Since Core War, viruses have developed from the DOS era to Windows systems, and from polymorphic and encrypted forms to "intelligent" ones. Viruses are written by people, and now that networks are everywhere they do great harm to people. I am only throwing out a brick to attract jade here: I introduce the principles of viruses and hope everyone will study and exchange ideas. (This article refers to some articles on the network and borrows some of their content. Author QQ: 9750406.)

To study DOS viruses you must first learn, or better master, assembly language. DOS viruses are generally divided into boot viruses, file viruses, hybrid viruses and so on. Most viruses infect COM and EXE files, so you must know the structure of the COM file and the EXE file.

I. COM file structure and principle

The COM file is relatively simple. A .COM file contains an absolute image of the program, that is, the exact processor instructions and data that must be in memory to run the program. MS-DOS loads the image directly from the file into memory and makes no change to it. To load a .COM program, MS-DOS first tries to allocate memory. Because a .COM program must fit in one 64K segment, the size of the .COM file cannot exceed 65,024 bytes (64K minus 256 bytes for the PSP and at least 256 bytes for the initial stack). If MS-DOS cannot allocate enough memory for the program, a PSP and an initial stack, the load attempt fails. Otherwise MS-DOS allocates as much memory as possible (up to all remaining memory), even though the .COM program itself cannot be larger than 64K; most .COM programs release any memory they do not need before trying to run another program or allocate additional memory. After the memory is allocated, MS-DOS builds a PSP in the first 256 bytes of it. If the first FCB in the PSP contains a valid drive identifier, AL is set to 00h, otherwise to 0FFh. MS-DOS also sets AH to 00h or 0FFh depending on whether the second FCB contains a valid drive identifier.
After the PSP is built, MS-DOS starts the program immediately after the PSP (offset 100h). It sets SS, DS and ES to the PSP segment address, then creates a stack. To create the stack, MS-DOS sets SP to 0000h if at least 64K of memory has been allocated; otherwise it sets the register to the total number of bytes allocated. Finally it pushes 0000h onto the stack (this is to keep compatibility with programs designed for early MS-DOS versions). MS-DOS starts the program by transferring control to offset 100h, so the programmer must guarantee that the first instruction of the .COM file is the program's entry point.
Note that because the program is loaded at offset 100h, all code and data offsets must also be relative to 100h. Assembly language programmers guarantee this by setting the program's initial offset to 100h (for example, with the statement org 100h at the start of the source program).

II. EXE file structure

The EXE file is more complicated. Every EXE file has a file header with the following structure:

EXE file header information
  Offset    Content
  00H-01H   'MZ', the EXE file signature
  02H-03H   file length modulo 512 (bytes in the last page)
  04H-05H   file length in 512-byte pages
  06H-07H   number of relocation table items
  08H-09H   header size in paragraphs (16-byte units)
  0AH-0BH   minimum allocation (paragraphs)
  0CH-0DH   maximum allocation (paragraphs)
  0EH-0FH   initial SS
  10H-11H   initial SP
  12H-13H   checksum
  14H-15H   initial IP
  16H-17H   initial CS
  18H-19H   relocation table offset
  1AH-1BH   overlay number
  1CH-      ...

A .EXE file contains a file header and a relocatable program image. The file header contains the information MS-DOS needs to load the program, such as the size of the program and the initial values of the registers. The file header also points to a relocation table, a list of pointers to the relocatable segment addresses in the program image. The form of the file header corresponds to the EXEHEADER structure:

EXEHEADER       STRUC
  exSignature   dw 5A4DH   ; .EXE signature ('MZ')
  exExtraBytes  dw ?       ; number of bytes in the last (partial) page
  exPages       dw ?       ; number of 512-byte pages in the file
  exRelocItems  dw ?       ; number of pointers in the relocation table
  exHeaderSize  dw ?       ; size of the header, in paragraphs
  exMinAlloc    dw ?       ; minimum allocation
  exMaxAlloc    dw ?       ; maximum allocation
  exInitSS      dw ?       ; initial SS value
  exInitSP      dw ?       ; initial SP value
  exCheckSum    dw ?       ; complemented checksum
  exInitIP      dw ?       ; initial IP value
  exInitCS      dw ?       ; initial CS value
  exRelocTable  dw ?       ; byte offset of the relocation table
  exOverlay     dw ?       ; overlay number
EXEHEADER       ENDS

The program image, which contains the processor code and the program's initial data, immediately follows the file header. Its size in bytes equals the size of the .EXE file minus the size of the file header, which in turn equals the value of the exHeaderSize field multiplied by 16. MS-DOS loads a .EXE program by copying the image directly from the file into memory and then adjusting the relocatable segment addresses described in the relocation table.

The relocation table is an array of relocation pointers, each of which points to a relocatable segment address in the program image. The exRelocItems field in the header gives the number of pointers in the array, and the exRelocTable field gives the file offset at which the table starts. Each relocation pointer consists of two 16-bit values: an offset and a segment value.

To load a .EXE program, MS-DOS first reads the file header to verify the .EXE signature and to compute the size of the program image. Then it tries to allocate memory. First it computes the sum of the program image size, the size of the PSP and the memory described by the exMinAlloc field of the EXEHEADER structure. If this sum exceeds the size of the largest available memory block, MS-DOS stops loading the program and returns an error value. Otherwise it computes the sum of the program image size, the size of the PSP and the memory described by the exMaxAlloc field. If this second sum is less than the largest available memory block, MS-DOS allocates that computed amount; otherwise it allocates the largest available block.

After allocating memory, MS-DOS determines the segment address, called the start segment address, at which it loads the program image. If the values of the exMinAlloc and exMaxAlloc fields are both zero, MS-DOS loads the image as high as possible in memory; otherwise it loads the image immediately above the PSP. Next, MS-DOS reads the items in the relocation table and adjusts every segment address the relocation pointers point to: for each pointer in the table it finds the corresponding relocatable segment address in the program image and adds the start segment address to it. Once adjusted, these segment addresses point to the code and data segments of the program loaded in memory.

MS-DOS builds a 256-byte PSP in the lowest part of the allocated memory and sets AL and AH just as it does when loading a .COM program. It sets SS from the value in the file header, adjusting that initial SS value by adding the start segment address to it. MS-DOS also sets ES and DS to the PSP segment address. Finally, MS-DOS reads the initial CS and IP values from the file header, adds the start segment address to CS, and transfers control to the program at the adjusted address.

III. Boot virus principle

To understand the principle of boot viruses you must first understand the structure of the boot area. A floppy disk has only one boot area, called the DOS Boot Sector, and it exists as soon as the floppy is formatted.
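As an added example (not code from the article), here is a small Python parser that reads the EXEHEADER fields, derives the image size and the minimum memory the loader needs, and applies the relocation table for a chosen start segment. The MZ file it works on is constructed inline, not taken from any real program.

```python
import struct

HEADER_FMT = "<2s13H"    # 'MZ' followed by the 13 words of EXEHEADER (28 bytes)
FIELDS = ("extra_bytes", "pages", "reloc_items", "header_paras", "min_alloc",
          "max_alloc", "init_ss", "init_sp", "checksum", "init_ip", "init_cs",
          "reloc_table", "overlay")

def parse_exe_header(data):
    """Decode the fixed header and derive the sizes MS-DOS computes at load time."""
    sig, *words = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != b"MZ":
        raise ValueError("not an MZ executable")
    h = dict(zip(FIELDS, words))
    # exExtraBytes is the byte count of the last page; 0 means the last page is full
    last = h["extra_bytes"] if h["extra_bytes"] else 512
    file_len = (h["pages"] - 1) * 512 + last
    h["header_size"] = h["header_paras"] * 16          # exHeaderSize * 16
    h["image_size"] = file_len - h["header_size"]      # file size minus header size
    h["relocs"] = [struct.unpack_from("<HH", data, h["reloc_table"] + 4 * i)
                   for i in range(h["reloc_items"])]   # (offset, segment) pairs
    return h

def min_bytes_needed(h):
    """Image + 256-byte PSP + exMinAlloc paragraphs: the load fails if no block is this large."""
    return h["image_size"] + 256 + h["min_alloc"] * 16

def relocate(data, h, start_seg):
    """Add the start segment to every segment word the relocation table points at."""
    image = bytearray(data[h["header_size"]:h["header_size"] + h["image_size"]])
    for off, seg in h["relocs"]:
        pos = seg * 16 + off
        val = struct.unpack_from("<H", image, pos)[0]
        struct.pack_into("<H", image, pos, (val + start_seg) & 0xFFFF)
    return bytes(image)

def build_sample_exe():
    """Constructed MZ file: 32-byte header area, one relocation, 16-byte image (not from the article)."""
    # image: mov ax,0000 ; mov ds,ax ; int 20h  - the 0000 at image offset 1 is a segment value
    image = bytes([0xB8, 0x00, 0x00, 0x8E, 0xD8, 0xCD, 0x20]) + bytes(9)
    header = struct.pack(HEADER_FMT, b"MZ", 48, 1, 1, 2, 0x10, 0xFFFF,
                         0, 0x100, 0, 0, 0, 28, 0)
    reloc = struct.pack("<HH", 1, 0)      # relocation table at offset 28: (offset 1, segment 0)
    return header + reloc + image
```

The relocation step is what a loader, a debugger or a scanner reconstructing an infected EXE in memory has to repeat, so the segment words it touches are exactly the ones a file virus must keep consistent when it appends itself.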
Its function is to look on the disk for IO.SYS and MSDOS.SYS: if they are present it boots from them, otherwise it displays "No System Disk ..." or a similar message. The hard disk has two boot areas. The one at cylinder 0, head 0, sector 1 is called the master boot area and contains the master boot program and the partition table. The master boot program finds the active partition, and the first sector of that partition is the DOS Boot Sector. Most viruses infect the hard disk's master boot area and the floppy disk's DOS boot sector.

*** 3.5" floppy format ***

A 3.5" floppy disk is double-sided, so track 0 has two sides: the front side holds sectors 0-17 and the back side holds sectors 18-35.
  sector 0:          boot sector;
  sectors 1-9:       first FAT (first file allocation table);
  sectors 10-18:     second FAT (second file allocation table);
  sectors 19-32:     root directory area (also called the File Directory Table, FDT);
  sectors 33-2879:   data area.

*** Hard disk master boot record structure ***

Offset  Machine code  Instruction              ; Comment
0000    FA            CLI                      ; disable interrupts
0001    33C0          XOR  AX,AX
0003    8ED0          MOV  SS,AX               ; (SS) = 0000H
0005    BC007C        MOV  SP,7C00             ; (SP) = 7C00H
0008    8BF4          MOV  SI,SP               ; (SI) = 7C00H
000A    50            PUSH AX
000B    07            POP  ES                  ; (ES) = 0000H
000C    50            PUSH AX
000D    1F            POP  DS                  ; (DS) = 0000H
000E    FB            STI
000F    FC            CLD
0010    BF0006        MOV  DI,0600
0013    B90001        MOV  CX,0100             ; 0100H words = 512 bytes in total
0016    F2            REPNZ
0017    A5            MOVSW                    ; the master boot program moves itself from 0000:7C00 to
                                               ; 0000:0600 to make room for the DOS partition's boot program
0018    EA1D060000    JMP  0000:061D           ; jump to 0000:061D and continue there, that is, at the
                                               ; MOV instruction below (offset 001D)
001D    BEBE07        MOV  SI,07BE             ; 07BE-0600 = 01BE, the first entry of the partition table
0020    B304          MOV  BL,04               ; the partition table has at most 4 entries, so at most 4 partitions
0022    803C80        CMP  BYTE PTR [SI],80    ; 80H marks the active partition
0025    740E          JZ   0035                ; active partition found, jump
0027    803C00        CMP  BYTE PTR [SI],00    ; 00H marks an inactive entry
002A    751C          JNZ  0048                ; neither 80H nor 00H: the partition table is invalid
002C    83C610        ADD  SI,10               ; next partition entry, each is 16 bytes
002F    FECB          DEC  BL                  ; loop counter minus one
0031    75EF          JNZ  0022                ; check the next partition entry
0033    CD18          INT  18                  ; none of the 4 can boot, enter ROM BASIC
0035    8B14          MOV  DX,[SI]
0037    8B4C02        MOV  CX,[SI+02]          ; take the head, cylinder and sector of the active partition
003A    8BEE          MOV  BP,SI               ; then continue checking the remaining entries
003C    83C610        ADD  SI,10
003F    FECB          DEC  BL
0041    741A          JZ   005D                ; all 4 checked, go boot the active partition
0043    803C00        CMP  BYTE PTR [SI],00    ; 00H marks a valid (inactive) entry
0046    74F4          JZ   003C                ; this entry is valid, check the next one
0048    BE8B06        MOV  SI,068B             ; 068B-0600 = 008B: the "Invalid partition table" string
004B    AC            LODSB                    ; take one character
004C    3C00          CMP  AL,00               ; 00H is the end of the string
004E    740B          JZ   005B                ; string displayed, enter the dead loop
0050    56            PUSH SI
0051    BB0700        MOV  BX,0007
0054    B40E          MOV  AH,0E
0056    CD10          INT  10                  ; display one character
0058    5E            POP  SI
0059    EBF0          JMP  004B                ; loop to display the next character
005B    EBFE          JMP  005B                ; dead loop here
005D    BF0500        MOV  DI,0005             ; read the boot sector of the active partition, up to 5 tries
0060    BB007C        MOV  BX,7C00
0063    B80102        MOV  AX,0201
0066    57            PUSH DI
0067    CD13          INT  13                  ; read the sector
0069    5F            POP  DI
006A    730C          JNB  0078                ; read succeeded, jump
006C    33C0          XOR  AX,AX
006E    CD13          INT  13                  ; read failed, reset the disk
0070    4F            DEC  DI
0071    75ED          JNZ  0060                ; fewer than 5 tries, try again
0073    BEA306        MOV  SI,06A3             ; 06A3-0600 = 00A3: the "Error loading operating system" string
0076    EBD3          JMP  004B                ; go display the string, then enter the dead loop
0078    BEC206        MOV  SI,06C2             ; 06C2-0600 = 00C2: the "Missing operating system" string
007B    BFFE7D        MOV  DI,7DFE             ; 7DFE-7C00 = 01FE, the last two bytes of the active
                                               ; partition's boot sector
007E    813D55AA      CMP  WORD PTR [DI],AA55  ; the last two bytes must be AA55H
0082    75C7          JNZ  004B                ; invalid: display the string and enter the dead loop
0084    8BF5          MOV  SI,BP
0086    EA007C0000    JMP  0000:7C00           ; valid: jump to the partition's boot sector

The message strings follow the code:

0080                                   49 6E 76 61 6C             Inval
0090  69 64 20 70 61 72 74 69-74 69 6F 6E 20 74 61 62   id partition tab
00A0  6C 65 00 45 72 72 6F 72-20 6C 6F 61 64 69 6E 67   le.Error loading
00B0  20 6F 70 65 72 61 74 69-6E 67 20 73 79 73 74 65    operating syste
00C0  6D 00 4D 69 73 73 69 6E-67 20 6F 70 65 72 61 74   m.Missing operat
00D0  69 6E 67 20 73 79 73 74-65 6D 00 00 FB 4C 38 1D   ing system...L8.

The rest of the sector is zero up to the partition table at 01BEH, which is followed by the AA55H signature at 01FEH.

Using INT 13H function 02, the master boot record (cylinder 0, head 0, sector 1 of the hard disk) can be read into memory at ES:BX.
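Added example, not code from the article: a Python check that applies the same validation the master boot program performs (AA55H signature, status byte 80H or 00H in each of the four entries, exactly one active partition) and additionally verifies that the standard message strings still sit at 008BH, 00A3H and 00C2H, a simple way to notice when the boot code has been overwritten. The sector is constructed inline, not read from a disk.

```python
import struct

PARTITION_TABLE = 0x1BE            # 07BEH - 0600H in the relocated master boot program
ENTRY_FMT = "<BBHBBHII"            # status, start CHS, type, end CHS, LBA start, sector count
MESSAGES = {0x8B: b"Invalid partition table",         # 068BH - 0600H
            0xA3: b"Error loading operating system",  # 06A3H - 0600H
            0xC2: b"Missing operating system"}        # 06C2H - 0600H

def parse_partition_table(mbr):
    """Return the four 16-byte entries as dicts, in table order."""
    entries = []
    for i in range(4):
        status, _, _, ptype, _, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def check_mbr(mbr):
    """Apply the master boot program's own checks plus a string check for replaced boot code."""
    problems = []
    if len(mbr) != 512:
        return ["sector is not 512 bytes"]
    if struct.unpack_from("<H", mbr, 0x1FE)[0] != 0xAA55:   # the word the code checks at 7DFEH
        problems.append("AA55H signature missing at 01FEH")
    entries = parse_partition_table(mbr)
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        problems.append("status byte neither 00H nor 80H: invalid partition table")
    active = sum(1 for e in entries if e["status"] == 0x80)
    if active != 1:
        problems.append("%d active partitions, expected exactly 1" % active)
    for off, text in MESSAGES.items():
        if mbr[off:off + len(text)] != text:
            problems.append("message text not at %04XH: boot code may have been replaced" % off)
    return problems

def build_sample_mbr(tamper=False):
    """Constructed 512-byte sector with the standard messages and one active entry (not a real disk)."""
    mbr = bytearray(512)
    for off, text in MESSAGES.items():
        mbr[off:off + len(text)] = text
    for i, status in enumerate((0x80, 0x00)):           # two primary partitions, first one active
        struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE + 16 * i,
                         status, 1, 1, 0x06, 0xFE, 0xFFFF, 63 + i * 1000000, 1000000)
    struct.pack_into("<H", mbr, 0x1FE, 0xAA55)
    if tamper:                                          # simulate overwritten boot code
        mbr[0x8B:0x8B + 7] = bytes(7)                   # first message gone
        mbr[PARTITION_TABLE + 16] = 0x80                # second entry also marked active
    return bytes(mbr)
```

Comparing a freshly read sector 1 against a saved known-good copy is the stronger check; the string test only catches loaders that no longer carry the original messages.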
Now analyze the code of the boot program that was read in.

1. Move the master boot record

0E74:7C00  33C0      XOR  AX,AX        ; clear AX
0E74:7C02  8ED0      MOV  SS,AX        ; clear SS
0E74:7C04  BC007C    MOV  SP,7C00      ; SP = 7C00, the stack is at 0:7C00H
0E74:7C07  FB        STI               ; enable interrupts
0E74:7C08  50        PUSH AX
0E74:7C09  07        POP  ES           ; ES = 0
0E74:7C0A  50        PUSH AX
0E74:7C0B  1F        POP  DS           ; DS = 0
0E74:7C0C  FC        CLD
0E74:7C0D  BE1B7C    MOV  SI,7C1B      ; source address is 0:7C1BH
0E74:7C10  BF1B06    MOV  DI,061B      ; destination address is 0:061BH
0E74:7C13  50        PUSH AX
0E74:7C14  57        PUSH DI
0E74:7C15  B9E501    MOV  CX,01E5      ; move 01E5H bytes
0E74:7C18  F3        REPZ              ; move the master boot record from 0:7C1B-0:7DFF
0E74:7C19  A4        MOVSB             ; to 0:061B-0:07FF
0E74:7C1A  CB        RETF              ; transfer to 0:061B and continue executing the program there

2. Search the four hard disk partition table entries in turn for the boot flag

0E74:061B  BEBE07    MOV  SI,07BE      ; SI points to the boot flag
0E74:061E  B104      MOV  CL,04        ; search four partition entries
0E74:0620  382C      CMP  [SI],CH      ; CH is 0
0E74:0622  7C09      JL   062D         ; [SI] = 80H is the boot flag, go to 062DH
0E74:0624  7515      JNZ  063B         ; [SI] is not 0: error, go to 063BH
0E74:0626  83C610    ADD  SI,10        ; check the four partition entries
0E74:0629  E2F5      LOOP 0620         ; until the boot flag is found
0E74:062B  CD18      INT  18           ; no boot flag found, enter the boot error handling routine