"Virus code and executable file", I have a doubt
Posted by ssdcool5 on May 17th, 2008


I am reading "Security in Computing" (Pearson Education). In the book it
is written that a virus attaches itself to an executable, or we can say it
appends its code to the exe.
According to my knowledge, an exe is the compiled form of a program's code. Now
the virus appending its code to the exe means it is changing the code. How
is it possible, how does the virus change the exe without decompiling it?
Please solve my doubt.
Thank you

Posted by David H. Lipman on May 17th, 2008


From: "ssdcool5" <ssdcool5@gmail.com>

| I am reading "Security in Computing" (Pearson Education). In the book it
| is written that a virus attaches itself to an executable, or we can say it
| appends its code to the exe.
| According to my knowledge, an exe is the compiled form of a program's code. Now
| the virus appending its code to the exe means it is changing the code. How
| is it possible, how does the virus change the exe without decompiling it?
| Please solve my doubt.
| Thank you

Viruses can be appended, prepended or inserted into the middle of the code.

Trojans also do this to make legitimate files "trojanized". The difference is that the
infected files don't self-replicate.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Posted by Ant on May 17th, 2008


"ssdcool5" wrote:

Executable files have headers, and one will indicate where the program
entry point is; i.e. the first instruction to be executed. An
appending virus will save the value at the entry point (it doesn't
need to decompile it) and replace it with its own instruction to jump
to the virus code. It may then restore the saved value and jump to it
afterwards so the original code can run.



Posted by ssdcool5 on May 17th, 2008


On May 18, 3:46 am, "Ant" <n...@home.today> wrote:
But the program entry point is in the form of code itself; I mean to say
it is an instruction in the code, isn't it? That means ultimately the
code of the executable is changed. If that's OK then it must be decompiled.
I don't know whether I am right or wrong; please explain your statement "virus will
save the value at the entry point". What value?

Posted by ssdcool5 on May 17th, 2008


Is there any other way to edit an executable file other than decompiling
it?

Posted by Ant on May 18th, 2008


"ssdcool5" wrote:

Yes.

Yes.

No.

The code at the entry point.

Let's try again. The infecting program looks in the header of the
executable it wants to infect for the location of the entry point in
the code. It then overwrites what's at the entry point with a jump to
the virus code. It may save what was originally at the entry point (it
only needs to save as much data as it will overwrite) so it can
restore it later. It doesn't need to decompile anything; it only needs
to properly read the header for the information required.



Posted by ssdcool5 on May 18th, 2008


On May 18, 5:10 am, "Ant" <n...@home.today> wrote:
I understand what you are saying, but my question is how can any virus
read the source code of the exe without decompiling it?


Posted by David W. Hodgins on May 18th, 2008


On Sat, 17 May 2008 20:24:38 -0400, ssdcool5 <ssdcool5@gmail.com> wrote:

There is no need to see source code. The virus writer does have to have
a basic understanding of the structure of an exe file, and a small amount
of knowledge of machine language.

The simplest viruses will just append their code to the exe file. Use
the entry address copied from the header to build a jump instruction,
and append that to the file, so that the real program will run after
the virus. Modify the entry point in the exe header to point to the
old end-of-file address+1 (i.e. the start of the virus), so it gets
control when the program is started.

The virus doesn't need any information about what the program it's infecting
does, as all exe files have standard formats, for the headers at the start
of the file. All the virus writer needs to know, is the header format,
how to append stuff to a file, how to construct a jump instruction, and how
to update part of the file, in place.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
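The file-level steps Dave describes, as an added example that is not part of the original thread and is nobody's actual virus code: a Python script builds a constructed 16-bit MZ image, reads CS:IP from the header fields at 0x14 and 0x16, appends a two-byte marker followed by a far jump back to the original entry, and rewrites the header's entry and size fields. Everything is done by header offsets; nothing is disassembled. The sample image, the NOP marker and the function names are this example's assumptions, not the page's.

```python
import struct

# MZ header fields (offsets from the start of the file)
E_CBLP, E_CP, E_CPARHDR = 0x02, 0x04, 0x08   # bytes on last page, pages in file, header paragraphs
E_IP, E_CS = 0x14, 0x16                       # initial IP and CS: the DOS entry point


def read_entry(img: bytes):
    """Return (cs, ip) straight from the header. Nothing is disassembled."""
    if img[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    ip, cs = struct.unpack_from("<HH", img, E_IP)
    return cs, ip


def header_size(img: bytes) -> int:
    """The load module (the program proper) starts e_cparhdr paragraphs into the file."""
    cparhdr, = struct.unpack_from("<H", img, E_CPARHDR)
    return cparhdr * 16


def entry_file_offset(img: bytes) -> int:
    """File offset DOS would start executing at; handy for comparing before/after."""
    cs, ip = read_entry(img)
    return header_size(img) + cs * 16 + ip


def append_and_redirect(img: bytes, code: bytes) -> bytes:
    """The steps from the post, done purely by offsets:
    1. read the old CS:IP from the header,
    2. append `code` followed by a far jump back to old CS:IP,
    3. point the header's CS:IP at the appended bytes and fix the size fields."""
    out = bytearray(img)
    old_cs, old_ip = read_entry(img)
    new_off = len(img) - header_size(img)          # offset of the appended bytes inside the load module
    new_cs, new_ip = new_off >> 4, new_off & 0xF   # a paragraph:offset pair that addresses it
    # JMP FAR old_cs:old_ip encodes as EA <ip lo> <ip hi> <cs lo> <cs hi>
    out += code + b"\xEA" + struct.pack("<HH", old_ip, old_cs)
    struct.pack_into("<HH", out, E_IP, new_ip, new_cs)
    # DOS derives the load size from e_cp (512-byte pages) and e_cblp (bytes on the
    # last page, 0 meaning a full page). Without updating them the appended bytes
    # would never be read into memory; the post leaves this detail out.
    pages, rem = divmod(len(out), 512)
    struct.pack_into("<HH", out, E_CBLP, rem, pages + (1 if rem else 0))
    return bytes(out)


def build_sample() -> bytes:
    """Constructed 16-bit MZ image for this example (not from any real program):
    a 32-byte header followed by a 4-byte program, mov ah,4Ch / int 21h (DOS exit)."""
    body = b"\xB4\x4C\xCD\x21"
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, E_CPARHDR, 2)                    # header = 2 paragraphs
    struct.pack_into("<HH", hdr, E_IP, 0, 0)                     # entry at 0000:0000
    total = 32 + len(body)
    struct.pack_into("<HH", hdr, E_CBLP, total % 512, (total + 511) // 512)
    return bytes(hdr) + body


if __name__ == "__main__":
    original = build_sample()
    marker = b"\x90\x90"   # stand-in for the appended code: two NOPs (constructed)
    patched = append_and_redirect(original, marker)
    print("entry before: CS:IP=%04X:%04X at file offset %d"
          % (*read_entry(original), entry_file_offset(original)))
    print("entry after:  CS:IP=%04X:%04X at file offset %d"
          % (*read_entry(patched), entry_file_offset(patched)))
    print("original program bytes untouched:", patched[32:36] == original[32:36])
```

Two things worth noticing when you run it: the original program bytes are never read, let alone understood, and after the rewrite the header's entry point lands exactly at the old end of file. An entry point sitting at the tail of the file, past everything the linker produced, is precisely the kind of thing the later posts mean when they say this class of virus is easy for scanners to catch.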

Posted by ssdcool5 on May 18th, 2008


On May 18, 6:13 am, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

But I can analyze your answer and come to the conclusion that the virus
writer writes separate assembly language code and gets it appended
to the exe file, so that the code of the exe is not accessed. Is that
right?

Posted by David W. Hodgins on May 18th, 2008


On Sat, 17 May 2008 22:23:43 -0400, ssdcool5 <ssdcool5@gmail.com> wrote:

Most viruses are written in assembler. There are virus "kits" that
let script kiddies write viruses in higher level languages and then
use the kit to generate the actual installation executable, but
they tend to be very easy for the anti-virus writers to ID.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Posted by ssdcool5 on May 18th, 2008


On May 18, 8:11 am, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:
See, my intention is not to understand how viruses are written, but
to understand how an executable can be modified.
I know about the virus maker kits; in 1994 they made chaos in the computer
world.
Please, somebody tell me about the exe file.

Posted by Jim on May 18th, 2008



"ssdcool5" <ssdcool5@gmail.com> wrote in message
news:bc5a1cc7-a8b7-4c04-ba5f-344c10469adb@k13g2000hse.googlegroups.com...
optimizations applied to source code during compilation, the best one can do
is disassemble the program.
Understanding the output of the disassembler is quite difficult. Since all a
malware writer needs to know is the size of the file, the location of the
entry point, and the address contained at that location, there is no need to
disassemble anything.
Jim



Posted by ssdcool5 on May 18th, 2008


On May 18, 8:38 am, "Jim" <jim-nor...@sbcglobal.com> wrote:
But the location of the entry point can be recognized only if one has
access to the code. Is that right?
Without disassembling, how can he get the address?

Posted by David W. Hodgins on May 18th, 2008


On Sat, 17 May 2008 23:49:54 -0400, ssdcool5 <ssdcool5@gmail.com> wrote:

The formats of the various exe headers are well documented. All the virus
writer has to do is read the .exe file, and copy the address of the entry
point, (which is stored at a specific offset in all exe files) into a
manufactured jump instruction, back to the original entry point, append
the manufactured jump instruction to the end of the virus code, and then
replace the original entry point with the address that will start the virus.

Such viruses are pretty rare now, as the type of code required is pretty
easy for virus scanners to catch.

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Posted by David W. Hodgins on May 18th, 2008


On Sat, 17 May 2008 23:49:54 -0400, ssdcool5 <ssdcool5@gmail.com> wrote:

Just to clarify, the address is stored in the file, in a well known
location.

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Posted by ssdcool5 on May 18th, 2008


On May 18, 12:14 pm, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:
I searched the net but I didn't find the documentation of the exe file.
Can you mention some links about the documentation of executables, and if
you know, some links about the .exe, bin and com specifications regarding
headers, data fields etc.?
Thank you very much

Posted by ssdcool5 on May 18th, 2008


On May 18, 12:16 pm, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

Posted by Jim on May 18th, 2008



"ssdcool5" <ssdcool5@gmail.com> wrote in message
news:aa71eee1-f318-4dd5-a21b-7ffee58d215e@z72g2000hsb.googlegroups.com...
On May 18, 12:14 pm, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:
I searched the net but I didn't find the documentation of the exe file.
Can you mention some links about the documentation of executables, and if
you know, some links about the .exe, bin and com specifications regarding
headers, data fields etc.?
Thank you very much


You are not likely to find such documentation on the internet. It is
probably only found in a book on Windows internals.
Jim



Posted by Jim on May 18th, 2008



"ssdcool5" <ssdcool5@gmail.com> wrote in message
news:9e93211b-7190-437d-8159-8da72c4d4817@b64g2000hsa.googlegroups.com...
On May 18, 12:16 pm, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

All you need to do is examine the permissions. Any account which has
write permission can do whatever it wishes with an executable.
Jim



Posted by David W. Hodgins on May 18th, 2008


On Sun, 18 May 2008 12:24:48 -0400, ssdcool5 <ssdcool5@gmail.com> wrote:

The first entry returned from a Google search of "exe header format" is
http://www.delorie.com/djgpp/doc/exe/
The initial value of the ip register is the start point, and is stored
in two bytes at an offset of 0x14 bytes into the file. Note that this
format is for 16-bit DOS executables. 32- and 64-bit exe files use the PE
format, which is described at
http://en.wikipedia.org/wiki/Portable_Executable with links
at the end of the document to an MS site where you can download the
details.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
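Since the thread ends at the PE format, here is an added example (not from the original posts) that reads the entry point the same way for a PE32/PE32+ file: follow e_lfanew at 0x3C to the "PE\0\0" signature, take AddressOfEntryPoint from the optional header, and walk the section table. It then applies the kind of heuristic that makes appended code easy for a scanner to catch: an entry point lying outside every section, in the last section, or in a writable section. The two constructed sample images, the section names and the function names are this example's assumptions, not the page's.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Read the entry point and section table from a PE image by header offsets only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)        # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections = []
    table = opt + size_opt                                  # IMAGE_SECTION_HEADER[] follows
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"magic": magic, "entry_rva": entry_rva, "sections": sections}


def entry_section(pe: dict):
    """Index of the section whose virtual range contains the entry RVA, or None."""
    for i, s in enumerate(pe["sections"]):
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= pe["entry_rva"] < s["va"] + span:
            return i
    return None


def entry_point_findings(pe: dict) -> list:
    """Cheap scanner heuristics for code bolted on after the linker finished."""
    findings = []
    idx = entry_section(pe)
    secs = pe["sections"]
    if idx is None:
        return ["entry point outside every section"]
    s = secs[idx]
    if idx == len(secs) - 1 and len(secs) > 1:
        findings.append("entry point in the last section (%s)" % s["name"])
    if not s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry section %s is not marked as code" % s["name"])
    if s["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % s["name"])
    return findings


def build_sample(entry_rva: int, sections) -> bytes:
    """Constructed, non-runnable PE32 image: just enough headers to parse.
    `sections` holds (name, va, vsize, rawptr, rawsize, characteristics) tuples."""
    e_lfanew = 0x40
    mz = bytearray(e_lfanew)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    size_opt = 0xE0                                         # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, va, vsize, rawptr, rawsize, chars in sections)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed section layouts: a normal .text/.data pair, and the same pair with an
# extra executable+writable section appended and the entry point moved into it.
TEXT = (b".text", 0x1000, 0x800, 0x400, 0x800,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x2000, 0x200, 0xC00, 0x200,
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
ADDED = (b".added", 0x3000, 0x400, 0xE00, 0x400,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN = build_sample(0x1000, [TEXT, DATA])
INFECTED = build_sample(0x3000, [TEXT, DATA, ADDED])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        pe = parse_pe(img)
        print(label, "entry RVA 0x%x" % pe["entry_rva"], entry_point_findings(pe) or "no findings")
```

The parser is the whole point of the thread in twenty lines: every value it needs sits at a fixed, documented offset, so neither the infector nor the scanner ever interprets the program's instructions. The heuristics are deliberately blunt, which is why they also fire on legitimately packed or self-modifying executables; treat a hit as a reason to look closer, not as a verdict.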