======================================================================
          Billy Belcebu Virus Writing Guide 1.00 for Win32
======================================================================
----------------------------------------------------------------------
 Disclaimer
----------------------------------------------------------------------
The author of this document isn't responsible for any kind of damage that
could be done through the bad use of this information. The objective of this
tutorial is to teach people how to create, and defend against the attack of,
a lame YAM virus :) This tute is for educational purposes only. So, lawyers,
i don't give a shit if a lamer takes this information and makes destructive
viruses. And if anywhere in this document you see that i encourage you to
destroy or corrupt data, go directly to buy glasses.
----------------------------------------------------------------------
 Presentations
----------------------------------------------------------------------
Hello dear comrades,

Do you remember the Billy Belcebu Virus Writing Guide? That was a big tute
about the nowadays obsolete MS-DOS viruses. There i explained step by step
many of the best-known viral techniques for DOS, and it was written to teach
beginners and make them as little lame as possible. Well, here i am again,
writing another (i hope) cool tutorial, but this time i'll speak about the
new threat to the computers of today, Win32 viruses, and of course all the
things related to that matter. I saw the lack of complete tutorials, so i
asked myself... why don't i write a tutorial about this? And here i am
again :) The real pioneer in Win32 viruses was the VLAD group, and the
pioneer of making tutorials the way i like was Lord Julus. But i won't
forget a guy who wrote interesting tutes and released them before Lord
Julus'; of course i'm talking about JHB. Interesting techniques were
researched by Murkry, and later also by Jacky Qwerty... I hope i'm not
forgetting anyone important in the (short) history of Win32 virus coding.
Take note that i don't forget the roots of all this. As in my Virus Writing
Guide series, i have to thank some music groups, such as Blind Guardian,
HammerFall, Stratovarius, Rhapsody, Marilyn Manson, Iron Maiden, Metallica,
Iced Earth, RAMMS+EIN, Mago De Oz, Avalanch, Fear Factory, Korn, Hamlet and
Def Con Dos. All those thingies make the perfect atmosphere for writing
huge tutes and code.

Heh, many changes happened to the typical structure of my guides: now i put
in an index, and almost all the code presented is mine, or based on
another's but adapted by me, or, a very little percentage, simply
ripped ;) Just kidding. But hey, i tried to solve all the things i know i
fucked up in my VWGs for the now completely extinct MS-DOS (RIP).

I must greet Super/29A, who helped me with some aspects of this guide; he
has been one of my beta-testers, and he has contributed some things to this
project.

NOTE: English ain't my first language (it's Spanish), so excuse me for all
the misspellings i made (a lot of them), and notify me of them for later
updates of this document. I've included some documents already released
independently in some VX magazines, but it's worth reading them because i
fixed and spell-checked them, and also i've added some more additional
information. And remember: versions 1.00 are never perfect, so notify me of
the possible mistakes in this doc for further updates (i'll place the nick
of the guy who points out a bug to me in this same doc, with a greet).
--- Contact me (but not to ask bullshit, i don't usually have time)
- E-mail: billy_belcebu@mixmail.com
- Personal web page: http://members.xoom.com/billy_bel
                     http://www.cryogen.com/billy_belcebu

Sweet dreams are made of this...

(c) 1999 Billy Belcebu/iKX
----------------------------------------------------------------------
 Index
----------------------------------------------------------------------
Somebody (hi Qozah!) told me, while he read a beta of this tute, that it
was a bit chaotic, as it was very easy to get lost between chapters. I've
tried to reorganize all this a bit; anyway, i'm still chaotic, and so are
my tutes :)
01. Disclaimer
02. Presentations
03. Index
04. Useful things for virus coding
05. A brief introduction
06. The PE header
07. Ring-3, coding in the user level
08. Ring-0, coding in the god level
09. Per-Process residency
10. Win32 optimization
11. Win32 antidebugging
12. Win32 polymorphism
13. Advanced Win32 techniques
14. Appendix 1: Payloads
15. Appendix 2: About the author
16. Last Words
----------------------------------------------------------------------
 Useful things for virus coding
----------------------------------------------------------------------
You need some things before you start writing virii. Here you have the
programs i recommend (if you haven't enough money to buy them...
DOWNLOAD!) :)

- Windows 95 or Windows NT or Windows 98 or Windows 3.x + Win32s :)
- The TASM 5.0 package (which includes TASM32 and TLINK32)
- SoftICE 3.23+ (or better) for Win9X, and for WinNT.
- The API list (Win32.HLP)
- Windows95 DDK, Windows98 DDK, Windows2000 DDK... ie, all M$ DDKs and SDKs.
- Strongly recommended: Matt Pietrek's document about the PE header.
- Jacky Qwerty's PEWRSEC tool (depending on whether you put code in '.code').
- Some hash... oh, shit! It's what i want! :)
- Some e-zines like 29A (#2, #3), Xine (#2, #3, #4), VLAD (#6), DDT (#1)...
- Some Windows viruses, like Win32.Cabanas, Win95.Padania, Win32.Legacy...
- Some Windoze heuristic AV (NODICE32 recommended) -> www.eset.sk
- Neuromancer, by William Gibson; it's the holy book.
- This guide, of course!

I hope i'm not forgetting anything important.
----------------------------------------------------------------------
 A brief explanation
----------------------------------------------------------------------
Well, begin by erasing from your head the concept of 16 bit MS-DOS coding:
the charming 16 bit offsets, the interrupts, the ways of going resident...
all this stuff that we have been using for a lot of years is of no use
nowadays. Yes, it isn't useful now. In this document, when i'm talking
about Win32, i mean Windows 95 (normal, OSR1, OSR2), Windows 98, Windows NT
or Windows 3.x + Win32s. The most dramatic change, at least in my humble
viewpoint, is the replacement of interrupts by APIs, followed by the change
from 16 bit registers and offsets to 32 bit ones. Well, Windows opens the
door to using another language instead of ASM (such as C), but