VLAD Magazine - Issue #4 - ARTICLE.3_1 - Windows Executable Infection (Technically Explained)

1.     Windows Executable Infection
2.                by
3.           Qark and Quantum [VLAD]
4.  
5.  
6.  This document attempts to explain technically NewExe infection for the
7.  virus writer.  This isn't for the novice coder and you'll need to
8.  understand DOS EXE infection before being able to use any of it.
9.  
10.  The infection described in detail here is the same as that used by the
11.  accompanying WinSurfer virus, there are other methods that can be done
12.  but they aren't our concern (it's up to you to develop new code!)
13.  
14.  You will want a copy of the New Exe header information which is available
15.  in Ralf Browns interrupt listings under Int21h AH=4Bh, a copy of which is
16.  included at the end of this article.
17.  
18.  This is a map of what we are trying to do:
19.  
20.        Before infection                  After Infection
21.  
22.      0h---------------------           0h---------------------  
23.        |                   |             |                   |
24.        |  DOS EXE header   |             |  DOS EXE header   |
25.        |                   |             |                   |
26.        ---------------------             ---------------------
27.        |                   |             |                   |
28.        |  DOS Code         |             |  DOS Code         |
29.        |                   |             |                   |
30.        |                   |         3F8h---------------------
31.    400h---------------------             |                   |
32.        |                   | <- Move     |  New EXE Header   |
33.        |  New EXE Header   |     this    |  and some tables  |
34.        |  and some tables  |      up     |                   |
35.        |                   |             | ----------------- |
36.        | ----------------- |             |   Segment         |
37.        |   Segment         |             |   Table           |
38.        |   Table           |             |                   |
39.        |                   |             |                   |
40.        |                   |   Insert -> | ----------------- | Virus segment
41.        | ----------------- |    this     | ----------------- | entry
42.        |   Misc Other      |             |   Misc Other      |
43.        |   Tables          |             |   Tables          |
44.        |                   |             |                   |
45.        x                   x             x                   x
46.        x                   x             x                   x
47.        x                   x             x                   x
48.  CS:IP ---------------------             ---------------------
49.        |                   |             |                   |
50.        |   Windows Code    |             |   Windows Code    |
51.        |   and Misc        |             |   and Misc        |
52.        |   Segments        |             |   Segments        |
53.        |                   |             |                   |
54.    End ---------------------       CS:IP ---------------------
55.                      | Virus segment     |
56.                  Append all  | with code etc     |
57.                 this ->  |                   |
58.                      --------------------- Virus
59.                      |                   | Relocation
60.                      End --------------------- Entry
61.  
62.  
63.  Infection Theory:
64.  -----------------
65.  Test the EXE to make sure its windows and that the NE is at offset 1024.
66.  Reduce the NE pointer at 3ch by eight.
67.  Reduce DOS SP by eight.
68.  Any NE offsets which are larger than the segment table offset must be
69.   increased by eight.
70.  Increment the segment counter.
71.  Save the CS:IP.
72.  Point the CS:IP to the new segment entry
73.  Calculate the position of the end of the segment table, move all data up to
74.   and including the segment table up by eight bytes.
75.  Add another segment entry
76.  Write the virus to the end of the file
77.  Write the relocation entry at the end of the file.
78.  ---
79.  
80.  That is a very basic overview of what is wanted.
81.  
82.  The main idea of it all is moving the NE header forward to add a new
83.  segment table entry, and changing the CS:IP to point to it.
84.  
85.  We'll go through all the stages step by step.
86.  
87.  Testing for a Windows executable.
88.  ---------------------------------
89.  
90.  A NewEXE file always begins with a DOS header and some DOS executable
91.  code.  With a Windows executable:
92.     The word at offset 0 is 'MZ'.
93.     The word at offset 18h is 40h or greater.
94.  assuming that these conditions are met then we also want the pointer to the
95.  NE header (3ch) to be equal to 400h.  The reason for this is that room is
96.  needed to move the NE header forward by 8.
97.  
98.  Rewriting the DOS header.
99.  -------------------------
100.  
101.  Before rewriting the DOS header, reduce the DOS SP field (10h) by 8, because
102.  if it was pointing to the end of the DOS code section it would point to
103.  the start of the NE header. (No real reason for doing it really)
104.  The NE header pointer at 3ch must be reduced by 8 because we intend on
105.  moving most of the NE header forward to that position.
106.  
107.  Modifications to the NE header.
108.  -------------------------------
109.  
110.  From this point onwards we are referring to the offsets in relation to the
111.  NE header.
112.  
113.  The pointer to the segment table is a word at 22h.  If any of the pointers
114.  at 4,24h,26h,28h,2ah are larger than [22h], then increase that
115.  pointer by eight.  The reason for this is that since we are inserting a
116.  new segment table entry, all tables behind the segment table will be
117.  eight bytes further from the start of the header.
118.  
119.  The segment counter is a word at offset 1ch.  Increment it by one because
120.  since we are adding another segment, we need to indicate this in the
121.  header.
122.  
123.  At offset 14h is the dword pointer to the program entry point, CS:IP
124.  where the CS is actually the segment table entry number.  Save this pointer
125.  for use in your relocation entry (that part will be explained in detail
126.  later on).  Now point the CS:IP instead to the virus segment.  Do this
127.  by writing the necessary starting IP value to 14h (offset of the entry into
128.  your segment) and the segment counter value into 16h (since the virus
129.  segment is the last in the segment table it will be equal to the segment
130.  counter value which we have incremented).
131.  
132.  You can work this out for yourself, but what you need to do now is move
133.  the entire NE header, up to and including the segment table, but not
134.  the data behind it, forward by eight bytes.  Here's an equation on
135.  calculating how much to move:
136.     ((segmentcounter-1)*8)+word ptr [22h]
137.  
138.  Directly after this position is where to insert the new virus segment entry.
139.  
140.  The Virus Segment Entry.
141.  ------------------------
142.  
143.  Format of new executable segment table record:
144.   00h    WORD    offset in the file (shift left by alignment shift for byte offs)
145.   02h    WORD    length of the image in file (0000h = 64K)
146.   04h    WORD    segment attributes (see below)
147.   06h    WORD    number of bytes to allocate for the segment (0000h = 64K)
148.  
149.  Offsets 2 and 6 in the segment record are just the virus size. Offset
150.  4 is the segment attribute, we use 180h, which makes the segment executable
151.  with relocations.
152.  
153.  Calculating offset 0 is more difficult.  It is necessary to get the file
154.  length and shift it right by the alignment shift value which was saved
155.  earlier.  I wouldn't know how to do a dword shift so I convert it to a
156.  division.
157.  
158.  File length into DX:AX :
159.     mov     ax,4202h
160.     xor     cx,cx
161.     cwd
162.     int     21h
163.  Shift right DX:AX by alignment shift:
164.     mov     cl,byte ptr alignment_shift
165.     push    bx
166.     mov     bx,1
167.     shl     bx,cl
168.     mov     cx,bx
169.     pop     bx
170.     div     cx
171.      AX=required offset 0 value
172.  
173.  Write this eight-byte table behind all the moved headers.
174.  
175.  Writing the Virus.
176.  ------------------
177.  
178.  Lseek to the end of the executable and write the virus.
179.  
180.  Writing the Relocation Entry.
181.  -----------------------------
182.  
183.  You need a relocation entry so that you can return control to the host
184.  after the virus has done its dirty work.  The relocation entries follow
185.  the segment itself.
186.  
187.  Format of relocation entry:
188.  Offset  Size    Description
189.   00     WORD    Number of relocation entries
190.      Offset  Size    Description
191.       00     BYTE    relocation type
192.       01     BYTE    relocation flags
193.       02     WORD    offset within segment
194.       04     WORD    target address segment
195.       06     WORD    target address offset
196.  
197.  
198.  The first word will be 1 because only 1 relocation entry.
199.  The first byte is 3 to signal a 32-bit pointer (a far jump).
200.  The second byte is 4 to signal additive relocation. (doesn't work without this)
201.  Word at offset 2 is the offset of the dword after the 'far jump' opcode.
202.  Word at offset 4 is the CS of the original host CS:IP
203.  Word at offset 6 is the IP of the original host CS:IP
204.  
205.  To put all this into code:
206.  
207.         db      0eah    ;Opcode of JMP FAR PTR
208.     ret_ip      dw      0
209.         dw      0ffffh
210.  
211.     relocation  dw      1       ;One relocation entry
212.         db      3       ;32bit pointer relocation
213.         db      4       ;Additive relocation
214.         dw      offset ret_ip   ;Offset of the relocation in segment
215.     hostcs      dw      0       ;CS:IP of place we want our relocation to
216.     hostip      dw      0       ; point.
217.  
218.  Note: the relocation address data (ret_ip) _must_ be FFFF:0000 as above
219.        because Windows treats it as a linked list.  If you don't understand
220.        don't worry, just do it!  It won't work otherwise.  It is important
221.        that before writing the virus body to the executable you set
222.        this address to FFFF:0000 so that the executable will be set up correctly.
223.  
224.  Write the relocation entry at the end of the file.
225.  
226.  Windows allows a standard Int 21h call just fine so all file manipulation
227.  is as simple as ever, with a few minor changes.
228.  
229.  
230.  Writting TSR/ISR's under Windows.
231.  ---------------------------------
232.  
233.  Windows is a protected mode environment and thus to set a vector under it we
234.  must manipulate the various tables that protected mode requires to be
235.  updated.  Of these tables, one is of interest to us.  The "Interrupt
236.  Descriptor Table" (IDT). The IDT holds all the Protected Mode interrupt
237.  vectors that are in the "Interrupt Vector Table" (IVT) - if they are
238.  supported - and some more.  This is all well and good - all we have to do is
239.  set a vector in the IDT to point to our code as we do with dos and the
240.  IVT but - there are complications.
241.  
242.  V86 mode.
243.  ---------
244.  
245.  When Windows is running in 386 enhanced mode the processor is locked into
246.  v86 mode.  In v86 mode, each application has its own 1mb memory block.  All
247.  EMS/XMS is locked away from the application and (usually) each process has
248.  its own IDT/IVT.  The idea is to allow the application to think it is
249.  alone on the system.  Any attempt to access any other tasks that may be
250.  running is a "violation of system integrity" and will cause an exception.
251.  This is no good for a virus and by now you're thinking we're screwed but
252.  Windows solves the problem for us.  Windows has but one IDT and of course
253.  only one IVT to shadow it and thus if we are to hook a vector in the IDT
254.  it will be reflected in every task.  (Ever seen that OS/2 warp advert where
255.  they say "... and true multi-tasking" - well this simply means that OS/2
256.  warp holds a separate IDT for every task under v86 mode.)
257.  
258.  Setting the Vector.
259.  -------------------
260.  
261.  So let's get this straight.. the IVT is the one at 0:0 that we all know and
262.  love and the IDT is a protected mode/v86 shadow of it.  So you're most
263.  probably asking "Why can't we just hook the IVT and let windows reflect it
264.  into the IDT?" - well there are 2 reasons: firstly windows doesn't "reflect"
265.  the IVT as we would like to think, actually copies the IVT into the IDT
266.  on startup then replaces certain routines with "protected mode call
267.  structures" which call the real mode routines some routines it doesn't
268.  even do this, secondly trying to access the IVT directly is a big nono and
269.  will cause an exception error.
270.  
271.  Can we use DOS?  well yes, you can... most dos functions have been reflected
272.  in Windows although windows is supposed to be trying to get rid of
273.  them. So you can call int 21,25/35 to set the vector but remember that this
274.  will be setting a vector in the GVT and only at the discretion of Windows.
275.  
276.  A better way: use DPMI.  Windows is NOT your host under protected mode or
277.  even v86 mode as Microsoft would have you believe.  Windows has an
278.  overlooker that provides Windows time-slicing and exceptional abilities.  In
279.  fact, all Windows does is act as a mediator to DPMI and basically slow things
280.  down.  So how do we use DPMI to set the vector?  well.. by using functions
281.  0204h/0205h  - with the vector in BL  - of the DPMI provider int 31.  This
282.  way windows have no say over what goes in its IDT and thus we have a LOT of
283.  control.
284.  
285.  Writing the Interrupt.
286.  ----------------------
287.  
288.  This is perhaps one of the easier things to do - once you understand the
289.  principles.  In protected mode/v86 mode, your code segment is supposed to be
290.  read-only and thus you're supposed to have a code, stack, and data segment.
291.  Everyone knows this is bad so what we need is a way to write to the code
292.  segment. You won't find one - writing to the code segment just isn't
293.  possible.  But - if we were to have a data segment that pointed to the same
294.  code segment then we could do it. (actually, we don't have any segments in
295.  protect mode.. we have a thing called a "selector" which gives access
296.  parameters to areas of memory.)
297.  
298.  To get an "alias selector" to the code segment we can use another DPMI
299.  function and bypass windows altogether: function ax=000ah with the code
300.  the selector in bx of int 31h, it returns a read/writeable alias selector to
301.  the code segment in ax.
302.  
303.  So now Protected mode isn't protected and we're free to write to the code
304.  segment. One problem arises from this idea.  Qark wanted to put this code
305.  to generate the alias in the loader part of the virus and store it in the
306.  code segment for the interrupt routine.  This seemed fine until I found out
307.  that Windows likes to move segments around.  One minute your code might be
308.  at one address the next it may be at another.  Thus you should always
309.  regenerate the alias on every execution of the ISR or lock down the segment
310.  - we chose against this last approach as it can cause exception errors from
311.  Windows (DPMI has no problems with this strategy.)
312.  
313.  For a detailed look at DPMI consult Ralf Brown's interrupt listing under
314.  int 31h.  These functions haven't been included in this text.
315.  
316.  Staying Resident.
317.  -----------------
318.  
319.  Finally: don't go resident off something that can be closed.  If you go
320.  resident off something like mine sweeper or something and the user closes
321.  the application, your code segment will be deleted and removed from the IDT
322.  and will point to an empty segment.  This will cause windows to hang.
323.  Solution: look for a process that will never be closed, direct action
324.  infect this as soon as you find it and only ever go resident off it.
325.  
326.  In the 'system.ini' file in your Windows directory, is a variable 'shell='
327.  that points to a file that is never closed.  Mostly it will be
328.  'progman.exe' but sometimes other programs are used, so read it in and
329.  infect it.
330.  
331.  To find the path of the Windows directory, search the environment for a
332.  variable called 'windir=' (yes, lowercase!).  On entry to any Windows
333.  executable ES will point to the PSP (or something functionally similar).
334.  The word at 2ch is the segment (selector) of the environment segment.
335.  Scan through this as you would within a DOS application.  We didn't discover
336.  this through any documentation, but when Quantum accidentally typed 'set'
337.  from within a DOS window.
338.  
339.  Facts and Possible Techniques.
340.  ------------------------------
341.  
342.  At offset 0eh in the New Executable header is the 'auto data segment index'.
343.  This is another segment table index, which will be automatically in DS
344.  on execution entry.  Although this is pure guesswork if you set that
345.  'auto data segment' to the same segment as CS, (ie in every way the same
346.  except the segment attributes) then you could write to your CS without
347.  using DPMI and would also open the gateway to polymorphic Windows viruses.
348.  (Polymorphism would be pretty useless if you had to put a DPMI call before
349.  you could write to your code segment.)
350.  
351.  Mark Ludwig's 'Windows Virus #2' uses a different form of infection in that
352.  it extends the length of the code segment as indicated in the segment
353.  table, and moves the entire host program starting from the end of the file
354.  back by virus length until the end of the code segment is reached, at which
355.  point the virus is written.  The IP is then repointed to the virus.
356.  There are some advantages to this, such as no need to add relocation entries
357.  because the jmp is intra-segment but this is greatly outweighed by the
358.  the fact that moving an entire file is very slow and a much larger number of
359.  pointers in the header need to be modified to account for the change.
360.  
361.  There are DPMI calls for allocating memory (Int 31h ax=501h) but it is
362.  unknown at this point whether the memory remains allocated after the program
363.  is closed.  Mark Ludwig makes extensive use of these calls for temporary
364.  buffers in his direct action 'Windows Virus #2'.
365.  
366.  Mark Ludwig also demonstrates the use of the WinAPI calls, which involve adding
367.  a new relocation entry for each call and pushing some stuff on the stack.
368.  This may become important when win95 comes out but for the moment it is
369.  more convenient to simply use int 21h.
370.  
371.  Some food for thought.
372.  ----------------------
373.  
374.  Microsoft has a dream [here we go], the dream is to control the world.  They
375.  intend to do this with applications like Windows [scary isn't it ?], and by
376.  the looks of it they might succeed.  A lot of people think computers should
377.  be easy, that there should be no skill involved in it and that everyone
378.  should HAVE to use one.  Microsoft is using this idea to flood the market
379.  with shit like Windows, in the hope that it will be accepted as a "standard".
380.  Windows is already this but Microsoft isn't happy with one success, they
381.  want to be on top of the hill.
382.  
383.  This is where we come in.  If Microsoft is going to succeed in taking over
384.  the world then we should be there making their lives difficult.  The
385.  WinSurfer virus created by us is so stable that an average Windows
386.  user wouldn't even notice it.  [Then again the average Windows user
387.  wouldn't notice if his hair caught on fire.]  And thus will stay with us
388.  for quite some time.  At least until AVers recognize the windows market
389.  and start releasing scanners.
390.  
391.  
392.  
393.  
394.  The New Executable format.     (From Ralf Browns Interrupt listing 21 AH=4B)
395.  --------------------------
396.  
397.  new executables begin running with the following register values
398.     AX = environment segment        (Wrong! AX=0)
399.     BX = offset of command tail in environment segment
400.     CX = size of the automatic data segment (0000h = 64K)
401.     ES,BP = 0000h                   (Wrong! ES=PSP)
402.     DS = automatic data segment
403.     SS:SP = initial stack
404.   the command tail corresponds to an old executable's PSP:0081h and
405.   following, except that the 0Dh is turned into a NUL (00h); new
406.   format executables have no PSP  (All wrong)
407.  
408. Format of .EXE file header:
409. Offset  Size    Description
410.  00h  2 BYTEs   .EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah)
411.  02h    WORD    number of bytes in last 512-byte page of executable
412.  04h    WORD    total number of 512-byte pages in executable (includes any
413.         partial last page)
414.  06h    WORD    number of relocation entries
415.  08h    WORD    header size in paragraphs
416.  0Ah    WORD    minimum paragraphs of memory to allocation in addition to
417.         executable's size
418.  0Ch    WORD    maxi paragraphs to allocate in addition to the executable's size
419.  0Eh    WORD    initial SS relative to start of executable
420.  10h    WORD    initial SP
421.  12h    WORD    checksum (one's complement of the sum of all words in the executable)
422.  14h    DWORD   initial CS:IP relative to start of executable
423.  18h    WORD    offset within the header of the relocation table
424.         40h or greater for new-format (NE,LE,LX,PE,etc.) executable
425.  1Ah    WORD    overlay number (normally 0000h = main program)
426. ---new executable---
427.  1Ch  4 BYTEs   ???
428.  20h    WORD    behavior bits
429.  22h 26 BYTEs   reserved for additional behavior info
430.  3Ch    DWORD   offset of new executable (NE,LE,etc) header within disk file,
431.         or 00000000h if plain MZ executable
432.  
433. Format of the new executable header:
434. Offset  Size    Description
435.  00h  2 BYTEs   "NE" (4Eh 45h) signature
436.  02h  2 BYTEs   linker version (major, then minor)
437.  04h    WORD    offset from the start of this header to the entry table (see below)
438.  06h    WORD    length of entry table in bytes
439.  08h    DWORD   file load CRC (0 in Borland's TPW)
440.  0Ch    BYTE    program flags (see below)
441.  0Dh    BYTE    application flags (see below)
442.  0Eh    WORD    auto data segment index
443.  10h    WORD    initial local heap size
444.  12h    WORD    initial stack size (added to data seg, 0000h if SS <> DS)
445.  14h    DWORD   program entry point (CS:IP), "CS" is index into segment table
446.  18h    DWORD   initial stack pointer (SS:SP), "SS" is segment index
447.         if SS=automatic data segment and SP=0000h, the stack pointer
448.         is set to the top of the automatic data segment, just below
449.         the local heap
450.  1Ch    WORD    segment count
451.  1Eh    WORD    module reference count
452.  20h    WORD    length of nonresident names table in bytes
453.  22h    WORD    offset from the start of this header to the segment table (see below)
454.  24h    WORD    offset from the start of this header to the resource table
455.  26h    WORD    offset from the start of this header to the resident names table
456.  28h    WORD    offset from the start of this header to the module reference table
457.  2Ah    WORD    offset from the start of this header to the imported names table
458.         (array of counted strings, terminated with a string of length
459.           00h)
460.  2Ch    DWORD   offset from the start of the file to nonresident names table
461.  30h    WORD    count of moveable entry point listed in the entry table
462.  32h    WORD    file alignment size shift count
463.         0 is equivalent to 9 (default 512-byte pages)
464.  34h    WORD    number of resource table entries
465.  36h    BYTE    target operating system
466.         00h unknown
467.         01h OS/2
468.         02h Windows
469.         03h European MS-DOS 4.x
470.         04h Windows 386
471.         05h BOSS (Borland Operating System Services)
472.  37h    BYTE    other EXE flags
473.         bit 0: supports long filenames
474.         bit 1: 2.X protected mode
475.         bit 2: 2.X proportional font
476.         bit 3: gangload area
477.  38h    WORD    offset to return thunks or the start of gangload area
478.  3Ah    WORD    offset to segment reference thunks or length of gangload area
479.  3Ch    WORD    minimum code swap area size
480.  3Eh  2 BYTEs   expected Windows version (minor version first)
481. Note:   this header is documented in detail in the Windows 3.1 SDK
482.     Programmer's Reference, Vol 4.
483.  
484. Bitfields for new executable program flags:
485. Bit(s)  Description
486.  0-1    DGROUP type
487.       0 = none
488.       1 = single shared
489.       2 = multiple (unshared)
490.       3 = (null)
491.  2      global initialization
492.  3      protected mode only
493.  4      8086 instructions
494.  5      80286 instructions
495.  6      80386 instructions
496.  7      80x87 instructions
497.  
498. Bitfields for new executable application flags:
499. Bit(s)  Description
500.  0-2    application type
501.     001 full screen (not aware of Windows/P.M. API)
502.     010 compatible with Windows/P.M. API
503.     011 uses Windows/P.M. API
504.  3      is a Family Application (OS/2)
505.  5      0=executable, 1=errors in image
506.  6      non-conforming programs (valid stack is not maintained)
507.  7      DLL or driver rather than application
508.     (SS:SP info invalid, CS:IP points at FAR init routine called with
509.       AX=module handle which returns AX=0000h on failure, AX nonzero on
510.       successful initialization)
511.  
512. Format of new executable segment table record:
513.  00h    WORD    offset in the file (shift left by align shift to get byte offs)
514.  02h    WORD    length of the image in file (0000h = 64K)
515.  04h    WORD    segment attributes (see below)
516.  06h    WORD    number of bytes to allocate for the segment (0000h = 64K)
517. Note:   the first segment table entry is entry number 1
518.  
519. Bitfields for segment attributes:
520. Bit(s)  Description
521.  0      data segment rather than code segment
522.  1      unused???
523.  2      real mode
524.  3      iterated
525.  4      movable
526.  5      sharable
527.  6      preloaded rather than demand-loaded
528.  7      execute-only (code) or read-only (data)
529.  8      relocations (directly following code for this segment)
530.  9      debug info present
531.  10,11  80286 DPL bits
532.  12     discardable
533.  13-15  discard priority
534.  
535. Format of new executable relocation data (immediately follows segment image):
536.  
537. Offset  Size    Description
538.  00h    WORD    number of relocation items
539.  02h 8N BYTEs   relocation items
540.         Offset  Size    Description
541.          00h    BYTE    relocation type
542.                 00h LOBYTE
543.                 02h BASE
544.                 03h PTR
545.                 05h OFFS
546.                 0Bh PTR48
547.                 0Dh OFFS32
548.          01h    BYTE    flags
549.                 bit 2: additive
550.          02h    WORD    offset within segment
551.          04h    WORD    target address segment
552.          06h    WORD    target address offset
553.  
554.  
555.  
556.         [end]
557.