                          Construction via Exception
                              roy g biv / defjam
 
                                 -= defjam =-
                                  since 1992
                     bringing you the viruses of tomorrow
                                    today!


About the author:

Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (JunkMail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
world's  first  32/64-bit  parasitic  EPO .NET  virus  (Croissant,  see  Virus
Bulletin  11/04  for a description, but they call it Impanate), world's  first
virus  using  self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03  for  a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for  Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32  and  AMD  AMD64  (Shrug),  world's  first  viruses  that  infect  Office
applications  and  script  files  using the same  code  (Macaroni,  see  Virus
Bulletin  11/05  for  a description, but they call it Macar),  world's   first
viruses  that  can infect both VBS and JScript using the same code (ACDC,  see
Virus  Bulletin 11/05 for a description, but they call it Cada), world's first
virus  that  can  infect  CHM files (Charm, see Virus  Bulletin  10/06  for  a
description,  but they call it Chamb), world's first IDA plugin virus  (Hidan,
see Virus Bulletin 3/07 for a description), world's first viruses that use the
Microsoft  Script  Encoder  to dynamically encrypt the  virus  body  (Screed),
world's  first virus for StarOffice and OpenOffice (Starbucks), world's  first
virus  IDC  virus (ID10TiC), world's first polymorphic virus for Win64 on  AMD
AMD64  (Boundary, see Virus Bulletin 12/06 for a description, but they call it
Bounds),  world's first virus that can infect Intel-format and  PowerPC-format
Mach-O  files  (MachoMan,  see  Virus Bulletin 1/07  for  a  description,  but
they  call  it  Macarena), world's first virus that uses  Unicode  escapes  to
dynamically  encrypt  the virus body (Unicycle), world's first  self-executing
PIF  (Spiffy), world's first self-executing LNK (WeakLNK), world's first virus
that uses virtual code (Relock, see Virus Bulletin 3/10 for a description, but
they  call  it  Lerock),  world's first virus to  use  FSAVE  for  instruction
reordering (Mimix, see Virus Bulletin 1/10 for a description, but they call it
Fooper), world's first virus for ODbgScript (Volly), world's first Hiew plugin
virus  (Hiewg),  world's first virus that uses fake BOMs (Bombastic),  world's
first  virus  that  uses JScript prototypes to run itself  (Protato),  world's
first  virus  that  uses  Heaven's Gate for  replication  (Heaven,  see  Virus
Bulletin  12/11  for a description, but they call it Sobelow),  world's  first
virus for 010 Editor script (To_Be, see Virus Bulletin 1/13 for a description,
but  they  call  it  Toobin),  world's first  truly  polymorphic  Batch  virus
(Polymer,  see Virus Bulletin 5/12 for a description, but they call it Lymer),
and  world's  first virus that uses the GPU for decryption (OGLe).  Author  of
various  retrovirus  articles (eg see Vlad #7 for the strings that  make  your
code  invisible  to TBScan).  This is my tenth virus for JScript.  It  is  the
world's first virus to use exception handlers to construct the code.


What is it?

This is a technique that I developed about six years ago, and until now I have
not  seen  it used by anyone, so finally I release it.  JScript offers a  nice
way  to deal with exceptions, by using the "try/catch" sequence.  We place the
code  that  might fail inside the "try" block, and catch any exception in  the
"catch"  block.   The "catch" block can change the state to allow the code  to
continue  running,  or  it  can "throw" a result which  will  trigger  another
exception that will be caught by another "catch" block.  The "catch" block can
even  declare or alter variables that will have function-level scope which  is
great for making analysis difficult. :)

We can also use this technique to transfer control in a kind of anti-debugging
way by forcing the exception to occur.  This is the same thing that we do in
PE code.


How does it work?

We  want  to  construct our code from pieces which we will  define  inside  a
"catch"  block.   We  can do it by using two "try" blocks.  The  first  "try"
block  will  have  a "catch" block that does the concatenation.   Inside  the
first "try" block, we have a second "try" block which will force an exception
to  occur.   The  second "catch" will return the piece of code to  the  first
"catch" block.

The description is more difficult to understand than the code:

  try
  {
    try
    {
      1=1 //force exception
    }
    catch(b) //catch that exception
    {
        throw <piece of code> //return piece of code using another exception
    }
  }
  catch(c) //catch piece of code
  {
    a+=c //concatenate it
  }


Just one problem

Of course it is not quite so simple.  There is a problem if the code contains
quote  characters  - the ' or ".  We cannot escape these because  the  escape
sequence  will be lost and only the bare character is returned.  Instead,  we
can  carry  our own source with the quotes in encoded formed and replace  the
characters  dynamically,  like this.  We choose a unique character to  encode
our single and double-quotes, for example 'G' and 'B' in my case (I could not
use  'R'  because of "RegExp" or 'M' because of "Math").  We run  the  result
directly:

    a=String.fromCharCode(34) //double-quote
    b=String.fromCharCode(39) //single-quote
    c=<our code>
    eval(c.replace(new RegExp(fromCharCode(71),"g"),a).replace(new RegExp(fromCharCode(66),"g"),b))

That's  all  there is to it.  The code that forces the exception can be  made
polymorphic,  of  course, and more interesting would be to have  fake  blocks
that  appear to concatenate completely unrelated pieces of code.  It can work
because  if  no  exception  occurs then the "catch" block  will  not  execute
anything.  I show the path, it is for someone else to walk the path.


Greets to friendly people (A-Z):

Active - Benny - herm1t - hh86 - jqwerty - Malum - Obleak - Prototype -
Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras -
uNdErX - Vallez - Vecna - Whitehead


rgb/defjam oct 2012
iam_rgb@hotmail.com