/-----------------------------\
| Xine - issue #4 - Phile 101 |
\-----------------------------/
Tips and tricks about PE infection...
Educational purpose only and blah and blah...
File formats
______________________________________________________________________________
..CPL: you can infect .CPL files (control panel applets) with any PE
infector by changing the entry point of the program; only note:
- the PEP (Program Entry Point) is called three times:
* when the CPL is used for the first time, i.e. when Windows is launched
(hehe, did u want to become resident at the start of win?)
* when you run it (hum...)
* when you finish running it.
- You can also redirect the "CPLApplet" exported function, which is the
actual entry point of a .CPL (cf. export table; it seems that CPLApplet
is always the 1st function exported)
..SCR: Screen savers are real PE files, like .exe!
- If you infect .SCR, you can look at the command line: if it is launched
with "/s", it means the screen saver itself is loading (/c loads
the configuration part), so the computer will be showing some
graphic stuff, which means you can search the HD at your own rate.
The screen saver is ended like any other program when the user comes
back and stops it; check for that so you stop in time ;)
..DLL: The only difference between executables and dynamic-link libraries
is their purpose; the content hardly changes.
The "physical" differences are:
- bit 13h of the word bit field at PE+16h is set to 1 for a DLL
- the bit field at PE+5eh is only used for DLLs, not for EXEs and others
In the wild
______________________________________________________________________________
Relocation factor:
Each program (except under NT?!?) is loaded with EAX = PEP, so you just have to
"lea ebp,[eax-offset VirusStart]" to get a correct ebp for
relocation.
Export table:
At PE+78h is the RVA of the export table (ET)
At ET+1Ch is the RVA of a table of RVAs to function entry points, and
At ET+14h is the number of functions exported
What about redirecting one/several exported functions instead of the PEP...
Need space? What free room we have to store data in a PE header:
At PE+1ah is the linker version (1 word)
At PE+1ch are the total size of code, of initialised data and then of
uninitialised data (total: 3 dwords).
At PE+2ch are Base of code and Base of data (2 dwords)
At PE+40h are OS version and Binary version (2 dwords)
At PE+4ch is the Win32 version value (1 dword)
At PE+58h is a checksum used by NT drivers (1 dword)
At PE+5eh is a bit field, only used by DLLs (1 word)
At PE+a0h are the RVA and the size of the relocation table (2 dwords)
At PE+b0h are the RVA and the size of the copyright info (2 dwords)
In each section header, there are 3 dwords (at offset 18h) that are only used
in OBJ and LIB (those that are in PE format, so: none)
So, there are special places for us to use... let's do it!
Before adding a section...
______________________________________________________________________________
Before adding a section header, there is sometimes an uninitialised data
section in the PE. The dword at offset 14h in a section header is the RVA of the
content of the section; if the section contains uninitialised data, that
dword will be null... Use that section and "or" its dword of flags at offset
24h in the section header with e0000060h:
- bit 31: write access
- bit 30: read access
- bit 29: execute access
- bit 6: data loaded from file
- bit 5: executable code
Also "and" it with ffffff7fh:
- bit 7: data initialised to 0
Before adding section content, look at this:
* The relocation items are never used: there is section space to use.
If the relocation section is the last in the file, use it and enlarge
it in the dwords at offset 8h (size in RAM) and offset 10h (size
in file). Don't forget to align those values to the file alignment
(PE+3ch) and RAM alignment (PE+38h).
Note: don't hesitate to set those alignments to their minimum, I mean
1000h for RAM alignment and 100h for file alignment.
* Other holes to use are those created by the alignment of sections in the file...
That value is often huge enough!
* Don't forget to compute the gap between the last section header and the
1st section content in the file, and use the 0-filled space between them:
even if you don't create a section header for it, the RVA base will,
at run time, point to PE, so you just have to compute the address of
the data you added there; it cannot be executed in place, but it can
be copied elsewhere first...
! Why not split your virus to fill all those holes and add a merger
at its beginning? (It's possible, I did it.)
Notice also that if you need space in RAM, you can allocate it at
infection time by enlarging the last section in RAM. Even if it is
not enlarged in the file, the difference will be uninitialised data.
Notice that a crash would happen if you allocate more than 1 Mb
this way, but I hope it won't happen ;)
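As an added defensive check (my own code, not part of the zine), the following Python parses the PE header fields named in the "Need space?", "Before adding a section..." and "enlarge the last section" passages above and flags the traces those tricks leave: a reserved header field (PE+4ch) that is non-zero, a section with no file data yet code/execute flags (the e0000060h trick), and an entry point outside every section, in a non-executable section, or in the last section. The build_pe helper, its argument layout and the sample images are constructed for the example; the PE32 offsets are the standard ones the text lists.

```python
import struct

SCN_CODE, SCN_EXEC = 0x20, 0x20000000   # section Characteristics bits 5 and 29

def build_pe(sections, entry_rva, win32_version=0):
    """Assemble a minimal PE32 image in memory (constructed test data, not a real file).
    sections: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, flags)"""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0x40)                       # e_lfanew -> "PE\0\0"
    file_hdr = struct.pack("<HHIIIHH", 0x14c, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0x00, 0x10b)                      # magic
    struct.pack_into("<I", opt, 0x10, entry_rva)                  # AddressOfEntryPoint (PE+28h)
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)             # Section/FileAlignment (PE+38h/3ch)
    struct.pack_into("<I", opt, 0x34, win32_version)              # Win32VersionValue (PE+4ch)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, f)
                    for n, va, vs, rp, rs, f in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs

def check_pe(data):
    """Return anomaly strings for the header/section tricks described in the text.
    Assumes a well-formed header; no bounds checking is done."""
    findings = []
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    nsec = struct.unpack_from("<H", data, pe + 0x06)[0]
    entry = struct.unpack_from("<I", data, pe + 0x28)[0]
    if struct.unpack_from("<I", data, pe + 0x4c)[0]:              # reserved field, must be 0
        findings.append("Win32VersionValue non-zero: data stashed in a reserved header field")
    sec_off = pe + 0x18 + struct.unpack_from("<H", data, pe + 0x14)[0]   # after optional header
    entry_sec = None
    for i in range(nsec):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        name = raw[0].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, rptr, flags = raw[1], raw[2], raw[3], raw[4], raw[9]
        if rptr == 0 and rsize == 0 and flags & (SCN_CODE | SCN_EXEC):
            findings.append(f"{name}: no file data yet flagged code/executable (bss section reused)")
        if va <= entry < va + max(vsize, rsize):
            entry_sec = (i, name, flags)
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    else:
        i, name, flags = entry_sec
        if not flags & SCN_EXEC:
            findings.append(f"entry point in non-executable section {name}")
        if i == nsec - 1 and nsec > 1:
            findings.append(f"entry point in last section {name} (typical appended-code pattern)")
    return findings
```

Run check_pe() on the bytes of any PE; an empty list means none of these patterns is present.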
That's all folks!
n0ph|IKX - 06-04-99
n0ph@hotmail.com
http://members.xoom.com/n0ph
Sorry for Windows viewers, but I had to have fun w/ it.