Fighting EPO Viruses
Thursday, 30 June 2005
This short article describes the so-called Entry-Point Obscuring (EPO) virus coding technique, primarily through a direct analysis of the Win32.CTX.Phage virus. The reader should know the basics of IA-32 assembly and the main elements of the Portable Executable (PE) file structure to fully understand this article. The author also advises the reader to review the Win32.CTX.Phage description written by Peter Szor and Wason Han, since this article does not cover all the features of the virus.

Why EPO and Win32.CTX.Phage


Entry-point obscuring viruses are very interesting because their detection, disinfection and removal
are so difficult. Nowadays the EPO technique is used in many different ways; however,
Win32.CTX.Phage has been chosen for this article because it was written by the author of other
infamous viruses such as Win9x.Marburg (one of the first Windows 9x polymorphic viruses, and the
first of them to appear on the WildList) and Win9x.HPS. The author of these viruses is known for his
difficult-to-detect and difficult-to-disinfect creations. CTX.Phage in particular combines many
techniques that make the disinfection process highly difficult, even once the virus is fully understood.

Understanding the Entry-Point Obscuring (EPO) technique


When a virus infects a file, it must find some way to gain control and be executed. Most PE file
infectors take the most common route: they simply change the entry point of the infected
application so that it points to the virus body. An example is shown below.

[Figure: entry-point redirection by a simple PE infector]
Original EXE: Entry-point 0x1000 (.code section)
Infected EXE: Entry-point 0x6000 (.reloc section)


Such virus activity is very easy to detect, as it usually results in files whose entry point resides outside
the code section, and which are therefore marked as suspicious by a virus scanner. Here is some example
code which detects this type of infection (it checks whether the entry-point section is the last section):

// --- snip of scanner code ------------------------------------------------
...(snip)...
sections = pPE->FileHeader.NumberOfSections;
// The section table follows the NT headers (assumes a standard-sized optional header)
pSH = (PIMAGE_SECTION_HEADER)((DWORD)mymap + pMZ->e_lfanew + sizeof(IMAGE_NT_HEADERS));
while (sections != 0) {
    // Validate the section header itself, not the address of the pointer variable
    if (IsBadReadPtr(pSH, sizeof(IMAGE_SECTION_HEADER)) == TRUE)
    {
        printf("[-] Error: Bad PE file\n");
        goto error_mode4;
    }
    // Name is an 8-byte field that is not necessarily NUL-terminated: copy it out
    // (the field is an array, so it can never be NULL; an empty name is the case to handle)
    char secname[9];
    memcpy(secname, pSH->Name, 8);
    secname[8] = '\0';
    if (secname[0] == '\0') strcpy(secname, "NONAME");
    startrange = (DWORD) pSH->VirtualAddress + pPE->OptionalHeader.ImageBase;
    endrange   = (DWORD) startrange + pSH->Misc.VirtualSize;
    ...(snip)...
    // Remember the section whose virtual range contains the entry-point RVA
    if (pSH->VirtualAddress <= pPE->OptionalHeader.AddressOfEntryPoint &&
        pPE->OptionalHeader.AddressOfEntryPoint < pSH->VirtualAddress +
        pSH->Misc.VirtualSize)
    {
        printf("[+] Checking call/jump requests from %s section (EP)\n",
               secname);
        pSHC = pSH;
    }
    pSH++;
    sections--;
}
pSH--;   // pSH now points at the last section header
if (pSHC == NULL)
{
    printf("[-] Error: invalid entrypoint\n");
    goto error_mode4;
}
// %.8s: the raw Name field has no terminator when all 8 bytes are used
printf("[+] Starting heuristics scan on %.8s section...\n", pSHC->Name);
if (pSHC == pSH)
{
    printf("[!] Alert: Entrypoint points to last section (%.8s) -> 0x%.08x\n",
           pSH->Name, pPE->OptionalHeader.AddressOfEntryPoint +
           pPE->OptionalHeader.ImageBase);
    printf("[!] Alert: The file may be infected!\n");
    printf("[+] No deep-scan action was performed\n");
    goto error_mode4;
}
...(snip)...
// --- snip of scanner code ------------------------------------------------
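The following is an added, self-contained example (not code from the original article or its scanner) of the same entry-point heuristic: it walks the section table of a PE32 image, finds the section that contains AddressOfEntryPoint, and flags an entry point that sits in the last section or in a section not marked as code. The header structs are hand-written copies of the PE32 layout so that it builds without <windows.h>, and the two images it checks are constructed in memory (a clean layout and the 0x1000 vs. 0x6000 layout from the figure above) rather than read from real files; the names ep_verdict and build_sample are this example's own.

```c
/* Added example, not code from the original article: a minimal PE32 section walker
 * that locates the section holding AddressOfEntryPoint and applies the entry-point
 * heuristics described above. The structs are hand-written copies of the PE32 header
 * layout so this builds without <windows.h>; the sample image is constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DosHdr;   /* 64 bytes */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;  /* 20 bytes */
typedef struct { uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;                /* leading   */
                 uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;           /* fields of */
                 uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase; } OptHdr32;   /* PE32 opt  */
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                 PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations,
                 NumberOfLinenumbers; uint32_t Characteristics; } SectHdr;                      /* 40 bytes */
#pragma pack(pop)

#define IMAGE_SCN_CNT_CODE    0x00000020u
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
enum { EP_BAD_PE = -1, EP_OK = 0, EP_IN_LAST_SECTION = 1, EP_NOT_IN_CODE = 2, EP_IN_NO_SECTION = 4 };

/* Classifies where the entry point lands: EP_BAD_PE for a malformed image, otherwise a
 * bitmask of EP_* flags (EP_OK when nothing is suspicious). The section table is located
 * via SizeOfOptionalHeader, which also works when the optional header is non-standard. */
int ep_verdict(const uint8_t *img, size_t len, char ep_section[9])
{
    const DosHdr *dos = (const DosHdr *)img;
    if (len < sizeof(DosHdr) || dos->e_magic != 0x5A4D) return EP_BAD_PE;          /* "MZ" */
    size_t pe = dos->e_lfanew;
    if (pe > len || len - pe < 4 + sizeof(FileHdr) || memcmp(img + pe, "PE\0\0", 4) != 0) return EP_BAD_PE;
    const FileHdr *fh = (const FileHdr *)(img + pe + 4);
    if (fh->SizeOfOptionalHeader < sizeof(OptHdr32)) return EP_BAD_PE;
    const OptHdr32 *oh = (const OptHdr32 *)((const uint8_t *)fh + sizeof(FileHdr));
    if (oh->Magic != 0x10B) return EP_BAD_PE;                                      /* PE32 only here */
    size_t sect_off = pe + 4 + sizeof(FileHdr) + fh->SizeOfOptionalHeader;
    unsigned nsec = fh->NumberOfSections;
    if (sect_off > len || (len - sect_off) / sizeof(SectHdr) < nsec) return EP_BAD_PE;
    const SectHdr *sh = (const SectHdr *)(img + sect_off);
    uint32_t ep = oh->AddressOfEntryPoint;
    int verdict = EP_IN_NO_SECTION;
    if (ep_section) ep_section[0] = '\0';
    for (unsigned i = 0; i < nsec; i++) {
        uint32_t lo = sh[i].VirtualAddress, hi = lo + sh[i].VirtualSize;
        if (ep < lo || ep >= hi) continue;
        verdict = EP_OK;
        if (i + 1 == nsec) verdict |= EP_IN_LAST_SECTION;
        if (!(sh[i].Characteristics & IMAGE_SCN_CNT_CODE)) verdict |= EP_NOT_IN_CODE;
        if (ep_section) { memcpy(ep_section, sh[i].Name, 8); ep_section[8] = '\0'; }  /* Name may lack NUL */
        break;
    }
    return verdict;
}

/* Builds a constructed three-section PE32 image (.text/.data/.reloc) with the entry
 * point at entry_rva; returns the image length, or 0 if buf is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    static const struct { const char *name; uint32_t rva, size, flags; } secs[3] = {
        { ".text",  0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000u },
        { ".data",  0x3000, 0x1000, 0x00000040u | 0x40000000u | 0x80000000u },   /* idata, read, write   */
        { ".reloc", 0x6000, 0x0800, 0x00000040u | 0x40000000u | 0x02000000u },   /* idata, read, discard */
    };
    const uint16_t opt_size = 224;                    /* standard PE32 optional header size */
    size_t need = sizeof(DosHdr) + 4 + sizeof(FileHdr) + opt_size + 3 * sizeof(SectHdr);
    if (cap < need) return 0;
    memset(buf, 0, need);
    DosHdr *dos = (DosHdr *)buf;
    dos->e_magic = 0x5A4D; dos->e_lfanew = (uint32_t)sizeof(DosHdr);
    memcpy(buf + dos->e_lfanew, "PE\0\0", 4);
    FileHdr *fh = (FileHdr *)(buf + dos->e_lfanew + 4);
    fh->Machine = 0x14C; fh->NumberOfSections = 3; fh->SizeOfOptionalHeader = opt_size;
    OptHdr32 *oh = (OptHdr32 *)((uint8_t *)fh + sizeof(FileHdr));
    oh->Magic = 0x10B; oh->AddressOfEntryPoint = entry_rva; oh->ImageBase = 0x400000;
    SectHdr *sh = (SectHdr *)((uint8_t *)oh + opt_size);
    for (int i = 0; i < 3; i++) {
        memcpy(sh[i].Name, secs[i].name, strlen(secs[i].name));
        sh[i].VirtualAddress = secs[i].rva; sh[i].VirtualSize = secs[i].size;
        sh[i].Characteristics = secs[i].flags;
    }
    return need;
}

int main(void)
{
    uint8_t img[512]; char name[9];
    size_t n = build_sample(img, sizeof img, 0x1000);        /* clean: EP in .text */
    int v = ep_verdict(img, n, name);
    printf("clean image:    EP in %-8s verdict=%d\n", name, v);
    n = build_sample(img, sizeof img, 0x6000);               /* infected layout: EP in .reloc */
    v = ep_verdict(img, n, name);
    printf("infected image: EP in %-8s verdict=%d%s\n", name, v,
           (v & EP_IN_LAST_SECTION) ? "  [!] Alert: entry point in last section" : "");
    return 0;
}
```

Two details differ from the article's snippet on purpose: the first section header is found by adding SizeOfOptionalHeader rather than sizeof(IMAGE_NT_HEADERS), and every header offset is bounds-checked against the image length before it is dereferenced, so a truncated or deliberately malformed file yields EP_BAD_PE instead of an out-of-bounds read in the scanner.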




The EPO technique was developed precisely to avoid this kind of scanner detection. An entry-point
obscuring virus is one that does not receive control from the host program's entry point directly.
Typically, the virus patches the host program with a jump/call instruction and receives control that
way. While there are many variations of the EPO technique, in this article we will look at one of them
in detail.
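As an added example of the defensive side of this paragraph (this is not code from the article or its scanner), the block below performs the kind of "call/jump request" check the scanner output above refers to: it scans the bytes of a code section for near call (E8) and jmp (E9) instructions and reports those whose rel32 target falls outside the section. The 16-byte .text fragment is constructed for the example, and the function and type names are this example's own.

```c
/* Added example, not code from the original article: a linear scan of a code
 * section for near call (E8) / jmp (E9) instructions whose rel32 target lands
 * outside the section, the kind of "call/jump request" check a scanner applies
 * to the entry-point section. The sample bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t insn_rva, target_rva; } Transfer;

/* code/size: raw bytes of one section; sec_rva: its RVA. Every E8/E9 byte is
 * treated as an opcode, so a byte that is really immediate data can yield a
 * false positive; a production scanner disassembles instead of scanning bytes.
 * Returns the number of out-of-section transfers; the first `max` are stored. */
size_t find_out_of_section_transfers(const uint8_t *code, size_t size, uint32_t sec_rva,
                                     Transfer *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i + 5 <= size; i++) {
        if (code[i] != 0xE8 && code[i] != 0xE9) continue;
        uint32_t rel = (uint32_t)code[i + 1] | (uint32_t)code[i + 2] << 8 |
                       (uint32_t)code[i + 3] << 16 | (uint32_t)code[i + 4] << 24;
        uint32_t target = sec_rva + (uint32_t)i + 5 + rel;   /* rel32 is relative to the next instruction */
        if (target >= sec_rva && target < sec_rva + size) continue;   /* stays inside the section */
        if (found < max) { out[found].insn_rva = sec_rva + (uint32_t)i; out[found].target_rva = target; }
        found++;
    }
    return found;
}

/* Constructed 16-byte .text fragment at RVA 0x1000: push ebp; mov ebp,esp;
 * call 0x100D (inside the section); jmp 0x6000 (into a .reloc-like section); nop; nop; ret */
static const uint8_t sample_text[16] = {
    0x55, 0x8B, 0xEC,
    0xE8, 0x05, 0x00, 0x00, 0x00,
    0xE9, 0xF3, 0x4F, 0x00, 0x00,
    0x90, 0x90, 0xC3 };

int main(void)
{
    Transfer hits[8];
    size_t n = find_out_of_section_transfers(sample_text, sizeof sample_text, 0x1000, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("[!] Alert: transfer at RVA 0x%08x targets 0x%08x outside the section\n",
               (unsigned)hits[i].insn_rva, (unsigned)hits[i].target_rva);
    return 0;
}
```

On the sample the call to 0x100D is ignored and only the jmp at 0x1008, whose target 0x6000 lies beyond the section, is reported. A transfer out of the code section is a heuristic signal, not proof of infection: compilers emit legitimate calls into import thunks and other sections, so a scanner would combine this with the entry-point checks and with knowledge of where the target actually lands.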
