dark angel's phunky virus writing guide .txt

黑客培训教程

  ; Real Stuff
V2_End:

V1_Length EQU V1_End - V1_Start

Alternatively, you could store P1 in V2 as follows:

V2_Start:

P1_Start:
P1_End:

V2_End:

That's all there is to infecting a COM file without destroying it!  Simple,
no?   EXE files,  however, are a little tougher to infect without rendering
them inexecutable - I will cover this topic in a later file.

Now let  us turn our attention back to the replicator portion of the virus.
The steps are outlined below:

     1) Find a file to infect
     2) Check if it is already infected
     3) If so, go back to 1
     4) Infect it
     5) If infected enough, quit
     6) Otherwise, go back to 1

Finding a  file to  infect is  a  simple  matter  of  writing  a  directory
traversal procedure  and issuing  FINDFIRST  and  FINDNEXT  calls  to  find
possible files  to infect.   Once  you find  the file, open it and read the
first few  bytes.   If they are the same as the first few bytes of V1, then
the file  is already  infected.  If the first bytes of V1 are not unique to
your virus,  change it  so that they are.  It is *extremely* important that
your virus  doesn't reinfect  the same  files, since that was how Jerusalem
was first  detected.   If the file wasn't already infected, then infect it!
Infection should take the following steps:

     1) Change the file attributes to nothing.
     2) Save the file date/time stamps.
     3) Close the file.
     4) Open it again in read/write mode.
     5) Save P1 and append it to the end of the file.
     6) Copy V1 to the beginning, but change the offset which it JMPs to so
        it transfers control correctly. See the previous part on infection.
     7) Append V2 to the end of the file.
     8) Restore file attributes/date/time.

You should  keep a counter of the number of files infected during this run.
If the number exceeds, say three, then stop.  It is better to infect slowly
then to give yourself away by infecting the entire drive at once.

You must  be sure  to cover  your tracks  when you infect a file.  Save the
file's  original   date/time/attributes  and  restore  them  when  you  are
finished.   THIS IS VERY IMPORTANT!  It takes about 50 to 75 bytes of code,
probably less,  to do  these few simple things which can do wonders for the
concealment of your program.

I will  include code for the directory traversal function, as well as other
parts of the replicator in the next installment of my phunky guide.

-=-=-=-=-
CONCEALER
-=-=-=-=-
This is  the part  which conceals  the program  from notice by the everyday
user and virus scanner.  The simplest form of concealment is the encryptor.
The code for a simple XOR encryption system follows:

encrypt_val   db   ?

decrypt:
encrypt:
     mov ah, encrypt_val

     mov cx, part_to_encrypt_end - part_to_encrypt_start
     mov si, part_to_encrypt_start
     mov di, si

xor_loop:
     lodsb                 ; DS:[SI] -> AL
     xor al, ah
     stosb                 ; AL -> ES:[DI]
     loop xor_loop
     ret

Note the encryption and decryption procedures are the same.  This is due to
the weird  nature of  XOR.   You can CALL these procedures from anywhere in
the program,  but make sure you do not call it from a place within the area
to be  encrypted, as  the program  will crash.  When writing the virus, set
the encryption  value to  0.  part_to_encrypt_start and part_to_encrypt_end
sandwich the area you wish to encrypt.  Use a CALL decrypt in the beginning
of V2  to unencrypt  the file  so your  program can  run.  When infecting a
file, first change the encrypt_val, then CALL encrypt, then write V2 to the
end of the file, and CALL decrypt.  MAKE SURE THIS PART DOES NOT LIE IN THE
AREA TO BE ENCRYPTED!!!

This is how V2 would look with the concealer:

V2_Start:

Concealer_Start:
  .
  .
  .
Concealer_End:

Replicator_Start:
  .
  .
  .
Replicator_End:

Part_To_Encrypt_Start:
  .
  .
  .
Part_To_Encrypt_End:
V2_End:

Alternatively, you  could move  parts  of  the  unencrypted  stuff  between
Part_To_Encrypt_End and V2_End.

The value  of encryption  is readily  apparent.  Encryption makes it harder
for virus  scanners to  locate your virus.  It also hides some text strings
located in  your program.   It is the easiest and shortest way to hide your
virus.

Encryption is only one form of concealment.  At least one other virus hooks
into the  DOS interrupts  and alters  the output  of DIR  so the file sizes
appear normal.   Another  concealment scheme  (for TSR virii) alters DOS so
memory utilities  do not  detect the  virus.   Loading the virus in certain
parts of  memory allow  it to survive warm reboots.  There are many stealth
techniques, limited only by the virus writer's imagination.

-=-=-=-=-
THE BOMB
-=-=-=-=-
So now all the boring stuff is over.  The nastiness is contained here.  The
bomb part  of the virus does all the deletion/slowdown/etc which make virii
so annoying.   Set  some activation  conditions of  the virus.  This can be
anything, ranging  from when  it's your  birthday to  when  the  virus  has
infected 100  files.   When these  conditions are met, then your virus does
the good stuff.  Some suggestions of possible bombs:

     1) System slowdown - easily  handled  by  trapping  an  interrupt  and
        causing a delay when it activates.
     2) File deletion - Delete all ZIP files on the drive.
     3) Message display - Display a nice message saying  something  to  the
        effect of "You are fucked."
     4) Killing/Replacing the Partition Table/Boot Sector/FAT of  the  hard
        drive - This is very nasty, as most dimwits cannot fix this.

This is, of course, the fun part of writing a virus, so be original!

-=-=-=-=-=-=-=-
OFFSET PROBLEMS
-=-=-=-=-=-=-=-
There is  one caveat  regarding calculation of offsets.  After you infect a
file, the  locations of  variables change.  You MUST account for this.  All
relative offsets  can stay  the same, but you must add the file size to the
absolute offsets  or your  program will  not work.  This is the most tricky
part of  writing virii  and taking  these into  account can  often  greatly
increase the  size of  a virus.   THIS  IS VERY IMPORTANT AND YOU SHOULD BE
SURE TO  UNDERSTAND THIS BEFORE ATTEMPTING TO WRITE A NONOVERWRITING VIRUS!
If you  don't, you'll  get fucked  over and  your virus WILL NOT WORK!  One
entire part of the guide will be devoted to this subject.

-=-=-=-
TESTING
-=-=-=-
Testing virii  is a  dangerous yet  essential part  of the  virus  creation
process.   This is  to make  certain that people *will* be hit by the virus
and, hopefully,  wiped out.   Test  thoroughly and  make sure  it activates
under the  conditions.  It would be great if everyone had a second computer
to test  their virii  out, but,  of course, this is not the case.  So it is
ESSENTIAL that  you keep BACKUPS of your files, partition, boot record, and
FAT.   Norton is  handy in  this doing  this.  Do NOT disregard this advice
(even though  I know  that you will anyway) because you WILL be hit by your
own virii.   When  I wrote my first virus, my system was taken down for two
days because I didn't have good backups.  Luckily, the virus was not overly
destructive.   BACKUPS MAKE  SENSE!  LEECH A BACKUP PROGRAM FROM YOUR LOCAL
PIRATE BOARD!   I find a RamDrive is often helpful in testing virii, as the
damage is  not permanent.   RamDrives  are also useful for testing trojans,
but that is the topic of another file...

-=-=-=-=-=-=-
DISTRIBUTION
-=-=-=-=-=-=-
This is  another fun  part of  virus writing.   It  involves  sending  your
brilliantly-written  program   through  the  phone  lines  to  your  local,
unsuspecting bulletin  boards.   What you  should do  is infect a file that
actually does something (leech a useful utility from another board), infect
it, and upload it to a place where it will be downloaded by users all over.
The best  thing is  that it  won't be detected by puny scanner-wanna-bes by
McAffee, since it is new!  Oh yeah, make sure you are using a false account
(duh).   Better yet,  make a  false account  with the  name/phone number of
someone you  don't like  and upload  the infected  file under the his name.
You can  call back  from time to time and use a door such as ZDoor to check
the spread  of the virus.  The more who download, the more who share in the
experience of your virus!

I promised a brief section on overwriting virii, so here it is...
-=-=-=-=-=-=-=-=-
OVERWRITING VIRII
-=-=-=-=-=-=-=-=-
All these  virii do  is spread  throughout the  system.   They  render  the
infected files  inexecutable, so they are easily detected.  It is simple to
write one:

   +-------------+   +-----+   +-------------+
   | Program     | + |Virus| = |Virus|am     |
   +-------------+   +-----+   +-------------+

These virii are simple little hacks, but pretty worthless because of their
easy detectability.  Enuff said!

-=-=-=-=-=-=-=-=-=-=-=-=-
WELL, THAT JUST ABOUT...
-=-=-=-=-=-=-=-=-=-=-=-=-
wraps it  up for  this installment  of Dark  Angel's Phunky  virus  writing
guide.   There will (hopefully) be future issues where I discuss more about
virii and  include much  more source  code (mo' source!).  Till then, happy
coding!