Hello to all! :) This is my first message on this board. I'm quite a newbie, so I hope it is not a problem for you :)
I'm working on my thesis at university related to virus programming and anti-virus signature concepts. Part of my job must be spent coding a couple of "old school" infectors and related signatures for antivirus. Well, I almost did it... but I have a problem. My code is not intended to harm or offend or do lamerish things but, hell, I need it for graduation ;) I hope it doesn't break this community's rules...
But let's go to the problem.
Let's say I have my appender virus. Since I cannot know the position of its starting point (it depends on the victim file), I calculate a "relocation index", which I store in the 'di' register and preserve for the execution of the virus itself. Something like:
call .foo
.foo:
pop di
sub di, .foo ; di = offset from start of segment
Finally I call the host program.
But I need to install a hook on int21h for some special purposes. I was easily able to save the old seg:off pair of int21 (with int21h, service 25h of DOS) and to replace it with a pair cs:di+MYINT21 with service 35h of int21h,
and it works like a charm, but now I have at least two problems. This is the simplest version of my hook:
MYINT21:
cmp ah, 0x4C ; exit to DOS?
je RESTOREINT
push ds
push si
pushf
mov ds, word ; di=????????
mov si, word
call far
pop si
pop ds
iret
Well, the point is that while I can be sure that the di register is not used by my virus, I cannot guarantee the same when the host is running (MYINT21 must be active during the host's execution). More or less, the same problem with ds and si: I can push and pop them, but what if the original int21 service uses them as parameters?
I cannot far call with absolute addresses because of the "trouble" of virus relocation.
Finding some absolute addresses to store/load a few words is not a problem (there are some unused words in the PSP, before location 0x100: I could store the 'di' register there and retrieve it only when needed), but how about the "far call with registers" problem? Maybe I could "hardcode" on the stack a far call opcode with an absolute address and jump to it?
I'm really in trouble OO
gabrio
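A detection-side example of the kind of signature the thesis mentions, added here and not part of gabrio's post or of any AV product: it scans a raw byte image for the call/pop/sub delta-offset idiom shown above and for a DOS set-interrupt-vector call on int 21h, using constructed sample bytes (the register names, sample images and verdict rule are this example's own assumptions).

```python
import re

# Constructed sample images (not real programs). The first embeds the
# delta-offset idiom from the post, encoded for a .COM file assembled at
# ORG 100h where the label after the call sits at 0x0103:
#   E8 00 00      call $+3        ; push return address = runtime address of label
#   5F            pop di          ; di = that runtime address
#   81 EF 03 01   sub di, 0x0103  ; minus assemble-time address = relocation delta
# It is followed by a hook install: B8 21 25 (mov ax, 2521h) CD 21 (int 21h),
# i.e. DOS "set interrupt vector" (AH=25h) for int 21h.
SAMPLE_SUSPECT = bytes.fromhex("9090E800005F81EF0301B82125CD21C3")
# A harmless image: print string (AH=09h) then exit (AH=4Ch).
SAMPLE_CLEAN = bytes.fromhex("B409BA0001CD21B44CCD21")

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]

# call rel16 with displacement 0, then pop r16 (58+reg), then
# sub r16, imm16 (81 /5, modrm E8+reg) or sub r16, imm8 (83 /5).
DELTA_IDIOM = re.compile(rb"\xE8\x00\x00([\x58-\x5F])[\x81\x83]([\xE8-\xEF])", re.DOTALL)
# mov ax, 2521h ; int 21h  -> hooking int 21h via the DOS set-vector service.
SET_INT21_VECTOR = re.compile(rb"\xB8\x21\x25\xCD\x21", re.DOTALL)


def find_delta_offset(image: bytes) -> list[tuple[int, str]]:
    """Offsets and registers where a call/pop/sub delta-offset sequence
    appears, requiring that pop and sub use the same 16-bit register."""
    hits = []
    for m in DELTA_IDIOM.finditer(image):
        pop_reg = m.group(1)[0] - 0x58
        sub_reg = m.group(2)[0] - 0xE8
        if pop_reg == sub_reg:
            hits.append((m.start(), REG16[pop_reg]))
    return hits


def scan(image: bytes) -> dict:
    """Simple heuristic verdict combining both indicators."""
    delta = find_delta_offset(image)
    hooks = [m.start() for m in SET_INT21_VECTOR.finditer(image)]
    return {
        "delta_offset": delta,
        "int21_set_vector": hooks,
        "suspicious": bool(delta) and bool(hooks),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_SUSPECT))  # delta at offset 2 (di), hook at offset 10
    print(scan(SAMPLE_CLEAN))    # nothing found
```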
Viral stuff, regardless of how nice/useful it is, is against the rules, I think.
Sorry, I will not try to break the guidelines anymore,
but it was for a good reason :)
Topic locked, pending deletion.