29a-7.013

从29A上收集的病毒源码

InConEx - executing PE files in the own process memory context
--------------------------------------------------------------
by yoda


This program tries to load a target PE image into some memory in its
own memory context and execute it there.
Only PE files can be executed that have RelocationInformation included.
The ImportTable is initialized, the Relocation items are applyed to the
image and at the end also the windows internal stuff is adjusted, i.e.
fixing calling process module information (ImageBase, ImageSize, module
path, command line, current directory).

The built virtual module image is executed in an own thread, so the
server gets back execution control after the client thread terminates.

To avoid that the client applications will terminate the whole process
on the end of its execution, we simply hook the ExitProcess API. Every
process has to use this API to finish its execution, also if it's
not visible in the ImportTable because it's called by stubs (MFC, VB,
.NET, MSVCRT,...).

InConEx basically supports 9x and NT based operation systems but it
doesn't work on 9x as good as on NT. E.g. on 9x the DialogBoxParam calls
fail :(

Acknowledge:
~~~~~~~~~~~~
Z0MBiE           - Thanks for your nice sources. I got some information
                   about the _PageModifyPermissions service from them.
ELiCZ            - ..was the one who brought me on the idea to use this
                   service on 9x to get write access in Kernel32.
			       Addtionally I ripped some NT structures out of his undoc
			       package being available on ELiCZ.cjb.net.
Matt Pietreck    - Thanks for C sources describing the 9x internal
                   structures.

If someone wants to apply to this coding project, mail!
Please drop you lines to LordPE@gmx.net
Visit: y0da.cbj.net

yoda