home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Underworld 2: Forbidden Knowledge
/
Hackers Underworld 2: Forbidden Knowledge.iso
/
VIRUS
/
PS_VIR1.TXT
< prev
next >
Wrap
Text File
|
1994-07-17
|
20KB
|
448 lines
//==// // // /|| // //==== //==// //| //
// // // // //|| // // // // //|| //
//==// //==// //=|| // // // // // || //
// // // // || // // // // // ||//
// // // // || //==== //==== //==// // ||/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DISCLAIMER: The author hereby disclaims himself
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DEDICATION: This was written to make the lives
of scum such as Patty Hoffman, John McAffee,
and Ross Greenberg a living hell.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
OTHER STUFF: Thanks go to The Shade of Sorrow,
Demogorgon, and Orion Rouge on their comments
(which I occasionally listened to!). Thanks
also to Hellraiser, who gave me an example of
some virus source code (his own, of course).
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Dark Angel's Phunky Virus Writing Guide
---- ------- ------ ----- ------- -----
Virii are wondrous creations written for the sole purpose of spreading and
destroying the systems of unsuspecting fools. This eliminates the systems
of simpletons who can't tell that there is a problem when a 100 byte file
suddenly blossoms into a 1,000 byte file. Duh. These low-lifes do not
deserve to exist, so it is our sacred duty to wipe their hard drives off
the face of the Earth. It is a simple matter of speeding along survival of
the fittest.
Why did I create this guide? After writing several virii, I have noticed
that virus writers generally learn how to write virii either on their own
or by examining the disassembled code of other virii. There is an
incredible lack of information on the subject. Even books published by
morons such as Burger are, at best, sketchy on how to create a virus. This
guide will show you what it takes to write a virus and also will give you a
plethora of source code to include in your own virii.
Virus writing is not as hard as you might first imagine. To write an
effective virus, however, you *must* know assembly language. Short,
compact code are hallmarks of assembly language and these are desirable
characteristics of virii. However, it is *not* necessary to write in pure
assembly. C may also be used, as it allows almost total control of the
system while generating relatively compact code (if you stay away from the
library functions). However, you still must access the interrupts, so
assembly knowledge is still required. However, it is still best to stick
with pure assembly, since most operations are more easily coded in
assembly. If you do not know assembly, I would recommend picking up a copy
of The Microsoft Macro Assembler Bible (Nabajyoti Barkakati, ISBN #: 0-672-
22659-6). It is an easy-to-follow book covering assembly in great detail.
Also get yourself a copy of Undocumented DOS (Schulman, et al, ISBN #0-201-
57064-5), as it is very helpful.
The question of which compiler to use arises often. I suggest using
Borland Turbo Assembler and/or Borland C++. I do not have a copy of
Zortech C (it was too large to download), but I would suspect that it is
also a good choice. Stay away from Microsoft compilers, as they are not as
flexible nor as efficient as those of other vendors.
A few more items round out the list of tools helpful in constructing virii.
The latest version of Norton Utilities is one of the most powerful programs
available, and is immeasurably helpful. MAKE SURE YOU HAVE A COPY! You
can find it on any decent board. It can be used during every step of the
process, from the writing to the testing. A good debugger helps. Memory
management utilities such as MAPMEM, PMAP, and MARK/RELEASE, are
invaluable, especially when coding TSR virii. Sourcer, the commenting
disassembler, is useful when you wish to examine the code of other virii
(this is a good place to get ideas/techniques for your virus).
Now that you have your tools, you are ready to create a work of art
designed to smash the systems of cretins. There are three types of virii:
1) Tiny virii (under 500 bytes) which are designed to be undetectable
due to their small size. TINY is one such virus. They are
generally very simple because their code length is so limited.
2) Large virii (over 1,500 bytes) which are designed to be
undetectable because they cover their tracks very well (all that
code DOES have a use!). The best example of this is the Whale
virus, which is perhaps the best 'Stealth' virus in existence.
3) Other virii which are not designed to be hidden at all (the writers
don't give a shit). The common virus is like this. All
overwriting virii are in this category.
You must decide which kind of virus you wish to write. I will mostly be
discussing the second type (Stealth virii). However, many of the
techniques discribed may be easily applied to the first type (tiny virii).
However, tiny virii generally do not have many of the "features" of larger
virii, such as directory traversal. The third type is more of a
replicating trojan-type, and will warrant a brief (very, very brief!)
discussion later.
A virus may be divided into three parts: the replicator, the concealer, and
the bomb. The replicator part controls the spread of the virus to other
files, the concealer keeps the virus from being detected, and the bomb only
executes when the activation conditions of the virus (more on that later)
are satisfied.
-=-=-=-=-=-=-=-
THE REPLICATOR
-=-=-=-=-=-=-=-
The job of the replicator is to spread the virus throughout the system of
the clod who has caught the virus. How does it do this without destroying
the file it infects? The easiest type of replicator infects COM files. It
first saves the first few bytes of the infected file. It then copies a
small portion of its code to the beginning of the file, and the rest to the
end.
+----------------+ +------------+
| P1 | P2 | | V1 | V2 |
+----------------+ +------------+
The uninfected file The virus code
In the diagram, P1 is part 1 of the file, P2 is part 2 of the file, and V1
and V2 are parts 1 and 2 of the virus. Note that the size of P1 should be
the same as the size of V1, but the size of P2 doesn't necessarily have to
be the same size as V2. The virus first saves P1 and copies it to the
either 1) the end of the file or 2) inside the code of the virus. Let's
assume it copies the code to the end of the file. The file now looks like:
+---------------------+
| P1 | P2 | P1 |
+---------------------+
Then, the virus copies the first part of itself to the beginning of the
file.
+---------------------+
| V1 | P2 | P1 |
+---------------------+
Finally, the virus copies the second part of itself to the end of the file.
The final, infected file looks like this:
+-----------------------------+
| V1 | P2 | P1 | V2 |
+-----------------------------+
The question is: What the fuck do V1 and V2 do? V1 transfers control of
the program to V2. The code to do this is simple.
JMP FAR PTR Duh ; Takes four bytes
Duh DW V2_Start ; Takes two bytes
Duh is a far pointer (Segment:Offset) pointing to the first instruction of
V2. Note that the value of Duh must be changed to reflect the length of
the file that is infected. For example, if the original size of the
program is 79 bytes, Duh must be changed so that the instruction at
CS:[155h] is executed. The value of Duh is obtained by adding the length
of V1, the original size of the infected file, and 256 (to account for the
PSP). In this case, V1 = 6 and P1 + P2 = 79, so 6 + 79 + 256 = 341 decimal
(155 hex).
An alternate, albeit more difficult to understand, method follows