BLACK LIST SOFTWARE SUPPORT FORUMS
Post subject: The Basic Computer Virus
Posted: Sat Jun 19, 2010 10:52 am
Author: Site Admin
This guide will only describe the most fundamental basics of a virus. The information provided is for educational purposes only.

A computer virus, not to be confused with Spyware or Adware, is a deadly and destructive piece of arbitrary code that has been injected into a legitimate host file. They may be introduced to a computer system in the form of a Trojan process (e.g. a pre-infected download), they may be created locally by a local process, they might be passed across a network or through an infected Floppy Disk, Compact Disk, or Thumb Drive, and in this guide, we made one by hand to help us demonstrate the basics of a virus.

A virus is not an executable process; instead a virus is a snippet of malicious code that needs an executable process to become active. Once the viral code has become a part of an active host, the virus may spread across disk to other host processes and perform just about any task available to the system.

[Image: debugger view of notepad.exe before injection]

For our purposes, we have targeted a legitimate host process, notepad.exe. Here is the state of the host executable before it has been injected with arbitrary code. The table above provides to us a view of notepad.exe as seen by a debugger. The output is translated from binary and provided to us in the more familiar and readable Assembly language syntax. The Assembly language is read from top to bottom, so we start at the origin and work our way down. We took a very common approach to infecting a process with arbitrary code by injecting our arbitrary code into the unused portion of a Windows executable known as Codecaves. Codecaves live in abundance at the bottom of a Windows executable and are an ideal place to inject arbitrary code.

[Image: debugger view of notepad.exe after injection]

Here is the state of the host executable after it has been injected with arbitrary code. Here we have injected a malformed call to the Windows API which should throw a message box. After closing the message box, notepad.exe will continue to run as normal. We accomplished this by altering the origin and injecting our arbitrary code into the unused space of the executable. We then patch back the original instructions and return control to the host. This is a very common way to infect a host process and also a very destructive act. This method overwrites portions of the executable which cannot be recovered easily, if at all. Thus, the easiest way to repair an infected file is to replace the infected file with a clean one.

_________________
My mind creates what my hands could only imagine.
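A defender-side companion to the before/after comparison in the post, added here as an example and not part of the original post or its author's code: a minimal PE header parser that reports where AddressOfEntryPoint (the "origin") lands and how much slack (code-cave space) the containing section carries, which is the change a file-integrity check should flag. The PE images, section names and sizes are constructed inline for demonstration and are not taken from notepad.exe.

```python
import struct
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes

def build_pe(entry_point, sections):
    """Constructed test image: DOS header, PE signature, COFF header, PE32 optional
    header and section table, no section bodies. sections holds tuples of
    (name, VirtualAddress, VirtualSize, SizeOfRawData)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                              # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)      # AddressOfEntryPoint (the post's "origin")
    table = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, va, raw, 0, 0, 0, 0, 0, 0)
                     for n, va, vs, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, SizeOfRawData)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, raw = struct.unpack_from("<8sIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vs, raw))
    return entry, sections

def entry_point_check(pe, code_section=".text"):
    """Locate the entry point. A section's slack is the padding between its real contents
    (VirtualSize) and its file-aligned SizeOfRawData, i.e. the code cave the post describes.
    An entry point inside that slack, or outside the code section, is the red flag."""
    entry, sections = parse_pe(pe)
    for name, va, vs, raw in sections:
        if va <= entry < va + max(vs, raw):
            return {"section": name, "in_code_section": name == code_section,
                    "in_slack": entry >= va + vs, "slack_bytes": max(raw - vs, 0)}
    return {"section": None, "in_code_section": False, "in_slack": False, "slack_bytes": 0}

LAYOUT = [(b".text", 0x1000, 0x2000, 0x2200), (b".rsrc", 0x4000, 0x0800, 0x0A00)]
CLEAN = build_pe(0x1234, LAYOUT)      # entry inside the real code
PATCHED = build_pe(0x3100, LAYOUT)    # entry redirected into .text's 0x200-byte slack
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `entry_point_check`; compare the result against a known-good copy rather than trusting a single snapshot.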

