; TBSCAN's flags by qark
; +------------+
;
; I realise that this sort of thing was done in a crypt journal one time
; but since then Franz has added four or five new flags and they haven't
; been covered. While working on my polymorphics for Hemlock I discovered
; how the '@' flag was triggered and had to share my knowledge with the
; world.
;
codeseg segment
main proc far
assume cs:codeseg,ds:codeseg
mov ax,codeseg
mov ds,ax
mov ah,9 ;Display a message.
mov dx,offset tbscan
int 21h
;----------------------------------------------------------------------------
; The TBSCAN '@' flag.
;
; TBSCAN says "Encountered instructions which are not likely to be
; generated by an assembler, but by some code generator like a
; polymorphic virus."
;
; To give you an example of how TBSCAN finds this you must understand
; that in many circumstances it is possible to have two different ways
; of representing the one instruction.
;
; We will take 'OR CX,CX' as an example. It can be represented by:
; db 09h,0c9h or db 0bh,0c9h
; The first two-byte combination sets off the flag, the second does not.
; TBSCAN is correct in flagging it, because the first 'or cx,cx' is never
; produced naturally.
;
;   |0 0 0 0 1 0| 1 | 1 |   <- 0B
;   |0 0 0 0 1 0| 0 | 1 |   <- 09 (triggers a tbscan flag)
;   |           |   |    |
;   |  opcode   |dir|word|
;   |           |bit|    |
;
; Above is the format of the first byte of the OR instruction. As you
; can see the 'direction bit' is the difference between them. If the
; direction bit isn't set (which is what TBSCAN is looking for) it
; means that the source and destination fields exchange roles. A compiler
; won't do this, but a polymorphic engine will.
;
; Likewise there are two ways of encoding ADD AX,1234h:
; db 05h,34h,12h or db 81h,0c0h,34h,12h
; The second one will trigger the '@' flag as well. This is because
; with AL/AX the instructions are one byte shorter than with the
; other registers. An assembler will NEVER use the method that takes
; more bytes, but a polymorphic engine will. These are all things to
; watch out for when constructing a polymorphic engine. Remember to
; make the instructions natural.
;
; Franz deserves a clap for spotting these little things. Most of the
; other AV companies are content to sit on what they've got, but TBAV
; is continually improving. It is a good product.
;
;----------------------------------------------------------------------------
db 0bh,0c9h ;OR CX,CX
db 9,0c9h ;OR CX,CX
db 05h,34h,12h ;ADD AX,1234h
db 81h,0c0h,34h,12h ;ADD AX,1234h
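;
; Added example, not code from the article: a Python checker for the two
; "unnatural encoding" cases described above, the kind of test behind the
; '@' flag. It judges one already-delimited instruction at a time, so a real
; scanner would have to disassemble first; ALU_OPS, noncanonical_alu and the
; sample table are names chosen here, not anything TBSCAN exposes. The reg,reg
; rule is applied to any register pair, which generalises the same-register
; case the text shows (MASM and TASM always emit the direction-bit-set form).
;
```python
# Added example, not code from the original article: a checker for the two
# "unnatural encoding" cases the text describes, the kind of test behind the
# TBSCAN '@' flag. It judges one already-delimited instruction at a time;
# a real scanner has to disassemble first to find instruction boundaries.

# Opcodes 00h-3Fh are the eight ALU operations, chosen by bits 5..3 of the
# opcode. The low three bits pick the operand form:
#   0/1: r/m,reg  (direction bit clear)   2/3: reg,r/m  (direction bit set)
#   4:   AL,imm8                           5:   AX,imm16
ALU_OPS = ("ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP")
REG16 = ("AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI")
REG8 = ("AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH")


def modrm_fields(b):
    """Split a ModR/M byte into its (mod, reg, rm) fields."""
    return b >> 6, (b >> 3) & 7, b & 7


def noncanonical_alu(insn):
    """Return a reason string if `insn` (the bytes of one instruction) is an
    encoding an assembler would not produce, otherwise None."""
    if len(insn) < 2:
        return None
    op = insn[0]
    mod, reg, rm = modrm_fields(insn[1])
    width = op & 1                      # 0 = byte operands, 1 = word operands
    regs = REG16 if width else REG8

    # Case 1: register-to-register with the direction bit clear, e.g. 09 C9.
    # MASM/TASM encode OR CX,CX as 0B C9 (direction bit set), so a mod=11b
    # form of opcodes xxxxx00x only comes out of a code generator. Assumption:
    # the text shows the same-register case; the rule is applied to any pair.
    if op < 0x40 and (op & 7) in (0, 1) and mod == 3:
        return (f"{ALU_OPS[op >> 3]} {regs[rm]},{regs[reg]} uses the r/m,reg "
                f"form (direction bit clear); opcode {op | 2:02X}h is the natural one")

    # Case 2: group-1 immediate form aimed at the accumulator, e.g. 81 C0 34 12.
    # ADD AX,imm16 has its own opcode 05h, one byte shorter, and ADD AL,imm8
    # has 04h; an assembler always picks the short form. (83h with a
    # sign-extended imm8 is the same length as the short form, so it is not
    # flagged here.)
    if op in (0x80, 0x81) and mod == 3 and rm == 0 and len(insn) >= 3 + width:
        acc = "AX" if width else "AL"
        imm = int.from_bytes(insn[2:3 + width], "little")
        short = (reg << 3) | (4 + width)
        return (f"{ALU_OPS[reg]} {acc},{imm:0{2 + 2 * width}X}h uses the long "
                f"{op:02X}h form; an assembler emits opcode {short:02X}h")
    return None


# The four byte sequences from the text (constructed, matching the db lines).
SAMPLES = {
    "OR CX,CX (0B C9)": bytes([0x0B, 0xC9]),
    "OR CX,CX (09 C9)": bytes([0x09, 0xC9]),
    "ADD AX,1234h (05 34 12)": bytes([0x05, 0x34, 0x12]),
    "ADD AX,1234h (81 C0 34 12)": bytes([0x81, 0xC0, 0x34, 0x12]),
}


def flagged_samples(samples=SAMPLES):
    """Names of the samples the heuristic would flag, in table order."""
    return [name for name, insn in samples.items() if noncanonical_alu(insn)]


if __name__ == "__main__":
    for name, insn in SAMPLES.items():
        print(f"{name:28} -> {noncanonical_alu(insn) or 'natural encoding'}")
```
;
; Run stand-alone it prints one line per sample; the two encodings the text
; calls unnatural are the only ones that get a reason.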
;----------------------------------------------------------------------------
; The TBSCAN '1' flag.
;
; TBSCAN says "Found instructions which require a 80186 processor or
; above."
;
; This is pretty obvious. Just anything that won't run on an 8088.
; Easy enough to avoid.
;
;----------------------------------------------------------------------------
shr ax,3 ;A shift by an immediate count other than 1 only exists on the 186 and above.
;----------------------------------------------------------------------------
; The TBSCAN 'A' flag.
;
; TBSCAN says "Suspicious Memory Allocation. Program uses an unusual
; way to search for, and/or allocate memory."
;
; It just looks for a compare against 'Z', the last-block marker in an MCB.
;
;----------------------------------------------------------------------------
cmp byte ptr [0],'Z' ;Often used while playing with MCBs.
;----------------------------------------------------------------------------
; The TBSCAN 'U' flag.
;
; TBSCAN says "Undocumented interrupt/DOS call. The program might be just
; tricky but can also be a virus using a non-standard way to detect
; itself."
;
; The only things you have to watch out for here are calling int 21h with
; AH above 6Eh, or using interrupts that are obscure (above 80h, probably).
; There are plenty of unused int 21h functions below 6Eh, so it shouldn't be
; hard.
;
;----------------------------------------------------------------------------
mov ax,6e00h ;This one is ok.
int 21h
mov ax,6f00h ;This one causes a flag.
int 21h
mov ax,09191h ;This one is ok.
int 13h
mov ax,09191h ;This one causes a flag.
int 0b6h
mov ax,4c00h
int 21h ;Terminate
tbscan db 'TBSCAN FLAGS ME$'
;----------------------------------------------------------------------------
; The TBSCAN 'S' flag.
;
; TBSCAN says "Contains a routine to search for executable (.COM and .EXE)
; files."
;
; This just means that '*.com' or '*.exe' is in the code somewhere. You
; shouldn't have to worry about this because wild cards are only used
; in direct action viruses.
;
;----------------------------------------------------------------------------
wildcard db '*.com',0
main endp
codeseg ends
end main ;Entry point; the assembler needs an END directive.
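;
; Added example, not code from the article: Python checks for the '1', 'A',
; 'U' and 'S' flags as the text describes them, run over the instruction
; bytes of the program above. Like a real scanner it needs instruction
; boundaries, so the input is a list of already-split instructions plus the
; data bytes. TBSCAN's real rules are not published; the thresholds are the
; ones the text gives (AH above 6Eh for int 21h, vectors above 80h), and the
; AH tracking only follows MOV AX,imm16 and MOV AH,imm8, a simplification.
; All function and sample names are chosen here.
;
```python
# Added example, not code from the original article: instruction-level
# checks for the '1', 'A', 'U' and 'S' heuristics as the text describes them.
# Input is a list of already-split instruction byte strings (a real scanner
# disassembles first) plus the program's data bytes.

# One-byte opcodes introduced with the 80186 (flag '1'): PUSHA/POPA, BOUND,
# PUSH imm, IMUL r,r/m,imm, INS/OUTS, shift/rotate by imm8, ENTER, LEAVE.
OPCODES_186 = {0x60, 0x61, 0x62, 0x68, 0x69, 0x6A, 0x6B,
               0x6C, 0x6D, 0x6E, 0x6F, 0xC0, 0xC1, 0xC8, 0xC9}


def flag_186(insn):
    """'1': the instruction's opcode does not exist on the 8086/8088."""
    return insn[0] in OPCODES_186


def flag_mcb_walk(insn):
    """'A': CMP byte ptr [mem],'Z' -- group-1 opcode 80h, /7 = CMP, a memory
    operand (mod != 11b) and the immediate 5Ah, the MCB chain-end marker."""
    if len(insn) < 3 or insn[0] != 0x80:
        return False
    mod, reg = insn[1] >> 6, (insn[1] >> 3) & 7
    return reg == 7 and mod != 3 and insn[-1] == ord("Z")


def flag_wildcards(data):
    """'S': the file contains '*.com' or '*.exe' (case-insensitive)."""
    low = data.lower()
    return [w.decode() for w in (b"*.com", b"*.exe") if w in low]


def scan(insns, data):
    """Walk the instruction list once and collect the flags it would raise.
    Returns {flag: [reason, ...]}; an empty dict means nothing was flagged."""
    flags = {}
    ah = None  # last value loaded into AH (simplified: MOV AX,imm16 / MOV AH,imm8 only)
    for insn in insns:
        op = insn[0]
        if flag_186(insn):
            flags.setdefault("1", []).append(f"opcode {op:02X}h needs a 186+")
        if flag_mcb_walk(insn):
            flags.setdefault("A", []).append("CMP byte ptr [mem],'Z'")
        if op == 0xB8 and len(insn) == 3:        # MOV AX,imm16
            ah = insn[2]
        elif op == 0xB4 and len(insn) == 2:      # MOV AH,imm8
            ah = insn[1]
        elif op == 0xCD and len(insn) == 2:      # INT imm8
            vec = insn[1]
            if vec == 0x21 and ah is not None and ah > 0x6E:
                flags.setdefault("U", []).append(f"int 21h with AH={ah:02X}h")
            elif vec > 0x80:
                flags.setdefault("U", []).append(f"int {vec:02X}h is an obscure vector")
    for w in flag_wildcards(data):
        flags.setdefault("S", []).append(f"wildcard {w!r} in file")
    return flags


# Constructed encodings of the demonstration instructions in the program.
SAMPLE_CODE = [
    bytes([0xC1, 0xE8, 0x03]),                        # shr ax,3
    bytes([0x80, 0x3E, 0x00, 0x00, 0x5A]),            # cmp byte ptr [0],'Z'
    bytes([0xB8, 0x00, 0x6E]), bytes([0xCD, 0x21]),   # mov ax,6e00h / int 21h
    bytes([0xB8, 0x00, 0x6F]), bytes([0xCD, 0x21]),   # mov ax,6f00h / int 21h
    bytes([0xB8, 0x91, 0x91]), bytes([0xCD, 0x13]),   # mov ax,9191h / int 13h
    bytes([0xB8, 0x91, 0x91]), bytes([0xCD, 0xB6]),   # mov ax,9191h / int 0b6h
    bytes([0xB8, 0x00, 0x4C]), bytes([0xCD, 0x21]),   # mov ax,4c00h / int 21h
]
SAMPLE_DATA = b"TBSCAN FLAGS ME$" + b"*.com\x00"

if __name__ == "__main__":
    for flag, reasons in sorted(scan(SAMPLE_CODE, SAMPLE_DATA).items()):
        print(flag, "->", "; ".join(reasons))
```
;
; On the sample it raises all four flags, with 'U' twice (AH=6Fh on int 21h
; and the int 0B6h vector), exactly the calls the comments above mark.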
;----------------------------------------------------------------------------
; The TBSCAN 'K' flag.
;
; TBSCAN says "Unusual stack. The program has a suspicious or an odd
; stack."
;
; That flag can't be demonstrated here, but what it means is that the
; SS:SP points past the end of the file. This is only for EXE files
; and can be seen in some of my viruses. There isn't much that can
; be done about this unless you change your virus's stub/infection
; code.
;
;----------------------------------------------------------------------------
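;
; Added example, not code from the article: a Python check for the 'K'
; condition as the text states it, an EXE whose initial SS:SP lies beyond
; the bytes present in the file. It parses the MZ header fields (page count,
; bytes on last page, header paragraphs, SS, SP) and compares the stack top's
; file offset with the declared image size. The two sample files are
; constructed here; parse_mz, odd_stack and make_header are names chosen
; here. A legitimate linker can also place the stack beyond the image and
; cover it with the minimum-allocation field, which is why a heuristic
; scanner weighs this flag together with the others rather than alone.
;
```python
# Added example, not code from the original article: the 'K' check as the
# text describes it, i.e. does the EXE's initial SS:SP point past the end of
# the file? Works on the MZ header alone.
import struct

# MZ header: magic, then 13 words: cblp, cp, crlc, cparhdr, minalloc,
# maxalloc, ss, sp, csum, ip, cs, lfarlc, ovno (28 bytes in total).
MZ_HEADER = struct.Struct("<2s13H")
FIELDS = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
          "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")


def parse_mz(data):
    """Return the header fields as a dict; raise ValueError if not an EXE."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("file too short for an MZ header")
    fields = dict(zip(FIELDS, MZ_HEADER.unpack_from(data)))
    if fields["magic"] not in (b"MZ", b"ZM"):   # DOS accepts both signatures
        raise ValueError("not an MZ executable")
    return fields


def image_size_in_file(h):
    """Bytes of header plus load module the header says are in the file:
    512-byte pages, with cblp giving the bytes used on the last page."""
    pages, last = h["cp"], h["cblp"]
    return pages * 512 if last == 0 else (pages - 1) * 512 + last


def initial_stack_file_offset(h):
    """File offset of the initial stack top: the load module starts after
    cparhdr paragraphs of header, and SS is relative to the load module."""
    return h["cparhdr"] * 16 + h["ss"] * 16 + h["sp"]


def odd_stack(data):
    """'K' as described: True when the initial SS:SP lies beyond the bytes
    that are actually present in the file."""
    h = parse_mz(data)
    return initial_stack_file_offset(h) > image_size_in_file(h)


def make_header(ss, sp, image_bytes=0x400, cparhdr=2, minalloc=0):
    """Build a constructed EXE of `image_bytes` bytes (header included) whose
    code and data are all zero; only the stack fields matter here."""
    pages = (image_bytes + 511) // 512
    last = image_bytes % 512
    hdr = MZ_HEADER.pack(b"MZ", last, pages, 0, cparhdr, minalloc, 0xFFFF,
                         ss, sp, 0, 0, 0, 0x1C, 0)
    return hdr.ljust(image_bytes, b"\0")


# Constructed samples: a 1024-byte file with a 32-byte header. The first
# keeps its stack at offset 32 + 200h*... inside the image, the second
# points SS:SP several kilobytes past the end of the file.
NORMAL_EXE = make_header(ss=0x20, sp=0x100)   # stack top at file offset 800
ODD_EXE = make_header(ss=0x100, sp=0x200)     # stack top at file offset 4640

if __name__ == "__main__":
    for name, exe in (("normal", NORMAL_EXE), ("odd", ODD_EXE)):
        h = parse_mz(exe)
        print(f"{name}: stack top at {initial_stack_file_offset(h)}, "
              f"image {image_size_in_file(h)} bytes, K flag = {odd_stack(exe)}")
```
;
; Stack top equal to the image size is not flagged: SP is the first free
; slot, so a stack ending exactly at the end of the file is fully inside it.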
- VLAD #3 INDEX -