CIH file virus detection and removal program
This program is assembled with TASM.

; CIH file virus detection and removal program

GOFIRST MACRO
    XOR CX, CX
    XOR DX, DX
    MOV AX, 4200H
    INT 21H                     ; move the file pointer to the start of the file
ENDM

ALTERLINE MACRO
    MOV DL, 0DH
    MOV AH, 02H
    INT 21H                     ; carriage return
    MOV DL, 0AH
    MOV AH, 02H
    INT 21H                     ; line feed
ENDM

COPYHANDLE MACRO
    PUSH BX
    MOV AH, 45H
    INT 21H                     ; duplicate the file handle
    MOV BX, AX
    MOV AH, 3EH
    INT 21H                     ; close the duplicate (commits the file to disk)
    POP BX
ENDM

DATA SEGMENT PARA PUBLIC 'DATA'
EXEFILE  DB '*.EXE', 00
DIRFILE  DB '*.*', 00
FILEBZ   DB 00                  ; file type flag (COM: 00; EXE: 0FFH)
DISKSGN  DB 00                  ; drive to scan (0 = current, 1 = A, 2 = B, 3 = C)
CURRDISK DB 00                  ; current drive number
DISKCHA  DB 00, 3AH, 24H        ; drive letter followed by ':' and '$'
DAT      DB 256 DUP (24H)       ; disk transfer area (DTA)
OVERMSG  DB 'All CIH viruses have been cleared!!!', 0DH, 0AH, 24H
FILESUF  DB 2000 DUP (0)        ; buffer for the part of the file being examined
PE_HEAD  DB 4 DUP (0)           ; file offset of the PE header
VIRSUF   DB 1024 DUP (0)        ; buffer for the head of the CIH virus body
VIRPOINT DB 4 DUP (0)           ; file offset of the CIH first block and chain pointer area
SECNUM   DB 00, 00              ; number of sections
T_ENTRY  DB 4 DUP (0)           ; true entry point RVA
FILEMSG  DB '(CIH Virus)', 24H
CLEAMSG  DB 'KILLED !!', 0DH, 0AH, 24H
CL_ZERO  DB 1024 DUP (0)        ; zeros written over the virus
HZSM     DB 'is scanning:', 24H
BLANK    DB 60 DUP (20H), 24H   ; blanks used to wipe the line
INITDIR  DB '\', 64 DUP (0)     ; initial directory
CURRDIR  DB '\PE', 00, 63 DUP (24H)  ; current directory
UPDIR    DB '..', 00            ; parent directory
DIRSUFF  DB 4096 DUP (0)        ; saved directory search parameters
DIRSUFP  DW OFFSET DIRSUFF      ; write pointer into DIRSUFF
DIRNUM   DB 01, 00              ; number of directories
EXENUM   DB 00, 00              ; number of EXE files
VIREXE   DB 00, 00              ; number of infected EXE files
DIRMSG   DB 'Subdirectory Number: ', 24H
EXEMSG   DB '*.EXE numbers: ', 24H
ERRMSG   DB 'Which Affected: ', 24H
DECSUF   DB 11 DUP (0)          ; binary -> decimal conversion buffer
TITL     DB 'CIH Clean ASM Sourcecode Testing', 0DH, 0AH
         DB 'kuibing kuibing@163.com', 0DH, 0AH, 0DH, 0AH
         DB 'The Virus Is A Parasitic Virus Which Infects Windows 95/98 EXE Files', 0DH, 0AH
         DB 0DH, 0AH, 0DH, 0AH, 24H
BEGIN    DB 07H, 07H, 'Starting by any key Detection/Clear Virus!!', 0DH, 0AH, 24H
DATA ENDS

STACK SEGMENT PARA STACK 'STACK'
    DB 256 DUP (0)              ; assumed stack segment: KILLCIH references STACK
STACK ENDS

CODE SEGMENT PARA PUBLIC 'CODE'
    ASSUME CS:CODE, DS:DATA, ES:DATA, SS:STACK

KILLCIH PROC FAR
    MOV DI, 0082H               ; command tail in the PSP
    MOV DL, [DI]                ; drive letter given on the command line
    INC DI
    MOV BL, [DI]
    PUSH DS
    XOR AX, AX
    PUSH AX
    PUSH DS
    MOV AX, DATA
    MOV DS, AX
    MOV ES, AX
    MOV AX, STACK
    MOV SS, AX
; determine which drive to scan
    CMP BL, 0DH
    JZ DISK2
    AND DL, 05FH                ; upper case
    CMP DL, 41H
    JNZ DISK1
    MOV BYTE PTR [DISKSGN], 01H
    MOV BYTE PTR [DISKCHA], 41H
    JMP DISK2
DISK1:
    CMP DL, 42H
    JNZ DISK3
    MOV BYTE PTR [DISKSGN], 02H
    MOV BYTE PTR [DISKCHA], 42H
    JMP DISK2
DISK3:
    CMP DL, 43H
    JNZ DISK2
    MOV BYTE PTR [DISKSGN], 03H
    MOV BYTE PTR [DISKCHA], 43H
DISK2:
    MOV AH, 19H
    INT 21H                     ; get the current drive
    MOV BYTE PTR [CURRDISK], AL ; save it
    CMP BYTE PTR [DISKSGN], 00H
    JNZ DISK4
    ADD AL, 41H
    MOV BYTE PTR [DISKCHA], AL  ; no drive given: scan the current drive
    JMP DISK5
DISK4:
    MOV DL, BYTE PTR [DISKSGN]
    DEC DL
    MOV AH, 0EH
    INT 21H                     ; select the drive
DISK5:
    PUSH ES
    MOV AX, 0040H
    MOV ES, AX
    MOV DI, 0087H
    MOV AL, ES:[DI]             ; BIOS data area: EGA info byte
    POP ES
    CMP AL, 00H
    JZ CGA
    MOV AX, 0003H
    JMP CLS
CGA:
    MOV AX, 0006H
CLS:
    INT 10H                     ; set the video mode (clears the screen)
    MOV AH, 09H
    MOV DX, OFFSET TITL
    INT 21H                     ; display the title
    MOV DX, OFFSET DAT          ; DTA address -> DX
    MOV AH, 1AH
    INT 21H                     ; set the DTA
    MOV AH, 47H
    MOV DL, BYTE PTR [DISKSGN]
    MOV SI, OFFSET INITDIR+1
    INT 21H                     ; save the initial directory name
    MOV AH, 3BH
    MOV DX, OFFSET CURRDIR
    INT 21H                     ; go to the starting directory
    MOV BYTE PTR [FILEBZ], 0FFH ; set the EXE file flag
    MOV DX, OFFSET EXEFILE
    CALL CLEA_VIRUS             ; check and clear the virus in this directory
    CALL CL_SUBD                ; check and clear the virus in each subdirectory
    MOV AH, 3BH
    MOV DX, OFFSET INITDIR
    INT 21H                     ; restore the original directory
    MOV DL, BYTE PTR [CURRDISK]
    MOV AH, 0EH
    INT 21H                     ; restore the original drive
DONE:
    ALTERLINE
    MOV DX, OFFSET OVERMSG
    MOV AH, 09H
    INT 21H
    MOV DX, OFFSET DIRMSG
    MOV AH, 09H
    INT 21H
    MOV DI, OFFSET DIRNUM
    CALL BTOD                   ; display the number of directories
    ALTERLINE
    MOV DX, OFFSET EXEMSG
    MOV AH, 09H
    INT 21H
    MOV DI, OFFSET EXENUM
    CALL BTOD                   ; display the number of EXE files
    MOV DX, OFFSET ERRMSG
    MOV AH, 09H
    INT 21H
    MOV DI, OFFSET VIREXE
    CALL BTOD                   ; display the number of infected EXE files
    ALTERLINE
    MOV CX, 0200H
    MOV AH, 01H
    INT 10H                     ; restore the cursor
    MOV AH, 4CH
    INT 21H                     ; exit to DOS
KILLCIH ENDP

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; key program ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; search the current directory for EXE files, detect the virus and remove it
CLEA_VIRUS PROC NEAR
    MOV CX, 027H
    MOV AH, 4EH
    INT 21H                     ; find the first matching file
    JNC LOOK
    JMP EXIT                    ; none found -> EXIT
LOOK:
    INC BYTE PTR [EXENUM]
    MOV DX, OFFSET HZSM
    MOV AH, 09H
    INT 21H
    MOV DX, OFFSET DISKCHA
    MOV AH, 09H
    INT 21H
    MOV DX, OFFSET CURRDIR
    MOV AH, 09H
    INT 21H                     ; display the current directory path
    MOV DI, OFFSET CURRDIR+1
    CMP BYTE PTR [DI], 00H
    JZ ZJS1
    MOV AH, 02H
    MOV DL, 5CH
    INT 21H                     ; print '\' between the path and the file name
ZJS1:
    MOV DX, OFFSET DAT
    ADD DX, 1EH                 ; DX: address of the matching file name
    PUSH DX
    MOV DI, DX
BZ5:
    INC DI
    CMP BYTE PTR [DI], 00H
    JNZ BZ5                     ; find the end of the file name
    MOV BYTE PTR [DI], 24H      ; terminate it with '$' for INT 21H/09H
    POP DX
    MOV AH, 09H
    INT 21H                     ; display the file name
    MOV DX, OFFSET DAT
    ADD DX, 1EH
    MOV AX, 3D02H
    INT 21H                     ; open the matching file for read/write
    JNB CL0
    JMP NEXTFILE
CL0:
    MOV BX, AX
    MOV AX, 4200H
    MOV CX, 00H
    MOV DX, 3CH
    INT 21H                     ; file pointer to offset 3CH (e_lfanew)
    MOV DX, OFFSET FILESUF      ; file buffer address -> DX
    MOV CX, 04H
    MOV AH, 3FH
    INT 21H                     ; read the file offset of the PE header
    JNB CL1
    JMP NEXTFILE
CL1:
    MOV AX, 4200H
    MOV CX, WORD PTR [FILESUF+2]
    MOV DX, WORD PTR [FILESUF]
    MOV WORD PTR [PE_HEAD], DX  ; save the PE header offset
    MOV WORD PTR [PE_HEAD+2], CX
    DEC DX
    INT 21H                     ; file pointer to (PE header - 1)
    MOV DX, OFFSET FILESUF      ; file buffer address -> DX
    MOV CX, 0200H
    MOV AH, 3FH
    INT 21H                     ; read 512 bytes (PE signature and headers)
    JNB CL2
    JMP NEXTFILE
CL2:
    CMP WORD PTR [FILESUF+1], 04550H  ; is it a "PE" file
    JZ CL21
    JMP NEXTFILE
CL21:
    CMP BYTE PTR [FILESUF], 00H
    JNZ CL3                     ; "XPE": may carry the CIH virus
    JMP NEXTFILE                ; not infected by CIH
CL3:
    MOV CX, WORD PTR [FILESUF+07H]  ; number of sections
    MOV WORD PTR [SECNUM], CX
    INC CX
    SHL CX, 1
    SHL CX, 1
    SHL CX, 1
    PUSH CX                     ; (sections + 1) * 8 = size of the virus block pointer area
    POP DI
; get the PE entry point RVA
    MOV CX, WORD PTR [FILESUF+2BH]
    MOV DX, WORD PTR [FILESUF+29H]  ; [FILESUF+29H..2CH] = entry RVA
    CMP CX, WORD PTR [FILESUF+57H]  ; [FILESUF+55H..58H] = size of headers
    ; (assumed: the rest of this comparison is garbled in the source)
    JB CL5
    JA CL4
    CMP DX, WORD PTR [FILESUF+55H]
    JB CL5                      ; entry point inside the headers: maybe has CIH virus
CL4:
    JMP NEXTFILE
CL5:
    SUB DX, DI
    MOV WORD PTR [VIRPOINT], DX
    MOV WORD PTR [VIRPOINT+2], CX  ; save the CIH first block offset
    MOV AX, 4200H
    INT 21H                     ; file pointer to entry address - pointer area size (DI)
    MOV DX, OFFSET VIRSUF       ; virus buffer address -> DX
    MOV CX, 100H
    MOV AH, 3FH
    INT 21H                     ; read 100H bytes
    JNB CL6
    JMP NEXTFILE
CL6:
    CMP WORD PTR [VIRSUF+DI+36H], 056CCH
    JZ CL7                      ; may be the CIH virus
    JMP NEXTFILE
CL7:
    CMP WORD PTR [VIRSUF+DI+4BH], 0FBCCH
    JZ CL8                      ; definitely the CIH virus
    JMP NEXTFILE
CL8:
    MOV DX, OFFSET FILEMSG
    MOV AH, 09H
    INT 21H                     ; display the virus message
    MOV AX, 4301H
    MOV CX, 0020H
    MOV DX, OFFSET DAT
    ADD DX, 1EH
    INT 21H                     ; set the file attributes to archive
; save the true entry RVA
    MOV AX, WORD PTR [VIRSUF+DI+5EH]
    MOV WORD PTR [T_ENTRY], AX
    MOV AX, WORD PTR [VIRSUF+DI+60H]
    MOV WORD PTR [T_ENTRY+2], AX
    MOV DX, WORD PTR [VIRPOINT]
    MOV CX, WORD PTR [VIRPOINT+2]  ; get the CIH first block offset
    MOV AX, 4200H
    INT 21H                     ; file pointer to entry address - pointer area size
    MOV CX, WORD PTR [VIRSUF+DI-04H]  ; length of the CIH first block
    ADD CX, DI                  ; plus the size of the CIH chain pointer area
    MOV DX, OFFSET CL_ZERO
    MOV AH, 40H
    INT 21H                     ; zero the virus first block and the pointer area
;;;;;;;;;;;;;;;;;;;;;;;;;; clear the other virus blocks: omitted ;;;;;;;;;;;;;;;;;;;;;;;;;;
; restore the true entry RVA (AddressOfEntryPoint)
    MOV AX, 4200H
    MOV CX, WORD PTR [PE_HEAD+2]
    MOV DX, WORD PTR [PE_HEAD]
    ADD DX, 28H
    ADC CX, 0
    INT 21H                     ; file pointer to the entry point field of the PE header
    MOV DX, OFFSET FILESUF      ; file buffer address -> DX
;   MOV CX, 4H
;   MOV AH, 3FH
;   INT 21H                     ; read the entry point
;   JNB CL11
;   JMP NEXTFILE
CL11:
    MOV CX, WORD PTR [T_ENTRY]
    MOV WORD PTR [FILESUF], CX
    MOV CX, WORD PTR [T_ENTRY+2]
    MOV WORD PTR [FILESUF+2], CX
    MOV CX, 4H
    MOV AH, 40H
    INT 21H                     ; write the normal entry point back
    JB NEXTFILE
    COPYHANDLE                  ; commit the write
    MOV SI, OFFSET DAT+15H
    MOV CL, [SI]
    MOV AX, 4301H
    MOV DX, OFFSET DAT
    ADD DX, 1EH
    INT 21H                     ; restore the original file attributes
    JB NEXTFILE
    MOV SI, OFFSET DAT+16H
    MOV DI, OFFSET DAT+18H
    MOV CX, [SI]
    MOV DX, [DI]
    MOV AX, 5701H
    INT 21H                     ; restore the original file date and time
    MOV DX, OFFSET CLEAMSG
    MOV AH, 09H
    INT 21H
    INC BYTE PTR [VIREXE]
NEXTFILE:
    MOV AH, 3EH
    INT 21H                     ; close the file
    CLD
    MOV DI, OFFSET DAT
    ADD DI, 1EH
    MOV CX, 0EH
    MOV AL, 24H
    REP STOSB
    MOV DI, OFFSET FILESUF
    MOV CX, 600H
    MOV AL, 00
    REP STOSB                   ; clear the file buffer
    MOV CX, 0FFFFH
BZ6: LOOP BZ6
    MOV CX, 0FFFFH
BZ7: LOOP BZ7
    MOV CX, 0FFFFH
BZ8: LOOP BZ8
    MOV CX, 0FFFFH
BZ9: LOOP BZ9                   ; delay
    MOV DL, 0DH
    MOV AH, 02H
    INT 21H                     ; carriage return only
    MOV DX, OFFSET HZSM
    MOV AH, 09H
    INT 21H
    MOV DX, OFFSET DISKCHA
    MOV AH, 09H
    INT 21H
    MOV DX, OFFSET BLANK
    MOV AH, 09H
    INT 21H
    MOV DL, 0DH
    MOV AH, 02H
    INT 21H                     ; carriage return
    MOV AH, 4FH
    INT 21H                     ; find the next matching file
    JC EXIT
    JMP LOOK
EXIT:
    RET
CLEA_VIRUS ENDP

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; search the EXE files of each subdirectory, detect the virus and remove it
CL_SUBD:
    MOV DX, OFFSET DIRFILE
    MOV CX, 0010H
    MOV AH, 4EH
    INT 21H                     ; find the first matching directory entry
    JNC LOOKS
    JMP EXITS                   ; none found -> EXITS
LOOKS:
    MOV SI, OFFSET DAT
    ADD SI, 15H
    CMP BYTE PTR [SI], 10H      ; is it a directory
    JZ NEXT1
    JMP NEXTSUB
NEXT1:
    MOV BX, OFFSET DAT
    ADD BX, 1EH                 ; BX: address of the matching file name
    CMP BYTE PTR [BX], 2EH      ; is it "." or ".."
    JNZ SUB1
    JMP NEXTSUB
SUB1:
    INC BYTE PTR [DIRNUM]       ; subdirectory count + 1
    CLD
    MOV SI, OFFSET DAT
    MOV DI, WORD PTR [DIRSUFP]
    MOV CX, 0015H
    REP MOVSB                   ; save the current directory search parameters
    ADD WORD PTR [DIRSUFP], 0015H  ; directory parameter pointer + 15H
    MOV DI, OFFSET CURRDIR+1
    CMP BYTE PTR [DI], 00H
    JZ LP2
LP1:
    INC DI
    CMP BYTE PTR [DI], 00H
    JNZ LP1                     ; find the end of the current directory name
    MOV BYTE PTR [DI], 5CH
    INC DI
LP2:
    MOV SI, BX
    MOV CX, 0DH
    REP MOVSB                   ; append the subdirectory name
    MOV DX, OFFSET CURRDIR
    MOV AH, 3BH
    INT 21H                     ; enter the subdirectory
    CLD
    MOV DI, OFFSET CURRDIR+1
    MOV CX, 003FH
    MOV AL, 24H
    REP STOSB
    MOV AH, 47H
    MOV DL, BYTE PTR [DISKSGN]
    MOV SI, OFFSET CURRDIR+1
    INT 21H                     ; get the current directory name
    MOV BYTE PTR [FILEBZ], 0FFH ; EXE file flag
    MOV DX, OFFSET EXEFILE
    CALL CLEA_VIRUS             ; check and clear the CIH virus
    JMP CL_SUBD                 ; search this subdirectory's subdirectories and EXE files
EXITS:
    MOV BX, OFFSET CURRDIR+1
    CMP BYTE PTR [BX], 00       ; is the current directory the root
    JNZ SUB2
    JMP OVERS                   ; current directory is the root ->