flat assembler
Message board for the users of flat assembler.
DOS > help me with Timid virus's code
vid 23 Nov 2005, 22:41
Theory: The part of the code after VIRUS_START will be copied to different places in files, and it will be run at different offsets than the ones stored in the labels, so the virus needs to know at what offset it is located. For example, let's say that in the original (host) file GET_START is located at offset 120h. But when it is added to another program (usually at the end), it can be at another offset, so you can't use "mov [GET_START],something", because it would access 120h instead of the real address where this copy of the virus is. "call" and "jmp" are the exception: they use relative addresses, like "jump 5 bytes forward" (jmp $+5) etc., so "call GET_START" works correctly at any place in memory, because it is "call $+3" (3 is the size of this instruction, so this is a call to the next instruction). The first part of the code is used to determine the offset where the "VIRUS" label is really located.

Implementation: (this one is a little tricky, but nice, good old DOS times) VIR_START is defined at offset 0FF2Ah + the size of the data between "ORG 0FF2AH" and "VIR_START DW (?)". This in fact means it is at the top of the stack (something just below 0FFFF). So the first access to the stack will write to this variable (DS=CS=SS in a COM file). The first access is "call GET_START" (i.e. a call to the following instruction), which in fact only pushes the address of the next instruction, i.e. the address of GET_START. So now you have in VIR_START the address at which GET_START is located now. But the virus starts at the place behind "VIRUS:", so you subtract the difference between GET_START and VIRUS from VIR_START, and you have the address of VIRUS in VIR_START.
Torrey 25 Nov 2005, 10:54
I whipped this up in under 20 minutes while at work; it's horrid-looking, but it detects the Timid virus by looking for the VI signature.
Code:
format PE GUI 4.0
entry BeginCode

include '%fasminc%\win32a.inc'

section '.code' executable readable writeable

BeginCode:
        invoke  FindFirstFileA,filemask,wfd
        cmp     eax,INVALID_HANDLE_VALUE        ; no *.com in the current directory
        je      AllDone
        mov     [search_handle],eax
  @@:
        invoke  CreateFileA,wfd.cFileName,(GENERIC_READ+GENERIC_WRITE),0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        cmp     eax,INVALID_HANDLE_VALUE        ; open failed (in use, access denied): skip it
        je      FindNext
        mov     [file_handle],eax
        invoke  CreateFileMapping,eax,0,PAGE_READWRITE,0,0,0
        mov     [map_object],eax
        test    eax,eax                         ; fails for zero-length files
        jz      CloseFile
        invoke  MapViewOfFile,[map_object],FILE_MAP_ALL_ACCESS,0,0,0
        mov     [map_address],eax
        test    eax,eax
        jz      CloseMap
        mov     esi,eax
        add     esi,0x3                         ; the 'VI' marker sits right after the initial 3-byte JMP
        cmp     word [esi],'VI'
        jne     Unmap
        invoke  wsprintf,timidout,timidin,wfd.cFileName
        add     esp,0x0c                        ; wsprintf is cdecl: the caller removes its 3 arguments
        invoke  MessageBox,0,timidout,timidtitle,0
  Unmap:
        invoke  UnmapViewOfFile,[map_address]   ; release the view on both the hit and the miss path
  CloseMap:
        invoke  CloseHandle,[map_object]
  CloseFile:
        invoke  CloseHandle,[file_handle]
  FindNext:
        invoke  FindNextFileA,[search_handle],wfd
        test    eax,eax
        jnz     @B
        invoke  FindClose,[search_handle]
  AllDone:
        invoke  ExitProcess,0

section '.data' data readable writeable

  timidtitle    db 'Timid Virus Detection',0
  timidin       db 'Virus found in file: %s',0
  timidout      rb 512
  wfd           FINDDATA
  filemask      db '*.com',0
  search_handle dd ?
  file_handle   dd ?
  map_object    dd ?
  map_address   dd ?

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user,'USER32.DLL'

  import kernel32,\
         FindFirstFileA,'FindFirstFileA',\
         FindNextFileA,'FindNextFileA',\
         FindClose,'FindClose',\
         CreateFileA,'CreateFileA',\
         CreateFileMapping,'CreateFileMappingA',\
         MapViewOfFile,'MapViewOfFile',\
         UnmapViewOfFile,'UnmapViewOfFile',\
         CloseHandle,'CloseHandle',\
         ExitProcess,'ExitProcess'

  import user,\
         MessageBox,'MessageBoxA',\
         wsprintf,'wsprintfA'

There are several more variants of this virus other than the one posted with source code. The source I pasted above would not detect all variants.
Last edited by Torrey on 25 Nov 2005, 11:59; edited 1 time in total
Tomasz Grysztar 25 Nov 2005, 11:17
OK, so we've got some detection. What about healing those files now?
And what if someone edited the virus to change only its signature? I suggest trying to make it into a fully functional Anti-Timid program.
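A small defender-side scanner, added here as an example and not code from this thread or from fasm: it applies Torrey's check (the word 'VI' at file offset 3) and adds a second indicator that survives the signature edit Tomasz asks about, namely the `call $+3` (E8 00 00) instruction vid explains, reached by following the host's leading JMP. That the host begins with a near JMP into the appended code and that the appended code opens with E8 00 00 are assumptions about the layout, not facts stated on the page; the sample images are constructed.

```python
import struct
from pathlib import Path

def has_vi_signature(data: bytes) -> bool:
    """Torrey's check: the word at file offset 3 is 'VI'."""
    return data[3:5] == b"VI"

def jmp_target(data: bytes):
    """If the image opens with JMP rel16 (E9), return the file offset it lands on."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]
    target = 3 + rel                       # rel16 counts from the next instruction
    return target if 0 <= target < len(data) else None

def has_delta_offset_trick(data: bytes) -> bool:
    """Assumed indicator: the jumped-to code opens with call $+3 (E8 00 00), the
    'call GET_START' vid describes, whose only purpose is to learn its own offset."""
    t = jmp_target(data)
    return t is not None and data[t:t + 3] == b"\xE8\x00\x00"

def scan(data: bytes) -> dict:
    """Both indicators for one COM image."""
    return {"vi_signature": has_vi_signature(data),
            "delta_offset_trick": has_delta_offset_trick(data)}

def scan_dir(directory) -> dict:
    """Read-only scan of every *.com in a directory (Torrey's filemask)."""
    return {p.name: scan(p.read_bytes()) for p in Path(directory).glob("*.com")}

# Constructed samples, not real virus bytes. CLEAN is a 4-byte exit stub. INFECTED
# follows the layout assumed above: JMP over 'VI' to appended code that begins
# with call $+3; the rest of the appended body is zero padding.
CLEAN = b"\xB4\x4C\xCD\x21"                            # mov ah,4Ch / int 21h
APPENDED_AT = 16
INFECTED = (b"\xE9" + struct.pack("<h", APPENDED_AT - 3) + b"VI"
            + bytes(APPENDED_AT - 5) + b"\xE8\x00\x00" + bytes(4))
# The same image with only the two-byte signature edited (Tomasz's question).
MUTATED = INFECTED[:3] + b"XX" + INFECTED[5:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED), ("mutated", MUTATED)):
        print(f"{name:8s} {scan(img)}")
```

The mutated image shows the point of Tomasz's question: the signature check alone goes silent, while the structural indicator still fires.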
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.