Teaching how to write viruses is a very sensitive topic. Will it cause a flood of viruses? Is it necessary to learn how to write them at all? This raises a question: what actually causes viruses to flood? Is it that too many people write viruses, or that too few people know how to deal with them? When scammers are everywhere, should we teach everyone how to avoid being cheated, or hide the methods from them? How can we help people understand what is illegal?
I. How to write Master Boot Record and boot sector viruses
What is a Master Boot Record, and where is it stored? The Master Boot Record is a program used to load the boot sector of the active partition of the hard disk. It is stored on the hard disk at cylinder 0, head 0, sector 1, and is at most one sector long. When booting from the hard disk, the BIOS boot program loads the Master Boot Record to 0:7c00h and then passes control to it. Boot viruses generally live on floppy disks; because a floppy disk has no partitions, its boot sector can be regarded as the floppy disk's Master Boot Record. The boot sector of a floppy disk is at track 0, head 0, sector 1, and is one sector long.
General principle of the Master Boot Record virus
Generally, this type of virus saves the original Master Boot Record and replaces it with its own program. At startup, when the virus body gains control, it does its own work, then reads the original Master Boot Record to 0:7c00 and passes control to it so the normal boot continues. A system is usually infected when it is started from an infected floppy disk; a floppy disk, in turn, is generally infected while the system itself is infected.
What should you pay attention to when writing a Master Boot Record virus?
1. Where to save the original Master Boot Record.
As everyone knows, file viruses save the original, modified parts of infected files. Can a boot virus also use a file to save the overwritten boot record? The answer is no. Because the Master Boot Record virus runs before the operating system, it cannot use operating system functions; it can only use BIOS functions or program the disk I/O directly. Generally, the BIOS disk service is used to store the original Master Boot Record in an absolute sector. Since cylinder 0, head 0, sector 2 is reserved, it is usually used for this storage.
2. BIOS disk service functions that must be mastered.
INT 13h, function 02h: read sectors
The call method is as follows:
Entry:
  AH = 02h
  AL = number of sectors to read
  CH = track (cylinder) number
  CL = sector number (starting from 1)
  DH = head number
  DL = physical drive number
  ES:BX -> buffer to be filled
Return: CF is set when the call fails.
  AH = status
  AL = number of sectors actually read
INT 13h, function 03h: write sectors
The call method is as follows:
Entry:
  AH = 03h
  AL = number of sectors to write
  CH = track (cylinder) number
  CL = sector number (starting from 1)
  DH = head number
  DL = physical drive number
  ES:BX -> buffer
Return: CF is set when the call fails.
  AH = status
  AL = number of sectors actually written
3. How do these viruses infect?
Generally, these viruses monitor the system by intercepting the interrupt vector INT 13h. Whenever a floppy disk or hard disk is read or written, the virus checks whether that disk is clean; if the disk is not yet infected, it infects it.
4. Resident location
Generally, the virus obtains its resident space by modifying the base memory size, which is stored in KB at 40h:13h. The virus then lives in the last few KB of memory.
========================================================== ============================
II. How to write DOS viruses?
Since Core War, viruses have evolved from the DOS era to the ipvs system. Today's viruses, from polymorphism and encryption to intelligence, pose a daunting challenge. The Internet has seen a flood of viruses; here I introduce the principles of viruses, hoping that you will study them and exchange ideas together. (This article draws on some articles and content from the Internet.)
To learn DOS viruses, you must first learn or master assembly language. DOS viruses are generally classified into boot viruses, file viruses and hybrid viruses. Most file viruses infect COM and EXE files, so you must understand the structure of COM files and EXE files.
I. COM file structure and principle
The .COM file is relatively simple. A .COM file contains an absolute image of the program, that is, the exact processor instructions and data needed to run the program in memory, so MS-DOS loads a .COM program by copying the file directly into memory without making any changes. To load a .COM program, MS-DOS first tries to allocate memory. Because a .COM program must fit in one 64 KB segment, the .COM file size cannot exceed 65,024 bytes (64 KB minus 256 bytes for the PSP and at least 256 bytes for a starting stack). If MS-DOS cannot allocate enough memory for the program, a PSP and a starting stack, the allocation attempt fails. Otherwise, MS-DOS allocates as much memory as possible (all remaining memory), even though the .COM program itself cannot be larger than 64 KB. Before trying to run another program or allocate more memory, most .COM programs release the memory they do not need.
After allocating memory, MS-DOS creates a PSP in the first 256 bytes of that memory. If the first FCB in the PSP contains a valid drive identifier, AL is set to 00h, otherwise to 0FFh; MS-DOS also sets AH to 00h or 0FFh depending on whether the second FCB contains a valid drive identifier. After building the PSP, MS-DOS loads the .COM file immediately after the PSP (at offset 100h), sets SS, DS and ES to the PSP segment address, and then creates the stack. To create the stack, MS-DOS sets SP to 0000h if at least 64 KB of memory has been allocated; otherwise it sets the register to a value 2 greater than the total number of allocated bytes. Finally, it pushes 0000h onto the stack (to ensure compatibility with programs designed for earlier MS-DOS versions). MS-DOS starts the program by transferring control to offset 100h. The programmer must ensure that the first instruction of the .COM file is the program's entry point. Note that because the program is loaded at offset 100h, all code and data offsets must be relative to 100h. An assembly language programmer ensures this by setting the program's starting point to 100h (for example, with an org 100h statement at the beginning of the source program).
II. EXE file structure
The EXE file is more complex. Each EXE file begins with a file header with the following structure:
EXE file header information
―――――――――――――――――――――――――
Offset      Meaning
00h-01h     'MZ', the EXE file mark
02h-03h     file length modulo 512 (bytes in the last page)
04h-05h     file length divided by 512, rounded up (number of pages)
06h-07h     number of relocation items
08h-09h     header size divided by 16 (header size in paragraphs)
0Ah-0Bh     minimum number of paragraphs required
0Ch-0Dh     maximum number of paragraphs requested
0Eh-0Fh     initial stack segment (SS), relative to the start segment
10h-11h     initial SP
12h-13h     file checksum
14h-15h     initial IP
16h-17h     initial CS, relative to the start segment
18h-19h     file offset of the relocation table
1Ah-1Bh     overlay number
1Ch-...     remaining header bytes
―――――――――――――――――――――――――
The .EXE file contains a file header and a relocatable program image. The file header contains the information MS-DOS needs to load the program, such as the program size and the initial register values. The file header also points to a relocation table, which contains a list of pointers to the relocatable segment addresses in the program image. The format of the file header corresponds to the exeheader structure:
exeheader    struc
exsignature  dw 5a4dh   ; .EXE mark
exextrabytes dw ?       ; number of bytes in the last (partial) page
expages      dw ?       ; number of whole and partial pages in the file
exrelocitems dw ?       ; number of pointers in the relocation table
exheadersize dw ?       ; size of the file header in paragraphs (16-byte units)
exminalloc   dw ?       ; minimum allocation size
exmaxalloc   dw ?       ; maximum allocation size
exinitss     dw ?       ; initial SS value
exinitsp     dw ?       ; initial SP value
exchecksum   dw ?       ; complement checksum value
exinitip     dw ?       ; initial IP value
exinitcs     dw ?       ; initial CS value
exreloctable dw ?       ; byte offset of the relocation table
exoverlay    dw ?       ; overlay number
exeheader    ends
The program image, which contains the program's processor code and initial data, follows the file header. Its size in bytes equals the size of the .EXE file minus the size of the file header, the latter being the value of the exheadersize field multiplied by 16. MS-DOS loads the .EXE program by copying the image directly from the file into memory and then adjusting the relocatable segment addresses described in the relocation table.
The relocation table is an array of relocation pointers, each pointing to a relocatable segment address in the program image. The exrelocitems field in the file header gives the number of pointers in the array, and the exreloctable field gives the file offset at which the relocation table starts. Each relocation pointer consists of two 16-bit values: an offset and a segment value. To load a .EXE program, MS-DOS first reads the file header to verify the .EXE mark and to calculate the size of the program image. Then it tries to allocate memory. First it adds up the size of the program image, the size of the PSP, and the amount of memory specified by the exminalloc field of the exeheader structure. If this total exceeds the size of the largest available memory block, MS-DOS stops loading and returns an error value. Otherwise, it adds up the size of the program image, the size of the PSP, and the amount of memory specified by the exmaxalloc field. If this second sum is smaller than the largest available memory block, MS-DOS allocates that calculated amount of memory; otherwise it allocates the largest available block. After the memory is allocated, MS-DOS determines the segment address, known as the start segment address, at which it loads the program image. If the exminalloc and exmaxalloc fields are both zero, MS-DOS loads the image as high in memory as possible; otherwise it loads the image directly after the PSP. Next, MS-DOS reads the entries of the relocation table and adjusts every segment address described by a relocation pointer: for each pointer, it finds the corresponding relocatable segment address in the program image and adds the start segment address to it. Once adjusted, the segment addresses point to the code and data segments of the program as loaded in memory.
MS-DOS builds a 256-byte PSP at the lowest part of the allocated memory and sets AL and AH to the same values as when loading a .COM program. MS-DOS sets SP and SS from the values in the file header, adjusting the initial SS value by adding the start segment address to it. MS-DOS also sets ES and DS to the PSP segment. Finally, MS-DOS reads the initial CS and IP values from the file header, adds the start segment address to CS, and transfers control to the program at the adjusted address.
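As an added example (not code from the article), the following Python parses the exeheader structure above, computes the image size, and applies the relocation table for a chosen start segment the way the loader just described does; the 48-byte sample file is constructed here for illustration, not taken from any real program.

```python
import struct

# Field order and names follow the exeheader structure above (14 little-endian words).
EXE_HEADER = struct.Struct("<14H")
FIELDS = ("exsignature", "exextrabytes", "expages", "exrelocitems", "exheadersize",
          "exminalloc", "exmaxalloc", "exinitss", "exinitsp", "exchecksum",
          "exinitip", "exinitcs", "exreloctable", "exoverlay")


def parse_exe_header(data):
    """Return the header as a dict, or raise ValueError if the MZ mark is missing."""
    if len(data) < EXE_HEADER.size:
        raise ValueError("file too short for an EXE header")
    hdr = dict(zip(FIELDS, EXE_HEADER.unpack_from(data, 0)))
    if hdr["exsignature"] != 0x5A4D:            # 'MZ' read as a little-endian word
        raise ValueError("missing MZ signature")
    return hdr


def image_size(hdr, data):
    """Program image size: file size (from expages/exextrabytes) minus header size."""
    file_bytes = hdr["expages"] * 512
    if hdr["exextrabytes"]:                     # the last page is only partly used
        file_bytes -= 512 - hdr["exextrabytes"]
    return min(file_bytes, len(data)) - hdr["exheadersize"] * 16


def load_image(data, start_seg):
    """Copy the image and relocate it for a load at segment start_seg, returning
    (image, CS, SS) with the start segment added, as the loader does."""
    hdr = parse_exe_header(data)
    base = hdr["exheadersize"] * 16
    image = bytearray(data[base:base + image_size(hdr, data)])
    for i in range(hdr["exrelocitems"]):
        off, seg = struct.unpack_from("<HH", data, hdr["exreloctable"] + 4 * i)
        pos = seg * 16 + off                    # image-relative position of the segment word
        word = struct.unpack_from("<H", image, pos)[0]
        struct.pack_into("<H", image, pos, (word + start_seg) & 0xFFFF)
    return (bytes(image), (hdr["exinitcs"] + start_seg) & 0xFFFF,
            (hdr["exinitss"] + start_seg) & 0xFFFF)


def sample_exe():
    """Constructed 48-byte EXE (not from the page): a 32-byte header holding one
    relocation entry, then a 16-byte image that starts with 'mov ax, SEG'."""
    image = bytes.fromhex("b80000"             # mov ax,0000 ; the word at offset 1 is relocatable
                          "8ed8"               # mov ds,ax
                          "b44c"               # mov ah,4ch
                          "cd21"               # int 21h     ; terminate
                          ).ljust(16, b"\x90")  # pad the image with NOPs
    header = EXE_HEADER.pack(0x5A4D, 48, 1, 1, 2, 0, 0xFFFF,   # mark, extra, pages, relocs, hdr paras, min, max
                             0, 0x100, 0, 0, 0, 0x1C, 0)       # SS, SP, checksum, IP, CS, reloc table, overlay
    return header + struct.pack("<HH", 1, 0) + image           # relocation entry: offset 1, segment 0
```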
III. Principles of boot viruses
To understand the principles of boot viruses, you must first understand the structure of the boot sector. A floppy disk has only one boot sector, called the DOS boot sector; it exists as soon as the floppy disk is formatted. Its function is to look for IO.SYS and MSDOS.SYS on the disk: if they are present, the system is booted; if not, a message such as 'No system disk...' is displayed. The hard disk has two boot sectors. The first is the master boot sector at cylinder 0, head 0, sector 1, which holds the master boot program and the partition table; the master boot program searches for the active partition, and the first sector of that partition is the DOS boot sector. The vast majority of boot viruses infect the hard disk's master boot sector and the floppy disk's DOS boot sector.
*** 3.5" floppy disk format ***
A 3.5" floppy disk is double-sided, so track 0 has two sides: the front holds sectors 0-17 and the reverse side holds sectors 18-35. Numbered by logical sector:
sector 0:         boot sector
sectors 1-9:      1st FAT (first file allocation table)
sectors 10-18:    2nd FAT (second file allocation table)
sectors 19-32:    root directory (also called the file directory table, FDT)
sectors 33-2879:  data area
*** Master Boot Record structure of the hard disk ***
Structure of the Master Boot Record of the hard disk
Offset  Machine code  Instruction             ; Comment
0000    fa            cli                     ; disable interrupts
0001    33c0          xor ax,ax
0003    8ed0          mov ss,ax               ; (SS) = 0000h
0005    bc007c        mov sp,7c00             ; (SP) = 7c00h
0008    8bf4          mov si,sp               ; (SI) = 7c00h
000a    50            push ax
000b    07            pop es                  ; (ES) = 0000h
000c    50            push ax
000d    1f            pop ds                  ; (DS) = 0000h
000e    fb            sti
000f    fc            cld
0010    bf0006        mov di,0600
0013    b90001        mov cx,0100             ; 100h words = 512 bytes in total
0016    f2            repnz
0017    a5            movsw                   ; the master boot program moves itself from 0000:7c00
                                              ; to 0000:0600 to make room for the DOS partition boot program
0018    ea1d060000    jmp 0000:061d           ; jump to 0000:061d to continue execution, which is
                                              ; the following mov instruction (at offset 001d)
001d    bebe07        mov si,07be             ; 07be-0600 = 01be, the first address of the partition table
0020    b304          mov bl,04               ; at most four partition table entries, i.e. four partitions
0022    803c80        cmp byte ptr [si],80    ; 80h marks the active partition
0025    740e          jz 0035                 ; jump if the active partition is found
0027    803c00        cmp byte ptr [si],00    ; 00h marks a valid (inactive) partition
002a    751c          jnz 0048                ; neither 80h nor 00h: the partition table is invalid
002c    83c610        add si,+10              ; next partition table entry, each entry is 16 bytes
002f    fecb          dec bl                  ; decrement the loop count
0031    75ef          jnz 0022                ; check the next partition table entry
0033    cd18          int 18                  ; none of the four is bootable: enter ROM BASIC
0035    8b14          mov dx,[si]
0037    8b4c02        mov cx,[si+02]          ; head, cylinder and sector of the active partition's boot sector
003a    8bee          mov bp,si               ; then keep checking the remaining entries
003c    83c610        add si,+10
003f    fecb          dec bl
0041    741a          jz 005d                 ; boot the active partition once all four are checked
0043    803c00        cmp byte ptr [si],00    ; 00h marks a valid partition
0046    74f4          jz 003c                 ; if this entry is valid, continue with the next
0048    be8b06        mov si,068b             ; 068b-0600 = 018b, the "Invalid partition table" string
004b    ac            lodsb                   ; fetch one character of the string
004c    3c00          cmp al,00               ; 00h marks the end of the string
004e    740b          jz 005b                 ; when the string has been displayed, enter an endless loop
0050    56            push si
0051    bb0700        mov bx,0007
0054    b40e          mov ah,0e
0056    cd10          int 10                  ; display one character
0058    5e            pop si
0059    ebf0          jmp 004b                ; loop to display the next character
005b    ebfe          jmp 005b                ; endless loop
005d    bf0500        mov di,0005             ; read the boot sector of the active partition, up to 5 attempts
0060    bb007c        mov bx,7c00
0063    b80102        mov ax,0201
0066    57            push di
0067    cd13          int 13                  ; read the sector
0069    5f            pop di
006a    730c          jnb 0078                ; jump if the read succeeded
006c    33c0          xor ax,ax
006e    cd13          int 13                  ; reset the disk after a failed read
0070    4f            dec di
0071    75ed          jnz 0060                ; retry if fewer than five attempts have been made
0073    bea306        mov si,06a3             ; 06a3-0600 = 00a3, the "Error loading ..." string
0076    ebd3          jmp 004b                ; display the string and enter an endless loop
0078    bec206        mov si,06c2             ; 06c2-0600 = 00c2, the "Missing ..." string
007b    bffe7d        mov di,7dfe             ; 7dfe-7c00 = 01fe, the address of the last two bytes
                                              ; of the active partition's boot sector
007e    813d55aa      cmp word ptr [di],aa55  ; valid when the last two bytes are aa55h
0082    75c7          jnz 004b                ; if invalid, display the string and enter an endless loop
0084    8bf5          mov si,bp
0086    ea007c0000    jmp 0000:7c00           ; if valid, jump to the partition boot sector
0080                                  49 6e 76 61 6c              Inval
0090   69 64 20 70 61 72 74 69-74 69 6f 6e 20 74 61 62   id partition tab
00a0   6c 65 00 45 72 72 6f 72-20 6c 6f 61 64 69 6e 67   le.Error loading
00b0   20 6f 70 65 72 61 74 69-6e 67 20 73 79 73 74 65    operating syste
00c0   6d 00 4d 69 73 73 69 6e-67 20 6f 70 65 72 61 74   m.Missing operat
00d0   69 6e 67 20 73 79 73 74-65 6d 00 00 fb 4c 38 1d   ing system...L8.
00e0-01af: all zero bytes
01b0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ..............   partition table starts at 01be
01c0   01 00 06 0f 7f 9c 3f 00-00 00 f1 59 06 00 00 00   ..........Y.....
01d0   41 9d 05 0f ff 38 30 5a-06 00 40 56 06 00 00 00   A....80Z..@V....
01e0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
01f0   00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 aa   ..............U.
Use INT 13h function 02h to read the hard disk's Master Boot Record, located in the first sector of the hard disk's reserved area (cylinder 0, head 0, sector 1), into memory at ES:BX. Now read the program code, analysed below:
1. Moving the Master Boot Record program
0e74:7c00 33c0      xor ax,ax           ; clear AX
0e74:7c02 8ed0      mov ss,ax           ; clear SS
0e74:7c04 bc007c    mov sp,7c00         ; SP = 7c00, stack at 0:7c00h
0e74:7c07 fb        sti                 ; enable interrupts
0e74:7c08 50        push ax
0e74:7c09 07        pop es              ; ES = 0
0e74:7c0a 50        push ax
0e74:7c0b 1f        pop ds              ; DS = 0
0e74:7c0c fc        cld
0e74:7c0d be1b7c    mov si,7c1b         ; source address 0:7c1bh
0e74:7c10 bf1b06    mov di,061b         ; destination address 0:061bh
0e74:7c13 50        push ax
0e74:7c14 57        push di
0e74:7c15 b9e501    mov cx,01e5         ; move 01e5h bytes
0e74:7c18 f3        repz                ; the Master Boot Record at 0:7c1b-0:7dff
0e74:7c19 a4        movsb               ; is moved to 0:061b-0:07ff
0e74:7c1a cb        retf                ; far return to 0:061b (the AX and DI pushed above) and continue there
2. Searching the four partition table entries in turn for the bootable flag
0e74:061b bebe07    mov si,07be         ; SI points to the bootable flag of partition table entry 1
0e74:061e b104      mov cl,04           ; search four partitions
0e74:0620 382c      cmp [si],ch         ; CH is 0 after the rep movsb above
0e74:0622 7c09      jl 062d             ; if bit 7 of [si] is set (flag 80h), jump to 062dh
0e74:0624 7515      jnz 063b            ; if [si] is not 0, it is an error
0e74:0626 83c610    add si,+10          ; check the four entries in turn until the
0e74:0629 e2f5      loop 0620           ; bootable flag is found
0e74:062b cd18      int 18              ; no bootable flag was found
0e74:062d 8b14      mov dx,[si]         ; DL = the bootable flag byte (used as the drive number), DH = head
0e74:062f 8bee      mov bp,si           ; save the address of the bootable partition entry in BP
0e74:0631 83c610    add si,+10          ; keep testing the entries after the bootable one
0e74:0634 49        dec cx              ; until all four entries
0e74:0635 7416      jz 064d             ; have been checked
0e74:0637 382c      cmp [si],ch         ; if a remaining flag is not 0, it is an error
0e74:0639 74f6      jz 0631
3. Error message display routine
0e74:063b be1007    mov si,0710         ; output the error message, then loop endlessly
0e74:063e 4e        dec si
0e74:063f ac        lodsb
0e74:0640 3c00      cmp al,00
0e74:0642 74fa      jz 063e
0e74:0644 bb0700    mov bx,0007
0e74:0647 b40e      mov ah,0e
0e74:0649 cd10      int 10
0e74:064b ebf2      jmp 063f
The hard disk's Master Boot Record program reads the boot program from the bootable partition and transfers control to that partition boot program. The procedure is as follows:
(1) Move the Master Boot Record program, originally read to 0:7c00h, to 0:061bh;
(2) Read the bootable flag of the four partition table entries in turn to find the bootable partition. If none is found, execute the INT 18h boot-exception interrupt routine;
(3) Having found the bootable partition, check its system identifier. If the partition is a 32-bit FAT or a 16-bit FAT that relies on the INT 13h extensions, call INT 13h function 41h (installation check). If the check succeeds, call the INT 13h extended read function 42h to read the boot sector program into memory at 0:7c00h; on success go to step (5). If the read fails, or the system identifier is of another type, call the INT 13h read-sector function to read the boot sector to 0:7c00h;
(4) When the INT 13h read-sector function is used, up to five attempts are made in each of two ways. The first way reads the boot program directly from the first sector of the bootable partition. If the read succeeds but the end mark is not 55AA, or the first way fails five times, the second way is used. If both ways fail, control goes to the error handler;
(5) Once the boot program has been read successfully, control is transferred to 0:7c00h to run it.
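As an added example (not the article's code), the following Python reproduces the checks the two Master Boot Record listings above perform on the partition table and the 55AAh mark, and adds a defender's check for the storage trick described in section I, where the original Master Boot Record is kept in the reserved cylinder 0, head 0, sector 2; the 512-byte sample sector is constructed here, not copied from the dump.

```python
import struct

SECTOR = 512
PART_TABLE = 0x1BE                     # first partition table entry (07be - 0600 in the listing)
SIGNATURE = 0x1FE                      # the 55AAh mark checked at 7dfe
ENTRY = struct.Struct("<BBBBBBBBII")   # flag, start CHS (3 bytes), type, end CHS (3), LBA start, count


def partition_entries(sector):
    """Decode the four 16-byte entries at 01BEh into dicts, as the boot code walks them."""
    if len(sector) != SECTOR:
        raise ValueError("a boot sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        (flag, s_head, s_sec, s_cyl, ptype,
         _, _, _, lba, count) = ENTRY.unpack_from(sector, PART_TABLE + 16 * i)
        # the two high bits of the sector byte extend the cylinder number to 10 bits
        cylinder = ((s_sec & 0xC0) << 2) | s_cyl
        entries.append({"flag": flag, "type": ptype, "lba": lba, "sectors": count,
                        "start_chs": (cylinder, s_head, s_sec & 0x3F)})
    return entries


def check_mbr(sector):
    """Reproduce the boot code's decision: ('ok', active index), or the two error
    paths 'invalid partition table' (a flag other than 80h/00h, or a second 80h)
    and 'no active partition' (the int 18h path)."""
    if struct.unpack_from("<H", sector, SIGNATURE)[0] != 0xAA55:
        raise ValueError("missing 55AAh signature")
    active = None
    for i, e in enumerate(partition_entries(sector)):
        if e["flag"] == 0x80 and active is None:
            active = i
        elif e["flag"] != 0x00:
            return "invalid partition table", None
    if active is None:
        return "no active partition", None
    return "ok", active


def looks_like_saved_mbr(sector1, sector2):
    """Defender's check for the storage trick of section I: the normally unused
    sector 2 of track 0 holds a complete MBR (55AAh mark and the same partition
    table as sector 1) while the code area of sector 1 differs from it."""
    has_sig = struct.unpack_from("<H", sector2, SIGNATURE)[0] == 0xAA55
    same_table = sector1[PART_TABLE:SIGNATURE] == sector2[PART_TABLE:SIGNATURE]
    code_differs = sector1[:PART_TABLE] != sector2[:PART_TABLE]
    return has_sig and same_table and code_differs


def sample_mbr(code=b"\xfa\x33\xc0\x8e\xd0"):
    """Constructed 512-byte MBR (not the page's dump): `code` padded with NOPs up to
    01BEh, an active FAT16 entry, an inactive extended entry, two empty entries, 55AAh."""
    sector = bytearray(code.ljust(PART_TABLE, b"\x90"))
    sector += ENTRY.pack(0x80, 1, 1, 0, 0x06, 15, 0x7F, 0x9C, 63, 416241)            # CHS 0/1/1
    sector += ENTRY.pack(0x00, 0, 0x41, 0x9D, 0x05, 15, 0xFF, 0x38, 416304, 415296)  # CHS 413/0/1
    sector += bytes(32) + struct.pack("<H", 0xAA55)
    return bytes(sector)
```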