AyrA

EICAR Commented

Oct 4th, 2019
; ================
; == About this ==
; ================

; This is an assembly file to generate the EICAR AntiVirus Test File.
; Assembling this triggers your antivirus, so don't do it.
; The file itself is not dangerous and serves as a safe AV demo.

; The compiled assembly uses only instructions that result in the byte range 0x1F < x < 0x80
; To achieve this, it uses a lot of XOR instructions because MOV is outside of ASCII;
; moving data to and from registers is done via PUSH/POP for the same reason.

; ================
; == Assembling ==
; ================

; Depending on your assembler, the settings differ. Flat assembler (FASM) doesn't have any of them.
; 1. Disable all optimizations
; 2. Set Target instruction set to 16 bit x86 (Real Mode)
; 3. Set OS Target to DOS

; ===============
; == Verifying ==
; ===============

; If properly done, the output can be opened in any text editor and should read exactly:
; X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
; No other bytes should be in the file.

; =============
; == Running ==
; =============

; Your antivirus should trigger as soon as you assemble.
; To actually run the binary, you have to disable your antivirus.
; 64 bit Windows has no support for 16 bit executables anymore.
; To run under 64 bit Windows, use a DOS emulator like DOSBox.

; =======================
; == DOS Memory Layout ==
; =======================

org 0100h   ; Make this a DOS .com executable
; The first 0xFF bytes are used by DOS to store information for the application.
; An example would be the command line string to extract the arguments from.
; This is the reason why .com files start at offset 0x100
; MS-DOS .com executables run under 16 bit mode and thus have to fit into 64K of memory.
; This binary makes use of the stack to avoid the MOV instruction.
; The stack pointer is initialized by DOS to point to the end of memory (0xFFFE to fit a WORD).
; Stack, data and code share the same unprotected memory page,
; which means that if you push too much onto the stack it will eventually overwrite code.
; It also means that the stack size is primarily determined by how much memory you use for code and data.
; There are at most 2 values on the stack and no memory for data storage is needed,
; therefore only 4 bytes of memory need to be free of the 64k page for this application.

; ===================
; == Start Of Code ==
; ===================

; Get 0x214F on the stack
pop  ax     ; AX = 0 because DOS initialized the stack for us already and the memory is set to zero.
xor  ax,214Fh   ; xor with zero is the same as using mov but falls into ASCII range
push ax
; Note: The reason we can try to get a value from an empty stack is because in x86 it wraps around

; Get address of instruction to be changed and move it from ax into bx
and  ax,4140h   ; AX = 0x0140 because 0x214F was still in there: 0x214F & 0x4140 = 0x140
push ax
pop  bx

; Get address location of printable string into dx. The DOS print call expects it to be there
xor  al,5Ch ; AX = 0x011C because we only use xor on the lower byte of the register (AL)
push ax
pop  dx

; Get the first value (0x214F) back from the stack, modify it, and put it into the SI register
pop  ax
xor  ax,2834h   ; AX = 0x097B, AH = 0x09 -> DOS INT21 Service: "Display String"
push ax
pop  si
; We don't have to worry about AL, because DOS INT21 only cares for AH.

; Self modify code: change instruction at 0x0140 (second-to-last instruction of this code) to "int 21h"
sub  [bx],si    ; [0x0140] = 0x2B48 - 0x097B = 0x21CD -> 0x21 = "DOS print string call", 0xCD = "int instruction"
; This also overwrites the first byte of the last instruction

; Self modify code: change instruction at 0x0142 (last two bytes of last instruction) to "int 20h"
inc  bx
inc  bx     ; BX = 0x0142
sub  [bx],si    ; [0x0142] = 0x2A48 - 0x097B = 0x20CD -> 0x20 = DOS exit call, 0xCD = "int instruction"

; Jump over the string to the (meanwhile) changed instruction at 0x0140.
jge  0140h  ; "jge" is the same as "jnl"
; "jge" is taken when SF equals OF. The subtraction right before this jump yields a positive
; result (0x20CD) without signed overflow, so both flags are clear and the condition holds.
; This jump is always performed.

; EICAR string in the middle of the file.
; The '$' is used by the DOS print call to signal the end of a string, as opposed to the more common '\0' in C.
; The content of the string can be freely changed as long as the length stays the same.
; To keep the length, the string can be padded with '$'
; If you change the string you likely will no longer trigger any antivirus response.
DB   "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"

; These two instructions are here to occupy 1+3 bytes
dec  ax
sub  cx,[bx+si+2Ah]
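The paste's "Verifying" notes and its per-instruction comments can be checked without an assembler or a DOS box. The Python below is an added example written for this page, not code from the paste's author: it hand-encodes each instruction listed above with its standard 16-bit x86 opcode bytes, concatenates them at org 0100h, and then confirms the four claims the comments make: the image equals the EICAR line byte for byte, every byte lies in 0x1F < x < 0x80, the XOR/AND arithmetic leaves BX, DX and SI at the stated values, and the two `sub [bx],si` writes turn the tail into `int 21h` / `int 20h` while the `jge` lands exactly on 0x0140. The instruction table, the register-trace helper and the 16-bit flag helper are constructed here for illustration.

```python
# Added example: verify the EICAR .com layout described in the paste (not the author's code).
ORG = 0x100  # org 0100h: load address of a DOS .com image

# Constructed table of (mnemonic as written in the paste, standard x86-16 encoding).
# The point of the paste is that every one of these bytes is printable ASCII.
INSTRUCTIONS = [
    ("pop ax",             b"\x58"),
    ("xor ax,214Fh",       b"\x35\x4F\x21"),
    ("push ax",            b"\x50"),
    ("and ax,4140h",       b"\x25\x40\x41"),
    ("push ax",            b"\x50"),
    ("pop bx",             b"\x5B"),
    ("xor al,5Ch",         b"\x34\x5C"),
    ("push ax",            b"\x50"),
    ("pop dx",             b"\x5A"),
    ("pop ax",             b"\x58"),
    ("xor ax,2834h",       b"\x35\x34\x28"),
    ("push ax",            b"\x50"),
    ("pop si",             b"\x5E"),
    ("sub [bx],si",        b"\x29\x37"),   # ModRM 0x37: reg=SI, rm=[BX]
    ("inc bx",             b"\x43"),
    ("inc bx",             b"\x43"),
    ("sub [bx],si",        b"\x29\x37"),
    ("jge 0140h",          b"\x7D\x24"),   # rel8 = 0x24, skips over the string
    ("db EICAR string",    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"),
    ("dec ax",             b"\x48"),
    ("sub cx,[bx+si+2Ah]", b"\x2B\x48\x2A"),
]


def assemble():
    """Concatenate the encodings into the .com image (what the assembler would emit)."""
    return b"".join(enc for _, enc in INSTRUCTIONS)


def layout():
    """Return [(load address, mnemonic)] so jump and string offsets can be checked."""
    addr, out = ORG, []
    for name, enc in INSTRUCTIONS:
        out.append((addr, name))
        addr += len(enc)
    return out


def all_printable(image):
    """The paste's constraint: every byte must satisfy 0x1F < x < 0x80."""
    return all(0x1F < b < 0x80 for b in image)


def trace_registers():
    """Replay the PUSH/POP/XOR/AND sequence starting from AX = 0 (as the paste assumes)."""
    ax, stack = 0, []
    ax ^= 0x214F; stack.append(ax)                 # xor ax,214Fh ; push ax
    ax &= 0x4140; bx = ax                          # and ax,4140h ; push/pop bx
    ax = (ax & 0xFF00) | ((ax & 0xFF) ^ 0x5C)      # xor al,5Ch (only AL changes)
    dx = ax                                        # push/pop dx
    ax = stack.pop() ^ 0x2834; si = ax             # pop ax ; xor ax,2834h ; push/pop si
    return {"bx": bx, "dx": dx, "si": si}


def sub16_flags(a, b):
    """16-bit SUB result plus SF/OF/ZF, enough to decide a JGE (taken when SF == OF)."""
    r = (a - b) & 0xFFFF
    sf = (r >> 15) & 1
    of = int(((a ^ b) & (a ^ r) & 0x8000) != 0)   # signed overflow on subtraction
    return r, sf, of, int(r == 0)


def self_modify(image, regs):
    """Apply the two `sub [bx],si` stores to a copy of the image; return (image, jge taken?)."""
    img = bytearray(image)
    taken = None
    for addr in (regs["bx"], regs["bx"] + 2):
        off = addr - ORG
        word = int.from_bytes(img[off:off + 2], "little")
        r, sf, of, _ = sub16_flags(word, regs["si"])
        img[off:off + 2] = r.to_bytes(2, "little")
        taken = (sf == of)            # flags from the last SUB decide the JGE
    return bytes(img), taken


def jge_target():
    """Address the rel8 jump lands on: next instruction + 0x24."""
    for addr, name in layout():
        if name.startswith("jge"):
            return addr + 2 + 0x24


def string_address():
    return next(addr for addr, name in layout() if name.startswith("db"))


if __name__ == "__main__":
    image = assemble()
    regs = trace_registers()
    patched, taken = self_modify(image, regs)
    print(image.decode("ascii"))
    print("printable only:", all_printable(image), "regs:", {k: hex(v) for k, v in regs.items()})
    print("tail after self-modify:", patched[0x40:0x44].hex(), "jge taken:", taken,
          "jge target:", hex(jge_target()), "string at:", hex(string_address()))
```

Running it prints the 68-byte EICAR line, then shows BX = 0x140, DX = 0x11c, SI = 0x97b, the patched tail `cd21cd20` (int 21h; int 20h), and that the jump from 0x11A lands on 0x140 while DX points at the string at 0x11C, which is exactly the layout the comments describe.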