Polymorphic Parasite (x86) WriteUp

[JMC31337]

i may banter a lil in the opening, but that is how i was taught when i was in highschool learning ASM from the ukranians and russians, bootkits from the chinese

You give a short shoutout or point to be made and ya write and code

Here, i use the LCRN (LCG) from the GiantBlack Book of Viruses (Physicist Dr. Mark Ludwig) and his 16-bit many hoops

and recreated it for x86 (32 bit)

VXWriteUp.pdf

[Luca91]

Thank you, I’ll definitely read it tonight!

RIP Mark Ludwig 🪦

I still have his “The little black book of computer viruses” on my bedside table, bought from Amazon US more than 15 years ago! 

[Luca91]

Ok, I just finished reading. Congratulations, it was a good read and made me smile a couple of times... BUT IT'S INCOMPLETE 

 

I have a couple of comments:

1) It looks like you're really determined to 0-out DllCharacteristics to get predictable addresses... but is that really necessary? Other than the WoW64 execution flag exploit, I don't see any real benefit to this. What am I missing? Also, the lack of the execution flag will cause this sample to fail on a real x86 OS.

2) You add 0x1000 to both the raw and virtual addresses because you don't have the real size of the virus. However, there is a real easy trick to get the size: just wrap your viral code with two labels (say _virii_start and _virii_end) and then you can get the real size by substracting _virii_start from  _virii_end.

3) Small QoL improvement: since you provided a huge list of API addresses, you could add a comment at the end of each line, indicating the actual API name.

 

Again, kudos to you for your work! I can't wait to read the missing part! 

Edited 6 hours ago by Luca91