Infects only 32bit PE files (I'm working on a solution to make it works also with 64bit PE)
●High ratio of success
●Stealthly
●Clean code
The virus will create in memory a map of the host (PE), after that he will start to analyze it.
If he finds that the host is already infected, he will stop the infection.
Will abort the infection also if he finds that the host has ASLR/DEP enabled and can't disable one of it, if is a .NET PE, if is a DLL PE, if the host has a TLS callback active, if has a Digital Signature and if is packed with UPX.
After all of this checks he start to iterate all the sections in the PE, and when he find a code cave (in this context a code cave is a sequence of null bytes (0x00)) large as the shellcode + 2 bytes he will place the shellcode in the codecave.
If everything is fine, he will update the OEP (Original Entry Point) of the host to redirect the "starting code" to the offset where the shellcode was placed.
When the shellcode has finished, the virus will redirect the "program code" to the real OEP of the host, so the user will think that everything is ok.
The virus will infect the AES Protect PE with the WinExec_Calc_x86.asm shellcode, which when launched will first execute calc.exe
GIFV Demonstration
I want to say thanks to those people who have written detailed articles about the PE file structure and about PE infection technique.
Matt Pietrek for the super detailed 'Peering Inside the PE: A Tour of the Win32 Portable Executable File Format' article.
KOrUPt for the beautiful 'Detailed Guide To Pe Infection' article.
dtm for this clear PoC 'PE File Infection' article
If you can help me to fix the 64bit infection part, feel free to contact me.
(mutu.adi.marian@gmail.com)
See the LICENSE file for details