.sis - application installation package (an unsis tool is available from the Symbian.com site; it needs Perl to run);
.jar - J2ME application package (zip format);
.app/.exe/.mdl/.dll - application files;
.aif - Application Information File;
etc.
2. Common Symbian OS application file types:
App - most applications are of this type (functionally it is like an executable on Windows, but in implementation it is closer to a dynamic link library);
Console exe - only for testing; rare;
Dll - dynamic link library in Symbian;
Mdl - a special kind of dynamic link library used for autostart; the file is placed in the c:\system\recogs directory; the full name is MIME Recognizer Dll;
3. How the malware spreads:
Trojan - mostly in app format, a few in console exe format; a trojan application runs directly;
Worm - mostly in app format; the worm installs an MDL file to start the main app automatically, and spreads itself by infrared, Bluetooth, MMS or email;
Virus - infects EPOC32 format files?
Part 2. Analysis of the MDL sample of "Drever.A"
Instructions:
1. Symbian OS supports several CPU architectures; most mobile phones use ARM. The virus analyzed in this text also runs on the ARM platform, so the reader should know BASIC ARM INSTRUCTIONS AND ARM PROGRAMMING.
2. My main tool is IDA Pro 4.8. To reduce memory use, Symbian OS APIs do not export names (only ordinals), so we cannot see the API name directly. I have written an IDA plugin to try to fix this problem. (The plugin is in testing, so I have not released it yet. If you need it or want to try it, please contact me by email: jay_zephyr2002@yahoo.com.cn)
3. How parameters are passed to Symbian OS APIs and functions:
1) Generally speaking, the system uses R0-R3 to pass the parameters;
2) If there are more than 4 parameters, the remaining parameters are passed on the stack;
3) A (non-static) class method receives the class's this pointer in R0;
4) The return value is placed in R0;
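To make the four rules above mechanical when labelling registers in an IDA listing, here is a small added example (my own code, not the author's plugin and not part of the original text). It parses a C++ prototype, decides whether the function is a non-static method (a scoped name without "static" is taken as one, which is an assumption), and reports where each argument and the return value live. It assumes every argument occupies one 32-bit slot (no 64-bit or by-value struct arguments) and that the parameters are named; the prototypes in the usage are constructed for the example.

```python
"""Map C++ prototype arguments to ARM registers / stack slots.

Added example: applies the R0-R3 / stack / this-in-R0 / return-in-R0 rules
from the text above. Assumes each argument is a single 32-bit word.
"""
import re

ARG_REGS = ("R0", "R1", "R2", "R3")
SLOT = 4  # bytes per stack argument slot (32-bit words)

# return type, optional Class::, function name, parameter list
_PROTO = re.compile(
    r"^\s*(?P<static>static\s+)?(?P<ret>[\w:<>&*\s]+?)\s+"
    r"(?:(?P<cls>\w+)::)?(?P<fn>\w+)\s*\((?P<params>[^)]*)\)"
)


def _param_names(params):
    """Extract parameter names from 'TInt aA, const TDesC& aB'."""
    names = []
    for p in params.split(","):
        p = p.split("=")[0].strip()  # drop default values
        if not p or p == "void":
            continue
        tokens = re.findall(r"\w+", p)
        # last identifier is the name; an unnamed parameter gets a placeholder
        names.append(tokens[-1] if len(tokens) > 1 else f"arg{len(names)}")
    return names


def arg_locations(param_names, is_method):
    """Return [(name, location)] with R0-R3 first, then [SP, #off] slots."""
    slots = (["this"] if is_method else []) + list(param_names)
    out = []
    for i, name in enumerate(slots):
        if i < len(ARG_REGS):
            out.append((name, ARG_REGS[i]))
        else:
            out.append((name, f"[SP, #{(i - len(ARG_REGS)) * SLOT}]"))
    return out


def locate(proto):
    """Describe where the arguments and return value of a prototype live."""
    m = _PROTO.match(proto)
    if not m:
        raise ValueError(f"cannot parse prototype: {proto!r}")
    # assumption: a scoped name without 'static' is a non-static method
    is_method = bool(m.group("cls")) and not m.group("static")
    args = arg_locations(_param_names(m.group("params")), is_method)
    ret = None if m.group("ret").strip() == "void" else "R0"
    name = f"{m.group('cls')}::{m.group('fn')}" if m.group("cls") else m.group("fn")
    return {"function": name, "args": args, "return": ret}


if __name__ == "__main__":
    # constructed prototypes, not taken from the sample
    for proto in (
        "TInt CFoo::Bar(TInt aA, const TDesC& aB, TInt aC, TInt aD, TInt aE)",
        "static TInt CFoo::Baz(TInt aX)",
        "TInt E32Dll(TDllReason aReason)",
    ):
        info = locate(proto)
        print(info["function"])
        for name, loc in info["args"]:
            print(f"  {loc:10} <- {name}")
        print(f"  return    -> {info['return']}")
```

Reading the listing, an analyst then annotates R1 as the first real argument of a method (R0 being this) and treats the first stack word above the saved registers as the fifth argument.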
Symbian OS MDL loader call sequence:
-> 1. E32Dll(TDllReason) // exported by the mdl file, entry point
-> 2. CreateRecognizer() // exported by the mdl file, ordinal = 1
===============================================================================
1. The entry point as shown by IDA:
---------------------------[ BEGIN IDA DISASSEMBLE ]---------------------------
.text:10000000 Start:
.text:10000000 B loc_10000248
.text:10000248 loc_10000248:
.text:10000248 MOV R0, #0
.text:1000024C BX LR
----------------------------[ END IDA DISASSEMBLE ]----------------------------
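The listing above is three instructions: an unconditional branch, MOV R0, #0 and BX LR, so the entry point returns 0 without doing anything. As an added example (my own code, not from the original text or from the author's plugin), the decoder below reproduces that listing from raw 32-bit ARM words and then checks whether an entry point is such a return-zero stub, which is a quick triage step for deciding that the interesting code is elsewhere (here, CreateRecognizer). The page only shows IDA's text, so the machine words in SAMPLE_IMAGE are encodings I computed for the three instructions, not bytes taken from the sample; only unconditional B/BL, BX and MOV-immediate are handled.

```python
"""Minimal ARM decoder for the instruction forms in the E32Dll listing.

Added example. SAMPLE_IMAGE holds machine words constructed to encode the
three instructions shown in the IDA output; they are not bytes from Drever.A.
"""

REGS = [f"R{i}" for i in range(13)] + ["SP", "LR", "PC"]

# constructed: addr -> 32-bit word, mirroring the listing above
SAMPLE_IMAGE = {
    0x10000000: 0xEA000090,  # B   loc_10000248
    0x10000248: 0xE3A00000,  # MOV R0, #0
    0x1000024C: 0xE12FFF1E,  # BX  LR
}


def _ror32(value, amount):
    """Rotate a 32-bit value right by amount bits."""
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF


def decode(addr, word):
    """Decode one ARM word at addr; only the 'always' condition is handled."""
    if word >> 28 != 0xE:
        return f"<conditional 0x{word:08X} not handled>"
    # BX Rm: 0001 0010 1111 1111 1111 0001 Rm
    if word & 0x0FFFFFF0 == 0x012FFF10:
        return f"BX {REGS[word & 0xF]}"
    # B/BL: bits 27..25 = 101, L = bit 24, signed 24-bit word offset from PC+8
    if (word >> 25) & 0x7 == 0b101:
        off = word & 0xFFFFFF
        if off & 0x800000:
            off -= 0x1000000
        target = (addr + 8 + off * 4) & 0xFFFFFFFF
        mnem = "BL" if (word >> 24) & 1 else "B"
        return f"{mnem} loc_{target:08X}"
    # MOV Rd, #imm: data-processing, I = 1, opcode 1101, imm8 rotated right by 2*rot
    if (word >> 26) & 0x3 == 0 and (word >> 25) & 1 and (word >> 21) & 0xF == 0b1101:
        rd = (word >> 12) & 0xF
        rot = (word >> 8) & 0xF
        imm = _ror32(word & 0xFF, rot * 2)
        return f"MOV {REGS[rd]}, #{imm}"
    return f"<unhandled 0x{word:08X}>"


def disassemble(image):
    """Return IDA-style 'ADDR mnemonic' lines for every word in the image."""
    return [f"{addr:08X} {decode(addr, word)}" for addr, word in sorted(image.items())]


def entry_returns_zero(image, entry, max_hops=4):
    """Follow unconditional branches from entry; True if the path is MOV R0,#0 ; BX LR."""
    addr = entry
    for _ in range(max_hops):
        word = image.get(addr)
        if word is None:
            return False
        text = decode(addr, word)
        if text.startswith("B loc_"):
            addr = int(text[len("B loc_"):], 16)
            continue
        nxt = image.get(addr + 4)
        return text == "MOV R0, #0" and nxt is not None and decode(addr + 4, nxt) == "BX LR"
    return False


if __name__ == "__main__":
    for line in disassemble(SAMPLE_IMAGE):
        print(line)
    print("entry returns 0:", entry_returns_zero(SAMPLE_IMAGE, 0x10000000))
```

In practice the image dictionary would be filled from the .text section of the MDL; the decoder is deliberately narrow, so anything it reports as unhandled is a signal to read the function in IDA rather than trust the stub check.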
This is the E32Dll function; in C, its source looks like:
////////////////////////////////////////////////////////////////////////////////
// Text end
OK, that's all! If you find any bugs, please let me know.
Thanks for reading.
================================================================================
Appendix:
================================================================================
The following is the MyRecognizer class source: