COM File Assembly and Disassembly

Need help disassembling your COM virus?

by Christopher Lamb
Nov. 28, 18 · Tutorial

We've identified some of the things we need to develop in order to create a simple COM virus, and we've developed an abstract functional design of the virus itself. Prior to starting coding, we need to create a simple COM file that we can use as an initial target.

It's important that this initial target COM file be very simple and very small. That way, it'll be easier for us to disassemble and debug the file after infection to see if things are working correctly. The smaller the executable code and data in the file, the easier it will be to see what we've injected and to debug execution.

Now, we'll be using more modern tools, like IDA Pro, but these kinds of tools existed decades ago, too. Back then, you generally wouldn't have had access to a disassembler (though some did exist), so you'd use the DEBUG program to trace execution. We'll use modern disassemblers and decompilers because we can cheat! Yay!

Let's put together a really simple COM program. We're just going to add some numbers together, and we're not making any system calls at all. Here's the code:

; f_com.asm

; code segment
_TEXT segment word public 'CODE'
assume cs:_TEXT, ds:_DATA, ss:NOTHING
org 100h                ; COM files are loaded at offset 100h, after the PSP

; Add two values
addem:
    mov ax, a           ; add a and b
    add ax, b
    mov c, ax           ; place result in c
    mov ax, 4c00h       ; AH = 4Ch (terminate), AL = 00h exit code: no error
    int 21h             ; return to DOS
_TEXT ends

; data segment
_DATA segment word public 'DATA'
a dw 3
b dw 4
c dw ?                  ; uninitialized; receives a + b
_DATA ends
end addem

Listing 1: F_COM.ASM

To assemble and link the COM file, execute these commands (TLINK's /t switch produces a tiny-model .COM image rather than an .EXE):

(DOS_3.30) C:\WORK\ASM> tasm f_com.asm
(DOS_3.30) C:\WORK\ASM> tlink /t f_com

Listing 2: DOS compilation commands

We now have our first COM file! Let's take a look at it using a disassembler and see what it looks like. We're going to use Radare2 for this, but IDA works fine, too. To view it with Radare2, invoke it with the -b16 flag (16-bit code): r2 -b16 F_COM.COM. Then you'll need to manually set the data segment, which starts right after the INT 21h instruction. You can use the free version of the IDA disassembler too, but you'll need to manually set the data segment there as well. IDA Pro works great, but you know IDA == $$. Hopper is a great tool, too, but it doesn't support COM files or 8086 code, so it won't do much for us in this case.

Figure 1: Radare2 disassembly of our assembled COM file

If you look at the generated disassembly in Figure 1, you can see that the disassembly is accurate enough: we have data being moved into the correct registers, we see the correct operations taking place, and we can see values being loaded from the data segment into the registers. That is good enough for now.
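As an added example (not code from the original article or from any of the tools it mentions), here is a small Python decoder for just the five instruction forms in Listing 1, which shows why a COM file can be read with nothing but an origin of 100h and why the data segment has to be located by hand after INT 21h. The byte image is constructed to match the listing; its operand offsets assume the three data words sit, word-aligned, right after INT 21h, and the `?` word is assumed zero-filled.

```python
ORG = 0x100  # a COM file has no header; DOS loads the raw image at CS:0100h

# Constructed by hand to match Listing 1 (not a dump of the author's file).
F_COM_IMAGE = bytes([
    0xA1, 0x10, 0x01,        # mov ax, [0110h]   ; load a
    0x03, 0x06, 0x12, 0x01,  # add ax, [0112h]   ; add b
    0xA3, 0x14, 0x01,        # mov [0114h], ax   ; store c
    0xB8, 0x00, 0x4C,        # mov ax, 4C00h     ; AH=4Ch terminate, AL=00h exit code
    0xCD, 0x21,              # int 21h           ; return to DOS
    0x00,                    # pad byte: _DATA is word-aligned, so it begins at 0110h
    0x03, 0x00,              # a dw 3
    0x04, 0x00,              # b dw 4
    0x00, 0x00,              # c dw ?  (assumed zero-filled in the image)
])

def word(image, addr, org=ORG):
    """Little-endian word stored at load address `addr`."""
    i = addr - org
    return int.from_bytes(image[i:i + 2], "little")

def decode(image, org=ORG):
    """Decode from 100h through INT 21h. Returns (listing, data_start, refs):
    [(addr, text)], the load address just past INT 21h, and the direct memory operands."""
    listing, refs, i = [], set(), 0
    while i < len(image):
        op, addr = image[i], org + i
        if op in (0xA1, 0xA3):                      # MOV AX,[moffs16] / MOV [moffs16],AX
            refs.add(off := word(image, addr + 1, org))
            text = f"mov ax, [{off:04X}h]" if op == 0xA1 else f"mov [{off:04X}h], ax"
            i += 3
        elif op == 0x03 and image[i + 1] == 0x06:   # ADD AX,[moffs16]: mod=00 reg=AX rm=110
            refs.add(off := word(image, addr + 2, org))
            text, i = f"add ax, [{off:04X}h]", i + 4
        elif op == 0xB8:                            # MOV AX,imm16
            text, i = f"mov ax, {word(image, addr + 1, org):04X}h", i + 3
        elif op == 0xCD:                            # INT imm8
            text, i = f"int {image[i + 1]:02X}h", i + 2
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {addr:04X}h")
        listing.append((addr, text))
        if text == "int 21h":                       # the DOS exit ends the code; data follows
            break
    return listing, org + i, refs

def resolve_data(image, org=ORG):
    """Map each memory operand to the word it addresses: what you do by hand when
    you set the data segment in r2 or IDA. Returns {offset: value}."""
    _, data_start, refs = decode(image, org)
    return {off: word(image, off, org) for off in sorted(refs) if off >= data_start}
```

Running decode(F_COM_IMAGE) gives the five instructions at 0100h through 010Dh with the data region beginning at 010Fh, and resolve_data(F_COM_IMAGE) maps 0110h, 0112h and 0114h to 3, 4 and 0, which is exactly what you check against the Figure 1 listing once the data segment is set.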

Okay, we have developed our target file and played around with disassembly. Now, we're ready to start developing our virus code.
