wrez infection engine
features
========
basic features
--------------
- fully PIC (position-independent) code, usable as shellcode, too
- no size restriction on virus code (though < ~20kb is good, see
below)
- completely modular featureset, most of the code is optional and
can be turned on/off through a simple comment in the Makefile
- small size: compressed between 2000 and 6000 bytes
- fast infection (~30 binaries per second)
advanced features
-----------------
anti-debugging
- strace and ltrace in-memory detection
- gdb stealthing, displaying its own memory as "not mapped"
- (disabled by default) ptrace-detection
anti-virus-detection
- polymorphic decryptor engine (LiME by zhugejin)
runtime-related
- cleanup code, leaving only very small memory footprint
- compression engine, crunching the virus down to roughly 60% of the
original size. the original virus should be smaller than 20kb for
the decompressor to work properly.
- SIGSEGV/SIGILL catching protection around 90% of the virus code.
even in case the virus segfaults, it's possible to recover to a sane
state in 99% of the cases.
infection-related
- activation through .ctors redirection at machine-code level, still
leaving the original .ctors section untouched and chaining it
- sections/section header table relocation on infection
- advanced user-uid infection, locating running processes and their
binaries
- ability to infect binaries of running processes (avoiding ETXTBUSY)
- best-effort stat preservation when infecting ([cma]time, mode,
owner). access time (atime) is only preserved when running as root
api functionality
- call api to any mapped library function (libc and others)
- call, hook, chain, modify GOT entries of your host executable or
any mapped library (i.e. any GOT table). ability to watch and
redirect multiple GOT entries across multiple shared libraries
at once, watching and re-redirecting them when lazy binding is used.
- host fingerprint functionality, change-detection
known weaknesses
================
- not strip-safe