HOW TO INFECT EXECUTABLES ? (100% C/C++ - 0% ASM)
___________________________
I WILL NOT BE RESPONSIBLE FOR THE HARM YOU CAN CAUSE AFTER READING THIS DOCUMENT. I JUST WROTE THIS ARTICLE FOR _INFORMATION ONLY_. I THINK EVERYBODY CAN HAVE ACCESS TO INFORMATION. DON'T BLAME ME ! YOU WON'T FIND ANY SOURCE CODE IN THIS DOCUMENT.
___________________________
YOU CAN DISTRIBUTE THIS ARTICLE EVERYWHERE FOR FREE (only for free) IF YOU DON'T MODIFY IT.
___________________________

Let's start.

You have probably read some tutorials on asm exe infectors. You know that you have to modify the header of the target file and blah blah blah... It's boring, right ? You are lazy, right ? :p You want to infect files with NO asm knowledge ? It's possible ! (yes, you'll be able to code Visual Basic virii with this method)

You have 2 files :

  |foo.exe|       (target)
  |yourself.exe|  (that's you ! argv[0])

Open foo.exe in read/binary mode and put the whole file in a memory buffer, let's call it buffer1. Open yourself.exe in read/binary mode and put it into another buffer, e.g. buffer2. Not very hard, right ?

You now have 2 buffers, but you can't just write them out like that, it won't work. You need a virus "tag" to separate the virus from the old file (foo.exe). Just create a new buffer that holds the tag. You can't do something like :

  char virus_tag[] = "<- Hello, i'm a virus ! ->";

because the complete string "<- Hello, i'm a virus ! ->" would then be stored as-is inside your exe, and when the virus parses itself it would match that string constant instead of the real separator: that's dirty and your virus will be bugged. The trick to get around that is simple, build the tag at runtime from pieces :

  #include <cstring>   /* strcpy, strcat */

  char *virus_tag = new char[50];
  strcpy(virus_tag, "<- ");
  strcat(virus_tag, "Hello,");
  strcat(virus_tag, " I'm ");
  strcat(virus_tag, "a virus !");
  strcat(virus_tag, " ->");   /* a string literal is already NUL-terminated, no explicit "\0" needed */
  /* ... use virus_tag ... then delete[] virus_tag; when you are done with it */

You can now parse your exe files without finding the complete tag everywhere. Reopen the target file in output/binary mode. Write at the beginning "buffer2", then "virus_tag" and finally "buffer1". You now have something like this :

  |virus_file|virus_tag|old_file|

That's it, the file is infected...
When launching the infected file, you'll see that only the virus is launched... That's normal. The virus must parse itself looking for the "virus_tag". If found, it opens a randomly generated temp file (e.g. c:\temp123.exe), puts everything after the "virus_tag" in it, and starts it. Your virus is launched as well as the executable at the same time ! and it will have the name of the infected file in the task manager :) You'd better put the "parse yourself" function at the beginning of the execution if you want your program to be stealthy.

If you don't want to slow down the computer when infecting files, you can play with the SetProcessPriority function or infect a file every 5 minutes.

You now have to code an infection routine that searches for executables to infect; I'll let you do it yourself. You can parse them to know whether they are already infected or not (infecting a file multiple times will bug your virus and hurt your system :p) !

Important ! If an infected file tries to infect another one, it will also copy its own infected executable into the target and you'll get this :

  |virus_file|virus_tag|infected_file1|virus_tag|infected_file2|

That's why you have to copy only the right part of the infected file into buffer1.

You'll see that your virus is slower and bigger than asm virii. Well, if you don't like this method you can still learn asm :)

I coded a trojan for "INFORMATION ONLY" with this infection method. (Cleaner + README included in the zip) (Download it at your own risk, the trojan may harm your system and the cleaner may not work !) !!! YOU HAVE BEEN WARNED !!! You can download it at : http://alkemy.homelinux.org/trooduku/Trooduku+Cleaner.zip

I don't want to post a sample because lazy lamers could use it. I hope you learnt something and... sorry for this English :p. Enjoy
___________________________
GuiguiKun
guillaume@latribu.be
(please, don't ask me for source code)
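The |virus_file|virus_tag|old_file| layout above is exactly what a cleaner has to undo. As an added example (not the author's code, and not the cleaner shipped in the zip), here is a small Python scanner/cleaner that detects the tag in a file image, confirms an executable follows it, and recovers the original host; for the doubly-infected layout it takes everything after the LAST tag. The tag string is the one from the article, the function names are mine, and the file images are constructed stand-ins rather than real executables.

```python
# Tag string from the article (the infector assembles it at runtime from pieces)
VIRUS_TAG = b"<- Hello, I'm a virus ! ->"
DOS_MAGIC = b"MZ"  # every DOS/PE executable starts with this signature


def find_tags(image: bytes, tag: bytes = VIRUS_TAG) -> list[int]:
    """Return the offset of every tag occurrence in a file image."""
    offsets, start = [], 0
    while (pos := image.find(tag, start)) != -1:
        offsets.append(pos)
        start = pos + len(tag)
    return offsets


def is_prepender_infected(image: bytes, tag: bytes = VIRUS_TAG) -> bool:
    """Infected = a tag is present AND an executable image directly follows it."""
    return any(image[off + len(tag):].startswith(DOS_MAGIC)
               for off in find_tags(image, tag))


def recover_host(image: bytes, tag: bytes = VIRUS_TAG) -> bytes:
    """Strip the prepended virus (and any nested re-infection layers).
    The clean original always sits after the LAST tag, so cut there.
    Raises ValueError if the image is not infected or the remainder
    does not look like an executable (never write arbitrary bytes to disk)."""
    tags = find_tags(image, tag)
    if not tags:
        raise ValueError("no virus tag found: not infected with this prepender")
    host = image[tags[-1] + len(tag):]
    if not host.startswith(DOS_MAGIC):
        raise ValueError("data after the tag is not an executable, refusing to restore it")
    return host


# --- constructed sample images (NOT real executables, just stand-ins) ---
SAMPLE_VIRUS = b"MZ" + b"\x90" * 16 + b"fake-virus-code"
SAMPLE_HOST = b"MZ" + b"\x90" * 16 + b"original-program"
SAMPLE_TARGET = b"MZ" + b"\x90" * 16 + b"second-target"
INFECTED_ONCE = SAMPLE_VIRUS + VIRUS_TAG + SAMPLE_HOST
# an already-infected file acting as infector copies itself whole, giving
# |virus|tag|host|tag|target| as described in the article
INFECTED_TWICE = INFECTED_ONCE + VIRUS_TAG + SAMPLE_TARGET

if __name__ == "__main__":
    for name, img in (("once", INFECTED_ONCE), ("twice", INFECTED_TWICE), ("clean", SAMPLE_HOST)):
        state = "infected" if is_prepender_infected(img) else "clean"
        print(f"{name}: {state}, {len(find_tags(img))} tag(s)")
```

Real-world detection would also flag a second "MZ" header appearing after a tag, which the scanner above checks before it agrees to restore anything.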