Hello to all! :) This is my first message on this board. I'm quite a newbie, so... I hope it is not a problem for you :)

I'm working on my thesis at university, related to virus programming and anti-virus signature concepts. Part of my job must be spent coding a couple of "old school" infectors and related signatures for antivirus. Well, I almost did it... but I have a problem. My code is not intended to harm or offend or do lamerish things but, hell, I need it for graduation ;) I hope it doesn't break this community's rules...

But let's go to the problem.

Let's say I have my appender virus. Since I cannot know the position of its starting point (it depends on the victim file), I calculate a "relocation index" that I store in the 'di' register, which I preserve for the execution of the virus itself. Something like:

call .foo
pop di
sub di, .foo ; di = offset from start of segment

Finally, I call the host program.

But I need to install a hook on int21h for some special purposes. I was easily able to save the old seg:off pair of int21 (with int21h, service 25h of DOS) and to replace it with a pair cs:di+MYINT21 with service 35h of int21h

and it works like a charm, but now I have at least two problems. This is the simplest version of my hook:

cmp ah, 0x4C ; exit to DOS?
push ds
push si
mov ds, word ; di=????????
mov si, word
call far
pop si
pop ds

Well, the point is that while I can be sure that the di register is not used by my virus, I cannot guarantee the same when the host is running (MYINT21 must be active during the host's execution). More or less the same problem applies to ds and si: I can push and pop them, but what if the original int21 service uses them as parameters?

I cannot far call with absolute addresses because of the "trouble" of virus relocation.

Finding some absolute addresses to store a few words in is not a problem (there are some unused words in the PSP, before location 0x100: I could store the 'di' register there and retrieve it only when needed), but what about the "far call with registers" problem? Maybe I could "hardcode" a far call opcode with an absolute address on the stack and jump to it?

I'm really in trouble OO

Posted on 2008-03-13 12:48:31 by TheClue
Viral stuff, regardless of how nice / useful it is, is against the rules, I think.
Posted on 2008-03-13 14:34:55 by evlncrn8
Sorry, I will not try to break guidelines anymore.

But it was for a good reason :)
Posted on 2008-03-13 19:22:57 by TheClue
Topic locked, pending deletion.
Posted on 2008-03-16 09:27:40 by SpooK