Chapter 22: Simplest Windows NT Virus


Overview

Inserting a virus into an executable file is an intricate and tedious process. At the very least, it requires studying the PE file format and mastering several dozen API functions; a beginner working this way will not produce anything usable for months. Is there a shortcut? There is. NTFS, the native file system of Windows NT and the default one under Windows XP, supports alternate data streams (ADS; not to be confused with NTFS extended attributes, which are a separate mechanism). A single file can contain several independent data streams (Fig. 22.1).

Figure 22.1: NTFS supports several streams within a file

The stream name is separated from the file name by a colon, for example my_file:stream. The main body of the file is stored in the unnamed stream; additional named streams can be created alongside it. Start FAR Manager, press <Shift>+<F4>, enter a file name together with a stream name (for example, xxx:yyy), and type some text into the editor. Exit the editor and you will see a file named xxx with zero length. Why? Where did the text go? Press <F4> and you will see nothing. Everything is correct: when no stream name is given, the file system shows the main stream, and here the main stream is empty. The sizes of the other streams are not reported, and to reach their contents the stream name must be specified explicitly. Enter more < xxx:yyy at the command prompt, and the text you typed appears.
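The same experiment done from PowerShell rather than FAR Manager, as an added example that is not part of the book: it creates the file xxx with an empty main stream, writes text into the named stream yyy, shows that the reported file size stays at zero, enumerates and reads the streams, and finally scans a directory tree for files carrying streams other than the main one. It assumes an NTFS volume and PowerShell 3.0 or later; the file and stream names come from the text above, the temporary directory is our own choice.

```powershell
# Added example, not from the book. Requires NTFS and PowerShell 3.0+.
# File name xxx and stream name yyy are the ones used in the chapter text;
# the working directory under $env:TEMP is an assumption of this example.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'xxx'

# 1. Create the file; its main (unnamed) stream is empty.
New-Item -ItemType File -Path $file -Force | Out-Null

# 2. Write text into a named stream. CreateFile accepts the file:stream
#    syntax ('xxx:yyy'), -Stream is PowerShell's explicit form of the same.
Set-Content -Path $file -Stream 'yyy' -Value 'text that lives in stream yyy'

# 3. The size reported by dir, Explorer and Get-ChildItem is the length of
#    the main stream only, so the file still shows as zero bytes.
(Get-Item -Path $file).Length

# 4. Enumerate every stream; the main stream is listed as ':$DATA'.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# 5. Read the named stream back. From cmd.exe the equivalent is
#    more < xxx:yyy, as in the text.
Get-Content -Path $file -Stream 'yyy'

# 6. The check a defender runs: list files in a tree that carry streams
#    other than the main one (Zone.Identifier is the common benign case,
#    added by browsers to downloaded files, so it is excluded here).
Get-ChildItem -Path $dir -Recurse -File | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream *
} | Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# 7. Remove the named stream; the file itself stays.
Remove-Item -Path $file -Stream 'yyy'
```

Two caveats for anyone relying on the "will not be noticed" property the chapter is about to build on: the enumeration in step 6, cmd.exe's dir /R and the Sysinternals streams tool all list named streams, and antivirus engines scan them; and a named stream survives only on NTFS, so copying the file to FAT or exFAT media or sending it through a transfer that does not carry streams silently drops it.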

Because adding a stream does not change the apparent size of the file, a virus stored in an additional stream will probably go unnoticed. To pass control to that stream, however, the main stream has to be modified, so the file's checksum inevitably changes, and antivirus monitors will not like that. The problem of checksums and antivirus monitors is covered later in this chapter; for the moment, concentrate on the insertion strategy.



Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164
