COM File Assembly and Disassembly
Need help disassembling your COM virus?
We've identified some of the things we need to develop in order to create a simple COM virus, and we've developed an abstract functional design of the virus itself. Prior to starting coding, we need to create a simple COM file that we can use as an initial target.
It's important that this initial target COM file be very simple and very small. That way, it'll be easier for us to disassemble and debug the file after infection to see if things are working correctly. The smaller the actual executable code and data in the file, the easier it will be to spot what we've injected and to follow execution in the debugger.
Now, we'll be using more modern tools, like IDA Pro, but these kinds of tools existed decades ago, too. Back then, you typically wouldn't have had access to a disassembler (though some did exist), so you'd use the DOS DEBUG program to trace execution. We'll use modern disassemblers and decompilers because of cheating! Yay!
Let's put together a really simple COM program. We're just going to add some numbers together, and we're not making any system calls at all. Here's the code:
; f_com.asm
; code segment
_TEXT   segment word public 'CODE'
        assume  cs:_TEXT, ds:_DATA, ss:NOTHING
        org     100h
; Add two values
addem:
        mov     ax, a           ; add a and b
        add     ax, b
        mov     c, ax           ; place result in c
        mov     ax, 4c00h       ; no error
        int     21h             ; return to DOS
_TEXT   ends
; data segment
_DATA   segment word public 'DATA'
a       dw      3
b       dw      4
c       dw      ?
_DATA   ends
        end     addem
Listing 1: F_COM.ASM
To compile the COM file, execute these commands:
(DOS_3.30) C:\WORK\ASM> tasm f_com.asm
(DOS_3.30) C:\WORK\ASM> tlink /t f_com
Listing 2: DOS compilation commands
We now have our first COM file! Let's take a look at it using a disassembler and see what it looks like. We're going to use Radare2 for this, but IDA works fine, too. To view with Radare2, invoke with the -b16 flag: r2 -b16 F_COM.COM. Then, you'll need to manually set the data segment, which starts after the INT 21 instruction. You can use the free version of the IDA disassembler too, but you'll need to manually set the data segment there as well. IDA Pro works great, but you know IDA == $$. Hopper is a great tool, too, but it doesn't support COM files and 8086 code, so it won't do much for us in this case.
Figure 1: Radare2 disassembly of our assembled COM file
If you look at the generated disassembly in Figure 1, you can see that the disassembly is accurate enough: we have data being moved into the correct registers, we see the correct operations taking place, and we can see the values from the data segment being loaded into the registers. That is good enough for now.
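To make the "data segment starts right after the INT 21" rule concrete, here is a small added example (not code from the article) that decodes the five opcodes F_COM.ASM uses and reports where code ends and data begins. The COM image is constructed inline, and the addresses 110h, 112h and 114h for a, b and c are assumptions for the example, not values taken from the article's link output.

```python
"""Tiny 16-bit decoder for the handful of opcodes F_COM.ASM uses (added example)."""
import struct

LOAD = 0x100  # a COM image is loaded at offset 100h of its segment

# Constructed image: mov ax,[a] / add ax,[b] / mov [c],ax / mov ax,4C00h / int 21h,
# one word-alignment padding byte, then the data words a=3, b=4, c=? (emitted as 0).
A, B, C = 0x110, 0x112, 0x114          # assumed run-time addresses of a, b, c
IMAGE = (b"\xA1" + struct.pack("<H", A) +
         b"\x03\x06" + struct.pack("<H", B) +
         b"\xA3" + struct.pack("<H", C) +
         b"\xB8\x00\x4C" + b"\xCD\x21" +
         b"\x00" +                                  # padding to a word boundary
         struct.pack("<HHH", 3, 4, 0))

def decode(image, load=LOAD):
    """Return (listing, data_start): listing is a list of (address, text);
    data_start is the offset just past the `int 21h`, i.e. the point at which
    the article tells you to set the data segment by hand."""
    i, out = 0, []
    while i < len(image):
        op = image[i]
        if op == 0xA1:                              # mov ax, [moffs16]
            addr = struct.unpack_from("<H", image, i + 1)[0]
            out.append((load + i, f"mov ax, [{addr:04x}]")); i += 3
        elif op == 0x03 and image[i + 1] == 0x06:   # add ax, [moffs16]
            addr = struct.unpack_from("<H", image, i + 2)[0]
            out.append((load + i, f"add ax, [{addr:04x}]")); i += 4
        elif op == 0xA3:                            # mov [moffs16], ax
            addr = struct.unpack_from("<H", image, i + 1)[0]
            out.append((load + i, f"mov [{addr:04x}], ax")); i += 3
        elif op == 0xB8:                            # mov ax, imm16
            imm = struct.unpack_from("<H", image, i + 1)[0]
            out.append((load + i, f"mov ax, {imm:04x}")); i += 3
        elif op == 0xCD:                            # int imm8
            vec = image[i + 1]
            out.append((load + i, f"int {vec:02x}")); i += 2
            if vec == 0x21:                         # return to DOS ends the code
                return out, load + i
        else:
            raise ValueError(f"unhandled opcode {op:02x} at {load + i:04x}")
    return out, None

def data_words(image, data_start, load=LOAD):
    """Read the word-aligned data (a, b, c) that follows the code."""
    start = (data_start - load + 1) & ~1            # round up to an even offset
    return list(struct.unpack_from("<HHH", image, start))
```

Running `decode(IMAGE)` yields the five instructions at 100h..10Dh and a data start of 10Fh, which rounds up to the word at 110h where a, b and c live.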
Okay, we have developed our target file and played around with disassembly. Now, we're ready to start developing our virus code.