flat assembler
Message board for the users of flat assembler.
Bizarre - dual nature programs
okasvi 04 Aug 2006, 13:20
Nice, haven't seen anything like this before.
edit: I'm wondering, how did you get the idea to do this?
MHajduk 04 Aug 2006, 14:03
Thanks.
The idea was suggested to me by COM/BAT programs, which are simple, hm... viruses under the DOS system (batch viruses). But the presented examples are not malware and have only an educational purpose.
MHajduk 04 Aug 2006, 16:04
And something for dessert: an example of HTML/COM 'dual nature' program:
Code:
; Program in FASM, which has a 'dual nature': it can be executed as a COM
; application (default) or viewed as a HTML page (after changing a program
; extension to '.html' or '.htm').
;
; (C) Mikolaj Hajduk.
;
org 100h

; New line char.
;
NL equ 0Dh, 0Ah

; Sequence of assembler commands corresponding to '<!--' (begin of HTML comment).
; Encoded as 3C 21 2D 2D 20, i.e. the bytes '<!-- '.
;
    cmp al, 21h
    sub ax, 202Dh

; Skip the content of HTML page.
;
    jmp COMBody

; Content of HTML page.
;
HTML:
    db '-->'                    ; End of HTML comment.
    db '<html><head><title>HTML/COM</title></head><body>'
    db '<center><h1>Hello from HTML!</h1></center></body></html>'

; Body of the COM program.
;
COMBody:
    cmp al, 21h                 ; Begin of HTML comment (sequence '<!--').
    sub ax, 202Dh               ;

; Show message(s).
;
    mov ah, 09h
    mov dx, Text
    int 21h

; Wait until the key is pressed.
;
PressAnyKey:
    mov ah, 1
    int 16h
    jz PressAnyKey

; End of COM program.
;
    mov ax, 4C00h
    int 21h

; Message text (the trailing '-->' closes the HTML comment opened at COMBody).
;
Text db "Hello from COM program!", NL, NL, 'Press any key: $ -->'
Reverend 04 Aug 2006, 21:22
Also, when you have a ready HTML file and put it as a stub in PE files, it has a dual nature. I've seen an example with some simple HTML file, but when the HTML is written correctly it should work even when the headers, code and data come after it.
rugxulo 05 Aug 2006, 00:20
http://www.deater.net/weave/vmwprod/asm/
Quote:
LocoDelAssembly 05 Aug 2006, 01:38
Code:
format pe gui 4.0
include 'win32a.inc'

start:
    ; CPUID leaf 8FFFFFFFh: on AMD K8 the four result registers
    ; spell out the easter-egg string.
    mov eax, 0x8fffffff
    cpuid
    ; Store eax, ebx, ecx, edx into buffer (in that order) by pushing
    ; through a temporarily relocated stack pointer.
    mov ebp, esp
    mov esp, buffer+4*4
    push edx
    push ecx
    push ebx
    push eax
    mov esp, ebp
    invoke MessageBox, 0, buffer, tittle, MB_ICONINFORMATION
    ret

buffer rb 4*4
       db 0                     ; terminating NUL for the string
tittle db "AMD64 Easter Egg",0

data import
    library user32,'USER32.DLL'
    import user32, MessageBox, 'MessageBoxA'
end data

Nice finding rugxulo
Regards
PD: IT'S HAMMER TIME
MHajduk 05 Aug 2006, 12:30
Señor 'Loco del assembly',
I'm afraid that I don't understand the essentials of the 'duality' of Your program. ¿Could You explain it to me in detail? Atentamente, Mikolaj Hajduk.
LocoDelAssembly 05 Aug 2006, 15:11
Señor Mikolaj Hajduk,
Yep, it's a completely off-topic post, I know. I posted it because I found the Linux code on the link that rugxulo posted, but it has no duality at all. Atentamente, Hernán
MHajduk 18 Aug 2006, 11:37
Here is an example of an HTML/EXE 'dual nature' program.
This program is based on babyboy10777's 'Manual .EXE template' (just changed and re-edited a little).
Code:
; Program in FASM, which is an example of HTML/EXE 'dual nature' program.
; After changing its extension from '.bin' to '.exe' it becomes normal
; Win application. If its extension has been modified to '.htm' or '.html',
; it may be viewed in WWW browser as a normal HTML page.
;
; (C) Mikolaj Hajduk, 18.08.2006.
; based on babyboy10777's 'Manual .EXE template'.
;
macro align n { db ((n-1)-($+n-1) mod n) dup(0) }

use32

exe_begin:
    dw 'MZ'                     ; Useless...
    db '<!--'                   ; Begin of HTML comment.
    db 36h dup(0)
    dd 40h                      ; e_lfanew: PE header at file offset 40h.
    db 'PE', 0, 0               ; Signature,
    dd 1014Ch, 0, 0, 0          ; cpu (.I386+). # sections, etc,
    dd 10F00E0h, 10Bh           ; n/a,
    dd 0, 0, 0                  ; .code/.idata/.data sizes,
    dd 1000h, 0, 0, 400000h     ; entry, .code/.data offsets, base address,
    dd 1000h, 200h              ; section alignment in memory and file: 1K/512,
    dd 1, 0, 4, 0               ; versions,
    dd (((1000h + prg_core_end-prg_core) shr 12) + 1) shl 12 ; image size = (rva + section size) aligned to 1000h,
    dd 200h, 0                  ; section 1 offset,
    dw 2, 0                     ; subsystem,
    dd 1000h, 1000h, 1000h, 0   ; stack/heap reserve/commit,
    dd 0, 16                    ; flags, # directories,
    dq 0                        ; "data directory" structures,
    dd it+0E00h                 ; import table rva, size...
    dd prg_core_end-it
    dq 14 dup(0)

    dq '.core'                  ; Section header. File offset = 138h.
    dd prg_core_end-prg_core    ; Size,
    dd 1000h                    ; rva,
    dd exe_end-prg_core         ; size rounded to 200h,
    dd 200h, 0, 0, 0            ; file offset, skip relocations, etc,
    dd 0E0000020h               ; attributes: readable, writable, executable, etc,
    db 200h-$ dup(0)            ; proceed to 200h/1000h.

; 'Core' of the program. File offset 200h maps to rva 1000h, hence the
; +0E00h (rva) and +400E00h (virtual address) adjustments below.
;
prg_core:
    push 0 msgbox_caption+400E00h msgbox_message+400E00h 0
    call dword [MessageBox+400E00h]
    push 0
    call dword [ExitProcess+400E00h]

; Program data.
;
msgbox_caption db 'HTML/EXE example.', 0
msgbox_message db 'Hello from EXE!', 0

; Import table.
;
it:
    dd 0, 0, 0, kernel_name+0E00h, kernel_table+0E00h
    dd 0, 0, 0, user_name+0E00h, user_table+0E00h
    dd 0, 0, 0, 0, 0

kernel_name db 'KERNEL32.DLL', 0
kernel_table:
ExitProcess dd _ExitProcess+0E00h
    dd 0
_ExitProcess db 0, 0, 'ExitProcess', 0

user_name db 'USER32.DLL', 0
user_table:
MessageBox dd _MessageBox+0E00h
    dd 0
_MessageBox db 0, 0, 'MessageBoxA', 0

; End of the main part of application.
;
prg_core_end:

; End of HTML comment.
;
    db '-->'

; Content of HTML page.
;
    db '<html><head><title>HTML/EXE</title></head>'
    db '<body text="black" bgcolor="black"><center>'
    db '<h1 style="color: red;">Hello from HTML!</h1>'
    db '</center></body></html>'

align 512
exe_end:

Regards, M.H.
[EDIT] Images were moved to another server. [/EDIT]
Last edited by MHajduk on 07 Nov 2006, 14:41; edited 2 times in total
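Both layouts in this thread (the COM/HTML program posted earlier and the HTML/EXE program above, as well as Reverend's HTML-as-DOS-stub variant) hide a program inside an HTML comment, so a scanner can look for exactly that. The Python below is an added example, not code from the thread or from its authors: it walks the MZ header to e_lfanew and flags an HTML comment opener sitting inside the DOS header/stub region, and for headerless COM-style files flags HTML comments whose body contains control bytes, which hand-written comment text never has. The sample inputs (sample_html_exe, sample_com_html and the two plain ones) are constructed byte strings imitating the layouts described in this thread; they are not the assembled programs and do not run.

```python
"""Added example (not from the thread): flag HTML/PE and HTML/COM polyglots.

Sample inputs are constructed stand-ins for the layouts discussed above,
not assembled programs.
"""
import struct
import sys

PE_SIGNATURE = b"PE\0\0"
COMMENT_OPEN, COMMENT_CLOSE = b"<!--", b"-->"
HTML_TAGS = (b"<html", b"<head", b"<body", b"<script")

# C0 control bytes other than TAB/LF/CR, plus DEL: absent from hand-written
# HTML comment text, but all over PE headers and x86 machine code.
CONTROL_BYTES = (frozenset(range(0x20)) - {0x09, 0x0A, 0x0D}) | {0x7F}


def pe_header_offset(data):
    """Walk 'MZ' -> e_lfanew (at 0x3C) -> 'PE\\0\\0'. Return e_lfanew or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:   # out-of-range slice is b""
        return None
    return e_lfanew


def looks_like_html(data):
    low = data.lower()
    return any(tag in low for tag in HTML_TAGS)


def binary_html_comments(data):
    """List (start, end, control_byte_count) for each <!-- ... --> whose body
    contains control bytes; an unterminated comment runs to end of file."""
    hits, pos = [], 0
    while (start := data.find(COMMENT_OPEN, pos)) >= 0:
        end = data.find(COMMENT_CLOSE, start + len(COMMENT_OPEN))
        if end < 0:
            end = len(data)
        body = data[start + len(COMMENT_OPEN):end]
        n_control = sum(b in CONTROL_BYTES for b in body)
        if n_control:
            hits.append((start, end, n_control))
        pos = end + len(COMMENT_CLOSE)
    return hits


def classify(data):
    """'html-pe-polyglot' | 'html-com-polyglot?' | 'pe' | 'html' | 'other'."""
    e_lfanew = pe_header_offset(data)
    html = looks_like_html(data)
    if e_lfanew is not None:
        # Only the DOS header/stub (bytes before e_lfanew) is checked for the
        # opener: that is where 'MZ<!--' and an HTML stub put it, and where a
        # normally built PE never carries HTML (HTML in resources is common).
        if html and data.find(COMMENT_OPEN, 0, e_lfanew) >= 0:
            return "html-pe-polyglot"
        return "pe"
    if html:
        # COM files have no header, so the only structural tell is an HTML
        # comment whose body is machine code instead of text.
        return "html-com-polyglot?" if binary_html_comments(data) else "html"
    return "other"


def sample_html_exe():
    """Constructed HTML/EXE stand-in: 'MZ', '<!--' at offset 2, e_lfanew=0x40,
    a zero-filled PE header, placeholder code bytes, then '-->' and the page."""
    hdr = b"MZ" + COMMENT_OPEN
    hdr += b"\0" * (0x3C - len(hdr)) + struct.pack("<I", 0x40)
    hdr += PE_SIGNATURE + b"\0" * 0xF8            # COFF + optional header, zeroed
    code = b"\x6a\x00" * 4                        # push 0 (placeholder code)
    page = b"<html><head><title>HTML/EXE</title></head><body>Hello from HTML!</body></html>"
    return hdr + code + COMMENT_CLOSE + page


def sample_com_html():
    """Constructed COM/HTML stand-in: '<!-- ' spelled as cmp al,21h / sub ax,202Dh,
    a placeholder short jump, '-->', the page, a second '<!-- ', DOS code, '$ -->'."""
    opener = b"\x3c\x21\x2d\x2d\x20"              # cmp al,21h ; sub ax,202Dh
    page = COMMENT_CLOSE + b"<html><head><title>HTML/COM</title></head><body>Hello from HTML!</body></html>"
    body = b"\xb4\x09\xba\x00\x01\xcd\x21\xb8\x00\x4c\xcd\x21"  # mov ah,9 / mov dx,100h / int 21h / mov ax,4C00h / int 21h
    return (opener + b"\xeb\x00" + page + opener + body  # EB 00: placeholder jmp rel8
            + b"Hello from COM program!\r\n\r\nPress any key: $" + COMMENT_CLOSE)


def sample_plain_html():
    return b"<!-- site header, generated 2006-08-04 -->\n<html><body><p>plain page</p></body></html>"


def sample_plain_pe():
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + PE_SIGNATURE + b"\0" * 0xF8


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # scan files named on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, classify(f.read()))
    else:
        for name, fn in (("html_exe", sample_html_exe), ("com_html", sample_com_html),
                         ("plain_html", sample_plain_html), ("plain_pe", sample_plain_pe)):
            print(name, classify(fn()))
```

The PE branch deliberately ignores HTML found after the PE header, since installers and help viewers legitimately embed pages in resources; the COM branch is marked with a question mark because a headerless file gives no structural confirmation beyond the binary comment body, so it is a lead to inspect rather than a verdict.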
OzzY 18 Aug 2006, 12:36
I got this idea years ago when I was learning ASM. I got interested in viruses and how they work. I read lots of VX zines and I still read them nowadays. I think it's very educational knowledge if used with ethics.
I also coded a COM/JPG virus for educational purposes and for fun only. COM programs are very flexible because they have no headers and are very tiny. I also coded a polymorphic engine that resulted in a COM file that could change every byte of itself. The cool thing is how FASM is designed: you have an exact image of the COM file in your ASM source code. And you can play around with headers. Also, you can build MZ, PE or ELF executables from scratch using FASM. The best feature of FASM, in my opinion, is exactly this. If I build the import section in my PE in a way that user32.dll comes before kernel32.dll in my source code, it'll also be that way in the EXE file. And I don't even need a linker!
MHajduk 18 Aug 2006, 13:57
OzzY wrote: I also coded one polymorphic engine that resulted in a COM file that could change every byte of its own.
I think that a 'polymorphic engine' is very close to an 'evolutionary (genetic) engine'. Am I right? But in this case the programmer has to accept that not every copy of the virus will 'survive' in the 'computer environment'. Regards, M.H.
MHajduk 21 Aug 2006, 13:32
What I want to say will be slightly off-topic here, but related to my last post.
A few years ago I wrote a packet of programs which allows creating crosswords matching a previously prepared scheme (mathematical model) by using a genetic algorithm encoded in Java. The rest of the programs, written in Perl, were designed for DTP purposes (the output file was a program in PostScript).
Last edited by MHajduk on 06 May 2007, 15:31; edited 2 times in total
sylwek32 07 Oct 2006, 03:35
Does it only work with the contained .PE or can a file be included?
Can you show more examples?
rugxulo 08 Oct 2006, 00:53
Check this out:
Quote:
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.