Key technologies for viruses (2)

zhaozj2021-02-08  232

-r AX = 0000 bx = 0000 cx = 09f1 dx = 0000 sp = fffe bp = 0000 Si = 0000 di = 0000 DS = 0CA4 ES = 0CA4 SS = 0CA4 CS = 0CA4 IP = 0100 NV UP EI PL NZ NA PO NC 0CA4 : 0100 B8371E MOV AX, 1E37 -A AF1 0CA4: 0AF1 MOV AH, 0 0CA4: 0AF3 INT 16; Waiting button 0ca4: 0AF5 CMP Al, 1B; Waiting for ESC Keys 0CA4: 0AF7 JNZ AF1 0CA4: 0AF9 MOV Word PTR [100] 3fb8; three bytes started by the recovery program 0ca4: 0Aff MoV Byte PTR [102], Le 0ca4: 0b04 Push CS; Put CS: 100 0CA4: 0B05 MOV SI, 100 0CA4: 0B08 PUSH Si 0CA4: 0B09 RETF; Retf returns to CS: 100, the program starts at 0ca4: 0B0A

-A 100 0CA4: 0100 JMP AF1; the beginning of the program is changed to the module that jumps to the modified module 0CA4: 0103

-RCX CX 09F1: A0A

-w Writing 00a0a bytes

-Q

After the modification, do the following more.com, find anything wrong? The result will not be executed by the ESC key program, the process is simple: 1. Modify the commands at the beginning of the program into the program where you jump to the last added. 2. The first execution of the added program (equivalent to the viral module) and wait for the ESC key. 3. Press the ESC key to modify the command starting instruction, and jump back to the beginning (execute the original program). Ok, if you can understand this, then you will not be very far away from the COM virus.

转载请注明原文地址:https://www.9cbs.com/read-1398.html

New Post(0)