ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Residence in Windows viruses at Ring-3 level ³ Billy Belceb£/DDT ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Here goes a brief introduction to one of the most asked topics in the virus scene nowadays, and one of the most interesting i think. I'm not trying to say that this little tutorial will make the job for you... Just the opposite because here i'll give you ideas, and almost all this article is theorical. Don't worry, there's some code, too. As i said in my "Heuristic Technology" article... "the experience is the mother of the science". % Introduction % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ When i was learning about residence (and asking a lot of people about this matter), i realized that there weren't any tutorials about this matter, and all the people i asked used completly different ways to do it. Here i will only explain the two ways i found more interesting : The Win95 global resi- dence (by nIgr0) and the per-process residence. Well, i recognise that there are a lot of ways for go resident under Win32 enviroments, but anyway i only commented this two way because they are the simplest ones under my viewpoint % Win9X Global Residence (nIgr0 method) % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ The first time i saw this method was in Win95.K32 virus, made by my friend nIgr0 (the same that contributed to this magazine with his great Lord of the Rings). The objective of this residence is quite simple : copy the virus body to a hole, pass the control to the virus in that hole, hook APIs globally (modifying directly its code), and infect programs. I must say that this method WON'T work under WinNT, and you will see soon why. Well, as we all know, in Win9X (Win95, Win98) the kernel memory is read-only So we must find a way for make it to allow writes, as we want to write in it right?. Well, we can do it physically, but it will leave signs of our virus, and we don't want this. But... what if we unprotect in memory only the pages we need to? This is the solution. Then you wonder how. Well, we have, in the great VxDCALL 0 a function for do that, called _PageModifyPermissions. Let's see how to get VxDCALL 0 address: mov eax,0BFF70000h ; Put in EAX harcoded kernel mov ebx,dword ptr [eax+3Ch] ; Move ptr to begin of PE add ebx,eax ; Align it cmp word ptr [ebx],"EP" ; Is it a PE? jnz Not_PE ; Nope, go away mov ebx,[ebx+78h] ; Go to export table lea ebx,[ebx+1Ch+eax] ; Go to address table mov ebx,[ebx] ; And put its address in EBX add eax,[eax+ebx] ; And we have VxDCALL0 in EAX Simple, huh? :) Better save EAX now in a safe place, because we have now our wanted VxDCALL0 ;) Well, let's see how to call _PageModifyPermissions, as nIgr0 does. push 020060000h ; New page attributes (writ.) push 000000000h ; uninteresting push 000000001h ; Number of pages push ; page push 00001000Dh ; VxD 1 service D call Well, we need a system hole where move the virus body, right? I only know the existence of one (forgive me, i'm lame :P), located in 0BFF70400h, just after the PE header in memory. This memory zone is write protected, so you'll must unprotect that before do anything. Well, then, we you have done that, it's time to move the virus body to that zone. And you know how to do that :) A simple MOVSB loop will be enough. Now we give the control to the resident copy of the virus. We are now resident... charming, isn't it? ;) Well, but now it's time to make something... if we stay as we are now, we are just making nothing. We need to hook an API. As we are a global resident let's hook the APIs radically (i.e. globally ;) How? I think you are enough intelligent, and you had made a routine for catch the APIs we need, right? Just use the offset of the API(s) you liked more, and put it in memory into read-write mode, with the routine shown below. Just overwrite the first bytes in the API code with a routine that brings the control to your API handler (of course, save the overwritten bytes goddamit! ;). That API hand- ler must have the properly code for infect the program that request/is invo- lved in its use... and that's all folks. % Win9X Global Residence (GriYo's method) % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ No, no, no. I won't explain his method. Why? Heh, there is a very complete article about it, wrote by him in 29A#3, so go and download it if you still don't have that jewel. Hrm, in a very short brief comment, what it does is to "hook" the VxDCALL0 (heh, you remember?) for all file access, so it acts as the likeness of a normal TSR DOS infector, but in Win9X (read HPS virus). % Per-Process Residence % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Well, this is the only known way i know for make Win32 viruses to be reside- nt. Yes, you have read Win32 and not Win9X. This is because this method can work also under WinNT. First of all you must know what a process is. The thing that surprised me more is that the people that is beginning in the windows programming know what this is, and know what this method is, but they ussually don't know his name. Well, when we execute a Windows applica- tion, that is a process :) Very easy to understand. And what does this resi- dence way? First of all we must allocate memory, for put virus body there, but this memory is from the own process that we are executing. So, we allo- cate some memory that the system gives to the process. It could be made by using the API "VirtualAlloc". But... what for hook APIs? Well, the most use- ful solution that comes to my mind now is to change the API's addresses in the import table. It is, under my viewpoint, the only possible way. As the import could be written, this is more easy, and we don't need the help of any function of the VxDCALL0... But the weak point of this kinda residence is here too... as we look in the import we can only work with the imported functions, and the infection rate depends higly of what file we have infected. For example, if we infect the CMD.EXE of WinNT, and we have a handler for FindFirstFile(A/W) and FindNextFile(A/W), that infects all the files that are found using that APIs That makes our virii very infectious, mainly because that APIs're higly used when we make a DIR command under WinNT. Anyway, the Per-Process method is very weak if we don't make the virus that uses that method to have any other ways for make it more infectious, such as in Win32.Cabanas, a runtime part. Well, we make that runtime part to infect each time some files in the \WINDOWS and \WINDOWS\SYSTEM directories. Another good choice is, as i said before in the example with CMD.EXE, hit that very special files directly in the first infection of a system... Well, i explained sum theory. Just see what viruses do and understand it. Billy Belceb£, mass killer and ass kicker.