informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/DOCUMENTATION/routines.txt

484 lines
16 KiB
Plaintext
Raw Blame History

Routine List for Virus Creation Laboratory
------------------------------------------
This file contains a list of the routines inclueded with V.C.L. as
it is shipped. Routines under the "Effect Procedures" are possible effects
that your creation might have and are included in VCL.DAT. Routines listed
under "Condition Functions" are functions that return a value in AX; they
are used to test whether an effect should be called, and are also included
in VCL.DAT. Routines found under "Internal Routines" are inside the VCL.EXE
file, and may not be changed. They are called by V.C.L.-generated code
depending on which options are set. They are documented here in case you
decide to access them from a custom routine of your own. See the main
documentation for V.C.L. (VCL.DOC) for more information about assembler
routines and how to add them to V.C.L.
-------------------------------------------------------------------------------
Effect Procedures
=================
Procedure: beep
Decription: Beeps the PC speaker. CX holds the number of times
to beep.
Procedure: change_ram
Description: Changes the ammount of low (under 1 meg) memory the
computer appears to have. DX holds the new ammout
of memory, in kilobytes. This value remains unchanged
through a warm-reboot, and when the computer is
warm booted DOS will have less memory to use.
Procedure: clear_screen
Description: Clears the screen. There are no arguments. The BIOS
is used to clear the screen.
Procedure: cold_reboot
Decription: Performs a cold reboot of the system. Naturally this
procedure needs no parameters.
Procedure: corrupt_file
Description: Corrupts one or more files. DX points to the name of
the file (wildcards allowed; all matching files in the
current directory will be affected). The files are
encrypted by whatever the BIOS clock is at the time,
making them virtually unrecoverable.
Procedure: disable_parallel
Decription: Disables a parallel port. SI holds the port number
(LPT1 = 1, LPT2 = 2, etc.). The port will no longer
be usable (until the computer is rebooted) because
it address (stored in a table) will be wiped over.
Procedure: disable_prnt_scrn
Description: Disables the Print Screen key. A flag in the BIOS
is set so that it believes that something is already
being printed, disabling the effect.
Procedure: disable_serial
Description: Disables a serial port. SI holds the port number
(COM1 = 1, COM2 = 2, etc.). The port will no longer
be usable (until the computer is rebooted) because
its address (stored in a table) will be wiped over.
Procedure: display_string
Decription: Displays a string on the screen. SI points to the
string, which must be NULL terminated (ASCII code
0). The string is displayed using the BIOS screen
procedures, insuring that output will not be redirected.
Besides, the DOS procedure is slower, and has to be
terminated by a "$", which is incredibly lame.
Procedure: drop_program
Description: Drops a program into a file. DX points to the name
of the file (wildcards allowed; if the file name is
a wild card then all matchings file will be infected).
SI points to a table: the first word is the number of
bytes in the dropped program, the remaining bytes are
the program itself. The attributes, file date/time,
and size of the victim program are preserved, and
read-only/system/hidden attributes will not stop this
procedure from working. This procedure is used to
insert a message or code into a victim program. This
is useful for placing taunting messages in a file, or
for dropping a live virus into someone's .EXE from a
trojan horse. There are many uses.
Procedure: erase_files
Description: Erases one or more files. This procedure searches for the
file descriptor; if a valid file is found it is erased and
the process is repeated until no files are left. DX holds
a pointer to an ASCIIZ string containing the file mask.
The method of erasure is such that it is difficult to
recover files deleted with this routine.
Procedure: lock_up
Description: Locks up the computer. The interrupt flag is cleared,
disabling all interrupts, then the HLT command is used;
this locks up the computer so that it may only be restarted
with a cold reboot (achieved by either by turning off the
computer and turning it on again or by pressing the "reset"
button. There are no parameters needed (duh).
Procedure: machine_gun
Description: Clicks the PC speaker to simulate the sound of gun shots.
Most of this code was stolen from the Parasite-2B Virus
by Rock Steady, but I changed the delay procedure so that
the time between shots would stay constant regardless of
processor speed (on my 386-40 the original routine
sounded like a buzz). Basically this routine just turns
on and off the speaker quickly to make the clicking noise.
The number of shots to fire is passed in CX.
Procedure: out_port
Description: Outs a value to a port. AX holds the value to out,
DX holds the port number (0 - 65535).
Procedure: out_random
Description: Outs random values to all ports. This procedure retrieves
the BIOS timer count, then outs the low byte of it into
every single one of the 255 IO ports. This may do nothing,
or it can cause disk writes or formats, crashes, timer
problems, modem/printer problems, or all of the above.
It just depends. Most likely *something* bad will happen,
though usually just a crash.
Procedure: play_tune
Description: Plays a tune through the PC speaker. SI points to a table
of alternating frequency/duration values (word-length). The
frequency should be in hertz, the duration in clock ticks
(18.2 clock ticks/second). The table must be terminated
by a NULL (ASCII code 0). To produce a rest, used 0FFFFh
as the frequency (this is acutually 65535 cycles/second,
but human beings cannot hear frequencies that high, so
a rest is generated). I've found that 6 ticks for a quarter-
note works well (therefore 3 for an eighth-note, 12 for a
half-note, etc.). A lot of the code in this routine
was stolen from the sound() and nosound() procedures of
Borland C++ v3.0.
Procedure: print_string
Description: Prints a string on the printer. The address of the string
is passed in SI and the printer number is passed in DX
(LPT1 = 0, LPT2 = 1, etc.). The string must be NULL
terminated. If the printer is not on or does not exsist
this function will fail, of course.
Procedure: rom_basic
Description: Drops the computer into ROM BASIC if he has a true IBM
computer (ugh!). There is no escape from ROM BASIC
other than a reboot, and trust me, it ain't much fun to
play with (it's worse than even GWBASIC!). On compatibles
this interrupt will usually display a message and hang
the computer, or have no effect at all.
Procedure: serial_string
Description: Transmits a string to a serial port. DX holds the port
number (0 = COM1, 1 = COM2, etc.) and SI points to
the string, which must be NULL terminated. Remember that
when transmiting Hayes command strings that you must
include CR-LFs. (A special note: the Hayes string to
turn off the modem speaker is "ATM0 L0 (enter)." This is
quite useful when writing virii that call 1-900 numbers,
for example...)
Procedure: swap_parallels
Description: Swaps two parallel ports, causing untold havock. BX holds
the number of the first parallel port (LPT1 = 1, LPT2 = 2, etc.),
and SI holds the number of the second parallel port. This
effect lasts until the computer is rebooted.
Procedure: swap_serials
Description: Swaps two serial ports, causing untold havock. BX holds
the number of the first serial port (COM1 = 1, COM2 = 2, etc.),
and SI holds the number of the second serial port. This
effect lasts until the computer is rebooted.
Procedure: trash_disk
Description: Trashes a disk by overwritting the FAT, Boot, Directories,
etc. AX holds the drive number to trash (0 for A:,
1 for B:, etc.) and CX holds the number of sectors to
overwrite, starting with sector 0. The sectors will be
overwritten with whatever is in memory pointed to by
ES:BX. During the disk write all external interrupts
are disabled, preventing someone from pressing Ctrl-C
or Ctrl-Alt-Del.
Procedure: trash_disks
Description: Trashes one or more disks by overwritting their FAT, Boot,
Directories, etc. AX holds the starting drive number,
(0 for A:, 1 for B:, etc.) and CX holds the number of
sectors to overwrite, starting with sector 0. The sectors
will be overwritten with whatever is in memory pointed to by
ES:BX. During the disk write all external interrupts
are disabled, preventing someone from pressing Ctrl-C
or Ctrl-Alt-Del. All disks with a number less than or
equal to AX will be affected (for example, to trash drives
A through C, call trash_disks with AX = 2). Note that
the drives are accessed in reverse order, insuring that
any hard disks will be destroyed first, so if there are
no valid floppies then it will still be too late for the
victim to reset after he sees the drive lights go on.
Procedure: uncrunch_ansi
Description: Uncrunches and displays a run-length encoded ANSI produced
by The Draw. This code is stolen from UNCRUNCH.ASM included
with The Draw, but touched up a bit and re-commented. Data
for this routine must be created using The Draw and saving
to a packed ASM format. The offset to the data is passed
in SI. CX holds the length of the ANSI (this can be found in
IMAGEDATA_LENGTH of the code that The Draw produces; be sure
to remove any equates that The Draw inserts into the code it
produces).
Procedure: warm_reboot
Decription: Performs a warm reboot of the system. Naturally this
procedure needs no parameters.
------------------------------------------------------------------------------
Condition Functions
===================
Procedure: get_country
Description: Returns the DOS country code in AX. (The codes correspond
to the long-distance dialing prefixes for the respective
countries. See your DOS reference manual or local phone book
for a list of the country codes.)
Procedure: get_cpu
Description: Returns the model of the CPU installed. 8088s and
8086s return 86, 80286s 286, 80386s 386, and 80486s 486.
Procedure: get_day
Description: Returns the current day of the month (1 - 31) in AX.
Procedure: get_dos_version
Description: Returns the DOS version in AX. DOS versions before
2.0 return 0, while all others return the major
version number * 100 + the minor version number
(ex: a system running DOS 5.0 would return 500,
a system running DOS 3.3 would return 330, etc.)
Procedure: get_ems
Description: Returns the ammout of expanded memory in AX. This value
is in kilobytes of total (not available) EMS.
Procedure: get_floppies
Description: Returns the number of floppy drives installed (1 - 4) in AX.
Procedure: get_game_port
Description: Returns number of game ports installed (0 or 1) in AX.
Procedure: get_hour
Description: Returns the hour (0 - 23) in AX.
Procedure: get_minute
Description: Returns the current minute (0 - 59) in AX.
Procedure: get_month
Description: Returns the current month (1 - 12) in AX.
Procedure: get_parallel
Description: Returns the number of parallel ports in AX.
Procedure: get_ram
Description: Returns the ammount of RAM in AX. Note that this
is only the ammount of base RAM (under 1 meg), and
does not include EMS or XMS memory, and is in
kilobytes.
Procedure: get_random
Description: Returns a random number (0 - 65535) in AX. The number is
the lower word of the current BIOS timer tick count.
Procedure: get_rollover
Description: Returns the BIOS rollover flag (0 or 1), indicating whether
the computer has been on for 24-hours continuously (one) or
not (zero).
Procedure: get_second
Description: Returns the current second (0 - 59) in AX.
Procedure: get_serial
Description: Returns the number of serial ports (0 - 8) in AX.
Procedure: get_weekday
Description: Returns the number (0 for Sunday, 1 for Monday, etc.) of
the current day of the week in AX.
Procedure: get_year
Description: Returns the current year (1980 - 2099) in AX.
Procedure: infected_all
Description: Returns 0 if all files have been infected, 1 if not.
Note that this value applies to all searchable files,
not neccessarily every file on the disk, and that this
value is undefined if this is called before the search
routine (ie: only use it in "after" routines). The value
returned comes from the internal variable set_carry in
the infect_file procedure.
Procedure: is_4dos
Description: Returns 0 if 4DOS is installed, 1 if it is not.
------------------------------------------------------------------------------
Internal Routines
=================
Procedure: encrypt_code
Description: Mutates the encryption/decryption code. A new key is
chosen for the encryptor and the registers used in the
routine are changed (SI and DI are alternately used as
pointers to the encrypted code). Then the routine is
copied into the heap, along with code to write the
virus to the victim, and another copy (which decrypts
the virus) is added afterwards. The whole long routine
is then CALLed. The victim's file handle is passed to
this routine in the BX register.
Procedure: encrypt_decrypt
Description: Encrypts or decrypts the code, depending on whether or
not it is already encrypted. A simple XOR encryption
scheme is used, but code is mutated slightly to prevent
easy SCANing.
Procedure: find_files
Description: This routine is called by most search_files routines.
It searches the current directory for the first valid
file of the type who's mask is pointed to by DX. If
a valid file is found then infect_file is called. If
a file wasn't successfully infected then carry is set.
Procedure: infect_file
Description: Infects the file whose record is passed in the DTA. The
method of infection depends on which option(s) were chosen
by the user. The internal variable set_carry is set
to zero if no files were able to be infected, and the carry
flag set.
Procedure: search_file
Description: Searches for files to infect. If a valid file is found
infect_file is called. The search method is defined
by the user in the Options<6E>Search Type dialog box.
Procedure: stop_tracing
Description: Locks the computer if someone is tracing through the program.
Called whenever Stop Trace is set, this sets the interrupt
vectors three and one (tracing interrupt) to a new vector
which causes a system halt with all interrupts disabled.
This frustrates anyone trying to step through your creation.
If this fails then a short routine uses prefetch-queue
changing to lock the keyboard if a debugger is running;
under normal conditions nothing unusual happens. Some code
for these routines was taken from Demogorgon's article
"Concealment: Keep Your Code Hidden From Prying Eyes" in
40-Hex magazine volume #2, issue #2 (article #2). The
sequal to that article, "Code Concealment" (in 40-Hex volume
#2, issue #3, article #2), also by Demogorgon, provided
inspiration for the prefetch-queue-alteration routine.
These two articles provide great insight into methods of
preventing tracing and disassembly and are highly recommended
for people interested in the subject.
Procedure: traverse
Description: Traverses the directory tree looking for files to infect.
If a valid file is found infect_file is called. This
procedure is recursive, using about 128 bytes per call,
one call per level of the directory tree. This procedure
is only called when Options<6E>Search Type is set to "Directory
Tree." Carry is set if the search fails.
Procedure: traverse_path
Description: Traverses the DOS PATH variable looking for files to infect.
If a valid file is found infect_file is called. This
procedure is only called when Options<6E>Search Type is set to
"DOS PATH string." Carry is set if the search fails.
Reference in New Issue View Git Blame Copy Permalink