Mail Archives: djgpp/1995/12/22/15:49:29

Date: Fri, 22 Dec 1995 20:10:23
From: "Alaric B. Williams" <DJGPP AT abwillms DOT demon DOT co DOT uk>
Reply-To: DJGPP AT abwillms DOT demon DOT co DOT uk
To: smcdonal AT pcug DOT org DOT au, DJGPP AT sun DOT soe DOT clarkson DOT edu
Subject: Re: Natas
Lines: 43

In your message dated Wednesday 20 December 1995 you wrote:
> Hmmm, virus people are shit. But.... Does anybody have code for one (no, 
> I'm not the sack that does it, I just wanna know how it's done, I will 
> leave it at code)? I'd like to know how they work. If anybody could send 
> me some code/explain how they work I'd be much obliged. 

Weeelll, I don't have any code, but I've read tonnes about 'em. They generally 
have to be in assembler for PCs, because an EXE file is a very 'secretive' 
format (hard to hack apart, as opposed to Acorn Archimedes programs, which are 
directories full of various executables to do different things, and thus you can 
write Arc viruses in BASIC!). The general plot for infection is thus:

(At this point in time, the virus has allocated a block of memory and is living in 
it, hooking the exec interrupt. When a request to execute an .EXE appears...)
The virus first of all takes the first few bytes of the program and remembers 
them. Next, it overwrites said bytes with a JUMP instruction to the end of the 
program. Next, it appends itself to the executable image, where the JUMP points 
to. This is a direct copy of the code in memory. The first part of the virus 
writes the stored bytes back to the front of the program image in memory - when 
the program is executed, it jumps straight to the virus code, and this step puts 
the program back as it was. The virus code allocates some memory, puts itself in 
there, hooks the exec interrupt, and JUMPs to the beginning of the program, 
which executes as normal...


Extensions to this involve having the first thing the virus does be to decrypt 
the rest of itself with a key stored inside itself: when it infects a new .EXE, 
it randomly chooses a key, encrypts with it as it writes itself to disk, and 
stores the key in the .EXE. 


And it gets a lot more ingenious (Stealth, etc...)


Regards,


ABW

-- 
Alaric B. Williams (alaric AT abwillms DOT demon DOT co DOT uk)
"A man walks into a bar, right, and he goes 'ouch' coz it's an iron bar"
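The infection layout described in the message above (save the first bytes, overwrite them with a JMP to the end, append the body, have the appended code put the saved bytes back) and the encryption extension, modelled as an added example. This is not code from the message or from any real virus: it operates only on a byte array standing in for a program image, touches no files, hooks no interrupt and executes no machine code. It assumes a flat image whose entry is byte 0, the 8086 near-JMP encoding (E9 rel16, relative to the address after the instruction), a constructed 10-byte "virus body", and single-byte XOR as the stand-in for the per-infection encryption. Alongside the infect step it shows the two checks a practitioner cares about: why a plain byte signature for the body stops matching once each copy is encrypted under a fresh key, and the structural check (entry JMP landing on a record at the very end of the image) that still finds it and lets the original bytes be put back.

```c
/* Model of the appending-infector layout from the post above, as an added
 * example (not code from the message). It works on byte arrays standing in
 * for a program image: no files are touched, no interrupt is hooked and no
 * machine code is executed. Assumptions: a flat image whose entry is byte 0,
 * the 8086 near-JMP encoding (E9 rel16), a constructed 10-byte "virus body",
 * and single-byte XOR as the stand-in for the per-infection encryption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROLOG 3                /* bytes a near JMP (E9 lo hi) overwrites */

struct image { uint8_t *buf; size_t len; };

/* Constructed sample program: mov ax,4C00h / int 21h / nops. Never executed. */
static const uint8_t SAMPLE_PROGRAM[] = { 0xB8, 0x00, 0x4C, 0xCD, 0x21, 0x90, 0x90, 0x90 };
/* Constructed stand-in for the virus body; a real body would be code. */
static const uint8_t VIRUS_BODY[] = "VIRUSBODY";     /* 10 bytes incl. NUL */
#define BODY_LEN (sizeof VIRUS_BODY)
#define RECORD_LEN (PROLOG + 1 + BODY_LEN)           /* saved bytes + key + body */

struct image make_image(const uint8_t *src, size_t n)
{
    struct image im = { malloc(n), n };
    if (im.buf) memcpy(im.buf, src, n);
    return im;
}

/* The infection step the post describes: remember the first bytes, append
 * the body (encrypted under this copy's key) plus the key at the end, and
 * overwrite the entry with a JMP to where the appended record starts.
 * Appended record layout: [saved prolog][key][body XOR key] */
int infect(const struct image *in, uint8_t key, struct image *out)
{
    if (in->len < PROLOG || in->len > 0x7FFF) return -1;   /* rel16 reach */
    size_t tail = in->len;
    uint8_t *b = malloc(tail + RECORD_LEN);
    if (!b) return -1;
    memcpy(b, in->buf, tail);
    memcpy(b + tail, in->buf, PROLOG);                   /* saved original bytes */
    b[tail + PROLOG] = key;
    for (size_t i = 0; i < BODY_LEN; i++)
        b[tail + PROLOG + 1 + i] = VIRUS_BODY[i] ^ key;  /* body written encrypted */
    uint16_t rel = (uint16_t)(tail - PROLOG);            /* target relative to next IP */
    b[0] = 0xE9; b[1] = rel & 0xFF; b[2] = rel >> 8;
    out->buf = b; out->len = tail + RECORD_LEN;
    return 0;
}

/* What a plain byte-signature scanner sees: the body in clear never appears
 * in the infected image unless the chosen key happens to be zero. */
int naive_signature_hit(const struct image *in)
{
    for (size_t i = 0; i + BODY_LEN <= in->len; i++)
        if (memcmp(in->buf + i, VIRUS_BODY, BODY_LEN) == 0) return 1;
    return 0;
}

/* The check that does work against this layout: an entry-point JMP whose
 * target is a record at the very end of the image. Decrypt the record with
 * the key it carries, confirm the body, then do what the virus's own prolog
 * does in memory: put the saved bytes back at the front and drop the tail.
 * Returns 1 and fills *out when cleaned, 0 when the image is not infected. */
int scan_and_clean(const struct image *in, struct image *out)
{
    if (in->len < PROLOG + RECORD_LEN || in->buf[0] != 0xE9) return 0;
    size_t target = PROLOG + (size_t)(in->buf[1] | (in->buf[2] << 8));
    if (target + RECORD_LEN != in->len) return 0;         /* JMP not to a tail record */
    const uint8_t *rec = in->buf + target;
    uint8_t key = rec[PROLOG], plain[BODY_LEN];
    for (size_t i = 0; i < BODY_LEN; i++) plain[i] = rec[PROLOG + 1 + i] ^ key;
    if (memcmp(plain, VIRUS_BODY, BODY_LEN) != 0) return 0;
    uint8_t *b = malloc(target);
    if (!b) return 0;
    memcpy(b, in->buf, target);
    memcpy(b, rec, PROLOG);                               /* restore entry bytes */
    out->buf = b; out->len = target;
    return 1;
}

int main(void)
{
    struct image orig = make_image(SAMPLE_PROGRAM, sizeof SAMPLE_PROGRAM), inf, clean;
    if (!orig.buf || infect(&orig, 0x5A, &inf) != 0) return 1;
    printf("infected: %zu bytes, entry %02X, plain-body signature hit: %d\n",
           inf.len, inf.buf[0], naive_signature_hit(&inf));
    if (scan_and_clean(&inf, &clean)) {
        printf("cleaned: %zu bytes, identical to original: %d\n", clean.len,
               memcmp(clean.buf, SAMPLE_PROGRAM, sizeof SAMPLE_PROGRAM) == 0);
        free(clean.buf);
    }
    free(orig.buf); free(inf.buf);
    return 0;
}
```

Two things the model makes visible that the prose only implies: the JMP displacement is computed from the address after the 3-byte instruction, so the infector must know exactly how many entry bytes it saved; and because the decryptor and the key slot sit in the clear at a fixed position relative to the JMP target, a scanner that follows the entry JMP and decrypts with the stored key does not need the body's bytes to be constant. Swapping in a different key for each run of `infect` changes every byte of the appended body but not the outcome of `scan_and_clean`.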



  Copyright © 2019   by DJ Delorie     Updated Jul 2019