Introduction to virus design under Win32

Source: Internet
Author: User

This article assumes that you already have some understanding of DOS viruses and of protected mode (PM).

1. To infect anything, a virus must have a host: the virus code is added to the host program (companion viruses excepted).
The following describes how to embed virus code into a PE file; for the structure of the PE file, see the previous article. Typical structure of a PE file: MZ header, DOS stub code, PE header, optional header, section table, section 1, section 2, ... Apart from the import table and export table, it resembles a DOS executable file. The PE code image is divided into several sections, which are aligned in the file on page boundaries (4 K). In general the file is loaded starting at 401000 h, the first section is at h, and the entry address is also h. The length of each SECTION of a program written in a high-level language is unlikely to be an exact multiple of 4 K, so there is an unused space at the end of each section; its size is given by the section's physical size (SizeOfRawData) minus its VirtualSize, and its starting position in the file by the physical offset. This space can be used to store virus code. In addition, MZ header + DOS stub + PE header + optional header + section table together usually take only about 1 K, while section 1 starts at 4 K, and that empty area is enough to hold a well-designed virus. CIH stores its code in these free spaces.

2. Allocating the memory required to stay resident
A resident virus must allocate the memory it needs to stay resident. Under DOS, because all applications are mapped into the same linear address space, the general memory allocation call is sufficient. Under Win32 each application has its own linear address space, so a special function must be used to allocate a system address above 2 GB. Typical examples are the VxD service _PageAllocate and the VxDCall _PageReserve of kernel32. For _PageAllocate, see the description in the Win98 DDK; for VxDCall _PageReserve, see the notes in the HPS source code.

3. Intercepting file I/O operations
A resident virus is activated by intercepting file I/O. This can be done with the VxD service IFSMgr_InstallFileSystemApiHook (as CIH does) or by intercepting the DOS service callback in VxDCall (as HPS does).
Writing viruses under Win32 is not difficult. There are several things worth noting:

I. System function calls under Win32 are not implemented through interrupts but are exported from DLLs (except when the VxD service is used directly). It is not easy to obtain the API entry directly in the virus, so the following workaround can be used.
In Windows of the same version, the entry of a given core function (a function exported by kernel32, gdi32 or user32) is always fixed. Therefore the function entries can be obtained with the following method:
.386p
.model flat, stdcall
extrn GetModuleHandleA:proc
extrn GetProcAddress:proc
extrn ExitProcess:proc
.data
; GetProcAddress matches names case-sensitively, so the exported names are spelled exactly
szKernel        db 'kernel32.dll', 0
szFindFirst     db 'FindFirstFileA', 0
szFindNext      db 'FindNextFileA', 0
szFindClose     db 'FindClose', 0
szGetCurrentDir db 'GetCurrentDirectoryA', 0
szGetWinDir     db 'GetWindowsDirectoryA', 0
szGetSysDir     db 'GetSystemDirectoryA', 0
szGetFileAttrib db 'GetFileAttributesA', 0
szSetFileAttrib db 'SetFileAttributesA', 0
szlopen         db '_lopen', 0
szlread         db '_lread', 0
szlwrite        db '_lwrite', 0
szlclose        db '_lclose', 0
szllseek        db '_llseek', 0
hKernel         dd 0
.code
; initialization code
start:
    push offset szKernel        ; push the address of the string, not its first dword
    call GetModuleHandleA
    mov  hKernel, eax
    push offset szFindFirst
    push hKernel
    call GetProcAddress
    mov  FindFirstFile, eax     ; store the resolved entry in the virus body
    ....
    jmp  VirusStart
InitExit:
    push 0
    call ExitProcess
VirusStart:
    jmp  Entry
HostEntry     dd InitExit
FindFirstFile dd 0
FindNextFile  dd 0
...
Entry:
...
end start
The initialization code looks up the entries of the functions to be used and stores them in the virus body, where they can be used directly while the virus is running.

II. Intercepting file I/O operations
There are several ways to intercept file I/O operations in Windows. Two are mainly used in viruses:
1. Use VxDCall IFSMgr_InstallFileSystemApiHook.
2. Intercept VxDCall, the first function exported from Kernel32.dll, which services DOS INT 21 calls (EAX = 2A0010).
The code of VxDCall is as follows:
mov  eax, dword ptr [esp+04]
pop  dword ptr [esp]
call fword ptr cs:[xxxxxxxx]
     ^ As long as the address stored at this location is changed to the entry of your own routine, every VxDCall is captured.
On entry to this routine:
EAX = service number; for DOS INT 21 it is 2A0010.
[esp+2Ch]  EAX value when INT 21 was called   (~~~~ pushad is missing; it should be 10h)
[esp+30h]  ECX value when INT 21 was called   (~~~~ 14h)
The other registers hold the values required for the call (the segment registers are of no use).
From here on it is no different from writing viruses under DOS.
What makes writing viruses under Windows troublesome is obtaining the API entries: the APIs that can be used directly live in DLLs, VxDCall can only be used at ring 0, and the DOS INT 21 services cannot be called directly. There are two ways to obtain an API entry in a DLL:

1. Build an import table for the loader. At load time Windows locates the API entry addresses from the import table. This is the usual method for applications, but it is not suitable for viruses.
2. Obtain the API entry at run time with GetModuleHandle and GetProcAddress. But then the entries of GetModuleHandle and GetProcAddress themselves must be known before running :< which is obviously impossible. Apart from copying the code of GetModuleHandle and GetProcAddress into our virus, the only option is a brute-force search for the API entry in the 2 GB space.

First, let us look at the memory mapping in Windows. Starting from 00000000 there is an invalid address range (I forgot how large), which is used to catch application pointer errors.
From there up to 0x7FFFFFFF is the application space; from 0x80000000 upward is the system space, where DLLs and VxDs are mapped. What we want to do is find Krnl32.dll in that 2 GB space. Programs in Windows are generally aligned on 64 K boundaries; the first thing is the MZ file header, and from the information in the MZ header the PE header can be reached. With this mark we can find all the DLL files. From the PE header the DLL's export table entry can be obtained; the first item of the name pointer table is the DLL name, so we can find Krnl32.dll and then obtain the entry of any API from the address table.

It is worth noting that not all addresses in these 2 GB are valid. In an ordinary program the IsBadXxxPtr functions can be used to determine whether an address is valid, but not in a virus; the only option is to hook exceptions so that exceptions caused by access to invalid addresses are ignored. The structure of the exception chain in Windows is as follows:
fs:[0]    dword  new ESP value when an exception occurs; it points to the following structure
[esp]     dword  new value for fs:[0]
[esp+4]   dword  entry of the exception handler
[esp+8]   dword  address of the exception handler's first data item
[esp+12]  dword  -1
For the detailed assembly you can write a piece of C code using __try ... __except, compile it, and translate the result into assembly. As long as our exception handler jumps straight back to the virus code that searches for Krnl32.dll, any address can be accessed without causing a GP error. For an example see the HPS source code. For the PE header and the export table, see the description of the PE format.

1. A DLL loaded in Windows is mapped to the same address in every process.
2. A function exported by a DLL is recorded in the export table as an offset relative to the DLL's image base. If you change that offset, the address returned by GetProcAddress changes. (Imagine pointing the CreateProcess address at a function in your own DLL, or intercepting GetDlgItemText to record the password.)
3. In Kernel32.DLL the section table ends before 0x300 while the real code starts at 0x1000, leaving about 3 K of unused space in between that can be used to store our code. The image base of Kernel32.DLL can be obtained with GetModuleHandleA.
4. In any version of Windows the three basic DLLs (Kernel32.DLL, User32.DLL, GDI32.DLL) are always loaded, and for Windows of the same version their image bases and exported function addresses are always fixed. The addresses obtained can be used directly by the virus. (You can also write a virus for NT and swap the system over 8<)
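The two hiding spots named in point 1 above (the gap between the section table and the first section's raw data, and the per-section slack given by SizeOfRawData minus VirtualSize) and again in item 3 of this list can be checked for from the defender's side. The following Python is an added example, not code from the article or from any of the viruses it names; it builds a constructed minimal 32-bit PE image inline (not a real binary) and flags non-zero bytes in those gaps as well as an entry point that lies past a section's VirtualSize.

```python
import struct

def parse_pe(data):
    """Return (entry RVA, end of section table, [(name, vaddr, vsize, roff, rsize)])."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                       # optional header follows the COFF header
    entry, = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint
    table = opt + opt_size
    secs = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, vaddr, vsize, roff, rsize))
    return entry, table + 40 * nsec, secs

def scan_pe(data):
    """Flag the header gap and per-section file slack described in the article.
    Non-zero slack is an indicator to triage, not proof: some linkers leave
    non-zero padding there, so compare against a known-good build."""
    findings = []
    entry, table_end, secs = parse_pe(data)
    first_raw = min(roff for _, _, _, roff, rsize in secs if rsize)
    if data[table_end:first_raw].strip(b"\0"):
        findings.append("non-zero bytes between section table and first section")
    for name, vaddr, vsize, roff, rsize in secs:
        if rsize > vsize and data[roff + vsize:roff + rsize].strip(b"\0"):
            findings.append(f"{name}: non-zero bytes in {rsize - vsize:#x} bytes of file slack")
        if vaddr + vsize <= entry < vaddr + rsize:
            findings.append(f"{name}: entry point {entry:#x} lies past VirtualSize")
    return findings

def build_sample_pe(entry_rva, header_payload=b"", slack_payload=b""):
    """Constructed 32-bit PE (not a real binary): one .text section at RVA 0x1000,
    VirtualSize 0x100, SizeOfRawData 0x200 at file offset 0x200. The payload
    arguments are dummy bytes placed into the two gaps to exercise scan_pe."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 60, 0x200)                     # SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + bytes(opt) + sec                        # 0x160 bytes
    gap = header_payload.ljust(0x200 - len(hdr), b"\0")        # header gap
    return hdr + gap + bytes(0x100) + slack_payload.ljust(0x100, b"\0")
```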
