Directory Stealth

Stealth Viruses are the Viruses that I must admit Anti-Viral Queers don't tend to like at all. Emagine if we added a Polymorphic feature into the Stealth Virus? But, if you want to Continue Writing Viruses you have to make them Stealth. MS-DOS Version 6.0 Now comes with Virus Scanners and CRC & Checksum Checkers. In order to stop many viruses, But it will NEVER stop the `Stealth' Virus that is SMART of those AV features!      
                                                                          
People think that there is ALOT of more INFECTED PCs since the virus threat, started in 1986-7. Even though in the beginning only 10 or so viruses were known, they Infected more systems, Compared to the viruses today, where we have about 1300 and growing. But the truth is LESS PCs are getting infect now, as people are now Virus Aware. With all the utilities out, any joker can stop and clean a virus in seconds. Come on, how many people MEMORIZED COMMAND.COM size? Out of my head its 47845 (MS-Dos V5.0). A simple increase of size tells me I got a problem.
                                                                          
A simple Stealth Feature every virus MUST have is the DOS `Dir' Stealth feature. That will NOT show you the INCREASE of file size, when the virus infects it. I have played with a few routines as such. I have tried reducing the File size in the FAT area, which results in the famous CHKDSK error reports of Loss Sectors, or Cross Links... And fixing them with CHKDSK will result in damaging the file for good.      
                                                                          
What can we do? How about reducing the File size Right AFTER its read by DOS or any Utilities and right BEFORE its display on the screen! Yeah that's an Idea, Here's how to go about it...          

   %Theory%                                                               
  ~~~~~~~~   
                                                               
First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h function 11h & 12h is called! If you don't know how to Hook Interrupts Read Functions of INT Article in this Site.

 
 
That's all that is needed in your Int21_Handler. Ofcourse if you are infecting file that are being Execute you add it ABOVE! Anyhow lets Explain the "DIR_STEALTH"
 
 


 %Algorithms%                                                             
 ~~~~~~~~~~~~         
                                                    
CONDITION: After calling Function 11h/12h (Int 21h) it will search with the contents in the FCB. (*.*) which the DS:DX registers point to the FCB. If successful it will DUPLICATE the specified of the FCB in the current DTA (Disk Transfer Area) And basically we will EDIT the info in the DTA!         
            
NOTE: Just because we are using the DTA doesn't mean this will work for function 4Eh/4Fh (Int 21h) that uses the DTA and ASCIIZ strings to search, that is a different procedure, though somewhat the same as this one. See Method #2 (COMING SOON), for that.                                 
                                                                          
   Step 1. We call the Int 21h so we may have the results to play with    
                BEFORE DOS displays them on screen.                            
   Step 2. Get the Current PSP, As the FCB is located inside the PSP      
                in COM files its CS:0000 - CS:00FF. But in EXEs it can be any- 
                where, Int21h/AH=51 (Undocemented) will do this for us.        
   Step 3. Unmask the seconds (see if its infected) Quit if NOT           
   Step 4. Get the current DTA                                            
   Step 5. Test if it is Either an Extended FCB or Normal! If Extended    
               Simple add 7h to the Address. (As Extended only have 7 bytes   
               extra in the begining)                                         
   Step 6. Minus File size from the DTA! & Restore Time Back              
                                                                          
Here it is... Method #1                                                


Also before we start fiddling around we must know if we are working with and EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended has three fields appended to the normal one... (Above)


The END!!!!! Hehe.....

Comments

Popular posts from this blog

Free Disassembler For You!!

Installment II: The Replicator