flat assembler
Message board for the users of flat assembler.

Index > Heap > I want to dl a virus, where can I get one?

bitshifter
Joined: 04 Dec 2007
Posts: 764
Location: Massachusetts, USA
I was just kidding.

Funny that you put some fire out there
and you tell them that it burns, but people
want to play with this fire anyway...
Post 01 Feb 2010, 16:26
Madis731
Joined: 25 Sep 2003
Posts: 2141
Location: Estonia
The steps:
1) Open TheNastiestVirusOnEarth.exe.zip (my browser default is 7-Zip)
2) See that it contains .text and .idata
3) Open .text (211 bytes) - nah, that's not it - it just contains some data
4) Open .idata (146 bytes) - hmm, it only contains links to KERNEL32.DLL, USER32.DLL and ExitProcess, MessageBoxA

so:
5) up one directory
6) rename to .exe
7) Execute

Hmm, nothing bad happened.

Notes:
7-Zip's new beta can open executables as archives, and as FASMW is my default editor, the F4 key opens the sections in FASM.
Post 01 Feb 2010, 17:06
DustWolf
Joined: 26 Jan 2006
Posts: 373
Location: Ljubljana, Slovenia
Tyler: Most viruses try to do something illegal over the network such as send SPAM, so it might be a bad idea to let them identify themselves with your IP even if you intend to nuke the machine afterwards. Bad things may happen (e.g. your ISP sends you a legal notice or worse).

If you really want to do this you may want to rather make a honeybox (a lot more fun!). You'll need two machines; put Windows on one and Linux on the other. Configure the Linux box with two network interfaces, connect the outer one to the internet and the inner one to the Windows box. Configure the Linux box to forward all incoming traffic to the Windows box, but block or at least filter any outgoing requests (block SMTP and port-scanning behaviour?). Turn off the firewall on the Windows box, clear all passwords or set them to widely known defaults and let it all be for a while. Run Wireshark or similar on the Linux box. The Windows box gets infected by viruses and you get to see everything that is going on! Great fun!

I tried to set one of those up at work. Kinda too much work, but very cool once up!

LP,
Jure
Post 02 Feb 2010, 00:47
Tyler
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Sorry it took me so long to respond, it took me a while to get crap working again.
Quote:

Easy. Stick a random pendrive in your machine. Most of the time, you'll get at least one, or maybe a dozen. Don't forget to be logged in as an administrative user and enable all autoruns.

Where the heck am I supposed to get a random pen drive?
Quote:

I wrote a virus just for Tyler. Enjoy

And I find this after I uninstalled Windows; I haven't got it working again yet and I'm impatient, what does it do?

DustWolf: That does sound like fun, but where do I get the second computer?

I've already found "Anti Virus 1.0" on "serialz.com" (or something like that). It got flagged by Windows Defender, I let it through, but nothing interesting happened. So, I just went ahead with my original plan.
I was really hoping for something similar to, if not, adware. Something that does stuff directly in front of you, instead of trying to hide it. Or at least something that could screw with stuff without me having to allow it to. Like the old viruses, more focused on notoriety and infamy as opposed to today's viruses that are completely centered on illegal profit.
Just a question, how do BIOS viruses work? Considering that processors start in real mode, it would be rather impossible to start the virus as a second process.
Post 02 Feb 2010, 02:27
Tyler
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
DustWolf: Would it be safe to set that up in a VM? I got VMware, which allows you to set up the guest as if it was connecting directly to a network (the guest literally has its own IP with the router), I could set up one VM to be the Linux and another to be the Windows. Or would doing this put the host in danger?

revolution: Ah, I was so excited. It didn't do anything but display a message box.
Post 02 Feb 2010, 04:37
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
Did you think I would post a real virus?
Post 02 Feb 2010, 04:48
Tyler
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
No, it was sarcasm.
Post 02 Feb 2010, 05:46
ManOfSteel
Joined: 02 Feb 2005
Posts: 1154
Tyler wrote:
Where the heck am I supposed to get a random pen drive?

Um, dunno. A friend, colleague, family member, etc. maybe? Pendrives are not as rare nowadays as they were 10 years ago.
Post 02 Feb 2010, 11:30
DustWolf
Joined: 26 Jan 2006
Posts: 373
Location: Ljubljana, Slovenia
Tyler wrote:
DustWolf: Would it be safe to set that up in a VM? I got VMware, which allows you to set up the guest as if it was connecting directly to a network (the guest literally has its own IP with the router), I could set up one VM to be the Linux and another to be the Windows. Or would doing this put the host in danger?


I have done it by having Linux as the host and Windows as a VM; however, setting up the interfaces properly is very tricky with VMware, as the VMnets do not behave as normal interfaces but have built-in IP configuration as well. However, it can be done.

I doubt a Windows VM can threaten a Linux host (I think the worst they could do is speculate on what you are doing on your host, using VT timings), however should anything bad happen, just reset the VM to a snapshot, problem solved.

Note that all of this is still a lot of work (no howto will help, hacking is needed to get it to work).
Post 02 Feb 2010, 20:05
DustWolf
Joined: 26 Jan 2006
Posts: 373
Location: Ljubljana, Slovenia
Tyler wrote:
Just a question, how do BIOS viruses work? Considering that processors start in real mode, it would be rather impossible to start the virus as a second process.


Ahh yes. The bliss of Microsoft programming education.

In reality, real-mode is not a single-tasking environment. The PC architecture can run multiple programs simultaneously regardless of processor mode, using interrupts. Just hook your program up as an ISR and it will be executed whenever the interrupt is called by hardware, interrupting (hence the name) other processes.

LP,
Jure
Post 02 Feb 2010, 20:14
DustWolf
Joined: 26 Jan 2006
Posts: 373
Location: Ljubljana, Slovenia
revolution wrote:
Did you think I would post a real virus?


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Cool

LP,
Jure
Post 02 Feb 2010, 20:16
Tyler
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
I don't feel like learning all the opcodes used in that, is there a disassembler that can show the asm for it?
Post 03 Feb 2010, 00:28
ManOfSteel
Joined: 02 Feb 2005
Posts: 1154
Any disassembler will do. It's all ASCII, so copy it to your text editor, save and disassemble.

This may help too.

And BTW, EICAR is not a virus. It's a test file for AVs.
Post 03 Feb 2010, 01:42
bitRAKE
Joined: 21 Jul 2003
Posts: 2915
Location: [RSP+8*5]
The string "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$" should execute perfectly fine - wonder why they felt the need to jump over it?
Code:
org $100
    inc bp          ; E
    dec cx          ; I
    inc bx          ; C
    inc cx          ; A
    push dx         ; R
    sub ax,$5453    ; -ST
    inc cx          ; A
    dec si          ; N
    inc sp          ; D
    inc cx          ; A
    push dx         ; R
    inc sp          ; D
    sub ax,$4E41    ; -AN
    push sp         ; T
    dec cx          ; I
    push si         ; V
    dec cx          ; I
    push dx         ; R
    push bp         ; U
    push bx         ; S
    sub ax,$4554    ; -TE
    push bx         ; S
    push sp         ; T
    sub ax,$4946    ; -FI
    dec sp          ; L
    inc bp          ; E
    and [si],sp     ; !$
...interesting how that last instruction doesn't damage the first byte of the string.
Post 03 Feb 2010, 09:58
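As an added example (not code from the thread, nor from EICAR), the Python below runs the whole test string as a DOS .COM image in a tiny interpreter covering just the opcodes it uses, so the part bitRAKE did not decode can be watched as well: the prologue leaves DX pointing at the message text, the two `sub [bx],si` instructions rewrite the trailing `H+H*` into `int 21h` / `int 20h`, and the `jge` skips the message to land exactly on those rewritten bytes. It assumes the DOS .COM conventions (load at offset 100h, a zero word at the top of the stack) and models DOS only as int 21h/AH=09h (print $-terminated string) and int 20h (terminate).

```python
# Added example (not from the thread): a minimal 8086 interpreter for just the
# opcodes the EICAR test string uses, run as a DOS .COM image.  Assumed: load at
# offset 0100h, a zero word at the top of the stack (DOS convention), and DOS
# modelled only as int 21h/AH=09h (print $-string) and int 20h (terminate).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
AX, CX, DX, BX, SP, BP, SI, DI = range(8)

def run_com(image, max_steps=200):
    """Execute image as a .COM program; return (bytes printed, final image)."""
    mem = bytearray(0x10000); mem[0x100:0x100 + len(image)] = image
    r, ip, sf, of, out = [0] * 8, 0x100, False, False, b""
    r[SP] = 0xFFFE                               # DOS leaves 0000h at SS:FFFEh
    rd16 = lambda a: mem[a] | mem[a + 1] << 8
    def wr16(a, v): mem[a], mem[a + 1] = v & 0xFF, v >> 8 & 0xFF
    def sub16(a, b):                             # 16-bit subtract, sets SF/OF for jge
        nonlocal sf, of
        res = (a - b) & 0xFFFF
        sf, of = bool(res & 0x8000), bool((a ^ b) & (a ^ res) & 0x8000)
        return res
    for _ in range(max_steps):
        op = mem[ip]; ip += 1
        if 0x40 <= op <= 0x4F:                   # inc/dec r16
            r[op & 7] = (r[op & 7] + (1 if op < 0x48 else -1)) & 0xFFFF
        elif 0x50 <= op <= 0x57:                 # push r16
            r[SP] = (r[SP] - 2) & 0xFFFF; wr16(r[SP], r[op & 7])
        elif 0x58 <= op <= 0x5F:                 # pop r16
            r[op & 7] = rd16(r[SP]); r[SP] = (r[SP] + 2) & 0xFFFF
        elif op in (0x25, 0x2D, 0x35):           # and/sub/xor ax, imm16
            imm = rd16(ip); ip += 2
            r[AX] = r[AX] & imm if op == 0x25 else r[AX] ^ imm if op == 0x35 else sub16(r[AX], imm)
        elif op == 0x34:                         # xor al, imm8
            r[AX] ^= mem[ip]; ip += 1
        elif op == 0x29:                         # sub [bx]/[si]/[di], r16 (mod=00 forms only)
            modrm = mem[ip]; ip += 1
            addr = {7: r[BX], 4: r[SI], 5: r[DI]}[modrm & 7]
            wr16(addr, sub16(rd16(addr), r[modrm >> 3 & 7]))
        elif op == 0x7D:                         # jge rel8, taken when SF == OF
            rel = mem[ip]; ip += 1
            if sf == of: ip = (ip + rel - (256 if rel > 127 else 0)) & 0xFFFF
        elif op == 0xCD and mem[ip] == 0x21 and r[AX] >> 8 == 0x09:  # DOS print $-string at DS:DX
            out += bytes(mem[r[DX]:mem.index(0x24, r[DX])]); ip += 1
        elif op == 0xCD and mem[ip] == 0x20:     # DOS terminate program
            return out, bytes(mem[0x100:0x100 + len(image)])
        else:
            raise NotImplementedError(f"opcode {op:02X}h at {ip - 1:04X}h not modelled")
    raise RuntimeError("step limit reached")

def eicar_trace():
    printed, patched = run_com(EICAR)            # text printed, last four bytes after the SMC
    return printed.decode(), patched[-4:].hex()  # ('EICAR-STANDARD-ANTIVIRUS-TEST-FILE!', 'cd21cd20')
```

Falling through bitRAKE's listing instead of taking the jump would leave AH clobbered by its four `sub ax,imm16` instructions, so the rewritten `int 21h` would no longer be the print-string call.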
score_under
Joined: 27 Aug 2009
Posts: 27
@"Nasty Virus.exe.zip"
Heh, I hadn't thought of that CALL trick to push a string before. I wonder if it actually has any legitimate practical use.
Post 03 Feb 2010, 20:31
bitRAKE
Joined: 21 Jul 2003
Posts: 2915
Location: [RSP+8*5]
bitRAKE wrote:
wonder why they felt the need to jump over it?
It just occurred to me: the self-modified code might need the jump on some processors to load the new code. (Kind of psychotic answering myself, but I'm okay with that, lol.)

_________________
¯\(°_o)/¯ unlicense.org
Post 05 Feb 2010, 03:06
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
bitRAKE wrote:
bitRAKE wrote:
wonder why they felt the need to jump over it?
It just occurred to me: the self-modified code might need the jump on some processors to load the new code.
I'm not sure, but I think this only applied to the old 8086/88 and 80286 (maybe 80386?) with the six-byte prefetch queue. So if your instruction was more than six bytes away from the current instruction, then you were good to go for SMC. Certainly the later CPUs (Pentium and up) have lots of silicon dedicated to ensuring that SMC will always work without jumping.
Post 05 Feb 2010, 03:11
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Code:
format pe gui 4.0

mov eax, @f+2
mov edx, $C3C3C3C3
mov byte [$+4], 0  ; Just in case that first write generates a PF
jmp @f

align 64
@@:
mov [eax], edx
xor ebx, ebx
xor ecx, ecx
int3               ; Never reached
The program always terminates gracefully. I've used those XORs to try to force the processor to make the mistake of executing them without noticing the four RETs, but still I couldn't manage to execute int3.

I'm glad bitRAKE talked about this, I always assumed that modifications inside fetched 16-byte chunks were unnoticeable for processors.
Post 05 Feb 2010, 03:41
sinsi
Joined: 10 Aug 2007
Posts: 693
Location: Adelaide
A write to a code segment that is cached invalidates the cache line(s). If it's been decoded (or partly decoded) the prefetch queue is also cleared and it starts again.
That was the way to test between an 8088 and 8086. From memory, the 8088 didn't have a prefetch queue and the 8086 had a 6-byte queue.
Post 05 Feb 2010, 04:08
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
I thought the 8088 had a 4-byte prefetch queue? Anyhow, it doesn't matter, you could still write to upcoming code and the 8086/8088 might not see it and execute the old code from the queue. Does anyone know about the 286 and 386? I can't find it mentioned in my docs and my old 286 systems are not currently available to me for testing.
Post 05 Feb 2010, 04:36


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.