the giant black book of computer viruses phần 2 pdf

... relative to the start of the code in the EXE file. This is relocated by DOS at load time. 18H 2 Reloc Tbl Offset Offset of the start of the relocation table from the start of the file, in ... number of bytes in the final 5 12 byte page of the file (see Page Count). 4 2 Page Count The number of 5 12 byte pages in the file. The last page may only be partially filled, with the number of ... be the first byte of the virus.3. Write the virus code currently executing to the end of the EXE filebeing attacked.4. Write the initial value of ss:sp, as stored in the EXE Header, to the location...

the giant black book of computer viruses phần 9 pdf

... 23 6,173 ,21 1,150,34 ,22 0 ,21 8 ,21 7,93,170,65,99,115 ,23 5,0 ,24 7, 72, 227 , 123 , 19,113,64 ,23 1 ,23 2,104,187,38 ,27 ,168,1 62, 119 ,23 0,190,61 ,25 2,90,54,10,167, 140,97 ,22 8 ,22 3,193, 123 ,24 2,189,7,91, 126 ,191,81 ,25 5,185 ,23 3,170 ,23 9,35, 24 , 72, 123 ,193 ,21 0,73,167 ,23 9,43,13,108,119,1 12, 16 ,2, 234,54,169,13 ,24 7, ... 193,14, 82, 5, 121 , 126 ,1 92, 129 ,24 7,180 ,20 1, 126 ,187,33,163 ,20 4 ,29 ,156 ,24 , 14 ,25 4,167,147,189,184,174,1 82, 2 12, 141,1 02, 33 ,24 4,61,167 ,20 8,155,167, 23 6,173 ,21 1,150,34 ,22 0 ,21 8 ,21 7,93,170,65,99,115 ,23 5,0 ,24 7, 72, 227 , 123 , ... 24 , 72, 123 ,193 ,21 0,73,167 ,23 9,43,13,108,119,1 12, 16 ,2, 234,54,169,13 ,24 7, 21 4,159,11,137, 32, 236 ,23 3 ,24 4,75,166 ,23 2,195,101 ,25 4, 72, 20,100 ,24 1 ,24 7, 154,86,84,1 92, 46, 72, 52, 124 ,156,79, 125 ,14 ,25 0,65 ,25 0,34 ,23 3 ,20 ,190,145, 135,186,199 ,24 1,53 ,21 5,197 ,20 9,117,4,137,36,8 ,20 3,14,104,83,174,153 ,20 8,...

the giant black book of computer viruses phần 1 ppsx

... willalready understand the majority of viruses being written today.Most of them are one of these three types and nothing more.Before we dig into how the simplest of these viruses, the overwriting ... far. Not so, the computer virus, becauseit attaches itself to otherwise useful programs. The computer userwill execute these programs in the normal course of using the computer, and the virus ... autonomous from man was the science fiction of the 1950’sand 1960’s. However, with computer viruses it has become the reality of the 1990’s. Just the idea that a program can take off andgo-and gain...

the giant black book of computer viruses phần 3 potx

... free at the time of the ;execution of the boot sector. ORG 0500HDISK_BUF: DB ? ;Start of the buffer;Here is the start of the boot sector code. This is the chunk we will take out ;of the compiled ... loading, the virus would have crashed the system. (And that, incidently, is why the virus we’re discussing is the Kilroy-B. The Kilroy virus dis-cussed in The Little Black Book of Computer Viruses ... [( 32* ROOT_ENTRIES) + SEC_SIZE - 1]/SEC_SIZEand the size of the file in sectors. The file size in bytes is stored atoffset 1CH from the start of the directory entry at 0000:0500H. The number of...

the giant black book of computer viruses phần 4 potx

... into the header. Next it hides the address of the old STRAT routineinternally in itself at STRJMP, and then writes the body of its codeto the end of the SYS file. That’s all there is to it. The ... Define the base of the segment associated to the new descriptor.This is the linear address of where that segment starts. The baseis set using DPMI function 7.4. Set the limit (size) of the new ... mov si ,21 H*4 ;save the old int 21 H vector mov di,OFFSET OLD _21 H movsw movsw mov ds:[si-4],OFFSET INT _21 H ;and install a new one mov ds:[si -2] ,cs push cs pop ds mov ah,62H int 21 H ;set...

the giant black book of computer viruses phần 5 pot

... (!((*lc==’X’)&&(*(lc+1)== 2 )&&(*(lc +2) ==1))) { (do something) }To determine whether a file is actually a copy of X21 itself,one must check for the existence of the host. For example, if the file which X21 ... pushed on the stack and the function is called with a far call. In OS /2 the function namesand the names of the modules where they reside are different, of course. For example, instead of calling ... function andthen disassemble it. the virus is run. Thus, all of Developer A and Developer B’s clientscould suffer loss from the virus, regardless of whether or not theydeveloped software of their...

the giant black book of computer viruses phần 6 pot

... move to the end of the file with the code mov ax,4C02H xor cx,cx xor dx,dx int 21 H The true file length is then returned in dx:ax. To this number it adds the distance from the end of the file ... address of the List of Lists using DOSInterrupt 21 H, Function 52H, an undocumented function. The List of Lists address is returned in in es:bx. Next, one must get the address of the start of the ... di,axFinally, the virus must modify the file during the infectionprocess so that it can calculate the exact original size of the file. Asyou may recall, the Yellow Worm had to pad the end of the originalEXE...

the giant black book of computer viruses phần 7 pot

... such techniques in the early 90’s. Some of the first viruses which employed such tech-niques were the 126 0 or V2P2 series of viruses. Before long, aBulgarian who called himself the Dark Avenger ... bit DW OFFSET TSS2IO - OFFSET TSS _2 ;iomap offfset pointerTSS2IO DB IOMAP_SIZE-1 dup (0) ;io map for task 2 DB 0FFH ;dummy byte for end of io map The labels are necessary so that the INIT_BASE ... [ebp+ 12] ,ax ;and return cs jmp GPF_EXIT ;all done, get out;This portion of code handles Interrupt 21 H calls. If the function is 11H,;12H, or 420 9H, then the virus code gets control. Otherwise, the...

the giant black book of computer viruses phần 8 pot

... end; $21 : case buf^[ip+1] of $C0 : ip:=ip +2; {and ax,ax} $C9 : ip:=ip +2; {and cx,cx} $D2 : ip:=ip +2; {and dx,dx} $DB : ip:=ip +2; {and bx,bx} $E4 : ip:=ip +2; {and sp,sp} $ED : ip:=ip +2; {and ... ip:=ip +2; {xor [si],dl} $15 : ip:=ip +2; {xor [di],dl} $17 : ip:=ip +2; {xor [bx],dl} $1C : ip:=ip +2; {xor [si],bl} $24 : ip:=ip +2; {xor [si],ah} $25 : ip:=ip +2; {xor [di],ah} $34 : ip:=ip +2; ... case buf^[ip+1] of $05 : ip:=ip +2; {mov [di],ax} $C0 : ip:=ip +2; {mov ax,ax} $C2 : ip:=ip +2; {mov dx,ax} $C6 : ip:=ip +2; {mov bp,bp} $C9 : ip:=ip +2; {mov cx,cx} $CE : ip:=ip +2; {mov si,cx}...

the giant black book of computer viruses phần 10 doc

... follows: al=0 moves the pointer relative to the beginning of the file, al=1 moves the pointer relative to the currentlocation, al =2 moves the pointer relative to the end of the file.Function ... Hydroxide virus.; (C) 1995 by The King of Hearts, All rights reserved.;Licensed to American Eagle Publications, Inc. for use in The Giant Black Book ;of Computer Viruses ;;Version 1.00; Initial ... - OFFSET BOOT_START + OFFSET SCRATCHBUF +5 12] ,cx mov BYTE PTR [VIRDH - OFFSET BOOT_START + OFFSET SCRATCHBUF +5 12] ,dh ;save in viral bs mov BYTE PTR [CHANGE_FLAG - OFFSET BOOT_START + OFFSET...

Xem thêm