VX Heaven


Library: Windows specific

«ICQ visions» [SRC] 5.54Kb 5835 hits
29a [7] (2003)
ICQ is one of the most widespread instant messenger programs of all. And like every such utility program it has its own record of all communicating persons. This giant centralized database contains a lot of private data that can be abused. Because of the high spread of this system it is logical to focus on ways this data could be abused for spreading some malware code. Just imagine it: a worm that retrieves the private data of all accessible persons, composes e-mail messages and spreads itself to all addresses. Hard to say why such a data compromise and the following epidemic still have not happened.
«Microsoft .NET Common Language Runtime Overview» [SRC] 14.69Kb 6564 hits
29a [6] (2002)
The whole computer world talks about the new platform from Microsoft, called .NET. The current implementation (January 2002) is also known as the .NET Framework SDK, which provides us the base services. There also exists a 2nd beta version of Microsoft Visual Studio .NET, a new visual environment where you can create your own .NET applications. I wrote this article because I couldn't sit and wait until someone would do the research instead of me. Well, you know me, I'm a pretty curious guy, so I investigated on my own...
«MSIL-PE-EXE infection strategies» 10.1Kb 15268 hits
29a [7] (2004)
In my last article about the .NET platform, called "Microsoft .NET Common Language Runtime Overview", I introduced the technologies that .NET Framework Beta 2 provides us. I also showed an infector for .NET applications written in C# (called "Donut" by AVers). Very soon after publishing, Microsoft released the release version of Visual Studio .NET. Since that time nothing has changed at all; this version does not differ much from Beta 2. But I had more time, documentation and knowledge to explore this environment.
Benny, Ratter
«Win2k.SFPDisable» [SRC] 8.43Kb 6124 hits
29a [6] (2002)
Well, how to start? In the past there were many ideas how to get rid of that new feature of Windows 2000, System File Protection. GriYo/29A was the first one who warned us, and he solved that problem very smartly, using the SfcIsFileProtected API, which can tell us whether a file is protected by the operating system. Viruses used this API and, if the file was protected, simply did not infect it.
«Explaining the Usages of Pipes in Virus coding» [SRC] 6.89Kb 9595 hits
Ready Rangers Liberation Front [7] (2006)
So, apart from that article which I lost: after a little googling and a quick peek at the M$ SDK, I found a pretty beautiful explanation, especially Iczelion's. Now, how could we create pipes and implement them in viruses? That's what I am going to explain in this article, by describing how to create pipes (anonymous type only, see next).
«Infecting PE files By Adding new resource» [SRC] 8.26Kb 12207 hits
Electrical Ordered Freedom #1 (2006)
Making a PE appender is done in various ways: adding a new section, increasing the last section, or other ways. Here I will explain infecting a PE file by adding a new resource which will contain our code. The infecting code is taken from my previous virus "fag". NOTE: the following may be hard to understand for some to a certain point, because I tried to present the method as an idea rather than explaining it in depth!
Billy Belcebú
«Using Structured Exception Handler (SEH)» [SRC] 3.54Kb 5907 hits
DDT [1] (1999)
Well, this is a very simple tutorial about the Structured Exception Handler. When I saw SEH implemented in a virus, I thought "Well, it does a lot. It must be very hard to implement." So I simply skipped its use. But as my destiny made General Protection Faults running under NT, as I read at 0BFF70000h, I realized that I had to do something. And SEH was the only way. Well, we can make it very complex to understand, or very easy. Of course, I prefer to make it easier :)
«Per-process residency review: common mistakes» 10.28Kb 11471 hits
29a [7] (2004)
Per-process residency is a TSR method discovered by Jack Qwerty in the early days of the Win32 platform. This great vxer found an alternative way to hook system calls instead of global residency, which is very common under DOS environments but so hard to obtain under Win32 (Win32 meaning Win9x, ME, NT, 2000, XP, ...).
«I will survive...» 7.1Kb 10770 hits
How would the perfect virus look? There are many ideas, but the best idea would probably be to put a human inside a virus. This human would be able to produce new ideas and viruses etc., etc., etc.
«Find Victims with FindExecutable API» [SRC] 6.27Kb 9047 hits
Ready Rangers Liberation Front [5] (2004)
With FindExecutable you can get the full path of the application that manages a file type!
«Save your fingers - get your fake names from the i-net» [SRC] 15.03Kb 9022 hits
Ready Rangers Liberation Front [6] (2005)
Maybe you know this situation: you write a pretty good mass-mailer, i-net or P2P worm and you need some ideas for the fake names. You are sick of seeing names like "Damn_Fine_Porn.mpg .exe" or "Photoshop Crack working!.exe". So what to do? Get some inspiration from the internet: go to some warez/crackz sites and copy and paste some real crack names, including application name, exact version number and maybe the author of the crack. Looks a bit more real than "Micr0soft all products keygen.exe", huh?! You want to do some good stuff, including many names... you are now copying and pasting name number 34, stupid work, no? At this point I ask you, why do you copy and paste an already existing huge database of names? Just write some simple but effective code and get thousands of names at runtime :). So read on and see how easy it is...
«Up to Date with the URLDownloadToFileA API» [SRC] 11.51Kb 9743 hits
Ready Rangers Liberation Front [5] (2004)
Hello again, today I want to show you a method to download a file from the internet (HTTP) to the local machine. It's very easy with the URLDownloadToFileA API, but this API is not much documented. So I resolved to write this tutorial. I hope with this code you are up to date =). Have fun...
«Execution redirection thru ‘Image File Execution Options’ key» [SRC] 8.62Kb 12454 hits
29a [8] (2004)
I'm bored of worms and other malware which still use the well-known, old-fashioned, over-exploited HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
«EXPLORER in-memory infection» [SRC] 25.46Kb 14060 hits
29a [4full] (2000)
In this article I will expose a residence technique: infecting EXPLORER.EXE in memory and staying resident in its address space.
«Snorting coke (and packets)» [SRC] 6.34Kb 5907 hits
29a [6] (2002)
Windows 2000 introduces a new concept for Windows users: the possibility of creating raw sockets. We will use this new Windows capability to capture network traffic on a network. What to do with the captured packets is your decision; some suggestions are:
«Virus oriented VxD writing tutorial» 20.75Kb 12802 hits
29a [2] (1998)
This tutorial is just a minimal introduction to VxD programming. To master the subject it deals with, you need something more than this tutorial. Nevertheless, I've tried to explain everything very clearly, so no one stays on land ;)
«The VxDCall backdoor» 25.09Kb 13491 hits
29a [3] (1999)
After I read this fragment in Matt Pietrek's book 'Windows 95 System Programming Secrets', I thought that VxDs might contain exported services, as DLLs do. I knew that VxDs exported services to other VxDs, but did they export services to Win32? If that was the case, these services could be very useful for virus programming, because they are similar to APIs but run at ring 0.
«Win2K infection» 8.66Kb 12260 hits
29a [4full] (2000)
If you run any up-to-date Win32 virus under Windows 2000 you will find a nasty dialog box with a message like this:
«Win32 Viral Networking Overwiew» [SRC] 26Kb 11323 hits
29a [4full] (2000)
We will speak about several aspects of Win32 networking, but always centering on our viral desires.
«The DLIT EPO techinque» 2.52Kb 9886 hits
Virus Writing Bulletin [1] (2011)
I found this technique quite a long time ago. This import mechanism has been available for more than 10 years! It took me some time before I even thought of using it for an entry-point obscuring virus.
«EPO in C LUA DLLs» 1.75Kb 10078 hits
Virus Writing Bulletin [1] (2011)
When I first heard that LUA script files could use functions from DLL files, I thought about how to infect them. First, I created a virus that could infect LUA script files to make them load the DLL of the virus. It was W32.Luna, but it was a very simple thing, since the only thing it does is trick LUA.
«The true Export/Import business» [SRC] 3.16Kb 9567 hits
Virus Writing Bulletin [1] (2011)
I had this idea one year ago. I was thinking of how you can supply code for applications. For that, Windows uses DLLs. Obviously you know what they are, and you know that they supply code by exporting functions. A DLL is loaded into the application's memory and Windows resolves the imports, so that the application can use the code in the DLL by calling the function. There are two ways in which an application can import functions using the import table: one is to import the functions by name, the second is by ordinal. When Windows successfully finds the name or ordinal in the DLL, it gets the function address from the export address table, the address is copied into the import address table of the application, and so it continues. Here is where I had the strange idea. Windows doesn't check that the addresses in the export address table are actually valid. :) I mean, the address could be FFFFFFFF and Windows would anyway add the base address of the DLL to it, and so it will be copied to the import address table.
«Hooking Windows API: Technics of hooking API functions on Windows» [SRC] 47.55Kb 10419 hits
29a [7] (2002)
This text is about hooking API functions on Windows. All examples here work completely on Windows systems based on NT technology, version NT 4.0 and higher (Windows NT 4.0, Windows 2000, Windows XP). They will probably also work on other Windows systems. You should be familiar with processes on Windows, assembler, the PE file structure and some API functions to understand the whole text. When using the term "hooking API" here, I mean the full change of the API. So, when calling a hooked API, our code is run immediately. I do not deal with cases of API monitoring only. I will write about complete hooking.
«Invisibility on NT boxes, How to become unseen on Windows NT (Version: 1.2)» 50.49Kb 26270 hits
29a [7] (2003)
This document is about techniques of hiding objects, files, services, processes etc. on Windows NT. These methods are based on hooking Windows API functions, which are described in my document "Hooking Windows API".
«PE Infection school» 5.92Kb 12339 hits
Xine [2] (1997)
Infecting PE files is a little complex, unlike in DOS; you must also do some "strange" things to open and read files. For those among us who know little about Windows this may be tough to grasp, but it is just another hurdle that Microsoft has put in front of virii writers/just plain hackers of Win95.
«Stealth API-based decryptor» [SRC] 24.1Kb 12977 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2008)
The main thing I really enjoy in virus writing is neither spreading nor weird target platform infection; it's just AV detection evading. And when I say stealth, I don't mean "kill any AV running on the victim's OS", I mean: not detected. But to be honest, writing a long-enough undetected virus begins to be a real challenge. Nowadays, even the most advanced poly engines get detected in a few days. A few years ago, some little tricks like including big loops in decryptors, generating a lot of junk or using uncommon opcodes could fool some of the weakest emulators. But new techniques like code normalization can easily detect such tricky polymorphic decryptors. I'll try to present here a new approach to evade AV detection. Instead of increasing the complexity of the decryptor, as most current poly engines tend to, we will try to build a decryptor that looks as common as possible, hoping for the AV to cancel emulation. We will try to increase the risk of false positives during virus detection. This approach has been implemented in my last virus, win32.leon, which can be found in the virus section of this emag.
Lord Julus
«Accessing Windows 95 API's by scanning PE-tables» 26.63Kb 13243 hits
VX-tasy [articles] (1998)
Looking back to 1994 and reading the last article of the now dead group Nuke, you can come across an article written by the group's leader Rock Steady that talked about a so-called and awaited "Windows 4.0"... Try to put yourself there, back in time, and imagine what you would feel reading this, but picture it well: MS-DOS and Windows 3.11 existed. There were practically no Windows 3.11 viruses, except a few that infected the DOS part of the New Executable file... And when things were going so well, thousands of viruses on the market, so many that even virus authors didn't care anymore, this black thing appears from the dark... The NEW THREAT from Micro$oft... Let me recall to you what was maybe the first article on what would become Windows 95:
«Win95 structures and secrets» 9.73Kb 9462 hits
[...] Since the start of Win95, many things that virii writers came to accept as easy to get became harder: things like the interrupt calls and the filename paths to the system files. Well, the API calls have replaced interrupts, and virii writers have used several tricks to get the addresses of these calls. [...]
Cyrus Peikari, Seth Fogie, Ratter
«Details Emerge on the First Windows Mobile Virus» 43.5Kb 13981 hits
InformIT (2004)
This series concludes with Ratter describing the creation of WinCE4.Dust.
«DLL Hijacking in antiviruses» 13.19Kb 7186 hits
Inception #1 (EN) (2012)
DLL Hijacking is also referred to as DLL substitution. Many programs, when calling the LoadLibrary(char *) function, pass the file name as a parameter rather than the full path to it. That way, you can substitute the library being loaded with any other one. This is because the search for the DLL begins in the directory that contains the calling EXE file. In this case the substituted DLL runs with the same privileges as the running process. For AV, as for any other software, this attack technique can (and should) be used. Clearly, as a result of a successful attack, our code runs inside the proxy application, has the same privileges and can do whatever it wants.
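The two loader behaviours quoted above (the export address table entries that Windows never validates, from "The true Export/Import business", and the bare-name imports that the search order resolves from the application directory first, from "DLL Hijacking in antiviruses") can both be checked statically from the PE headers. The following is an added example and not code from either article: a minimal pure-Python PE parser that flags exports whose RVA lies outside SizeOfImage and lists imported DLLs that are not KnownDLLs and so could be satisfied by a DLL planted beside the EXE. The sample PE is constructed inline (it is not a real binary), KNOWN_DLLS is a hand-picked subset of the real KnownDLLs registry list, and plugin.dll is a hypothetical name.

```python
import struct

# Constructed subset of the KnownDLLs list (the real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs); these are
# always mapped from System32, so a copy next to the EXE is never loaded.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "gdi32.dll"}

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table; None if unmapped."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va)
    return None

def parse_pe(data):
    """Return (SizeOfImage, export dir RVA, import dir RVA, sections) of a PE32/PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    export_rva = struct.unpack_from("<I", data, dd)[0]
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]
    sections = []
    for i in range(nsect):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw, rawsize))
    return size_of_image, export_rva, import_rva, sections

def bogus_exports(data):
    """(ordinal, rva) for every export whose RVA lies outside SizeOfImage.
    The loader only adds the RVA to the image base; nothing checks that the
    result is inside the DLL, which is what the 'virtual export' trick relies on."""
    size_of_image, export_rva, _, sections = parse_pe(data)
    if not export_rva:
        return []
    ed = _rva_to_off(sections, export_rva)
    base, nfuncs = struct.unpack_from("<II", data, ed + 0x10)   # Base, NumberOfFunctions
    eat = _rva_to_off(sections, struct.unpack_from("<I", data, ed + 0x1C)[0])
    bad = []
    for i in range(nfuncs):
        rva = struct.unpack_from("<I", data, eat + 4 * i)[0]
        if rva and rva >= size_of_image:                     # 0 marks an unused ordinal slot
            bad.append((base + i, rva))
    return bad

def imported_dlls(data):
    """DLL names from the import descriptor table, in load order."""
    _, _, import_rva, sections = parse_pe(data)
    names = []
    if not import_rva:
        return names
    off = _rva_to_off(sections, import_rva)
    while True:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                       # all-zero descriptor ends the table
            break
        noff = _rva_to_off(sections, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20
    return names

def hijack_candidates(data):
    """Bare-name imports that are not KnownDLLs: the loader looks for these in the
    application directory first, so a writable app dir lets an attacker plant them."""
    return [n for n in imported_dlls(data) if n.lower() not in KNOWN_DLLS]

def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): one .rdata section with an export
    table holding one valid and one out-of-image RVA, plus two import descriptors."""
    sect = bytearray(0x200)                                     # RVA 0x1000, file offset 0x400
    # IMAGE_EXPORT_DIRECTORY: Base=1, NumberOfFunctions=2, AddressOfFunctions=0x1028
    struct.pack_into("<IIHHIIIIIII", sect, 0, 0, 0, 0, 0, 0, 1, 2, 0, 0x1028, 0, 0)
    struct.pack_into("<II", sect, 0x28, 0x1100, 0xFFFFFFF0)     # EAT: ordinal 1 valid, ordinal 2 bogus
    struct.pack_into("<5I", sect, 0x40, 0, 0, 0, 0x1080, 0)     # descriptor: Name -> kernel32.dll
    struct.pack_into("<5I", sect, 0x54, 0, 0, 0, 0x1090, 0)     # descriptor: Name -> plugin.dll (hypothetical)
    sect[0x80:0x8D] = b"kernel32.dll\0"
    sect[0x90:0x9B] = b"plugin.dll\0"
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", hdr, opt + 56, 0x2000)               # SizeOfImage
    struct.pack_into("<I", hdr, opt + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96, 0x1000, 0x28)        # export data directory
    struct.pack_into("<II", hdr, opt + 104, 0x1040, 0x3C)       # import data directory
    s = opt + 224
    hdr[s:s + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, s + 8, 0x200, 0x1000, 0x200, 0x400)  # VirtualSize, VA, RawSize, RawPtr
    return bytes(hdr + sect)

if __name__ == "__main__":
    pe = build_sample_pe()
    print("exports pointing outside the image:", [(o, hex(r)) for o, r in bogus_exports(pe)])
    print("imports a planted DLL could satisfy:", hijack_candidates(pe))
```

Both checks are heuristics: an out-of-image export RVA is either a broken binary or a deliberate trick of the kind the article describes, and a non-KnownDLL import is only exploitable where the attacker can write to the application directory or to an earlier location in the search order. The parser also only sees the static import table; DLLs loaded later via LoadLibrary need runtime tracing.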
«How to make infected system to depend on the virus» [SRC] 32.36Kb 13928 hits
29a [5] (2000)
This article is intended for vx authors who want to equip their viruses with a method whereby the infected computer becomes dependent on the virus. In this case, if an antivirus cleaned all infected files, the computer would become unusable. And as we can assume, no antivirus will disinfect files by a special method.
Marco Ramilli
«PE Infector» [SRC] 4.77Kb 10121 hits (2011)
Hi folks, today I want to share the simplest way to infect a Windows Portable Executable file. There are many different ways to implement an infection (or injection) by adding code into the PE's free space, but the way I am going to describe is probably the simplest and (with respect to _antony) the most primitive one.
«Gaining important datas from PEB under NT boxes» [SRC] 6Kb 11858 hits
29a [6] (2002)
After some years of using it, you are very familiar with SEH, Structured Exception Handling. When you set up an exception frame you use more or less the same code snippet, which works with the fs selector. Probably you also know that this selector points to a data structure known as the TEB, i.e. the Thread Environment Block. This structure contains a lot of more or less useful values and structures and, what is important for us, also a pointer to the PEB, the Process Environment Block.
«Gaining passwords» [SRC] 7.24Kb 9223 hits
29a [6] (2002)
If you read my article about impersonation, you've probably noticed that to have it working you need the account name and the password. It ain't a big problem to retrieve the account name. The problem is to gain the password, of course. Here I'll present some ideas how to steal passwords...
«Impersonation, your friend» [SRC] 5.89Kb 9486 hits
29a [6] (2002)
Imagine a situation. You're running under the security context of a non-administrator user but you have the admin password (how to gain it, see my next article). You have the privileges you need and now you are thinking: what will I do with it? The answer for you is impersonation. Let's have a look at the MSDN definition of impersonation: Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. There exist a lot of types of impersonation, e.g. DDE, named-pipe, RPC impersonation etc. Generally impersonation is used when the server needs to act for a while as the client. But we will use this method to declare our thread as an admin one and to create admin processes...
«Infecting Winlogon» [SRC] 4.98Kb 9985 hits
29a [6] (2002)
You've probably tried to open the winlogon process via the OpenProcess API with write access. And you've probably failed :) Why? Winlogon is one of the main Win32 subsystem components and thus is protected from modification by other user-mode processes. Like the other components it runs with system privileges, and that's why it's very interesting for us. Imagine a situation: your virus is run under a normal user's security context, but yet you're allowed to modify winlogon. What does it mean for you (except that you can turn off SFP and install a password trojan :))? Everything run in the winlogon process (i.e. also your remote thread) is run under the system privileges, which are equal to administrator ones. So put everything in your virus that needs admin into a remote thread in winlogon and you'll win :) So the key question is: how to make the system let you modify winlogon and other Win32 subsystems? Afaik there are two user-mode ways to achieve it.
«NtVDM under WinNT/2k/XP» [SRC] 8.44Kb 10570 hits
29a [7] (2004)
In this article I would like to present to you the way NT-based operating systems handle DOS and 16-bit Windows programs. It is really interesting, and the subsystem which takes care of this is really a Good Piece of Software (TM) :-) You probably tried to run some old apps or games on your NT box; sometimes you were successful, sometimes not. "Why the hell doesn't my good old game run on my NT machine while on my friend's Win9x it does?" you maybe say to yourself. Well, the NT operating system was designed with security in mind (yeah :-)). That means that processes don't share their memory (at least the writable part of it, with some exceptions of course); if one process crashes, it won't crash the entire operating system or a different, independent process. You don't have write access to the IDT, thus you cannot easily get into ring 0, and you cannot directly access I/O ports. Since most DOS and 16-bit Windows programs don't only use the defined DOS/Windows API but use nasty hacks that talk directly to the hardware and/or access a different process's memory, they simply cannot run under Windows NT without violating one of its main base stones. That's why some kind of jailbox, a virtual machine, is used in Windows NT based operating systems.
«Opening NT boxes for you and your comrades in arms» [SRC] 4.27Kb 8706 hits
29a [6] (2002)
You have infected an NT box and you're running under the security context of a member of the administrators group. Now you can do everything you want with the machine. How to keep the machine open for you even if you log in as a normal user?
«Ring0 under WinNT/2k/XP» 14.08Kb 10429 hits
29a [7] (2004)
Ring 0 under NT? Does it also sound almost religious to you, as it does to me? NT based operating systems weren't written as a toy, so gaining ring 0 under these is much harder (if not impossible) than under Win9x/Me. Yes, there were exploits (like getadmin) that used bugs in the code, but that was badly written code. The design does not have any hole (I believe) that would let non-privileged code run under ring 0 on a well-written system without bugs. But that's it. Microsoft unfortunately doesn't write code without bugs (which degrades the architecture; I wish Microsoft would succeed in this particular task, to write at least one version of the NT system without high priority flaws, to shut the fuckin linux radicals' mouths. Yes, open source is nice, the M$ monopoly is bad, but well, I don't care; if there were a comparably nice OS I would love it (ReactOS is coming :-)), but I don't like *nix; anyway, I do like FreeBSD, but less than NT :-))
«SFP revisited» [SRC] 6.54Kb 8921 hits
29a [7] (2004)
SFP again? you probably say, reading the title of this article. Well, because I found two nice ways to get rid of it, I will bother you once more with it :-)
roy g biv
«Compiled HTML» [SRC] 4.64Kb 8864 hits
Ready Rangers Liberation Front [7] (2005)
Microsoft likes to produce new file formats with more and more content. CHM files allow a single file to contain HTML pages, including graphics and scripts, something like an archive. They are very careful, though, to avoid documenting anything, so creating such files generally relies on their tools. CHMs carry all of the content in a single stream, compressed by the LZX algorithm. It is almost a solid archive, but contains a periodic state reset to make decompression faster (because it is not necessary to decompress the entire archive to reach the last file, but to start from the last reset point and decompress from there).
«Heaven's Gate: 64-bit code in 32-bit file» [SRC] 4.79Kb 22671 hits
On a 64-bit platform there is only one ntoskrnl.exe, and it is 64-bit code. It also uses a different calling convention (registers, so-called "fastcall") compared to 32-bit code (stack, so-called "stdcall"; the old name was "pascal"). So how can 32-bit code run on a 64-bit platform? There is a "thunking" layer in wow64cpu.dll, which saves the 32-bit state, converts parameters to 64-bit form, then runs "Wow64SystemServiceEx" in wow64.dll. But 64-bit registers are visible only in 64-bit mode, so how does wow64cpu.dll work? Here is what I call Heaven's Gate, but first we must go back to ntdll.dll.
«Heaven's Gate: 64-bit code in 32-bit file» [SRC] 7.28Kb 9244 hits
Valhalla #1 (2011)
On a 64-bit platform there is only one ntoskrnl.exe, and it is 64-bit code. It also uses a different calling convention (registers, so-called "fastcall") compared to 32-bit code (stack, so-called "stdcall"; the old name was "pascal"). So how can 32-bit code run on a 64-bit platform? There is a "thunking" layer in wow64cpu.dll, which saves the 32-bit state, converts parameters to 64-bit form, then runs "Wow64SystemServiceEx" in wow64.dll. But 64-bit registers are visible only in 64-bit mode, so how does wow64cpu.dll work? Here is what I call Heaven's Gate, but first we must go back to ntdll.dll.
«How to break the rules with the class libraries» 16.72Kb 14757 hits
29a [7] (2004)
At first look, the object-oriented languages in the .NET framework (C#, C++, JScript, and Visual Basic) seem to be very strict. There are no pointers in JScript and Visual Basic, and they are limited in C# and C++. Type conversion is also restricted.
«Imported code» [SRC] 7.88Kb 5884 hits
Inception #1 (EN) (2013)
It is five years today since I first made this technique, and finally I finish implementing it. After writing virtual code, I tried to find another way to have the operating system construct the code for me. This time, I use the import table to supply all of the values. This required some interesting tricks.
«Subtle SEH» [SRC] 4.38Kb 11771 hits
Everyone knows about Structured Exception Handling these days. First demonstrated in the Cabanas virus in 1998 by jqwerty, now many viruses and other applications use it for obfuscating code and anti-debugging tricks. It usually looks something like this:
«Virtual Code - Windows 7 update» 6.37Kb 5306 hits
Valhalla #3 (2012)
This is a technique that I demonstrated in 2007. My idea is to remove all code from a section and use relocation data to restore it. Since the section then exists only in virtual memory, I call it virtual code.
Alan Solomon
«Windows NT and Viruses» 7.13Kb 8920 hits
[...] As the use of Windows NT continues to grow throughout the corporate world, it becomes increasingly important to understand what impact viruses have under Windows NT [...]
«Dynamic Anti-Emulation using Blackbox Analysis» [SRC] 14.42Kb 6458 hits
Valhalla #2 (2011)
Viruses are threatened by emulators. One can use anti-emulator tricks to avoid emulation, until AVs implement the new trick into their program, so this benefit cannot exceed a few hours? It can, if the virus can find and implement new anti-emulation tricks by itself. This text describes how it can be done.
«Adding LDT entries in Win2K» 7.11Kb 16948 hits
I was surprised when I found that Win2K allows programs to add their own LDT entries. When the first entry is added, an LDT for the current process is created, with the minimal possible size to contain this entry. I.e. if you add one descriptor at LDT offset 16 (selector 0F), the total LDT size will be 24 bytes, and the previous unused entries will be empty.
«Description of the win98/INT 2E services (VMM/NTKERN.VxD)» 44.22Kb 15840 hits
«Entering Ring-0 Using Win32 Api: Context Modification» 5.77Kb 14061 hits
When an operating system is called "mustdie", this means at least something. So, here it is: an unknown, shocking method of entering ring 0 under Win9x.
«Hooking WinNT/2K/XP API v0.01» 2.64Kb 17117 hits
Our task is to hook some API functions in all existing processes, and in all new processes which may be created, under NT/2K/XP operating systems.
«Tracing under Win32» [SRC] 7.06Kb 12636 hits
«Writing into kernel from ring-3: Lets fuck pagetable» [SRC] 15.04Kb 15321 hits
Here a method will be described of writing into any region of memory from ring 3 by means of page table modification.
23 authors, 55 titles