Visual Basic .NET Source Code Infection
---------------------------------------
alcopaul/brigada ocho
may 16, 2011

Intro
-----
Source code infection is not new, but it is interesting to implement, especially in new languages. So far, there has been no appearance of a Visual Basic .NET source code infector on the internet, until now.

Simple Method
-------------
A VB.NET source code infector can just copy itself to all *.vb files with "Sub Main()" or "Form_Load()" on the hard disk. But we don't wanna do that. Why? To make things elegant (hehehhe) and to save the virus some computing time. We don't wanna read *.vb files that are uninfectable (*.Designer.vb, AssemblyInfo.vb and other .vb files that are usually within the \My Project folder).

Our Method
----------
We can make our virus

1.) Search for a Visual Basic project file (*.vbproj) to ensure that there are compilable VB.NET projects on the hard disk. A .vbproj file is an XML file that contains information about a project. Important keys are Project/PropertyGroup/StartupObject and (Reference Include="namespace" /).

2.) Parse a .vbproj file and get the value of Project/PropertyGroup/StartupObject. The possible values are:

    a.) (Anyname).My.MyApplication - A Windows Forms Application. The Startup Class name is stored in .\My Project\Application.myapp. In Application.myapp, the key MyApplicationData/MainForm holds the Startup Class name.

    b.) (Anyname).(ModuleName) - A Non-Forms/Console Application. The Startup Module name is \ (ModuleName). Most likely to contain a Sub Main().

    c.) Sub Main - Most likely a Console Application that starts on Sub Main().

3.) After it acquires the project type (a Windows Form, which probably has a "_Load(", or a non-Form/Console, which probably has a "Sub Main()"), examine the *.vb files that come with it, which are usually in the same directory as the .vbproj file.

4.) If the project is a Windows Form, check a .vb file for the Startup Class Name. If found, the file is set up as a startup and most probably contains a "_Load(". To be sure, check again for "_Load(". If found, it means we can infect the file. Otherwise, examine the next .vb file.

5.) If the project is a non-Form/Console, check a .vb file for the Startup Module Name. If found, the file is set up as a startup and most probably contains a "Sub Main()". To be sure, check again for "Sub Main()". If found, it means we can infect the file. Otherwise, examine the next .vb file.

6.) Infect the file. Read the source from itself, then write to the .vb file.

How Is This Possible?
---------------------
When we run a source in the IDE, it is compiled in the IDE and the resulting .exe is run. The .exe generates the source code from itself (through quining) and does the file searching and infecting.

Demo Code
---------
A demo code comes with this article. Check it out in the Sources section.

Conclusion
----------
Visual Basic .NET source code infection is not rocket science. Go search a programming language and make a source code infector.
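
The startup-file lookup described under "Our Method" also tells a defender which source files deserve integrity monitoring. The sketch below is an added example, not the demo code that accompanies the article: it resolves each project's startup file and reports hash drift against a baseline. The function names are hypothetical, the sample project is constructed, and treating an empty StartupObject as Sub Main is an assumption.

```python
# Added example: helper names are hypothetical; the project in demo() is constructed.
import hashlib, re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def first_text(xml_path, tag):
    """Text of the first element named `tag`, ignoring any XML namespace."""
    for el in ET.parse(xml_path).iter():
        if el.tag.rsplit("}", 1)[-1] == tag and el.text:
            return el.text.strip()
    return None

def startup_files(vbproj):
    """Source files that declare the startup class/module named by the project."""
    vbproj = Path(vbproj)
    startup = first_text(vbproj, "StartupObject") or "Sub Main"  # assumption: empty means Sub Main
    if startup.endswith(".My.MyApplication"):       # Windows Forms project
        myapp = vbproj.parent / "My Project" / "Application.myapp"
        form = first_text(myapp, "MainForm") if myapp.exists() else None
        if not form:
            return []
        decl = rf"\bClass\s+{re.escape(form)}\b"
    elif startup.lower() == "sub main":
        decl = r"\bSub\s+Main\s*\("
    else:                                           # (Anyname).(ModuleName)
        decl = rf"\bModule\s+{re.escape(startup.rsplit('.', 1)[-1])}\b"
    return [f for f in sorted(vbproj.parent.glob("*.vb"))
            if not f.name.endswith(".Designer.vb")  # generated code, not hand-edited
            and re.search(decl, f.read_text(errors="replace"), re.I)]

def snapshot(root):
    """Map every startup source file under `root` to its SHA-256 digest."""
    return {str(f): hashlib.sha256(f.read_bytes()).hexdigest()
            for proj in Path(root).rglob("*.vbproj") for f in startup_files(proj)}

def drift(baseline, current):
    """Startup files that are new or whose content changed since `baseline`."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def demo():
    """Constructed sample project: baseline it, change one file, report drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "App.vbproj").write_text("<Project><PropertyGroup>"
            "<StartupObject>App.Module1</StartupObject></PropertyGroup></Project>")
        (root / "Module1.vb").write_text("Module Module1\nSub Main()\nEnd Sub\nEnd Module\n")
        (root / "Util.vb").write_text("Module Util\nEnd Module\n")
        base = snapshot(root)
        (root / "Module1.vb").write_text("Module Module1\n' unexpected edit\nEnd Module\n")
        return [Path(p).name for p in drift(base, snapshot(root))]
```

Calling demo() returns the names of the changed startup files for the constructed project. In practice the snapshot() output would be stored alongside the repository and compared before each build.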