K”hntark's Recursive Tunneling Toolkit Version 4.1 Released 27 August 1993 อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 1. DISCLAIMER The author of this toolkit is in no way responsible for any damage that its proper or improper usage might cause. อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 2. LICENSE? You are free to include this toolkit in computer viruses. อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 3. INFO You don't have to read this whole document before trying to do something with the toolkit! If you have never written a virus in Assembler, you can start with the toolkit! (well, almost!) K”hntark's Recursive Tunneling Toolkit is an object module that can be linked to any virus. The virus should be assembled and linked with KRTT41.OBJ using Turbo Assembler 2.0 and above. Using other Assemblers might cause unexpected results. The toolkit, when called will try find the address of DOS's real int 21h / 2Ah / 13h. The output code returned will depend on the results found by the toolkit. KRTT41.OBJ is truly a NO-FRILLS object module. You need nothing to use it. It is a simple, 'plug and play' item; just save the registers, call it and act depending upon the output. Unlike other tunneling routines KRTT DOES NOT use Interrupt 1 to trace through the current interrupts, as this technique can be easily disabled by any decent resident AV utility. อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 4. What the hell is tunneling? Why use this? A quick explanation: Antivirus system monitoring software are Terminate and Stay Resident (TSR) programs that remain in memory and hook or capture INT 21h / 2Ah / 13h and other vital system interrupts. These programs monitor all calls made to these interrupts for 'suspicious' or 'virus-like' behaviour. An example would be unauthorized writing to a file thought INT 21h, function 40h. These programs ensure that all viruses not using any tunneling or stealth routines are detected when trying to infect or remain resident in memory. Some examples of such programs will even monitor their own code to ensure they are not removed from memory or their INT 21h handler is not replaced by other programs. KRTT41 will get the DOS's original INT 21h / 2Ah / 13h, in most cases, and can turn your virus into a 'smart' one by warning about the possibility of strange AV software present in memory. Once DOS's original interrupts are found you can call them directly to memory freely, bypassing any AV software present in memory and infecting other files right through their protection! The ability to locate DOS's original INT 13h is provided by KRTT to implement potentially destructive code. (None of the examples contain such code.) You could also use the original int 21h to allocate/free memory and disable any software present in memory. Such scenarios are possible but they have not tested fully, so no claims can be made. KRTT41's strength lies in a recursive nature which allows tracing and scanning through multiple hooked INT 21h's. You can load multiple non-conflicting system monitoring antivirus programs and KRTT41 will go through them! Be it 1 or 6 - admittedly a ridiculous situation - it won't make a difference. KTTR41 is very small due to its recursive nature. And it is fast since it uses no memory locations for data storage; all the operations are done directly in the CPU registers. KTTR41 is fully compatible with Trident's Polymorphic Engine Version 1.4 and future polymorphic Engines. Such compatibility is assured as long as KRTT 4.1 is linked before any Polymophic Engine. Note: See YB-1.ASM for TpE 1.4 linkage demonstration. อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 5. USAGE: You need the following at the beginning of your program: extrn TUNNEL:near ~~~~~~~~~~~~~~~~~ then call anytime during program execution (preferably at the start): call TUNNEL ~~~~~~~~~~~ Then store the address of the found INT 21h in a double word location within your virus. You can then call the real INT 21h doing a CALL DWORD PTR to such location. All this is shown in YB-1.ASM and YB-2.ASM TUNNEL 4.1 procedure usage: INPUT: bp=01 => Search for original INT 2Ah bp=02 => Search for original INT 13h Any other value in bp => Search for original INT 21h (you MUST save any necessary registers) OUTPUT: ah=00 Not found ah=01 Found! ah=02 Int 21h/ 2hA /13h Not Hooked ah=03 DOS internal interrupts are hooked (search for int 21h / 2Ah / 13h not conducted) If found: dx= INT 21h / 2Ah / 13h SEGMENT di= INT 21h / 2Ah / 13h OFFSET al= RECURSION DEPTH REGISTERS DESTROYED: ax,bx,cx,dx,di,bp,es At infection time you must add 248 (decimal) bytes to the virus size. (see YB-1.ASM, YB-2.ASM) ASSEMBLE: tasm /m LINK: tlink /x /t krtt41.obj or LINK: tlink /x /t krtt41.obj .obj อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 6. TESTING: The toolkit has been tested with a reasonable amount of hardware and software. Success for, loaded in the following order: DOS 5.00 (high) + Vshield 106 (McAfee) DOS 5.00 (high) + Vshield + Vshield 106 DOS 5.00 (high) + Virstop (FPROT 2.09) DOS 5.00 (high) + TBdriver + TBfile (TBAV 6.03) DOS 5.00 + Vshield (McAfee) + Virstop DOS 5.00 + Vshield (McAfee) + Virstop + TBdriver + TBfile !!!! You can switch the order of the first 2. Tbfile won't let anything load if it is not loaded last. DOS 5.00 (high) + QEMM 6.0 (high) + Vshield 106 (McAfee) DOS 5.00 (high) + QEMM 6.0 (high) + Vshield + Vshield 106 DOS 5.00 (high) + QEMM 6.0 (high) + Virstop (FPROT 2.09) DOS 5.00 (high) + QEMM 6.0 (high) + TBdriver + TBfile (TBAV 6.03) DOS 5.00 (high) + QEMM (high) + Vshield (McAfee) + Virstop DOS 5.00 (high) + QEMM (high) + Vshield (McAfee) + Virstop + TBdriver + TBfile !!!! KRTT is compatible MS-DOS and IBM DOS versions ranging from 3.1 to 6.0 The above results can be also reproduced against the following: QEMM 7.0 HIMEM.SYS EMM386.SYS VDEFEND (PCTOOLS 7.1) Central Point Antivirus 1.3 Secure 2.35 (Mark Washburn) Virex 2.8 (Ross Greenburg) Flushot+ V1.84 Martin's Virus Trap V182 (Russia) Antiviral Toolkit Pro 1.06 (Russia) (see YB-1 and YB-2) Turbo Debugger 2.0 Watchdog (Leprechaun Software) VSAFE (CPAV / MSAV) Note that some of the above software developers costs $50+, all circunvented by a free 248 byte program! อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ 8. Final Notes From the Depths of HELL If you have any questions or doubts please look at the demo viruses , YB-1.ASM, YB-2.ASM or the KTTRDEMO.ASM program. Any questions or comments are appreciated I can be contacted at CIS (Crypt InfoSystems) BBS. and VX BBS's through out the world. Not illegal yet! K”hntark šWEUHL KšMPKAAH!