VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum


Virus Writing Bulletin [1]
January 2011

[Back to index] [Comments]

When for the first time I heard that LUA script files could use functions from DLL files, I thought how to infect them. First, I created a virus that could infect LUA script files to make it load the DLL of the virus. It was W32.Luna, but it was very simple thing, since the only that it does it to trick LUA.

However, the DLLs that do export functions for the script files to use are a little bit more complicated than mine. ;) They are often known as LUA C Libs.

Those DLLs contain an export that is "openlib_MODULENAME" being MODULENAME the DLL's name (however, this not always true). It is usually the first export (ordinal 1, and this is not always true, too). This function registers a structure (like an export table) that contains a serie of pointers to names and functions - that LUA script files use.

Export Table, looks like this:

	DWORD offset FunctionName
	DWORD offset FunctionAddress

Finding ET

Unfortunately, there is no address in the image structures for the exports, so we need to parse the code for that. But this is very easy. The registration of the export table happens (usually) when the first export (openlib_MODULENAME) is called. To get it, we must first find a call to an API from LUA 5.1: luaL_openlib. I believe the are some other APIs, too.

But here is a declaration for that API:

	in DWORD p1 //state
	in DWORD p2 //library name
	in DWORD p3 //export table address
	in DWORD p4 //up values

The parameter we want to get is p3, obviously. ;) Then you change the address in the export table to point to virus code and that is all.

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka