233 lines
8.7 KiB
Plaintext
233 lines
8.7 KiB
Plaintext
|
|
K”hntark's Recursive Tunneling Toolkit
|
|
Version 4.1
|
|
Released 27 August 1993
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
1. DISCLAIMER
|
|
|
|
The author of this toolkit is in no way responsible for any
|
|
damage that its proper or improper usage might cause.
|
|
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
2. LICENSE?
|
|
|
|
You are free to include this toolkit in computer viruses.
|
|
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
3. INFO
|
|
|
|
You don't have to read this whole document before trying to
|
|
do something with the toolkit!
|
|
|
|
If you have never written a virus in Assembler, you can start
|
|
with the toolkit! (well, almost!)
|
|
|
|
K”hntark's Recursive Tunneling Toolkit is an object module
|
|
that can be linked to any virus.
|
|
|
|
The virus should be assembled and linked with KRTT41.OBJ
|
|
using Turbo Assembler 2.0 and above.
|
|
|
|
Using other Assemblers might cause unexpected results.
|
|
|
|
The toolkit, when called will try find the address of DOS's
|
|
real int 21h / 2Ah / 13h.
|
|
|
|
The output code returned will depend on the results found by
|
|
the toolkit.
|
|
|
|
KRTT41.OBJ is truly a NO-FRILLS object module. You need
|
|
nothing to use it. It is a simple, 'plug and play' item; just
|
|
save the registers, call it and act depending upon the
|
|
output.
|
|
|
|
Unlike other tunneling routines KRTT DOES NOT use Interrupt 1
|
|
to trace through the current interrupts, as this technique
|
|
can be easily disabled by any decent resident AV utility.
|
|
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
4. What the hell is tunneling?
|
|
Why use this?
|
|
|
|
A quick explanation: Antivirus system monitoring software are
|
|
Terminate and Stay Resident (TSR) programs that remain in
|
|
memory and hook or capture INT 21h / 2Ah / 13h and other
|
|
vital system interrupts.
|
|
|
|
These programs monitor all calls made to these interrupts for
|
|
'suspicious' or 'virus-like' behaviour. An example would be
|
|
unauthorized writing to a file thought INT 21h, function 40h.
|
|
|
|
These programs ensure that all viruses not using any
|
|
tunneling or stealth routines are detected when trying to
|
|
infect or remain resident in memory.
|
|
|
|
Some examples of such programs will even monitor their own
|
|
code to ensure they are not removed from memory or their
|
|
INT 21h handler is not replaced by other programs.
|
|
|
|
|
|
KRTT41 will get the DOS's original INT 21h / 2Ah / 13h, in
|
|
most cases, and can turn your virus into a 'smart' one by
|
|
warning about the possibility of strange AV software present
|
|
in memory.
|
|
|
|
Once DOS's original interrupts are found you can call them
|
|
directly to memory freely, bypassing any AV software present
|
|
in memory and infecting other files right through their
|
|
protection!
|
|
|
|
The ability to locate DOS's original INT 13h is provided
|
|
by KRTT to implement potentially destructive code.
|
|
(None of the examples contain such code.)
|
|
|
|
You could also use the original int 21h to allocate/free
|
|
memory and disable any software present in memory.
|
|
|
|
Such scenarios are possible but they have not tested fully,
|
|
so no claims can be made.
|
|
|
|
KRTT41's strength lies in a recursive nature which allows
|
|
tracing and scanning through multiple hooked INT 21h's.
|
|
|
|
You can load multiple non-conflicting system monitoring
|
|
antivirus programs and KRTT41 will go through them!
|
|
|
|
Be it 1 or 6 - admittedly a ridiculous situation - it won't
|
|
make a difference.
|
|
|
|
KTTR41 is very small due to its recursive nature. And
|
|
it is fast since it uses no memory locations for data
|
|
storage; all the operations are done directly in the CPU
|
|
registers.
|
|
|
|
KTTR41 is fully compatible with Trident's Polymorphic Engine
|
|
Version 1.4 and future polymorphic Engines.
|
|
|
|
Such compatibility is assured as long as KRTT 4.1 is linked
|
|
before any Polymophic Engine.
|
|
|
|
Note: See YB-1.ASM for TpE 1.4 linkage demonstration.
|
|
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
5. USAGE:
|
|
|
|
You need the following at the beginning of your program:
|
|
|
|
extrn TUNNEL:near
|
|
~~~~~~~~~~~~~~~~~
|
|
then call anytime during program execution (preferably at the
|
|
start):
|
|
|
|
call TUNNEL
|
|
~~~~~~~~~~~
|
|
Then store the address of the found INT 21h in a double word
|
|
location within your virus.
|
|
|
|
You can then call the real INT 21h doing a CALL DWORD PTR to
|
|
such location.
|
|
|
|
All this is shown in YB-1.ASM and YB-2.ASM
|
|
|
|
TUNNEL 4.1 procedure usage:
|
|
|
|
INPUT: bp=01 => Search for original INT 2Ah
|
|
bp=02 => Search for original INT 13h
|
|
Any other value in bp => Search for original INT 21h
|
|
(you MUST save any necessary registers)
|
|
|
|
OUTPUT: ah=00 Not found
|
|
ah=01 Found!
|
|
ah=02 Int 21h/ 2hA /13h Not Hooked
|
|
ah=03 DOS internal interrupts are hooked (search for
|
|
int 21h / 2Ah / 13h not conducted)
|
|
|
|
If found:
|
|
dx= INT 21h / 2Ah / 13h SEGMENT
|
|
di= INT 21h / 2Ah / 13h OFFSET
|
|
al= RECURSION DEPTH
|
|
|
|
REGISTERS DESTROYED: ax,bx,cx,dx,di,bp,es
|
|
|
|
|
|
At infection time you must add 248 (decimal) bytes to the
|
|
virus size. (see YB-1.ASM, YB-2.ASM)
|
|
|
|
ASSEMBLE: tasm /m <yourvirus>
|
|
|
|
LINK: tlink /x /t <yourvirus> krtt41.obj
|
|
|
|
or
|
|
|
|
LINK: tlink /x /t <yourvirus> krtt41.obj <poly-engine>.obj
|
|
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
6. TESTING:
|
|
|
|
The toolkit has been tested with a reasonable amount of
|
|
hardware and software.
|
|
|
|
Success for, loaded in the following order:
|
|
|
|
DOS 5.00 (high) + Vshield 106 (McAfee)
|
|
DOS 5.00 (high) + Vshield + Vshield 106
|
|
DOS 5.00 (high) + Virstop (FPROT 2.09)
|
|
DOS 5.00 (high) + TBdriver + TBfile (TBAV 6.03)
|
|
|
|
DOS 5.00 + Vshield (McAfee) + Virstop
|
|
DOS 5.00 + Vshield (McAfee) + Virstop
|
|
+ TBdriver + TBfile !!!!
|
|
|
|
You can switch the order of the first 2. Tbfile won't let
|
|
anything load if it is not loaded last.
|
|
|
|
DOS 5.00 (high) + QEMM 6.0 (high) + Vshield 106 (McAfee)
|
|
DOS 5.00 (high) + QEMM 6.0 (high) + Vshield + Vshield 106
|
|
DOS 5.00 (high) + QEMM 6.0 (high) + Virstop (FPROT 2.09)
|
|
DOS 5.00 (high) + QEMM 6.0 (high) + TBdriver + TBfile
|
|
(TBAV 6.03)
|
|
|
|
DOS 5.00 (high) + QEMM (high) + Vshield (McAfee) + Virstop
|
|
DOS 5.00 (high) + QEMM (high) + Vshield (McAfee) + Virstop
|
|
+ TBdriver + TBfile !!!!
|
|
|
|
KRTT is compatible MS-DOS and IBM DOS versions ranging from
|
|
3.1 to 6.0
|
|
|
|
The above results can be also reproduced against the
|
|
following:
|
|
|
|
QEMM 7.0
|
|
HIMEM.SYS
|
|
EMM386.SYS
|
|
VDEFEND (PCTOOLS 7.1)
|
|
Central Point Antivirus 1.3
|
|
Secure 2.35 (Mark Washburn)
|
|
Virex 2.8 (Ross Greenburg)
|
|
Flushot+ V1.84
|
|
Martin's Virus Trap V182 (Russia)
|
|
Antiviral Toolkit Pro 1.06 (Russia) (see YB-1 and YB-2)
|
|
Turbo Debugger 2.0
|
|
Watchdog (Leprechaun Software)
|
|
VSAFE (CPAV / MSAV)
|
|
|
|
Note that some of the above software developers costs $50+,
|
|
all circunvented by a free 248 byte program!
|
|
|
|
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
8. Final Notes From the Depths of HELL
|
|
|
|
If you have any questions or doubts please look at the demo
|
|
viruses , YB-1.ASM, YB-2.ASM or the KTTRDEMO.ASM program.
|
|
|
|
Any questions or comments are appreciated
|
|
|
|
I can be contacted at CIS (Crypt InfoSystems) BBS.
|
|
and VX BBS's through out the world.
|
|
|
|
Not illegal yet!
|
|
|
|
K”hntark
|
|
|
|
šWEUHL KšMPKAAH!
|