29A Issue 03 02 16
Load and execute program, TbMem exploit
Written by Darkman/29A
ÄÄÄÄÄÄÄÄÄÄÄÄ
Introduction
ÄÄÄÄÄÄÄÄÄÄÄÄ
When a program is terminated (function 00h, 31h or 4Ch), TbMem checks whether
an interrupt vector has been changed by comparing the interrupt vector table
with its own lookup table. That comparison is all TbMem does, and it does not
examine every vector in the interrupt vector table. Below is an overview of the
interrupt vectors TbMem examines:
INT 08h (IRQ 0 System timer)
INT 09h (IRQ 1 Keyboard)
INT 10h (BIOS System Video Services)
INT 13h (BIOS Fixed disk/FDD Services)
INT 15h (BIOS System Services)
INT 16h (BIOS Keyboard Services)
INT 17h (BIOS Printer Services (LPT))
INT 1Ah (BIOS Real-Time Clock Services)
INT 1Ch (BIOS User Timer Tick)
INT 20h (DOS Program Terminate)
INT 21h (DOS Function call)
INT 26h (DOS Absolute Disk Write)
INT 28h (DOS Idle)
INT 29h (DOS Fast Console Output)
INT 2Ah (Local Area Network)
INT 2Fh (Software Multiplex)
INT 40h (BIOS Diskette Service)
INT 50h (BIOS Reserved)
INT 70h (IRQ 8 AT Real Time Clock)
INT 76h (IRQ 14 AT Fixed Disk)
ÄÄÄÄÄÄÄÄÄÄÄ
The exploit
ÄÄÄÄÄÄÄÄÄÄÄ
When a program is executed (function 4B00h), the lookup table is recreated.
This means that if a virus changes the interrupt vector table and afterwards
executes, or merely attempts to execute, some other program, TbMem will be
unable to detect the changes, because its lookup table will then be identical
to the interrupt vector table. To keep TbMem from detecting changes in the
interrupt vector table, simply include the following code in your virus after
the interrupt vectors have been set:
mov ax,4b00h ; Load and execute program (any execute attempt, even a
int 21h ; failing one, makes TbMem rebuild its lookup table)
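The weakness the article describes is easiest to see when the monitor's logic is written out. The following Python model is an added example, not code from the article or from ThunderBYTE: it keeps a lookup table of the monitored vectors listed in the introduction, rebuilds that table on function 4B00h exactly as the text says TbMem does, and compares on termination. The vector addresses, the resident program's address, and the `TbMemModel`, `run_scenario` and `check_before_rebuild` names are all constructed for illustration. The `check_before_rebuild` variant shows the defender's fix: compare the table against the interrupt vector table before discarding it, so a change made by the parent program is reported at the execute call rather than silently absorbed into the new baseline.

```python
# Added example, not part of the 29A article: a model of TbMem's
# snapshot-and-compare check and of why rebuilding the lookup table on
# INT 21h/AX=4B00h without comparing first hides a vector change.

# The interrupt vectors the article says TbMem examines (INT numbers).
MONITORED_VECTORS = {
    0x08, 0x09, 0x10, 0x13, 0x15, 0x16, 0x17, 0x1A, 0x1C, 0x20, 0x21,
    0x26, 0x28, 0x29, 0x2A, 0x2F, 0x40, 0x50, 0x70, 0x76,
}


def fresh_ivt():
    """Constructed stand-in for the interrupt vector table: INT -> (seg, off)."""
    return {n: (0xF000, 0xE000 + n * 4) for n in range(256)}


class TbMemModel:
    """Snapshot-and-compare monitor as the article describes TbMem.

    snapshot()     copies the monitored vectors into the lookup table
    on_execute()   function 4B00h: rebuild the lookup table
    on_terminate() functions 00h/31h/4Ch: compare IVT against the table
    """

    def __init__(self, ivt, check_before_rebuild=False):
        self.ivt = ivt
        # Hypothetical hardening switch: compare before discarding the table.
        self.check_before_rebuild = check_before_rebuild
        self.lookup = self.snapshot()

    def snapshot(self):
        return {n: self.ivt[n] for n in MONITORED_VECTORS}

    def changed_vectors(self):
        """Monitored INT numbers whose current vector differs from the table."""
        return sorted(n for n in MONITORED_VECTORS
                      if self.ivt[n] != self.lookup[n])

    def on_execute(self):
        """INT 21h / AX=4B00h. As described, TbMem rebuilds the table here
        without comparing first, so a hook set before this call drops out of
        view. The hardened variant reports the differences, then rebuilds."""
        alerts = self.changed_vectors() if self.check_before_rebuild else []
        self.lookup = self.snapshot()
        return alerts

    def on_terminate(self):
        """Program terminate: report monitored vectors that differ from the table."""
        return self.changed_vectors()


def run_scenario(check_before_rebuild, call_execute=True):
    """Hook INT 21h, optionally call execute, then terminate.

    Returns (alerts raised at the execute call, alerts raised at termination).
    """
    ivt = fresh_ivt()
    monitor = TbMemModel(ivt, check_before_rebuild)
    ivt[0x21] = (0x9A00, 0x0100)  # constructed: a resident program takes INT 21h
    at_execute = monitor.on_execute() if call_execute else []
    at_terminate = monitor.on_terminate()
    return at_execute, at_terminate


if __name__ == "__main__":
    print("hook, terminate (no execute):      ", run_scenario(False, call_execute=False))
    print("hook, execute, terminate (TbMem):  ", run_scenario(False))
    print("hook, execute, terminate (hardened):", run_scenario(True))
```

Run without an execute call, the model reports INT 21h at termination; insert the 4B00h call and the report disappears, which is the behaviour the article relies on. With `check_before_rebuild=True` the same sequence is reported at the execute call instead, while the table is still rebuilt afterwards so that programs which legitimately install handlers are not flagged at their own termination.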
ÄÄÄÄÄÄÄÄÄÄÄ
Final notes
ÄÄÄÄÄÄÄÄÄÄÄ
This technique could easily be combined with the Server function call DOS
exploit, making the exploit even more powerful. An example of how to use the
Server function call DOS exploit can be found in Carriers, which is included
in 29A Magazine issue 2.
I don't know for how long the above described exploit has been working, but
it seems like Qark already knew about this exploit long ago. An example of this
TbMem exploit can also be found in Padania, which is included in VLAD Magazine
issue 7.
I've documented another TbMem exploit, which amazingly enough still works.
You can find the article, which I've named "ThunderBYTE Anti-Virus API's", in
Source of Kaos Magazine issue 3. It exploits both TbMem and TbScanX.