Code accompanying the VeXation development blog.
All code is written in x86 ASM targeting Borland Turbo Assembler 5.0 and Windows 95 and is licensed under the GPLv3.
Accompanying post: PE File Infector Basics
Working towards a basic Win95 PE file infector. Minijector will add its own code to other PE executables in the same directory by appending a new section (named `.ireloc`).
As described in the accompanying blog post this is not a complete working PE file infector. The entry point of the infected program is not updated so the injected copy is fully inert. The virus code is not position independent and does not find `kernel32.dll` API addresses at runtime.
Accompanying post: A VXers Best Friend: The Delta Offset
"pijector" (position independent (self-in)jector) is a continuation of Minijector. `pijector.exe` doesn't use a separate data section for its variable data and instead modifies offsets within the code section. The offsets are adjusted by the overall delta offset to make the variable references position independent.
As described in the accompanying blog post this is still not a complete working PE file infector. The entry point of the infected program is not updated so the injected copy is fully inert. The virus code also does not find `kernel32.dll` API addresses at runtime.
Accompanying post: Using Win95 Kernel32.dll exports Like a virus
"apifind" and "apifind2" are stand-alone examples of finding required win32 API functions at runtime without hardcoding anything. Both find the `kernel32.dll` base address, locate the `GetProcAddress` export in the DLL, and then resolve required Windows API function addresses with `GetProcAddress`.
"apifind2" reduces some duplication by providing assembly macros for defining required API variables, describing the API functions/arguments, finding the API function addresses, and finally invoking the API functions. Start by reading "apifind" and then compare with "apifind2".
Accompanying post: Using Win95 Kernel32.dll exports Like a virus
"apisafejector" integrates the techniques/code from "apifind2" with "pijector". By using dynamically resolved `kernel32.dll` function addresses the generation 1+ virus code now works without crashing! The primary challenge that remains is fixing the virus code to call the original host program's entrypoint to avoid detection.
This program represents a fun milestone because it's the first version of the virus that is truly viral. Running `apisafejector.exe` in the same directory as `calc.exe` will infect it. Running `calc.exe` next to a new executable (e.g. `cdplayer.exe`) will infect that executable. Of course since the original executable code is never run this is a very obvious virus, both `calc` and `cdplayer` will appear broken :-)
Accompanying post: Calling the original entry-point
"epjector" extends "apisafejector" to handle restoring control flow to the infected program's original entrypoint. Now when an infected program is run it will try to propagate the infection as before but when it's done it will run the original program. Now `calc.exe` and `cdplayer.exe` will not appear broken while also spreading the infection >:)
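From the defender's side, the two properties this series describes (an appended section named `.ireloc`, and, once "epjector" redirects control flow, an entry point that lands in that appended section) are exactly what a simple PE heuristic scanner looks for. The following is an added example, not code from this repository or the blog: a minimal PE section-table parser with a check that flags the `.ireloc` marker, an entry point inside the last section, and a last section that is both writable and executable (a generic heuristic, not something the page states about `.ireloc`). The `build_test_image` helper constructs synthetic PE headers for testing; the section names, characteristics and RVAs it uses are made up for the demonstration.

```python
"""Heuristic check for the appended-section PE infection pattern (added example)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
KNOWN_INFECTOR_SECTIONS = {b".ireloc"}  # marker section name from the Minijector series


def parse_pe_sections(data: bytes):
    """Return (AddressOfEntryPoint, [(name, va, vsize, rawsize, characteristics), ...])."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, optional + 16)[0]  # AddressOfEntryPoint
    sections = []
    off = optional + size_opt                 # section table starts right after the optional header
    for _ in range(num_sections):
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, data, off)
        sections.append((name.rstrip(b"\0"), va, vsize, rawsize, chars))
        off += 40
    return entry_rva, sections


def check_for_appended_infector(data: bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe_sections(data)
    findings = []
    for name, *_ in sections:
        if name in KNOWN_INFECTOR_SECTIONS:
            findings.append(f"section name {name.decode()} matches a known infector marker")
    if not sections:
        return findings
    name, va, vsize, rawsize, chars = sections[-1]
    # Appending infectors add a new last section and (once the entry point is
    # redirected) point AddressOfEntryPoint into it.
    if va <= entry_rva < va + max(vsize, rawsize):
        findings.append(f"entry point 0x{entry_rva:x} lies in last section {name.decode()}")
    # Self-modifying virus bodies need a section that is both writable and executable.
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section {name.decode()} is writable and executable")
    return findings


def build_test_image(section_specs, entry_rva):
    """Construct a minimal synthetic PE32 header (constructed test data, not a real program).

    section_specs is a list of (name, characteristics); section i is placed at RVA 0x1000*(i+1).
    """
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    size_opt = 224                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, size_opt, 0x010F)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b""
    for i, (name, chars) in enumerate(section_specs):
        table += struct.pack(SECTION_HEADER_FMT, name, 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + table


if __name__ == "__main__":
    # Like the inert Minijector/pijector output: marker section present, entry point untouched.
    inert = build_test_image([(b".text", 0x60000020), (b".data", 0xC0000040),
                              (b".ireloc", 0xE0000020)], entry_rva=0x1000)
    # Like an epjector-style infection: entry point redirected into the appended section.
    redirected = build_test_image([(b".text", 0x60000020), (b".data", 0xC0000040),
                                   (b".ireloc", 0xE0000020)], entry_rva=0x3000)
    for label, image in (("inert", inert), ("redirected", redirected)):
        print(label, check_for_appended_infector(image))
```

Run it against real files by passing `open(path, "rb").read()` to `check_for_appended_infector`; the parser only reads the headers and section table, so it never executes anything from the file. The entry-point-in-last-section rule produces false positives on some packed or oddly linked binaries, which is why it is reported as a finding to review rather than a verdict.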