Self Checking Executable Files
Anoj Shrestha

In this article I will explain a method that allows .COM files to detect infection by simple viruses. In order to infect a .COM file, a virus must change several bytes at the beginning of the code. Before the virus returns control to the original program, it 'disinfects' the copy in memory, so that the program runs as it did before infection.
This disinfection process is crucial, because it means that the image on the disk will not be the same as the memory image of the program. This article describes a method by which a .COM file can perform a self-check by reading its disk image and comparing it to its memory image. The full pathname of the program that is being executed by DOS is located in the environment block.
The segment of the environment block can be read from the PSP, at offset [2Ch]. The pathname of the program is stored after the last environment string, and can be located by searching for two consecutive zero bytes (the NUL that ends the last string, followed by the extra NUL that ends the block). Under DOS 3.0 and later, the two zeros are followed by a word giving the number of strings that follow (normally 1), and after that word is an ASCIIZ string containing the pathname of the current process. The code below skips that word with the add dx, 2. DOS 2.x does not store the pathname at all, so a program that must run there should bound the search and handle the missing name.
The following code opens the file being executed:

    nish:
        mov     es, word ptr ds:[2Ch]   ; segment of environment
        xor     ax, ax
        mov     di, 1
    loop_0:
        dec     di
        scasw                           ; compare word at es:[di] with 0, di += 2
        jne     loop_0                  ; net step is one byte per iteration
        mov     dx, di                  ; di -> word after the two zeros
        add     dx, 2                   ; skip the string-count word: start of pathname
        push    es
        pop     ds                      ; ds:dx -> ASCIIZ pathname (restore ds from cs
                                        ; before touching the program's own data)
        mov     ax, 3D02h               ; open, read/write access
        int     21h                     ; CF clear: ax = file handle; CF set: error

Next, we must read in the file (using DOS service function 3Fh, read file or device).
We can read the file into the heap space after the program, as long as we are sure we will not overwrite the stack (in a .COM program the stack sits at the top of the 64K segment, so a file close to 64K in size cannot be read in whole). The sample program in this article reads itself in entirely, but remember, it is not necessary to do so. It is only necessary to read and compare the first few bytes, since those are the bytes a .COM infector must change. Also, the program could read itself in blocks instead of all at once.
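The procedure above (find the pathname in the environment block, open the file, read it back and compare it with the running image) carried through as an added example. This is not code from the original article; it is written in C rather than the article's assembly so that it runs on any host, and the environment block, the two .COM images and the function names are constructed assumptions for illustration. The parser mirrors the assembly's byte-wise scan for a zero word and the skip over the string-count word, and it also handles the cases the assembly does not: a block with no pathname after the double NUL, and a disk image too short to compare.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed DOS 3.0+ environment block (an assumption for illustration):
 *   "PATH=C:\DOS\0" "COMSPEC=C:\COMMAND.COM\0" "\0"   <- strings, then extra NUL
 *   01 00                                            <- word: strings that follow
 *   "C:\SELF.COM\0"                                  <- ASCIIZ program pathname
 * The double NUL sits at offsets 34-35, the count word at 36-37, the path at 38. */
const uint8_t SAMPLE_ENV[] =
    "PATH=C:\\DOS\0COMSPEC=C:\\COMMAND.COM\0\0\x01\0C:\\SELF.COM";
#define SAMPLE_ENV_LEN (sizeof(SAMPLE_ENV))   /* includes the literal's final NUL */

/* Constructed .COM images (assumptions for illustration). The clean image is
 * what DOS loaded and what a self-disinfecting virus restores in memory; the
 * infected disk image has its first three bytes overwritten with a JMP to an
 * appended virus body, as an appending .COM infector would leave it. */
const uint8_t CLEAN_IMAGE[]    = { 0xB4, 0x09, 0xBA, 0x0A, 0x01, 0xCD, 0x21, 0xC3 };
const uint8_t INFECTED_IMAGE[] = { 0xE9, 0x05, 0x00, 0x0A, 0x01, 0xCD, 0x21, 0xC3,
                                   0xEB, 0xFE };   /* appended body: jmp $ */

/* Find the program pathname the way the article's loop does: scan the block
 * one byte at a time for a zero word, then skip that word and the string-count
 * word that follows it ("add dx, 2"). Returns the offset of the ASCIIZ path,
 * or -1 when the block has no double NUL or nothing follows it (DOS 2.x did
 * not store the pathname, so the search must be bounded). */
long find_program_path(const uint8_t *env, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (env[i] != 0 || env[i + 1] != 0)
            continue;
        size_t count_off = i + 2;            /* word: number of strings following */
        size_t path_off  = i + 4;            /* first byte of the pathname */
        if (path_off >= len)
            return -1;
        unsigned count = env[count_off] | (env[count_off + 1] << 8);
        if (count == 0 || env[path_off] == 0)
            return -1;
        return (long)path_off;
    }
    return -1;
}

/* The self-check: compare the first n bytes of the running (memory) image with
 * the first n bytes read back from disk. Returns 1 if they match (clean), 0 if
 * they differ or the disk image is too short to compare. Only the bytes a
 * .COM infector has to patch need comparing; n need not be the whole file. */
int self_check(const uint8_t *mem, size_t mem_len,
               const uint8_t *disk, size_t disk_len, size_t n)
{
    if (mem_len < n || disk_len < n)
        return 0;
    return memcmp(mem, disk, n) == 0;
}

int main(void)
{
    long off = find_program_path(SAMPLE_ENV, SAMPLE_ENV_LEN);
    if (off < 0) {
        puts("no program pathname in environment block");
        return 1;
    }
    printf("running program: %s\n", (const char *)SAMPLE_ENV + off);

    int clean = self_check(CLEAN_IMAGE, sizeof CLEAN_IMAGE,
                           INFECTED_IMAGE, sizeof INFECTED_IMAGE, 3);
    printf("first 3 bytes of disk image match memory: %s\n",
           clean ? "yes (clean)" : "no (infected)");
    return 0;
}
```

On real DOS the memory image is simply the bytes at cs:100h and the disk bytes come from function 3Fh on the handle returned by the open above. Comparing only the first few bytes catches the prepending and appending .COM infectors the article targets; a virus that changed code elsewhere in the file would need a longer compare or a checksum over the whole image.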
If a file finds itself to be infected, it should report this to the user. Remember, even though the file knows it is infected, the virus has already executed. Memory resident viruses will already have loaded themselves into memory, and direct action viruses will already have infected other files on the drive.
Note also what the check assumes: that reading the file returns the real disk image. A stealth virus that intercepts the DOS open and read calls and disinfects the file on the fly will hand the program a clean image, so the comparison passes. Thus, any virus that employs disinfection on the fly will be able to avoid detection and removal by this method, unless the program bypasses DOS and reads the disk directly.

Here is the full source to the self checking program:

    ;();();();();();();();();();();();();();();();();();();();();()
    .model tiny
    .code
    org 100h
    start:
        mov     es, word ptr ds:[2Ch]   ; dos environment block
        xor     ax, ax
        mov     di, 1
    loop_0:
        dec     di
        scasw
        jne     loop_0
        mov     dx, di
        add     dx, 2