451

Battle for Peace It was a dark October evening, the lights of the industrial part had already gone out, and only all that could be seen in this dark area was a quick movement of shadows, merging either into a general picture, or bursting into pieces like a broken bottle. ... He fell into a ditch, clinging to some kind of iron pipe. At the same moment, a blue misty beam hung overhead and in the distance a dull fall of something massive was heard from the side where the shooter was apparently aiming. Probably the beam hit a piece of a house that was already burned and badly destroyed ... The man got up and ran on, now he could be seen: sme...

Inspector v 1.666 "... A long pause - and the surviving two phone. A relay has closed somewhere. Two telephone the voices connected directly to each other. Hello, Barton? Yes, Barton? - I'm twenty-four. - I'm twenty-six. We are both young. What's wrong? - I do not know. Listen..." (c) Bradbury R. "Night Call" That's all over. It turned out something that combines permutation and encryption, and, well, a utility for encrypting PE files. But is it over? And will it ever end? Probably not, and it pleases ... Inspector As already mentioned, inpector is a utility for encrypting PE files, as a key for encryption / decryption...

The DEE engine is a variation on the UEP theme. This technology involves "cutting" some command into a random place in the program code, usually jumping to the body of the virus. This technique makes it possible to claim that the virus is incurable, but in reality it can only complicate its detection. Suppose that UEP implements the replacement of a command at a random address in the program with something else - replacing it with jmp / call in a virus), but it is necessary that the length of the "embedded" command be less than or equal to the original one, because otherwise, the “embedded” command can ruin the one that follows it. Fi...

When we talk about permutation, we usually mention the permuting/mutating engine. This is our goal. With permutation, the appearance of the code changes and its analysis is also difficult. After disassembling, the source code becomes almost unreadable. The permutation engine must somehow know about the type of code being permuted. Without this information, it is impossible to correctly change the code. The options for providing this information can be different: a table of commands (here, you can represent commands abstractly and make a table of command replacements when mutated), then you need to describe a table element for each com...

LDIZX v 1.01 The disassembler is an example of what is not easy to write right away. In the process of working with it, new needs for something appear that were not relevant yesterday, and you have to modify the disassembler for your needs again. Tomorrow, you may need an even more flexible system - and history will repeat again. As you can understand, LDIZX is a disassembly engine and is the product of such a lack of demand. Main characteristics: Sufficiently complete information obtained at the output for the analysis / assembly of the command. Use as just a length disassembler Contains no data/absolute offsets Used universal C...

DTRASH v 1.00 Data-Trash Generator DTRASH is a garbage generator using data. The principle of its operation is such that it receives a list of addresses that can be used, flags, a buffer, etc. as input, and at the output there is a command in the buffer and its length. In total, the engine is capable of generating about 30-40 commands of various opcodes, except for modifications of the same commands like rcl reg,1 and rcl reg,im. In addition to memory accesses, common registers and operands are used. Main procedure (C call is used here): DWORD Dtrash( VOID* DataTable, // pointer to addresses DWORD DataCnt, // their number...

Use of data in viruses GETD v 1.0 Recently, the development of permutation has achieved quite a lot of success. Today you can easily "disassemble" the code of a virus / program into something similar to the source code, although in a form that is more pleasant for processing. Then, you can modify it by mutating, introducing garbage, generating false branches, shuffling the code, and other tricks. After that, the "source" is assembled again and the resulting code has a completely different signature. From the point of view of a heuristic antivirus that determines whether a certain code belongs to a certain permutator (engine), it is i...

Introduction to the magazine Here is a magazine dedicated to virus technologies, viruses and what somehow correlates to it or has a perspective character. Today there is such a trend - to publish magazines- , and all of them seem to be different, with different long names, meanings and viewers. Sit and think about Danilov, he gave the go-ahead for the copyright, and it was decided to release the Journal. The name of the magazine is due to the book by Ray Bradbury "451 Fahrenheit", this, for references, is paper burning temperature, i.e. at this temperature it's a log and burn ;) Basically, the magazine describes some engines, and the...