A forum for reverse engineering, OS internals and malware analysis 

 #24230  by Foxxy
 Sun Oct 26, 2014 10:17 pm
Hello, I have been learning malware analysis as a hobby, however, my main issue is that I cannot find any technical documentation on how, specifically, file infectors work. I found a short tutorial on vxheavens.com, however, it was written poorly and was not created to fully explain the entirety of the process. My most prevalent questions are:

How does an appending file infector get loaded (I'm not talking EIP-wise)? It seems to me once you've written the virus, if the target file doesn't have a few of the main imports required for the file-infector, it would simply crash. (Would most file-infectors simply keep their own version of an import table, containing the addresses for their required functions?)

Do file infectors append their entirety, sections and all? If so, how on earth does the OS not get confused once it attempts to load the virus, and then the virus jumps to the actual code? (Is the OS smart enough to load the virus and then load the actual code once it is jumped to?)

I have many more questions, but those two are the biggest on my mind right now. If any of you could point me to some great technical documentation on file-infectors, that would be fantastic. (I have googled many times, however, it usually points to articles dedicated to your average layman.)
 #24262  by SomeUnusedName
 Fri Oct 31, 2014 3:41 pm
I'll try to answer your questions:

File infectors usually append themselves and make sure they are loaded by possibly adding a section (so some structure accounts for the overhead and is actually loaded), or they include themselves in "free" space in existing sections. The next problem as you mentioned is that the virus can't be sure required modules (DLLs) are loaded, so they have to get their imports at runtime. This is common for any malware, in order to leave the IAT empty to not leave clues as to what they do. It also makes life harder for reversers, so that's a nice bonus.

From what I have seen, no, file infectors don't append themselves completely, this is not necessary. If the virus code is position-independent, they can just append their malicious code and "fix" the entry point to point to themselves. The Windows loader only loads what the headers account for. Again, either the virus has to embed itself in existing sections, or add a section entry for its own code to make sure the code is loaded. The loader then simply jumps to the code referenced by AddressOfEntryPoint, wherever that points to.
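As an added example (not code from this post or from any project), here is a small Python PE header walker that applies the reasoning in the answer above from the analyst's side: it checks whether AddressOfEntryPoint lands in a trailing, writable-and-executable, or non-code section, which is exactly the residue that "add a section entry and repoint the entry" leaves in the headers. The heuristics and the constructed, headers-only sample images are assumptions for illustration.

```python
import struct
# PE section Characteristics flags (PE/COFF specification)
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from raw PE32 header bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint is an RVA
    sections, off = [], opt + opt_size
    for _ in range(nsec):                                # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "size": max(vsize, rawsize), "chars": chars})
        off += 40
    return entry, sections

def entry_point_findings(data):
    """Flag the 'append a section, repoint the entry' pattern; returns a list of reasons."""
    entry, sections = parse_pe(data)
    owner = next((s for s in sections if s["va"] <= entry < s["va"] + s["size"]), None)
    if owner is None:
        return ["entry point maps to no section"]
    found = []
    if len(sections) > 1 and owner is sections[-1]:
        found.append(f"entry point in last section {owner['name']!r}")
    if owner["chars"] & IMAGE_SCN_MEM_WRITE and owner["chars"] & IMAGE_SCN_MEM_EXECUTE:
        found.append(f"entry section {owner['name']!r} is writable and executable")
    if not owner["chars"] & IMAGE_SCN_CNT_CODE:
        found.append(f"entry section {owner['name']!r} is not marked as code")
    return found

def build_pe(sections, entry):
    """Constructed, headers-only PE32 image used as test input (not a real executable)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(opt_size, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), sz, va, sz, 0x400, 0, 0, 0, 0, c)
                     for n, va, sz, c in sections)  # raw file offsets are not modelled here
    return dos + coff + opt + table
# Constructed layouts: a clean host, and the same host with an appended RWX section owning the entry point.
CLEAN = [(".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".data", 0x2000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
INFECTED = CLEAN + [(".vir", 0x3000, 0x200, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
```

Packers and some linkers legitimately produce the same header shapes, so treat the output as triage hints to be confirmed by looking at the code at the entry point, not as a verdict.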