Aaron Bloomfield (aaron@virginia.edu)
Image from here
(shamelessly copied from here)
ret
assembly command pops an address from the stack and then jumps there
ret
in some subroutine
push [virus code address]
ret
push
followed immediately by a ret
add eax, 0
, etc.)
call
opcode and replace the target with the virus address
call
targets are outside the .text section of code
printf()
, or <<
on cout
, etc.
printf()
printf()
(and other methods) into the IAT when the program starts up
lea si,Start ; start of encrypted code
; (computed by virus)
; Decryptor loop of a self-encrypting virus (16-bit, DOS era).
; Entry: si = address of the encrypted body (loaded by the lea above),
;        sp = byte count — sp is (re)used here as a plain loop counter,
;        not as a stack pointer.
; Each 16-bit word at [si] is xor'ed in place with its own address and
; with the remaining count, both of which differ from copy to copy, so
; the encrypted body has no stable byte pattern. Only this short loop is
; constant, which is what a scanner has to match (or emulate past).
mov sp,0682h ; length of encrypted code (1666 bytes)
Decrypt:
xor [si],si ; xor the word at si with its address
xor [si],sp ; xor the word at si with the remaining count
inc si ; advance one byte (so successive 16-bit words overlap)
dec sp ; decrement byte counter; sets ZF when it reaches zero
jnz Decrypt ; loop if more bytes to decrypt
Start: ; virus code body (encrypted on disk, decrypted in place above)
xor
commands is xor’ing it with the address, which will change with each infection
; DOS file/device write: INT 21h with AH=40h (write to handle).
; cx = byte count; the handle (bx) and buffer pointer (ds:dx) are set up
; outside this excerpt. In context this is presumably the write that
; propagates the virus body — confirm against the surrounding slide.
; A behaviour monitor sees this call regardless of what the bytes look like.
mov cx, 100h ; 100h = 256 bytes to write
mov ah, 40h ; 40h = DOS function number (write to handle)
int 21h ; Invoke DOS handler
// Pseudocode: walk a DLL's export table and hook the one entry whose
// name matches. The plain-text literal "GetFileHandle(int)" is itself
// an easy thing for a scanner to key on — the slide makes that point next.
for (each prototype in DLL export table)
if (0 == strcmp(name,"GetFileHandle(int)")) // strcmp returns 0 on an exact match
infect(current export table address);
endfor
which has the subroutine name clearly visible, use:
; Instructions inserted to vary a virus's byte pattern between generations
; without changing its behaviour. nop and the commented arithmetic
; identities are true no-ops; INT 3 is the one-byte breakpoint trap, which
; raises #BP if no debugger handles it, so it is not a true no-op.
INT 3
nop
; add rax, 0
; shr rax, 0
; etc.
inc rax followed by sub rax, 1
; Polymorphic decryptor: three instruction groups whose members can be
; reordered or substituted per generation, plus random padding, so the
; decryptor itself has no fixed byte sequence. Only the loop's effect —
; two xor keys, both sliding by one each iteration — is invariant.
; Group 1: Prolog instructions
mov ax,0E9Bh ; set key 1
mov di,012Ah ; offset of virus Start
mov cx,0571h ; byte count, used as key 2
; Group 2: Decryption instructions
Decrypt:
xor [di],cx ; decrypt the 16-bit word at di with key 2 (cx also counts down, so key 2 changes every pass)
xor [di],ax ; decrypt the same word with key 1
; Group 3: Decryption instructions
inc di ; move on to next byte (one byte, so successive 16-bit words overlap)
inc ax ; slide key 1
; loop instruction (not part of Group 3)
loop Decrypt ; cx -= 1, jump back while cx != 0; this is what slides key 2
; Random padding up to 39 bytes
Start: ; encrypted virus body starts here
; Two generations of the same code, side by side. The right column is the
; left column with registers consistently renamed
; (edx->eax, edi->ebx, esi->edx, eax->edi, ebx->esi); the constants,
; operation order and memory access pattern are identical, so the
; behaviour is unchanged while the encoded bytes of every instruction
; differ. A byte signature taken from one column does not match the other.
pop edx pop eax ; edx -> eax
mov edi,0004h mov ebx,0004h ; edi -> ebx
mov esi,ebp mov edx,ebp ; esi -> edx
mov eax,000Ch mov edi,000Ch ; eax -> edi
add edx,0088h add eax,0088h ; same immediate, renamed register
mov ebx,[edx] mov esi,[eax] ; ebx -> esi
mov [esi+eax*4+1118],ebx mov [edx+edi*4+1118],esi ; same base+index*4+disp form, renamed
etc. etc.
A future generation:
; A later generation of two stores through esi: each immediate store has
; been rewritten as a register load plus store, with junk instructions and
; a split constant in between, so the values stored are meant to be the
; same while the encoded bytes change.
mov ebx,5500000Fh ; 3rd gen., constant has changed
mov dword ptr [esi],ebx ; store via register instead of an immediate
pop ebx ; junk
push ecx ; junk
mov ecx,5FC0000CBh ; constant has changed. NOTE(review): 9 hex digits does not fit a 32-bit immediate — likely a transcription error on the slide; check against the source
add ecx,F191EBC0h ; ECX now has original value (i.e. the sum mod 2^32 is meant to equal the original constant — not verifiable from this excerpt)
mov dword ptr [esi+0004],ecx
A virus creation kit, which does exactly what it sounds like it does
Next Generation Virus Creation Kit (2001)