中国DOS联盟

Since the core war, viruses have evolved from DOS-era viruses to Windows system viruses. From deformation, encryption to intelligent viruses, they are now hard to guard against. Currently, viruses are rampant on the network, causing great harm to people. Here, I just start a discussion, introducing the principles of viruses, hoping that everyone can study and communicate together. (This article refers to some articles on the network and quotes some content.)

To learn DOS viruses, you must first learn or master assembly language. DOS viruses are generally divided into boot viruses, file viruses, hybrid viruses, etc. Most viruses infect COM and EXE files, so you must understand the structures of COM and EXE files.

I. COM file structure and principle
The.COM file is relatively simple. The.COM file contains an absolute image of the program──that is, in order to run the program accurately, the processor instructions and data in memory, MS-DOS loads the.COM program by directly copying the image from the file to memory without making any changes. To load a.COM program, MS-DOS first tries to allocate memory. Since the.COM program must be in a 64K segment, the size of the.COM file cannot exceed 65,024 (64K minus 256 bytes for the PSP and at least 256 bytes for an initial stack). If MS-DOS cannot allocate enough memory for the program, a PSP, and an initial stack, the allocation attempt fails. Otherwise, MS-DOS allocates as much memory as possible (up to all reserved memory), even if the.COM program itself cannot be larger than 64K. Most.COM programs release any unnecessary memory before attempting to run another program or allocate additional memory.

After allocating memory, MS-DOS creates a PSP in the first 256 bytes of the memory. If the first FCB in the PSP contains a valid drive identifier, AL is set to 00h; otherwise, it is set to 0FFh. MS-DOS also sets AH to 00h or 0FFh, depending on whether the second FCB contains a valid drive identifier. After building the PSP, MS-DOS starts loading the.COM file immediately after the PSP (offset 100h). It sets SS, DS, and ES to the segment address of the PSP, and then creates a stack. To create a stack, MS-DOS sets SP to 0000h if at least 64K of memory has been allocated; otherwise, it sets the register to 2 more than the total number of bytes allocated. Finally, it pushes 0000h onto the stack (this is to ensure compatibility with programs designed on early versions of MS-DOS). MS-DOS starts the program by transferring control to the instruction at offset 100h. Program designers must ensure that the first instruction of the.COM file is the entry point of the program. Note that since the program is loaded at offset 100h, all code and data offsets must also be relative to 100h. Assembly language program designers can ensure this by setting the initial value of the program to 100h (for example, by using the statement org 100h at the beginning of the original program).

II. EXE file structure
The.EXE file is more complex. Each.EXE file has a file header, the structure is as follows:

　　　　　　　EXE file header information　　　　
　　　　──────────────────－
　　　　 ├ Offset ┤　　 Meaning　　　　　 　 　┤
　　　　 ├00h-01h ┤MZ『EXE file mark　　　　 ┤
　　　　 ├2h-03h　┤File length remainder when divided by 512 ┤
　　　　 ├04h-05h ┤............... quotient ┤
　　　　 ├06h-07h ┤Number of relocation items　 　 　┤
　　　　 ├08h-09h ┤Quotient of file header divided by 16　 ┤
　　　　 ├0ah-0bh ┤Minimum number of segments required to run the program ┤
　　　　 ├0ch-0dh ┤.............. large.... ┤
　　　　 ├oeh-0fh ┤Segment value of the stack segment (SS)　 　┤
　　　　 ├10h-11h ┤........sp　　　　　 ┤
　　　　 ├12h-13h ┤File checksum　　　　　　 ┤
　　　　 ├14h-15h ┤IP　　　　　　　　　　 ┤
　　　　 ├16h-17h ┤CS　　　　　　　　　　 ┤
　　　　 ├18h-19h ┤............　 ┤
　　　　 ├1ah-1bh ┤............　　　 　┤
　　　　 ├1ch　　 ┤............　　　 　　┤　
　────────────────────────－
The.EXE file contains a file header and a relocatable program image. The file header contains information for MS-DOS to load the program, such as the size of the program and the initial values of registers. The file header also points to a relocation table, which contains a linked list of pointers to the segment addresses of relocatable segments in the program image. The form of the file header corresponds to the EXEHEADER structure:
EXEHEADER STRUC
exSignature dw 5A4Dh ;.EXE mark
exExraBytes dw ? ;Number of bytes in the last (partial) page
exPages dw ? ;Total and partial number of pages in the file
exRelocItems dw ? ;Number of pointers in the relocation table
exHeaderSize dw ? ;Size of the file header in bytes
exMinAlloc dw ? ;Minimum allocation size
exMaxAlloc dw ? ;Maximum allocation size
exInitSS dw ? ;Initial SS value
exInitSP dw ? ;Initial SP value
exChechSum dw ? ;Complement checksum value
exInitIP dw ? ;Initial IP value
exInitCS dw ? ;Initial CS value
exRelocTable dw ? ;Byte offset of the relocation table
exOverlay dw ? ;Overlay number
EXEHEADER ENDS The program image contains processor code and initial data of the program, immediately following the file header. Its size in bytes is equal to the size of the.EXE file minus the size of the file header, and also equal to the value of the exHeaderSize field multiplied by 16. MS-DOS loads the.EXE program by directly copying the image from the file to memory and then adjusting the relocatable segment addresses described in the relocation table.

The relocation table is an array of relocation pointers, each pointing to a relocatable segment address in the program image. The exRelocItems field in the file header indicates the number of pointers in the array, and the exRelocTable field indicates the starting file offset of the allocation table. Each relocation pointer consists of two 16-bit values: offset and segment value. To load the.EXE program, MS-DOS first reads the file header to determine the.EXE mark and calculate the size of the program image. Then it tries to apply for memory. First, it calculates the sum of the size of the program image file, the size of the PSP, and the memory size indicated by the exMinAlloc field in the EXEHEADER structure. If the sum exceeds the size of the largest available memory block, MS-DOS stops loading the program and returns an error value. Otherwise, it calculates the sum of the size of the program image, the size of the PSP, and the memory size indicated by the exMaxAlloc field in the EXEHEADER structure. If the second sum is less than the size of the largest available memory block, MS-DOS allocates the calculated amount of memory. Otherwise, it allocates the largest available memory block. After allocating memory, MS-DOS determines the segment address, also called the starting segment address, from which it loads the program image. If the values in the exMinAlloc field and the exMaxAlloc field are both zero, MS-DOS loads the image as high as possible in memory. Otherwise, it loads the image immediately above the PSP area. Next, MS-DOS reads the items in the relocation table to adjust all segment addresses indicated by the relocation pointers. For each pointer in the relocation table, MS-DOS finds the corresponding relocatable segment address in the program image and adds the starting segment address to it. Once adjusted, the segment address points to the code and data segments of the loaded program in memory. MS-DOS creates a 256-byte PSP in the lowest part of the allocated memory, setting AL and AH to the values set when loading the.COM program. MS-DOS uses the values in the file header to set SP and SS, adjusts the initial value of SS, and adds the starting address to it. MS-DOS also sets ES and DS to the segment address of the PSP. Finally, MS-DOS reads the initial values of CS and IP from the program file header, adds the starting segment address to CS, and transfers control to the program at the adjusted address.

III. Boot virus principle
To understand the principle of the boot virus, first, you need to understand the structure of the boot sector. A floppy disk has only one boot sector, called the DOS BOOT SECTER. As long as the floppy disk is formatted, it will exist. Its function is to find whether there are IO.SYS and DOS.SYS on the disk. If there are, it boots; otherwise, it displays messages like 'NO SYSTEM DISK...'. A hard disk has two boot sectors. The master boot sector at sector 1 of track 0, side 0 contains the master boot program and the partition table. The master boot program finds the active partition, and the first sector of this partition is the DOS BOOT SECTER. The vast majority of viruses infect the hard disk master boot sector and the floppy disk DOS boot sector.

***3.5-inch floppy disk format***
A 3.5-inch floppy disk is double-sided, so the zero track has two sides, the front side has sectors 0-17, and the back side has sectors 18-35.
Sector 0: Boot area (boot sector);
Sectors 1-9: 1st FAT area (first file allocation table);
Sectors 10-18: 2st FAT area (second file allocation table);
Sectors 19-32: Root dir area (also called File Directory Table, FDT)
File directory table (root directory)
Sectors 33-2879: Data area (data area)

***Structure of the hard disk master boot record***
Structure of the hard disk master boot record
Offset　Machine code　Symbolic instruction　Description
0000　FA　CLI　;Mask interrupt
0001　33C0　XOR　AX,AX
0003　8ED0　MOV　SS,AX　;(SS)=0000H
0005　BC007C　MOV　SP,7C00　;(SP)=7C00H
0008　8BF4　MOV　SI,SP　;(SI)=7C00H
000A　50　PUSH　AX
000B　07　POP　ES　;(ES)=0000H
000C　50　PUSH　AX
000D　1F　POP　DS　;(DS)=0000H
000E　FB　STI
000F　FC　CLD
0010　BF0006　MOV　DI,0600
0013　B90001　MOV　CX,0100　;Total 512 bytes
0016　F2　REPNZ
0017　A5　MOVSW　;The master boot program copies itself from 0000:7C00 to
;0000:0600 to make space for the DOS partition boot program
0018　EA1D060000　JMP　0000:061D　;Jump to 0000:061D to continue execution, actually
;execute the following MOV instruction (at offset 001D)
001D　BEBE07　MOV　SI,07BE　;07BE-0600=01BE, 01BE is the start address of the partition table
0020　B304　MOV　BL,04　;There are up to 4 partition tables, i.e., up to 4 partitions
0022　803C80　CMP　BYTE　PTR　,80　;80H indicates an active partition
0025　740E　JZ　0035　;Jump if an active partition is found
0027　803C00　CMP　BYTE　PTR　,00　;00H is the flag of a valid partition
002A　751C　JNZ　0048　;Jump if neither 80H nor 00H, the partition table is invalid
002C　83C610　ADD　SI,+10　;Next partition table entry, each entry is 16 bytes
002F　FECB　DEC　BL　;Decrement the loop count by one
0031　75EF　JNZ　0022　;Check the next partition table entry
0033　CD18　INT　18　;If none can boot, enter ROM Basic
0035　8B14　MOV　DX,
0037　8B4C02　MOV　CX,　;Take the surface, cylinder, and sector of the boot sector of the active partition
003A　8BEE　MOV　BP,SI　;Then continue to check the subsequent partition table entries
003C　83C610　ADD　SI,+10
003F　FECB　DEC　BL
0041　741A　JZ　005D　;Jump to boot the active partition if all 4 are checked
0043　803C00　CMP　BYTE　PTR　,00　;00H is the valid partition flag
0046　74F4　JZ　003C　;If this partition table entry is valid, continue to check the next one
0048　BE8B06　MOV　SI,068B　;068B-0600=018B, take the "invalid partition" string
004B　AC　LODSB　;Take a character from the string
004C　3C00　CMP　AL,00　;00H indicates the end of the string
004E　740B　JZ　005B　;Jump if the string is displayed completely, then enter an infinite loop
0050　56　PUSH　SI
0051　BB0700　MOV　BX,0007
0054　B40E　MOV　AH,0E
0056　CD10　INT　10　;Display a character
0058　5E　POP　SI
0059　EBF0　JMP　004B　;Loop to display the next character
005B　EBFE　JMP　005B　;Here is an infinite loop
005D　BF0500　MOV　DI,0005　;Read the boot sector of the active partition, up to 5 attempts
0060　BB007C　MOV　BX,7C00
0063　B80102　MOV　AX,0201
0066　57　PUSH　DI
0067　CD13　INT　13　;Read
0069　5F　POP　DI
006A　730C　JNB　0078　;Jump if the read is successful
006C　33C0　XOR　AX,AX
006E　CD13　INT　13　;Reset the disk if the read fails
0070　4F　DEC　DI
0071　75ED　JNZ　0060　;Try to read again if less than 5 times
0073　BEA306　MOV　SI,06A3　;06A3-0600=00A3, i.e., the "Error loading" string
0076　EBD3　JMP　004B　;Go to display the string, then enter an infinite loop
0078　BEC206　MOV　SI,06C2　;06C2-0600=00C2, i.e., the "Missing.." string
0076　EBD3　JMP　004B　;Go to display the string, then enter an infinite loop
0078　BEC206　MOV　SI,06C2　;06C2-0600=00C2, i.e., the "Missing.." string
007B　BFFE7D　MOV　DI,7DFE　;7DFE-7C00=01FE, i.e., the start address of the last two bytes of the boot sector of the active partition
007E　813D55AA　CMP　WORD　PTR　,AA55　;The last two bytes are AA55H, which is valid
0082　75C7　JNZ　004B　;Jump to display the string and enter an infinite loop if invalid
0084　8BF5　MOV　SI,BP
0086　EA007C0000　JMP　0000:7C00　;Jump to boot this partition if valid
0080　49　6E　76　61　6C　Inval
0090　69　64　20　70　61　72　74　69-74　69　6F　6E　20　74　61　62　id　partition　tab
00A0　6C　65　00　45　72　72　6F　72-20　6C　6F　61　64　69　6E　67　le.Error　loading
00B0　20　6F　70　65　72　61　74　69-6E　67　20　73　79　73　74　65　operating　syste
00C0　6D　00　4D　69　73　73　69　6E-67　20　6F　70　65　72　61　74　m.Missing　operat
00D0　69　6E　67　20　73　79　73　74-65　6D　00　00　FB　4C　38　1D　ing　system...L8.
00E0　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
00F0　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0100　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0110　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0120　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0130　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0140　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0150　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0160　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0170　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0180　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
0190　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
01A0　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
01B0　00　00　00　00　00　00　00　00-00　00　00　00　00　00　80　01　................;Partition table
01C0　01　00　06　0F　7F　9C　3F　00-00　00　F1　59　06　00　00　00　......?....Y....
01D0　41　9D　05　0F　FF　38　30　5A-06　00　40　56　06　00　00　00　A....80Z..@V....
01E0　00　00　00　00　00　00　00　00-00　00　00　00　00　00　00　00　................
01F0　00　00　00　00　00　00　00　00-00　00　00　00　00　00　55　AA　..............U.
Use the 02 function call of INT 13H to read the hard disk master boot record at sector 1 of track 0, side 0 in the hard disk reserved sector to ES:BX in memory. Now, the read program code is analyzed as follows:

1. Move the master boot record program
0E74:7C00　33C0　XOR　AX,AX　；Clear AX
0E74:7C02　8ED0　MOV　SS,AX　；SS clear
0E74:7C04　BC007C　MOV　SP,7C00　；SP=7C00, the stack is set at 0:7C00H
0E74:7C07　FB　STI　；Enable interrupts
0E74:7C08　50　PUSH　AX
0E74:7C09　07　POP　ES　；ES=0
0E74:7C0A　50　PUSH　AX
0E74:7C0B　1F　POP　DS　；DS=0
0E74:7C0C　FC　CLD
0E74:7C0D　BE1B7C　MOV　SI,7C1B　；Source address is 0:7C1BH
0E74:7C10　BF1B06　MOV　DI,061B　；Destination address is 0:061BH
0E74:7C13　50　PUSH　AX
0E74:7C14　57　PUSH　DI
0E74:7C15　B9E501　MOV　CX,01E5　；Move 01E5 bytes
0E74:7C18　F3　REPZ　；Move the master boot record from 0:7C1B-0:7DFF
0E74:7C19　A4　MOVSB　；Move to 0:061B-0:07FF
0E74:7C1A　CB　RETF　；Transfer to 0:061B to continue executing the program

2. Sequentially search the four hard disk partition tables to find the boot flag
0E74:061B　BEBE07　MOV　SI,07BE　；SI points to the boot flag of hard disk partition table 1
0E74:061E　B104　MOV　CL,04　；Search for four partitions
0E74:0620　382C　CMP　,CH
0E74:0622　7C09　JL　062D　；If the 7th bit of is 1, it is the boot flag, jump to 062DH
0E74:0624　7515　JNZ　063B　；If is not 0, an error occurs, jump to 063BH
0E74:0626　83C610　ADD　SI,+10　；Successively check the four partition tables until found
0E74:0629　E2F5　LOOP　0620　；Boot flag
0E74:062B　CD18　INT　18　；If the boot flag is not found, enter the BOOT exception handling program.
0E74:062D　8B14　MOV　DX,　；Save the boot drive number in DL
0E74:062F　8BEE　MOV　BP,SI　；Save the boot partition address pointer in BP
0E74:0631　83C610　ADD　SI,+10　；Continue to check the partitions after the boot partition
0E74:0634　49　DEC　CX　；Boot flag, until all four partitions are checked
0E74:0635　7416　JZ　064D　；Check完
0E74:0637　382C　CMP　,CH　；If the remaining boot flag is not 0, an error occurs
0E74:0639　74F6　JZ　0631　

3. Error, write screen program segment
0E74:063B　BE1007　MOV　SI,0710　；Error message output, infinite loop
0E74:063E　4E　DEC　SI
0E74:063F　AC　LODSB
0E74:0640　3C00　CMP　AL,00
0E74:0642　74FA　JZ　063E
0E74:0644　BB0700　MOV　BX,0007
0E74:0647　B40E　MOV　AH,0E
0E74:0649　CD10　INT　10
0E74:064B　EBF2　JMP　063F
The function of the hard disk master boot record program is to read the BOOT program of the boot partition and transfer control to the partition BOOT program. The entire program flow is as follows:
1. Move the hard disk master boot record program originally read into 0:7C00H to 0:61BH;
２. Sequentially read the boot flags of the four partition tables to find the boot partition. If not found, transfer to execute the BOOT exception execution interrupt program of INT18H;
３. After finding the boot partition, detect the system flag of this partition. If it is a 32-bit FAT table or a 16-bit FAT table but supports the extended function of interrupt 13, transfer to execute the 41st function call of interrupt 13 for installation and inspection. If the inspection is successful, execute the 42nd extended read function call to read the BOOT area program into memory 0:7C00H. If successful, jump to step 5. If the read fails or the system flag is other, call the read sector function call of interrupt 13 to read the BOOT to 0:7C00H;
４. When using the read sector function of interrupt 13, perform 5 attempts in two ways. The first way is to directly read the BOOT program from the first sector of the boot partition. If the read is successful but the end flag is not 55AA, use the second way. Also, if the first way of trial reading fails five times, use the second way. If both ways of trial reading fail, transfer to the error handling program;
５. If the BOOT area program is read successfully, transfer to execute the BOOT program at 0:7C00H

What the LZ said is really great, truly the style of an expert!~~
Unfortunately, I'm a noob and simply can't understand~~~~

Hehe, I'm a noob.
I can only envy the LZ right now.
Haha, I hope one day I'll be able to do these things too.

Oh, it's too advanced. Don't quite understand!

What a long post, but unfortunately I spent half a day and still didn't understand it. My level is too low, crying!

Not very easy to understand ah Gao

Not bad, reading it with great interest. I wonder if the original poster has other similar articles?

The building owner wrote very well, but if you want to know about exe, viruses and so on, I suggest everyone go to www.pediy.com to see, there are more learning materials.

Got it, such a great article, thanks to the楼主

That's really the demeanor of a master!~~

What the original poster said is really great, truly showing the demeanor of an expert!~~

Sure enough, it's a master. It's a bit deep, I understand it vaguely

That's really great... But I just can't understand it... I'm too noob