{"id":18016138,"url":"https://github.com/cpu/vexation","last_synced_at":"2025-03-26T18:31:48.488Z","repository":{"id":42244253,"uuid":"168220892","full_name":"cpu/vexation","owner":"cpu","description":"Win95 retro virus dev.","archived":false,"fork":false,"pushed_at":"2023-06-19T16:01:55.000Z","size":16294,"stargazers_count":11,"open_issues_count":2,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-22T06:41:43.373Z","etag":null,"topics":["portable-executable","retrocomputing","tasm","virus","vx","win95","x86-assembly"],"latest_commit_sha":null,"homepage":"https://log.vexation.ca","language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cpu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-29T20:09:54.000Z","updated_at":"2024-05-16T05:54:32.000Z","dependencies_parsed_at":"2024-10-30T04:27:01.348Z","dependency_job_id":null,"html_url":"https://github.com/cpu/vexation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cpu%2Fvexation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cpu%2Fvexation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cpu%2Fvexation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cpu%2Fvexation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cpu","download_url":"https://codeload.github.com/cpu/vexation/tar.g
z/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245712837,"owners_count":20660302,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["portable-executable","retrocomputing","tasm","virus","vx","win95","x86-assembly"],"created_at":"2024-10-30T04:16:16.227Z","updated_at":"2025-03-26T18:31:47.458Z","avatar_url":"https://github.com/cpu.png","language":"Assembly","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VeXation\n\nCode accompanying [the VeXation development blog](https://log.vexation.ca).\n\nAll code is written in x86 ASM targeting Borland Turbo Assembler 5.0 and\nWindows 95 and is licensed under the GPLv3.\n\n## minijector\n\nAccompanying post: [PE File Infector Basics](https://log.vexation.ca/2019/01/pe-file-infector-basics.html)\n\nWorking towards a basic Win95 PE file infector. Minijector will add its own code\nto other PE executables in the same directory by appending a new section (named\n`.ireloc`).\n\nAs described in the accompanying blog post this is not a complete working PE\nfile infector. The entry point of the infected program is not updated so the\ninjected copy is fully inert. The virus code is not position independent and\ndoes not find `kernel32.dll` API addresses at runtime.\n\n## pijector\n\nAccompanying post: [A VXers Best Friend: The Delta Offset](https://log.vexation.ca/2019/03/a-vxers-best-friend-delta-offset.html)\n\n\"pijector\" (position independent (self-in)jector) is a continuation of\nMinijector. 
`pijector.exe` doesn't use a separate data section for its variable\ndata and instead modifies offsets within the code section. The offsets are\nadjusted by the overall delta offset to make the variable references position\nindependent.\n\nAs described in the accompanying blog post this is *still* not a complete\nworking PE file infector. The entry point of the infected program is not updated\nso the injected copy is fully inert. The virus code also does not find\n`kernel32.dll` API addresses at runtime.\n\n## apifind \u0026 apifind2\n\nAccompanying post: [Using Win95 Kernel32.dll exports Like a virus](https://log.vexation.ca/2019/04/using-win95-kernel32dll-exports-like.html)\n\n\"apifind\" and \"apifind2\" are stand-alone examples of finding required win32 API\nfunctions at runtime without hardcoding anything. Both find the `kernel32.dll`\nbase address, locate the `GetProcAddress` export in the DLL, and then\nresolve required Windows API function addresses with `GetProcAddress`.\n\n\"apifind2\" reduces some duplication by providing assembly macros for defining\nrequired API variables, describing the API functions/arguments, finding the API\nfunction addresses, and finally invoking the API functions. Start by reading\n\"apifind\" and then compare with \"apifind2\".\n\n## apisafejector\n\nAccompanying post: [Using Win95 Kernel32.dll exports Like a virus](https://log.vexation.ca/2019/04/using-win95-kernel32dll-exports-like.html)\n\n\"apisafejector\" integrates the techniques/code from \"apifind2\" with \"pijector\".\nBy using dynamically resolved `kernel32.dll` function addresses the generation\n1+ virus code now works without crashing! The primary challenge that remains is\nfixing the virus code to call the original host program's entrypoint to avoid\ndetection.\n\nThis program represents a fun milestone because it's the first version of the\nvirus that is truly viral. Running `apisafejector.exe` in the same directory as\n`calc.exe` will infect it. 
Running `calc.exe` next to a new executable (e.g.\n`cdplayer.exe`) will infect that executable. Of course since the original\nexecutable code is never run this is a very obvious virus, both `calc` and\n`cdplayer` will appear broken :-)\n\n## epjector\n\nAccompanying post: [Calling the original entry-point](https://log.vexation.ca/entry-points)\n\n\"epjector\" extends \"apisafejector\" to handle restoring control flow to the\ninfected program's original entrypoint. Now when an infected program is run it\nwill try to propagate the infection as before but when it's done it will run the\noriginal program. Now `calc.exe` and `cdplayer.exe` will not appear broken while\nalso spreading the infection \u003e:)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcpu%2Fvexation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcpu%2Fvexation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcpu%2Fvexation/lists"}