Deactivations ─────────────────────────────────────────────────────────────────> Blade Runner

The deactivation of a virus in memory is a standard process, and very easy indeed. Anyway, I'm conscious that many of you aren't that intelligent, so I'll explain it clearly *step_by_step*; that is, those of you who have a bit more knowledge may just give it a look, or skip the whole article.

Mmmh... let's see... first thing is for the virus to be resident... :)

Let's introduce this briefly :) A virus, in order to stay resident, has to change interrupt vectors so that they point to it. In other words, a virus that hooks int 21h will change the ES:BX that int 21h function 35h returns, or else it will write the new vector directly to 0000:(int#*4). Since the virus keeps the old vector address in its code, it is obvious that we'll have to look for where it keeps it and put it back into the interrupt vector table.

Once we know the theory, let's see it in practice. Above all, we'll have to find a tool for the job. I personally use debug (as you can see, I use it for everything) :) but you'll prefer AVPUtil or some other new colorful user-friendly debugger. I even sometimes use a little program written by myself which is very useful for these kinds of situations.

Well, then we start. First step is to know the memory status, by means of int 21h function 35h (get interrupt vector). Here it is, done with debug:

    C:\29A>debug
    -a100
    1649:0100 mov ax,3521
    1649:0103 int 21
    1649:0105
    -p

    AX=3521  BX=0000  CX=0000  DX=0000  SP=FFEE  BP=0000  SI=0000  DI=0000
    DS=1560  ES=0000  SS=1560  CS=1560  IP=0103   NV UP EI PL NZ NA PO NC
    1560:0103 CD21          INT     21
    -p

    AX=3521  BX=410D  CX=0000  DX=0000  SP=FFEE  BP=0000  SI=0000  DI=0000
    DS=1560  ES=0011  SS=1560  CS=1560  IP=0105   NV UP EI PL NZ NA PO NC
    1560:0105 8BFF          MOV     DI,DI
    -q

Then we look at the values in ES and BX, which are the segment and the offset of the interrupt vector. These are, in this case, 0011:410d.
Ok, note it down or remember it and keep going :-) Now we have to pick a virus for our experiment. We'll use any of the Barrotes family, the typical lame viruses mutated with PCTewls ;-) For instance, Barrotes.1310.d... let's have a look at its payload and at what Mr. Kaspersky tells us about it:

    Virus MIKELON por MSoft

    [AVP virus encyclopedia screen; the text is garbled in this copy. The legible
     parts: "Barrotes family" - dangerous memory resident parasitic viruses; on
     execution they infect C:\COMMAND.COM, then hook INT 21h and infect COM and
     EXE files as they are executed; they contain the internal text string
     "c:\command.com"; on the trigger date they hook INT 1Ch, display the message
     "Virus BARROTES por OSoft" and several vertical lines. "Barrotes.1310.d"
     doesn't corrupt the MBR; on installation it uses a 386 instruction and
     displays the message "Virus MIKELON por MSoft". A further entry describes
     "Barrotes.Tempo.1303", an encrypted variant.]

    Test mode: Analyzer Warnings CRC
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ C:\29A (Programs) ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
    C:\29A bar1310d.com : virus Barrotes.1310.d detected.

Once we've seen the virus, we may start our work. To make it easier, we will use that little program I told you I sometimes use (CrackVir), written by myself...
It's a program which intercepts int 21h function 4bh once a virus is memory resident; that is, the virus won't be able to infect, though it will be completely operational. This is quite easy to do... my program saves the original int 21h vector values and, after running the virus, it intercepts function 4bh, so the virus, if it uses 4b00h for infecting, won't be able to hit any file.

What we're left with now is easy. We run AVPUtil, or even debug, and look at the contents of the int 21h vector, which is now occupied by the virus. This time we're left with 9f9c:017b (the segment will vary). Then we'll have to dump from the beginning of that segment (9f9c:0000) and search for 0011:410d, which was the original int 21h value (hex: 0D 41 11 00, i.e. the offset word followed by the segment word). With debug we'll have to look for it ourselves, whilst with AVPUtil we can let it look for it:

    Memory Dump:   F2-save  F3-text mode  F4-HEX/ASCII  F5-edit  F7-find
    ╔═════════╤═════════════════════════════════════════════════
    ║9F9C:0103│[0D*41*11*00]55 01 18 D6 D0 0E D4 00 00 00 80 00 │
    ║9F9C:0113│ D0 0E 5C 00 D0 0E 6C 00 D0 0E 94 B4 06 00 4D 5A │
    ║9F9C:0123│ D4 01 0C 00 06 00 20 00 75 02 FF FF A8 00 54 0B │
    ║9F9C:0133│ 89 19 58 08 A8 00 1E 00 00 00 06 00 00 00 50 31 │
    ║9F9C:0143│ 2E 03 00 01 00 41 43 41 44 2E 45 58 45 10 00 00 │
    ║9F9C:0153│ 02 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 2E 43 4F 4D │
    ║9F9C:0163│ 2E 45 58 45 43 6F 70 79 72 69 67 68 74 20 28 43 │
    ║9F9C:0173│ 29 20 31 39 38 38 2C 20 31 39 38 39 20 62 79 20 │
    ║9F9C:0183│ 41 42 54 20 47 72 6F 75 70 2E 20 E3 08 00 00 EB │

The search result is up there: the original int 21h vector is kept at 9f9c:0103 (the offset word at 0103, the segment word at 0105). Now we have enough information to create a generic memory remover for this virus, which is rather easy to code.

Blade Runner/29A
Los Angeles, 2019
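As an added example (not Blade Runner's CrackVir nor any 29A code), here is the scan-and-restore logic of such a generic remover written in portable C so it can be run on a dump: it searches an image of the resident segment for the saved original vector and copies it back into the int 21h slot of an IVT buffer. The 0x200-byte image built from the dump row above, the NOP filler and the fake hooked IVT are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
/* DOS stores a far pointer (in the IVT and in the virus's own save area)
 * as offset word then segment word, both little-endian. */
static void put_far_ptr(uint8_t *d, uint16_t seg, uint16_t off)
{
    d[0] = (uint8_t)off; d[1] = (uint8_t)(off >> 8);
    d[2] = (uint8_t)seg; d[3] = (uint8_t)(seg >> 8);
}
/* Scan an image of the resident segment for the saved original vector
 * (the 0D 41 11 00 byte pattern of the article). Returns offset or -1. */
long find_saved_vector(const uint8_t *img, size_t len,
                       uint16_t orig_seg, uint16_t orig_off)
{
    uint8_t needle[4];
    size_t i;
    put_far_ptr(needle, orig_seg, orig_off);
    for (i = 0; i + 4 <= len; i++)
        if (memcmp(img + i, needle, 4) == 0)
            return (long)i;
    return -1;
}
/* Copy the saved far pointer back into IVT slot 0000:(intno*4). The IVT is
 * a buffer here; on real DOS it is segment 0 (int 21h's slot is 0000:0084). */
int restore_vector(uint8_t *ivt, int intno, const uint8_t *img, long at)
{
    if (at < 0 || intno < 0 || intno > 0xFF) return 0;
    memcpy(ivt + intno * 4, img + at, 4);
    return 1;
}
/* Constructed sample: the article's dump row (9F9C:0103) placed at
 * offset 0103 of a 0x200-byte image, NOP (90h) filler elsewhere. */
const uint8_t dump_row[16] = { 0x0D,0x41,0x11,0x00,0x55,0x01,0x18,0xD6,
                               0xD0,0x0E,0xD4,0x00,0x00,0x00,0x80,0x00 };
/* Hook int 21h at 9F9C:017B in a fake IVT, locate the saved vector in the
 * image and restore it; returns the IVT entry as seg<<16|off (0x0011410D). */
uint32_t demo_remove(void)
{
    uint8_t ivt[0x100 * 4], img[0x200], *p = ivt + 0x21 * 4; long at;
    memset(ivt, 0, sizeof ivt);
    put_far_ptr(p, 0x9F9C, 0x017B);              /* vector points at the virus */
    memset(img, 0x90, sizeof img);
    memcpy(img + 0x103, dump_row, sizeof dump_row);
    at = find_saved_vector(img, sizeof img, 0x0011, 0x410D);   /* 0x103 */
    if (!restore_vector(ivt, 0x21, img, at)) return 0;
    return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
```

A real remover would read the hooked vector with function 35h first, take the image from the segment it points to, and only then write the match back to 0000:0084.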