vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.tsr.asm
2021-01-12 18:01:59 -06:00


; NOTE : This template is for .COM files only; do not use it for .EXE files!!
;
;
;
; Copyright 1986 by Dana Nowell - All rights reserved
;
; HISTORY:
; Version Date Name Description
; 1.0 11/10/86 dn first cut
; 1.01 11/21/86 dn Fixed memory allocation bug
; Added installation message
;
title TSR Template
; ---- ASCII control and punctuation characters ----
NULL equ 00h ; NUL character
BELL equ 07h ; bell character
BACKSPACE equ 08h ; backspace character
TAB equ 09h ; tab character
LF equ 0ah ; line feed
F_FEED equ 0ch ; form feed
CR equ 0dh ; carriage return
EOF equ 1ah ; ctrl z ( end of file )
SPACE equ ' ' ; ascii space character
QUOTE equ '"' ; double-quote character
; ---- Residency marker ----
; These two words are stored back to back as resident1 / resident2 in the
; resident part of the program and are compared by check_resident.
; In little-endian byte order the four bytes are 44h 61h 6Eh 61h, which is
; the ASCII text "Dana". The same four bytes mark a loaded copy in memory.
SIGNATURE1 equ 6144h ; used for already
SIGNATURE2 equ 616eh ; resident check
; ---- DOS services ( function number is loaded into AH before int DOS_INT ) ----
DOS_INT equ 21h ; DOS function interrupt
DISP_CHAR equ 02h ; display a character ( by name; not referenced in this file )
GET_KEY equ 08h ; read a key ( by name; not referenced in this file )
DOS_SCR_MSG equ 09h ; print a '$'-terminated string
DOS_SET_INT equ 25h ; set int(AL) vector from DS+DX
DOS_RESIDENT equ 31h ; terminate & stay resident, DX = paragraphs to keep
DOS_GET_INT equ 35h ; get int(AL) vector ==> ES+BX
DOS_TERMINATE equ 4ch ; ordinary terminate, AL = return value
DOS_STRING_TERM equ '$' ; terminator expected by the print-string service
; Interrupt vectors used
HOOK_INT equ 1ch ; interrupt to be hooked ( timer tick now )
;------------------------------------------------------------------------------
;
; MACRO SECTION
;
;------------------------------------------------------------------------------
; Version_msg - place the version/copyright banner inline and print it.
; The expansion is: a short jump over the banner bytes, the '$'-terminated
; banner itself, then a Msg expansion that prints it.
; copyright_msg and copyright_end are not declared LOCAL, so a second
; expansion in the same assembly would redefine both labels; the macro is
; used exactly once, at the top of install.
Version_msg macro
jmp short copyright_end ; step over the banner data embedded in the code
copyright_msg db CR, LF
db 'TSR Shell - Version 1.01', CR, LF
db 'Copyright 1986, Dana Nowell ', CR, LF, CR, LF
db 'May be distributed without license', CR, LF, '$'
copyright_end:
Msg copyright_msg ; print the banner
endm
; Msg - print a '$'-terminated string with the DOS print-string service.
;   msg_ptr : operand naming the first byte of the string; its address is
;             taken with LEA and handed to DOS in DX
; AX and DX are saved on the stack and restored, so the expansion leaves
; both registers as it found them.
Msg     macro   msg_ptr
        push    dx
        push    ax
        lea     dx, msg_ptr             ; DX = address of the text
        mov     ah, DOS_SCR_MSG         ; print string ( 09h )
        int     DOS_INT
        pop     ax
        pop     dx
        endm
; Single segment holding PSP overlay, resident code and install code.
; CS, DS and ES are all assumed to address it, as in a loaded .COM program.
com segment para public 'code'
assume cs:com, ds:com, es:com
;------------------------------------------------------------------------------
;
; note: The PSP occurs at the beginning of the code segment
; for all programs. In COM files the code seg = data seg
;
; The declarations below only name the 256 bytes at offsets 00h-0FFh;
; every field is uninitialised ( ? ), so nothing is emitted for them.
; The offsets in the comments are computed from the declared sizes.
; None of these labels is referenced by the code in this file.
;
;------------------------------------------------------------------------------
org 0
psp_start dw ? ; 00h: int 20h instruction ( program terminate )
mem_size dw ? ; 02h: size of available memory in paragraphs
filler db ? ; 04h: reserved usually zero
dos_call db ? ; 05h: call
dd ? ; 06h: address of dos function handler
term_vector dd ? ; 0Ah: address of dos terminate routine
break_vector dd ? ; 0Eh: address of dos break routine
error_vector dd ? ; 12h: address of dos error routine
dos_reserved db 2 dup(?); 16h: reserved by dos
dos_handles db 20 dup(?) ; 18h: file handle array
environ_ptr dw ? ; 2Ch: seg of dos environment ( offset = 0 )
dos_work db 34 dup(?) ; 2Eh: dos work area
int_21h db ? ; 50h: int
db ? ; 51h: 21h
db ? ; 52h: retf ( return far )
reserved dw ? ; 53h: reserved by dos
fcb1_ext db 7 dup(?) ; 55h: fcb # 1 extension
fcb1 db 9 dup(?) ; 5Ch: fcb #1
fcb2_ext db 7 dup(?) ; 65h: fcb # 2 extension
fcb2 db 20 dup(?) ; 6Ch: fcb #2
;
; disk transfer area ( dta ) and parameter block occupy the same space
; ( offsets 80h-0FFh ); only the parameter-block view is declared here
;
;dta db 128 dup(?) ; disk transfer area
param_len db ? ; 80h: length of parameter string ( excludes CR )
parameters db 127 dup(?) ; 81h: parameters
;------------------------------------------------------------------------------
;
; Note on standard fcb structure :
;
; The standard FCB is larger than the space reserved for it in the PSP. If you
; intend to use the FCB data from the PSP, move it to a different location first.
;
;
; STANDARD STRUCTURE OF A FILE CONTROL BLOCK
;
;
; extension :
; offset length description
; -7 1 extension active flag ( 0ffh = active )
; -6 5 normally unused should be zeros
; -1 1 file attribute when extension is active
; 1 . . . . . . . 1 read-only
; 2 . . . . . . 1 . hidden
; 4 . . . . . 1 . . system
; 8 . . . . 1 . . . volume label
; 16 . . . 1 . . . . subdirectory
; 32 . . 1 . . . . . archive
; 64 . 1 . . . . . . unused
; 128 1 . . . . . . . unused
;
; fcb :
; offset length description
; 0 1 special drive number ( 1 byte )
; 0 = default
; 1 = a:
; 2 = b: etc
; 1 8 filename or device name
; 9 3 filename extension
; 12 2 current block number
; 14 2 record size
; 16 4 file size in bytes ( dos dir entry at open )
; 20 2 file date ( bit coded as in dir )
; 22 10 dos work area
; 32 1 current record number ( 0 - 127 )
; 33 4 random record number
;
;------------------------------------------------------------------------------
; Program entry. The first instruction jumps over the resident data and the
; resident handler to the install code, which sits after last_resident_byte.
org 100h ; required for COM file ( skips PSP )
start:
jmp install ; install the demon
;-------------------------------------------------------------------
;
; resident data structures go here
;
; The order of these items matters: check_resident reads resident1 and
; resident2 at these same offsets in another segment.
;
;-------------------------------------------------------------------
old_int dd 0 ; original value of hooked interrupt
; ( offset word first, then segment word; filled in
; by install, called through by new_int )
resident1 dw SIGNATURE1 ; first half of the in-memory residency marker
resident2 dw SIGNATURE2 ; second half of the in-memory residency marker
;-------------------------------------------------------------------
;
; new interrupt starts here
;
;-------------------------------------------------------------------
; new_int - replacement handler installed on HOOK_INT by install.
; As written it adds no behaviour of its own: it enables interrupts, restores
; the entry flags, calls the previous handler and returns. The stretch between
; STI and POPF is presumably where a user of the template puts their own code.
; No registers are saved here because none are modified.
new_int:
pushf ; save the flags as they were on entry
sti ; must turn INT on if we're going to use them
;-------------------------------------------------------------------
;
; be well behaved and pass control to original int
;
;-------------------------------------------------------------------
popf ; restore the entry flags saved above
pushf ; push a flags word so the far call below looks like an INT
; to the old handler ( its IRET pops flags, then returns here )
call dword ptr cs:old_int ; do old interrupt
; ( CS override: old_int is addressed through the handler's
; own code segment, so the access does not depend on DS )
iret ; bye bye
;------------------------------------------------------------------------------
;
; INSTALLATION DATA STRUCTURES AND CODE GO HERE
;
; WARNING WARNING WARNING - this area does not exist after installation
;
;------------------------------------------------------------------------------
; last_resident_byte marks the end of the resident image: install converts its
; offset into the paragraph count passed to the stay-resident call. Everything
; declared after it belongs to the install-time part of the program.
last_resident_byte db 0 ; last resident byte
resident_flag dw 0 ; am I already resident ? ( 0 = NO )
; set to 1 by check_resident when the marker is found
install_msg db CR, LF, 'Installation Complete', CR, LF, '$'
already_installed_msg db CR, LF
db 'Already Installed - Installation Aborted'
db CR, LF, '$'
;------------------------------------------------------------------------------
; install - transient start-up code, reached from the jmp at start.
;
;   1. prints the version banner
;   2. reads the current HOOK_INT vector and stores it in old_int
;   3. calls check_resident; if the residency marker was found in the
;      segment of the current handler, prints the "already installed"
;      message and ends the program normally with return value 1
;   4. otherwise points HOOK_INT at new_int, prints the installation
;      message and terminates resident with return value 0
;
; Does not return to a caller: both paths end in a DOS terminate call.
;------------------------------------------------------------------------------
install proc    near
        Version_msg

        mov     ax, DOS_GET_INT * 256 + HOOK_INT ; AH = get vector, AL = int to hook
        int     DOS_INT                 ; current handler ==> ES+BX
        mov     si, offset old_int      ; where to put old timer interrupt vector
        mov     [si], bx                ; offset word
        mov     [si + 2], es            ; segment word ( ES is also the input
                                        ; to check_resident, so keep it intact )

        call    check_resident          ; sets resident_flag to 1 on a match
        cmp     resident_flag, 0
        jne     already_resident

        ; ---- first installation: hook the vector and stay resident ----
        mov     dx, offset new_int      ; offset of new timer interrupt
        mov     ax, DOS_SET_INT * 256 + HOOK_INT ; set int(AL) vector from DS+DX
        int     DOS_INT

        Msg     install_msg             ; Display the installation message

        ; Resident size in paragraphs. The offset is measured from the start
        ; of the segment, so the 100h bytes of PSP are part of the count.
        mov     dx, offset last_resident_byte
        mov     cl, 4
        shr     dx, cl                  ; divide by 16
        inc     dx                      ; allow for any remainder of division
        mov     ax, DOS_RESIDENT * 256 + 0 ; terminate & stay resident, return value 0
        int     DOS_INT                 ; bye-bye

        ; ---- a copy is already loaded: report it and leave memory untouched ----
already_resident:
        Msg     already_installed_msg
        mov     ax, DOS_TERMINATE * 256 + 1 ; ordinary terminate ( not resident ),
                                        ; return value is 1 (already installed)
        int     DOS_INT                 ; bye-bye
install endp
;
; Check resident procedure
; requires es register to contain the segment address of
; the current location for the interrupt being hooked.
; use the DOS function 35h to obtain this information.
;
; In:    ES = segment of the handler currently installed on the hooked vector
; Out:   resident_flag = 1 when both marker words match; otherwise unchanged
; Clobb: flags
; The comparison reads the two words at the offsets of resident1 / resident2
; inside segment ES. It only inspects whichever handler currently owns the
; vector, so a loaded copy is recognised only while its segment is the one
; returned for HOOK_INT.
check_resident proc near
        cmp     es:resident1, SIGNATURE1
        jne     not_res
        cmp     es:resident2, SIGNATURE2
        je      marker_found
not_res:
        ret                             ; marker absent: flag left as it was

marker_found:
        mov     resident_flag, 1        ; both words matched
        ret
check_resident endp
com ends ; close the single code/data segment
end start ; program entry point is the label start ( offset 100h )