, then press R in the menu of the installer to select "Repair Windows 2000 Installation" and press C in the Repair menu to select "Recovery Console Repair Windows2000". For Windows XP, the same is the CD to start the computer, and then press R to select Repair, you can go directly to the console.

Directly install the relevant options of the console to the boot menu: Put the CD into the CD-ROM drive, and then enter the "d:\i386\winnt32/cmdcons" directly into the operation after the return (this assumes that your CD drive is D), and then click "Yes", you can install the console option to the Advanced Boot menu, This will allow you to enter the console directly from the hard drive. This method applies to Windows 2000 and Windows XP.

At the command prompt at the console, for security reasons, I first backup the Ntservice.exe and run directly: Del C:\winnt\system32\ntservice.exe is OK.

Second, the main is to intercept file I/O operation

There are several ways to intercept file I/O operations under Windows, and there are two main types of viruses used in the virus.

1. Use Vxdcallifsmgr_installfilesystemhook

2, interception Kernel32.dll the first function Vxdcall to Dos

Call to INT 21 (eax=2a0010).

The code for Vxdcall is as follows:

mov Eax,dword ptr [esp+04]
Pop DWORD ptr [ESP]
Call Fword ptr cs:[xxxxxxxx]
^^ ^^ ^^ ^^ captures all the vxdcall as long as the address to which this address is directed is changed to its own process entry.

When entering this process:

Eax=service number, if it is DOS INT 21 will be 2a0010
Esp[2c] call int 21 o'clock EAX value

I've missed a pushad, it should be 10h.

ESP[30] calls the value of int 21 o'clock ECX

~~~~14h

The other registers are the values that are required for the call. (segment registers are useless)

Later on and in the DOS write virus is no different.

To write a virus under Windows, how to get the API entry is a hassle. The APIs that can be used directly are in the DLL, and Vxdcall to be used when RING0, and the DOS INT 21 service cannot be invoked directly. There are two ways to get an API entry in a DLL:

1. When loading, an import table is established, and Windows locates the API's entry address according to import table at load time. This is the method used by general applications, but it is not suitable for viruses.

2. Run-time get, use GetModuleHandle and GetProcAddress to get API entrance, but if you want to know GetModuleHandle and GetProcAddress's entry address .:< This is obvious and impossible. In addition to copying GetModuleHandle and GetProcAddress code into our virus, we only use brute force to find the API entry in 2GB space.

Let's begin by explaining the memory map of windows, which starts with a 00000000 invalid address (I forgot exactly how much) to capture the pointer to an application error.
Then all the way to 0x7fffffff for the application space. 0x80000000 later for the system's space, DLLs and VxD are mapped here. What we're going to do is find Krnl32.dll from this 2GB space. In general, Programs under Windows are aligned at 64k boundaries. The first is the MZ file header, followed by the information in the header of the MZ to get the entry of the PE header. You can find all the DLLs by this tag. The PE header can get the entry of the DLL's EXPORT table, where the first item of the name PTR table is the name of the DLL, so that Krnl32.dll can be found and the address Table to get an entry for any API.

It is noteworthy that in this 2GB is not all and the address is valid, in a general program can be isxxxxxptr to determine whether the address is valid, but not in the virus. Only hook Exception, ignoring access to invalid address caused by Exception.  The structure of the exception chain in Windows is as follows: Fs:[0] The new value of ESP when the DWORD exception occurs, which points to the new value of the structure [ESP] DWORD fs:[0], which is the following [Esp+4] DWORD exception Handler's entry [Esp+8] DWORD exception handler use of the data first address [esp+12] dword-1 The detailed assembly code can write a __try...__except code in C and translate it into a compilation. As long as our exception handler jump directly to the virus to find the Krnl32.dll code, you can not cause GP error and access to any address. Examples can refer to the source code of HPS, PE header,export table see PE FORMAT.

1. dlls that are downloaded in Windows map to the same address in different process.

2. The function exported in the DLL records the offset of the relative DLL Image Base in the export table, changing the address of the offset using GetProcAddress. (Imagine a function that points a CreateProcess address to its own DLL, or intercepts getdlgitemtext to record password)

3, in the Kernel32.DLL section table in the 0x300 before the end, and the real code from the 0x1000 start, during which there are 3 K unused space, can be used to store our code. The image base of Kernel32.DLL can be obtained by Getmodulehandlea.

4. In any version of Windows, 3 basic DLLs are always loaded (Kernel32.dll,user32.dll,gdi32.dll), and for the same version of Windows, their image Base and the address of the exported function are always fixed. The resulting address can be used directly for virus use.

　　.386p .model flat,stdcall extrn getmodulehandlearoc extrn getprocaddressroc  extrn ExitProcessroc .data szKernel db  ' KERNEL32. DLL ',0 szfindfirst db  ' Findfirstfilea ',0 szfindnext db  ' FindNextFileA ',0  szfindclose db  ' findclose ',0 szgetcurrentdir db  ' Getcurrentdirectorya ',0  szgetwindir db  ' Getwindowsdirectorya ',0 szgetsysdir db  ' GetSystemDirectoryA ',0  szgetfileattrib db  ' Getfileattributesa ',0 szsetfileattrib db  ' SetFileAttributesA ', 0  szlopen db  ' _lopen ',0 szlread db  ' _lread ',0 szlwrite db  ' _ Lwrite ',0 szlclose db  ' _lclose ',0 szllseek db  ' _llseek ', 0&NBSP;HKERNEL&NBSP;DD  0 .code ;Initialize code start: push szKernel call  getmodulehandlea