This post has been deleted for including content that does not fall within the guidelines of this forum.

It is the policy of the forum that no virus or virus-related matters are allowed to be posted here; this is to protect the forum and its members.

Regards,

hutch@pbq.com.au
Posted on 2001-08-12 10:26:52 by snowingedge
oh boy,

where did you find that code piece?

some reasons why your program may crash:

1. you cannot execute an INT instruction in WIN32

2. in WINNT you cannot read or write the IDT

3. cli/sti is a privileged instruction in ring 3. In Win32 apps it is not emulated in any case

-- -----------

to get CR3:

- in WINNT/W2K: I'm afraid you must write a device driver
- in WIN9x/ME: for Win32 the best is to write a VxD (maybe one exists already). Or write a 16-bit app/dll. These modules can get the address of the LDT. Then you can manipulate the LDT directly (avoid DPMI) to construct a call gate to enter ring 0 (this works, as I tried it out some years ago)

But again: I think for this problem there exist some solutions already. Check the internet.

japheth
Posted on 2001-08-12 15:11:41 by japheth
snowingedge,

What this code does is patch an interrupt in the IDT with the offset of your MyHookFuction, call the interrupt (thus calling your code in ring 0), and then restore the IDT and exit.

The ring 0 code gets CR3 and saves it.

Your problem is that you put the MyHookFuction PROC in the middle of your code!!! Put this procedure after the ExitProcess() and all will be fine.

This code, of course, only works in W9x... NT and W2K have the IDT read-only for ring 3 programs, as it is supposed to be.

japheth,

Virus source code... I can even say more... it is from CIH (or a hack of it): same variable names, and the same EQUate for the INT to hook (5 in the debug, 3 in the release version)

ancev

PS: if you want MessageBoxA() to show something like '0xC0801fff', you know that you need to convert it to an ASCII string, no? The way it is, it will show garbage to you... :rolleyes:
Posted on 2001-08-12 22:01:23 by ancev
I've got the source of a 32-bit to ASCII MessageBoxA program. That is, if Hiro doesn't hack all of our heads off.
Posted on 2001-08-13 04:13:41 by eet_1024
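The conversion ancev's PS and eet_1024's reply refer to (a 32-bit value formatted as "0x" plus hex digits before it is handed to MessageBoxA) is shown here as an added example; it is not code from this thread or from any of the posters. It assumes the standard MASM32 include and library paths, and the value 0C0801FFFh is a constructed sample standing in for whatever the caller wants to display; the routine reads no privileged register and runs entirely in ring 3.

```asm
; Added example (not from the thread): format a DWORD as "0x" + 8 hex digits
; and show it with MessageBoxA. Assumes the MASM32 package layout.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szTitle  db "Value", 0
    szBuf    db "0x", 8 dup(?), 0      ; "0x" + 8 hex digits + terminating NUL
    hexChars db "0123456789ABCDEF"

.code
; DwordToHex: writes the 8 hex digits of dwValue (most significant first)
; into the 8 bytes at pBuf. Does not write a NUL; the caller's buffer
; already carries one after the digit area.
DwordToHex proc uses ebx esi edi, dwValue:DWORD, pBuf:DWORD
    mov edx, dwValue
    mov edi, pBuf
    mov esi, offset hexChars
    mov ecx, 8
@@:
    rol edx, 4                  ; bring the next high nibble into bits 0..3
    mov ebx, edx
    and ebx, 0Fh                ; isolate the nibble (0..15)
    mov al, byte ptr [esi+ebx]  ; look up its ASCII digit
    stosb                       ; store and advance EDI
    loop @B                     ; 8 nibbles in a DWORD; EDX is back to its original value afterwards
    ret
DwordToHex endp

start:
    ; constructed sample value; digits go after the "0x" prefix in szBuf
    invoke DwordToHex, 0C0801FFFh, offset szBuf + 2
    invoke MessageBoxA, NULL, addr szBuf, addr szTitle, MB_OK
    invoke ExitProcess, 0
end start
```

The message box shows "0xC0801FFF". Rotating the value left by 4 bits each iteration walks the nibbles from most to least significant, so the digits land in reading order without a separate reverse pass, and after eight rotations EDX holds the original value again.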
Thank you very much.

ancev, but I still have a question. You said "....your problem is that you put the MyHookFuction PROC in the middle of your code!!! put this procedure after the ExitProcess() and all will be fine......" I want to know the reason for it, could you tell me??

Have a nice night :) I'm waiting for your answer.
Posted on 2001-08-13 04:27:03 by snowingedge
snowingedge,

The rules of this forum are clear about any virus code whatsoever: it will be deleted, no questions asked.

vecna,

Thanks for your expertise in recognising what the code was.

Regards,

hutch@pbq.com.au
Posted on 2001-08-13 04:51:13 by hutch--