features:
- size ~420 bytes
- win95/98 ring0-tsr (shadowram, idt#0E) PE-infector
- no win32api, vxdcalls or any other system services used, pure x86 code

kewl:
- infecting files in memory (only some files will flush to disk)

system requirements:
- standard PCI motherboard (because of shadowram residency)
- win95/98

on infected program start:
- tsr
- calc new location in C000:xxxx
- check if already resident
- open shadowram
- copy virus
- hook INT 0E (page fault)
- close shadowram
- go ring0
- restore host
- back to host

on INT 0E called:

- handle/skip own errors
- check if error CS.dpl = 3
- take the faulting address, check that it is in range [00400000..90000000], truncate it to 64k, then step back 64k-by-64k until 'MZ' is found
- now we have the PE file; find the section pointed to by the entry point RVA
- check section flags, must be readonly
- tempaddress = sectionstart + sectionphyssize - virussize
- check if already infected
- copy orig bytes from entrypoint to tempaddress
- copy virus to entrypoint