Copy Link
Add to Bookmark
Report

40Hex Issue 05 File 007

eZine's profile picture
Published in 
40Hex
 · 4 months ago

40Hex Number 5 Volume 2 Issue 1                                      File 007 

HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT
PART II


In Issue 1 of 40Hex, Hellraiser presented a simple (though incredibly
tedious) method of searching for scan strings. In short, this was his
method:

1) Make a small carrier file.
2) Infect the carrier with the virus.
3) Fill parts of the virus with a dummy value until you isolate the
scan string.
4) Modify the virus so it is not detectable, i.e. switch the order of
the instructions.

The problem is, of course, that step 3 takes a maddeningly inordinate
amount of time. I shall present a tip which will save you much time.
The trick is, of course, to find out where the encryption mechanism and
hence the unencrypted portion where the scan string is usually located.
Once the encryption mechanism is located, isolating the scan string is
much simpler.

Of course, the problem is finding the encryption mechanism in the first
place. The simplest method of doing this is using V Communication's
Sourcer 486, or any similar dissassembler. Dissassemble the file and
search for the unencrypted portions. Most of the file will be DBs, so
search for any part which isn't. Once you have located those parts, all
you have to do is subtract 100h from the memory location to find its
physical offset in the file. You now have a general idea of where the
scan string is located, so perform step 3 until you find it.

Ack, you say, what if you don't have Sourcer? Well, all is not lost.
Load up the infected carrier in good old DEBUG. The first instruction
(in COM infections) should be a JMP. Trace (T) into the JMP and you
should be thrown into the area around the encryption mechanism. Use the
memory offset (relative to the PSP segment) and subtract 100h to find
the physical location of the unencrypted portion in the file. Once
again, once you have this, perform step 3. Simple, no?

Sometimes, SCAN looks for the writing portion of the code, which
generally calls INT 21h, function 40h. This is usually, though not
always, located somewhere near the encryption mechanism. If it is
not near there, all you have to do is trace through the virus until
it calls the write file function.

Another method of looking for scan codes is to break the infected carrier
file into a series of 50 byte overlapping chunks. For example, the first
chunk would be from offset 0 to 49, the second from 24 to 74, the third
from 49 to 99, etc. Then use SCAN to see which chunk holds the scan code.
This is by far the easiest, not to mention quickest, method.

One side note on step 1, making the carrier file. Some virii don't
infect tiny files. What you must do is create a larger file (duh).
Simply assemble the following two lines:

int 20h
db 98 dup (0)

(with all the garbage segment declarations and shit, of course) and
you'll have a nice 100 byte carrier which should be sufficient in most
cases, with maybe the exception of the Darth Vaders.

Enjoy!
-------------------------------------------------------------------------------
Dark Angel

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT