                              
                               Quiz #4
                                  By
                              Horny Toad



        Try and see how many of these you can answer without
your notes.  Most of them should be fairly easy.  They should
be common knowledge if you want to advance in virus writing.
Again, like the previous quizes, don't sweat it.  Use these
questions as a reminder of the concepts that you need to
learn.



Questions for Quiz 4


1.  What are the traditional two characters used to identify an EXE
    file?

2.  After an EXE file has been loaded into memory, what ES and DS point
    to?

3.  How would, for example, the address of an EXE file's data segment be
    stored in DS?

4.  What considerations must be taken when defining a stack?

5.  How would you view and EXE file's header in DEBUG?

6.  What length restrictions apply to EXE files?

7.  What is the size of a paragraph?

8.  Describe the purpose and location of the relocation table.

9.  What values of the EXE header need to be changed? Why?

10. Why does the length of the program code need to be expressed in two
    values: PartPag and PagCnt?

11. What is the length of the formatted portion of the EXE header?  How
    long can the EXE header be?

12. Which field in the header is typically used for storing an infection
    marker?

13. Why is it important to save the CS:IP and SS:SP before infection
    takes place?

14. How do the TASM compile directives differ between compiling an EXE
    file and a COM file?





Brief answers to Quiz 3

1. Describe the difference between the int 27h and the MCB manipulation
   techniques in going resident.
MCB distinguished by user defined "memory carving". Amount and memory
owner is user specified.
2. Why is the MCB technique more preferred?
MCB manip is less obvious. Harder to catch.
3. How is conventional memory divided up?
Divided into blocks of memory/each block having a corresponding MCB.
4. What are the essential attributes of a resident virus?
Hide and not be found. Multiply without getting caught.
5. Why is a self-recognition routine necessary in resident code?
So that a virus doesn't infect itself .
6. Where is the MCB located in relation to its corresponding block of
   memory?
Directly before it.
7. What is the difference in using int 27h and int 21h function 31h?
Called slightly differently. Under 64k -> use int 27h.
8. What information can be derived from the MCB?
Status, PSP address of owner, MB size, owner filename.
9. What are the benefits/disadvantages of prepending vs. appending
   int 27h virii?
Prepending involves more addressing considerations... For now, append.
10. Where is the IVT located?
The IVT is located at address 0000:0000.
11. Describe two techniques in changing the IVT to point to your ISR.
Direct manipulation or use interrupt 21h function 25h and 35h.
12. Describe the normal interrupt process.
Read the tutorial.
13. What considerations need to be taken when program execution is
    transferred to your custom ISR?
Firstly, make sure that you save/restore registers before/after execution.
14.   Where is the number 1 location to find out information on individual         
      interrupts?
Ralf Browns's interrupt list.  Get it!
15.   Describe certain precautions that you can take in experimenting with  
      actual virus code.
Take a look at the code. Disassemble it.  Identify suspicious routines.



