the giant black book of computer viruses part 2 pdf
... relative to the start of the code in the EXE file. This is relocated by DOS at load time. 18H 2 Reloc Tbl Offset Offset of the start of the relocation table from the start of the file, in ... number of bytes in the final 512 byte page of the file (see Page Count). 4 2 Page Count The number of 512 byte pages in the file. The last page may onl...
Uploaded: 14/08/2014, 18:22
... will already understand the majority of viruses being written today. Most of them are one of these three types and nothing more. Before we dig into how the simplest of these viruses, the overwriting ... far. Not so, the computer virus, because it attaches itself to otherwise useful programs. The computer user will execute these programs in the normal course of usi...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 3 potx
... free at the time of the ;execution of the boot sector. ORG 0500H DISK_BUF: DB ? ;Start of the buffer ;Here is the start of the boot sector code. This is the chunk we will take out ;of the compiled ... loading, the virus would have crashed the system. (And that, incidentally, is why the virus we’re discussing is the Kilroy-B. The Kilroy virus discussed in...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 4 potx
... into the header. Next it hides the address of the old STRAT routine internally in itself at STRJMP, and then writes the body of its code to the end of the SYS file. That’s all there is to it. The ... Define the base of the segment associated to the new descriptor. This is the linear address of where that segment starts. The base is set using DPMI function 7....
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 5 pot
... (!((*lc=='X')&&(*(lc+1)=='2')&&(*(lc+2)=='1'))) { (do something) } To determine whether a file is actually a copy of X21 itself, one must check for the existence of the host. For example, if the file which X21 ... pushed on the stack and the function is called with a far call. In OS/2 the function names and the names of the modules where they reside a...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 6 pot
... move to the end of the file with the code mov ax,4202H xor cx,cx xor dx,dx int 21H The true file length is then returned in dx:ax. To this number it adds the distance from the end of the file ... address of the List of Lists using DOS Interrupt 21H, Function 52H, an undocumented function. The List of Lists address is returned in es:bx. Next, one must get...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 7 pot
... such techniques in the early 90’s. Some of the first viruses which employed such techniques were the 1260 or V2P2 series of viruses. Before long, a Bulgarian who called himself the Dark Avenger ... bit DW OFFSET TSS2IO - OFFSET TSS_2 ;iomap offset pointer TSS2IO DB IOMAP_SIZE-1 dup (0) ;io map for task 2 DB 0FFH ;dummy byte for end of io map The labels are necessar...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 8 pot
... end; $21 : case buf^[ip+1] of $C0 : ip:=ip+2; {and ax,ax} $C9 : ip:=ip+2; {and cx,cx} $D2 : ip:=ip+2; {and dx,dx} $DB : ip:=ip+2; {and bx,bx} $E4 : ip:=ip+2; {and sp,sp} $ED : ip:=ip+2; {and ... ip:=ip+2; {xor [si],dl} $15 : ip:=ip+2; {xor [di],dl} $17 : ip:=ip+2; {xor [bx],dl} $1C : ip:=ip+2; {xor [si],bl} $24 : ip:=ip+2; {xor [si],ah} $25 : ip:=ip+2; {xor [di],ah}...
Uploaded: 14/08/2014, 18:22
the giant black book of computer viruses part 10 doc
... follows: al=0 moves the pointer relative to the beginning of the file, al=1 moves the pointer relative to the current location, al=2 moves the pointer relative to the end of the file. Function ... Hydroxide virus. ; (C) 1995 by The King of Hearts, All rights reserved. ;Licensed to American Eagle Publications, Inc. for use in The Giant Black Book ;of Compute...
Uploaded: 14/08/2014, 18:22