EPO in C LUA DLLs. ● glósóli ● .
When for the first time I heard that LUA script files could use functions from
DLL files, I thought how to infect them. First, I created a virus that could
infect LUA script files to make it load the DLL of the virus. It was W32.Luna,
but it was very simple thing, since the only that it does it to trick LUA.
However, the DLLs that do export functions for the script files to use are a
little bit more complicated than mine. ;) They are often known as LUA C Libs.
Those DLLs contain an export that is "openlib_MODULENAME" being MODULENAME the
DLL's name (however, this not always true). It is usually the first export
(ordinal 1, and this is not always true, too). This function registers a
structure (like an export table) that contains a serie of pointers to names
and functions - that LUA script files use.
Export Table, looks like this:
DWORD offset FunctionName
DWORD offset FunctionAddress
Unfortunately, there is no address in the image structures for the exports, so
we need to parse the code for that. But this is very easy. The registration of
the export table happens (usually) when the first export (openlib_MODULENAME)
is called. To get it, we must first find a call to an API from LUA 5.1:
luaL_openlib. I believe the are some other APIs, too.
But here is a declaration for that API:
in DWORD p1 //state
in DWORD p2 //library name
in DWORD p3 //export table address
in DWORD p4 //up values
The parameter we want to get is p3, obviously. ;) Then you change the address
in the export table to point to virus code and that is all.
Virus-writing Bulletin 2011