append the viral body to the host and change the code entry pointers so that the viral code is executed first and control is then passed back to the original host, allowing the file to run normally. Therefore, the virus in question needs to open the host, locate the correct section for viral code injection and finally append its code by executing an NtWriteFile system call:
Table 5. Virus injects its code into the host
This set of calls, besides being the last sequence in replication, also forms the final block of the GSR Pyramid, called the Code Injection Block. It inherits its input parameters from its first system call, NtCreateFile, while the outputs of NtWriteFile become its output arguments. These four blocks form the final structure, the Gene of Self Replication:
[Figure: pyramid of the replication blocks, listed top to bottom as Replication, Memory Mapping Block, Code Injection Block, File Access Block, Host Search Block]
Fig. 5. Final replication behavior structure of a virus
The graph below shows the replication timeline, along with the system calls related to replication, for the Xanax worm. Two replication attempts are visible, one of which was successful, reaching the top of the pyramid: the replication point.
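The block matching and "replication point" check described above, run over a constructed NT system-call trace, as an added example that is not code from the original text or its authors. The text itself only names the calls of the Code Injection Block (NtCreateFile opening the block, NtWriteFile closing it) and the rule that a block inherits the inputs of its first call and emits the outputs of its last; the trace line format, the calls assigned here to the Host Search, File Access and Memory Mapping blocks, the handle/section values used to link a block's first and last call, and the check that the written host is the file the search block found are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed trace format (assumption for this example, not the paper's own):
#   "<seq> <Nt-call> in1=v1 in2=v2 -> out1=v1"   (text after "->" lists the call's outputs)
LINE_RE = re.compile(r"^(\d+)\s+(Nt\w+)\s*(.*)$")


@dataclass
class Call:
    seq: int
    name: str
    inputs: Dict[str, str]
    outputs: Dict[str, str]


def _kv(text: str) -> Dict[str, str]:
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate non-trace lines
        ins, _, outs = m.group(3).partition("->")
        calls.append(Call(int(m.group(1)), m.group(2), _kv(ins), _kv(outs)))
    return calls


@dataclass
class Block:
    label: str
    first: str              # call that opens the block; its inputs become the block's inputs
    last: str               # call that closes the block; its outputs become the block's outputs
    link: Tuple[str, str]   # (output key of `first`, input key of `last`) that must carry one value


# Only the Code Injection Block's calls come from the text; the other three are assumptions.
BLOCKS = [
    Block("Host Search Block", "NtOpenFile", "NtQueryDirectoryFile", ("handle", "handle")),
    Block("File Access Block", "NtCreateFile", "NtQueryInformationFile", ("handle", "handle")),
    Block("Memory Mapping Block", "NtCreateSection", "NtMapViewOfSection", ("section", "section")),
    Block("Code Injection Block", "NtCreateFile", "NtWriteFile", ("handle", "handle")),
]


@dataclass
class BlockMatch:
    label: str
    start: int
    end: int
    inputs: Dict[str, str]
    outputs: Dict[str, str]


def match_block(block: Block, calls: List[Call]) -> Optional[BlockMatch]:
    """Earliest (first, last) pair where the link value flows from first's output to last's input."""
    out_key, in_key = block.link
    for opener in calls:
        if opener.name != block.first or out_key not in opener.outputs:
            continue  # e.g. a failed open that produced no handle cannot open a block
        for closer in calls:
            if (closer.seq > opener.seq and closer.name == block.last
                    and closer.inputs.get(in_key) == opener.outputs[out_key]):
                return BlockMatch(block.label, opener.seq, closer.seq, opener.inputs, closer.outputs)
    return None


def replication_point(calls: List[Call]) -> dict:
    """Report the GSR blocks seen and whether the top of the pyramid (replication) was reached."""
    found = {b.label: match_block(b, calls) for b in BLOCKS}
    inj = found["Code Injection Block"]
    others = [m for k, m in found.items() if k != "Code Injection Block"]
    complete = inj is not None and all(others)
    # Code injection is the last sequence in replication, so every other block must close first.
    ordered = complete and all(m.end < inj.end for m in others)
    # Assumed data flow: the host the search block returned is the file the injection block wrote.
    host = inj.inputs.get("path", "") if inj else ""
    search = found["Host Search Block"]
    linked = bool(search) and bool(search.outputs.get("result")) and host.endswith(search.outputs["result"])
    replicated = bool(complete and ordered and linked)
    return {"blocks": [k for k, m in found.items() if m], "replicated": replicated,
            "host": host if replicated else None}


# Constructed traces: a replicating sample (with one failed open) and a benign editor saving a file.
VIRAL_TRACE = r"""
1 NtOpenFile path=C:\Programs -> handle=0x30
2 NtQueryDirectoryFile handle=0x30 -> result=app.exe
3 NtClose handle=0x30
4 NtCreateFile path=C:\Programs\app.exe access=READ|WRITE -> status=SHARING_VIOLATION
5 NtCreateFile path=C:\Programs\app.exe access=READ|WRITE -> handle=0x44
6 NtQueryInformationFile handle=0x44 -> size=40960
7 NtCreateSection file=0x44 -> section=0x50
8 NtMapViewOfSection section=0x50 -> base=0x7f0000
9 NtUnmapViewOfSection base=0x7f0000
10 NtWriteFile handle=0x44 offset=40960 length=2048 -> written=2048
11 NtClose handle=0x44
"""
BENIGN_TRACE = r"""
1 NtCreateFile path=C:\Users\me\notes.txt access=WRITE -> handle=0x10
2 NtWriteFile handle=0x10 offset=0 length=120 -> written=120
3 NtClose handle=0x10
"""

if __name__ == "__main__":
    for name, trace in (("viral", VIRAL_TRACE), ("benign", BENIGN_TRACE)):
        print(name, replication_point(parse_trace(trace)))
```

The benign trace still yields a Code Injection Block on its own (any program that opens a file and writes to it does), which is why the decision is made only at the top of the pyramid: all four blocks present, code injection closing last, and the written file linked back to the host the search block produced.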