Details Emerge on the First Windows Mobile Virus (Part 3 of 3)
In this article I'll try to explain how I, Ratter, proceeded while creating Dust, the first Pocket PC virus, including which techniques and utilities I used. I'll also include annotated source code. Following the description, I'll cover which problems I faced when moving from Win32 to WinCE, and present my theories about future directions in Pocket PC viruses.
To completely understand the source code in this article, you'll need to know at least the basics of ARM instructions; start with Seth Fogie's article "Embedded Reverse Engineering: Cracking Mobile Binaries" (PDF). At the end of that document, advanced ARM topics are also explained. In addition, a basic knowledge of the portable executable format will help. You can download the utilities that you'll need to convert the source code to its executable form.
First, we'll cut everything between these two labels:
** virus_source **
** virus_source_end **
Then we'll paste that code to a new file called wince_dust.asm. For compiling, we'll use armasm (the Microsoft macro assembler for ARM) and the WinCE-aware version of Microsoft link. Both these utilities can be found here and we'll use them as follows:
armasm wince_dust.asm
link /MACHINE:ARM /SUBSYSTEM:WINDOWSCE wince_dust.obj
After these steps, the executable file wince_dust.exe is created, which can be transferred to the PDA and tested. The virus infects all suitable PE .exe files in the root directory (My device) of the device. Before the infection itself, the virus asks for permission (see Figure 1).
Figure 1 WinCE4.Dust asking user permission to spread.
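As an added, defender-side example that is not part of Ratter's article or the Dust source: a Python parser that reads just enough of a PE header to tell whether a file is the kind of image the build above produces and the virus goes looking for (Machine = ARM, Subsystem = Windows CE, an .exe rather than a DLL), which is what a responder inventorying a device's root directory would want. The three sample headers are constructed inline; the constant names follow the Windows SDK, the function names are mine.

```python
import struct

IMAGE_FILE_MACHINE_ARM = 0x01C0           # ARM little-endian, what /MACHINE:ARM emits
IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9        # what /SUBSYSTEM:WINDOWSCE emits
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002      # Characteristics flag: linked image
IMAGE_FILE_DLL = 0x2000                   # Characteristics flag: DLL, not .exe


def classify_pe(data: bytes) -> dict:
    """Return machine/subsystem/is_dll plus 'wince_arm_exe' for a PE image; malformed -> valid=False."""
    res = {"valid": False, "machine": None, "subsystem": None, "is_dll": None, "wince_arm_exe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return res
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                                # COFF header follows the "PE\0\0" signature
    # need signature + 20-byte COFF header + optional header up to and including Subsystem (offset 68)
    if coff + 20 + 70 > len(data) or data[e_lfanew:coff] != b"PE\0\0":
        return res
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 70:                                  # optional header too short to hold Subsystem
        return res
    (subsystem,) = struct.unpack_from("<H", data, coff + 20 + 68)
    res.update(valid=True, machine=machine, subsystem=subsystem, is_dll=bool(chars & IMAGE_FILE_DLL))
    res["wince_arm_exe"] = (machine == IMAGE_FILE_MACHINE_ARM
                            and subsystem == IMAGE_SUBSYSTEM_WINDOWS_CE_GUI
                            and bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE)
                            and not res["is_dll"])
    return res


def build_sample_pe(machine: int, subsystem: int, characteristics: int) -> bytes:
    """Constructed minimal PE header (DOS stub + PE32 optional header, no sections) for exercising classify_pe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature right after DOS header
    opt_size = 96                                      # PE32 optional header without data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: an ARM WinCE .exe (the file type the article describes), a WinCE DLL, and a desktop Win32 .exe
SAMPLE_WINCE_EXE = build_sample_pe(IMAGE_FILE_MACHINE_ARM, IMAGE_SUBSYSTEM_WINDOWS_CE_GUI, IMAGE_FILE_EXECUTABLE_IMAGE)
SAMPLE_WINCE_DLL = build_sample_pe(IMAGE_FILE_MACHINE_ARM, IMAGE_SUBSYSTEM_WINDOWS_CE_GUI, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
SAMPLE_WIN32_EXE = build_sample_pe(0x014C, 2, IMAGE_FILE_EXECUTABLE_IMAGE)   # 0x014C = i386, 2 = Windows GUI
```

Pointing classify_pe at the bytes of every *.exe in a device's root directory gives a quick list of the images that match the article's target profile, without executing any of them.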