

hh86 corner
agonisthh86@gmail.com or twitter or tumblr or homepage

Articles:


My articles and tutorials:
2013.11: Using CUDA PTX for decryption ~ 8 kB | also released in valhalla #4
2013.10: GPU powered file infection ~ 7 kB | also released in valhalla #4
2013.09: Java Class infection from PE32 files ~ 7 kB | also released in valhalla #4
2013.08: Infecting PE files with Java Bytecode ~ 7 kB | also released in valhalla #4
2013.07: EPO In Windows 64-bit ~ 5 kB | also released in Dark-Codez #5
2012.12: Debug Assisted Decoding ~ 7 kB | also released in valhalla #3
2012.12: Inline JScript For x86 Cryptography ~ 6 kB | also released in valhalla #3
2012.12: Infect Using CFF Explorer Scripting ~ 9 kB | also released in valhalla #3
2012.02: The flag of virtual space: Nonstandard Code Recreation ~ 10 kB | together with SPTH | also released in valhalla #2
2011.08: The Masquerader ~ 4 kB | also released in valhalla #1
2011.08: Function Me ~ 4 kB | also released in valhalla #1
2011.05: I Err.Raise, you fall ~ 7 kB | also released in valhalla #1
2011.05: Hidden in .NET ~ 5 kB | also released in valhalla #1
2010.12: BTX encryption ~ 5 kB | also released in Virus-writing Bulletin 2011
2010.12: The DLIT EPO technique ~ 3 kB | also released in Virus-writing Bulletin 2011
2010.12: EPO in C LUA DLLs ~ 3 kB | also released in Virus-writing Bulletin 2011
2010.12: The true Export/Import business ~ 4 kB | also released in Virus-writing Bulletin 2011

Other texts:
2013.10: Interview with JPanic ~ 28 kB | together with SPTH | also released in valhalla #4
2013.10: Interview with roy g biv ~ 21 kB | together with SPTH | also released in valhalla #4
2012.08: Interview with VirusBuster about 29A ~ 18 kB | together with SPTH | also released in valhalla #3
2012.01: Interview with Peter Ferrie ~ 43 kB | together with SPTH | also released in valhalla #2



Viruses:


2013.10: W32.GLaDOS.B (also released in valhalla #4)
- W32 PE infector
- infects files using the CUDA GPU
- heavily optimized
- Written in assembler and PTX code (~910 lines)


2013.10: W32.GLaDOS (also released in valhalla #4)
- encrypted W32 PE infector
- decryption through GPGPU on CUDA capable devices using PTX code
- heavily optimized
- Written in assembler and PTX code (~1000 lines)


2013.09: W32.Grimes (also released in valhalla #4)
- Java Class infector using W32 code
- Prepends method table with its own method containing dropper code
- heavily optimized
- Written in assembler (~920 lines)


2013.08: Java.Sojourner (also released in valhalla #4)
- W32 PE infector using Java code
- Java class written in the assembler-like "Jasmin" language
- heavily optimized
- Written in assembler (~340 lines) and Jasmin-assembler (~420 lines)


2013.07: W32.NOON (also released in Dark-Codez #5)
- First virus using Pike files
- Infects Pike files using W32 code
- heavily optimized
- Written in assembler (~490 lines)


2012.12: W32.CFFe (also released in valhalla #3)
- First virus using CFF Explorer
- Infects W32 PE files using CFF scripts
- heavily optimized
- Written in assembler (~470 lines)


2012.12: W32.Unit00 (also released in valhalla #3 - Peter Ferrie: It's Mental Static, in VirusBulletin 03.2013)
- Infects W32 PE files
- Runs JavaScript inline by using OCX techniques
- Uses JavaScript to encrypt/decrypt the PE file with RC4 algorithm
- heavily optimized
- Written in assembler (~870 lines)


2012.12: W32.Atlas (also released in valhalla #3 - Peter Ferrie: Another Tussle With Tussie, in VirusBulletin 11.2013)
- Infects W32 PE files
- Decrypts itself using its own debugger
- heavily optimized
- Written in assembler (~710 lines)


2012.12: W32.Sigrun.C (also released in valhalla #3 - Peter Ferrie: A(c)es High, in VirusBulletin 02.2013)
- Infects W32 PE files
- First virus using AES-NI for AES128 encryption
- Transforms decrypter to encrypter: no need for two separate routines
- heavily optimized
- Written in assembler (~640 lines)


2012.03: W32.Posey (also released in valhalla #2 - Peter Ferrie: Tussling With Tussie, in VirusBulletin 08.2013)
- Infects W32 PE files
- Encodes the virusbody in the file-geometry
- Distances between exceptions carry the code information
- heavily optimized
- Written in assembler (~400 lines)


2012.03: W32.Fizzy (also released in valhalla #2 - Peter Ferrie: So, Enter Stage Right, in VirusBulletin 06.2012)
- Infects W32 PE files
- Uses special effects of the ENTER instruction to decrypt the virusbody
- heavily optimized
- Written in assembler (~400 lines)


2011.08: W32/64.Sofia (also released in valhalla #1 - Peter Ferrie: "Amfibee"-ous Vehicle, in VirusBulletin 04.2012)
- Infects W32 PE and W64 PE+ files
- code runs natively on both platforms
- Takes advantage of the relationship between the 32-bit and 64-bit instruction sets
- heavily optimized
- Written in assembler (~550 lines)


2011.08: W32.Sigrun.B (also released in valhalla #1 - Peter Ferrie: If Svar Is The Answer, in VirusBulletin 02.2012)
- Infects W32 PE files
- Uses MMX instruction PMOVMASKB for encryption
- heavily optimized
- Written in assembler (~550 lines)


2011.08: W64.Sigrun.A (also released in valhalla #1 - Peter Ferrie: This Sig Doesn't Run, in VirusBulletin 01.2012)
- Infects W64 PE+ files
- Uses MMX instruction MASKMOVQ for encryption
- heavily optimized
- Written in assembler (~550 lines)


2011.05: W64.Haley (also released in valhalla #1 - Peter Ferrie: "Holey" Virus, Batman!, in VirusBulletin 09.2011)
- Infects W64 PE+ files
- Implements a new way of EPO using Exception Directory
- heavily optimized
- Written in assembler (~400 lines)


2010.12: W32.Exim (also released in Virus Writing Bulletin 2011)
- description soon
- Written in assembler


2010.12: W32.Haley (also released in Virus Writing Bulletin 2011)
- description soon
- Written in assembler


2010.12: W32.Bittersweet (also released in Virus Writing Bulletin 2011)
- description soon
- Written in assembler


2010.12: W32.Moon (also released in Virus Writing Bulletin 2011)
- description soon
- Written in assembler


2009.12: W32.Deelae-Family (Peter Ferrie: Deelaed Learning, in VirusBulletin 11.2010)
- Infects W32 PE files
- Implements new way of EPO using Delay Import Descriptor
- Written in assembler