The Search Mechanism
In order to write the search mechanism for the virus (the part that looks for files to infect) we must first understand the following things:
The information about every file on the disk is stored in two areas, known as the directory and the File Allocation Table (FAT). The directory contains a 32 byte file descriptor record for each file. The file descriptor holds the file's name, size, date and time of last modification, and the file attribute (read-only, hidden, system, volume label, directory, archive), together with the number of the file's first cluster on disk.
The FAT is a map of the entire disk, which simply tells the operating system which areas (clusters) are occupied by which files, by chaining each file's clusters together.
Let us consider a simple example of opening a file for reading only:
mov ax,SEG FNAME ;a segment register cannot take an immediate, so load ds via ax
mov ds,ax
mov dx,OFFSET FNAME ;ds:dx -> ASCIIZ file name
xor al,al ;al = 0: open for reading only
mov ah,3DH ;DOS function 3DH: open existing file
int 21H ;call DOS; on return the handle is in ax
DOS is told what to do through its interrupt service routines (ISRs); interrupt 21H is the main DOS service entry point. This program tells DOS to locate the file FNAME and prepare it for reading into memory. The int 21H instruction transfers control to DOS to perform the task; when DOS has finished opening the file, control returns to the instruction immediately after the int 21H.
The register ah holds the function number, which tells DOS what to do (3DH is Open File). The ds:dx register pair points to the memory location holding the name of the file to open, stored as an ASCIIZ string (the text followed by a zero byte). The register al holds the access mode; al = 0 opens the file for reading only. On return, DOS reports the outcome in the carry flag: if it is clear, ax holds the file handle used for later reads; if it is set, the open failed and ax holds the error code (for example 2, file not found). Checking that flag before using the handle is what separates a reliable routine from one that reads through a bogus handle.
To write a routine which searches for other files to infect, the DOS search functions are used: DOS has a pair of searching functions built into it, called Search First and Search Next. To search for a specific file in a particular directory, the file specification is given to DOS as an ASCIIZ string.
For example:
DB '\system\hyper.*',0
This string sets up the search function to look for all files named hyper, with any extension, in the subdirectory named system. DOS might find files like hyper.c, hyper.jpg, hyper.exe, etc. (Internally DOS fills the asterisk out with ? characters to the end of the 8 character name or 3 character extension field, so *.COM becomes ????????.COM and matches any name with that extension.) After setting up this ASCIIZ string, one must perform the following steps:
1) Set the registers ds and dx to the segment and offset of this ASCIIZ string in memory.
2) Set register cx to a file attribute mask which tells DOS which file attributes to allow in the search and which to exclude (the mask fits in cl; normal files are always returned, while hidden, system and directory entries are returned only if their bits are set in the mask).
3) Finally, set ah = 4E hex and call interrupt 21H to invoke the Search First function.
If Search First is successful, DOS clears the carry flag, returns with ax = 0 and fills a 43 byte record in the Disk Transfer Area, or DTA. The first 21 bytes of that record are reserved for DOS's own use; the rest give the program the file's attribute byte (offset 21), its time and date of last modification (offsets 22 and 24), its size as a 32-bit value (offset 26) and its name as an ASCIIZ string (offset 30). If no matching file is found, DOS sets the carry flag and returns the error code in ax (2, file not found), with no usable data in the DTA. Since the calling program knows the address of the DTA, it can examine that area for the file information after DOS has stored it there. Unless the program moves the DTA with function 1AH, it sits at offset 80H of the Program Segment Prefix, on top of the command tail, so a program that still needs its command line must copy it out before searching.
Example: Suppose we want to find all the files in the currently logged directory with the extension COM, including hidden and system files. In a COM program ds already equals cs, so only dx needs to be loaded:
SRCH_FIRST:
mov dx,OFFSET COMFILE ;ds:dx -> asciiz search string
mov cx,00000110B ;attribute mask: bit 1 = hidden, bit 2 = system (normal files always match)
mov ah,4EH ;search first function
int 21H ;call DOS
or al,al ;check to see if successful (ax = 0 on success; jc NOFILE is the carry-flag form of the same test)
jnz NOFILE ;go handle no file found condition
FOUND: ;come here if file found: name, size and attribute are now in the DTA
;(process the file here, then continue with Search Next below)
NOFILE: ;come here if nothing matched; ax holds the DOS error code
COMFILE DB '*.COM',0 ;asciiz search string
In comparison with Search First, Search Next is easy, because all of the data has already been set up by Search First. Just set ah = 4F hex and call DOS interrupt 21H:
mov ah,4FH ;search next function
int 21H ;call DOS
or al,al ;see if a file was found (ax = 0 on success)
jnz NOFILE ;no, go handle no more files condition
FOUND2: ;else process the file, then loop back to the search next
If another file is found, the data in the DTA is updated with the new file name and ax is zero on return. If no more matches are found, DOS sets the carry flag and returns error code 18 (no more files) in ax, so al is non-zero. One must be careful that the data in the DTA, the 21 reserved bytes in particular, is not altered between the call to Search First and later calls to Search Next, because Search Next keeps its place in the directory in that reserved area and expects the data from the last search call to be there. Reading the DTA is fine; writing to it, or calling another function that uses the DTA (such as a search for a second pattern), loses the position.
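The Search First / Search Next loop and the 43 byte DTA record described in the two sections above, modelled in Python as an added example (this is not code from the original post, and it does not call DOS). The directory listing, file sizes and dates are constructed for the example. The result-block offsets (attribute at 21, time at 22, date at 24, size at 26, name at 30) and the error codes 2 and 18 are the DOS ones; keeping the search template, mask and directory position in the 21 reserved bytes is a simplification, since real DOS stores its own continuation state there. The two functions return (carry flag, ax) the way the real calls do, so the `or al,al / jnz` test from the post maps onto `ax == 0`.

```python
"""Model of DOS Search First (INT 21h/4Eh) and Search Next (4Fh) and of the
43-byte record they leave in the Disk Transfer Area (DTA).

Added example, not code from the original post. DIRECTORY is constructed, and
keeping continuation state in the reserved bytes is an assumption: real DOS
stores its own search state there in a layout that is not documented here.
"""
import struct

ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ERR_FILE_NOT_FOUND, ERR_NO_MORE_FILES = 2, 18   # DOS error codes returned in ax
DTA_SIZE = 43

# Constructed directory: (name, attribute byte, size, (year, month, day), (hour, min, sec))
DIRECTORY = [
    ("COMMAND.COM", ATTR_ARCHIVE,                              47845, (1991, 4, 9), (5, 0, 0)),
    ("IO.SYS",      ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM, 33430, (1991, 4, 9), (5, 0, 0)),
    ("HYPER.COM",   ATTR_HIDDEN,                               1234,  (1992, 1, 15), (12, 30, 0)),
    ("EDIT.COM",    0,                                         413,   (1991, 4, 9), (5, 0, 0)),
    ("DOS",         ATTR_DIRECTORY,                            0,     (1992, 1, 1), (0, 0, 0)),
    ("README.TXT",  ATTR_ARCHIVE,                              2048,  (1992, 2, 2), (9, 15, 0)),
    ("HYPER.EXE",   ATTR_ARCHIVE,                              8000,  (1992, 1, 15), (12, 31, 0)),
]


def to_fcb(spec):
    """Expand NAME.EXT (with * and ?) into the space-padded 8+3 form DOS compares.
    '*' becomes '?' for the rest of its field, so *.COM -> '????????COM'."""
    name, _, ext = spec.upper().partition(".")

    def field(s, width):
        out = ""
        for ch in s:
            if ch == "*":
                return (out + "?" * width)[:width]
            out += ch
        return (out + " " * width)[:width]

    return field(name, 8) + field(ext, 3)


def name_matches(template11, entry11):
    """'?' in the template matches any character, including the pad spaces."""
    return all(t == "?" or t == e for t, e in zip(template11, entry11))


def attr_matches(attr, mask):
    """Normal, read-only and archive files always match; hidden, system and
    directory entries match only if the mask asks for them. A mask of exactly
    the volume-label bit selects only the label."""
    if mask == ATTR_VOLUME:
        return bool(attr & ATTR_VOLUME)
    if attr & ATTR_VOLUME:
        return bool(mask & ATTR_VOLUME)
    return (attr & (ATTR_HIDDEN | ATTR_SYSTEM | ATTR_DIRECTORY)) & ~mask == 0


def pack_time(h, m, s):
    return (h << 11) | (m << 5) | (s >> 1)        # DOS time: 2-second resolution


def pack_date(y, m, d):
    return ((y - 1980) << 9) | (m << 5) | d        # DOS date: years since 1980


def _scan(dta, start, err):
    """Shared body of Search First / Search Next. Returns (carry_flag, ax)."""
    template = dta[0:11].decode("ascii", "replace")   # model: template in reserved bytes
    mask = dta[11]
    for idx in range(start, len(DIRECTORY)):
        name, attr, size, date, time = DIRECTORY[idx]
        if name_matches(template, to_fcb(name)) and attr_matches(attr, mask):
            struct.pack_into("<H", dta, 12, idx + 1)   # model continuation state
            # Documented part of the record: attr @21, time @22, date @24, size @26, name @30
            struct.pack_into("<BHHI", dta, 21, attr, pack_time(*time), pack_date(*date), size)
            dta[30:43] = name.encode("ascii").ljust(13, b"\0")
            return False, 0
    return True, err


def find_first(dta, spec, mask):
    """INT 21h/4Eh: ds:dx -> ASCIIZ spec, cx = attribute mask. Fills the DTA."""
    assert len(dta) == DTA_SIZE
    dta[0:11] = to_fcb(spec).encode("ascii")
    dta[11] = mask
    return _scan(dta, 0, ERR_FILE_NOT_FOUND)


def find_next(dta):
    """INT 21h/4Fh: continues from the state Search First left in the DTA."""
    (start,) = struct.unpack_from("<H", dta, 12)
    return _scan(dta, start, ERR_NO_MORE_FILES)


def parse_dta(dta):
    """Decode the fields a caller reads after a successful search."""
    attr, t, d, size = struct.unpack_from("<BHHI", dta, 21)
    name = dta[30:43].split(b"\0", 1)[0].decode("ascii")
    return {"name": name, "attr": attr, "size": size,
            "date": (1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F),
            "time": (t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)}


def search(spec, mask, clobber_dta=False):
    """The SRCH_FIRST / FOUND loop from the post: Search First, then Search Next
    until DOS reports no more files. clobber_dta overwrites the reserved bytes
    between calls, which is the mistake the post warns about."""
    dta = bytearray(DTA_SIZE)
    found = []
    carry, ax = find_first(dta, spec, mask)
    while not carry and ax == 0:
        found.append(parse_dta(dta)["name"])
        if clobber_dta:
            dta[0:21] = bytes(21)
        carry, ax = find_next(dta)
    return found, ax


if __name__ == "__main__":
    for spec, mask in (("*.COM", 0), ("*.COM", ATTR_HIDDEN | ATTR_SYSTEM), ("HYPER.*", 0)):
        names, err = search(spec, mask)
        print(f"{spec} mask={mask:02X}: {names} (loop ended with ax={err})")
    print("clobbered DTA:", search("*.COM", 0, clobber_dta=True))
```

Running it shows the attribute mask at work: `*.COM` with mask 0 skips the hidden HYPER.COM, mask 06H picks it up, and `HYPER.*` behaves like the `\system\hyper.*` string above. The clobbered run returns only the first file, because the position Search Next depends on was destroyed; in this model that fails cleanly with error 18, whereas real DOS may return garbage or restart, which is why the reserved bytes must be left alone.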
………………will continue