SLAM4.023: To tie in a virus by Somniun
To tie in a Virus
by Somniun
somniun@hotmail.com
I wish to be grateful Virtual Daemon who lets and help me to continue in Slam VD thx !!! kiss * kiss *
- INTRODUCTION
- SOME HISTORY
- MY OWN PROPOSE
- 3.1 Short idea about my proposal.
- 3.2 How formatting a track different to DOS.
- 3.3 ASM Subroutine for own formatting.
- 3.4 Whole explication.
1) INTRODUCTION
Many times, when system is infected by a virus, operators used to say:
"Please remove it, doesn't matter what virus does, remove and kill it"
In this case, a lot of work of VX writers is destroyed, I wish these people look inside virus or ( if they can :] ) decode it to ADMIRE work. How could we change this situation ? may be, if we apply a technical, called " virus dependence", perhaps we can hear ' Please don't touch my virus ! '. Examples : when a virus intercept read and write a disk function and before apply some sort of cipher (encription) and all data in a disk keep encripted and only virus can give it encipher to system, then anybody user will wanted remove virus ;) . Other idea is apply compression method exclusive of virus , and my own idea (which I show in this article) format a track in particular way, that only virus known how access track. I know this is not impossible to remove, a good disassembler can do it, but this technical can complicate virus remotion, and a success remotion implicate to decode virus.
2) SOME HISTORY
There are some viruses which to forces to user wishes keep its:
- DBASE: this virus intercepts read/write disk function, and perform a randomly transposing in bytes of .DBF files.When user needs to read a .DBF file , virus restores these bytes, so nothing seems to be wrong. But if user removes virus he couldn't never read his .DBF again.
- BONZAI: when this virus goes containing a program, compresses the program and obtains space for keeps itself, in fact the final file size is the same. When DOS loads the program, is loading the virus and just the virus knows how descompres the original program.
- JOKE: this is not just a virus dependence, but when virus is active nobody would likes shut down its system and remove it !!!! In fact: when it is actives its copies some significative areas of hard disk in memory and erase this areas on disk. Then virus proposes operator to play a casino game and if operator wins, its restores these areas to disk and virus over its work, but if the operator lose.... well, you might guess !
3) MY OWN PROPOSAL
3.1 Short performing
My idea is to keep hidden information hidden from DOS, formatting a track in other way than DOS format a track, and record this information in these track.
If DOS can't read it, user needs keep the virus for recover it.
Perhaps can work this way:
When virus ( NO TSR) is active, in this moment, it can seeks for possible program (progx.com or progx.exe) to contamine.
When virus find it, virus must create a virus companion,...
This way:
if virus find a program named pgr1.com must keep pgr1.com in memory buffer and create other pgr1.com , which to replace at original pgr1.com. and if virus find a pgr1.com ,as well, must create other pgr1.com (it is sufficient, DOS call before .com than .exe)
This second and false pgr1.com will be our dear virus.
Then virus must save the original pgr1.com in a track with virus format own.
At this moment the work of virus is over and virus goes away.
So when DOS executes pgr1.(com or exe) it's executing the virus , it can take control of system and then it must recover the original pgr1, and only virus can do it.
May be it is a better idea hide data files, but it is harder, I tell about in a 3.4
First I wish show you ,how to format a track in a low-level, at least if you are bored reading whole article (may be it (?)) I think you'll enjoy with every technicals and secrets for this. At least I was fascinated and I use many time looking for information of this, and may be this can save your time :)
3.2 How to format a track in different way from DOS
Real track capacity
Each track has this structure:
A absolute number of bytes which are distribute follow:
(Imagine next lines are a track... "Imagination is the powerful tool of humans ")
---begin track--
GAP-DTL(ID-hole-sector)-GAP-DTL-(ID-hole-sector)....(here a variable number of chain of GAP-DTL-hole-sector)......GAP-DTL(id-hole-sector).
---end track--
GAP is a hole or space between sector, for security reason.If no there's GAP when a system writes a sector it can erase data of adjacent sector. And GAP will be our start because if we can correctly recalculate GAP, we can reduce it and use the "wasted" bytes for add more sectors.
DTL and hole : DTL are headers bytes of sector and hole is, a hole necessary just for time required by controller disk could read ID of sector and check if is it the seek sector.
Physical space track is permanent (of course we can't change it) and is permanent speed rotation and frequence and modulation of signal that record data in a diskette .
By all before ,amount of bit in a track is permanent too.
All preceding, let us compute exactly number of bits than track can keep:
CALCULATION OF ABSOLUTE AMOUNT OF BYTE IN 1 TRACK
(I'll show example to 5 1/4 drive , you need know exactly number and data for each drive that you are using)
- --You nee know speed rotation of drive for calculate how many time is needed for read or write 1 track.
- If speed rotation : 300 rpm(+/1.5%), then ( 60s / 300) time for rotate 1 track is 200ms
- ---You need know transference frequency
- If Transference frequency (MFM) between memory and disk is 250 Kbits/seg.
- Then in theory you can record 250 Kbits/s * 0.2= 50 Kbits in a track.
- 50 kbits = 50.000/8 =6250 bytes.
-
- Then this 6250 bytes are shared between GAP and DTL.
- Following with a 5 1/4 example in a track of 9 sectores with 512 bytes each, total number in real use is 512 *9= 4608 of one total of 6250.
- Then 6250-4608= 1642 "wasted" in GAP and headers sectors.
DDPT.
Before we'll recalculate GAP for introduce a new sector , we must understand what is and how use DDPT ( Disk Drive Parameter Table)
When system record a sector it record an ID for each sector in a header of its (physical on diskette )
ID are 4 bytes:
- C: number of track
- H: head number
- R: sector number
- N: number of bytes in sector
But it isn't sufficient, FDC (disk controller) need know other information, this information it is in a DDPT.
DDPT is table that is storage in a vector 1Eh of interrupt vector table, and if you can use DOS interrupt , you can call INT 21, function 32 (ah=32), undocumented function for obtain it correct position.
DDPT have 10 (0Ah) bytes with important information for drive work, 2 of these byte (5 and 7) are gap length between sector in write or read and length gap for format (There are two GAP, one for read and write and other for format)
You guess that if we change gap length we must change DDPT at necessary moment.
Then you can change pointer to DDPT like you change pointer of ordinary interrupt, and must keep old pointer to restoration. (I assume that if you are trying do this, you've played a bit with a low-level programming and you know how to hook interrupts).
We can copy the original DDPT and only change byte 5 and 7 for matching with our news data of GAP.
Come back at our GAP calculation. ( trust in me, at once we end)
For our example ( 5 1/4) GAP for format is 40h and DTL ( data length ) is 0FFh .
Then 40h + FFh =13Fh ( 319d) this is size of one sector + its gap.
We have 9 sector then 9 * 319 = 2871.
If we want introduce one sector more ( 10 now) we have 2871 /10.
Now one sector + gap will be 287 = 11F , then
11Fh - FFh = 20h and it is the new size of GAP ( ! AT END !)
moreover we must get the previous gap for read and write ( gap r/w ever is less than gap format, because system must begin read before data of sector) and calculates it the proportional manner at the new GAP format.
3.3) ASM subroutine for own formatting
;formtr - it is a subroutine for formatting track in own format
; this version use method of change long GAP
;if return with error ah not equal 0.
;inputs : bh = number of track
; bl = number of head
; ah = drive number
;public formtr
cseg segment ;para public 'code'
assume cs:cseg,ds:cseg,ss:cseg,es:cseg
formtr proc far
jmp inicio ;skip data area
dbt db ? ;drive base table
podbt dd ? ;pointer original DBT
ndbt db 10 dup (?) ;newbie dbt
ngapf db 20h
ngapr db 16h
track db ?
head db ?
drive db ?
idsec db 40 dup (?) ; table of( 4 bytes * number of sector),identif.
; -------get pointer to DBT (drive base table)__________________
inicio: mov track,bh
mov head,bl
mov drive,ah
mov ah,35h ;get pointer to original DBT, this address is in
mov al,1eh ; [0000:0078] because 1Eh * 4 = 78h
int 21h
mov word ptr [podbt],bx ;save offset of orig dbt
mov word ptr [podbt + 2],es ;save segment of orig dbt
;_______ copy DBT to my data area________________________________
push es
pop ds
push cs
pop es
mov si,bx
lea di,ndbt
cld
mov cx,0bh
rep movsb
;------ change old GAP (format) byte 5 and old GAP (R/W) byte 7 by my own GAP
push cs
pop ds
push cs
pop es
mov ah,ngapf
mov [ndbt + 5 ],ah
mov ah,ngapr
mov [ndbt + 7],ah
;----set the new DBT ( my own)
lea dx,ndbt
mov ah,25h
mov al,1Eh
int 21h
push cs
pop ds
;____fill buffer with new value for ID of new 10 sector .
mov cx,0ah
mov dh,1
sub bx,bx
fill: mov al,track ;set track number
mov [idsec + bx] ,al
add bx,1
mov al,head ;set head number
mov [idsec + bx],al
add bx,1
mov [idsec + bx],dh ;set sector number
add bx,1
mov [idsec + bx],2h ;number of bytes in this sector 1=256, 2=512
add dh,1h ; increase number of sector
add bx,1
sub cx,1h
jnz fill
;-------format track int 13h func. 05 -------
mov ah,05h
mov al,0ah ; format 10 sectores
lea bx,idsec ;offset address of buffer
mov ch,track
mov dh,head
mov dl,drive
push cx
pop es
int 13h
ret
formtr endp
cseg ends
end
-------------------------------------------------------------------------
3.4) Whole explain
(Forbidden for experimental virus programmers writers, they run the risk of sleep, may be they can wake up at point 4)
The objective of this article it's just give an idea, and no more, because this virus into a system show many symptom, and it'll be very suspicious.But I think this method can be successfully used, by other more complex virus. Moreover ,this virus hidden the original program, and it's no problem for nobody. It will be better if it hidden data file, but in this case, the virus will be TSR, and it will drive FAT ( this is quite complex, but it's possible)
It's a no TSR virus, when it come in active then:
- Open files .com /.exe in disk.
- Check if it is already contaminated, if yes, go to open a new file, if no then:
- keep the founded .com/.exe in buffer
- Seek a track for change its format how it do this ?
Virus can perform a random choose, with this it's probably that virus destroys information, but this not will be the first time that some virus do this.
May be virus can choose some of last track, this it is not absolutely sure, but have better chance.
Virus must check if the choose track is not a track's virus, then : hook INT 24 ( for handle error by virus) and try read by DOS read , if return with error, abandon this track and try with another.
When found a available track, must save (in a sequencial mode) the original program, and must keep in itself data area number track, number head and number of sector used by save the original program at this new format track. So just the virus ( and anybody more)can restores the original prog.
This method can be better:
there are other way to format a track and save the original data before reformatting it, then you can save other time, like nothing happen, and keep the original data accessible for dos, but with virus in this track and it no accessible for DOS. This manner virus destroy less information and have more chance to survival.
(If Team Slam continue with their patience for me and my english this will be in the next Slam)
5) Last, virus must save itself through DOS under name of original program.
REGARDS;
S O M N I U N ( El Sue§o )
somniun@hotmail.com