...The idea is that files should be "correct" in terms of anti-virus. That is, files created/infected with our code should be as similar as possible to usual applications in their structure/code/actions (for example, calc.exe from Windows). The result: knowledge/experience/something else + a beautiful "clean" file internally and externally. To achieve this goal it is sufficient to take and examine each piece of at least one such file - all others are studied/made similarly (the PE format is always at hand)....
The main goal of garbage instructions is the hiding/protection of useful code (from av'ers, a watchful-eyed reverser and other curious parties). However, the "wrong" trash can lead to detection of the viral code, thereby undermining all our efforts.
This text is about how to improve the quality of the generated garbage.
...Copy protection is somewhat similar to EPO viruses: both should be rooted as deep in the program as possible. It's better to avoid obvious places like the entry and exit nodes. The problem is that if you have put the call to the virus somewhere in the middle of the program it might not be executed at all! And where is the "middle"? In this article I will try to show how dynamic analysis would help to solve this problem and to inveigle the anti-virus into emulating a large amount of code...
See also: Linux.RELx
I looked into the heart of the beast, and saw myself looking back. Laughing merrily, I took the beast by the hand and walked into the bright, brave new world. Today we are in a new age, an age of wires and silicon, an age of technology and data.
here's a fairly simple way to find new target files: kernel32's ReadDirectoryChangesW api. the api does exactly what it sounds like; it "retrieves information that describes the changes within the specified directory. [*]" we can use this to our advantage by watching all drives we have access to and waiting for victim files (pe/whatever) to be created (and/or modified, deleted, renamed, etc).
...today i've got a new trick for you: undeletables in windows vista. this bug, like most, was found completely on accident. i was working on a completely unrelated project and had accidentally created a folder called...
i've heard of this idea being done before, but don't ever remember seeing it. anyway, here it is: how to "hide" your entries in the registry.
all we're doing here is creating a thread to watch for regedit.exe to be running. once regedit is opened, we overwrite our key with something that looks legit. when regedit closes, we re-write our key and repeat.
spreading worms is becoming more and more difficult. email servers have advanced their technologies to avoid mass-mailers; people do not open suspicious email attachments; most P2P users use torrents rather than downloading single files; even IRC users know not to accept DCC files from people they do not know/trust. so what's next?
...i can't help but notice that most of the mass mailing worms coming from this "scene" don't actually perform a DNS lookup to acquire an SMTP server. this is silly; stop it now...
...here's an idea for your next win32 malware: advapi32's SetKernelObjectSecurity(). sounds interesting, doesn't it? well friends, it is. according to msdn, the api "sets the security of a kernel object [*]" which seems rather obvious based on its name. but what this means for you and me is that we can prevent our process from being terminated via micro$oft's task manager or a call to TerminateProcessA() from an antivirus program [**]. unfortunately, this api will only work on win2k and above, but then again, it is 2009 and win2k died nearly a decade ago [***].
below is a simple example of using this api in c [****]...

Virtual Disks Infection
by WarGame/EOF (also in EOF-DR-RRLF)

The usage of virtualization technology is increasing more and more nowadays, mainly because of its safe test environment and the ability to run another system without the use of multi-boot. In this article we are going to speak about VirtualBox virtual disk infection.

Some ideas about OpenOffice infection
by WarGame/EOF (also in EOF-DR-RRLF)

This article will try to explain a new way of infecting openoffice documents. Other OO virii have been written using the basic programming language offered by OO, like Starbucks, Stardust or the multi platform BadBunny. It is possible to infect the documents using their simple structure.

A simple way to detect VirtualBox
by WarGame/EOF (also in EOF-DR-RRLF)

There are a lot of ways to detect a virtualized environment; here I will show only a simple trick to detect if you are running inside VirtualBox. This trick requires that the guest additions (a component that lets you exchange files between a virtualized system and the real one) are installed on the virtualized system, because the detection is based on them.

Controlling the process execution
by v1rusL4ir (also in EOF-DR-RRLF)

In my rootkit research I came to the conclusion that I need to have total control over the victim. Is the user about to execute some kind of AV or rootkit hunting software? If so, I need to be aware.
See also: pControl

Stealth API based decryptor
by kaze/FAT (also in EOF-DR-RRLF)

I'll try to present here a new approach to evade AV detection. Instead of increasing the complexity of the decryptor, as most of the current poly engines tend to, we will try to build a decryptor that looks as common as possible, hoping for the AV to cancel emulation. We will try to increase the risk of false positives during virus detection.
See also: Win32.Leon

Virtual Code
by roy g biv (also in EOF-DR-RRLF)

... my idea is to remove all code from a section, and use relocation data to restore it. Since the section is now only in virtual memory, I call it virtual code. It seems that IDA does not support multiple relocations being applied to the same location, so it cannot handle my files. :)
See also: Win32.Relock

Other Address Space Layout Randomisation implementations require that a file has relocations, so that the sections can be moved to new locations in memory.
My Address Space Layout Randomisation does not require that a file has relocations. I call this "brutal" because of how it works - it makes a copy of the host process memory in a different location, and marks the old host process memory as NO_ACCESS. Then it redirects all accesses when a page fault occurs. The redirection is to a place in memory that is allocated "randomly".
What technique?
Simply that a protected process cannot be dumped using ordinary tools.
See also: Tool.BASLR

New Uses For FSAVE
by roy g biv (also in EOF-DR-RRLF)

FSAVE is an old instruction for the FPU which it seems has not been explored fully.
See also: Win32.Mimix.a

Last time we talked about FPU for instruction reordering, but it is limited because we cannot use arithmetic operations. We can avoid that problem if we think about what else is stored in the FPU state: the MMX registers.
See also: Win32.Mimix.b

Last time we talked about MMX for instruction reordering. It is great because we have 64-bit registers to use and there are no restrictions on the order of instructions or the arithmetic operations. Now we take it even further: the XMM registers.
See also: Win32.Mimix.c

Since the advent of position-independent executables in Linux, the most interesting method of infection became possible - code integration, which is the matter in question in this article. The irony of it is that PIE, ASLR and ExecShield were meant to improve the security of Linux applications, and at the same time they opened new opportunities for viruses.
See also: Linux.Lacrimae

INT 0x80? No, thank you!
by herm1t (also in EOF-DR-RRLF)

After finishing the Lacrimae virus which is able to extend any section and thus import library functions, I spent some time thinking how an ordinary virus can use the libc or any other library. There are a lot of opportunities for the viruses having such a feature. Here I wish to present a method to do it, using test virus Linux.Pilot as an example.
See also: Linux.Pilot

One of the widely used methods of ELF file infection was proposed by Silvio Cesare. To inject the virus into a file, the free space at the end of the text segment, which appears as a result of alignment, is used. Alignment is necessary to prevent the beginning of the data segment and the end of the text segment from ending up in the same page.
See also: Linux.Coin

Caveat virus
by herm1t (also in EOF-DR-RRLF)

This tutorial explains how to use the small amounts of space within the Program Header Table to inject a tiny loader which will allocate the memory for the main virus body, then load and execute it.
See also: Linux.Caveat

Hashin' the elves
by herm1t (also in EOF-DR-RRLF)

One day I was looking through ELF files with objdump and the .hash section caught my attention, and I thought: gee, can't we take some advantage of it? Nice section after all. Located in the code segment. Could it be shrunk or removed? In this article I want to share my findings.
See also: Linux.Hasher

How to have fun with ptrace syscall
by Cyberdude (also in EOF-DR-RRLF)

In this text I want to show you how it is possible to "hack" a process using some assembly strings and the dynamic linker.
Since most processes will run in userland mode by default under Vista, MS didn't want to stop legitimate processes from running correctly, so they established a virtualization trick to let processes store the information they need virtually. In this article I am trying to make use of virtualization to set up a startup runner executable.

Another BufferOverflow Article
by Berniee/EOF (also in EOF #1)

In this article I will introduce an explanation of how buffer overflows work by making exploitable code using the C++ strcpy() function, and then exploiting the strcpy() function to run our shellcode.
Making a PE appender can be done in various ways: adding a new section, increasing the last section or any other way. Here I will explain infecting a PE file by adding a new resource which will contain our code.

PowerShell viruses
by sk0r/ex (also in EOF #1)

In this tutorial I will teach you the basics of PowerShell coding and I will show you techniques like polymorphic variable changing...

Ferite virus writing guide
by WarGame/EOF (also in EOF #1)

Some time ago, browsing the net, I found a nice language called "ferite"; this tutorial will (try to) explain to you how to write self-replicating programs in that language.
The article covers the following subjects:
- Substitution Techniques
• Caesar Cipher
• Playfair Cipher
• Hill Cipher
• Polyalphabetic Ciphers
- Transposition Techniques
- Rotor Machines.

Introduction to the DES algorithm
by Cyberdude (also in EOF #1)

The article covers the following subjects:
- Introduction to the DES algorithm, via a simplification of DES: S-DES
- Stream ciphers and block ciphers
- Feistel block ciphers
- DES - Data Encryption Standard
- Block cipher modes of operation.
The article covers the following subjects:
- The representation of numbers in a finite space
- Two problems with the addition operation
- The smallest positive number that can be considered and its representation
- Binary representations of infinite values
- Polynomial solving with Horner's method
- Solving linear systems
- Gaussian elimination of unknown variables to obtain an upper triangular matrix.
The article covers the following subjects:
- Basic knowledge of modular arithmetic
- Euclid's greatest common divisor algorithm and its asm implementation
- Modular polynomial arithmetic in the Galois field GF(p^n)
- Introduction to the structure of the Rijndael Advanced Encryption Standard cipher
• The sub-phases of a single encryption round
• The AES key expansion procedure from 4 to 44 words.
In this tutorial I describe how to infect executables by using the .NET runtime compiler.

FBSL virus writing guide
by Genetix/ex EOF (also in EOF #1)

At first FBSL looks a lot like VB. It has some common Pascal and C functions too. It's in early stages, not YET supporting arrays.. But it was fun to write this code in this language!

Hashes for encryption
by Second Part To Hell/ex RRLF (also in EOF #1)

If hash functions are used in viruses for encryption, antivirus programs would have to use a brute-force attack to find the real virus code. As brute force requires much time, and less scanning time is essential for antivirus programs, hash encryption might be a useful weapon against antivirus programs.

Compress easy
by tanMa/EOF (also in EOF #1)

This article is about compression and will be as short as possible because I don't want to bother you. I just want to advise you about some undocumented functions of Windows NT/XP and Windows Server 2003 that are used by the OS itself for internal operations during compression, and by some MS utility programs for managing files with the "compressed" attribute.

Wardriving uncovered
by Skvoznoy (also in EOF #1)

Everything that is required to begin the practical side of wardriving is: a notebook with a Wi-Fi card, some software, a GPS module for navigation and, of course, a comfortable backpack :) After reading the article you will learn to make your own maps of APs, to analyze the security of wireless networks and even to play jokes there.