G9N 1: Brief Description: A New Concept/Technique

eZine lover (@eZine)

Published in 

G9N Magazine

 · 2 years ago

..o( Vampirism )o.........................[G9N-01.01].. 
:                                                     : 
: Brief Description: A New Concept/Technicque         : 
: G9N issue Date: May 2000                            : 
: Author: The Spy                                     : 
:.....................................................:

What is:

This is a new design time technicque that may help u make ur virus smaller, smarter, larger, n a lot of things more.

It bases in that in a system file, can b a lot of bytes that can help us, in a lot of ways. For example, if my virus ve da same some bytes that a system file ve, why i dont steal them?!?

A Very Stupid Example:

Lets c a very stupid example, that shows only how to steal da bytes, from a file. Of courz it is shitty, but it explain how to implement vampirism.

If we ve a file called kchalot.dll that contents this 11 bytes:

  B4 09 BA 03 01 CD 21 B4 4C CD 21

we can code that simple program:

--[sv_3.asm]-------------------8<------------------------------ 

.model tiny 
.code 
	org 100h 

main_begin: 
	jmp	skip 

fname	db	'kchalot.dll',00h 
stopit	db	13,10,'$' 

skip: 

	mov ax,3D00h 
	lea dx,fname 
	int 21h 
	jc sayno 

	xchg ax,bx 
	mov ah,3Fh 
	mov cx,11 
	lea dx,sayyes 
	int 21h 
	jmp sayyes 

sayno: 
	mov ah,9 
	lea dx,nofile 
	int 21h 
	mov ah,4Ch 
	int 21h 

nofile	db	'kchalot.dll is not in this directory','$' 

sayyes: 

end main_begin 

--[sv_3.asm]-------------------8<------------------------------ 

EB 10 90 6B 63 68 61 6C 6F 74 2E 74 78 74 00 0D 
0A 24 B8 00 3D BA 03 01 CD 21 72 0B 93 B4 3F B9 
11 00 BA 27 01 CD 21 B4 09 BA 32 01 CD 21 B4 4C 
CD 21 6B 63 68 61 6C 6F 74 2E 64 6C 6C 20 69 73 
20 6E 6F 74 20 69 6E 20 74 68 69 73 20 64 69 72 
65 63 74 6F 72 79 24 
                     ^. 
                       '- Here i append. 

---------------------------------------------------------------

If kchalot.dll is in da current directory, it will steal 11 bytes from it, n then execute it.

If kchalot.dll isnt in da current directory, it will prompt u da nofile error msg.

Whats da deal?

Da deal is that u can build ur virus at runtime, stealin blocks of bytes from da system files. Always if u know which bytes to steal.

How to:

How to find this bytes? U can make a searching proggie, that looks for da same bytes ur virus ve in all of da system files.

I ve designed one, that bases in generate a lot of blocks from da original one. Why? cuz may b, in da system file there r not da same bytes, but there r very similar bytes. WHAT? lets c an example:

virus bytes:

  12 34 56 78 9A BC DE F0

system file bytes:

  13 35 57 79 9B BD DF F1

As u can c, da system file, ve very similar bytes than da virus, n i ve only to dec every byte to ve da correct sequence of bytes i need.

Btw, u can find that:

virus bytes:

  12 34 56 78 9A BC DE F0

system file bytes:

  F0 DE BC 9A 78 56 34 12

In this case, u must turn da block, to ve da byte block u need. Well, in fact, i ve design my TSVT (The Spy's Vampirism Toolkit), to find da bytes in system files. It isnt finished yet, but it generate 512 diferent blocks.

Design Time Work:

In TSVT i ve implemented a simple idea, to generate a lot of blocks from da original one, da virus, that may help me to find more n better results.

For example, i put da original block into an array:

  34 21 02 12 55 89 96 07 ; Virus Original Block

n then i generate a lot of similar blocks in a bidimensional array, [Block,Byte]:

Block #][ Block Bytes 
      0][  34 21 02 12 55 89 96 07 ; Original Block 
      1][  35 22 03 13 56 8A 97 08 ; Original Block [+01h] 
      2][  36 23 04 14 57 8B 98 09 ; Original Block [+02h] 
      .][  . 
      .][  . 
    255][  33 20 01 11 54 88 95 06 ; Original Block [+FFh] 
    256][  07 96 89 55 12 02 21 34 ; Original Block (I) 
    257][  08 97 8A 56 13 03 22 35 ; Original Block (I) [+01h] 
    258][  09 98 8B 57 14 04 23 36 ; Original Block (I) [+02h] 
      .][  . 
      .][  . 
    511][  06 95 88 54 11 01 20 33 ; Original Block (I) [+FFh] 

  (I) = Invert(Block); 
  [+xxh] = [Block,Byte]:=[Block,Byte]+xxh;

As u can c, i ve generated 511 diferent blocks, n we also ve da virus original block, so we ve, 512 diferent blocks to find into da system files.

TSVT its only capable to generate this 512 diferent blocks, but i ve generated 1500 diferent blocks, but i vent coded them into TSVT. For da next version, i guess.

Searchin:

From da system files, i get a block of da same size of da virus, n i start to compare byte to byte with every block. So i only compute da consecutive bytes, but in future versions of TSVT it can find blocks like:

virus block:

   12 34 56 78 ...

system file:

   12 ?? 34 ?? 56 ?? 78 ...

Its very simple, but i vent time to code it yet.

I know, that da TSVTs searchin method isnt da best, but i was da faster one to code, so i ve decided implement it. Anyway it really found a lot of blocks.

How to implement it:

TSVT informs u all that u need to find da block:

• Blocksize: 778 bytes
• File: C:\Windows\System\blablabla.ext
• [Block,Offset] Amount bytes - Block # of da File

When TSVT report u a result u can use it. If TSVT tells u,

[257,3] 7 bytes - Block 21 of da File

Now u know that, in this current system file, in da offset blocksize*21+3, u ve 7 consecutive bytes, that matches exactly with da block 257 that TSVT ve generated, that is Original Block (I) [+01h].

For this version of TSVT:

From block 1 to 256, u ve da blocks [+ # of block in hex]
From block 257 to 512, u ve da same blocks in same order but Inverted

In TSVT 0.3b u can also set da accuracy report.

How to generate more blocks:

If u r tryin to build ur own program that searches into da system files for da bytes blocks u need. U must generate a lot of diferent blocks, n here r a few simple ideas:

  34 21 02 12 55 89 96 07 ; Original Block

- u can add da offset of da byte into da block, to itself. N also combinatin with da other generated blocks.

Bloke #][ Bytes dl Bloke 
      .][  . 
      .][  .0 .1 .2 .3 .4 .5 .6 .7 
    512][  34 22 04 15 59 8E 9C 0E ; Original Block <+p> 
    513][  35 23 05 16 5A 8F 9D 0F ; Original Block [+01h] <+p> 
    514][  36 24 06 17 5B 90 9E 10 ; Original Block [+02h] <+p> 
      .][  . 
      .][  . 
    767][  33 21 03 14 58 8D 9B 0D ; Original Block [+FFh] <+p> 
    768][  07 97 8B 58 16 07 27 3B ; Original Block (I) <+p> 
    769][  08 98 8C 59 17 08 28 3C ; Original Block (I) [+01h] <+p> 
    770][  09 99 8D 5A 18 09 29 3D ; Original Block (I) [+02h] <+p> 
      .][  . 
      .][  . 
   1023][  06 96 8A 57 15 06 26 3A ; Original Block (I) [+FFh] <+p>

<+p> = [Block,Byte]:=[Block,Byte]+Byte;

- n turn it again to gain new blocks!

Bloke #][ Bytes dl Bloke 
      .][  . 
      .][  .0 .1 .2 .3 .4 .5 .6 .7 
   1024][  0E 9C 8E 59 15 04 22 34 ; Original Block <+p> (I) 
   1025][  0F 9D 8F 5A 16 05 23 35 ; Original Block [+01h] <+p> (I) 
   1026][  10 9E 90 5B 17 06 24 36 ; Original Block [+02h] <+p> (I) 
      .][  . 
      .][  . 
   1235][  0D 9B 8D 58 14 03 21 33 ; Original Block [+FFh] <+p> (I) 
   1236][  3B 27 07 16 58 8B 97 07 ; Original Block (I) <+p> (I) 
   1237][  3C 28 08 17 59 8C 98 08 ; Original Block (I) [+01h] <+p> (I) 
   1238][  3D 29 09 18 5A 8D 99 09 ; Original Block (I) [+02h] <+p> (I) 
      .][  . 
      .][  . 
   1535][  3A 26 06 15 57 8A 96 06 ; Original Block (I) [+FFh] <+p> (I)

- well, use all that ur mind imagine.

More Complex Algorithms:

All of this blocks, r very simple to implement in asm, add xxh to every byte, turn a block, etc

But when u think to implement somethin more complex like an algorithm code it in asm, may b a very hard work.

Anyway, there r a lot of kewl algorithms we can use, like Fibonacci's one, that isnt so dificult to code.

The Spy,
Gentlemen, Start ur Minds