The road less truvelled

Peter Ferrie
Virus Bulletin, July 2008, pp. 4-5
ISSN 0956-9979
July 2008

Abstract

Everything old is new again - at least for some virus writers.

By the addition of a relocation table, Vista executables can be configured to use a dynamic image base. That essentially turns them into executable DLLs. Now a virus has come along that has made a 'breakthrough' by infecting these executables - at least it would be a breakthrough if it weren't for the fact that relocatable executables have been supported since Windows 2000 (ASLR in 1999!), and we have seen plenty of viruses that can infect DLLs. What's more, applications can have different image bases even without a relocation table, which from the virus's point of view amounts to the same thing. There is no need for a virus to carry absolute addresses - the alternative is a technique called 'relative addressing'.
