Insertion of the Virus Code Near the Entry Point

Most viruses do not change the entry point; instead, they write at that address an instruction that jumps to the virus body, having first saved the original contents. Despite its seeming elegance, this algorithm is capricious and difficult to implement. First, to save the original machine instruction located at the entry point, the virus must determine its length, which is impossible without a built-in disassembler.

Most viruses limit themselves to saving the first 16 bytes (the maximum possible length of a machine instruction on the Intel platform) and restoring them at run time, which means getting around the prohibition on modifying the code segment. Some viruses assign the write attribute to the code segment, making it writable (if the section attributes are left untouched, the code segment can still be modified; however, IDA Pro won't tell you about it, because it is unable to work with segment attributes). Other viruses use the mprotect function to change page attributes on the fly. However, both methods are too noticeable, even before taking into account the jmp instruction that passes control to the virus body, which immediately attracts attention.
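The two traits just described, a code segment made writable and a control transfer at the entry point that leads out of the segment it sits in, can be checked statically. The following is an added example, not code from the book: it parses a minimal ELF64 image, decodes only jmp rel32, call rel32 and jmp rel8 at the entry point, and the builder constructs a sample file with a hypothetical second RWX segment at 0x500000 standing in for an appended virus body.

```python
import struct
PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4

def parse_elf64(data):
    """Return (e_entry, [(p_type, p_flags, p_offset, p_vaddr, p_filesz), ...]) of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # ELFCLASS64 only
        raise ValueError("not an ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_off, p_vaddr, p_filesz))
    return e_entry, phdrs

def segment_for(vaddr, phdrs):
    """PT_LOAD segment whose file-backed range contains vaddr, or None."""
    return next((ph for ph in phdrs if ph[0] == PT_LOAD and ph[3] <= vaddr < ph[3] + ph[4]), None)

def check_entry_point(data):
    """List the suspicious traits the text describes; an empty list means nothing was found."""
    e_entry, phdrs = parse_elf64(data)
    seg = segment_for(e_entry, phdrs)
    if seg is None:
        return ["entry point lies outside every PT_LOAD segment"]
    findings = []
    if seg[1] & PF_W:                               # code segment made writable
        findings.append("segment holding the entry point is writable (PF_W)")
    code = data[seg[2] + (e_entry - seg[3]):][:16]  # the 16 bytes the text mentions
    if code[0] in (0xE9, 0xE8):                     # jmp rel32 / call rel32
        target = e_entry + 5 + struct.unpack_from("<i", code, 1)[0]
        kind = "call" if code[0] == 0xE8 else "jmp"
    elif code[0] == 0xEB:                           # jmp rel8
        target, kind = e_entry + 2 + struct.unpack_from("<b", code, 1)[0], "jmp"
    else:
        return findings                             # not a control transfer; nothing more to say
    if segment_for(target, phdrs) != seg:
        findings.append(f"{kind} at entry point leaves its segment, target {target:#x}")
    return findings

def build_sample(entry_code, code_flags=PF_R | PF_X):
    """Constructed ELF64: code segment at 0x400000 (entry 0x400200) plus a hypothetical RWX segment at 0x500000."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400200, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph1 = struct.pack("<IIQQQQQQ", PT_LOAD, code_flags, 0, 0x400000, 0x400000, 0x400, 0x400, 0x1000)
    ph2 = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_W | PF_X, 0x400, 0x500000, 0x500000, 0x100, 0x100, 0x1000)
    img = bytearray(0x500)
    img[:176], img[0x200:0x200 + len(entry_code)] = ehdr + ph1 + ph2, entry_code
    return bytes(img)
```

A jmp that stays inside the code segment (a normal start-up stub) produces no finding; only a transfer into another segment, or a PF_W flag on the code segment, is reported.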

More advanced viruses scan the start-up procedure of the file to be infected, searching for call or jmp instructions. Having found such an instruction, the virus replaces the called address with the address of its body. Despite its seeming elusiveness, it is not difficult to detect such a method of capturing control. First, the virus, in contrast to legitimately called functions, doesn't use the arguments passed to it through the stack. It has no knowledge of their number or even their presence (automatic analysis of the number of passed arguments is unimaginable without integrating a fully-featured disassembler into the virus, which, in addition, would have to be equipped with a powerful analyzer). The virus carefully saves all the modified registers, being aware that functions might use an unknown calling convention that passes arguments via registers. The main issue is that when passing control to the original function, the virus must either remove the return address from the top of the stack (otherwise, there will be two return addresses there) or call the original function using the jmp command instead of call. For normal programs written in high-level programming languages, both methods are atypical, and because of this the virus's presence is immediately revealed.

Viruses that capture control at an arbitrary point of the program (often far from the entry point) are more difficult to detect, because the investigator must analyze large fragments of code that are not known beforehand. At the same time, the risk that the given branch of the program will never gain control grows rapidly with the distance from the entry point. Therefore, as far as I know, most viruses never go beyond the first ret instruction they encounter.

Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164
