SLAM3.032: How to make your own virus capture files by Virtual Daemon [SLAM]

Published in Slam · 2 years ago

How to make your own virus capture files
by Virtual Daemon


Hello folks! Here goes a little Pascal program which will teach ya (I hope! ;) how to create your own virus capture files.

Why am I doing this? Well, I made this program a very looong time ago, bcoz I didn't like all the other capture files generated by AV programs, which had the AV's name in them (or some copyright shit)... My files are clean, no copyright, no shit, pure empty... :))

For some people who are wondering what a "virus capture file" is: a virus capture file (in my conception) is a file of a fixed size, filled with one character, that can be used to trap a virus in it.
The file may be COM or EXE. This program will create 2 files (one COM and one EXE), both of 20,000 bytes, which contain the simplest ASM code ("mov ah,4ch"/"int 21h"). The 4ch function is the DOS Terminate Program function. That means the program does nothing but return to DOS when executed.

When the files are executed, if there is an active resident virus in memory there is a 98% chance that the virus will try to infect these 2 files. If the virus does infect the files, their size will grow (only if the virus is non-overwriting). If the virus is overwriting, the actual code of the file will be overwritten and the file will keep the same size. In both cases the code of our program will be changed => the characters in our file will be changed.

This program can also verify whether the file was "touched" by a virus, but only in the first case. If the virus is overwriting, VIRCAP will report the file as not being modified in any way. Of course, this can be changed easily by checking whether the first bytes of our file have been modified.
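The decoy construction and the two infection cases described above, as an added Python example (not part of the original article or of VirCap): it builds the COM and EXE decoys with the MZ page counts derived from the size instead of hard-coded, and classifies a re-read decoy (or a 512-byte boot/partition image such as BOOT.CAP/PART.CAP) as intact, appended, overwritten or truncated, so the overwriting case the text says VirCap misses is caught too. The Borland linker words of the original header are left out, and the "infected" inputs in the demo are constructed byte patches, not real viruses.

```python
import struct

# Values taken from the VirCap source above
DECOY_SIZE = 20000                        # both decoys are exactly 20,000 bytes
FILL = 0xB0                               # byte 176, VirCap's filler
STUB = bytes([0xB4, 0x4C, 0xCD, 0x21])    # mov ah,4Ch / int 21h
HEADER_SIZE = 512                         # 32 paragraphs, as in VirCap's header


def build_com(size=DECOY_SIZE):
    """COM decoy: the 4-byte terminate stub, then filler up to size."""
    return STUB + bytes([FILL]) * (size - len(STUB))


def build_exe(size=DECOY_SIZE):
    """EXE decoy with an MZ header whose page counts follow from size."""
    pages, last_page = divmod(size, 512)
    if last_page:
        pages += 1                        # e_cp counts the partial last page
    hdr = bytearray(HEADER_SIZE)
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
    # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno: same values as VirCap
    struct.pack_into('<2s13H', hdr, 0, b'MZ', last_page, pages, 0,
                     HEADER_SIZE // 16, 0, 0xFFFF, 0, 0, 0, 0, 0, 0x3E, 0)
    body = STUB + bytes([FILL]) * (size - HEADER_SIZE - len(STUB))
    return bytes(hdr) + body


def classify(baseline, current):
    """Compare a decoy (or a 512-byte boot/MBR image) with its pristine copy.
    'appended' is what VirCap's size check catches; 'overwritten' is the
    case the article says it misses, caught here by comparing content."""
    if len(current) > len(baseline):
        return 'appended'
    if len(current) < len(baseline):
        return 'truncated'
    if current != baseline:
        return 'overwritten'
    return 'intact'


if __name__ == '__main__':
    com, exe = build_com(), build_exe()
    # constructed stand-ins for what an appending / overwriting infector leaves
    print(classify(com, com + b'\x90' * 300))                                      # appended
    print(classify(exe, exe[:HEADER_SIZE] + b'\x90\x90' + exe[HEADER_SIZE + 2:]))  # overwritten
    print(classify(exe, exe))                                                      # intact
```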

P.S. In case U didn't know, VIRCAP comes from VIRus CAPture... :))))))

VirCap also creates 2 mirror files:

  • BOOT.CAP - contains the boot image
  • PART.CAP - contains the partition table image

The .CAP files can be used if there is a boot/MBR virus installed on your system.

What is the purpose of this program??? Hmmm.... I forgot... :)).hehe...

Seriously, the capture files created by VirCap can be used in studying virii or in creating a cool virii collection. How? Simple! If you have a TSR virus installed on your system, run VirCap. The virus will probably infect your CAPTURE.* files, and there you have it: a working copy of the virus. The main advantage over another infected file is that the virus can be seen very easily in the infected CAPTURE.* files, bcoz the files contain only the virus + a simple program (4 bytes = mov ah,4ch / int 21h).

You can use the source of VirCap to create your own Virus Capture program for free... :)) I wish you Good luck! No need for greetz or shit!

P.S. The source is not commented... Anyway, I hope you're not so lame that you can't understand it... ;))))

{$M 25384,0,8192} (* - Bigger stack: the 20,000-byte decoy images are local
                       variables. HeapMax is kept small (the program only
                       allocates two 512-byte buffers) so that Exec has free
                       memory left to run CAPTURE.EXE/CAPTURE.COM in. - *)

Uses Crt,Dos;

Var
  CheckCom,CheckEXE,NotTheSame,Comp,ComInfect,ExeInfect:Boolean;

(* Do the decoys already exist? CheckEXE/CheckCOM only choose between the
   "Checking" and "Creating" messages in the main program. *)
Procedure CheckFiles;
Var
  F:File;
Begin
  Assign(F,'CAPTURE.EXE');
  {$I-} Reset(F,1); {$I+}
  If IOResult=0 Then Begin
    CheckEXE:=True;
    Close(F);
  End;
  Assign(F,'CAPTURE.COM');
  {$I-} Reset(F,1); {$I+}
  If IOResult=0 Then Begin
    CheckCOM:=True;
    Close(F);
  End;
End;

(* Write the COM decoy: 4 bytes of code (mov ah,4Ch / int 21h = B4 4C CD 21,
   stored little-endian as the Longint $21CD4CB4) followed by 19,996 filler
   bytes (176 = $B0). An existing file is left untouched. I/O checking stays
   off around the write so the caller can test IOResult. *)
Procedure FisierCOM(FName:String);
Var
  ComFile:Record
    Code:Longint;
    Data:Array [1..19996] Of Byte;
  End;
  F:File;
Begin
  ComFile.Code:=$21CD4CB4;
  FillChar(ComFile.Data,19996,176);
  Assign(F,FName);
  {$I-} Reset(F,1); {$I+}
  If IOResult=0 Then Begin
    Close(F);
    Exit;
  End;
  {$I-}
  ReWrite(F,1);
  BlockWrite(F,ComFile,20000);
  Close(F);
  {$I+}
End;

(* Write the EXE decoy: a 512-byte MZ header (32 paragraphs), the same 4
   bytes of code, then 19,484 filler bytes = 20,000 bytes in all. Header
   words: [01] 'MZ', [02] bytes on the last page ($20 = 20000 mod 512),
   [03] pages ($28 = 40), [05] header size in paragraphs ($20), [07] max
   alloc ($FFFF), [13] relocation table offset ($3E); [15]..[17] reproduce
   what Borland's linker leaves in the reserved words. CS:IP and SS:SP are
   0:0, so execution starts right after the header. *)
Procedure FisierEXE(FName:String);
Var
  ExeFile:Record
    Antet:Array [1..256] Of Word;
    Code:Longint;
    Data:Array [1..19484] Of Byte;
  End;
  F:File;
Begin
  With ExeFile Do Begin
    Code:=$21CD4CB4;
    FillChar(Antet,512,0);
    Antet[01]:=$5A4D; Antet[02]:=$0020;
    Antet[03]:=$0028; Antet[05]:=$0020;
    Antet[07]:=$FFFF; Antet[13]:=$003E;
    Antet[15]:=$0001; Antet[16]:=$30FB;
    Antet[17]:=$726A;
    FillChar(Data,19484,176);
  End;
  Assign(F,FName);
  {$I-} Reset(F,1); {$I+}
  If IOResult=0 Then Begin
    Close(F);
    Exit;
  End;
  {$I-}
  ReWrite(F,1);
  BlockWrite(F,ExeFile,20000);
  Close(F);
  {$I+}
End;

(* Compare the first 512 bytes of two files; sets NotTheSame on any difference. *)
Procedure Compare(F1,F2:String);
Type
  B=Array[1..512] Of Byte;
Var
  F,G:File;
  Buf,Buf1:^B;
  I:Word;
Begin
  New(Buf);
  New(Buf1);
  Assign(F,F1); Reset(F,1);
  Assign(G,F2); Reset(G,1);
  BlockRead(F,Buf^,512);
  BlockRead(G,Buf1^,512);
  For I:=1 To 512 Do
    If Buf^[I]<>Buf1^[I] Then NotTheSame:=True;
  Dispose(Buf);
  Dispose(Buf1);
  Close(F);
  Close(G);
End;

(* Read one 512-byte sector from the first hard disk with INT 13h/AH=02h
   (cylinder 0, sector 1; Head 0 = partition table/MBR, Head 1 = where the
   DOS boot record of the first partition normally sits). On the first run
   the sector is saved to CapName; on later runs it goes to TmpName, is
   compared with CapName, and a warning is printed if the two differ. *)
Procedure SaveSector(Head:Byte; CapName,TmpName,What:String);
Var
  Sector:Array[1..512] Of Byte;
  F:File;
  R:Registers;
Begin
  R.Ah:=$02;               (* read sectors *)
  R.Al:=1;                 (* one sector *)
  R.Ch:=0;                 (* cylinder 0 *)
  R.Cl:=1;                 (* sector 1 *)
  R.Dh:=Head;
  R.Dl:=$80;               (* first hard disk *)
  R.Es:=Seg(Sector);
  R.Bx:=Ofs(Sector);
  Intr($13,R);
  If (R.Flags And FCarry)<>0 Then Begin
    WriteLn('» Error reading ',What,' (INT 13h status ',R.Ah,')');
    Exit;
  End;
  Assign(F,CapName);
  {$I-} Reset(F,1); {$I+}
  If IOResult=0 Then Begin
    Close(F);
    Write('■ Checking ',What,'...');
    Assign(F,TmpName);
    ReWrite(F,1);
    Comp:=True;
  End
  Else Begin
    ReWrite(F,1);
    Write('■ Creating ',What,' image...');
  End;
  BlockWrite(F,Sector,512);
  Close(F);
  WriteLn('Done!');
  If Comp Then Begin
    Compare(CapName,TmpName);
    If NotTheSame Then Begin
      WriteLn('■ WARNING! ',What,' was modified...');
      NotTheSame:=False;
    End;
    Erase(F);              (* F is still assigned to TmpName *)
    Comp:=False;
  End;
End;

(* A non-overwriting infector changes the decoy's size; this size check is
   the only test VirCap makes (see the note about overwriting viruses above). *)
Function DecoyGrew(FName:String; OrLength:Longint):Boolean;
Var
  F:File;
Begin
  Assign(F,FName);
  Reset(F,1);
  DecoyGrew:=FileSize(F)<>OrLength;
  Close(F);
End;

Begin
  (* You are encouraged to remove the following 2 lines... :-) *)
  WriteLn('Virus Capture v1.0, Copyright (c) 1997 by Virtual Daemon');
  WriteLn('E-mail address: virtual_daemon@hotmail.com');
  (* Here begins the real program... ;-) *)
  WriteLn;
  CheckFiles;
  If CheckEXE Or CheckCOM Then Write('■ Checking files...')
  Else Write('■ Creating files...');
  FisierEXE('CAPTURE.EXE');
  If IOResult<>0 Then Begin
    WriteLn;
    WriteLn('» Error creating EXE file !');
  End;
  FisierCOM('CAPTURE.COM');
  If IOResult<>0 Then Begin
    WriteLn;
    WriteLn('» Error creating COM file !');
  End;
  WriteLn('Done!');

  SaveSector(1,'BOOT.CAP','BOOT.TMP','boot record');
  SaveSector(0,'PART.CAP','PART.TMP','partition table');

  (* Run both decoys so a resident virus gets its chance to infect them. *)
  SwapVectors;
  Exec('CAPTURE.EXE','');
  If DosError<>0 Then WriteLn('» Could not run CAPTURE.EXE (DosError ',DosError,')');
  Exec('CAPTURE.COM','');
  If DosError<>0 Then WriteLn('» Could not run CAPTURE.COM (DosError ',DosError,')');
  SwapVectors;
  ExeInfect:=DecoyGrew('CAPTURE.EXE',20000);
  ComInfect:=DecoyGrew('CAPTURE.COM',20000);
  If ComInfect Then WriteLn(' » Found one active COM virus.')
  Else WriteLn(' » No active COM virus was found.');
  If ExeInfect Then WriteLn(' » Found one active EXE virus.')
  Else WriteLn(' » No active EXE virus was found.');
End.
