ejes consulting

Techincal Consulting Design and Automation

I call Phoney

leave a comment »

So today I was stumbling around on the internet, and found this kids site:

http://cyberfreax.in/2011/11/15/how-to-create-a-virus-2/

which features “how to create a virus”  Who could help themselves but read?

It turns out that this kid is completely full of it.  He tells you to copy this:

01100110011011110111001001101101011000010111010000
100000011000110011101001011100 0010000000101111010100010010111101011000

into a text file and rename it to something.exe and then run it.

Of course anyone with a bit of understanding on how the binary loader works would know that the loader wouldn’t recognize this as an executable program; ALL executable programs in windows start with either “MZ” or “PE”.  These are the “magic numbers” that tell the binary loader that these are, in fact, executable.

There is a lot going on behind the scenes here so let me explain WHY this won’t work.

Inside of a regular “exe” program is a structure to help the operating system determine how to load this program.  The structure looks like this (in C notation):

(info from: http://www.delorie.com/djgpp/doc/exe/)

struct EXE {
  unsigned short signature; /* == 0x5a4D */
  unsigned short bytes_in_last_block;
  unsigned short blocks_in_file;
  unsigned short num_relocs;
  unsigned short header_paragraphs;
  unsigned short min_extra_paragraphs;
  unsigned short max_extra_paragraphs;
  unsigned short ss;
  unsigned short sp;
  unsigned short checksum;
  unsigned short ip;
  unsigned short cs;
  unsigned short reloc_table_offset;
  unsigned short overlay_number;
};

The first short integer ‘signature’ is always 5a4d in MZ executables (by far less complex than PE executables) this is how the loader knows that this is a valid executable.

The first 16-bit integer is the number of bytes in the last block, unless it’s set to zero, which means the whole last block (152 bytes) is used.

The next 16-bit integer is total number of blocks in the executable file, and if the previous short integer is not zero, that number of the last block is used.

The next short is the number of relocation entries in the header, and the next is the number of “paragraphs” in the header.  Followed by the number of paragraphs of additional memory the program would need (that is, if there isn’t at least this many bytes free the loader will not try to load this program) most programmers know this as the BBS size. And finally, following that, is the maximum number of paragraphs of additional memory.

The next part is the relative value of the stack segment.  This value is added to the segment the program is loaded into, and used to initialize the SS (stack segment) register.

The next value is the initial value of the SP (stack pointer) register.  Then a word which is a checksum, which is usually not used.

The next is the initial value of the IP (instruction pointer) register, and then the CS (code segment) register (which is relative to the segment of the program loaded).  Then the offset of the first relocation item in the file, and finally ending with the overlay number.

If you examine the “binary” that Srivathsan provided, obviously none of this structure “fits.”

So what IS Srivathsan trying to pull?  Let’s take the binary, and bring it to a Binary-to-Ascii conversion site.  I used this one:

http://www.roubaixinteractive.com/PlayGround/Binary_Conversion/Binary_To_Text.asp

I pasted the “binary”, and pressed “To Text” and it comes back with:

format c:\ /Q/X

Oh!!  So he just encoded a “format” command and expected it to run.

This will NOT work.

So, what will work then?

There’s an older format, called “.COM” format that does still run in windows (XP tested).  A Com file (http://en.wikipedia.org/wiki/COM_file) is far less complex, it contains no header information, no relocation and no far jumps.

So it looks to me like you CAN use a .COM file in this way.  So now, to find some executable information you can place in this .com file.

To do this, I did a quick Google for “printable shellcode” and came back with a whole slew of stuff.  I chose this (i got it here(http://r00tsecurity.org/forums/topic/12019-16-bit-printable-shellcode-hello-world/):

X5))%@IP5YI5Y@5P!%PAP[55!5e 5O!54(P^)7CC)7SZBBXPSRABCABCABCABCABCABCABCABCABCZ[XH+H*hello world!$

As you might suspect from the final string, this is simply a “hello world” program; in printable ASCII!!

So, all you have to do is copy the above code, paste it into a text file, and rename the .txt extension to .com and ‘ta-da’ instant executable binary.

Nice try http://cyberfreax.in LOL

Advertisements

Written by ejes

November 17, 2011 at 1:30 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: