Assignment 4 Introduction


(1)

Assignment 4 Introduction

Assembly TA Wei-Yen Day

(2)

Computer Virus Basic

• A program that attaches itself to another program

• Reproduces itself

• Is executed later and creates more copies

– 1.COM -> 2.COM -> 3.COM …

• It can certainly dig into your computer and do things you don’t want

(3)

Structure of Virus

• 2 basic routines!

– Search

– Copy itself

• Further routines are a bit more complex

– Anti-detection

– Anti-anti-virus

(4)

Virus Classification

• According to the types of programs they infect

– They may infect COM, EXE, or SYS files

• Note that a virus can be written to infect any kind of code

– C, Basic, a batch file, a Paradox or Dbase program

(5)

COM File Structure

• When one enters the name of a program,

– DOS begins looking for a COM, EXE, or BAT file of that name

• COM files are much simpler

– They have a predefined segment layout

– The EXE file format is defined by the programmer (header plus relocations)

– A COM file is a direct binary image of what should be put into memory and executed by the CPU

(6)

Assignment 4: Justin Virus

(7)

Goal

• Infect all .COM programs under the same folder and print some mischievous lines

(8)

Overview

(9)

Virus Symbol

• Reserve 5 bytes

– 3 bytes for the jmp

– 2 bytes for the mark of the virus

• Infect a ?? program when the virus is executed

– nop nop nop nop nop (the five reserved bytes)

(10)

More About Virus

(11)

Checking Memory

• Compute the distance from the normal program to “here”

• The actual program size

– We call it “si”

– pop si ;si is p1+p2

– sub si, offset here ;then si is p2

• Every memory address used inside the virus must have “si” added to it

(12)

Recover Original Program

• For the first execution, we add 5 nops to reserve the space (see p.7)

• Recover the original program in memory (P1)

– mov ax, word ptr ds:FIRST_5_BYTE[si]

– mov ds:[100h], ax

– mov ax, word ptr ds:FIRST_5_BYTE[si+2]

– mov ds:[100h+2], ax

– mov al, byte ptr ds:FIRST_5_BYTE[si+4]

– mov ds:[100h+4], al

(13)

Write Back P1

(14)

Print Mischievous Word

• Print some mischievous words

• When an infected file is executed, it first prints the words the virus produces

• Then it infects others

(15)

Search Next File(1)

• FIND_FILE

– mov dx,OFFSET COM_MASK ;search for COM files

– mov ah,4EH ;DOS find first file function

– xor cx,cx ;CX holds all file attributes

• FIND_LOOP

– int 21h

– jc FIND_EXIT ;Exit if no files found

– call FILE_OK ;file OK to infect?

– jc FIND_NEXT ;nope, look for another

(16)

Search Next File (2)

• FIND_EXIT

– ret ;else return with z set

• FIND_NEXT

– mov ah,4FH ;DOS find next file function

– jmp FIND_LOOP ;Try finding another file

• COM_MASK BYTE '*.COM',0

• FILE_OK

– Check whether the virus pattern already exists in the file
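The FILE_OK check above and the COM layout on the “COM File Structure” slide can be looked at from the defender's side: the 2-byte mark that stops the virus from reinfecting a file is also the simplest signature a scanner can look for. The script below is an added example written for this page, not code from the slides or the course; the mark value `MARK`, the hand-assembled sample images and the temporary directory are all constructed for illustration.

```python
"""Defender-side scanner for the 5-byte infection signature the deck describes:
a 3-byte near jmp (E9 rel16) at file offset 0 followed by a 2-byte mark.
Added example; MARK and all sample images are constructed assumptions."""
import os
import struct
import tempfile

COM_LOAD_ADDR = 0x100   # a COM image is loaded at CS:0100h, so file offset 0 == IP 0x100
JMP_NEAR = 0xE9         # opcode of the 3-byte near jmp (rel16) the slides reserve 3 bytes for
MARK = b"JV"            # hypothetical 2-byte virus mark (assumption, not from the slides)


def parse_entry(image: bytes):
    """Return (starts_with_jmp, jump_target_file_offset, mark_bytes).

    For jmp rel16 the target IP is (IP after the 3-byte jmp) + rel16; with the
    image loaded at 0x100 that is simply file offset 3 + rel16 (mod 64 KiB)."""
    if len(image) < 5:
        return False, None, None
    mark = image[3:5]
    if image[0] != JMP_NEAR:
        return False, None, mark
    rel16 = struct.unpack_from("<h", image, 1)[0]
    return True, (3 + rel16) & 0xFFFF, mark


def classify(image: bytes):
    """Return (label, jump_target).
    'marked'    : jmp + MARK, i.e. the signature the virus itself checks in FILE_OK
    'entry-jmp' : file merely begins with a near jmp (clean programs do this too,
                  so it is a lead for an analyst, not proof of infection)
    'clean'     : first instruction is not a near jmp"""
    starts_with_jmp, target, mark = parse_entry(image)
    if starts_with_jmp and mark == MARK:
        return "marked", target
    if starts_with_jmp:
        return "entry-jmp", target
    return "clean", None


def scan_dir(path: str) -> dict:
    """Classify every .COM file in a directory (the same *.COM mask FIND_FILE uses)."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.upper().endswith(".COM"):
            continue
        with open(os.path.join(path, name), "rb") as f:
            results[name] = classify(f.read(0x10000))   # a COM image never exceeds 64 KiB
    return results


# Constructed sample images (hand-assembled, not the course's good_com files).
# CLEAN: at 0x100: mov ah,9 / mov dx,0108h / int 21h / ret, then "hi$" at 0x108
CLEAN = bytes([0xB4, 0x09, 0xBA, 0x08, 0x01, 0xCD, 0x21, 0xC3]) + b"hi$"
# DATA_FIRST: a legitimate program that jumps over its data: jmp +3 / "hi$" / mov ah,9 /
# mov dx,0103h / int 21h / ret -- starts with E9 but is not infected
DATA_FIRST = bytes([0xE9, 0x03, 0x00]) + b"hi$" + bytes([0xB4, 0x09, 0xBA, 0x03, 0x01, 0xCD, 0x21, 0xC3])


def build_infected(mark: bytes) -> bytes:
    """Constructed image laid out as the deck describes: jmp + mark overwrite the
    first 5 bytes, the rest of the original program stays in place, and the
    appended code is only a stand-in (nops and a ret), not a virus body."""
    original_tail = CLEAN[5:]
    body_start = 5 + len(original_tail)                 # file offset of the appended code
    head = bytes([JMP_NEAR]) + struct.pack("<h", body_start - 3) + mark
    stand_in_body = b"\x90" * 16 + b"\xC3"
    return head + original_tail + stand_in_body


MARKED = build_infected(MARK)            # carries the mark: positive signature hit
NOMARK = build_infected(b"\x00\x00")     # same layout without the mark: only a lead


def demo() -> dict:
    """Write the constructed samples into a temp directory and scan it."""
    samples = {"CLEAN.COM": CLEAN, "DATA1ST.COM": DATA_FIRST,
               "MARKED.COM": MARKED, "NOMARK.COM": NOMARK}
    with tempfile.TemporaryDirectory() as d:
        for name, img in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(img)
        return scan_dir(d)


if __name__ == "__main__":
    for name, (label, target) in demo().items():
        print(f"{name:12} {label:10} jump target: {target}")
```

Only the marked sample is a confirmed hit; `DATA1ST.COM` shows why “starts with a jmp” alone is a poor signature, and `NOMARK.COM` shows that a variant which drops or changes the mark would need a different signature or a look at the code the entry jump lands on.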

(17)

File OK, Infect It

• Back up the first 5 bytes of the original program

• Copy the virus itself to the end of the program

• Move the file pointer to the head and write the first 5 bytes

– Write v1

– 3 bytes are the jmp

– 2 bytes are the pattern

• Infect the next file

(18)

The Infecting Mission is Done!

• Let’s take an overview again:

1. Check memory (store the p2 size)

2. Recover the original program

3. Print lines

4. Search for a file to infect

5. Infect it

6. Loop 3. 4.

7. If no file can be infected, the mission is completed

(19)

Procedure of Justin

(20)

DEMO

(21)

Assignment 4 Note

• The .COM files (the files your virus must infect) are here

http://wyday.csie.ntu.edu.tw/good_com.zip

• When you compile your code to produce a virus, the anti-virus software on your computer might raise an alert

– Try to set your anti-virus software to exclude the folder your virus is in

(22)

Checking Scenario

• The following is the judgment of assignment 4:

– If your virus can infect a .COM file (copy itself so that it attaches to another program), you get the basic score

– If your virus can infect all .COM files under the same folder, you get a better score

– If your virus can infect all .COM files under the same folder, and when you open an infected file it infects all the other files, you get a nice score

• If your virus can do all of the above and can avoid infecting files repeatedly, you did a good job!

– If your virus crashes my computer, I would …

(23)

Now it’s your turn!

• Don’t just copy my code, think about it first

• Actually it’s a simple virus, and it’s easy work

• If you have any problem, google it! XD

• You can also discuss it with me, for sure

• Good luck to you guys!
