/-----------------------------\ | Xine - issue #4 - Phile 101 | \-----------------------------/ Tips and tricks about PE infection... Educational purpose only and blah and blah... File formats ______________________________________________________________________________ ..CPL: you can infect .CPL (elements of the control panel) with any PE infector by changing th entry point of the prog, only notice: - the PEP (Program Entry Point) is called thrice: * When the CPL is used for the first time: when windows is launched (hehe, did u want to become resident at the start of win?) * When you run it (hum...) * When you finish to run it. - You can also redirect the "CPLApplet" exported function that is the actual entry point of a .CPL (cf Export table, it seem that CPLApplet is always the 1st function exported) ..SCR: Screen savers are real PE, like .exe! - You can, if you infect .SCR, look out the command line, if it is launched with "/s", it mean that it'll load the screen saver ( /c is to load the configuration part), so it mean that the computer will be showing some graphic stuff, it mean then that you can search the HD at your own rate. The screen saver is ended like any other prog when the user come back and stop it, check it to stop at time ;) ..DLL: The only difference between executables and dynamic-link libraries is their purpose, the content hardly change. The "physical" differences are: - the bit 13h in the word bit field at PE+16h is set to 1 for DLL - the bit field at PE+5eh is only used for DLL, not for EXE and others In the wild ______________________________________________________________________________ Relocation factor: Each prog (except under NT?!?) is loaded with EAX = PEP, so you have just to "lea ebp,[eax-offset VirusStart]" to have a correct ebp for relocation. Export table: At PE+78h is the RVA of the export table (ET) At ET+1Ch is the RVA of a table of RVA to function entry points, and At ET+14h is the number of function exported What about redirect an/several exported function instead of PEP... Need space? What a stuff we have free for us to store datas in a PE header: At PE+1ah is the linker version (1 word) At PE+1ch are Total size of code, of initialised data and then of uninitialised data (total:3 dwords). At PE+2ch are Base of code and Base of data (2 dwords) At PE+40h are OS version and Binary version (2 dwords) At PE+4ch is Win32 version value (1 dword) At PE+58h is a check sum used by NT drivers (1 dword) At PE+5eh is a bit field, only used by DLL (1 word) At PE+a0h are the RVA and the size of the relocation table (2 dwords) At PE+b0h are the RVA and the size of the copyright infos (2 dwords) In each section header, there are 3 dwords (at offset 18h) that are only used in OBJ and LIB (those that are in PE format, so: none ) So, there is special places for us to use... let's do! Before adding a section... ______________________________________________________________________________ Before adding a section header, there is some times a uninitialised data section in PE. The dword at offset 14h in a section header is the RVA of the content of the section; if the section contain uninitialised datas, that dword would be null... Use that section and "or" his dword flags at offset 24h in the section header with e0000060h: -31:write access -30:read access -29:execute access -6:data loaded from file -5:executable code Also "and" it with ffffff7fh: -7:data initialised to 0 Before addig a section content look at that: * The relocation items are never used: there is a section space to use if the relocation section is the last in file, use it and enlarge it in the dwords at offset 8h (size in RAM) and offset 10h (size in file). Don't forget to align that values to File alignement (PE+3ch) and RAM alignement (PE+38h). Note: don't hesitate to set that alignements to their minimum, I mean 1000h for RAM alignement and 100h for file alignement. * Other wholes to use are those created by alignement of sections in file... That value is often huge enough! * Don't forget to calculate the 1st section content in File and the last section header to use the 0 filled space between them, even if you don't create a section header for them, the RVA base will, at run time, point to PE, it remains to you just to calculate the address of the datas ya added, even if it cannot be executed, but copied before elsewhere... ! Why not to split your virus to fill all that holes and to add it a merger at its beginning? (It's possible, I did it.) Notice also that if you have space in RAM to allocate, you can do it at infection time, by enlarging the last section in RAM. Even if it is not enlarged in file, the difference will be uninitialised datas. Notice that a crash would happend if you allocate more that 1 Mb by this manner, but I hope it won't happend ;) That's all folks! °°°°°°°°°°°° °°°°°°°°°°°° °±±±±±±±±±±±±° °±±±±±±±±±±±±° °±²²²²²²²²²²²²±° °±²²²²²²²²²²²²±° °±²ÛßßßßßßßßßßÛ²±° °±²ÛßßßßßÛßßßßÛ²±° °±²Û 06-04-99 Û²±° °±²Û n0ph³IKX Û²±° °±²ÛÜÜÜÜÜÜÜÜÜÜÛ²±° °°°°°°°°°°°°°°°°°°°° °±²ÛÜÜÜÜÜÛÜÜÜÜÛ²±° °±²²²²²²²²²²²²±° °±±±±±±±±±±±±±±±±±±±±° °±²²²²²²²²²²²²±° °±±±±±±±±±±±±° °±²²²²²²²²²²²²²²²²²²²²±° °±±±±±±±±±±±±° °°°°°°°°°°°° °±²ÛßßßßßßßßßßßßßßßßßßÛ²±° °°°°°°°°°°°° °±²Û n0ph@hotmail.com Û²±° °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°° °±²ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ²±° °±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±° °±²²²²²²²²²²²²²²²²²²²²±° °±²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²±° °±±±±±±±±±±±±±±±±±±±±° °±²ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛ²±° °°°°°°°°°°°°°°°°°°°° °±²Û http://members.xoom.com/n0ph Û²±° °±²ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ²±° °±²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²±° °±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±° °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°° Sorry for windows viewers, but I had to fun w/ it.