K”hntark's Recursive Tunneling Toolkit
Version 4.1
Released 27 August 1993
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
1. DISCLAIMER
The author of this toolkit is in no way responsible for any
damage that its proper or improper usage might cause.
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
2. LICENSE?
You are free to include this toolkit in computer viruses.
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
3. INFO
You don't have to read this whole document before trying to
do something with the toolkit!
If you have never written a virus in Assembler, you can start
with the toolkit! (well, almost!)
K”hntark's Recursive Tunneling Toolkit is an object module
that can be linked to any virus.
The virus should be assembled and linked with KRTT41.OBJ
using Turbo Assembler 2.0 and above.
Using other Assemblers might cause unexpected results.
The toolkit, when called will try find the address of DOS's
real int 21h / 2Ah / 13h.
The output code returned will depend on the results found by
the toolkit.
KRTT41.OBJ is truly a NO-FRILLS object module. You need
nothing to use it. It is a simple, 'plug and play' item; just
save the registers, call it and act depending upon the
output.
Unlike other tunneling routines KRTT DOES NOT use Interrupt 1
to trace through the current interrupts, as this technique
can be easily disabled by any decent resident AV utility.
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
4. What the hell is tunneling?
Why use this?
A quick explanation: Antivirus system monitoring software are
Terminate and Stay Resident (TSR) programs that remain in
memory and hook or capture INT 21h / 2Ah / 13h and other
vital system interrupts.
These programs monitor all calls made to these interrupts for
'suspicious' or 'virus-like' behaviour. An example would be
unauthorized writing to a file thought INT 21h, function 40h.
These programs ensure that all viruses not using any
tunneling or stealth routines are detected when trying to
infect or remain resident in memory.
Some examples of such programs will even monitor their own
code to ensure they are not removed from memory or their
INT 21h handler is not replaced by other programs.
KRTT41 will get the DOS's original INT 21h / 2Ah / 13h, in
most cases, and can turn your virus into a 'smart' one by
warning about the possibility of strange AV software present
in memory.
Once DOS's original interrupts are found you can call them
directly to memory freely, bypassing any AV software present
in memory and infecting other files right through their
protection!
The ability to locate DOS's original INT 13h is provided
by KRTT to implement potentially destructive code.
(None of the examples contain such code.)
You could also use the original int 21h to allocate/free
memory and disable any software present in memory.
Such scenarios are possible but they have not tested fully,
so no claims can be made.
KRTT41's strength lies in a recursive nature which allows
tracing and scanning through multiple hooked INT 21h's.
You can load multiple non-conflicting system monitoring
antivirus programs and KRTT41 will go through them!
Be it 1 or 6 - admittedly a ridiculous situation - it won't
make a difference.
KTTR41 is very small due to its recursive nature. And
it is fast since it uses no memory locations for data
storage; all the operations are done directly in the CPU
registers.
KTTR41 is fully compatible with Trident's Polymorphic Engine
Version 1.4 and future polymorphic Engines.
Such compatibility is assured as long as KRTT 4.1 is linked
before any Polymophic Engine.
Note: See YB-1.ASM for TpE 1.4 linkage demonstration.
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
5. USAGE:
You need the following at the beginning of your program:
extrn TUNNEL:near
~~~~~~~~~~~~~~~~~
then call anytime during program execution (preferably at the
start):
call TUNNEL
~~~~~~~~~~~
Then store the address of the found INT 21h in a double word
location within your virus.
You can then call the real INT 21h doing a CALL DWORD PTR to
such location.
All this is shown in YB-1.ASM and YB-2.ASM
TUNNEL 4.1 procedure usage:
INPUT: bp=01 => Search for original INT 2Ah
bp=02 => Search for original INT 13h
Any other value in bp => Search for original INT 21h
(you MUST save any necessary registers)
OUTPUT: ah=00 Not found
ah=01 Found!
ah=02 Int 21h/ 2hA /13h Not Hooked
ah=03 DOS internal interrupts are hooked (search for
int 21h / 2Ah / 13h not conducted)
If found:
dx= INT 21h / 2Ah / 13h SEGMENT
di= INT 21h / 2Ah / 13h OFFSET
al= RECURSION DEPTH
REGISTERS DESTROYED: ax,bx,cx,dx,di,bp,es
At infection time you must add 248 (decimal) bytes to the
virus size. (see YB-1.ASM, YB-2.ASM)
ASSEMBLE: tasm /m <yourvirus>
LINK: tlink /x /t <yourvirus> krtt41.obj
or
LINK: tlink /x /t <yourvirus> krtt41.obj <poly-engine>.obj
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
6. TESTING:
The toolkit has been tested with a reasonable amount of
hardware and software.
Success for, loaded in the following order:
DOS 5.00 (high) + Vshield 106 (McAfee)
DOS 5.00 (high) + Vshield + Vshield 106
DOS 5.00 (high) + Virstop (FPROT 2.09)
DOS 5.00 (high) + TBdriver + TBfile (TBAV 6.03)
DOS 5.00 + Vshield (McAfee) + Virstop
DOS 5.00 + Vshield (McAfee) + Virstop
+ TBdriver + TBfile !!!!
You can switch the order of the first 2. Tbfile won't let
anything load if it is not loaded last.
DOS 5.00 (high) + QEMM 6.0 (high) + Vshield 106 (McAfee)
DOS 5.00 (high) + QEMM 6.0 (high) + Vshield + Vshield 106
DOS 5.00 (high) + QEMM 6.0 (high) + Virstop (FPROT 2.09)
DOS 5.00 (high) + QEMM 6.0 (high) + TBdriver + TBfile
(TBAV 6.03)
DOS 5.00 (high) + QEMM (high) + Vshield (McAfee) + Virstop
DOS 5.00 (high) + QEMM (high) + Vshield (McAfee) + Virstop
+ TBdriver + TBfile !!!!
KRTT is compatible MS-DOS and IBM DOS versions ranging from
3.1 to 6.0
The above results can be also reproduced against the
following:
QEMM 7.0
HIMEM.SYS
EMM386.SYS
VDEFEND (PCTOOLS 7.1)
Central Point Antivirus 1.3
Secure 2.35 (Mark Washburn)
Virex 2.8 (Ross Greenburg)
Flushot+ V1.84
Martin's Virus Trap V182 (Russia)
Antiviral Toolkit Pro 1.06 (Russia) (see YB-1 and YB-2)
Turbo Debugger 2.0
Watchdog (Leprechaun Software)
VSAFE (CPAV / MSAV)
Note that some of the above software developers costs $50+,
all circunvented by a free 248 byte program!
ННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН
8. Final Notes From the Depths of HELL
If you have any questions or doubts please look at the demo
viruses , YB-1.ASM, YB-2.ASM or the KTTRDEMO.ASM program.
Any questions or comments are appreciated
I can be contacted at CIS (Crypt InfoSystems) BBS.
and VX BBS's through out the world.
Not illegal yet!
K”hntark
љWEUHL KљMPKAAH!