return To index


Visual Basic .NET Source Code Infection
---------------------------------------
alcopaul/brigada ocho
may 16, 2011


Intro
-----

Source code infection is not new, but it is interesting to implement especially in new
languages. So far, there has been no appearance of a Visual Basic. .NET source code infector 
on the internet, until now.

Simple Method
-------------

A VB.NET source code infector can just copy itself to all *.vb files with "Sub Main()" or "Form_Load()"
in the hard disk. But we don't wanna do that. Why? To make things elegant (hehehhe) and to save the 
virus some computing time. We don't wanna read *.vb files that are uninfectable (*.Designer.vb, 
AssemblyInfo.vb and other .vb files that are usually within \My Project folder).

Our Method
----------

We can make our virus

1.) Search for a Visual Project file (*.vbproj) to ensure that there are compilable VB.NET projects
in the harddisk. A .vbproj file is an xml file that contains information about a project. Important
keys are Project/PropertyGroup/StartupObject and (Reference Include="namespace" /).

2.) Parse a .vbproj file and get the value of Project/PropertyGroup/StartupObject. The possible
values are:

    a.) (Anyname).My.MyApplication - A Windows Forms Application and the Startup Class name is stored
        in .\My Project\Application.myapp. In Application.myapp, the key MyApplicationData/MainForm 
        holds the Startup Class name.  
    b.) (Anyname).(ModuleName) - A Non-Forms/Console Application and the the Startup Module name is \
        (ModuleName). Most likely to contain a Sub Main().
    c.) Sub Main - Most likely a Console Application that starts on Sub Main().

3.) After it acquires the project type (Windows Form which probably has a "_Load(" or A non-Form/Console
which probably has a "Sub Main()"), examine the *.vb files that comes along and is usually in
the same directory with the .vbproj file.

4.) If the project is a Windows Form, check a .vb file for the Startup Class Name. If found, the file 
is set up as a startup and most probably contain a "_Load(". To be sure, check again for "_Load(".  If 
found, it means we can infect the file. Otherwise, examine next .vb file.

5.) If the project is a non-Form/Console, check a .vb file for the Startup Module Name. If found, 
the file is set up as a startup and most probably contain a "Sub Main()". To be sure, check again for 
"Sub Main()". If found, it means we can infect the file. Otherwise, examine next .vb file.

6.) Infect the file. Read the source from itself then write to the .vb file.


How Is This Possible?
---------------------

When we run a source in the IDE, it is compiled in the IDE and the resulting .exe is run. The .exe
generates the source code from itself (through quining) and does the file searching and infecting.

Demo Code
---------

A demo code comes with this article. Check it out in the Sources section.

Conclusion
----------

Visual Basic .NET source code infection is not rocket science. Go search a programming language and make
a source code infector.