SELF-MODIFYING CODE PROJECT 1

OBJECTIVE

To learn the basic techniques required to modify the code segment of a DOS COM file, and to write a program with a practical application that does so.

PROGRAM DESCRIPTION

The program COMGUARD.COM is a DOS application which modifies the code segment of every other COM file in the same directory. COMGUARD adds code to each of these programs that requires the user to enter a password in order to continue execution of the program.

STRUCTURE OF COM FILES

Unlike the EXE file format, the programmer has no input into the segment format of COM files. All COM files consist of one segment only, with no defined distinction between data and code. After DOS finishes some preparatory work, the COM file is loaded at offset 100h. The first 256 bytes are known as the Program Segment Prefix (PSP). Located at offset 80h is an important data structure called the DTA, or Data Transfer Area. The DTA is important, but most of the rest of the PSP can be ignored by the programmer. Before actually starting execution of the COM program, DOS sets up the stack at the top of the segment.

OUTLINE OF COMGUARD'S EXECUTION

1. Search for files in the current directory ending in ".com".
2. Open the file and read the first 5 bytes.
3. Check whether the file has already been modified by COMGUARD by testing whether the 4th and 5th bytes match the COMGUARD identification string "CG".
4. Make sure the file is not really an EXE file, because after DOS 6.0 some files ending in ".com" were really EXEs.
5. Make sure the file is not so large that adding COMGUARD's code would exceed the 64k segment size.
6. If the file passes steps 3-5 then it is OK to modify, so COMGUARD opens it and writes the authentication code to the end of the file.
7. Calculate the size of the jump to the authentication code and write the jump instruction, along with the identification string, to the beginning of the file.
8. Jump to step #1 and repeat until all files in the current directory have been checked.

OUTLINE OF A MODIFIED PROGRAM'S EXECUTION

1. Jump to the authentication code at the end of the program body.
2. Calculate what virus writers call the Delta Offset. This is necessary because data is always referenced by absolute addresses, which change with every program COMGUARD infects.
3. Ask for the password and, if the answer is wrong, quit to DOS.
4. If the password is correct, restore the first 5 bytes of the file and continue execution from there, just like COMGUARD never existed.

NEXT STEP

Add the capability to modify the EXE file format as well.
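The eligibility checks in steps 2-5 of COMGUARD's outline also serve as a way to recognize files that COMGUARD has already touched. The scanner below is an added example, not part of the project's own code; it assumes the 3-byte jump COMGUARD writes is an 8086 near JMP (opcode E9h with a 16-bit displacement), uses constructed sample images rather than real files, and treats 1 KiB as a stand-in for the room the appended code and the stack need at the top of the segment.

```python
import struct

MARKER = b"CG"             # COMGUARD identification string, bytes 4 and 5
JMP_NEAR = 0xE9            # 8086 JMP rel16 opcode (assumed form of the written jump)
COM_LOAD_OFFSET = 0x100    # COM image is loaded right after the PSP
SEGMENT_SIZE = 0x10000
REQUIRED_HEADROOM = 0x400  # stand-in for appended code plus stack at segment top


def classify_com(image: bytes) -> dict:
    """Apply steps 3-5 of the outline to one .com image and report the findings."""
    head = image[:5]
    result = {
        "is_exe": head[:2] == b"MZ",                       # DOS 6+ ships EXEs named *.com
        "marked": len(head) == 5 and head[3:5] == MARKER,  # already carries "CG"
        "jump_target": None,                               # where the inserted JMP lands
        "too_large": len(image) + COM_LOAD_OFFSET + REQUIRED_HEADROOM > SEGMENT_SIZE,
    }
    if result["marked"] and head[0] == JMP_NEAR:
        # rel16 is counted from the address just past the 3-byte instruction
        rel16 = struct.unpack_from("<h", head, 1)[0]
        result["jump_target"] = (COM_LOAD_OFFSET + 3 + rel16) & 0xFFFF
    return result


def would_be_modified(image: bytes) -> bool:
    """True only if the image passes all three checks, as step 6 requires."""
    r = classify_com(image)
    return not (r["marked"] or r["is_exe"] or r["too_large"])


# Constructed sample images (not real files):
SAMPLE_CLEAN = b"\xB4\x4C\xCD\x21"               # mov ah,4Ch / int 21h
_ORIGINAL = b"\x90" * 100                        # 100-byte body of NOPs
SAMPLE_MARKED = (b"\xE9" + struct.pack("<h", len(_ORIGINAL) - 3) + MARKER
                 + _ORIGINAL[5:] + b"AUTHCODE")  # jump over the body to appended code
SAMPLE_EXE = b"MZ" + b"\x90" * 20                # EXE header under a .com name
SAMPLE_LARGE = b"\x90" * 0xFC00                  # no room left in the 64k segment

if __name__ == "__main__":
    for name, img in [("clean", SAMPLE_CLEAN), ("marked", SAMPLE_MARKED),
                      ("exe", SAMPLE_EXE), ("large", SAMPLE_LARGE)]:
        print(name, classify_com(img), "eligible:", would_be_modified(img))
```

For the marked sample the recovered jump target is 164h, which is 100h plus the 100-byte original body, exactly where COMGUARD would have appended its authentication code.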