Directory Stealth

Stealth Viruses are the Viruses that I must admit Anti-Viral Queers don't tend to like at all. Emagine if we added a Polymorphic feature into the Stealth Virus? But, if you want to Continue Writing Viruses you have to make them Stealth. MS-DOS Version 6.0 Now comes with Virus Scanners and CRC & Checksum Checkers. In order to stop many viruses, But it will NEVER stop the `Stealth' Virus that is SMART of those AV features!      
People think that there is ALOT of more INFECTED PCs since the virus threat, started in 1986-7. Even though in the beginning only 10 or so viruses were known, they Infected more systems, Compared to the viruses today, where we have about 1300 and growing. But the truth is LESS PCs are getting infect now, as people are now Virus Aware. With all the utilities out, any joker can stop and clean a virus in seconds. Come on, how many people MEMORIZED COMMAND.COM size? Out of my head its 47845 (MS-Dos V5.0). A simple increase of size tells me I got a problem.
A simple Stealth Feature every virus MUST have is the DOS `Dir' Stealth feature. That will NOT show you the INCREASE of file size, when the virus infects it. I have played with a few routines as such. I have tried reducing the File size in the FAT area, which results in the famous CHKDSK error reports of Loss Sectors, or Cross Links... And fixing them with CHKDSK will result in damaging the file for good.      
What can we do? How about reducing the File size Right AFTER its read by DOS or any Utilities and right BEFORE its display on the screen! Yeah that's an Idea, Here's how to go about it...          

First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h function 11h & 12h is called! If you don't know how to Hook Interrupts Read Functions of INT Article in this Site.

That's all that is needed in your Int21_Handler. Ofcourse if you are infecting file that are being Execute you add it ABOVE! Anyhow lets Explain the "DIR_STEALTH"

CONDITION: After calling Function 11h/12h (Int 21h) it will search with the contents in the FCB. (*.*) which the DS:DX registers point to the FCB. If successful it will DUPLICATE the specified of the FCB in the current DTA (Disk Transfer Area) And basically we will EDIT the info in the DTA!         
NOTE: Just because we are using the DTA doesn't mean this will work for function 4Eh/4Fh (Int 21h) that uses the DTA and ASCIIZ strings to search, that is a different procedure, though somewhat the same as this one. See Method #2 (COMING SOON), for that.                                 
   Step 1. We call the Int 21h so we may have the results to play with    
                BEFORE DOS displays them on screen.                            
   Step 2. Get the Current PSP, As the FCB is located inside the PSP      
                in COM files its CS:0000 - CS:00FF. But in EXEs it can be any- 
                where, Int21h/AH=51 (Undocemented) will do this for us.        
   Step 3. Unmask the seconds (see if its infected) Quit if NOT           
   Step 4. Get the current DTA                                            
   Step 5. Test if it is Either an Extended FCB or Normal! If Extended    
               Simple add 7h to the Address. (As Extended only have 7 bytes   
               extra in the begining)                                         
   Step 6. Minus File size from the DTA! & Restore Time Back              
Here it is... Method #1                                                

Also before we start fiddling around we must know if we are working with and EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended has three fields appended to the normal one... (Above)

The END!!!!! Hehe.....

EXE Infections: Part 2

The first part consisted on how to Infect the EXE file, from a resident virus. However, that is only HALF the code and understanding needed for EXE infectors. The part to follow, is on how to give control back to the original EXE file. This is one part of EXE infectors, that mostly EVERY ONE tend to forget to point out. Big tickle, you know how to infect the EXE, but can you make the original EXE run after its infection? Do you know how to restore the registers we took from the EXE header? Anyhow lets get going...

If the Infected EXE file is now executed, the first Line of Code it will encounter will be the first byte of our Virus. Since CS:IP have been changed in the header (Part I) to point to our Virus. The first thing we will need to do, is set up a Variable offset, (As I call it). Basically
when TASM compiles our virus, all variables and other data locations are given a FIX address. Though in the case of the Virus this is NOT GOOD as viruses, tend to append themselves, and therefore variables are never in the same location...

Fig. 1

When TASM Compiles the above Code it turns it into Fig 2. (Below)

(Virus Just Compiled)

Fig 2

(Virus Infect To a File)
Fig 3

Later when the Virus infects a File, it will represent Fig 3. Now, when the CALL command is executed, it PUSHes into the Stacks the NEXT CS:IP so when it has to RETurn, all it has to do is POP back the CS:IP to know exactly where it left off! So we can take advantage of the command, by POPing back ourselves, thus this will give us the NEXT byte from the CALL command. which as you see, in the examples is our POP BP statement.

However when the Virus is Freshly Compiled, all Registers values are GOOD, so that is why we must make BP=0 the first time, as the variables were set according to the sources, so no adjustment needed, though when we infect a file, this BP Variable Pointer come ALIVE! (View Fig 3. + Fig 2.)

Boy, That was the HARDEST part of that, Now if you found that simple pat yourself on the back, as that is the only `BIG' Conflict people tend to disregard or forget. So any time while you are NOT resident but infected on the file, and you are running code from the infected file just use the
that BP Variable Pointer, for any data being loaded... Now lets put the routine together, along with the routine to EXECUTE the original EXE file

* After the Virus Has moved a copy of itself in memory, Control must be given back to the Original EXE file we just infected... This is the routine to do it..

Simple? Try it yourself. :D

Free Disassembler For You!!

As for the last post, I've already giving you the free assembler for your "project", and now I'll give you free disassembler for you to have an "experiment", note that I said EXPERIMENT(LOL), on assembly language or disassemble a complete project.

Turbo Assembler Free Download For You!

For so long I always give you tips and tutorial for creating a virus but I never give you a tools to create them. I think now is the time to give you my fellow readers a freebies.

Download free Turbo Assembler here. Thank you for being with me. :D

Reblog this post [with Zemanta]

EXE Infections: Part 1 "Infection Process" Cont'

First thing to do is read the EXE header for the file to be infected! That can be resolved by...
Next, after reading the first 28 bytes, you will need to set your file pointers to the end of the file.

After bringing your virus to the end, you may start the infection process
;Remember BX = File Handle DX:AX Pointer Location (EOF)

The following finds new CS:IP and SS:SP registers. It will create a new segment, and CS:IP will point to the beginning of the Virus. If you have other code, and the virus beginning is further down the First byte, just add the number of Bytes to AX.
Now we are Ready to write the virus to the EXE File! (Yeah!)

This code works 100% as is! (Resident Virus) For Non-Residents add a location pointer! Besides, Why the Hell are you write a non-Ressy Virus? You Gay? LOL!!~

Stay RESIDENT in my site OKAY!!!~
Reblog this post [with Zemanta]