40Hex Issue 11 Volume 3 Number 2 File 006

─────────────────────
SFT's and Their Usage
─────────────────────
By Dark Angel
Phalcon/Skism
─────────────────────

A powerful though seldom-used technique in virus writing is the use of the
system file table (SFT), an internal DOS structure similar in some respects
to FCBs, albeit vastly more powerful. The system file table holds the
critical information on the state of an open file, including the current
pointer location, the open mode, and the file size. Manipulation of the
system file tables can often replace calls to the corresponding DOS
interrupt routines and therefore, when combined with other techniques,
reduces the effectiveness of a TSR virus monitor and decreases code size.
Each open file has a corresponding system file table entry.

The following tables come from Ralf Brown's interrupt listing.

Format of DOS 2.x system file tables:

 Offset  Size       Description
  00h    DWORD      pointer to next file table
  04h    WORD       number of files in this table
  06h    28h bytes  per file
         Offset  Size      Description
          00h    BYTE      number of file handles referring to this file
          01h    BYTE      file open mode (see AH=3Dh)
          02h    BYTE      file attribute
          03h    BYTE      drive (0 = character device, 1 = A, 2 = B, etc)
          04h    11 BYTEs  filename in FCB format (no path, no period,
                           blank-padded)
          0Fh    WORD      ???
          11h    WORD      ???
          13h    DWORD     file size???
          17h    WORD      file date in packed format (see AX=5700h)
          19h    WORD      file time in packed format (see AX=5700h)
          1Bh    BYTE      device attribute (see AX=4400h)
         ---character device---
          1Ch    DWORD     pointer to device driver
         ---block device---
          1Ch    WORD      starting cluster of file
          1Eh    WORD      relative cluster in file of last cluster accessed
         ------
          20h    WORD      absolute cluster number of current cluster
          22h    WORD      ???
          24h    DWORD     current file position???
Format of DOS 3.x system file tables and FCB tables:

 Offset  Size       Description
  00h    DWORD      pointer to next file table
  04h    WORD       number of files in this table
  06h    35h bytes  per file
         Offset  Size      Description
          00h    WORD      number of file handles referring to this file
          02h    WORD      file open mode (see AH=3Dh)
                           bit 15 set if this file opened via FCB
          04h    BYTE      file attribute
          05h    WORD      device info word (see AX=4400h)
          07h    DWORD     pointer to device driver header if character
                           device, else pointer to DOS Drive Parameter Block
                           (see AH=32h)
          0Bh    WORD      starting cluster of file
          0Dh    WORD      file time in packed format (see AX=5700h)
          0Fh    WORD      file date in packed format (see AX=5700h)
          11h    DWORD     file size
          15h    DWORD     current offset in file
          19h    WORD      relative cluster within file of last cluster
                           accessed
          1Bh    WORD      absolute cluster number of last cluster accessed
                           0000h if file never read or written???
          1Dh    WORD      number of sector containing directory entry
          1Fh    BYTE      number of dir entry within sector (byte offset/32)
          20h    11 BYTEs  filename in FCB format (no path/period,
                           blank-padded)
          2Bh    DWORD     (SHARE.EXE) pointer to previous SFT sharing same
                           file
          2Fh    WORD      (SHARE.EXE) network machine number which opened
                           file
          31h    WORD      PSP segment of file's owner (see AH=26h)
          33h    WORD      offset within SHARE.EXE code segment of sharing
                           record (see below), 0000h = none

Format of DOS 4+ system file tables and FCB tables:

 Offset  Size       Description
  00h    DWORD      pointer to next file table
  04h    WORD       number of files in this table
  06h    3Bh bytes  per file
         Offset  Size      Description
          00h    WORD      number of file handles referring to this file
          02h    WORD      file open mode (see AH=3Dh)
                           bit 15 set if this file opened via FCB
          04h    BYTE      file attribute
          05h    WORD      device info word (see AX=4400h)
                           bit 15 set if remote file
                           bit 14 set means do not set file date/time on
                           closing
          07h    DWORD     pointer to device driver header if character
                           device, else pointer to DOS Drive Parameter Block
                           (see AH=32h) or REDIR data
          0Bh    WORD      starting cluster of file
          0Dh    WORD      file time in packed format (see AX=5700h)
          0Fh    WORD      file date in packed format (see AX=5700h)
          11h    DWORD     file size
          15h    DWORD     current offset in file
         ---local file---
          19h    WORD      relative cluster within file of last cluster
                           accessed
          1Bh    DWORD     number of sector containing directory entry
          1Fh    BYTE      number of dir entry within sector (byte offset/32)
         ---network redirector---
          19h    DWORD     pointer to REDIRIFS record
          1Dh    3 BYTEs   ???
         ------
          20h    11 BYTEs  filename in FCB format (no path/period,
                           blank-padded)
          2Bh    DWORD     (SHARE.EXE) pointer to previous SFT sharing same
                           file
          2Fh    WORD      (SHARE.EXE) network machine number which opened
                           file
          31h    WORD      PSP segment of file's owner (see AH=26h)
          33h    WORD      offset within SHARE.EXE code segment of sharing
                           record (see below), 0000h = none
          35h    WORD      (local) absolute cluster number of last cluster
                           accessed
                           (redirector) ???
          37h    DWORD     pointer to IFS driver for file, 00000000h if
                           native DOS

In order to exploit this nifty structure in DOS, the virus must first find
the location of the appropriate system file table entry. This may be easily
accomplished with a few undocumented DOS calls. Given the file handle in
BX, the following code will return the address of the corresponding system
file table entry:

        mov  ax,1220h       ; get job file table entry to ES:DI (DOS 3+ only)
        int  2fh
        mov  bl,es:[di]     ; get the SFT number for the file handle
                            ; -1 (0FFh) = handle not open
                            ; BH must be 0 here, which holds for handles
                            ; below 256
        mov  ax,1216h       ; get address of system file table entry
        int  2fh            ; number BX
                            ; ES:DI now points to the system file table entry

Now that the system file table entry address is known, it is a trivial
matter to alter the various bytes of the entry to fit your particular
needs. Most viruses must first clear a file's attributes in order to open
the file in read/write mode, since DOS would otherwise refuse to write to a
read-only file. This handicap is easily overcome by opening the file in
read-only mode (al = 0) and changing the byte (DOS 2.x, offset 01h) or word
(DOS 3+, offset 02h) holding the file's open mode to 2.
This has the added benefit of bypassing some resident alarms, which
generally do not go off if a file is opened in read-only mode.

It is also possible to set a file's pointer by altering the double word at
offset 15h (in DOS 3+). So a quick and easy way to reset the file pointer to
the start of the file is:

        mov  word ptr es:[di+15h],0   ; low word of current offset
        mov  word ptr es:[di+17h],0   ; high word of current offset

It is acceptable to ignore the DOS 2.x system file table format. DOS 2.x is
not in common use today and many programs simply refuse to run under such
primitive versions. Most of the useful offsets are constant in DOS 3.x+,
which simplifies the code tremendously.

This is only a surface treatment of a topic which warrants further
investigation. Numerous opportunities exist for the enterprising virus
author to exploit the power of the system file tables. But the only way to
find these opportunities is to experiment. Have fun!
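The DOS 3.x entry layout and the open-mode patch described above, worked through from the other side: an added example (not part of the original article) that decodes a 35h-byte SFT entry pulled from memory or a dump and flags the one state DOS itself never produces, a write-capable access mode on a file whose read-only attribute is still set. The sample entries are constructed for the demonstration, not captured from a real system.

```python
import struct

# DOS 3.x SFT entry (35h bytes), field order exactly as in the table above:
# handles, open mode, attribute, device info, driver/DPB ptr, start cluster,
# time, date, size, position, rel cluster, abs cluster, dir sector, dir index,
# FCB-format name, SHARE prev SFT, machine number, owner PSP, SHARE record.
_SFT3 = struct.Struct("<HHBHIHHHIIHHHB11sIHHH")
assert _SFT3.size == 0x35

def parse_sft_entry(raw: bytes) -> dict:
    """Decode one DOS 3.x system file table entry into named fields."""
    f = _SFT3.unpack_from(raw)
    name = f[14][:8].decode("ascii").rstrip()
    ext = f[14][8:].decode("ascii").rstrip()
    ftime, fdate = f[6], f[7]
    return {
        "handles": f[0],
        "access": f[1] & 0x07,             # 0 = read, 1 = write, 2 = read/write
        "via_fcb": bool(f[1] & 0x8000),    # bit 15 of the open-mode word
        "read_only": bool(f[2] & 0x01),    # attribute bit 0
        "drive": f[3] & 0x3F,              # device info word: 0 = A:, 1 = B:, ...
        "file_size": f[8],
        "position": f[9],
        "filename": f"{name}.{ext}" if ext else name,
        "date": (1980 + (fdate >> 9), (fdate >> 5) & 0x0F, fdate & 0x1F),
        "time": (ftime >> 11, (ftime >> 5) & 0x3F, (ftime & 0x1F) * 2),
        "owner_psp": f[17],
    }

def open_mode_conflicts_with_attribute(entry: dict) -> bool:
    """DOS refuses write access to a file whose read-only attribute is set,
    so a live entry that allows writing while that bit is still present
    was altered after the open completed."""
    return entry["read_only"] and entry["access"] in (1, 2)

def build_entry(open_mode: int, attr: int, size: int, fcb_name: bytes) -> bytes:
    """Pack a constructed (not captured) DOS 3.x entry on drive C:."""
    return _SFT3.pack(1, open_mode, attr, 0x0002, 0, 0x0123, 0x63C0, 0x182F,
                      size, 0, 0, 0, 0, 0, fcb_name, 0, 0, 0x1A2B, 0)

# Constructed samples: a normal read-only open of a read-only file, and the
# same entry after its open-mode word was rewritten to 2 behind DOS's back.
NORMAL_ENTRY = build_entry(0x0000, 0x21, 0x1234, b"COMMAND COM")
PATCHED_ENTRY = build_entry(0x0002, 0x21, 0x1234, b"COMMAND COM")

if __name__ == "__main__":
    for raw in (NORMAL_ENTRY, PATCHED_ENTRY):
        e = parse_sft_entry(raw)
        print(e["filename"], e["date"], e["time"], hex(e["file_size"]),
              "CONFLICT" if open_mode_conflicts_with_attribute(e) else "ok")
```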