Stealth Viruses

Stealth viruses are the viruses that, I must admit, the anti-virus crowd doesn't tend to like at all. Imagine if we added a polymorphic feature to a stealth virus! But if you want to continue writing viruses, you have to make them stealth. MS-DOS version 6.0 now comes with a virus scanner and CRC & checksum checkers in order to stop many viruses, but it will NEVER stop the `Stealth' virus that is SMART about those AV features!

People think that there are A LOT more INFECTED PCs since the virus threat started in 1986-7. Even though in the beginning only 10 or so viruses were known, they infected more systems compared to the viruses of today, of which we have about 1300 and growing. But the truth is that FEWER PCs are getting infected now, as people are now virus-aware. With all the utilities out, any joker can stop and clean a virus in seconds. Come on, how many people have MEMORIZED the size of COMMAND.COM? Off the top of my head it's 47845 (MS-DOS V5.0). A simple increase in size tells me I've got a problem.

A simple stealth feature every virus MUST have is the DOS `DIR' stealth feature, which will NOT show you the INCREASE in file size when the virus infects a file. I have played with a few routines of this kind. I have tried reducing the file size in the FAT area, which results in the famous CHKDSK error reports of lost sectors or cross-linked files... and fixing them with CHKDSK will damage the file for good.

What can we do? How about reducing the file size right AFTER it is read by DOS or any utility and right BEFORE it is displayed on the screen! Yeah, that's an idea. Here's how to go about it...

First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h functions 11h & 12h are called!
Here we go....


CONDITION: After calling function 11h/12h (Int 21h), DOS searches using the contents of the FCB (*.*) that DS:DX points to. If successful, it DUPLICATES the matched entry, in FCB form, in the current DTA (Disk Transfer Area), and basically we will EDIT the info in the DTA!
NOTE: Just because we are using the DTA doesn't mean this will work for functions 4Eh/4Fh (Int 21h), which use the DTA and ASCIIZ strings to search; that is a different procedure, though somewhat the same as this one. See Method #2 for that.

Step 1. Call Int 21h so that we have the results to play with BEFORE DOS displays them on screen.
Step 2. Get the current PSP, as the FCB is located inside the PSP. In COM files it is at CS:0000 - CS:00FF, but in EXEs it can be anywhere; Int 21h/AH=51h (undocumented) will do this for us.
Step 3. Unmask the seconds (see if it's infected). Quit if NOT.
Step 4. Get the current DTA.
Step 5. Test whether it is an extended FCB or a normal one. If extended, simply add 7h to the address (as an extended FCB only has 7 extra bytes at the beginning).
Step 6. Subtract the file size in the DTA & restore the time back.

That's it! I think you won't get it without an example of this routine. :-)
Just email me and I will send you the full code of this routine. For EDUCATIONAL purposes only.
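As an added example from the scanner's side (this is not code from the article or its author), here is a Python decoder for the DTA record that functions 11h/12h fill in. It walks the same normal/extended FCB layout that Step 5 describes and flags a directory entry whose packed time carries an impossible seconds value, the kind of marker Step 3 "unmasks". The sample records are constructed, and the marker value 62 is an assumption, not something the article states.

```python
import struct

# Layout of the 32-byte DOS directory entry that Int 21h fn 11h/12h copies
# into the DTA, after a drive byte (normal FCB) or after a 7-byte extended
# prefix plus the drive byte (extended FCB). Fields, little-endian:
# name(11) attr(1) reserved(10) time(2) date(2) first-cluster(2) size(4).
DIR_ENTRY_FMT = "<11sB10sHHHI"
EXTENDED_FCB_MARK = 0xFF  # first byte of an extended FCB / extended DTA record


def unpack_dos_time(packed: int) -> tuple:
    """Decode a packed DOS time word into (hour, minute, second).
    Bits 15-11 = hour, 10-5 = minute, 4-0 = seconds/2, so the seconds field
    can encode 0..62 even though a real clock never writes 60 or 62."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2


def inspect_dta_record(dta: bytes) -> dict:
    """Parse the DTA as filled by fn 11h/12h and flag an invalid timestamp.
    Seconds >= 60 cannot come from a normal write, so such an entry deserves
    a closer look (e.g. re-checking the real size and checksum another way)."""
    offset = 8 if dta[0] == EXTENDED_FCB_MARK else 1  # skip prefix + drive byte
    name, _attr, _res, time, _date, _cluster, size = struct.unpack_from(
        DIR_ENTRY_FMT, dta, offset)
    hour, minute, second = unpack_dos_time(time)
    base = name[:8].decode("ascii").rstrip()
    ext = name[8:].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}",
        "size": size,
        "time": (hour, minute, second),
        "suspicious": second >= 60 or hour > 23 or minute > 59,
    }


def build_dta_record(name: str, ext: str, size: int, hour: int, minute: int,
                     second: int, extended: bool = False) -> bytes:
    """Construct a sample DTA record (test data only, not read from a real disk)."""
    packed_time = (hour << 11) | (minute << 5) | (second // 2)
    raw_name = f"{name:<8}{ext:<3}".encode("ascii")
    entry = struct.pack(DIR_ENTRY_FMT, raw_name, 0x20, bytes(10), packed_time,
                        0x1A21, 2, size)  # attr 0x20 = archive; date/cluster arbitrary
    prefix = bytes([EXTENDED_FCB_MARK]) + bytes(5) + b"\x20" if extended else b""
    return prefix + b"\x03" + entry  # 0x03 = drive C:


# Constructed samples: a clean entry, and one whose seconds field reads 62,
# an impossible value assumed here to be the infection marker.
CLEAN = build_dta_record("COMMAND", "COM", 47845, 6, 0, 0)
MARKED = build_dta_record("COMMAND", "COM", 47845, 6, 0, 62, extended=True)
```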
