VX Heaven


Library: MS-DOS specific

"Q" the Misanthrope
«HMA Residency» 15.71Kb 11071 hits
29a [2] (1998)
It allows you to put your virus in a location not seen with any of the conventional memory tools. MEM, CHKDSK and others don't indicate that more memory is being used in the HMA when a virus goes resident there.
«Playing 'Hide and Seek'» 11.67Kb 11584 hits
29a [2] (1998)
It is a game of one-upmanship between the VX and the AV community. VX seems to be winning this battle but is also forcing new improvements. VX creates virus. AV creates scan strings. VX creates mutation. AV creates smart detectors. VX creates stealth. AV counters that with direct access. VX creates tunneling. AV stops that. VX creates tracing. AV stumbles. VX creates retro. AV stumbles. VX creates Stop AV from memory scanning. AV stumbles. VX creates macro viruses. AV goes nuts. VX creates new places to hide from AV. AV will probably stumble again.
«Mid-Infection on relocations» 24.32Kb 9468 hits
Midfile infection is undoubtedly one of the most interesting but not yet totally explored topics in virus writing. There aren't actually many midfile infectors around and there are even fewer "real" midfile infectors...
Black Wolf
«COM Viruses» 10.48Kb 13374 hits
[...] There are numerous methods to infect each file type - some of the more popular will be shown in this tutorial. The simplest type of executable file to infect is the .COM file. [...]
«Combined Viruses» 7.91Kb 10858 hits
Three main problems are apparent in the last two viruses that we need to fix. The first is that there is little or no error handling in the viruses. This can cause that wonderful 'Disk Error. Abort, Retry, or Fail?' message to appear on a write protected disk, which is generally not desirable. The next problem is that both viruses can be stopped by the read-only attribute.
«EXE Viruses» 9.37Kb 15392 hits
Infecting EXE files, however, is a little more complex than infecting COM's. Let us first take a look at exactly how an EXE is structured.
«Guide to Memory Resident Viruses» 53.19Kb 14291 hits
[...] A memory resident program (or TSR for Terminate and Stay Resident) is a program that leaves at least a portion of itself in memory after it terminates and waits for a particular event to take place before it 'activates' again. [...]
Cmdr PVC
«Guide to Resident Viruses» 27.13Kb 10440 hits
In this tutorial, I'm hoping to show exactly how to write the critical parts of a functioning memory resident virus, and provide a few source code examples and explanations for most of the methods I'm documenting.
Dark Angel
«Boot Infectors» 11.85Kb 12946 hits
40hex [14] (1995)
File based viruses are executed after the operating system loads. Boot infectors, however, latch onto the parts of the drive that are accessed by the BIOS when it attempts to load the operating system itself. Therefore, there is little that can be done to intercept the boot infector once it has successfully installed itself onto a disk.
«EXE Self-Disinfection» 17.26Kb 11996 hits
40hex [13] (1994)
In the last issue of 40Hex, Demogorgon presented an article on self-disinfecting COM files. COM file disinfection is simplistic and very straightforward. In this article, we shall deal with the somewhat more complex topic of EXE file self-disinfection.
«An Introduction to Non-Overwriting Virii» 37.97Kb 11374 hits
40hex [7] (1992)
This article is designed as a simple introduction, for all who are interested, to the world of nonoverwriting virii. All that is assumed is a working knowledge of 80x86 assembly language.
«Phunky Virus Writing Guide» 106.07Kb 35784 hits
This guide will show you what it takes to write a virus and also will give you a plethora of source code to include in your own virii.
«System file tables and their usage» 9.5Kb 9969 hits
40hex [11] (1993)
A powerful though seldom-used technique in virus writing is the use of the system file table, an internal DOS structure similar in some respects to FCBs, albeit vastly more powerful.
«UMB Residency» [SRC] 5.69Kb 8893 hits
40hex [14] (1995)
One day, while fiddling with loading programs into MSDOS UMB's, I realised that there are very few viruses that used UMB's. This is surprising, given the prevalence of UMB's and the ease with which DOS viruses may hide their presence through the use of UMB's.
Dark Fiber
«Single Stepping Tunnel Techniques» 21.41Kb 9759 hits
«Self Checking Executable Files» 9.81Kb 10130 hits
40hex [12] (1993)
In this article I will explain a method that will allow .COM files to be immune to simple viruses.
«Compatible, Resident Windows 95 Viruses» 15.18Kb 10565 hits
When I started investigating Windows 95, a shade under a year ago, I decided to make a list of matters I felt were important in any virus running under that pseudo-OS or needed further consideration. The basic list isn't long... Full compatibility, Stay in memory after program termination, What about Ring-0/Ring-3 incompatibilities? Insert itself into the '95 boot sequence.
«Little SYS Infection Tutorial» 10.31Kb 11476 hits
Well, here we will speak a bit about the infection of device drivers; they are really very easy to infect. When finishing this reading you will be able to add infection of device drivers to your virus, then it will be more c00l :)
«Upper memory residency» 14.39Kb 9350 hits
Well, I'll try to describe some routines used by some viruses to copy themselves into upper memory... in order to do this, I'll try to describe what we call upper memory, the type we're interested in, the MCB, etc.
«Jerk1N's Tutorial Series» 22.21Kb 10125 hits
Lord Julus
«A guide to multipartite infectors 1.5» 40.82Kb 11217 hits
So, what is a multipartite virus? Let's give a brief description: A Multipartite virus is a COM/EXE/BS/MBR infector. Well, for those of you who know something about this, the definition should be good enough. For those of you new in the business it means a virus capable of infecting files and also the Boot Sector (or Master Boot) on a Hard Drive and a Floppy Disk.
«Tunneling Document #4 (Development of Emulation Systems)» 152.48Kb 10294 hits
Recently, emulation systems (aka Generic Decryption in the AV world) have come into the limelight, especially in the AV marketing process under many various names such as 'Viral Instruction Code Emulation' and 'Stryker', and even though their usage by the AV is in a crippled form, this document will take us into the wonderful world of emulation and its uses by the virogen.
«Tunneling via Mini-Tunnelers» 74.74Kb 7613 hits
How about a new code tracing engine that actually works as well as being smaller than the old one, as WELL as using the new CMT format as WELL as having commented source code that even -YOU- could understand?!?! How about i2a trapping, i20 and CP/M exploitation, and kernel scanning? All those and more await you in this document!
«Tunneling with Code Tracing» 71.26Kb 7248 hits
Insane Reality Magazine [8] (1996)
Here's a great tutorial on Tunneling via Emulation by Methyl, one of IRG's newest members. It should be noted that this article deals with the somewhat complex issue of Code Emulation, not just lame INT 01h single-stepping. For an example of an even more complex Code Emulator, you might want to see Tracer which is also included in IR zine #8.
«Tunneling with Single step mode» [SRC] 53.79Kb 7920 hits
Xine [1] (1996)
Yes, welcome to my series of documents on tunneling, the only series that will teach you absolutely everything there is to know about tunneling... with easy to understand step by step instructions and complete source codes and example programs for you to look at, because, after all, you're only an amoeba!
«Overwriting virus tutorial #1» 11.12Kb 13495 hits
Chiba City Blues [3] (1995)
Well, here it is, my first instructional tutorial. I felt it was necessary for this file since I could not find any tutorials that taught virus writing from the basic overwriting virus. Well that's how I started and now I want to show you. So that you too can have a long and fruitful life of coding viruses. :)
«Overwriting virus tutorial #2» 14.75Kb 9368 hits
Also, we will move on to more complex overwriting .Com viruses.
Rock Steady
«Construction Kit on infecting .COM» [SRC] 7.04Kb 10147 hits
Nuke Info Journal [2] (1992)
Well I must state my opinion that there are certainly WAY too many overwriting viruses out here. To help put a Stop to this I will try to explain to you a SIMPLE way to infect COM files at the END of the Program.
«Contruction Kit for TSR Virii» 8.46Kb 11067 hits
Nuke Info Journal [2] (1992)
There are several ways to construct your viruses. Mainly you have those which are RAM-Resident or better known as a TSR program. And with great thought we have those which are not RAM-Resident. A TSR virus will load into memory and can infect all programs that are executed by the computer. Such as my AmiLiA virus which will infect all EXE and COM files that are run. Anyhow a TSR virus can certainly spread a lot faster compared to a Non-Resident Virus. Because a NON-Resident Virus will only infect a file each time it is run. Though the NON-Resident will start off very slowly infecting the system files, after the virus is in the system for a number of weeks, it will certainly infect ALL files that are in the system. Whereas a TSR virus will USUALLY infect files that are executed. So that only files that are often executed will be infected. But the TSR virus can certainly infect A LOT more files than a Non-Resident JUST in the first Hour! It is outnumbered 10 to 1. This is the advantage that all programmers enjoy and why they program TSR viruses. I will explain a SIMPLE method of making your program a TSR one. And it will be as flexible as you want so that NO ONE can say you `Stole' this information off Rock Steady.
«Dir Stealth Method 2» 4.48Kb 9577 hits
Nuke Info Journal [4] (1992)
Some may notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton Utilities, or *SOME* File Managing systems like DOS-Shell, the File increase of infected files is now visible. There is no doubt about it, if you only put Method #1 in your virus you will encounter times where the file increase shows. It's not because your Routine isn't good! But due to the fact that there is another way to Read the Dir Listing by DOS. And this method is called File-find by ASCIIZ format. We just learned how to edit File-Find by FCB. Which is used by MS-DOS, PC-DOS and some other programs. But unlike the others, they use the ASCIIZ file-Find method as it is EASIER to open, close, edit, and any other file access routine is A LOT easier with the ASCIIZ or (File Handle) system. So we will make our Virus Stealth to Method #2! Making us 100% Stealth from file-finds...
«Directory Stealth» 7.86Kb 9108 hits
Nuke Info Journal [4] (1992)
Stealth Viruses are the Viruses that I must admit Anti-Viral Queers Don't tend to like at all. Imagine if we added a polymorphic feature into the Stealth Virus? But, if you want to Continue Writing Viruses you have to make them Stealth. MS-DOS Version 6.0 Now comes with Virus Scanners and CRC & Checksum Checkers, In order to stop many viruses. But it will NEVER stop the `Stealth' Virus that is SMART of those AV features!
«Disinfecting an Infected File» [SRC] 11.05Kb 11326 hits
Nuke Info Journal [5] (1993)
The BEST advantage a virus can have is `Disinfecting on the Fly', as we must try to basically hide the virus as well as possible!
«EXE Infections» 15.48Kb 12033 hits
Nuke Info Journal [4] (1992)
We must admit there is a HUGE amount of Lame Viruses out there. Ever wonder why so many people talk about the AIDS virus? It's a fucken overwriting virus. It's HUGE in size and it's written in PASCAL. Please! Have a little more respect for the virus world. What happened to that old Bulgarian Spirit? That too has died. Bulgaria isn't writing as many top viruses as it used to! Or are we in for a surprise? (USSR Kicks!) Well, to help people in advancing their Virus programming ability I will try to explain the basics in Infecting an EXE file. There are several ways to infect an EXE file. And I have tried several types. The best one I have programmed is the one you'll see. In Basic, it will infect EXEs by starting a new segment, only for the virus. This will infect EXEs over the size of 64k, and it is a lot less complicated.
«Infection on Closing» [SRC] 17.48Kb 9588 hits
Nuke Info Journal [5] (1993)
[...] This routine goes out for a few people that had trouble hacking this routine themselves... I kinda like it, it's my very OWN, no Dark Avenger hack, it is VERY straightforward, and kinda simple [...]
«Memory Stealth» 3.5Kb 9394 hits
Nuke Info Journal [4] (1992)
The Advantages of having a Memory Resident Virus are unlimited. When our virus goes `TSR' it REALLY doesn't do ANYTHING. It just stays there, waiting to be called upon. The 80x86 really doesn't MULTITASK, so don't think the virus runs `in the Background'. TSRs tend to hook on Interrupts, depending what function they must do. If it must be called upon OFTEN, hook Int 1C; if yours must run when a File is Executed/Open/Close, Hook Int 21h. And every time Int 21h is called, Your Virus Runs FIRST, then it calls the original Int 21h. I will try to explain how to cut off a block of Memory, Then we'll allocate memory for the Virus, change the program MCB, and move the virus resident in memory.
Satan's Little Helper
«Finding INT 21's real address using the PSP» 11.67Kb 11263 hits
The real address of interrupt 21 is useful to almost all viruses; it enables viruses to bypass resident monitoring software loaded as device drivers or TSR's. This article will demonstrate a method by which you can obtain the real address of INT 21 by using the entry at offset 6 in the PSP segment.
«Post discovery strategies» [SRC] 36.14Kb 10051 hits
Insane Reality Magazine [7] (1995)
Most virii these days take many Pre-Discovery precautions. This simply means that they take precautions to avoid discovery, assuming the virus has not already been discovered. Common examples of Pre-Discovery Strategies are File Stealth, Sector Stealth, and MCB stealth (i.e. any stealth). These mechanisms are used to stop the virus being discovered, but once it has been discovered, and is in the hands of the AV, they're essentially useless. It is only a matter of days (or even hours) until a suitable scan string or algorithm has been determined, for inclusion into their AV programs. There is, however, a solution: post discovery strategies. These are mechanisms that, instead of serving the purpose of hiding the virus from detection, make the virus harder to analyse, and hence to determine a scan string or detection algorithm for. To be entirely honest, the previous statement is not completely correct - in order to take advantage of any of these methods your virus can not have a scan string - without at least polymorphism, Post Discovery Strategies are useless. This document will be divided into three main sections: Polymorphism, Anti-Bait Techniques, Anti-Debugger Techniques.
«A different way to make a TSR virus (or how a boot virus can hook dos interrupts)» 21.38Kb 11639 hits
Moreover, most boot viruses cannot hook DOS interrupts, because when the boot virus loads the DOS interrupts aren't present yet, since DOS loads after the virus. In this example this boot virus can hook INT 40 (a DOS int) and, at the end of the virus's load, it restores the vector table, so the vector table looks intact.
Stomach Contents
«Let's talk Stealth» 15.86Kb 9528 hits
The concept is so simple, it's really not much to shout about; however, its potential for dodging AV's is enormous.
Terminator Z
«VIRUSES: What they are, What they do, How they are written (The Virus Writer's Handbook: The Complete Guide)» 94.43Kb 11920 hits
This file is aimed at educating the public on the subject of viruses - what they are, how they work, and what techniques a virus author is likely to use. BY NO MEANS IS THIS TEXT FILE AIMED TO BE USED IN THE CREATION OF A VIRUS!
«Making Windows 95 Compatible Viruses» [SRC] 6.53Kb 9065 hits
Because a large number of potential victims use DOS software without leaving Windows, it is *imperative* that you do what you can to enable your virus to work without causing a disturbance. This article deals with potential compatibility problems and in most cases provides workarounds.
«The Risk of Debug Codes in Batch: what are debug codes and why they are dangerous?» [SRC] 6.21Kb 10314 hits
This paper shows the risk of "Debug Codes" in Batch. It's useful for comprehension if you have some assembler knowledge. Debug.EXE is a small assembler and disassembler. It can be found on every version of Windows in c:\windows\command and is a relic of the old DOS times. If you start DEBUG and type "?", DEBUG lists all its commands.
22 authors, 42 titles