Win32 PE Virus INTRODUCTION 1

This article is intended for readers:
1, familiar with Win32 assembly. Do not understand the assembly only understand VB? Yes, VB can also write "virus", but that is not too miserable point?
2, familiar with PE structure. faint! If even PE file structure do not know, but also to infect who ah.
3, the virus has a "serious" love, at least not to hate. Because this article contains ingredients that may incur dissatisfaction with PC users, if you do not like the virus, please leave quickly.
4, if you are a virus master, do not laugh at the superficial of this article, this is an introductory article, I hope this can appear a large number of Chinese people to write the virus.
5, this is the most basic virus writing primer technology, if you are really a master (are you really a master?). How can you really be a master??? :)), you don't have to look at it.
　 One, how do I get the address of the KERNEL32 API?
1. The virus has no import table and is now out of fashion to grab the import table of the host program.
2. The generic technique now is to search the base address of Kernel32 from the 4G address space, and then find the address of the desired API from the KERNEL32 export table. Once you have the KERNEL32 API, it is easy to import the API of other DLLs, at least with LoadLibraryA and GetProcAddress (hehe, good basic method).
The first step is to determine the base address of the KERNEL32.
This address is different under the 98,2K,XP. Note that a good virus cannot be overly dependent on the features of an OS, so we can't write a dead 77E80000 in the virus. So we're going to search it out. In general, when a program executes, KERNEL32 is mapped to its address space, which is why we can search for its address.
Take a look at the base address of three OS, 98 for bff70000,2k to 77E80000,XP for 77e60000,ok, all over 70000000, we can start here. Of course if a one-byte search, then too slow, the general DLL is located in the 1M boundary, so we can use 10000 as a span.
There is also a problem, 4G space is not fully readable, the search somewhere will appear GPE error. What to do? Hmmmmmmmmmmmm,m$ has already thought of this, providing a technique called SEH in Win32 that allows you to strangle the errors that occur so that your program can continue to execute without crashing. Specific SEH in the compilation of the wording, as long as a few instructions, we can find some of their own virus to see the know.
Note that the PE file is similar to the image in memory, so we can search for Kernel32 as follows
Ebx->current Address,now is 70000000h
Set SEH Frame
#1
EBX = ebx + 10000h
if ebx = = 0 Then depressed in. Didn't find Kernel32??? Is crash or return host with you, I have nothing to say.
Word ptr [ebx] = = ' ZM '? No,goto #1
EAX = ebx + 3ch
EAX = ebx + [EAX]
Word ptr [ebx] = = ' EP '? No,goto #1
Now we're sure this is a PE Image,let's look up whether it ' s a dll,if not,goto #1
Then check the export DLL name, if it's not ' KERNEL32 '. DLL ', goto #1
Now go into it's export table,get the APIs address which we use to start our smart Work,hahahaha.
Remove SEH Frame
......
SEH handler:
Resume to #1
Specific details of the problem, we have to study. At present most Win32 viruses are the process, of course, the specific implementation method will be different.
　 Two, then what?
Remember the truth of a virus written: the sooner you return to the host program, the better, or a noticeable delay will cause even a beautiful user (? Beautiful women usually do not understand the computer, (voiceover: I have seen the female programmers are beautiful) ^_^) suspicion. So we should immediately allocate a piece of memory, copy it, create a virus thread there, and then return to the host program immediately. OK, now the host program is working properly, and our virus is starting to officially start, HoHo, to start our demon journey.
　 third, infect again and infect as fast as possible as many infections!
Infection is the root of the long-term survival of a virus, so we want a large-scale search, infection and reinfection!
Findfirstfile,findnextfile,findclose, unless you hook some system API (refer to Win32.kriz), otherwise these three APIs are Win32 virus essential, search re-search, infection and reinfection. I don't have to tell you exactly how to search:).
　　 four, in what way infection?
　　 at present, the Win32 virus is divided into two mainstream, one of the most common, covering the last section of the host program relocation, or simply prefix the last section behind, to expand it some. This technique is simple, as the example can be found in Funlove, which has a complex polymorphism engine with a large volume of viruses that are generally used.
The second class is like Elkern as much as possible into the host body, as far as possible, for VC compiled out of the PE file, it's file alignment is 4K, so the gap between the sections add up is likely to have 4,5k, Sufficient to tolerate the next Win32 virus. This technology is more troublesome, debugging is also complex, the main popular is elkern. (The CIH method is similar, but that is the Win95 virus, not within this tutorial).
Five, what else do you want to do?
In order to survive, we have to stay in memory as long as possible, not the end of the host program (many of the early Win32 viruses are like this: (). There are two ways to drop a file in the system directory like Funlove, modify the registry, or set up a system service. This approach is common and common, and most viruses, including worms, do so. But, hehe, releasing a file is too easy for people to notice. Another way is to infect all of the running processes. Good method, easy to implement under Win2K, CreateRemoteThread, but in order to achieve under all WIN32 platform, it is higher than the skill, not within the scope of this introductory tutorial.
Of course, if you can write a ring 0 virus that works on all WIN32 platforms, then I served you. This is not impossible, but the virus will be relatively large, but also very boring, not universal.
　 six, how to quickly infect
Remember, the basic two points
　 1, in the premise of not attracting attention as much as possible to search for files, when you finish a virus, run it, if it can search 15000~20000 files within one hours and you do not hear the hard drive of the sound, then congratulations, your virus can quickly infect.
2, use the file Mapping APIs, do not use ReadFile and WriteFile, the latter is slower.
Seven, Win32 virus best to how big size.
The answer is that the smaller the better, the better between 3k~6k (depressed, the bottom line is like my monthly salary: (). Now some special study of the virus of young people write more and more, a metamorphism virus to the smallest also 80k,hmmmmmmmmmmmmmm, no, so not, so the big one, the user is too easy to find. Foolish thought, polymorphism or metamorphism are not the most important, the general user will not disassemble your virus code, and then the powerful metamorphism engine will be avers killed, so, appropriate polymorphism, Cheat the little girl to be able. Do not believe you see, funlove not any encryption or polymorphism, is not the most popular Win32 virus? If you are passionate about metamorphism, suggest not to write the virus, to write disassembler, fight for more than Ida Pro.
Originally wanted to write in English, good to "internationalization", but my rotten English, foreigners can read, but the Chinese do not necessarily understand, so first will be written in Chinese this my first virus teaching article, and then turn into English bar.
Read the above simple tutorial, coupled with your own efforts to study, and to refer to some of the virus source code, I believe you can also easily write a Win32 virus. Do not be afraid of others laugh at your virus stupid, rest assured to write, write finished don't forget to show me oh *^__^*.

Win32 PE Virus INTRODUCTION 1