Chapter 20: Method of Capturing Control

Successfully inserting its body into a file is only half of a virus's job: to run at all, it must also capture control. There are at least three ways of achieving this goal.

Correction of the Entry Point

The classical method, actively used even in the era of MS-DOS, is correction of the entry point, one of the fields in the ELF, COFF, or a.out headers of the files to be infected. In ELF headers this role is played by the e_entry field; in a.out the a_entry field carries out the same task. Both fields contain the virtual address (not an offset counted from the start of the file) of the machine instruction to which control is to be passed when the program starts.

When inserting its body into the file, the virus memorizes the address of the original entry point and rewrites the field so that it points into its own body. Having accomplished all planned actions, the virus returns control to the carrier program by jumping to the saved original entry point. Although this technique seems flawless at first glance, it has a serious drawback: it makes the virus quick to detect.

First, in most normal files the entry point points to the beginning of the code section. Inserting code there is hard, and every known method of insertion risks irreversibly damaging the executable and rendering it unusable. An entry point that lies outside the .text section is therefore a clear indication of infection.
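The two sides of the header manipulation described above, the rewrite of e_entry and the check that flags an entry point lying outside .text, as an added example that is not code from the book. It parses the ELF64 header and section table directly with struct so it runs offline; the sample image it builds (a 64-byte header, a 16-byte placeholder .text at virtual address 0x401040, a .shstrtab, and three section headers) is constructed here and is not a real binary. Only the e_entry field is rewritten; nothing is inserted into the file. The function names (parse_ehdr, audit_entry_point, patch_entry_point, build_sample_elf) are this example's own.

```python
"""Audit an ELF64 file's entry point against its .text section.

Heuristic from the chapter: e_entry normally points into .text, so an entry
point outside that section is a strong sign that the header was rewritten to
seize control.  Sample images are constructed in memory, not real binaries.
"""
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"          # Elf64_Ehdr, little-endian
SHDR_FMT = "<IIQQQQIIQQ"               # Elf64_Shdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64
SHDR_SIZE = struct.calcsize(SHDR_FMT)  # 64
E_ENTRY_OFFSET = 24                    # e_ident(16) + e_type(2) + e_machine(2) + e_version(4)


def parse_ehdr(data):
    """Return the header fields needed below, validating magic, class and byte order."""
    if len(data) < EHDR_SIZE:
        raise ValueError("file shorter than an ELF header")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    ident = fields[0]
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    return {"e_entry": fields[4], "e_shoff": fields[6], "e_shentsize": fields[11],
            "e_shnum": fields[12], "e_shstrndx": fields[13]}


def read_cstring(data, offset):
    """Read a NUL-terminated name from the section string table."""
    end = data.index(b"\0", offset)
    return data[offset:end].decode("ascii", "replace")


def section_headers(data, ehdr):
    """Return (name, sh_addr, sh_size) for every entry in the section header table."""
    shdrs = [struct.unpack_from(SHDR_FMT, data, ehdr["e_shoff"] + i * ehdr["e_shentsize"])
             for i in range(ehdr["e_shnum"])]
    if not shdrs:
        return []
    strtab_off = shdrs[ehdr["e_shstrndx"]][4]      # sh_offset of .shstrtab
    return [(read_cstring(data, strtab_off + sh[0]), sh[3], sh[5]) for sh in shdrs]


def audit_entry_point(data):
    """Compare e_entry with the virtual address range covered by .text."""
    ehdr = parse_ehdr(data)
    entry = ehdr["e_entry"]
    for name, addr, size in section_headers(data, ehdr):
        if name == ".text":
            return {"entry": entry, "text_start": addr, "text_end": addr + size,
                    "inside_text": addr <= entry < addr + size}
    # No .text section at all: treat as suspicious rather than silently passing.
    return {"entry": entry, "text_start": None, "text_end": None, "inside_text": False}


def patch_entry_point(data, new_entry):
    """The header change the chapter describes: save the original e_entry, then
    overwrite the field.  Returns (patched_image, original_entry)."""
    original = struct.unpack_from("<Q", data, E_ENTRY_OFFSET)[0]
    patched = bytearray(data)
    struct.pack_into("<Q", patched, E_ENTRY_OFFSET, new_entry)
    return bytes(patched), original


def build_sample_elf(entry, text_vaddr=0x401040, text_size=16):
    """Constructed minimal ELF64 image: header, .text, .shstrtab, 3 section headers."""
    text = b"\xc3" * text_size                      # placeholder code bytes (ret)
    shstrtab = b"\0.text\0.shstrtab\0"              # name offsets: .text=1, .shstrtab=7
    text_off = EHDR_SIZE
    str_off = text_off + text_size
    sh_off = (str_off + len(shstrtab) + 7) & ~7     # 8-byte align the section table
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 0x3e, 1, entry, 0, sh_off, 0,
                       EHDR_SIZE, 56, 0, SHDR_SIZE, 3, 2)
    null_sh = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = struct.pack(SHDR_FMT, 1, 1, 0x6, text_vaddr, text_off, text_size, 0, 0, 16, 0)
    str_sh = struct.pack(SHDR_FMT, 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + text + shstrtab
    body += b"\0" * (sh_off - len(body))
    return body + null_sh + text_sh + str_sh


if __name__ == "__main__":
    clean = build_sample_elf(0x401040)
    infected, saved = patch_entry_point(clean, 0x401200)
    print("clean   :", audit_entry_point(clean))
    print("infected:", audit_entry_point(infected), "saved original", hex(saved))
```

Running the script shows the clean image's entry point inside .text and the patched image's entry point outside it, which is exactly the condition the text names as a telltale sign. Against a real file, read the bytes from disk and pass them to audit_entry_point; the same check generalizes to any executable section by comparing e_entry with each SHF_EXECINSTR section rather than only the one named .text.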

Second, analysis of any suspicious file starts in the neighborhood of the entry point (and often ends there as well); therefore, whichever method was used for insertion, the virus code attracts the investigator's attention immediately.

Third, the entry point is an object to which legions of disk scanners, detectors, managers, and other antiviral tools pay vigilant attention.

Thus, using the entry point to capture control is a primitive approach that most virus writers consider outright disgraceful. Contemporary viruses master other techniques of infection, and only a naive beginner would rely on analysis of the entry point alone (which is how rumors about elusive and imperceptible viruses are born).



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164