VX Heaven

System file tables and their usage

Dark Angel
40hex [11]
June 1993

A powerful though seldom-used technique in virus writing is the use of the system file table, an internal DOS structure similar in some respects to FCBs, albeit vastly more powerful. The system file table holds the critical information on the state of an open file, including the current pointer location, the open mode, and the file size. Manipulation of the system file tables can often replace calls to corresponding DOS interrupt routines and therefore, when combined with other techniques, reduces the effectiveness of a TSR virus monitor and decreases code size.

Each open file has a corresponding system file table entry. The following tables come from Ralf Brown's interrupt listing.

Format of DOS 2.x system file tables:

Offset  Size      Description
00h     DWORD     pointer to next file table
04h     WORD      number of files in this table
06h     28h bytes per file:

Offset  Size      Description
00h     BYTE      number of file handles referring to this file
01h     BYTE      file open mode (see AH=3Dh)
02h     BYTE      file attribute
03h     BYTE      drive (0 = character device, 1 = A, 2 = B, etc)
04h     11 BYTEs  filename in FCB format (no path, no period, blank-padded)
0Fh     WORD      ???
11h     WORD      ???
13h     DWORD     file size???
17h     WORD      file date in packed format (see AX=5700h)
19h     WORD      file time in packed format (see AX=5700h)
1Bh     BYTE      device attribute (see AX=4400h)
---character device
1Ch     DWORD     pointer to device driver
---block device
1Ch     WORD      starting cluster of file
1Eh     WORD      relative cluster in file of last cluster accessed
20h     WORD      absolute cluster number of current cluster
22h     WORD      ???
24h     DWORD     current file position???

Format of DOS 3.x system file tables and FCB tables:

Offset  Size      Description
00h     DWORD     pointer to next file table
04h     WORD      number of files in this table
06h     35h bytes per file:

Offset  Size      Description
00h     WORD      number of file handles referring to this file
02h     WORD      file open mode (see AH=3Dh); bit 15 set if this file opened via FCB
04h     BYTE      file attribute
05h     WORD      device info word (see AX=4400h)
07h     DWORD     pointer to device driver header if character device, else pointer to DOS Drive Parameter Block (see AH=32h)
0Bh     WORD      starting cluster of file
0Dh     WORD      file time in packed format (see AX=5700h)
0Fh     WORD      file date in packed format (see AX=5700h)
11h     DWORD     file size
15h     DWORD     current offset in file
19h     WORD      relative cluster within file of last cluster accessed
1Bh     WORD      absolute cluster number of last cluster accessed; 0000h if file never read or written???
1Dh     WORD      number of sector containing directory entry
1Fh     BYTE      number of dir entry within sector (byte offset/32)
20h     11 BYTEs  filename in FCB format (no path/period, blank-padded)
2Bh     DWORD     (SHARE.EXE) pointer to previous SFT sharing same file
2Fh     WORD      (SHARE.EXE) network machine number which opened file
31h     WORD      PSP segment of file's owner (see AH=26h)
33h     WORD      offset within SHARE.EXE code segment of sharing record; 0000h = none

Format of DOS 4+ system file tables and FCB tables:

Offset  Size      Description
00h     DWORD     pointer to next file table
04h     WORD      number of files in this table
06h     3Bh bytes per file:

Offset  Size      Description
00h     WORD      number of file handles referring to this file
02h     WORD      file open mode (see AH=3Dh); bit 15 set if this file opened via FCB
04h     BYTE      file attribute
05h     WORD      device info word (see AX=4400h); bit 15 set if remote file; bit 14 set means do not set file date/time on closing
07h     DWORD     pointer to device driver header if character device, else pointer to DOS Drive Parameter Block (see AH=32h) or REDIR data
0Bh     WORD      starting cluster of file
0Dh     WORD      file time in packed format (see AX=5700h)
0Fh     WORD      file date in packed format (see AX=5700h)
11h     DWORD     file size
15h     DWORD     current offset in file
---local file
19h     WORD      relative cluster within file of last cluster accessed
1Bh     DWORD     number of sector containing directory entry
1Fh     BYTE      number of dir entry within sector (byte offset/32)
---network redirector
19h     DWORD     pointer to REDIRIFS record
1Dh     3 BYTEs   ???
20h     11 BYTEs  filename in FCB format (no path/period, blank-padded)
2Bh     DWORD     (SHARE.EXE) pointer to previous SFT sharing same file
2Fh     WORD      (SHARE.EXE) network machine number which opened file
31h     WORD      PSP segment of file's owner (see AH=26h)
33h     WORD      offset within SHARE.EXE code segment of sharing record; 0000h = none
35h     WORD      (local) absolute cluster number of last cluster accessed; (redirector) ???
37h     DWORD     pointer to IFS driver for file, 00000000h if native DOS

In order to exploit this nifty structure in DOS, the virus must first find the location of the appropriate system file table. This may be easily accomplished with a few undocumented DOS calls. Given the file handle in bx, the following code will return the address of the corresponding system file table:

	mov ax,1220h		; INT 2Fh AX=1220h: get job file table (JFT) entry
	int 2fh			; for handle BX into ES:DI (DOS 3+ only)

	mov bl,es:[di]		; the JFT entry byte is the SFT number for the handle
				; (FFh = handle not open); BH must already be 0,
				; i.e. the handle value must fit in one byte
	mov ax,1216h		; INT 2Fh AX=1216h: get address of system file table
	int 2fh			; entry number BX
				; ES:DI now points to the system file table entry

Now that the system file table entry address is known, it is a trivial matter to alter the various bytes of the entry to fit your particular needs. Most viruses must first clear a file's attributes in order to open the file in read/write mode, since DOS will not otherwise let them write to a read-only file. This handicap is easily overcome by opening the file in read-only mode (al = 0) and changing the byte (DOS 2.x) or word (DOS 3+) holding the file's open mode to 2. This has the added benefit of bypassing some resident alarms, which generally do not go off if a file is opened in read-only mode. It is also possible to set a file's pointer by altering the double word at offset 15h (in DOS 3+). So a quick and easy way to reset the file pointer to the start of the file is:

	mov word ptr es:[di+15h],0	; low word of the current file offset (DOS 3+)
	mov word ptr es:[di+17h],0	; high word

It is acceptable to ignore the DOS 2.X system file table format. DOS 2.X is not in common use today and many programs simply refuse to run under such primitive versions. Most of the useful offsets are constant in DOS 3.X+, which simplifies the code tremendously.
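To make the DOS 3.x layout above concrete, here is an added decoder, written for this edition and not part of the original 40hex article, that unpacks one SFT block from a raw memory buffer using exactly the offsets in the DOS 3.x table. It also applies the defender's counterpart of the open-mode trick described above: because DOS itself will not open a read-only file for writing, an in-use entry whose attribute byte has the read-only bit set while its open-mode word grants write access can only have been patched after the open, so a monitor walking the SFT chain can flag it. The sample block is constructed inside the script; the `build_entry` helper, the `access_mismatch` heuristic and the sample values (file names, PSP segment, cluster and sector numbers) are this example's own assumptions, not anything the article states.

```python
# Added example: decode DOS 3.x system file table (SFT) blocks from raw memory.
# Layout follows the DOS 3.x table in the article; the sample block, build_entry()
# and the access_mismatch() heuristic are this example's own constructions.
import struct
from dataclasses import dataclass
from typing import List, Tuple

# One DOS 3.x SFT entry: 35h (53) bytes, little-endian, packed with no padding.
SFT3_ENTRY_FMT = "<HHBHIHHHIIHHHB11sIHHH"
SFT3_ENTRY_SIZE = struct.calcsize(SFT3_ENTRY_FMT)          # 0x35
SFT_HEADER_FMT = "<IH"       # 00h far pointer to next table, 04h entry count
SFT_HEADER_SIZE = struct.calcsize(SFT_HEADER_FMT)          # 6

ATTR_READ_ONLY = 0x01        # directory-entry attribute bit 0
ACCESS_MASK = 0x07           # open mode bits 0-2: 0 = read, 1 = write, 2 = read/write

@dataclass
class SftEntry:
    handle_count: int        # 00h  handles referring to this file (0 = free slot)
    open_mode: int           # 02h  bit 15 set if opened via FCB
    attribute: int           # 04h
    device_info: int         # 05h
    driver_or_dpb: int       # 07h  far pointer to device driver header or DPB
    start_cluster: int       # 0Bh
    time_packed: int         # 0Dh
    date_packed: int         # 0Fh
    file_size: int           # 11h
    file_pos: int            # 15h  current offset in file
    rel_cluster: int         # 19h
    abs_cluster: int         # 1Bh
    dir_sector: int          # 1Dh
    dir_index: int           # 1Fh
    fcb_name: bytes          # 20h  11 bytes, blank-padded, no period
    share_prev: int          # 2Bh
    machine_number: int      # 2Fh
    psp_segment: int         # 31h
    share_record: int        # 33h

    @property
    def name(self) -> str:
        """'COMMAND COM' in FCB form -> 'COMMAND.COM'."""
        base = self.fcb_name[:8].decode("ascii", "replace").rstrip()
        ext = self.fcb_name[8:].decode("ascii", "replace").rstrip()
        return f"{base}.{ext}" if ext else base

def unpack_dos_date(w: int) -> Tuple[int, int, int]:
    """Packed DOS date (INT 21h AX=5700h format): 7 bits year-1980, 4 month, 5 day."""
    return 1980 + (w >> 9), (w >> 5) & 0x0F, w & 0x1F

def unpack_dos_time(w: int) -> Tuple[int, int, int]:
    """Packed DOS time: 5 bits hour, 6 minute, 5 seconds/2."""
    return w >> 11, (w >> 5) & 0x3F, (w & 0x1F) * 2

def parse_sft_entry(buf: bytes, offset: int = 0) -> SftEntry:
    return SftEntry(*struct.unpack_from(SFT3_ENTRY_FMT, buf, offset))

def parse_sft_table(buf: bytes) -> Tuple[int, List[SftEntry]]:
    """Decode one SFT block: returns (far pointer to next block, its entries)."""
    next_ptr, count = struct.unpack_from(SFT_HEADER_FMT, buf, 0)
    entries = [parse_sft_entry(buf, SFT_HEADER_SIZE + i * SFT3_ENTRY_SIZE)
               for i in range(count)]
    return next_ptr, entries

def access_mismatch(e: SftEntry) -> bool:
    """Heuristic (this example's own): DOS refuses to open a read-only file for
    writing, so an in-use entry with the read-only attribute and a write-capable
    open mode can only have been patched after the open."""
    return e.handle_count > 0 and bool(e.attribute & ATTR_READ_ONLY) \
        and (e.open_mode & ACCESS_MASK) != 0

def build_entry(name: str, mode: int, attr: int, size: int, pos: int,
                handles: int = 1) -> bytes:
    """Pack a constructed entry the way DOS lays it out (sample data only)."""
    base, _, ext = name.partition(".")
    fcb = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    date = ((1993 - 1980) << 9) | (6 << 5) | 1          # 1993-06-01
    time = (12 << 11) | (30 << 5) | (20 // 2)           # 12:30:20
    return struct.pack(SFT3_ENTRY_FMT, handles, mode, attr, 0x0002, 0x00801234,
                       0x0010, time, date, size, pos, 0, 0, 0x0045, 3, fcb,
                       0, 0, 0x1234, 0)

# Constructed sample block: header plus two entries. The second one carries the
# read-only attribute yet a read/write open mode (2), the trace the trick leaves.
SAMPLE_BLOCK = (struct.pack(SFT_HEADER_FMT, 0xFFFFFFFF, 2)
                + build_entry("COMMAND.COM", 0x0000, 0x21, 47845, 0)
                + build_entry("VICTIM.COM", 0x0002, 0x01, 1234, 0))

def suspicious_names(block: bytes = SAMPLE_BLOCK) -> List[str]:
    """Names of entries in one block whose attribute and open mode disagree."""
    _, entries = parse_sft_table(block)
    return [e.name for e in entries if access_mismatch(e)]

if __name__ == "__main__":
    for e in parse_sft_table(SAMPLE_BLOCK)[1]:
        y, m, d = unpack_dos_date(e.date_packed)
        print(f"{e.name:12} mode={e.open_mode:04X} attr={e.attribute:02X} size={e.file_size} "
              f"pos={e.file_pos} {y}-{m:02}-{d:02} {'SUSPICIOUS' if access_mismatch(e) else 'ok'}")
```

Run it directly to print the decoded sample entries. In practice the buffer would come from a DOS memory dump or an emulator, starting at the block that INT 2Fh AX=1216h resolves, and a monitor would follow the next-table far pointer at offset 00h from block to block until the chain ends, checking every in-use entry with `access_mismatch`.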

This is only a surface treatment of a topic which warrants further investigation. Numerous opportunities exist for the enterprising virus author to exploit the power of the system file tables. But the only way to find these opportunities is to experiment. Have fun!
