Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Win95 structures and secrets

Murkry

[Back to index] [Comments]

Since the start of Win95 many things that virii writers came to accept as easy to get, became harder. Things like the interrupt calls, filename paths to the system files. Well the API calls have replaced interrupts and virii writers have used several tricks to get the address to these calls.

As for filename or path to system files, we have hard coded possible ones and also used the API's (of course this added a bit to our code). Of course back in the DOS days if we search the PSP we could find much of this info without relying on API calls. Well as many readers of Windows95 System Programming Secrets are aware there are several tables (or K32 objects) that are available for us but finding these tables requires API (or at least in the book they do). Well as you may have guessed by now the pointers to these tables are readily avaiable. In win95, A and B version as well as some of the earlier version the Registers seem to startup with similiar info.

Be warned that this info does not apply to WinNT in the release of Win98 I saw it was true though. (Side note, nice check for win95 to win nt is eax != eip then your probably not in 95 or something was playing with the registers b4 you got them. Hmm make sure your viruses restore all regs or some smart programmers may actually write some self aware programs that check this ;)

Anyway all 95 versions I have checked Regs start out with

        EAX  =  EIP of startup
        EBX  =  ???
        ECX  =  K32OBJ_MUTEX              appears
        EDX  =  K32OBJ_CRITICAL_SECTION   appears
        ESI  =  K32OBJ_PROCESS
        EDI  =  K32OBJ_THREAD
        EBP  =
        ESP  =  Strange info see below

Ok b4 all you experts yell (wait,, experts?? hell you write this):

EAX
is basicaly a fact
Ebx
00530000 or similiar number never points to a in processs address though
ECX
This is a Guess but it seems to point to a table and starts with 03 Read the Book to understand why 03 means something
ESI
points to a table that starts with 05 and I have used this table to get to the enviroment database which wonders of wonders has things like Full path and file name of executing file Paths and command line Startupinfo. Again reading the book will explain all or if you have access to the ddk you can verify this as I have done.
EDI
Table starts up with 06 and has all sorts of info in it
EBP
somewhere I have notes on what this points at, but I can't locate it I think MarkJ may have eaten it when I last babysat for him ;)
ESP
strange but if you look at a start up there are some very intersting numbers that always show up.

now this varies depending on lenght of name, but again we find pointers to locations that when examine are tables or pointers to entries in the tables as well as SEH pointers:

         
                +10 = File name of file being excuted
                        format is strange 'Host1',0,'EXE',0
                        whether or not you enter the extension or not it will
                        be caps and the name will be caps first letter
                        lowercase rest
                +c  = ebp = Dammit what is this number
                +8  = esi = obj_process database
                +4  = edi = obj_thread database
            EsP +0  = pnter into location in Kernel32

What does this mean to us virii/hackers of win95 lets say we want to write a virus that adds info to the end of the host but does not modify the host PE header so while the info is there it is not loaded into memory. (A new LE\Macro infector works like this) Step one we need the file name well check out the code below which will show a MessageBox with the file name in quotes when ran normaly but will show the file name without quotes if in td32 and I assume other debuggers (probaly not SI though) Be warn about this feature since this means if you are running a debugger to test it will work diffrently ie if you used this pointer to try and open the file it will fail since file "c:\filepath\foo.exe" is the file you will try to open not c:\filepath\foo.exe.

NOTE this is one way to get the info i could just use esi rather than get the info off the stack

        mov     edi,[esp +8]    ; Get the Pointer to process Database
        mov     edi,[edi+040h]  ; Within DataBase get pointer to the Enviroment
                                ; DataBase
        mov     edi,[edi+8]     ; In Enviroment DataBase get the Pnter to
                                ; Command line
        call    MessageBoxA,large 0,edi, offset tile,large 1

now there are a lot of other info avaiable in the other Database but the Enviroment Table is structured as:

     Offset
        00h    Ptr to the enviroment string  
               as you scan through the table you find  
                     =C:=C:\tasm\virii\over
                     TEMP=C:\WINDOWS\TEMP
                     PROMPT=$p$g
                     winbootdir=C:\WINDOWS
                     COMSPEC=C:\WINDOWS\COMMAND.COM
                     PATH=C:\BTI\WIN\BIN;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\UTIL;
                     TMP=C:\WINDOWS\TEMP
                     windir=C:\WINDOWS
                     CMDLINE=td32 host1
               
        * While the ; is used in the path all other items are delimited by 00h

        04h    unknown Zero as far as I have seen
        0Ch    pntr to str Current directory note when in 
                     td32
                          C:\TASM\VIRII\OVER\HOST1.EXE
                     Normal
                          "C:\TASM\VIRII\OVER\HOST1.EXE"
        10h     ptr to a copy of StartupInfo 

There are other entries but these are the ones I am showing for now since they are the ones I view as nice to have for virii related, See the book or DDK for more info.

As you can see the Enviroment database is as useful as the old dos psp oh btw there is still a PSP see Process Database offset 24h of course its the linear address, But exploring info that the stack has to offer is fun as well and as for the infamous FS:[0] seh area

this is called (in the book) Thread Information Block TIB point at by edi starting at offset 10h in that database.

Strangely this same info is also in the thread database

00 ddpointer to existing Exception handler (see 29A#2 for more info)
04 ddtop of stack
08 ddstack low
0chdww16tdb
0ehdwStackSelector 16 byte
10hddSelman list
14hddUser Pointer user accessable ???
18hddpnter TIB (book says) to me points to ESI obj process database
1chdwtibflags
1ehdwwin16MutexCount
20hddDebugContext
24hddpntr Current Priority
28hddMessage Queue
2chddpntr TLS Array

Get this grab the top of stack

now sub 4   get   0
        8         a pnter inside some location in Kernel32
        c         ?
        10        0
        14        looks like a copy of the PE header and a NE header of some
                  sort this entry may be important?? not sure

Again don't bet the house on this info, while the tables are documented I am sure a number of my fellow PE 32 bit virii friends will point out "Its not documented" when refering to my method od using esi or stack refrence to get the Process database location. I suspect in Win95\98 stays around long enough these items will be documented as people use them more and more. Of course just use the SEH method to protect your code and then feel free to try these ideas out if they SEH catches it then you can exit gracefully.

Anyway I include with this article a bried example file that shows the two methods of getting the File being excuted. I could have used esi to get the K32OBJ_PROCESS but I instead show the stack method of doing it.

-------------------------------------------------------------------------------
And here is some sample code. Compile as usual:
tasm32 /ml /m4 host1,,;
tlink32 /Tpe /aa /c /x host1,,, import32.lib
-------------------------------------------------------------------------------

.486
.model flat,stdcall


;Define the needed external functions and constants here.

extrn           ExitProcess:PROC
extrn           MessageBoxA:PROC

.data                                   ;the data area
dummy           dd      ?               ;just so tasm will compile it 
tile           db      'Hmm',0
.code                                   ;executable code starts here
 
HOST:
 
;Example of getting filename off stack
        mov     al,0
        lea     edi,[esp + 16D]         ;file name
        push    edi
        repne    scasb
        mov     byte ptr [edi - 1],2eh
        pop     edi
        call    MessageBoxA,large 0,edi, offset tile,large 1

;example  getiing the obj_process off the stack
; then geting enviroment database at offset 40h then offset to the filename
; notice the " "
        mov     edi,[esp +8]
        mov     edi,[edi+040h]
        mov     edi,[edi+8]
        call    MessageBoxA,large 0,edi, offset tile,large 1

        jmp     here


 
here:
        push    LARGE -1
        call    ExitProcess             ;Dummy host does nothing but end 
                                        ;like int 20 in Dos 
        end     HOST
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua