Application of CIH virus principle - reading and writing of physical memory

zhaozj2021-02-08  280

Everyone is very annoying CIH virus. You can teach us by Mao: "Want to see a problem in two places", CiH virus is terrible, but some special techniques it use can still learn from, this can be changed Windows 95/98 application cannot read and write physical memory directly. If you use VXD programming, you can call VMM function _mapphystolinear to map the physical address to the linear address and then modify, but you must write a VXD separately, trouble, then you can't Call the VMM function directly in the application? Generally, it is not possible, because the VMM function is to be called on Ring 0, and the general application works on Ring 3, then why CiH virus can call VMM function, CiH virus uses a technology, using Intel processor interrupt from Ring 3 Go to Ring 0, we can learn from this technology to call the VMM function. The following program demonstrates how to modify the physical memory - modify the encryption sector size (physical address 0000: 0525H) as an example in the Windows 95 encryption program :; ******************************************************** ***************************; * Windows 95 Encryption Software Core Module - Disk Sector Size Modification *; * * * This program modifies the disk sector size bytes at the memory physical address 0000: 0525 under Windows 95, *; * In order to be able to modify the physical address, this program uses the VMM function _MAPPHYSTOLINEAR to map physical address map *; * to linearity The address is modified. In order to call the VMM function in the application, this program uses a CIH virus *; * Principle, use the interrupt to turn the system from RING 3 to RING 0, and then call the VMM function.

转载请注明原文地址:https://www.9cbs.com/read-1383.html

New Post(0)