modify the EXE Header and the Relocation Pointer Table, as well
as adding its own code to the Load Module. This can be done in a
whole variety of ways, some of which require more work than
others. The INTRUDER virus will attach itself to the end of an EXE
program and gain control when the program first starts.
INTRUDER will have its very own code, data and stack
segments. A universal EXE virus cannot make any assumptions
about how those segments are set up by the host program. It would
crash as soon as it finds a program where those assumptions are
violated. For example, if one were to use whatever stack the host
program was initialized with, the stack could end up right in the
middle of the virus code with the right host. (That memory would
have been free space before the virus had infected the program.) As
soon as the virus started making calls or pushing data onto the stack,
it would corrupt its own code and self-destruct.
To set up segments for the virus, new initial segment values
for cs and ss must be placed in the EXE file header. Also, the old
initial segments must be stored somewhere in the virus, so it can
pass control back to the host program when it is finished executing.
We will have to put two pointers to these segment references in the
relocation pointer table, since they are relocatable references inside
the virus code segment.
Adding pointers to the relocation pointer table brings up
an important question. To add pointers to the relocation pointer
table, it may sometimes be necessary to expand that table’s size.
Since the EXE Header must be a multiple of 16 bytes in size,
relocation pointers are allocated in blocks of four four byte pointers.
Thus, if we can keep the number of segment references down to
two, it will be necessary to expand the header only every other time.
On the other hand, the virus may choose not to infect the file, rather
than expanding the header. There are pros and cons for both
possibilities. On the one hand, a load module can be hundreds of
kilobytes long, and moving it is a time consuming chore that can
make it very obvious that something is going on that shouldn’t be.
On the other hand, if the virus chooses not to move the load module,
then roughly half of all EXE files will be naturally immune to
infection. The INTRUDER virus will take the quiet and cautious
approach that does not infect every EXE. You might want to try the
other approach as an exercise, and move the load module only when
necessary, and only for relatively small files (pick a maximum size).
No comments:
Post a Comment