About Us We believe everything in the internet must be free. So this tool was designed for free download documents from the internet. Legal Notice We are not associated with any website in anyway. Disclaimer We are not responsible for. This covers all doubt which generally comes during preparation competitive exams very clearly and has approaches which help you a lot. A very helpful book for those students who are Preparing for Competitive Exams. It deals with each and every problem that comes your way during your exam preparation.
Most of the students score less not because of lack of knowledge or hard work or intelligence, but because of a lack of guidance, planned approach, and poor study techniques. The book would be useful for students preparing for different competitive exams at different stages of preparation. The book has been written keeping the general student in mind.
Some of the points in the book might look old and simple while some may look new and interesting. But remember, in order to get the maximum benefit from the book, the focus has to be on implementation rather than reading the book like a novel. We are sure every time you read this book you will find something new and useful in it.
So read it as many times as possible. Read it whenever you get stuck in your preparation and answer every possible problem you can face during preparation. Consistent study of six to seven hours with proper planning can give success even to average students. And remember there are no shortcuts am sure you will find a to success. Avinash Agarwal is a seasoned counselor in the field of academics and life skills. Thus, we might call it an application-specific virus.
These viruses make use of a detailed knowledge of the files they attack to hide better than would be possible if they were able to infiltrate just any file. For example, they might hide in a data area inside the program rather than lengthening the file.
However, in order to do that, the virus must know where the data area is located in the program, and that differs from program to program. COM, since they are on virtually every PC in existence. Regardless of which file such a virus attacks, though, it must be very, very common, or the virus will never be able to find another copy of that file to reproduce in, and so it will not go anywhere.
COM would it be possible to begin leaping from machine to machine and travel around the world. The boot sector is the first thing a computer loads into memory from disk and executes when it is turned on. By attacking this area of the disk, the virus can gain control of the computer immediately, every time it is turned on, before any other program can execute.
In this way, the virus can execute before any other program or person can detect its existence. The Basics of the Computer Virus 16 The Functional Elements of a Virus Every viable computer virus must have at least two basic parts, or subroutines, if it is even to be called a virus. Firstly, it must contain a search routine, which locates new files or new areas on disk which are worthwhile targets for infection. This routine will determine how well the virus reproduces, e.
As with all programs, there is a size versus function- ality tradeoff here. The more sophisticated the search routine is, the more space it will take up. So although an efficient search routine may help a virus to spread faster, it will make the virus bigger, and that is not always so good.
Secondly, every computer virus must contain a routine to copy itself into the area which the search routine locates. The copy routine will only be sophisticated enough to do its job without getting caught. The smaller it is, the better. How small it can be will depend on how complex a virus it must copy. For example, a virus which infects only COM files can get by with a much smaller copy routine than a virus which infects EXE files.
This is because the EXE file structure is much more complex, so the virus simply needs to do more to attach itself to an EXE file. While the virus only needs to be able to locate suitable hosts and attach itself to them, it is usually helpful to incorporate some additional features into the virus to avoid detection, either by the computer user, or by commercial virus detection software.
Anti-detection routines can either be a part of the search or copy routines, or functionally separate from them. For example, the search routine may be severely limited in scope to avoid detection.
A routine which checked every file on every disk drive, without limit, would take a long time and cause enough unusual disk activity that an alert user might become suspicious.
Alternatively, an anti- detection routine might cause the virus to activate under certain special conditions. For example, it might activate only after a certain date has passed so the virus could lie dormant for a time.
Alternatively, it might activate only if a key has not been pressed for five minutes suggesting that the user was not there watching his computer.
Search, copy, and anti-detection routines are the only nec- essary components of a computer virus, and they are the compo- nents which we will concentrate on in this volume. Of course, many computer viruses have other routines added in on top of the basic three to stop normal computer operation, to cause destruction, or to play practical jokes.
Such routines may give the virus character, but they are not essential to its existence. If there is just a little more disk activity than expected, no one will probably notice, and the virus will go on its merry way.
The result is that the viruses on that particular system are killed off, either by themselves or by the clean up crew. The virus then becomes just like a Kamikaze pilot, who gives his life to accomplish the mission. For example, one well known virus turns a computer into a simulation of a wash machine, complete with graphics and sound. Another makes Friday the 13th truly a bad day by coming to life only on that day and destroying data. None the less, these kinds of routines are more properly the subject of volume three of this series, which discusses the military applications of computer viruses.
In this volume we will stick with the basics of designing the reproductive system. The delivery system is very, very impor- tant. The situation is similar to having an atomic bomb, but not the means to send it half way around the world in fifteen minutes. Sure, you can deploy it, but crossing borders, getting close to the target, and hiding the bomb all pose considerable risks. The effort to develop a rocket is worthwhile.
Tools Needed for Writing Viruses Viruses are written in assembly language. High level lan- guages like Basic, C, and Pascal have been designed to generate stand-alone programs, but the assumptions made by these lan- guages render them almost useless when writing viruses. They are simply incapable of performing the acrobatics required for a virus to jump from one host program to another. Thus, to create viruses, we must use assembly language.
If you have not done any programming in assembler before, I would suggest you get a good tutorial on the subject to use along side of this book. A few are mentioned in the Suggested Reading at the end of the book. However, I will assume that you have some knowledge of assembly language—at least at the level where you can understand what some of the basic machine instructions, like mov ax,bx do.
If you are not familiar with simpler assembly language programming like this, get a tutorial book on the subject. With a little work it will bring you up to speed. At present, there are three popular assemblers on the mar- ket, and you will need one of them to do any work with computer viruses. Thirdly, there is A86, which is shareware, and available on many bulletin board systems throughout the country.
You can get a copy of it for free by calling up one of these systems and downloading it to your computer with a modem. However, if you plan to use A86, the author demands that you pay him almost as much as if you bought one of the other assemblers. He will hold you liable for copyright violation if he can catch you. My favorite is TASM, because it does exactly what you tell it to without trying to outsmart you.
That is exactly what you want when writing a virus. Anything less can put bugs in you programs even when they are correctly written.
Batch files are provided to perform a correct assembly with each assembler. If you do not have an assembler, or the resources to buy one, or the inclination to learn assembly language, the viruses are provided in Intel hex format so they can be directly loaded onto your computer in executable form. The program disk also contains compiled, directly executable versions of each virus.
This virus is very small, comprising only bytes of machine language instructions. It is also fairly safe, be- cause it has one of the simplest search routines possible. It is also harmless because it contains no destructive code, and it tells you when it is infecting a new file, so you will know where it is and where it has gone.
On the other hand, its extreme simplicity means that this is not a very effective virus. It will not infect most files, and it can easily be caught. Still, this virus will introduce all the essential concepts necessary to write a virus, with a minimum of complexity and a minimal risk to the experimenter.
As such, it is an excellent instructional tool. Some DOS Basics To understand the means by which the virus copies itself from one program to another, we have to dig into the details of how the operating system, DOS, loads a program into memory and passes control to it. Only then can it reproduce. Then, it must be able to pass control back to the host program, so the host can execute in its entirety as well.
If it finds one it will load the file into memory and execute it. Of these two types of program files, COM files are much simpler. They have a predefined segment format which is built into the structure of DOS, while EXE files are designed to handle a user defined segment format, typical of very large and complicated programs.
Most importantly, DOS controls and allocates memory usage in the computer. So first it checks to see if there is enough room in memory to load the program. If it can, DOS then allocates the memory required for the program.
This step is little more than an internal housekeeping function. Such a step is necessary because more than one program may reside in memory at any given time. For example, pop-up, memory resident programs can remain in memory, and parent programs can load child programs into memory, which execute and then return control to the parent.
The lowest bytes of that memory was reserved for the operating system itself to store crucial data. For example, location 5 in memory contained a jump instruction to get to the rest of the operating system, which was stored in high memory, and its location differed according to how much memory the computer had.
Thus, programs written for these machines would access the operating system functions by calling location 5 in memory. Some of it is useful though, as we will see a little later. Once this is done, DOS is almost ready to pass control to the program. Before it does, though, it must set up the registers in the CPU to certain predetermined values. First, the segment registers must be set properly, or a COM program cannot run. In the microprocessor, all registers are 16 bit regis- ters.
The problem is that a 16 bit register will only allow one to address 64 kilobytes of memory. If you want to use more memory, you need more bits to address it. The can address up to one megabyte of memory using a process known as segmentation. It uses two registers to create a physical memory address that is 20 bits long instead of just Such a register pair consists of a segment register, which contains the most significant bits of the address, and an offset register, which contains the least significant bits.
The segment register points to a 16 byte block of memory, and the offset register tells how many bytes to add to the start of the 16 byte block to locate the desired byte in memory. This leads to the possibility of writing a single physical address in several different ways.
The proper choice is simply whatever is convenient for the programmer. However, it is standard program- ming practice to set the segment registers and leave them alone as much as possible, using offsets to range through as much data and code as one can 64 kilobytes if necessary. They each serve different purposes. The cs register specifies the 64K segment where the actual program instructions which are executed by the CPU are located.
It might typically be used to point to the video memory segment, for writing data directly to video, etc. COM files are designed to operate with a very simple, but limited segment structure. All data is stored in the same segment as the program code itself, and the stack shares this segment.
Since any given segment is 64 kilobytes long, a COM program can use at most 64 kilobytes for all of its code, data and stack. However, today it is not uncommon to find programs that require several hundred kilobytes of code, and maybe as much data.
Such programs must use a more complex segmentation scheme than the COM file format allows. The EXE file structure is designed to handle that complex- ity. The drawback with the EXE file is that the program code which is stored on disk must be modified significantly before it can be executed by the CPU. This makes it possible to store a straight binary image of the code to be executed on disk the COM file. When it is time to run the program, DOS only needs to set up the segment registers properly and execute it.
DOS picks the segment based on what free memory is available, and puts the PSP at the very start of that segment. When the program is done, it transfers control back to DOS, and DOS releases the memory reserved for that program and gives the user another command line prompt. An Outline for a Virus In order for a virus to reside in a COM file, it must get control passed to its code at some point during the execution of the program.
It is conceivable that a virus could examine a COM file and determine how it might wrest control from the program at any point during its execution. Such an analysis would be very difficult, though, for the general case, and the resulting virus would be anything but simple.
By far the easiest point to take control is right at the very beginning, when DOS jumps to the start of the program. Since the program itself has not yet executed, it cannot have set up data anywhere in memory, or moved the stack, so this is a very safe time for the virus to operate.
To gain control at startup time, a virus infecting a COM file must replace the first few bytes in the COM file with a jump to the virus code, which can be appended at the end of the COM file. Then, when the COM file is executed, it jumps to the virus, which goes about looking for more files to infect, and infecting them. When the virus is ready, it can return control to the host program. The problem in doing this is that the virus already replaced the first few bytes of the host program with its own code.
Thus it must restore those bytes, and then jump back to offset Hex, where the original program begins. Here, then, is the basic plan for a simple viral infection of a COM file. Imagine a virus sitting in memory, which has just been Figure 4: Replacing the first bytes in a COM file. It goes out and infects another COM file with itself. Step by step, it might work like this: 1.
An infected COM file is loaded into memory and executed. The viral code gets control first. The virus in memory searches the disk to find a suitable COM file to infect. If a suitable file is found, the virus appends its own code to the end of the file. The new virus will need these bytes when it executes. Next the virus in memory writes a jump instruction to the beginning of the file it is infecting, which will pass control to the new virus when its host program is executed.
Then the virus in memory takes the bytes which were originally the first bytes in its host, and puts them back at offset H. Finally, the viral code jumps to offset Hex and allows its host program to execute. We will need both a search mechanism and a copy mechanism. All of the information about every file on disk is stored in two areas on disk, known as the directory and the File Allocation Table, or FAT for short. The directory contains a 32 byte file descriptor record for each file.
The FAT is a map of the entire disk, which simply informs the operating system which areas are occupied by which files. The second is a backup, in case the first gets corrupted. On the other hand, a disk may have many directories. One directory, known as the root directory, is present on every disk, but the root may have multiple subdirectories, nested one inside of another to form a tree structure.
These subdirectories can be created, used, and removed by the user at will. Thus, the tree structure can be as simple or as complex as the user has made it. Both the FAT and the root directory are located in a fixed area of the disk, reserved especially for them. Subdirectories are stored just like other files with the file attribute set to indicate that this file is a directory. The operating system then handles this subdirectory file in a completely different manner than other files to make it look like a directory, and not just another file.
The subdirectory file simply consists of a sequence of 32 byte records describing the files in that directory. It may contain a 32 byte record with the attribute set to directory, which means that this file is a subdirectory of a subdirectory. The DOS operating system normally controls all access to files and subdirectories. If one wants to read or write to a file, he does not write a program that locates the correct directory on the disk, reads the file descriptor records to find the right one, figure out where the file is and read it.
Instead of doing all of this work, he simply gives DOS the directory and name of the file and asks it to open the file. DOS does all the grunt work. This saves a lot of time in writing and debugging programs. One simply does not have to deal with the intricate details of managing files and interfacing with the hardware. Interrupt 21H is the main DOS interrupt service routine that we will use. This function tells DOS to locate the file and prepare it for reading. The register ah contains the function number, which DOS uses to determine what you are asking it to do.
The other registers must be set up differently, depending on what ah is, to convey more information to DOS about what it is supposed to do. In the above example, the ds:dx register pair is used to point to the memory location where the name of the file to open is stored. The register al tells DOS to open the file for reading only. All of the various DOS functions, including how to set up all the registers, are detailed in many books on the subject.
Here we will only discuss the DOS functions we need, as we need them. This will probably be enough to get by. However, if you are going to write viruses of your own, it is definitely worthwhile knowing about all of the various func- tions you can use, as well as the finer details of how they work and what to watch out for.
To write a routine which searches for other files to infect, we will use the DOS search functions. The people who wrote DOS knew that many programs not just viruses require the ability to look for files and operate on them if any of the required type are found. Thus, they incorporated a pair of searching functions into the interrupt 21H handler, called Search First and Search Next.
These are some of the more complicated DOS functions, so they require the user to do a fair amount of preparatory work before he calls them. The first step is to set up an ASCIIZ string in memory to specify the directory to search, and what files to search for. This is simply an array of bytes terminated by a null byte 0. If not, a basic book on DOS will explain this syntax. DOS might find files like hyper. Register cl must be set to a file attribute mask which will tell DOS which file attributes to allow in the search, and which to exclude.
The logic behind this attribute mask is somewhat complex, so you might want to study it in detail in Appendix G. This data provides the program doing the search with the name of the file which DOS just found, its attribute, its size and its date of creation.
Since the calling program knows the address of the DTA, it can go examine that area for the file information after DOS has stored it there. To see how this function works more clearly, let us consider an example. In comparison with the Search First function, the Search Next is easy, because all of the data has already been set up by the Search First.
If no more matches are found, DOS will set ah to something besides zero on return. One must be careful here so the data in the DTA is not altered between the call to Search First and later calls to Search Next, because the Search Next expects the data from the last search call to be there. Of course, the computer virus does not need to search through all of the COM files in a directory. It must find one that will be suitable to infect, and then infect it. Given the name of a file on disk, it will determine whether that file is good to infect or not.
We can use this flag to determine whether to continue searching for other files, or whether we should go infect the one we have found. It is important to un- derstand if you want to write computer viruses, and more generally, it is useful in a wide variety of programs of all kinds. This function is particularly important to the success or failure of the virus, because it tells the virus when and where to move.
If it tells the virus to infect a program which does not have room for the virus, then the newly infected program may be inadvertently ruined. Then the file will grow larger and larger, until there is no more room for an infection.
If our search routine used this subroutine, it would always stop and say that the first COM file it found was the one to infect. The result would be that the first COM program in a directory would be the only program that would ever get infected. It would just keep getting infected again and again, and growing in size, until it exceeded its size limit and crashed. Then checking the file size to see if the virus will fit is a simple matter. If we add these bytes to ax, and ax overflows, then the file which the search routine has found is too large to permit a successful infection.
This can only be accomplished if the virus has some understanding of how it goes about infecting a file. In the TIMID virus, we have decided to replace the first few bytes of the host program with a jump to the viral code.
The virus we create here will always use a near jump to gain control when the program starts. Since a short jump only has a range of bytes, we could not use it to infect a COM file larger than bytes. The near jump allows a range of 64 kilobytes. Thus it can always be used to jump from the beginning of a COM file to the virus, at the end of the program, no matter how big the COM file is as long as it is really a valid COM file.
A near jump is represented in machine language with the byte E9 Hex, followed by two bytes which tell the CPU how far to jump. Thus, our first test to see if infection has already occurred is to check to see if the first byte in the file is E9 Hex. If it is anything else, the virus is clear to go ahead and infect. Looking for E9 Hex is not enough though.
Many COM files are designed so the first instruction is a jump to begin with. Thus the virus may encounter files which start with an E9 Hex even though they have never been infected.
The virus cannot assume that a file has been infected just because it starts with an E9. It must go farther. It must have a way of telling whether a file has been infected even when it does start with E9. One way to make this test simple and yet very reliable is to change a couple more bytes than necessary at the beginning of the host program.
The near jump will require three bytes, so we might take two more, and encode them in a unique way so the virus can be pretty sure the file is infected if those bytes are properly encoded.
The simplest scheme is to just set them to some fixed value. It will infect everything else. This function requires us to set ds:dx to point to the file name FNAME and to specify the access rights which we desire in the al register.
This will allow the virus to detect read-only files and avoid them, since the virus must write to a file to infect it. It is much better to find out that the file is read-only here, in the search routine, than to assume the file is good to infect and then have the virus fail when it actually attempts infection. If DOS opens the file successfully, it returns a file handle in ax. This is just a number which DOS uses to refer to the file in all future requests.
To read a file, one must set bx equal to the file handle number and cx to the number of bytes to read from the file. DOS stores an internal file pointer for each open file which keeps track of where in the file DOS is going to do its reading and writing from. The file pointer is just a four byte long integer, which specifies which byte in the selected file a read or write operation refers to. However, you should be aware that it is there, hidden away by DOS. It is an essential part of any file reading and writing we may want to do.
When it comes time for the virus to infect the file, it will have to modify this file pointer to grab a few bytes here and put them there, etc. Doing that is much faster and hence, less noticeable than reading a whole file into memory, manipulating it in memory, and then writing it back to disk. For now, though, the actual reading of the file is fairly simple.
The only possible error is that the file is not long enough to read five bytes, and we are pretty safe in assuming that most COM files will have more than four bytes in them.
The Copy Mechanism After the virus finds a file to infect, it must carry out the infection process. This time, however we want to go to the end of the file and store the virus there. To do so, we first move the file pointer using DOS function 42H. In calling function 42H, the register bx must be set up with the file handle number, and cx:dx must contain a 32 bit long integer telling where to move the file pointer to. There are three different ways this function can be used, as specified by the contents of the al register.
Since the first thing the virus must do is place its code at the end of the COM file it is attacking, it sets the file pointer to the end of the file. This is easy. To do so, one simply uses the DOS write function, 40 Hex.
To use function 40H one must set ds:dx to the location in memory where the data is stored that is going to be written to disk. In this case that is the start of the virus.
Next, set cx to the number of bytes to write and bx to the file handle. There is one problem here. Since the virus is going to be attaching itself to COM files of all different sizes, the address of the start of the virus code is not at some fixed location in memory. Every file it is attached to will put it somewhere else in memory. So the virus has to be smart enough to figure out where it is.
Here we assume that this memory location has al- ready been properly initialized. First, it must move the first five bytes of the COM file to a storage area in the viral code. We need only write them out to disk in the proper location. Note that there must be two separate areas in the virus to store five bytes of startup code.
This contains the first five bytes of the file it is actually attached to. We must also subtract 3 from this number because the relative jump is always referenced to the current instruction pointer, which will be pointing to H when the jump is actually executed. Data Storage for the Virus One problem we must face in creating this virus is how to locate data. The jumps and calls relocate themselves automatically.
T here are lots of different methods on the internet to learn Hacking. If you want to learn ethical hacking then just download hacking books from below and start exploring the Hacking World. Here i also give you a special hacking ebook in the end. These hacking ebooks are only for the noble knowledge purpose and must not be used for illegal purposes. One of the best Book for Beginners. If you are serious only then buy this book otherwise skip this.
Who is trying to learn to hack by watching a youtube video, then by searching on google? Today, some of you can learn to hack through Ethical Hacking ebooks.
0コメント