If the Infected EXE file is now executed, the first Line of Code it will encounter will be the first byte of our Virus. Since CS:IP have been changed in the header (Part I) to point to our Virus. The first thing we will need to do, is set up a Variable offset, (As I call it). Basically
when TASM compiles our virus, all variables and other data locations are given a FIX address. Though in the case of the Virus this is NOT GOOD as viruses, tend to append themselves, and therefore variables are never in the same location...
Fig. 1
When TASM Compiles the above Code it turns it into Fig 2. (Below)
(Virus Just Compiled)
Fig 2
(Virus Infect To a File)
Fig 3Later when the Virus infects a File, it will represent Fig 3. Now, when the CALL command is executed, it PUSHes into the Stacks the NEXT CS:IP so when it has to RETurn, all it has to do is POP back the CS:IP to know exactly where it left off! So we can take advantage of the command, by POPing back ourselves, thus this will give us the NEXT byte from the CALL command. which as you see, in the examples is our POP BP statement.
However when the Virus is Freshly Compiled, all Registers values are GOOD, so that is why we must make BP=0 the first time, as the variables were set according to the sources, so no adjustment needed, though when we infect a file, this BP Variable Pointer come ALIVE! (View Fig 3. + Fig 2.)
Boy, That was the HARDEST part of that, Now if you found that simple pat yourself on the back, as that is the only `BIG' Conflict people tend to disregard or forget. So any time while you are NOT resident but infected on the file, and you are running code from the infected file just use the
that BP Variable Pointer, for any data being loaded... Now lets put the routine together, along with the routine to EXECUTE the original EXE file
* After the Virus Has moved a copy of itself in memory, Control must be given back to the Original EXE file we just infected... This is the routine to do it..
Simple? Try it yourself. :D
However when the Virus is Freshly Compiled, all Registers values are GOOD, so that is why we must make BP=0 the first time, as the variables were set according to the sources, so no adjustment needed, though when we infect a file, this BP Variable Pointer come ALIVE! (View Fig 3. + Fig 2.)
Boy, That was the HARDEST part of that, Now if you found that simple pat yourself on the back, as that is the only `BIG' Conflict people tend to disregard or forget. So any time while you are NOT resident but infected on the file, and you are running code from the infected file just use the
that BP Variable Pointer, for any data being loaded... Now lets put the routine together, along with the routine to EXECUTE the original EXE file
* After the Virus Has moved a copy of itself in memory, Control must be given back to the Original EXE file we just infected... This is the routine to do it..
Simple? Try it yourself. :D
RSS Feed (xml)
No comments:
Post a Comment