Copy Link
Add to Bookmark
Report
Xine - issue #5 - Phile 100
Ú-----------------------------¿
| Xine - issue #5 - Phile 100 |
À-----------------------------Ù
Full stealth essay
is it dead with 32 bit platforms?
Hi, dear readers. Here follows another article that reminds you how all the
Win32 platforms are fucking us. Ok, here follows the shit of the article i
have written about this matter. It's a bit short and lame, but hey, i don't
want to annoy you, it's about one idea i have, and to fill 500 lines with
shit is not a "moral" act, so with 100 lines is enough ;)
Ú-------------------------------------¿
| Introduction - What's full stealth? |
À-------------------------------------Ù
Sigh, don't you know what is the full stealth technique? Ok, then you missed
the DOS age, or you re simply too lame for read this tute ;) The full
stealth technique was one of the most interesting ones in virus writing, and
they were focused to hide to the user the presence of a virus. So, if the
user opens an infected file and the virus was resident, the user would see
an uninfected copy of the program, exactly as it was before the infection.
It was also good as an anti-av technique. You don't need to know more about
it, and i don't want to annoy you, and waste bytes talking about old school
methods.
Ú---------------------------------------¿
| Is it viable under Win32 enviroments? |
À---------------------------------------Ù
Yes and no. The "yes" is because there is a full stealth virus out there,
called Zerg (sigh, this virus remembers me something...). AVPVE said that it
was really buggy, but it was full stealth indeed. The problem of the virus
(well, not problem at all, just a problem in general) is the fact that it is
a Ring-0 virus, and as you should know (even an amoeba knows) that it's only
for Win95 and Win98 platforms (via the security hole of the IDT and such).
Well, i said "it's not a problem at all", because there are many Ring-0
viruses very widespread, as CIH is. But as i am always looking to the future
i've seen it clear: Ring-0 viruses, aswell as DOS virus, are dead. Don't
misunderstand me, nowadays they aren't, but they have counted days. From
Win2000 in advance, you must say "good bye" to the real mode (for MS-DOS
viruses fuck up) and to the holes for jump to Ring-0 (for the Ring-0 viruses
fuck up). So, Ring-0 full stealth is dead, and this makes us to be at the
starting position (where there was the VLAD honoured member Quantum when he
made Bizatch), without a fucking idea of how to make it.
We had an advance with Ring-0 full stealth, and that was the fact that any
API uses the FSD functions for access files, and if we "blind" them there,
thay have no chance for fuck us. But as Ring-0 is dead, we have to search
for other solutions.
Ú------------------------------------------------¿
| A possible (but not effective at all) solution |
À------------------------------------------------Ù
I was thinking in an approach a'la K32 (nIgr0's method) of patching APIs,
but as that doesn't work in NT (because that doesn't let in any way to
manipulate memory outside the own process), so i had to think about other
ways. Then, i remembered some thing that one of my superior-beings, as
Ypsilon is, taught me about Remote Threads. Just think about it: you are
able to create a thread to another process that isn't your own,and i thought
about the possibility of hook (via the per-process method) all the file
handling APIs, thus being able to blind them to the infected file. But still
we have many problems with it, such as:
a) we can't know all the APIs about file handling, just because any
good coder could do his own using the File System functions direc-
tly via windoze drivers.
b) it would provoke a lot of errors, uncompatibilities hardly evita-
ble (ie mapping, etc)
c) it wouldn't solve at all the whole problem, just because the AV
could easily write ways for avoid our annoying
It could be made, it could be interesting, but it couldn't be the definitive
solution to the problem.
Ú-------------¿
| Final words |
À-------------Ù
By reading this article, you realized that there is no fucking solution,
the full stealth as we know is dead. I don't like to be too much pesimist,
but it's the fucking truth. One possible solution is to achieve Ring-0 in
WinNT/2k, but as it would be surely an exploit, the next SP (service pack)
would fix it. Dead way. Sigh.
Fuck, there's no chance, we'll be forced to make a WDM virus,and this is not
a good idea...
API level is a shit, it's limited, and we can't avoid that. We can so marve-
lous things with it, but full stealth is dead then. So, if the time doesn't
say the opposite (i hope it will!) the full stealth is dead.
- The boy you loved is the man that you fear - (Marilyn Manson)
----------------------------------------------------------------------------
(c) Billy Belcebu/IKX [15/12/99] "i'm not a terrorist. i'm an artist"
þ URL þ www.billybelcebu.org - www.beautifulpeople.cjb.net
þ EMAIL þ billy_belcebu@mixmail.com - billy_belcebu@ikx4ever.org
þ IRC þ irc-hispano #virus, undernet #virus #ikx
