48 lines
2.3 KiB
Plaintext
48 lines
2.3 KiB
Plaintext
FUNPIV2.CVP 911006
|
|
|
|
Viral code insertion
|
|
|
|
There are four ways to attach code to an existing program:
|
|
overwrite existing program code, add code to the beginning of the
|
|
program, add code to the end of the program and not add code to the
|
|
existing program.
|
|
|
|
Overwriting viral programs are a very simplistic answer to the
|
|
problem of how to add code to an existing program without changing
|
|
the file size. By simply overlaying code which is already on the
|
|
disk, the original size remains unchanged. There are a few
|
|
problems with this approach.
|
|
|
|
The first is the problem of how to get the virus "called" when the
|
|
infected program is run. If the code is just inserted anywhere, it
|
|
may not be in a part of the program that gets used every time the
|
|
program is run. (Every programmer is aware of the Pareto
|
|
Principle's application here: 20 percent of the code does 80
|
|
percent of the work. Some code never gets called at all.) It is
|
|
possible, by an analysis of the code of the target program, to find
|
|
an "entry point" which is used extensively. It is also possible,
|
|
and a lot easier, to place a jump at the beginning of the program
|
|
which points to the viral code.
|
|
|
|
The second problem is much more difficult to deal with. If the
|
|
virus code overwrites existing portions of the program code, how do
|
|
you know the loss of that program code is not fatal to the target
|
|
program? Analysis of this type, on the original code, would be
|
|
very difficult indeed. "Successful" overwriting viri tend to be
|
|
short, and to look for extensive strings of NUL characters to
|
|
replace. (The NUL characters tend to be used to "reserve" stack
|
|
space, and thus are not vital to the program.) Even if the
|
|
original code is not vital to the program, it may, if replaced,
|
|
cause the program to exhibit strange behaviours, and thus lead to
|
|
detection of the viral infection.
|
|
|
|
Thus, while overwriting viri solve the problem of file size, they
|
|
bring with them some inherent problems which appear, at this time,
|
|
to severely limit their effectiveness "in the wild". To this date,
|
|
while many overwriting viri have been written, none have enjoyed
|
|
great "success", or become a widespread and major problem.
|
|
|
|
(The Zen-like nature of the opening paragraph will be explained in
|
|
future columns.)
|
|
|
|
copyright Robert M. Slade, 1991 FUNPIV2.CVP 911006 |