Virus question...
#31
Quote: Zack, a pif file is executed, try renaming an EXE to pif and run it. It works.


Buffer overflow exploit does not execute the code itself, the overflowed data is read as pure asm code, and interpreted. Don't ask me why MS did that, to me it's just plain stupid to have a BMP decoder execute asm code.. but that's just me.

Guy, you seem to be a bit off in the way many viruses work. When a buffer overflow is exploited, the memory afterwards can be overwritten. What most viruses which use exploits in this way do is replace some of the program code with new machine code. That's how both Nimda and Code Red worked. In essence, the loader itself doesn't really execute asm code, it just executes itself, and when the overflow happens, it starts to execute the virus which it still perceives to be "itself".
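
The overwrite discussed in the post above, as an added example that is not part of the original thread: a simulated frame (a plain byte array, not a real stack) in which a 16-byte buffer sits directly before an 8-byte control slot, copied into once without a length check and once with one. The layout, sizes, values and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simulated frame (assumed layout, not a real stack): bytes 0..15 are the
 * data buffer, bytes 16..23 a control slot standing in for a return address. */
#define BUF_LEN   16
#define SLOT_LEN  8
#define FRAME_LEN (BUF_LEN + SLOT_LEN)
static const unsigned char GOOD_SLOT[SLOT_LEN] = {0x10, 0x20, 0x30, 0x40}; /* constructed */

static void frame_init(unsigned char *frame) {
    memset(frame, 0, BUF_LEN);
    memcpy(frame + BUF_LEN, GOOD_SLOT, SLOT_LEN);
}

/* Returns 1 if the control slot still holds its original value. */
static int slot_intact(const unsigned char *frame) {
    return memcmp(frame + BUF_LEN, GOOD_SLOT, SLOT_LEN) == 0;
}

/* Unchecked copy: trusts the caller-supplied length. The clamp to FRAME_LEN
 * exists only so this simulation never writes outside its own array. */
static void copy_unchecked(unsigned char *frame, const unsigned char *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, in, n);
}

/* Hardened copy: rejects input that does not fit the buffer. */
static int copy_checked(unsigned char *frame, const unsigned char *in, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(frame, in, n);
    return 0;
}

/* Feeds one input to both copies. Result bit 0: slot intact after the
 * unchecked copy; bit 1: slot intact after the checked copy. */
int run_case(const unsigned char *in, size_t n) {
    unsigned char a[FRAME_LEN], b[FRAME_LEN];
    frame_init(a);
    frame_init(b);
    copy_unchecked(a, in, n);
    (void)copy_checked(b, in, n);
    return slot_intact(a) | (slot_intact(b) << 1);
}

int main(void) {
    unsigned char input[FRAME_LEN];
    memset(input, 0x41, sizeof input); /* constructed sample input */
    printf("16 bytes -> %d, 24 bytes -> %d\n", run_case(input, 16), run_case(input, 24));
}
```

A single byte past the buffer is enough to change the control slot in the unchecked copy, while the checked copy leaves the frame untouched for any oversized input.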