Introduction to virus design under Win32

This article assumes that you have a certain understanding of DOS viruses and crash PM.

1. A host is required to infect any virus.CodeAdd hostProgramMedium (except for companion virus)

The following describes how to embed the virus code into the PE file. for the structure of the PE file, see the previousArticle. Typical Structure of PE file: MZ header Dos Stub code PE Header optional Header Section Table Section 1 Section 2... the import table export table and DOS executable files are similar. The PE code image is divided into several sections, and the page boundary (4 K) is aligned in the file ). In general, the file is loaded at the beginning of 401000 H, the first section is at h, and the entry address is also H.

The length of each SECTIO-N, a program written in advanced languages, cannot be a multiple of 4 K, so there will be an unused space at the end of the section, the size can be obtained by the physical SIZE-VIRTUALSIZE of the section, the starting position of the file can be obtained by physical offset, which can be used to store virus code. In addition, generally, the MZ header + dos stud + peheader + optional Header + section table is only about 1 K, while section 1 starts from 4 K, and the blank space is enough to store a well-designed virus. CIH stores code in these free spaces.

2. allocate memory required for resident

For resident viruses, it is necessary to allocate the memory required for resident. In dos, because all applications are mapped to the same linear address space, it is sufficient to use the general memory allocation call. In Win32, each application has its own linear address space. A special function must be used to allocate a system address larger than 2 GB. Typical examples include VxD service _ pageallocate and vxdcall _ pagereserve of Kernel32. For more information about _ pageallocate, see the description in win98ddk. For information about vxdcall _ pagereserve, see the notes in the HPS source code.

3. The virus that intercepts the file I/O operation resident is activated by intercepting file I/O. You can use the VxD service.

IFSMgr_Install-FileSystemAPIHook (such as CIH) or interception of DOS services callback (such as HPS) in vxdcall ).

Writing viruses under Win32 is not difficult. There are several things worth noting:

1. system function calls under Win32 are not implemented through interruption, but exported from DLL

(Except for using the VxD service directly ). It is not easy to get the API entry directly in the virus. You can use the following work und.

In Windows of the same version, the entry of the same core function is always fixed (the function exported by Kernel32, GDI32, and USER32 ). Therefore, you can use the following method to obtain the function entry:

Enter the function entry to be used in the intialize code and enter it in the virus, which can be used directly during virus running.

My laptop with an operating system of Win2000 Server has recently been infected with a virus. I first used anti-virus software to scan the computer. The scan report is as follows:

Virus name: hacktool
File Name: C: \ winnt \ system32 \ ntservice.exe
Operation: deletion failed, isolation failed, Access Denied

How can we completely delete it?

Because c: \ winnt \ system32 \ ntservice.exe is already running, direct deletion is obviously impossible. So I run Windows Task Manager and select the ntservice.exe process in the process selection card. The result shows that the process cannot be aborted and access is denied ".

I suddenly thought that the Windows 2000 (XP) console can use the DOS command.

What is Console

The console is a simple running mode of windows. It can access the fat and NTFS partitions in the command line state without starting the graphical interface, and perform some settings and operations on the system. On the console, you can change system files, disable or disable a system service, disable or detach hardware devices, repair boot sectors, create partitions, and Format hard disk partitions.

Start the Console

For Windows 2000, we can start the computer with a CD, and then press the r key in the installation program menu to select "repair Windows 2000 installation ", then, press the C key in the repair menu and select "fault recovery console repair Windows2000 ". For Windows XP, start the computer with a CD, and then press R to choose repair, you can directly go to the console.

Install console-related options directly to the method in the Startup Menu: Put the disc into the optical drive, and then directly enter "D: \ i386 \ winnt32/cmdcons "and press enter (assume that your optical drive is d). Then click" yes "to install the console options in the Advanced Startup menu, in this way, you can directly access the console from the hard disk. This method applies to Windows 2000 and Windows XP.

In the command line of the console, for security reasons, we first back up ntservice.exe and run del c: \ winnt \ system32 \ ntservice.exe directly.

Ii. Mainly file I/O Interception

There are several methods to intercept file I/O operations in windows. There are two main methods used in viruses.

1. Use vxdcallifsmgr_installfilesystemhook

2. Intercept the first function vxdcall exported from kernel32.dll to DoS

Call for int 21 (eax = 2a0010 ).

The code for vxdcall is as follows:

MoV eax, dword ptr [esp + 04]
Pop dword ptr [esp]
Call fword PTR Cs: [XXXXXXXX]
^ As long as the address pointed to by this address is changed to its own process portal, all vxdcall is captured.

When entering this process:

Eax = service number. If it is dos int 21, it will be 2a0010.
ESP [2C] eax value when int 21 is called

~~~~ Pushad is missing. It should be 10 h.

ESP [30] ECx value when int 21 is called

~~~~ 14 h

Other registers are the values required for calling. (Segment registers are useless)

In the future, it will be no different from writing viruses in DOS.

Writing viruses in Windows makes it troublesome to get the API entry. the APIs that can be used directly are in the DLL, while vxdcall can be used only at ring0, And the DOS int 21 service cannot be called directly. there are two methods to obtain the API entry in the DLL:

1. Create an import table during loading. During loading, Windows locates the API entry address based on the import table. This is a common method for applications, but it is not suitable for viruses.

2. run the command to get the API endpoint by using getmodulehandle and getprocaddress, but you must know the endpoint of getmodulehandle and getprocaddress before running the command.: <this is obviously not possible. in addition to copying the code of getmodulehandle and getprocaddress to our virus, we only need to use brute force to find the API entry in 2 GB space.

First, let's take a look at the memory ing in windows. From 00000000, there is an Invalid Address (I forgot how much), which is used to capture the pointer of an application error.
Followed until 0x7fffffff is the application space. after 0x80000000, it is the system space. dll and VxD are mapped here. what we want to do is to find krnl32.dll from the 2 GB space. generally, programs in windows are aligned at the 64 K boundary. the first is the MZ file header, followed by the entry for obtaining the PE Header from the information in the MZ header. with this mark, we can find all the DLL files. the PE Header can get the DLL export table entry, and the first item of name PTR table is the DLL name, so we can find krnl32.dll, and obtain the entry of any api from address table ..

It is worth noting that not all of these 2 GB addresses are valid. In general programs, isxxxxxptr can be used to determine whether the addresses are valid, but not in viruses. only hook exception is allowed. Exceptions caused by invalid access addresses are ignored. the structure of the exception chain in Windows is as follows: FS: [0] New ESP value when DWORD exception occurs. This value points to the following structure [esp] dword fs: [0] new value [esp + 4] DWORD exception handler's entry [esp + 8] DWORD exception handler's first data address [esp + 12] DWORD-1 detailed assembly you can use C to write a piece of code _ try... _ compile T code, and then translated into assembly. as long as our exception handler jumps directly to the virus to find the krnl32.dll code, it will not cause GP err Or. For example, see the source code of HPS, PE Header, and export table. For more information, see PE format ..

1. The DLL loaded in Windows is mapped to the same address in different processes.

2. The function exported in the DLL records the offset relative to the DLL image base in the export table. If you change the offset, the address obtained by using getprocaddress changes. (IMAGINE directing the CreateProcess address to a function in your own DLL, or intercepting getdlgitemtext to record the password)

3. In kernel32.dll, Section Table ends before 0x300, and the real code starts at 0x1000, during which there is 3 K unused space, which can be used to store our code. The image base of kernel32.dll can be obtained by getmodulehandlea.

4. In any version of Windows, the three basic DLL files are always loaded (kernel32.dll, user32.dll, gdi32.dll), and for windows of the same version, their image base, and the export function address is always fixed. The obtained address can be directly used for virus use.

. 386 p. model flat, stdcall extrn getmodulehandlearoc extrn getprocaddressroc extrn exitprocessroc. data szkernel dB 'kernel32. dll ', 0 szfindfirst dB 'findfirstfilea', 0 szfindnext dB 'handler', 0 szfindclose dB 'handler', 0 szgetcurrentdir dB 'getcurrentdirectorya', 0 szgetwindir dB 'getwindowsdirectorya ', 0 szgetsysdir dB 'getsystemdirectorya ', 0 szgetfileattrib dB 'getfileattributesa', 0 szsetfileattrib dB 'setfileattributesa', 0 szlopen db' _ lopen ', 0 szlread dB' _ lread ', 0 szlwrite dB '_ lwrite', 0 szlclose dB' _ lclose', 0 szllseek dB '_ llseek', 0 hkernel dd 0. code; initialize code start: Push szkernel call getmodulehandlea