JustKernel


It's All Positive/Learning – The Virus Way (Series 1)

The most common type of virus is the COM infector, which infects COM files. As you are aware, a COM file is a direct binary image of what is put into memory and executed by the CPU. COM files are arranged in a fixed way in memory, and if you know that layout you can easily overwrite a section of the COM file and make the system unstable.

Memory map just before executing a COM file (high addresses at the top):

0FFFFH  ------------------  Stack area
        ------------------  Uninitialized data
0100H   ------------------  COM file image
0000H   ------------------  PSP

To execute the COM file, DOS does some preparatory work, loads the program into memory, and then gives the program control. Until the program receives control, DOS is the executing entity.

COM files use only one segment.

Here is the organization of the segment a COM file is loaded into.

Offset – Description

0H – Int 21H instruction
2H – Address of the last allocated segment
4H – Reserved, should be 0
5H – Far call to Int 21H
0AH – Int 22H
100H – Beginning of the COM program

Yes, this offset 100H is the point we were looking for. Something creeping into your mind?

Yes, true: if you can put your virus code at this 100H offset, bang! You are done.

xchg ax, bx     ; file handle into BX
mov ah, 40H     ; DOS function 40H: write to file
mov cx, 42      ; CX holds the byte count: copy 42 bytes of virus
mov dx, 100H    ; DX points at the start of the bytes to copy
int 21h

This is just the start: a simple COM infector.
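A defender's counterpart to the overwrite described above, as an added example that is not part of the original post: a Python integrity check that diffs a COM file against a known-good copy and maps the changed bytes to where they sit in the loaded segment (100H onward). The sample images, the 42-byte filler and the verdict names are constructed for this demonstration.

```python
# A COM file has no header: file offset 0 is what DOS starts executing at memory
# offset 100h, so an overwriting infector replaces the first bytes in place. This
# checker diffs a COM file against a known-good copy and reports the changed bytes.

PSP_SIZE = 0x100  # the PSP fills 0h..FFh; the COM image is loaded right after it

def file_to_mem(file_off):
    """Map a COM file offset to its offset in the program's single segment."""
    return PSP_SIZE + file_off

def changed_regions(clean, suspect):
    """Return (file_offset, length) runs where suspect differs from clean.
    Bytes present in only one of the two images count as differing."""
    regions, start = [], None
    n = max(len(clean), len(suspect))
    for i in range(n + 1):  # the extra step closes a run that reaches the end
        differs = i < n and (i >= len(clean) or i >= len(suspect) or clean[i] != suspect[i])
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            regions.append((start, i - start))
            start = None
    return regions

def assess(clean, suspect):
    """Compare a COM file with its baseline and classify the modification."""
    if clean == suspect:
        return {"verdict": "unchanged", "size_delta": 0, "regions": []}
    regions = changed_regions(clean, suspect)
    head_hit = regions[0][0] == 0  # change begins at file offset 0, i.e. memory 100h
    if head_hit and len(clean) == len(suspect):
        verdict = "head_overwritten"           # body written in place over the entry
    elif head_hit:
        verdict = "head_changed_size_differs"  # entry patched and bytes added/removed
    else:
        verdict = "changed_elsewhere"
    return {"verdict": verdict, "size_delta": len(suspect) - len(clean),
            "regions": [(file_to_mem(s), n) for s, n in regions]}

# Constructed samples: a 64-byte program that only terminates (mov ah,4Ch / int 21h)
# and a copy whose first 42 bytes were replaced by filler standing in for a virus body.
CLEAN = b"\xB4\x4C\xCD\x21" + bytes(60)
SUSPECT = b"\x90" * 42 + CLEAN[42:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("suspect", SUSPECT), ("grown", CLEAN + bytes(10))):
        r = assess(CLEAN, img)
        print(name, r["verdict"], r["size_delta"], [(f"{m:04X}h", n) for m, n in r["regions"]])
```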

In future posts I will try to explain more interesting concepts with all the inner-level details, all with the help of viruses.

If you want the complete source code or need any clarification, do write to me, post your comment on justkernel.com, or post in the LinkedIn group at http://www.linkedin.com/groups/Just-Kernel-3033180

Originally Posted On: 2011-06-12 11:52:19
Anshul Makkar, anshul_makkar@justkernel.com
