... think of viruses as sort of a black art. The purpose of this volume is to bring them out of the closet and look at them matter-of-factly, to see them for what they are, technically speaking: computer ... yet. There are two kinds of jump 36 The Little Black Book of Computer Viruses The Basics of the Computer Virus A plethora of negative magazine articles and books have catalyzed a new kind of hypochondria ... Black Book of Computer Viruses than 64 kilobytes, we may load the size of the file we want to infect into the ax register: mov ax,WORD PTR [FSIZE] Next we add the number of bytes the virus will...
Uploaded: 09/12/2013, 17:15
... the search with the name of the file which DOS just found, its attribute, its size and its date of creation. Some of the data reported in the DTA is also used by DOS for performing the Search Next ... of memory, and the offset register tells how many bytes to add to the start of the 16 byte block to locate the desired byte in memory. For example, if the ds register is set to 1275 Hex and the ... 00 At 80H we find the value 0EH, which is the length of “Hello there!”, followed by the string itself, terminated by <CR>=0DH. Likewise, the PSP contains the address of the system environment,...
Uploaded: 19/03/2014, 13:43
the giant black book of computer viruses part 1 ppsx
... far. Not so, the computer virus, because it attaches itself to otherwise useful programs. The computer user will execute these programs in the normal course of using the computer, and the virus ... up with plenty of good reasons why fiat creation can’t occur. In the world of bits and bytes, many of these philosophical conundrums just disappear. (The fiat creation of computer viruses 6 Please ... viruses 2. Companion viruses 3. Parasitic viruses If you can understand these three simple types of viruses, you will already understand the majority of viruses being written today. Most of them...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 2 pdf
... relative to the start of the code in the EXE file. This is relocated by DOS at load time. 18H 2 Reloc Tbl Offset Offset of the start of the relocation table from the start of the file, in ... be the first byte of the virus. 3. Write the virus code currently executing to the end of the EXE file being attacked. 4. Write the initial value of ss:sp, as stored in the EXE Header, to the location ... [FFF8H] The first is the address 100H, used to return from the subroutine just placed on the stack to offset 100H, where the host will be. The next is the address of the routine hiding just under the...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 3 potx
... free at the time of the ;execution of the boot sector. ORG 0500H DISK_BUF: DB ? ;Start of the buffer ;Here is the start of the boot sector code. This is the chunk we will take out ;of the compiled ... SEC_SIZE - 1]/SEC_SIZE and the size of the file in sectors. The file size in bytes is stored at offset 1CH from the start of the directory entry at 0000:0500H. The number of sectors to load is SIZE ... loading, the virus would have crashed the system. (And that, incidentally, is why the virus we’re discussing is the Kilroy-B. The Kilroy virus discussed in The Little Black Book of Computer Viruses...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 4 potx
... writes. First, DEVIRUS finds the end of the host file and uses that as the offset for the new STRAT routine, writing this value into the header. Next it hides the address of the old STRAT routine internally ... STRAT routine internally in itself at STRJMP, and then writes the body of its code to the end of the SYS file. That’s all there is to it. The logic of DEVIRUS is depicted in Figure 14.3, and its ... as the data segment selector, once we have finished defining it. 3. Define the base of the segment associated to the new descriptor. This is the linear address of where that segment starts. The...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 5 pot
... function and then disassemble it. the virus is run. Thus, all of Developer A and Developer B’s clients could suffer loss from the virus, regardless of whether or not they developed software of their ... pushed on the stack and the function is called with a far call. In OS/2 the function names and the names of the modules where they reside are different, of course. For example, instead of calling ... Most of the people who buy Developer A’s software will never even have the opportunity to watch the virus replicate because they don’t develop software and they don’t have any C files on their...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 6 pot
... data at the end of the file where the virus is hiding, the virus can defeat the read, or simply truncate it so that only the host is read. If the read requests data at the beginning of the file, ... relative to the end of the file using Function 42H, Subfunction 2 must be adjusted to be relative to the end of the host. The virus handles this by first doing a move to the end of the file with the ... directory full of Slips-infected EXE files and use PKZIP on them to create a ZIP file of them, all of the files in the ZIP file will be uninfected, even if all of the actual files in the directory...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 7 pot
... should include them. At the other end of the scale, the fancier you want to get, the better. You can probably think of a lot of instructions that modify at most one register. The more possibilities ... such techniques in the early 90’s. Some of the first viruses which employed such techniques were the 1260 or V2P2 series of viruses. Before long, a Bulgarian who called himself the Dark Avenger ... instructions—and then put the instruction in the work space, and adjust cx to reflect the number of bytes used. RAND_INSTR is passed the same flags as RAND_CODE. To design RAND_INSTR, we classify the random,...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 8 pot
... in the directory where the file is missing, and you don’t have integrity data for any of them anymore. You scan them, sure, but the scanner turns up nothing. Why was the file missing? Are any of ... much work. All one has to do is calculate the size of the file from the EXE header, rather than from the file system, and use that to add the virus to the file. An alternative would be to simply ... routine moves the virus (this program) to the end of the EXE file ;Basically, it just copies everything here to there, and then goes and ;adjusts the EXE file header and two relocatables in the program,...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 9 pdf
... with ah=2AH. On return, cx is the year, dh is the month, and dl is the day of the month, while al is the day of the week, 0 to 6. Thus, to trigger on any Friday the 13th, a trigger might look ... consult some of the material available on The Collection CD-ROM. 1 On the face of it, writing destructive code is the simplest programming task in the world. When someone who doesn’t know the first ... TRIG_VAL copies of itself and then trigger. Each copy will have a fresh counter set to zero. The Lehigh virus, which was one of the first viruses to receive a lot of publicity in the late 80’s, used...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 10 doc
... the pointer relative to the beginning of the file, al=1 moves the pointer relative to the current location, al=2 moves the pointer relative to the end of the file. Function 43H: Get and Set File ... is passed the number of contiguous free sectors desired in bx, ;and it attempts to locate them on the disk. If it can, it returns the FAT ;entry number in cx, and the C flag reset. If there aren’t ... FATMAN.ASM is the FAT manager routines. These differ slightly from the FATMAN.ASM originally listed with the BBS virus because the FAT is sometimes encrypted. The PASS.ASM include file contains the pass...
Uploaded: 14/08/2014, 18:22